Understanding Risk Control
How does the human element affect risk? And how can RCA help to control it?
- By Brian Hughes, Jimmy Marullo
- Oct 02, 2009
Human behavior is often the focus of safety
investigations. Managers and others are
primarily interested in how to get people
to do the right thing at the right time. Attention
is generally given to risky actions taken by
people. The desire is for people to be careful, to always
watch out, to remember that everyone has a family at
home and that risk recognition and management are
personal responsibilities. But a key element is often
missing from the equation: identification and control
of causes that exist in conjunction with behaviors.
Basics of Risk
Change happens; there is no getting around it. And
there is no reliable way to predict what changes will
come our way or whether these changes will be positive
or negative. We are subject daily to a continuous
stream of uncertainty about what the future holds for
us. This uncertainty increases the further into the future
we look.
Not all outcomes are possible. However, because so
many outcomes fall within the realm of possibility, we
do our best to calculate probabilities and act according
to predictions of what is most likely to occur. But a
calculation that yields a high likelihood of a particular
outcome does not ensure the event actually will happen.
Conversely, a low probability of occurrence does
not guarantee an event will not occur, to which anyone
recently struck by lightning — or those looking at their
March 2009 401(k) statement — can attest.
In engineering, risk is understood to be a subcomponent
of uncertainty. This is because many in industry
define risk as the possibility that change will lead to
an undesirable outcome, whereas uncertainty contains
both the positive and negative possibilities the future
may hold.
The following equation is frequently used to define
risk:
Risk = Probability X Consequence
There are variations on this equation. Sometimes a
variable is included that accommodates the presence
or absence of a barrier that would mitigate undesirable
consequences.
However, not everyone thinks of risk in a purely
negative light. In the world of finance, risk is not a
subcomponent of uncertainty — it is uncertainty. Financial
analysts see risk as the potential that the future
price of an asset will be different than expected. Price
volatility, measured statistically, provides an indication
of risk. In the financial analyst's world, risk includes the
potential for both positive and negative outcomes, not
just the possibility the price will go down. This is where
the notion of a trade-off between risk and return comes
from. To earn large returns in a short amount of time,
the investor is required to take large risks. Of course,
the risk pendulum swings both ways.
Simply put, financial analysts measure total risk as
a combination of two components — systematic risk
and unsystematic risk. Systematic risk is the risk shared
by all firms in a given industry. Think of systematic risk
as the risk associated with the business environment.
For example, all banks share the same environmental
risk component: All are subject to the ups and downs
of the financial services industry. Unsystematic risk is
the risk associated with any individual firm. Each individual
bank has risk factors that differentiate it from
its competitors. This individual risk is the unsystematic
risk component.
This two-part concept of risk has validity beyond
finance. For example, the Bering Sea is an environment
in which all vessels are subject to a baseline risk
level. This level of risk
represents a risk floor that
cannot be lowered. Unsystematic
risk is associated
with any individual
vessel that ventures out
into the environment.
For instance, if the crew
has access to and utilizes
safety equipment, conducts rescue drills, and the ship
is in good repair, it will have a lower level of unsystematic
risk when compared with other vessels. Other
variables, such as size and age, also gauge the unsystematic risk of any individual vessel. The
key distinction is that individuals in any
environment have a degree of control over
their unsystematic risk (their choices and
actions). However, they can do nothing to
lower the systematic risk floor of the Bering
Sea itself. Both types of risk combine to
equal the total risk to which any individual
is subject.
Human Behavior: The Main Cause
of Risk?
Human behavior is often the focus of an incident
investigation. What did someone do (or
not do) that contributed to the outcome of
the event? Many solution recommendations
attempt to control human behavior in one
manner or another. Recommendations such
as writing better procedures, sending people
to additional training, and implementing
best work practices abound. These are good
starting points, but more can be done. These
solutions address only the unsystematic risk
components of an event, not the systematic
environmental risk. Why not focus on dropping
the systematic risk floor to a lower level?
Doing so would subject all individuals to a
lower level of risk, regardless of individual
behaviors.
The primary reason this does not happen
more often is that decision makers often lack
the information required to identify systematic
risks, or the information is presented
in such a way that it is not consistent with a
strategy to reduce risk yet still provide an acceptable
return on investment.
