SEARCH

Those who have been following me might be aware of my presentations on demystifying risk entitled, Lord of The Risks – Defeating the Dragon of Uncertainty. In these presentations we follow the adventures of a team of individuals that go on an adventure to complete a mission of strategic importance. They have never worked together before and some have never been on an adventure. Their mission will require that they leave the world of the Shire, a place where they know everyone, how things work, and where life is predictable – it is a world of certainty. However, they must now take a step out into the a world that they don't fully understand, they don't know how things work, and both threats and opportunity are unpredictable – it is a world of uncertainty. And it is this uncertainty that creates the opportunity for risk. It’s a dangerous business, walking out one’s front door. You step onto the road, and if you don't keep your feet, there's no knowing where you might be swept off to.” While not fully understanding the risks ahead our team agree to go on the adventure because the stakes are too high not too. The Ring of Value that was forged in the Valley of Capabilities has been lost and if not recovered may end up at Mount Doom where value is destroyed. Their mission objective is to find the Ring of Value and take it to the Mountain of Better Outcomes along the value stream. Fortunately, with the help of a wizard (aka risk manager) our team was successful in fighting the Dragon of Uncertainty and reclaimed the Ring of Value. We catch up with our team as their journey continues... Lord of the Risks - The Two Towers: Productivity and Compliance The Fellowship of the Ring of Value have just decided to pass through the gate of pro-activity and are making progress towards the Mountain of Better Outcomes along the value stream when they come across someone they recognize but have not seen for a while. The Wizard who had previously helped them now greets them: "I come back to you now, at the turn of your intention. One stage of your journey is over, another begins. To make progress towards your destination you must be mindful of the ever watchful eyes of The Two Towers: Productivity and Compliance. Keep both in your gaze at all times and don't by any means look at only one and avoid the other." The leader of the fellowship puzzled by what the wizard had just said, replied: " you have not changed, my friend, you still speak in riddles." The wizard apologized for speaking in Riskish and explained, this time in English, more about The Two Towers and how the towers will help them achieve their mission. "Because even the very wise cannot see all things" The Two Towers: Productivity and Compliance The two towers were constructed in recent years to guide you through the valley of capabilities (otherwise known as the Value Chain) along the value stream. Here is a map so that you can find your way: Each tower has its own purpose to help ensure that the Ring of Value reaches the Mountain of Better Outcomes. They also have different strategies and tools to help you contend with the dragons of uncertainty: Aleatory and Epistemic. What you must always remember is to keep both towers in sight and never look at only one at the expense of the other. The Tower of Productivity - Use only what you need You must only use the resources you need to ensure you have enough to reach your destination. This tower will help you eliminate waste, and improve your productivity so that you reach your destination with room to spare which is called margin, which is the best way to contend with the Aleatory Dragon. The strategy most often used by the Tower of Productivity is something that is known as LEAN. Here the Ring of Value will be pulled through the value stream which will surface hidden artifacts that are slowing you down. The people of this tower call these artifacts waste and you will be wise to eliminate as many of these as you can manage. Learn from these folk for their practices and tools will help you with what lies ahead that you cannot predict. However, you must remember that the two towers work together and so you must be ever mindful to use your gains wisely. Some of your gains must be allocated to the Tower of Compliance to strengthen your defenses to defeat the Epistemic Dragon. The Tower of Compliance - Your defenses must hold Your standards, systems, processes, and controls must not fail to protect the the Ring of Value as you move through the value stream. The Tower of Compliance will help you buy down risk by creating lines of defense against the Epistemic Dragon. The folk in the Tower of Compliance are known to use what is known as RISK MANAGEMENT and they are fond of the BowTie Analysis. They will look to your goals and objectives to identify prevention and recovery controls (your defenses) to increase the certainty of completing your mission. Make sure that you know what your objectives are otherwise their strategies will be less effective. You must ensure your defenses are sufficient and strong enough to hold. To strengthen them and broaden your coverage you will need to make alliances with Safety, Quality, Security, Environmental, and Regulatory folk. Some of them have not worked together for many years if at all. However, you will find that they will unite and fight together under the banner of "risk reduction" which is a goal they all have in common. One last thing, there is more at risk than you realize. Your defenses must not only protect the Ring of Value , they must also protect the fellowship, the people of the value stream, and the Valley of Capabilities otherwise you will not make it to the Mountain of Better Outcomes . The Wizard Rides North Some of the fellowship