Identifying Effective Corporate And Site Risk Management

29 January, 2014

First published in the January 2014 issue of Quarry Management as Making the Connection

Identifying risk connections to avoid surprises that can impact strategy, reputation and performance

By Loren Padelford, executive vice-president and general manager, Active Risk

The role of risk management changes at each level of an organization in the extractives industry, and the criteria used to evaluate the results will vary enormously. Corporate management will be interested in risks that are vastly different to those that keep general managers at mineral extraction sites awake at night. But what effective corporate and site risk management has in common is that it should all be about removing surprises.

Everyone in the business should be focused on the following simple questions:

What are the real, material risks?
What is being done about them?
Is it actually working?

The first question is the most important. If the focus is on the wrong risks then whatever actions are taken will not reduce surprises that can have the biggest business impacts. The traditional spreadsheet approach to risk management is often at fault. It leads to a focus on static ‘Top Ten’ risk lists that treat risks as unconnected items. This approach often drives the business to look in the wrong direction.

John Summers, former chief risk advisor at Rio Tinto and now an independent risk consultant, has some thought-provoking ideas: ‘In risk registers we tend to list individual risks on individual lines because they are more or less spreadsheet-based applications, but that leads us to treat each risk as a linear, independent element,’ he said.

‘If we start to look at the connectivity between risks, we can understand more about the real risks in our business and how there are themes and connections that we haven’t identified yet. That will open up the potential for a richer discussion about how risks should be understood, how contingency planning for operations and businesses needs to be thought about, and actually how disastrous or business-threatening catastrophes could play out.’

This thinking goes beyond current discussions on so-called ‘black swan’ events. Black swans are low-probability, high-impact events. They are often of such low probability that when risks are scored and compared they do not make it on to the management radar, but could have such catastrophic impacts that they should not be ignored, especially at the strategic level.

‘Risk connectivity’ theory is subtly different. It aims to highlight risks which might be quite small when viewed in isolation, but because they are highly connected, could act as catalysts for other much bigger risks. The impact comes from the chain reaction or the fact that a network of risks can be triggered by just one small risk. This is a much more accurate model of the real world than the old school ‘Top Ten’ risk list approach. The trick is to build in some measure of connectedness when capturing and assessing risks.’

A typical extraction operation will have numerous risk and compliance systems and registers, often using stand-alone spreadsheets. There will be risk registers for health and safety, engineering, maintenance, operations, legal, finance, and for special projects requiring major investment, but often this information is not readily available or in the right format to help each level of the business make the right decisions and spot the connections. Risk connectivity cannot be seen if the risks themselves are being held in separate spreadsheet silos. A move to an enterprise approach and single system is needed.

John Summers continued: ‘There are risks potentially lower down in the pecking order which wouldn’t normally come to management and the board’s attention but which are highly connected. The question that the risk manager must answer is should he or she consider presenting to the board amber risks which are highly connected because they may need more management activity than perhaps a very poorly connected red risk?’

Only those material risks that impact goals are real. Everything else is interesting but not necessarily relevant. Again the traditional ‘Top Ten’ risk list-approach causes problems here. Often the risks which make it on to such reports stay the same year in, year out. Organizations get caught in the ‘risk admiration’ trap, where ‘pet risks’ are identified and kept on reports when they no longer have relevance. This leads to board members disengaging from the risk process and rarely challenging the rankings that are on risk registers. They think that the people in the business have done a lot of hard work bringing the top 10 or 20 to them, so there is very little for them to be able to engage with.

‘The real innovation is getting from the risk data that they have invested a lot of money on collecting into the corporate database, knowledge that they didn’t know was there, knowledge that doesn’t come out through the conventional slicing and dicing of risk maps and summary risk registers. That’s where a lot of the power comes from the potential use of these tools and techniques,’ concluded Mr Summers.

In other words, it is time to go beyond static Top Ten risks lists to avoid the risk surprises that can impact strategy, reputation and performance.