What is a hazard?

Risk Management

Introduction
Every day we face things that potentially could cause harm or damage to ourselves, our organisations and the environment. To understand what these things could be, first of all, we have to understand the term “hazard”.

The term “hazard”
A hazard can be defined in more than one way. It is often defined in combination with the terms “risk” or “danger”. In the Cambridge Dictionary, a hazard is defined as “something dangerous and likely to cause damage” (Definition of hazard). Another definition comes from the Canadian Centre for Occupational Health and Safety (CCOHS), whose definition is commonly used when talking about workplace health and safety. The definition they use is: “A hazard is any source of potential damage, harm or adverse health effects on something or someone.” (CCOHS: Hazard and Risk). So basically, a hazard is the potential for harm that may cause loss of life, health impacts, property or equipment losses, social and economic disruption, or environmental impacts.

Sources Used
Cambridge Dictionary. (n.d.). “Definition of hazard”. Retrieved from dictionary.cambridge: https://dictionary.cambridge.org/dictionary/english/hazard

CCOHS. (n.d.). “Hazard and risk”. Retrieved from Canadian Centre for Occupational Health and Safety: https://www.ccohs.ca/oshanswers/hsprograms/hazard/hazard_risk.html

Relational coordination

Risk Management

When cooperating across sections, a range of potential problems may arise, mainly with regard to communication. These problems arise from clashes between different fields of expertise, authorities and cultures. In relation to this, Jody H. Gittell, a professor in the field of management, has developed her theory of relational coordination. The theory is mainly focused on the public sector, but it is still applicable to international private organizations. Used as a tool, it can help analyse the interpersonal processes that could be barriers to optimal efficiency. The theory has furthermore been the foundation for the work of multiple Danish consultants, who have made their own additions to it. Consultants such as Carsten Hornstrup claim that the definition of a good relationship is subjective, and a given relationship can therefore be seen in two completely opposite ways. A relevant factor here is the individual's position of authority within the hierarchy of the organization, as leaders will often have a more positive outlook on the relation.

Jody H. Gittell has set up a negative and a positive spiral to illustrate what indicates a positive and a negative relationship. It is illustrated as a spiral because a relation is heavily built upon communication, and vice versa. There is therefore no real ‘starting point’, and one should try to improve one of the following aspects in order to break through to the next, until it comes full circle.

The theory of relational coordination is based on two different dimensions: relations and communication. The quality of these aspects is defined as follows:

Relations:

  1. Mutual goals: Same interpretation of the mission objective within an organization, where a task is solved based on a set of common, clarified goals. This is also synonymous with the organization’s vision, so it is crucial that everyone is on the same page regarding the overall goal.
  2. Mutual knowledge: To what degree are the different groups familiar with each other’s professional fields and competences? This is not only about performing one another’s list of duties, but also knowing and understanding them.
  3. Mutual respect: Whether the different groups feel acknowledged for their contribution to solving the common task. This is where higher-placed personnel may show a lack of respect for other groups, which ultimately affects the common engagement in a negative way.

Communication:

  1. Frequent and timely: This indicator revolves around whether communication is frequent, timed correctly and interpreted in a meaningful way. The overall coordination suffers if the communication is too frequent, too rare or timed incorrectly.
  2. Precise and problem-solving: Is the communication constructive, practical and relevant? The task needs to be presented in a way the receiver can comprehend, and needs to address the actual issue at hand.

NAT and HRO; Summary

The NAT and HRO theories both simplify the cause of accidents. HRO underestimates the problems of uncertainty. NAT recognizes the difficulty of dealing with uncertainty but underestimates and oversimplifies the potential ways to cope with uncertainty. Both theories believe that redundancy is the only way to handle risk.

Limitations of Both NAT and HRO

Perrow contributed his definition of NAT, identifying interactive complexity and tight coupling as critical factors which shouldn’t be discounted. His top-down system view of accidents, as opposed to the bottom-up, component reliability view of the HRO theorists, is critical in understanding and preventing future accidents. While the HRO theorists do offer more suggestions, most of them are inapplicable to complex systems or oversimplify the problems involved.

A top-down, systems approach to safety

First, it is important to recognize the difference between reliability and safety. HRO researchers talk about a “culture of reliability” where it is assumed that if each person and component in the system operates reliably, there will be no accidents.

