INDUSTRIAL FIRMS MUST EMBED RISK BASED THINKING INTO THEIR OPERATIONS

Transcription

1 Risk-based thinking is not a new concept for firms. The consideration of business risks has always formed a core component of executive team discussions and the approach and framework for understanding and analyzing these risks has changed little over many years, reflecting a relatively stable operational landscape. In recent years however, rapid and profound shifts in the operational landscape of firms, particularly those operating in the industrial sector, has seen the breakdown of these frameworks. Firms are now more global than ever with larger and more complex supply chains. Firms need to manage an ever expanding list of legislative requirements and the explosion in social media means their activities are scrutinized more closely than ever before. This combination of factors demands firms overhaul their operational risk management (ORM) strategies and make them relevant for today s unique and evolving business challenges. While firms increasingly accept the need to transform their ORM strategies, many are struggling with how to design a strategy which is appropriate for today s more complex operational landscape. In tackling this issue, firms are seeking answers to a core set of questions. What does ORM mean to my business? Where are the issues with my firm s approach to ORM? What is the business value in enhancing the ORM strategy and approach at my firm? What is the relationship between ORM and Operational Excellence (OE)? To answer these questions, DuPont Sustainable Solutions (DSS) commissioned independent analyst firm Verdantix to undertake an independent research study involving interviews with 75 senior leaders. A total of 66 interviews were conducted with firms from the following eight industries: Chemicals/Fertilizer/Petrochemicals, Food & Beverage Manufacturing, Healthcare, Mining & Metals, Oil & Gas Downstream, Oil & Gas Upstream, Transport, Utilities. A further nine interviews were conducted with affiliated trade associations. The senior leaders from the 66 industrial firms were almost all in risk or operational roles (59 interviews) with the remaining seven interviews conducted with individuals in environment, health and safety (EH&S) and project management roles. The interviewees were located across the following ten countries: Australia, Canada, France, Germany, UK, USA, China, India, Saudi Arabia and the United Arab Emirates. All firms (excluding the trade associations) have annual revenues in excess of $1 billion. 1

2 Firms Demand Comprehensive Upgrades to Established ORM Programs Effective risk management has never been more critical for large businesses. Today, these businesses are forced to wrestle with increasingly complex supply chains, a growing roster of legislative requirements and unprecedented social-media fueled scrutiny of their operations. With risk management growing in significance, to what extent do firms have suitable operational risk management (ORM) programs in place? ORM programs are widely deployed. Across the 66 interviews with industrial sector firms, 91% stated that ORM had been adopted in some way across their organization (see figure 1). Only 3% of firms had no ORM program in place. Figure 1, n=66 2

3 ORM programs vary by sector. At the highest possible level, ORM programs are concerned with assessing, prioritizing, mitigating and monitoring risks across the entire operational footprint of an organization. While this overarching definition carries broad agreement, applying this to different sectors creates divergence in terms of the focus of the programs. I think the definition of operational risk management varies. Mining & Metals, Oil &Gas and heavy manufacturing are deeply focused on employee and public safety (Finance Industry Association) I always look at ORM in terms of license to operate. You need to make sure you are complying with all regulations and rules related to environment, energy, emissions, safety and health. You need to ensure the product is at the right quality, is safe to use, can be transported safely and securely and that through all this, your business remains competitive (Steel Association) Firms favor health and safety metrics for assessing operational risk. Interviewees were asked to provide examples of metrics they used to assess operational risk. While there was significant variation in the responses received, health and safety related metrics emerged strongly including injury rate, incident rate and lost time with injuries Assessment of work-related Injuries is how we assess performance. (Transport) Firms target widespread improvements to ORM programs. The interviewees from the industrial firms were asked how important it is for their firm to improve performance across five major areas of ORM over the next 12 months (see figure 2). Across each area, at least 75% of firms said it was important or very important to improve performance over the next year. Risk control processes and governance was the area that recorded the highest number of responses in the very important category (45%) and Setting risk targets was the area with the highest number of very important and important responses (86%). 3

4 Figure 2, n=66 Safety, Compliance, and Reputation Drive Investment in ORM Large industrial firms have established a shared understanding of ORM and most have some sort of ORM program in place. What are the drivers behind this widespread adoption? In which parts of the business is ORM most important? This research reveals some distinctive trends: Safety is the most critical driver for ORM. When asked to rate the importance of eight separate drivers for investing in ORM, 85% of firms rated safety as very important higher than any other driver (see figure 3). This trend emerges again when interviewees are asked to identify the operational areas in which ORM is most important. In this question, employee safety emerges as the most important area with 82% of interviews rating this as very important (see figure 4). Employee safety and health is our major operational risk (Oil & Gas, Upstream) 4