did not understand and were not sure of what the Wizard had just told them. There were some who wished that this mission had not been given to them and that the wizard had not come. The Wizard hearing their murmurs picked up his staff, stood up and said, " So do all who work in highly-regulated, high-risk industries, but that is not for them to decide. All we have to decide is what to do with the time that is given us. There are other forces at work in this world, besides cost reduction and loss prevention. Remember, the people of the value stream will need you, use only what is absolutely necessary and make sure your defenses hold and promise me that you will keep both towers in your gaze at all times and don't by any means look at only one and avoid the other." The wizard then called his horse as he spoke once more to the fellowship: I have heard news about a different kind of dragon, one that has not been seen in these parts for some time, the Dragon of Opportunity. I ride north to learn more about this dragon. Look to my coming, at first light, on the fifth day. At Dawn, Look to the East." And with that the Wizard rode off leaving the fellowship in the Valley of Capabilities between the Two Towers: Productivity and Compliance planning their next part of their journey keeping in mind what the Wizard had just told them about LEAN and RISK MANAGEMENT. Note: Any reference to The Lord of The Rings by J.R.R Tolkien or related works is used under Fair Use License for the purpose of education and learning. #managedsafety #riskmanagement #leanmanagement

Risk scores are commonly used to support risk-based decisions and are usually derived from a semi-quantitative analysis of the underlying risk factors to produce a single value such as: low, medium, and high. This value is subsequently applied to the ranking of options or as a trigger for additional actions and as such can be extremely helpful to support decision making. However, if not implemented correctly, they can introduce vulnerabilities that expose companies to unnecessary and avoidable risk. In a recent discussion on LinkedIn, a person wrote about a situation where risk scores were used. With their permission, I have included an excerpt from that discussion: "A firm with an IS0 27001 certification had both a gap with risk evaluation and risk estimation unrealized by the external auditor. First, its vendor risk management process held that firms with services that cost more need more oversight than firms with services that cost less. This is fine until one looked at why a service might cost less. In this case, the service requests for vulnerability patching a corporate firewall were costing less because they had been skipped for three years. Falsely, the system reported the firewall service was lower risk because it cost less -- in this case too little for the firm’s best interests. Next, risk computations themselves were done in a manner that sounded good but was mathematically flawed. By adding a score for Confidentiality to Integrity to Availability it was possible to rank the security needs of a service, product, software or vendor. But by adding rather than multiplying it became possible for 70% or more of all risks to all have the score of medium. Summing risk indicators presumes statistical independence that was not truly present. The result is a bell curve with 70% of the answers for any combination of inputs resulting in a medium risk score. " This story helps serve to illustrate potential problems with the improper use of risk assessments, scores and ranking. Here are 5 key problems: 1. Outcomes were not validated The resultant scores were not validated to ensure that they would produce the appropriate outcomes. In addition, incorporating the other criteria: confidentiality, integrity, availability; in the calculation was not implemented correctly and may in fact not be statistical valid as mentioned in the excerpt. The decision to create a single-value score (most likely to facilitate the decision making process) contributed to unintended outcomes. 2. Risk scores were not calibrated Risk scores were not calibrated and aligned with the risk attitude (appetite and tolerance) of the organization. There are two aspects to this: (1) the scores themselves need to generate the right distribution of outcomes based on the inputs, and (2) the use of the score must be consistent with the risk attitude of the organization. For example, choosing a high risk option even if it was free would not be acceptable if the risk tolerance for the organization is low. 3. Using single-variable scores produced sub-optimal results Choosing a set of options using single-variable ranking (ex. a resultant score between 0 and 10) can often lead to a less than optimal selection. The primary concern is that a single value is not always sufficient to differentiate the available options. This appears in other domains such as choosing the optimal portfolio of: projects, investments, or process improvement initiatives. Issues with using single-variable ranking are well documented and there are solutions to overcome them. Among these include using: real options, efficient frontiers, multi-attribute ranking, and others. Often just using a matrix of value against risk is enough to produce a more optimal result. 