Organizational Risk Profiling – Bridging the Gap Between Risk and Executive Decision Making

Published: 2018

By Nathan Turner, Ehsan Akhavan and Khaled Metwally, dss+; Mark Hause, DowDuPont

All too often, thoughts on how best to manage a company’s exposure to risk vary significantly between process safety professionals who see risks on a near daily basis, and executives who, though they understand the presence of risk within the organization, must also give their attention to numerous other factors impacting the company’s well-being.

This disconnect is clearly evident in a recent global survey of executives in high-hazard industries conducted by dss+ (Figure 1 on the PDF). The survey found that executives recognize they are not devoting enough resources and capabilities to effectively manage the risks that exist within their companies. Executives also acknowledge there is a significant organizational disconnect and misalignment between leadership and employees with respect to risk management, which contributes to the likelihood of a catastrophic event.

Unfortunately, when executives attempt to overcome this disconnect, their actions, though well-intended, don’t always result in improved risk mitigation and performance within the organization. Some executives may respond to poor risk management results with a reflexive “shoot the messenger” approach, which contributes to non-transparent communications and secrecy to avoid similar tongue lashings in the future. Other executives may attempt to demonstrate increased ownership of and interest in risk mitigation, but in the process inadvertently usurp control of the decisions and work processes of the company’s process safety experts. Most executives tend to respond with a rapid-fire sequence of new initiatives and blind resourcing, but such responses can have a detrimental impact on the company’s capabilities, knowledge absorption and morale without achieving any of the desired effects.

Executives have also looked to many tools that have been created to better manage risk within their organization, such as process hazard analyses and enterprise risk management practices. While tools such as these help to identify and catalogue sources of risk, they don’t take into account controls that may be in place and how well those controls are maintained, which is necessary to understand how well the organization is managing risk. Also, elaborate KPI dashboards are often constructed to indicate where a site, region or business line is struggling. But while KPIs are a vital part of any robust governing process, they cannot serve as a substitute for on-site auditing.

While each of these techniques and tools can help connect executives to the risks within the company, each has its limitations. Fundamentally, when it comes to risk governance most executives need answers to these questions:

  1. Where are the company’s biggest risks located?
  2. How can I be confident those risks are being adequately addressed?
  3. What else needs to be done to effectively mitigate these risks?

Answering these questions requires moving away from thinking about risk in a linear fashion, without prioritization. Rather than simply considering risk in terms of identification, quality of control, and resulting likelihood of occurrence, it is more effective to look at aggregate and individual risks relatively, which means focusing more on higher risks and troublesome assets, and giving less attention to others – in other words, risk profiling.

Risk isn’t universally defined. Organizations face a wide spectrum of potential risks, ranging from high frequency/low severity risks to low frequency/high severity risks, and everything in between. Risk profiling is a means to collect and assess relative risk level based on a set of criteria across competency areas and sites (units and assets) to enable differential risk treatment decisions. This informs and drives priorities, EHS actions, capability development needs, clarity on risks and investments at the site level, and audit plans, investments, leadership action, corporate EHS programs and asset prioritization at the corporate level. This method places risks in a real-time prioritization tool for management and integrates inherent hazards and dynamic factors (such as frequency of high hazard operations activities and personnel changeover) to help management focus efforts and attention on highest risk sites and singular risks.

Developing a tailored risk profiling tool for an organization requires understanding and identifying the following key components (Figure 2 on the PDF):

  • Inherent Hazards – Hazards or complexities that are integral to the process or system that create potential for injury, illness, incident, or non-compliance. This could include chemical hazards, physical hazards, regulatory complexity, etc.
  • Dynamic Risk (Internal and External) – Internal changes to the activity that create the potential for additional hazards or complexity, or likelihood of injury, illness, incident, or non-compliance, which can include technical, personnel, or process changes. Also, external changes to the process or system that create potential for additional complexity or negative impact, which could include proximity to the community, natural receptors, natural resource shortages, transportation risks, community relations, etc.
  • Management Systems – Leading metrics and controls that measure the strength of the system or process in managing the risk, such as certifications, time to close audit findings, near misses, repeat audit findings, capability of personnel vs. requirements, training, etc.
  • Performance – Lagging metrics that measure the performance of the system or process in managing the risk, including injuries, illnesses, deviations, incidents, non-conformances, etc.

Once the parameters of the above components are defined based on the individual company, data must then be collected (Figure 3 on the PDF). This involves establishing an iterative process where the organization’s assets annually provide a selected set of metrics along with other gathered data for loading into the risk profiling tool. Then, the resulting profiles are examined and regular action planning begins. This process is repeated on a regular basis, and over time, as risk sources and risk controls (including action plans) change, the prioritization of the assets changes correspondingly.

The result is a tool that illustrates in one simple view how executives can efficiently prioritize resources against assets with the highest risk. In the example shown in Figure 4, each dot plotted in the graph represents a different company asset with a composite risk profile (including occupational safety, environmental risks, process safety, etc.). Depending on where assets are plotted on the graph, executives can clearly see those assets that require immediate attention, and those that do not. Site HSE professionals can also use this tool to focus on site level improvement initiatives. 

Over time, numerous benefits of such risk profiling become apparent. For example, companies may discover that similar assets experience a high variability of risk, indicating that personnel at those sites may have a different understanding of requirements and metrics for activities at those locations. Also, HSE professionals within a company can use the data to evolve from being perceived as auditors and policy makers to consulting and support teams, which can reduce tension among the various functions and encourage collaborative problem solving.

Risk mitigation is a key concern among corporate executives, but it is one of many. Presenting information about a company’s risks to the C-suite must be done in a way that enables executives to quickly understand and prioritize those risks that require attention so decisions can be made accordingly. This makes risk profiling a useful tool to help executives focus and expedite risk mitigation initiatives and resources without overwhelming the rest of the organization with unnecessary data collection or tasks.

Nathan Turner is Senior Manager, Ehsan Akhavan is Principal, and Khaled Metwally is Senior Manager with dss+. Mark Hause is Senior Manager HSE Systems & Risk Management, DuPont.