safety in design paper a live picture of organisational risk by linking risk management and control...

7/25/2019 Safety in Design Paper A Live Picture of Organisational Risk by Linking Risk Management and Control Assurance

1/12

Session 2: A live picture of organisational risk by integrating risk management and control assurance

Safety in Design Conference 2015 IDC Technologies1

Session 2:

A Live Picture of Organisational Risk by IntegratingRisk Management and Control Assurance

Alex Aposto lou and Jodi GoodallMeercat Pty Ltd

Abstract

Bowties are an efficient, highly adaptable and well-accepted tool for the visualisation

and analysis of risk. Even to the untrained eye, the bowties map-like elements are

quickly intuited (overall shape, left-to-right flow of linked boxes, standard labels, etc.)

and help to define the risks dimensions, boundaries and interactions, encouraging

navigation, exploration, discovery and hopefully, preparedness.

However, by virtue of their scenario-based frame of reference there is often a great

deal of overlap within bowtie registers. Left unresolved in an assurance process, these

overlaps would increase the resourcing and verification burden unsustainably.

This case study provides an insight to the key learnings from the implementation of an

integrated risk management and control assurance program into an explosives and

chemicals manufacturing organisation with 65+ sites. Key amongst the objectives was

the creation of a live risk profile to best guide budgetary decision-making for risk

reduction, facilitating a more comprehensive understanding of current fatality risk and

control at all levels of the business in the most resource efficient manner possible.

The implemented solution involved identifying the common elements in more than

1,600 bowties and managing them centrally, providing a highly-leveraged assurance

approach delivering site and corporate risk profiling at a lower cost, in-built continuous

improvement, real-time data sharing, and dynamically calculated bowties; all managed

with little or no on-site expertise.


2/12



Introduction

Bowties are an efficient, highly adaptable and well-accepted tool for the visualisation

and analysis of risk. Even to the untrained, the bowties map-like elements are quickly

intuited (overall shape, left-to-right flow of linked boxes, standard labels, etc.) and help

to define the risks dimensions, boundaries and interactions, encouraging navigation,

exploration, discovery and hopefully, preparedness.

Understandably major hazards industries are broadly enthusiastic in using bowties: it

is common to see a small mining operation with 70 active bowties, a Major Hazard

Facility (MHF) with over 300. Many software tools are extending the bowtie usage to

support the delivery of ALARP demonstration, Layer of Protection Analysis, Cost

Benefit Analysis and recently Control Assurance.

This case study describes the key learnings of a process that began in 2014 to

implement a control assurance program across 65+ Australian sites of a global

manufacturer of explosives and fertilisers, and a provider of blasting services. They

operate across a variety of underground and surface mines, and various emulsion and

fertiliser manufacturing plants, some of which are registered major hazard facilities.

Early program roll-out planning identified unacceptable levels of resourcing based on

the estimated quantity of bowties and critical controls involved. The solution described

herein resolved those resourcing issues, was accepted and continues to be rolled-out.

Firstly, Bowties 101

For those unfamiliar with bowties, here's a quick introduction1:

Causes Top Event Consequences

Preventative Controls Mitigative Controls

Figure 1 Simplistic example of a bowtie diagram

1A number of other node types are excluded to keep things simple.


3/12



Bowties flow left to right but the nodes conform to a pattern depending on their

placement:

- Sources of probability are represented in the Causes(also known as threats);

- The Preventative Controlslimit the likelihood of the Top Event (also known as

barriers or safeguards);

- The Top Eventis the point at which control is lost as the context switches from

prevention to mitigation (in this working at heights scenario it is the point at

which one loses balance);

- The Mitigative Controls limit the likelihood of or the Severity of the

Consequences;

- The Consequences represent the impact of the loss of control on people,

finances, environment, reputation, legal, etc.

Using the logic of fault and event trees, the bowtie calculates the probability as it flows

through the model and moderated by controls as it travels left to right. The thickness of

each connecting line is a proportional representation of that likelihood at that point.

Figure 2 Individual causal pathway demonstrating probability f low calculation

The Likelihood of this Cause has been determined as Possible, which equates to an

occurrence once every 10 years as per the following values in Table 1.

