
The Link Between Risk Management, Critical Controls and Auditing

Jonathan Brun


Once companies have covered off base line regulatory compliance, they must embark on a journey to reach operational excellence. Leading companies utilize their risk management business process to identify their biggest risks and associated critical controls, and then implement various assurance processes such as audits and assessments to assure the efficacy of these controls.

In the presentation below, Nimonik Partner John Wolfe shares some of the lessons he has learned about business processes in these areas. The presentation covers items he has identified while working with a large number of successful companies around the world.

He outlines the value of an ISO-conforming integrated HSEQ (Health, Safety, Environment and Quality) management system framework and provides a high-level look at three elements in particular:

  • The framework element dealing with legal and other commitments;
  • The element dealing with risk identification and management; and
  • The element dealing with audit and assessment.

Special emphasis is placed on the interaction between these elements, especially in the identification of high-consequence regulations, level 1 risks and critical controls as inputs to a risk-based auditing program.

You can learn more about the link between risk identification, assessment, critical controls and auditing in this free presentation and slides.

For more information on this presentation, on risk management or on other issues, simply reach out to us at info@nimonik.com.



Hello everyone and welcome to the Nimonik EHS Webinar Series. Today’s webinar will be on The Link Between Risk Management, Critical Controls and Auditing. I’ll just give everyone a quick minute to settle in before we begin. Okay. So let’s get started. Today’s webinar will cover how leading companies utilize their risk management business processes to identify their biggest risks and associated critical controls. And then how to utilize various assurance processes, such as audits and assessments, to assure the efficacy of these controls.

But before we begin, I’d like to briefly introduce Nimonik as a company, my role here and of course our presenter for today. So Nimonik is a software service that provides EHS managers with the tools necessary to ensure environmental, health, safety and quality compliance in their operations. Nimonik is both a web service and an app that is designed to help auditors inspect their facilities for compliance issues as well as stay on top of legal updates and maintain a legal register. My name is Kim Chanel and I’m the Communications Manager here at Nimonik. I will be the one facilitating today’s webinar, so please feel free to ask questions throughout the presentation in the Go to webinar question box and we will gladly address them at the end of the presentation.

So now to present this topic to us today, we have John Wolfe, a Nimonik partner and owner of Management Horizons. He has over 30 years of industry experience in the automotive, nuclear power, oil and gas and chemical manufacturing sectors. He managed the ISO committees that developed the ISO 9000 and ISO 14000 standards. But most recently he was Senior Director of Operations Integrity Audit and Risk for Suncor Global Operations and finally he is a co-founder of Conformance Check which was recently acquired by Nimonik. So I’m happy to say that we have attendees from all over the world joining us today. So thank you all for participating and without further ado, here’s John Wolfe on The Link Between Risk Management, Critical Controls and Auditing.


Thank you, Kim. Good morning or good afternoon, everyone. As you heard from Kim’s introduction, my particular expertise lies in the fields of health, safety environment and quality management systems, risk management and audit. So today’s webinar is focused on some of the learnings that I’ve discovered about what works well in terms of management system frameworks and the rules of risk management and the identification and auditing of critical controls play in helping an organization become operationally excellent. Please note that some of these slides contain a lot of data that we won’t have time to cover in this webinar, so there’s a bibliography there for you for reference after the presentation if you want a copy.

Well, all organizations should operate at a minimum in regulatory compliance. I hope that through this webinar and review of the Nimonik products you’ll also get a good sense of the passion that Nimonik has to help organizations develop a compliance plus culture.

But let’s start with the safety moment. I selected something a little different from the traditional safety moment which might have addressed a teachable moment from one of your life saving or golden rules around safety, things like working with energy sources, slips, trips, falls, safe driving or confined space entry. And instead I’ve looked at some of the drivers for change in your business processes. It remains shocking to me that 60% of all operational losses result from preventable causes and 80% of incidents are in fact repeat incidents and then up to 30% of an organization’s costs are [04:02] wasted fixing the same issues. Obviously, the companies that are operationally excellent have a significant advantage over those that are experiencing these types of issues. I don’t know where your organization stands, but think how much more competitive you could be if you could apply those resources to things like new equipment, R&D or marketing.

