The nuclear crisis still unfolding at Fukushima Daiichi continues to threaten a meltdown as core temperatures and radiation leaks continue to fluctuate. The disaster is one of the worst nuclear disasters in history. However the vulnerabilities at the power station are not isolated to Japan or utility companies; they are common risk management shortcomings in operational practices seen in every country and every industry. Here are a few lessons for managers from this crisis.
1. Link controls to the assets they depend on.
Managers’ often make the mistake of assessing the effectiveness of a single control without expanding the scope of assessment to the assets that control depends on.
For example, the Fukushima plant had multiple backup cooling systems to prevent a core meltdown. However they all depended on a single diesel generator and battery backup system. When the system was discovered to be damaged, battery backup was depleted within hours and the cooling systems were rendered useless.
Managers will have better business results by expanding the scope of risk analysis beyond a control to the systems and assets it depends.
2. Evaluate risk impact for each business process.
It’s very typical for managers to over-invest in risk controls for one area while leaving other areas widely vulnerable. This over-focus on a single area stems from risk analysis ending at the business unit level without considering how each business process will be impacted.
Going back to the plant at Fukushima, while extreme attention had been paid to containing a potential reactor meltdown, the same level of attention was not invested to protect spent fuel. This under-investment in controls for spent fuel pools has lead to highly unstable conditions including radiation leaks and a potential meltdown outside the main containment vessel.
Managers at the business process level have the best knowledge to identify and evaluate the possible impact of a risk. At Fukushima Daiichi that means managers would assess the impact of a natural disaster on for each business process managing fuel storage, cooling systems, backup generators, all the way down to employee performance; not just the impact on reactors.
According to the RIMS State of ERM Report 98% of organization’s fail to assess risk at the front-line. This is a widespread problem for risk management programs in every sector.
3. Routinely revisit risk assumptions to reveal emerging risks.
While executives recognize the business environment is constantly changing, the State of ERM Report shows 86% of business continuity plans are based on outdated assumptions. This leads to outdated controls whose effectiveness may no longer be valid in the current environment.
For the Japanese nuclear plant this means assessing the increased probability of natural disaster stemming from global climate change and updating models based on the latest geological information. Managers need to regularly revisit risk assumptions to prevent controls from becoming outdated.
4. Evaluate risk from vendor relationships.
Every organization depends on partners to maintain key equipment and provide key services under emergency situations. Yet, according to the RIMS report, 96% of organizations today do not cover risks from their vendor partners adequately.
Examples are everywhere, whether you look at the BP disaster and it’s outsourced oil rig from Deepwater Horizon or the Japanese nuclear crisis stemming from vulnerabilities in the original GE reactor design.
Managers must evaluate how vendor relationships impact every area of operations and what essential processes may depend on these relationships. While a process or a technology may be outsourced to a vendor, you ultimately own the risk.
Risk management isn’t about trying to predict the future, it’s about being prepared in the right places where it matters most. These practices reveal the relationships between risks and activities within processes, and allow managers to spend less time fixing preventable problems and more time reaching their strategic goals.