Many facilities have taken the logical next step of tracking the number of concern reports, near misses, and accidents associated with the different tasks, operations, and hazards on a heat map. (In Figure 1, these numbers appear in parentheses.) We endorse this practice because it indicates where health- and safety-related issues are happening at a facility at a point in time. However, we caution organizations not to let the frequency of events define the potential consequence associated with the event. Just because an event hasn’t happened doesn’t mean it never could happen or that it won’t have significant consequences. The value of the hazard heat map is that it illuminates risks that are not easily identifiable from our auditing eyes and within our datasets. In fact, we urge leaders to focus on those relatively high-consequence, low-probability events that are not generating concerns, near misses, and accidents. These events are the invisible hazards within the routines of the operation, and we should pay more attention to controlling them.  A strength of defense matrix, or SODM, is a tool that lists different controls against hazards (see Figure 2). The SODM leverages the principles from the industrial hygiene hierarchy of controls and takes it one step further to highlight the intent behind the control. Knowing the intent is necessary to implement a scenario-based auditing technique that allows for the validation of controls in different situations.  To better understand the controls for different risks, leaders select a hazard (based on its placement on a heat map) and develop an SODM for that hazard, grounded in the specifics of site operations. Properly written regulatory requirements and companies’ EHS management system expectations are exactly the controls that should be put in place to manage hazards. In an ideal world, the EHS community would abandon our tendency for checklist authorship and embrace the notion of SODM as a far more actionable and understandable way to describe expectations for controlling hazards and risk. 

The SODM is validated through an audit process known as a “scenario-based audit” or SBA. A cross- functional team is created to conduct the SBA, and a specific hazard is selected from the hazard heat map for the scope of the audit. Critical to a successful audit is participation by both outside auditors and people who are intimately familiar with the operation. “Auditees” we’ve worked with have told us that the SBA process feels more like an action workout in the style of lean manufacturing than a traditional (checklist-driven) audit. The team designs a scenario that causes the hazard (selected from the hazard heat map) to be “released”—that is, for the hazard to result in the negative consequence for which it was placed on the hazard heat map. The hazard and the scenario should be of interest to both the team and the company leaders responsible for resources that might be needed to address any gaps identified during the SBA. In our experience, this technique works best when the hazard and event are physical in nature. The SBA process is difficult to execute with general hazards (generic noncompliance, for example) and unspecific events (such as untrained employees). The scenario should be detailed, practical, and realistic enough that it could occur during facility operations. We have also learned that team composition and size are critical. The team should include experts in the processes that give rise to the hazard as well as outsiders who are unfamiliar with the processes but have highly evolved skills in facilitation and auditing. This combination creates the most valuable discussions around the risk management elements that are intended to be validated as part of the SBA. The team can use specially designed software, flip charts, sticky notes, or a white board to map the threats that could induce the hazard and event in question. During this process, the team should assume that no defenses are in place. For example, a leak of flammable hydrocarbons from a tank could be caused by filling the tank past capacity, corroded piping, high temperature, or an external event such as a forklift running into the tank. For each threat, the team brainstorms to identify which barriers should be in place to prevent the threat from causing the scenario in question. For example, the barrier against corroded piping may be a specification that requires the use of corrosion-resistant piping in all equipment installations.  The result of this process is a map that includes threats, consequences, and barriers (or controls) designed to prevent the hazard or mitigate its consequences. As seen in Figure 3, the completed array resembles a bow tie. (Proprietary “bow tie” software is available that can create these graphics.)

The SBA tests the extent to which the systems and processes in the operation prevent threats and consequences. The team creates inspection checklists, questions for interviews with process experts and employees, and lists of materials and conditions to observe, and evaluates the extent to which these barriers are in place. Figure 2 expresses the results of an SODM audit through colored fonts: missing or broken defenses are in red, active defenses are in green, and defenses suggested by the audit team are in blue. This audited, color-coded SODM visually displays the extent of controls that exist around the hazard and can take the place of a lengthy written audit report. In our experience, operational leaders have shown a strong affinity for audit results presented through SODMs and SBAs instead of lists of required actions. It is critical to assign responsibility for addressing any issues identified and tracking these issues to closure.  The concepts and tools discussed in this article can be used at various levels in an enterprise and across departments. Though we most commonly use them at a plant level, we have also leveraged these tools for specific departments, tasks, and scenarios. We have also created higher-level enterprise risk maps that show accumulated hazards across multiple plants. These higher-level risk maps encourage conversations that gravitate from the traditional focus on EHS hazards to encompass the entire business, which is exactly the kind of C-suite conversations you want business leaders engaging in to understand the risks and opportunities of the enterprise.  Other industries use similar approaches to pinpoint risk areas. One example is the “stress tests” required by banking regulations after the 2009 financial crisis. These tests, regularly conducted on financial systems and reported in filings of the U.S. Securities and Exchange Commission, use similar approaches to a bow tie analysis to define threats and recoveries in specific scenarios. Applied more broadly, these risk management tools can be used to identify and shores up weaknesses in overall corporate governance processes. With the right combination of subject-matter experts alongside others who understand audit and root-cause investigation techniques, these tools can reveal previously unidentified gaps and make an organization better able to prevent and recover from high-hazard events.  The next step is to establish clear lines of accountability in an organization. This is accomplished by assigning monitoring and oversight responsibility to specific functions or individuals for each barrier for enterprise-level hazards. For physical hazards, sensors or monitors can result in a digital dashboard that depicts the degree to which an organization is protected against a potentially catastrophic hazard. Advances in technology, machine learning, and artificial intelligence will afford us the opportunity to optimize risk management based on real-time monitoring of barriers, domain expertise, and trends, instead of simply reacting based on events. These tools offer an opportunity to move our profession forward by encouraging the use of resources to address both traditional threats to health and safety as well as potentially catastrophic enterprise risks.   Acknowledgment: The authors thank Vincent Giordano for his encouragement and advice on the topic of risk. Send feedback to The Synergist.