The Benefits of Bowtie Risk Management in Compliance · PDF file [email protected] [email protected] The Benefits of Bowtie Risk Management in Compliance

www.etq.com [email protected] www.aloftaviationconsulting.com [email protected]

The Benefits of Bowtie Risk Management in Compliance Systems


+

Why do this?

Risk at the centre

Focus for all system activities becomes risk

Cumulative learning

Every report, investigation, audit adds to our overall understanding of the risks to our operation – in reality not just in potential

Better use of scarce skills and resource

Currently much of the effort is spent on interpreting, coding and classifying incoming data to help build understanding

Under this approach much of the classifying and coding and some of the interpreting happens automatically.

The result is we monitor risk management performance continuously.

If we move to a system which combines BowTie risk models with Safety/Quality/Compliance data what benefits does that bring?

2

+ The Challenge Managing safety/quality/compliance data to understand risk


www.etq.com [email protected]

The Deluge! Sa

fety

R

epo

rts

Tech

nic

al

Dat

a

Au

dit

R

epo

rts

Co

nfi

den

tial

R

epo

rts

Safe

ty

Co

mm

itte

es

Inve

stig

atio

n

Rep

ort

s

Maj

or

Glo

bal

Ev

ents

Exte

rnal

A

ud

its

Co

rrec

tive

A

ctio

ns

Safety Trends

Safety Trends

Investigation Report XXX

Tech Analysis

Ramp Safety

Committee Minutes

Engineering Audit March

Confidential Reports

Safety Committee

Minutes

SMS Audit June

Major Event

involving YYY

Safety Action

Closeout Trends

Regulatory Compliance

Audit

And So On... www.etq.com [email protected] www.aloftaviationconsulting.com [email protected]

+ The “Adding Up” Problem

An increase in safety reports, some fairly concerning audit findings, neck hairs rising –

what does it all add up to?

The range of data we have has grown dramatically – better safety reporting,

observational programs, culture surveys, a range of audits, training data, technical

reliability, ...

We tend to store that data, classify it and report it the way we collect it.

Combining data relies on the “wet” computer.

But the human brain has some built in limitations in dealing with risk and data – in fact

we’re not very good at it.

So, is it really adding up?

5 www.etq.com [email protected] www.aloftaviationconsulting.com [email protected]

+ Risk Management – the weak link?

Risk management is the core of safety management

A lot of SMS effort – both operators and regulators is focused on process

But the challenge lies in the content

Hazard identification – Can’t manage unidentified hazard

Risk Assessment – wrong risk level miss directs attention

And we humans are not naturally good at either of these


+ We’re not naturally very good at risk

We can fail to identify critical hazards: Lack imagination – typical scenario is much stronger than “odd” scenario

Don’t expect unexpected

Wrong mental model – simple linear process narrative not complex noisy parallel chaos

Over reliance on procedure

Group think – social effects dominate rational judgement

We can miss-estimate risk: Poor risk calculators

Overconfidence bias

Understanding of complex systems is actually poor

Intuitive sense of random is wrong!

Small data window


+

The Matrix


+ The Matrix!

Judgement based (about the future)

Standardisation hard

Sensitive to Risk Scenario

Qualitative (but looks quantitative)

Multiple hidden assumptions

Many start towards measuring risk by adding risk measures based on something like this to their data – but...

Catastrophic

A

Hazardous

B

Major

C

Minor

D

Negligible

E

Frequent 5 5A 5B 5C 5D 5E

Occasional 4 4A 4B 4C 4D 4E

Remote 3 3A 3B 3C 3D 3E

Improbable 2 2A 2B 2C 2D 2E

Extremely

improbable1 1A 1B 1C 1D 1E

Risk Severity

Risk Probability


+ Risk Scenarios

Worst Case?

Worst Conceivable Case?

Worst Credible Case?

Worst Feasible Case?

Hazard Outcome

E E

E E

E E

E E

Story that links Hazard to Outcome

Will involve barrier failures

Basis for assessing likelihood and

severity

There even if not explicit


+ Multiple Risk Scenarios

E E

E E

E E

E E

Threat Risk Control

Undesired

Operational

State

Recovery

ControlConsequence

Threat

Threat

Risk Control Risk Control

Risk ControlRisk ControlRisk Control

Risk ControlRisk ControlRisk Control

Recovery

Control

Recovery

Control

Recovery

Control

Recovery

Control

Recovery

Control

Recovery

Control

Recovery

Control

Consequence

Consequence

Consequence

Hazard Different scenarios may map to

same risk level

But, may not...


