Over the past ten years the public has become all too familiar with events where companies either failed to anticipate, or didn’t properly manage, enterprise risk. Companies in industries as diverse as oil and gas (Macondo), banking (Wells Fargo), automotive (Volkswagen), technology (Facebook), and tourism (Duck Boats) have experienced very public failures to identify and manage risk. The reputational ramifications that result from these failures have included, in some cases, investor pressure or stock price constriction. In the case of Macondo, an investigation revealed the highly embarrassing fact that BP leaders were present on the Deepwater Horizon rig on the day of the oil spill as part of a safety celebration related to conventional injury and accident metrics. As health and safety practitioners, it is critical for our profession to understand these failures of enterprise risk management as well as traditional accident metrics. This knowledge allows us to implement tools and processes to identify and manage risk with the goal of mitigating adverse outcomes for our employees, companies, and investors.

UPSIDE AND DOWNSIDE
Risk is the likelihood (or probability) of an event multiplied by the consequences associated with that event. In its pure form, the term “risk” embodies both potential upsides and downsides associated with future events. Risk appetite often determines whether a person perceives the benefits of a risk as greater or lesser than its potential downsides. Health and safety professionals tend to focus on the potential downside of risk and need to be mindful, particularly when speaking to an audience of people from diverse backgrounds, that not everyone perceives risk-taking in the same way, or as inherently negative. In fact, one of health and safety professionals’ favorite approaches to hazard control is requiring the use of extensive checklists that assess the extent to which controls are in place for every imaginable hazard. This approach can overwhelm the user of the checklist and create the impression that every hazard has equal consequence and requires equal attention. A more nuanced view that accounts for consequence can help the user understand the hazard and apply a hierarchy-of-controls approach. In the industrial and field settings where many IHs work, this approach is more likely to create the necessary awareness of hazards. 
In our experience, debating potential consequences associated with risk-taking is less fruitful than providing teams with tools that can facilitate meaningful discussions about risk. These discussions can educate and align team members on the perception of a risk and its potential impact (positive or negative) to the business. Below, we discuss several tools that teams can use to better quantify and manage risk.
Heat Mapping
Heat maps are visual representations of the relative risks or potential consequences of various tasks and operations. Figure 1 is an example of a heat map. The X axis shows the likelihood of an event, from least to most likely, and the Y axis shows the potential negative impact (absent controls), from negligible to extreme, of the outcome from that event. Tasks, operations, and hazards in a facility are mapped against these two criteria to create a graphical array of the relative risk associated with these tasks.  A heat map is easily understood by team members from various functions across the enterprise, allowing for a more holistic discussion of how resources are managed and applied to address risks. A heat map mitigates our instinct as health and safety professionals to focus on what’s directly in front of us—the easily-auditable hazards—to make sure that we pay attention to lower-probability but extremely high-consequence events that lurk beneath the surface of our operations. Heat mapping encourages a broader understanding of the importance of control processes such as preventive maintenance and pre-use inspections to ensure proper functioning of engineering controls and adherence to procedures.
RESOURCES U.S. Chemical Safety and Hazard Investigation Board: “Investigation Report Volume 3 – Drilling Rig Explosion and Fire at the Macondo Well” (
PDF
, April 2016)
Many facilities have taken the logical next step of tracking the number of concern reports, near misses, and accidents associated with the different tasks, operations, and hazards on a heat map. (In Figure 1, these numbers appear in parentheses.) We endorse this practice because it indicates where health- and safety-related issues are happening at a facility at a point in time. However, we caution organizations not to let the frequency of events define the potential consequence associated with the event. Just because an event hasn’t happened doesn’t mean it never could happen or that it won’t have significant consequences. The value of the hazard heat map is that it illuminates risks that are not easily identifiable from our auditing eyes and within our datasets. In fact, we urge leaders to focus on those relatively high-consequence, low-probability events that are not generating concerns, near misses, and accidents. These events are the invisible hazards within the routines of the operation, and we should pay more attention to controlling them. 
Strength of Defense Matrix and Scenario-Based Audits
A strength of defense matrix, or SODM, is a tool that lists different controls against hazards (see Figure 2). The SODM leverages the principles from the industrial hygiene hierarchy of controls and takes it one step further to highlight the intent behind the control. Knowing the intent is necessary to implement a scenario-based auditing technique that allows for the validation of controls in different situations.  To better understand the controls for different risks, leaders select a hazard (based on its placement on a heat map) and develop an SODM for that hazard, grounded in the specifics of site operations. Properly written regulatory requirements and companies’ EHS management system expectations are exactly the controls that should be put in place to manage hazards. In an ideal world, the EHS community would abandon our tendency for checklist authorship and embrace the notion of SODM as a far more actionable and understandable way to describe expectations for controlling hazards and risk. 
Debating potential consequences associated with risk-taking is less fruitful than providing teams with tools that can facilitate meaningful discussions about risk.
Figure 1. A heat map places various tasks, operations, and hazards on a matrix to illustrate their relative frequency and potential consequences. The numbers in parentheses indicate the frequency of concern reports, near misses, and accidents associated with a given task, operation, or hazard.
Tap on the figure to open a larger version in your browser.
Figure 3: Basic design of a bow tie analysis. 
Tap on the figure to open a larger version in your browser.