Two other quotes I’ve added in here that I thought were relevant to an operational excellent company. The first one is “Those who don’t know history are destined to repeat it”. So great companies are learning organizations, they learn from their mistakes and the mistakes of their peers. They conduct quality audits and incident investigations and share their incident data to help prevent those repeat incidents. And the second quote is “You cannot find what you do not seek”. Great companies also have past risk management programs and data analytics. They seek to understand their business processes, risk and controls. They don’t hide bad news or risk from their management, shareholders and the public. They proactively look for risk and invest in the controls to manage those risks and maximize their opportunities.

So in my experience, the organizations with robust ISO 9001, ISO 14001, OHSAS 18001 Health Safety Systems and kind of lean manufacturing processes are the most successful. Why is that? In my experience, the ones that are most successful go beyond simple regulatory compliance where it adds value, they empower their people and recognize the importance of safety in a customer first culture, they understand their risks and opportunities. They understand their business and operations processes and have the right metrics to drive and reward the right behaviors and they have simple, up-to-date procedures that they actually follow. They have competent staff, contractors and suppliers and they have a good management system framework to drive all that and they audit a lot.

So let’s take a look at what constitutes a good Management System Framework. Most organizations today are moving towards an integrated management system rather than a separate ISO 14000 or 9000, 18001 system. Most companies I think in the future will in fact have an integrated system. All of them are pretty much built on the “plan, do, check, act” improvement model that was developed by Deming back in the early 1980s and it’s now used by millions of companies around the world. This slide that I am illustrating here is actually from Suncor and it has about 18 elements and about 67 requirements supporting these 18 elements. Other companies have organized these elements into as few as 10, but the number of requirements pretty much remains the same across most of the companies that I’ve looked at and I probably looked at about 100 around the world.

Now if you have hazardous operations and you have to layer in process safety requirements, then you can add another couple of hundred more requirements. But the ones that we’re going to look at today…sorry, nothing like 100 requirements. The ones that we look at today, that we’re going to be focusing on, are regulatory compliance, Risk Identification, Assessment & Management, and Audit.

And I’ll start with regulatory requirements. So the element dealing with legal and other requirements easily outlines requirements to establish a business process to identify legal and other commitments. And those other commitments I think include things like promises that you make in your permit and license applications and agreements. It could be to a regulator, could be to a First Nations group, it could be to a host of other third parties, but it’s something that you’ve promised and you’re going to be held to it. And it also includes requirements to ensure that your organization has evidence, that it keeps this information up-to-date and that it is operating in compliance. These commitments are usually… [08:24] some form of legal registry.

So there are lots of good examples of effectively designed legal registries, but at a minimum they should document: What is the requirement that we’re looking at? How, why and where is it applicable in your operations? Who is responsible for demonstrating compliance? And what evidence do you have that you are in fact operating in compliance? This usually involves generating evidence in the form of records or reporting of performance. For example, it might be waste management generation or shipment records, air or water monitoring records. It might be training records, it could be an inspection or a maintenance record or in fact it might be an audit.

And again Nimonik can show you lots of good examples and help you develop a good legal registry and in fact provide audit protocols for those situations where you do not have good existing evidence of compliance and/or you want the added level of assurance that an audit provides. And in fact, our next webinar is focused on the attributes of what a good legal registry looks like. The one that I’ve shown you here actually was a short form of one that was listed for Suncor and you might kind of wonder why most companies don’t have this and it always surprises me. A lot of companies that I’ve talked to say “well, I’ve never been charged, so I must be in compliance”. Well, that’s not the way it works if you have to go to court. To protect your company you’ll need evidence showing proof of control, such as informing workers of the hazards or evidence of training and competence or inspection and maintenance records. And a good legal registry will provide a framework to capture that important data because you’ll know exactly what you had to be in compliance with, or compliance to, you’ll know who is responsible for doing that, you’ll know what controls you had in place and you’ll know what evidence you’ve got to support those claims. It can be pretty costly if you’re not. Just think of BP and the billions of dollars it’s spending right now for non-compliance when it spilt millions of barrels of oil into the Gulf of Mexico. Or the organization that I worked for, Suncor, that lost hundreds of millions of dollars a few years ago in shutting production because it actually failed to install a piece of pollution prevention equipment, that instead it worked in a [10:56] application. So it was not even actually about being in compliance, it was a promise in a permit and license application.

