Articles & Blogs

Risk is a permanent feature of our lives—and industrial companies are no exception. Today’s organizations face a variety of challenges, from human error to cyberattacks and natural disasters. Each of these threats can potentially disrupt operations, jeopardize safety and erode profitability. 

Operational Risk Management (ORM) aims to provide companies with a proactive way to identify, understand and manage risks to an operating facility before they impact safety, the environment and cost. By systematically identifying potential threats and implementing measures to minimize their impact, ORM ensures that businesses can maintain resilience and continuity even when faced with unexpected disruptions. 

The benefits of ORM extend beyond risk reduction. A comprehensive approach to industrial risk not only supports compliance requirements but also enhances operational efficiency, reduces costs and helps move companies one step closer to the much-touted "single pane of glass" paradigm that empowers their workforce to perform better. 

Understanding the ORM Layer Cake 

To understand how ORM works, let’s first describe the multiple layers of protection, both formal and informal, that protect a facility from operational risks. 

These layers form an onion, where the core is the process design itself and each layer adds protection in case the previous one failed.  

Around that core, the first layer is the control system, which is designed to maintain steady-state operations and automatically manage minor process disturbances using regulatory control loops. If these loops fail, operators serve as the next line of defense, guided by alarms and a properly designed HMI to identify and address abnormal situations. However, alarm overload or poorly designed interfaces can hinder their ability to respond effectively. 

If a situation escalates beyond control, there will typically be a safety system, which is designed to safely shut down the process. Any malfunction in this system poses significant risk. Effective operational risk management requires all these layers to function cohesively, with disturbances contained as close to the control system layer as possible. Monitoring performance and driving improvement to these layers ensures the integrity of the entire system. 

Why Industrial Risks Are Such a Difficult Beast to Tame 

Over the years, companies have invested tremendous sums of money, time and resources to implement effective layers of protection to mitigate operational risk. However, minor incidents and major accidents still occur daily.  

Major accidents are, of course, only the visible part of the iceberg. Industry organizations often represent the severity of incidents as a pyramid, with the most serious Tier 1 incidents—the ones that make headlines—at the top and the least severe Tier 4 incidents at the base. For every Tier 1 incident reported, there are numerous Tier 2 incidents, even more Tier 3 incidents and countless Tier 4 events that have already occurred. 

Addressing and reducing the frequency of lower-tier incidents can significantly lower the likelihood of severe, high-tier events. But it is easier said than done: Managing operational risk remains a complex undertaking, and most incidents have multiple causes, such as human error, delayed maintenance or equipment being operated outside its designed parameters. In addition, when trying to understand these causes, industrial facilities often struggle with siloed data and outdated tools from multiple vendors.  

The difficulties in accessing the right data mean that risk is often analyzed in the micro, using lagging indicators, historical trends and past events instead of real-time data. To improve their risk profile, companies need to shift toward leading indicators to identify potential risks before they escalate. For instance, monitoring metrics like the frequency of operating limit breaches or the performance of control loops provides actionable insights into emerging issues, allowing companies to take preventive measures. 

The Limits of Human Attention 

Lastly, human factors also exacerbate these challenges. Workforce trends show that typical workers stay in their roles for less than three years, while experienced operators who rely on intuitive skills like detecting unusual vibrations or sounds are retiring. 

In addition, operators find themselves at the receiving end of technology challenges, being overloaded with unactionable and noisy information. 

This includes floods of alarms, the need for frequent control loop adjustments and nuisance alarms, all of which increase the likelihood of human error. Operator overload is a common issue among companies beginning their Operations Risk Management journey. 

For example, one major oil and gas operator faced alarm floods with console operators expected to manage up to 4,000 alarm events per hour during peak conditions—an unmanageable volume that severely heightened the risk of safety incidents. To address this, we introduced technology to identify and reduce nuisance alarms and facilitated alarm rationalization workshops. These workshops helped implement best practices, such as properly prioritizing alarms, journaling informational alerts and clearly documenting expected operator responses. As a result, alarm rates were reduced from peaks of 4,000 per hour to an industry-standard average of three per hour. 

Two Keys to ORM Success: Aiming for Impact and Encompassing Human Factors 

This example demonstrates that while these challenges are significant, solutions exist, with the required diligence, collaboration and a commitment to implementing effective practices. 

And it doesn’t have to be a big bang, or an all-or-nothing approach. Companies can begin with small, targeted steps, such as benchmarking alarm performance or evaluating the most critical areas of their operations. By focusing on high-priority risks and gradually integrating digital tools like operational risk management platforms and digital twins, organizations can transform their approach to risk. 

These technologies automate data collection and analysis, ensuring that teams have the information they need to respond to challenges proactively rather than reactively. 

And while technology can help, human factors shouldn't be overlooked. Operational Risk Management is not just a technical challenge but also a cultural one. It requires processes to ensure proper knowledge retention and smooth communication. Operators and technicians must not only have access to up-to-date procedures and information, but also be able to work collaboratively on inspections, services or maintenance tasks. They must also have the skills needed at a time when many of the most experienced workers are retiring. If industrial risk management is best understood as a layer cake, it only makes sense that the solution is to act at multiple levels—and none of them, unfortunately, is as easy as pie.