Ever consider that true risk management sometimes occurs only at the lower levels of some pipeline organizations? That is, personnel performing field activities are in effect setting risk levels for the company. Their choices of day-to-day activities are essentially driving risk management and thereby establishing corporate risk levels. This is not just theoretical—real choices are being made. While there are regulations and company-specific procedures to control certain actions, the on-the-ground team is often relied upon to prioritize, allocate, act, and request additional resources based on their perceptions.
Fortunately, we have a generally savvy work force that usually makes good choices. But why would top company executives choose to delegate company-wide risk management decision-making? In effect abdicating their own power to manage the risk of the organization?[1]
In at least one sense, this delegation of risk management decision-making is a good thing. Those most knowledgeable in location-specific conditions/characteristics are often in the best position to make certain decisions. They are the subject matter experts in the pipeline’s often-highly-variable immediate environment.
But such distributed control also has its weaknesses. In their risk ‘assessments’, the field team may not utilize all of the available information, eg, ILI details, operational data, learnings from other pipelines, etc. They also may not use a formal structure to find and manage the non-obvious risks. Even if they do use formal techniques, without a centralized view of risks across the entire organization, imbalances are certain to occur.
So, if the alternative is not superior, then why is centralized risk management not the standard? At least one explanation lies in the perceived accuracy and usefulness of risk assessments. Some risk issues are very apparent and no formal assessment is needed to understand them. Good inspection techniques take much subjectivity out of certain resource allocations—a list of identified critical anomalies is like a ringing telephone that must be answered. The ‘fix-the-obvious’ opportunities for risk management are hopefully fully addressed in inspection follow-ups and in the day-to-day O&M. A regional approach can be very efficient in managing obvious risk issues.
However, there are other risks and risk reduction opportunities that are not so obvious. Humans can judge a thing based on a subjective and simultaneous interpretation of a handful of factors—maybe 3-5. Real risk scenarios may involve a dozen or more factors. Remember, many modern pipeline incidents are of the ‘perfect storm’ type. Rare chains of events, often involving multiple improbable and non-apparent factors, lead to the incident. This is where formality is needed. The formal risk assessment, when done properly, finds those highly improbable scenarios, involving multiple, non-intuitive, overlapping issues that can generate the perfect storm event. The previously unrecognized event is now revealed and quantified.
How can upper levels in the organization gain the risk understanding required to be fully engaged in risk management? By knowing the risk associated with every asset. The corporate-level decision-maker should seek a portfolio view of the company’s assets, showing all costs of ownership. Just as with a portfolio of stocks and bonds, each asset ties up capital and has carrying costs. The revenue streams, capital cost, the O&M costs, tax liabilities, etc, have always been well understood. The risk cost?—perhaps not as much. Most know that risk is part of the cost of ownership but how many really use that knowledge in everyday decision-making? The key lies in reliable risk assessments whose results truly represent real world cost of ownership risks. Then, and only then, is the top level decision-maker in a position to most efficiently allocate resources across the entire organization.
So, in a moment of self-evaluation, perhaps this question arises: is your risk assessment helping you? Some may answer “sure, I get a checkmark on my regulatory audit form.” But most recognize that so much more is at stake. Beyond regulatory compliance, how much value emerges from the risk assessment effort? Some must admit that their assessments are mostly window-dressing—not really helping decision-making. Perhaps their risk assessment is only documenting what is already perceived. There is some value in such documentation. But there should also be some ‘ah-ha’ moments. Afterall, the whole point of a formal risk assessment is to provide the structure that can and does reveal the otherwise unknown.
[1] I credit this powerful phrase of ‘abdicating risk management’ to my colleagues at Jana Labs
Published March 2014