4. Using risk scores in an automated process may be vulnerable to the " Automation Bias " As risk-based thinking becomes more embedded in the organization it is likely to also become more embedded in the decision support systems. Although, not specifically stated in the above scenario, it is possible that the resultant risk score was used (or could be) to automatically select the vendor. The automation bias is defined as, "the propensity for humans to favor suggestions from automated decision-making systems and to ignore contradictory information made without automation, even if it is correct." Automating the selection process may result in: (1) decision makers abdicating their responsibility for the decision to a computer system, and (2) leaning too much on a score to inform them as to the appropriate decision to make. For those who work in the safety field know, you cannot delegate safety (or decisions about it) to a computer system. 5. Using risk scores may not be ethical Decision support systems use numerical values which is some ways are no different from risk scores. However, in the case of the majority of these systems, they address situations of certainty where decision analysis is effective and can be mechanized in terms of moral rules and conditions. When this is done, responsibility (and possibly accountability) is abdicated to a computer system. Doing so might be appropriate accept for when decisions involve risk. Risk-based decisions due to their inherent uncertainty are in the category of ethical decisions that a company makes and cannot easily (or at all) be reduced to a set of rules. If the risk can be completely eliminated by removing the hazard then rule-based decisions might be appropriate. However, should the hazard remain and uncertainty persist then the decision to proceed becomes an ethical choice. Organizations should not transfer accountability for ethical decisions to an algorithm or a decision support system. Research is on-going and there may be at some point the possibility of implementing ethical subroutines that can be appropriately regulated. However, as of this point in time these do not exist and regulatory accountability is a human one. In the example above, the decision to pick a lower cost (although higher risk) option should be made by a person who can ensure that the decision aligns with the company's ethical standards and guidelines. #riskmanagement

The risk and compliance problem: Companies are too reactive. Prescriptive policies, standards and regulations do not adequately protect against loss or ensure value creation. High consequence risk rarely occur due to a failure of a single activity but instead occur because of an alignment of vulnerabilities across multiple activities (i.e. systemic risk). The capabilities needed to manage systems is different than managing individual processes where results are limited to the sum of the parts. To keep up at the speed that risk becomes a reality companies cannot wait for audit findings to make improvements. The solution: Companies must be more proactive. Policies, standards and regulations need to and are transitioning to performance and outcome-based designs (e.g. vision zero) Meeting performance and outcome-based obligations will require a holistic and integrative approach that goes beyond process improvement to focus on system effectiveness. Capabilities must include managing interdependencies between and across functions to unleash performance where results are the product of the interactions. Continuous improvement will be driven by the presence of uncertainty not only the presence of problems. When companies adopt a proactive approach to risk & compliance they will have a competitive advantage because most others will not. And if they become good at it they will be unstoppable. #grc #effectivecompliance #riskmanagement

The concept of resilience is gaining traction particularly among those in highly-regulated, high-risk industries. In an ever changing regulatory landscape resilience is seen as a means to stay ahead of the regulatory curve, avoid costly disruption, and withstand adverse events should they occur. This sounds similar to the objectives of risk management. At one level one can consider resilience as an outcome of effective risk management in the same way as quality products, and safe working conditions are an outcome of effective quality and safety programs. Resilience is also a capability which serves as a defense against the effects of uncertainty in support of existing risk & compliance programs including: quality, safety, environment, and regulatory objectives. Resilience perhaps is more focused on recovery rather than preventive measures. Should resiliency become a program of its own and have its own standards similar to quality, safety and environmental objectives or should it be added to existing risk & compliance programs? What do you think? #riskmanagement

In response to increasing and often overlapping requirements from standards and regulatory bodies, many companies are looking to integrated and proactive approaches to manage all their obligations, reduce risk, and increase stakeholder trust. Each management system serves as a layer of defense against unwanted events such as: loss of containment, injury, regulatory violation, non-conformance, and others.  A Bow-Tie Analysis can be an effective tool to ensure that you are not over or under investing with respect to risk controls.  It also helps you identify metrics to monitor and track the effectiveness of your overall compliance program. #riskmanagement #managedsafety

Everything happens in the presence of uncertainty so make sure your process plan is a risk-adjusted plan. #riskmanagement

The adoption of ANSI / API Recommended Practice 1173 - Pipeline Safety Management Systems will help improve overall pipeline safety. However, adapting to these new practices can be challenging after years of using systems and procedures embedded across the organization. Applying LEAN principles can help to visualize the entire process through value stream mapping so that sources of process and information waste can be removed before addressing new compliance measures. Download our presentation that looks at how lean principles can be applied to managing change within the RP1173 framework. #leanmanagement

