Managing risk is not an esoteric exercise. It is not an exercise in which only the Health, Safety, Security or Risk Manager gets involved. It is not about the dollars and cents impact on the bottom line. Managing risk – or more accurately, not managing risk – is an intensely personal experience.
Top tier companies operating in the oil industry have an impressive approach and record to the management of risk. They have records of falling lost time injury frequency ratios and fatalities. Their risk management systems are sophisticated. They need to be. It is so easy to kill people in the oil industry, so easy to pollute vast ecosystems and so easy to harm whole economies.
Their systems have been built, as have many advanced risk management systems in dangerous industries, on the back of the deaths of people over what is now hundreds of years of operations. Deaths caused by known risk events lead to investigations conducted by the companies themselves, and often by the state within which they were operating. The investigations determined issues which, if corrected, could have prevented the risk event occurring. The reports about these issues generated new policies, processes and procedures and, as a result, safety improved. Doing this for a hundred years – along with the deaths of hundreds, if not thousands, of people – helped create a much safer working environment for the people that followed them into the industry.
In the last forty years, the oil industry (along with other industries) has put a lot of effort into preventative risk treatment measures which operate at the level of the psyche of people and their attitudes towards risk. People from all walks of life and all levels in the hierarchy of organisations were trained and encouraged to assess hazards and the likelihood of risk events which, if they occurred, would create a negative consequence with regard to either the reputation of the organisation, physical or financial assets, the environment, or people.
Hence, when I was working in the oil industry, it really became part of my life, waking up each morning and going to work to imagine the probability of a risk event occurring and its possible consequences, as we tackled different projects or completed our business-as-usual tasks.
On a couple of occasions, this attitude towards risk was not enough – or I was not on my game enough to prevent unacceptable consequences.
One time, I thought that we needed an unloading dock at a processing plant I had just taken control of, where drums of product were delivered from a truck tray by dropping them on to a large tyre on the ground. The tyre acted as a cushion for the drums, which weighed over 200kg. When the drum bounced off the tyre, it was controlled by a man at ground level grabbing the drum on the rebound. I did not have the budget for the work and prevaricated for a week about going ahead with the work. In the end, I decided to go ahead. Three days before the work was completed, one of our staff , in grabbing a drum being delivered was off balance, tried to hold the drum nonetheless. He ended up with a hernia, which had to be operated on in hospital.
Another time, we had an incident in Fiji, which was investigated. It was found that the causes of the incident – where our gatekeeper broke his ribs and had to have his spleen removed – were abnormal work conditions not being evaluated properly for risk, new people in the terminal not being inducted properly, and existing procedures not being followed. It could have easily been a fatality.
After the investigation was completed, I flew to the neighbouring country of Tonga (where we had an operation for which I was also responsible) and spent a day explaining to staff what had happened in Fiji and why and what they had to be vigilant about. My rationale was that if the combination of circumstances to cause such an incident were in Fiji, they were likely to be in Tonga too. I flew home that evening thinking I had done all the right things. I landed in Nadi to be told that there had been an explosion in Tonga. I could not believe my ears. The circumstances, the underlying causes of the incident, seemed identical to that which occurred in Fiji.
Tens of telephone calls to officials in Tonga and Fiji, and to New Zealand to the emergency aerial ambulance service to attempt to get a man injured in the explosion to a hospital in New Zealand came to nought. He died.
I flew back to Tonga with the duty to tell the man’s wife that he had died. The impact on me personally of the moment the woman opened her door are etched in my mind and in my heart. The impact on her and her family were undoubtedly even more profound.
The task of telling her that her husband had died whilst in my care haunts me to this day when I think about risk and its management. It haunts me when I see people and organisations treating risk management as a “tick the box” exercise. For example, one organisation instituted a system for recording visitors and policed it vigorously, but still maintained a boardroom set up with numerous trip hazards and electrical overload risks. They did this because they were to be audited on their visitor registration system.
It also haunts me when I see, more often than not, organisations ignoring procedures most likely built on the bodies of hundreds – if not thousands – of people who have died before, or environmental incidents which have damaged whole ecosystems, in the search of speed or reduced cost or perceived personal inconvenience.
For example, in the BP Deepwater Horizon Oil Spill, more than 200 million gallons of crude oil was pumped into the Gulf of Mexico for a total of 87 days, making it the biggest oil spill in U.S. history. In 2011, a White House commission likewise blamed BP and its partners for a series of cost-cutting decisions and an insufficient safety system. In essence, existing procedures were not followed, and incidents were not effectively followed up to improve policies and procedures.
In that incident, eleven people did not come home and seventeen people did not come home in the same state they left for work.
Over the past few years, I have worked with two clients whose method of managing risk leaves me cold. So cold, because I can see if they do not “get it” about managing risk, they will kill someone too. One by inattention to keeping proper records of engineering works. The other by not taking proper attention to minor breaches in important policies and procedures which are in place to prevent catastrophic risk events, thus creating a culture of it being OK to flaunt risk management policies and procedures.
When it becomes OK to flaunt risk management policies and procedures, there is no telling how much people will flaunt them – usually until the risk even occurs and we, as leaders, get to live to regret our inability to be insistent, persistent and consistent with regard to those policies and procedures.
Managing risk is serious business. ISO 31000 is a great standard to use. But we have to be serious about managing risk in our setting up and enforcement of policies and procedures and in our regular identification, assessment and evaluation of risk. We have to take it seriously in our creation of treatment plans and our execution of them. We have to take it seriously in our day-to-day work. If we don’t, too often it becomes very personal when another loved one answers the door to a visit they do not want.