So I would also suggest that you consider the potential consequences of non-compliance as an input to your legal registry as well. And therefore into the audit planning process because again not all regulations are created equal and you want to audit those with the highest potential consequences to your company if you’re deemed to be out of compliance.

Perhaps the most critical and foundational element in the management system framework addresses the business process for risk identification and management. The slide that I’ve used in this webinar illustrates the framework developed by the ISO to establish a risk policy with standard and the supporting procedures, appropriate roles and responsibilities, training and monitoring program to support that business process. It also outlines the methodologies to analyze and assess the risks and then treat them usually by putting controls in place to a nature and depth suitable to mitigate them to a level where the company can live with the risk.

Having worked with the ISO for many years, I highly recommend that you use ISO standards whenever possible. It really contains the best thinking from around the world and you can always go beyond the requirements where it makes business sense. In any case, this element is one of the foundations of an operationally excellent management system. If you have good risk and control data, you will have better information to help you allocate your scarce resources against the right opportunities and your highest risks.

The concept of risk includes five components. The first is 1) The hazard inherent in any activity otherwise deemed beneficial. 2) An undesirable event, which brings out the hazard. 3) The adverse consequence of the undesirable event and 4) Uncertainty whether the undesirable event will happen or not (the likelihood/ probability/ frequency). For example, a hazard is present: the ground is covered with ice. There is no risk if no one has to walk or drive over it. There is some risk if one person has to walk over it. The consequence might be a fall with no injury all the way to a fracture. There is an unacceptable risk if the ice is at the entrance to a busy office with multiple steps and lots of people coming and going. In this case, the likelihood of a worst case increases. In addition, the hazard may not pose a risk at all if it’s not encountered or it may be reduced in severity and likelihood through control treatment, i.e. we remove the ice through heated steps or a covered walkway, or we add some salt and hand railings and a proper footwear policy and provide safety training on slips, trips and falls. In that case we’ve actually mitigated the risk.

So one of the important concepts here is the consideration of inherent risks, the risk with no controls present. After we apply control treatments, we are left with residual risk. A more visual way to look at risk is to consider these controls or risk treatment measures as layers of protection. Let’s look at this slide using the example of driving a car. What is the risk inherent in driving? And the answer is momentum, because we’re moving. What is the potential undesirable event? A collision, of varying severity. So what are the protective layers? Well, it could be driver training and habits. Obeying the speed limit. Rules around distracted driving. Drug and alcohol policy. Graduated license. A whole series of preventive layers. What is a mitigating control? It could be seatbelts, it could be inherently safer design for the vehicle. Airbag, safety framing. What’s the recovery control? Insurance policies. So consequences of course vary based on speed, number of persons, property impacted and the likelihood varies on the number of people that are actually driving and a whole series of other things.

To help you determine those inherent and residual risks after control treatments, most organizations deploy a risk matrix. This particular slide shows one that Suncor used a number of years ago. They’ve updated it since, but it’s still quite valid. In this particular risk matrix the risk receptors are considered in four groups: safety, environmental, economic and reputation. And in all the cases you pick the receptor that’s going to have the highest risk rating. Suncor utilized a 6 by 6 matrix with consequence ratings ranging from 1 to 6, ranging from minimal impacts to catastrophic impacts, running horizontally and likelihood ratings, 1 to 6, ranging from very likely to extremely rare, running vertically. So for illustrative purposes, that’s a rare event, for some nasty consequences.

