Risk management by competency

It may be obvious that companies with high levels of competency throughout their organisation are better performers in the medium to long term and deal more effectively with change.

The same observation applies to competency in both risk and safety management. Organisations that commit to understanding and managing the risk to their business, their employees and the public are much better equipped to prevent unplanned events occurring and to recover from disruptions if something does go wrong.

Despite the relentless drive of new technology, all businesses are managed by people, and it is the competency of individuals to carry out their tasks and to act in unison with others that provides inherent risk management and resilience for so many companies.

In successful companies, risk and safety management is a continuous process which is part of day-to-day management activities. But there is not a "one size fits all" solution. In implementing an effective approach to risk and safety management, organisational, industrial and national cultures also need to be taken into account.

Competency in risk analysis

At the heart of good safety and risk management is Risk Analysis - the process of identifying and assessing credible risks (to the business, its people, its processes, the environment, etc.). Without a clear understanding of the risks faced, the implementation of appropriate risk control measures is not possible.

Essential to all good quality risk analysis is competent people: people with specific knowledge of the business and its dependencies, and those with the skills to assimilate and analyse information and draw conclusions. It is important to appreciate that risk analysis provides a "snap-shot" and is constrained by the knowledge and experience of the participants and the availability of information.

Outputs from the risk analysis are the credible risks that the business faces, together with the required (existing or not) controls or safeguards that reduce risks to an acceptable level.

Competency in preventing loss of control

The business may decide that additional controls are warranted to reduce risk levels to meet company standards, industry best practice or legislative requirements. For ease of understanding, controls can be categorised into 'operational' or 'engineered'. Operational controls are those which are directly operated by people, whereas engineered controls are active or passive systems which operate without direct intervention by people.

In order to ensure continuous risk management, it is of course vital that these controls are maintained. For operational controls this is achieved by ensuring that operators remain competent to carry out their tasks. Their competency will be supported by ongoing training and assessment and it is particularly important that new operational staff are also competent.

Engineered controls require regular maintenance and it is essential that the maintenance is carried out by competent people. Where systems must be taken out of service for maintenance, it is critical that they are reinstated properly. Periodic checks of safeguards may be appropriate to ensure their ongoing availability.

Competency in recovering from unplanned events

The risk analysis provides a clear understanding of how events could, if not managed, develop into serious problems. The organisation has the opportunity to plan for these "nightmare" scenarios and ensure that competency requirements of personnel to respond to such scenarios are captured.

One of the more difficult challenges for organisations is to decide on how rigid their systems for managing risk should be. This will be influenced by the type of risks faced by the business and the culture of the organisation and the industry it operates in. Simplistically, for routine activities with high levels of maturity (i.e. changes are slow), operating procedures can be relatively prescriptive.

However, the tendency is for additional procedures or instructions to be added which, over time, can result in bureaucratic systems. For non-routine or unplanned events, experience may be limited and there are dangers associated with introducing overly prescriptive controls which may not be adequate to deal with such events. In these circumstances, there is benefit in relying on competent people to manage the situation within a set of guidelines.

The benefits of competency

For organisations with a strong focus on competency there is a major benefit that is often not clearly recognised. Competent organisations are well equipped to deal with both routine and non-routine events which, if not managed properly, could escalate to become much more serious with significant detrimental impacts on the business.

In today's highly competitive environment, where there is a constant pressure for businesses to become leaner, much of the traditional in-built redundancy and replication has been removed. Whilst this improves short-term business performance, the resistance to unplanned events can be compromised. By investing in their people, and focusing on the competency to carry out both routine and non-routine tasks, companies can build in considerable resilience to the risks they face and thus better prevent, deal with and recover from adversity.

Just as human error (lack of competence) is a major contributor to accidents, so too is human ingenuity (competence) a major contributor to loss prevention.

Defining competency

This article first appeared in RISKworld Issue 3.

Copyright © Risktec Solutions Ltd 2018. All rights reserved.