By Nathan Turner, Ehsan Akhavan and Khaled Metwally, DuPont
Sustainable Solutions; Mark Hause, DowDuPont
All too often, thoughts on how best to manage a company’s exposure
to risk vary significantly between process safety professionals who
see risks on a near daily basis, and executives who, though they
understand the presence of risk within the organization, must also
give their attention to numerous other factors impacting the company’s
This disconnect is clearly evident in a recent global survey of
executives in high-hazard industries conducted by DuPont Sustainable
Solutions (Figure 1 on the PDF). The survey found that executives
recognize they are not devoting enough resources and capabilities to
effectively manage the risks that exist within their companies.
Executives also acknowledge there is a significant organizational
disconnect and misalignment between leadership and employees with
respect to risk management, which contributes to the likelihood of a
Unfortunately, when executives attempt to overcome this
disconnect, their actions, though well-intended, don’t always result
in improved risk mitigation and performance within the organization.
Some executives may respond to poor risk management results with a
reflexive “shoot the messenger” approach, which contributes to
non-transparent communications and secrecy to avoid similar tongue
lashings in the future. Other executives may attempt to demonstrate
increased ownership of and interest in risk mitigation, but in the
process inadvertently usurp control of the decisions and work
processes of the company’s process safety experts. Most executives
tend to respond with a rapid-fire sequence of new initiatives and
blind resourcing, but such responses can have a detrimental impact on
the company’s capabilities, knowledge absorption and morale without
achieving any of the desired effects.
Executives have also looked to many tools that have been created to
better manage risk within their organization, such as process hazard
analyses and enterprise risk management practices. While tools such as
these help to identify and catalogue sources of risk, they don’t take
into account controls that may be in place and how well those controls
are maintained, which is necessary to understand how well the
organization is managing risk. Also, elaborate KPI dashboards are
often constructed to indicate where a site, region or business line is
struggling. But while KPIs are a vital part of any robust governing
process, they cannot serve as a substitute for on-site auditing.
While each of these techniques and tools can help connect executives
to the risks within the company, each has its limitations.
Fundamentally, when it comes to risk governance most executives need
answers to these questions:
- Where are the company’s biggest risks located?
- How can I be confident those risks are being adequately addressed?
- What else needs to be done to effectively mitigate these risks?
This requires not thinking about risk in a linear fashion without prioritization. Rather than simply considering risk in terms of identification, quality of control, and resulting likelihood of occurrence, it is more effective to look at aggregate and individual risks relatively, which means focusing more on higher risks and troublesome assets, and giving less attention to others – in other words, risk profiling.
Risk isn’t universally defined. Organizations face a wide spectrum of potential risks, ranging from high frequency/low severity risks to low/frequency/high severity risks, and everything in between. Risk profiling is a is a means to collect and assess relative risk level based on a set of criteria across competency areas and sites (units and assets) to enable differential risk treatment decisions. This informs and drive priorities, EHS actions, capability development needs, clarity on risks and investments at the site level, and audit plans, investments, leadership action, corporate EHS programs and asset prioritization at the corporate level. This method places risks in a real-time prioritization tool for management and integrates inherent hazards and dynamic factors (such as frequency of high hazard operations activities and personnel changeover) to help management focus efforts and attention on highest risk sites and singular risks.
Developing a tailored risk profiling tool for an organization
requires understanding and identifying the following key components
(Figure 2 on the PDF):
- Inherent Hazards – Hazards or complexities that are integral to the process or system that create potential for injury, illness, incident, or non-compliance. This could include chemical hazards, physical hazards, regulatory complexity, etc.
- Dynamic Risk (Internal and External) – Internal changes to the activity that create the potential for additional hazards or complexity, or likelihood of injury, illness, incident, or non-compliance, which can include technical, personnel, or process changes. Also, external changes to the process or system that create potential for additional complexity or negative impact, which could include proximity to the community, natural receptors, natural resource shortages, transportation risks, community relations, etc.
- Management Systems – Leading metrics and controls that measure the strength of the system or process in managing the risk, such as certifications, time to close audit findings, near misses, repeat audit findings, capability of personnel vs. requirements, training, etc.
- Performance – Lagging metrics that measure the performance of the system or process in managing the risk, including injuries, illnesses, deviations, incidents, non-conformances, etc.
Once the parameters of the above components are defined based on the
individual company, data must then be collected (Figure 3 on the PDF).
This involves establishing an iterative process where the
organization’s assets provide annually a selected set of metrics along
with other gathered data for loading into the risk profiling tool.
Then, the resulting profiles are examined and regular action planning
begins. This process is repeated on a regular basis, and over time, as
risk sources and risk controls (including action plans) change, the
prioritization of the assets changes correspondingly.
The result is a tool that illustrates in one simple view how executives can efficiently prioritize resources against assets with the highest risk. In the example shown in Figure 4, each dot plotted in the graph represents a different company asset with a composite risk profile (including occupational safety, environmental risks, process safety, etc.). Depending on where assets are plotted on the graph, executives can clearly see those assets that require immediate attention, and those that do not. Site HSE professionals can also use this tool to focus on site level improvement initiatives.
Over time, numerous benefits of such risk profiling become apparent.
For example, companies may discover that similar assets experience a
high variability of risk, indicating that personnel at those sites may
have a different understanding of requirements and metrics for
activities at those locations. Also, HSE professionals within a
company can use the data to evolve from being perceived as auditors
and policy makers to consulting and support teams, which can reduce
tension among the various functions and encourage collaborative
Risk mitigation is a key concern among corporate executives, but it
is one of many. Presenting information about a company’s risks to the
C-suite must be done in a way that enables executives to quickly
understand and prioritize those risks that require attention so
decisions can be made accordingly. This makes risk profiling a useful
tool to help executives focus and expedite risk mitigation initiatives
and resources without overwhelming the rest of the organization with
unnecessary data collection or tasks.
Nathan Turner is Senior Manager, Ehsan Akhavan is Principal, and Khaled Metwally is Senior Manager with DuPont Sustainable Solutions. Mark Hause is Senior Manager HSE Systems & Risk Management, DuPont.