Highly reliable systems are not necessarily safe and highly safe systems are not necessarily reliable. Reliability and safety are different qualities and should not be confused. In fact, these two qualities often conflict. Increasing reliability may decrease safety and increasing safety may decrease reliability.

Reliability in engineering is defined as the probability that a component satisfies its specified behavioral requirements over time and under given conditions. If a human operator does not follow the specified procedures, then they are not operating reliably. In some cases that can lead to an accident. In other cases, it may prevent an accident when the specified procedures turn out to be unsafe under the circumstances.

If the goal is to increase safety, then we should be talking about enhancing the safety culture, not the reliability culture. The safety culture is that part of organizational culture that reflects the general attitude and approaches to safety and risk management. Aircraft carriers do have a very strong safety culture, and many of the aspects of this culture observed by the HRO researchers can and should be copied by other organizations. However, labeling these characteristics as “reliability” is misleading and can lead to misunderstanding what is needed to increase safety in complex, tightly coupled systems.

Safety is an emergent or system property, not a component property. Determining whether a plant is acceptably safe is not possible by examining a single valve in the plant (although conclusions can be reached about the valve’s reliability). Safety can be determined only by the relationship between the valve behavior and the other plant components and often the external environment of the plant—that is, in the context of the whole. A component and its specified behavior may be perfectly safe in one system but not when used in another.

Sources:

Shrivastava, S., Sonpar, K. & Pazzaglia, F. (2009): “Normal accident theory versus High reliability theory: a resolution and call for an open systems view of accidents”

Marais, K., Dulac, N. & Leveson, N.: “Beyond normal accidents and high reliability organizations: The need for an alternative approach to safety in complex systems”, MIT

Does your company have a Contingency Plan?

Good strategies always involve a Business Contingency Plan (CP) in case the original plan backfires and does not work as expected. In that case you need a CP to achieve the same goal as planned. A CP will work as your ‘plan B’ in such a case.

Let us see why you need a business contingency plan and how to create one in a few simple steps!

What is a BCP?

But first, let’s define what a contingency plan is.

A contingency plan is a proactive strategy that describes the course of action the management and staff of an organization need to take in response to an event that could possibly happen in the future. A CP is, in other words, related to likelihood and possibility, which we cannot predict with certainty.

What is the purpose of a BCP?

A CP helps you stay prepared for unforeseen events and minimize their impact. The purpose of a business contingency plan is to help your business resume normal business operations after a disruptive event. A CP can also help organizations recover from accidents, manage risk, avoid negative publicity, and handle employee injuries.
At times when your primary plan doesn’t work, you need to execute plan B. This way your business can react faster to unexpected events.

How to make a CP?

An effective CP is based on good research and brainstorming. The four steps below show you how to develop a business contingency plan to help you prepare for the unexpected.

1) Identify the risks

Before you can prepare for an event, you need to know what you are preparing for. You therefore need to identify the major events that can have a negative impact on the course of your business and on key resources, such as your employees, IT systems, machines, etc. Think of all the possible risks in your organization. As you are brainstorming, it is an advantage to involve employees from other teams, to ensure that you are preparing for risks in the entire organization and not only in your team.

Tip: use a mind map to organize and categorize the risks you gather from the brainstorming session!

2) Prioritize the risks

Once the list is created, you need to start prioritizing the risks based on the threat they pose. Make sure you spend your time preparing for events that have a high chance of occurring. You would not want to spend all your time preparing for events you are unlikely to experience.

Tip: To determine which risks are more likely to occur, use a risk impact scale!

3) Develop contingency plans

Once you have created a prioritized list, it’s time to put a plan together to mitigate those risks. As you write a contingency plan, it should include visuals or a step-by-step guide that outlines what to do once the event has happened and how to keep your business running. Include a list of everyone, both inside and outside of the organization, who needs to be contacted should the event occur, along with up-to-date contact information.

Tip: we recommend you begin with the threats you consider high priority!

4) Maintain the plan

Even after you’ve developed a CP, the process doesn’t stop. Once you have completed the contingency plans, make sure that:

  • The CP is quickly accessible to all employees and stakeholders
  • You communicate the plan to everyone who could potentially be affected
  • You review your plan frequently (personnel, operational, and technological changes can make the plan inefficient, which means you may need to make some changes)

Benefits of a CP

Without a backup plan, you’re opening yourself to unnecessary risks. Here we have listed some of the most important benefits of a CP that you cannot ignore:

  • Helps your business react quickly to negative events
  • Lists the actions that need to be taken, so that everyone knows what to do without wasting time panicking
  • Allows you to minimize damage and loss of production

What is the CP planning process in your organization? Let us know in the comment section below!

