In our latest installment of Ask the Expert, brought to you by Avetta as part of EHS Technology Week, we talk to Scott DeBow, CSP, ARM, Principal of Health/Safety & Environment for Avetta, about using technology to manage EHS risks.
Q: What are the commonly missed business risks that even experienced safety leaders often overlook?
Experienced safety professionals often overlook how important it is to take a systems-wide approach to better understanding how their business operates, and how decisions made “upstream” in a business process can multiply risk “downstream” at the operational end. For example, understanding the impact of how goals and objectives in say the procurement process can reduce capacity to manage risk downstream, where operations teams inherit the decisions made by others earlier in the process, and often outside of the actual physical work environment. Understanding this and considering “how can my voice better help our organization understand and manage risk” is important, and it can help a safety professional have a better “Up and Out” perspective of decisions, influences and dependencies in the business environment, and the correlation to risk experience at the worker level.
I’d also add how easy it is for us to become overconfident in our formal, compliance-based activities we do at the beginning of a project, such as trainings and orientations. It is easy to overestimate these formal elements of our risk programs and underestimate what work is really like at the operational end. This is unfortunately a fairly common occurrence, and very important to understand. We need to know how our formal safety methods connect to our informal methods of monitoring and assessing risk, as this is what really keeps us connected to what’s happening at the operational end. And, I have also found it helpful to consider our “line of sight” into who is in our supply chain or who is in our work environment, and what work is scheduled. And then take time to evaluate: how did work go? It really requires a dedicated process from end to end, and being connected to the business systems, from procurement to IT to HR and certainly production, is a necessity to gain this line of sight that helps us anticipate error, and ensure resources are appropriate for the inevitable change and risk fluctuations in our work environments.
The final thing I’d share is that it’s easy to assume that in the absence of failure, risk events, risk problems, or catastrophes, it must be because we’re safe or our risk controls are effective, or our business is operating acceptably. The absence of failure does not mean the presence of safety or the presence of risk controls. We need to understand how risk really operates and is multiplied in our systems. The contingent labor (contractor/temp agency) and supply chain industry is just another example of where we should be gaining better line of sight into the unique risks and vulnerabilities associated with contingent labor, alongside the opportunity to gain improvements and efficiencies from working with the best partners.
Back to the scope and boundaries and systems approach, I think that’s the best place to start. But you know, unfortunately it is one of the most common things to overlook or understand, but I’d add it’s exciting to learn about.
Q: Are there additional risks that are tied into the use of technology or incorporating technology into safety?
Yes, and it’s only increasing! Ten years ago, I was director of safety and security where part of my job was upgrading our CCTV (closed circuit television) and access controls, and this was really before the big cyber risk concerns, so I really wasn’t thinking about that. But a few years ago, I was on a similar project and realized, wow, you hang a camera anywhere in your facility, that is a potential access point for cyber exposure or risk exposure, an IT breach, or a data breach. It’s very important we think of how we depend on technology, and its interconnectedness within adjacent business systems. We depend on CCTV and access control. We depend on things to keep us connected. It’s really important to understand that we have a process to evaluate the risk. We also need a good methodology to understand how technology helps us identify and manage risk. Risk control can itself become a risk. That’s why safety pros need to collaborate closely with IT professionals and other business departments in a sense of achieving a shared goal, appreciating there is risk others see that we can’t, and how do we achieve these shared goals for the organization together.
One other interesting area, if I may add, is in the area of Internet of Things (IoT), such as wearables for ergonomics, proximity sensors to moving equipment and lone worker technology. These advances are fantastic, yet it’s easy for a safety pro to become excited about the benefits to “their world” without understanding the implications of introducing technology platforms that must be compatible with their business, have a strategy for implementation and adoption supported by a strong business case.
We talk about technology from a data management standpoint, we talk about technology from worker access or being connected to our workforce, the whole IoT and how we connect to workers, there’s a lot of things involved to keep in mind.
Q: What methods can hiring clients use to evaluate risk and implement effective monitoring and review processes?
There is a risk assessment technical report by ASSP that came out in 2020 and I know we’re talking about technology here, but the premise and the approach in this report is just outstanding. I would recommend it for any business leader, certainly not just safety or risk manager folks, but anyone, because grounded in there is the basics and methodology of a common approach to managing risk, and so one of the early messages in this report is that risk operates in a continuum.
It is important to understand that we don’t just approach and address one risk and it’s always good. Risk operates in a life cycle. And it’s important we’re all on the same page when it comes to that. But when it comes to our approach to how we evaluate risk together, there are three things to bear in mind. One is how are we identifying the risks in our organization? That’s the first step and to do that well, you really need to understand my former point about scope and boundaries and having a systems mindset.