Using Root Cause Analysis
to Minimize Risk
A comprehensive root cause analysis (RCA)
program can help organizations better understand
and mitigate risks of human behavior.
In order to reveal systematic risk
elements effectively, RCA must go beyond
the traditional Five Whys method (which
is overly simplistic) or Fishbone method
(which is confusing and inconsistently applied).
The purpose of this article is not to
illustrate the downside to these widely used
methods, but to explain elements of more
advanced alternatives that, if employed effectively,
will provide greater visibility into
systematic risks. This, in turn, will present
decision makers with a more complete set of
options when choosing a course of corrective
action.
More advanced RCA methodologies
have specific differences but generally include
a variation of the following steps.
Please keep in mind that each proprietary
root cause analysis method uses unique terminology.
Problem Definition
The first step in any thorough analysis is to
define the problem. It cannot be assumed
that each team member understands the
problem in the same way. In fact, the best
teams are well diversified. This virtually
guarantees initial disagreement on the exact
nature of the problem. However, effective
RCA methods manage this diversity by
choosing a starting point which all members
can get behind. Once the problem is determined,
additional information — such as
time, date, location, and significance — are
documented.
It is a good idea to do a risk assessment
during the problem definition step. What is
the risk this problem could have been worse
or will recur? The process of assessing risk
can be formal or informal. Regardless, it will
be important later in the analysis when deciding
which solutions to recommend.
Causal Analysis
Once the problem is defined, the causes of
the problem need to be identified. There are
multiple proprietary methods for accomplishing
this task. The primary difference is
whether the methodology utilizes a variation
of a modified logic diagram or cause
categories. Regardless of method, causes
should be supported with evidence. Evidence
minimizes the influence of conjecture
and provides decision makers with confi-
dence in the report's findings.
The methods that account for both action-
type causes (such as "operator opened
valve") and conditional causes (such as "system
under pressure") will most effectively
compare to the financial risk model presented
above. These types of methods help
illuminate risk because the action causes are
more uncertain than the conditional causes.
Actions are usually momentary and generally
involve people. The risk associated
with conditions is often lower because these causes are highly predictable and generally
stable over time.
Identify/Implement Solutions
Effective solutions are effective only because
they control one or more causes of the event.
Because both actions and conditions are
required in order to create an effect, removing
either or both reduces the risk of recurrence.
The best solution recommendations
mimic the diversification strategy of a wellbalanced
portfolio. They control multiple
causes, which helps to reduce the risk of
recurrence.
How Does the Human Element Affect Risk?
Returning to the earlier discussion on systematic
and unsystematic risks, let's now
look at behaviors as variables in the causal
equation. Recall that actions and conditions
come together to create effects. Conditions
generally represent the systematic risk in any
environment. Actions, particularly when associated
by human behavior, represent the
unsystematic risk. Total risk is the combination
of each.
The work environment can be controlled,
and it can be done much more easily
than changing a worker's decision-making
processes. This does not mean that awareness
campaigns, training, and even occasional
discipline should not be a part of any
solution strategy. But risk can be controlled
more effectively by controlling the systematic
constants (conditional causes), not the
unsystematic variables (action causes).
Editor's Note: The concepts in this article were discussed
by safety professionals in a panel discussion
at the 2008 NSC Congress and Expo moderated
by Brian Hughes, who is vice president
of Apollo Associated Services, a Midland,
Mich.-based provider of root cause analysis
consulting, training, and soft ware. Co-author
Jimmy Marullo is director of instructor certifi
cation and public services for Apollo Associated
Services. As a Licensed Master of Social
Work concentrating on clinical studies, he has
a keen understanding of human behavior as
it applies to problem solving. He works with
leaders in industries such as power generation,
manufacturing, construction, mining,
and health care. Hughes has led significant
safety-related incident investigations, including
those related to major explosions,
chemical releases, consumer product contamination,
and supply chain processes, and
has helped clients achieve savings in excess of
$100 million as well as significant improvements
in safety, reliability, and quality. For
more information, visit www.apollorca.com or contact Hughes at bhughes@apollorca.
com or 206-331-2569.
This article originally appeared in the October 2009 issue of Occupational Health & Safety.