THE EVOLVING RELATIONSHIP BETWEEN EHS AND

Transcription

THE EVOLVING RELATIONSHIP BETWEEN EHS AND
THE EVOLVING RELATIONSHIP
BETWEEN EHS AND OPERATIONAL
RISK MANAGEMENT
Strategies for
Improving Operational Excellence
CONNECT:
lnsresearch.com
The Evolving Relationship Between
EHS and Operational Risk Management
TABLE OF CONTENTS
Executive Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
Section 1: The Growing Need to Manage ORM for EHS Performance . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
Section 2: The Essential Role of Culture and Leadership . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
Section 3: Understanding the Operational Risk Management (ORM) Process . . . . . . . . . . . . . . . . . . . 16
Section 4: Supporting Risk Processes and Getting Started with ORM Software . . . . . . . . . . . . . . . . . 26
lnsresearch.com
Executive Summary
Executive Summary
PAGE
THE EVOLVING RELATIONSHIP
BETWEEN EHS AND OPERATIONAL
RISK MANAGEMENT
4
Operational Risk Management (ORM) involves a continuous im-
LNS Research has been seeing this trend grow in its primary
provement process designed to mitigate and avert operational risk
research of manufacturers across its EHS, manufacturing operations,
and has been a key pillar of organizational management for many
asset performance, and quality management research.
years. It is also an essential aspect of how businesses achieve Oper-
Also, between emerging compliance requirements, new manage-
ational Excellence, manage costs and product quality, and take EHS
ment system frameworks, and increasingly stringent customer de-
performance and productivity to the next level. ORM helps us better
mands, ORM is becoming a central component of the new reality for
understand and prepare for adverse events and the resulting impact
global manufacturers. And there’s been an increasing understanding
they have on operations.
of the scope of hazards, controls, and monitoring capabilities that
As a framework for understanding and managing operations,
can impact enterprise and plant-level risk management performance.
traditional ORM approaches tend to address operational risks
To that end, in this eBook LNS Research will cover the evolving and
implicitly. In light of today’s increasingly complicated regulatory and
expanding role of ORM in the contemporary business landscape, the
CONTENTS
competitive environment, it is important for companies to evaluate
inextricable role of culture and leadership in supporting ORM, and
SECTION
risk explicitly across operations. Evaluating ORM explicitly calls upon
best practices for identifying and implementing the right ORM soft-
1 2
3 4
a business to assess a subset of risks that are operational in nature,
ware solutions , all with respect to EHS performance.
TABLE OF
as opposed to evaluating every possible risk that could impacts
performance. For example, we can begin by defining risks related to:
•
Environment, Health, and Safety (EHS)
•
Quality
•
Compliance
Market leaders in manufacturing are learning that ORM needs to
pervade almost all aspects of enterprise performance. ORM now
plays an integral part in every aspect of how we manage our busi-
The ORM Process
Framework Cycle
MONITOR
AND
RESPOND
IDENTIFY
ORM
Process
Framework
nesses, and while it used to be viewed as a watertight compartment
in overall enterprise performance, it is increasingly viewed as an
aspect that pervades all business performance programs and feeds
into overall Operational Excellence.
CONTROL
ASSESS
SECTION 1
The Growing Need to Manage
ORM for EHS Performance
The Growing Need to Manage Risk
PAGE
THE EVOLVING RELATIONSHIP
BETWEEN EHS AND OPERATIONAL
RISK MANAGEMENT
6
TABLE OF
We have been witnessing a growing move from reactive to preven-
Besides compliance, process industries are recognizing that ef-
tive management across enterprise performance management pro-
fective ORM feeds directly into financial performance and overall
grams, not only within a risk framework, but also across EHS, asset
Operational Excellence. ORM can to some extent be propelled by
performance, quality, and manufacturing operations management.
compliance demands but ought to be viewed as an opportunity to
This has manifested across a widespread industry awareness of the
fuel EHS performance and Operational Excellence.
benefits of an operational-risk-based approach, but we have also
Manufacturers who simply respond to compliance-based risk re-
seen regulators increasingly embed risk-based assessments and ac-
quirements do not embrace the spirit of regulations: that is, to under-
tivities into their rulemakings. In this section we will cover risk’s in-
stand manufacturing processes and reduce associated risks. By em-
creasing role in performance management by looking at compliance
bracing this spirit manufacturers would be left with improved business
trends, management systems, LNS Research data, and other emerg-
processes and a better framework for improving ORM systems.
ing business drivers that are putting risk at center stage.
CONTENTS
Between the Food and Safety Modernization Act (FSMA),
SECTION
OSHA’s Injury and Illness Prevention Program (I2P2), and
1 2
3 4
Dodd-Frank-associated Conflict Minerals regulations, there has
been a nascent codification of risk
among U.S. regulators. Other international bodies, including those
among the EU, have either followed
Conflict
Minerals
I2P2
ISO 45001
suit or been more progressive in their
rulemaking approaches. Beyond legislation, new management system standards like ISO 45001
(Health and Safety) and the
latest iteration of ISO 9001 are
embedding risk management
directly into their models.
