By Mark Boult and Mark Fisher

In 1978 Frank Bird and George Germain published the first edition of the International Safety Rating System (ISRS®). It was the result of collaboration with a range of companies and individuals across industries to determine the “ideal” Safety Management System. The ambition was for companies to use ISRS to assess their performance against the “ideal” so they identify improvement opportunities and track their performance in an objective repeatable manner.

41 years later DNV GL published the 9th edition of ISRS (now called the International Sustainability Rating System) continuing the expansion of ISRS beyond health and safety into 10 risk categories. We collaborated with a broad range of clients to define the ideal management system for controlling operational risks.

ISRS has matured into a suite of tools that allow companies to understand their proximity to best practice and support their continual performance improvement. It does this in the context of the interaction of human, organisational and technological risk controls.

At the heart of ISRS is the Core Risk Loop (see figure).

 

This is aligned with ISO, 2018, ISO 31000, “Risk management — Guidelines”, and COSO, 2017, “Enterprise Risk Management – Integrated Framework”, but adds more resolution where experience suggests organisations need greater focus. This is particularly in defining and communicating the risk control strategy (the “S” of the loop) which explains to how risks are to be managed and the performance expected of controls.

At the IRM Risk Leaders Conference in November 2019, we ran two workshop sessions with over 80 people attending from a range of industries. The workshops considered the Core Risk Loop and the current performance of each of its steps. The feedback from the workshops is summarised in the graph.

The results show as broad satisfaction in the performance of the Identify, Analyse, and Evaluate steps of the loop. Sentiments were less satisfactory when considering control Strategy, Communicate and Implement. The results for the Monitor, Review and Update steps were more balanced but receives fewer votes, possibly suggesting more neutrality or less confidence about performance in these areas.

Interestingly, these outcomes correlate with our findings in our consultancy work.

  • Generally, organisations are good at Identifying risks with their core operational activities. (Identifying emerging risks for an organisation is an evolving areas and currently less mature). They are not always so good at Analysing them, sometimes struggle to ensure the quality and consistency of analysis, and as a result, the Evaluation of those risks can, at times, be a bit hit and miss.
  • Risk Control Strategies are often not sufficiently formalised and often missing the big picture context for the control and the specific performance that is required.
  • As the strategy is inadequate, Communication can often miss the people who can make a difference. When it does reach them, those people often don’t understand what has been communicated, what they have to do and, importantly, why it is important.
  • However, when the strategy is well communicated Implementation is generally well executed.
  • Monitoring is generally good in terms of measuring outcome, but leading indicators tend to be more interesting than useful, often being a measure of work done rather than control performance. As a result, management Review is often starved of trusted information and lacks objectivity. Update subsequently misses the areas of poor performance.

Our view is that successful implementation of the Core Risk Loop is how an organisation can demonstrate it had control of its risks. Confidence in the implementation is key and objective measurement and benchmarking develops that confidence.

ISRS 9th Edition Risk Categories

  • Occupational Health
  • Occupational Safety
  • Environment
  • Quality
  • Security
  • Sustainability
  • Process Safety
  • Energy
  • Asset Integrity
  • Knowledge

Mark Boult (CFIRM) and Mark Fisher are directors at DNV GL consultancy. The workshop took place at IRM’s 10th Risk Leaders conference in London in November 2019. The views expressed are the authors’ own and do not represent the views of IRM