Table 1. Likelihood

Likelihood x Times per Year Every x Years

Very likely 10 0

Likely 1 1

Possible 0.1 10

Unlikely 0.01 100

Very Unlikely 0.001 1,000

The risk reduction provided by controls is determined by the Effectiveness as per the

following Order of Magnitude values in Table 2.


4/12



Table 2. Risk Reduction from Control Effectiveness

Control Effectiveness Order of Magnitude

Excellent 2.0

Strong 1.5

Adequate 1.0Needs to Improve 0.5

As can be seen in Table 3, the controls reduce the likelihood 2.5 orders of magnitude

(based on Log10), taking the likelihood from once every 10 years to once every 3,000.

Table 3. Calculated example of Risk Reduction based on Control Effectiveness

ControlOrder of

MagnitudeFrom From Years To

To

Years

Scaftag 1.0 Possible 10 Unlikely 100

Training authorised

personnel

1.0 Unlikely 100 Very Unlikely 1,000

Inspection of equipment

prior to use

0.5 Very Unlikely 1,000 Very Unlikely 3,000

As a result, the combined controls effect on the likelihood changes the risk rating is

shown in Table 4:

Table 4. Example of the effect of combined controls on risk rating

From Without Controls To With Controls

Assessing Control Effectiveness during a risk review process can deliver this ALARP

assessment at a specific point in time, perhaps yearly. It is the confidence that the

control will continue to function at the same level between verifications that inevitably

diminishes the longer the period between those verifications (this is not to say that the

controls effectiveness diminishes).


5/12



Graph 1. An example of controls may become less effective in between assurance checks

Control Assurance processes should mitigate confidence decay by being repeated in

time cycles appropriate to the control. With continuing demands to increase efficiency,there is an on-going need to verify control performance, and justify residual risk, with

minimal resourcing.

Sizing the Challenge

Despite operating in various hazardous environments and locations, a scan across the

sites' risk registers identified commonalities in the major events and the critical controls

used to prevent or mitigate them.

To understand the logistics issues associated with rolling out an on-going assurance

program, a statistical summary of the scope has been provided in Table 5

Table 5. Program Scope

Description Value

No. of Sites for rollout 68

No. of Site Personnel 2-40

No. of Master Bowties 40

No. of Master Critical Controls 80

No. of Bowties across all Sites 1,708

No. of Critical Controls across all Sites 25,207

Avg. no. of Bowties per Site 25

Avg. no. of Critical Controls per Site 371

Avg. no. of Critical Controls per Bowtie 15

Avg. no. of Master Critical Controls in use on each Site 48

Avg. no. of times a Site Critical Control uses a Master Critical Control 187

Max. no. of times a Site Critical Control uses a Master Critical Control 4,411

Frequency of site-based Critical Control assurance activities 12 monthly


6/12



Clearly the success of the program hinged on delivering a simple, repeatable and time-

efficient process that would leverage existing tools and support the following primary

assurance workflow:

Figure 3. Overview of the Assurance workflow

Optimisation

Four main areas were identified with potential to leverage the risk data. They were:

a) Standardising bowties into a common set ofMaster Bowtiesbased on Major

Events, thereby aligning sites from the start and establishing solid pathways to

share future learnings; and

b) Standardising critical controls into a common set ofMaster Critical Controls

thereby reducing the assurance burden from every control in its specific context

to every control in the site context.

What is a Master Critical Control?

A Permit to Work System is an example of a Master Critical Control. It appears in manydifferent bowties and in a variety of contexts. There is a strong chance that it would appear onthe same bowtie more than once. However, across the company, there is only one Permit toWork Master Critical Control, and that refers to the policy and procedure documents thatdefine, in a procedural way, how employees and contractors are expected to interact with it.

There are two assessments for each Master Critical Control:

1) Design Adequacyis performed annually for every Master Critical Control: this measures theadequacy of the Master Critical Controls Performance Standard as tool to test how the siteshave implemented and are using the Master Critical Control to reduce risk in all contexts whereit is being used.

2) Control Effectivenessis performed annually for every Control on every Site linked to the

Master Critical Control: this measures the effectiveness of the Risk Control according to the


7/12



Criteria in the Master Critical Controls Performance Standard.