Sources:

The Danish template for CP

For inspiration take a look at CP templates:

Risk strategy; risk transfer, sharing and spreading

This post focuses on the last of the risk management strategies that we have introduced over the last weeks. Take a look at the last posts to get the full overview!

The final and most debated goal of risk management strategies is, according to Senior Disaster Management Specialist Damon P. Coppola, risk transfer, sharing or spreading. The concept of this goal is not actually to reduce the risk, but to dilute its consequence or likelihood across a large group of people such that each suffers an average consequence. Risk transfer involves moving the risk to a third party or entity, even though this may include giving up some control. By outsourcing, moving to an insurance agency, or leasing property, your organization is not solely responsible when something goes wrong.
The most common form of risk transfer is insurance, which includes reinsurance. Insurance reduces the financial consequence of a hazard’s risk by eliminating the monetary loss associated with property damage. Insurers charge a calculated payment that is priced according to the hazard’s expected frequency and consequence. Payment of the premium guarantees the repayment of losses to impacted participants if the insured hazard occurs. In this way the cost of the secondary hazards is shared by, or spread across, all participants through the payment of premiums. Risk transfer safeguards the project team against unpredictable risks such as weather, political unrest, or COVID-19, which are outside of the project team’s control.
OBS: Risk management may seem superfluous at the beginning of the project. When a project manager is beginning a new project, it is indeed difficult to consider what could go wrong, especially if the project team is affected by overconfidence bias (as described in our earlier post). Therefore, risk management must be considered an absolute priority from the beginning of the project!

Risk transfer does not always result in lower costs. Instead, risk transfer is the best strategy when you can reduce future damage. Insurance costs money, but it may end up being more cost-effective than having the risk occur and being solely responsible for reparations.

Risk sharing includes sharing the risk impacts or liability among suppliers, partners, contractors, or companies by a contract. This sharing enables them to reduce risks around capacity and to reduce the risk of price fluctuations. For instance, if a power supply fails in an expensive server causing the loss of revenue for a customer, you could ask and receive a replacement power supply.

Summary of risk management strategies

Avoid, accept, transfer, or reduce consequence or likelihood. For each risk you encounter, you and your organization will have to deal with it. A pre-assessment or risk analysis enables more options than just a major construction recall.

Within your organization’s risk management framework, you should be aware of the different strategies and understand the guidelines for their implementation. Engineers and managers make decisions concerning risks every day, throughout the organization. Providing a set of clear strategies along with guidance allows the entire organization to appropriately mitigate risks daily.

Feel free to comment, or contact us for more information!

Source:

Coppola, D. (2015): “Introduction to international disaster management”

Risk strategies: Risk Likelihood Reduction and Consequence Reduction

This post focuses on the second pair of risk management strategies, which we introduced last week. Look at the last posts to get the full overview!

Risk Likelihood Reduction

For many kinds of hazard risk, it is possible to reduce the chances that they will manifest into even bigger risks. In such cases, risk is addressed through a reduction in likelihood. Obviously, this is not practical or feasible for certain types of hazards, such as bad weather. Other secondary risks, such as water in the foundation of the construction, have several mitigation options available, including controlled release or cover.

In international projects, for example, companies sign contracts before the actual work begins to lower the likelihood of disagreements.

Another way to reduce the risk likelihood would be enhanced training or applying a security patch. You can also reduce the likelihood by implementing controls that detect the root causes of unwanted failures, so that the team can avoid them. This kind of control is to be found in the management or decision-making process. By improving the ability to find design flaws or the accuracy of field failure rate prediction, you can improve the ability to make appropriate decisions concerning the risks in your project.

Another option is to assign high-risk management activities to highly qualified project personnel. In this way the experts, who are used to running a high-risk business, can anticipate problems and find better solutions. Companies also use diversification of knowledge, sharing skills and know-how across supply chains to spread and reduce risks. This can, with advantage, be done through a RoC Drill, which gathers a group of diverse people. This should be done to have independent, unbiased outside experts review the project’s risk plan before final approval.