If you operate a pipeline, one of the worst potential risks is a large spill to a sensitive ecosystem, such as a lake, a river, ocean or perhaps an estuary of some kind. The main receptors in this case would be environmental, economic and reputation. And the inherent risk without controls is high both in terms of likelihood and consequence. Potentially billions of dollars in cleanup costs, fines, loss of value and of course reputation. These scenarios place the risk somewhere in the upper right quadrant as an unacceptable level one risk. The intent then is to look at controls that we have in place and see if they are in nature and depth sufficient to lower the likelihood of an eventual severity, to an extent that we can remove that risk from the upper right unacceptable level, one portion of the matrix down to becoming more acceptable level one or two or three ranked risk.

For example, we might start with the design of the pipeline, the route selected, the quality and thickness of the steel we use, the quality of the welds, [17:27] coating, the implementation of pipeline integrity programs, smart digging, regular inspections, leak detection programs, emergency response programs in place. With such controls in place the residual risk may [17:40] acceptable. You should score all four receptors in most cases and select the one with the highest rating.

For presentation to management, many companies use this risk ranking to create heat maps which are color coded red, orange, yellow, green, level one, two, three etc. This provides an easy way to prioritize and justify the actions needed to invest in additional controls. It is important to show both inherent risk and residual risk especially for your level one risk, because if all you ever do is present to management your remediated level two or three risks, you in fact mask what the biggest company risks are and you may not focus on the efficacy of those more critical controls.

There are lots of methods available to us to help identify hazards and undesirable events. Those can include simple things like brainstorming, field level risk assessments, job safety analysis, What-if, HAZOP, Failure mode effect analysis (FMEA), PHAs (process hazard analysis), layers of protection analysis. There are lots and lots of very sophisticated tools that can be applied and very very simple tools that can be applied based on the nature of the risk.

The methodology that I preferred to use during my time at Suncor, as a key piece of the audit planning process was something called The Bow-Tie Analysis. On the left hand side of the page you have the threat causes and preventative controls. In the middle you have the business activity and risk event being considered. And on the right hand side of the page, the recovery preparedness controls and potential consequences. This methodology helps you visualize what controls are critical to either prevent the event, reduce its impact or recover quickly from it. And it’s a great way for risk and control owners to communicate that information as training or communicate it to their management teams since they’re looking for additional resources.

Let’s look at an example of a completed bow-tie for a fictitious east coast marine operator, looking at the potential release of a product to a waterway. You can see the listing of threats and the current state preventative and recovery controls. You can also see the consequence ratings for multiple receptors on the right. And this was actually an example of a bow-tie my group prepared when we were looking to audit unsafe release of petroleum product or non-compliant transportation activity. We sat down with our clients to review what the regulator was auditing, what the business was auditing themselves, what performance monitoring data they had, what incidents they had. I wanted to try and select the controls, the critical controls that would add value for us to audit independently, given the availability of the information that they already had to support the control of their level one risk.

Of interest, the elements of a management system can also be looked at through the same lens of preventative recovery controls and also aid in audit planning. So this is a look at the 18 elements in the Suncor management system, essentially using a bow-tie and often when we look at the efficacy particularly, risk and control, we also do, as we’re doing an audit of their management system, we apply this particular lens.

At the end of any risk assessment, we often end up with a list of risks that is undesirable as for the consequences and likelihood delineated either using team judgment, expert opinion or detailed quantitative analysis. We call this list a Risk Inventory or a Risk Registry. And there are again many templates available to capture your data, but at a minimum you should be capturing, you know, what is the risk being addressed, where is it located, who owns it, what is the inherent risk rating, what are the existing control treatments, a description of the control type, what is the residual risk rating and then the determination of acceptance or plan of action to add more controls. At Suncor we had one, I think it had about 60 data fields that you could turn off and hide and come down to about 10 or expand depending on the level of sophistication that you wanted and it went right down to individual [22:45], it went right down to individual controls based on a hierarchy [22:52] of controls from engineering down to PPE, and it also went all the way to future residual risk.

