The no-nonsense approach to critical risks in mining & resources
The resources sector is one of the highest risk areas when it comes to workplace fatalities. In 2016, a total of 49 workers died in Australia extracting natural resources (including minerals, oil, gas, timber, fish and agricultural produce). That’s around 27.5% of all workplace fatalities.
[data from Safe Work Australia statistics, available here]
The kicker is that fatality accidents are not over quickly. A person may lose their life in the blink of an eye, but the flow-on effects on industry (investigations, litigation, etc) can go on for years. One mine operator recently emerged from prosecution by the WA regulator, over two-and-a-half years after the fatality had occurred (in the news here).
It goes without saying that the flow-on effects for family and friends go on for considerably longer.
Operators in the resources sector have to know their critical risks. Many mine operators already have a good grasp on this, though there are plenty that still need to get their systems in order. Other businesses in the resources sector are well behind.
The International Council of Mining & Metals (ICMM) has put out some great guidance on critical control management. The model they recommend actually works well for just about any high-risk business, which is why we’re going to use it for a no-nonsense approach to critical risk management.
[diagram adapted from the ICMM Good Practice Guide for Health and Safety Critical Control Management, available here]
The overall model is very similar to the ISO 31000 process. The main difference is the laser-sharp focus on accountability for identifying and monitoring critical risk controls. Good risk software will come with intuitive risk analysis and control verification tools to make the process easier.
No nonsense here: if you’re not using a good software package, go out and evaluate some options. Unless your business has the time and resources to develop a system from scratch, it makes sense to choose an off-the-shelf software package that can be customised as a solution for you.
First steps: Identifying critical risks, analysing risk and selecting controls
The ICMM guidance paper talks about “materially unwanted events”. An unwanted event is a risk scenario. In ISO 31000 land, we might call it a critical risk if it had an element of criticality (e.g. a risk that is likely to cause a fatality).
The process of identifying risks, identifying controls and selecting controls is risk assessment. It’s the same method that you’d use with any other risk. The difference is, when we’re talking about risks that are likely to result in a fatality, we’ll call it a critical risk. The key controls that prevent or mitigate the impact of a critical risk are called critical controls.
It shouldn’t matter what risk analysis method you use, but we certainly recommend using bowtie analysis. Why? The no nonsense answer is: because it’s the only way to identify and treat all the pathways through which a fatality occurs. A typical risk spreadsheet encourages you to come up with a list of controls. The internal logic is that a long list of controls = good risk protection.
The reality is that critical risk scenarios can have multiple causes and multiple consequences. You might not go into this level of detail for a low-level risk. Risks with a high potential for fatalities deserve a detailed approach.
Bowtie analysis guides you through the exploration of the different ways that a fatality incident can occur. Bowtie analysis makes it very hard to miss key factors. Why? Because a branch on the bowtie that has no controls is visually jarring. It draws your attention. You don’t get that from a long list of controls in a spreadsheet, because there is no way to visualise how they interact.
An untreated branch on a bowtie is a pathway in which there is nothing to prevent a fatality from occurring. Good risk software such as RiskView gives you the ability to analyse critical risks using bowtie diagrams. You can automatically create bowties from conventional spreadsheets, which is a gentle way of easing into bowtie analysis. The dynamic risk re-calculation feature is a nice touch that visually demonstrates how controls affect the overall risk.
Next steps: taking meaningful ownership of critical controls
Note the most important word in the heading: “meaningful”. Once you’ve identified your critical controls, you need to define the means by which you’ll carry out risk monitoring. This means defining how the performance of critical controls will be measured, and how reporting will occur. It also means assigning responsibility for critical control performance and risk monitoring.
Assigning responsibility is a simple exercise. Anyone can type a name into the system. What is missing is creating meaningful ownership of critical controls. This is particularly important when considering site-specific implementation, because responsibility may be split across different people.
Meaningful ownership means engagement in the system. It means that a person proactively takes on their responsibilities for that critical control. It also means that the person accounts for their ownership of that critical control, by providing assurance to those with higher-level risk responsibilities.