Risk Consequence Reduction

The second, similar risk reduction goal is to reduce the impact of hazard risk on humans, structures, the economy, the environment, or any combination of these. Measures that address consequences typically assume that the hazard is going to result in an even bigger risk that will have an associated intensity. Such a strategy is taken to ensure that the structure, collaboration, system, or other subject protected by the mitigation strategy is able to withstand an event without any, or with reduced, negative consequences. The risk levels of most hazard risks can be reduced through at least one, and likely more, consequence reduction options, which is not always the case with likelihood reduction. For most technological hazards, consequence reduction revolves around the development of primary and redundant safety and containment. This strategy employs a bit of risk acceptance with a bit of risk avoidance, or an average of both. An example would be a company accepting a bit of delay in the project by having a buffer time.

Another method to reduce the consequence is to be proactive. Unwanted events or high field failure rates will occur. Therefore, you need to:

1) think about how you will detect the onset of the event, and
2) how to respond.

Maybe you need to stop construction when a part of the plan has a major consequence. Therefore: have a plan in place. By acting quickly and appropriately you may reduce the exposure to more failures/consequences.

Tip: This can be done by gathering the team around a RoC Drill when you need to reschedule the project process!

Source:

Coppola, D. (2015): “Introduction to international disaster management”

Risk strategies: Avoidance and Acceptance

This post focuses on the first two risk management strategies, which we introduced last week. They are opposites of each other and thus reflect totally different views and strategies. Take a look at the last posts to get the full overview!

Risk Avoidance

Some hazard risks pose such a great threat that even a partial reduction in either risk likelihood or consequences is unacceptable, given the possible outcome of a realized event. For these risks, only total risk avoidance is acceptable, which is why action is deemed necessary to reduce either the likelihood or the consequence factor to absolute zero.

By stepping away from the business activities involved or designing out the causes of the risk, you can avoid the occurrence of the undesired events. Some opportunities to avoid risk are to exit the business, cancel the project, close the construction, etc. This strategy has its consequences: in some cases, we even create additional risks by trying to avoid a particular risk. For instance, we may be tempted to choose a supplier with a proven track record instead of a new supplier that offers significant price incentives. On the one hand we choose not to take any chances, but on the other hand we could also miss out on the benefits we could have received by choosing a new supplier. Even though this has other consequences, it is an option.

Eliminating a risk is the best technique you can apply. If the project manager can avoid the risk, it is surely the best way to avoid its negative impacts on the project. Managing risk in this way is most like how people address personal risks. While some are more risk-loving and some more risk-averse, everyone has a tipping point where things become just too risky and not worth attempting.

Risk Acceptance

Some associated risks for certain hazards are considered to be acceptable “as is”. It may be determined that any further reduction in risk is either too expensive or unnecessary. Several reasons might lead to this decision.
First, every project team has a whole range of hazards with which it must contend, and there is assuredly limited funding to treat that range of hazards. Some risks, as determined through cost-benefit analyses, are better left untreated, with the purpose of treating other hazards for which risk reduction will have greater value. All projects will have risks that are so small in terms of consequence or likelihood of occurrence that they are accepted without discussion. This could be going ahead with an event despite the risk of rain, or deciding to take part in a risky activity which is well managed and supervised, but still risky.
Second, some risk reduction measures can result in one or more undesirable consequences. These secondary hazards may be expected to arise as a direct result of the mitigation measure. In such cases they can be considered more damaging or undesirable than the consequences of the hazard risk. Furthermore, if the secondary hazards are not discovered until after mitigation has been conducted, you need to decide whether or not to dismantle the new protection mechanisms.
In most cases, risk acceptance is entertained or applied not when risk reduction or avoidance measures are unavailable, but when they are unaffordable.

Source:

Coppola, D. (2015): “Introduction to international disaster management”

What are risk management strategies?

Every project we face will have to address different risks, in the day-to-day operations or in the long term. Even the most carefully planned project can encounter problems and unexpected risks. Some will be good and some bad. Some will be minor, some bigger. But this does not mean we should give up when we are facing unexpected problems!
Once your organization has identified the existing hazards and their associated risks, further evaluation of risk treatment options becomes possible.

Your ability to mitigate risk allows you to proactively acknowledge and accommodate risks. Getting rid of risk altogether is not a feasible solution, but by measuring risk, your organization can decide how best to deal with each kind of risk.

