Ensuring that you are fixing the right risks with the budget you have available requires a careful and systematic planning. It seems very easy to fall into the mindset that managing risk is just about adding more barriers. We must be safer if we have more things, right? But should you keep adding barriers if those new barriers place a burden on the organisation?
Whether we like it or not, there is a cost associated with everything we do. Blindly adding barriers is not a good long-term strategy for an organisation. Managing risk is about understanding what you need, when you need it and making sure that what you have works.
Here are some steps you can follow to assess and address risks effectively, some of this is obvious, but are still worth repeating:
- Identify and prioritise risks: Begin by identifying potential hazards that could impact your project, organization, or desired outcomes. Conduct a risk review and categorise the risks based on their severity and likelihood. Rank your risks based on where they sit on your risk matrix. The key here is to be honest.
- Align risks with business objectives: Ensure that the risks you are addressing align with your organization's or project's objectives. It's crucial to focus on risks that have the potential to significantly hinder the achievement of your goals. Prioritise risks that are directly related to your core business functions or critical project milestones.
- Further define your ranked risks to get a deeper understanding: There are multiple tools to do this, but this is where the Bowtie method becomes very useful. Focus on the major accident hazards and understand what causes you to lose control over the hazard; what outcomes do you see when you do; what barriers prevent that loss of control; and what barriers help mitigate the outcomes. But don’t bowtie everything, set a criteria based on your risk ranking.
- Think ALARP (As low as reasonably practicable) with regular monitoring and evaluation: Implement a robust monitoring and evaluation process to track the progress of risk mitigation activities. Continuously review the effectiveness of your risk mitigation efforts and assess whether they are addressing the identified risks adequately. If necessary, adjust your strategies and budget allocations to optimize risk management.
- Involve Stakeholders: Engage relevant stakeholders throughout the risk management process. Seek their input and feedback on risk identification, prioritisation, and mitigation strategies. Involving stakeholders will help ensure that the right risks are being addressed and that the budget is being spent in a manner that aligns with their expectations and requirements.
- Learn from past experiences: Review past projects or similar endeavours to learn from previous risk management practices. Analyse what worked well and what didn’t and use those insights to refine your current risk management approach. Incorporate lessons learned and best practices to enhance the effectiveness of your risk mitigation efforts.
Focus on the ALARP approach
Let’s focus on regular monitoring and evaluation, especially thinking ALARP as this is where you generally spend your budget. ALARP approach, in a nutshell focuses on analysing if your barriers give sufficient risk reduction and if they don’t, on what next do you need to do.
Be practical when considering what to do about a shortfall. In other words: can you make the barriers you have more effective i.e., improve / fix what you have, then reassess your risk. If you are still falling short, think “what more can I do”.
There are two facets to think about when you consider doing more:
- When does your barrier function / operate?
- How diverse are they from each other?
When you start considering about when does your barrier function, you need to ask yourself if your barriers are:
- Eliminating cause?
- Preventing loss of control?
- Separating the outcome?
- Mitigating the outcome?
If you only have type 2 or type 4 barriers for example, then consider if you can add type 1 or/and type 3 barriers. The greatest risk reduction barriers are type 1, as they stop the causal chain from starting in the first place.
Then consider the type of barriers you are implementing at each position. If we use the “Bow Tie in Risk Management” (CCPS and EI, 2018) definitions on barrier type, those are:
- Active Human,
- Active hardware + human,
- Active hardware,
- Passive hardware,
- And Continuous hardware.
By defining the type of barriers, you can then diversify the barriers used in your risk management.
Here, the two ‘Preventing’ barriers are not diverse from each other. If the first barrier fails, will the operating team pick up on the second barrier?
But what if we replace the human element by an automatic action instead:
In this case, we see that having a function and diversity mindset of your barriers allows you to consider removing or replacing barriers that potentially do not add value.
Let’s consider the example below, what risk reduction value does two level alarms add?
Due to these common elements, Human Machine Interface and same operating team, the two barriers might not be as powerful and efficient in risk reduction as you would think.
When reviewing the history of the second alarm, we saw it was installed because the first alarm didn’t function as intended. The high-level trip was then added, meaning that during the regular monitoring and evaluation cycle, the second alarm barrier efficiency was not properly questioned.
You need to ask yourself this question during your risk review cycle: ‘Is having more barriers with issues better than having less barriers that are well managed and fit for purpose?’. The answer is usually “No”.
Remember, risk management is an ongoing process, and it requires flexibility and adaptability. You have to regularly review and update your risk management plans as new and existing risks constantly emerge and evolve.