operational risk management. cap approach top-down leader backing decentralized implementation ...

Operational Risk Management

CAP Approach

Top-down leader backing Decentralized implementation Moderate implementation tempo Safety lead role for cross-

functional implementation

CAP ORM Vision

“Create a Civil Air Patrol in which all

personnel manage risk such that all

operations are successfully completed

at the least possible cost.”

CAP ORM Mission

“Enhance mission effectiveness at all

levels while minimizing risk.”

The CAP ORM Concept

All are responsible for using ORM.

Risk is inherent in all operations.

Risk can be controlled.

The Compliance Culture

My job is to comply with the standard.

I am told what the standard is. If I am not told, I don’t usually act. When I am given a standard, the

standard is my objective. When I meet a standard, that’s it.

The Performance Culture

My job is to optimize risk - to perform.

I’m given a standard, but that is only a baseline. I use ORM to exceed it.

Standards are only a start point. Meeting a standard means little. I

continuously improve.

ORM Principles

Accept no unnecessary risks. Make risk decisions at the

appropriate level. Accept risks when benefits

outweigh costs. Integrate ORM into doctrine and

planning at all levels.

Accept no unnecessary risk

What are the three main reasons that “unnecessary risks” are sometimes taken?

How can the taking of unnecessary risks be minimized?

Corollary is “Accept Necessary Risk”.

Three reasons for taking unnecessary risks

#1 - Not aware of the risk. #2 - An incorrect assessment

of cost versus benefit. #3 - Interpreting “bold risk

taking” to mean gambling.

Procedures for minimizing the taking of unnecessary risk

Improve hazard detection procedures and awareness of risks.

Improve risk decision making skills at all levels of the organization.

Train personnel at all levels regarding the risk management “credo” not “Mission accomplishment at any cost”, but “Mission accomplishment at the least cost.”

Make risk decision at the appropriate level

What is the “appropriate” level? How do field leaders know if they

are the appropriate level? Is the appropriate level a constant

or does it change?

Finding the appropriate level

Who will answer in the event of an accident? Who is the senior person at the operational

scene? Who possesses best insight into the full

benefits and costs of a risk? Who has the resources to mitigate the risk? What level makes the most operational

sense? What level makes these types of decisions in

other operational activities?

THE MAKING OF IMPORTANT RISK

DECISIONS SHOULD BE PREPLANNED WHENEVER

POSSIBLE

ACCEPT RISKS WHEN BENEFITS OUTWEIGH COSTS

What happens when organizations stop taking risks ?

It becomes “bureaucratized”

WEBSTER: “BUREAUCRACY: A system of administrationcharacterized by lack of initiative and flexibility, by indifferenceto human needs or public opinion, and by a tendency to deferdecisions to superiors or to impede action with red tape.”

• It loses its competitive position.• Innovation is minimized.• It becomes reactive to events.• Morale and esprit decline.

The ORM 6 - Step Process

1. Identifythe Hazards

2. Assessthe Risks

3. Analyze Risk Control

Measures

4. MakeControl

Decisions

5. Risk ControlImplementation

6. Superviseand Review

Using the ORM process

Apply the steps in sequence. Maintain balance in the

process. Apply the process as a cycle. Involve people fully.

Hazard: Any real or potential condition that

can cause mission degradation, injury, illness, or death to

personnel or damage to or loss of equipment or

property.

STEP 1“HAZARD ID”

3. Analyze Risk ControlMeasures

4. MakeControlDecisions


6. Superviseand Review


2. Assessthe Risks

MISSION TASK ANALYSISAction 1

What is at risk?

Focus on the criticalcomponents of the mission.They will be primary targetsfor Hazard ID.

OVERALL MISSION

USING AN OPERATIONS FLOW OR TIMELINE TO IDENTIFY HAZARDS

START

RISK LEVELS H L H M EH M

1 2 3 4 5 6

OPERATION ALPHA

PHASES

Watch forissues betweenphases, at the interfaces.

FINISH

FINDING THEIMPORTANT TARGETS

Review the mission statement. Focus on key capabilities and the

associated equipment. Look at past patterns of mishaps to detect

high impact issues. Ask operational personnel what is

important. Use the timeline.

LIST HAZARDSAction 2

Sources of Information The 7 Primary Hazard ID Tools

BASIC SOURCES

There are three basic sources:

- Experts and References

- Traditional Techniques - (Inspections,

Mishap Reports, Interviews, Audits)

- Hazard Analysis Tools

SOURCES AT UNIT

Unit personnel A lessons learned database or file A safety survey and/or fire inspection hazard

inventory An inventory of hazardous materials with

locations Mishap reports and Annual Mishap Analyses

PRIMARY HAZARD IDENTIFICATION TOOLS

Operations Analysis Preliminary Hazard Analysis What If Tool Scenario Process Tool Logic Diagrams Change Analysis Cause and Effect Tool

(See tutorial or AFPAM91-215 for more detail)

LIST CAUSESAction 3

Use the 5M model to detect root (systemic) cause factors.