No nonsense: this is why grassroots ownership of risk is still so important. Although you might implement a standardised system for managing risk across the enterprise, the individual stakeholders who own critical controls need to have a sense of engagement in that system. With engagement comes a willingness to challenge unsafe work and ensure that control verification is done in a timely fashion. Engagement makes live risk monitoring possible, because reporting is done on time, every time.
Risk software is a real lifesaver (and time-saver) in this space. RiskView, for example, provides user accountability for all aspects of the risk system. Bowties and risk registers are owned by one or more users in the system, which clarifies areas of responsibility. Action tracking is available in all modules to keep track of the work that individuals are responsible for. Good risk software should empower your risk monitoring team.
That is not to say that you need a dedicated health and safety team. Some mine operators go for a safety team separate from operations, and others prefer to have safety as an embedded function of operations.
Either arrangement can work if management is able to cultivate meaningful ownership of critical controls.
Last steps: verifying performance in an ongoing cycle
Control verification should become a fixture of daily life for those with responsibilities for critical controls. The critical controls may be verified annually or more frequently. This will depend on the performance standards set earlier in the process. Reporting should ideally be live, and risk software can help with this.
If you choose to document your control verifications using paper forms, there is a natural lag between the control verification activity and the risk monitoring reports. No nonsense here: you do also sometimes end up with a lag if you use risk software, because control verification work may be completed offline in the field and then uploaded on returning to the office.
RiskView, for example, supports in-field data entry for control verification. The activities are scheduled according to the performance standards and templates that you set up in the system. Activities are assigned to particular individuals at particular times, with a progress tracker for team leaders.
Control verification can be done using a mobile phone or tablet computer. This can be done with or without a live internet connection (although offline work will have the lag factor).
The result is live (or near-live) risk monitoring. Managers have access to dashboards and reporting that give clear metrics on where critical controls are sitting. Data entry is confined to the field. Evidence-gathering can be done in the field (using the camera in a mobile device), or can be completed when documents are scanned and appended to the activity back at the office.
The most critical thing is to link control verification back to the risk assessment. Control performance shouldn’t just be measured against the agreed metrics. It should be used to inform risk reviews. After the first year of system life, there should be a wealth of data to refer back to when considering the ongoing effectiveness of certain controls.
RiskView, for example, provides a mechanism for setting control effectiveness in bowties based on your verification results. If your verifications find that a particular control is super effective, your bowtie risk review will show it. If a particular control does a poor job, that will show too. Businesses with a mature approach to risk will realise that risk reviews can be done on an ongoing basis if you have this level of reporting. Risk reviews can be shorter but more frequent, and responsive to the data from incoming control verification activities.
Risk decision-makers should be in a position to assess whether certain controls should remain in place, be removed, or be supported by adding new controls.
No nonsense: good reasons to bother with critical control management
If the ICMM model doesn’t appeal to you, or if you’re still unconvinced of the value of good critical control management and risk software, here’s some good reasons to bother.
For fans of safety “indicators”, control verification gives you both “lag” and “lead” indicators. Using RiskView to manage your control verifications, your dashboard shows a summary of the inspections and verifications completed over a period of time. The result is also summarised. Add that data to your incident/injury reports, and you have a pretty solid system of “lag” and “lead” health and safety indicators.
Critical control management works well with the Zero Harm philosophy. If your goal is to achieve zero harm (zero LTIs or zero LTIFR), it is essential to identify the critical controls that do the most to prevent harm. Bowtie analysis does this well because it encourages you to think about common controls across different risk scenarios. Good risk software (such as RiskView) helps you identify base controls, which reduces the number of unique controls and allows you to cover more of your risk exposure with fewer verification activities.
Risk monitoring is easy using the critical control management approach. If you identify the critical controls, you focus attention on the most important risks and the most important control measures. You also explicitly define metrics for risk performance. Taking this approach gives you a fantastic structured framework for risk monitoring and performance tracking. Software like RiskView will automatically pull data from your in-field verification activities to update the risk monitoring dashboard. This gives you live risk intelligence.
If you’re working in the resources sector, you need a robust approach to critical risks and critical control management. Make sure that your systems are up to the task!
What tools and processes do you use for critical control management? Have you fully explored whether these might be better managed using cloud-based software alternatives?