Implementing Risk Foresight
Critical Risk Management is focused on monitoring leading indicators of performance that have been identified from an assessment of:
- operational vulnerabilities
- the controls employed to reduce the risk of untenable events (that could be caused by the vulnerabilities metastasizing into failures), and
- the activities that need to be undertaken to assure and verify that the controls will work, as and when required.
Leading organizations that have rigorously implemented this critical risk management approach and readily monitor this type of mature risk information, are now beginning to look beyond their risk register(s) at vulnerabilities not yet recognized or understood. These organizations have commenced a journey towards risk foresight by monitoring information that is not traditionally or ‘normally’ related to the data that comprise leading indicators of risk control performance, to identify ‘weak signals’ that indicate a potential for the emergence of new risks, or the exacerbation of existing threats, to achieving their objectives.
Operational data (e.g. financial, cost optimization, maintenance budget allocation and spend) and/or information relating to external factors (e.g. supply chain disruptions, civil unrest, shifting societal expectations, economics, demographics) that may appear insignificant, when observed from within the domain in which the data are generated, may in fact be significant if observed from the context of what is required for reliable and safe operations.
Any anomalies in these data or information that are a surprise are treated as ‘weak signals’ if they can influence (even remotely!) the organization’s model of risk and thus what needs to be done to monitor and control the changing shape of risk. The process broadly involves:
- Monitoring operational data from across the organization and other information external to the organization.
- Responding to any ‘surprises’ from anomalies in the data by seeking more information from those with expert or intimate knowledge.
- Learning about how the data/information could influence the organization’s model of risk and how it should be monitored for changes and any increasing influence.
- Anticipating the impact of any emerging threat by implementing controls to prevent untenable outcomes.
Case study A: when there was no risk foresight
An organization requires an abrasive material as part of the hydraulic fracturing fluid used to exploit gas from coal seams that occur below ground water, which is used to irrigate agricultural land and as drinking water. In light of this risk information, the organization wanted to ensure they did not pollute the ground water and commissioned an overseas company (where it was more economical) to manufacture the abrasive substance from the crushed shells of nuts. After a number of months of successful and safe implementation of the material within its operations, the government of the country in which the abrasive material was manufactured broadened the definition of ‘food’ in its taxation policies to now include nut shells (despite their being inedible), eroding the manufacturer’s profit due to increasing export taxes. Having to adjust to this new tax to stay solvent, the manufacturer reviewed the specification provided by the organization and found an alternative material that both satisfied the needs defined in the organization’s specifications for the level of abrasiveness and did not fall within the now broadened definition of ‘food’. Soon after, the first shipment of the new abrasive material drew the attention of Customs, who contacted the organization’s procurement division to advise them that the shipment had been seized…because it is illegal to import asbestos-containing materials! In this case, the ‘surprise’ happened when it was too late.
By monitoring regulatory changes in the supply chain of this very important material, the organization could have responded by seeking further information to learn about any ‘weak signals’ of the changing shape of risk (in relation to the specifications, which did not explicitly state that a food grade product had to be used) and anticipate the impact of the changes by working with the manufacturer to find a suitable (safe and legal) alternative.
Case study B: when there was risk foresight
The safety manager in an organization asked their finance department to provide regular reports on the operating expenditure within their power stations. The finance department obliged, but not without intrigue: “why could the safety manager possibly want with this not-very-safety-related information?”. The safety manager noticed that there are budgets allocated for maintenance of the key equipment items in the power station and, in light of this risk information, they were satisfied that maintenance had been scheduled to ensure that the equipment continued to function safely and reliably.
The safety manager continued to monitor the information on an ongoing basis and one day was surprised to see that the budget allocated for boiler maintenance had not yet been spent, a month after it was scheduled. Thinking there may have been some way of assisting the station manager (perhaps there was a hold up on parts or expertise to conduct the maintenance), they responded by calling the station manager and seeking to understand why the budget had not yet been spent. They learned that the station was preparing to bring the unit down for maintenance, but the energy traders had requested that the unit stay on-line to respond to an imminent increase in power demand that had been predicted. Having put the maintenance work on-hold at the last minute (requiring the contracting company to redeploy the workers to other jobs), the maintenance work had to be replanned for another time (when the maintenance workers would be available) and the unit continued to operate. “How could this happen?”, the safety manager asked, “maintenance on the boiler is critical, if we don’t do it in the right timeframe, we risk an in-service failure and a potential explosion”, to which the station manager replied: “I’m fully aware of the risk, but I thought I was supposed to respond to the traders’ requests…that’s the pecking order, isn’t it?”. The safety manager decided that it was time to correct this perception and called the head of energy trading to understand why they would be promoting such reckless behavior only to learn that the energy traders had no idea that the unit had to be taken down for maintenance and that the station manager had not indicated as such. To anticipate any future conflicts between safety and production, the safety manager implemented a process to ensure that energy traders are involved in the maintenance planning activities of the power stations, so that they can contribute to the design of maintenance cycles that assure safe operations and maintain the power station’s ability to respond to foreseeable increases in energy demand.