FSMA
Increasing
Codification of Risk
into Regulations
and Standards
Aerospace &
Defense and
Medical Device
Manufacturing
The Growing Need to Manage Risk
PAGE
THE EVOLVING RELATIONSHIP
BETWEEN EHS AND OPERATIONAL
RISK MANAGEMENT
7
TABLE OF
In more highly regulated environments, such as aerospace and de-
performance, now the term is far more all-encompassing. The sus-
fense and medical device manufacturing or pharmaceuticals, more
tainable business is the environmentally responsible and ethical
broadly, we’ve seen risk protocols take an even greater role. In all
business, yes, but it is also the financially sound business as well.
cases, there has been a trend towards streamlining risk management,
And, as we will see, risk management is fundamental to success in
particularly at the plant level, but across all operations in general, in-
all these regards.
cluding those related to EHS, quality, asset performance, and beyond.
However, what is trending in regulatory requirements and management system standards tends to be more prescriptive in nature
and often lags behind industry practice in general. In some cases
industry leaders are outpacing regulators in terms of implementing
advanced risk management models into their business processes.
CONTENTS
This is all based on the recently realized and widespread under-
SECTION
standing that ORM, implemented effectively, ultimately supports
1 2
3 4
HOLISTIC
SUSTAINABILITY
FINANCIAL
PERFORMANCE
EHS performance and overall holistic sustainability.
As illustrated in this diagram, basic compliance requirements
OPERATIONAL EXCELLENCE
are at the foundation of how companies approach holistic
or overall sustainability objectives. At the second tier, risk
management is supported by and related to compliance
GOVERNANCE
factors, but also presents a framework whereby we
can manage governance, achieve operational excellence, and improve financial performance,
RISK MANAGEMENT
ultimately achieving the eventual goal of holistic sustainability. While ‘sustainability’ as
a term used to connote environmental
COMPLIANCE
Hierarchy of Business Objectives Supporting Holistic Sustainability
The Growing Need to Manage Risk
PAGE
8
LNS EHS Management Survey
Some of the data we will present in this eBook will be rooted in
THE EVOLVING RELATIONSHIP
BETWEEN EHS AND OPERATIONAL
RISK MANAGEMENT
the LNS Research EHS survey, which has engaged more than 250
TABLE OF
respondents across an array of manufacturing industries to generate
insights on the most significant trends, opportunities and challenges
facing EHS leaders today, including many questions in the realm of
Operational Risk Management.
• The ORM technology and software-based trends and best practices
that help foster and fuel success.
• Maturity levels of risk management approaches, and strategies for
integrating operational risk and product stewardship into overall
EHS performance programs.
As illustrated below, LNS polled an array of respondents
across a wide cross section of revenue, geographic location, and
Some of the key areas covered by the survey include:
• Top organizational EHS challenges and barriers to success and
manufacturing industry.
associated risk factors.
CONTENTS
SECTION
16.8%
1 2
3 4
6.1%
21.0%
18.1%
35.6%
51.5%
54.3%
41.2%
43.4%
10.8%
1.2%
COLOR BY COMPANY REVENUE
COLOR BY HQ LOCATION
COLOR BY INDUSTRY
Large: $1BB+
Asia
Discrete Man
Medium: $250MM - $1BB
Europe
F&B / CPG
Small: $0 - $250MM
North America
Life Sciences
Middle East / Africa
Process Man
The Growing Need to Manage Risk
PAGE
THE EVOLVING RELATIONSHIP
BETWEEN EHS AND OPERATIONAL
RISK MANAGEMENT
9
Managing Risk for EHS Compliance and Operational Excellence
a number of other data points as well, risk is increasingly driving
Nowhere is the relationship between risk management more deeply
business performance objectives, and compliance is no exception.
tied to another aspect of business performance management than it
But a holistic view of ORM goes beyond compliance and will
is with EHS management, and EHS compliance in particular. The risk-
ultimately feed into Operational Excellence. A comprehensive risk
based costs of EHS management executed poorly are vast.
management approach involves identifying, quantifying, prioritizing,
As any manufacturer knows, the costs of noncompliance are sig-
and mitigating risk. Many manufacturers focus on mitigations from
nificant. In addition to direct costs associated with fines, legal fees,
a compliance perspective, but fail to go through the entire exercise
and increased regulatory attention, not to mention being placed
(e.g. in terms of HACCP for FDA regulated industries like food
on the Occupational Health and Safety Administration’s (OSHA)
service, cosmetics, and pharmaceuticals). The next generation of risk
Severe Violators Enforcement Program (SVEP), the consequences
management will be centered on testing processes over individual
of noncompliance can be severe. Also, OSHA, the Environmental
products. This will ultimately lead to reduced testing on finished
CONTENTS
Protection Agency (EPA), and other national and international reg-
goods and encourage companies to evaluate risk holistically, as
SECTION
ulatory bodies have already begun to implement risk management
opposed to simply from a compliance standpoint.
TABLE OF
1 2
3 4
protocols into regulatory requirements.