5 Figure 3, n=66 5

6 Figure 4, n=66 Compliance continues to drive spending on ORM. Compliance has traditionally been seen as the most prominent driver in risk management and ORM. This research still shows it as a key driver (with 74% of interviewees rating it as very important ) but secondary to safety. Compliance-focused ORM can vary in maturity level, spanning from Excel based audits to the integration of comprehensive regulatory databases. We need to keep on top of changes to environmental regulations as it impacts every part of our business, from manufacturing through to distribution. We have realized that we may have to spend more on complying with regulations than planned (Food & Beverage) 6

7 Firms invest in ORM to steer clear of reputational issues. Reputation is the third highest rated driver for investment into ORM with nearly 90% of respondents describing it as important or very important. It is also worth noting that reputation is often a highly significant secondary driver of ORM. Some interviewees stated that safety and compliance risks have to be effectively managed in order to protect business reputation. Firms in high hazard industries are very aware that if a serious event occurs the ultimate price could be the future of the firm. Firms have been known to disappear as a result of serious incidents (Chemicals Industry Association) Avoiding unplanned shutdowns is an important ORM driver for 96% of firms. Unplanned shutdowns can be highly damaging to the cash flow positions of organizations. They typically carry with them a level of urgency which forces management attention to be diverted from executing on broader strategic plans. While a greater number of respondents classified maintain license to operate as a very important driver, unplanned shutdowns are considered significant due to the near unanimous view that it was either an important or very important driver. The fact is that if you do proper maintenance of your assets, you will not have operational problems, unplanned shutdowns, or unplanned costs. (Food and Beverage Manufacturing) ORM drives improved Operational Excellence performance. While not included as a specific option within figure 3, a number of the interviewees commented on how ORM was being used as a tool to drive better performance in their operational excellence (OE) programs. The trade association interviews revealed that rather than treating ORM as a check the box exercise, leading firms are looking at the long- term benefits of ORM by focusing not only on significant operational risks, but also changing customer requirements and even opportunities to develop new offerings. Operational risk management is the critical review of operations that feed into your operational excellence program. (Mining & Metals Industry Association) 7

8 Firms Face Headwinds in Deploying Effective ORM Programs There are a number of powerful factors driving investment in ORM including safety, compliance and reputational concern. Most firms have responded to these drivers by developing an ORM strategy but this alone is not sufficient for an effective ORM program. In order to be successful, it is imperative the ORM strategy focuses on the relevant areas of the business. With a suitable strategy in place, funding then needs to be made available to convert the strategy into an ongoing program. This research reveals a number of prominent hurdles (see figure 5) firms face in securing sufficient funding for ORM programs: Senior executives fail to distinguish ORM from financial risk management. This study asked interviewees to rate the significance of five different barriers to investing in ORM. Lack of understanding of ORM among senior executives emerged as the barrier most frequently rated as very significant (35% of respondents). Further insights from the interviews indicate that for some senior executives, moving away from their traditional financial risk mindset is a major challenge. Investors who are not industry players create challenges in implementing effective operational risk management strategies. They want to maximize the return on their investment and see investment in safety, environment and communities as denting their returns (Finance Industry Association) ORM is not recognized as a discrete program which requires dedicated funding. Where risk management practices are considered to be fully embedded within a firm s operations, it can be challenging to secure funding for a dedicated ORM program. For 26% of the firms interviewed, managing risk as part of current day-to-day operations is identified as a very significant barrier to investing in ORM. ORM should not be seen as a corporate initiative - it should be embedded in day to day business. (Mining & Metals) 8

9 ORM programs lose out to other internal investment initiatives. Investing in risk management can be seen as similar to investing in insurance, where the return on investment is not a useful measure of the value of the investment. This means the business case for ORM needs to be defined differently than other internal initiatives competing for funding. As a result, it can be difficult to secure funding for ORM programs. In this study, 35% of respondents told us that the lack of a proper business case is a very significant or significant barrier to ORM investment and another 65% said the lack of available budget was a significant or very significant barrier. Unfortunately, the true value of an effective ORM program often only becomes apparent when the impacts of a deficient ORM program are exposed. It is quite hard for people to see the return on an investment. If you have a BP Gulf of Mexico event, everyone can see the cost of having failed to deploy an effective ORM strategy. (Finance Industry Association) Figure 5, n=66 9