In a world that values specialists, individual workmanship and personal accountability the LEAN culture can seem foreign, threatening and perhaps even wrong. In the research paper, "Managing Paradoxical Tensions During the Implementation of Lean Capabilities for Improvement [1]" the authors considers four types of organizational paradoxes: organizing, performing, belonging and learning. In the category on belonging a statement from one of the companies researched typifies a common belief: "Specialists value what they do and their prestige is based on what they have achieved; now they have to be process managers rather than specialists; this fact has challenged their work identities” The paper goes on to say: As such, lean calls for learning more professional skills and applying these in a team setting rather than achieving higher levels of technical proficiency in narrower areas of specialisation (Womack, Jones, and Roos, 1990; West and Burnes, 2000; Lee et al., 2000). Namely, “ the paradox is that the better you are at teamwork, the less you may know about a specific, narrow specialty that you can take with you to another company or to start a new business ” (Womack, Jones, and Roos, 1990, p. 14). " - My emphasis in bold Teamwork strikes at the heart of how many people are valued and how they contribute to the organization. The LEAN mindset challenges our current organizational structures and yet the problems that companies face are those that require greater levels of what LEAN espouses. A common consensus among regulators and standards organizations is the need for better systems to keep workers safe and to help workers make safe choices. The solutions do not rest entirely on either the systems or on the workers but on both. To find these types of solutions requires having a more holistic perspective with greater levels of engagement from those that participate in the processes that we wish to improve. This does not mean that the pendulum swings over from specialists to having everyone become generalists. We still and always need the skilled workmanship of specialists. However, we now need to be open to learn and understand how to work better as a team, in community and come along side others when they need support. When pressures are high and push comes to shove we tend to move to our default behavior. Instead of every person for themselves, perhaps we can move in the direction of reaching out to those we work with and seeing if we can help. For those who put their lives at risk everyday they already know that it is better to look out for each other so that everyone gets to go home after their shift. Perhaps, in some ways we are not that far away from the LEAN culture after all. [1] Managing Paradoxical Tensions During the Implementation of Lean Capabilities for Improvement. / Maalouf, Malek Miguel; Gammelgaard, Britta. In: International Journal of Operations and Production Management, Vol. 36, No. 6, 2016, p. 687-709. DOI: 10.1108/IJOPM-10-2014-0471 #leanmanagement

LEAN approaches have been used across many industries for decades with great success. However, there are some industries were using LEAN for process improvement may end up exposing companies to: greater risk, loss of compliance, and reduced safety. This is particularly true for the process industry. Fortunately, many companies in this sector already have the skills to effectively manage risk. They just need to apply these now to manage risk during LEAN improvements. LEAN in the Process Industry There have been several papers over the years written about the use of LEAN in the process industry. The one often cited was published in 2005 by T. Melton, " THE BENEFITS OF LEAN MANUFACTURING | What Lean Thinking has to Offer the Process Industries ." In this paper, Melton presents a compelling case for using LEAN in the process sector while acknowledging that the case for LEAN is not compelling for everyone. She asks the following question, "With the benefits so apparently obvious the question has to be - what's stopping us?" Here we are just over 10 years later and while LEAN continues to make in-roads this question is still pertinent and worth taking another look at. Forces For and Against Melton presents the following force field diagram showing the supporting and resisting drivers within the manufacturing sector of process industries: Let's look at how two of these forces (highlighted in RED) have changed since 2005: Supporting Force: The desire to be compliant in an increasingly regulated environment Since 2005, compliance has changed significantly. Not only has regulation continued to increase but it has also adopted a less prescriptive approach. Several of the recent changes have resulted from acknowledging that the majority of incidents, that precipitated the regulations in the first place, are better addressed by better systems than they are by legislating more prescriptive behaviors. In addition, both standards and regulatory bodies have in previous years introduced updates that are: more systems oriented, risk based, and focused on outcomes. Many have also adopted the use of the Plan-Do-Check-Act (PDCA) cycle and the requirement for continuous improvement. Focusing on the value stream along with continuous improvement are foundational to LEAN and in many ways benefit the process sector more today than in 2005. This is partly because the regulations themselves have adopted best practices from quality and LEAN thinking. Resisting Force: Concerns about the impact of change on regulatory compliance (SHE, Quality, etc) This concern is the flip