LNS Research’s survey of EHS professionals shows that the overwhelming factor driving businesses to maintain compliance involves
minimizing the risk of noncompliance. Indeed, as we will see across
Top 5 Factors Driving Compliance
Minimizing the risk
of noncompliance
#1
Factor Driving Organizations
to Maintain compliance is
Minimizing the RISK of noncompliance
26%
Support overall
Operational Excellence
19%
Keep pace with evolving
compliance requirements
18%
Better manage the cost
of noncompliance
15%
Meet customer
compliance mandates
12%
0%
5%
10% 15% 20%
The Growing Need to Manage Risk
PAGE
THE EVOLVING RELATIONSHIP
BETWEEN EHS AND OPERATIONAL
RISK MANAGEMENT
10
Financial Performance and Operational Excellence
Though an extreme example, Deepwater illustrates that a
All of the factors we have discussed and will discuss in this section
reactive-based, risk-averse approach will only result in adverse
factor directly into financial performance to varying extents, but
events and increased fines and fees, not to mention the staggering
it is worth pointing out that the costs of ORM, implemented and
costs of lifecycle incident management.
executed poorly, are increasingly staggering. No longer is a reactive-
Also, Just as EHS performance and negative events are
based model of compliance and performance management
accompanied by increased compliance costs and other financial
acceptable, as the sheer costs associated with reactive management
impacts, customers are also increasingly aware that the
become ever more apparent.
performance of suppliers is being factored into their own aggregate
We need look no further than the 2010 Deepwater Horizon
performance assessments incorporating EHS, manufacturing
oil rig explosion and resultant oil spill that netted record costs
operations, asset performance, etc. As a result, manufacturers
for British Petroleum (BP), including an incredible $42.7 billion in
that demonstrate a poor record of risk management and suffer
CONTENTS
economic losses. The company had a record of EHS infractions
the consequences of significant and/or repeat adverse events
SECTION
across the preceding decade, and had—by all accounts—failed to
face the staggering costs associated with losing customers that
1 2
3 4
implement effective corrective risk-based measures to mitigate
are increasingly demanding exemplary EHS performance, for
the likelihood of such a disaster occurring in the first place.
example, across the value chain.
TABLE OF
All of this feeds into risk’s role in EHS performance and overall
Operational Excellence. By implementing a closed-loop cycle
FINANCIAL CONSEQUENCES:
• Costly Adverse events
on risk management across operations and thereby mitigating
and controlling risk across operations, manufacturers are
better prepared to improve financial performance and embrace
Operational Excellence.
FINANCIAL BENEFITS:
• Cost savings through effective risk mitigation
• Improved brand equity and bottom lines
• Fewer fees/fines for noncompliance and legal costs
The Growing Need to Manage Risk
11
Brand Equity Impacts
Photo courtesy of rijans via Creative Commons
PAGE
When a negative EHS event befalls, manufacturers have increas-
THE EVOLVING RELATIONSHIP
BETWEEN EHS AND OPERATIONAL
RISK MANAGEMENT
ingly realized that compliance-related consequences are far from
TABLE OF
the only impacts they feel. The pace of exposure of negative events
that spread through news outlets and gain traction through social
media and other online channels feed into public and stakeholder
visibility of these adverse events, which only increases the need
for better ORM.
One key example is the 2013 Savar Building Collapse at Rana Plaza
near Dhaka, Bangladesh, an event that killed over 1,100 and injured
another 2,400. The textile factory that collapsed in this disaster sup-
CONTENTS
plied goods to leading Western brands, and when pictures of labels
SECTION
in the dust of the aftermath of the event got traction on social me-
1 2
3 4
dia, the buying public spoke up and brands once concerned with the
150
four walls of their business suddenly had to account for EHS performance across their value chain.
global brands and retailers signed
an accord to improve fire and building
safety in Bangladesh post-collapse
The plant at hand had been associated with repeat violations, but
nothing had been done. When the public voiced clear disapproval
with the event, global brands signed safety accords, offered remediational payments to families involved, and pledged to improve EHS
performance across their value chains.
“Rana Plaza changed everything.
It’s Ground Zero for ethical sourcing”
The whole event and its aftermath underscored the need for better ORM to improve overall product stewardship. From both an EHS
and quality perspective, risk ought to have been approached and
managed both enterprise-wide and at the plant level. However, the
organizations tended to fail to take the long view into account.
—Ian Spaulding, Senior Advisor,
Alliance for Bangladesh Worker Safety
SECTION 2
The Essential Role of Culture
and Leadership
The Role of Culture and Leadership
PAGE
13
While we sometimes try to implement ORM strategies with a topdown approach, organization-wide engagement and an understand-
THE EVOLVING RELATIONSHIP
BETWEEN EHS AND OPERATIONAL
RISK MANAGEMENT
ing of the need for pervasive risk management is essential. And only
TABLE OF
an adoption of the tools and processes to improve ORM performance
can support this level of operational and enterprise-wide engagement.
This will extend from both a top-down sponsorship of ORM
initiatives and a congruent bottom-up engagement among frontline
staff and management with ORM initiatives. Many companies go
so far as to define safety and Operational Excellence as corporate
values. Widespread internal education on the fundamental role of risk
management across all aspects of operations, including the principles
CONTENTS
and language behind risk management, will help facilitate a risk-based
SECTION
mandate that is more ingrained into corporate culture.
