Mike Meen, Technical Director at Bureau Veritas, assesses whether the traditional two-dimensional approach to risk is adequate in today’s complex society, and highlights the importance of organisational maturity and resilience in hazardous environments.
The traditional two-dimensional risk model sees probability weighed up against consequence, predicting the likelihood of a risk occurring and the severity of the outcome. The problem with this model, particularly in potential hazardous environments and industries, is that it undermines the influence and importance of organisational maturity.
Good organisational maturity, or resilience, results in higher efficiency and greater effectiveness, making sure all those within the company are aligned on culture, communication, processes and goals. A business with a high level of maturity tends to have greater resilience and adaptability to external stimulus.
The 10th edition of Deloitte’s Global Risk Management Survey found that amongst organisations with mature risk management processes, 66% were more likely to achieve their objectives, and have a 30% lower likelihood of experiencing critical incidents compared to companies with low-risk management maturity. In addition, mature organisations demonstrated stronger regulatory compliance, with 85% of mature organisations reporting fewer regulatory breaches, compared to just 55% of less mature ones.
Since the Deloitte report, McKinsey’s 2023 research found only 50% of organisations feel well-prepared to handle external shocks like economic volatility and geopolitical instability, reflecting a significant gap in organisational resilience. Moreover, two-thirds are struggling with complexity and inefficiency in their structures, highlighting the need for more agile and mature systems to better manage risks and disruptions.
Organisational ‘immaturity’ in practice
Organisational maturity is a critical factor in assessing and mitigating risk, particularly in an industrial plant setting where safety, reliability, and operational efficiency are paramount. In the context of industrial risk management, a mature organisation is better equipped to identify, assess, and respond to potential risks in a systematic and proactive way.
In hazardous settings, how a company reacts to an incident can be the differentiator between that event potentially becoming severe or not.
I have personally looked into a number of global incidents over several decades, including Deep Water Horizon, Chernobyl, Piper Alpha and the explosion at the Port of Beirut. In all scenarios, there were clear problems with the chain of command, effective communication and employee training, which has allowed me to formulate the idea that an immature organisation is not resilient to external impacts.
In all these major incidents, probability and consequence were undoubtedly weighed up in the risk management process, the missing link is the third dimension – organisational resilience.
Plant, Procedures, People
In today’s complex society, where technology and artificial intelligence are becoming as sophisticated as people, many organisations can become too reliant on their equipment.
Industries and plants operating in the chemical, manufacturing, nuclear, or oil and gas sectors work heavily on both physical equipment and control logic – particularly safety and environmentally-critical equipment (SECEs) whose sole purpose is to mitigate a potentially hazardous spill or explosion occurring. Although condition monitoring is now sophisticated on these items, it’s vital that ‘people’ are also considered as an additional layer of consideration, otherwise businesses can open themselves up to that third dimension of risk.
In all industrious environments, employees will have the ability to override the machines and controls in place and launch an essential shutdown. The key is ensuring those employees are trained, competent and prepared.
If a piece of plant equipment malfunctions, the next port of call is the business’ procedures and its people. As such, training is vital.
Embedding resilience
It is the environment that a person works in that either supports or inhibits action. It is the application of appropriate processes that prevent or mitigate undesirable events; and ultimately, it is the people and their behaviours that are the source of compliance or ignorance to due process.
Training in risk and resilience doesn’t necessarily mean having to learn about lots of individual elements; it simply means understanding how to be situationally aware.
Organisations seeking to improve their maturity and resilience must ensure that the necessary processes and operations have been put in place, to guarantee a level of excellence across the board – that’s how the third dimension of risk, and arguably the wider risk model, can be mitigated.
It’s important to note that organisational maturity cannot be achieved overnight and isn’t simply the culmination of a set of company rules for employees to follow. It comes from time and investment in navigating each stage of maturity, ensuring operational and process excellence is embedded into the culture of the business.