Risk management needs resilience thinking: implications for risk modelling, LOPA and emerging tech
Article by Peter Lacey
The idea of resilience is not new in the field of risk management, but the degree of emphasis placed on it certainly is. What does “resilience thinking” really mean for risk practitioners?
What is resilience thinking in risk management?
Enterprise risk practitioners see the value in considering the resilience of the business as part of their risk management work. This extends to project risks, particularly as organisations take on complex projects in a tricky economic climate. Decision-makers want to know more than just what can be done to prevent failures: they want to know how well the organisation can bounce back from failures, before they commit the organisation to new endeavours. Broadspectrum’s experience with detention centres is a good example of how project risk can develop into slow-onset reputational harm. This puts enterprises under pressure to respond and recover quickly to mitigate the consequences.
Health, safety and welfare practitioners are more frequently talking about resilience in the workforce. Psychological resilience and return-to-work is expected to be part of the thinking of health and safety professionals. I recall once being told by a health and safety manager that he had an “aggressive return-to-work philosophy”, which made me rather wary. In time, I recognised that his focus was on getting a worker back to work so as to minimise the psychological harm of being removed from productive work for too long.
In the security risk management domain (in Australia at least), we now talk about critical infrastructure resilience rather than critical infrastructure protection. The discourse focuses on continuity (including prevention, mitigation and recovery), which has more relevance to the economic implications of loss-of-control scenarios. Australia’s economy is dependent on critical infrastructure such as ports and airports. Terrorist disruptions and other types of attacks can do some damage, but a significant proportion of the loss incurred from these events comes from the period of time that a critical port or airport has its normal operations disrupted. When Istanbul’s Ataturk International Airport was attacked in June last year, thousands of passengers were left stranded by cancelled flights. Over the following months, speculation grew about the long-term harm to Turkey’s tourism industry. Long-term harm arises from public fear or loss of public confidence, which is precisely why preparing for recovery is part of managing the risk.
Where does “resilience thinking” fit within the conventional paradigms of risk management?
Resilience in these contexts is about the ability of organisms (organisations and/or individuals) to bounce back. “Resilience thinking” is about examining the way that shocks (risk events) impact on organisms, and how organisms respond to and recover from shocks.
For those of us who work with international standards, ISO 31000 provides minimal guidance on how risk controls should account for recovery as part of risk mitigation. The ISO 22301 standard is more helpful, but it draws us down the road of having a business continuity management system. The key advantage of these standards is that they provide a relatively open approach to risk. ISO 31000 is a framework which is agnostic as to the method of risk analysis used. The risk treatment section of the standard does, however, lend itself most easily to qualitative analysis.
The qualitative approach is handy for keeping things simple and digestible. Qualitative descriptions of likelihood and consequence feed into a simple risk matrix to produce a risk rating. This avoids introducing more complexity than is strictly necessary.
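The matrix mechanics described above can be sketched in a few lines. This is a minimal illustration only: the five-point scales and the rating bands here are assumptions for demonstration, not a prescribed standard.

```python
# Illustrative qualitative risk matrix: ordinal likelihood and consequence
# scales map to a rating. The scales and bands below are assumed examples.
LIKELIHOOD = ["rare", "unlikely", "possible", "likely", "almost certain"]
CONSEQUENCE = ["insignificant", "minor", "moderate", "major", "catastrophic"]

# Ratings indexed as MATRIX[likelihood][consequence]; banding is an assumption.
MATRIX = [
    ["low",    "low",    "low",    "medium",  "medium"],
    ["low",    "low",    "medium", "medium",  "high"],
    ["low",    "medium", "medium", "high",    "high"],
    ["medium", "medium", "high",   "high",    "extreme"],
    ["medium", "high",   "high",   "extreme", "extreme"],
]

def risk_rating(likelihood: str, consequence: str) -> str:
    """Look up the qualitative rating for a likelihood/consequence pair."""
    return MATRIX[LIKELIHOOD.index(likelihood)][CONSEQUENCE.index(consequence)]

print(risk_rating("likely", "major"))  # high
```

The convenience is obvious: any frontline worker can read the table. The drawback, as noted below, is that the lookup says nothing about how individual controls contributed to the rating.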
This simplicity is also the key drawback. It’s hard to get a sense of resilience from qualitative modelling. There’s very little opportunity to see how risk controls interact with each other and how pathways for failure develop. If your organisation is looking to get engagement from a large, low-skill workforce, your risk analysis models need to be accessible to that audience. But this convenience can come at the cost of your more senior risk practitioners not having a precise handle on how the pieces of the risk puzzle fit together.
Using LOPA to visualise “bouncing back”
The layers of protection analysis (LOPA) approach provides a more holistic model. Because it concentrates on defence-in-depth, it works quite well to visualise the way that a business can “absorb” and “bounce back” from threats. Each control represents a point of elasticity at which a disruption can be slowed, reduced or stopped.
Identifying causes and preventative risk controls gives the practitioner a sense of the pathway that a risk event can follow. Separating the consequences and mitigative risk controls guides the practitioner towards thinking more explicitly about how to reduce and recover from harmful consequences. The layered images typical of LOPA are also really good for demonstrating to decision-makers how the organisation can absorb pressure from disruptive events (or not, as the case may be). This model can work with qualitative analysis or with semi-quantitative risk analysis.
Using this kind of semi-quantitative risk analysis adds some complexity: but it is within the skill level of most practitioners on the risk management spectrum, from frontline health and safety officers through to C-level risk managers. Depending on the methods that are used, LOPAs can be easily converted into conventional risk registers for consumption by rank-and-file workers.
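The semi-quantitative arithmetic behind LOPA is straightforward: the frequency of the harmful outcome is the initiating event frequency multiplied by the probability of failure on demand (PFD) of each independent protection layer, compared against a tolerable target. The numbers below are illustrative assumptions, not data from any real study.

```python
# Semi-quantitative LOPA sketch: each independent protection layer is a point
# of "elasticity" that reduces the frequency of the harmful outcome.
# All frequencies and PFDs below are assumed for illustration.
from math import prod

initiating_frequency = 0.1     # initiating events per year (assumed)
layer_pfds = [0.1, 0.01, 0.1]  # probability of failure on demand per layer (assumed)

mitigated_frequency = initiating_frequency * prod(layer_pfds)
tolerable_frequency = 1e-5     # target frequency for this consequence (assumed)

print(f"mitigated frequency: {mitigated_frequency:.1e} per year")
print("tolerable" if mitigated_frequency <= tolerable_frequency
      else "additional layers needed")
```

Laying the calculation out this way keeps each layer’s contribution visible, which is exactly the “how the pieces fit together” view that a single matrix cell cannot give.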
Quantitative risk modelling is more precise, at the cost of complexity. Many risk practitioners won’t have the budget to work in this space, particularly in the current economic climate. The results of quantitative risk modelling are also heavily reliant on the quantitative inputs. Your organisation will need to invest heavily in data collection within the business, or alternately select an appropriate dataset from an external provider (e.g. Lloyd’s for offshore risk practitioners). The data selection drives risk calculations, and to some extent removes the process from human view.
Using LOPA software is a good way to get the benefit of layers of protection analysis with a reduced time investment. Good LOPA risk analysis software is user-friendly and automates as much of the analytical work as possible. This makes LOPA more accessible to everyday risk practitioners.
Where does the future of “resilience thinking” for risk management lie?
The future lies in exploring and validating the data and the models we use.
More risk analysis software packages are available to support semi-automation of risk analysis, which enables more carefully considered examination of risk (using the time saved from not having to draw up risk registers and diagrams from scratch). You may well find that your existing systems work well for controlling your daily risk management system tasks (e.g. JSAs, incident reports, inspections and audits), but don’t do so well at detailed risk analysis. We are in a golden era of affordable, cloud-based software systems and apps. Find a balance of systems that gives you good quality analysis upfront, complemented by the capabilities and reliability you need for your day-to-day risk management activities.
There are also more opportunities for testing and validating our conceptions of how risk events unfold. Any robust management system needs mechanisms for verifying and validating the controls that are in place. This is especially important for risk modelling (given the stakes involved). Serious games and simulations have come a long way. There are systems that can be set up relatively quickly to replicate real organisational responses to risk events, which is an exciting prospect.
Imagine taking a selection of your actual workforce and placing them in a simulated workplace. Your workers play as avatars of themselves in a virtual copy of your actual workplace, right down to the layout of corridors and services in your buildings. Introduce a potential loss-of-control situation and watch how things unfold. Explore how pathways differ in each iteration, and validate whether proposed risk controls actually work the way you expected them to. Input the lessons learned into a risk analysis software package which automatically calculates how the control effectiveness affects the overall risk rating.
Visions for future risk management
If you have an evacuation plan for a multi-user site, create a simulated environment to test whether the evacuation pathways you’ve mapped actually work once real humans are trying to traverse them. Serious games and simulations provide safe environments to test the effectiveness of risk controls in a way that drills and exercises cannot (without introducing real danger). You can also record every second of the exercise, from every participant’s virtual perspective. The footage is fully auditable and can be examined play-by-play from every angle. Use the recorded footage for post-mortem reviews, or for future training courses covering risk scenarios.
Virtual reality (VR) and augmented reality (AR) technologies will be the next breakthrough for these simulations. Well-resourced organisations will be able to test their understanding of risk scenarios before concluding that their risk controls are adequate. Never underestimate the ability of real humans to behave in ways that may not have been anticipated in management-level risk workshops.
The crux of “resilience thinking” for risk management is to focus on risk mitigation before, during and after loss-of-control scenarios. Methods of risk analysis such as LOPA provide excellent insight into how the holes in the Swiss cheese line up to create a perfect critical incident. Risk analysis software helps to reduce the effort required to conduct risk analysis, whilst improving visibility of risk.
In my opinion, resilience is about getting a “pound of prevention” without throwing away the “ounce of cure”. It simply isn’t possible to predict and apprehend every possible risk event, but it is possible to prepare the organisation to recover from the incidents that it fails to predict.
Is “resilience thinking” part of your professional practice? Where do you see “resilience thinking” fitting into risk management?