1 2
3 4
• Establishing why we take a cyclical, Identify-Assess-Control-Mon-
OPERATIONAL EXCELLENCE
Executive Sponsorship
itor/Respond approach to risk management across operations.
• Better communicating the language associated with risk (e.g.
hazards, controls, etc.)
• Defining the consequences of operational risk gone wrong
through explicit examples of the costs associated with poor/
Effective
ORM
Capabilities
nonexistent ORM.
But it will take an effective safety and Operational Excellence-based
culture for effective ORM capabilities to evolve, as they permeate so
many different aspects of overall enterprise performance.
Frontline Engagement
Management
Promotion and
Support
The Role of Culture and Leadership
PAGE
14
Leaders across operations, including EHS, maintenance, quality,
manufacturing and production inherently want to ensure that the
THE EVOLVING RELATIONSHIP
BETWEEN EHS AND OPERATIONAL
RISK MANAGEMENT
time and energy their teams invest in improving safety, asset reli-
TABLE OF
ability, and product quality are focused on the right pain points and
also deliver business value from a bottom-line perspective. Coordinating these processes with a formal ORM framework that pervades the enterprise is a good start.
However, improved ORM capabilities are not implemented with
the flick of a switch. Instead, they have to accompany a strategic
alignment of people, processes, and technology. Although risk man-
19%
agement principles are embedded in many of the processes used by
CONTENTS
global manufacturers every day, often there is a lack of explicit cul-
SECTION
tural support or leadership for operational risk management.
1 2
3 4
Risk Management Framework Established
35%
Further, too many do not have a formal risk framework established,
or have no plans to implement such a framework. As LNS Research’s
recent EHS survey indicated, while nearly half of respondents have
47%
a formal risk management framework established, too many (over a
Planned Within 1 Year
Not Planned
Currently Implemented
third) have no plans to implement such an approach.
Improved ORM capabilities are not implemented
with the flick of a switch
The Role of Culture and Leadership
PAGE
THE EVOLVING RELATIONSHIP
BETWEEN EHS AND OPERATIONAL
RISK MANAGEMENT
15
Part of achieving complete cultural engagement in EHS-related
But it is also imperative to understand that any measures taken
ORM responsibilities will lie in defining roles and responsibilities
to improve engagement with EHS ORM activities will need to be
for ORM-related processes. To address this gap we are seeing
connected to overall operational excellence programs.
companies take the steps below to change the culture:
1.
Identifying risk management as a key corporate
initiative supported by the executive team.
TABLE OF
CONTENTS
SECTION
1 2
3 4
2.
3.
Creating a corporate risk management role.
Formalizing the risk management process and
integrating it into existing management systems.
But first it
4.
Building cross-functional teams to support risk
management across the organization.
is imperative to
understand
best-in-class
ORM processes.
SECTION 3
Understanding the
Operational Risk Management
(ORM) Process
Understanding the ORM Process
PAGE
THE EVOLVING RELATIONSHIP
BETWEEN EHS AND OPERATIONAL
RISK MANAGEMENT
17
TABLE OF
CONTENTS
SECTION
1 2
3 4
The ORM process ultimately maps to the framework we see in many
adverse events. For example, with respect to EHS processes, it is
continuous improvement cycles, except in ORM the terms need to
as important for companies to track how robust particular pro-
be tweaked to align better to how risk management works broadly.
cesses are—if the audit schedule is being followed or if incident
The ORM process proceeds across four cyclical steps, namely: Iden-
root causes are recurring, for example—as it is to track actual ad-
tify-Assess-Control-Monitor and Respond.
verse events such as lost time or incidents.
• Identify: This involves establishing an overall risk register that in-
In general these actions come in several well-defined forms. First
cludes hazards, proactive controls, adverse events, reactive controls,
and foremost, companies should focus on the proactive, which means
and consequences. It is fundamentally important to classify hazard
improving controls or transferring risk in one way or another. Some
categories across people, processes, assets, suppliers, and products.
examples of improving controls include enhancing capabilities in EHS,
• Assess: In the ORM assessment stage, companies establish the
likelihood that specific adverse events will occur based on the existing hazards and established controls, as well as the impact that
would occur if an adverse event actually occurred. By quantifying
adopting new safety systems, or becoming more predictive in maintenance practices. Of course, risk can never be completely eliminated, and when an adverse event does occur reactive controls must be
deployed, such as emergency response plans or product recall plans.
the likelihood and impact of particular adverse events, rankings in
the form of risk heat maps or other tools can be established. Gov-
IDENTIFY
ernance policies for risk thresholds should also be established,
which are critical for guiding actions in later stages.
• Control: Once risk assessments have been conducted and thresholds identified, manufacturers must make investments in both
proactive and reactive controls in order to draw particular adverse
events below the risk tolerance threshold. This can include elimi-
MONITOR
AND
RESPOND
ORM
Process
Framework
nating, mitigating, or accepting specific risks.
