ERM vs. ORM – What is the difference? (Part 2)

June 5, 2019

In Part 1 of the series on ERM vs. ORM, we discussed the difference between Enterprise Risk Management (ERM) and Operational Risk Management (ORM). In Part 2 we discuss Risk Management in more depth.

One of the new buzz phrases is Operational Risk Management (ORM). Many viewpoints hold that Environment, Health & Safety (EHS) and compliance programs are the core fabric of ORM. Unfortunately, most "safety cultures" miss the key points of true enterprise-level risk management.

When we talk about risk management, we've found that most companies focus on incident investigations, because companies tend to take a short-term view of risk with a focus on EHS events. There are reasons for this phenomenon. For instance, API 754 is a recommended practice published by the American Petroleum Institute with a focus on incident reporting. A core premise of API 754 is that the more small events you can detect, the more likely you are to see the "big one" setting up in your culture. But again, the focus is on EHS events. This mentality can encourage companies to focus on "safety" rather than "risk".

Think about reliability engineering. In some cases, the consequence of a piece of equipment failing is an acceptable outcome. In those scenarios, you can let that piece of equipment run to failure. That thinking leads us to define Risk Management as determining ranges of acceptable risk tolerance within an organization – which risks must be managed, and in what ways, to keep the organization's overall risk profile within its defined acceptable parameters? Once risks are assessed, they can be prioritized and then managed accordingly. The outcome across a fleet is a risk registry.

Company boards set business performance objectives. To meet these objectives, organizations must manage their risk responsibly to avoid putting their privilege to operate in peril. For this goal to be met effectively, we must establish a "risk tolerance" that we operate within. Risk tolerances are typically made acceptable by adopting a series of technical and administrative safeguards. Part of monitoring these safeguards includes risk assessments to determine what hazards are present and whether we are managing them within the acceptable risk tolerances. We can add safeguards as needed to manage potential events, but reducing the severity of those potential events is a lot more difficult to address.

While many companies are achieving record low incident rates, commonly measured by metrics like total recordable incident rate (TRIR), the severity of the incidents that do occur is often more pronounced. In fact, we are seeing the oil and gas and chemical industries approach record low TRIR in many cases, but we are also seeing safety performance start to plateau. Companies need to reach deeper to improve safety performance. In particular, human engineering is an area that companies need to evaluate if they want to make further sustainable improvements in their safety culture. We'll delve deeper into that aspect in Part 4 of this series.

To make risk management more practical, companies need to broaden their view of risk management to include other, non-EHS business areas such as supply chain, operations, maintenance, capital projects, and engineering. The outcome is a risk registry that looks at all operational risks through a lens that creates a level playing field. Companies typically use a risk ranking matrix to apply consistent criteria to each risk. The same matrix can then be applied across a broad range of risk categories.

How do you create a Risk Management profile?

If you're starting the journey or just need improvement in your Risk Management Program, have you considered the following:

  1. Creating a single risk matrix that can be applied to all risk criteria
  2. Creating categories of risk that need to be managed (e.g. Engineering, Operations, EHS)
  3. Identifying Risk Controls
  4. Creating Risk Indicators
  5. Creating an initial small group of risk criteria
  6. Creating an overarching risk registry and tracking system to manage risks

If the answer is Yes, you have begun the journey to establish a Risk Management Program.