Upload
aldous-ball
View
215
Download
0
Tags:
Embed Size (px)
Citation preview
Operational Risk Management
CAP Approach
Top-down leader backing Decentralized implementation Moderate implementation tempo Safety lead role for cross-
functional implementation
CAP ORM Vision
“Create a Civil Air Patrol in which all
personnel manage risk such that all
operations are successfully completed
at the least possible cost.”
CAP ORM Mission
“Enhance mission effectiveness at all
levels while minimizing risk.”
The CAP ORM Concept
All are responsible for using ORM.
Risk is inherent in all operations.
Risk can be controlled.
The Compliance Culture
My job is to comply with the standard.
I am told what the standard is. If I am not told, I don’t usually act. When I am given a standard, the
standard is my objective. When I meet a standard, that’s it.
The Performance Culture
My job is to optimize risk - to perform.
I’m given a standard, but that is only a baseline. I use ORM to exceed it.
Standards are only a start point. Meeting a standard means little. I
continuously improve.
ORM Principles
Accept no unnecessary risks. Make risk decisions at the
appropriate level. Accept risks when benefits
outweigh costs. Integrate ORM into doctrine and
planning at all levels.
Accept no unnecessary risk
What are the three main reasons that “unnecessary risks” are sometimes taken?
How can the taking of unnecessary risks be minimized?
Corollary is “Accept Necessary Risk”.
Three reasons for taking unnecessary risks
#1 - Not aware of the risk. #2 - An incorrect assessment
of cost versus benefit. #3 - Interpreting “bold risk
taking” to mean gambling.
Procedures for minimizing the taking of unnecessary risk
Improve hazard detection procedures and awareness of risks.
Improve risk decision making skills at all levels of the organization.
Train personnel at all levels regarding the risk management “credo” not “Mission accomplishment at any cost”, but “Mission accomplishment at the least cost.”
Make risk decision at the appropriate level
What is the “appropriate” level? How do field leaders know if they
are the appropriate level? Is the appropriate level a constant
or does it change?
Finding the appropriate level
Who will answer in the event of an accident? Who is the senior person at the operational
scene? Who possesses best insight into the full
benefits and costs of a risk? Who has the resources to mitigate the risk? What level makes the most operational
sense? What level makes these types of decisions in
other operational activities?
THE MAKING OF IMPORTANT RISK
DECISIONS SHOULD BE PREPLANNED WHENEVER
POSSIBLE
ACCEPT RISKS WHEN BENEFITS OUTWEIGH COSTS
What happens when organizations stop taking risks ?
It becomes “bureaucratized”
WEBSTER: “BUREAUCRACY: A system of administrationcharacterized by lack of initiative and flexibility, by indifferenceto human needs or public opinion, and by a tendency to deferdecisions to superiors or to impede action with red tape.”
• It loses its competitive position.• Innovation is minimized.• It becomes reactive to events.• Morale and esprit decline.
The ORM 6 - Step Process
1. Identifythe Hazards
2. Assessthe Risks
3. Analyze Risk Control
Measures
4. MakeControl
Decisions
5. Risk ControlImplementation
6. Superviseand Review
Using the ORM process
Apply the steps in sequence. Maintain balance in the
process. Apply the process as a cycle. Involve people fully.
Hazard: Any real or potential condition that
can cause mission degradation, injury, illness, or death to
personnel or damage to or loss of equipment or
property.
STEP 1“HAZARD ID”
3. Analyze Risk ControlMeasures
4. MakeControlDecisions
5. Risk ControlImplementation
6. Superviseand Review
1. Identifythe Hazards
2. Assessthe Risks
MISSION TASK ANALYSISAction 1
What is at risk?
Focus on the criticalcomponents of the mission.They will be primary targetsfor Hazard ID.
OVERALL MISSION
USING AN OPERATIONS FLOW OR TIMELINE TO IDENTIFY HAZARDS
START
RISK LEVELS H L H M EH M
1 2 3 4 5 6
OPERATION ALPHA
PHASES
Watch forissues betweenphases, at the interfaces.
FINISH
FINDING THEIMPORTANT TARGETS
Review the mission statement. Focus on key capabilities and the
associated equipment. Look at past patterns of mishaps to detect
high impact issues. Ask operational personnel what is
important. Use the timeline.
LIST HAZARDSAction 2
Sources of Information The 7 Primary Hazard ID Tools
BASIC SOURCES
There are three basic sources:
- Experts and References
- Traditional Techniques - (Inspections,
Mishap Reports, Interviews, Audits)
- Hazard Analysis Tools
SOURCES AT UNIT
Unit personnel A lessons learned database or file A safety survey and/or fire inspection hazard
inventory An inventory of hazardous materials with
locations Mishap reports and Annual Mishap Analyses
PRIMARY HAZARD IDENTIFICATION TOOLS
Operations Analysis Preliminary Hazard Analysis What If Tool Scenario Process Tool Logic Diagrams Change Analysis Cause and Effect Tool
(See tutorial or AFPAM91-215 for more detail)
LIST CAUSESAction 3
Use the 5M model to detect root (systemic) cause factors.