Man root causes - Doesn’t know - Training, Doesn’t care - Motivation, Can’t do - Selection.

Machine - Poor design, faulty maintenance, procedures.

Media - Weak facility design, lack of provisions for natural phenomena.

Management - Inadequate procedures, standards and controls.

Mission - Poorly developed, weak understanding, incompatibilities.

RISK ASSESSMENT

The Process which associates “hazards” with “risks”.The Process which associates “hazards” with “risks”.


2. Assessthe Risks




6. Supervise and Review

ASSESS THE RISK

Action 2:Assess hazard

severity

Action 1:Assess hazard

exposure

Action 3:Assess mission

impact

Action 4:Complete

assessment

HAZARD VERSUS RISK

HAZARDA description of a condition that can impair mission accomplishment. No indication of its mission significance.

RISK

A hazard for which we haveestimated the severity,probability, and scope with which it can impact our mission.

EXPOSUREAction 1

Expressed in terms of time, proximity, volume, or

repetition.

SEVERITYAction 2

What impact on mission? What impact on people? What impact on things (materiel,

facilities, environment)?

SEVERITY CATEGORIES

CATASTROPHIC - Complete mission failure, death, or loss of system

CRITICAL - Major mission degradation, severe injury, occupational illness, or major system damage

MODERATE - Minor mission degradation, injury, minor occupational illness, or minor system damage

NEGLIGIBLE - Less than minor mission degradation, injury, occupational illness or minor system damage

PROBABILITYAction 3

Use the cumulative probability of all causation factors.

Express in descriptive or quantitative terms.

Use experience data when possible. Acknowledge uncertainty.

PROBABILITY CATEGORIES

Frequent Likely Occasional Seldom Unlikely

THE RISK ASSESSMENT INDEX

ProbabilityFrequent Likely Occasional Seldom Unlikely

I

II

III

IV

Catastrophic

Critical

Moderate

Negligible

A B C D E

SEVERITY

High

LowMedium

High

Risk Levels

Extremely

High

ASSESSMENT PITFALLSASSESSMENT PITFALLS

Over-optimism Misrepresentation Alarmism Indiscrimination Prejudice Inaccuracy

THE RISK TOTEM POLE

Biggest hazard

Least hazardworthy of action

By ranking the hazards, we can work them on a worst first basis. This is vital because risk control resources are always limited and should be directed at the big problems first to assure maximum bang for the buck.

THE TOTEM POLE DEMOCRACY MOVEMENT

In the fully mature ORM world, every individual benefits from the knowledge of the priority of hazards (totem pole) that exist in their life. A key obligation of leaders is to see that their subordinates possess this knowledge .

Traditional RM - Personnel can’t name or prioritize hazards -- can only name generic hazards.

ORM - Personnel can name and prioritize RISKS that impact them and their mission.

ANALYZE RISK CONTROL MEASURES






2. Assessthe Risks

ANALYZE RISK CONTROL MEASURES

Action 1:Identify controloptions

Action 2:Determine controleffects

Action 3:Prioritize riskcontrol measures

Tools Available:

– The Major Risk Control Options

– Risk Control Options Matrix

IDENTIFY CONTROL OPTIONS Action 1

MAJOR CONTROL OPTIONS

Reject Avoid Delay Transfer Spread Compensate Reduce

CONTROL OPTIONS MATRIX

Engineer Guard Improve Task Design Limit Exposure Selection of Personnel Train and Educate Warn Motivate Reduce Effects Rehabilitate

DETERMINE CONTROL EFFECTS Action 2

What is the impact on probability?What is the impact on probability? What is the impact on severity?What is the impact on severity? What will the risk control cost?What will the risk control cost? How will various risk control options work together?How will various risk control options work together?

CONSIDERATIONS IN CONTROL EFFECTS

Some risk controls impede each other. Example: Security and Safety

Some risk controls reinforce each other. Example: Training & Motivation

When cost effective, use risk controls in depth. Be sure to evaluate the full costs.

PRIORITIZE RISK CONTROL MEASURES Action 3

Get operator input. Focus risk controls where they have maximum impact. Benchmark already existing risk controls.

MAKE CONTROLDECISIONS





2. Assessthe Risks


MAKE CONTROL DECISIONS

Action 1:Select RiskControls

Action 2:Make RiskDecision

SOME IMPORTANT DECISION MAKING CONSIDERATIONS

Make decisions at the right time. Make decisions at the right level. Always make the mission supportive

risk decision

SELECT RISK CONTROLSAction 1

WHEN IS THE RIGHT TIME?

AS LATE AS POSSIBLE. WHY?