+ BowTie Risk Concepts

Threat Barrier

Undesired Operational

State

Recovery Control

Consequence

System & Culture

Threat

Threat

Barrier Barrier

Barrier Barrier Barrier

Barrier Barrier Barrier

Recovery Control

Recovery Control

Recovery Control

Recovery Control

Recovery Control

Recovery Control

Recovery Control

Consequence

Consequence

Consequence

Hazard


+ Example – Rail Transport

Source: CGE BowTieXP


+ Adding Barriers


+ Adding Data

Threats Safety Reports Observations Barrier Failures Safety Reports Observations Investigation Findings Audit Findings Technical Data

Undesired Operational State

Safety Reports Observations Investigation Findings Technical Data

Recovery Failures Safety Reports Observations Investigation Findings Technical Data

Consequences Industry Data

Thre

at

Risk

Contro

l

Undesire

d

Opera

tional

Sta

te

Reco

very

Contro

lC

onse

quence

Thre

at

Thre

at

Risk

Contro

lRisk

Contro

l

Risk

Contro

lRisk

Contro

lRisk

Contro

l

Risk

Contro

lRisk

Contro

lRisk

Contro

l

Reco

very

Contro

l

Reco

very

Contro

l

Reco

very

Contro

l

Reco

very

Contro

l

Reco

very

Contro

l

Reco

very

Contro

l

Reco

very

Contro

l

Conse

quence

Conse

quence

Conse

quence


Safe

ty

Rep

ort

s

Tech

nic

al

Dat

a

Au

dit

R

epo

rts

Co

nfi

den

tial

R

epo

rts

Safe

ty

Co

mm

itte

es

Inve

stig

atio

n

Rep

ort

s

Maj

or

Glo

bal

Ev

ents

Exte

rnal

A

ud

its

Co

rrec

tive

A

ctio

ns

Taming The Deluge!