• Monitor & Respond: No matter how well a company does in the
first three stages of ORM, processes need to be monitored and
responded to on an ongoing basis. It is critical to establish metrics
to track the health of controls, including the occurrence of actual
CONTROL
ASSESS
Understanding the ORM Process: Identify
PAGE
THE EVOLVING RELATIONSHIP
BETWEEN EHS AND OPERATIONAL
RISK MANAGEMENT
18
TABLE OF
CONTENTS
1. Identify
The beginning or any ORM process starts with identifying possi-
risk register for further analysis and prioritization. All identified
ble risks that may affect all key aspects of operational performance
risks need to be incorporated into the risk register, in preparation
and thereby possibly manifest in the adverse events we have dis-
for the risk assessment phase, where the risk register will be used
cussed in this paper and result in negative consequences. This can
to help evaluate risk according to likelihood and impact.
include risks across all organizational activities, including those
As we have seen in LNS Research data, while half of surveyed
typically ‘owned’ by suppliers and vendors. The process must be
manufacturers have currently implemented the capacity to iden-
thorough and continuous, and is virtually never complete since it is
tify risk factors, a full third have no plans to achieve this capacity,
a part of a cycle of continuous improvement.
which is concerning, since it is an essential element of improving
The identification stage begins with a thorough analysis of
operational excellence and driving business value.
where any risk factors might reside, and honing in on identified
individual risk factors so they can eventually be catalogued in a
SECTION
1 2
3 4
Ability to Identify ORM Factors
50%
Currently Implemented
33%
Not Planned
17%
Planned Within 1 Year
0%
10%
20% 30%
40%
50%
60%
Understanding the ORM Process: Identify
PAGE
THE EVOLVING RELATIONSHIP
BETWEEN EHS AND OPERATIONAL
RISK MANAGEMENT
19
TABLE OF
CONTENTS
SECTION
1 2
3 4
Understanding the ORM Process: Assess
PAGE
THE EVOLVING RELATIONSHIP
BETWEEN EHS AND OPERATIONAL
RISK MANAGEMENT
20
2. Assess
The second stage involves building a risk register that assesses
loss of their experience, knowledge and time on the job; it also means
defined risks according to their associated likelihood and impact.
payroll costs associated with FTEs, compensation costs, potential legal
From there, we can prioritize risks according to whether we can
fees, injury and illness costs, noncompliance costs and more. But let’s
classify them as intolerable, tolerable, or negligible. Of course,
isolate the cost of the incident from the fact of the incident itself.
no clear risk that affects organizational performance is ever truly
In the assessment phase of the ORM process, the adverse event—
acceptable, but with limited bandwidth and the sheer volume of
in this case a forklift accident—leads to reactive controls, such as
risks that can arise during the assessment phase, we have to assess
emergency response and contingency plans. These feed into and
which risks are more ‘tolerable’ than others in order to apply our
attempt to mitigate the consequences mentioned above—financial
resources accordingly.
and otherwise—including loss of customers, brand damage, regula-
A well-developed risk register will feed information directly
TABLE OF
tory consequences, and more.
CONTENTS
into the assessment of risk levels associated with specific adverse
On the other side of the coin, we have the opportunity to assess
SECTION
events. A range of tools can be used to build out risk assessment
hazards proactively according to the likelihood of an adverse event,
1 2
3 4
capabilities. At this stage we can also leverage the fishbone ap-
and implement proactive controls to minimize the potential of occur-
proach mentioned earlier and draw cross-linkages as seen in the
rence of such adverse events. The math behind this analysis will be
diagramon the following page.
multifaceted and potentially complicated depending on the scope
In our risk register (an example of which is seen on the following
and complexity of operations, but in the instance of this hypothetical
page) we essentially want to begin by looking at the central element:
forklift incident, we might look at training, asset health, behavior-
the adverse event. These events can range from mild to severe, and
al aspects, and other elements to determine what kind of proactive
how we approach them will be defined later, as we define risk toler-
controls we need to implement.
ance thresholds. But here, let’s take an adverse event and look at how
it factors into the risk register.
Once we have determined the controls that need to be applied,
we can parse them according to various aspects of enterprise perfor-
For example, a forklift mishap might result in the injury of an employ-
mance, from EHS management, to asset performance management, to
ee, and resultant lost time—a costly proposition for any company, given
safety instrumented systems (SiS) and beyond. The proactive controls
the absence of the affected employee means not only the temporary
mirror the reactive controls we implement after an adverse event has
Understanding the ORM Process: Assess
PAGE
21
already happened in anticipation of that adverse event occurring. The
eliminating the resultant fees, fines, and other negative impacts asso-
proactive controls are ultimately more cost effective as they minimize
ciated with these sometimes devastating events.
THE EVOLVING RELATIONSHIP
BETWEEN EHS AND OPERATIONAL
RISK MANAGEMENT
the potential of costly adverse event actually occurring, thereby nearly
TABLE OF
CONTENTS
SECTION
1 2
3 4
Understanding the ORM Process: Assess
PAGE
THE EVOLVING RELATIONSHIP
BETWEEN EHS AND OPERATIONAL
RISK MANAGEMENT
22
TABLE OF
Hazards: These are risk-related factors that can lead to adverse
Reactive Controls: These are the plans and processes we implement
events. In the case of loss of containment of hydrocarbons, hazards
to minimize the consequences when an adverse event does occur.
could be considered such things as leaking valves, corroded pipes,
When an adverse occurs and we do not have robust ORM protocols
and more. In a robust risk management model, hazards include
in place, we have to process reactive controls, and then deal with the
anything that could lead towards an adverse event. This goes right
consequences of a lack of proactive measures. Two key reactive con-
from the plant design process to evaluation of assets (e.g. in terms
trols include emergency response and contingency plans.
of vibration, corrosion, viscosity and leaks) to supplier assessment
and evaluation.
