February 5, 2019
One of the new buzz phrases is Operational Risk Management (ORM). Many viewpoints seem to hold that Environment, Health & Safety (EHS) and compliance programs are the core fabric of ORM. Unfortunately, most "safety cultures" miss the key points in true enterprise-level risk management:
The disconnect exists because a clear focus on EHS does not equate to true risk management. Enterprise Risk Management, or ERM, seeks to holistically identify the possible outcomes of interactions across an organization, and also to evaluate the probability and impact of those outcomes.
ERM involves the systematic identification, assessment and mitigation of risks that could impact an organization. This includes a framework for strategic planning and operational processes coupled with effective decision support processes and tools. Risk is defined as any event that impacts a company's ability to meet its objectives. That would include production losses and lost opportunities.
The goal of ERM is to mitigate financial, operational, and compliance risks to an acceptable level through policies, systems, and procedures. At the end of the day, every type of risk has a financial component because risk can impact a company's privilege and ability to operate. Therefore, ERM components are often interrelated.
ORM is a subset of ERM. More specifically, ORM addresses operational and compliance risks. In traditional ERM versus ORM language, ORM is focused on everything that is non-financial in nature… although as we've discussed, in reality all types of risk have the potential for financial impact.
The current view of ORM that seems to permeate the analyst community is primarily focused on traditional EHS compliance tactics and challenges such as Audit, PHA, Incidents, and Corrective Action Management. Sometimes other tools such as bow-tie analysis or work permitting are added into the viewpoint… but the focus is still firmly on traditional, siloed tactics specific to EHS or compliance activities. Because EHS and compliance do not focus on the risk of production loss through inefficiencies, poor asset management, workforce competency, and conduct of operations, the typical EHS-first view of ORM does not address real risks that can have significant impact on an organization's future.
Companies wanting to properly address ORM challenges must move beyond after-the-fact, results-based EHS tools to a comprehensive, integrated viewpoint.
Four key areas need to be addressed:
Many companies are attempting to leverage legacy EHS IT solutions, but they lack functionality beyond "ORM Basics," and do nothing to help companies achieve Operational Discipline, leading to Operational Excellence.
Defining and using an accurate, comprehensive risk registry as threats emerge in real time is integral to making this paradigm change. Realistically, companies are going to need to re-architect their data to move it out of data silos so the resulting interoperability of business processes can improve governance and auditability. It sounds daunting, but help is available. Once you understand the relationship between ORM and ERM, the benefits of an integrated, holistic approach become clear.