Figure 4. Function of a Master Critical Control

c) Standardising Causes into Causal Groups within Master Bowties to enable

Causal Likelihoods to be set to commonly accepted values, thereby minimising

variability across sites.

d) Scaling the frequency of Critical Control inspection based on the Effectiveness

required on every Causal pathway. This would have the effect, in the example

shown above, and delaying an inspection where the situation is already ALARP

without the inspection having taken place.

Assess ing and Selecting the Implementation Model

A review of the risk register data demonstrated that the two largest benefits would be

had by standardising the Risks with Master Bowties and the Site Critical Controls withMaster Critical Controls as shown in Table 6.

Table 6. Benefits of standardising Bowties and Critical ControlsContext Process Standardising Element Degree of

Leverage

Bowtie Rating

Review

Site-by-Site Risk Control Review None None Yearly

Risk Review

Leveraged Control Assurance Master Bowties 159% Weekly

Master Critical Controls 772%


8/12



Accordingly, a 5-point process was developed to deliver the Master Bowtie and Master

Critical Control elements within a change management and technology framework in

the following sequence:

1) Establishing the Context

2) Fit Master Bowties to Site Conditions and Culture

3) Generate the Assurance Activities

4) Perform the Assurance Activities

5) Evaluate, Act and Notify

The following process flow models illustrate the business process/software interface to

deliver minimal handling of data while supporting on and off-line interaction.


9/12




10/12




11/12



Outcome and Conclusion

Based on the developed model the business case for the program was accepted and

implemented:

a) Best-practice bowties for each major event were standardised into a global setof Master Bowties. Master Bowties represented an optimal set of scenarios and

elements so that the minimal number met the broadest usage. This kept

bowties simpler and easier to communicate and adapt;

b) Best-practice Critical controls were standardised into a global set of Master

Critical Controls representing, for the most part, existing company standards

and practices and strengthening naming conventions across all operations;

c) Performance Standards were standardised across operational, MHF and

Process Safety areas to achieve a single perspective on control effectiveness

for any given Master Critical Control;

d) All Site Critical Controls were linked to Master Critical Controls within every Site

Bowtie delivering a single company-wide definition and mode of assessment

for control application, function and purpose. Site Critical Controls are

assessed within the multi-scenario context in which they operate;

e) The following model has been accepted as representing the potential savings if

the original plan had been implemented:

Table 7. Calculated Value of delivering the Program via a leveraged standardised methodology

Full Time EquivalentsOption 1: Site-by-Site Option 2: Leveraged Delta

Setup Perform Setup Perform

SetupBowties

SetupCritical

Controls& PerfStds.

Site RiskReviews

Site CriticalControl

Inspections

SetupMasterBowties

Setup MasterCritical

Controls& Perf Stds.

SetupSite

Bowties

Site RiskReviews

Site CriticalControl

Inspections

FTEs 15.2 7.4 3.9 14.3 1.0 0.3 1.9 3.9 1.9

FTEs for Setup/Perform 22.6 18.2 3.2 5.8

FTEs first Year 40.8 9.0 31.2

FTEs following Years 18.2 5.8 12.6

Additional savings were also identified but not costed in a number of business areas,

including:

a) Reduced training requirement: given the common format of all Assurance

Worksheets, training requirements were minimised;

b) Reduced data management and administration:


12/12



i. all Assurance Worksheets use embedded rules based on policies to

which all responses had to conform thereby eliminating errors and re-

work;

ii. real-time hierarchical roll-up of risk exposure across the company;

iii. all actions correctly validated prior to submission;

iv. automated follow-up of overdue Assurance Activities and Actions;

v. off-line interaction with Assurance Worksheets meant that data entry

could be performed on Sites with poor network connectivity in the field

and then uploaded without rekeying of data;

vi. reporting: all statistics and reporting was updated automatically.

c) Reduced program management through the use of Assurance Templates.

d) Improved business process standardisation.

e) Streamlined processes for measuring and reporting on KPIs.

f) Improved visibility over control budgeting and planning.

In summary, its not realistic to talk of having achieved the specified savings as the

program would never have gotten off the ground at the projected cost levels. However,

this project could claim to demonstrate success in integrating risk management and

control assurance across a large and diverse organisation within timeframe and

budget limitations. In this sense, it provides an interesting counterpoint to other

methods being used and the degree of risk awareness achieved.

safety in design paper a live picture of organisational risk by linking risk management and control...

Documents