10 Seven Steps for Developing a Successful ORM Strategy Major shifts in the operational landscape of large global industrial firms have exposed them to a much deeper and more complex network of risks. Driven largely by concerns around safety, compliance and reputational integrity, firms are looking to overhaul long-standing ORM strategies to make them relevant for today s operating environment. Beyond the core objective of mitigating business risks, leading firms are using ORM to help drive OE programs and increase the resiliency of the business. Despite the strong set of drivers, ORM programs can be starved of funding. Misunderstanding of ORM by senior executives, lack of recognition of ORM as a discrete program, and competition with other initiatives all create investment challenges for ORM programs. Seven steps should be taken to develop and activate a successful ORM strategy: 1. Secure approval/consensus and leadership at the corporate level. An ORM program will only be truly effective if it is championed at the very top of the organization. Senior leaders in the corporate function need to be accountable for risk management and drive this approach down across the organization. Many firms have already been successful in taking this step with 79% of interviewed firms stating that risk ownership and accountability for risk management is assigned centrally at the corporate level (see figure 6). It is essentially a top down delivery program. Our board has set up direct input from the functional teams who carry out country controls. We have quarterly meetings where we discuss updates from employees on how we can achieve operational success. (Utilities) 10

11 Figure 6, n=66 2. Introduce risk accountability across the organization. Without buy-in at the corporate level, firms are unlikely to be effective in rolling out an enterprise wide ORM program. At the same time, this senior level support is only one ingredient for success. Employees across every level of the organization need to be trained to incorporate risk-based thinking into their day-to-day jobs. They need to be accountable for the risks within their immediate area of control. The results from this study show that 38% of shop-floor employees are not held accountable for risks management (see figure 6) Enhanced risk prevention / control at every level ensures operational excellence. Continuous examination and inspection of risks is also part of this. (Transport) 11

12 3. Agree to timely risks assessments. Ensuring operational risk assessments are completed on a timely basis is a key component in any ORM strategy. These risk assessments help ensure firms stay on top of new compliance requirements and prevent risk management from slipping off the agenda. The required frequency of the audit will be determined by the precise characteristics of each firm and its operational footprint. Among the interviewees for this study, 92% of firms were conducting risk assessments on at least an annual basis (see figure 7). Self-assessments and routine audits by third party verification firms are in place to control risks. (Oil & Gas Downstream) Figure 7, n=66 12

13 4. Quantify and prioritize risks. An effective ORM program is able to quantify and prioritize the identified risks, enabling mitigation efforts to be targeted in the most effective way. Managing an optimized ORM program requires that risks are quantified in terms of probability and severity, as well as the calculation of costs and benefits of mitigating a risk versus allowing the risk to remain as is. It is this multi-faceted calculation which helps determine the mitigation action (if any) that needs to be taken. Based on the risk metrics, we improve the risk management system. We have 5x5 metrics which comes to 25, which we then use to evaluate day to day operations. If a risk score goes above 12, then it will be considered as moderate or high risk. We will apply the highest priority based on the metrics calculated. (Food & Beverage) 5. Establish appropriate metrics and KPI s to monitor and assess performance. Establishing the correct risk monitoring metrics and KPIs is one of the most important steps in the ORM program. By establishing metrics, firms can ensure that the appropriate effort and resources are expended based on the risk profile of the business. A number of firms are already aware of the criticality of this step and therefore supplement the development of their own metrics with advice and guidance from other sources (see figure 8). For every improvement we make, we tend to establish a set of KPIs to make a measurement of the success of the improvement. Generally, one of those KPIs will be related to risk management. (Mining & Metals) 13

14 Figure 8, n=66 6. Implement consistent, well-documented and cost effective controls. Once the priority risks are quantified and identified and the monitoring metrics and KPIs established, it is necessary to implement control measures to actively mitigate these risks. From the firms interviewed, 98% felt they already had at least adequate controls already in place (see figure 9). In contrast, only 27% described these controls as cost-effective, suggesting an opportunity to find better options for managing and controlling the identified risks. Having standardized processes and procedures in place for risk mitigation is an essential attribute of a successful risk management strategy. (Food & Beverage) 14

15 Figure 9, n=66 7. Reinforce the importance of risk management through regular communications. Establishing a regular timetable of communication on ORM performance is an effective way of maintaining engagement on the subject. Tailor communications to specific levels and functions of the organizations to address different priorities and focus areas. Linking the impact of ORM to broader programs, such as operational excellence, will boost engagement by making the benefits of ORM more tangible. We have monthly reports & information on operational risk management that is sent to everybody stating what is being done & what went wrong and what went right. (Transport) 15