side of the previous driver. Change of any kind, even those that improve the situation, can increase risk and create undesirable impacts. Melton outlines in her paper 5 steps to LEAN Thinking that provide a way to identify and manage undesirable effects: Those familiar with process safety management (PSM) will recognize that these steps are very similar to the steps followed for Management of Change (MOC): Initiation Scoping Change Design Impact Analysis Approvals Implementation Pre-Startup Safety Review Close-Out In recent years, risk assessment and risk management have become more fully embedded in safety processes to support not only PSM covered processes, but also procedure and organizational changes. From a capabilities perspective, the ability to manage risks and changes has advanced significantly for those that have adopted these practices. Key capabilities include: Cross Functional Teams Engineering Problem Solving and Design Risk Management Change Management Measurement and Verification Monitor and Control These capabilities effectively help organizations manage risk arising from changes to their facilities, manufacturing processes, and to the organization itself. What we now need is a similar management of change process to manage risk during LEAN improvements. LEAN Management of Change LEAN offers significant benefits for companies who want to improve not only production but also their business processes. However, these changes must be done in a way that manages risk, keeps people and processes safe, and maintains compliance. The process industry has had decades of experience managing risk and so this is not new to them. However, this maybe new to those who want to use LEAN to improve processes in companies that are highly regulated. Risk management along with a structured change process is missing from many LEAN improvement initiatives. Understandably, this causes concern when applying LEAN to improve compliance programs and systems. In fact, it is a concern for making any changes to critical business processes. Using Management of Change (MOC) best practices, along with skills already in place, will help to fill in the gaps to effectively manage risk during LEAN improvements. Doing so will alleviate many of the concerns and, finally , allow those in highly regulated industries to obtain more of the benefits from LEAN that other industries are currently enjoying. Revisiting the Question So back to Melton's question which I have revised, With the benefits so apparently obvious, and with significant advancement in risk management, the question has to be - what's stopping us now?" #leanmanagement

Recently, I spoke with a safety expert who has worked for several decades in the safety industry. During this time he provided training, wrote books, and consulted, all to help advance safety. He has now decided to leave the industry to pursue other goals. I asked him why and this is what he said, "safety remains a difficult sell." He is tired of trying to persuade business owners on something they do not want to do. After many decades of promoting safety by him and many others in the field, he observed that there are still too many business owners who would rather wait until they are fined instead of avoiding incidents in the first place. They might buy some training to demonstrate that they are doing something. However, for the most part, they do not value and are not willing to pay to improve safety in their companies. This lack of valuing safety shows up in other ways. It is not uncommon to discover postings for safety professionals to manage entire safety programs that require full safety credentials, a minimum of 5 years experience, and yet only pay them entry level wages. Who wants to work in an industry where very few value your expertise and where you are constantly trying to persuade others to value something that they fundamentally don't. The same reasons are given time and time again. I can't afford it, it is too technical, I don't understand it, that's what I have insurance for, and it takes away from my bottom line. The last one being being the most common. A former VP of a pipeline company told me that they were always interested in safety and reducing costs. What he meant by this was that safety is of interest if it reduces cost, and therein lies the rub. This cost reduction message is heard across all industries and across all compliance programs be it safety, security, quality, environmental, and regulatory. All of these programs are seen as an overhead that do not add value. Compliance activities show up in value-streams as necessary but fundamentally as waste and therefore something to eliminate or reduce. Again, who wants to work at something that is considered in this way. No wonder people leave these fields to work in areas where their efforts will be valued and rewarded. Ask anyone who has been involved in a merger or acquisition as to what areas are cut first and you will have proof as to what is valued. Compliance programs in all its forms ends up being the first to cut. The rationale often given is that we are doing fine with our safety. We haven't had a reportable incident for some time. We can survive with a minimal staff for now. That is the risk many companies are willing to take. This view of compliance while predominate is missing the point. We have all been taught that value is in the eyes of the customer. That is how we determine the quality of our products and services. What is often forgotten is that customers also have quality expectations for how a company manufactures its products and delivers its services. An increasing number of stakeholders also expect companies to not harm the environment, to respect their employees, to abide