Achieving control-focused mindsets and methods may be a step change. This article will discuss the mindset shift that forms part of the move toward site control-based risk management and critical control management. Subsequent articles will discuss the changes to risk management methods in more detail.
Risk-focus versus control-focus
In the past, and perhaps even today, we have been ‘risk-focused’, primarily concerning ourselves with establishing that a risk rank, score or calculation has achieved an acceptable level. As such, our mindset (as a person’s way of thinking and their opinions), whether an operator, supervisor or manager, may involve justifying that a number or color (such as green in the basic risk matrix). This mindset may lead to inadequate consideration of the primary factor that affects the likelihood and consequences of an unwanted event; the existence and quality of relevant controls.
The argument for being control-focused may seem easy, or even obvious. If the things that prevent or mitigate an unwanted event are not present, the event will occur. However, sometimes common sense is not so common, possibly the result of Operational Risk Management (ORM) history (see the 2nd article in the series).
Often a general example will help introduce a good understanding of controls
I hope we would all agree that if there are no brakes on the car it will eventually crash. But how well do the brakes need to be designed and maintained to make the risk of operating the car acceptable? Braking systems are not 100% reliable, especially considering all driving conditions. Brakes are a technological system control (see the previous article for the control definition). As such the braking system is a combination of a human act that operates the brakes when needed in the correct manner and the equipment that responds to the act by applying mechanisms to slow or stop the car. (Note that some new cars apply brakes based on distance sensors, without human action, in some situations)
The likelihood of an unwanted vehicle incident where a braking system is an important control is affected by both the braking act of the operator and the status of the braking mechanisms. The later component of the control is usually easier to gauge for effectiveness.
For example, if a son or daughter is trying to purchase a used car, Australian parents may be relieved to know that a safety inspection is required for a car to be legally sold. A potentially effective way to address braking mechanism effectiveness. Vehicle inspections cover a list of technological system controls, including brakes, steering, lights, etc. Adequate status of the listed controls is essential for a ‘pass’. It’s very likely that this overall approach resulted from investigating major car accidents, learning the hard way that inadequate controls increase the risk.
Mindsets may contribute to the success of this approach. Note that, according to Wikipedia, in 2010 approximately 30 US states did not require vehicle inspection for resale. For some reason, despite the ‘common sense’ that this approach will reduce accidents, it is not seen as necessary. What would parents think about their child’s potential purchase if the family lived in a state that didn’t require vehicle inspection?
In summary, to judge the risk of a car accident due to a problem with the vehicle’s roadworthiness by ‘gut feel’ rather than a systematic review of the vehicles important controls and systems would be foolhardy. As such, risk is all about the controls.
Making the transition to control-focus
Many variables affect people’s mindsets about controls, their importance and the degree to which they need to be challenged and monitored. Some sites may have healthy control- focused mindsets while other sites may not. How can we establish the site status and, if required, moved forward?
Basic change management questions can aid the transition to control-focused mindsets and methods, as well as provide a clear demonstration of the need to evolve site ORM. The following set of questions and example answers illustrates the approach.
- What is the purpose of the intended change to a control-focused site? All site personnel should recognize and appreciate that ‘risk is all about the controls’. Proactive decisions should base the level or amount of risk on the existence and quality of effective controls.
- What are the expected outcomes of the change? Ideal outcomes involve thorough control consideration across many areas such as:
- Communication content – meeting agendas/formats, presentations, facilitated discussions and general conversations that include consideration of hazards, unwanted events, controls and thereby the risk.
- Training content – risk, safety, health, environment, induction and skills courses that include learning about controls and their optimization.
- Risk assessment forms design and application – that include good control consideration in broad brush, change management, WRAC, JSA, SLAM, project risk, and other methods.
- Risk management procedures – having content about requiring control identification and reviews of control effectiveness
- Promotion materials – pamphlets, posters, banners, messages and signage that are consistent with a control-based approach to managing risk.
- Incident investigation methods – identifying the controls that failed or were absent, as well as the reason.
- What is the current situation? How are things currently done at the site compared to the defined ideal above? For example:
- Communication content – the conversation in meetings and informally tends to focus on ensuring the risk is ‘acceptable’ as measured by a risk matrix. Controls are not discussed in detail. There is some reluctance to suggest that a risk is high so challenging of existing controls is not common.
- Training content – current training content does not define controls as acts, objects and technological systems (see previous article). The importance of identifying and challenging control status is not emphasized.
- Risk assessment forms design and application – forms include the requirement to note controls but the information is not acts, objects and technological systems so listed information is broad, vague and difficult to discuss to establish status and quality.
- Risk management procedures – the current procedure requires control identification and some consideration of control effectiveness but, again, the definition of controls as acts, objects and technological systems is not included.
- Promotion materials – current health and safety risk posters and signage does not include an emphasis on ‘risk is all about controls’.
- Incident investigation methods – current investigations of significant near hit or loss related incidents identify the failures that contributed but not specifically defined as acts, objects or technological systems. Thereby the rational for failure is limited.
- How could the differences between the intended ideal and the current situation be addressed? What actions could be taken for each difference between the current situation and the ideal to move toward the ideal? For example:
- Communication content – reintroduce personnel to ORM by defining the risk conversations to include clearly definitions of hazard, unwanted events, risk and controls (see previous article for definitions). Suggest that all discussions about health and safety include the correct use of the terms. Reinforce the adage that ‘risk is all about controls’. Monitor conversations and remind personnel if they use terms incorrectly.
- Training content – review current training content and identify areas where new definitions of hazard, unwanted event, risk and controls including a strong focus on defining controls as acts, objects and technological systems. The importance of identifying and challenging control status to ensure the risk is acceptable should also be emphasized.
- Risk assessment forms design and application – review the objective of current risk assessment methods to ensure that they emphasize adequate control for the unwanted event. Note that a later article will address the various methods in more detail.
- Risk management procedures – review the current procedure to include the definition of controls as acts, objects and technological systems, as well as the importance of effective control identification and review of control effectiveness.
- Promotion materials – review the objective of any health and safety risk promotion materials and ensure it aligns with the new definitions and the message; ‘risk is all about controls’.
- Incident investigation methods – modify current investigation methods so that event related controls (acts, objects or technological systems) are identified with their status at the time of the event investigated, including reasons for any failures.
- What methods will be used to monitor the results of the change? For example: A review of the status related to the topics above and their progress will occur in 6 months.
Clearly, the new definition of controls and the increased emphasis on their quality could potentially lead to major changes at the site. These changes should move the site along the Control Based Risk Management journey.
The next article will briefly overview a model of site good practice ORM based on four layers with risk assessment applications. This general approach is common on Australian sites, but the implications of the new control definition will be added.