ThreatRisk Control

Risk Control

Risk Control


State

Recovery Control

Recovery Control

Recovery Control

Recovery Control

Recovery Control

Recovery Control

Risk Control

Risk Control

Risk Control

Risk Control

Risk Control

Risk Control

Consequence

Recovery Control

Recovery Control

Safety System and Culture Threats

Threat

Threat

Consequence

Consequence

Consequence

System Performance • Compliance • SMS Functioning • Safety Culture

Safety Focus Areas


+ Monitoring the whole risk picture

17

ThreatRisk

Control


State

Recovery Control

Consequence

System & Culture

Threat

Threat

Risk Control

Risk Control

Risk Control

Risk Control

Risk Control

Risk Control

Risk Control

Risk Control

Recovery Control

Recovery Control

Recovery Control

Recovery Control

Recovery Control

Recovery Control

Recovery Control

Consequence

Consequence

Consequence

Hazard

Risk Precursor Threat Vulnerability

System Weaknesses


+

Safety Reports

Threat Rates

Consequence Rates

Control Failures

Recovery Activation

UOS

Risk Register

Vulnerability Assessment

Risk Precursor

Continuously updated risk picture

ThreatRisk Control

Risk Control

Risk Control


State

Recovery Control

Recovery Control

Recovery Control

Recovery Control

Recovery Control

Recovery Control

Risk Control

Risk Control

Risk Control

Risk Control

Risk Control

Risk Control

Consequence

Recovery Control

Recovery Control

Safety System and Culture Threats

Threat

Threat

Consequence

Consequence

Consequence


+

Turning the Theory into Reality

19


Safe

ty

Rep

ort

s

Flig

ht D

ata

Au

dit

R

epo

rts

Co

nfi

den

tial

R

epo

rts

Safe

ty

Co

mm

itte

es

Inve

stig

atio

n

Rep

ort

s

Maj

or

Glo

bal

Ev

ents

Exte

rnal

A

ud

its

Co

rrec

tive

A

ctio

ns

Organisational Learning Engine

Data Classification

Engine

Internal Data Shared Industry Risk Experience

BowTie Risk Models

Semi-Automatic Data Management

Runway Excursion - TO

Loss of Control in Flight

Runway Excursion - Landing

Controlled Flight Into Terrain

In-Flight Fire

Mid-Air Collision

Turbulence Injury

Threats

Controls

Distraction

Bird Hazard

AC Malfunction

Runway State

Weather

ATC

Weight and Balance

Threat Drivers

A320 A330 A340 B747 B777

Procedures

Competence/Training

Hardware

Software

Control Framework

Risk Dashboards


Tools to Implement the Vision 21

EtQ Exchange EtQ Reliance Risk Register

Shared Barrier Models

Dynamic Forms

Auto Import of BTXP into Reliance

Reliance Modules: •Safety Reports •Audit •Etc

APF Metrics

Reliance Dashboards


Complete Compliance Management Solution

• Applications for any organization, any industry

– Small or large organization

– Regulated or non-regulated

– Focus on Risk or Regulatory Compliance

• Applications to manage any compliance initiative

• Pre-configured with best practices

• Risk “at the core”


Application Breakdown As of version 10.0a of EtQ Reliance: QMS GMP EHS F&B SMS

Aspects, Objectives, & Targets • •

Audits Management • • • • •

Calibration and Maintenance • • • • •

Change Management • • • • •

Complaints Handling •

Corrective Action and Preventive Action (CAPA) • • • • •

Customer Feedback • • •

Deviation • • • • •

Document Control • • • • •

Emergency Preparedness Plans • •

Employee Training • • • • •

Enterprise Risk Management (ERM) • • • • •

Failure Mode and Effects Analysis (FMEA) • • •

Hazard Analysis Critical Control Points (HACCP) •

Incidents, Accidents and Safety Reporting • •

Job Safety Analysis (JSA) • •

Legislative and Regulatory Requirements • • • • •

Material Returns • • •

Material Safety Data Sheets (MSDS) • •

Meetings Management • • • • •

Monitoring & Inspection • •

Nonconformance Management • • •

Product Specification Management • • •

Production Part Approval Process (PPAP) • •

Project Control • • • • •

Quality Records Management • • • • •

Receiving & Inspection • • •

Risk Register • • • • •

Supplier Rating • • • •

Sustainability •

Complete Compliance Management Solution

• Integrated Risk Assessment

– Measure risk in any process, in context

– Track risk levels in centralized Risk Register

• Predictive Analysis using Risk Management

– Identify controls to mitigate risks

– Manage controls (documents, metrics, audits, etc…)

– Measure the effectiveness of controls (risk levels)

• Reduce Risk through Continuous Improvement

– Monitor control effectiveness through dashboard

– Test controls through Audits

– Survey potential risks using ERM

– Improve controls through CAPA and Change

+

CAPA

Document Control

Training

Finding

Risk

Risk Assessment

Reporting

FMEA Job Safety Analysis

HACCP

Risk

Effectiveness Effectiveness

Risk-Based Compliance

ERM

Risk

Effectiveness

Other Event

triggers

Risk Risk

Change Control

Effectiveness

Risk

Risk

Effectiveness

Controls Hazard Analysis

EtQ Risk Register

Audit

Incident

Risk

Effectiveness Effectiveness

+

CAPA

Complaint

NCR

Audit Change Control

Planned Deviation

Document Control

Training

CRM

ERP, MES

Investigation

Investigation

Finding

EtQ Risk Register

Hazards Controls Risk levels Effectiveness

Risk

Risk

Risk

Risk

Effectiveness

Ad Hoc Event

Ad Hoc Request

Regulatory Compliance

Other processes Legislative and Regulatory Requirements Supplier Management Product Registration Recalls HACCP Calibration & Maintenance Incident / Safety Report

Risk

Effectiveness

Investigation


CONTACT US

[email protected]

www.AloftAviationConsulting.com

[email protected]

[email protected]

www.etq.com

http://www.AloftAviationConsulting.com

http://www.aloftaviationconsulting.com/

Documents

The Benefits of Bowtie Risk Management in Compliance · PDF file [email protected] [email protected] The Benefits of Bowtie Risk Management in Compliance