So if you went through this process, the first time you discovered that you did not get with the planned actions, you’re going to take an adequate risk ranking it would take you one more level as well. So loss of a certification is something very simple. The secret here is to have clean data and start to consolidate it down to information that management can use. So at Suncor we tried to build an enterprise risk management program starting at the bottom of individual risk and control owners, doing what-ifs and PHAs, and LOPAs and HAZOPs, FMEAs and we would sometimes have hundreds if not thousands of data entries for complex operations outlining the level one, two and three risks.

This information was then consolidated into business area risk registries at the VP level which might contain a couple of hundred of the highest, certainly all the level ones and the higher level twos. That information was then presented quarterly to the executive and the board, further consolidated down into what we call principal risks. And there might only be 12 of those, but we were looking for a direct line of sight between those principal risks at the executive level and all the level ones and higher level twos that generated them across the business.

The executive was always interested in the adequacy and efficacy of those control treatments, especially for the level one and two risks and the most effective controls of course are those that eliminate the risk. The next most effective controls are the engineering controls. So for instance, you might add machine guards, interlocks or barriers, safety instrumented systems. Or you might change your process. For example, the electronics industry moving from using hazardous solvents to clean a circuit board to a water-based cleaning system. Or you could choose to move to just-in-time inventory and cut back on the storage of hazardous, toxic or explosive materials.

The next in the hierarchy are administrative controls such as operating procedures and training and of course the last resort and least effective is personal protective equipment. So when you look at your risk registry and you’ve got a level one risk, what should you be looking for in terms of control adequacy? Well, the nature and depth of the control should be commensurate with the financial consequences. So you should be looking for a lot of engineering controls and a lot of really tight administrative controls. If all you see is the administrative controls and PPE, you’re probably already in trouble. So more mature companies assign a numerical value to the different categories of controls to ensure that the risk owners can’t improperly downgrade a level one risk to a level two risk using only controls that are lower in the hierarchy.

And it’s very interesting when you start using methodologies such as HAZOPs and PHAs, LOPAs, you get immediate value and risk reduction through the identification of gaps in this control adequacy. I also find that you find a lot of orphan children work, people don’t actually…there’s nobody who’s been assigned to manage a particular risk or a particular control. So the risk registries are really great in capturing that data as well.

Now if you operate a business, there’s always a new risk and this simple slide makes the point that there are trade-offs and management gets paid to determine the company’s risk tolerance. To engineer out a risk totally can quite cost [26:54]. So again, in a due diligence world what we’re looking for is to make sure that you identify that risk and then you apply reasonable controls to manage it on an ongoing basis and that you know those controls are working.

The International Council on Mining and Minerals has a really good book that you should look at, you should get, it talks about critical controls and they have a great slide in their guide which talks about kind of the definition of what a critical control is. And it’s basically: is the control performance specified, observable, manageable and auditable? Is the control crucial to preventing the event or minimizing the consequences of the event? Is it the only control or is it backed up by another control if the first fails? Would its absence or failure significantly increase the risk despite the existence of other controls? Does it address multiple causes or mitigate multiple consequences of the hazard? In other words, if it appears in multiple places on the bow-tie or in a number of bow-ties, this may indicate it’s a critical control. So if you answered yes to most of those questions, then that helps determine whether the control is critical.

But in many ways it’s common sense. In discussion with the risk and control owner, they pretty much should know what the critical controls are, they should have a good idea and it’s their responsibility to have data to show that those controls are working with efficacy. And it’s your job as the auditor really to help them through that process and to audit those most critical controls and make sure in fact that the auditee has processes in place to ensure their efficacy on an ongoing basis. In almost all serious incidents, you have multiple causes with multiple layers of protection having failures, you know, all lining up under some unusual circumstances or operating condition and that usually involves some sort of failure of the process design or a protection system and alarm system operating within the safe limits that failed, your safety instrumented systems failed, something in your procedures failed or perhaps the procedure was adequate, but staff didn’t follow it or perhaps the procedure was wrong, you had a failure in your management system, your safety culture failed, alertness…all these things have to line up and something, this is basically called the Swiss Cheese Model. So multiple, multiple things have to fail in a [29:46] usually for really bad incidents to happen.