by the rule of law, to not commit fraud, to protect the rights of their customers, and the list goes on. These too are values and should be considered as part of the overall value proposition. The tension between value production and compliance is a false dichotomy based on an old-factory model. Meeting obligations through effective compliance programs is a value chain in its own right and a critical part of overall value production. Compliance programs when effective are a value-add and not a tax on production or a waste in the value-stream. Compliance delivers value to stakeholders by ensuring that obligations are met consistently and to the highest standards. This engenders trust, reduces risks, and improves customer loyalty. Companies that do not value these programs experience the opposite. By cutting their compliance programs they increase their risks, create uncertainty in meeting obligations, and lose the trust of their stakeholders. It's time to think differently about compliance. Further reading: https://www.leancompliance.ca/single-post/2018/02/11/Compliance-Chain-Analysis https://www.leancompliance.ca/single-post/2017/12/18/Four-Steps-to-Proactive-Compliance https://www.leancompliance.ca/single-post/2017/12/30/Compliance-Helps-Us-to-Stay-Within-The-Lines #managedsafety

Adopting a Safety Management System (SMS) has typically required significant resources, large teams, and expensive technologies and expertise to establish let alone achieve effectiveness at improving safety outcomes. While a SMS is considered an essential part of an effective safety program it remains for many companies a luxury they believe they cannot afford. One reason that supports this belief is that the approaches used by large companies represent best practices and must be used for companies of smaller size, levels of risk, and complexities. However, smaller companies may in fact be in a better position to adopt a SMS with less effort and lower costs by using different practices than larger organizations. In this article, we will consider a case study involving a Land Reclamation company that chose to adopt both a quality and safety management system; something they needed to grow the business but thought they couldn't afford. Case Study I had the opportunity over the last year to work with an organization involved in land clearing, reclamation, and development. This is an asset intensive operation similar to infra-structure construction projects that involve multiple crews, heavy equipment, and interactions with land owners, the public, and the environment. Management wanted to bid on larger projects which required that they have a quality management system in addition to safety. They had always been a company that valued quality and safety but now needed to formalize this as part of a combined managed quality and safety program. They could have taken a traditional approach with a focus on documentation and writing procedures which would have created for them greater administrative overhead among other things. Instead they took an agile and lean approach to meet their objective. The process The first step was to define and then create a Minimum Operational System (MOS) for an integrated quality and safety program (more information regarding this approach can be found here ). Our objective was to establish the processes essential to provide a working system as soon as possible so they could begin to learn how to continuously improve over time. The combined system was modeled after ISO 9001 and ISO 45001 and supported regulatory obligations for safety in Ontario, Canada. The following practices where incorporated into the implementation of their MOS: Management learned essential concepts for a managed quality and safety program. Monthly management reviews were adapted to be proactive (are we making progress) rather than only being reactive (what have we done). Processes and procedures were defined to include measures of conformance, performance and effectiveness. Risk-based assessments were incorporated into all safety and quality critical processes. Data measurement processes were defined for all critical to quality and critical to safety objectives. Corrective and preventative actions (CAPA) were combined to form a single Continuous Improvement (CI) process. Customer satisfaction (NPS) forms and workflows were added to support feed-back processes. A real-time QMS / SMS portal was built using Office 365 to provide continuous status of productivity, safety, and quality. The technical features of the system included: Operator safety check-in using mobile phones to monitor personal safety in remote locations. Drone and site photos are stored and marked-up in Office 365. Operator logs collected and tracked in Office 365 using Microsoft Forms. Microsoft Teams used for project collaboration - SOW, photos, risk assessments, communications, project specific PPE, hazards, etc. Microsoft Forms and Flows for Continuous Improvement requests, approvals, and implementation. Microsoft Planner was used configured as a Kan-Ban to track improvement actions coming from CI’s and Management Reviews. SharePoint libraries used to house and support the management of QMS / SMS documents and manuals. SharePoint Lists used to manage training requirements and records. Metrics tracked and visualized using SharePoint. The QMS / SMS and all associated information is available to employees and contractors from their phones and laptops. The outcome The introduction of an operational QMS / SMS during the year (rather than at the end) produced early benefits associated with: Identification and removal of waste in the process Improved safety and quality measures Improved project measurements which led to improvements