Over the last six years, as I’ve talked to others about their journey into pipeline safety management system (SMS), a common perspective has been debated; what needs to happen first–improve your safety culture or implement an SMS? It’s an interesting debate that could be unnecessary because the goals of the API 1173 are to improve the safety culture and reduce risk. The later goal, to reduce risk, is the key contributor to improving safety culture, or at least provides the mechanism to do so and to accelerate its progress through risk management.
In our introductory blog on SMS , we discussed how risk management is the engine that drives the SMS processes. It creates opportunities for stakeholder engagement, establishes the need for education and awareness, engages leaders in governance and decision making, drives goal and objective setting, creates the basis for continuous improvement, and, ultimately, improves safety culture.
Throughout API 1173, the authors included requirements to ensure that risk management is at the heart of SMS and repeatedly reinforced those expectations throughout the different elements. The Risk Management element describes the requirements to develop and implement risk management processes. The element of Leadership and Management Commitment describes requirements to make risk management routine and intentional. They set expectations for Stakeholders to be communicated with and engaged in risk identification and management. In fact, most of the elements include some requirement or reference to risk or risk management.
The most important requirement regarding risk management is it must be routine and intentional. When we think of all the compliance requirements and related activities, the requirements, particularly the frequency with which compliance tasks are performed, are defined to make them intentional and routine. This allows them to be measured, establishes the criteria for the management system, and, because of audits, measures whether the work is completed as required.
Corrosion reads, valve inspections, and regulator inspections must be completed “annually, not to exceed 15 months.” This is an example of routine and intentional activities.
In the introduction, the authors of API 1173 write, “the individual elements, when executed as deliberate, routine, and intentional processes, are designed to result in a stronger safety culture.” It is the leadership’s responsibility to ensure the entire system is executed in such a way to achieve the desired outcome and to ensure that routine and intentionality are defined. So, what might a routine and intentional risk management process look like?
First, it starts with a defined set of procedures that describe how the process will be executed. The procedures break down the process into the different components: risk collection, decision making and governance, risk information management, risk assessment, and mitigation planning. These procedural details are important to enable the individuals to manage or execute the risk management processes, ensure consistency in the execution of the processes, and to ensure the process continues to achieve its intended purpose as the organization’s personnel transition and evolve over time.
At least annually, the owner of the risk management process meets with the different stakeholder groups and has a facilitated discussion about the operational risks that are relevant to them. A great time to do this may be early in the fourth quarter of the year or in combination with the integrity management teams. This allows you to reflect on the performance and experiences of the prior 12 months, discuss new or changing risks, and then develop a plan for the upcoming year to mitigate risks.
The output of this process becomes an input into the Management Review and Continuous Improvement process. The results of the SMS and, more specifically, the risk management process can be communicated to your stakeholders, informing them of your progress and the goals and objectives for the upcoming year.
Now that you’ve decided on your goals and objectives for the year, which include which risks you are going to proactively work on, the team can start conducting more deep-dive risk assessments on individual risks. These, too, are facilitated sessions that thoroughly review risk and the associated operational controls and create a defined improvement plan.
Then, the improvement plan and specific improvement projects can be worked on, the results of which will be cycled back into the risk management process and become part of the management review process and the subsequent year’s risk management process, starting the cycle all over again.
By creating structure in the process and establishing intentional engagement activities, the expectations that are defined in API 1173 are reinforced. This helps ensure that the voices of all your stakeholder groups are heard and incorporated into risk management.
The outcome of the process establishes a clear operational focus for the upcoming year, which sets safety improvement priorities for the enterprise, business unit, operating region, or department, creating tangible safety goals for leaders and their employees.
At its best, an SMS reduces risk before an incident occurs. But, incidents do occur, so the process needs to incorporate risks that may surface during the normal course of business or because of an incident. Most of the risks in the risk register will be identified as part of the facilitated and routine execution of the risk management process outside of an incident, which is when you’d prefer to identify and work them to avoid the incident in the first place.
As part of the Incident Investigation process, you evaluate the effectiveness of your controls as well as consider additional or changing risks because of the incident. Therefore, your process must be flexible to address urgent and emergent issues.
One of the common questions that we hear about risk management is, “Don’t we already do this as part of the integrity management programs?” Clearly, the development and advancement of the integrity management programs ushered in a much greater understanding of how to leverage risk management concepts and advanced our thinking around pipeline safety.
However, the integrity rules are so asset-focused and data-rich that you often make mitigation and investment decisions about hundreds, thousands, or millions of pipeline segments, and the solutions are often engineering or operational. The models are complex and continue to evolve as we gather more data and get smarter about the assets and the environment around them. Additionally, they have specific compliance requirements that are unique to each program.
We often help our clients with the development of additional asset-specific risk models, such as regulator stations, valves, or other equipment. These models complement the primary risk models and help the operator make decisions about those asset groups.
Similarly, when you gather risks as a part of your SMS, you start collecting risks related to processing issues, customer service concerns, technology, attrition, training, and others and some asset risks. The mitigation of these risks is not typically to replace an asset or deciding on which assessment tool to run, but rather an examination of the controls that are in place and whether those controls are effective at preventing the risk from occurring or mitigating it if it does occur. Often, an increase in risk in your integrity risk model can be attributed to a process failure related to an operational control.
The SMS risk management process bridges the gap between the detailed asset-based integrity processes and the high-level enterprise risk management process and helps complete the picture of all your risks that affect the safe operation of your systems.
What are some of the challenges when implementing the risk management process? The process can be time-consuming because there are a lot of stakeholders. You likely will not be able to seek input from all of them directly, especially in a large organization. Therefore, your process needs to allow for others, beyond the SMS team, to lead engagement with stakeholders, facilitate the discussions on risk, and represent the views of the masses.
This requires having strong Competency, Awareness, and Training related to SMS to educate those who are supporting the effort. They need to understand what an SMS is, how the process works, what happens next, how their team members will be involved going forward, and be able to communicate all this in terms that are meaningful to the audience.
The SMS process generates a lot of diversity in the types of risks. Each risk should have specific metrics to measure the level of risk and improvement. These measures help establish and support the risk scoring. The risk register needs to be built to allow you to rank the diverse risks while ensuring statistical validity so that you are confident in your decision-making and working on the highest-level risks.
Finally, it may take many cycles to observe measurable improvements from your efforts to mitigate risk. Being dedicated to the process and persistent in the approach is necessary to achieve the highest level of risk reduction or at least the level of risk that your organization is comfortable with. Improvement may come over several years and require dozens of small improvements to see the bigger win–this is another reason why the structure and procedural detail are so important.
Here at EN Engineering, we are helping many of our clients with the development of their risk management processes and procedures. This can include the development of the different tools and templates used to execute the risk management process, such as the risk register, risk submission templates, and the analytical tools to aid in decision making and assessing the effectiveness of the risk management process.
We have an experienced team of experts on staff who can help execute your risk management process. This can include facilitating risk workshops, conducting data evaluations and gap assessments, facilitating risk assessments, facilitating improvement plans, or providing project management services to mitigate specific risks. We also support our clients by assessing the effectiveness of their risk management process and auditing to ensure that the requirements and the intent of the standard are being met.
For more information on implementing an SMS, please contact Jim Francis at firstname.lastname@example.org or 713-324-3950.