The nuclear crisis still unfolding at Fukushima Daiichi continues to threaten a meltdown as core temperatures and radiation leaks continue to fluctuate. The disaster is one of the worst nuclear disasters in history. However the vulnerabilities at the power station are not isolated to Japan or utility companies; they are common risk management shortcomings in operational practices seen in every country and every industry. Here are a few lessons for managers from this crisis.
1. Link controls to the assets they depend on.
Managers’ often make the mistake of assessing the effectiveness of a single control without expanding the scope of assessment to the assets that control depends on.
For example, the Fukushima plant had multiple backup cooling systems to prevent a core meltdown. However they all depended on a single diesel generator and battery backup system. When the system was discovered to be damaged, battery backup was depleted within hours and the cooling systems were rendered useless.
Managers will have better business results by expanding the scope of risk analysis beyond a control to the systems and assets it depends.
2. Evaluate risk impact for each business process.
It’s very typical for managers to over-invest in risk controls for one area while leaving other areas widely vulnerable. This over-focus on a single area stems from risk analysis ending at the business unit level without considering how each business process will be impacted.
Going back to the plant at Fukushima, while extreme attention had been paid to containing a potential reactor meltdown, the same level of attention was not invested to protect spent fuel. This under-investment in controls for spent fuel pools has lead to highly unstable conditions including radiation leaks and a potential meltdown outside the main containment vessel.
Managers at the business process level have the best knowledge to identify and evaluate the possible impact of a risk. At Fukushima Daiichi that means managers would assess the impact of a natural disaster on for each business process managing fuel storage, cooling systems, backup generators, all the way down to employee performance; not just the impact on reactors.
According to the RIMS State of ERM Report 98% of organization’s fail to assess risk at the front-line. This is a widespread problem for risk management programs in every sector.
3. Routinely revisit risk assumptions to reveal emerging risks.
While executives recognize the business environment is constantly changing, the State of ERM Report shows 86% of business continuity plans are based on outdated assumptions. This leads to outdated controls whose effectiveness may no longer be valid in the current environment.
For the Japanese nuclear plant this means assessing the increased probability of natural disaster stemming from global climate change and updating models based on the latest geological information. Managers need to regularly revisit risk assumptions to prevent controls from becoming outdated.
4. Evaluate risk from vendor relationships.
Every organization depends on partners to maintain key equipment and provide key services under emergency situations. Yet, according to the RIMS report, 96% of organizations today do not cover risks from their vendor partners adequately.
Examples are everywhere, whether you look at the BP disaster and it’s outsourced oil rig from Deepwater Horizon or the Japanese nuclear crisis stemming from vulnerabilities in the original GE reactor design.
Managers must evaluate how vendor relationships impact every area of operations and what essential processes may depend on these relationships. While a process or a technology may be outsourced to a vendor, you ultimately own the risk.
Risk management isn’t about trying to predict the future, it’s about being prepared in the right places where it matters most. These practices reveal the relationships between risks and activities within processes, and allow managers to spend less time fixing preventable problems and more time reaching their strategic goals.
Comments
I completely agree that risk management should be proactive. However, we must be prepared to put the plane into the river.
In the case of the nuclear plant in Fukushima the only thing that was known for sure was that a meltdown could occur. And that is the one thing that no one seems to have been willing to acknowledge or prepared to handle. The same can be said for the Deepwater Horizon disaster. The only thing known for sure was that the well could blow and that a large quantity of oil could leak into the ocean.
Both of these operations were proactive in mitigating the likelihood and severity of an event. Neither of them seemed to be prepared to deal with an actual worst case scenario. We are already hearing stories that the nuclear plant officials delayed in reacting to the event and that the delay likely increased the severity of the event. We know the same was true with the Deepwater Horizon event.
I believe risk management needs to focus additional efforts on preparing organizations to react. How many people are really prepared to react to a fire in a building or a flooded neighborhood? No matter how great the mitigation strategies the only thing we know for sure is that we cannot prevent a fire, flood, meltdown or well blowout.
How much money is spent on fire suppression equipment vs. fire extinguisher use and building evacuation training?
We may be prepared but, are we as risk managers ready to react?
Thank you for your comment Scott. While situations are much easier to prepare for than root-causes, risk management is about being proactive, not reactive, about mitigating risk.
Take the situation in Fukushima. TEPCO had a plan if there was a loss of power, if the diesel generators failed to start, if cooling began to fail, etc. They planned for each risk in isolation (such as a single ambulance in the event of a radiation leak) and as a result they were severely under prepared when the actual event occurred.
What they failed to plan for was a single source event triggering all of these risks in concert. A single earthquake caused a tsunami that disrupted power from the grid, disabled the backup generators, damaged equipment, etc.
The same can be said for any company. If you're not monitoring root-causes you'll forever be reacting to the business environment rather than tracking emerging risk and preparing for the future.
While it would be unreasonable to ask that TEPCO anticipate a record-setting earthquake, earthquakes and resulting tsunamis are a normal part of operating in Japan, and it's coming to light that TEPCO had a long history of failed inspections.
I agree that we need to rethink the way we approach risk management. Hopefully what we’re beginning realize and learn from the recent environmental and finical crisis’s are to concern ourselves more with the when rather than the why and how.
Situations are a lot easier to predict than causes. Rather than trying to identify the Black Swans, prepare for the aftermath of their visit. Knowing the likelihood or the reasons why an area might flood are far less important than knowing what to do when an area does flood. The Fukushima Daiichi disaster is not as much the result of an unpredictable disaster as it the result of a very predictable likelihood that power, including onsite back up power is lost for an extended time.
After Japan crisis there seems to be a better understanding in some companies on how to tackle risks management issues, in order to get prepare for future contingencies.
This contribution certainly triggers the need to reassessing the way we manage risks in our operations.
The points made are valid and extend throughout the entire field of risk management. Reevaluating risk particularly those related to foreign suppliers/logistics and offshore facilities is critical. Constant attention must be paid to political risk for those companies doing business in the MENA and West African areas. The political situations that are evovling will impact operational and fiancial risk factors globally.
Endorse the points stated. Risk Management, especially Operational Risk Management, is all about putting adequate checks and controls in place and reviewing them periodically to ensure that they remain current.