in project estimation Improved engagement and participation with project teams and management Installation of the quality and safety manager in their roles having learned essential behaviors and practices during the implementation The result was an operational quality and safety program implemented and sustained through continuous improvement at a fraction of the effort and cost as other approaches. The company was now in a position to continually improve their programs having learning how to do so during its implementation. All of this was accomplished over the course of 12 months utilizing the Lean Compliance Startup Model which is part of The Proactive Certainty Program . This program consists of weekly coaching and work sessions led by subject matter experts as needed to achieve program objectives. Why you may be in a better position to implement a SMS The following observations can be made from this case study and from other projects we have worked on over the years: 1. Larger organizations are slower to change and require greater effort when they do Larger companies typically: Have greater inertia and friction that needs to be overcome when adopting new programs and systems. Require more management to maintain system operations and sustain continuous improvement. Take longer and require more effort to change behaviors. Smaller companies typically: Have less inertia and friction to overcome which enables the adoption of new programs and systems sooner and with less effort. Require less management to maintain system operations and sustain continuous improvement. Can change behaviors faster with less effort. In our case study the company was able to make decisions quickly, engage employees and contractors in participative collaboration, and adopt changes incrementally over the course of 12 months. 2. Larger companies are more likely to follow traditional implementation approaches Traditional implementations use a reductive component-first approach that often leads to silos, overlapping responsibilities, duplication of effort, and other forms of waste. This approach is characterized by: A focus on policies and procedures over outcomes Reductive, divide and conquer approach Removal of waste to address previous inefficiencies leaving less available for real improvements Committees, large projects and waterfall methodologies Viewing continuous improvement as the end game However, a holistic systems-first approach leads to an integrative, more efficient, and the achievement of operational status sooner with less waste in the process. This approach is characterized by: A focus on outcomes over non-value activities Integrative, collaborative and participative approach Adding capabilities to achieve better outcomes Agile and lean teams with continuous delivery methodologies Viewing continuous Improvement not as the end game but as the way systems are built In our case study, a systems-first approach was used to establish a working system of essential processes to support a continuous delivery of quality and safety capabilities. 3. Technology is more abundant and available than ever Advancements in digital technologies have provided companies of all sizes with low cost, on-demand, and more powerful capabilities that help to drive better safety outcomes: The Cloud Big Data Internet of Things Machine Learning and AI Blockchain And many others The company in our case study leveraged Microsoft - Office 365 cloud platform to provide the technology for their QMS and SMS. This was affordable, secure, configurable, included automation support, and available on every device. 4. Reactive management requires greater effort to achieve better results Larger companies tend to have baked-in management practices that reinforce the creation of waste in the form of excessive audits, reporting, and fixing things after the fact. However, smaller companies can be more agile, have fewer fixed systems, and can be more proactive with their compliance. In our case study, the organization was not weighed down needing to support reactive processes and behaviors. Their perspective was always forward looking and always proactive. Conclusion Companies of every size can benefit from having an operational SMS. Smaller companies can take advantage of their size along with agile / lean approaches to implement a SMS that they can afford. In fact, they may have an advantage over larger companies in that they can achieve operational status sooner and be more proficient at continuous improvement in the process. To find out more about our lean approach to compliance visit www.leancompliance.ca. #managedsafety

The practice of continuous improvement is gaining traction within an across all industries. It goes by different names such as: Plan-Do-Check-Act, Lean, Toyota Kata, DMAIC, OODA, and others. Improvement initiatives are often triggered re-actively when issues or problems surface or pro-actively to enhance capabilities or in anticipation of risk due to the effects of uncertainty. These all rely on management having autonomy and discretionary authority to make changes in what objectives are chosen and how they are to be achieved. In highly-regulated, high-risk industries it is not clear what kinds of choices management actually has authorization to make specifically when it comes to meeting safety, environmental, and regulatory obligations. The problems that come from these domains tend to be awkward shapes and sizes that may not align with existing structures which makes it difficult to know who is accountable or responsible. As a consequence, improvement activities are often limited to closing-the-gaps in meeting prescriptive shall statements, and increasing the efficiencies of administrative controls such