(9b) Managing Risk: Beyond the Due Date

Focusing on risk can be difficult beyond managing corrective actions by due dates. While having guidance on setting due dates of corrective actions can be helpful, it is common to be overwhelmed by corrective actions. The backlog can be caused by many reasons including: stacking up of PHA Recommendations, deep dive audits from outside agencies, insurance or compliance audits, incident investigations, organizational changes, or lack of bandwidth of resources. The challenge of managing a backlog or long list of corrective actions can be that due dates may be arbitrary. They are often set without consideration or the workload of the action owner, his/her already open corrective actions, and other needed resources such as design or capital. The factors can be compounded when people change roles or leave the company. So how does risk rank corrective action based on risk and not due date?

We created a scoring method of evaluating open actions based on the following criteria: the corrective action source (Audit/PHA/Incident), if there was temporary mitigation in place, the frequency of the potential event, if it was a re-occurrence, and due date. The factors were given weighted values to create an index score for the risk of the open action items. Other factors included: capital required, cost, whether a shutdown or turnaround was needed to implement the solution and owner of the action. These factors were used to assist in sorting criteria. Other factors to consider that are not part of our index are Regulatory Deadlines, Consent Decrees and MI inspection data that may not be tracked in the same way. Our methods do not address poorly worded corrective actions such as incident investigation that does not directly impact the cause of the incident.

The method creates an index that provides a numerical value for each corrective action that can then be sorted to represent the risk. The value this index adds to a single site can help to allocate resources if they are limited and help leadership to understand where to get the efficient use of resources. For multisite companies, using the same criteria for all the sites can create an enterprise-wide risk registry. Future steps include integrating the sorting criteria into the action tracking software to make the risk register evergreen.