Risk management

Three Mistakes Organizations Make When Evaluating Enterprise Risk

Driving change to encourage a new way of thinking about enterprise-level risk and potential hazards.


Understanding and recognizing the difference between enterprise and relative risk is critical when considering the various hazards and perils that can affect the operations of an organization or asset.

Too often, risk managers and health and safety personnel operate in silos, without any view of how the hazards that fall within their remit can impact other areas of the business. Without transparency, it is virtually impossible to develop a complete enterprise risk profile and companies can be left unknowingly exposed to potential adverse events—even ones with a very low probability of occurring.

As a global leader in data-driven risk and reliability solutions, ABS Group has a unique perspective on the challenges that organizations face when it comes to enterprise-level risk evaluation and mitigation. Here are three common mistakes we see which can easily be remedied.

1.    Too much focus on one part of the risk equation
An important first step when evaluating risk is to quantify the overall risk profile. Risk is defined in a basic form as:

R = L × C, where:

R = Risk
L = Likelihood = T (Threat) × V (Vulnerability)
C = Consequence of the event occurring

While more complex forms of this equation exist that factor in importance, exposure, and coping capacity, all variations convey the same basic premise that there is some potential adverse condition and an environment in which that condition will yield some form of loss.

When it comes to performing risk calculations, most organizations focus solely on the consequence term of the equation without measuring it against its associated likelihood. This makes it difficult to accurately prioritize risks and efficiently allocate resources toward mitigation measures. It also shifts the focus away from identifying critical vulnerabilities in infrastructure and can leave operations unprotected from “low-probability” events, such as extreme weather events, which have the potential to result in large losses (e.g., floods, wildfires, earthquakes).

To develop a complete risk profile, both the consequence and likelihood terms of the risk equation should be thoroughly evaluated. The latter is typically more difficult to quantify and often requires the help of third parties with expertise in the risk domain.

2.    Siloed analysis and failure to identify risk interdependencies
For large enterprises that rely on smoothly functioning supply chains or transfer of products over long distances, it is possible for an event, such as equipment failure in a single location, to have a cascading effect that can magnify as it reverberates downstream.

For example, it is common for process plants to have backup generators onsite in case their primary source of power (usually grid electricity) becomes unavailable. On the surface, this may provide a level of assurance that the plant is protected from an extreme weather event, such as a severe winter storm, which could knock out grid power. However, what if that same storm also impacts equipment at the wellsites and gas plants where the fuel supply for the backup generators is originating? In such cases, there may not be sufficient fuel to power the process facility, leading to an unexpected shutdown and potentially millions of dollars in lost revenue.

Identifying these types of interdependencies and second-order effects is critical. Doing so requires organizations to take a more holistic view of risk mitigation, as opposed to simply delegating analysis and mitigation tasks to individuals at a local level, which results in the creation of silos.
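The backup-generator scenario above can be checked mechanically. The following is an added example, not part of the original article: a small dependency model that compares a local (siloed) check with one that follows supply dependencies upstream. All asset names, hazard names and impact sets are constructed for illustration, and the dependency graph is assumed to be acyclic.

```python
# Constructed model of the plant example; every name here is hypothetical.
# Each asset lists alternative supply options; an option is a set of
# assets that must ALL be up for that option to work.
DEPENDS_ON = {
    "process_plant": [{"grid_power"}, {"backup_generator"}],  # either source suffices
    "backup_generator": [{"gas_plant"}],                      # needs fuel
    "gas_plant": [{"wellsite"}],
    "grid_power": [],
    "wellsite": [],
}

# Assets each hazard disables directly (constructed sample data).
HAZARD_IMPACT = {
    "grid_outage": {"grid_power"},
    "generator_fault": {"backup_generator"},
    "winter_storm": {"grid_power", "wellsite"},
}


def is_up(asset, failed):
    """Up if not directly failed and at least one supply option is fully up."""
    if asset in failed:
        return False
    options = DEPENDS_ON[asset]
    if not options:
        return True
    return any(all(is_up(dep, failed) for dep in opt) for opt in options)


def siloed_view(target, hazard):
    """Local check: looks only at the target's immediate supplies."""
    failed = HAZARD_IMPACT[hazard]
    options = DEPENDS_ON[target]
    return target not in failed and (
        not options or any(opt.isdisjoint(failed) for opt in options)
    )


def enterprise_view(target, hazard):
    """Follows dependencies all the way upstream before judging the target."""
    return is_up(target, HAZARD_IMPACT[hazard])


def hidden_exposures(target):
    """Hazards the siloed check rates survivable but that take the target down."""
    return sorted(
        h for h in HAZARD_IMPACT
        if siloed_view(target, h) and not enterprise_view(target, h)
    )
```

Only the storm, which hits both the grid and the generator's upstream fuel source, is reported as a hidden exposure; the single-asset failures are handled by the redundancy in both views.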

3.    Lack of consideration for the dynamic nature of risk
Risk is highly dynamic. The likelihood and consequence terms in the risk equation are constantly changing due to a variety of factors. This is especially important to consider when evaluating the impact of extreme weather events, which are increasing in both frequency and severity due to climate change.

Take, for example, Broward County in Florida, which recently experienced what was classified as a 1 in 1,000-year rainfall event. Process plants and energy infrastructure are not typically designed and built to deal with events of this scale. In certain instances, it may be necessary to revisit old site risk evaluations to determine if certain values are still relevant.

Another example is the increasing frequency of wildfires in areas where they have historically not been a major threat. In Colorado, 11 of the state’s 20 largest wildfires occurred after 2016. This trend is expected to continue, putting some oil fields and related midstream infrastructure at a higher risk of being impacted than was thought when they were originally commissioned.

Any changes or upgrades to plants or supporting infrastructure and supply chains are also important to consider. The quest to decarbonize and advance the energy transition is seeing a surge in the use of technologies such as carbon capture, utilization, and storage (CCUS) systems, electrolyzers, and energy storage/batteries. Many of these technologies are being applied in novel ways, with little to no historical operational data to reference when evaluating risks. This further emphasizes the importance of engaging with a qualified third party who possesses the necessary domain expertise to perform a detailed risk assessment and evaluation.

Conclusion: Developing a Complete Risk Profile
Every industrial organization recognizes the importance of having a comprehensive risk prevention strategy at the enterprise level. However, most fail to practice what they preach (albeit unknowingly).

Developing a complete risk profile requires a holistic approach where silos between individual disciplines and local assets are broken down so that interdependencies can be identified. Failure to do so can result in prevention gaps and increased exposure to minor events or threats that have the potential to impact operations far beyond what may initially be perceived.