Harmonising enterprise risk with health and safety using bowtie analysis
Enterprise risk management is a simple name used to describe a complex and diverse domain of risk management. But if the safety risk management approach is not working in tandem with enterprise risk management, are risks being effectively managed?
Bowtie analysis presents an opportunity for businesses to harmonise enterprise risk management with other disciplines such as safety risk, project risk and operational risk.
We all know that enterprise risk management has to do with mitigating the risks that have the potential to impact on enterprise success. The challenge is that this means that enterprise risk management will be different for every business, because the nature of the enterprise is different. Organisations will often address similar corporate risks at this level (e.g. financial risk, misconduct risk, governance risk), but ultimately each business will have a profile of risk that pertains specifically to its own domain of enterprise. This is where the frontline risk management disciplines, such as health and safety, offer some useful intelligence.
For example, a chemical manufacturer has to consider the impact of process hazards as part of enterprise risk. If there is a major accident at the main plant, the business potentially faces a long shutdown (and all the losses that come with an unexpected shutdown). An electricity business has to consider earthquakes and similar such events as part of enterprise risk management. A severe earthquake could damage a key section of trunk line, resulting in loss of power to customers (and total loss of revenue from those customers).
Enterprise risk management practitioners must therefore take an active interest in operational risks and project risks. Daily operations and new projects are directly linked to an enterprise’s core business, which means they can impact on enterprise success.
For these reasons, enterprise risk management can be a difficult balancing act because it encompasses so much. One of the most difficult areas is often the interaction of enterprise risk management and work health and safety.
Enterprise risk management and the big picture
The difficulties arise because of different risk criteria, risk tolerance and risk perception. For example, the enterprise risk team may consider that a safety risk scenario is not relevant to enterprise risk management unless it can cause two or more fatalities. On this point, safety risk practitioners are hardly likely to agree. To use the ISO 31000 process as a metaphor: the risk management process is like a journey, and safety risk practitioners travel along a different journey compared to enterprise risk practitioners.
The result of different journeys is “silos” of risk: safety risk practitioners end up comfortable in their silo of risk management, project risk practitioners end up in theirs. Enterprise risk practitioners have their own silo, but also end up in the unenviable position of having to go knocking on other silos to try to get some collaboration happening.
In many organisations, the split between enterprise risk and other domains is physical in nature. The corporate risk team hold separate job titles and work in one set of offices, and frontline risk people typically have different titles and separate offices. Enterprise risk practitioners will often use one risk software package to document their risk, whereas safety risk and project risk practitioners will often each have their own separate software systems. This makes automatic information-sharing all but impossible.
The solution to harmonising risk practice
The only logical way to harmonise enterprise risk management with other domains of risk (including operational risk, project risk and safety risk) is to bring practitioners along a common journey. It’s possible to reconcile different risk systems at the end of the journey, but it tends to be labour-intensive and not easily replicated (e.g. merging risk databases from several different software packages).
The best solution is to start on a risk journey together, setting up risk criteria, metrics and so on that suit all participants. I’m focusing on the usefulness of bowtie analysis as a means of taking risk practitioners along a common risk journey. The process of constructing, analysing and dissecting the branches of the bowtie is an opportunity for risk practitioners to travel on the risk journey together.
This kind of harmonisation provides some tangible benefits:
- Using a common risk methodology provides a platform for discussing and reconciling different views of risk. The bowtie analysis method is a logical approach that focuses on the way that events unfold, rather than focusing on wording and formatting in spreadsheets. Working collaboratively through bowties makes it easier to identify points of commonality, such as certain terminology or language. It also highlights where a common risk language can be developed.
- Using common risk language increases opportunities for engagement between different risk practitioners. If an enterprise risk practitioner can talk to a health and safety advisor using familiar terminology, it breaks down the walls somewhat and supports more meaningful networking and collaboration between risk professionals.
- Having common risk criteria enables risks from different domains to be directly compared with one another. This is a great help in making investment decisions for risk controls and enforcing risk policies equitably. It also makes a substantial difference to the ability of the enterprise risk team to interact with operational risks that could impact on enterprise success.
- Consolidating risk performance reporting into one system makes it much easier to monitor and compare risk performance. This makes life easier for executives and board members, and gives the head of risk for the enterprise greater confidence that risk is being handled appropriately across the business.
Effective risk systems for enterprise risk management
The key to the harmonisation process is having a common system for managing risk. I’ve already emphasised the benefits of using bowtie analysis to harmonise risk assessments. Why should a particular method of risk assessment be better than any other for this purpose? Because the bowtie method accommodates and encourages the user to explore a variety of consequences stemming from a risk event.
For example, imagine the risks involved in the commissioning and operation of a new floating production, storage and offtake (FPSO) facility in an oil and gas setting. The project risk team will be interested in risk events that could threaten project deliverables. The process safety team will be interested in risk events that could lead to major accidents, such as explosions or catastrophic spills. The health and safety team will be interested in the risk to individual human health and wellbeing. And the enterprise risk team is interested in all of these areas, because any one of them represents a threat to the success of the business.
Bowtie analysis provides an opportunity to accommodate these diverse disciplines within a single risk assessment. The risk of fire, for example, is of interest to everyone. There is a finite number of causal pathways for that scenario, which can be fleshed out by the safety teams. Once those are identified, each team has its own view about the consequences that are of concern. The bowtie model accommodates each of these and prompts each team to identify the pathways by which those consequences eventuate.
The bowtie analysis for a fire scenario can encompass the risk assessment for each of the risk teams in a single product. It also encourages each team to consider their individual view of the risk scenario, and how it compares to that of the other teams. This makes it simpler to identify commonalities that can be used to build a common set of risk criteria. These opportunities exist because of the visual and analytical nature of the bowtie model. It would be considerably more difficult to identify commonalities if all the teams were trying to work through a spreadsheet-type risk assessment.
One major challenge here is finding a system or software which is capable of handling the full range of risk management practice that can be found in the enterprise. For example: in a mining business, the process safety team will lead functionality for bowtie risk assessments and hazard studies. The enterprise risk team will need comprehensive risk registers, including monitoring of key operational risks. The project risk teams will need to be able to build project risk registers, analyse complex risk interactions, and document their plans for mitigating risk. All three divisions will probably need to be able to conduct audits or inspections in the field using mobile devices, with real-time upload and reporting.
This is one of the reasons that different risk practitioners tend to end up with completely separate risk software solutions. This no longer needs to present a major obstacle, because there are software packages on the market that can be easily deployed with a full range of risk tools. Existing data holdings need not be lost, because there are options for data import or software interfaces with existing data repositories.
RiskView is one of the best all-round solutions for this kind of application. For the safety division of the business, there are modules for HAZOPs, HAZIDs, layers of protection analysis, in-field control verification and reporting. For operational risks, bowties are a fantastic way of assessing how operating risks could unfold and threaten operational success. Project risk registers can be easily created using hazard studies, which can be automatically formatted and outputted as project risk management plans. Finally, the dashboards and reporting features enable the enterprise risk management team to oversee the whole symphony of risk and engage with stakeholders in a more direct and meaningful way.
RiskView is also the best-equipped to provide bowtie analysis models that facilitate cooperative discussions on risk. Bowties can be created manually or automatically generated from HAZOP studies. The bowties form the new enterprise-wide risk register. The number of unique risk scenarios managed by the organisation can actually decrease, using the bowtie method to eliminate duplicated scenarios across departments and to identify scenarios with similar causes and consequences.
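As an added illustration (not code from the original post, nor from RiskView or any other product), the following Python model shows how the departmental bowties for the fire scenario described above can be consolidated into a single enterprise register entry, keeping each team's consequences as its own view and collapsing duplicated scenarios across departments. The top-event labels, threats and consequences are constructed sample data; the label normalisation and the overlap threshold for flagging near-duplicates are assumptions for the example.

```python
from dataclasses import dataclass, field

@dataclass
class Bowtie:
    top_event: str                                    # the risk event at the knot
    owner: str                                        # department that drew it
    threats: set = field(default_factory=set)         # left side: causal pathways
    consequences: set = field(default_factory=set)    # right side: outcomes of concern
    views: dict = field(default_factory=dict)         # team -> consequences it cares about

def _key(text):
    """Normalise a top-event label (assumption: strip dashes and filler words)
    so 'Fire - process module' and 'Fire in process module' match."""
    return " ".join(w for w in text.lower().replace("-", " ").split()
                    if w not in {"in", "the", "a", "of", "at"})

def similarity(a, b):
    """Jaccard overlap of causes plus consequences; used to spot scenarios
    with similar causes and consequences that carry different labels."""
    sa, sb = a.threats | a.consequences, b.threats | b.consequences
    return len(sa & sb) / len(sa | sb) if sa | sb else 0.0

def consolidate(bowties, threshold=0.5):
    """Merge departmental bowties into one register entry per scenario.
    Entries are joined when labels normalise to the same key or when their
    content overlap reaches the (assumed) threshold."""
    register = {}
    for bt in bowties:
        key = _key(bt.top_event)
        match = next((k for k, m in register.items()
                      if k == key or similarity(m, bt) >= threshold), None)
        if match is None:
            register[key] = Bowtie(bt.top_event, "enterprise")
            match = key
        merged = register[match]
        merged.threats |= bt.threats
        merged.consequences |= bt.consequences
        merged.views.setdefault(bt.owner, set()).update(bt.consequences)
    return list(register.values())

# Constructed sample: three teams' bowties for one fire scenario plus one unrelated scenario.
SAMPLE = [
    Bowtie("Fire in process module", "process_safety",
           {"hydrocarbon leak", "hot work"}, {"explosion", "plant shutdown"}),
    Bowtie("Fire in process module", "health_safety",
           {"hot work", "electrical fault"}, {"burn injury", "smoke inhalation"}),
    Bowtie("Fire - process module", "project_risk",
           {"hydrocarbon leak"}, {"commissioning delay", "plant shutdown"}),
    Bowtie("Dropped object on deck", "health_safety",
           {"rigging failure"}, {"crush injury"}),
]
```

Running `consolidate(SAMPLE)` yields two register entries: the three fire bowties collapse into one entry whose `views` record which consequences each team contributed, while the dropped-object scenario stays separate.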
The value gained from any enterprise risk management software will, of course, depend on how well it is implemented. Harmonising enterprise risk management and safety risk management is a challenge. It is far from impossible, but it does take concerted effort and discipline. It takes commitment more than risk maturity to make it work. Using the right tools (such as change champions, internal consultation, software tools, and consultants if necessary) can provide the same amount of leverage as risk maturity. For these reasons, harmonisation is not out of the reach of most businesses coping with risk.
A critical area where harmonisation can be achieved is in risk controls, which we will be discussing in more detail on this blog in the next few weeks. Identifying, verifying and monitoring risk controls in a common platform is an achievable and valuable exercise for the enterprise.
If your organisation faces risk (as every organisation does), and your enterprise risk management isn’t dovetailing with your safety risk practices, it’s time to consider change.