Man root causes - Doesn’t know - Training, Doesn’t care - Motivation, Can’t do - Selection.
Machine - Poor design, faulty maintenance, procedures.
Media - Weak facility design, lack of provisions for natural phenomena.
Management - Inadequate procedures, standards and controls.
Mission - Poorly developed, weak understanding, incompatibilities.
RISK ASSESSMENT
The Process which associates “hazards” with “risks”.The Process which associates “hazards” with “risks”.
1. Identifythe Hazards
2. Assessthe Risks
3. Analyze Risk ControlMeasures
4. MakeControlDecisions
5. Risk ControlImplementation
6. Supervise and Review
ASSESS THE RISK
Action 2:Assess hazard
severity
Action 1:Assess hazard
exposure
Action 3:Assess mission
impact
Action 4:Complete
assessment
HAZARD VERSUS RISK
HAZARDA description of a condition that can impair mission accomplishment. No indication of its mission significance.
RISK
A hazard for which we haveestimated the severity,probability, and scope with which it can impact our mission.
EXPOSUREAction 1
Expressed in terms of time, proximity, volume, or
repetition.
SEVERITYAction 2
What impact on mission? What impact on people? What impact on things (materiel,
facilities, environment)?
SEVERITY CATEGORIES
CATASTROPHIC - Complete mission failure, death, or loss of system
CRITICAL - Major mission degradation, severe injury, occupational illness, or major system damage
MODERATE - Minor mission degradation, injury, minor occupational illness, or minor system damage
NEGLIGIBLE - Less than minor mission degradation, injury, occupational illness or minor system damage
PROBABILITYAction 3
Use the cumulative probability of all causation factors.
Express in descriptive or quantitative terms.
Use experience data when possible. Acknowledge uncertainty.
PROBABILITY CATEGORIES
Frequent Likely Occasional Seldom Unlikely
THE RISK ASSESSMENT INDEX
ProbabilityFrequent Likely Occasional Seldom Unlikely
I
II
III
IV
Catastrophic
Critical
Moderate
Negligible
A B C D E
SEVERITY
High
LowMedium
High
Risk Levels
Extremely
High
ASSESSMENT PITFALLSASSESSMENT PITFALLS
Over-optimism Misrepresentation Alarmism Indiscrimination Prejudice Inaccuracy
THE RISK TOTEM POLE
Biggest hazard
Least hazardworthy of action
By ranking the hazards, we can work them on a worst first basis. This is vital because risk control resources are always limited and should be directed at the big problems first to assure maximum bang for the buck.
THE TOTEM POLE DEMOCRACY MOVEMENT
In the fully mature ORM world, every individual benefits from the knowledge of the priority of hazards (totem pole) that exist in their life. A key obligation of leaders is to see that their subordinates possess this knowledge .
Traditional RM - Personnel can’t name or prioritize hazards -- can only name generic hazards.
ORM - Personnel can name and prioritize RISKS that impact them and their mission.
ANALYZE RISK CONTROL MEASURES
1. Identifythe Hazards
3. Analyze Risk ControlMeasures
4. MakeControlDecisions
5. Risk ControlImplementation
6. Supervise and Review
2. Assessthe Risks
ANALYZE RISK CONTROL MEASURES
Action 1:Identify controloptions
Action 2:Determine controleffects
Action 3:Prioritize riskcontrol measures
Tools Available:
– The Major Risk Control Options
– Risk Control Options Matrix
IDENTIFY CONTROL OPTIONS Action 1
MAJOR CONTROL OPTIONS
Reject Avoid Delay Transfer Spread Compensate Reduce
CONTROL OPTIONS MATRIX
Engineer Guard Improve Task Design Limit Exposure Selection of Personnel Train and Educate Warn Motivate Reduce Effects Rehabilitate
DETERMINE CONTROL EFFECTS Action 2
What is the impact on probability?What is the impact on probability? What is the impact on severity?What is the impact on severity? What will the risk control cost?What will the risk control cost? How will various risk control options work together?How will various risk control options work together?
CONSIDERATIONS IN CONTROL EFFECTS
Some risk controls impede each other. Example: Security and Safety
Some risk controls reinforce each other. Example: Training & Motivation
When cost effective, use risk controls in depth. Be sure to evaluate the full costs.
PRIORITIZE RISK CONTROL MEASURES Action 3
Get operator input. Focus risk controls where they have maximum impact. Benchmark already existing risk controls.
MAKE CONTROLDECISIONS
1. Identifythe Hazards
4. MakeControlDecisions
5. Risk ControlImplementation
6. Supervise and Review
2. Assessthe Risks
3. Analyze Risk ControlMeasures
MAKE CONTROL DECISIONS
Action 1:Select RiskControls
Action 2:Make RiskDecision
SOME IMPORTANT DECISION MAKING CONSIDERATIONS
Make decisions at the right time. Make decisions at the right level. Always make the mission supportive
risk decision
SELECT RISK CONTROLSAction 1
WHEN IS THE RIGHT TIME?
