Mitigating Risk to ALARP Levels Through Operational Risk Management

June 10, 2020

By Dan Miklovic, Founder and Principal Analyst at Lean Manufacturing Research, LLC; and a member of The Analyst Syndicate.

In my post, “Operational Risk Management Taking on Heightened Importance," I talked about what operational risk management (ORM) is. I explained why it is critical, especially now with COVID-19 being such an issue. I also covered that the differences between ORM and Enterprise Risk Management (ERM), where business leaders tend to be focused these days, revolve around ERM's financial centricity versus ORM's holistic operational approach. As enterprises strive to bridge the process and organizational silos, they must have a playbook or plan to succeed. Yet, merely having the playbook isn't enough. There must be mechanisms in place to ensure that the plans are followed. Developing the ORM playbook and making sure it is followed is what will allow a business to mitigate risks to an acceptable level known as an “As Low As Reasonably Possible” (ALARP) level within their ORM program, while meeting core business objectives.

Management Plans and Systems Vital to ORM

A successful ORM program, as noted in my initial post, must be comprehensive in nature.  While it has at its foundation EHS elements such as audit, incident investigation, management of change, document management, and compliance reporting, it must also provide analysis capabilities and support applications across all disciplines, implying the need for mobility and scalability. ORM has an embedded strategy element, as well. Whether it is asset strategy, operations strategy, compliance strategy, or workforce strategy, a good ORM solution allows an organization to manage risk in multiple domains. While privilege to operate is a fundamental component of ORM, part of the paradigm shift to achieve optimal efficiency and profitability comes from focusing on operations and assets, not just “compliance.”

Graphic that shows the relationships of hazards, risks, and controls.

This is an adaptation of the Reason’s Model* and is not meant to be exhaustive or comprehensive and is used for demonstration purposes only to convey the relationship of hazards, risks, and controls.
(*Reason’s et al)

Since strategy is inherent in a successful ORM program, it dictates that planning – defined as formulating strategy, defining objectives and measurements, deriving tactics, then deploying forces and executing – is essential. The way to ensure ORM success, then, is to:

  1. Clearly articulate the organization's vision of how it will operate in the face of risk.
  2. Identify key performance indicators and metrics which allow the organization to gauge its success in meeting its strategic objectives vis-à-vis risk.
  3. Identify the people, processes, and technologies that are needed to achieve the objectives successfully.
  4. Select the right combination of people, processes, and technologies to most effectively enable ORM execution.
  5. Put in place the supporting systems to ensure that ORM is central to the organization's operation.

Central to the selection of the right technology is defining the systems of record, which serve as the enforcement mechanism, allowing ORM to become endemic.

Often Less is More

For many organizations, one of the biggest hurdles is having too many scattered ORM pieces.  Be they paper based, document and spreadsheet based, or scattered throughout the many applications deployed for operational control such as EHS, MES, APM, RCM and the other dozens of acronym soup solutions, many organizations often have many multiples of ways of doing the same tasks. This variety makes it virtually impossible for an organization to address its challenges. It is appropriate that the expression "less is more" is associated with the architect Ludwig Mies van der Rohe, since architecturally from an IT perspective, that is what is needed to be successful with ORM. Minimizing the number of disparate tools used to deliver your ORM capabilities is one of the surest paths to success. Without interoperability enabled through an ORM strategy, it will be difficult to improve efficiencies and support the real-time proactive decisions required to address the dynamic nature of risk.

You may contact the author at

To learn more about Operational Sustainability LLC’s breadth of ORM capabilities and how they support your ORM efforts, visit our ORM page.