How are we identifying risks in the organization? If you ask me, I’ll probably go to physical risk, maybe industrial hygiene elements, injury/illness type things, because that’s my background. However, fortunately, I have been trained to also think in terms of the risk, insurance, or financial standpoint, but that came from working as a team in appreciating how other people think of risk. And our friends in Human Resources think about identifying risks and they’ll think about the same problem a little bit differently.
I’d say first of all, leverage a team approach, but a solid process such as what’s outlined in the ASSP risk assessment technical report, and it teaches us how we identify risk and then what’s our process to analyze risk. We identify risk, we have some agreement, and now let’s go into analyzing these risks and getting a sense for how we are estimating the consequences and severity. And this could be from actual experience within the organization. Or it could be from benchmarking across the industry. We’re trying to get a sense for what are the things we need to manage that happen often but might be less severe and could become severe.
But then how do we get a sense of what are the things that are potentially high consequence, high potential events? Maybe they won’t ever happen, but if they did, you know it’s life or death. It’s a materiality. Understanding that look, our risk identification process as a team leads us to a better process of analyzing these risks, understanding, and estimating the consequences so we can begin to evaluate our risk controls. This is the risk evaluation process.
Step three, we’re basically comparing our analysis from the risk identification and the analysis to understanding:
- What is our present state of controls?
- What are we currently doing to manage these risks?
- Where are we strong and where are we weak?
- What risk controls are needed to manage these?
Those three steps are really important, but I would add two more things that I think are very important and that’s one, to be inclusive in the process—meaning from an end to end, top down, left to right approach. If we want high-value intel about risks in the workforce risks in the business environment, we need the real deal from the people closest to the risk, and those are the workers. And remember that from a worker standpoint, supervisor operational standpoint, we should be anticipating that those in the operations team, depending on the cultural status of the organization, often want to report good news.
But that may be a little different than what’s really happening at the worker level, and our job isn’t to come at it from a punitive approach necessarily, but just to really understand the present level of risk. Again, not assuming that, “Well, we haven’t had any bad things happening, therefore we must have our controls in place.” Let’s really have a better sense of understanding that our risk evaluation process from identification to analysis to risk evaluation requires an inclusive team approach. And fortunately, there’s a lot of guidance out there on how to do that such as the risk assessment technical report.
Q: What are the best practices when prequalifying contractors and suppliers?
I’d ping my first answer in terms of scope and boundaries as an organization and connecting the approach through a reliable system. Best practices before you engage in qualifying anything are like running organizations through a filter. You need to understand your scope and boundaries of what’s being done and from a current state level, right? And it’s easy to understand look, mergers and acquisitions happen a lot outside of our wheelhouse, so to speak. And so, organizations grow, they expand, they contract. The scope of what we used to do in certain plants or certain areas might be changing. We need a present state level and understanding of the scope and boundaries of what we do, and we need to understand who is in our system from the standpoint of contractors and temporary workers. If we think of this from the standpoint of extensibility, we might ask “where are we extending work to other organizations in order to accomplish our mission.” Each extension to another organization serves as either a coupling point (strong), or potentially a fracture or gap (weak) in risk communications and safety practices throughout the supply chain. So, if we want to think of best practices, we need to have a very strong understanding of who is in our supply chain, how do we keep track of requirements and performance and is there a way to better assess risk through this process? In my experience, the connections between employers and suppliers are often weak and fractured, unless there is a dedicated process that connects business systems from compliance to insurance, work practices to continual improvement.
That’s one of the first best practices involved in pre-qualification for contractors and suppliers. We want to understand who’s in our system, so we understand how to manage risk, how to communicate risk, and how to achieve success together. We need a systems approach to be able to do that.
The other thing I’d say is that it’s really important that the organization starts with an informed viewpoint of work systems. And if we look at that ISO 45001 standard, for example, or we look at the ANSI Z10 or really any of the consensus standards; outside of a regulatory guidance approach, consensus standards speak to best practices. You know from academic industrial best practices experts in the field, consensus standards speak to best practices where regulatory guidance falls short or hasn’t spoken to yet or regulations move slower, in other words.
But we look at the consensus standards and they have updated the definition of ‘worker.’ And so, for example, ISO 45001 describes a worker or employee as traditionally employed, but just as much a contractor, temporary worker, or volunteer is a worker in our work system. And so, before we engage in a pre-qualification process, we want to understand that today’s best practices require a corporate leadership viewpoint that no longer holds the position that “These are other people’s workers.” Therefore, our approach to managing risk and safety in our joint-employer work environment includes thinking of and communicating with contractors, temp workers, and others as workers in our environment and part of our safety management systems approach. It’s really important to start with a good foundation and to do that you have to have your systems mindset and you have to have your team up to date on our viewpoint of workers. Right, because that connects with the next step, which is shared vision and goals. This ensures we don’t look at pre-qualifications only from the standpoint of compliance.
