Upload
meercatalex
View
215
Download
0
Embed Size (px)
Citation preview
7/25/2019 Safety in Design Paper A Live Picture of Organisational Risk by Linking Risk Management and Control Assurance
1/12
Session 2: A live picture of organisational risk by integrating risk management and control assurance
Safety in Design Conference 2015 IDC Technologies1
Session 2:
A Live Picture of Organisational Risk by IntegratingRisk Management and Control Assurance
Alex Aposto lou and Jodi GoodallMeercat Pty Ltd
Abstract
Bowties are an efficient, highly adaptable and well-accepted tool for the visualisation
and analysis of risk. Even to the untrained eye, the bowties map-like elements are
quickly intuited (overall shape, left-to-right flow of linked boxes, standard labels, etc.)
and help to define the risks dimensions, boundaries and interactions, encouraging
navigation, exploration, discovery and hopefully, preparedness.
However, by virtue of their scenario-based frame of reference there is often a great
deal of overlap within bowtie registers. Left unresolved in an assurance process, these
overlaps would increase the resourcing and verification burden unsustainably.
This case study provides an insight to the key learnings from the implementation of an
integrated risk management and control assurance program into an explosives and
chemicals manufacturing organisation with 65+ sites. Key amongst the objectives was
the creation of a live risk profile to best guide budgetary decision-making for risk
reduction, facilitating a more comprehensive understanding of current fatality risk and
control at all levels of the business in the most resource efficient manner possible.
The implemented solution involved identifying the common elements in more than
1,600 bowties and managing them centrally, providing a highly-leveraged assurance
approach delivering site and corporate risk profiling at a lower cost, in-built continuous
improvement, real-time data sharing, and dynamically calculated bowties; all managed
with little or no on-site expertise.
7/25/2019 Safety in Design Paper A Live Picture of Organisational Risk by Linking Risk Management and Control Assurance
2/12
Session 2: A live picture of organisational risk by integrating risk management and control assurance
Safety in Design Conference 2015 IDC Technologies2
Introduction
Bowties are an efficient, highly adaptable and well-accepted tool for the visualisation
and analysis of risk. Even to the untrained, the bowties map-like elements are quickly
intuited (overall shape, left-to-right flow of linked boxes, standard labels, etc.) and help
to define the risks dimensions, boundaries and interactions, encouraging navigation,
exploration, discovery and hopefully, preparedness.
Understandably major hazards industries are broadly enthusiastic in using bowties: it
is common to see a small mining operation with 70 active bowties, a Major Hazard
Facility (MHF) with over 300. Many software tools are extending the bowtie usage to
support the delivery of ALARP demonstration, Layer of Protection Analysis, Cost
Benefit Analysis and recently Control Assurance.
This case study describes the key learnings of a process that began in 2014 to
implement a control assurance program across 65+ Australian sites of a global
manufacturer of explosives and fertilisers, and a provider of blasting services. They
operate across a variety of underground and surface mines, and various emulsion and
fertiliser manufacturing plants, some of which are registered major hazard facilities.
Early program roll-out planning identified unacceptable levels of resourcing based on
the estimated quantity of bowties and critical controls involved. The solution described
herein resolved those resourcing issues, was accepted and continues to be rolled-out.
Firstly, Bowties 101
For those unfamiliar with bowties, here's a quick introduction1:
Causes Top Event Consequences
Preventative Controls Mitigative Controls
Figure 1 Simplistic example of a bowtie diagram
1A number of other node types are excluded to keep things simple.
7/25/2019 Safety in Design Paper A Live Picture of Organisational Risk by Linking Risk Management and Control Assurance
3/12
Session 2: A live picture of organisational risk by integrating risk management and control assurance
Safety in Design Conference 2015 IDC Technologies3
Bowties flow left to right but the nodes conform to a pattern depending on their
placement:
- Sources of probability are represented in the Causes(also known as threats);
- The Preventative Controlslimit the likelihood of the Top Event (also known as
barriers or safeguards);
- The Top Eventis the point at which control is lost as the context switches from
prevention to mitigation (in this working at heights scenario it is the point at
which one loses balance);
- The Mitigative Controls limit the likelihood of or the Severity of the
Consequences;
- The Consequences represent the impact of the loss of control on people,
finances, environment, reputation, legal, etc.
Using the logic of fault and event trees, the bowtie calculates the probability as it flows
through the model and moderated by controls as it travels left to right. The thickness of
each connecting line is a proportional representation of that likelihood at that point.
Figure 2 Individual causal pathway demonstrating probability f low calculation
The Likelihood of this Cause has been determined as Possible, which equates to an
occurrence once every 10 years as per the following values in Table 1.
Table 1. Likelihood
Likelihood x Times per Year Every x Years
Very likely 10 0
Likely 1 1
Possible 0.1 10
Unlikely 0.01 100
Very Unlikely 0.001 1,000
The risk reduction provided by controls is determined by the Effectiveness as per the
following Order of Magnitude values in Table 2.
