Resilience as a means to analyze business processes on the structure of vulnerability
Gifun, J.
DOI: 10.6100/IR675415
Published: 01/01/2010
Document Version: Publisher’s PDF, also known as Version of Record (includes final page, issue and volume numbers)

Citation for published version (APA):
Gifun, J. (2010). Resilience as a means to analyze business processes on the structure of vulnerability. Eindhoven: Technische Universiteit Eindhoven. DOI: 10.6100/IR675415

Resilience as a Means to Analyze Business Processes on the Structure of Vulnerability

DISSERTATION

to obtain the degree of doctor at the Technische Universiteit Eindhoven, on the authority of the rector magnificus, prof.dr.ir. C.J. van Duijn, to be defended in public before a committee appointed by the College voor Promoties on Wednesday 30 June 2010 at 16.00 by

Joseph Frederick Gifun

born in Chelsea, United States of America

This dissertation has been approved by the promotors: prof.dr.ir. A.C. Brombacher and prof.dr. D.M. Karydas

Copromotor: dr.ir. J.L. Rouvroye

Copyright © 2010 by Joseph F. Gifun

All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical, photocopying, recording, or otherwise, without prior written permission of the copyright owner.

A catalogue record is available from the Eindhoven University of Technology Library
ISBN: 978-90-386-2268-2
Printed by: University Printing Office, Eindhoven
Cover design by: Paul Verspaget

Acknowledgements

So many people have contributed to this body of work that I harbor the fear that I might miss thanking everyone. If the reader finds that my fear is founded in truth I apologize, the failure is mine alone to bear.

I am humbled and eternally grateful to Jane, my wife, for enduring much during the past few years and for doing so with love, considerable poise, understanding, and a resolute positive attitude.

I am indebted to the members of my dissertation committee; Professor Dimitrios Karydas for sharing his knowledge in many things, his dedication to my doctoral learning and research experience, his faith in my ability, but most of all his friendship; Professor Aarnout Brombacher for his direct and kind critique of my work and his steadfast support during the entire process; Dr.
Jan Rouvroye for his attention to detail, his knowledge of and ability to navigate confusing and complex processes, and for his language translation assistance; Professor George Apostolakis for demonstrating his confidence in me by granting me the opportunity to participate in his graduate students’ research and to engage his students in mine, their tough questions caused me to think much harder and learn more; and Professor Jan de Jonge and Professor Hans Pasman for their thought provoking questions and detailed comments on this dissertation.

I send many thanks to the anonymous workshop participants for their generosity and candor. Your participation made all the difference.

Thank you, thank you, thank you to Aunt Mary for her generosity, encouragement, and whose remedy for writer’s block, setbacks, and frustration is a batch of freshly baked hermits. During the years of work behind this dissertation I ate many.

It is my pleasure to thank Vicky Sirianni, an extraordinary person and leader who has helped so many people see the untapped possibilities they had within. I am honored that she took the time to convince me that there were a few within me too.

My gratitude extends to the MIT DRU project team, Bill VanSchalkwyk, Susan Leite, Dave Barber, Bill McShea, and Jerry Isaacson with special thanks to Hua Li a great thinking partner from whom I learned so much.

Thanks to Jim Wallace for his support and for sharing his personal experiences regarding balancing the daily obligations of family and work with the demands of doctoral study.

I value all that I learned about organizational leadership, process, behavior, and internal politics from Professor Jim Bruce. I am grateful to have learned by his example that a clever technical solution is incomplete if people affected by the solution have not participated in its development.

I am grateful to Dr. Barbara Ash for convincing an old buck like me that I should become a student once again.
While I expected that the younger students might benefit from my experience I did not expect that I would learn much more than I contributed.

Special thanks to Dr. Carol Zulauf whose enthusiasm in organizational learning and systems thinking is infectious. I learned that systems can be difficult to understand completely but they are knowable if one is willing to put aside preconceptions and focus on uncovering the truth.

Thank you to Dottie Winn for her unflagging support and considerable knowledge of the state and national political landscape.

I am grateful to Walt Henry for the example of excellence that he demonstrates daily and his words of encouragement.

And thanks to Dick Amster, William Elliot, Joe Pinciaro, my colleagues, my friends at Perfecto’s Caffe, and so many others for their support and at times, words of comfort.

This dissertation is dedicated to Dr. Charles “Chuck” Devoe whose words of wisdom, humor, and encouragement always came when I needed them most.

Resilience as a Means to Analyze Business Processes on the Structure of Vulnerability

Summary

The impact of global societal trends regarding product reliability provides society with great benefits and yet comes with the consequence of increased organizational vulnerability. The goal of this research was to examine these issues and develop the means for organizations to mitigate the potential negative effects of disturbances from within and external to the organization for the purpose of sustaining organizational resilience.

As a result of this research the Highly Reliable Resilient Organization (HRRO) methodology was developed to provide a consistent and customizable methodology to assess organizational vulnerability. The purpose of this methodology is to determine current and potential levels of vulnerability and to select and prioritize vulnerability elimination and mitigation initiatives and projects using pre-established monetary and non-monetary factors.
Moreover, the HRRO methodology provides the means to identify, define, and assess the prerequisite criteria of an organization that enable it to be resilient. These prerequisite criteria are the foundation for the organization’s core function; its culture, its ability to manage risk, and its governing processes, i.e. its ability to be resilient, or at the very least available to fulfill monetary and non-monetary goals and enjoy a better chance for sustained viability.

The HRRO methodology is a generalizable analytic-deliberative process that was validated by stakeholders, nine well known organizational models, a prioritization methodology that has been in use for several years, independent case studies, and an independent and widely used location risk quality benchmarking algorithm. To foster sustained use, the HRRO methodology strikes a balance between complexity and simplicity, i.e. the model is sufficiently comprehensive to reflect reality and sufficiently simple to be manageable.

The methodology used in this dissertation is based upon transformative-reflective design processes. The first step in this process was, in this case, the creation of a construct that was analyzed, validated and adapted during subsequent steps.

Preface

This dissertation is directed to organizational resilience by the assessment of the vulnerability of complex technical operational systems, the relative comparison of vulnerabilities, and the prioritization of vulnerability elimination and mitigation efforts. A practical objective of this research was to identify, analyze, and incorporate as many existing organizational models and methods as was needed. Although the models analyzed within were suitable for their intended purposes they were deficient in terms of the organizational prerequisites needed to enable resiliency. These deficiencies were the motivation for the development of the Highly Reliable Resilient Organization (HRRO) methodology.
However, two of the criteria within the HRRO methodology are rated by acquired existing methods. Because of the requirement to customize the HRRO methodology for specific organizations one may find and incorporate different and more suitable methods for other applications. The HRRO methodology was designed with the flexibility for customization.

This dissertation is presented as follows. Chapter 1 establishes the context for the research described herein by providing an example of the pervasiveness and magnitude of organizational vulnerability and the overall negative effect thereon by societal trends for reliability. This chapter also provides the reader with definitions of primary terms and concepts, a brief historic overview, and several success stories. Chapter 2 focuses on the reason organizational vulnerability is a problem and identifies and explains the sources of vulnerability including inherent vulnerabilities, the multi-domain nature of the problem of vulnerability, and the deleterious effects that can be caused by cognitive bias. The research questions answered by this dissertation are included. Chapter 3 describes the process used to accomplish the research within this dissertation. Chapter 4 describes the development of the Highly Reliable Resilient Organization (HRRO) methodology by examining existing organizational models and extracting relevant criteria. This chapter also describes the stakeholder workshop process and aspects of the HRRO methodology such as its constructed scales and survey forms. Supporting examples from results achieved by stakeholder workshops are provided wherever applicable. Chapter 5 describes the use of the HRRO methodology by way of flowcharts showing several applications of the methodology as means to assess and prioritize; including the use of benefit-to-cost concepts.
Chapter 6 is devoted to discussions validating the methodology by way of relevant literature, the author’s experiences, case studies, a comparison made using a complex and independent risk quality benchmarking algorithm, and user feedback. Chapter 7 presents the conclusion of this research by way of the answers to the research questions, commentary regarding generalizability of the HRRO methodology, and recommendations for related future research.

Appendices provide information that is necessary to this dissertation yet so voluminous that the reader could find the dissertation difficult to follow. These appendices show the results of the mapping exercise to determine the effect of societal trends on vulnerability, descriptions of organizational models used to create the HRRO methodology, workshop results, various worksheets used to develop the HRRO methodology, constructed scales, the complete set of stakeholder survey forms, stakeholder feedback, and several case studies used to support the validity of this research.

Table of contents

Acknowledgements
Summary
Preface
Table of contents
List of figures
List of tables
External publications related to the dissertation
Acronyms
Glossary
1 Context
  1.1 Trends and consequences
  1.2 Primary terms and concepts
  1.3 Targeted historic overview
  1.4 Success stories
  1.5 Chapter summary
2 Why is organizational vulnerability a problem?
  2.1 Sources of vulnerability
  2.2 Research questions
  2.3 Chapter summary
3 Research methodology
  3.1 Methodology
  3.2 Chapter summary
4 Development of the Highly Reliable Resilient Organization methodology
  4.1 Introduction
  4.2 Criteria found in existing models
  4.3 Initial workshop and stakeholder feedback
  4.4 Post initial workshop
  4.5 Second workshop
  4.6 Chapter summary
5 Application of the Highly Reliable Resilient Organization methodology
  5.1 Application of processes
  5.2 Prioritization: benefit-to-cost
  5.3 Chapter summary
6 Analysis and reflection
  6.1 Validity
  6.2 Reflection
  6.3 Chapter summary
7 Conclusions and recommendations
  7.1 Conclusions
  7.2 Recommendations for future research
References
Appendix A Mapping of vulnerabilities, General Motors, to reliability trends
Appendix B Existing models
  B.1 The High Reliability Organization
  B.2 Disaster Resistant University
  B.3 DRU at MIT
  B.4 Resilient Enterprise
  B.5 Enterprise Risk Management
  B.6 Risk-Based Process Safety
  B.7 Reactor Oversight Process
  B.8 Hearts and Minds
  B.9 Business Continuity Planning
  B.10 Rejected models
Appendix C Analysis of model decomposition and criteria themes
Appendix D Materials distributed to stakeholders to prepare for Workshop No.1
Appendix E Assessor responses and priority
Appendix F Constructed scales
Appendix G Survey forms
Appendix H Prioritizing infrastructure renewal projects in MIT Department of Facilities
  H.1 Intent
  H.2 Process design and management
  H.3 Stakeholder engagement
  H.4 Lessons learned
Appendix I Compilation of assessor feedback
Appendix J Comparison of recommendations from Baker Panel report and HRRO
Appendix K Comparison of recommendations from COT Institute for Security and Crisis Management report and HRRO
Appendix L Comparison of recommendations from Ernst and Young report and HRRO
Curriculum vitae

List of figures

Figure 1 HRRO hierarchical tree
Figure 2 Example: constructed scale for safety culture based on Hearts and Minds
Figure 3 Example: safety culture survey form based on Hearts and Minds
Figure 4 HRRO process flowchart for baseline assessment purposes
Figure 5 HRRO process flowchart for estimating effect of potential disturbance of prerequisite organizational criteria
Figure 6 HRRO process flowchart for organizational improvement prioritization purposes
Figure 7 Disturbance elimination and mitigation project prioritization process
Figure 8 Implied HRO hierarchical tree
Figure 9 Implied DRU hierarchical tree
Figure 10 DRU at MIT framework
Figure 11 ERM objectives, components, and units
Figure 12 Hierarchical tree (partially shown), Risk-based Process Safety
Figure 13 Reactor Oversight Process
Figure 14 The health, safety, and environment culture ladder
Figure 15 Hearts and Minds hierarchical tree
Figure 16 HRDRO hierarchical tree (max score = 1.00)
Figure 17 HRDRO hierarchical tree (max score = 100)
Figure 18 HRRO constructed scales
Figure 19 HRRO survey forms

List of tables

Table 1 Mapping of vulnerabilities, General Motors, to reliability trends (sample)
Table 2 Example: biased assessment of covariation
Table 3 Mapping of decision-making styles to requirements
Table 4 Mapping of decision-making models to requirements
Table 5 Analysis by model decomposition for Risk-based Process Safety
Table 6 Example of themes derived from criteria by category and application
Table 7 Summary criteria numbers by themes
Table 8 Categories and applications
Table 9 Stakeholder summary sheet – Assessor A
Table 10 Prioritized criteria improvement opportunities from second workshop (without deliberation)
Table 11 Comparison of recommendations from Baker Panel report and HRRO
Table 12 Comparison of recommendations from COT Institute for Security and Crisis Management and HRRO
Table 13 Comparison of recommendations from Ernst and Young and HRRO
Table 14 Mapping of vulnerabilities, General Motors, to reliability trends
Table 15 Impact on People
Table 16 Corrective example based on Li et al
Table 17 Performance indicator, initiating events
Table 18 High Reliability Organization, analysis of model decomposition and criteria
Table 19 Disaster Resistant University, analysis of model decomposition and criteria
Table 20 Disaster Resistant University @ MIT, analysis of model decomposition and criteria
Table 21 Resilient Enterprise, analysis of model decomposition and criteria
Table 22 Enterprise Risk Management, analysis of model decomposition and criteria
Table 23 Risk-Based Process Safety, analysis of model decomposition and criteria
Table 24 Reactor Oversight Process, analysis of model decomposition and criteria
Table 25 Hearts and Minds, analysis of model decomposition and criteria
Table 26 Business Continuity Planning, analysis of model decomposition and criteria
Table 27 Decomposition of models to extract themes
Table 28 Summary: Criteria Number by Theme
Table 29 Assessor responses and priority
Table 30 Chronology
Table 31 Compilation of stakeholder feedback
Table 32 Comparison of recommendations from Baker Panel report and HRRO
Table 33 Comparison of recommendations from COT Institute for Security and Crisis Management and HRRO
Table 34 Comparison of recommendations from Ernst and Young and HRRO

External publications related to the dissertation

The following publications refer to prior research in which the author had participated. References to these works are made in this dissertation wherever each publication specifically applies.
Moreover, as these works represent the author’s journey in the subjects of organizational vulnerability and risk-informed decision-making they are considered to be overarching influences.

Gifun, J. F., & Karydas, D. M. (2010). Organizational attributes of highly reliable complex systems. Quality and Reliability Engineering International, 26(1), 53-62.

Karydas, D. M., & Gifun, J. F. (2006). A method for the efficient prioritization of infrastructure renewal projects. Reliability Engineering & System Safety, 91(1), 84-99.

Gifun, J. F., Karydas, D. M., Brombacher, A. C., & Rouvroye, J. L. (Submitted for publication). Resilience as a means to analyze business processes on the structure of vulnerability.

Li, H., Apostolakis, G. E., Gifun, J. F., VanSchalkwyk, W., Leite, S., & Barber, D. (2009). Ranking the risks from multiple hazards in a small community. Risk Analysis, 29(3), 438-456.

Acronyms

AHP    Analytic Hierarchy Process
BCP    Business Continuity Planning
BCR    Benefit-to-cost ratio
DRU    Disaster Resistant University
ERM    Enterprise Risk Management
FEMA   Federal Emergency Management Administration
FY     Fiscal Year
H&M    Hearts and Minds
HRRO   Highly Reliable Resilient Organization
HRO    High Reliability Organization
MAUT   Multi-Attribute Utility Theory
MIT    Massachusetts Institute of Technology
RBPS   Risk-Based Process Safety
RE     Resilient Enterprise
ROP    Reactor Oversight Process

Glossary

Analytic Hierarchy Process: AHP is a method where the criteria of a decision are arranged in a hierarchy and weighted according to a 1 to 9 scale. This scale provides the means for the decision maker to assign a degree of preference of the criteria relatively by way of pairwise comparisons. The numerals 1 to 9 indicate the extremes of the scale where 1 represents equal preference and 9 represents absolute preference of one criterion to another. Numerals between 1 and 9 represent intermediate levels of preference.
The result of each pairwise comparison is placed in a square matrix and squared until the difference of normalized row sums of sequential iterations equals or closely approximates zero. Once achieved, the values in the normalized row sums represent the matrix’s eigenvector and the weight of each attribute relative to each other (Saaty, 1980).

Cognitive bias: A distorted perception of reality caused by beliefs of the likelihood of uncertain events. Occasionally such beliefs are expressed numerically as subjective probabilities and to reduce the complex tasks associated with assessing probabilities and predicting values to simpler judgmental operations, heuristics are employed. While economical in the decision-making process the reliance on heuristics can result in poor decisions when situations are overly simplified and important data is not considered (Tversky & Kahneman, 1974).

Complex system: To explain the difference between simple and complex systems, the terms interconnected or interwoven are somehow essential. Qualitatively, to understand the behavior of a complex system we must understand not only the behavior of the parts but how they act together to form the behavior of the whole. It is because we cannot describe the whole without describing each part, and because each part must be described in relation to other parts, that complex systems are difficult to understand. This is relevant to another definition of complex: not easy to understand or analyze (Bar-Yam, 1997). A system is complex if it consists of diverse agents who are connected, whose behaviors and actions are interdependent, and who adapt (Page, 2009).

Disturbance: A generic term used to denote an unintended interruption or variation in regular process or system state. Disturbance refers to the result caused by any credible agent that could upset or adversely influence the core business of an organization or actually does so.

Hazard: A generic term used to denote natural or human induced threats including but not limited to flood, earthquake, influenza, fire, and terrorism.

Impact: According to the Commission of the European Communities’ Green Paper on the European Programme for Critical Infrastructure Protection (Commission of the European Communities, 2005): Impacts are the total sum of the different effects of an incident that take into account at least the following qualitative and quantitative effects:
• Scope: The loss of a critical infrastructure element is rated by the extent of the geographic area which could be affected by its loss or unavailability - international, national, regional or local.
• Severity: The degree of the loss. Among the criteria which can be used to assess impact are:
  o Public (number of population affected, loss of life, medical illness, serious injury, evacuation);
  o Economic (effect on gross domestic product, significance of economic loss and/or degradation of products or services, interruption of transport or energy services, water or food shortages);
  o Environment (effect on the public and surrounding location);
  o Interdependency (between other critical infrastructure elements);
  o Political effects (confidence in the ability of government);
  o Psychological effects (may escalate otherwise minor events) both during and after the incident and at different spatial levels (e.g. local, regional, national and international).
• Effects of time: This criterion ascertains at what point the loss of an element could have a serious impact (i.e. immediate, 24-48 hours, one week, other).

Model: A representation of a system that allows for investigation of the properties of the system and, in some cases, prediction of future outcomes (Investorwords, n.d.).

Organization: An organization, a group of people intentionally organized to accomplish an overall common goal or set of goals, is a system of systems, an organized collection of parts that are highly integrated in order to accomplish said overall goal. Feedback among the various parts ensures that they are and remain aligned. The system has various inputs which are processed to produce certain outputs that, together, accomplish the overall goal desired by the organization. Inputs include resources, i.e. raw materials, money, technologies, and people. Outputs are 1) tangible results produced by the system’s processes, i.e. products or services for consumers and 2) benefits for consumers, e.g. jobs for workers and enhanced quality of life for customers. An organization operates according to an overall purpose or mission and culture. Organizations consist of numerous subsystems, e.g. departments, programs, projects, teams, and processes, each with its own boundaries, inputs, processes, outputs, and outcomes. The organization is defined by its legal documents (e.g. articles of incorporation and bylaws), mission, goals and strategies, policies and procedures, and operating manuals and is depicted by its organizational charts, job descriptions, and marketing materials. Furthermore, the organizational system is maintained or controlled by policies and procedures, budgets, information management systems, quality management systems, and performance review systems (McNamara, n.d.).

Reliability: The ability of a [system] to perform a required function, under given environmental and operational conditions and for a stated time (Murthy, Rausand, & Osteras, 2008).

Resilience: The ability of a system to withstand a major disruption within acceptable degradation parameters and to recover within an acceptable time and composite costs and risks (Haimes, 2009).

Stakeholder: The individuals and organizations that could benefit from a decision and the individuals and organizations that could be affected by a decision (Accorsi, Zio, & Apostolakis, 1999). The term stakeholder consists of entities that could be categorized as investors, society, customers and suppliers, employees and subcontractors, and local communities (Solvay S.A., n.d.). In this dissertation the term stakeholder is used in the generic case as well as when referring to the participants in the first workshop. Assessor is a synonymous term and is used to differentiate stakeholders who participated in the second workshop.

Technical Operational System: an organizational system that uses technology in its day-to-day activities.

Threat: The intent and capability to adversely affect (cause harm or damage to) the system by adversely changing its states (National Research Council, 1996).

Vulnerability: Vulnerability is a characteristic of a critical infrastructure’s design, implementation, or operation that renders it susceptible to destruction or incapacitation by a threat (International Risk Governance Council, 2006; President's Commission on Critical Infrastructure Protection, 1997).

Chapter 1 Context

This chapter provides the reader with a glimpse of the current state of organizational resilience and vulnerability knowledge and introduces the effect of technology trends thereon as the motivation for this research. Several terms and concepts are defined in the manner that they are used throughout this dissertation. Also several cases describing the benefit of mitigating the potential impact of risk are provided as successful examples where organizations addressed threats to resilience and vulnerability in a preemptive manner. The intent of this chapter is to provide the reader with a sense of the author’s motivation for this dissertation.
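
The glossary entry for the Analytic Hierarchy Process describes a concrete procedure: pairwise judgments on the 1 to 9 scale go into a square matrix, which is squared until the normalized row sums stop changing. The Python example below is added here to make that procedure runnable and is not part of the dissertation; the three criterion names echo the prerequisite criteria named in the Summary, and the judgment values are constructed for illustration.

```python
"""AHP weights by repeated matrix squaring (added example, not the author's code)."""


def validate_pairwise(matrix):
    """Reject matrices that are not valid AHP pairwise-comparison matrices."""
    n = len(matrix)
    if n < 2 or any(len(row) != n for row in matrix):
        raise ValueError("pairwise matrix must be square with at least 2 criteria")
    for i in range(n):
        for j in range(n):
            value = matrix[i][j]
            # Judgments live on the 1-to-9 scale or its reciprocals.
            if not (1 / 9 - 1e-9 <= value <= 9 + 1e-9):
                raise ValueError(f"entry [{i}][{j}]={value} is outside 1/9..9")
            # Preferring i to j by x implies preferring j to i by 1/x
            # (this also forces the diagonal to be 1).
            if abs(value * matrix[j][i] - 1.0) > 1e-9:
                raise ValueError(f"entries [{i}][{j}] and [{j}][{i}] are not reciprocal")


def _square(m):
    """Square the matrix, then rescale so repeated squaring cannot overflow."""
    n = len(m)
    sq = [[sum(m[i][k] * m[k][j] for k in range(n)) for j in range(n)]
          for i in range(n)]
    peak = max(max(row) for row in sq)
    # Dividing every entry by the same constant leaves normalized row sums unchanged.
    return [[x / peak for x in row] for row in sq]


def _normalized_row_sums(m):
    sums = [sum(row) for row in m]
    total = sum(sums)
    return [s / total for s in sums]


def ahp_weights(matrix, tol=1e-9, max_iter=30):
    """Return criterion weights (summing to 1) for a pairwise-comparison matrix.

    Squares the matrix until the normalized row sums of two successive
    iterations differ by less than `tol`, as the glossary entry describes.
    """
    validate_pairwise(matrix)
    current = [[float(x) for x in row] for row in matrix]
    previous = _normalized_row_sums(current)
    for _ in range(max_iter):
        current = _square(current)
        weights = _normalized_row_sums(current)
        if max(abs(w - p) for w, p in zip(weights, previous)) < tol:
            return weights
        previous = weights
    raise RuntimeError("row sums did not converge; check the judgments")


def rank_criteria(names, matrix):
    """Pair each criterion with its weight, highest weight first."""
    weights = ahp_weights(matrix)
    return sorted(zip(names, weights), key=lambda pair: pair[1], reverse=True)


# Constructed judgments for three illustrative criteria (not data from the
# dissertation): culture is moderately preferred (3) to risk management and
# strongly preferred (5) to governing processes, and so on.
CRITERIA = ["culture", "risk management", "governing processes"]
JUDGMENTS = [
    [1,     3,     5],
    [1 / 3, 1,     3],
    [1 / 5, 1 / 3, 1],
]

if __name__ == "__main__":
    for name, weight in rank_criteria(CRITERIA, JUDGMENTS):
        print(f"{name:20s} {weight:.3f}")
```

A matrix whose judgments are perfectly consistent converges on the first squaring; inconsistent judgments need a few more iterations, and a matrix that violates reciprocity is rejected before any weighting is attempted.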

1.1 Trends and consequences

Our global society is faced with four trends regarding product reliability (Brombacher, de Graef, den Ouden, Minderhoud, & Lu, 2001):

1) The increasing integration of (increasingly complex) technology in our society and the increasing expectation of users that these systems will function at all times
2) The increasing dynamics of business processes where stability (due to ever changing economic demands) and overview (due to globalization and outsourcing) are hard to establish
3) The increasing role of information and communications technology and the increasing dependence on computer systems by society
4) The increasing withdrawal of government from the social infrastructure in favor of private business. For example, non-government control of the internet.

Society has gained many benefits from technology and the inclusion of thoughts and actions from people throughout the world; however, such benefits come with consequences: increasing complexity, unpredictability, vulnerability, and the ease by which a disturbance can propagate through a system. While both trends and consequences apply to individuals and organizations this dissertation focuses on vulnerability within organizations and leaves the several combinations of trends and consequences to future research. The potential effect of these trends on organizational vulnerabilities is discussed in detail in §2.1.

1.2 Primary terms and concepts

To align the reader with the author’s intent a few definitions of terms and concepts used in this dissertation are in order. These terms are shown directly below and supplement those provided in the glossary.

• Complexity: an inherent state of an organization that is a group of diverse, interacting, interrelated, interdependent, and adaptive agents [that include components and criteria or attributes, physical and intangible, to form a unified whole] (Page, 2009).
• Unpredictability: a state of difficulty foreseeing, declaring or indicating in advance, a specific outcome on the basis of observation, experience, or scientific reason (Merriam-Webster, 2010). Organizations that do not even attempt to predict the risk of a disturbance by way of identifying and analyzing the potential for the disturbance to occur and the potential consequences that could result, and then take measures to eliminate or mitigate the impact of the disturbance preemptively will most likely suffer therefrom (ASIS International, 2009; British Standards Institute, 2006).
• Vulnerability: a characteristic of a critical infrastructure’s design, implementation, or operation that renders it susceptible to destruction or incapacitation by a threat (International Risk Governance Council, 2006; President's Commission on Critical Infrastructure Protection, 1997). Thus, organizations with high levels of vulnerability recover less quickly, or not at all, and spend more money to do so when compared to organizations with low levels of vulnerability [resilience] (Sheffi, 2005). Organizations are at risk for spending money inappropriately or making ineffective funding choices when such actions or inactions drain monetary resources from core business needs and reserves for contingencies and the recovery from disturbances.
• Propagation: the measure of the depth a disturbance passes into an organizational system. The safety and risk management literature contains many examples of relatively small and in some instances unpredictable or difficult to predict disturbances that have resulted in catastrophic results because the disturbance had the ability to pass unchecked deep into the system.
A classic example tells of a March 2000 lightning strike that caused a fire in a Philips’ semiconductor fabrication plant in New Mexico that was extinguished in 10 minutes and yet caused a shift in the balance of corporate power between Ericsson, Philips’s radio frequency chip customer, and Nokia, Ericsson’s competitor. The impact of the shutdown of the Philips plant took more than nine months to resolve and at the end of 2000 Ericsson announced a $2.34 billion loss in its mobile phone division where at least $400 million is due to loss of potential revenue directly attributed to the cascading results of the fire while Nokia took over a major part of the market (Latour, 2001).

1.3 Targeted historic overview

The following represents a short targeted portion of the history of risk management as the first of two examples of the reason organizations are subject to vulnerability and the need for its elimination or mitigation. The second example is introduced and explained in §2.1.

In 2002 a McKinsey & Company survey found that due to nonexistent or ineffective risk management processes, extra-financial risks received only anecdotal treatment in the board room (Felton & Watson, 2002) as cited in (Tonello & Brancato, 2007). In 2004 The Conference Board conducted research on 271 companies and found that despite a positive disposition toward Enterprise Risk Management (ERM) most firms were in the early stages of designing a comprehensive risk management structure where only 18% had the most basic elements in place, 16% had integrated advanced ERM thinking into business practices, and 4% of responders had addressed performance metrics or compensation policies (Gates & Hexter, 2005) as cited in (Brancato, Tonello, Hexter, & Newman, 2006). In 2004 PricewaterhouseCoopers found that 20% of 1,400 chief executives surveyed reported that they understood their accountability with respect to managing business risk (PricewaterhouseCoopers, 2004).
In June 2006 The Conference Board and McKinsey & Company and KPMG’s Audit Committee Institute showed that few executives can point to the use of robust ERM techniques by their companies (Brancato et al., 2006). From these results, while one can conclude that corporate executives understand the need to mitigate or eliminate vulnerability, they give little attention to implementing vulnerability elimination and mitigation efforts. Thus, while most likely not the intent of these corporate executives, the little attention given to identifying, analyzing, eliminating and mitigating vulnerabilities makes their organizations vulnerable.

1.4 Success stories

While the safety and risk management literature is rich with failures and dreadful accidents resulting in deaths, injuries, large monetary losses, and protracted legal proceedings, all is not hopeless as there are organizations that have dealt well with the potential for vulnerability; several examples are provided below.

Mount Pinatubo

On the morning of June 15, 1991, Mount Pinatubo on the island of Luzon in the Philippines erupted. In anticipation of such a possibility due to a series of small steam-blast explosions, monitoring equipment was put in place in April 1991 by the Philippine Institute of Volcanology and Seismology and the U.S. Geological Survey. The purpose of monitoring volcanic activity was to mitigate vulnerability by providing advance knowledge of an eruption so that evacuations could be undertaken and protective measures put in place before the eruption commenced. The advance notice and preemptive implementation of protective measures saved the lives of 5,000 to 20,000 people and avoided property losses estimated to be between $350 million and $475 million. The cost to monitor the volcano, protect property, and evacuate people amounted to $56 million (United States Geological Survey, 2005).
Flood Hazard Mitigation in North Carolina

The state of North Carolina has a long history of destruction by hurricanes because its protruding coastline falls in line with the track for tropical cyclones that curve northward in the western Atlantic Ocean. A hurricane or tropical storm makes landfall in North Carolina on the average of once every 4 years and a tropical cyclone affects the state every 1.3 years (State Climate Office of North Carolina, n.d.). The federally funded Hazard Mitigation Grant Program provided matching funds to the State of North Carolina to elevate structures above flood water levels, and prior to Hurricane Isabel (category 2) in 2003, 182 structures had been elevated. In Belhaven, North Carolina the cost to mitigate the damage from flooding caused by hurricanes was $7.1 million and the losses avoided by Hurricane Isabel alone were $2.6 million (Flood Insurance and Mitigation Division, n.d.). If one assumes that the life-cycle of the construction required to raise the structures above flood waters is 20 years, a hurricane similar to Isabel occurs every 4 years of the life-cycle, losses due to each storm occurrence are $2.6 million, and the discount rate is 2%, then the present value of the avoided risk is $12.91 million. A similar case can be made for efforts undertaken in Kinston, North Carolina where 100 homes were acquired and demolished prior to Hurricane Floyd on September 22, 1999, saving $6.4 million in avoided losses for a cost of $2.1 million (Division of Emergency Management, 2002).

Nokia

The shift in market share described in §1.2 highlights Nokia’s ability to manage risk, particularly its ability to identify and analyze potential disturbances and develop and implement solutions. That is, once the extent and potential effect of the disturbance on Nokia’s production capability became known, Nokia focused efforts aggressively on acquiring radio frequency chips from Philips and other suppliers with whom Nokia had relationships.
The result was that Nokia’s share in the world handset market increased from 27% to 30% while Ericsson’s fell from 12% to 9% (Latour, 2001).

United States Coast Guard and Hurricane Katrina

Success regarding diminishing the vulnerability for others was exemplified by the preparation for and execution of emergency response activities by the United States Coast Guard for Hurricane Katrina in 2005. The Coast Guard’s ability to be flexible and decentralized and take measured risks set it apart from the sluggish centralized bureaucracy of the Department of Homeland Security of which it is a part. Prior to the strike of Hurricane Katrina and before the mandatory evacuation order given by the mayor of New Orleans the Coast Guard, mitigating vulnerability to its assets, moved personnel and equipment out of the area so that it could be moved back in behind the storm no matter which direction it took. The Coast Guard gives extraordinary responsibility to enlisted personnel so decisions can be made quickly by the person closest to the situation. Despite the fact that almost half of Coast Guard personnel lost their own homes due to the hurricane they rescued or evacuated 33,500 people (Ripley, 2005).

Incident Command System

The incident command system (ICS) is an emergency response and management structure currently used in the United States by federal and state public safety agencies; municipal police, fire, and public works departments; and many other organizations, including universities. ICS enables the control of the temporary systems deployed to manage personnel and equipment at a wide range of emergencies that could require expansion, contraction, or modification of response assets. ICS was the result of knowledge gained from the harmful disorder that occurred among various organizations during the suppression of extensive wildland fires in California during the 1970s.
The ICS is a formal hierarchical structure that consists of five major functions: command, planning, operations, logistics, and finance and administration and is modifiable and scalable to any type of emergency. It represented a significant departure from previous large-scale emergency management methods and since its inception in the 1970s it has been tested broadly by way of actual events, modified accordingly, and because of its demonstrated success it is now required by the Federal government for state, local, or tribal entities as a condition for Federal preparedness assistance under the National Incident Management System (Bigley & Roberts, 2001; Ridge, 2004).

1.5 Chapter Summary

Organizations are vulnerable because of the inherent complex nature of organizational systems, the unpredictability of potential disturbances, and the uncertain path a disturbance may take into an organization as well as the confounding effect of societal trends regarding product reliability. The societal trends were introduced as they provide one with a way to test an organizational system in terms of the future and will be discussed in greater detail in Chapter 2. Astonishing results were presented from research by others for the purpose of bringing into the discussion the potential deleterious effect on an organization by organizational leaders who are not aware of the risks their organizations face and the management efforts in place to counter such risk.

The value of planning and preemptive action is one of the foundations of this dissertation and several successful examples were provided. These examples tell of the plans and preemptive actions put in place to mitigate the effects of a disturbance, e.g. the planning and staging operation by the United States Coast Guard prior to the strike of Hurricane Katrina in 2005. Chapter 2 is founded on the reality presented in Chapter 1 and describes why organizational vulnerability is a problem.
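The present-value figure in the Belhaven flood-mitigation example of §1.4 can be reproduced as follows (an added example, not part of the dissertation). The $12.91 million result is obtained only when a storm is also counted at year 0, which is an assumption inferred here from the arithmetic; the function and parameter names are hypothetical.

```python
"""Present value of avoided losses for a recurring hazard (added example).

Inputs are the Belhaven figures quoted in the text: $2.6 million avoided per
storm, one storm every 4 years, a 20-year life-cycle, a 2% discount rate and
a $7.1 million mitigation cost. Counting a storm at year 0 is an assumption.
All monetary values are in millions of dollars.
"""


def event_years(horizon, interval, first_at_zero):
    """Years of the life-cycle at which a storm is assumed to strike."""
    if horizon < 0 or interval <= 0:
        raise ValueError("horizon must be >= 0 and interval must be > 0")
    start = 0 if first_at_zero else interval
    return list(range(start, horizon + 1, interval))


def present_value(loss, years, rate):
    """Discount each avoided loss back to year 0 and sum the results."""
    if rate <= -1:
        raise ValueError("discount rate must be greater than -100%")
    return sum(loss / (1 + rate) ** t for t in years)


def appraise(cost, loss, horizon, interval, rate, first_at_zero):
    """Compare the discounted avoided losses with the mitigation cost."""
    years = event_years(horizon, interval, first_at_zero)
    pv = present_value(loss, years, rate)
    return {
        "years": years,        # years at which a loss is avoided
        "pv": pv,              # present value of avoided losses
        "net": pv - cost,      # net benefit of mitigation
        "ratio": pv / cost,    # benefit-to-cost ratio
    }


# Figures quoted in the text for Belhaven, North Carolina.
BELHAVEN = dict(cost=7.1, loss=2.6, horizon=20, interval=4, rate=0.02)

if __name__ == "__main__":
    for first_at_zero in (True, False):
        result = appraise(first_at_zero=first_at_zero, **BELHAVEN)
        print(
            f"storm years {result['years']}: "
            f"PV = {result['pv']:.2f}, "
            f"net = {result['net']:.2f}, "
            f"benefit/cost = {result['ratio']:.2f}"
        )
```

If the first storm is instead placed at year 4, the same inputs give a present value of $10.31 million, which still exceeds the $7.1 million mitigation cost.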
Chapter 2 Why is organizational vulnerability a problem?

Discussed in this chapter are sources of vulnerability including external, internal, and inherent vulnerabilities such as vulnerabilities due to cognitive bias. A comprehensive list of vulnerabilities, compiled by General Motors, was mapped to the societal trends introduced in Chapter 1. The purpose of the mapping is to use the vulnerabilities provided by General Motors as an example to determine whether vulnerability would increase, decrease, or remain the same should the manifestation of the societal trends occur. This chapter concludes with the research questions that were the motivation for this dissertation.

2.1 Sources of vulnerability

Organizational vulnerability

Organizational vulnerability is a multi-domain problem. Organizations are vulnerable to disruptions that originate from directly identifiable causes internal and external to the organization and to disruptions that are due to the inherent characteristics of the organizational system. Inherent vulnerability will be discussed in the following sub-section. Organizations are also vulnerable to the uncertainty associated with the magnitude of the disruption and its ability to propagate through the organizational system.

The basis of Table 1 is a list of the types of vulnerabilities, internal and external, faced by General Motors (GM) (Elkins, 2003). Knowing that the list does not represent the vulnerabilities of every organization, the author suggests that it is comprehensive enough to familiarize the reader with a fundamental, albeit incomplete, list of organizational vulnerabilities. The original list was augmented to map each of GM’s vulnerabilities against the societal trends introduced earlier in §1.1 for the purpose of determining whether organizational vulnerability is a valid problem. This analysis provides the second of two examples of the reason organizations are subject to vulnerability and the need for its elimination or mitigation.
Table 1 should be read as follows: for each trend, would organizational vulnerability due to, for example, disruptions to the organization’s debt and credit rating become more of an issue or get worse (indicated by -), become less of an issue or get better (indicated by +), or remain neutral (indicated by o) under trend 1, 2, 3, or 4 or any combination thereof? In this example the author believes that the societal trends 2 and 4, for the reasons stated in Table 1, could increase the level of vulnerability for an organization should they occur. To refresh the reader’s mind, the four trends regarding product reliability are (Brombacher, de Graef, den Ouden, Minderhoud, & Lu, 2001):

1) The increasing integration of (increasingly complex) technology in our society and the increasing expectation of users that these systems will function at all times
2) The increasing dynamics of business processes where stability (due to ever changing economic demands) and overview (due to globalization and outsourcing) are hard to establish
3) The increasing role of information and communications technology and the increasing dependence on computer systems by society
4) The increasing withdrawal of government from the social infrastructure in favor of private business. For example, non-government control of the internet

The complete Table 1 reveals that the societal reliability trends affect the 105 vulnerabilities as follows: the vulnerability becomes more of an issue or gets worse 54 times, the vulnerability becomes less of an issue or gets better 12 times, and the vulnerability remains neutral 14 times. In 25 instances vulnerabilities were affected by multiple trends, i.e. becomes more of an issue or gets worse plus becomes less of an issue or gets better. Breakdown by individual trend is not relevant to the present paper. Overwhelmingly the trends have a deleterious effect on the vulnerabilities identified by GM.
Vulnerability | Trend 1 | Trend 2 | Trend 3 | Trend 4 | Reason (example)
Debt & credit rating | | - | | - | Trend 2 - Negative interpretation of dynamical state of business by conservative financial markets result in less flexibility regarding debt. Trend 4 - Less government involvement results in increasing degradation of oversight, data collection capability, information transfer, and consistently applied controls
Health care & pension costs | - | | | + | Trend 1 - More expensive treatment costs to offset drug and diagnostic equipment development costs. Higher costs passed to employers therefore fewer funds available for other employee benefits, e.g. pensions. Trend 4 - Less government involvement increases competition in the marketplace and results in lower costs
Uncompetitive cost structure | o | o | o | o | Not related to trends as poorly priced products and services will not be competitive

Legend: - indicates that selected vulnerability becomes more of an issue or gets worse, + indicates that selected vulnerability becomes less of an issue or gets better, and o indicates neutrality

Table 1 – Mapping of Vulnerabilities, General Motors, (Elkins, 2003) to Societal Reliability Trends (Brombacher et al., 2001) (sample, entire table in Appendix A)

Inherent vulnerability

Organizations are subject to vulnerabilities from internal and external sources as well as vulnerabilities inherent to the organization. A discussion of internal and external sources of vulnerability was presented in the previous sub-section addressing organizational vulnerability while a discussion related to inherent vulnerability, albeit a kind of organizational vulnerability, is presented separately as follows.
To be clear, inherent vulnerabilities are not to be confused with errors in the vulnerability assessment process; they are vulnerabilities due to aspects of the system that make vulnerabilities hard to see due to system complexities, such as the remoteness of interdependent operations and the negative effects imposed on the organizational system due to cognitive bias on organization leadership decisions.

While the list of vulnerabilities provided in Appendix A is fairly comprehensive, it does not specifically identify sources of vulnerabilities that are inherent to systems both locally and remotely. For example, an earthquake occurring near the site of a manufacturer’s organization, even if it does not cause physical damage to the organization’s assets, can damage transportation systems and hinder the movement of supplies, product, and personnel to and from their intended destinations or destroy the utility infrastructure that supports the manufacturer. Similarly, an earthquake could occur in the vicinity of the manufacturer’s primary supplier but remote to the manufacturer and still have devastating effects on the manufacturer’s ability to fulfill its core responsibilities by way of damage to the supplier’s physical assets, transportation systems between the supplier and manufacturer, and utility infrastructures.

Organizational structures put in place because of manufacturing concepts such as lean manufacturing are particularly vulnerable, although the vulnerability is not intended. The reason is that lean organizations are designed to function at high levels of efficiency; however, when a disturbance occurs there is little or no slack in the system to accommodate the disturbance.
For example, in the instance mentioned above where an earthquake, remote to both the supplier and manufacturer, prevents the movement of materials from the supplier’s location to the manufacturing plant, the impact to the manufacturer’s production capabilities could be devastating if an alternative supplier is not available. In this instance it is prudent to find a balance between organizational lean-ness and profit while taking into consideration credible potential impact due to the potential occurrence of a particular vulnerability. Thus, to mitigate the vulnerability of material delivery interruption due to an earthquake a manufacturer should develop relationships with alternative suppliers, stock some materials on site, or a combination of both (Sheffi, 2005).

Another example of vulnerability inherent to systems has to do with a company’s desire to provide its customers with a high level of support through unimpeded access to its employees and product information by way of the internet; the same access is also available to individuals wishing to commit cyber crime.

Cognitive bias

A systematic approach such as the HRRO methodology also mitigates the destructive effects of cognitive bias (defined in the glossary of this dissertation) on behalf of the decision makers, as cognitive biases can play a strong role in the decision-making process where they can diminish the correctness of the decision. Thus, cognitive bias is a source of human error in the decision-making process, especially in decisions that are made by intuition and by inexperienced decision makers. With decisions that require consideration of various courses of action and their implications, a structured formal approach can help reduce the risk of error. Some of the more common cognitive biases are listed below.

1. Confirmation: The migration to evidence that supports a preexisting hypothesis. Not only is this evidence found more persuasive and convincing, contradicting evidence is discounted (Roberto, 2009).
2. Overconfidence: Human beings are systematically overconfident and optimistic in their judgments (Roberto, 2009). Overconfidence occurs most often when the estimator lacks expertise or knowledge about the quantity they are estimating, and thus fails to include all of the possibilities (Goodwin & Wright, 2000).
3. Sunk cost trap: The tendency for people to escalate commitment to a course of action in which they have made substantial prior investments of time, money, and other resources (Roberto, 2009).
4. Availability bias: Ease of recall is not associated with probability, i.e. easily recalled events are not necessarily highly probable. Also, easily imagined events are not necessarily the most probable, therefore associated risks could be overestimated and, in situations where expertise is lacking, underestimated. In addition, current information could be problematic in estimating quantities as decision makers may anchor on the current value and make insufficient adjustments for the anticipated effect of future conditions (Goodwin & Wright, 2000).
5. Illusory correlation: A form of the availability bias where preconceptions not based on fact could lead one to the wrong conclusion about the relationship between two variables when no causal relationship exists (Goodwin & Wright, 2000; Roberto, 2009). For example, if one had the opinion that foreign made products were less reliable, the frequency of unreliable foreign made products could be overestimated.
6. Anchoring bias: Anchoring refers to the notion that we sometimes allow an initial reference point to distort our estimates (Roberto, 2009). People tend to overestimate the probability of the occurrence of conjunctive events because they anchor on the probability of one of the events occurring. Overestimating probabilities for conjunctive events may lead to unjustified optimism.
With disjunctive events the tendency is to anchor on one event and underestimate the probability (Goodwin & Wright, 2000; Tversky & Kahneman, 1974).
7. Hindsight bias: The more time passes, the more that we think that we predicted, or could have predicted, the eventual outcome to a situation (Roberto, 2009).
8. Egocentrism: When we attribute more credit and blame to ourselves for a particular group or collective outcome than an outside party would attribute (Roberto, 2009).
9. Ignoring base-rate frequencies: People tend to base probability estimates on how representative a subject or item is to descriptive information, not the statistics representing the base-rates (Tversky & Kahneman, 1974).
10. Expecting sequences of events to appear random: When a sequence of events is generated by random processes we expect the sequence to represent the characteristics of randomness. This bias could lead to errors in forecasts when data from few events is misinterpreted as representative of the systematic patterns of many events (Goodwin & Wright, 2000).
11. Expecting chance to be self correcting: This is another consequence of the belief that random sequences of events should be representative of what the random process is perceived to look like. For example, if a fair coin is tossed, given that no trickery is present, the probability of the occurrence of a head or tail is 0.5. In a sequence of tosses one expects the resulting number of heads and tails to be approximately equal. However, in a sequence of tosses resulting in heads, many people will think that the occurrence of a tail is overdue (Goodwin & Wright, 2000).
12. Ignoring regression to the mean: People expect extremes to be followed by similar extremes; however, the unusual event is probably a result of a particularly favorable, or unfavorable, combination of chance factors which are unlikely to recur in the following period.
Failure to consider this bias could result in overestimating or underestimating resources needed to address the most likely event (Tversky & Kahneman, 1974).
13. The conjunction fallacy: The co-occurrence of two events cannot be more probable than each event on its own (Tversky & Kahneman, 1974).
14. Believing desirable outcomes are more probable: People tend to view desirable outcomes as more probable than those which are undesirable (Goodwin & Wright, 2000).
15. Biased assessment of covariation: A bias similar to illusory correlation that can occur when people are presented with tables showing the number of times events occurred or failed to occur together. For example, consider the following information, Table 2, based on the records of 27 patients:

                   Illness Present   Illness Absent
Symptom Present          12                 6
Symptom Absent            6                 3

Table 2 – Example: Biased Assessment of Covariation

According to research by Arkes, Harkness, and Biber, as cited in Impediments to Accurate Clinical Judgment and Possible Ways to Minimize Their Impact by H. Arkes (Arkes, 1986), many people would conclude that there was a relationship between symptom and disease. In Table 2, the large value 12 and the suggestion that people only consider the frequency of cases where both symptom and disease are present create the illusion of a relationship; however, the conditional probabilities reveal that the probability of illness when the symptom is present is 12/18 = 2/3 and the probability of illness when the symptom is absent is 6/9 = 2/3. Therefore, the presence or absence of the symptom has no effect on the probability of having the illness.

The author observed the following instance of cognitive bias.
The subject was an organizationally powerful and highly competent stakeholder (a secondary stakeholder external to the process but a person who could enable the improvement of the process and its proliferation throughout the broader organization) who believed that the only viable method for selecting and funding projects was to initiate as many projects as could be afforded and to do so as quickly as possible, a method the stakeholder referred to as going after the low hanging fruit. In this instance the manifestation of the confirmation bias was observed. The stakeholder was comfortable in a discipline where quick response reflects due diligence. Thus, one should select projects that could be implemented quickly. While some of the low hanging fruit could have been projects that were low in cost and high in benefits, there was no guarantee that this practice would result in funding and implementing the optimal set of projects based on the combination of benefit and cost. One might conclude that this stakeholder had adopted a satisficing strategy, i.e. a decision-making strategy where an adequate non-optimal solution is acceptable, but because of this person’s emphatic position in context of due diligence the author rejects this notion.

Some decision makers do not experience such judgment difficulties as shown above and in these situations cost can be considered an attribute within the hierarchical tree (Goodwin & Wright, 2000). Because of the uncertainty of knowing how well the decision-makers are able to judge costs versus intangible benefits, particularly in a group decision making process, the author recommends that monetary and non-monetary aspects be kept separate unless experience with the decision makers proves otherwise. This process aligns with the traditional concept of benefit-to-cost analysis where the goal is to maximize net benefits from an allocation of resources (Federal Highway Administration, 2007).
2.2 Research questions

The impact of vulnerability described in the historic overview regarding corporate leadership and ERM, the mapping example provided in Table 1, and the impact of vulnerability caused by inherent characteristics of systems support the conclusion that organizational vulnerability is a problem. Vulnerability presents a multi-domain problem whose magnitude and ability to penetrate into an organization is difficult to determine with certainty. Also, organizational vulnerability is hard for an organization’s leaders to support because the benefit-to-cost relationship of risk avoidance is hard to prove (Karydas & Rouvroye, 2006), information related to terrorism is impossible to get for the typical business organization (Pate-Cornell & Guikema, 2002), the impacts of risks, especially large impacts, are perceived as rare events and ignored (Sheffi, 2005), and the role of cognitive bias in organizational decision-making is not often taken into consideration (Page, 2009).

The major contributions by this paper are the responses to the following research questions.

1. By what means can an organization systematically identify and assess and either eliminate or mitigate vulnerability that takes into consideration prerequisite organizational factors and cost?
2. How would an organization prioritize vulnerability mitigation or elimination projects or initiatives?

2.3 Chapter summary

Organizational vulnerability is a problem because, if unaddressed, the organizational system could suffer and, in turn, so could the organization’s ability to fulfill its core responsibilities, e.g. the fabrication and delivery of a product to a customer. Organizations are systems of complex systems; therefore, knowing the vulnerabilities the organization could face, whether internal, external, or inherent, is essential to the sustainability of the organization.
The research questions at the conclusion of §2.2 target the underlying, prerequisite, organizational factors and practices that enable an organization to identify and assess and either eliminate or mitigate vulnerability. The methodology undertaken to accomplish this research is described in Chapter 3.

Chapter 3 Research methodology

This chapter describes the methodology undertaken to understand the magnitude of organizational vulnerability and decision-making processes in context of the stakeholders associated with the process. During the present phase of the research existing models were identified and analyzed for the purpose of determining whether they are suitable as models for examining vulnerability in context of organizational prerequisites in their entirety or whether they should be incorporated in a new model.

3.1 Methodology

To resolve the problems described in the previous chapter the main goal of the present research is to develop a systematic, consistent, and customizable methodology to assess organizational vulnerability for the purpose of supporting organization decision-making. A desired outcome of this methodology is the ability to determine current and potential levels of vulnerability and to select and prioritize vulnerability elimination and mitigation initiatives and projects using both monetary and non-monetary factors. The process behind this research consists of the ten major steps below.

1. Reflect on personal experience gained during 36 years of professional practice and reflections offered by others,
2. Review relevant literature
3. Identify requirements in context of user perspective
4. Identify and analyze decision-making styles for selection consideration
5. Map decision-making styles to requirements
6. Select decision-making process that fits requirements best
7. Identify and analyze decision-making models consistent with decision-making process
8. Map decision-making models to requirements
9.
Develop new model that mitigates deficiencies, and;
10. Validate new model

Each of these steps will be explained in detail below or in appendices as referenced.

Step 1: Reflect on personal experience gained during 36 years of professional practice and reflections offered by others

This step provided the basis for this research, i.e. the author’s reflection upon experiences (sometimes painful) and learning acquired recently and over the years as a professional engineer and as a facility manager of an academic and research university. This step also incorporates invaluable reflections by other practitioners whether offered directly to or sought out by the author. Since the research process is iterative and took place over several years this step is considered overarching as experiences were recalled and reflected upon throughout the research.

Step 2: Review relevant literature

Like Step 1 the review of literature was an overarching activity as every newly discovered idea and journal article or recommendation offered by a practitioner resulted in deeper review of the relevant literature and learning.

Step 3: Identify requirements in context of user perspective

Knowing that the methodology would be validated by stakeholders the author, including the input from others, made a first pass at identifying its requirements using personal experience and relevant literature particular to organizational structure, reliability, and resilience as guides. These requirements are criteria an organization must possess as prerequisites in addition to those needed to conduct its core function. The intent was to put before the stakeholders text they could react to and revise, including discarding, if necessary. This process is explained in §4.3. The requirements and a brief description are provided as follows.

• Culture – the ability of the methodology to capture the degree the organization values and protects its employees and how the employees value and protect the organization.
Also, how the organization elicits ideas and feedback from employees and how the organization and employees learn from experiences,
• Risk management – use of the methodology to identify, analyze, eliminate, and mitigate risks including its ability to manage emergencies when they occur,
• Governance – application of the methodology as a means to measure an organization’s overarching leadership and management structure including its functions, policies, and procedures,
• Expressed / expressible as hierarchical tree – the ease by which a methodology can be structured in levels of attributes representing important aspects of the organization,
• Preemptive use – use of the methodology to predict the magnitude of an impact before it occurs,
• Corrective use – use of the methodology as a means to determine the magnitude of an impact after it occurs,
• Customizable – the ease by which the methodology can be modified to fit specific user requirements,
• Defendable – a clearly defined process,
• Repeatable – the ability of the methodology to yield identical results when provided with identical inputs,
• Implementable – the readiness by which the methodology can be put into practice in an organization,
• Quantifiable – the outcome of a methodology where a numerical value provides decision makers with the means of comparing and selecting alternatives in relative terms,
• Systematic – structured logical approach, i.e. set of steps, and;
• Monetary application – the ability of the methodology to take into consideration cost.

Step 4: Identify and analyze decision-making styles for selection consideration

Since most decision scenarios in organizations are participative to varying degrees, four decision-making styles particular to participative process will be explained and then evaluated (in Step 5) according to suitability to stakeholder requirements identified in Step 3.
The four types of participative decision-making are (Daugherty, 1997):

• Autocratic – the leader maintains total control and ownership of the decision
• Consultative – the leader encourages input from other participants regarding ideas, perception, knowledge, and information but maintains total control of the decision and is the sole decision maker
• Democratic – the leader relinquishes control and lets other participants vote. While a decision can be rendered quickly, no one takes responsibility for the decision
• Consensus – the leader gives up complete control and responsibility for the decision to all of the participants. All must agree and come to the same decision. While the decision process can be lengthy, the best decisions are rendered because the skills and ideas of many people are involved

Step 5: Map decision-making styles to requirements

In Table 3 decision-making styles are mapped against requirements to determine the most beneficial style, i.e. to determine whether specific requirements are included in a specific decision-making style. For example, the autocratic style defines an organizational structure with a single decision maker that does not take advantage of feedback from employees, thus the requirement of culture, as defined earlier, is not included. Table 3 reveals by a factor of 2 that the consensus decision-making style matches best with the requirements.
Decision-Making Styles (columns): Autocratic; Consultative; Democratic; Consensus

Requirements (rows): Culture (generic); Risk Management (generic); Governance (generic); Expressed or expressible as hierarchical tree; Preemptive use; Corrective use; Customizable; Defendable; Repeatable; Implementable; Quantifiable; Systematic; Monetary application

Entries: - - + + + + - + + + - + + + + + - + + + + - + + + - + + + + + + + + + + + + +

Ratio (number of responses reflecting inclusion) / (total possible responses): Autocratic 0.54; Consultative 0.54; Democratic 0.38; Consensus 1.0

Legend: + indicates that the selected decision-making style incorporates the specific requirement, - indicates that the selected decision-making style does not incorporate the specific requirement

Table 3 – Mapping of Decision-Making Styles to Requirements

Step 6: Select decision-making process that fits requirements best

Multi-attribute utility decision support processes support consensus-based decision-making by including additive utility functions [such as the requirements listed above] and displaying objectives and sub-objectives of the decision-making process formatted in a hierarchical tree (Clemen, 1996). Thus, a methodology based on the principles of multi-attribute utility theory (MAUT) is preferred.
Step 7: Identify and analyze decision-making models consistent with decision-making process

Nine existing models were selected for analysis: the High Reliability Organization (HRO), the Disaster Resistant University (DRU), Massachusetts Institute of Technology’s version of the Disaster Resistant University model (DRU at MIT), the Resilient Enterprise (RE), Enterprise Risk Management (ERM), Risk-Based Process Safety (RBPS), Reactor Oversight Process (ROP), Hearts and Minds (H&M), and Business Continuity Planning (BCP). Others were rejected because they were similar enough to a model already selected that inclusion would have resulted in duplication, because too little detail was available to fully describe the model, or because they lacked the rigor and efficiency of the analytic-deliberative process (Gifun & Karydas, 2010). For example, intuition is a common means for making judgments but was rejected because it does not provide a systematic, defendable, or repeatable approach. Complete descriptions and analyses of the selected organizational models and a brief commentary on the rejected models are provided in Appendix B.

Step 8: Map decision-making models to requirements

Table 4 shows the decision-making models as mapped to the requirements for the purpose of showing whether each model addresses each requirement. All are valid models within specified areas of interest but none address all of the requirements, although HRO and DRU at MIT come closest.
Decision-making Models (columns): HRO; DRU; DRU at MIT; RE; ERM; RBPS; ROP; H&M; BCP

Requirements, in context of organizational vulnerability (rows): Culture (generic); Risk Management (generic); Governance (generic); Expressed or expressible as hierarchical tree; Preemptive use; Corrective use; Customizable; Defendable; Repeatable; Implementable; Quantifiable; Systematic; Monetary application

Entries: + - - - - - - - - + - + + + - - - + + - - - + - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + - + + + - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + - - - - - - - - -

Ratio (number of responses reflecting inclusion) / (total possible responses): HRO 0.77; DRU 0.54; DRU at MIT 0.77; RE 0.31; ERM 0.38; RBPS 0.46; ROP 0.54; H&M 0.62; BCP 0.69

Legend: + indicates that the selected decision-making style incorporates the specific requirement, whereas - indicates that the selected decision-making style does not incorporate the specific requirement

Table 4 - Mapping Decision-Making Models to Requirements

Step 9: Develop new model that mitigates deficiencies

Table 4 shows the similarities and dissimilarities of the several models and the strength of each model by way of the inclusion of requirements. A brief commentary regarding each model is provided as follows (Gifun & Karydas, 2010).
• HRO provides a comprehensive high-level view of an organization but does not provide the means for implementation
• DRU focuses on hazards and threats (primarily physical) external to the organization and like HRO does not provide explicit means for implementation
• DRU at MIT is similar to DRU but provides greater guidance regarding implementation
• RE provides broad principles but no method for implementation
• ERM focuses broadly on corporate risk but does not provide a method for implementation
• RBPS is excessively comprehensive and provides so much detail that implementation would be unmanageable
• ROP is specifically applied to public health and safety as a result of reactor operation and provides the means for implementation
• H&M provides a comprehensive view of an organization in context of safety and the means for implementation, and;
• BCP does not provide the means for implementation but provides an organization with a comprehensive model that focuses on preemptive action

All of the models recognize the potentially devastating impact of hazards and threats to an organization but do so with levels of detail and in areas of application that make organization-wide implementation impractical without modification. Thus, the new methodology, labeled The Highly Reliable Resilient Organization (HRRO), must mitigate the deficiencies in the individual models and include the means for implementation, recognition of organizational cultural complexity, a structured analytic-deliberative decision-making process, and the means to inform risk avoidance decisions. The HRRO methodology is intended to provide the means to measure organizational reliability and resiliency against organizationally derived criteria.
To develop the hierarchical tree as indicated in Tables 3 & 4 in support of a consensus-based model, the nine organizational models mentioned earlier were decomposed at the criterion level according to the broad categories of culture, risk management, and governance and whether each criterion could be applied preemptively, correctively, or both. The purpose of this analysis was to determine where deficiencies might be in each model and to derive themes that would become the criteria of the HRRO methodology.

The description of each criterion was read carefully to determine whether the criterion could be considered at least minimally related to culture, risk management, or governance and whether the description shows that the criterion should be considered for preemptive or corrective use, or both. For example, given the HRO criterion Preoccupation with failure, as shown in Appendix A, the description tells of the need to encourage the reporting of errors and warns of complacency as a reason for unexpected events to go undetected. Thus, because of the organizational behavior aspect of the reporting of errors and the temporal nature of the description, i.e. precedes bigger problems, the author classified the criterion as cultural and preemptive. Once the criteria of each model were analyzed and similarly classified, duplicates were removed (strikethrough) as shown in the columns below the heading Model criteria sets; refer to Table 5 and Appendix C.

Table 5 shows an extract from the complete analysis provided in Appendix C, Tables 18 - 28. The portion of the analysis shown in Table 5 indicates that RBPS is strongly biased toward the preemptive in the categories of culture, risk management, and governance. Therefore, adding functionality that includes corrective components would make it more useful in general applications.
Criteria classified as explained above were scrutinized once again to determine whether each criterion possessed a generic primary theme and sub-theme. For example, in Table 6 the primary theme derived from the detailed scrutiny for HRO1 was determined by the author to be cultural and risk-management based while the more specific sub-themes were Safety culture, Analysis, and Testing. The resulting themes associated with each model’s criteria are safety culture, analysis, testing, organizational learning, maintenance, solution design, objectives, strategic direction, policy, rules, regulation, flexibility, emergency response, implementation, decision-making, communication, management support, and procedures. A sample of the analysis is shown in Table 6 and a summary of the entire analysis is shown in Table 7.

Table 5 – Analysis by Model Decomposition for Risk-based Process Safety (sample, complete analysis in Appendix C, Tables 18 - 28)

Column headings: Criteria Number; Criteria; Definition; Criteria by Category; Criteria by Application; Model Criteria Sets (category ∩ application, e.g. Culture ∩ Preemptive); Number of Criteria

RBPS1 – Commit to process safety. Definition: Process safety culture, compliance with standards, process safety competency, workforce involvement, and stakeholder outreach
RBPS4 – Learn from experience. Definition: Incident investigation, measurement and metrics, auditing, management review and continuous improvement, implementation, and the future

Table 6 - Example of Themes Derived from Criteria by Category and Application (sample, complete analysis in Appendix C, Table 27)

Culture ∩ Preemptive

HRO1
Definition: Encourage the reporting of errors and pay attention to any failures. These lapses may signal possible weakness in other parts of the organization. Too often, success narrows perceptions, breeds overconfidence in current practices and squelches opposing viewpoints. This leads to complacency that in turn increases the likelihood unexpected events will go undetected and snowball into bigger problems.
Primary Themes: Culture & Risk Management
Sub-Themes: Safety Culture, Analysis, & Testing

DRU4
Definition: Training
Primary Themes: Culture
Sub-Themes: Organizational Learning

RE4
Definition: Like a citizen staffed neighborhood watch program, the people who make up organizations are its sensory system. Many eyes, ears, and the physical presence of people who choose to get involved can be deterrence to crime. Also, employees who learn of potential disturbances that are credible and could impact the organization and bring such information to the organization, could provide the organization with sufficient time to implement measures to diminish the potential impact
Primary Themes: Culture & Risk Management
Sub-Themes: Safety Culture, Analysis, Testing, & Maintenance

ERM1
Definition: Encompasses the tone of an organization, and sets the basis for how risk is viewed and addressed, including the organization’s risk management philosophy and risk appetite, its integrity and ethical values, and the environment in which they operate
Primary Themes: Culture, Risk Management, & Governance
Sub-Themes: Analysis, Solution Design, Objectives, Strategy, Policy, & Rules

RBPS1
Definition: Process safety culture, compliance with standards, process safety competency, workforce involvement, and stakeholder outreach
Primary Themes: Culture & Governance
Sub-Themes: Safety Culture, Policy, Regulations, & Rules

Legend: Preemptive and corrective refer to applications. Culture, risk management, and governance refer to categories.

Table 7 – Summary: Criteria Numbers by Themes (complete analysis in Appendix C, Tables 18 – 28)

Themes: Criteria Number
Safety Culture: HRO1, RE4, RBPS1, H&M3, RE4, RBPS3, ROP2, ROP3, H&M4, RBPS4, H&M6, MIT1, MIT2, H&M1, H&M2
Analysis: HRO1, RE4, ERM1, HRO4, HRO2, HRO3, DRU1, RE2, RE3, ERM3, ERM4, RBPS2, ROP1, BCP1, RBPS4, H&M6, MIT1, MIT2, MIT3, HRO3, ERM2, H&M8, H&M2
Testing: HRO1, RE4, H&M7, RE1, RE5, BCP5, ERM8, H&M8
Organizational Learning: DRU4, ERM1, HRO4, HRO5, DRU5, H&M3, RBPS2, RBPS3, DRU4
Maintenance: RE4, H&M7, HRO3, RE1, RE5, ERM5, BCP5, ERM8, H&M8
Solution Design: ERM1, ERM3, ERM5, ROP1, BCP2
Objectives: ERM1, ERM3, ERM2
Strategic Direction: ERM1
Policy: ERM1, RBPS1, HRO5, H&M3, RE8, MIT1, MIT2, MIT3, RE6, ERM2, ERM6, H&M1, H&M2
Rules: ERM1, RBPS1, H&M1
Regulation: RBPS1
Flexibility: HRO4
Emergency Response: HRO4, RE1, RBPS3, ROP1, BCP4, MIT1, MIT2, MIT3
Implementation: HRO4, DRU3, RE2, ERM5, ROP3, BCP3, MIT1, MIT2, MIT3, ERM6
Decision-Making: HRO5, H&M2
Communication: ERM7, H&M1, DRU2
Management Support: HRO3, DRU3, RE5, RBPS4, MIT1, MIT2, MIT3, ERM2, ERM5, ERM6, H&M1
Procedures: RE6, H&M6, ERM2, ERM6, H&M5

The themes derived from this analysis became the criteria of the HRRO methodology. The HRRO methodology will be discussed in greater detail in following sections of this dissertation.
The next steps of the development process entail defining the criteria, as shown in §4.2, creating the constructed scales, weighting, and stakeholder consensus. Constructed scales are behind the lowest level criteria, e.g. Safety as shown in Figure 1 (Chapter 4). The constructed scales depict a progression of weighted levels that range from 0 to the maximum weight of the criterion and enable the stakeholder to select a level that matches the stakeholder’s rating. Constructed scales, once established, provide the means to efficiently elicit stakeholder input (Karydas & Gifun, 2006). Figure 2 (Chapter 4) provides the reader with an example of a constructed scale from the HRRO methodology. The levels of each constructed scale and the weighting of criteria and constructed scale levels are developed by stakeholders directly, or a draft version is developed by others, modified if necessary, and subsequently accepted by stakeholder consensus. Because of the interrelatedness of the constructed scales and the assessment functionality within the HRRO methodology, constructed scales were developed after the first workshop to take full advantage of stakeholder input. Thus a more detailed and relevant description is provided in §4.4.

Step 10: Validate new model

Proof of validity is described by way of a discussion about the models from which the new methodology was derived, testing by stakeholder groups, two case studies where the new methodology was applied post-disturbance to real situations, and correlation of the methodology’s resulting index to a score resulting from an independent risk quality benchmarking algorithm model. Validity will be discussed in greater detail in Chapter 6.
3.2 Chapter summary

Chapter 3 shows the methodology used to conduct the research described within this dissertation, which includes the identification of user criteria, the preference for a consensus-based multi-attribute methodology and hierarchical tree structure, and the analysis of existing decision-making models. While the HRO and DRU at MIT models were the most applicable, deficiencies were considerable enough that a new model is required in order to answer the research questions posited in Chapter 2. The process followed to develop the HRRO methodology is described in the following chapter.

CHAPTER 4
Development of the Highly Reliable Resilient Organization methodology

Chapter 4 builds upon the work described in Chapter 3, continuing with the development of the HRRO methodology with particular emphasis on stakeholder involvement through workshop participation.

4.1 Introduction

The HRRO methodology provides a systematic, consistent, and customizable means to identify, define, and assess the prerequisites of an organization that enable it to be resilient and supports the prioritization of projects and initiatives to improve prerequisite organizational criteria to sustain organizational resilience. By becoming (more) resilient the organizational system will be affected less by various disturbances, i.e. become less vulnerable. Criteria representing the quality of organizational operations such as annual revenue, stock price, and market share are not included, as traditional means provide better measures of these criteria. Thus, the author focused on the prerequisite organizational criteria associated with reliability and resilience, and assumed that the organization’s core business is viable (Gifun & Karydas, 2010).
While success in different types of organizations consists of varying levels of the combination of monetary and non-monetary achievements, the sustainability of the organization, the result of reliability and resilience, is the true measure of success, i.e. the organization’s ability to fulfill its purpose over a specified length of time. Since organizational sustainability includes non-monetary benefits, the organization would be considered sustainable as long as it, at the very least, met its non-monetary goals and was able to make sufficient money to continue to do so over time.

It is the intent of this dissertation, by way of the HRRO methodology, to provide organizations with the means to enable their decision makers to understand vulnerabilities and make risk-informed decisions to mitigate such vulnerabilities. The methodology builds upon relevant work done by or including the author, i.e. prioritization in A Method for the efficient prioritization of infrastructure renewal projects (Karydas & Gifun, 2006), risk-informed multi-attribute utility decision support systems in Ranking the risks from multiple hazards in a small community (Li et al., 2009), complex organizational systems in Organizational attributes of highly reliable complex systems (Gifun & Karydas, 2010), and organizational resilience and vulnerability in Resilience as a means to analyze business processes on the structure of vulnerability (Gifun, Karydas, Brombacher, & Rouvroye, Submitted for publication).

4.2 Criteria found in existing models and stakeholder feedback

To develop the HRRO methodology, the nine organizational models mentioned earlier were compared at the criterion level against the broad categories of culture, risk management, and governance and whether they could be applied preemptively, correctively, or both, as shown in Chapter 3.
The purpose of this analysis was to efficiently extract the essence of each existing model and use this information to create a draft version of a hierarchical tree for stakeholder review and comment. From this analysis the author learned that an organization should possess certain criteria as prerequisites in addition to those needed to conduct its core function. In other words, the degree of success therewith is dependent upon the level of organizational attention and leadership support given to:

1. Culture; safety culture: Worker safety by way of recognition and support inherent in the organization
2. Culture; organizational learning, quality improvement, & flexibility: Developing people, deferring to expertise, and learning from organizational experiences
3. Risk management; planning & preparation: Assessing the potential for risk from within the organization and external thereto and implementing the means for preemptive elimination or mitigation thereof
4. Risk management; emergency / incident response & business recovery: Accepting that some risks may cause disruptions no matter the plans made ahead of onset; therefore, puts in place processes that respond to disruptions for the purpose of lessening the consequences
5. Governance; objectives & strategic direction: Clearly stating organization objectives, strategies, policies, procedures, and directives and developing same with a diverse group of people representing relevant sectors of the organization
6. Governance; internal practices: Developing, but most importantly using, transparent and defendable decision-making methods. Implementing policies and procedures that are relevant, broadly known, and clearly understood. Communicating multi-directionally within and external to the organization and to do so proactively.
Demonstrating organizational commitment by overtly supporting risk avoidance methods and processes and funding the implementation of projects and initiatives that eliminate or mitigate vulnerability

Using that which was learned in Chapter 3, the requirements of multi-attribute utility theory (MAUT), and the desire to develop the new model in a hierarchical form by way of its criteria, the draft of the HRRO methodology was brought to an initial stakeholder workshop for review and further development. During this workshop a facilitated review of the preliminary definitions for the criteria was undertaken and stakeholders discussed the meaning of each criterion and offered revisions to some. A detailed explanation of the workshop is provided in the following section of this chapter.

The primary result of this workshop was the revision and acceptance of the criteria and their definitions and the creation of the hierarchical tree. Some of the preliminary definitions were taken from non-validated online sources solely for the purpose of starting the deliberation among the stakeholders. The definitions are shown below and the post-workshop form of the hierarchical tree is shown in Figure 1. The pre-workshop format is shown in Appendix D along with a copy of the information sent to workshop participants.

The following are the final accepted versions of the criteria definitions.

1. Culture: A basic set of assumptions and traditions that define what those within the organization pay attention to, what things mean, and how to react emotionally to that which is going on, and determine which actions to take in various kinds of situations (Schein, 1992)
2. Risk management: Organizational principles, practices, and structures that enable an organization to manage uncertainty to either eliminate or mitigate the realization and expansion of potential consequences or transfer the financial impact of such consequences to other institutions
3. Governance: Decisions made within the organization that define expectations, grant power, or verify performance
4. Safety (safety culture): Organizational safety culture entails compliance with standards, process safety competency, workforce involvement, stakeholder outreach, operating procedures, safe work practices, asset integrity and reliability, contractor management, training and performance assurance, management of change, operational readiness, conduct of operations, and emergency management
5. Organizational learning, quality improvement and flexibility: A term that describes an organization that actively creates, captures, manages, transfers, and mobilizes knowledge to enable it to adapt to a changing environment (Senge, 1990). Flexibility refers to the ability of an organization to adapt to changing demands (Weick & Sutcliffe, 2001; Weick & Sutcliffe, 2007)
6. Planning & preparation: Summary criterion for business continuity planning (British Standards Institute, 2006)
   a. Analysis: The employment of risk, vulnerability, and threat analyses, impact scenarios, and other analytic tools and methods to assess the current and potential state of the organization
   b. Solution design: The means to identify and develop the most cost effective risk mitigation and disaster and crisis recovery solution (including the crisis management command structure)
   c. Implementation: Execution of the design elements identified in solution design
   d. Testing & acceptance: The means to detect potential disturbances and ascertain the effectiveness and acceptance of plans and processes
   e. Maintenance: Periodic; 1) information updating and testing, 2) testing and verification of technical solutions, and 3) testing and verification of organization recovery procedures
7. Emergency / incident response & business recovery: An emergency / incident is a situation which poses an immediate risk to health, life, property, reputation, the environment, and finances.
Response and recovery are terms describing the action taken and resources deployed to mitigate the impact of an emergency / incident and to recover quickly therefrom to ensure the continuity of the organization’s core business
8. Objectives & strategic direction: A strategic direction is a long term plan of action designed to achieve an objective, i.e. a specific goal
9. Internal practices: Summary criterion for policies, rules, regulations, and operating procedures that are developed and implemented in accordance with the organizational charter:
   a. Policy: A deliberate plan of action to guide decisions and achieve rational outcome(s). Rules: Formal and widely-accepted statements, facts, definitions, or qualifications, informal but widely accepted norms, concepts, truths, definitions, or qualifications. Regulations: Considered as legal restrictions promulgated by government authority. Procedure: A specification of series of actions, acts or operations which have to be executed in the same manner in order to always obtain the same result in the same circumstance
   b. Decision-making process: Transparent fact-based analytic-deliberative processes and methods for making judgments or reaching conclusions are used where appropriate
   c. Communication: An act or instance of exchanging information, e.g. verbal or written messages (Merriam-Webster, 2009)
   d. Monetary & non-monetary support: Organization-wide policies and practices that overtly support action, e.g. risk assessment and analysis, implementation of projects, and funding of initiatives to eliminate and mitigate risks

Figure 1 – HRRO Hierarchical Tree

4.3 Initial Workshop

A draft proposal approach was taken and a stakeholder workshop was held to verify, test, modify, and quantify the methodology.
Also, the draft proposal approach was used to make better use of the stakeholders’ time, as less time and effort is needed to revise something that has been formulated already, albeit temporarily and cursorily, than to create a new one (Karydas & Gifun, 2006; Li et al., 2009).

The stakeholder group was composed of six people with experience and interest in relevant disciplines. Four out of the six were members of an intact risk management and emergency response team, i.e. a command level police officer, a medical department manager, a managing director of an environmental health and safety office, and an environmental health and safety officer. The other two stakeholders were a Ph.D. engineer with expertise in the field of property insurance related to chemical plant processes and a doctoral degree candidate focusing on risk analysis. The emergency and business continuity planner associated with the intact team mentioned above was not able to participate in the workshop but reviewed and commented upon the material qualitatively and external to the workshop. Comments offered by this person were included in deliberations with the stakeholder group by electronic mail.

Prior to the workshop the stakeholders were presented with a packet of materials. These materials, provided in Appendix D, included a description of the overall research project to provide context, a description of that which would be expected of the stakeholders during and following the workshop, a scenario to focus the efforts of the stakeholders should such focus be necessary (it was not), and the author’s draft proposal version of the hierarchical tree, criteria descriptions, and pairwise comparisons.

The categories and applications table, Table 8, shows the preliminary weights provided to the stakeholders prior to the workshop and those resulting therefrom.
Analyzing criteria by category and application provides stakeholders the ability to verify, albeit roughly, that sufficient criteria and criteria weight were included within the categories of culture, risk management, and governance and the applications of preemptive, corrective, or both. Per the example shown in Table 5, this process mimics that which was used to analyze the organizational models. During stakeholder deliberations the categories and applications were discussed; however, the information was not used in a formal analytical way.

Relative weights (pre-workshop / post-workshop)

Categories
Culture: 42 / 40
Risk Management: 33 / 36
Governance: 25 / 24

Applications
Preemptive: 49 / 47
Corrective: 14 / 18
Both: 37 / 35

Weights determined by expert opinion via the Analytic Hierarchy Process (AHP)

Table 8 – Categories and Applications

The stakeholders were guided through a review of the hierarchical tree where all potential revisions were evaluated to make certain that they were in compliance with the principles of MAUT. The stakeholders suggested two revisions: 1) move the implementation criterion from preemptive to corrective, as implementing plans is an act of correction, and 2) add business recovery to the emergency and incident response criterion to account for the physical aspects of recovering the business’s key operations. Per the stakeholders, the criterion labeled implementation refers to implementing business continuity plans while business recovery refers to implementing business recovery measures once a disturbance had occurred. Thus, the MAUT principle of prohibiting double counting had not been violated. The preliminary weights were also reviewed and revised according to stakeholder input. The hierarchical tree shown in Figure 1 incorporates these revisions.
To capitalize on meeting time to discuss concepts, criteria, and definitions, the weighting of criteria was done by each stakeholder external to the workshop, using an Analytic Hierarchy Process (AHP) model developed by one of the stakeholders (Elliot, 2008). A brief description of AHP is provided in the glossary. Results were returned by way of electronic mail.

Footnote: Excel spreadsheet that uses sliders for stakeholders to make pairwise comparisons. The sliders show by way of their position the weight given to each pair under consideration while a bar graph shows the relative weight of the criteria graphically as the sliders are manipulated.

The results were compiled and then distributed to the stakeholders by electronic mail for additional deliberation as they were too broadly distributed for consensus to be considered achieved. Each stakeholder was requested to review the weights submitted by the entire stakeholder group and the revised definitions of the criteria and to make revisions to their weights should they feel the need to do so. One stakeholder submitted revised pairwise comparisons (the other stakeholders were satisfied with their initial work); however, the results did not affect the distribution of the results appreciably, thus consensus could not be considered achieved by way of a strict application of AHP. The results are provided in Appendix E.

Given that the stakeholder group was not a complete intact team, attempting to force consensus would not have been productive, especially since the purpose of the workshop was to verify the HRRO model and not to produce a customized version thereof for immediate use by a specific organization. Also, as the method used to achieve consensus by way of stakeholder deliberation in conjunction with the review and revision of criteria weights is well known practice (Gifun & Karydas, 2010), the author deemed that expending additional effort would be unnecessary to prove validity.
Although consensus was not achieved the stakeholders accepted the weights as shown in Figure 1. The stakeholders unanimously agreed that the HRRO methodology represented a highly reliable complex organization in terms of its ability to anticipate, resist, and recover from disasters. Stating that the HRRO model could and should be customized for different organizations, e.g. criteria, definitions, or weights, the stakeholders affirmed that the model is generalizable.

4.4 Post initial workshop

During the period between the first and second workshop the author developed a draft version of the constructed scales and survey forms in anticipation of stakeholder review and consensus, as well as the weights associated with the constructed scales. This draft version of the entire methodology was produced for the purpose of demonstrating the HRRO methodology and eliciting opinion during the second workshop.

Constructed scales

The constructed scale below each criterion of the hierarchical tree is directly related to a corresponding survey form, i.e. for every response given on a survey form there is a corresponding constructed scale level which in turn is directly related by way of a criterion weight and utility set by the stakeholders to a global weight. The global weight is calculated by multiplying the utility of the selected level by the criterion weight (Karydas & Gifun, 2006; Li et al., 2009; Weil & Apostolakis, 2001). The survey forms will be discussed in greater detail below.

An example of a constructed scale used in the HRRO methodology is shown in Figure 2. All of the constructed scales function in a similar manner, i.e. the level selected is the one where the range shown in the description matches the score resulting from the applicable survey form. For example, if the score resulting from the safety culture survey form was 50 it would fall within the range of 37 < Score ≤ 55 and yield a global weight of 9.4.
The range divisions within the descriptions provided in the safety culture and organizational learning, quality improvement, and flexibility constructed scales were from the developers of each survey form; however, corresponding utilities for other criteria were proportioned according to the author’s expert judgment for demonstration purposes. In other applications stakeholders would insert utilities that reflect organizational values and objectives resulting from an analytic-deliberative process.

The global weight is the product of the utility in percent times the weight of the criteria from the hierarchical tree. For example, Figure 2 shows the weight of the criterion for safety culture as 18.7, thus the global weight for level 2 is 50% of 18.7 or 9.4. This means that 9.4% of a total global weight of 100 is attributed to the organization describing itself as calculative with systems in place to manage hazards in terms of safety culture. The authors departed from the use of global weights as prescribed by the Analytic Hierarchy Process (AHP) (Saaty, 1980) that total to 1.00 because workshop participants perceived them to imply high levels of accuracy.

Safety Culture (maximum criterion weight 18.7 out of 100 global)

Summary level measure of 18 performance measures attained from scoring sheet provided by the Hearts and Minds safety program. Organizational safety culture entails compliance with standards, process safety competency, workforce involvement, stakeholder outreach, operating procedures, safe work practices, asset integrity and reliability, contractor management, training and performance assurance, management of change, operational readiness, conduct of operations, and emergency management.

| Level | Description | Utility | Global Weight |
|---|---|---|---|
| 4 | Generative - highest level of safety culture where the organization is informed regarding safety issues and possesses the highest levels of trust and accountability within. (73 < Score ≤ 90) | 1.00 | 18.70 |
| 3 | Proactive - safety leadership and values drive continuous improvement. (55 < Average Score ≤ 73) | 0.75 | 14.00 |
| 2 | Calculative - systems in place to manage hazards. (37 < Score ≤ 55) | 0.50 | 9.40 |
| 1 | Reactive - safety is important and much is done every time there is an accident. (19 < Score ≤ 37) | 0.25 | 4.70 |
| 0 | Pathological - lowest level of safety culture where the organization does not care about safety unless caught by way of an accident or regulatory violation (0 < Score ≤ 19) | 0.00 | 0.00 |

Figure 2 – Example: Constructed Scale for Safety Culture, Based on Hearts and Minds (Energy Institute, 2007)

The levels and definitions for the remaining twelve constructed scales were the result of expert opinion by the author and stakeholder input to demonstrate the model but should be redefined by an organization’s stakeholders when applied thereto. The reader will find all of the constructed scales in Appendix F. The constructed scales should be based upon relevant and valid checklists or survey instruments similar to those used for the criteria, safety culture and organizational learning, quality improvement, & flexibility. For example, in the case studies discussed in §6.1.3 reference is made to checklists used in process safety and property damage applications.

Survey forms

Survey forms provide decision-makers with an entry point into the methodology. Each survey form presents a set of statements or questions applicable to each of the criteria shown in the hierarchical tree. The survey forms are linked directly to the constructed scales and could take the form of a checklist. Figure 3 shows one survey form out of thirteen. All of the survey forms are provided in Appendix G. While each form is different the basic concepts are similar; the intent is for the stakeholder, using the applicable response options for each form, to select the most appropriate rating corresponding to each question and statement.
To assess the organization's level of safety culture the stakeholder would, for each question and statement, place a numeral 1 in the box that best matches the stakeholder’s opinion. For example, if the stakeholder’s response for Benchmarking, trends and statistics, see Figure 3, is "Management worries about the cost of accidents and the company's position in the 'league tables'. Statistics report the immediate causes of accidents", the stakeholder would place a numeral 1 in the box directly below the statement. When responses have been provided for all questions the columns are summed and then multiplied by a weighting factor provided by the developers of the Hearts and Minds program. These products are then summed and the global weight is determined by the level identified in the applicable constructed scale.

Survey form row: Benchmarking, trends and statistics. Response options, each with a box below it for the stakeholder's mark:

- There is compliance with statutory HSE reporting but little more than that. Benchmarking is only on finance and production.
- Management worries about the cost of accidents and the companies' position in the 'league tables'. Statistics report the immediate causes of accidents.
- Benchmarking occurs on a wide variety of industry HSE data. Managers display lots of data publicly throughout the organization. There is focus on current problems that can be measured objectively and summarized using numbers.
- Benchmarking is against others in the same industry and is driven by management - "try to be the best in the industry". Look for leading indicators, analyze trends, understand them, and use them to adapt strategy. Explain findings to supervisors.
- Benchmark outside the industry, using both 'hard' (outcome) and 'soft' (process) measures. All levels of the organization are involved in identifying action points for improvement.

Calculation rows at the foot of the form (all 0 in the blank form): Column Sum, Weighting Factor, Weighted Column Sum, Score, Global Weight.

Figure 3 – Example: Safety Culture Survey Form Based on Hearts and Minds (Energy Institute, 2007)
During discussions following the initial workshop it became apparent that several criteria matched up well with already proven models, thus they were included in the HRRO model with no change in content but with some changes in format.

1. The criterion labeled safety culture is the Hearts and Minds safety program. The survey forms associated with this criterion were extracted from Hearts and Minds literature. The Hearts and Minds safety program was developed by Shell Exploration and Production in 2002 and is based upon research with leading universities since 1986 (Energy Institute, n.d.).
2. The criterion organizational learning, quality improvement, and flexibility is assessed by way of an organizational learning assessment tool developed by P. Kline and B. Saunders and described in Ten Steps to a Learning Organization (Kline & Saunders, 1998). According to Kline and Saunders, research began in October, 1985 in major U.S. companies including Kodak.
3. The criteria; analysis, solution design, implementation, testing & acceptance, and maintenance were derived directly from the Code of Practice for Business Continuity Management by the British Standards Institution (British Standards Institute, 2006).

These models became the survey forms associated with three criteria within the HRRO methodology. Survey forms for the remaining criteria were developed using knowledge gained from the first workshop and by reflection upon the author’s experiences during the development and operation of the prioritization methodology described in A Method for the efficient prioritization of infrastructure renewal projects (Karydas & Gifun, 2006) and the methodology described in Ranking the risks from multiple hazards in a small community (Li et al., 2009).

Summary sheet

At the end of the process opposite the constructed scales is the summary sheet.
The summary sheet accepts the results calculated by way of the survey forms and displays the corresponding aggregate score known as the HRRO index. Each survey form is linked to the summary sheet and weighted according to stakeholder input. Table 9 displays the summary sheet resulting from ratings by one assessor and shows rating for the criteria in terms of global weight and the HRRO index, i.e. the sum of all ratings. The ratings for each criterion are subtracted from the maximum possible for the criterion to determine the difference between that which is desired, maximum possible global weight, and that which exists, rated weight in terms of global weight, i.e. the larger the difference the greater the need for a mitigation activity that targets the criterion. The priority column in Table 9 reflects this logic and an explanation of the results is provided in §6.1.2.

HRRO Index: 36.90

| Criteria | Rated Weight in Terms of Global Weight | Maximum Possible Global Weight | Maximum Possible Weight − Rated Weight | Priority |
|---|---|---|---|---|
| Safety Culture | 9.4 | 18.7 | 9.3 | 2 |
| Organizational Learning, Quality Improvement, and Flexibility | 10.5 | 21 | 10.5 | 1 |
| Analysis | 1.0 | 4.1 | 3.1 | 9 |
| Solution Design | 3.3 | 6.6 | 3.3 | 8 |
| Implementation | 0.0 | 7.1 | 7.1 | 4 |
| Testing and Acceptance | 1.1 | 4.4 | 3.3 | 8 |
| Maintenance | 0.8 | 3.3 | 2.5 | 10 |
| Emergency / Incident Response and Business Recovery | 5.4 | 10.7 | 5.3 | 5 |
| Objectives and Strategic Direction | 2.4 | 9.7 | 7.3 | 3 |
| Policies, Rules, Regulations, and Operating Procedures | 0.5 | 2 | 1.5 | 11 |
| Decision-Making Process | 1.3 | 5.2 | 3.9 | 6 |
| Communication | 1.2 | 4.7 | 3.5 | 7 |
| Monetary & Non-Monetary Support | 0.0 | 2.5 | 2.5 | 10 |

Table 9 – Stakeholder Summary Sheet – Assessor A

4.5 Second workshop

A second workshop was held to critique the applicability and usefulness of the HRRO methodology by applying the methodology in a test environment using real organizations familiar to the stakeholders and to elicit comments regarding its use. Since stakeholders’ schedules prohibited a group session the author prepared each stakeholder individually.
The following describes the process undertaken; whereas, the results are provided in §6.1.2.

The HRRO methodology was tested by five people, two of whom participated in the initial workshop described earlier. To clearly distinguish stakeholders participating in the first workshop from those participating in the second workshop the latter will be referred to as assessors. These individuals are in positions where they would be among the people called upon to participate in assessing the level of HRRO-ness of their organizations. Each person was presented with a digital copy of the model and given instructions to complete the survey forms and to answer several questions. The assessors were asked to fill in responses in context of the entire organization, not just the assessor’s department, and reflect upon the resulting numerical index. While specific numerical indices are important to the assessor and future research, it is more important to the present research to learn whether the methodology could be useful to the assessor’s organization and whether the index reflected the assessor’s expectations, relatively. For example, if the assessor believes that the organization is deficient in many areas and the assessor rated the organization accordingly, the HRRO index should be low.

4.6 Chapter summary

This chapter described the process by which the HRRO methodology was developed. Two stakeholder workshops were employed. The first was used to achieve consensus on criteria definitions and weights presented in draft form while the second focused on achieving acceptance of the entire methodology as a legitimate means to determine an organization's level of vulnerability. Comments by the participants in the second workshop are provided in §6.1.2. In the next chapter applications of the HRRO methodology are discussed.

Chapter 5 Application of the Highly Reliable Resilient Organization methodology

The HRRO methodology provides the functionality to:

1.
Assess the vulnerability state of an organization regarding its prerequisite criteria,
2. Estimate the potential impact of a disturbance in terms of prerequisite organizational criteria,
3. Estimate the effect of a project or initiative under consideration to mitigate or eliminate vulnerability in terms of prerequisite organizational criteria and use the estimates to prioritize organizational improvement projects,
4. Estimate the effect of a project or initiative under consideration to mitigate or eliminate vulnerability in terms of disturbances, infrastructures, and physical assets and use the estimates for prioritization purposes, and;
5. Measure the success of all of the above

Each of these functions will be explained in greater detail within this chapter along with an explanation of the use of the methodology in instances where the cost of risk avoidance is included.

The output of the HRRO methodology is an index representing the stakeholder’s rating of the survey questions where lower relative indices reflect more vulnerability. In instances where multiple stakeholders are involved in the process each survey form response should be the result of deliberation amongst stakeholders and reflect consensus therefrom. This index can also function as the benefit term in the benefit-to-cost ratio in instances where the monetary and non-monetary aspects of a risk should be considered together for the purpose of avoiding a risk.

5.1 Application of processes

5.1.1 Baseline assessment

The assessment process is intended to determine the level of HRRO-ness of prerequisite organizational criteria at any time, preferably preemptively, i.e. before the realization of a disturbance, but it can be used correctively as well, i.e. following the realization of a disturbance. The purpose of such assessments is to determine a baseline level of HRRO-ness to which change can be compared. Figure 4 describes this process in the format of a flowchart.

1. Complete Checklists
2.
Determine HRRO Index via Checklists
3. Level of HRRO-ness
4. B

Figure 4 - HRRO Process Flowchart for Baseline Assessment Purposes

The steps are explained as follows:

1. Complete checklists: The stakeholder(s) fill in the checklists associated with each of the criteria shown on the HRRO hierarchical tree in Figure 1
2. Determine HRRO index via checklists: The checklist calculates an index based on the weights shown on the hierarchical tree and the responses made by the stakeholder(s)
3. Level of HRRO-ness: The result of Step 2. Relative high levels of HRRO are preferred over relative low levels
4. B: Connector to decision success measurement process

5.1.2 Estimate potential disturbance of prerequisite organizational criteria

To estimate the potential effect of a project or initiative intended to mitigate vulnerability associated with prerequisite organizational criteria stakeholders respond to the survey form questions as if the project or initiative had been implemented. This process is described in Figure 5 as follows.

1. Disturbances
2. Scenario Development
3. Complete Checklists
4. Determine HRRO Index via Checklists
5. Level of HRRO-ness Given Implementation
6. B

Figure 5 - HRRO Process Flowchart for Estimating Effect of Potential Disturbance of Prerequisite Organizational Criteria

The steps are explained as follows:

1. Disturbances: Identify credible potential disturbances and risks to the prerequisite organizational criteria
2. Scenario development: Develop and describe scenarios using credible disturbances
3. Complete checklists: The stakeholder(s) fill in the checklists associated with each of the criteria shown on the HRRO hierarchical tree in Figure 1 in context of each scenario
4. Determine HRRO index via checklists: The checklist calculates an index based on the weights shown on the hierarchical tree and the responses made by the stakeholder(s)
5.
Level of HRRO-ness given implementation: The result of Step 5 where relative high levels of HRRO are preferred over relative low levels
6. B: Connector to decision success measurement process

5.1.3 Prioritization of projects or initiatives to mitigate the potential disturbance of prerequisite organizational criteria

The HRRO methodology provides the means for prioritization where the prioritization process is intended to aid decision makers with the task of selecting organizational improvement projects for funding and implementation by using the criteria shown in Figure 1, to determine the benefits that could be realized by implementing such projects or initiatives and to bring into consideration the cost to do so. Refer to Figure 6 and the explanation of the steps that comprise the process that immediately follows.

Figure 6 - HRRO Process Flowchart for Organizational Improvement Prioritization Purposes

1. Scenario development: Develop and describe scenarios using credible disturbances associated with prerequisite organizational criteria, i.e. organizational improvement projects or initiatives as identified by baseline assessments
2. Develop organizational improvement projects (scope & cost): Using the results of baseline assessments and the scenarios developed in Step 1 identify where in the organization vulnerability is unacceptable and develop organizational improvement projects and initiatives to eliminate or mitigate such vulnerabilities. Develop project scope statements and estimates
3. Identicalness of benefits: Benefits associated with projects are similar, e.g. the selection of an accounting system out of several accounting system alternatives (benefit is accurate and timely financial information) or the benefits are dissimilar, e.g. different projects under selection consideration such as an accounting system versus a risk identification and assessment methodology
4. For projects with similar benefits:
   a.
Determine life-cycle cost of each alternative: Use established methods to calculate life-cycle cost
   b. Select alternative with lowest life-cycle cost: Self-explanatory; however, selection could be modified by decision makers
   c. Determine HRRO index selected alternative: Determine the HRRO index of the selected alternative if not already known
5. For projects with dissimilar benefits:
   a. Determine life-cycle cost: Determine life-cycle costs for each project or initiative under consideration
   b. Determine HRRO index all alternatives with dissimilar benefits: Determine HRRO index of each alternative among those with dissimilar benefits
6. Calculate benefit-to-cost ratio: Calculate benefit-to-cost ratio (BCR) for each organizational improvement project or initiative using HRRO index in numerator and life-cycle cost in denominator. With all else equal, including results of deliberation, projects or initiatives with higher BCRs should be selected and funded ahead of those with lower BCRs as they represent the elimination or mitigation of more vulnerability at a relatively lower cost. Refer to §5.2
7. A: Connector to balance of process
8. Preliminary prioritized list: List of organizational improvement projects or initiatives in descending order of benefit-to-cost ratio
9. Deliberation & prioritization: Discussion among stakeholders regarding preliminary list and any required adjustments
10. Prioritized list: List of projects in order established in Step 8
11. Implementation: Funding and actual installation of projects or launch of initiatives according to established priority
12. Determine HRRO index as implemented: Calculate HRRO index taking into consideration scope and effect of implemented projects
13. Level of HRRO-ness following implementation: The result of Step 12
14.
B: Output to decision success measurement process

5.1.4 Estimate potential disturbance or impact to infrastructures and physical assets

The methodology needed to estimate the potential effect of a project or initiative intended to mitigate vulnerabilities associated with infrastructures, physical assets, and disturbances not related to prerequisite organizational criteria is similar, but not identical to, the methodology needed to estimate effects on prerequisite organizational criteria. The criteria in this instance include impact on people and environment, facility condition, external image, and interruption of operation, thus the criteria in the HRRO methodology do not apply. For more background information regarding this process please refer to the explanation related to MIT at DRU in Appendix B and A Method for the efficient prioritization of infrastructure renewal projects by Karydas and Gifun (Karydas & Gifun, 2006).

5.1.5 Prioritize projects or initiatives intended to mitigate vulnerabilities associated with infrastructures, physical assets, and disturbances not related to prerequisite organizational criteria

Prioritization of disturbance elimination and mitigation projects addressing physical assets such as buildings and utility distribution systems should be evaluated and rated according to the process described by Karydas and Gifun in A Method for the Efficient Prioritization of Infrastructure Renewal Projects (Karydas & Gifun, 2006). In this instance the criteria of the hierarchical tree address potential impacts on people, death or injury, impact on the environment, loss of cost savings, intellectual property damage, physical property damage, interruption time, complexity of contingencies, impact on external and internal image, and programs affected by the project should the project not be implemented. This process is shown in Figure 7 and is explained in the steps that immediately follow.
Figure 7 - Disturbance Elimination and Mitigation Project Prioritization Process (Karydas & Gifun, 2006)

1. Potential projects: Represents the many sources of projects for funding and implementation consideration
2. Initial sorting: A pre-screening process to increase effectiveness and efficiency and minimize implementation delays by sorting projects into groups such as those that must be implemented, those that should not be implemented, those of low cost that are better handled within day-to-day operational entities, and those that should be prioritized according to the methodology
3. Must do: Projects with compelling reasons for implementation without regard for rank determined by prioritization process, e.g. a leadership directive, a major safety problem, or a regulatory edict
4. Priority verification: If projects identified by Step 3 are believed to divert resources from higher risk projects then rating these projects according to the prioritization process could be useful in deliberations about potential risk to the organization with those promoting projects identified by Step 3
5. Low cost items: Projects small enough in cost to be undertaken directly by the organization’s operational entity, e.g. maintenance personnel
6. Must not do: Projects with compelling reasons not to be implemented, e.g. a project in a building slated for demolition
7. Prioritization methodology: Determination of performance indices for each project based upon assessor ratings and the hierarchy described in Karydas and Gifun (Karydas & Gifun, 2006)
8. Initial list: A list of projects prioritized according to each project’s performance index
9. Validate: Deliberation process undertaken by assessors to validate or modify the initial list
10. Final list: Prioritized project list approved for implementation
11.
Implementation: Funding and physical installation of projects according to priority established in Step 10

5.1.6 Implementation Decision Success Measurement Process

The success of vulnerability elimination and mitigation decisions can be determined by assessing the organization following the implementation of a project or initiative and comparing the result to the assessment made before implementation. That is, if the result from subtracting the HRRO index post implementation from the HRRO index prior to implementation yields a positive number vulnerability had been lessened. However, if the difference is negative vulnerability had been increased.

A rough measure of economic effectiveness, actual or speculative, in context of organizational sustainability regarding an organizational improvement decision can be determined by the ratio shown in equation 1.

$$OS = \frac{\sum_{t=0}^{T} F_t}{\sum_{t=0}^{T} P_t} \qquad \text{(Eq. 1)}$$

where:

- $OS$ = level of organizational sustainability,
- $F_t$ = net profit in period t following implementation of mitigation projects or initiatives, and
- $P_t$ = net profit in period t prior to implementation of mitigation projects or initiatives.
- $T$ = Duration of period t.

The sustainability of an organization that implements organizational improvement projects can be measured by the degree the risk avoided by implementation of the project affects the net profit (net assets) of the organization. Thus the sum of improvement efforts undertaken by an organization in a given time period enable it to sustain itself, if in the same time period, the ratio of net profit following implementation over net profit prior to implementation equals or exceeds 1 or does not sustain itself if the ratio is less than 1.

5.2 Prioritization: benefit-to-cost

The HRRO methodology can be used to prioritize potential mitigation projects and initiatives preemptively by way of the HRRO index alone where the resulting index is determined by speculation, i.e.
by way of ratings given that the project or initiative is in place (Karydas & Gifun, 2006). Therefore, the larger the index the more benefit to be derived. However, the HRRO methodology is intended to aid decision makers with the task of selecting organizational vulnerability elimination or mitigation projects for funding and implementation by determining the benefits that could be realized by implementing such projects or initiatives and to bring into consideration the cost to do so, i.e. the cost of risk avoidance. The process enables the organization to make effective prioritization decisions that include the monetary and non-monetary aspects of each over the life-cycle of the project or initiative in a single benefit-to-cost ratio (BCR).

In this methodology the benefit term of the BCR is the HRRO index determined for the life-cycle of the benefit while the cost term is the life-cycle cost of the project or initiative. The ratio of HRRO index, life-cycle over the life-cycle cost includes a variation of the traditional benefit-to-cost ratio (ASTM International, 2002) as provided by the AHP (Saaty, 1980). BCRs inform the deliberations regarding selection and funding as they place all items under consideration in similar terms. In this instance, all other aspects including results of deliberation equal, projects or initiatives with higher BCRs should be selected and funded ahead of those with lower BCRs as they represent the elimination or mitigation of more vulnerability at a relatively lower cost. Since the use of BCR and its variations are well known in practice and in the literature a more detailed explanation is not given nor was such functionality tested during stakeholder workshops.

5.3 Chapter summary

Chapter 5 describes the several ways the HRRO methodology can be applied to organizational situations regarding vulnerability and risk avoidance by way of a systematic approach.
The HRRO methodology produces a numerical index that enables the organization to:

1. Assess vulnerability preemptively by way of scenarios, in terms of prerequisite criteria, as a way to determine the proposed effect of a disturbance or the implementation of a proposed mitigation project or initiative under consideration,
2. Assess the vulnerability of organizational prerequisite criteria correctively, i.e. post impact to determine its effect on the organization,
3. Prioritize proposed vulnerability mitigation projects or initiatives, organizational improvement and physical asset, using criteria determined by the organization’s stakeholders, and;
4. Include the cost of risk avoidance with non-monetary criteria in benefit-to-cost analyses

Validation of the HRRO methodology remains to be proven; however, it will be addressed in Chapter 6.

Chapter 6 Analysis and Reflection

The intent of this chapter is to describe the validation processes undertaken during this research and the author’s assessment of the research process.

6.1 Validity

To validate the research done within the scope of this paper the following were undertaken.

1. An examination of the models from which the HRRO methodology is derived, i.e. validation by way of valid parts
2. Validation of the HRRO methodology by way of stakeholder feedback during workshops
3. The retrospective application of the HRRO methodology in two case studies
4. Comparison of the HRRO model to a well validated risk quality benchmarking algorithm

6.1.1 Validation: by way of valid parts

The HRRO methodology evolved from nine proven organizational models. Eight of the models; High Reliability Organization, the Disaster Resistant University, the Resilient Enterprise, Enterprise Risk Management, Risk-Based Process Safety, Reactor Oversight Process, Hearts and Minds, and Business Continuity Planning have been in use for many years thus considered valid.
DRU at MIT, one of the nine models, was validated by way of a deliberative process with a diverse group of 50 stakeholders; consisting of members of the academy; administrative staff; engineers, students, environment, health, and safety professionals, and police. Revisions were made in response to feedback received during the many workshops. DRU at MIT was presented to members of the senior administration and accepted. While the model used in DRU at MIT is different than that used in the HRRO model (they are used for different purposes) they are based upon fundamental research by Weil and Apostolakis (Weil & Apostolakis, 2001) that had been adapted to and tested over several years. That is, DRU at MIT is an adaptation by Apostolakis and Lemon (Apostolakis & Lemon, 2005) of the research undertaken initially by Weil and Apostolakis and subsequently adapted by Karydas and Gifun (Karydas & Gifun, 2006).

Within the DRU at MIT model and the HRRO methodology are prioritization methodologies based on work that has been in use for several years by the author to prioritize infrastructure renewal projects; to date 353 projects have been prioritized. A detailed explanation of the implementation of the prioritization methodology is provided in Appendix H.

6.1.2 Validation: stakeholder feedback

The summary sheet, as shown in Table 9, serves two purposes: 1) it displays the HRRO index and the portion of the global weight contributed thereto by each criterion and 2) it displays the difference between the global weights resulting from the assessment and their corresponding maximum weights. Thus, the summary sheet provides a ranking of criteria in order of greatest need for improvement.
In the example shown in Table 9 the criterion Organizational Learning, Quality Improvement, and Flexibility exhibits the larger difference and is therefore given first priority, as the organization will benefit most by implementing projects or initiatives that target organizational learning, quality improvement, and flexibility activities.

In most organizations multiple stakeholders will participate in the rating and prioritization process where deliberation is recommended to resolve differences between stakeholder ratings. Table 10 shows the prioritized order of improvement opportunities for each assessor according to the criteria, i.e. one of the results of the second workshop. Assessor responses and calculated priorities are shown in Appendix E. Since the goal of the workshop was to verify the HRRO methodology a final prioritized list of areas that could benefit from improvement opportunities was not a necessary result for this research. Therefore, stakeholder deliberation was not undertaken.

For reasons of confidentiality, neither the names of the organizations, the type of industry in which they compete, their location and geographical area, nor the names and affiliations of the assessors will be disclosed. Assessors B, C, D, and E are from the same organization, where Assessors C, D, and E are from the same department. Assessor A is from a different organization but within the same industry as represented by B, C, D, and E. Both organizations are very successful.
Priority by Assessor

Criteria:
Safety Culture
Organizational Learning, Quality Improvement, and Flexibility
Analysis
Solution Design
Implementation
Testing and Acceptance
Maintenance
Emergency / Incident Response and Business Recovery
Objectives and Strategic Direction
Policies, Rules, Regulations, and Operating Procedures
Decision-Making Process
Communication
Monetary & Non-Monetary Support

A 2 B 3 C 5 D 5 E 3 1 9 8 4 8 10 1 7 6 2 8 10 1 7 6 2 8 11 1 7 8 3 6 9 1 8 6 2 7 11 5 3 5 4 3 4 4 2 4 5 11 6 7 10 12 8 9 11 13 9 10 12 11 8 9 10 13 9 10 12

Table 10 – Prioritized Criteria Improvement Opportunities from Second Workshop (without deliberation)

Even without the benefit of deliberation Table 10 shows by way of the range of the priority reported for each criterion by each assessor that several levels of consistency across the two organizations and among Assessors B – E exist. The evidence suggests that had a full deliberation process been undertaken higher levels of consistency would have been achieved. The purpose of Table 10 in practice is to show areas where improvement opportunities can be targeted; thus, the organization represented by Assessors B, C, D, and E and the organization represented by Assessor A would benefit from implementing organizational improvement projects and initiatives in the area of organizational learning, quality improvement and flexibility.

The majority of the assessors stated that the resulting HRRO index matched their expectations of their organizations. Equally important the assessors provided valuable information regarding their experiences with the HRRO model by way of written responses to questions, written comments, and comments offered during follow-up conversations. The following are the questions asked of the assessors.

• How well did the resulting index match your expectations, i.e. how well does it reflect your impression of the organization?
• Were there any criteria that you believe were missing? If yes, please identify those that you feel should be added?
• Were there any criteria that you believe were superfluous? If yes please identify those that you believe are unnecessary?
• Would you like to make other changes to the survey forms including text? If yes, please identify the changes?
• Are there any additional comments you would like to offer? If yes, what are they?

A compilation of assessor responses offered during conversations with each assessor is provided in Appendix I.

Assessor A provided affirmative feedback but most interesting though is the feedback offered by Assessors B, C, D, and E as they are employees of the same organization.

Assessor B, by way of the responses shown, e.g. “Some responses didn’t in my mind match [reserved to ensure anonymity] practices and I was not convinced that the answer I chose in default was an accurate reflection of how things are done,” could be considered unqualified to evaluate the assessor’s entire organization. However, in the author’s opinion the assessor’s position belies such a conclusion. That is, Assessor B would be one of the individuals whose day-to-day responsibilities would require participation. Therefore, the author speculates that Assessor B is either uncomfortable with the use of decision support models or not accepting of the attribute weights and definitions provided in the HRRO model as presented. Therefore, this assessor’s comfort and ability to use the HRRO model would be greatly enhanced by learning more about the principles upon which the model is founded and by participating in the customization of the model for Assessor B’s organization.

Assessor C responded to all survey questions and several of the most interesting responses are provided as follows.

1) Assessor C expressed regret in not participating in the weighting exercises undertaken during the first workshop as such participation would have been a useful means to calibrate responses.
2) There is a need to customize the language of the survey instrument to match the vocabulary used in the organization being surveyed.
3) A fundamental question about who in an organization is qualified to complete the survey forms.

In the author’s opinion the persons in an organization qualified to fill out the survey forms are those responsible for risk management and similar functions.

Assessor D provided affirmative feedback.

Assessor E provided thoughtful and detailed comments including the redundancy of several attributes and the desire to include additional attributes. Referring to the survey forms there is a conflict between Safety Culture, G Calculative, i.e. there is some on-the-job transfer of training to other workers and in Organizational Learning, Quality Improvement, and Flexibility, 10, i.e. there are formal and informal structures designed to encourage people to share what they learn with their peers and the rest of the organization and 19, i.e. cross-functional learning opportunities are expected and organized on a regular basis, so that people understand the functions of others whose jobs are different, but of related importance. That is, sharing of knowledge acquired during training could be counted in both Safety Culture and Organizational Learning, Quality Improvement, and Flexibility; thus the author should revise the text associated with Safety Culture. However, the text from organizational learning will remain as written because one focuses on organizational structure while the other focuses on the development and implementation of opportunities. The text should be revised to explain the difference.

Assessor E further states the need to include succession planning as an attribute; however, the author believes that it would fit better within Emergency Incident / Response and Business Continuity. Revisions should be made accordingly.
The author does not agree with Assessor E’s comment made about the redundancy of attributes regarding training resources, i.e. “I found some attributes to be slightly redundant, for example cross-training and devotion to resources for training.”

1) Because in Safety Culture G the text referring to how money is made available for training following an incident refers to the quality of the organization in that it does not fund things unless required or it feels the need to do so because of due diligence.
2) In Organizational Learning, Quality Improvement, and Flexibility, 28 measures the provision of encouragement and resources for people to become self directed learners while 30 refers to overall organizational strategy and demonstrated support for a learning program.

Assessor E also indicates the need for adding attributes that measure employee understanding of their role in building organizational resilience and how managers communicate these expectations. The essence of this comment is already within the Governance branch of the hierarchical tree; however, minor revision to the text is required to make it clear. Also Assessor E poses the need for including financial planning elements that include contingency plans and vulnerability to supply and service chains and like the previous comment the existing model already captures the intent. Minor revisions are required to the text associated with the attributes Emergency Incident / Response and Business Continuity and Analysis.

The shareholder comment is fundamental to this dissertation; explicit and demonstrative shareholder and leadership involvement and responsibility in the area of organizational vulnerability. As Assessor E suggests organization leaders and shareholders should be asked directly their opinion whether or not the HRRO index matches their expectations and reflects their impressions of the organization.

The following is a summary of the main themes derived from the comments.
• The instructions given to stakeholders should clearly indicate the boundaries of the organization under evaluation, such as the entire organization or the stakeholder’s department
• Stakeholders should participate in the weighting of the criteria and the development of the constructed scales. This provides one with in-depth knowledge of the weights and the definitions of attributes and constructed scale levels and enables the stakeholder to accept the results
• The vocabulary used in the forms should be customizable to fit a specific organization
• The criteria provided in the HRRO model were considered appropriate; however some revision should be considered

6.1.3 Validation: case studies

Two case studies were used to validate the HRRO model retrospectively that also provide examples of applicability for the HRRO methodology. The HRRO criteria are compared to recommendations provided in reports written by others of relevant and external events to determine whether the HRRO model could have predicted the recommendations. The comparison process begins with 1) the recommendation offered by the report, 2) the selection of the HRRO criterion and HRRO survey form question that best matches the intent of the recommendation, and 3) the means, including relevant standards and checklists, by which the recommendation could have been predicted from deliberations amongst stakeholders using the HRRO methodology.

In practice the HRRO methodology will be used preemptively and when doing so the following steps should be followed; 1) rate the criteria by responding to the survey questions and 2) develop actionable recommendations by way of deliberation and the use of relevant checklists, guidelines, standards such as Guidelines for Risk-Based Process Safety by the Center for Chemical Process Safety (Center for Chemical Process Safety, 2007) for criteria related to chemical processes, and industry-proven review processes.
The guidelines and standards could be different for different industries; therefore, more applicable guidelines should be substituted where necessary.

The first case study has to do with a process accident that occurred on March 23, 2005 at the BP refinery in Texas City, Texas in the United States of America while the second has to do with a high-rise building fire that occurred on May 13, 2008 at Delft University of Technology in The Netherlands.

Catastrophic process accident at BP Texas City refinery on March 23, 2005

The Baker Panel was formed following the accident of March 23, 2005 in response to a recommendation by the U.S. Chemical Safety and Hazard Investigation Board that conducted a thorough review of the company’s corporate safety culture, safety management systems, and corporate safety oversight at its U.S. refineries (Baker et al., 2007). This case study will focus on the recommendations of the Baker Panel and not specifically on the elements of the accident. A brief account of the event follows.

On March 23, 2005, at 1:20 p.m., the BP Texas City Refinery suffered one of the worst industrial disasters in recent U.S. history. Explosions and fires killed 15 people and injured another 180, alarmed the community, and resulted in financial losses exceeding $1.5 billion. The incident occurred during the startup of a process unit when a tower was overfilled; pressure relief devices opened, resulting in a flammable liquid geyser from a stack that was not equipped with a flare to burn it off. The release of flammables led to an explosion and fire. All of the fatalities occurred in or near office trailers located close to the unit. A shelter-in-place order was issued that required 43,000 people in the vicinity of the refinery to remain indoors. Houses were damaged as far away as three-quarters of a mile from the refinery (U.S. Chemical Safety and Hazard Investigation Board, 2007).
Table 11 shows a sample version of the recommendations of the Baker Panel alongside applicable elements within the HRRO model and the means by which BP could have predicted the recommendation preemptively.

Recommendations of Baker Panel: Process Safety Leadership: The Board of Directors of BP, BP’s executive management, and other members of BP’s corporate management must provide effective leadership on and establish appropriate goals for process safety.
HRRO Criteria and Survey Form Questions that Best Match Recommendation (letters or numerals in parentheses that follow criteria refer to applicable survey form questions): Objectives and strategic direction (1)
Suggested means by which recommendation could have resulted from HRRO methodology: Process safety culture, criterion with applicable performance measures within the risk-based process safety model (Center for Chemical Process Safety, 2007)

Table 11 – Comparison of Recommendations of Baker Panel Report (Baker et al., 2007) and HRRO (Sample)

The complete version of Table 11 is located in Appendix J and shows fourteen recommendations each of which match specific HRRO criteria and survey form questions. The Baker Panel Report provides recommendations that matched nine of the thirteen HRRO criteria at the performance measure level, refer to Figure 1. Four of the nine HRRO criteria were matched twice and one recommendation matched that which would be the potential benefit of the entire HRRO methodology when implemented, i.e. transform BP into a recognized leader in process safety management. The Baker Panel Report did not provide recommendations that specifically match the performance measures Organizational Learning, Quality Improvement, and Flexibility; Analysis; Decision-Making Process; and Communication.

High-rise building fire at Delft University of Technology on May 13, 2008

Three reports were reviewed, i.e. reports by the COT Institute for Security and Crisis Management, Ernst & Young, and Interseco LTD.
Reports by the COT Institute and Ernst & Young were compared to applicable elements within the HRRO model that could have been used by TU Delft to preemptively originate and implement the recommendations made in each report. The report by Interseco LTD, coordinated by D. Bakker, does not offer recommendations but provided considerable background information. A brief account of the building fire event follows.

On May 13, 2008 a fire occurred in an academic building that was caused by a short circuit in a coffee machine due to the intrusion of water caused by the failure of a poorly soldered water pipe fitting. As the pipe fitting failure occurred during the long holiday weekend that included Monday May 12th, 2008; flooding was extensive. Prior to the fire building maintenance personnel discovered the flooding and removed electric plugs from wall outlets in affected areas to protect equipment. However, the plug to a coffee machine on the sixth floor was not removed because the machine was too heavy to move, thus not accessible. Eventually a sufficient volume of water flowed into the machine and caused the short circuit that led to the fire. The building was served by an internal fire hose system and firefighters found insufficient water pressure because pressurization pumps were turned off and a valve from a hydrant repair a few weeks earlier was not re-opened. When the problem was discovered air within the pipes prevented the full flow of water. In the time required to release the trapped air and provide water to the firefighters the fire had intensified and in fear of their safety the firefighters were recalled from the building. A portion of the building collapsed later in the day and eventually it was razed. The building was a total loss and much of the contents were destroyed (Bakker, 2009; Berg van den, 2008; Delft University of Technology, Marketing & Communication, 2008; Ernst & Young, 2009; Zannoni, Bos, Engel, & Rosenthal, 2008).
The property loss was €118.5 million (Delft University of Technology, Marketing & Communication, 2009).

The COT Institute for Security and Crisis Management report entitled Fire at Architecture: Evaluation of the Crisis Control and Licensing Around the Devastating Fire at the Faculty of Architecture at TU Delft (Zannoni et al., 2008) was commissioned by the Delft municipality and focused on municipal emergency responders external to TU Delft. Table 12 shows a sample version of the recommendations of the COT Institute alongside applicable elements within the HRRO model and the means by which TU Delft could have predicted the recommendation preemptively.

Recommendations of COT Institute Report: Develop clear plans for large fire safety improvement projects that also include phasing and monitoring
HRRO Criteria and Survey Form Questions that Best Match Recommendation (letters or numerals in parentheses that follow criteria refer to applicable survey form questions): Solution design (1)
Suggested means by which recommendation could have resulted from HRRO methodology: Property loss prevention data sheet (FM Global, 2009a): 10-1 Pre-incident planning with the public fire service

Table 12 – Comparison of Recommendations of COT Institute for Security and Crisis Management (Zannoni et al., 2008) and HRRO (Sample)

The complete version of Table 12 is located in Appendix K and shows nine recommendations, each of which matches specific HRRO criteria and survey form questions. The COT Institute Report provides recommendations that matched three of the thirteen criteria at the performance measure level, i.e. Analysis (once), Solution Design (once), and Emergency / Incident Response & Business Recovery (seven times).
The Ernst & Young report, Evaluation Report: Crisis Management During Fire May 13, 2008 (Ernst & Young, 2009) was commissioned by Delft University of Technology and GAB Robins, a provider of risk and claims management services and solutions to the insurance and self-insured marketplace, for the purpose of fact finding. Table 13 shows a sample version of the recommendations of Ernst & Young alongside applicable elements within the HRRO model and the means by which TU Delft could have come up with the recommendation preemptively. The complete version is located in Appendix L and shows six recommendations, each of which matches specific HRRO criteria and survey form questions. The Ernst & Young Report provides recommendations that match two of the thirteen criteria at the performance measure level, i.e. Analysis (once) and Emergency / Incident Response & Business Recovery (five times).

Recommendations of Ernst & Young Report: Scenario-based training at the strategic level of the organization: From the learning gained from the fire develop and implement scenario-based training that engages the strategic level of the organization and incorporates worst case scenarios that include serious injury and death of occupants
HRRO Criteria and Survey Form Questions that Best Match Recommendation (letters or numerals in parentheses that follow criteria refer to applicable survey form questions): Emergency / incident response and business recovery (2)
Suggested means by which recommendation could have resulted from HRRO methodology: Property loss prevention data sheet (FM Global, 2009a): 10-2 Emergency Response

Table 13 – Comparison of Recommendations of Ernst & Young (Ernst & Young, 2009) and HRRO (Sample)

Conclusions from both case studies

From the complete comparison of recommendations for both case studies one can see that the HRRO methodology can predict recommendations consistent with the Baker Panel report with regard to the explosion at the BP refinery and the COT Institute and Ernst & Young reports for the fire at the university in Delft. A shortcoming associated with the TU Delft case study is that the COT Institute and Ernst & Young recommendations narrowly target fire prevention and response activities and crisis management while the Baker Panel recommendations broadly focus on organizational issues that could have prevented the incident from occurring. Thus the TU Delft case study validates a part of the HRRO methodology while the BP case study provides a greater level of validation. This result indicates that the HRRO methodology should be applied broadly to an organization, as it was designed, and can be applied generally in similar applications; however, the methodology should be customized for each application by the stakeholders associated with the application.

6.1.4 Validation: comparison to an independent risk quality benchmarking algorithm

Assessors B, C, D, and E work within the same organization and since the score based on a well validated widely-used location risk quality benchmarking algorithm model is known for this organization, a comparison to the stakeholder’s HRRO index is warranted. The algorithm is modeled on loss prevention engineering standards and experience gained over 175 years.
Its scores directly correlate to loss frequency and severity and can be used for prioritizing and budgeting risk improvement opportunities. It uses a 100-point risk quality scale; where high scores represent well-managed risks with a lower probability of loss and low scores represent risks with a higher probability of loss. On average the low scores represent losses that are eight times larger and occur four times more often than losses associated with high scores. The score produced by the algorithm is apportioned as follows: 36% for fire and equipment hazards, 30% for natural hazards, 19% for human element and other factors, and 15% for inherent occupancy hazards. The score includes a measure of both inherent risk (that cannot be changed), e.g. local climate, as well as risks that can be lessened by implementing improvement recommendations, e.g. repair of a roof (FM Global, 2008; FM Global, 2009b).

The initial indices offered by Stakeholders B, C, D, and E were 53.4, 53.5, 50.6, and 70.4 respectively and the organization’s risk quality algorithm-based score was 52 (footnote 2). Direct comparison should not be undertaken because Stakeholders B, C, D, and E did not achieve consensus on a single index as the complete deliberation process was not done, i.e. it was not part of the stakeholders’ original scope of work. Also, statistical analyses regarding the reliability of the stakeholders’ ratings are not necessary because two of the fundamental principles embedded in the HRRO methodology are multi-attribute utility theory (MAUT) and the analytic-deliberative process. Through the use of MAUT stakeholders establish their alignment with each other by way of consensus on the attributes, i.e. their definitions and relative weights. In instances where there may be a difference in opinion the deliberation process is triggered. In the end, by way of consensus among the stakeholders a single reliable rating is produced.
Given the initial results one could predict that consensus would produce an index in the low to mid 50s. Although inconclusive at this time further exploration of the alignment of the HRRO methodology and the risk quality benchmarking algorithm model is warranted. However, as enticing as it may be it is premature to draw broad conclusions regarding alignment or use the risk quality benchmarking algorithm as sole means to support the validity of the HRRO methodology.

Footnote 2: The organization’s actual 2009 score of 41 was adjusted proportionally to 52 on a scale where 100 is the highest achievable score so that both can be compared properly.

6.2 Reflection

Looking back at the quality of the research in terms of the person who performs the research and the decisions made during the research process provides commentary on the usefulness and validity of the work. While the author believes that this reflection supports the validity of this research and that the result is useful to organizations it is the reader who will finally decide. During the term of the research many decisions were made and the theoretical, practical, and personal implications of the major decisions are as follows.

The author’s primary criticism of this research is that the sample size was small and not all of the functions of the methodology were tested with stakeholders in at least long duration exercises that mimicked real organizations. To achieve the most convincing results the stakeholders should have actually worked completely through the methodology from defining and weighting criteria to measuring the success of implementation decisions. While it is easy to conclude that one should involve an organization in many months of work in order to get the research right, the practical implications of doing so were enormous. The stakeholders, while interested in the present research, simply could not give more time than they did in order to create a customized model for their organizations.
The author empathizes with the stakeholders because during the development of the prioritization functionality in which the author was involved much was asked of and given by the stakeholders and they were fully engaged participants looking for a way to improve project prioritization and funding decisions (Karydas & Gifun, 2006). That said, the results of this research are useful and valid as most of the components of the methodology have been tested extensively albeit external to this research; particularly the application of the analytic-deliberative process, MAUT, AHP, and the prioritization and benefit-to-cost functions. In the author’s opinion the only aspect of the methodology that has not benefited from broad use over many years is the combination of these components, the contribution of this research. Therefore, the benefit to be gained by a protracted experiment notwithstanding, the author decided that the stakeholders should be subject to only as much work as to prove the value of the methodology.

The draft approach used to prompt reaction during workshops provided efficiency over creating the material with the stakeholders starting with the very first word. In this instance the stakeholders reacted favorably as they appreciated the value of the time saved. While the author did not experience any difficulties with this approach one should recognize that some organizations or people may not react as favorably as they could feel that a preconceived solution was being forced.

In this research AHP was used only for its calculating functionality pertaining to pairwise comparisons for criteria weighting. While AHP is a versatile decision support system MAUT was used to provide the fundamental structure of the HRRO methodology. The reason is twofold: 1) the author is familiar with MAUT in real applications and 2) the use of MAUT avoids the criticism directed to AHP as a decision support system and in turn the HRRO methodology.
Among these criticisms is that the introduction of new alternatives can reverse the rank of existing alternatives and that weights are elicited in AHP without reference to the scales on which the criteria are measured (Goodwin & Wright, 2000). While careful attention during the methodology development process can forestall or lessen the impact of the problems on which the criticisms are founded, avoidance was preferred.

In all workshop instances where new criteria were introduced or where revisions were made such changes were verified against the principles of MAUT regarding the desirable properties of the set of criteria (attributes).

• Completeness: the number of criteria are sufficient to adequately indicate the degree to which the overall objective is met,
• Operational: the set of criteria must be conclusive so that they help the decision maker choose the best course of action,
• Decomposable: to reduce the inherent difficulties associated with complexity the criteria can be broken down into smaller parts if necessary but not so far as to diminish their importance
• Nonredundancy: the criteria should be defined to avoid the potential for double counting, and
• Minimum size: the set of criteria should be as small as possible to be efficient (Keeney & Raiffa, 1993).

As expected, the literature review process undertaken throughout this research proved to be invaluable as the information acquired thereby grounded the research by way of the successes and failures of others. Unexpectedly though, the literature review process was one of the author’s most valuable experiences personally as it provided information and the means to acquire information that was directly transferable to the author’s current professional activities.
6.3 Chapter Summary

The validity of the HRRO methodology, the primary subject of this chapter, was proven by way of a discussion of the validity of its component parts, stakeholder feedback provided during workshops, and a retrospective application of the methodology in two case studies. A comparison was made to a well validated risk quality benchmarking algorithm but the results were inconclusive. Also, the author provided a brief personal commentary on the research process that highlights several strong aspects of the research experience and several shortcomings.

Chapter 7 Conclusions and Recommendations

This chapter concludes this dissertation by providing the reader with responses to the underlying research questions introduced at the beginning. It also provides a recapitulation of the applicability of the HRRO methodology and a list of research opportunities discovered during the term of this dissertation that, because of reasons such as time limitations and scope constraints, were left undone.

7.1 Conclusions

This dissertation describes the development, design, and initial validation of a methodology, the Highly Reliable Resilient Organization, which provides organizations the ability to sustain their core functions by knowing their vulnerabilities to credible risks and taking measures to eliminate, or if elimination is not possible or necessary, mitigate such risks. This methodology is an analytic-deliberative process based on the principles of multi-attribute utility theory that gives organization decision makers the means to assess risks and prioritize solutions. Thus, it provides the means to determine the status of organizational vulnerability and the ability to rank potential risk elimination and mitigation measures using organizational values and costs. The methodology is an integration of the criteria common to nine organizational models and stakeholders; these are therefore considered prerequisite criteria for a generic organization.
7.1.1 Response to research question 1

The HRRO methodology addresses the primary purpose of this research: the development of the means for an organization to systematically identify and assess and either eliminate or mitigate vulnerability by way of prerequisite organizational factors and cost. Much attention was given to identifying and evaluating existing organizational models for the purpose of incorporating an already known entity into the process. While all of the nine models are valid within the conditions for which they were designed none were applicable to a generic organization without considerable modification; thus the motivation to develop the HRRO methodology.

The HRRO methodology leverages the benefits of a consensus-based analytic-deliberative decision-support process. It incorporates both monetary and non-monetary factors into decisions regarding organizational prerequisites that in turn position the organization to make effective vulnerability elimination and mitigation decisions.

7.1.2 Response to research question 2

The HRRO methodology provides the means for an organization to prioritize vulnerability mitigation or elimination projects or initiatives. The methodology provides a dimensionless performance index based upon stakeholder’s responses to checklists relevant to criteria related to organizational values. This index is a summary score representing expected benefits associated with removing or mitigating organizational vulnerability and in most instances will be used in combination with the cost required to remove or mitigate the vulnerability in a benefit-to-cost ratio. In these instances benefits and costs are determined over the life-cycle of the project or initiative that is being considered.
Since this aspect of the methodology is preemptive and speculative relatively larger values of benefit-to cost are preferred as they represent the elimination or mitigation of more vulnerability at a relatively lower cost than opportunities with relatively smaller benefit-to-cost ratios 7.1.3 The HRRO methodology as a solution The HRRO methodology provides the organization with a solution. A consistent, systematic, and customizable methodology that enables the organization to determine whether and to what degree organizational structure enables the organization to effectively anticipate, resist, and recover from system disturbances, to assess vulnerability; to compare relatively projects, initiatives, and other opportunities in context of a pre-established set of organizational objectives; and to prioritize the implementation of such projects, initiatives, and opportunities. A major benefit of the HRRO methodology is that one overarching methodology is used for all of the applications resulting from this research whether it is to assess organizational vulnerability, determine the benefit-to-cost ratio for initiatives and projects where a nonmonetary index represents benefit, and prioritize opportunities. 76 7.1.4 Applicability of the HRRO methodology The HRRO methodology is generalizable in that it can be applied to any organization; however, it is important to know that the criteria, criteria definitions, constructed, scales, pairwise comparisons, and weights are specific to an organization. Thus organizational decision makers should use the methodology as designed and customize it for their organization. It is because of this designed-in necessity for customization that suggests that it should not be used across entities within a parent organization or across multiple organizations without scrutiny. If the model is used without calibrating it to a specific organization by way of customization the results may not accurately reflect the values of the organization. 
7.1.5 Final reflection

This dissertation should not have been written. Many of the research papers and news stories studied during its writing regarding accidents and organizational failures report extraordinary events in which people were killed and injured and organizations suffered considerable financial loss. In many instances there was a level of awareness or a signal that provided foreknowledge of a threat or functioned as a precursor of system degradation. Given that little attention has been given by executives to understanding risk management and the implementation of vulnerability elimination or mitigation measures (§1.3), coupled with the reality that societal trends regarding reliability will make things worse instead of better (§2.1), the sustainability of organizations should be questioned. Of lesser magnitude, the literature tells of organizational leadership shortsightedness that, while not necessarily malignantly intended, results in less than ideal decisions.

The author entered this present academic and research journey in the early 2000s because of the need to solve a prioritization problem in the professional arena. In the intervening ten years the initial problem had been solved, but the journey continued and in one sense has come full circle back to the professional arena, this time with a solution to a much larger problem.

7.2 Recommendations for future research

During the process of this research, opportunities were discovered that the authors chose not to resolve. None of these opportunities, and in some cases deficiencies, alter the result of the present research, and when developed and incorporated they will enhance future versions of the HRRO model and the relevant body of knowledge. During the workshop phase several suggestions for improving the methodology were offered. These comments should be incorporated in a future version. The HRRO methodology is valid in the context in which it was developed and tested, i.e. as a methodology to be used within an organization for relative comparisons. Thus, research should be undertaken to:

1. Expand the mapping of vulnerabilities within organizations to reliability trends to other combinations of trends and vulnerabilities
2. Validate the HRRO methodology with a larger sample size, i.e. complete intact teams in organizations from different sectors
3. Develop the model for use across multiple entities (departments) within a single organization. The authors suggest the following initial approach. Given that the objectives across the entities are identical, i.e. characteristics such as criteria, weights, and constructed scales, one could sum the individually calculated HRRO indices according to each entity’s weight in proportion to the entire organization. Although intuitive, development and testing is required
4. Determine its applicability across multiple organizations as a means for benchmarking. The author speculates that because of the differences in organizations and the requirement of decision maker involvement, the acquisition of sufficient data to attest to its universality could require five to ten years of research
5. Compare HRRO indices and risk quality benchmarking algorithm scores to ascertain alignment over a larger sample and determine the benefit thereof
6. Examine the influence of cognitive bias at the leadership level on organizational vulnerability

References

Accorsi, R., Zio, E., & Apostolakis, G. E. (1999). Developing utility functions for environmental decision making. Progress in Nuclear Energy, 34(4), 387-411.
Apostolakis, G. E., & Lemon, D. M. (2005). A screening methodology for the identification and ranking of infrastructure vulnerabilities due to terrorism. Risk Analysis, 25(2), 361-376.
Arkes, H. R. (1986). Impediments to accurate clinical judgement and possible ways to minimize their impact. In H. R. Arkes, & K. R. Hammond (Eds.), Judgement and decision making: An interdisciplinary reader (pp. 582-592). Cambridge, UK: Cambridge University Press.
ASIS International. (2009). Organizational resilience: Security, preparedness, and continuity management systems - requirements with guidance for use (No. ASIS SPC.1-2009). Alexandria, VA: ASIS International.
ASTM International. (2002). Standard practice for measuring benefit-to-cost and savings-to-investment ratios for buildings and building systems (No. E964-02). West Conshohocken, PA: ASTM International.
Baker, J. A., Bowman, F. L., Erwin, G., Gorton, S., Hendershot, D., Leveson, N., et al. (2007). The report of the BP U.S. refineries independent safety review panel BP.
Bakker, D. (2009). Fire facts research faculty of architecture TU Delft (No. 30081174). The Hague, The Netherlands: Interseco BV.
Bar-Yam, Y. (1997). Dynamics of complex systems: Studies in nonlinearity. Reading: Addison-Wesley.
Berg van den, H. (2008, May 23). TU Delft had geen gebruiksvergunning [TU Delft had no user license]. NRC Handelsblad.
Bigley, G. A., & Roberts, K. H. (2001). The incident command system: High-reliability organizing for complex and volatile task environments. Academy of Management Journal, 44(6), 1281-1299.
Brancato, C. K., Tonello, M., Hexter, E., & Newman, K. R. (2006). The role of U.S. corporate boards in enterprise risk management (No. R-1390-06-RR). New York: The Conference Board.
British Standards Institute. (2006). Business continuity management: Part 1: Code of practice (No. BS 25999-1:2006). London: British Standards Institute.
Brombacher, A. C., de Graef, M. R., den Ouden, E., Minderhoud, S., & Lu, Y. (2001). Invloed van trends op product ontwikkeling en op bedrijfszekerheid [Influence of recent developments on product development and on reliability of service]. In M. R. de Graef (Ed.), Betrouwbaarheid van technische systemen: Anticiperen op trends (pp. 54-71). Den Hague: Stichting Toekomstbeeld der Techniek.
Center for Chemical Process Safety. (2007). Guidelines for risk-based process safety. Hoboken: John Wiley & Sons.
Clemen, J. T. (1996). Making hard decisions: An introduction to decision analysis (2nd ed.). Pacific Grove: Brooks/Cole.
Cohen, M. D., & March, J. G. (1974). Leadership and ambiguity: The American college president (2nd ed.). Boston: Harvard Business School Press.
Cohen, M. D., March, J. G., & Olsen, J. P. (1972). A garbage can model of organizational choice. Administrative Science Quarterly, 17(1), 1-25.
Commission of the European Communities. (2005). Green paper on the European programme for critical infrastructure protection (No. COM(2005) 576 final). Brussels: Commission of the European Communities.
Committee of Sponsoring Organizations of the Treadway Commission. (2004). Enterprise risk management - integrated framework. Retrieved Aug. 28, 2007, from http://www.coso.org/Publications/ERM/COSO_ERM_ExecutiveSummary.pdf
Daugherty, K. (1997). Decision making style and its effect on morale. Retrieved Feb. 13, 2010, from http://leadershipmanagement.com/html-files/decision.htm
Delft University of Technology, Marketing & Communication. (2008). Faculty of architecture in the media. Retrieved Apr. 23, 2009, from http://www.tudelft.nl/live/pagina.jsp?id=9cecdce4-09cc-4ca5-98b1-95e2cea664b4&lang=en
Delft University of Technology, Marketing & Communication. (2009). Insurance settlement reached for fire in the faculty of architecture. Retrieved Jun. 26, 2009, from http://www.tudelft.nl/live/pagina.jsp?id=9cecdce4-09cc-4ca5-98b1-95e2cea664b4&lang=en
Division of Emergency Management. (2002). Case study - Kinston. Retrieved Jun. 12, 2007, from http://www.dem.dcc.state.nc.us/Mitigation/case_kinston.htm
Elkins, D. (2005). Managing manufacturing and supply chain risks in global automotive operations. Retrieved March 2, 2010, from http://mgt.ncsu.edu/pdfs/centers-initiatives/erm/Mar18-2005PPoint.pdf
Elliot, M. A. (2008). Analytic hierarchy process, pairwise comparison spreadsheet. Unpublished.
Energy Institute. (n.d.). Hearts and minds program. Retrieved August 20, 2007, from http://www.energyinst.org.uk/heartsandminds/index.cfm
Energy Institute. (2007). Winning hearts and minds. The Hague: Shell International Exploration and Production.
Ernst & Young. (2009). Evaluatierapport: Evaluatie crisismanagement tijdens brand 13 Mei 2008 [Evaluation report: Crisis management during fire May 13, 2008] (No. 19665677/Adj/mvdl/09-0013). The Hague, The Netherlands: Ernst & Young.
Federal Emergency Management Agency. (2003). Building a disaster resistant university (No. FEMA 443). Washington, D.C.: Federal Emergency Management Agency. Retrieved Feb. 2004 from http://www.fema.gov/institution/dru.shtm
Federal Highway Administration. (2007). Economic analysis primer. Retrieved Mar. 1, 2008, from http://www.fhwa.dot.gov/infrastructure/asstmgmt/primer05.cfm
Felton, R., & Watson, M. (2002). U.S. director opinion survey on corporate governance 2002. New York: McKinsey & Company.
Flood Insurance and Mitigation Division. (n.d.). Mitigation preliminary performance assessment: Losses avoided during hurricane Isabel in North Carolina. Retrieved Jun. 16, 2007, from http://www.dem.dcc.state.nc.us/Mitigation/Library/Success_Stories/Perf%20Assessment%20NC%20Print.pdf
FM Global. (2007, Dec.). A piece of the framework. Reason, 23-25.
FM Global. (2008). RiskMark rolls out enhancements. Reason, 12.
FM Global. (2009a). Property loss prevention data sheets. Retrieved Jan. 9, 2010, from http://www.fmglobal.com/fmglobalregistration/Downloads.aspx
FM Global. (2009b). RiskMark overview. Retrieved Jan. 17, 2010, from http://www.fmglobal.com/riskmark_assets/riskmark_overview.htm
Gates, S., & Hexter, E. (2005). From risk management to risk strategy (No. R-1363-05-RR). New York: The Conference Board.
Ghosh, S. T., & Apostolakis, G. E. (2005). Organizational contributions to nuclear power plant safety. Nuclear Engineering and Technology, 37(3), 207-220.
Gifun, J. F., & Karydas, D. M. (2010). Organizational attributes of highly reliable complex systems. Quality Reliability Engineering International, 26(1), 53-62.
Gifun, J. F., Karydas, D. M., Brombacher, A. C., & Rouvroye, J. L. (Submitted for publication). Resilience as a means to analyze business processes on the structure of vulnerability.
Goodwin, P., & Wright, G. (2000). Decision analysis for management judgment (2nd ed.). Chichester: John Wiley & Sons.
Haimes, Y. Y. (2009). On the definition of resilience in systems. Risk Analysis, 29(4), 498-501.
Hayashi, A. M. (2001). When to trust your gut. Harvard Business Review, 79(2), 59-65.
International Risk Governance Council. (2006). White paper on managing and reducing social vulnerabilities from coupled critical infrastructures. Geneva: International Risk Governance Council.
Investorwords. (n.d.). Model. Retrieved May 9, 2009, from www.investorwords.com/5662/model.html
Kansas, D. (2009). The Wall Street Journal guide to the end of Wall Street as we know it (1st ed.). New York: Collins Business.
Karydas, D. M., & Gifun, J. F. (2006). A method for the efficient prioritization of infrastructure renewal projects. Reliability Engineering & System Safety, 91(1), 84-99.
Karydas, D. M., & Rouvroye, J. L. (2006). Vulnerability avoidance investment: A financial justification of expenditures for the improved resilience of enterprises. Paper presented at the Proceedings of the Eighth International Conference on Probabilistic Safety Assessment and Management, New Orleans, Louisiana, (PSAM-0463). New York: ASME Press.
Keeney, R. L., & Raiffa, H. (1993). Decisions with multiple objectives: Preferences and value tradeoffs. Cambridge, U.K.: Cambridge University Press.
Kline, P., & Saunders, B. (1998). Ten steps to a learning organization (2nd ed.). Arlington: Great Ocean Publishers.
Labaree, L. W., & Bell, W. J. (Eds.). (1956). Mr. Franklin, a selection from his personal letters. New Haven: Yale University Press.
Latour, A. (2001, Jan 29). A blaze in Albuquerque sets off major crisis for cell-phone giants. Wall Street Journal, pp. 1-8.
Li, H., Apostolakis, G. E., Gifun, J. F., VanSchalkwyk, W., Leite, S., & Barber, D. (2009). Ranking the risks from multiple hazards in a small community. Risk Analysis, 29(3), 438-456.
Massachusetts Institute of Technology. (2007). Multiple hazard mitigation planning (No. DRU 04-02 (PDMC-DRU04-02MIT0000)). Cambridge, MA: Massachusetts Institute of Technology.
McNamara, C. (n.d.). Basic definition of organization. Retrieved Oct. 21, 2007, from http://www.managementhelp.org/org_thry/org_defn.htm
Merriam-Webster. (2009). Communication. Retrieved May 25, 2008, from http://www.merriam-webster.com/dictionary/communication
Merriam-Webster. (2010). Predictable. Retrieved Jan. 17, 2010, from http://www.merriam-webster.com/dictionary/predictable
Murthy, D. N. P., Rausand, M., & Osteras, T. (2008). Product reliability: Specification and performance. London: Springer-Verlag.
National Fire Protection Association. (2010). Standard on disaster/emergency management and business continuity programs (NFPA 1600). Quincy: National Fire Protection Association.
National Research Council. (1996). Understanding risk: Informing decisions in a democratic society. Washington, D.C.: National Academy Press.
Nickols, F. (2008). Making decisions like Ben Franklin: A job aid for decision-makers. Retrieved November 8, 2009, from http://home.att.net/~nickols/distance.htm
Page, S. E. (2009). Understanding complexity. [Video/DVD] Chantilly, VA: The Teaching Company.
Pate-Cornell, E., & Guikema, S. (2002). Probabilistic modeling of terrorist threats: A system analysis approach to setting priorities among countermeasures. Military Operations Research, 7(4), 5-20.
Patterson, S. A., & Apostolakis, G. E. (2007). Identification of critical locations across multiple infrastructures for terrorist actions. Reliability Engineering & System Safety, 92(9), 1183-1203.
President's Commission on Critical Infrastructure Protection. (1997). Critical foundations: Protecting America’s infrastructures. Washington, D.C.: President's Commission on Critical Infrastructure Protection. Retrieved n.d. from http://www.fas.org/sgp/library/pccip.pdf
PricewaterhouseCoopers. (2004). Managing risk, an assessment of CEO preparedness, 7th annual global CEO survey. New York: PricewaterhouseCoopers.
Reason, J. (1990). Human error. Cambridge: Cambridge University Press.
Reason, J. (1997). Managing the risks of organizational accidents. Ashgate: Aldershot.
Ridge, T. (2004). National incident management system. Washington, D.C.: Department of Homeland Security.
Ripley, A. (2005, Oct. 23). Hurricane Katrina: How the Coast Guard gets it right. Time, New York: Time Inc.
Roberto, M. A. (2009). The art of critical decision making. [Video/DVD] Chantilly, Virginia: The Teaching Company.
Saaty, T. L. (1980). The analytic hierarchy process: Planning, priority setting, resource allocation. New York: McGraw-Hill.
Sarbanes-Oxley Act of 2002, Pub. L. No. 107-204, 116 Stat. 745 (2002).
Schein, E. (1992). Organizational culture and leadership (2nd ed.). San Francisco: Jossey-Bass.
Senge, P. M. (1990). The fifth discipline: The art & practice of the learning organization. New York: Doubleday.
Sheffi, Y. (2005). The resilient enterprise: Overcoming vulnerability for competitive advantage. Cambridge: MIT Press.
Solvay S.A. (n.d.). Towards sustainable development: Assessment and prospects 2008 - 2012. Brussels: Solvay Sécrétariat Général. Retrieved Nov. 14, 2009 from http://www.solvaysustainable.com/static/wma/pdf/1/3/8/3/7/RADD_GB_BD2.pdf
State Climate Office of North Carolina. (n.d.). History of hurricanes in North Carolina. Retrieved Jun. 17, 2007, from http://www.nc-climate.ncsu.edu/climate/hurricane.php
Tonello, M. (2007). Emerging governance practices in enterprise risk management (No. R-1398-07-WG). New York: The Conference Board.
Tonello, M., & Brancato, C. K. (2007). Corporate governance handbook 2007: Legal standards and board practices (No. R-1405-07-RR). New York: The Conference Board.
Tversky, A., & Kahneman, D. (1974). Judgment under uncertainty: Heuristics and biases. Science, 185(4157), 1124-1131.
U.S. Chemical Safety and Hazard Investigation Board. (2007). Investigation report, refinery explosion and fire (No. 2005-04-1-TX). Washington, DC: U.S. Chemical Safety and Hazard Investigation Board.
United States Geological Survey. (2005). Benefits of volcano monitoring far outweigh costs: The case of Mount Pinatubo. Retrieved Jun. 11, 2007, from http://pubs.usgs.gov/fs/1997/fs115-97/
United States Nuclear Regulatory Commission. (2001). Reactor oversight process, initial implementation evaluation panel, final report (No. ADAMS ML011290025). Retrieved Aug. 26, 2007 from http://www.nrc.gov/NRR/OVERSIGHT/ROP/iiep_final_report050801.pdf
United States Nuclear Regulatory Commission. (n.d.). Comments on revised reactor oversight process. Retrieved Aug. 25, 2007, from http://www.nrc.gov/NRR/OVERSIGHT/ROP/ppepfinalreport.pdf
United States Nuclear Regulatory Commission. (2007a). Inspection procedures & performance indicators by ROP cornerstone. Retrieved Dec. 2, 2007, from http://www.nrc.gov/NRR/OVERSIGHT/ASSESS/cornerstone.html
United States Nuclear Regulatory Commission. (2007b). Manual chapter 0305, operating reactor assessment program. NRC inspection manual. Retrieved Jan. 23, 2008 from http://www.nrc.gov/reading-rm/doc-collections/insp-manual/
United States Nuclear Regulatory Commission. (2007c). Detailed ROP description. Retrieved Aug. 26, 2007, from http://www.nrc.gov/reactors/operating/oversight/rop-description.html
Verrico Associates. (1999). The Dow Chemical Company responsible care management systems verification. Midland, MI: The Dow Chemical Company.
Weick, K. E., & Sutcliffe, K. M. (2001). Managing the unexpected: Assuring high performance in an age of complexity. San Francisco: Jossey-Bass.
Weick, K. E., & Sutcliffe, K. M. (2007). Managing the unexpected: Resilient performance in an age of uncertainty (2nd ed.). San Francisco: John Wiley & Sons.
Weil, R., & Apostolakis, G. E. (2001). A methodology for the prioritization of operating experience in nuclear power plants. Reliability Engineering & System Safety, 74(1), 23-42.
Zannoni, M., Bos, J. G. H., Engel, K. E., & Rosenthal, U. (2008). Brand bij bouwkunde: Evaluatie van de crisisbeheersing en vergunningverlening rond de verwoestende brand bij de Faculteit Bouwkunde van de TU Delft [Fire at architecture: Evaluation of crisis control and licensing around the devastating fire at the Faculty of Architecture building at TU Delft]. The Hague, The Netherlands: COT Institute for Securities and Crisis Management.

Appendix A Mapping of Vulnerabilities, General Motors to Reliability Trends

Table 14 - Mapping of Vulnerabilities, General Motors (Elkins, 2003) to Reliability Trends (Brombacher et al., 2001)

Legend: - indicates that selected vulnerability becomes more of an issue or gets worse, + indicates that selected vulnerability becomes less of an issue or gets better, and o indicates neutrality

Vulnerability Trend 1 Trend 2 Trend 3 Trend 4 Reason (example)

Debt & credit rating Health care & pension costs Revenue management Uncompetitive cost structure - - - + + o o Asset valuation - Liquidity / cash - o o

Trend 2 - Negative interpretation of dynamical state of business by conservative financial markets result in less flexibility regarding debt.
Trend 4 - Less government involvement results in increasing degradation of oversight, data collection capability, information transfer, and consistently applied controls
Trend 1 - More expensive treatment costs to offset drug and diagnostic equipment development costs. Higher costs passed to employers therefore fewer funds available for other employee benefits, e.g. pensions.
Trend 4 - Less government involvement increases competition in the marketplace and results in lower costs
Increased network connectivity enables quicker movement of revenue and easy and fast verification
Not related to trends as poorly priced products and services will not be competitive
Increased need for municipal revenue to fund government globalization efforts results in inappropriate property valuation to provide cash
Negative interpretation of dynamical state of business results in less available cash and increased effort to liquidate

Adverse changes in environmental regulations - - Accounting / tax law changes - - Adverse changes in industrial regulations - - Fuel prices Currency & foreign exchange rate fluctuations Currency inconvertibility Economic recession Financial markets instability + o o - o o -

Trend 1 - Increased availability of sophisticated technology increases discovery of contaminants at low levels and supports the desire by regulators to expand monitoring efforts and changes in regulations.
Trend 4 - Less government involvement results in increasing degradation of oversight, data collection capability, information transfer, and consistently applied controls
Trend 2 - Lawmakers’ negative interpretation of dynamical state of business encourages creation of laws. Increased costs to fund globalization in [un] under developed countries results in the need for developed countries to provide funding; therefore, changes in laws.
Trend 4 - Less government involvement results in increasing degradation of oversight, data collection capability, information transfer, and consistently applied controls
Trend 2 - Increased unrest in business seen as opportunities for regulators.
Trend 4 - Less government involvement results in increasing degradation of oversight, data collection capability, information transfer, and consistently applied controls
Less government involvement increases competition in the marketplace and results in lower costs
Negative dynamics (real or perceived) in global business environment result in uncertainty and affect currency & foreign exchange rates
Not affected by trends
Trend 2 - Negative dynamics of organizations result in an organization more susceptible (fragile) to uncertainty and variability of economy.
Trend 4 - Less government involvement results in increasing degradation of oversight, data collection capability, information transfer, and consistently applied controls
Lean firms could have insufficient capacity to endure uncertainty due to changes in economy

Interest rate fluctuations - Shareholder activism - Credit default - Ethics Union relations, labor disagreements & contract frustrations Inadequate management oversight Budget overruns or unplanned expenses -

Trend 2 - Lean firms could have insufficient capacity to endure uncertainty due to changes in economy.
Trend 4 - Less government involvement results in increasing degradation of oversight, information transfer, and consistently applied controls
Negative dynamics of organizations result in an organization more susceptible (fragile) to uncertainty and variability of economy
Negative dynamics of organizations result in uncertainty thus credit difficult to get
Negative dynamics of organizations result in uncertainty and increase probability that an employee would commit an unethical act
-
Lean organizations with tightly coupled systems have less flexibility with regard to plans thus potential for tension in labor relations
Loss of intellectual property Customer demand seasonality & variability
Inadequate management not related to trends
o o o o o o o o
Poor budget controls not related to trends
Lean organizations with tightly coupled systems are not flexible regarding supplier relationships
Lean organizations with tightly coupled systems are not flexible regarding dealer relationships
o o
Not trend related
Trend 1 - Increased potential for theft of intellectual property due to easy access to technology
Trend 3 – Increasing dependence on technology provides more opportunities for theft of intellectual property
Supplier relations Dealer relations Ineffective planning - o o - - +
More opportunities to sell product

Corporate culture Program launch Product-market alignment “Gotta have products” Technology decisions Joint venture / alliance relations Perceived quality Product development process - -, +* + - o o o o - - -, +* -, +* -, +* Offensive advertising Timing of business decisions & moves - - o

Product desirability not affected by trends
Ease of defaulting to new technology instead of appropriate technology
Globalization complicates process
Negative dynamics of organizations result in uncertainty and increase probability of market share disputes
o
Trend 1 - With increased technology more people working alone.
Trend 2 - More uncertainty in lean organizations result in employees becoming more protective of position
*Trend 2 - Corporate culture becomes richer and more inclusive – new ideas
Trend 1 - More technology results in more access to customers
Trend 2 - Programs more difficult to launch globally
Increased complexity with global, and more remote, partners
Increased technology increases ability to communicate about quality
Trend 1 - Increased technology negatively impacts quality and increases costs
Trend 2 - Increased speed of development negatively impacts quality and increases costs
*Trend 1 - Increased technology positively impacts quality and decreases costs
*Trend 2 - Increased speed of development positively impacts quality and decreases costs
Trend 2 - Increased use of technology separates designer and engineer from product
*Trend 2 - Increased technology enables higher quality engineering and design which yields higher quality product
Increased globalization yields lack of awareness and misinterpretation of cultural norms
-
Product design & engineering Market Share battles Pricing & incentive wars o o
Not trend related

Attacks on brand loyalty Mergers & industry consolidation New or foreign competitors -

Pervasiveness and availability of technology make cyber attacks easy
+
Broadly used technology enhances ability for mergers and consolidations
-
Public boycott & condemnation - - Negative media coverage - - Foreign market protectionism - - Harassment & discrimination - - Embezzlement -, +* Theft + Loss of key equipment + -
Globalization enhances competition
Trend 1 – Increased technology provides the means to spread information to incite a boycott quickly and broadly
Trend 2 – Negative perceptions or reality of business dynamics and globalization results in increased opportunities for exposure to condemnation
Trend 1 – Increased technology provides the means to spread negative media coverage quickly and broadly
Trend 2 – Globalization results in increased opportunities for exposure to negative media
Trend 2 - Increased opportunities in global markets provide incentives for protectionism
Trend 4 - Less government involvement results in increasing degradation of oversight, information transfer, and consistently applied controls
Trend 2 - Negative perception / reality of business dynamics increases uncertainty of future for employees, thus increased competition for fewer positions, racism, and xenophobia.
Trend 4 - Increasing degradation of consistently applied controls
Trend 1 - Increased sophistication and availability of technology enables embezzlement by technological means
Trend 3 – Increased dependency on technology results in increased number of available opportunities for embezzlement
*Trend 1 - Increased sophistication and availability of technology improves security
Increased sophistication and availability of technology result in higher quality security systems
Increased sophistication and availability of technology result in higher quality security systems

Information management problems Accounting or internal control failures - - + Health & safety violations HR risks – key skill shortage, personnel turnovers - - - - Vandalism - Government inquiries - Arson - Kidnapping - Extortion - Loss of key personnel IT system failures (hardware, software, LAN, WAN) + -

Trend 1 - Increased technology results in more complexity and potential for problems
Trend 2 - Globalization provides information managers with more responsibilities spread over larger distances
Trend 1 - Increased technology results in sophisticated monitoring system
Trend 2 - Increased business dynamics overwhelm employees’ ability to perform reliably and consistently
Trend 2 - Business dynamics provide excuses to ignore health and safety rules, regulations, and procedures.
Trend 4 - Less government involvement results in increasing degradation of oversight, information transfer, and consistently applied controls
Increased business dynamics increases competition for highly skilled employees
Increased competition and negative business dynamics increases anger directed toward company in the form of vandalism
Trend 2 - Increased business dynamics domestically and globally cause uncertainty by government oversight agencies, thus encourage increased scrutiny
Trend 4 - Less government involvement resulting in fewer inquiries
Increased competition and negative business dynamics increases anger directed toward company in the form of arson
Increased competition resulting in kidnapping of key personnel
Increased competition and negative business dynamics increases anger directed toward company in the form of arson
Increased competition resulting in aggressive recruiting of key personnel by competitors
Complex technological systems provide opportunities for failure
-

Computer virus / denial of service attacks - Workplace violence Operator errors / accidental Restriction of access / egress Dealer distribution network failures Logistics provider failure Logistics route or mode disruptions Service provider failures Tier 1, 2, 3 …n supplier problems: financial trouble, quality “spills”, failure to deliver materials, etc. -

Trend 1 - Increased technology and easy access to technology provides opportunities for cyber crime
Trend 3 – Increased dependency on technology provides the motivation to commit cyber crime
Negative business dynamics increases competition for highly skilled employees and the potential for violence
Negative business dynamics decrease morale and divert attention from the job, thus operator errors likely
Increased competition resulting in aggressive contracting action by competitors
Trend 1 - Increased technology adds system complexity so that when system malfunctions restoration or repair by the customer is difficult or impossible
*Trend 1 - Increased technology enables the quick dispersal of warranty and recall notification
Trend 1 - Increased technology increases the occasions of spurious faults resulting in incorrect restriction commands
*Trend 1 - Technology enables rapid changes to access / egress restriction protocols
Trend 1 - Complex technological systems provide opportunities for failure
Trend 2 - Globalization increases complexity
Lean organizations have little reserve to accommodate failures. Globalization increases complexity
Lean organizations have little reserve to accommodate failures. Globalization increases complexity
Lean organizations have little reserve to accommodate failures. Globalization increases complexity
-
Negative business dynamics associated with suppliers cause organizations that depend upon the supplier to lose confidence and seek alternative sources
-
Loss of key supplier Warranty / product recall campaigns - -,+* -, +* - -

Supplier bus interruption Utilities failures, communications, electricity, water, power, etc. damage Property damage Product liability Loss of key facility General liability Boiler or machinery explosion Building or equipment fire Tsunami - -, +* - + o o o o o

Not related to trends
Although not the cause for the loss of a key facility lean organizations suffer under such situation because they do not have sufficient reserve capacity to accommodate the loss
o o
Not related to trends
Increased technology presents improvements in control systems and detection and alarm systems
Increased technology presents improvements in detection and alarm systems
Negative perception / reality of business dynamics increases uncertainty of future for insurer, thus raise deductible
Trend 1 - Increased technology presents improvements in control and monitoring systems
Trend 4 - Less government involvement results in increasing degradation of data collection capability, analysis, information transfer and consistently applied controls
Trend 2 - Improved monitoring and alarm systems
Trend 4 - Less government involvement results in increasing degradation of data collection capability, analysis, information transfer and consistently applied controls
+ + - + - +
Lean organizations have little reserve to accommodate failures. Globalization increases complexity
Trend 1 - Connectivity exposes utilities to attack. Technology provides single source of failure in electric system as technology requires electricity.
Trend 4 - Less government involvement results in increasing degradation of oversight, information transfer, and consistently applied controls *Trend 1 - Increased technology provides improved equipment and monitoring and control systems Technology provides improved research and development of building materials and improved system supervisory, failure, and trouble detection and alerting systems o - Deductible limits Land, water, atmospheric pollution Trend 2 - 94 Vulnerability Trend 1 Wind damage + - + - Lightning strikes Building subsidence & sinkholes Building collapse Worker’s compensation Directors & officers liability 3rd party liability Trend 2 Trend 3 Trend 4 + o o o o Reason (example) Trend 1 - Technology provides improved research and development of building materials and improved prediction, detection, and alerting systems Trend 4 - Less government involvement results in increasing degradation of data collection capability, analysis, information transfer and consistently applied controls Trend 1 - Technology provides improved prediction, detection, and alerting systems Trend 4 - Less government involvement results in increasing degradation of data collection capability, analysis, information transfer and consistently applied controls Increased technology to examine underlying soil and predict the possibility of subsidence and sinkholes - Not related to trends Less government involvement results in increasing degradation of oversight, information transfer, and consistently applied controls o o o o Not related to trends o o o o Not related to trends Trend 1 - Increased technology to predict the possibility of eruption and provide sufficient warning Trend 4 - Less government involvement results in increasing degradation of data collection capability, analysis, information transfer and consistently applied controls Trend 1 - Increased technology to predict storms and provide sufficient warning Trend 4 - Less government involvement results in increasing 
degradation of data collection capability, analysis, information transfer and consistently applied controls Trend 1 - Increased technology to predict storms and provide sufficient warning Trend 4 - Less government involvement results in increasing degradation of data collection capability, analysis, information transfer and consistently applied controls Volcano eruption + - Blizzard / ice storms + - Heavy rain / thunderstorms + - 95 Vulnerability Hurricane / typhoon Trend 1 Trend 2 Trend 3 Trend 4 + - Hail damage Animal / insect infestation + - Tornados + Disease / epidemic - Wildfire Terrorism / sabotage o o o - - - + - - + Flooding Earthquake o + - 96 Reason (example) Trend 1 - Increased technology to predict storms and provide sufficient warning Trend 4 - Less government involvement results in increasing degradation of data collection capability, analysis, information transfer and consistently applied controls Trend 1 - Increased technology to predict storms and provide sufficient warning Trend 4 - Less government involvement results in increasing degradation of data collection capability, analysis, information transfer and consistently applied controls Not related to trends Trend 1 - Increased technology to predict storms and provide sufficient warning Trend 4 - Less government involvement results in increasing degradation of data collection capability, analysis, information transfer and consistently applied controls Trend 1 - Increased technology in transportation systems provides the means for the rapid and broad spread of disease Trend 2 - Globalization provides opportunities for exposure Trend 4 - Less government involvement results in increasing degradation of data collection capability, analysis, information transfer and consistently applied controls Trend 2 - Increased technology results in the development of effective fire fighting chemicals and equipment Trend 4 - Less government involvement results in increasing degradation of data collection 
capability, analysis, information transfer and consistently applied controls Symbols of technology are attractive targets Trend 2 - Increased technology results in improved prediction, monitoring, and alerting systems Trend 4 - Less government involvement results in increasing degradation of data collection capability, analysis, information transfer and consistently applied controls Trend 1 - Increased technology to predict earthquakes and provide sufficient warning Trend 4 - Less government involvement results in increasing degradation of data collection capability, analysis, information transfer and consistently applied controls Vulnerability Trend 1 Severe hot / cold weather Geopolitical risks Cargo losses Mold exposure Asbestos exposure Trend 2 Trend 3 + o o Trend 4 - o o + + Reason (example) Trend 2 - Increased technology results in improved prediction, monitoring, and alerting systems Trend 4 - Less government involvement results in increasing degradation of data collection capability, analysis, information transfer and consistently applied controls Trend 2 - Globalization increases the probability of a risk occurring Trend 4 - Less government involvement results in increasing degradation of data collection capability, analysis, information transfer and consistently applied controls Not related to trends Increased technology yields improved sampling and mitigation Increased technology yields improved sampling and mitigation

APPENDIX B Existing models

The genesis of the HRRO methodology is a result of the following nine organizational models: the High Reliability Organization (HRO), the Disaster Resistant University (DRU), Massachusetts Institute of Technology’s version of the Disaster Resistant University model (DRU at MIT), the Resilient Enterprise (RE), Enterprise Risk Management (ERM), Risk-Based Process Safety (RBPS), Reactor Oversight Process (ROP), Hearts and Minds (H&M), and Business Continuity Planning (BCP).
These models were selected; however, others were rejected because they were either similar enough to an already selected model that inclusion would have resulted in duplication, or too little detail was available to fully describe them. Other models were rejected because they lacked the rigor and efficiency of the analytic-deliberative process. For example, intuition is a common means for making judgments but was rejected because it does not provide a systematic, transparent, defendable, or repeatable approach.

During the present research several organizational models were identified and evaluated to ascertain whether each model, individually, could support the focus of this dissertation or whether attributes of these models could be integrated into one model that could. The nine models described below were culled from a longer list of models because of their inherent multi-attributive structure, their actual or potential use generically, and other factors. These other factors include the prominence of the model in the technical journals or business press, the author’s personal experience with a particular model, recommendations offered by experts in the field, the dissimilarity of the model when compared to the others under consideration, and the diversity of application.

The High Reliability Organization was selected because of its prominence in the relevant technical journals and in the business press but mostly because of its focus on vulnerability across many types of organizations. The Disaster Resistant University (FEMA and MIT) was selected because of the author’s knowledge about the Disaster Resistant University program and the attention given to both physical assets and business continuity. The Resilient Enterprise was included because of its creator’s expertise in organizational resilience, the applicability of the subject to this dissertation, and the timeliness surrounding the publishing of the book by the same name.
The Enterprise Risk Management model was selected because of its focus on business and shareholder risk instead of risks associated with physical assets and natural hazards, i.e. it was dissimilar in comparison to the others. Risk-Based Process Safety was included because of its prominence in the chemical process industry and the attention brought to the chemical process industry by recent news broadcasts reporting large accidents such as the explosion on March 23, 2005 at British Petroleum’s plant in Texas City, Texas. Reactor Oversight Process was selected because of its application of MAUT in a targeted application dissimilar to the other models under consideration. Hearts and Minds was considered for more detailed examination because of the fame of its creator in the field of workplace safety and particularly the model’s comprehensive focus on safety culture. Business Continuity Planning was added to the list because of the author’s experience with business continuity and the difficulties associated with its implementation and the subject’s prominence in news sources.

Comments will be offered addressing each model’s hierarchical structure or its ability to be modified as such, its ability to be implemented, whether it can be used to determine whether an organization possesses the requisite attributes to become highly reliable and resilient, and its suitability as a means to evaluate and assess the impact of a hazard preemptively and correctively, i.e. post impact. Each model will be described and analyzed by way of the following approach.

1. Description: A general explanation of the model will be created from information extracted from literature disseminated by the creators of the model
2. Analysis: Each model will be evaluated according to its ability to be described as a hierarchical tree whether it be described as such in the literature directly or whether the hierarchical tree can be implied from the relevant literature
   a. If the model can be described in terms of a hierarchical tree it must be examined for compliance with the principles associated with multi-attribute utility theory
   b. If the model in its original state does not comply with the principles of MAUT it must be modified
3. Discussion: The applicability of each model to generic use and its ability to be used as a preemptive (prior to impact) or corrective (following impact) tool will be determined, and each model’s strengths and weaknesses will be noted

B.1 The High Reliability Organization

Description

High reliability organizations (HRO) create a collective state of mindfulness that produces an enhanced ability to discover and correct errors before they escalate into a crisis by the application of the principles and practices that enable the organization to anticipate threats with flexibility rather than rigidity. The five basic practices for developing mindfulness in HROs as described in Managing the Unexpected by Weick and Sutcliffe can be divided in two categories. The first three constitute strategies for preventing the unexpected from developing into a major event, while the last two describe mitigating efforts once the unexpected strikes (Karydas & Rouvroye, 2006; Weick & Sutcliffe, 2001; Weick & Sutcliffe, 2007). These attributes are as follows:

• Preoccupation with failure: Encourage the reporting of errors and pay attention to any failures. These lapses may signal possible weakness in other parts of the organization. Too often, success narrows perceptions, breeds overconfidence in current practices, and squelches opposing viewpoints. This leads to complacency that in turn increases the likelihood unexpected events will go undetected and develop into bigger problems.
An organization that is ignorant about failure, its location, genesis, and trajectory, is less mindful than it could be, thus more vulnerable
• Reluctance to simplify interpretations: Analyze each occurrence without preconceptions and take nothing for granted. Take a more complex view of matters and look for disconfirming evidence that foreshadows unexpected problems. Seek input from diverse sources, study minute details, discuss confusing events and listen intently. Avoid combining details together or attempting to normalize an unexpected event in order to preserve a preconceived expectation. That is, systems should be simple enough to understand and manage but not so simple that complex operations, interactions, and relationships are obscured
• Sensitivity to operations: Pay serious attention to minute-to-minute operations and be aware of imperfections in these activities. Strive to make ongoing assessments and continual updates. Enlist everyone’s help in fine-tuning the workings of the organization. Avert the accumulation of small events that can grow into bigger problems
• Commitment to resilience: Cultivate the processes of resilience, intelligent reaction and improvisation. Be mindful of errors that have occurred and take steps to correct them before they worsen. Be prepared to handle the next unforeseen event
• Deference to expertise: During troubled times, shift the leadership role to the person or team possessing the greatest expertise and experience to deal with the problem at hand. Provide them with the empowerment they need to take timely, effective action. Avoid using rank and status as the sole basis for determining who makes decisions when unexpected events occur

Excellence and reliability do not necessarily equate. For example, an organization may produce the highest quality product in its business sector but not be able to weather disruptions in its supply chains.
Therefore, sales and income are limited by the organization’s ability to manufacture and deliver product during times when disruption occurs. On the other hand, a company that produces an average quality product may do so reliably during times when supply chain disruptions are present. That is, the average quality producer could have partnership agreements in place with primary and backup suppliers of raw materials to get priority access to materials during times of disruption and access to alternative sources (Sheffi, 2005).

In Managing the Unexpected Weick and Sutcliffe propose that the HRO looks at all subsets of the organization that could impact the reliability of the organization (Weick & Sutcliffe, 2001; Weick & Sutcliffe, 2007). Weick and Sutcliffe provide survey forms as a way to assess the degree to which an organization is an HRO. The survey forms present attributes by way of statements that when considered and scored enable an analyst to determine the organization’s level of HRO-ness (Weick & Sutcliffe, 2001; Weick & Sutcliffe, 2007). The scope and intent of each survey form are described below.

• A starting point for your organization’s mindfulness: Measures the degree of the organization’s mindful infrastructure. Mindfulness is the combination of ongoing scrutiny of existing expectations, continuous refinement and differentiation of expectations based on newer experiences, willingness and capability to invent new expectations that make sense of unprecedented events, a more nuanced appreciation of context and ways to deal with it, and identification of new dimensions of context that improve foresight and current functioning. It is the willingness of HROs to organize in a complex manner that helps them deal with a complex world of the unexpected.
• Assess your organization’s vulnerability to mindlessness: Assesses the organization’s potential for mindlessness, i.e.
its ability to probe into how often people come into contact with the unexpected in their day-to-day activities, how strongly people expect that things will go as planned, and how strong their tendencies are either to solve or to ignore the disruptions that unexpected events produce. Instances of mindlessness occur when people confront weak stimuli, powerful expectations, and strong desires to see what they want to see.
• Assessing your organization’s tendency toward doubt, inquiry, and updating: Like the preceding measure, this measure assesses the potential for mindfulness but in the context of the organization’s tendency to doubt, inquire, or update.
• Assessing where mindfulness is most required: Measures the level by which an organizational system is interactively complex and tightly coupled. That is, the more interactively complex and tightly coupled a system may be, the more mindful it should be.
• Assessing your organization’s preoccupation with failure: An organization that is ignorant about failure, its location, genesis, and trajectory, is less mindful than it could be. Therefore, the present measure probes the degree to which the organization has a healthy preoccupation with failure.
• Assessing your organization’s reluctance to simplify: Assesses the organization’s capability to prevent simplification in order to improve the organization’s capacity for mindfulness.
• Assessing your organization’s sensitivity to operations: A measure of how prepared the organization is to avert the accumulation of small events that can grow into bigger problems.
• Assessing your organization’s commitment to resilience: Resilience is about bouncing back from errors and about coping with surprises in the moment, i.e. how well prepared is the organization to manage the unexpected when it does happen.
• Assessing the deference to expertise in your organization: Effective HROs enact more flexible decision-making processes when something goes wrong, i.e.
they allow decision making and problems to migrate to the person or team with the expertise in that choice-problem combination.

Analysis

At first blush the survey forms provide one with the foundation of a hierarchical tree and the means to represent degree of HRO-ness; however, while the forms provide a good starting point, more detail is needed to convert the survey forms into a hierarchical tree. There are some statements within the survey forms as provided that stand alone and some that are similar, or similar enough, to be consolidated into one statement to avoid duplication. Most importantly, the text accompanying the survey forms is more complete and provides detail not captured in the forms. It is the author’s opinion that the text and forms should be considered together; however, the text should be considered superior information. The following shows the author’s method to create the attributes comprising the HRO hierarchical tree in accordance with the principles of MAUT.

1. Consolidate similar statements within the same survey form. For example, within the form that enables one to assess preoccupation with failure, the first four statements,
   a. We focus more on our failures than our successes;
   b. We regard close calls and near misses as a kind of failure that reveals potential danger rather than as evidence of our success and ability to avoid disaster;
   c. We treat near misses and errors as information about the health of our system and try to learn from them; and,
   d. We often update our procedures after experiencing a close call or near miss to incorporate our new experience and enriched understanding,
   were simplified as follows: We focus on failures and regard and learn from close calls and near misses as a kind of failure that reveals potential danger rather than as evidence of our success and ability to avoid disaster
2. Consolidate similar statements across different survey forms, e.g.
the statement that emerged from step 1 was combined with a similar statement from the survey form regarding reluctance to simplify. That is,
   a. We focus on failures and regard and learn from close calls and near misses as a kind of failure that reveals potential danger rather than as evidence of our success and ability to avoid disaster; plus,
   b. People generally prolong their analysis to better grasp the nature of the problems that come up. When something unexpected happens people are more concerned with listening and conducting a complete analysis of the situation than with advocating for their view,
   were combined as follows: Learn from experiences, including close calls and near misses. Make adjustments when facts dictate, assumptions change, and as higher quality and more complete information becomes available. Do so by way of a complete and thorough analysis of each situation employing the most quantifiable methods available and appropriate
3. The third step is to use the text to verify the consolidation process and identify the attributes subordinate to the high-level attributes, such as preoccupation with failure as shown in Figure 9.
4. Verify and define all attributes. Since the high level attributes, e.g. preoccupation with failure, were defined previously, the definitions for the subordinate attributes, derived from Weick’s and Sutcliffe’s work, are as shown below. Within this step all attributes are evaluated in the context of the principles of MAUT, i.e. to make certain that there are no redundancies and that no attribute is missing from the process. Conflicts among attributes are surfaced and resolved at this time. The outcomes of this step are the following definitions.
   a. Vulnerability assessment: Embrace failure, describe that which should not fail and how it can fail no matter how embarrassing the consequences might be, e.g. the failure of a strategic objective.
Ask three questions: what do people count on, what do people expect from the things they count on, and in what ways can the things people count on fail? Expectations as to acceptable levels of risk and failure are broadly known
   b. Potential disturbance sensing system: Systematically detect and anticipate the potential for failures. Pay attention to weak signals of failures, such as deviations from normal states over time, as they may be precursors to larger failures.
   c. In-depth critique of all systems and operations in context of potential realized disturbances: Review and critique all systems and practices continuously to maximize the probability that nothing has been ignored
   d. Encouragement of divergent viewpoints: Divergence in viewpoints provides the group with a broader set of assumptions and sensitivity to a greater variety of inputs
   e. Organizational culture: Being sensitive to operations is a unique way to correct failures of foresight. The readiness to make large numbers of small adjustments keeps errors from accumulating. The likelihood that any one error will become aligned with another and interact with it in ways not previously anticipated is reduced. Quantitative versus qualitative knowledge and context-free formalization (engineering) versus experience-based, context-bound interventions (operations) are equally important. Learn from close calls as near misses are a kind of failure that reveals potential danger. People feel safe enough to speak up and share information and question assumptions. Routine work is anything but automatic.
   f. Degree of separation between front line and management: Appraisal of the degree to which leaders and managers maintain continuous contact with the operating system or front line and the extent to which they are accessible when important situations develop. The extent to which there is ongoing group interaction and information sharing about actual operations and workplace characteristics
   g. Flexibility and improvisation: A culture that adapts to changing demands. Should problems occur, someone with the authority to act and necessary resources are readily available. People are familiar with their jobs and operations external to their own jobs. Work to create a climate that encourages variety in people’s analyses of the organization’s technology and production processes and establish practices that allow those perspectives to be heard and to surface information not held in common
   h. Training and support: Commitment to resilience is directly proportional to learning, knowledge, and capability development. Expanding people’s general knowledge and technical capabilities improves their abilities both to see problems in the making and deal with them
   i. Preparation for the unexpected: Anticipate possible failure modes. Resilience is achieved through the use of expert networks, an extensive action repertoire, and skills with improvisation. Commitment is also evident in a capacity to use knowledge in unexpected ways. This capacity might be evident in informal networks of people who self-organize to solve problems, in enthusiasm to share expertise and novel solutions across unit boundaries, and in continual investments in improving technical systems, procedures, reporting processes, and employee attentiveness
   j. Management of recovery efforts: HROs accept the inevitability of error and shift attention from error prevention to error containment. That is, people deal with surprises not only through anticipation, by weeding them out in advance, but also through resilience, by responding to them as they occur. Resilience is about bouncing back from errors and about coping with surprises in the moment
   k. Preemptive mitigation: Take action prior to the onset of a failure to prevent or mitigate consequences. Please note that the text implies the need for preemptive action but does not state the need specifically
   l. Rewards, recognition, ownership, and accountability: Demonstration of expertise being valued, regardless of rank within the organizational hierarchy. People own problems until they are resolved. Encourage and reward error reporting. Please note that the notion of rewarding people for reporting errors was from the text associated with preoccupation with failure; however, the author believed that it fit better in the present attribute
   m. Clarity, awareness, and flexibility of decision-making processes and practices: Decision making and problem resolution migrate to the person(s) most capable to make the decision or resolve the problem. People within the organization know the person(s) with expertise to call when something out of the ordinary occurs.

Figure 8 shows the resulting hierarchical tree implied from the work of Weick and Sutcliffe.

Figure 8 - Implied HRO Hierarchical Tree

The hierarchical tree, once weights are assigned to each attribute, will 1) describe the current HRO state of the organization, 2) provide the means to determine the potential effect of organizational initiatives and projects under funding and implementation consideration, and 3) provide a measure of potential consequences associated with a hazard or threat; all in terms of the organization’s values expressed by the criteria.

Discussion

The principles and practices of the high reliability organization as presented by Weick and Sutcliffe are intended to be used preemptively, prior to the impact of an undesirable hazard or threat. The hierarchical tree could be used to determine an organization’s current state of HRO-ness and, therefore, to identify the areas where the organization should focus its mitigation resources given that a higher level of HRO-ness is desired. For example, if an organization chose to improve its score for the attribute labeled training they might consider several improvement alternatives related to training.
Of these alternatives the one that resulted in the highest HRO index would be the alternative that would be implemented, all else being equal. Also, the hierarchical tree could be used to diagnose impacts and provide the analyst with a base level of HRO-ness at the time of the impact. Like the preemptive case above, target areas for improvement can be identified. For example, when the hierarchical tree is completed, one using observation and other evidence could rate the organization’s ability to learn from mistakes. Such a rating describes the organization’s current state of HRO-ness in the context of its ability to learn from mistakes and illustrates an area for improvement if the rating was lower than desired (Weick & Sutcliffe, 2001). Moreover, the hierarchical tree could be used correctively following a hazard event to prove the validity of the process, evaluate initial prioritization assumptions, and aid recalibration if necessary.

The hierarchical tree provides one with the means to rate each project against a pre-established standard reflecting the ideals of the organization by way of the HRO index. Following internal deliberations, using the indices as its basis, the organization would prioritize projects, ultimately selecting projects that maximize value to the organization. To determine an index of a potential project one would rate the project in accordance with performance measures that reflect pre-established levels of each attribute. An example of a constructed scale associated with a performance measure is shown in Table 3 where the table displays the performance measure for impact on people (Karydas & Gifun, 2006). In this instance the constructed scale enables one to rate a project in terms of its potential impact on people if the project was not undertaken (thus the use of disutility). For example, if one believes that the implementation of a project would prevent the potential occurrence of long term exposure to a contaminant, one would select level 2.
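The rating and prioritization steps described above can be sketched as follows. This is an added illustration, not the author's model or code: it assumes an additive MAUT roll-up, and every weight, project, and attribute other than "Impact on people" is constructed. Only the disutility values 1, 0.46, 0.05 and 0 come from the page's constructed scale for impact on people.

```python
from math import isclose

# Disutility values from the page's constructed scale for impact on people.
IMPACT_ON_PEOPLE = {3: 1.0, 2: 0.46, 1: 0.05, 0: 0.0}

# Constructed tree: all weights, and every attribute and scale other than
# "Impact on people", are assumptions made for this example.
TREE = {
    "name": "Disutility of not undertaking the project",
    "children": [
        {"name": "Health and safety", "weight": 0.6, "children": [
            {"name": "Impact on people", "weight": 0.7,
             "scale": IMPACT_ON_PEOPLE},
            {"name": "Impact on environment", "weight": 0.3,
             "scale": {2: 1.0, 1: 0.3, 0: 0.0}},
        ]},
        {"name": "Operations", "weight": 0.4, "children": [
            {"name": "Interruption of operations", "weight": 1.0,
             "scale": {3: 1.0, 2: 0.5, 1: 0.1, 0: 0.0}},
        ]},
    ],
}

# Constructed projects, each rated with one scale level per leaf attribute.
PROJECTS = {
    "Replace roof anchors": {"Impact on people": 3,
                             "Impact on environment": 0,
                             "Interruption of operations": 1},
    "Remove lead paint": {"Impact on people": 2,
                          "Impact on environment": 1,
                          "Interruption of operations": 0},
    "Add backup chiller": {"Impact on people": 0,
                           "Impact on environment": 0,
                           "Interruption of operations": 3},
    "Repaint lobby": {"Impact on people": 0,
                      "Impact on environment": 0,
                      "Interruption of operations": 0},
}


def collect_leaves(node, inherited=1.0, out=None):
    """Return {leaf name: (global weight, scale)} and validate the tree.

    Sibling weights must sum to 1 and no attribute may appear twice,
    which mirrors the "no redundancies" check described in the text.
    """
    out = {} if out is None else out
    children = node.get("children")
    if not children:
        if "scale" not in node:
            raise ValueError(f"leaf {node['name']!r} has no constructed scale")
        if node["name"] in out:
            raise ValueError(f"attribute {node['name']!r} appears twice")
        out[node["name"]] = (inherited, node["scale"])
        return out
    total = sum(child["weight"] for child in children)
    if not isclose(total, 1.0, abs_tol=1e-9):
        raise ValueError(f"weights under {node['name']!r} sum to {total}")
    for child in children:
        collect_leaves(child, inherited * child["weight"], out)
    return out


def project_index(tree, ratings):
    """Additive index: sum of global weight times disutility of the rated level."""
    leaves = collect_leaves(tree)
    if set(ratings) != set(leaves):
        # Every attribute must be rated, and nothing outside the tree.
        raise ValueError(f"ratings must cover exactly {sorted(leaves)}")
    index = 0.0
    for name, (weight, scale) in leaves.items():
        level = ratings[name]
        if level not in scale:
            raise ValueError(f"level {level!r} is not on the scale for {name!r}")
        index += weight * scale[level]
    return index


def prioritize(tree, projects):
    """Rank projects by index, highest first (assumed priority rule)."""
    scored = [(name, project_index(tree, r)) for name, r in projects.items()]
    return sorted(scored, key=lambda item: item[1], reverse=True)


if __name__ == "__main__":
    for name, index in prioritize(TREE, PROJECTS):
        print(f"{index:.4f}  {name}")
```

Changing a weight or a rating and re-running shows how sensitive the resulting order is to the deliberated weights.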
Constructed Scale - Impact on People

| Level | Description | Disutility |
|---|---|---|
| 3 | Fatality or lethal exposure (single or multiple), e.g., roof collapse, falling brick masonry, and inhalation of arsine gas | 1 |
| 2 | Major exposure with long term effects, e.g., lead poisoning | 0.46 |
| 1 | Minor injury or exposure, e.g., broken arm or laceration | 0.05 |
| 0 | No personal injury | 0 |

Table 15 - Impact on People

Weick and Sutcliffe imply that by assessing an organization by way of the survey forms, one could determine the degree of HRO-ness of the organization. The conversion of the survey forms into a hierarchical tree provides one with a higher level quantitative tool than that which is provided by the survey forms alone. While the concepts of the HRO will provide the basis for the proposed solution to achieve this dissertation’s objective, modifications are necessary to eliminate shortcomings. The author believes that:

1. Bona fide support and physical action to eliminate and mitigate hazards is not specifically included in the survey forms and is only implied throughout the text; and,
2. The content and intent of the four attributes, in addition to the five basic principles, is important and should either be captured in additional basic principles or incorporated within the five basic principles; the author chose the latter.

B.2 Disaster Resistant University

Description

The Disaster Resistant University (DRU) program initiated in the United States by the Federal Emergency Management Administration provides funding, planning guidance, and Federal and Local government leadership support to applicant universities for the purpose of assessing the vulnerability of the university campus to potential impacts from multiple hazards, whether natural or human-induced. In this instance university is defined to include all forms of institutions of higher learning. The program is described in the FEMA publication titled Building a disaster-resistant university.
Depending upon the cause and magnitude of the impact, members of a university’s community could be subject to death or injury and the university’s academic and research programs and its physical assets and infrastructures, to damage or total destruction. Along with the tragic result of death or injury, universities could suffer losses such as faculty and student departures, decreases in research funding (the Federal government funds $15 billion of research at American universities annually), and increases in insurance premiums. These losses could have been substantially reduced or eliminated through comprehensive pre-disaster planning and mitigation actions.

Natural and human-induced disasters represent a wide array of threats to the instructional, research, and public service missions of higher education institutions. The DRU program provides planning guidance to these institutions to identify risks, assess vulnerability, and develop hazard mitigation plans (Federal Emergency Management Agency, 2003). The authors suggest that the mere mechanics of the DRU vulnerability assessment and report writing process could motivate university decision makers to become more aware of risks and their impact and to see the benefits that could be gained by implementing projects to eliminate or mitigate risks. Also, as risk eliminating or mitigating projects are implemented, talked about broadly, and become more visible to the university’s community, the university’s culture will shift to becoming more risk aware (Federal Emergency Management Agency, 2003).

The attributes of a DRU are as follows.
• Risk awareness: An organization’s ability to identify, assess vulnerability, estimate consequences, and prioritize potential hazards
• Stakeholder engagement: The degree by which an organization communicates with and involves internal and external service providers, including utility and municipal government entities
• Preemptive intervention: Prioritization, funding, planning, and implementing hazard mitigation efforts prior to the realization of the hazard. The degree to which mitigation efforts are integrated with local, state, and Federal government entities
• Training: To develop individual and team competencies in risk awareness and management
• Organizational Learning: The organization’s ability to learn from its experiences and situations experienced by others and to make adjustments when facts dictate, assumptions change, and when more complete information becomes available

Building a disaster-resistant university suggests a four step approach:

1. Organize resources: Identify and engage interested stakeholders and collect available plans and documents. Develop a project plan that includes scheduled deliverables
2. Hazard identification and risk assessment: From the full complement of natural and human-induced hazards, identify credible hazards to the university and assess the university’s vulnerability thereto
3. Developing the mitigation plan: A comprehensive and updatable plan that draws from and complements existing plans and is integrated with local and state jurisdictions and reflects the unique mission and characteristics of the university
4. Adoption and implementation: Identifies the shift in focus from developing the plan to taking action on the plan.
Experience has shown that this can be difficult as institutions face the consequences of changing operations and affecting the university’s culture

Analysis

Although DRU documents do not show by way of a concise enumerated list the attributes that distinguish a disaster resistant university from a university that does not resist disasters, the following list was deduced from DRU publications and captures the essence of the DRU program. A DRU is an academic institution that, to protect its students, faculty, and staff and sustain its education, research, and public service missions, has supportive leadership and processes in place to:

• Perform risk assessment and analysis
  o Identify and prioritize potential hazards
  o Inventory campus assets
  o Assess the institution’s vulnerability to potential hazards
  o Estimate consequences
• Partner with stakeholders
  o Engage stakeholders internal and external to the institution including utility and municipal service providers
  o Communicate frequently
• Intervene preemptively
  o Prioritize, fund, plan, and implement hazard mitigation efforts
  o Integrate mitigation efforts with local, state, and Federal government entities
• Provide training
• Learn from experiences and make adjustments when facts dictate, assumptions change, and when more complete information becomes available

This bulleted list is easily transformed into a hierarchical tree as shown in Figure 9.

Figure 9 – Implied DRU Hierarchical Tree

Discussion

While DRU can be portrayed in the form of a hierarchical tree, more work is needed to ensure that it will perform effectively where implemented. To this end MIT built upon the work done by FEMA, as shown in §B.3. The DRU method would be more useful with attributes that are weighted relative to each other in a manner that reflects the values of the organization for which it is being used.
For example, if an organization favors, by a factor of two, implementing hazard mitigation efforts over conducting inventories of physical assets, implementing hazard mitigation efforts would carry twice the weight of conducting inventories of physical assets in decisions. Weighted scales reflecting the levels of each attribute would make the method more useful. With regard to organizational preconditions, attributes addressing safety and business related concerns are not present.

B.3 DRU at MIT

Description

The DRU project at Massachusetts Institute of Technology (MIT) provides an application of the objectives, principles, and practices of FEMA’s DRU program and considers such an application necessary to become disaster resistant (Li et al., 2009). MIT is potentially vulnerable to natural and human induced hazards and threats and could suffer monetary losses, disruption to its teaching and research mission, and expose students, employees, and guests to danger should one of these hazards or threats occur. Pre-disaster planning and the implementation of the results of such planning could prevent or mitigate the impact. In addition to satisfying the requirements of the DRU program, MIT developed a systematic methodology to assess, rank, and manage multi-hazard risks. The methodology consisted of the following elements (Massachusetts Institute of Technology, 2007).

1. Natural hazard identification;
2. Human-induced hazard identification;
3. Development of hazard screening criteria;
4. Delineation of infrastructures and key campus assets (macro-groups);
5. Identification of interdependencies;
6. Scenario development including initiating event, event trees, and consequences;
7. Generation of hierarchical trees, performance index, and expected performance index;
8. Preliminary risk ranking;
9. Deliberation and final risk ranking; and,
10. Data validation

The concept of the macro-group refers to the often decentralized elements of a university’s infrastructure and key assets that are aggregated into groups of similar character. Risks, their analyses, and resulting mitigation activities are consistently applied to all of the entities that comprise each macro-group (Patterson & Apostolakis, 2007). The campus consists of the fourteen macro-groups listed below.

Mission Related
• Research and education offices
• Chemical-dominant laboratories
• Biological-dominant laboratories
• Animal-dominant laboratories
• Shared-facilities laboratories, e.g. an electron microscopy laboratory available to all researchers
• Other laboratories
• Classrooms

Support and Services
• Medical center
• Administration offices
• Residential halls
• Athletic centers

Other Key Assets
• Central utility generation plant
• Research reactor
• Information technology (data and telephony) assets

The present application of MAUT was based upon fundamental work by Weil and Apostolakis (Weil & Apostolakis, 2001) and further developed by Karydas & Gifun (Karydas & Gifun, 2006) and Apostolakis & Lemon (Apostolakis & Lemon, 2005). The hierarchical tree is shown in context of the entire framework (within the large dashed line area between Performance Measures and Performance Index) in Figure 10.

Figure 10 – DRU at MIT Framework (Li et al., 2009)

The attributes of the hierarchical tree are defined as follows.

• Impact on people: Death, injury and illness (excluding psychological impact) on individuals. Major injuries are chronic injuries or acute injuries that require hospitalization while minor injuries are acute injuries that do not require hospitalization.
This attribute is measured in terms of potential severity and number of injuries
• Impact on the environment: Contamination of the environment where the degree of impact is determined by the quantity of the chemical that could be released in context of regulatory thresholds
• Physical property damage: The cost in dollars to restore the affected physical property and contents (land, buildings, and equipment) were damage to occur
• Interruption of Institute academic activities and operations: The length of time needed to restore academic activities and Institute operations (teaching and research) and other supporting aspects such as work environment or living accommodations
• Intellectual property damage: The degree of potential damage (on a scale of no damage to destruction of long-term experiments) on the affected intellectual and intangible property
• Impact on external public image: The degree of negative image that could be reported by local, national, or international media, held by parents of prospective students, granting agencies, donors, and regulatory agencies
• Impact on internal public image: The degree of negative image that could be held by parents of existing students, students, faculty, staff, and other members of the MIT community. This attribute is measured by the degree of adverse publicity generated by verbal complaints, published negative articles, and petitions and demonstrations
• Program affected: The impact on the business, operation, employment, and objectives of Institute programs (departments, laboratories, or centers) as measured by number of employees and departments that could be affected

Analysis

The framework will not be fully examined within this dissertation; therefore, the reader is encouraged to refer to Ranking the risks from multiple hazards in a small community (Li et al., 2009) should more detailed information be required.
Discussion

A major learning from the MIT DRU project emerged from the preliminary risk ranking process shown in Figure 11 within the dashed line area labeled scenario impact evaluation. In this process, risk scenarios were rated by stakeholders and given an index reflecting the rating. Each risk received two indices: one that did not include the probability of the scenario event occurring, i.e. the Performance Index (PI), and the other that did, i.e. the Expected Performance Index (EPI). Because of the low probabilities of the risks addressed in the project, the EPI of such risks could be considered too low to be a concern. Thus for risks with low probability of occurrence and high consequences the PI should be used. This means that the decision-makers should include in their mitigation deliberations risks ranked by PI and EPI. An example will be discussed in the section below on the applicability of the DRU model as a preemptive or post impact event assessment tool.

MIT’s DRU project resulted in several transferable opportunities: 1) a methodology to describe a university in terms of its values regarding established criteria, understand potential risks in context of the reality of the campus and to prioritize the implementation of such opportunities using stakeholder value and technical analysis, 2) the concept of the macro-group that can be applied to other universities with little adaptation and to other organizations and small communities with a bit more, and 3) the value of ranking risks with and without the probability of the risk scenario occurring.

The purpose of the DRU program is to provide universities with a framework to determine the vulnerability of the university to potential hazards and threats so that the university is better able to implement effective mitigation and protective measures. While the DRU method was designed to be used preemptively, MIT’s version can be used both preemptively and correctively as described below.
Preemptive example: Consider the scenario of an uncontrolled fire. In this instance an uncontrolled fire refers to a fire that takes place in a space that is intentionally not protected by fire sprinklers. An example of the questions one should ask during deliberation is: are the spaces around the un-sprinkled space served by fire sprinklers? If yes, then the fire could be contained and the impact would be less than had the fire occurred in a building that does not have fire sprinklers. If no, then more extensive protective measures should be considered including the relocation of the hazard. The point being that by understanding high consequence low probability events lower cost mitigation possibilities could emerge (Li et al., 2009).

Corrective example: Consider the hypothetical occurrence of a high-consequence / low-probability event, i.e. an uncontrolled fire where a fire suppression system is not present within the room where the fire originated. In this example a building system component exploded causing the death of two people and a fire. The room housing the component was not protected by a sprinkler system as was permitted by local regulators, albeit the balance of the building was. Although the doors to the room were found open by responding firefighters and two fire sprinkler heads in an adjacent corridor were activated, the fire was contained to the room. One could determine the level of impact of each of the performance measures to determine the index for the scenario. That is, the level selected for each performance measure would be based upon the rater’s interpretation of an actual event, not a fabricated scenario. This process would be useful for comparing repair and future mitigation opportunities to the impact of the hazard. Given the example above, Table 16 shows the authors’ ratings using the performance measures provided in Ranking the risks from multiple hazards in a small community (Li et al., 2009).
While considerable information was gathered from the aforementioned paper the author’s expert judgment was used to complete the necessary information for the purpose of this demonstration.

| Performance Measure (Global Weight) | Impact | Disutility | Weight (Global Weight · Disutility) | % of Performance Index |
|---|---|---|---|---|
| Impact on people (0.295) | Two fatalities plus twenty five to thirty people taken to local hospitals for treatment and then released* | 0.67 | 0.198 | 71.7 |
| Impact on the environment (0.196) | Contaminant levels below regulatory reporting threshold* | 0.04 | 0.008 | 2.8 |
| Physical property damage (0.049) | Repairs made to damaged areas, equipment replaced, plus upgrades of several building systems required by local authorities. Estimated cost less than $10 million* | 0.27 | 0.013 | 4.8 |
| Interruption of Institute academic activities and operations (0.056) | Temporary accommodations readily available, say less than 1 week to restore operation* | 0.06 | 0.003 | 1.2 |
| Intellectual property damage (0.128) | Data not backed up when power to building interrupted. Worst case - work undertaken during morning of event probably lost* | 0.05 | 0.006 | 2.3 |
| Impact on external public image (0.083) | Event was reported by local media and on-line news outlets. Regulatory agencies conducted investigations* | 0.57 | 0.047 | 17.2 |
| Impact on internal public image (0.055) | No adverse publicity* | 0 | 0 | 0 |
| Program affected (0.138) | No impact* | 0 | 0 | 0 |
| Performance Index | | | 0.276 | |

* Expert judgment

Table 16 – Corrective Example Based Upon Li et al (Li et al., 2009)

Seventy two percent of the performance index is due to the performance measure, impact on people, and is attributed to the fatalities that occurred during the explosion and fire. Clearly, in this example any risk mitigation project should be implemented to prevent the explosion of building system components and fires from occurring.
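The weighted-sum calculation behind Table 16 and the PI-versus-EPI point made in the Discussion, as an added example that is not code from the dissertation or from Li et al. (2009). The weights and disutilities are transcribed from Table 16; the formula EPI = probability × PI, the two other scenarios, and all probabilities are assumptions constructed for illustration.

```python
"""Added example: Performance Index (PI) and Expected Performance Index (EPI).

Not code from the dissertation or from Li et al. (2009).
"""

# (global weight, disutility) per performance measure, transcribed from Table 16.
TABLE_16 = {
    "Impact on people": (0.295, 0.67),
    "Impact on the environment": (0.196, 0.04),
    "Physical property damage": (0.049, 0.27),
    "Interruption of academic activities and operations": (0.056, 0.06),
    "Intellectual property damage": (0.128, 0.05),
    "Impact on external public image": (0.083, 0.57),
    "Impact on internal public image": (0.055, 0.0),
    "Program affected": (0.138, 0.0),
}


def validate(ratings):
    """Global weights must sum to 1 and every disutility must lie in [0, 1]."""
    total = sum(weight for weight, _ in ratings.values())
    if abs(total - 1.0) > 1e-9:
        raise ValueError(f"global weights sum to {total}, expected 1")
    for name, (_, disutility) in ratings.items():
        if not 0.0 <= disutility <= 1.0:
            raise ValueError(f"disutility out of range for {name}: {disutility}")


def performance_index(ratings):
    """PI: sum over performance measures of global weight x disutility."""
    validate(ratings)
    return sum(weight * disutility for weight, disutility in ratings.values())


def contributions(ratings):
    """Share of the PI, in percent, contributed by each performance measure."""
    pi = performance_index(ratings)
    if pi == 0:
        return {name: 0.0 for name in ratings}
    return {name: 100.0 * w * d / pi for name, (w, d) in ratings.items()}


def expected_performance_index(pi, probability):
    """EPI. Assumption: EPI = probability x PI (the page gives no formula)."""
    if not 0.0 <= probability <= 1.0:
        raise ValueError(f"probability out of range: {probability}")
    return probability * pi


def rank(scenarios, use_probability):
    """Scenario names, highest index first, ranked by EPI or by PI."""
    def index(item):
        pi, probability = item[1]
        if use_probability:
            return expected_performance_index(pi, probability)
        return pi
    ordered = sorted(scenarios.items(), key=index, reverse=True)
    return [name for name, _ in ordered]


def deliberation_list(scenarios, top_n):
    """Union of the top-n scenarios by PI and by EPI, so that a
    high-consequence / low-probability scenario is not dropped from review."""
    by_pi = rank(scenarios, use_probability=False)[:top_n]
    by_epi = rank(scenarios, use_probability=True)[:top_n]
    return sorted(set(by_pi) | set(by_epi))


# Constructed scenarios as (PI, annual probability). Only the fire PI comes
# from Table 16; every other number here is made up for illustration.
SCENARIOS = {
    "Uncontrolled fire": (performance_index(TABLE_16), 1e-4),
    "Power outage": (0.05, 0.1),
    "Minor chemical spill": (0.02, 0.5),
}


if __name__ == "__main__":
    print(f"PI = {performance_index(TABLE_16):.3f}")
    for name, share in contributions(TABLE_16).items():
        print(f"  {name}: {share:.1f}%")
    print("Ranked by PI: ", rank(SCENARIOS, use_probability=False))
    print("Ranked by EPI:", rank(SCENARIOS, use_probability=True))
    print("Deliberate on:", deliberation_list(SCENARIOS, top_n=1))
```

With these constructed probabilities the fire ranks first by PI and last by EPI, which is why the list for deliberation takes the union of both rankings.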
Considering the attributes of the DRU, gleaned from FEMA documentation, as the basis for ranking risks and making hazard mitigation decisions, one can readily see that there are no duplicates and that the attributes represent the main facets of a decision. It is not known whether most organizations would find the attributes presented as representative or sufficient to make decisions, but MIT selected attributes that were based on the values of the MIT community. The methodology used by MIT to develop the DRU Framework, including the hierarchical tree, was rigorous and included many checks for consistency, sensitivity of select variables, and compliance with MAUT principles (Li et al., 2009).

B.4 Resilient Enterprise

Description

According to Yossi Sheffi, author of the Resilient Enterprise, the resilient enterprise (RE) overcomes vulnerability for competitive advantage. The resilient enterprise requires that the organization be a good learning organization, i.e. to fulfill the principles it must think beyond its line of business and do more to understand its environment, develop relationships with suppliers and employees, and develop its physical and organizational systems (Sheffi, 2005). The principles of the resilient enterprise are:

• Organizing for action: Security and business continuity. The RE, as much as it prepares, knows that it could be faced with a hazard or impact that may overpower it.
This does not mean that the company is worried that something is going to happen, but that it is realistic enough to know that something could happen someday and that, by being prepared, the impact could be lessened and the recovery time shortened
• Assessing vulnerabilities: This principle requires that one should evaluate all of the potential vulnerabilities and determine which credible events could happen, the severity and likelihood of the event happening, and to take steps to prevent them from occurring or to implement measures to diminish the potential impact
• Reducing the likelihood of disruptions: Early detection can influence the likelihood of a disturbance by making the organization aware that action is needed, e.g. a preventative maintenance inspection that discovers the early stage of a system failure. Also, early detection can influence the potential impact of a disturbance as it could provide sufficient time to implement measures to diminish the potential impact
• Collaborating for security: Like a citizen staffed neighborhood watch program, the people who make up organizations are its sensory system. Many eyes, ears, and the physical presence of people who choose to get involved can be a deterrent to crime. Also, employees who learn of potential disturbances that are credible and could impact the organization, and who bring such information to the organization, could provide the organization with sufficient time to implement measures to diminish the potential impact
• Building in redundancies: Backup systems and surpluses. The goal is to provide resources, backups, and redundancies for systems that are prioritized in order of decreasing importance to the organization
• Designing resilient supply chains: Relationships with suppliers. While the organization may be fully functional it may suffer disturbances in its supply chain that could prevent or diminish the level of production of which it is capable.
One way to develop resilient supply chains is to develop relationships with suppliers before the emergency, during the course of typical operations, so that if the supplier is impacted in such a way that it is not able to produce enough parts for all of its customers, the organization is in good enough standing to have priority access to the parts that it needs. Another aspect is to develop relationships with several suppliers so that stock can be purchased, perhaps at a higher price, but purchased nonetheless. Another possibility is to stock critical components on site or to pre-purchase supplies so that there is always a reserve of supplies available
• Investing in training and culture: People make organizations work and require training to do so. Also, in order for the organization to be the best it must train its people in understanding risks and the processes associated with removing risks, and in knowing about the operation so that they can make suggestions for improvements. The people need to know how to do their job well and must possess the skills to relay their concerns and know when something is wrong

Analysis and Discussion

As written, the principles of the RE cannot be viewed directly and are too broadly defined to be transformed into a hierarchical tree, but these principles and the examples provided in the text can be used to create one. That is, as long as an organization is willing to invest the time and effort to do so. While the Resilient Enterprise did not provide a fully structured hierarchical tree it provided much to the development of the hierarchical tree that will be introduced later in this dissertation.
B.5 Enterprise Risk Management

Description

Enterprise risk management (ERM), a result of the Sarbanes-Oxley Act of 2002 (Sarbanes & Oxley, 2002), differs from the fragmented and compartmentalized risk management solutions already in place in many organizations as it elevates risk discussions to a strategic level, it is a fully supported top-down initiative, and it offers a holistic view of the enterprise to capture a variety of risks throughout the firm. ERM supports organizational emphasis on strategy by helping the organization find a better balance between loss-prevention, risk mitigation, and risk taking efforts (Tonello, 2007). ERM is an approach to identifying and evaluating all relevant risks an organization faces, aligning strategies with risk appetite, and perpetually managing exposures so that the entity’s strategic plan is achievable (FM Global, 2007).

According to the 2004 report by the Committee of Sponsoring Organizations of the Treadway Commission entitled Enterprise risk management – integrated framework, value is maximized when an entity’s management sets strategy and objectives to achieve an optimal balance between growth and return goals and related risks, and efficiently and effectively deploys resources to achieve such objectives (Committee of Sponsoring Organizations of the Treadway Commission, 2004). The following capabilities, from Enterprise risk management – integrated framework, help management achieve performance and profitability targets and prevent loss of resources. ERM helps ensure effective reporting and compliance with laws and regulations, and helps an organization avoid damage to its reputation and associated consequences.
• Aligning risk appetite and strategy: Risk appetite is considered when evaluating strategic alternatives, setting related objectives, and developing the means and methods to manage related risks
• Enhancing risk response decisions: A rigorous approach for identifying and selecting among alternative risk responses – risk avoidance, reduction, sharing, and acceptance
• Reducing operational surprises and losses: Enhanced capability to identify potential events and establish responses, reducing surprises and associated costs or losses
• Identifying and managing multiple and cross-enterprise risks: Enterprise risk management facilitates effective response to interrelated impacts, and integrated responses to multiple risks that could affect different parts of an organization
• Seizing opportunities: By considering a full range of potential events, management is positioned to identify and proactively realize opportunities
• Improving deployment of capital: Robust risk information allows management to effectively assess overall capital needs and enhance capital allocation

The ERM framework consists of three sets of factors, i.e. objectives, components, and units. The four objectives are:

• Strategic: High-level goals, aligned with and supporting its mission
• Operations: Effective and efficient use of resources
• Reporting: Reliability of reporting
• Compliance: Compliance with applicable laws and regulations

Also, the framework consists of eight interrelated components or criteria:

• Internal environment: Encompasses the tone of an organization, and defines the basis for how risk is viewed and addressed, including the organization’s risk management philosophy and risk appetite, its integrity and ethical values, and the environment in which they operate
• Objective setting: Objectives must exist before management can identify potential events affecting their achievement.
Therefore, enterprise risk management ensures that management has in place a process to set objectives and that chosen objectives support and align with the organization’s mission and are consistent with its risk appetite
• Event identification: Internal and external events affecting achievement of an organization’s objectives must be identified and differentiated between risks and opportunities. Opportunities are channeled back to management’s strategy or objective setting processes
• Risk assessment: Risks are analyzed, considering likelihood and impact, as a basis for determining how they should be managed. Risks are assessed on an inherent and a residual basis
• Risk response: Management selects risk responses, avoiding, accepting, reducing, or sharing risk and develops a set of actions to align risks with the organization’s risk tolerances and risk appetite
• Control activities: Policies and procedures are established and implemented to help ensure the risk responses are effectively carried out
• Information and communication: Relevant information is identified, captured, and communicated in a form and timeframe that enables people to carry out their responsibilities. Effective communication occurs within and across all levels of the organizational hierarchy
• Monitoring: The entirety of enterprise risk management is monitored and modifications are made as necessary. Monitoring is accomplished through ongoing management activities, separate evaluations, or both

In addition the framework incorporates a third dimension, the organization and its subsets, i.e. its subsidiaries, business units, divisions, and the combination thereof. ERM is a multidirectional, iterative process where almost any component can and does influence another. There is a direct relationship between the objectives, i.e. that which an organization strives to achieve, and the components, i.e. that which is needed for an organization to achieve its objectives.
This three-dimensional matrix is depicted by the cube shown in Figure 11 (Committee of Sponsoring Organizations of the Treadway Commission, 2004).

Figure 11 – ERM Objectives, Components, and Units (Committee of Sponsoring Organizations of the Treadway Commission, 2004)

Analysis and Discussion

ERM provides guidance for an organization to examine itself and determine the potential impact of hazards for a specific scenario, preemptively. However, other than pointing one toward areas where investigation or analysis should be undertaken, a formal method is not provided. Also, ERM is not based upon multi-attribute utility theory nor does it suggest a hierarchy. Thus, it cannot be expressed as a hierarchical tree. ERM provides a good foundation for the development of a hierarchical tree, but the text does not provide enough detail for one to be extracted therefrom.

While not part of this research it is interesting to note that the Sarbanes-Oxley Act had no noticeable effect on the economic downturn in the fall of 2008. This regulation increased oversight of the public accounting firms that oversee publicly traded companies’ balance sheets and the amount of regulation of publicly traded companies. Many public companies complained that Sarbanes-Oxley was too onerous because it required more paperwork and more intensive internal control mechanisms. Many companies that went private following the implementation of Sarbanes-Oxley cited the new rules as being the reason for leaving the public markets. The shift in the number of public offerings from New York to London and Hong Kong is attributed by some critics to be the result of Sarbanes-Oxley. A survey undertaken in 2008 by BDO Seidman reported that 65% of technology company chief financial officers said that the rules related to improved controls and processes had strengthened their company. Some efforts were made to curtail Sarbanes-Oxley but such efforts failed (Kansas, 2009).
B.6 Risk-Based Process Safety

Description

The Center for Chemical Process Safety (CCPS) was created by the American Institute of Chemical Engineers in 1985 after the occurrence of chemical disasters in Mexico City, Mexico and Bhopal, India. To promote process safety management excellence and continuous improvement, CCPS developed risk-based process safety (RBPS) as a comprehensive process safety management framework. RBPS is built upon four pillars: commitment to process safety, understand hazards and risk, manage risk, and learn from experience (Center for Chemical Process Safety, 2007). Note the similarity between the four pillars in RBPS and Moody’s four pillars of risk management assessment: risk governance, risk management, risk analysis and quantification, and risk infrastructure and intelligence (Tonello, 2007).

Analysis

As can be seen in Figure 12 the hierarchical tree (partially shown) represents information provided by CCPS in its book, Guidelines for Risk Based Process Safety. The four pillars are divided into 20 elements which are then divided into 314 sub-elements and then 634 performance measures. Treating the framework as a hierarchical tree, the constructed scales below each performance measure would consist of a total of 2,058 levels (average of 3 per performance measure).

Discussion

The RBPS framework is based on the principles of MAUT and provides a comprehensive view of a process organization; however, its comprehensiveness renders both narrowly and broadly focused applications unmanageable. Nevertheless, RBPS functioned as a reference for the development of the integrated model proposed by this dissertation.

Figure 12 – Hierarchical Tree (partially shown), Risk-based Process Safety

B.7 Reactor Oversight Process

Description

The reactor oversight process (ROP) is a regulatory oversight process developed by the U.S.
Nuclear Regulatory Commission to achieve the agency’s four performance goals: 1) maintain safety, 2) increase public awareness, 3) increase regulatory effectiveness and efficiency, and 4) reduce unnecessary regulatory burden. The ROP was tested by way of a pilot program in 1999 and then extended to all commercial reactors in 2000 (United States Nuclear Regulatory Commission, 2001; United States Nuclear Regulatory Commission, n.d.). To achieve the Agency’s goals the regulatory framework shown in Figure 13 was developed and consists of three key performance areas: reactor safety, radiation safety, and safeguards. The NRC evaluates plant performance by analyzing two distinct inputs: inspection findings resulting from NRC's inspection program and performance indicators reported by the licensees.

Figure 13 – Reactor Oversight Process (United States Nuclear Regulatory Commission, 2007a)

Within each strategic performance area are cornerstones that reflect the essential safety aspects of facility operation, i.e. initiating events, mitigating systems, barrier integrity, emergency preparedness, public radiation safety, occupational radiation safety, and physical protection. Licensee performance is measured by way of established performance indicators where satisfactory licensee performance provides reasonable assurance that the facility is being operated safely and that NRC’s safety mission is being accomplished.

Analysis

Performance indicators and inspection protocols exist for each of the cornerstones. For example, the objective of the cornerstone labeled, initiating events, is to limit the frequency of events that upset plant stability and challenge critical safety functions during shutdown as well as power operations. If such an event were not properly mitigated, and if multiple barriers were breached, a reactor accident could result which might compromise public health and safety.
Thus, licensees can reduce the likelihood of a reactor accident by maintaining a low frequency of these initiating events. Heat sink performance is one of the twenty-three inspections required for this cornerstone. An example of the thresholds associated with the initiating events, i.e. unplanned scrams, scrams with loss of normal heat removal, and unplanned power changes, is shown in Table 17 (United States Nuclear Regulatory Commission, 2007a; United States Nuclear Regulatory Commission, 2007b).

| Initiating Events Indicator | Thresholds*: (White) Increased Regulatory Response Band | Thresholds*: (Yellow) Required Regulatory Response Band | Thresholds*: (Red) Unacceptable Performance Band |
|---|---|---|---|
| Unplanned Scrams | > 3.0 | > 6.0 | > 25.0 |
| Scrams with Loss of Normal Heat Removal | > 2.0 | > 10.0 | > 20.0 |
| Unplanned Power Changes | > 6.0 | N/A | N/A |

*A column for met objectives, i.e. those that would be colored green is not included

Table 17 – Performance Indicator, Initiating Events (United States Nuclear Regulatory Commission, 2007a)

Affecting all aspects of safe operations are three cross-cutting areas: human performance, safety-conscious work environment, and problem identification and resolution. All of these cross-cutting areas are related to organizational factors and processes. According to Organizational Contributions to Nuclear Power Plant Safety by Ghosh and Apostolakis, organizational failures were important contributors to the accidents at the Chernobyl and Three Mile Island reactors in 1986 and 1979, respectively, and organizational deficiencies continue to present themselves in less severe incidents. These experiences underscore the importance of safety culture and other organizational factors in the safe operation of nuclear power plants, and are applicable to other high-risk industries. Nuclear power plant safety is affected by way of the following mechanisms from operating experience:
• Organizational processes as they can contribute to common-cause failures of multiple redundant components, e.g.
deficient maintenance practices used on multiple components
• Organizational processes and factors because they can contribute to common-cause failures of diverse components
• Latent organizational weaknesses such as inadequate training
• The pervasiveness of safety culture where weaknesses therein could be revealed when the system is challenged
• Organizational contributions to unreliability are not captured explicitly and could be sources of uncertainty and incompleteness. Initiating events caused by plant personnel actions during routine activities could be a source of incompleteness, as well
• Organizations and people provide a layer in the plant’s defense-in-depth scheme.
• Organizations that handle challenging situations are well-positioned to handle challenging situations and may be better at averting accidents (Ghosh & Apostolakis, 2005)

The colors indicated in Table 17 represent the level of achievement for each criterion for both the inspections and the performance indicators, where green indicates performance within an expected performance level in which the related cornerstone objectives are met; white indicates performance outside an expected range of nominal utility performance but related cornerstone objectives are still being met; yellow indicates related cornerstone objectives are being met, but with a minimal reduction in safety margin; and red indicates a significant reduction in safety margin in the area measured by that performance indicator (United States Nuclear Regulatory Commission, 2007c).

Discussion

Although developed for a specific safety purpose, the ROP provides a good example of the application of MAUT and an example of modifications that can be done to hierarchical trees. Since ROP is focused on safety in reactors it is not applicable, without expansion, to generalized applications that include other aspects of the organization.
B.8 Hearts and Minds

Description

The Hearts and Minds safety program, developed by Shell Exploration & Production and based on fundamental research on organizations, errors, accidents, and safety culture by James T. Reason and others, focuses on the health, safety, and environmental aspects of the organization (Energy Institute, 2007) (British Standards Institute, 2006). Reason’s model, a description of the trajectory of an accident, is both simple and profound. It is referred to as the Swiss cheese analogy where slices of Swiss cheese, representing layers of defenses, are placed between the hazard and the impact of the hazard, and it is when the holes in the layered defenses line up that the impact of the hazard is realized. Ideally defenses would be impenetrable; however, in reality each layer has weaknesses. In Reason’s model the weaknesses, i.e. holes in the slices, may be due to active failures, latent conditions, or both, and the defensive layers could represent the likes of organizational policies, practices, or physical countermeasures.

The system that produces the impact event consists of three levels: organizational factors, local workplace factors, and unsafe acts. Organizational factors include strategic decisions and generic organizational processes, e.g. forecasting, budgeting, allocating resources, planning, scheduling, communicating, managing, and auditing. Workplace factors (likely to promote unsafe acts) include undue time pressure, inadequate tools and equipment, poor human-machine interfaces, insufficient training, under-staffing, poor supervisor to worker ratios, low pay, low status, macho culture, unworkable or ambiguous procedures, and poor communications. Local factors combine with natural human tendencies to produce unsafe acts, i.e. errors and violations committed by individuals and teams at the human-system interface. According to Reason, large numbers of these unsafe acts are made but only very few create holes in the defenses.
For example, active failures can create holes in defenses in at least two ways: 1) front-line personnel may deliberately disable certain defenses to achieve local operational objectives and 2) front-line operators may fail in their role as the system’s most important lines of defense, e.g. wrong diagnosis that leads to inappropriate recovery actions (Reason, 1990; Reason, 1997).

The performance of a health, safety, and environmental program depends upon the organization’s culture to accept scrutiny of existing practices and policies and its ability to learn from experience and institute change based upon those experiences. The program consists of a set of training tools where participants identify local strengths, understand other people’s perceptions and identify how commitment is turned into action, learn how to manage change and support improvement processes and organizational change, understand and mitigate risks, learn to make better risk-based decisions, manage rule-breaking, improve the non-technical skills of supervisors, build on and support existing programs, and improve driving behavior (Energy Institute, 2007).

The program consists of two interrelated aspects:

1) An overall framework (high-level view) in the form of a ladder, see Figure 14, representing levels of cultural maturity. Thus, the ladder provides the means to measure progress on the organizational change continuum.
The goal is to increase the level of cultural maturity from pathological to generative while the process focuses on three key elements: 1) personal responsibility - understanding and accepting what should be done and know that which is expected, 2) individual consequences - understand and accept that there is a fair system for reward and discipline, and 3) proactive intervention - work safely as one is motivated to do the right things naturally, not just because one is told to, and intervene and actively participate in improvement activities

2) The processes and learning modules needed to facilitate change by developing the skills, practices, expectations, and systems within the organization to preemptively prevent and mitigate the occurrence and impact of accidents

Figure 14 - The Health Safety and Environment Culture Ladder (Energy Institute, 2007)

The literature associated with H&M clearly states that success is dependent upon leaders being personally motivated to make a difference and that everyone involved, especially senior managers, see the advantages and are prepared to commit to follow through. The distinction between the skills needed by managers and supervisors is reflected in the H&M training, i.e. one half of the modules are intended for managers while the other half are intended for supervisors (Energy Institute, 2007).

Analysis

The hierarchical tree displayed in Figure 15 was extracted from printed H&M materials, without textual modification (H&M literature does not display the model in the form of an hierarchical tree). Furthermore, H&M does not provide relative weights for any of the elements that form the hierarchical tree but provides sufficient detail to identify and define impact categories such as leadership and commitment and performance measures such as commitment level of workforce and level of care for colleagues.
The distinction between manager and supervisor is reflected in the hierarchical tree; performance measures associated with management are above the horizontal line while those associated with supervision are below the line.

Figure 15 - Hearts and Minds Hierarchical Tree

Not shown on the hierarchical tree are the constructed scales that provide one with the means to quantify a particular performance measure. While constructed scales are not provided by H&M, suitable level descriptions consistent with the progression of the ladder rungs shown in Figure 15, are. For example, the constructed scale for the attribute, is management interested in communicating HSE issues with the workforce, would include the following levels:
• Pathological: Management only communicates Health, Safety, and Environment (HSE) issues by telling workers not to cause problems
• Reactive: After incidents ‘flavor of the month’ HSE messages are passed down from top management. Any interest gets less over time as things ‘get back to normal’
• Calculative: Management shares a lot of information with workers and has frequent HSE initiatives. Management does a lot of talking but is not really listening
• Proactive: There is a two-way process of communication about HSE issues in place. Asking as well as telling goes on
• Generative: There is frequent and clear two-way communication about HSE issues in which management gets more information back than they provide. Everyone knows when there is an incident

Discussion

While relative weights of each attribute and level are not provided, an organization choosing to adopt H&M could establish such weights. Hearts and Minds can be expressed in a hierarchical tree and incorporates the principles of MAUT as the criteria are both exhaustive and conclusive.
This hierarchical tree can be used in two ways: 1) vertically as a way to express the hierarchical nature of the organization and a score representing HSE culture and 2) horizontally as a way to determine the quality of management and supervision by way of the rating resulting from the performance measures associated with each. For the same reasons expressed in the section on the HRO, the H&M hierarchical tree is applicable for use preemptively and correctively.

A major shortcoming of H&M, when considering its applicability as a means to describe an organization, is that it focuses on safety, health, and environmental issues and does not address other functions of the organization directly. Therefore, prior to implementation in an organization where a comprehensive view is desired, as in this dissertation, modification is necessary.

B.9 Business Continuity Planning

Description

Business continuity planning (BCP), also referred to as business continuity management (BCM), is a management and governance process that enables an organization 1) to identify potential threats and predict the consequences of such threats should they be realized and 2) to preemptively implement the means to eliminate or mitigate the impact of such threats and quickly recover therefrom; all for the purpose of ensuring the continuity of core processes (the delivery of critical products and services) by building organizational resilience.
The key elements of BCP as provided by the British Standards Institute are (British Standards Institute, 2006):
• BCM program management: Management structure and practices that enable the organization to establish and maintain its business continuity capability
• Understanding the organization: Understanding comes from information that describes an organization’s critical products and the activities and resources necessary for their delivery, identifying objectives and stakeholder obligations, identifying and analyzing the impact and consequences associated with failures and threats, and estimating recovery requirements
• Determining options: The preemptive evaluation of a range of strategies and tactical options (solutions) to support response decisions that are based upon acquired data and analysis and considers the resilience and countermeasure options already in place
• Developing and implementing a response: The creation of business continuity and incident management plans and the implementation of measures to eliminate or mitigate the likelihood of threats. Such measures include coordinated organization-wide responses to the incident and the restoration of the organization’s activities
• Exercising, maintenance, auditing and self-assessment: The results generated by this element enable the organization to demonstrate that its strategies, plans, and equipment are reliable, effective, credible, and operational. The motive is to verify that the organization can recover from an impact by making certain that plans, training programs, and processes work
• Embedding BCM in the organization: Enables BCM to become part of the organization’s core values and instills confidence in stakeholders in the ability of the organization to cope with major disruptions

Analysis

The degree of effectiveness of a BCP program is dependent upon the level of importance and support given by the organization’s leadership and the degree to which it is embedded within its culture.
Both the British Standards Institute in its Code for practice for business continuity management and the National Fire Protection Association in NFPA 1600 Standard on disaster/emergency management and business continuity programs (National Fire Protection Association, 2004) provide comprehensive and adaptable definitions and guidance for establishing and maintaining an effective BCP; however, organizations can and should customize the definitions of the key elements to match specific needs. The key elements incorporate (British Standards Institute, 2006):
• Understanding
  o The overall context within which the organization operates
  o Organizational objectives and its core processes and critical products and services
  o Potential barriers and interruptions
  o How the organization can continue to achieve its objectives given an interruption
  o The likely range of outcomes given that controls and mitigation strategies are implemented
  o The criteria by which incident and emergency response and business recovery procedures are implemented
• Ensuring that all personnel understand their roles and responsibilities
• Building consensus and commitment to the implementation, deployment, and exercising of business continuity
• Integrating BCP into the organization’s routine practices and culture

Discussion

BCP provides a structure that when followed, implemented, and supported should maximize an organization’s ability to recover quickly from disasters that it cannot avoid. BCP presents a cyclical organizational process where the organization is expected to repeatedly pass through the process and incorporate changed conditions or revisions due to shortcomings identified during tests, exercises, or actual experiences as they occur. BCP is applicable in both preemptive and corrective situations.
B.10 Rejected Models

While nine models were selected (explanations for each are provided in §B.1 – §B.9), those rejected included several multi-attribute models that were simply similar enough to a model that was already selected that inclusion would have resulted in duplication or for which little detail was available to fully describe the model as prescribed by this dissertation. Other models were rejected because they lacked the rigor and efficiency of the analytic-deliberative process. Supporting the latter cause for rejection, several examples are provided below.

Pro and Con

The pro and con list, a list of arguments for and against a particular consideration, is used by many decision-makers because it is systematic but was rejected because of its inherent lack of rigor and quantification. The method requires the decision-maker to:
1. List the pros and cons
2. Estimate respective weights
3. Strike out offsetting pros and cons
4. Review non-offsetting pros and cons and make a decision

An important aspect of this process is that Step 4 should be given sufficient time, a day or two, to make certain that nothing new occurs on either side that could influence the outcome. The entire pro and con process is explained in a letter from Benjamin Franklin to Joseph Priestley dated September 19, 1772 (Labaree & Bell, 1956). The explanation given by Benjamin Franklin does not tell us how to weight each pro and con; however, refinements have been made since to include the probability of the realization of a pro or con and a numerical weight for each (Nickols, 2008). While quantification is an improvement, the process is not efficient as each time a decision is to be made a new set of pros and cons, including probabilities and weights, must be created.

Responsible Care®

Dow Chemical’s Responsible Care (a registered service mark of the American Chemistry Council) program was rigorously examined but rejected because the criteria were not sufficiently described.
While it appears that the model is comprehensive and could fulfill the requisites of this dissertation, the lack of available detail behind the criteria labels caused it to be rejected. Literature indicates the existence of a set of open-ended questions; however, as they were not available it is not known whether they would have provided the lacking detail and caused the model to be selected. That said, the Responsible Care program as described captures the essence of the integrated model and is worthy of more explanation. The structure of Responsible Care, developed in 1989 by the American Chemistry Council, formerly the Chemical Manufacturers Association, is designed to evaluate five management systems: 1) policy and leadership, 2) planning, 3) implementation, operation, and accountability, 4) performance measurement and corrective action, and 5) management review and reporting, by way of attributes and open-ended questions. The following outline was extracted from a management system verification study by Verrico Associates in 1999 and shows the program’s structure and hints at its potential (Verrico Associates, 1999).

1. Policy and leadership
   a. Management and company commitment
   b. Relevance of policies
   c. Goals and objectives
   d. Communications
   e. Employee involvement and awareness
2. Planning
   a. Assessment of hazards and risks
      i. Product risk
      ii. Process risk
      iii. Distribution and transportation risk
   b. Maintaining goals, objectives, and targets
   c. Regulatory information
   d. Resource allocation
   e. Assessment of community and employee concerns
3. Implementation, operation, and accountability
   a. Responsibility and accountability
   b. Training programs
   c. Operating and maintenance procedures
   d. Emergency response plans
   e. Transportation emergency response
   f. Commercial partners
      i. Carriers
      ii. Contractors
      iii. Customers
      iv. Distributors
      v. Suppliers
      vi. Tollers
      vii. Waste disposal contractors
      viii. Waste reduction and groundwater protection programs
4. Performance measurement and corrective action
   a. Tracking and investigation of emissions, releases, accidents, and incidents
   b. Reviewing performance of commercial partners
      i. Carriers
      ii. Contractors
      iii. Customers
      iv. Distributors
      v. Suppliers
      vi. Tollers
      vii. Waste disposal contractors
   c. Audit of compliance
   d. Measuring effectiveness of communications
5. Management review and reporting
   a. Periodic review of objectives and policies
   b. Reporting mechanism to stakeholders
   c. Benchmarking
   d. Performance management system for employees

Intuition

Intuition is a common means for making judgments but was rejected because it does not provide a systematic, transparent, defendable, or repeatable approach. According to the Harvard Business Review in an article titled When to trust your gut by Alden Hayashi, various management studies have found that executives rely on their intuition to solve complex problems when logical methods (such as benefit-to-cost methods) are not applicable. Intuition is often wrong and is exacerbated by the factors that prevent the realization of how faulty intuition can be, i.e. cognitive bias (Hayashi, 2001).

Garbage Can Model

The Garbage Can model was developed in 1972 as a means to explain decision situations in organizations:
1. That operate on a loose collection of ideas instead of a coherent structure; where the organization discovers preferences through action more than it acts on the basis of preferences,
2. That operate on the basis of trial-and-error procedures, the residue of learning from accidents of past experience, and pragmatic inventions of necessity, and;
3.
Where the audiences and decision makers for any particular kind of choice change impulsively and unpredictably These properties are particularly found in public, educational, and illegitimate organizations and suggest that such organizations can be considered as collections of choices (garbage cans) looking for problems, issues, and feelings looking for decision situations in which they might be aired, solutions looking for issues to which they might be an answer, and decision makers looking for work (Cohen, March, & Olsen, 1972). The Garbage Can model does not do a good job of resolving problems; however, it does enable choices to be made and problems to be resolved in organizations that posses the properties enumerated above (Cohen & March, 1974). As enticing and as interesting as it would be to include a model that describes organizational choice within a university, the Garbage Can model does not employ a rigorous analyticdeliberative process or support the purpose of this dissertation and is therefore rejected. 143 144 Criteria Preoccupation with failure Encourage the reporting of errors and pay attention to any failures. Thes e lapses may signal possible weakness in other parts of the organization. Too often, success narrows perceptions, breeds overconfidence in current practices and squelches oppos ing viewpoints. This leads to complacency that in turn increases the likelihood unexpected events will go undetected and snowball into bigger problems . 
Definition Criteria Number HRO1 Criteria by Category Culture 1 Criteria by Application Preemptive 1 Culture ∩ Corrective Culture ∩ Preemptive HRO1, HRO4, ∩ HRO1, HRO5 & HRO4, & HRO1, HRO5 ∩ HRO2, & HRO4 & HRO3 HRO5 Culture ∩ Both N/A Model Criteria Sets Table 18 – High Reliability Organization, Analysis of Model Decomposition and Criteria The mes Appendix C Analysis of Model Decomposition and Criteria Themes Risk Management ∩ Corrective Risk Management ∩ Preemptive HRO2 & HRO3 ∩ HRO2 & HRO1, HRO3 ∩ HRO2, & HRO4 & HRO3 HRO5 Risk Management ∩ Both N/A Governance ∩ Corrective Governance ∩ Preemptive HRO3, HRO4, & HRO3, HRO5 ∩ HRO4, & HRO1, HRO5 ∩ HRO2, & HRO4 & HRO3 HRO5 N/A Governance ∩ Both Both Corrective Governance Risk Management 145 HRO2 HRO3 SensitiviPay serious attention ty to to minute-to-minute operaoperations and be tions aware of imperfections in these activities. Strive to make ongoing assessments and continual updates. Enlist everyone’s help in fine-tuning the workings of the organization. Criteria Number Definition Analyze each occurrence through fresh eyes and take nothing for granted. Take a more complex view of matters and look for disconfirming evidence that foreshadows unexpected problems. Seek input from diverse sources, study minute details, discuss confusing events and listen intently. Avoid lumping details together or attempting to normalize an unexpected event in order to preserve a preconceived expectation. Criteria Reluctance to simplify interpretations Criteria by Category Risk Management Governance 1 146 1 1 Preemptive 1 1 Criteria by Application Model Criteria Sets Governance ∩ Both Governance ∩ Corrective Governance ∩ Preemptive Risk Management ∩ Both Risk Management ∩ Corrective Risk Management ∩ Preemptive Culture ∩ Both Culture ∩ Corrective Culture ∩ Preemptive Both Corrective Culture Criteria Definition Commitment to resilience Cultivate the processes of resilience, intelligent reaction and improvisation. 
Be mindful of errors that have occurred and take steps to correct them before they worsen. Be ready to handle the next unforeseen event. Criteria Number HRO4 Criteria by Category Culture 1 Governance 1 Criteria by Application Corrective 1 Model Criteria Sets Governance ∩ Both Governance ∩ Corrective Governance ∩ Preemptive Risk Management ∩ Both Risk Management ∩ Corrective Risk Management ∩ Preemptive Culture ∩ Both Culture ∩ Corrective Culture ∩ Preemptive Both Preemptive Risk Management 147 Criteria Number Culture 1 3 HRO1, HRO4, & HRO5 Corrective Preemptive Governance 1 1 3 3 2 HRO3, HRO2 HRO4, HRO1, HRO2, & HRO4, & & & HRO5 HRO3 HRO5 HRO3 Risk Management 2 Criteria by Application 148 N/A 0 Both Sets Criteria Definition Deference During troubled times, s hift the leaders hip role to expertise to the person or team pos s es s ing the greates t expertis e and experience to deal with the problem at hand. Provide them with the empowerment they need to take timely, effective action. Avoid using rank and status as the s ole bas is for determining who makes decisions when unexpected events occur. 
HRO5 Number of Criteria Criteria by Category Model Criteria Sets Governance ∩ Both Governance ∩ Corrective Governance ∩ Preemptive Risk Management ∩ Both Risk Management ∩ Corrective Risk Management ∩ Preemptive Culture ∩ Both Culture ∩ Corrective Culture ∩ Preemptive Definition Criteria Number 149 2 DRU1 & DRU3 2 3 DRU2 DRU1, DRU3, & & DRU4 DRU4 1 DRU2 1 1 DRU5 Corrective 1 2 DRU4 & DRU5 Risk Management 1 1 N/A Risk Management ∩ Corrective 1 Culture ∩ Both N/A N/A Risk Management ∩ Both 1 Both 1 Culture ∩ Preemptive DRU1 & DRU3 ∩ DRU1, DRU3, & DRU4 DRU2 & DRU4 ∩ DRU1, DRU3, & DRU4 N/A Governance ∩ Corrective Sets Culture 1 Governance 1 Preemptive 1 Culture ∩ Corrective DRU4 & DRU5 ∩ DRU1, DRU4 & DRU3, & DRU5 ∩ DRU4 DRU5 Model Criteria Sets Risk Management ∩ Preemptive 1 Criteria by Application Governance ∩ Preemptive Identify and prioritize potential hazards, inventory physical Risk assets, assess assessment and vulnerabilities, and analysis estimate consequences DRU1 Frequent communication and Partnering stakeholder with stake- engagement (internal and external) DRU2 holders Implement hazard Preemp- mitigation projects and integrate mitigation tive Interven- efforts with government entities DRU3 tion Training Training DRU4 Learning from experiences Organizational learning DRU5 Number of Criteria Criteria Criteria by Category Table 19 – Disaster Resistant University, Analysis of Model Decomposition and Criteria The mes DRU2 & DRU4 ∩ DRU2 Governance ∩ Both Culture 0 Risk Management Criteria Number 150 Governance N/A 0 N/A 0 Preemptive N/A 1 3 MIT1, MIT2, & MIT3 N/A 0 Corrective Sets Impact on external public image, impact on internal public image, and programs affected MIT3 Number of Criteria MIT1, MIT2, & MIT3 1 3 1 Culture ∩ Corrective N/A N/A Culture ∩ Both 1 Culture ∩ Preemptive N/A N/A Risk Management ∩ Preemptive MIT2 Both 1 N/A Risk Management ∩ Corrective 1 MIT1, MIT2, & MIT3 N/A Governance ∩ Preemptive MIT1 Model Criteria Sets Risk Management ∩ Both Impact 
on people and impact on environment Physical property damage, interruption of institute academic activities and operations, and intellectual property damage Definition Criteria by Application N/A Governance ∩ Corrective Stakeholder impact Criteria Health, safety, and environment impact Economic impact on property, academic, and institute operations Criteria by Category Table 20 – Disaster Resistant University at MIT, Analysis of Model Decomposition and Criteria The mes N/A Governance ∩ Both Criteria Number RE1 RE2 Definition Security and bus iness continuity. The RE as much as it prepares knows that it could be faced with a hazard or impact that may overpower it. This does not mean that the company is worried that something is going to happen but realistic to know that something could happen someday and by being prepared, the impact could be lessened and the recovery time faster This principle requires that one should evaluate all of the potential vulnerabilities and determine what credible events could happen, the severity and likelihood of the event happening, and to take s teps to prevent them from occurring or to Asses s- implement measures to ing vulner- diminish the potential impact abilities Preemptive Culture ∩ Corrective N/A Culture ∩ Both N/A Risk Management ∩ Corrective N/A N/A Risk Management ∩ Both Risk Management 151 1 1 RE1, RE2, RE3, RE4, RE5, & RE6 ∩ RE1, RE2, RE3, RE4, RE5, RE6, & RE7 RE1 & RE6 ∩ RE1, RE2, RE3, RE4, RE5, RE6, & RE7 N/A Governance ∩ Corrective 1 Governance 1 Culture ∩ Preemptive RE4 & RE7 ∩ RE1, RE2, RE3, RE4, RE5, & RE6 Model Criteria Sets Risk Management ∩ Preemptive 1 Criteria by Application Governance ∩ Preemptive Organizing for action Criteria Criteria by Category Table 21 – Resilient Enterprise, Analysis of Model Decomposition and Criteria The mes N/A Governance ∩ Both Both Corrective Culture Definition Early detection can influence the likelihood of a disturbance by making the organization aware that action is needed, e.g. 
a preventative maintenance inspection that discovers the early stage of a system failure. Also, early detection can influence the potential impact of a disturbance as it could provide sufficient time to implement measures to diminish the potential impact Reducing the likelihood of disruptions Like a citizen staffed neighborhood watch program, the people who make up organizations are its sensory system. Many eyes, ears, and the physical presence of people who choose to get involved can be deterrence to crime. Also, employees who learn of potential disturbances that are credible and could impact the organization and bring such information to the organization, could provide the organization with sufficient time to implement measures to diminish the potential impact Collaborating for security Criteria Criteria by Category Criteria Number 1 1 Culture RE4 Risk Management 1 1 1 Preemptive RE3 Criteria by Application Model Criteria Sets Governance ∩ Both Governance ∩ Corrective Governance ∩ Preemptive Risk Management ∩ Both Risk Management ∩ Corrective Risk Management ∩ Preemptive Culture ∩ Both Culture ∩ Corrective Culture ∩ Preemptive Both Corrective Governance Definition Backup systems and surpluses. The goal is to provide resources, backups, and redundancies for systems that are prioritized in order of decreasing importance to the organization Building in redundancies Relationships with suppliers. While the organization may be fully functional it may suffer disturbances in its supply chain that could prevent it from producing or diminish the level of production to which it is capable. One way to develop a resilient supply chains is to develop relationships with suppliers before the emergency, during the course of typical operations, so that if the supplier is impacted in such a way that it is not able to produce enough parts for all of its customers, the organization is in good enough stead to have priority access on the parts that it needs.
Another aspect is to develop relationships with several suppliers so that stock can be purchased, perhaps at a higher price, but Designing resilient supply chains Criteria Criteria Number RE6 Risk Management 1 1 Governance 1 Criteria by Application 1 1 Preemptive RE5 Criteria by Category Model Criteria Sets Governance ∩ Both Governance ∩ Corrective Governance ∩ Preemptive Risk Management ∩ Both Risk Management ∩ Corrective Risk Management ∩ Preemptive Culture ∩ Both Culture ∩ Corrective Culture ∩ Preemptive Both Corrective Culture Criteria Number Culture Risk Management 6 Governance 2 Preemptive 1 7 RE1, RE2, RE3, RE4, RE5, RE6, & RE7 N/A 0 Corrective RE1, RE2, RE3, RE4, RE4 & RE5, & RE1 & RE6 RE6 RE7 1 2 Criteria by Application N/A 0 Both Sets Definition People make organizations work and require training to do so. Also, in order for the organization to be the best it must train its people in understanding risks and the processes associated with removing risks, knowing about the operation so that they can make suggestions for improvements. The people need to know how to do their job well and must possess the skills to relay their concerns and know when something is wrong Investing in training and culture RE7 Number of Criteria Criteria Criteria by Category Model Criteria Sets Governance ∩ Both Governance ∩ Corrective Governance ∩ Preemptive Risk Management ∩ Both Risk Management ∩ Corrective Risk Management ∩ Preemptive Culture ∩ Both Culture ∩ Corrective Culture ∩ Preemptive Criteria Number ERM1 ERM2 Definition Encompasses the tone of an organization, and sets the basis for how risk is viewed and addressed, including the organization’s risk management philosophy and risk appetite, its integrity and ethical values, and the environment in which they operate Objectives must exist before management can identify potential events affecting their achievement.
Therefore enterprise risk management ensures that management has in place a process to set objectives and that chosen objectives support and align with the organization’s mission and are consistent with its risk appetite Objective setting Culture 1 Governance 1 Criteria by Application Preemptive Culture ∩ Corrective N/A Risk Management ∩ Preemptive Culture ∩ Both ERM3, ERM4, ERM5, & ERM8 ∩ ERM8 Risk Management ∩ Corrective ERM3, ERM4, ERM5, & ERM8 ∩ ERM1, ERM2, ERM3, ERM1 & ERM4, ERM7 ∩ ERM5, & ERM7 ERM6 Risk Management ∩ Both N/A ERM2, ERM5, & ERM6 ∩ ERM1, ERM2, ERM3, ERM4, ERM5, & ERM6 N/A Governance ∩ Corrective 1 1 Culture ∩ Preemptive ERM1 & ERM7 ∩ ERM1, ERM2, ERM3, ERM4, ERM5, & ERM6 Model Criteria Sets Governance ∩ Preemptive Internal environment Criteria Criteria by Category Table 22 – Enterprise Risk Management, Analysis of Model Decomposition and Criteria Themes N/A Governance ∩ Both Both Corrective Risk Management Definition Internal and external events affecting achievement of an organization’s objectives must be identified and differentiated between risks and opportunities. Opportunities are channeled back to management’s strategy or objective setting processes Event identification Risks are analyzed, considering likelihood and impact, as a basis for determining how they should be managed.
Risks are assessed on an inherent and a residual basis Risk assessment Criteria Criteria by Category Criteria Number 1 Culture ERM4 Risk Management 1 1 1 Preemptive ERM3 Criteria by Application Model Criteria Sets Governance ∩ Both Governance ∩ Corrective Governance ∩ Preemptive Risk Management ∩ Both Risk Management ∩ Corrective Risk Management ∩ Preemptive Culture ∩ Both Culture ∩ Corrective Culture ∩ Preemptive Both Corrective Governance Management selects risk responses, avoiding, accepting, reducing, or sharing risk and develops a set of actions to align risks with the organization’s risk tolerances and risk appetite Policies and procedures are established and implemented to help ensure the risk responses are effectively carried out Definition Criteria Number Risk Management 1 1 1 Governance ERM6 ERM5 Criteria by Application 1 1 Preemptive Control activities Risk response Criteria Criteria by Category Model Criteria Sets Governance ∩ Both Governance ∩ Corrective Governance ∩ Preemptive Risk Management ∩ Both Risk Management ∩ Corrective Risk Management ∩ Preemptive Culture ∩ Both Culture ∩ Corrective Culture ∩ Preemptive Both Corrective Culture Definition Relevant information is identified, captured, and communicated in a form and timeframe that enables people to carry out their responsibilities.
Effective communication occurs within and across all levels of the organizational hierarchy Information & communication Criteria Culture 1 Criteria by Application 1 Both Criteria Number ERM7 Criteria by Category Model Criteria Sets Governance ∩ Both Governance ∩ Corrective Governance ∩ Preemptive Risk Management ∩ Both Risk Management ∩ Corrective Risk Management ∩ Preemptive Culture ∩ Both Culture ∩ Corrective Culture ∩ Preemptive Corrective Preemptive Governance Risk Management Monitoring Criteria Criteria Number Culture Risk Management 1 4 Governance 3 Preemptive 6 ERM1, ERM3, ERM2, ERM4, ERM2, ERM3, ERM1 ERM5, ERM5, ERM4, & & & ERM5, & ERM7 ERM8 ERM6 ERM6 2 Criteria by Application Corrective ERM8 1 1 ERM7 1 Both Sets Definition The entirety of enterprise risk management is monitored and modifications are made as necessary. Monitoring is accomplished through ongoing management activities, separate evaluations, or both ERM8 Number of Criteria Criteria by Category Model Criteria Sets Governance ∩ Both Governance ∩ Corrective Governance ∩ Preemptive Risk Management ∩ Both Risk Management ∩ Corrective Risk Management ∩ Preemptive Culture ∩ Both Culture ∩ Corrective Culture ∩ Preemptive Definition Culture Criteria Number 1 Risk Management 1 1 1 Culture ∩ Corrective N/A N/A Culture ∩ Both RBPS3 Preemptive 1 RBPS2, RBPS3, & RBPS4 U RBPS4 N/A Risk Management ∩ Both 1 Governance 1 Risk Management ∩ Preemptive RBPS2, RBPS3, & RBPS4 U RBPS1, RBPS2, & RBPS3 RBPS1 & RBPS3 U RBPS1, RBPS2, & RBPS3 N/A Governance ∩ Corrective RBPS2 1 Culture ∩ Preemptive RBPS1 U RBPS1, RBPS2, & RBPS3 Model Criteria Sets Risk Management ∩ Corrective RBPS1 Criteria by Application Governance ∩ Preemptive Process safety culture, compliance with standards, process safety competency, workforce involvement, and stakeholder outreach Commit to process safety Process knowledge management and hazard identification and risk analysis Understand hazards and risk Operating procedures, safe
work practices, asset integrity and reliability, contractor management, training and performance assurance, management of change, operational readiness, conduct of operations, and emergency management Manage risk Criteria Criteria by Category Table 23 – Risk-based Process Safety, Analysis of Model Decomposition and Criteria Themes N/A Governance ∩ Both Both Corrective Criteria Number Culture Corrective Preemptive Governance Risk Management 1 1 3 2 3 1 RBPS2, RBPS3, RBPS1 RBPS1, & & RBPS2, RBPS1 RBPS4 RBPS3 & RBPS3 RBPS4 1 Criteria by Application N/A 0 Both Sets Definition Incident investigation, measurement and metrics, auditing, management review and continuous improvement, implementation, and the future Learn from experience RBPS4 Number of Criteria Criteria Criteria by Category Model Criteria Sets Governance ∩ Both Governance ∩ Corrective Governance ∩ Preemptive Risk Management ∩ Both Risk Management ∩ Corrective Risk Management ∩ Preemptive Culture ∩ Both Culture ∩ Corrective Culture ∩ Preemptive Definition Criteria Number Culture 0 N/A ROP1, ROP2, & ROP3 N/A Risk Management 1 3 Governance 0 Preemptive 1 3 ROP1, ROP2, & ROP3 Corrective 1 Both N/A N/A Risk Management ∩ Preemptive N/A 0 N/A Culture ∩ Corrective 1 Culture ∩ Preemptive N/A Culture ∩ Both 1 N/A Risk Management ∩ Both 1 Risk Management ∩ Corrective ROP1, ROP2, & ROP3 ∩ ROP1, ROP2, & ROP3 Model Criteria Sets N/A Governance ∩ Preemptive N/A 0 Criteria by Application N/A Governance ∩ Corrective Sets Initiating events, mitigating systems, barrier integrity, emergency preparedness Reactor safety ROP1 Public radiation safety, occupational radiation safety Radiation safety ROP2 Safeguards Physical protection ROP3 Number of Criteria Criteria Criteria by Category Table 24 – Reactor Oversight Process, Analysis of Model Decomposition and Criteria Themes N/A Governance ∩ Both Governance Preemptive 1 Both 1 Culture ∩ Preemptive N/A Culture ∩ Corrective H&M3 & H&M7 U H&M6, H&M7, & H&M8
Culture ∩ Both H&M3 & H&M7 U H&M2, & H&M3 Model Criteria Sets Risk Management ∩ Preemptive H&M4 & H&M6 U H&M1, H&M4 & H&M5 Risk Management ∩ Corrective H&M4 & H&M6 U H&M6, H&M7, & H&M8 Risk Management ∩ Both N/A H&M1, H&M2, H&M3, H&M5, H&M7, & H&M8 U H&M2 & H&M3 H&M1, H&M2, H&M3, H&M5, H&M7, & H&M8 U H&M6, H&M7, & H&M8 Governance ∩ Preemptive 1 1 Criteria by Application Governance ∩ Corrective Policy and strategic objectives Management interested in communicating HSE issues with the workforce, rewards for good HSE performance, and commitment level of workforce and level of care for colleagues H&M1 Cause (who) of accidents in the eyes of management and balance between HSE and profitability H&M2 Definition Criteria Number Leadership and commitment Criteria Criteria by Category H&M1, H&M2, H&M3, H&M5, H&M7, & H&M8 U H&M1, H&M4, & H&M5 Table 25 – Hearts and Minds, Analysis of Model Decomposition and Criteria Themes Governance ∩ Both Corrective Risk Management Culture Definition Contractor management, size and status of HSE department, and workers interest competency / training Work planning including permit to work and journey management and work site job safety Hazards and effect management Criteria Organization, responsibilities, resources, standards, and doc.
Criteria Number Culture 1 Risk Management 1 Governance 1 Criteria by Application Preemptive 1 1 Both H&M4 H&M3 Criteria by Category Model Criteria Sets Governance ∩ Both Governance ∩ Corrective Governance ∩ Preemptive Risk Management ∩ Both Risk Management ∩ Corrective Risk Management ∩ Preemptive Culture ∩ Both Culture ∩ Corrective Culture ∩ Preemptive Corrective Risk Management Criteria Number 2 1 6 3 H&M1, H&M2, H&M3, H&M5, H&M1, H&M3 H&M4 H&M7, H&M4, & & & & H&M7 H&M6 H&M8 H&M5 1 2 H&M2, & H&M3 1 3 H&M6, H&M7, & H&M8 1 1 Corrective 2 1 1 Both Sets Culture 1 1 Governance H&M5 Criteria by Application Preemptive Incident / accident reporting, investigation and analysis, hazard and unsafe act reports, checking HSE on a day-to-day basis, after accident feedback, and feel of HSE meetings Implementation and monitoring H&M6 Audit Audits and reviews H&M7 Benchmarking, trends, and statistics Review H&M8 Number of Criteria Criteria Definition Planning and procedures Purpose of procedures Criteria by Category Model Criteria Sets Governance ∩ Both Governance ∩ Corrective Governance ∩ Preemptive Risk Management ∩ Both Risk Management ∩ Corrective Risk Management ∩ Preemptive Culture ∩ Both Culture ∩ Corrective Culture ∩ Preemptive Risk Management Criteria Number 1 1 N/A Culture ∩ Corrective BCP2 Culture ∩ Preemptive N/A N/A N/A Risk Management ∩ Preemptive Solution design Preemptive 1 Culture ∩ Both 1 N/A Risk Management ∩ Both BCP1 Risk Management ∩ Corrective BCP1, BCP2, BCP3, BCP4, & BCP5 Model Criteria Sets N/A Governance ∩ Preemptive Identify most cost effective disaster recovery solution to determine the crisis management command structure, the location of a secondary work site, telecommunication architecture between primary and secondary work sites, data replication methodology between primary and secondary work sites, the application and software required at the secondary work site, and the type of physical data requirements at the secondary work site
Definition Impact analysis, threat analysis, impact scenarios, and recovery requirement documentation Criteria by Application N/A Governance ∩ Corrective Analysis Criteria Criteria by Category Table 26 – Business Continuity Planning, Analysis of Model Decomposition and Criteria Themes N/A Governance ∩ Both Both Corrective Governance Culture Maintenance Criteria Number BCP4 N/A BCP1, BCP2, BCP3, BCP4, & BCP5 0 N/A 1 5 BCP1, BCP2, BCP3, BCP4, & BCP5 Corrective N/A 0 Governance 1 5 1 1 N/A 0 Both Sets Culture 0 1 1 Risk Management BCP3 Criteria by Application Preemptive Three periodic activities; 1) information update and testing, 2) testing and verification of technical solutions, and 3) testing and verification of organization recovery procedures BCP5 Number of Criteria Definition Execution of the design elements identified in the solution design phase Implementation Crisis command / emergency operations team activation testing, effect transfer from primary to secondary work sites and secondary to primary work sites Testing and organizational acceptance Criteria Criteria by Category Model Criteria Sets Governance ∩ Both Governance ∩ Corrective Governance ∩ Preemptive Risk Management ∩ Both Risk Management ∩ Corrective Risk Management ∩ Preemptive Culture ∩ Both Culture ∩ Corrective Culture ∩ Preemptive Table 27 – Decomposition of Models to Extract Criteria Themes Criteria Number Primary Themes Definition Culture ∩ Preemptive Encourage the reporting of errors and pay attention to any failures. These lapses may signal possible weakness in other parts of the organization. Too often, success narrows perceptions, breeds overconfidence in current practices and squelches opposing viewpoints. This leads to complacency that in turn increases the likelihood unexpected events will go undetected and snowball into bigger problems. HRO1
DRU4 Culture Safety Culture, Analysis, & Testing Organizational Learning Culture & Risk Management Safety Culture, Analysis, Testing, & Maintenance Culture & Risk Management ERM1 Training Like a citizen staffed neighborhood watch program, the people who make up organizations are its sensory system. Many eyes, ears, and the physical presence of people who choose to get involved can be deterrence to crime. Also, employees who learn of potential disturbances that are credible and could impact the organization and bring such information to the organization, could provide the organization with sufficient time to implement measures to diminish the potential impact Encompasses the tone of an organization, and sets the basis for how risk is viewed and addressed, including the organization’s risk management philosophy and risk appetite, its integrity and ethical values, and the environment in which they operate Culture, Risk Management, & Governance RBPS1 Process safety culture, compliance with standards, process safety competency, workforce involvement, and stakeholder outreach Culture & Governance RE4 168 Sub-Themes Analysis, Solution Design, Objectives, Strategy, Policy, & Rules Safety Culture, Policy, Regulations, & Rules Criteria Number Primary Themes Definition Sub-Themes Culture ∩ Corrective HRO5 Cultivate the processes of resilience, intelligent reaction and improvisation. Be mindful of errors that have occurred and take steps to correct them before they worsen. Be ready to handle the next unforeseen event. During troubled times, shift the leadership role to the person or team possessing the greatest expertise and experience to deal with the problem at hand. Provide them with the empowerment they need to take timely, effective action. Avoid using rank and status as the sole basis for determining who makes decisions when unexpected events occur. 
DRU5 Organizational learning H&M7 Audits and reviews HRO4 Culture & Risk Management Culture & Governance Culture Risk Management Culture∩ Both Relevant information is identified, captured, and communicated in a form and timeframe that enables people to carry out their responsibilities. Effective communication occurs within and across ERM7 all levels of the organizational hierarchy Contractor management, size and status of HSE department, and workers interest competency / H&M3 training 169 Governance Culture & Governance Organizational Learning, Flexibility, Analysis, Emergency Response, Implementation Organizational Learning, Decision-Making, and Policy Organizational Learning Testing & Maintenance Communication Safety Culture, Organizational Learning, & Policy Criteria Number Primary Themes Definition Risk Management ∩ Preemptive Analyze each occurrence through fresh eyes and take nothing for granted. Take a more complex view of matters and look for disconfirming evidence that foreshadows unexpected problems. Seek input from diverse sources, study minute details, discuss confusing events and listen intently. Avoid lumping details together or attempting to normalize an unexpected event in HRO2 order to preserve a preconceived expectation. Pay serious attention to minute-to-minute operations and be aware of imperfections in these activities. Strive to make ongoing assessments and continual updates. Enlist everyone’s help in fineHRO3 tuning the workings of the organization. Identify and prioritize potential hazards, inventory physical assets, assess vulnerabilities, and estimate DRU1 consequences DRU3 RE1 RE2 RE3 Implement hazard mitigation projects and integrate mitigation efforts with government entities Security and business continuity. The RE as much as it prepares knows that it could be faced with a hazard or impact that may overpower it. 
This does not mean that the company is worried that something is going to happen but realistic to know that something could happen someday and by being prepared, the impact could be lessened and the recovery time faster This principle requires that one should evaluate all of the potential vulnerabilities and determine what credible events could happen, the severity and likelihood of the event happening, and to take steps to prevent them from occurring or to implement measures to diminish the potential impact Early detection can influence the likelihood of a disturbance by making the organization aware that action is needed, e.g. a preventative maintenance inspection that discovers the early stage of a system failure. Also, early detection can influence the potential impact of a disturbance as it could provide sufficient time to implement measures to diminish the potential impact 170 Sub-Themes Risk Management Analysis Risk Management & Governance Analysis, Maintenance & Management Support Risk Management Risk Management & Governance Analysis Implementation & Management Support Risk Management Testing, Maintenance, Emergency Response Risk Management Analysis & Implementation Risk Management Analysis Criteria Number RE4 RE5 RE6 ERM3 ERM4 ERM5 Primary Themes Definition Like a citizen staffed neighborhood watch program, the people who make up organizations are its sensory system. Many eyes, ears, and the physical presence of people who choose to get involved can be deterrence to crime. Also, employees who learn of potential disturbances that are credible and could impact the organization and bring such information to the organization, could provide the organization with sufficient time to implement measures to diminish the potential impact Backup systems and surpluses. The goal is to provide resources, backups, and redundancies for systems that are prioritized in order of decreasing importance to the organization Relationships with suppliers. 
While the organization may be fully functional it may suffer disturbances in its supply chain that could prevent it from producing or diminish the level of production to which it is capable. One way to develop a resilient supply chains is to develop relationships with suppliers before the emergency, during the course of typical operations, so that if the supplier is impacted in such a way that it is not able to produce enough parts for all of its customers, the organization is in good enough stead to have priority access on the parts that it needs. Another aspect is to develop relationships with several suppliers so that stock can be purchased, perhaps at a higher price, but purchased nonetheless. Another possibility is to stock critical components on site or to pre-purchase supplies so that there is always a reserve of supplies available Internal and external events affecting achievement of an organization’s objectives must be identified and differentiated between risks and opportunities. Opportunities are channeled back to management’s strategy or objective setting processes Risks are analyzed, considering likelihood and impact, as a basis for determining how they should be managed. 
Risks are assessed on an inherent and a residual basis Management selects risk responses, avoiding, accepting, reducing, or sharing risk and develops a set of actions to align risks with the organization’s risk tolerances and risk appetite 171 Sub-Themes Culture & Governance Safety Culture, Analysis, Testing, & Maintenance Testing, Maintenance, Management Support Governance Policy & Procedure Risk Management & Governance Analysis, Solution Design, & Objectives Risk Management Analysis Risk Management Solution Design, Implementation, & Maintenance Culture Criteria Number Primary Themes Definition Sub-Themes Process knowledge management and hazard identification and risk analysis Operating procedures, safe work practices, asset integrity and reliability, contractor management, training and performance assurance, management of change, operational readiness, conduct of operations, and emergency management Culture & Risk Management Risk Management ROP2 Initiating events, mitigating systems, barrier integrity, emergency preparedness Public radiation safety, occupational radiation safety Organizational Learning, & Analysis Safety Culture, Organizational Learning, & Emergency Response Analysis, Solution Design, & Emergency Response ROP3 Physical protection Culture Culture & Risk Management Safety Culture Safety Culture & Implementation H&M4 Work planning including permit to work and journey management and work site job safety Culture Safety Culture Risk Management Analysis RBPS2 RBPS3 ROP1 BCP1 BCP2 BCP3 BCP4 BCP5 Impact analysis, threat analysis, impact scenarios, and recovery requirement documentation Identify most cost effective disaster recovery solution to determine the crisis management command structure, the location of a secondary work site, telecommunication architecture between primary and secondary work sites, data replication methodology between primary and secondary work sites, the application and software required at the secondary work site, and the type of 
physical data requirements at the secondary work site Execution of the design elements identified in the solution design phase Crisis command / emergency operations team activation testing, effect transfer from primary to secondary work sites and secondary to primary work sites Three periodic activities; 1) information update and testing, 2) testing and verification of technical solutions, and 3) testing and verification of organization recovery procedures 172 Culture & Risk Management Risk Management Risk Management Solution Design Implementation Risk Management Emergency Response Risk Management Testing & Maintenance Criteria Number Primary Themes Definition Risk Management ∩ Corrective The entirety of enterprise risk management is monitored and modifications are made as necessary. Monitoring is accomplished through ongoing management activities, separate ERM8 evaluations, or both RBPS4 H&M6 Incident investigation, measurement and metrics, auditing, management review and continuous improvement, implementation, and the future Incident / accident reporting, investigation and analysis, hazard and unsafe act reports, checking HSE on a day-to-day basis, after accident feedback, and feel of HSE meetings Risk Management Sub-Themes Culture, Risk Management, & Governance Testing & Maintenance Safety Culture, Analysis, & Management Support Culture, Risk Management, & Governance Safety Culture, Analysis, & Procedures Risk Management ∩ Both MIT1 Impact on people and impact on environment Culture, Risk Management, & Governance MIT2 Physical property damage, interruption of institute academic activities and operations, and intellectual property damage Culture, Risk Management, & Governance MIT3 Impact on external public image, impact on internal public image, and programs affected Risk Management & Governance Governance ∩ Preemptive Pay serious attention to minute-to-minute operations and be aware of imperfections in these activities. 
Strive to make ongoing assessments and continual updates. Enlist everyone’s help in fineHRO3 tuning the workings of the organization. DRU4 Training Risk Management & Governance Culture 173 Safety Culture, Analysis, Implementation, Emergency Response, Policy, & Management Support Safety Culture, Analysis, Implementation, Emergency Response, Policy, & Management Support Analysis, Implementation, Emergency Response, Policy, & Management Support Analysis, Maintenance, & Management Support Organizational Learning Criteria Number Definition ERM5 Security and business continuity. The RE as much as it prepares knows that it could be faced with a hazard or impact that may overpower it. This does not mean that the company is worried that something is going to happen but realistic to know that something could happen someday and by being prepared, the impact could be lessened and the recovery time faster Relationships with suppliers. While the organization may be fully functional it may suffer disturbances in its supply chain that could prevent it from producing or diminish the level of production to which it is capable. One way to develop a resilient supply chains is to develop relationships with suppliers before the emergency, during the course of typical operations, so that if the supplier is impacted in such a way that it is not able to produce enough parts for all of its customers, the organization is in good enough stead to have priority access on the parts that it needs. Another aspect is to develop relationships with several suppliers so that stock can be purchased, perhaps at a higher price, but purchased nonetheless. Another possibility is to stock critical components on site or to pre-purchase supplies so that there is always a reserve of supplies available Objectives must exist before management can identify potential events affecting their achievement. 
Therefore enterprise risk management ensures that management has in place a process to set objectives and that chosen objectives support and align with the organization’s mission and are consistent with its risk appetite Management selects risk responses, avoiding, accepting, reducing, or sharing risk and develops a set of actions to align risks with the organization’s risk tolerances and risk appetite ERM6 Policies and procedures are established and implemented to help ensure the risk responses are effectively carried out RE1 RE6 ERM2 174 Primary Themes Sub-Themes Risk Management Testing, Maintenance, & Emergency Response Governance Policy & Procedure Risk Management & Governance Risk Management & Governance Governance Analysis, Objectives, Policy, Procedures, & Management Support Solution Design, Implementation, & Management Support Implementation, Policy, Procedures, & Management Support Criteria Number RBPS1 RBPS3 H&M1 H&M5 Primary Themes Definition Process safety culture, compliance with standards, process safety competency, workforce involvement, and stakeholder outreach Operating procedures, safe work practices, asset integrity and reliability, contractor management, training and performance assurance, management of change, operational readiness, conduct of operations, and emergency management Management interested in communicating HSE issues with the workforce, rewards for good HSE performance, and commitment level of workforce and level of care for colleagues Purpose of procedures Governance ∩ Corrective Cultivate the processes of resilience, intelligent reaction and improvisation. Be mindful of errors that have occurred and take steps to correct them before they worsen. Be ready to handle the next HRO4 unforeseen event. During troubled times, shift the leadership role to the person or team possessing the greatest expertise and experience to deal with the problem at hand. Provide them with the empowerment they need to take timely, effective action. 
Avoid using rank and status as the sole basis for determining who makes decisions when unexpected events HRO5 occur. H&M7 Audits and reviews H&M8 Benchmarking, trends, and statistics Governance ∩ Both Frequent communication and stakeholder DRU2 engagement (internal and external) Cause (who) of accidents in the eyes of management and balance between HSE and H&M2 profitability Contractor management, size and status of HSE department, and workers interest competency / H&M3 training 175 Sub-Themes Culture & Governance Governance Safety Culture, Policy, Regulation, & Rules Safety Culture, Organizational Learning, & Emergency Response Safety Culture, Policy, Rules, & Management Support Procedures Culture & Risk Management Organizational Learning, Policy, & DecisionMaking Culture & Governance Risk Management Risk Management Testing & Maintenance Analysis, Testing, & Maintenance Culture & Governance Culture & Risk Management Governance Culture, Risk Management, & Governance Culture & Governance Communication Safety Culture, Analysis, Policy, & Decision-Making Safety Culture, Organizational Learning, & Policy Table 28 - Summary: Criteria Number by Theme Themes ERM1 Policy ERM1, ERM3, ERM2 Strategic Direction ERM1, ERM3, ERM5, ROP1, BCP2, ERM5 Objectives 176 Solution Design Maintenance Organizational Learning Testing Analysis Safety Culture HRO1, RE4, RBPS1, H&M3, RE4, RBPS3, ROP2, ROP3, H&M4, RBPS4, H&M6, MIT1, MIT2, RBPS1, RBPS3, H&M1, H&M2, H&M3 HRO1, RE4, ERM1, HRO4, HRO2, HRO3, DRU1, RE2, RE3, RE4, ERM3, ERM4, RE4, DRU4, RBPS2, ERM1, H&M7, ROP1, BCP1, HRO1, HRO4, HRO3, RE1, HRO5, RE4, RBPS4, RE4, H&M6, H&M7, DRU5, RE5, H&M3, RE1, MIT1, RE4, RBPS2, ERM5, MIT2, RE5, RBPS3, BCP5, MIT3, HRO3, BCP5, DRU4, ERM8, ERM2, ERM8, RBPS3, HRO3, HRO4, RE1, RE1, HRO4, H&M8, H&M7, HRO5, H&M7, H&M2 H&M8 H&M3 H&M8 ERM1, RBPS1, HRO5, H&M3, RE8, MIT1, MIT2, MIT3, RE6, ERM2, ERM6, RBPS1, H&M1, HRO5, H&M2, H&M3 Themes Procedures Management Support HRO5, HRO5, H&M2 Communication 177 
Decision-Making Implementation HRO4, HRO4 Emergency Response RBPS1, RBPS1 Flexibility Regulation Rules ERM1, RBPS1, RBPS1, H&M1 HRO4, RE1, RBPS3, ROP1, BCP4, MIT1, MIT2, MIT3, RE1, RBPS3, HRO4 HRO4, DRU3, RE2, ERM5, ROP3, BCP3, MIT1, MIT2, MIT3, ERM5, ERM6, HRO4 HRO3, DRU3, RE5, RBPS4, MIT1, MIT2, RE6, MIT3, HRO3, H&M6, ERM2, RE6, ERM7, ERM5, ERM2, H&M1, ERM6, ERM6, DRU2 H&M1 H&M5

Appendix D
Materials distributed to stakeholders to prepare for workshop no. 1

Workshop
Assessing the Highly Reliable Disaster Resistant Organization³
2 Bermuda Conference Room - NE49
June 16, 2008
1:00 PM to 3:00 PM
Joseph F. Gifun, P.E.
(617) 253-4740
[email protected]

Introduction

The purpose of this workshop is to elicit feedback from local experts on an emerging organization model named the Highly Reliable Disaster Resistant Organization (HRDRO). HRDRO and its associated research are founded upon the premise that organizations that effectively anticipate, resist, and recover from disasters and system disturbances follow successful practices that embody high reliability, disaster resistance, and business resilience. The HRDRO was derived from the integration of several organizational models: the High Reliability Organization, the Disaster Resistant University, the Resilient Enterprise, Enterprise Risk Management, Risk-Based Process Safety, Reactor Oversight Process, Hearts and Minds, and Business Continuity Planning.

³ Former name for the methodology currently known as the Highly Reliable Resilient Organization

The result of this research to date is a hierarchical object tree model based on analytic-deliberative principles that would assist organizations to:

1. Preemptively determine whether or not, and to what extent, the organization is poised to effectively anticipate, resist, and recover from disasters and system disturbances and identify the areas in which improvements should be made
2. Diagnostically examine the results of an impact of a disaster or system disturbance on an organization to determine whether or not, and to what extent, the organization anticipated, resisted, and recovered from such an impact and identify the areas in which improvements should be made

Workshop Preparation

To prepare for the workshop, participants are encouraged to complete (or do as much as one can of) the following three tasks.

1. Please review the hierarchical tree, text and Figure [17] 1a or [18] 1b, and comment upon its completeness, i.e., does it contain the right criteria to determine the level of an organization’s HRDRO-ness? If not, what revisions would you make?
2. Please review the definitions of the criteria and state your level of agreement. If you do not agree with the essence of the text that accompanies each definition please suggest changes. If you suggested a new criterion in 1 above please provide a definition. Complete grammatically correct sentences are not necessary – bullets are just fine. Please focus on concepts and do not take the time to wordsmith.
3. Please think about the relative weights of the criteria. Time will be devoted to this during the workshop.

The intent of the following hypothetical event scenario is to enable workshop participants to focus attention on each task in a consistent way, as it provides a real-world context.

Hypothetical Event Scenario

Following two weeks of temperatures well below freezing, a large diameter water main broke in the vicinity of a research university in a dense urban setting. The break occurred during the mid afternoon of a weekday when the university was fully operational. Much time was required to secure the flow of water as adjacent valves were found to be inoperable, causing a complete loss of water pressure throughout the campus and adjoining areas of the city for what ended up to be several hours. Thus, no potable or fire suppression water was available during this time. In addition, policy misunderstandings prohibited incident command staff from transmitting a message by way of the university web page and telephone to all students and staff that “hot work” must cease unless doing so would result in greater risk. During this time when no water pressure was available a fire occurred in a laboratory located on an upper floor of a high rise building.

HRDRO Hierarchical Tree

The hierarchical tree, Figures [16] 1a and [17] 1b, employs a conventional vertical hierarchical format. The output of the hierarchical tree is a numerical index that represents the degree of compliance with the criteria and is employed preemptively, diagnostically, and as the means for the prioritization of alternatives, as follows.

1. In a preemptive application the numerical index is used to determine the organization’s current degree of HRDRO, i.e. a numerical index of greater value represents a greater level of HRDRO. Moreover, the index enables one to see the organization’s strengths and organizational areas that are in need of improvement. The intent of examining the organization preemptively is to prevent, or at the very least mitigate, the impact of disasters or system disturbances.
2. Diagnostically, the use of the index is similar to the preemptive application except that it is used after the impact of a disaster or system disturbance.
3. The index enables the comparison and ranking of alternatives against a set of pre-established criteria. For example, several alternatives are identified during the preemptive application above, the index for each is determined, and the course of action with the most attractive index is implemented (corrective).

As the hierarchical tree supports an analytic-deliberative process, the raw calculated indices must be deliberated upon in order to determine final ranking.
Figure [16] 1a – HRDRO Hierarchical Tree (Max score = 1.00)

Figure [17] 1b – HRDRO Hierarchical Tree (Max score = 100)

Verification of Criteria Definitions

The following definitions, or fragments thereof, of the criteria shown in Figures [17] 1a and [18] 1b are to be considered preliminary and subject to scrutiny and revision by workshop participants.

1. Culture - a basic set of assumptions that defines what those within the organization pay attention to, what things mean, and how to react emotionally to what is going on, and what actions to take in various kinds of situations (Edgar Schein, 1992, Organizational Culture and Leadership, Jossey-Bass, 2nd Ed, p. 22) [(Schein, 1992)].

2. Risk Management – organizational principles, practices, and structures that enable an organization to manage uncertainty to either eliminate or mitigate the realization and expansion of potential consequences.

3. Governance – relates to decisions that define expectations, grant power, or verify performance. It consists either of a separate process or of a specific part of management or leadership processes. In the case of a business, governance relates to consistent management, cohesive policies, processes, [practices and procedures, authority] and [financial and operational] decision-rights for a given area of responsibility.

4. Safety – The condition of being protected against [unacceptable levels of] physical, social, spiritual, financial, political, emotional, occupational, psychological, educational or other types or consequences of failure, damage, error, accidents, harm or any other event which could be considered non-desirable. This can take the form of being protected from the event or from exposure to something that causes health or economical losses. It can include protection of people or of possessions.
Organizational safety culture entails compliance with standards, process safety competency, workforce involvement, stakeholder outreach, operating procedures, safe work practices, asset integrity and reliability, contractor management, training and performance assurance, management of change, operational readiness, conduct of operations, and emergency management.

5. Organizational Learning – describes an organization that actively creates, captures, transfers, and mobilizes knowledge to enable it to adapt to a changing environment. The disciplines of the learning organization are Systems Thinking, Personal Mastery, Mental Models, Building Shared Vision, and Team Learning, and can be thought of on three distinct levels: practices (what you do), principles (guiding ideas and insights), and essences (the state of being of those with high levels of mastery in the discipline) (Senge, P. M. (1990) The Fifth Discipline: The Art & Practice of The Learning Organization, Doubleday, New York) [(Senge, 1990)].
Systems Thinking: A conceptual framework, a body of knowledge to make full patterns clearer, and to help one see how to change them effectively.
Personal Mastery: The discipline of continually clarifying and deepening our personal vision, of focusing our energies, of developing patience, and of seeing reality objectively. An organization’s commitment to and capacity for learning can be no greater than the commitment to and capacity for learning of its members.
Mental Models: Deeply ingrained assumptions, generalizations, or even pictures or images that influence how we understand the world and how we take action.
Building Shared Vision: The practice of shared vision involves the skills of unearthing shared “pictures of the future” that foster genuine commitment and enrollment rather than compliance.
Team Learning: The discipline of team learning starts with dialogue, the capacity of members of a team to suspend assumptions and enter into a genuine thinking together. The discipline of dialogue also involves learning how to recognize the patterns of interaction in teams that undermine learning. Unless teams can learn, the organization cannot learn.
Development of scenarios for internal training exercises; problems, mistakes, errors, and failures are considered learning opportunities; solutions include root cause and latent contributors; all personnel associated with the problem, mistake, error, or failure, regardless of rank, participate in after action reviews.

6. Flexibility – Decision making and problem resolution migrate quickly to the person(s) most capable to make the decision or resolve the problem. People within the organization know the person(s) with expertise to contact when something out of the ordinary occurs. An organization that embodies flexibility adapts to changing demands and, should problems occur, someone with the authority to act and necessary resources are readily available. People are familiar with their jobs and operations external to their own jobs and work to create a climate that encourages variety in people’s analyses of the organization’s technology and production processes and establish practices that allow those perspectives to be heard and to surface information not held in common (Weick, K. E. and Sutcliffe, K. M. Managing the Unexpected: Assuring High Performance in an Age of Complexity. San Francisco: Jossey-Bass, 2001 [(Weick & Sutcliffe, 2001)]. Weick, K. E. and Sutcliffe, K. M. Managing the Unexpected: Resilient Performance in an Age of Uncertainty (2nd ed.). San Francisco: John Wiley & Sons, 2007 [(Weick & Sutcliffe, 2007)]).

7. Planning & Preparation – summary criterion, business continuity planning
a. Analysis – the employment of impact analysis, threat analysis, impact scenarios, and other analytic tools and methods to assess the current and potential state of the organization (Business continuity planning).
b. Solution Design – the means to identify the most cost effective disaster recovery solution and determine the crisis management command structure, the location of a secondary work site, telecommunication architecture between primary and secondary work sites, data replication methodology between primary and secondary work sites, the application and software required at the secondary work site, and the type of physical data requirements at the secondary work site
c. Implementation – execution of the design elements identified in the solution design phase
d. Testing & Acceptance – the means to ascertain the effectiveness of the crisis command / emergency operations team including the effective transfer from primary to secondary work sites and secondary to primary work sites
e. Maintenance – the conduction of periodic activities: 1) information update and testing, 2) testing and verification of technical solutions, and 3) testing and verification of organization recovery procedures

8. Emergency / Incident Response – an emergency is a situation which poses an immediate risk to health, life, property or environment. Most emergencies require urgent intervention [emergency / incident response] to prevent a worsening of the situation, although in some situations, mitigation may not be possible and agencies may only be able to offer palliative care for the aftermath. Whilst some emergencies are self evident (such as a natural disaster which threatens many lives), many smaller incidents require the subjective opinion of an observer (or affected party) in order to decide whether it qualifies as an emergency.
The precise definition of an emergency, the agencies involved and the procedures used, vary by jurisdiction, and this is usually set by the government, whose agencies (emergency services) are responsible for emergency planning and management. In order to be defined as an emergency, the incident should be one of the following:
a. Immediately threatening to life, health, property or environment.
b. Have already caused loss of life, health detriments, property damage or environmental damage
c. Have a high probability of escalating to cause immediate danger to life, health, property or environment
Whilst most emergency services agree on protecting human health, life and property, the environmental impacts are not considered sufficiently important by some agencies. This also extends to areas such as animal welfare, where some emergency organizations cover this element through the 'property' definition, where animals which are owned by a person are threatened (although this does not cover wild animals). This means that some agencies will not mount an 'emergency' response where it endangers wild animals or environment although others will respond to such incidents (such as oil spills at sea which pose a threat to marine life). The attitude of the agencies involved is likely to reflect the predominant opinion of the government of the area.
Personnel who respond to emergencies either to mitigate impacts directly or to work with or pass on information to emergency responders, e.g. local fire service and internal personnel responsible for decisions regarding the control of emergencies from onset to conclusion and the development of emergency response and management procedures and training opportunities.

9. Objectives & Strategic Direction – A Strategy is a long term plan of action designed to achieve a particular goal, most often "winning". Strategy is differentiated from tactics or immediate actions with resources at hand by its nature of being extensively premeditated, and often practically rehearsed. Strategies are used to make the problem easier to understand and solve.

10. Policies, Rules, Regulations, & Operating Procedures – A policy is a deliberate plan of action to guide decisions and achieve rational outcome(s). The term may apply to government, private sector organizations and groups, and individuals. Presidential executive orders, corporate privacy policies, and parliamentary rules of order are all examples of policy. Policy differs from rules or law. While law can compel or prohibit behaviors (e.g. a law requiring the payment of taxes on income) policy merely guides actions toward those that are most likely to achieve a desired outcome. Policy or policy study may also refer to the process of making important organizational decisions, including the identification of different alternatives such as programs or spending priorities, and choosing among them on the basis of the impact they will have. Policies can be understood as political, management, financial, and administrative mechanisms arranged to reach explicit goals.
A procedure is a specification of a series of actions, acts or operations which have to be executed in the same manner in order to always obtain the same result in the same circumstances (for example, emergency procedures). Less precisely speaking, this word can indicate a sequence of activities, tasks, steps, decisions, calculations and processes, that when undertaken in the sequence laid down produces the described result, product or outcome. A procedure usually induces a change.
Regulation can be considered as legal restrictions promulgated by government authority. One can consider at least two levels in democracies -- legislative acts, and implementing specifications of conduct imposed by sanction (as a fine). This administrative law or implementing regulatory law is in contrast to statutory or case law.
Rule - a formal and widely-accepted statement, fact, definition, or qualification; an informal but widely accepted norm, concept, truth, definition, or qualification.
Policies are clearly written, broadly distributed, and reflect organization mission. There is a consistent organization-wide understanding, acceptance, and application of policies, processes, and practices. All policies are easily understood, clearly written, published, and consistently applied and enforced. The basis for policies and the decision processes employed during their development is published and broadly known. Personnel are able to question policies without retaliation and the organization’s level of acceptable risk is well known by all personnel.

11. Decision-Making Process – transparent analytic deliberative processes and methods are used where appropriate. Risks are considered, even for decisions that may appear quite mundane, by asking questions such as, what will happen next. The probability of the occurrence of credible risks and hazards is considered. All policies are easily understood, clearly written, published, and consistently applied and enforced. The basis for policies and the decision processes employed during their development is published and broadly known. Personnel are able to question policies without retaliation. The organization’s level of acceptable risk is well known by all personnel.

12. Monetary & Non-Monetary Support – Organization-wide policies and practices that overtly support action, e.g. risk assessment and analysis, implementation of projects, and funding of initiatives to eliminate and mitigate risks. Budget set-asides for risk identification, assessment, elimination, and mitigation. Action or deliberate inaction by the organization closely matches that which the organization had said, displayed, and published and provides a measure of the organization’s level of support. Support includes resources such as money, people, time, and materials. Budgets include reserves for vulnerability assessments and mitigation projects. Levels of support are established by risk management methods.

13. Communication – An act or instance of transmitting information, e.g. verbal or written messages. A process by which information is exchanged between individuals through a common system of symbols, signs, or behavior. A system (as of telephones) for communicating. A technique for expressing ideas effectively (as in speech). The technology of the transmission of information (as by print or telecommunication) (Merriam-Webster, 2009).
Movement of information quickly with no constraints as to rank, and the person with information has the obligation to pass it on. Information regarding imminent and potential risks, whether brief or detailed, is distributed throughout the organization.
Open and established process to engage stakeholders in solutions and open relationships with regulators and other authorities.

Elicitation of Criteria Weights

Preliminary relative weights are provided for the criteria shown in Figures [17] 1a and [18] 1b. The two versions provide the workshop participant with a choice as some people find it easier to work with whole numbers. Figure [17] 1a provides relative weights with a maximum total of 1.00 while Figure [18] 1b provides relative weights with a maximum total of 100. All other aspects of the figures are identical.
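The numerical index described under "HRDRO Hierarchical Tree" can be worked through with the score bands, utilities and maximum global weights printed in the Appendix F constructed scales. The Python below is an added example, not code from the thesis: it assumes each criterion contributes utility/100 times its maximum global weight (this reproduces the printed Global Weight columns to one decimal place) and that the index is the sum of those contributions. The function names and the sample assessment scores are constructed for illustration.

```python
"""Added example: HRRO index from the Appendix F constructed scales."""

# Maximum global weight per criterion (the level-4 "Global Weight" of each
# constructed scale in Appendix F). The thirteen weights total 100.
MAX_WEIGHT = {
    "Safety Culture": 18.7,
    "Organizational Learning, Quality Improvement, and Flexibility": 21.0,
    "Analysis": 4.1,
    "Solution Design": 6.6,
    "Implementation": 7.1,
    "Testing and Acceptance": 4.4,
    "Maintenance": 3.3,
    "Emergency / Incident Response and Business Recovery": 10.7,
    "Objectives and Strategic Direction": 9.7,
    "Policies, Rules, Regulations, and Operating Procedures": 2.0,
    "Decision-Making Process": 5.2,
    "Communication": 4.7,
    "Monetary & Non-Monetary Support": 2.5,
}

# Utility attached to levels 0..4 in every constructed scale.
UTILITY = (0, 25, 50, 75, 100)

# Upper bound of the score band for levels 0..4; bands are (lower, upper].
SAFETY_BANDS = (19, 37, 55, 73, 90)   # Safety Culture score
AVERAGE_BANDS = (1, 2, 3, 4, 5)       # average score, all other criteria


def level_for(criterion, score):
    """Map a raw score to its scale level (0..4)."""
    bands = SAFETY_BANDS if criterion == "Safety Culture" else AVERAGE_BANDS
    if not 0 < score <= bands[-1]:
        raise ValueError(f"{criterion}: score {score} outside (0, {bands[-1]}]")
    return next(level for level, upper in enumerate(bands) if score <= upper)


def hrro_index(scores):
    """Return (index, contributions) for a complete set of criterion scores.

    Assumption (not given as a formula in the thesis): a criterion
    contributes utility/100 * maximum global weight; the index is the sum.
    """
    missing = set(MAX_WEIGHT) - set(scores)
    unknown = set(scores) - set(MAX_WEIGHT)
    if missing or unknown:
        # An incomplete assessment would silently understate the index.
        raise KeyError(f"missing={sorted(missing)} unknown={sorted(unknown)}")
    contributions = {
        name: UTILITY[level_for(name, scores[name])] / 100 * MAX_WEIGHT[name]
        for name in MAX_WEIGHT
    }
    return sum(contributions.values()), contributions


def improvement_priorities(scores):
    """Criteria ordered by index points still unearned, largest first."""
    _, contributions = hrro_index(scores)
    gaps = {name: MAX_WEIGHT[name] - got for name, got in contributions.items()}
    return sorted(((name, round(gap, 3)) for name, gap in gaps.items() if gap > 0),
                  key=lambda item: item[1], reverse=True)


# Constructed sample assessment (illustrative values, not thesis data).
SAMPLE_SCORES = {
    "Safety Culture": 60,
    "Organizational Learning, Quality Improvement, and Flexibility": 2.5,
    "Analysis": 1.0,
    "Solution Design": 3.2,
    "Implementation": 2.0,
    "Testing and Acceptance": 4.5,
    "Maintenance": 3.0,
    "Emergency / Incident Response and Business Recovery": 3.5,
    "Objectives and Strategic Direction": 2.2,
    "Policies, Rules, Regulations, and Operating Procedures": 4.0,
    "Decision-Making Process": 1.5,
    "Communication": 2.8,
    "Monetary & Non-Monetary Support": 5.0,
}

if __name__ == "__main__":
    index, _ = hrro_index(SAMPLE_SCORES)
    print(f"HRRO index: {index:.1f} of 100")
    for name, gap in improvement_priorities(SAMPLE_SCORES)[:3]:
        print(f"  {gap:5.2f} index points still available in {name}")
```

The ranking shows where the largest share of the index remains unearned; as the text notes, raw indices are an input to deliberation rather than a final ranking.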
Appendix E
Assessor responses and priority

Table 29 – Assessor Responses and Priority
Columns: Attribute; Max. Possible Weight; Weight and Priority for each of Assessors A, B, C, D, and E (Global Weights by Assessors)

10.7 9.7 Emergency / Incident Response and Business Objectives and Strategic Direction 100 HRRO Index 36.9 53.5 53.4 50.6 70.4
1.5 3.9 3.5 2.5 5.3 7.3 10.5 3.1 3.3 7.1 3.3 2.5 11 6 7 10 5 3 1 9 8 4 8 10
1.0 2.6 2.3 1.2 5.3 0.0 10.5 3.1 4.9 7.1 2.2 1.6 12 7 8 11 3 13 1 6 4 2 9 10
2 5.2 4.7 2.5 1.5 3.9 3.5 1.3 Policies, Rules, Regulations, and Operating Pro - 0.5 1 1 1 Decision-Making Process 1.3 2.6 1.3 3.9 Communication 1.2 2.4 2.4 2.4 Monetary & Non-Monetary Support 0 1.3 1.3 1.3 5.4 5.4 8 5.4 8 2.4 9.7 4.9 2.4 7.3 21 4.1 6.6 7.1 4.4 3.3
Attribute A B C Safety Culture 9.4 14 14 Organizational Learning, Quality Improvement, and Flexibility 10.5 10.5 10.5 10.5 10.5 Analysis 1 1 2.1 1 2.1 Solution Design 3.3 1.7 3.3 5 5 Implementation 0 0 1.8 1.8 3.6 Testing and Acceptance 1.1 2.2 1.1 1.1 3.3 Maintenance 0.8 1.7 1.7 0.8 1.7
1.0 3.9 2.3 1.2 2.7 4.8 10.5 2.0 3.3 5.3 3.3 1.6 12 5 8 11 7 3 1 9 6 2 6 10
1.0 1.3 2.3 1.2 5.3 7.3 10.5 3.1 1.6 5.3 3.3 2.5 12 10 8 11 3 2 1 6 9 3 5 7
0.5 1.3 1.2 1.2 2.7 2.4 10.5 2.0 1.6 3.5 1.1 1.6 10 7 8 8 3 4 1 5 6 2 9 6
14 18.7 18.7 9.3 2 4.7 5 4.7 4 4.7 4 0.0 11

APPENDIX F
Constructed scales

Figure 18 – HRRO Constructed Scales

Note: Constructed scales are for demonstration and testing purposes only and they should be developed in the context of the organization in which they are to be used.

Safety Culture

Summary level measure of 18 performance measures attained from scoring sheet provided by the Hearts and Minds safety program.
Organizational safety culture entails compliance with standards, process safety competency, workforce involvement, stakeholder outreach, operating procedures, safe work practices, asset integrity and reliability, contractor management, training and performance assurance, management of change, operational readiness, conduct of operations, and emergency management. Utility Global Weight 4 Generative - highest level of safety culture where the organization is informed regarding safety issues and possesses the highest levels of trust and accountability within. (73 < Score ≤ 90) 100 18.7 3 Proactive - safety leadership and values drive continuous improvement. (55 < Average Score ≤ 73) 75 14.0 2 Calculative - systems in place to manage hazards. (37 < Score ≤ 55) 50 9.4 1 Reactive - safety is important and much is done every time there is an accident. (19 < Score ≤ 37) 25 4.7 0 Pathological - lowest level of safety culture where the organization does not care about safety unless caught by way of an accident or regulatory violation (0 < Score ≤ 19) 0 0 Level Description 195 Organizational Learning, Quality Improvement, and Flexibility Summary level measure of 10 performance measures from the assessment tool provided in Ten Steps to a Learning Organization by Peter Kline and Bernard Saunders. A term that describes an organization that actively creates, captures, manages, transfers, and mobilizes knowledge to enable it to adapt to changing demands. Level Description Utility Global Weight 4 The organization exhibits the qualities of organizational learning and quality improvement to a very great extent. (4 < Average Score ≤ 5) 100 21.0 3 The organization exhibits the qualities of organizational learning and quality improvement to a great extent. (3 < Average Score ≤ 4) 75 15.8 2 The organization exhibits the qualities of organizational learning and quality improvement to a moderate extent. 
(2 < Average Score ≤ 3) 50 10.5 1 The organization exhibits the qualities of organizational learning and quality improvement to a slight extent. (1 < Average Score ≤ 2) 25 5.3 0 The organization does not exhibit, or does so poorly, the qualities of organizational learning and quality improvement. (0 < Average Score ≤ 1) 0 0.0 Analysis The employment of risk, vulnerability, and threat analysis, impact scenarios, and other analytic tools and methods to assess the current and potential state of the organization. Level 4 3 2 1 0 Description The organization uses analytical tools and methods to assess the current and potential state of the organization to a very great extent. (4 < Average Score ≤ 5) The organization uses analytical tools and methods to assess the current and potential state of the organization to a great extent. (3 < Average Score ≤ 4) The organization uses analytical tools and methods to assess the current and potential state of the organization to a moderate extent. (2 < Average Score ≤ 3) The organization uses analytical tools and methods to assess the current and potential state of the organization to a slight extent. (1 < Average Score ≤ 2) The organization does not, or to a minimal level, use analytical tools and methods to assess the current and potential state of the organization. (0 < Average Score ≤ 1) 196 Utility Global Weight 100 4.1 75 3.1 50 2.1 25 1.0 0 0.0 Solution Design The means to identify and develop the most cost effective risk mitigation and disaster and crisis recovery solutions (including crisis management command structure). Level Description Utility Global Weight 4 The organization identifies and develops cost effective risk mitigation and crisis recovery solutions to a very great extent. (4 < Average Score ≤ 5) 100 6.6 3 The organization identifies and develops cost effective risk mitigation and crisis recovery solutions to a great extent. 
(3 < Average Score ≤ 4) 75 5.0 2 The organization identifies and develops cost effective risk mitigation and crisis recovery solutions to a moderate extent. (2 < Average Score ≤ 3) 50 3.3 1 The organization identifies and develops cost effective risk mitigation and crisis recovery solutions to a slight extent. (1 < Average Score ≤ 2) 25 1.7 0 The organization does not identify or develop cost effective risk mitigation and crisis recovery solutions or does so minimally. (0 < Average Score ≤ 1) 0 0.0 Implementation Execution of risk mitigation and disaster and crisis recovery solutions that emerge from the solution design phase. Level Description Utility Global Weight 4 The organization funds and executes designed solutions to a very great extent. (4 < Average Score ≤ 5) 100 7.1 3 The organization funds and executes designed solutions to a great extent. (3 < Average Score ≤ 4) 75 5.3 2 The organization funds and executes designed solutions to a moderate extent. (2 < Average Score ≤ 3) 50 3.6 1 The organization funds and executes designed solutions to a slight extent. (1 < Average Score ≤ 2) 25 1.8 0 The organization does not, or poorly, funds or executes risk mitigation and disaster recovery solutions. (0 < Average Score ≤ 1) 0 0.0 197 Testing and Acceptance The means to detect potential disturbances and ascertain the effectiveness and acceptance of plans and processes. Utility Global Weight 4 The organization detects potential disturbances and determines the effectiveness and acceptance of risk mitigation plans and solutions to a very great extent. (4 < Average Score ≤ 5) 100 4.4 3 The organization detects potential disturbances and determines the effectiveness and acceptance of risk mitigation plans and solutions to a great extent. (3 < Average Score ≤ 4) 75 3.3 2 The organization detects potential disturbances and determines the effectiveness and acceptance of risk mitigation plans and solutions to a moderate extent. 
(2 < Average Score ≤ 3) 50 2.2 1 The organization detects potential disturbances and determines the effectiveness and acceptance of risk mitigation plans and solutions to a slight extent. (1 < Average Score ≤ 2) 25 1.1 0 The organization does not, or minimally, detects potential disturbances or determines the effectiveness and acceptance of risk mitigation plans and solutions. (0 < Average Score ≤ 1) 0 0.0 Level Description Maintenance Periodic; 1) information updating and testing, 2) testing and verification of technical solutions, and 3) testing and verification of organization recovery procedures. Level Description Utility Global Weight 4 The organization tests and updates its systems, solutions, and procedures to a very great extent. (4 < Average Score ≤ 5) 100 3.3 3 The organization tests and updates its systems, solutions, and procedures to a great extent. (3 < Average Score ≤ 4) 75 2.5 2 The organization tests and updates its systems, solutions, and procedures to a moderate extent. (2 < Average Score ≤ 3) 50 1.7 1 The organization tests and updates its systems, solutions, and procedures to a slight extent. (1 < Average Score ≤ 2) 25 0.8 0 The organization does not test or update its systems, solutions, and procedures or if it does so, it is done minimally. (0 < Average Score ≤ 1) 0 0.0 198 Emergency / Incident Response and Business Recovery An emergency is a situation that possesses an immediate risk to health, life, property, reputation, the environment, and finances. Business recovery is interested in the organization's ability to self-restore following an incident. Level Description Utility Global Weight 4 The organization responds to emergencies and incidents and incorporates business recovery methods and practices to a very great extent. (4 < Average Score ≤ 5) 100 10.7 3 The organization responds to emergencies and incidents and incorporates business recovery methods and practices to a great extent. 
(3 < Average Score ≤ 4) Utility: 75; Global Weight: 8.0
Level 2: The organization responds to emergencies and incidents and incorporates business recovery methods and practices to a moderate extent. (2 < Average Score ≤ 3) Utility: 50; Global Weight: 5.4
Level 1: The organization responds to emergencies and incidents and incorporates business recovery methods and practices to a slight extent. (1 < Average Score ≤ 2) Utility: 25; Global Weight: 2.7
Level 0: The organization does not, or poorly responds to emergencies / incidents or employ business recovery methods and practices. (0 < Average Score ≤ 1) Utility: 0; Global Weight: 0.0

Objectives and Strategic Direction
A strategic direction is a long term plan of action designed to achieve an objective, i.e. a specific goal.
Level 4: The organization broadly promotes and supports the establishment and use of strategic objectives to a very great extent. (4 < Average Score ≤ 5) Utility: 100; Global Weight: 9.7
Level 3: The organization broadly promotes and supports the establishment and use of strategic objectives to a great extent. (3 < Average Score ≤ 4) Utility: 75; Global Weight: 7.3
Level 2: The organization broadly promotes and supports the establishment and use of strategic objectives to a moderate extent. (2 < Average Score ≤ 3) Utility: 50; Global Weight: 4.9
Level 1: The organization broadly promotes and supports the establishment and use of strategic objectives to a slight extent. (1 < Average Score ≤ 2) Utility: 25; Global Weight: 2.4
Level 0: The organization does not, or poorly promote or support the establishment and use of strategic objectives. (0 < Average Score ≤ 1) Utility: 0; Global Weight: 0.0

Policies, Rules, Regulations, and Operating Procedures
Deliberate plans of action to guide decisions and achieve rational outcomes by way of adherence to laws, rules, regulations, and operational requirements.
Level 4: The organization uses formal methods to guide decisions and actions and adheres to laws, rules, regulations, and operational requirements to achieve rational outcomes to a very great extent. (4 < Average Score ≤ 5) Utility: 100; Global Weight: 2.0
Level 3: The organization uses formal methods to guide decisions and actions and adheres to laws, rules, regulations, and operational requirements to achieve rational outcomes to a great extent. (3 < Average Score ≤ 4) Utility: 75; Global Weight: 1.5
Level 2: The organization uses formal methods to guide decisions and actions and adheres to laws, rules, regulations, and operational requirements to achieve rational outcomes to a moderate extent. (2 < Average Score ≤ 3) Utility: 50; Global Weight: 1.0
Level 1: The organization uses formal methods to guide decisions and actions and adheres to laws, rules, regulations, and operational requirements to achieve rational outcomes to a slight extent. (1 < Average Score ≤ 2) Utility: 25; Global Weight: 0.5
Level 0: The organization does not use formal methods to guide decisions and actions and minimally complies with laws, rules, regulations, and operational requirements. (0 < Average Score ≤ 1) Utility: 0; Global Weight: 0.0

Decision-Making Process
Transparent fact-based analytic deliberative processes and methods for making judgments or reaching conclusions are used where appropriate.
Level 4: The organization uses formal methods to guide decisions and actions and adheres to laws, rules, regulations, and operational requirements to achieve rational outcomes to a very great extent. (4 < Average Score ≤ 5) Utility: 100; Global Weight: 5.2
Level 3: The organization uses formal methods to guide decisions and actions and adheres to laws, rules, regulations, and operational requirements to achieve rational outcomes to a great extent. (3 < Average Score ≤ 4) Utility: 75; Global Weight: 3.9
Level 2: The organization uses formal methods to guide decisions and actions and adheres to laws, rules, regulations, and operational requirements to achieve rational outcomes to a moderate extent. (2 < Average Score ≤ 3) Utility: 50; Global Weight: 2.6
Level 1: The organization uses formal methods to guide decisions and actions and adheres to laws, rules, regulations, and operational requirements to achieve rational outcomes to a slight extent. (1 < Average Score ≤ 2) Utility: 25; Global Weight: 1.3
Level 0: The organization does not use formal methods to guide decisions and actions and minimally complies with laws, rules, regulations, and operational requirements. (0 < Average Score ≤ 1) Utility: 0; Global Weight: 0.0

Communication
An act or instance of exchanging information, e.g. verbal or written messages.
Level 4: The organization communicates effectively internally and externally to a very great extent. (4 < Average Score ≤ 5) Utility: 100; Global Weight: 4.7
Level 3: The organization communicates effectively internally and externally to a great extent. (3 < Average Score ≤ 4) Utility: 75; Global Weight: 3.5
Level 2: The organization communicates effectively internally and externally to a moderate extent. (2 < Average Score ≤ 3) Utility: 50; Global Weight: 2.4
Level 1: The organization communicates effectively internally and externally to a slight extent. (1 < Average Score ≤ 2) Utility: 25; Global Weight: 1.2
Level 0: The organization does not communicate well internally or externally. (0 < Average Score ≤ 1) Utility: 0; Global Weight: 0.0

Monetary & Non-Monetary Support
Organization-wide policies and practices that overtly support action, e.g. risk assessment and analysis, implementation of projects, and funding initiatives to eliminate and mitigate risks.
Level 4: The organization supports projects and initiatives that eliminate and mitigate risks to a very great extent. (4 < Average Score ≤ 5) Utility: 100; Global Weight: 2.5
Level 3: The organization supports projects and initiatives that eliminate and mitigate risks to a great extent. (3 < Average Score ≤ 4) Utility: 75; Global Weight: 1.9
Level 2: The organization supports projects and initiatives that eliminate and mitigate risks to a moderate extent. (2 < Average Score ≤ 3) Utility: 50; Global Weight: 1.3
Level 1: The organization supports projects and initiatives that eliminate and mitigate risks to a slight extent. (1 < Average Score ≤ 2) Utility: 25; Global Weight: 0.6
Level 0: The organization does not overtly support projects or initiatives to eliminate or mitigate risks or if it does, it does so minimally.
(0 < Average Score ≤ 1) Utility: 0; Global Weight: 0.0

Appendix G Survey forms

Figure 19 – HRRO Survey Forms

Safety Culture (Source: Hearts and Minds)

Instructions: For each of the 18 statements / questions, insert a 1 in the box below the description with which you most agree.

A. Is management interested in communicating health, safety, and environment (HSE) issues with the workforce?
Pathological: Management only communicates HSE issues by telling workers not to cause problems.
Reactive: After incidents 'flavor of the month' HSE messages are passed down from top management. Any interest gets less over time as things get 'back to normal'.
Calculative: Management shares a lot of information with workers and has frequent HSE initiatives. Management does a lot of talking but is not really listening.
Proactive: There is a two-way process of communication about HSE issues in place. Asking as well as telling goes on.
Generative: There is frequent and clear two-way communication about HSE issues in which management gets more information back than they provide. Everyone knows when there is an incident.

B. Commitment level of workforce and level of care for colleagues
Pathological: "Who cares as long as we don't get caught?" Individuals look after themselves.
Reactive: 'Look out for yourself' is the rule. Public statements about caring for colleagues are made just after accidents by both management and workforce. This emphasis fades away after a period of good HSE performance.
Calculative: Management's increasing awareness of the costs of failure spreads down the organization. People know what to say about HSE, but do not always completely do what they talk about.
Proactive: The workforce feels proud of their HSE performance and wants to do better. People care for other people and the environment.
Generative: Levels of commitment and care are very high at all levels. They are driven by employees who show passion about living up to their high personal standards. It's seen as a family tragedy if someone gets hurt.

C. What are the rewards of good HSE performance?
Pathological: No rewards are given or expected for good HSE performance - staying alive is reward enough. There are often punishments for failure.
Reactive: There are punishments for poor HSE performance. Rewarding behavior is not common. Bonuses are reduced when there are accidents.
Calculative: Good HSE performance is said to be very important. Safety awards such as T-shirts or baseball hats are made. There are safety competitions and quizzes. Incident rates are used when calculating bonuses.
Proactive: Good HSE performance is rewarded and considered in promotion reviews. Staff appraisal is based on carrying out the right processes as well as (not) having incidents.
Generative: Recognition of good HSE performance is seen as being high value. Good performance motivates people without them needing extra rewards.

D. Who causes accidents in the eyes of management?
Pathological: Individuals are blamed, and it is believed that accidents are a part of the job. Those directly involved in accidents are held responsible for them.
Reactive: There are attempts to remove 'accident-prone' individuals. It is believed that accidents are often just bad luck. Management considers the lower levels of the organization to cause the problems.
Calculative: Faulty machinery, poor maintenance and people are seen as causes of incidents. There are attempts to reduce exposure to hazards. Accidents are blamed on 'the system'.
Proactive: Management looks at the whole HSE system, including processes and procedures when considering accident causes. They admit that management must take some of the blame.
Generative: Blame is not an issue. Management accepts responsibility when assessing what they personally could have done to remove underlying causes. They take a broad view of HSE, looking at the overall interaction of systems and people.

E. Balance between HSE and profitability
Pathological: Making money is the only concern. HSE is seen as costing money, and the only important issue is avoiding extra costs.
Reactive: Saving money by cost-cutting is important, but money is spent to make the HSE improvements necessary to comply with legal requirements. Continuing operations is priority number one.
Calculative: It is not clear how HSE and profitability are balanced. Line spends most of its time on operational issues. Line managers know how to say the right things, but do not always do what they say they should do, especially if it costs money.
Proactive: The company tries to make HSE the top priority, while understanding that HSE contributes to making profits. The company is quite good at combining profitability and HSE, and accepts delays to get contracts up to standard in terms of HSE.
Generative: Management believes that HSE makes money so balancing HSE and making good profits is a non-issue. The company's plans include time and resources to get contractors up to standard in terms of HSE.

F. Contractor management
Pathological: Contractors are expected to get the job done with minimum effort and expense. HSE problems are entirely the responsibility of the contractor.
Reactive: Contractor HSE management becomes important after an incident. The most important issue when selecting a contractor is price, but poor safety performance has consequences for choosing contractors.
Calculative: Contractors have to meet extensive prequalification requirements, based on questionnaires and statistics. HSE standards are lowered if no contractor meets the requirements. Contractors have to get up to a standard using their own resources.
Proactive: Contractor prequalification requires proof that there is a working HSE-management system. There are joint company-contractor HSE efforts and the company helps with contractor training.
Generative: No compromises are made for contractor HSE capability. Solutions to HSE problems are found together with contractors. Postponement of the job until HSE requirements are met is accepted.

G. Competency / training - are workers interested?
Pathological: Workers don't mind exchanging a harsh working environment for a couple of hours training off the job. HSE training is seen as a necessary evil; they attend training when it is required by law.
Reactive: Training is aimed at the person - "if we can change their attitudes everything will be alright". After an incident some extra money is made available for specific training programmes, but the effort decreases over time.
Calculative: Competence matrices are present and lots of standard training is given. Knowledge acquired on courses is tested. Employees are keen to show they have attended all the necessary courses. There is some on-the-job transfer of training to other workers.
Proactive: Leadership fully acknowledges the importance of tested skills on the job. The workforce is proud to demonstrate their skills in on-the-job assessment. Some training needs are identified by the workplace.
Generative: Inter-personal skills are as important as technical knowledge. Competence development is seen as a never ending process. The workforce asks for training and forms an integral part of the process.

H. What is the size / status of the HSE department?
Pathological: If there is an HSE department it consists of one person or a small staff in the HR department.
Reactive: The HSE department is small and has little power. It is seen as a career dead-end and once in it is hard to get out. The staff is always on call but usually very much in the background. The HSE department is seen as a police force.
Calculative: HSE positions are given to people with good backgrounds who can't be placed elsewhere. The HSE department is large with some status and power, mainly analyzing statistics. The HSE manager reports to a manager reporting to the manag-
Proactive: HSE is seen as an important job, given to high fliers. HSE advice is appreciated by the line. All senior people in operations must have HSE experience. The HSE manager reports directly to the managing director of the company.
Generative: HSE responsibilities are distributed throughout the company. If there is an HSE department it is small but powerful having equal status with other departments.

I. Work planning including permit to work (PTW) and journey management
Pathological: There is no HSE planning and little planning overall. Work planning concentrates on the quickest and cheapest completion of the job.
Reactive: HSE planning is based on what went wrong in the past. There is an informal work planning process focused on managing the time taken for a job.
Calculative: There is a lot of emphasis on hazard analysis and permit to work. There is little use of feedback from incidents to improve planning. People believe that 'the system' works well and will prevent incidents.
Proactive: Work and HSE issues are integrated in planning. Plans are followed through and there is some evaluation of the effectiveness of the planning by supervisors and line management.
Generative: There is a thorough planning process with both anticipation of problems and review of the process. Employees are trusted to do most planning. There is less paper, more thinking, and the planning process is well known and dis-

J. Work-site job safety techniques
Pathological: Work-site job safety techniques are not used. "Look out for yourself".
Reactive: After accidents a standard work-site hazard management technique is brought in. There is little systematic use of such techniques after their initial introduction.
Calculative: A commercially available job safety technique is introduced to meet the requirements of the management system. Having this technique leads to little action. Numbers of reports are used to show that the system is working.
Proactive: Job safety analysis / job safety observation techniques are accepted by the workforce as being in their own interest. They think these methods are standard practice. Workers and supervisors tell each other about hazards.
Generative: Job safety analysis as a work-site hazard management technique is often revised using a defined process.

K. What is the purpose of procedures?
Pathological: The company makes HSE procedures only when really necessary. They are seen as limiting people's activities in order to avoid lawsuits or harm to assets.
Reactive: The purpose of HSE procedures is to prevent individual incidents from happening again. They are often written in response to accidents and their overall effect may not be considered in detail.
Calculative: There are many HSE procedures, serving as 'barriers' to prevent incidents. Some HSE procedures are replaced by training and competency requirements.
Proactive: HSE procedures spread best practice but are seen as occasionally inconvenient by a competent workforce. Efforts are made to remove rules and procedures that are hard to follow.
Generative: There is trust in employees that they can recognize situations where the rules should be challenged. Noncompliance to HSE procedures goes through clearly defined channels. Procedures are continuously refined for efficiency.

L. Incident / accident reporting, investigation analysis
Pathological: Many incidents are not reported. Investigation only takes place after a serious accident. Analyses do not consider human factors nor go beyond legal requirements. The priority is to protect the company and its profits.
Reactive: There is an informal reporting system and investigation of incidents is aimed only at immediate causes, with a paper trail to show an investigation has taken place. Investigation focuses on finding who is guilty. There is little systematic follow up and previous similar events are not considered.
Calculative: There are incident investigation procedures producing lots of data and action items, but opportunities to address the real issues are often missed. Follow-up concentrates on local issues. Remedial actions concentrate on training and procedural solutions.
Proactive: There are trained incident investigators, with systematic follow-up to check that required changes have taken place and been maintained. Reports are sent out company-wide to share the lessons learned. There is little creativity in finding how the underlying issues could affect the business.
Generative: Investigation and analysis is driven by a good understanding of how accidents happen. Issues are identified by aggregating information from a wide range of incidents. Follow up is systematic, to check that change occurs and is maintained.

M. Hazard and unsafe acts reporting
Pathological: There are no hazard or unsafe act repairs.
Reactive: Reporting of hazards and unsafe acts is simple and factual. Focus is on determining who or what caused the situation. The company does not track what actions are taken after reports are submitted.
Calculative: Hazard and unsafe act reports follow a fixed format for categorization and documentation of observations. The number of reports is what counts. The company requires completed forms without blank spaces. Management sets goals based on the number of reports made.
Proactive: Hazard and unsafe act reporting looks for 'why' rather than just 'what' or 'when'. Quick submission of reports is normal. Management sets goals for quality of reports and follow up of recommendations.
Generative: All levels of the organization actively access and use the information generated by hazard and unsafe act reports in their daily work.

N. What happens after an accident? Is the feedback loop being closed?
Pathological: After an accident the focus is on the employees involved and they are often fired. The priority is to limit damage and get back to production.
Reactive: Line management is annoyed by 'stupid' accidents. After an accident investigation reports are not passed up the line if it can be avoided. Warning letters are sent by management.
Calculative: Workforce report their own incidents but maintain distance with contractor incidents. Top management get angry when they hear of an incident - "what does this do to our statistics?"
Proactive: Management is disappointed but asks about the well-being of those involved. Investigation focuses on underlying causes and the results are fed back to the supervisory level.
Generative: Top management is seen amongst the people involved directly after an incident. They show personal interest in individuals and the investigation process. Employees take accidents involving others personally.

O. Who checks HSE on a day-to-day basis?
Pathological: There is no formal system for checking for HSE problems on a daily basis. Individuals are supposed to take care of themselves.
Reactive: There is reliance on outside experts to spot problems. Superficial checks are performed by line supervision / management when they are visiting, mostly after incidents or inefficiencies. There is no formal system for follow-up.
Calculative: Site activities are regularly checked by the line for HSE issues, but not on a daily basis. Inspections aim to check that procedures are being followed.
Proactive: Supervisors encourage work teams to check HSE for themselves. Managers doing walk-rounds are seen as sincere. Internal cross-inspections, i.e. between company departments, take place involving managers and supervisors.
Generative: Everyone checks for HSE hazards, looking out for themselves and their work-mates. Supervisor inspections are largely unnecessary.

P. How do HSE meetings feel?
Pathological: HSE meetings, if they happen, are seen as a waste of time. They are run by the boss or a supervisor, and are felt to be a formality. Conversation often turns to sport or cars.
Reactive: HSE meetings are poorly attended and unpopular with the workforce. They provide opportunities to blame people for incidents and form a standard response to an accident. Toolbox meetings may be dominated by non-work issues.
Calculative: HSE meetings are seen as standard practice but offer limited interaction between supervisors and workforce. The regular scheduled meetings are highly structured. Toolbox meetings are run on a strict agenda.
Proactive: HSE meetings feel like a genuine forum for interaction across the company. At lower levels all meetings are HSE meetings and are used to identify problems before they occur.
Generative: HSE meetings can be called by any employee, taking place in a relaxed atmosphere, with managers attending by invitation. Toolbox meetings are short and focused on ensuring everyone is prepared for any problems that might arise.

Q. Audits and reviews
Pathological: There is unwilling compliance with statutory HSE inspection requirements. Audits are mainly financial. HSE audits are unstructured and occur only after major accidents.
Reactive: People accept HSE audits as inescapable, especially after serious or fatal accidents. There is no schedule for audits and reviews, as they are seen as a punishment.
Calculative: There is a regular, scheduled HSE audit program. It concentrates on known high hazard areas. Managers are happy to audit others, but being audited is less welcome. Audits are structured in terms of management systems.
Proactive: There is an extensive audit program including cross-auditing within the organization. Management and supervisors realize that they may not be best able to judge and welcome outside help. Audits are seen as positive even though they are painful.
Generative: HSE aspects are integrated in the audit system that runs smoothly with good follow up. There is continuous informal searching for non-obvious problems, with outside help when it is needed. Audits focus on behaviors as well as hardware and systems.

R. Benchmarking, trends and statistics
Pathological: There is compliance with statutory HSE reporting but little more than that. Benchmarking is only on finance and production.
Reactive: Management worries about the cost of accidents and the company's position in the 'league tables'. Statistics report the immediate causes of accidents.
Calculative: Benchmarking occurs on a wide variety of industry HSE data. Managers display lots of data publicly throughout the organization. There is focus on current problems that can be measured objectively and summarized using numbers.
Proactive: Benchmarking is against others in the same industry and is driven by management - "try to be the best in the industry". Look for leading indicators, analyze trends, understand them, and use them to adapt strategy. Explain findings to supervisors.
Generative: Benchmark outside the industry, using both 'hard' (outcome) and 'soft' (process) measures. All levels of the organization are involved in identifying action points for improvement.

Column Sum: Pathological 0; Reactive 0; Calculative 0; Proactive 0; Generative 0
Weighting Factor: Pathological 1; Reactive 2; Calculative 3; Proactive 4; Generative 5
Weighted Column Sum: Pathological 0; Reactive 0; Calculative 0; Proactive 0; Generative 0
Score: 0; Global Weight: 0

Organizational Learning, Quality Improvement, and Flexibility (Source: Ten Steps to a Learning Organization by Peter Kline & Bernard Saunders)

Response options: 1 = Not at all; 2 = To a slight extent; 3 = To a moderate extent; 4 = To a great extent; 5 = To a very great extent

Column headings: Assessing Your Learning Culture; Promote the Positive; Make the Workplace Safe for Thinking; Reward Risk-taking; Help People Become Better Resources for each Other; Put Learning Power to Work; Map Out the Vision; Bring the Vision to Life; Connect the Systems; Get the Show on the Road

1. People feel free to speak their minds about what they have learned. There is no fear, threat or repercussion for disagreeing or dissenting.
2. Mistakes made by individuals or departments are turned into constructive learning organizations.
3. There is a general feeling that it's always possible to find a better way to do something.
4. Multiple viewpoints and open productive debates are encouraged and cultivated.
5. Experimentation is endorsed and championed, and is a way of doing business.
6. Mistakes are clearly viewed as positive growth opportunities throughout the system.
7. There is willingness to break old patterns in order to experiment with different ways of organizing and managing daily work.
8. Management practices are innovative, creative, and periodically risk-taking.
9. The quality of work life in our organization is improving.
10. There are formal and informal structures designed to encourage people to share what they learn with their peers and the rest of the organization.
11. The organization is perceived as designed for problem-solving and learning.
12. Learning is expected and encouraged across all levels of the organization: management, employees, supervision, union, stockholders, customers.
13. People have an overview of the organization beyond their specialty and function, and adapt their working patterns to it.
14. "Lessons learned" sessions are conducted so as to produce clear, specific and permanent structural and organizational changes.
15. Management practices, operations, policies and procedures that become obsolete by hindering the continued growth of people and the organization are removed and replaced with workable systems and structures.
16. Continuous improvement is expected and treated receptively.
17. There are clear and specific expectations of each employee to receive a specified number of hours of training and education annually.
18. Workers at all levels are specifically directed towards relevant and valuable training and learning opportunities - inside and outside the organization.
19. Cross-functional learning opportunities are expected and organized on a regular basis, so that people understand the functions of others whose jobs are different, but of related importance.
20. Middle managers are seen as having the primary role in keeping the learning process running smoothly throughout the organization.
21. The unexpected is viewed as an opportunity for learning.
22. People look forward to improving their own competencies as well as those of the whole organization.
23. The systems, structures, policies and procedures of the organization are designed to be adaptive, flexible, and responsive to internal and external stimuli.
24. Presently, even if the environment of the organization is complicated, chaotic, and active, nevertheless it is not on overload.
25. There is a healthy, manageable level of stress that assists in promoting learning.
26. Continuous improvement is practiced as well as preached.
27. The difference between training/education and learning is clearly understood. (Training and education can be so conducted that no learning takes place.)
28. People are encouraged and provided the resources to become self-directed learners.
29. There is a formal, on-going education program to prepare middle managers in their new roles as teachers, coaches and leaders.
30. Recognition of your own learning style and those of co-workers is used to improve communication and over-all organizational learning.
31. Management is sensitive to learning and development differences in their employees, realizing that people learn and improve their situations in many different ways.
32. There is sufficient time scheduled into people's professional calendars to step back from day-to-day operations and reflect on what is happening in the organization.
33. There is direction and resource allocation planned to bring about meaningful and lasting learning.
34. Teams are recognized and rewarded for their innovative and paradigm breaking solutions to
35. Managers have considerable skills for gathering information and developing their abilities to cope with demanding and changing management situations.
36. Managers enable their staffs to become self-developers, and learn how to improve their performance.

Column Sum (ten columns, in the order listed on the form): 0 in each column
Number of Possible Responses (same column order): 10; 11; 15; 13; 14; 19; 6; 9; 9; 7
Average (same column order): 0.0 in each column
Average Score: 0; Global Weight: 0.0

Response options: 1 = Not at all; 2 = To a slight extent; 3 = To a moderate extent; 4 = To a great extent; 5 = To a very great extent

Analysis (enter response below)
1. Formal organizational practices and support systems in place to identify potential risks and vulnerabilities including costs associated with lost production and business interruption, collateral costs, increased insurance premiums, drop in market share, and transportation costs.
2. The organization analyzes the potential impact from both external and internal risks preemptively and post impact and does so frequently.
3. Quantitative and qualitative methods and analytical tools are used where appropriate.
4. Deliberate effort is expended to determine whether small disturbances and failures, latent problems, or combinations thereof could credibly propagate or magnify.
Summary [Analysis]: Column Sum: 0; Average Score: 0.0; Global Weight: 0

Solution Design (enter response below)
1. Formal analytic deliberative decision support models, that take into consideration potential credible risks, non-monetary factors, organizational values, and monetary-based methods such as life cycle costing and benefit cost ratio, are used regularly to optimize solutions and select opportunities for implementation.
2. The organization's crisis management command structure is compatible with and operates according to principles set forth by the National Incident Management System (NIMS).
Summary: Column Sum: 0; Average Score: 0.0; Global Weight: 0

Implementation (enter response below)
1. Designed solutions are executed preemptively according to organization-wide priorities derived by transparent and defendable analytic-deliberative risk-based methods.
2. Risk mitigation and business continuity budget funds are set aside annually and according to organization-wide priorities.
Summary: Column Sum: 0; Average Score: 0.0; Global Weight: 0

Testing and Acceptance (enter response below)
1. System performance measures of primary and enabling systems/processes are sampled frequently and plotted against pre-established and widely known performance standards.
2. Socio-political and climatic events and external systems controlled by others (supply chain & competitors) that could credibly impact the system are monitored frequently and systematically.
3–6. Formal organizational practices and support systems in place to gather data from individuals, organizational systems, and external sources. Small failures are tracked as they could be precursors to large failures. Departures from standards and information regarding disturbances are investigated immediately and passed on to others for analysis. It is the obligation of every person, no matter their rank, to report potential system disturbances or hazards. Data is archived and accessible for long-term investigations.
Summary: Column Sum: 0; Average Score: 0.0; Global Weight: 0

Maintenance (enter response below)
1. Comprehensive examinations of all critical systems, operations, and infrastructures and their interdependencies are undertaken in accordance with organization-wide values.
2. Examinations take place no more than one year apart and are scheduled so that there is time to complete the installation, including testing, of a countermeasure before it is needed. That is, if a countermeasure is intended to mitigate a season driven hazard the countermeasure should be installed prior to the next season.
3. Latent problems are surfaced and evaluated.
4. Experiences are collected as events unfold by comparing plans to actual results and feeding learning back into the operation continuously so that changes can be made quickly.
5. Formal after action reviews (AAR) are initiated within 24 hours of the cessation of the event. Evaluation, planning, and implementation of findings begins soon after AAR is completed. Funding for independent studies following major accidents is available.
6. Evaluation, design, planning, and implementation of findings begins soon after the AAR is completed.
Summary: Column Sum: 0; Average Score: 0.0; Global Weight: 0

Emergency / Incident Response and Business Recovery (enter response below)
1. Roles, hierarchy, responsibilities, span of control, back-up supplies, methods, and production sites, available resources, procedures, mass notification processes, staffing rules and regulations, supplementary call-in and vendor staff acquisition processes, resource allocation and reallocation processes are clearly defined and broadly known and understood.
2–6. Emergency / incident response and business recovery systems are tested by way of credible scenario-based drills that mimic real emergencies and recovery opportunities. Relevant information is readily and effectively passed to and from external responders, i.e. local fire and police services, and business recovery assistance entities, internal and external, when situations dictate. Funding is available from internal and readily acquirable external (insurance) sources to respond and recover from emergencies and incidents. For example, for the repair or replacement of damaged or destroyed equipment, rental of temporary equipment, repairs made to buildings, off-site assets, compensation for internal personnel, contractor costs, lost time, fire and emergency medical services, health monitoring, fines, court costs, costs to neighbors, loss of exports and increased imports, and lost tax revenue. Emergencies and incidents are quickly stabilized and the site is quickly protected. Evacuation and support systems, environmental cleanup, decontamination, and restoration, and temporary accommodations and facilities are quickly implemented. Training and refresher training is comprehensive and conducted frequently.
Summary: Column Sum: 0; Average Score: 0.0; Global Weight: 0

Objectives and Strategic Direction (enter response below)
1. Organizational strategic objectives are clearly articulated and broadly disseminated and known.
Strategic objectives are created by way of input from a diverse group of employees. A system is in place to measure performance against objectives. Column Sum Average Score 0.0 Global Weight 0 Policies, Rules, Regulations, and Operating Procedures 1 2 3 4 5 0 Enter Response Below Organization mission, policies, and procedures are clearly written, broadly available, and consistently applied throughout the organization. The organization analyzes the potential impact from both external and internal risks preemptively and does so frequently. Updates are made when required and quickly disseminated. Performance is measured against compliance. Policies and procedures are created by way of input from a diverse group of employees. Column Sum 224 0 Average Score 0.0 Global Weight 0 Enter Response Below Decision-Making Process 1 2 3 The decision-making process is widely known and is consistently applied. All personnel clearly know how decisions will be made for given circumstances and their place in the process, e.g. the decision-making process for emergencies is different than the decision-making process for non-emergencies; however, each person knows the process that is in-place at any time. All personnel know the bounds of their decision authority. 4 Decision processes are transparent and defendable. Analytical methods are used in the decision-making process where appropriate. 5 Risks are considered, even for decisions that may appear quite mundane by encouraging personnel to ask questions such as, what could happen next. Column Sum 225 0 Average Score 0.0 Global Weight 0 Enter Response Below Communication 1 The person (s) with information has the obligation to pass it on to those who need it or in a better position to respond. The flow of information is not impeded by rank or affiliation, e.g. customer. 3 A proactive system exists for informing stakeholders, e.g. 
personnel, customers, abutters, and the surrounding community and for eliciting, receiving and responding to concerns there from. Managers and supervisors seek opportunities to reinforce communication concepts and practices. 4 Managers and supervisors monitor a variety of information sources to gain confidence that critical messages are communicated. 2 6 Multiple, secure, and anonymous means exist for all to report potential hazards and provide input on operations and safety policies, issues, and needs without fear of retaliation. Management promptly responds to customer and personnel concerns. 7 Communication processes and practices are reviewed frequently with personnel during basic orientation and other training. 5 Column Sum Implementation Average Score Global Weight 226 0 0.0 0 Enter Response Below Monetary and Non-Monetary Support 1 The organization seeks out opportunities to prevent the impact of, or mitigate if prevention not possible, a hazard or disturbance by putting into place protective measures or implementing modifications prior to the onset of a hazard or disturbance. Preemptive intervention applies to physical constructions as well as changes and additions to organizational processes. 2 Practices in place, and part of the core business, to accept a recommended and prioritized list of projects, adjust if necessary, and make final decision whether and to which level each project is funded, staffed, and given other resources, and to do so in context of the entire organization. 3 Countermeasure and mitigation project funds are established on an annual basis as a separate line item that cannot be easily used for other purposes. Column Sum Testing and Acceptance Average Score Global Weight 227 0 0.0 0 228 Appendix H Prioritizing infrastructure renewal projects in MIT Department of Facilities H.1 Intent The purpose of the following is to substantiate by example the process used to develop the HRRO model introduced in this dissertation, i.e. 
describe the project management process that led to the development of a decision support methodology, stakeholder engagement and involvement, the evolution of the model since its inception, and lessons learned. If the reader desires a detailed technical discussion, please refer to A method for the efficient prioritization of infrastructure renewal projects by D. Karydas and J. Gifun (Karydas & Gifun, 2006).

H.2 Process design and management

Two paths were defined and followed during process design and thereafter. One called for the education of stakeholders in the principles and practices used in the decision sciences, particularly multi-attribute utility theory and the analytic hierarchy process. The other engaged the stakeholders in the construction and operation of the model that would eventually enable the stakeholders to select infrastructure renewal projects for funding.

Throughout every phase of the project, the facilitators, D. Karydas and J. Gifun, used a strawman proposal approach, i.e., draft versions of methods and documents were presented to the stakeholders for their reaction on an iterative basis. This approach was used because the facilitators believed it would achieve a result more quickly than starting from the beginning without a draft proposal. The facilitators believed that it did so without sacrificing stakeholder buy-in and creativity. Along with several ad hoc meetings between stakeholder and facilitator, the stakeholders participated in four workshops and one meeting devoted to benchmarking. Table 30 shows the chronology of the project.
Date and purpose:
• September 14, 2000 – February 9, 2001: Project development
• February 9, 2001: 1st workshop for Facilities’ stakeholders
• March 2, 2001: 2nd workshop
• March 20, 2001: 3rd workshop
• March 29, 2001: Stakeholder homework
• May 4, 2001: 4th workshop
• May 4, 2001 – June 29, 2006: Model development completion
• May 10, 2001: Benchmark
• July 16, 2001: Develop environmental parameters
• August 21, 2001: 5th Workshop

Content:
• Engage sponsor
• Test concepts with select people and select stakeholders
• Develop draft of infrastructure renewal process and vet with stakeholders on individual basis
• Develop materials for workshops
• Introduction
• AHP tutorial by D. Karydas & J. Gifun
• Research and applications by G. Apostolakis
• Model description
• Define and develop objectives
• Rank objectives
• Pairwise comparisons of impact categories and 1st round of pairwise comparisons of performance measures
• Introduce and review draft definitions of impact categories and performance measure labels
• Develop constructed scales
• Continue pairwise comparisons
• Review material and accept or revise constructed scales
• Pairwise comparisons individual effort
• Review constructed scales and continue pairwise comparisons
• Final draft
• Complete, fine tune model
• Benchmark methodology against projects ranked without methodology
• Brief environmental lawyer and seek assistance to develop environmental constructed scales
• Introduce Expert Choice© computer application
• Test methodology with real projects

Table 30 – Chronology

H.3 Stakeholder engagement

On February 9, 2001, MIT Department of Facilities (DoF) conducted its first workshop with a stakeholder group whose primary purpose was to achieve consensus on funding decisions for building infrastructure renewal projects.
The stakeholders were selected based upon their job responsibilities and knowledge in disciplines such as finance, utilities and electrical engineering, architecture, building operations, civil and structural engineering, space planning, and mechanical engineering. Stakeholders external to DoF, with expertise in the environmental sciences and public relations, were sought out; however, neither was able to participate due to prior commitments. This project was sponsored by the Director of Facilities and led by two co-facilitators.

H.4 Lessons learned

Many of the lessons learned were discussed in A method for the efficient prioritization of infrastructure renewal projects, and the following represent those that have been realized since.
• To date, 353 projects have been prioritized by the methodology.
• Progress during the development stage required more time than originally thought, as concepts were foreign to many stakeholders; however, while stakeholders did not fully understand the theoretical underpinnings of the methodology, the concepts made sense.
• Stakeholders perceived that an index represented by a decimal less than 1 was unimportant and falsely precise; thus the weights were adjusted to produce a score in whole numbers less than 100.

Given the resources we do have, are we spending our money wisely? This is not explicit but I think is actually covered in implementation, objectives and strategic direction. But prioritization of available resources is the only explicit thing I think could be added. These are the attributes or questions I struggled with: Organizational Learning, Quality Improvement, and Flexibility; Testing and Acceptance; and Benchmarking Trends, and Statistics. In most cases, I was not familiar with the processes or practices in place (or the fullest extent of such practices) and believe that whatever is in place is not consistently practiced. No Were there any attributes that you feel were missing?
If yes, please identify those that you feel should be added? No D 50.6 How well did the resulting index match your expectations, i.e. how well does it reflect your impression of the The index is lower than organization? anticipated but accurate. Assessor and HRRO Index C 53.4 If I had to guess these indexes from anecdotal and my experiences contrasting [reserved] program to others I know are better and are worse, I'd say these indexes are appropriate - they met my expectations well. B 53.5 I do not know, since I did not participate in the weighting exercises I do not know how to calibrate my response. The person Some responses didn't in filling out the form must be my mind, match [reserved] clear as to the practices and I was not organizational level they convinced that the answer are evaluating, i.e I chose in default was an department or entire accurate reflection of how organization - I tried to get things are done. an overall average. Questions A 36.9 Table 31 – Compilation of Assessor Feedback Appendix I Compilation of assessor feedback I found some of the attributes to be slightly redundant, for example cross-training and devotion to resources for training. What I do not recall seeing was a reference to whether or not the organization has established clear succession planning strategies. The Safety Culture score seems a bit higher than expected while the remaining indexes fairly paralleled my impression we have accomplished a few things but still have a ways to go and risk analysis needs to be institutionalized. E 70.4 234 Yes, customize language [vocabulary] to relate to my organization. Survey form Safety Culture, question E addresses profitability; therefore, how would a non-profit organization respond? In my opinion a for profit firm is more conscious about safety because it relates to the bottom line; therefore, revise vocabulary. Also, some of the questions were more specific to manufacturing. 
D 50.6 E 70.4 Other than this is a very beta GUI and that I am already a safety professional, I think the questions asked are not leading and are very appropriate. This tool, with proper context added and provided, I think could make an excellent and useful tool for many parts of an organization- labor, management, technical resources, financial personnel, all parts of the organization. A couple of elements should be added to the financial planning element; the organization has contingency plans in place to deal with an extended business disruption and the organization has analyzed supply and service chains for vulnerabilities and has identified mitigating factors. This may provide an additional layer of drilldown in the emergency preparadness section. As for superfluousness, I would say it's more like redundancy. See if you can consolidate the crosstraining questions and add a few items like employees understand their role in building organizational resilience and managers clearly communicate these No, everything is relevant. expectations. Assessor and HRRO Index C 53.4 These are the attributes or questions I struggled with: Organizational Learning, Quality Improvement, and Flexibility; Testing and Acceptance; and Benchmarking Trends, and Statistics. In most cases, I was not familiar with the processes or practices in place (or the fullest extent of such practices) and believe that whatever is in place is not consistently practiced. No B 53.5 Customize vocabulary to make the survey more applicable to the Would you like to make organization. Make clear other changes to the the organizational survey forms including boundaries the assessor is text? If yes, please identify to consider when filling out Customize the text to the changes? the forms. reflect my organization. Were there any attributes that you fell were superfluous? If yes please identify those that you fell are unnecessary? No Questions A 36.9 235 Are there any additional comments you would like to offer? 
Questions B 53.5 I may be light on experience and/or knowledge for some of the areas of interest, which would include professional development outside of the offices in which I work, required training, performance-based appraisals, and lingering influence/lessons learned Applying the results in the and new practices followed post incident or organization is essential near incident. for success. A 36.9 Regarding the 1 - 5 scales I would have liked to select a level between the whole numbers. How do you determine who in an organization is qualified to fill out these forms? Assessor and HRRO Index C 53.4 D 50.6 I think the shareholder issue needs to be addressed as those driving financial and investment planning need some understanding of the components of organizational resilience. Ask organization leaders and shareholders directly whether or not the HRRO index matches their expectations and reflects their impressions of the organization. E 70.4 236 Appendix J Comparison of recommendations from Baker Panel report and HRRO Table 32 – Comparison of Recommendations from Baker Panel Report (Baker et al., 2007) and HRRO Recommendations of Baker Panel (Baker et al., 2007) Process Safety Leadership: The Board of Directors of BP, BP’s executive management, and other members of BP’s corporate management must provide effective leadership on and establish appropriate goals for process safety. Commitment must be demonstrated by articulating a clear message and by matching the message with policies and actions Integrated and Comprehensive Process Safety Management System: Develop a comprehensive process safety management system that systematically and continuously identifies, reduces, and manages process safety risk Implement an integrated comprehensive process safety management system that systematically and continuously identifies, reduces, and manages process safety risk HRRO Criteria and Survey Form Questions that Best Match Recommendation. 
(Letters or numerals in parenthesis that follow criteria refer to applicable survey form questions provided in Appendix G) Objectives and strategic direction (1 ) Monetary and nonmonetary support (1) Solution design (1) Implementation (1) 237 Suggested means by which recommendation could have resulted from HRRO methodology Process safety culture, criterion with applicable performance measures within the risk-based process safety model (Center for Chemical Process Safety, 2007) Process safety culture, criterion with applicable performance measures within the risk-based process safety model Process safety culture, criterion with applicable performance measures within the risk-based process safety model Implementation, criterion with applicable performance measures within the risk-based process safety model Recommendations of Baker Panel (Baker et al., 2007) HRRO Criteria and Survey Form Questions that Best Match Recommendation. (Letters or numerals in parenthesis that follow criteria refer to applicable survey form questions provided in Appendix G) Safety (G) Process Safety Knowledge and Expertise: Develop and implement a system to ensure that all personnel of all levels including executive management posses an appropriate level of process safety knowledge and expertise Process Safety Culture: Emergency / incident Involving relevant stakeholders response and business develop a positive trusting, and recovery (3) open process safety culture within each U.S. refinery Clearly Defined Expectations and Accountability for Process Safety: Clearly define expectations and strengthen accountability for process safety performance at all levels in executive management and in the refining managerial and supervisory reporting line Support for Line Management: Provide more effective and better coordinated process safety support for the U.S. 
refining line Policies, rules, regulations, and operating procedures (1) Monetary and nonmonetary support (1) 238 Suggested means by which recommendation could have resulted from HRRO methodology Process safety competency, criterion with applicable performance measures within the risk-based process safety model Stakeholder outreach, criterion with applicable performance measures within the risk-based process safety model Process safety culture, criterion with applicable performance measures within the risk-based process safety model Process safety culture, criterion with applicable performance measures within the risk-based process safety model Recommendations of Baker Panel (Baker et al., 2007) Leading and Lagging Performance Indicators for Process Safety: Develop an integrated set of leading and lagging performance indicators for monitoring process safety performance by refining line and executive management. Work with U.S. Chemical Safety and Hazard Investigation Board and industry, labor organizations, other governmental agencies, and other agencies to develop a consensus set of leading and lagging indicators for process safety management in the refining and chemical processing industries Implement an integrated set of leading and lagging performance indicators for monitoring process safety performance by refining line and executive management. Work with U.S. Chemical Safety and Hazard Investigation Board and industry, labor organizations, other governmental agencies, and other agencies to develop a consensus set of leading and lagging indicators for process safety management in the refining and chemical processing industries HRRO Criteria and Survey Form Questions that Best Match Recommendation. 
(Letters or numerals in parenthesis that follow criteria refer to applicable survey form questions provided in Appendix G) Testing and acceptance (1) Suggested means by which recommendation could have resulted from HRRO methodology Implementation (1) Process safety culture, criterion with applicable performance measures within the risk-based process safety model 239 Process safety culture, criterion with applicable performance measures within the risk-based process safety model Recommendations of Baker Panel (Baker et al., 2007) Maintain and periodically update an integrated set of leading and lagging performance indicators for monitoring process safety performance by refining line and executive management. Work with U.S. Chemical Safety and Hazard Investigation Board and industry, labor organizations, other governmental agencies, and other agencies to develop a consensus set of leading and lagging indicators for process safety management in the refining and chemical processing industries Process Safety Auditing: Establish and implement an effective system to audit process safety performance at U.S. refineries HRRO Criteria and Survey Form Questions that Best Match Recommendation. (Letters or numerals in parenthesis that follow criteria refer to applicable survey form questions provided in Appendix G) Maintenance (1 – 6) Suggested means by which recommendation could have resulted from HRRO methodology Safety (Q) Auditing, criterion with applicable performance measures within the risk-based process safety model 240 Process safety culture, criterion with applicable performance measures within the risk-based process safety model Recommendations of Baker Panel (Baker et al., 2007) Board Monitoring: BP’s Board should monitor the implementation of the recommendations of the Panel and for a period of at least five years engage an independent monitor to report annually to the Board on BP’s progress in implementing the Panel’s recommendations. 
BP should also report publicly on recommendation implementation progress and ongoing process safety performance Industry Leader: From the lessons learned from the Panel’s report transform BP into a recognized industry leader in process safety management HRRO Criteria and Survey Form Questions that Best Match Recommendation. (Letters or numerals in parenthesis that follow criteria refer to applicable survey form questions provided in Appendix G) Objectives and strategic direction (3) Suggested means by which recommendation could have resulted from HRRO methodology A potential result due to implementing the HRRO program but not measured specifically therein N/A 241 Auditing, criterion with applicable performance measures within the risk-based process safety model 242 Appendix K Comparison of recommendations from COT Institute for Security and Crisis Management report and HRRO Table 33 – Comparison of Recommendations from COT Institute for Security and Crisis Management (Zannoni et al., 2008) and HRRO Recommendations of COT Institute Report (Zannoni et al., 2008) Develop clear plans for large fire safety improvement projects that also include phasing and monitoring HRRO Criteria and Survey Form Questions that Best Match Recommendation. 
(Letters or numerals in parenthesis that follow criteria refer to applicable survey form questions provided in Appendix G) Solution design (1 ) Consult with municipal fire department regarding route taken to access and means to fight fire Emergency / incident response and business recovery (1 & 3) Review procedures for large office buildings including procedures for alarm and communication Emergency / incident response and business recovery (1 ) Use procedures for large office buildings including procedures for alarm and communication to develop training exercises Emergency / incident response and business recovery (2 ) Provide sufficient designated space for incident response coordination team Emergency / incident response and business recovery (1 ) 243 Suggested means by which recommendation could have resulted from HRRO methodology Property loss prevention data sheet (FM Global, 2009a): 10-1 Pre-incident planning with the public fire service Property loss prevention data sheet: 10-1 Pre-incident planning with the public fire service Property loss prevention data sheet: 10-1 Pre-incident planning with the public fire service Property loss prevention data sheet: 10-1 Pre-incident planning with the public fire service Property loss prevention data sheet: 10-1 Pre-incident planning with the public fire service Recommendations of COT Institute Report (Zannoni et al., 2008) Develop clear understanding of expectations regarding conditions under which the fire department would fight a fire within a building when it is known that no people are inside Distribute learning to relevant departments and agencies throughout region HRRO Criteria and Survey Form Questions that Best Match Recommendation. 
(Letters or numerals in parenthesis that follow criteria refer to applicable survey form questions provided in Appendix G) Analysis (2) Emergency / incident response and business recovery (3) Develop means to provide emergency responders information regarding particular vulnerabilities Emergency / incident response and business recovery (3) Conduct crisis scenario-based exercises Emergency / incident response and business recovery (2) 244 Suggested means by which recommendation could have resulted from HRRO methodology Property loss prevention data sheet: 10-1 Pre-incident planning with the public fire service Property loss prevention data sheet: 10-1 Pre-incident planning with the public fire service Property loss prevention data sheet: 10-1 Pre-incident planning with the public fire service Property loss prevention data sheet: 10-2 Emergency Response Appendix L Comparison of recommendations from Ernst and Young report and HRRO Table 34 – Comparison of Recommendations from Ernst & Young (Ernst & Young, 2009) and HRRO Recommendations of Ernst & Young HRRO Criteria and Report (Ernst & Young, 2009) Survey Form Questions that Best Match Recommendation. (Letters or numerals in parenthesis that follow criteria refer to applicable survey form questions provided in Appendix G) Scenario-based training at the strategic Emergency / incident response and business level of the organization From the learning gained from the recovery (2 ) fire develop and implement scenario-based training that engages the strategic level of the organization and incorporates worst case scenarios that include serious injury and death of occupants Emergency / incident Crisis management task force Develop a crisis management task responses and business recovery (1) force formed from the senior management level of TU Delft. The chairperson and members of the task force must be knowledgeable of the specific risks to TU Delft. 
The task force should engage those with diverse knowledge of the fire, security, or risk management. 245 Suggested means by which recommendation could have resulted from HRRO methodology Property loss prevention data sheet (FM Global, 2009a): 10-2 Emergency Response Property loss prevention data sheet: 10-2 Emergency Response Recommendations of Ernst & Young HRRO Criteria and Report (Ernst & Young, 2009) Survey Form Questions that Best Match Recommendation. (Letters or numerals in parenthesis that follow criteria refer to applicable survey form questions provided in Appendix G) The task force should focus on the Analysis (1) first three steps of the six step crisis management preparation process 1. Identification of potential causes of crises 2. Identification, development, and analysis of scenarios Emergency / incident 3. Formation of the crisis response and business management organization recovery (2 ) 4. Provide training and exercises 5. Produce necessary documentation 6. Implement a review and quality improvement process Develop and implement a crisis management project group responsible for implementing the requirements of the task force Learning and improvement Develop and implement processes and incorporate and monitor the recommended improvements by way of the crisis management process Emergency / incident response and business recovery (2 ) Emergency / incident response and business recovery (2 ) 246 Suggested means by which recommendation could have resulted from HRRO methodology Property loss prevention data sheet: 10-2 Emergency Response Property loss prevention data sheet: 10-2 Emergency Response Property loss prevention data sheet: 10-2 Emergency Response Property loss prevention data sheet: 10-2 Emergency Response Curriculum vitae Joseph F. Gifun was born in Chelsea, Massachusetts United States of America, on March 7, 1952. 
In May 1974 he received the degree of Bachelor of Science in Civil Engineering from Lowell Technological Institute in Lowell, Massachusetts, and in January 2003 he received the degree of Master of Science from Suffolk University in Boston, Massachusetts, in adult and organizational learning. In May 2004 Mr. Gifun began doctoral work in complex systems in the department of Industrial Design, Eindhoven University of Technology. The doctoral work, in addition to this dissertation, resulted in several papers that have been presented at international conferences, published in various international journals, or both. The works not cited in this dissertation are:

D. M. Karydas and J. F. Gifun, “A methodology to assess and mitigate operational vulnerabilities due to aging water utility system infrastructures,” in Proceedings of the Eighth International Conference on Probabilistic Safety Assessment and Management, New Orleans, 2006, p. 277.

J. F. Gifun and S. M. Leite, “Ranking multi-hazard risks: a methodology for risk-informed decision-making,” Conference on Campus Safety, Health and Environmental Management, St. Louis, 2008.

Mr. Gifun is a registered professional civil engineer in the Commonwealth of Massachusetts. He has been employed by the Massachusetts Institute of Technology (MIT) for twenty-five years in several capacities within the Department of Facilities, where he is currently Assistant Director of Engineering. Prior to coming to MIT, he worked as a civil engineer in a public mass transportation agency and consulting firm.