We want to enter the pre-qualification process with the idea that compliance is the baseline, but necessary for us to achieve continual improvement. It’s an opportunity for performance improvement. It’s really important to start with a corporate gut check or review for those best practices and having gone through that, it’s important to say:
- Who are the suppliers in our system?
- How do we know when new suppliers enter our system?
- How do we know contracting companies and employees have the certifications, licensing, insurance requirements, training and other critical basics in order before the start of work?
A strong pre-qualification process driven through leading edge technology to deploy visibility (line of sight) and communications to diverse and geographically dispersed teams has become the crucial starting point for best practices, while considering it as a first step toward continual improvement within this same system.
Ask simple questions like a risk officer might. Or consider what an insurance officer might want to know, like “We’ve added 1,500 suppliers to our system. Do all of them have master service agreements and appropriate insurance?” Can we answer that question, yes, or no? Well, let’s find out and see what we should do.
Another best practice is working with the right partners. That’s from an internal standpoint, internal shareholder, but it also speaks to having the right partner. Experts in the industry, such as Avetta, provide our customers with that line of sight into who is in their work system. And how do we approach from a risk evaluation standpoint to identify, analyze, and evaluate their level of risk within the scope and boundaries of the work system.
And then make sure you’re able to answer those questions. All of them have master service agreements in insurance or 95% of them do, but this 5% doesn’t. There’s been no failure, but let’s go focus on that next 5%, make a risk-based decision and reduce our overall risk exposure from a systems-based approach rather than following a failure-based event. So best practices involve, again, the systems approach, understanding who’s in your system. And it’s hard to see who’s in your system unless you have a dedicated risk-based approach, a systems approach, and the technology that allows you to see and stay connected to all those suppliers in your supply chain.
Q: How can technology mitigate the business risks imposed by the current labor shortage?
When we think of the labor shortage, it’s easiest to think about this like describing the work system or the labor shortage from the standpoint of resources and boundaries. So the resources are the people we need to accomplish the work at hand and the boundaries are the type of work being done, what some contractors do or don’t do.
With the mindset around resources and boundaries, the shortage in the workforce has diminished resources and exceeded the boundaries. For example, I may have traditionally depended on these three suppliers to take care of my rollup doors, maintain my banana coolers, and paint my parking lot, whatever might be. But now you know that good contractor says there’s fewer contractors in the workspace and they have more business. So, the good ones are actually getting more business. There may be fewer contractor resources, of sufficient quality and experience, to pull from.
I need some depth here, because they’re not as responsive if my banana coolers go down, right? Thinking from a business continuity standpoint, who do we need to have in place to keep our business operating? There are fewer resources to pick from, so the tendency is that we’ll just get anybody in there. However, that’s exceeding the boundary of safe operation if we do not introduce new suppliers through a carefully crafted, systems-based method for pre-qualification.
How does technology help us manage that? One, if we have a dedicated process, a dedicated systems approach to entering and qualifying suppliers in place, we can begin to plan for what happens if so and so is not available or not available fast enough, then we have at our fingertips a database. That’s what the Avetta technology allows us to have: a ready and qualified database with depth to continue our business operations, even in a diminished work cycle or decreased availability of workers.
That technology can help us just see who’s available and that same technology can even help us look from a geographic standpoint. Maybe I’m in Chicago, but I need to evaluate what suppliers are green and ready to go or satisfactory and ready to go in Reno, Nevada. Well, I shouldn’t have to fly out there or do a Google search, I should have that technology at my fingertips. Technology helps us to do that, and it can help me strategically if I do this as a regular cadence to better understand where we may be seeing risk change related to a labor shortage. The technology helps us to anticipate errors and find gaps in our system and improve continuity of business.
Q: How can hiring clients source sustainable and diverse suppliers?
We just talked about the technology piece, and if we back it up a little bit in terms of who do we want in our system—we may want certain requirements for suppliers for certain types of jobs or certain risks—we’re actually able to put similar requirements around diversity and sustainability for those in our network and in our supply chain. It’s easy to put something up on a website about our sustainability or diversity position. That’s, in a way, lip service.
But it’s different to go through a process where that is vetted and not just process and procedures or reviewed but looking for the evidence of practices necessary to be a sustainable supplier to satisfy the important elements of Diversity, Equity, and Inclusion and to prioritize those in a way that technology can demonstrate on a dashboard. We often think from a safety standpoint, but we want to see suppliers in our network that prioritize the total care of the workforce.
Prioritization of the workforce and accomplishing good work—that’s what we want to see. That includes care for and prioritization of our environment and sustainability issues. Just like we’re able to leverage technology to find out where else can we find a contractor or just have depth to our bench, so to speak, in that same system and process, we can identify capabilities in the area of sustainability and diversity for our supplier base. And it’s important we can show that. Any company that does that eventually from an RFP standpoint in the future or other organizations we do business with should be asking us, “What’s your commitment to sustainability and diversity?” and with Avetta you have a way to demonstrate that value.