7/25/2019 Safety in Design Paper A Live Picture of Organisational Risk by Linking Risk Management and Control Assurance
4/12
Session 2: A live picture of organisational risk by integrating risk management and control assurance
Safety in Design Conference 2015 IDC Technologies4
Table 2. Risk Reduction from Control Effectiveness
Control Effectiveness Order of Magnitude
Excellent 2.0
Strong 1.5
Adequate 1.0Needs to Improve 0.5
As can be seen in Table 3, the controls reduce the likelihood 2.5 orders of magnitude
(based on Log10), taking the likelihood from once every 10 years to once every 3,000.
Table 3. Calculated example of Risk Reduction based on Control Effectiveness
ControlOrder of
MagnitudeFrom From Years To
To
Years
Scaftag 1.0 Possible 10 Unlikely 100
Training authorised
personnel
1.0 Unlikely 100 Very Unlikely 1,000
Inspection of equipment
prior to use
0.5 Very Unlikely 1,000 Very Unlikely 3,000
As a result, the combined controls effect on the likelihood changes the risk rating is
shown in Table 4:
Table 4. Example of the effect of combined controls on risk rating
From Without Controls To With Controls
Assessing Control Effectiveness during a risk review process can deliver this ALARP
assessment at a specific point in time, perhaps yearly. It is the confidence that the
control will continue to function at the same level between verifications that inevitably
diminishes the longer the period between those verifications (this is not to say that the
controls effectiveness diminishes).
7/25/2019 Safety in Design Paper A Live Picture of Organisational Risk by Linking Risk Management and Control Assurance
5/12
Session 2: A live picture of organisational risk by integrating risk management and control assurance
Safety in Design Conference 2015 IDC Technologies5
Graph 1. An example of controls may become less effective in between assurance checks
Control Assurance processes should mitigate confidence decay by being repeated in
time cycles appropriate to the control. With continuing demands to increase efficiency,there is an on-going need to verify control performance, and justify residual risk, with
minimal resourcing.
Sizing the Challenge
Despite operating in various hazardous environments and locations, a scan across the
sites' risk registers identified commonalities in the major events and the critical controls
used to prevent or mitigate them.
To understand the logistics issues associated with rolling out an on-going assurance
program, a statistical summary of the scope has been provided in Table 5
Table 5. Program Scope
Description Value
No. of Sites for rollout 68
No. of Site Personnel 2-40
No. of Master Bowties 40
No. of Master Critical Controls 80
No. of Bowties across all Sites 1,708
No. of Critical Controls across all Sites 25,207
Avg. no. of Bowties per Site 25
Avg. no. of Critical Controls per Site 371
Avg. no. of Critical Controls per Bowtie 15
Avg. no. of Master Critical Controls in use on each Site 48
Avg. no. of times a Site Critical Control uses a Master Critical Control 187
Max. no. of times a Site Critical Control uses a Master Critical Control 4,411
Frequency of site-based Critical Control assurance activities 12 monthly
7/25/2019 Safety in Design Paper A Live Picture of Organisational Risk by Linking Risk Management and Control Assurance
6/12
Session 2: A live picture of organisational risk by integrating risk management and control assurance
Safety in Design Conference 2015 IDC Technologies6
Clearly the success of the program hinged on delivering a simple, repeatable and time-
efficient process that would leverage existing tools and support the following primary
assurance workflow:
Figure 3. Overview of the Assurance workflow
Optimisation
Four main areas were identified with potential to leverage the risk data. They were:
a) Standardising bowties into a common set ofMaster Bowtiesbased on Major
Events, thereby aligning sites from the start and establishing solid pathways to
share future learnings; and
b) Standardising critical controls into a common set ofMaster Critical Controls
thereby reducing the assurance burden from every control in its specific context
to every control in the site context.
What is a Master Critical Control?
A Permit to Work System is an example of a Master Critical Control. It appears in manydifferent bowties and in a variety of contexts. There is a strong chance that it would appear onthe same bowtie more than once. However, across the company, there is only one Permit toWork Master Critical Control, and that refers to the policy and procedure documents thatdefine, in a procedural way, how employees and contractors are expected to interact with it.
There are two assessments for each Master Critical Control:
1) Design Adequacyis performed annually for every Master Critical Control: this measures theadequacy of the Master Critical Controls Performance Standard as tool to test how the siteshave implemented and are using the Master Critical Control to reduce risk in all contexts whereit is being used.
2) Control Effectivenessis performed annually for every Control on every Site linked to the
Master Critical Control: this measures the effectiveness of the Risk Control according to the
7/25/2019 Safety in Design Paper A Live Picture of Organisational Risk by Linking Risk Management and Control Assurance
7/12
Session 2: A live picture of organisational risk by integrating risk management and control assurance
Safety in Design Conference 2015 IDC Technologies7
Criteria in the Master Critical Controls Performance Standard.
Figure 4. Function of a Master Critical Control
c) Standardising Causes into Causal Groups within Master Bowties to enable
Causal Likelihoods to be set to commonly accepted values, thereby minimising
variability across sites.
d) Scaling the frequency of Critical Control inspection based on the Effectiveness
required on every Causal pathway. This would have the effect, in the example
shown above, and delaying an inspection where the situation is already ALARP
without the inspection having taken place.