Consequences: Consequences are the result of an adverse event
when an adverse event does occur. Consequences can be qualitative,
Proactive Controls: Sometimes described (on an inverse basis)
or directly linked to direct, quantifiable metrics, including immedi-
as ‘Barriers,’ Proactive Controls actually describe how we manage
ate and lifecycle financial impacts. The vast consequences of adverse
posed hazards on a proactive basis. For example, proactive incident
events can manifest in things such as:
CONTENTS
management and Management of Change (MoC) are but two ele-
SECTION
ments of proactive controls we can better manage to improve overall
1 2
3 4
risk management. The main purpose of proactive controls is to reduce the likelihood of a hazard causing an adverse event. Some are
mandated by regulations and some are voluntary, but either will feed
into Operational Excellence.
Adverse Events: These ultimately concern something that has actually occurred, or can theoretically occur. They also form the lynchpin
of the risk matrix, whereby we define how hazards flow into adverse
events, and how we react to such events after they have occurred.
For example, from a safety standpoint, a proactive control might
be machine guarding where the associated adverse event might be
hand injury. There is essentially a cause-and-effect relationship between hazards and adverse events, and risk matrices help us define
and categorize these relationship.
• Loss of life/fatalities
• Loss of customers
• Fines, penalties, and legal fees
• Reduced brand equity, and more
Understanding the ORM Process: Assess
THE EVOLVING RELATIONSHIP
BETWEEN EHS AND OPERATIONAL
RISK MANAGEMENT
23
TABLE OF
CONTENTS
The math behind how to define risk-tolerance thresholds will
where both broad and specific adverse events can be placed
be specific to every business. As with this diagram, mapping the
within the risk threshold. This will help us prioritize risks and
magnitude of impact, financially and otherwise, of an adverse
proactively control (and thereby minimize) adverse events.
event, with the likelihood of its occurrence will help determine
Near Miss
LIKELIHOOD
PAGE
Lost Time Accidents
Risk Tolerance
Threshold
SECTION
1 2
3 4
Asset Failure
Product Failure
Releases
Product Recall
Non-Compliance
Spills
Explosions
IMPACT
Understanding the ORM Process: Control
PAGE
24
3. Control
Once we have assessed and prioritized, we must implement
THE EVOLVING RELATIONSHIP
BETWEEN EHS AND OPERATIONAL
RISK MANAGEMENT
proactive and reactive controls to mitigate the likelihood of adverse
risk levels are deemed ‘unacceptable’, we have to improve controls
or transfer risk to other purviews, departments or partners.
events, based on probability of occurrence and intensity of impact.
Improving proactive controls is the most critical piece of the
There’s an enormous importance in being proactive about accepting
overall control process and it ought to be aligned to the pervasive
the probability of the occurrence of events that lie outside of the
continuous improvement initiatives that have already been
risk threshold and ensuring your organization does not passively
established within the organization. Integrated, enterprise software
or even unknowingly accept unacceptable risks. This is a matter of
tools that align EHS, APM and Enterprise Quality Management
explicitly accepting risks that fall within your defined risk threshold
Software (EQMS) will be essential to improve proactive controls.
as opposed to reacting to implicit risk where it resides. Wherever
TABLE OF
CONTENTS
SECTION
1 2
3 4
ACCEPT RISK
MITIGATE RISK
Improve controls
Share with
partners
transfer
to others
RESPOND TO
ADVERSE
EVENTS
Implement
reactive controls
Understanding the ORM Process: Monitor and Respond
PAGE
25
4. Monitor and Respond
Though we may have implemented controls, it
PROCESS HEALTH
THE EVOLVING RELATIONSHIP
BETWEEN EHS AND OPERATIONAL
RISK MANAGEMENT
is not enough to assume these controls are in and
of themselves effective. Risk may hide and nest
in any corner of vulnerability it finds. Therefore
we must apply a continuous cycle of monitoring
60
EH&S
80
100
120
40
140
20
0 MPH
and responsive actions around the very controls
Incidents
Audits
•
160
Lost Time Accidents
•
we implement.
To that end, for every control that is put in
place, there has to be a process health metric
60
CONTENTS
responded to when performance drops, in the
SECTION
name of averting a possible adverse event. This
1 2
3 4
ought to occur across EHS, EAM, Quality, PLM,
140
•
Audits
Down Time
•
160
Mean Time to Failures
60
80
100
120
40
EQMS
140
20
0 MPH
Open CAPA
al performance where risks have been identified,
health will fundamentally contribute to process
120
20
Work Orders
•
Audits
Scrap
60
PLM
160
•
Recalls
80
100
120
40
140
20
0 MPH
performance and, in the spirit of the ORM pro-
Stage-Gates
•
Audits
OSHA
100
0 MPH
Safety Systems, and all other aspects of operationassessed, and (presumably) controlled. Process
80
40
EAM
that is continually evaluated and scrutinized and
TABLE OF
PROCESS PERFORMANCE
160
New Product Introduction
•
cess cycle, these performance results have to be
linked back to performance estimates developed
at the assessment stage of the cycle. This will help
us build more accurate performance assessment
calculations into future ORM cycles.
