Analysing High-Potential Incidents to Strengthen Critical Risk Programme

What did I do?

Approximately five years ago, I lead a project to develop and roll-out a Critical Risk Programme. Initially, I took a BowTieXP case-file for relevant risks from our Australian business, and translated the language and structure for the NZ context.

I worked with subject matter experts from our operational teams, and we agreed on the highest priority Critical Risk scenarios (based on exposure/ relevance), and defined some Critical Controls for each risk scenario. Our managers and supervisors then verified the implementation and effectiveness of these Critical Controls using an infield survey tool – with results displayed in a dashboard.

Two years ago, I started reviewing our reported High-Potential (Hi-Po) events. First I considered whether each event was related to an existing Critical Risk which most were, but not all. I then reviewed the investigations (usually ICAM) with particular focus on the Critical Control performance outcomes - I had added a section to the ICAM template to capture the information I was looking for. Specifically I looked at whether the relevant Critical Control(s) had been implemented and if so, and the event still occurred, I considered what had failed. I report my findings monthly, and then work with the operational teams to make improvements to the Programme based on findings.

Over the last two years, this has led to:

• the introduction of a new Critical Risk scenario to plug a gap in our profile, and
• adding five new Critical Controls to be implemented and verified for existing Critical Risk scenarios.

Reflection – what did I learn?

The initial introduction of the Critical Risk programme was a major change for the organisation, and so we decided to start with a limited number of risks and a relatively small number of controls. The focus was on introducing the tools and concepts of Critical Risk Management, and we deliberately kept the scope small to manage the change impact. The plan was always to introduce more Critical Risks over time, as the impact of adding them later is lower after the key concepts are embedded.

The initial Critical Controls were defined in a workshop, based on a BowTie risk assessment. By also using analysis of actual Hi-Po events, I am able to define the Critical Controls based on empirical evidence of where things typically go wrong, rather than hypothetical scenarios in a workshop.

The other aspect that worked well was continuing to engage with the operational teams on the proposed changes. I did not want to be too reactive in adding new Critical Risks and Controls, and so I was watching for trends and multiple similar events. We are a very diverse business and so the definitions have to be relevant and appropriate in a wide range of situations. I’m reliant on:

• honest reporting of Hi-Po events by the operational business, and
• constructive participation and feedback on the proposed changes.

I have found that the more you involve the operational teams, the more they are willing to contribute.

A bonus for this programme has been an improvement in the quality of our investigation reports. In addition to looking at Critical Risk performance, I am checking that senior managers are reviewing and signing off the reports as part of the their governance duty. Now that the reports are getting additional attention, more effort is made in completing them.

How will this impact future practice?

This has been an effective way to launch an entirely new programme, and I would repeat the approach next time. It has also demonstrated the importance and benefits of working collaboratively with a wide range of representatives from across the business.