Assess ing and Selecting the Implementation Model
A review of the risk register data demonstrated that the two largest benefits would be
had by standardising the Risks with Master Bowties and the Site Critical Controls withMaster Critical Controls as shown in Table 6.
Table 6. Benefits of standardising Bowties and Critical ControlsContext Process Standardising Element Degree of
Leverage
Bowtie Rating
Review
Site-by-Site Risk Control Review None None Yearly
Risk Review
Leveraged Control Assurance Master Bowties 159% Weekly
Master Critical Controls 772%
7/25/2019 Safety in Design Paper A Live Picture of Organisational Risk by Linking Risk Management and Control Assurance
8/12
Session 2: A live picture of organisational risk by integrating risk management and control assurance
Safety in Design Conference 2015 IDC Technologies8
Accordingly, a 5-point process was developed to deliver the Master Bowtie and Master
Critical Control elements within a change management and technology framework in
the following sequence:
1) Establishing the Context
2) Fit Master Bowties to Site Conditions and Culture
3) Generate the Assurance Activities
4) Perform the Assurance Activities
5) Evaluate, Act and Notify
The following process flow models illustrate the business process/software interface to
deliver minimal handling of data while supporting on and off-line interaction.
7/25/2019 Safety in Design Paper A Live Picture of Organisational Risk by Linking Risk Management and Control Assurance
9/12
Session 2: A live picture of organisational risk by integrating risk management and control assurance
Safety in Design Conference 2015 IDC Technologies9
7/25/2019 Safety in Design Paper A Live Picture of Organisational Risk by Linking Risk Management and Control Assurance
10/12
Session 2: A live picture of organisational risk by integrating risk management and control assurance
Safety in Design Conference 2015 IDC Technologies10
7/25/2019 Safety in Design Paper A Live Picture of Organisational Risk by Linking Risk Management and Control Assurance
11/12
Session 2: A live picture of organisational risk by integrating risk management and control assurance
Safety in Design Conference 2015 IDC Technologies11
Outcome and Conclusion
Based on the developed model the business case for the program was accepted and
implemented:
a) Best-practice bowties for each major event were standardised into a global setof Master Bowties. Master Bowties represented an optimal set of scenarios and
elements so that the minimal number met the broadest usage. This kept
bowties simpler and easier to communicate and adapt;
b) Best-practice Critical controls were standardised into a global set of Master
Critical Controls representing, for the most part, existing company standards
and practices and strengthening naming conventions across all operations;
c) Performance Standards were standardised across operational, MHF and
Process Safety areas to achieve a single perspective on control effectiveness
for any given Master Critical Control;
d) All Site Critical Controls were linked to Master Critical Controls within every Site
Bowtie delivering a single company-wide definition and mode of assessment
for control application, function and purpose. Site Critical Controls are
assessed within the multi-scenario context in which they operate;
e) The following model has been accepted as representing the potential savings if
the original plan had been implemented:
Table 7. Calculated Value of delivering the Program via a leveraged standardised methodology
Full Time EquivalentsOption 1: Site-by-Site Option 2: Leveraged Delta
Setup Perform Setup Perform
SetupBowties
SetupCritical
Controls& PerfStds.
Site RiskReviews
Site CriticalControl
Inspections
SetupMasterBowties
Setup MasterCritical
Controls& Perf Stds.
SetupSite
Bowties
Site RiskReviews
Site CriticalControl
Inspections
FTEs 15.2 7.4 3.9 14.3 1.0 0.3 1.9 3.9 1.9
FTEs for Setup/Perform 22.6 18.2 3.2 5.8
FTEs first Year 40.8 9.0 31.2
FTEs following Years 18.2 5.8 12.6
Additional savings were also identified but not costed in a number of business areas,
including:
a) Reduced training requirement: given the common format of all Assurance
Worksheets, training requirements were minimised;
b) Reduced data management and administration:
7/25/2019 Safety in Design Paper A Live Picture of Organisational Risk by Linking Risk Management and Control Assurance
12/12
Session 2: A live picture of organisational risk by integrating risk management and control assurance
Safety in Design Conference 2015 IDC Technologies12
i. all Assurance Worksheets use embedded rules based on policies to
which all responses had to conform thereby eliminating errors and re-
work;
ii. real-time hierarchical roll-up of risk exposure across the company;
iii. all actions correctly validated prior to submission;
iv. automated follow-up of overdue Assurance Activities and Actions;
v. off-line interaction with Assurance Worksheets meant that data entry
could be performed on Sites with poor network connectivity in the field
and then uploaded without rekeying of data;
vi. reporting: all statistics and reporting was updated automatically.
c) Reduced program management through the use of Assurance Templates.
d) Improved business process standardisation.
e) Streamlined processes for measuring and reporting on KPIs.
f) Improved visibility over control budgeting and planning.
In summary, its not realistic to talk of having achieved the specified savings as the
program would never have gotten off the ground at the projected cost levels. However,
this project could claim to demonstrate success in integrating risk management and
control assurance across a large and diverse organisation within timeframe and
budget limitations. In this sense, it provides an interesting counterpoint to other
methods being used and the degree of risk awareness achieved.