The BP spill provides a great example of the Swiss Cheese Model of critical control failures. And in fact, in this case 8 different critical control areas had failures, and all had to line up for the incident to occur. So I hope there’s no one from BP on the line. But there’s an excellent book out there called Failure to Learn and BP actually had VPs on board the rig that day celebrating personal safety performance. Those VPs I don’t think had a risk registry or process safety risk and controls in each of these different categories that might have driven them to ask the right questions. And if they had, perhaps those controls might have been audited and disaster averted.

By taking these lessons learned from BP’s unfortunate incident to our own offshore operations at Suncor, we drove audits looking at the efficacy of the controls in all our areas and I’m sure every other offshore operator did. The other thing that that incident did was it drove us to look at our joint venture operations where we’re not the operating partner and [31:06 I think it] a five billion dollars bill as a non-operating partner. So it’s interesting if you look at some of these incidents and the critical control failures. It often drives you in other directions to look at risk and governance activity.

So as I designed our particular audit program each year, there are a number of inputs that went into it. So one of the inputs was incident investigations and key performance indicator analysis following up on specific incidents and trends both within our company and the industry, looking at causal analysis in determining what critical controls had failed and where were those companies in use across the operation in the company. Looking at major operational risks and control reviews. So as you saw in that hierarchy we asked, tried to develop an enterprise risk management program, and where we had risk inventories at the front line, driving through the risk registries at the VP level, driving through to a list of principal risks at the executive and board level, and looking at what those level one risks were that in aggregate constituted came together to be a principal risk and even within those which were the highest level one risks, as we designed our audit program.

We also looked at OEMS operations integrity, operations excellence management system self-assessments and audits, so in our company every auditable unit had to do an annual self-assessment of all 18 elements and that data was available to us to see where we had systemic weakness in the management system implementation across the company. And then we would look at our strategy and values to see where the company was driving itself and then of course prior audits and assessments so that we didn’t duplicate effort. Those things led into our topper of things that we would propose to look at.

So we developed a rolling five to seven year audit plan which ensured the coverage of the company’s 51 auditable units around the world, with higher risk operations, those with hazardous processes, audited on a 3-year frequency and lower risk operations audited on a 5-year frequency, retaining the right of course to audit at a higher frequency based on their performance. So there were facilities that we visited every year.

Within that timeline we also took into account basically all the things that I just mentioned. So the principal risks, consultation with business units, the strategy, value drivers, prior audit insights, external risks, risk registries that contained all the level one risks and, you know, associated controls, legal registries. And we came up with three categories of audits that we did annually. So one set of audits was an OEMS audit where we would do deep dives on the weaknesses that we saw within the self-assessments for the operations sector management system. For non-hazardous operations there were processes that didn’t apply, and then for those that actually had process safety requirements they had to meet we would do deeper dives on their process hazard analysis, their mechanical integrity, quality assurance, inspection reporting, all the extra requirements that fall into process safety, and then a series of annual risk-based audits, which were environmental, safety, emerging risks, clients depending on what was the need of the individual business unit.

This slide lists some of the audits that were considered as inputs into that funnel of inputs. For a given year, one dealt with Facility Siting. So this is basically Texas City, blasts and toxics, looking at EPA standard compliance and Suncor’s own standard on facility siting. Another one looked at Risk Transparency and the effectiveness of the risk identification and management programs in individual units. Another looked at Pipeline Integrity of non-regulated lines. And this is just a sample of some of the audits that would be considered in a given year.

So in summary, all of our programs have limited resources and you want to minimize their impact on operations. It’s therefore important to focus efforts on providing assurance that the controls used to prevent incidents with the highest consequence or frequency are operating with efficacy. You need to ensure that your front line operational leadership clearly identifies their hazards, their risks and associated controls and who owns them. They are the first line of defense and they need evidence that the controls are adequate in terms of their nature and depth and are working properly.

The second line of defense is the management level above that risk and control owner, who needs to validate that those frontline leaders have accepted the responsibility and that they as leaders have provided them the resources needed to close any incidents or audit findings or to fund additional controls that are needed.