60
SAFETY
SYSTEMS
80
40
100
120
140
20
0 MPH
Alarms
•
Audits
Shutdowns
160
•
OSHA
Budget
SECTION 4
Supporting Risk Processes
and Getting Started with
ORM Software
Supporting Risk Processes with ORM Software
PAGE
27
ORM is often implemented where an Enterprise Application landscape already exists. It can manifest as a standalone product that
EQMS
THE EVOLVING RELATIONSHIP
BETWEEN EHS AND OPERATIONAL
RISK MANAGEMENT
integrates closely with EHS applications, or it can be provided as
TABLE OF
part of a broader EHS application.
It’s important to highlight the role of EHS in this regard since
some hazards and controls are EHS-related, while others—as high-
ERP
lighted earlier—relate more to quality, product, maintenance, and
asset performance.
It is clear that cultural investment in ORM and supporting processes will only take us so far. Additionally, we need ORM software
tools that support processes and facilitate user adoption and en-
Product Lifecycle
Management (PLM)
REACH/RoHS/Weee
Conflict Minerals
Design for Quality /
Manufacturability
Product
Stewardship
Enterprise Quality
Management
System (EQMS)
NC/CAPA • Audits
SOP/GMP/HACCP
SQM/PPAP
Customer
Complaint
EHS
Reporting, Analytics, Configurability,
Mobility, Interoperability
CONTENTS
gagement, thereby helping to fuel organizational risk culture. The
SECTION
pitfalls associated with disparate systems and poor data collection
1 2
3 4
and reporting speak directly to the success of ORM initiatives. For
ASSESS: Analytics &
Quantification
example, too often companies attempt to manage risk across an ar-
CONTROL: Accept, Mitigate,
Transfer
ray of spreadsheets and unintegrated software systems.
Successful ORM programs need the right mix of collaboration,
maintainability, data accuracy, analysis tools, among other elements.
However, as we know, the challenges of integrating newly acquired software tools with existing systems can be vast. Managing
an array of manual, disparate tools presents an array of barriers and
the failure costs of poorly executed implementations and weak integrations can be highly problematic.
Chosen wisely and implemented efficiently, the right ORM software can become the connective tissue that will ultimately help to
foster a robust ORM program.
Operational Risk
Management
IDENTIFY: Risk Register
SAFETY
SYSTEMS
Asset and environmental
monitoring
Process monitoring
MONITOR & RESPOND:
Role based KPI
dashboards with
drill down &
decision support
ERP
CRM
Crisis Management
Sentiment Analysis
Product Service
and Support
Process Automation
Incident management
Task management
Management of change
Standard Operating
Procedures (SOP)
OSHA/Work Permit management
Personal Protective Equipment (PPE)
Industrial hygiene
Machine guarding
Ergonomics • MSDS
Enterprise Asset
Management (EAM)
Electronic Work
Instructions
Calibration Monitoring
MOM
In-Line and
At-Line Testing
Energy management
NC Reporting
Proactive/Predictive
Maintenance
Supporting Risk Processes with ORM Software
PAGE
28
ORM Software generally maps to the ORM process we identified
in the previous section, except it breaks down and assigns various
TABLE OF
CONTENTS
SECTION
1 2
3 4
• Identify: Build out a hazards and control register
Operational Risk Management Software
• Assess: Gauge likelihood against impact
and map to risk tolerance
IDENTIFY:
• Control: Accept, mitigate, or transfer
(transfer or control)
Hazards and
Controls Register
• Monitor & Respond: Use role-based KPIs
to drill down on analytics and
establish decision support.
ASSESS:
MONITOR & RESPOND:
Analytics and Quantifications
Role based KPI dashboards with drill down
and decision support
LIKELIHOOD
PROCESS HEALTH
PROCESS PERFORMANCE
60
EH&S
40
20
0 MPH
80
IMPACT
LIKELIHOOD
THE EVOLVING RELATIONSHIP
BETWEEN EHS AND OPERATIONAL
RISK MANAGEMENT
aspects of the overall ORM process cycle.
100
120
140
160
IMPACT
CONTROL:
Accept,
Mitigate, or Transfer
ACCEPT
MITIGATE
RESPOND
Supporting Risk Processes with ORM Software
PAGE
THE EVOLVING RELATIONSHIP
BETWEEN EHS AND OPERATIONAL
RISK MANAGEMENT
29
When we look at LNS research data on the top 5 areas manufac-
3. Build out a risk register that is focused on hazards and controls.
turers view as most critical to success, Risk Management comes in
A Risk Register can be thought of as the nexus for all risk-based
at number one, with 25 per cent of survey respondents indicating
considerations across operations and enterprise-level functions. It
it was the most critical factor. Data collection and reporting follow
essentially helps record, categorize, prioritize, and respond to the
in a close second at 23 per cent, showing that as companies seek
biggest risks we encounter.
to improve risk management capabilities as a top priority, they still
struggle to effectively collect and report on essential EHS data.
processes with ORM software.