AS LATE AS POSSIBLE. WHY?
- More time to improve ORM
- The need for the risk may go away
BUT NEVER TOO LATE
- Miss the operational train
- Radically increase costs.
WHAT IS THE RIGHT LEVEL?
What are the operational realities? Who will take the heat if it goes bad? Who has the best grasp of the risk and
the opportunity issues? Who would make the decision in
combat? Who can commit the risk control
resources?
A BASIC OBJECTIVE
Endeavor to push the average risk decision down the chain of
command over time
WHY? Because the detail and understanding of WHY? Because the detail and understanding of the implications of the decision increases the the implications of the decision increases the closer to the operator you get…IF THE closer to the operator you get…IF THE LEADERS AT THE LOWER LEVELS HAVE LEADERS AT THE LOWER LEVELS HAVE GRASPED THE OVERALL IMPLICATIONS GRASPED THE OVERALL IMPLICATIONS OF ORM.OF ORM.
ALWAYS GO FOR THE RISK WHEN TOTAL BENEFITS OUTWEIGH
TOTAL COSTS
ALWAYS REJECT THE RISK WHENTOTAL COSTS OUTWEIGH
TOTAL BENEFITS
MAKE RISK DECISIONSAction 2
WHAT IS THE DIFFERENCE BETWEEN A BOLD, DECISIVE RISK
AND A GAMBLE?
IMPLEMENT RISK CONTROLS
1. Identifythe Hazards
4. MakeControlDecisions
5. Risk ControlImplementation
6. Supervise and Review
2. Assessthe Risks
3. Analyze Risk Control
Measures
IMPLEMENT RISK CONTROLS
Action 1:Make implemen-
tation clear
Action 2:Establish
accountability
Action 3:Providesupport
RISK CONTROLS MUST BE INTEGRATED
Should be integrated fully within the plans, processes, and operations with which they are associated.
Within the area in which they are integrated, risk controls should compete for resources and time based on their relative significance to the mission.
Risk control should be compatible with the “system”.
WHY MUST RISK CONTROLS BE FULLY INTEGRATED?
Integration forces balancing of mission needs. Integration captures more of the knowledge and
experience of large numbers of operators. Integration reduces the number and diversity of
references needed to do the job right. Integration eliminates redundancy and gaps
between functions. Integration strengthens accountability. Integration (in plans, regulations, etc..) reduces
costs and workloads.
MAKE IMPLEMENTATION CLEAR Action 1
Factors to consider:
– Fully involve operational personnel.
– Frame the control within the organizational culture.
– Provide specific task-oriented guidance.
– Test it on small sample of the target audience.
– Coordinate as necessary.
ESTABLISH ACCOUNTABILITY Action 2
Factors to consider:
– Use the power of command and leadership.
– Use the motivation model.
– Create meaningful, positive incentives.
– Assure accountability is vertically integrated.
PROVIDE SUPPORTAction 3
Factors to consider:
– Avoid the common problems.
– Provide complete packages (clear, policy, job aids, decision tools, models, databases, training, motivation).
– Provide sustained feedback on results.
SUPERVISE AND REVIEW
5. Risk ControlImplementation
6. Supervise and Review 1. Identify
the Hazards
4. MakeControlDecisions
2. Assessthe Risks
3. Analyze Risk ControlMeasures
SUPERVISE AND REVIEW
Action 1:Supervise
Action 2:Review
Action 3:Feedback
Factors to consider:
– When properly integrated, supervision of risk controls is exactly the same as supervision of any leadership action.
SUPERVISEAction 1
A primary reason for integration of Operational Risk
Management is so that risk controls are supervised just like
any other leadership action.
Factors to consider:
– Use rates and numbers when they have a sound statistical basis.
– Use direct measures of risk to supplement rates and numbers or when rates and numbers are not statistically valid.
– Systematically assess the results of the ORM process in De-briefs, lessons learned, etc. Was the benefit worth the cost?
– Adapt and reapply ORM as the mission unfolds.
REVIEWAction 2
You have an adequate exposure base.
You have statistically significant changes.
You make fair comparisons. You “peel” them back.
DON’T USE RATES AND NUMBERS UNLESS
Critical behaviors Critical conditions Critical attitudes Critical skills and knowledge Critical programmatic elements
AUGMENT LEGITIMATE DATA WITH MEASURES OF RISK
Critical means clearly connected to loss potential, i.e., high risk
THE ORM CONTINUUM
PLANNING OPERATIONS AFTERACTION
Deliberate ORMDetailed Hazard IDIntegration
Largely Time-criticalChange AnalysisReal TimeHighly Decentralized
Assess metricsDeliberate ORMIntegrationFeedback to Planning
We try to get most ORM done
here
Factors to consider:
– Cross talk regarding successes and failures.
– Feedback to leaders and other members.
– Input to established databases (lessons learned).
Tie back into Step 1 to continue.
FEEDBACKAction 3
Questions