And then the third line of defense is the corporate audit team, which I suspect most of the people on the line are: internal audit; health, safety, environment and quality; corporate teams. I suggest that you start with your own level one inherent risk controls and work your way down the food chain, recognizing again that the frontline risk control owners have that ultimate responsibility.

In an ideal world they will have already assessed the efficacy of the risks and controls under their purview and you’re simply confirming that they got it right. That’s a multi-year journey to get to that point, but that’s really where you want to be over about a five-year period.

That covers off what I wanted to cover in this webinar. I think we’ve got about twenty minutes left for questions.


Kim: Yes. So thank you, John, for that incredibly informative session on Risk Management. So attendees, please drop down any last minute questions you may have and then I’ll proceed to share these with John. But before I do, I just wanted to quickly point out that Nimonik would love to be part of your efforts to improve your regulatory compliance. So please feel free to give us a call or send us an e-mail for more info. And with that in mind we’ll tackle a few questions. So the first question here for you, John, is: who gets to decide on what is audited, the corporate audit group or the business leadership team?


John: It’s usually a collaborative process depending on the nature or degree of independence that you’ve been granted. I was very lucky that I actually reported straight to the Suncor Org. But most people report through to an EHS vice president who often reports through either to a Health and Operations VP or perhaps an HR VP. So usually it’s a collaborative process based on discussion of kind of what keeps them awake at night and, you know, are they happy with the controls that they’ve got in place to manage their most significant risks. And then it’s an analysis, sitting down with them, depending on the quality of the risk registries that they’ve got, any incidents that they had or the incidents that happened in the industry, to figure out where the team can add the most value. So I would say in the best companies it is very much a collaborative process. In the really really really high performing companies it’s a collaborative process. But the corporate audit group should thus have the ultimate say.


Kim: Great. I have a second question for you here. Some of the risk and critical control audits you mention don’t appear to have clear audit criteria and/or audit protocols. How do you audit them?


John: Right. So in some cases you’ll run into a situation where there’s a risk and there isn’t necessarily a correspondingly clear regulatory requirement or indeed an internal corporate standard. So in those cases, usually what we did, we used the 18 elements of our Operations Excellence Management System as the lens to look at a particular risk and the efficacy of the controls, basically how they were managing that risk. Because there are usually controls there, they just often didn’t have operating procedures or good training programs etc. associated with them. So we would use the lens of the OEMS.


Kim: Perfect. Third question here. Building the risk inventories and registries looks like a lot of work. How do you get buy-in and data quality?


John: Right. So the old adage of garbage in, garbage out really does apply here. And too much data, too many controls to consider takes away the focus of management on oversight activities and resourcing activities. So if you go down this path, you really need to think it out and you really need to have good training and good facilitators to help you, so that you start to collect quality data right from the get-go. And that usually means sending kind of a SWAT team around your business, so that you normalize the data, that you get consistent information and consistent interpretation rather than just capturing issues. Now the challenge in that is you don’t always get the buy-in from the risk and control owners at the beginning. But you get much better quality data, and that’s really the secret to this process: to have limited data but good data in your risk registries, because you will have tons of stuff flowing out of HAZOPs and PHAs, and all that stuff can be managed by the individual risk and control owners and the recommendations that are contained in those. By the time something gets into a VP level risk registry you want it to be pretty good, focused level one and two risk and control data. More often, certainly, the level ones with bow-ties, so that they can get a good clear grasp of what their priorities are, what they should be focusing their efforts on, what they should be resourcing and where they should be spending their money.


Kim: Great. We have another question here for you, John. Is the selection of a six by six or even a three by three risk matrix established on the basis of pure ballistics or simply more a matter of user preference?


John: A three by three I think is perhaps…that’s probably suitable for a very simple, not complex organization. You pretty much do need a five by five or six by six for more complex operations with a lot of hazards and risks and controls and consequences. But again, whether it’s five by five or six by six, that’s really user preference.