The SODM is validated through an audit process known as a “scenario-based audit” or SBA. A cross- functional team is created to conduct the SBA, and a specific hazard is selected from the hazard heat map for the scope of the audit. Critical to a successful audit is participation by both outside auditors and people who are intimately familiar with the operation. “Auditees” we’ve worked with have told us that the SBA process feels more like an action workout in the style of lean manufacturing than a traditional (checklist-driven) audit. The team designs a scenario that causes the hazard (selected from the hazard heat map) to be “released”—that is, for the hazard to result in the negative consequence for which it was placed on the hazard heat map. The hazard and the scenario should be of interest to both the team and the company leaders responsible for resources that might be needed to address any gaps identified during the SBA. In our experience, this technique works best when the hazard and event are physical in nature. The SBA process is difficult to execute with general hazards (generic noncompliance, for example) and unspecific events (such as untrained employees). The scenario should be detailed, practical, and realistic enough that it could occur during facility operations. We have also learned that team composition and size are critical. The team should include experts in the processes that give rise to the hazard as well as outsiders who are unfamiliar with the processes but have highly evolved skills in facilitation and auditing. This combination creates the most valuable discussions around the risk management elements that are intended to be validated as part of the SBA. The team can use specially designed software, flip charts, sticky notes, or a white board to map the threats that could induce the hazard and event in question. During this process, the team should assume that no defenses are in place. For example, a leak of flammable hydrocarbons from a tank could be caused by filling the tank past capacity, corroded piping, high temperature, or an external event such as a forklift running into the tank. For each threat, the team brainstorms to identify which barriers should be in place to prevent the threat from causing the scenario in question. For example, the barrier against corroded piping may be a specification that requires the use of corrosion-resistant piping in all equipment installations.  The result of this process is a map that includes threats, consequences, and barriers (or controls) designed to prevent the hazard or mitigate its consequences. As seen in Figure 3, the completed array resembles a bow tie. (Proprietary “bow tie” software is available that can create these graphics.)
Figure 2. A strength of defense matrix highlights the intent of control measures. Green text indicates a validated barrier or control, red indicates a failed control, and blue indicates a new or proposed control.
Tap on the figure to open a larger version in your browser.
The SBA tests the extent to which the systems and processes in the operation prevent threats and consequences. The team creates inspection checklists, questions for interviews with process experts and employees, and lists of materials and conditions to observe, and evaluates the extent to which these barriers are in place. Figure 2 expresses the results of an SODM audit through colored fonts: missing or broken defenses are in red, active defenses are in green, and defenses suggested by the audit team are in blue. This audited, color-coded SODM visually displays the extent of controls that exist around the hazard and can take the place of a lengthy written audit report. In our experience, operational leaders have shown a strong affinity for audit results presented through SODMs and SBAs instead of lists of required actions. It is critical to assign responsibility for addressing any issues identified and tracking these issues to closure. 
ASSIGNING RESPONSIBILITY
The concepts and tools discussed in this article can be used at various levels in an enterprise and across departments. Though we most commonly use them at a plant level, we have also leveraged these tools for specific departments, tasks, and scenarios. We have also created higher-level enterprise risk maps that show accumulated hazards across multiple plants. These higher-level risk maps encourage conversations that gravitate from the traditional focus on EHS hazards to encompass the entire business, which is exactly the kind of C-suite conversations you want business leaders engaging in to understand the risks and opportunities of the enterprise.  Other industries use similar approaches to pinpoint risk areas. One example is the “stress tests” required by banking regulations after the 2009 financial crisis. These tests, regularly conducted on financial systems and reported in filings of the U.S. Securities and Exchange Commission, use similar approaches to a bow tie analysis to define threats and recoveries in specific scenarios. Applied more broadly, these risk management tools can be used to identify and shores up weaknesses in overall corporate governance processes. With the right combination of subject-matter experts alongside others who understand audit and root-cause investigation techniques, these tools can reveal previously unidentified gaps and make an organization better able to prevent and recover from high-hazard events.  The next step is to establish clear lines of accountability in an organization. This is accomplished by assigning monitoring and oversight responsibility to specific functions or individuals for each barrier for enterprise-level hazards. For physical hazards, sensors or monitors can result in a digital dashboard that depicts the degree to which an organization is protected against a potentially catastrophic hazard. Advances in technology, machine learning, and artificial intelligence will afford us the opportunity to optimize risk management based on real-time monitoring of barriers, domain expertise, and trends, instead of simply reacting based on events. These tools offer an opportunity to move our profession forward by encouraging the use of resources to address both traditional threats to health and safety as well as potentially catastrophic enterprise risks.  
JEANNE FALLON-CARINE, CIH,
is global HSE director, Measurement & Controls, Baker Hughes, a GE Company.
GRETCHEN N. HANCOCK
is senior director, Corporate EH&S – CSR, Stanley, Black & Decker, Inc.
Acknowledgment: The authors thank Vincent Giordano for his encouragement and advice on the topic of risk. Send feedback to The Synergist.
Coming Soon: Enterprise Risk Management Body of Knowledge
An AIHA body of knowledge, or BoK, on enterprise risk management is under review and expected to be published soon to the AIHA website. A BoK outlines the knowledge and skills a competent person should possess in a specific topic. More information about BoKs is available at
AIHA.org
.
Tools for Enterprise Risk Management
BY JEANNE FALLON-CARINE AND GRETCHEN N. HANCOCK
Revealing 
Hidden Risks