Risk management is the process of determining an acceptable level of risk, calculating the current level of risk, and then either accepting the risk, avoiding the risk, or taking steps to reduce it to an acceptable level.

In this post, we will introduce the five different strategies to mitigate risk, which we will dive deeper into in the following posts.

Mitigation

Mitigation refers to any action or sustained effort undertaken to reduce a hazard risk through the reduction of the likelihood and/or the consequence component of that hazard’s risk. In other words, mitigation seeks to either reduce the likelihood of the risk occurring or reduce the impact of the consequences if it occurs.

Mitigation goals

Mitigation goals refer to the different methods of dealing with risk. When considering the mitigation options suitable for treating a risk, several general goals classify the outcome that your strategy may seek:

1) Risk likelihood reduction

2) Risk consequence reduction

3) Risk avoidance

4) Risk acceptance

5) Risk transfer, sharing or spreading

OBS: Most of the time, a strategy is not a clean risk consequence reduction or likelihood reduction but a combination of the goals!

Keep in touch to learn more about the 5 different goals in the upcoming posts, where we will zoom in on each specific goal.

Sources:

Coppola, D. P. (2015): “Introduction to international disaster management”

Vulnerability Assessment

Understanding your vulnerabilities is just as vital as risk assessment, because vulnerabilities can lead to risks. If there is a universal imperative when it comes to mitigating vulnerabilities, it’s to analyze them first before you try to fix them. The more complex they are, the more critically important this assessment step becomes.

What is a vulnerability assessment?

A vulnerability assessment refers to the process of defining, identifying, classifying, and then prioritizing all the vulnerabilities that exist in the various infrastructures and applications within the company.

With an effective vulnerability assessment, your organization has the tool needed to understand your security weaknesses, how to assess the risks associated with those weaknesses, and lastly how to put protections in place which reduce the likelihood of those risks occurring.

How to perform a vulnerability assessment

There are three general steps that your company can follow:

  1. Identify and rank the vulnerabilities
  2. Document the vulnerabilities
  3. Create guidance

Step 1: Identify and rank the vulnerabilities

In this step you should define the risk and critical value for each action. You can construct a matrix with columns for each vulnerability, a possible scenario, the probability of an event and the impact of such an event.

Tip: Focus on what matters most!

Step 2: Document the vulnerabilities

The purpose of this step is to document the vulnerabilities, so you can easily identify and reproduce the findings in the future.

Step 3: Create guidance

Use the profile to provide a clear graphical outline of which actions are associated with the greatest vulnerabilities, and likewise which to consider new or additional measures against.

Tip: Your vulnerability assessment should be reviewed and updated on a regular basis or when changes have been made!

Note: The vulnerability profile cannot stand alone. It should be done along with a risk assessment. (Re)read the post about risk assessment.

The pros and the cons of vulnerability assessment:

Sources

Snedaker, S. & Rima, C. (2014): “Risk assessment, Vulnerability Assessment”, in (ed.) Business Continuity and Disaster Recovery Planning for IT Professionals, 2nd edition

Balbix: “Brief overview of vulnerability assessment”, available online: https://www.balbix.com/insights/vulnerability-assessments-drive-enhanced-security-and-cyber-resilience/

Risk Assessment, step 1

How to work with the risk 

Before you deal with the risk, you need to identify what hazards exist in your workplace, and how likely they are to become a risk. After this you can decide what mitigation or control measures are needed.

What is a risk assessment?

The risk assessment is a systematic process which is designed to allow individuals or firms without any specific security background to conduct a basic security risk assessment as part of any wider assessment process. The tool evaluates the potential risk that may be involved in a projected activity or undertaking.

This assessment tool is broken down into three steps which are needed to eliminate or control risks:

This post will only focus on the first step of the risk assessment. If you are interested in learning more, keep in touch – we’ll post the 2nd step in a week!

Step 1: Identify the hazards 

Look critically at your organization’s context in terms of operational processes, sources of risks and the outcome.
There is a wide variety of hazards that can affect a firm entering a new context. Below are some of the most common classifications of hazard to consider.

Tip: You and your employer must systematically check for and track possible hazards in a risk log or register!

Sources:
Damon P. Coppola (2015) “Introduction to international disaster management”

European interagency security forum (2020) “Security to go: A risk management toolkit for humanitarian aid agencies”

Humanitarian Practice Network (2010) “Good practice review – Operational security management in violent environment”