Kim: Great. Another question here from James. Would you consider the lack of leadership risk knowledge as a real barrier when setting up CAPEX and OPEX budgets? Most organizations do not set up their budget on risk mitigation objectives. Thoughts?


John: Yeah. In fact I actually did a whole audit on the capital allocation process because it was not consistent across the company, and what I was seeing in audits was year after year deferral of resource allocations associated with level one risks, which of course put the company into a deeper and deeper and deeper liability hole. So yes, you need a good business process for capital allocation that takes the incident data and the data from your risk registries and controls and makes it transparent, so that you get a better outcome than the squeaky wheels getting the grease or, you know, the [44:41] at the moment isn’t getting the resource. It’s a common problem across most organizations and it’s definitely an auditable business process.


Kim: Great. So we have another question here for you. How often do you update your risk registry?


John: Annually at a minimum. But again you should have a management of change process in place so that the registries, which should be in electronic format if you can, in a database, are updated by your management of change process as incidents happen. But in terms of a presentation to senior leaders, executives and the board, that happens quarterly.


Kim: Perfect. Another question here. Hard choices must be made when industries are facing downturns. As a risk manager, do you change your risk appetite after a downturn when your audit program was significantly reduced?


John: Yes. Now, having said that, those risks don’t go away and what you have to do is put in place interim control measures. So if you’re planning on spending capital to engineer out a risk or to downgrade that risk and now you can’t because of the downturn, then what you’re expected to do is put in place additional mitigating controls, which might be an increased frequency of monitoring and measuring or inspection. Again, as due diligence, just to say, you know, we couldn’t do what we wanted to do because we’ve been downsized and the resources aren’t there, but here’s still the way that we’re managing that risk that we recognized.


Kim: Perfect. Thank you. So attendees, please drop down any last questions that you have. I think you touched upon it earlier a bit, but we have another question about capital allocation. So the question goes: capital allocation and operating cash allocation. Is risk management conducted on a kind of sliding scale based upon affordability?


John: No. Maybe just repeat the question.


Kim: Yes, sorry. So capital allocation and operating cash allocation. Is risk management conducted on a kind of sliding scale based upon affordability?


John: I would say no, and the risk and control only can…sometimes teams will play between operating expense and CAPEX, depending on the…you’re on the property owners’ company. But yeah, I know…it’s really a case of how the company is deciding to allocate those resources based on its risk appetite and tolerance. I saw the company, companies that I’ve worked for, you know, spend hundreds of millions of dollars on risk reduction with no corresponding increase in operations or production. You know, obviously those kinds of decisions go all the way up to the board to get blessed, but they’re based on that very clear and common normalized understanding amongst the senior executive team and the board on what they consider to be the company’s risk appetite and tolerance. And some of those things may take years to fund, but they happen.


Kim: We have another question here. Is it required to audit all processes, say at least annually, and more frequently for level one?


John: No. What you need is evidence that those controls are working, those critical controls are working, and there’s lots of ways to do that. It could be through observation programs, it could be through monitoring reports, maintenance, inspection programs, there’s different key performance indicators, there’s a host of ways that people demonstrate conformance, control conformance, beyond doing audits. Audits are one tool to do that and certainly you don’t have to do it every year. And you know, for our hazardous operations we did, the corporate team did deep dives every three years, but again it wouldn’t be all 18 elements, it wouldn’t be all 700 [49:48] process safety requirements, it would be a focused dive on critical controls, critical elements where the organizations’ own self-assessments, which should happen annually, were indicating weakness or where we wanted to follow up on the effectiveness of mitigating measures that they put in place.


Kim: Great. Perfect. So I think that was our last question for today. Thank you so much everyone for asking these very interesting questions and of course thank you, John, for giving us this informative presentation. If anyone has any last minute points, I would then redirect you to info@nimonik.com and we’ll be able to answer any questions. So please note that we will send you a copy of the slides and the recording of this presentation later on today or at the beginning of the day tomorrow. So one last big thank you to everyone. Have a great day and we’ll hopefully hear from you soon.


John: Thank you, everyone.