A Three Part Series By Thomas Helmer, Senior Director, CS&A International Risk And Crisis Management
Welcome to my three part series on Emergency Management! Over the next couple of months I will be posting short blogs covering current best practices in emergency management:
Part One – PREVENTING AND PREPARING FOR EMERGENCIES
Part Two – MANAGING EMERGENCIES
Part Three – LEARNING FROM EMERGENCIES
Keeping in mind that different business sectors may require different response types, the overarching priority of any emergency response is to manage the People aspects first, then the impact on the Environment, followed by protecting Assets and last but not least, protecting Reputation. Often referred to as the P-E-A-R model, this is a good place to start.
Part One
PREVENTING AND PREPARING FOR EMERGENCIES
When tasked with setting up an emergency management system for your company, the following steps will ensure that you have used a proven best-practice methodology and can implement it effectively.
1. Identifying Hazards and Effects
A hazard can be described as a threat posing situation. This thread can be to life, health, assets, or the environment. Most hazards are dormant or potential, with only a theoretical risk of harm; however, once a hazard materialises, it can easily create an emergency situation. A hazardous situation that has come to pass is called an incident. Hazard and possibility interact together to create risk.
Hazards must be controlled effectively to reduce the risk of creating adverse effects. Therefore, each organisation needs to identify its hazards and effects. The process, called the Hazards and Effects Management Process (HEMP), was pioneered in the Oil and Gas sector, but is equally relevant to other industries and is the first step to determine the potential exposure a company must be prepared for.
Together with a multi-disciplinary team, start the process by listing all the potential hazards imaginable and then sort them in logical categories. For example –
Pressurised Gases and Liquids
Chemical substance (storage, handling, use)
Dynamic Situations (e.g. Trucks, Cranes, Rotating Equipment)
Differences in Height (e.g. working at height, objects overhead, slopes)
Ergonomic (e.g. workspace, human machine interface)
Biological (e.g. animals, insects, plants, bacteria)
Security (e.g. civil unrest, terrorism, crime)
Natural Environment (e.g. weather, flooding, earthquakes)
Environmental Aspects (e.g. use of water, discharges, emissions)
Etc.
Consider the hazards that have lead to incidents in the past in your company, but also in similar industries. Once the list is more or less complete, begin to identify where these hazards are in the organisation’s operations, sites and facilities, make an inventory and describe what the effect(s) could be if control is lost.
Then list the current controls for each of the identified hazards and rate their effectiveness.
Results from this process must be documented in a Hazard and Effects Register and reviewed and updated annually. Best practice advocates that this Hazard and Effect Register should be externally audited every two years as a minimum.
TYPICAL ORGANISATIONAL PITFALLS
The organisation has not developed or is not aware of the existence of a Hazard and Effects Register.
The Hazard and Effects Register is out of date, incomplete, or not accessible.
2. Determining and Mitigating Risk
Each organisation must consider the risks they need to manage. Typically a Company Risk Register is used and updated monthly as part of financial controls.
Many companies choose to use a structured risk matrix to plot the severity of impact and likelihood of occurrence and to rate risks (low, medium, high, critical) and prioritise mitigation plans accordingly. ISO 31000:2009 guidelines that were developed for the Oil and Gas Industry can serve as a good starting point if nothing is in place yet.
When managing major risks affecting People, Environment and Assets, the high-level business risk management process (documented in the Company Risk register) is often insufficient to cover further associated risks. A deeper and more detailed risk assessment process is warranted for this purpose. Often structured to follow business functions or departments such as HSE (Health, Safety and Environment), Security and Reputation among others, these detailed risk registers are designed to catalogue specific risks with assigned owners and controls and where needed corresponding mitigating actions.
For both the high level Company Risk Register and the detailed risk registers, the following applies:
Each risk must have a designated owner who shall be held accountable to manage that risk.
Each identified barrier must have a designated owner who shall be held accountable to verify the effectiveness of the barrier at least annually.
Each identified improvement opportunity must have a designated owner who shall be held accountable to scope the improvement.
Opportunities must be ranked/prioritised annually.
A sufficient number of opportunities must be selected for execution in the yearly business plan.
The management team, acting as company risk committee, must review the high level risk register at least quarterly and consider whether priorities need to be changed.
Following this systematic methodology to identify risk enables your organisation to mitigate the risks to As Low As Reasonably Practicable (the ALARP principle) and also to develop the kind of response organisation and capability required in the unlikely event of a significant emergency occurring.
Results from this process must be documented in a Corporate/Site-specific Risk Register and updated annually which typically should be audited at least every two years by third party.
TYPICAL ORGANISATIONAL PITFALLS
Risk registers are created by people with too little experience in what can go wrong.
The organisation has not developed or is not aware of the existence of the Corporate/Site-specific Risk Register.
Detailed Risk Registers are out-of-date, incomplete, and/or not accessible.
Risk review meetings are not held and/or not treated seriously.
Mitigation plans are not executed.
3. Developing the Emergency Response Organisation, Procedures and Practice
Following is a step-by-step approach to developing a robust Emergency Response Organisation:
Define how the response organisation should be structured to manage the listed potential emergencies that could occur.
Define what skills-sets are needed in what location.
Nominate staff to be members of your Emergency Response Team. Ensure back-ups are also designated.
Train the teams and practice regularly (minimum twice a year)
Identify which external resources need to be mobilised and/or informed.
Develop mutual aid contracts with other companies/agencies in areas where your own organisation lacks the capability to respond effectively. E.g. call centres, Oil Spill Response, Fire Fighting, rescue and evacuation, medical and psychological support.
List all stakeholders involved that could be involved, collect their contact details and keep them up-to-date.
Results from this process must be documented in an Emergency Management Manual that must be updated annually. Most companies audit the results from the above process at least every two years.
TYPICAL ORGANISATIONAL PITFALLS
Documents are out of date, incomplete, and/or not accessible.
Staff nominated for Emergency Response duties are not trained
Emergency drills and exercises are not conducted and/or do not develop skills of the nominated staff.
Insufficient resources are nominated to provide 24/7 cover if needed.
With the above guidelines, you are equipped to spearhead and monitor the development of an effective risk management and emergency prevention system for your organisation. For additional support or questions, please contact Thomas Helmer at thomas.helmer@csa-crisis.com.
Thomas Helmer is Senior Director with CS&A International Risk, crisis and Business Continuity Management, a specialist firm working globally with multi-national clients across industry sectors. Prior to CS&A, Thomas had a long and distinguished career in the oil and gas industry with particular expertise in HSE and extensive experience as an emergency coordinator.
REFERENCES:
– ISO 31000:2009, Risk management – Principles and guidelines, provides principles, framework and a process for managing risk. It can be used by any organization regardless of its size, activity or sector. Using ISO 31000 can help organizations increase the likelihood of achieving objectives, improve the identification of opportunities and threats and effectively allocate and use resources for risk treatment.
– ISO 17776:2000, Petroleum and natural gas industries — Offshore production installations — Guidelines on tools and techniques for hazard identification and risk assessment.