Implementation of Critical Controls Management: A Case Study in an Alumina Refinery

Introduction

Alumina, also known as aluminum oxide, is an essential component in aluminum production, playing a crucial role in the metals and mining industries. Alumina refineries, responsible for extracting this compound from bauxite ores, face significant challenges related to operational efficiency, safety, and risk management due to the complexity of their operations. This case study focuses on the alumina refinery, referred to as 'Refinery A' for analytical purposes.

Critical control management is a key element of risk management, with critical controls being those essential for preventing or detecting events that could significantly affect the organization. Its implementation is a complex task and requires significant commitment from the company to ensure it is effective and sustainable over time. Common challenges may arise during this implementation process, including:

• Lack of understanding of critical risks: Identifying and accurately assessing a company's critical risks can be challenging, especially when the necessary information for this assessment is limited or nonexistent.
• Resistance to change: Significant changes in processes, systems, and company culture may face resistance from employees and leadership.
• Complexity: Implementing critical controls can be complex, involving multiple systems, processes, and departments within the company, making it difficult to coordinate and manage the implementation project.
• Maintenance of controls: Once implemented, critical controls require continuous maintenance and monitoring to ensure their effectiveness over time. This maintenance can be challenging for companies with limited resources or little experience in managing critical controls.

Implementing critical control management can have a significant impact on corporate decision-making, particularly when it comes to allocating financial resources. This approach allows the company to identify and prioritize the necessary investments in critical controls and safety infrastructure, including systems, equipment, training, and qualifications. This makes sure that money is put in the right places and helps reduce risk.

Materials and Methods or Method

This study uses a multi-stage methodology to define an implementation program and assess its impact on risk management maturity in a company. The research is conducted in two phases:

• Propose GCC implementation plan;
• Assess company's risk management maturity;

ISO 31000 and the AIChE/CCPS Risk-Based Process Safety (RBPS) Guidelines will be used as references in creating the evaluation criteria proposed by this work. They are specifically developed to conduct an assessment of the level of development, implementation, and integration of risk management. The proposed evaluation items are listed in the table below:

• Culture: Risk Appetite, Leadership Engagement, and Internal Culture
• Governance & Competence: Governance Model, Integration of the 3 Lines of Defense, and Competence
• Structure: Structure, Process Adherence, Control Testing/Assurance, and Technology

The initial and final diagnosis is performed through document and record review, interviews with company employees, refinery inspections, and its process equipment.

GCC Implementation Plan

The International Council on Mining and Metals (ICMM) published a guidance document in 2015 with good practices for managing critical health and safety controls. This document will be used as the basis for detailing and executing the planning and implementation stages of GCC. The stages adapted for this work are:

1. Planning:

To initiate the implementation of Critical Control Management, it is essential to define a sponsor and ensure the company's management support. The scope of the change in organizational processes must be outlined, with a clear endpoint and defined expectations. A multidisciplinary team must be formed, with an implementation plan containing: objectives, responsibilities, and a detailed schedule.

2. Identification of Undesirable Events and Controls:

At this stage, the refinery considered its annual schedule of Operational Risk Management to reassess risk scenarios in the operational areas. It was decided to coordinate the joint mapping of Undesirable Events (UE) and their corresponding controls. The materiality criterion adopted is based on the impacts on occupational safety, the environment, financial aspects, and operational continuity. During the events in the areas, existing and potential controls to prevent or mitigate risks are identified, following a flow that considers various sources of information.

3. Selection of Critical Controls

When choosing a critical control, it is important to ask specific questions to assess its effectiveness and impact on risk mitigation. The selection of CCs should be done through a CC selection flow from the list of controls raised in the previous phase. The selected controls must be fundamental to ensure the safety, efficiency, and compliance of the company's processes and activities. Controls identified as critical must have an identification sheet with a record of objectives, requirements, expected performance, and other details.

4. Performance Definition and Reporting:

It is essential to clearly define what constitutes adequate performance for critical controls and how to effectively communicate variations between expected and actual performance. To achieve this, the development of various documents summarizing inputs for each stage is proposed. At Refinery A, it was decided to use a control registration form for mapping and detailing critical controls. This form should contain the following information:

• Control Code
• Control Name
• Type
• Control Objectives
• Critical performance requirements of the critical control to achieve the objectives
• Activities within the management systems that support the execution of the critical control
• Records that can be verified to attest to the control's performance
• Expected Performance
• Control trigger for shutdown, review, or investigation
• Control Owner

5. Responsibility Definition:

Assigning responsibilities is crucial to ensuring successful GCC implementation and the effectiveness of critical controls in preventing incidents. It is important to clearly define and communicate responsibilities to all parties involved in the process. A list of event owners, CC owners, and verification responsibilities should be developed. Additionally, a verification and communication plan for the integrity of each CC should be developed. These responsible parties are tasked with ensuring the continuous management of their tasks and form the basis of GCC governance.

6. Monitoring and Reporting:

In this stage of the GCC process at Refinery A, monitoring is conducted through annual self-assessments of effectiveness and Critical Control (CC) audits. Field Monitoring of CCs is performed to ensure their operation as described in the control registration form, which is the responsibility of the control owner. Additionally, Control Self-Assessments and Critical Control Audits are conducted annually by control owners and engineering, respectively. These audits aim to verify the functionality of the controls, identifying strengths and areas for improvement. Finally, a monthly risk report is prepared to communicate the results of risk analysis, assessment of risks and control effectiveness to relevant stakeholders, playing a crucial role in proactive and continuous risk management.

Maturity Assessment

Refinery A has established a strong occupational safety culture but has faced challenges in operational risk management and business continuity. During the implementation of Critical Control Management, it underwent a comprehensive assessment, identifying strengths and areas for improvement. While Risk Appetite is defined, communication needs improvement. Leadership engagement could be more proactive in integrating risk considerations into daily decisions. The organizational culture demonstrates risk awareness, but it needs to be expanded. While there is consistency in process adherence, variations in quality highlight the need for uniformity. Control testing has been incorporated to strengthen operations. These results indicate significant progress in risk management, with ongoing improvement opportunities. Continuous commitment will be crucial to strengthening the risk management program.

Conclusion

This work presented the main stages and challenges for the robust implementation process of critical control management in a company. However, it is important to note that each business presents specific challenges. Therefore, it is recommended that each organization assess its specific needs and contexts when implementing operational risk management, adapting the best practices and guidelines according to its own realities.