Existing or planned Enterprise Resource Planning (ERP) tools
CONTENTS
will be critical for connections to master data and become the de
SECTION
facto system of record.
1 2
3 4
but also ensure its framework speaks to broader enterprise-level risk.
In the face of these factors, let’s look at six ways to support risk
ought to inform what kind of ERP solution you implement, as they
TABLE OF
Ensure your Risk Register is optimized to respond to local risks,
1. Establish a robust ORM approach that is supported by leadership:
This goes back to building top-down and bottom-up support for
ORM initiatives, but it also speaks to technology as well. Any manu-
Top 5 Areas of EHS Software Most Critical to Success
Risk
management
25%
Data collection
and reporting
23%
Training and
user adoption
11%
process of finding which solution will be right for the company.
Collaboration
and workflow
11%
2. Implement an ORM framework that pervades enterprise applica-
Metrics
visualization
and analytics
facturer will need strong executive buy in and engagement with the
tions, and extend it into other management software capabilities. If
you have standalone ORM capabilities, integrate with other enterprise applications.
If you have an existing ERP system, look for a global risk solution
that can be embedded across all management system capabilities.
10%
0%
5%
10% 15% 20%
25%
Supporting Risk Processes with ORM Software
PAGE
30
4. Link the Risk Register across all ORM processes (assess, control,
6. Integrate site/plant-specific risk with enterprise risk (compli-
monitor and respond) tied to EHS, but also other organizational
ance-based risk versus site-specific risk i.e. permit, contract legal)
THE EVOLVING RELATIONSHIP
BETWEEN EHS AND OPERATIONAL
RISK MANAGEMENT
management system ‘silos’, for example, APM, MOM, QMS.
TABLE OF
As discussed, risk management for too long has been reactive and
embedded only into individual processes.
on commonalities.
It is one thing to manage operational risk at the site level. But frequently one identified risk at one plant can be mirrored at a multitude
5. Extend to other types of hazards and controls – safety system,
of other plants around the globe. A robust operational/enterprise
maintenance, quality, product, etc.
risk management framework can take plant-based risk responses
The hazards identified and controlled along the lines of a robust
and feed them back into the enterprise system, so other plants apply
risk management framework within an EHS environment can be
the Identify-Assess-Control-Monitor framework in advance of any
as appropriately applied in other areas of enterprise management.
adverse events occurring at their sites.
CONTENTS
Take the hazards and controls that have been built out in EHS risk
SECTION
management and apply them appropriately in other management
1 2
3 4
Build site-based risk profiles and extend to different sites based
system contexts.
Conclusion
PAGE
31
As we have seen, the realm of ORM is rapidly expanding and pervading
in risk management, establishing best-in-class ORM processes, and
all aspects of enterprise management. Between emerging EHS compli-
supporting risk processes with the right ORM software.
THE EVOLVING RELATIONSHIP
BETWEEN EHS AND OPERATIONAL
RISK MANAGEMENT
ance requirements, new EHS management system standards, and customer demands, it is no longer acceptable to not effective and systematically address risk throughout operations (and ultimately the enterprise).
ORM technology is an essential piece of the pie, but an effective
ORM program needs to be endorsed and coordinated from by ex-
Paul Leavoy, EHS Research Analyst
ecutive leadership, and engaged at a grassroots level. People across
paul.leavoy@lnsreseach.com
the organization, especially within EHS functions, need to know the
Matthew Littlefield, President and Principal Analyst
meaning of ORM, and this will only emerge from thorough and con-
matthew.littlefield@lnsresearch.com
stant communication and endorsement of an ORM program.
TABLE OF
CONTENTS
SECTION
1 2
3 4
Authors:
The ORM process is a cyclical program rooted in continuous
Presented by:
improvement and, fundamentally, never ends but always improves, thereby saving lives, minimizing environmental impacts,
and improving bottom-line performance.
Software is a fundamental component of overall ORM, and when
well-integrated with ERP systems, plants can speak effectively to the
enterprise, and vice versa. But ORM software is best implemented
when it is supported by leadership, has a sound risk software strategy behind it, leverages existing software best practices and frameworks, and links to enterprise risk management overall.
The evolving relationship between EHS and ORM is ultimately
driven by the increasing codification of risk into EHS-related regulations and standards; the excessive costs and visibility of EHS-related
risk management executed poorly; and the brand equity impacts of
bad risk management. However, these negative aspects of poor ORM
SAP is a market leader in enterprise application software and
at the center of today’s business and technology revolution. It
works with more than 291,000 customers worldwide with the
goal of helping them collaborate more efficiently and use business insight more effectively. SAP also attempts to help organizations of different sizes and industries overcome the complexities that affect businesses, jobs, and lives. With ‘Run Simple’
as its current operating principle, SAP’s nearly 75,000 employees
try to help the world run better and improve people’s lives. Learn
more about its Environment, Health, and Safety Solutions here:
www.sap.com/sustainability
can be mitigated by understanding the role of culture and leadership
© LNS Research, 2015. All Rights Reserved.