In an earlier article, we noted that risk management is, in effect, often unintentionally delegated to decision-makers occupying the lower portions of the corporate org chart. In many companies, the field personnel are essentially setting corporate risk levels via their choices in day-to-day activities and their perceptions of priorities.
While we noted some advantages of the ‘hands-on’, ‘boots on the ground’ folks making such decisions, we also took note that the highly compensated, upper echelons of the org chart were often relatively uninvolved in this decision making that literally affects public and environmental life, health, as well as corporate viability.
This unintentional delegation of decision-making happens for two reasons:
1) risk strategizing and performing risk management are not the same thing and realistically should occur at different levels of the organization and
2) meaningful and complete risk information is often unavailable to upper management.
Risk Strategizing vs Risk Management
Risk management is performed at specific locations over defined time periods. Dozens of overlapping activities spread over many miles of facilities over months and years comprise risk management for the whole company. Upper level management is not usually directing such specific actions.
Strategizing, on the other hand, is the charting of the course—determining where the company should be heading, in terms of risk. It entails establishing corporate risk tolerances including reactions to an ever-changing risk landscape. This is the role of corporate leadership. The many details of the location-specific risk management activities should be supporting an overall corporate risk control strategy.
What is Needed for Risk-Based Decision-Making
Top level managers are, of course, involved in risk management. There is budget setting/approval, capital spending authorizations, and other risk-impacting decisions made by upper management. But it’s fair to say that few leaders are fully equipped with tools to make objective and truly risk-based decisions. Subjectivity, bias, and emotions play a large role in reactions to risk unless complete risk understanding is available. Too often, a staff is presenting incomplete risk information to the decision-maker.
“We need this funding for this because bad things might happen if we don’t change it.”
“yeah, Brad is worried about Scenario X, but it really is so unlikely that we don’t need to do anything differently right now.”
“last year’s projects were completed as planned and a new project list is proposed as follows . . . “
These are not sufficient presentations of risk knowledge for today’s needs, but are often all that an upper manager hears. Contrast those risk ‘presentations’ with these:
“We propose to spend $45K on Project X which will reduce company-wide risk by $22K per year.”
“Scenario X could produce some dramatic consequences but, in reality, it contributes only about 2% to our annual risk while Scenario Y contributes 11%. That’s why addressing Scenario Y should be our first priority.”
“Under the current spending plan, our risk next year will increase from $87K to $91K, due mostly to changing population densities and aging of our inspection information.”
Performing Risk Management in Support of the Risk Strategy
The role of modern risk assessment is to put the right knowledge into the hands of decision-makers so that risk strategies can be formulated and risk can be intentionally and efficiently managed. A good risk assessment should be able to answer simple[1] and direct questions like
- “How much has overall risk changed since last year?”
- “What would it cost to reduce overall risk by 10%?”
- “If we have to reduce spending by 5%, how does that change risk for next year? Year 5? Year 20?”
Such questions could be asked and answered for the company’s complete set of owned assets or any subset–eg, a pipeline system, a tank farm, ‘all assets in North Dakota’, etc. Comparisons among and between pump stations, tank farms, compressor stations, marine terminals, stretches of pipelines, and any other collections of assets should be readily available. Answers should be very specific, quantitative, and defensible.
Beyond answering such questions, the risk assessment should also present information that directly supports the establishment or modification of high level risk management strategies. Risk profiles are an essential tool in understanding risk and beginning risk management, as was detailed in a previous article. Mining of tabulated data should also be revealing. For instance, identifying locations of disproportionate risk—calculating a pipeline system’s % corporate length vs its % corporate risk is an easy and effective highlighting process.
Armed with proper risk assessment information, a constantly evolving risk management strategy could include very specific elements such as:
- Reduce overall corporate risk by 5% per year—this does not necessarily reduce risk at all locations; theoretically, only one risk reduction somewhere could achieve this.
- Maintain current risk level with 5% less spending next year—keep risk constant in the face of a reduced budget
- Reduce consequence potential by $50K per incident—focus on the locations and scenarios that could generate the highest consequences and put into place measures to reduce potential consequences
- Reduce risk at higher consequence locations—reduce the risk (probability, consequence, or both) at locations where potential consequences are highest
Strategies could also focus on certain types of failures (eg, external corrosion, excavator damages, etc); certain landuse areas (eg, urban, wetlands, aquifer recharge areas, etc); certain geographies; or any combination of various characteristics. They could also make use of stated or implied levels of acceptable risk, ie, when is it safe enough?
We should not be naïve enough to believe that risk tolerance is a constant value. Economic or political conditions and even recent news headlines will influence risk tolerance so strategies will need to be evergreen.
The important message here is that simply having good intentions without formal, defensible risk control strategies and plans, is insufficient risk management by today’s standards. “Keep risks as low as possible” is a very good idea, but not a compelling strategy. It does not offer sufficient direction nor does it answer important questions about risk tolerance, urgency of actions, and resource allocation.
[1] simple question but answerable only after integrating many moving parts into an appropriate risk assessment.