as: reporting, approvals, document management, and others; usually through the adoption of information technologies, automation, and data collection. This confusion poses a significant challenge for organizations as regulations and industry standards continue to move towards performance and outcome-based designs. These frameworks require organizations to set goals and objectives usually in the context of advancing Vision Zero targets such as: zero harm, zero incidents, zero fatalities, and so on. Organizations are expected to choose appropriate strategies and tactics by which these objectives and goals will be met and advanced. To make progress, risk-based approaches and continuous improvement are required and foundational to most quality, safety, environmental, and regulatory management standards including those from ISO, API, CSA, OSHA, EPA, FDA, and many more. However, when it comes to the reduction of harms, making improvements is not as easy as applying plan-do-check-act to every suggestion that is made. When people's lives are at stake problem-solving and continuous improvement take on a different form. Problem-Solving Protocol Malcolm K. Sparrow in his book, "The Character of Harms: Operational Challenges in Control" outlines a risk-based problem-solving protocol to help address managerial challenges. He suggests the following protocol: Nominate and select potential problem for attention. Define the problem precisely. Determine how to measure the impact. Develop solutions / interventions. Implement the plan. Periodic monitoring, review, and adjustment. Project closure, and long term monitoring, maintenance. Step 1: This activity is administratively separate from the others as it recognizes that the nomination of which problems to pay attention to may be different in both place and time from the decision and implementation processes. Although responding to problems when manifested is common place, it is the anticipation of problems as part of risk identification that leads to more effective harm-reduction measures. Step 2: As with most problem-solving strategies it is essential that the problem be stated as clearly and concisely as possible. Root cause analysis is important to fully understand the nature and scope of the problem and even when found still needs to be studied particularly when it comes to choosing among alternate treatments. This step has a benefit of preventing (perhaps only slowing down) knee-jerk-reactions to act first before acquiring understanding. Step 3: Understanding the nature of the outcome that should be targeted and how it will be measured is what separates successful interventions from those that are not. This step provides the methodological rigor that obliges management to consider relevant metrics related to the outcomes of a solution or intervention instead of the how it is implemented which is a common mistake. Steps 4, 5, 6 : Developing and implementing solutions and interventions requires alternatives. Modeling, simulation, and experimentation are essential to developing options. It is often not the first option chosen that is most effective, and so any presumption that the first option must necessarily succeed should be abandoned in favor of cultivating more effective alternatives. This highlights the need for periodic monitoring, review and adjustment which may include choosing another approach. Of course all of these steps should be done in such a way that limits making matters worse. Paying attention to exposing latent risk and the emergence of new risks is critical to success. Step 7: As is all too common when managing changes is it is easier to create new projects than to close existing ones. Projects may be closed because they succeeded at their harm-mitigation or that success is not possible. It is just as important to recognize in-effective interventions and stop them when there is little chance of success. This is why Step 3 is so important to identify what success looks like and when initiatives should be cancelled. Executing individual initiatives is different from managing a portfolio of them which is why managerial infrastructure and support is necessary. Organizations will need various systems surrounding each step in the problem-solving protocol. These may manifest themselves differently for each organization but will tend to follow common project portfolio capabilities used for business, IT, and other project-related endeavors. However, what is most important are the skills to effectively practice goal-directed problem-solving in the presence of uncertainty. This requires skills more akin to risk rather than productivity management, and a change process that improves the probability of successful outcomes rather than the completion of tasks. Summary Organizations in high-regulated, high-risk industries have for years operated under prescriptive regulations that have defined how harm and risk-reduction must be done. Improvements to such things as occupational, process, pipeline, and environmental safety tend to be limited to closing-the-gaps between work-as-prescribed and work-as-done, along with improving efficiencies in administrative controls. However, the shift towards performance and outcome-based regulatory designs now requires organizations to determine their own means by which risk will be reduced and how harm-reduction outcomes will be advanced. This requires continuous improvement but a different kind than simply applying plan-do-check-act practices. References: [1] Malcolm K. Sparrow, "The Character of Harms: Operational Challenges in Control" [2] Raimund Laqua, "Risk-based Continuous Improvement", https://www.leancompliance.ca/post/risk-based-continuous-improvement #effectivecompliance #managedsafety