- More time to improve ORM

- The need for the risk may go away

BUT NEVER TOO LATE

- Miss the operational train

- Radically increase costs.

WHAT IS THE RIGHT LEVEL?

What are the operational realities? Who will take the heat if it goes bad? Who has the best grasp of the risk and

the opportunity issues? Who would make the decision in

combat? Who can commit the risk control

resources?

A BASIC OBJECTIVE

Endeavor to push the average risk decision down the chain of

command over time

WHY? Because the detail and understanding of WHY? Because the detail and understanding of the implications of the decision increases the the implications of the decision increases the closer to the operator you get…IF THE closer to the operator you get…IF THE LEADERS AT THE LOWER LEVELS HAVE LEADERS AT THE LOWER LEVELS HAVE GRASPED THE OVERALL IMPLICATIONS GRASPED THE OVERALL IMPLICATIONS OF ORM.OF ORM.

ALWAYS GO FOR THE RISK WHEN TOTAL BENEFITS OUTWEIGH

TOTAL COSTS

ALWAYS REJECT THE RISK WHENTOTAL COSTS OUTWEIGH

TOTAL BENEFITS

MAKE RISK DECISIONSAction 2

WHAT IS THE DIFFERENCE BETWEEN A BOLD, DECISIVE RISK

AND A GAMBLE?

IMPLEMENT RISK CONTROLS





2. Assessthe Risks

3. Analyze Risk Control

Measures

IMPLEMENT RISK CONTROLS

Action 1:Make implemen-

tation clear

Action 2:Establish

accountability

Action 3:Providesupport

RISK CONTROLS MUST BE INTEGRATED

Should be integrated fully within the plans, processes, and operations with which they are associated.

Within the area in which they are integrated, risk controls should compete for resources and time based on their relative significance to the mission.

Risk control should be compatible with the “system”.

WHY MUST RISK CONTROLS BE FULLY INTEGRATED?

Integration forces balancing of mission needs. Integration captures more of the knowledge and

experience of large numbers of operators. Integration reduces the number and diversity of

references needed to do the job right. Integration eliminates redundancy and gaps

between functions. Integration strengthens accountability. Integration (in plans, regulations, etc..) reduces

costs and workloads.

MAKE IMPLEMENTATION CLEAR Action 1

Factors to consider:

– Fully involve operational personnel.

– Frame the control within the organizational culture.

– Provide specific task-oriented guidance.

– Test it on small sample of the target audience.

– Coordinate as necessary.

ESTABLISH ACCOUNTABILITY Action 2


– Use the power of command and leadership.

– Use the motivation model.

– Create meaningful, positive incentives.

– Assure accountability is vertically integrated.

PROVIDE SUPPORTAction 3


– Avoid the common problems.

– Provide complete packages (clear, policy, job aids, decision tools, models, databases, training, motivation).

– Provide sustained feedback on results.

SUPERVISE AND REVIEW


6. Supervise and Review 1. Identify

the Hazards


2. Assessthe Risks


SUPERVISE AND REVIEW

Action 1:Supervise

Action 2:Review

Action 3:Feedback


– When properly integrated, supervision of risk controls is exactly the same as supervision of any leadership action.

SUPERVISEAction 1

A primary reason for integration of Operational Risk

Management is so that risk controls are supervised just like

any other leadership action.


– Use rates and numbers when they have a sound statistical basis.

– Use direct measures of risk to supplement rates and numbers or when rates and numbers are not statistically valid.

– Systematically assess the results of the ORM process in De-briefs, lessons learned, etc. Was the benefit worth the cost?

– Adapt and reapply ORM as the mission unfolds.

REVIEWAction 2

You have an adequate exposure base.

You have statistically significant changes.

You make fair comparisons. You “peel” them back.

DON’T USE RATES AND NUMBERS UNLESS

Critical behaviors Critical conditions Critical attitudes Critical skills and knowledge Critical programmatic elements

AUGMENT LEGITIMATE DATA WITH MEASURES OF RISK

Critical means clearly connected to loss potential, i.e., high risk

THE ORM CONTINUUM

PLANNING OPERATIONS AFTERACTION

Deliberate ORMDetailed Hazard IDIntegration

Largely Time-criticalChange AnalysisReal TimeHighly Decentralized

Assess metricsDeliberate ORMIntegrationFeedback to Planning

We try to get most ORM done

here


– Cross talk regarding successes and failures.

– Feedback to leaders and other members.

– Input to established databases (lessons learned).

Tie back into Step 1 to continue.

FEEDBACKAction 3

Questions

operational risk management. cap approach top-down leader backing decentralized implementation ...

Documents

bold risk

risk controlmeasures4

risk controlimplementation6

unnecessary risks

risk management credo

orm processapply

awareness of risks

possibleaccept risks