GRC Tuesdays: Governance, Risk, and Compliance supporting Operational Integrity in the Intelligent Enterprise
Operational Integrity in the Intelligent Enterprise
Intelligent Enterprises are organizations that use data to run more efficiently. To become Intelligent Enterprises, organizations integrate data and processes, build flexible value chains, and innovate with industry best practices, all of which gives them the ability to understand and act on customer, partner, and employee sentiment, and to manage their environmental impact — to grow more resilient, more profitable, and more sustainable.
OK, so that’s the lay of the land and now the question is: what does this have to do with Governance, Risk, and Compliance (GRC)?
Well, one regular comment that I have encountered over the years is that Governance, Risk Management, and Compliance is a theoretical exercise: yes, it is based on actual threats the company faces, but the results don’t directly tie back to activities on the ground.
I would agree that it is difficult to picture strategic or reputational risks associated with a given physical production tool, but that is definitely not the case for operational risk. And this activity is a key component of operational integrity.
As a direct application of the Intelligent Enterprise, Operational Integrity integrates data and processes for risk, governance, safety, compliance, asset management, training, certifications and operational performance. This approach enables organizations to reduce complexity, streamline operations, and improve situational awareness and operating efficiency, while reducing overall costs.
In a nutshell, the objective of operational integrity is to focus on operating consistently by proactively reducing risks, enhancing process safety, and improving overall infrastructure efficiency. This of course includes threats to the health and safety of employees but also to the assets that are essential to the functioning of the value chain.
And here’s where GRC can really play a part: supporting the process and making it run better. Especially within an Intelligent Enterprise where data is truly leveraged, and not just collected.
Putting Governance, Risk, and Compliance in the picture
GRC is a wide topic of course, but below I will try to suggest some areas that I feel can support the operational integrity approach:
* Access control: this defines who has access to what, both digitally and physically. To protect an infrastructure from malicious or unauthorized usage, restricting access is usually a good first step.
* Training and certification: here, the intent is to ensure that employees have the relevant training to operate the asset, and that certifications (including their limitations) are registered and can be retrieved if necessary. Going back to the previous bullet point, access could also be conditioned on a certain certification. Would you really let anyone operate the levers in the control room of a nuclear power plant? The same applies to some production software, for instance, where misuse could have an impact on operations.
* Risk Management
  * Identification: being able to map risks to assets is an important component. Otherwise, the exercise will most likely remain at the theoretical level, as mentioned in the introduction.
  * Mitigation: the worst that could happen in risk management is that risk owners think the risk is being taken care of while the mitigation activity defined has not been fully implemented. This creates a false perception and will skew the analysis. Being able to tie the mitigation activities from the risk management process directly into the asset maintenance process, for instance, removes this mismatch.
  * Monitoring: asset performance is usually well tracked at the infrastructure level, and that works fine of course. But why not add composite Key Risk Indicators at the risk level to monitor the overall exposure trend? The same applies to incidents: why not collect the near misses and the confirmed incidents and roll them up to the risk associated with the asset? Should a certain threshold be met, this could trigger a proactive maintenance process, for instance.
* Control documentation and testing: this maximizes operational effectiveness by monitoring performance and managing risk for key business processes.
* Multi-compliance framework: in some cases, regulatory requirements will have to be tracked on certain assets. Applying a multi-compliance framework, where one control test applied to an asset is associated with multiple requirements, helps ensure compliance by unifying control management across the enterprise through a single system of record that adapts to changing business needs.
* (Quality) audits: including assets alongside processes and organizations in the risk universe could help in extending the audit scope. I have noticed that more and more organizations tend to bring together Internal Audit and Quality Audit teams so as to be able to perform an end-to-end cycle. In addition, much like what Internal Audit does when it kick-starts its audit planning with Risk Based Audit (RBA), this would enable quality auditors involved in operational integrity to implement a Risk Based Inspections (RBI) approach, where the focus is on quality audit or asset inspection rather than a business process review.
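The identification and monitoring points above (mapping risks to assets, rolling near misses and confirmed incidents up to the risk associated with each asset, and triggering maintenance once a threshold is met) can be sketched as a small roll-up. This is an added example, not code from the post or from any GRC product; the asset ids, risk ids, event weights and threshold are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample data (assumptions for this example, not values from the post).
# Identification step: each asset is mapped to the operational risk it contributes to.
RISK_OF_ASSET = {
    "PUMP-01": "R-OVERPRESSURE",
    "PUMP-02": "R-OVERPRESSURE",
    "VALVE-07": "R-LEAK",
}

# Constructed near misses and confirmed incidents logged against assets.
EVENTS = [
    {"asset": "PUMP-01", "kind": "near_miss"},
    {"asset": "PUMP-01", "kind": "incident"},
    {"asset": "PUMP-02", "kind": "near_miss"},
    {"asset": "PUMP-02", "kind": "near_miss"},
    {"asset": "VALVE-07", "kind": "near_miss"},
    {"asset": "UNKNOWN-9", "kind": "incident"},  # not mapped to any risk
]

# Assumed weights: a confirmed incident counts more than a near miss.
WEIGHTS = {"near_miss": 1, "incident": 3}
THRESHOLD = 4  # assumed exposure level that triggers proactive maintenance


def composite_kri(events, risk_of_asset, weights):
    """Roll events up to the risk associated with each asset.

    Returns (kri_per_risk, unmapped_assets). Events on assets with no risk
    mapping are reported separately: they cannot feed the KRI, which is
    exactly the 'theoretical exercise' gap the identification step closes.
    """
    kri = defaultdict(int)
    unmapped = []
    for event in events:
        risk = risk_of_asset.get(event["asset"])
        if risk is None:
            unmapped.append(event["asset"])
            continue
        kri[risk] += weights[event["kind"]]
    return dict(kri), unmapped


def maintenance_triggers(kri, risk_of_asset, threshold):
    """Assets whose associated risk exposure meets the threshold."""
    return sorted(a for a, r in risk_of_asset.items() if kri.get(r, 0) >= threshold)


if __name__ == "__main__":
    kri, unmapped = composite_kri(EVENTS, RISK_OF_ASSET, WEIGHTS)
    print(kri, unmapped, maintenance_triggers(kri, RISK_OF_ASSET, THRESHOLD))
```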
Benefits of Operational Integrity
That’s all good and well, of course, but what are the benefits that an organization can expect by implementing this approach?
Operational integrity enables greater confidence to manage the business, while maintaining safe operations. This is achieved since plant managers drive improvements by proactively managing tasks, incidents, and risks.
This brings an additional side benefit: more efficient and sustainable asset management – i.e. enhanced asset performance and extended remaining asset life – thanks to optimized maintenance strategies and a more efficient maintenance work management process.
In case you wanted to build the case for operational integrity supported by Governance, Risk, and Compliance activities, below are some value drivers you might be interested in:
How about you, has your organization implemented an operational integrity approach? If so, has it associated GRC to it? I look forward to reading your thoughts and comments either on this blog or on Twitter @TFrenehard