When you hear about risk management, what is your first thought? Is it lawyers and insurance brokers, and lots of paperwork? If those are the images recalled, it is time to rethink risk and where it comes from. Risk is often perceived as something to be afraid of because the consequences can often be devastating and expensive. However, the reality is that operational risk is present everywhere in every organization. As a result, there needs to be a renewed focus on operational risk management in student transportation.
What is operational risk?
We will use the definition of operational risk provided by Tony Blunden and John Thirwell in their book “Mastering Operational Risk”:
“The risk of loss resulting from inadequate or failed internal processes, people and systems, or from external events.”
The key focus here will be on loss attributed to failed internal processes, people, or systems. However, what is important to recognize is that in this definition “loss” ’is not limited to loss of life. It could be lost efficiency, lost opportunity, or lost capability.
The focus throughout this article will be on three operational areas that student transportation managers should regularly assess for risk. They are:
These three categories provide a starting point to begin considering the question of where risk comes from and what can be done to manage risk.
Responding to operational risk
There are three fundamental activities that must be performed on each operational area:
• Identify the types of risks that are most prevalent and disruptive.
• Mitigate the risks with changes to policies and practices.
• Manage impacts through established tools and practices.
The 3 by 3 matrix of operational categories and activities serve as the starting point for your operational risk management plan.
Identifying operational risks
If the underlying premise that risk is all around us is correct, then finding it should not be that hard. Systematically assessing each operational area to identify possible losses, defined broadly, and identifying what the source of those losses might be is the first task. Below are some questions to start the process of risk identification:
Identifying people risks
When transportation operations consider personnel risks, they are often exclusively focused on drivers. However, it is imperative that we conduct a risk analysis for all positions. Considering six stages of a people management cycle offers an opportunity to identify sources of risk.
- Recruiting – how do we define job offerings and how does that impact the people being recruited to fill those positions?
2. Vetting – how are we assessing each candidate for the position? Is this criterion used for each candidate consistent and documented?
3. Onboarding – what are we doing to ensure that qualified candidates are retained and unqualified candidates are screened out efficiently?
4. Training – what are we training each individual position on and how? When does the training occur? Do we have recurrent and new training opportunities?
5. Operating – how are staff transitioning into their operating role? Do they have direction on expectations, timelines, and seeking help?
6. Evaluating – are we evaluating staff? Based on what? How frequently? Against what criteria?
Student transportation operations dependency on individuals creates an imperative to perform this type of evaluation.
Identifying technology risks
Technology risk is perceived by most as some type of external hacking incident. While this is a real possibility, more mundane risks are just as potentially costly. Management of systems and ensuring the checks are in place to reduce the opportunity for unauthorized system access should be a point of focus.
• Who receives access to what systems? The basic principle is that individuals should have access to the data they need when they need it to do their work. However, it is not true that everyone needs an account for every system you have. Defining what determines the need to access a system will reduce the possibility of loss.
• What access does each role receive? When it is determined that someone requires an account of the system, what type of access they need must be clearly defined. While there are several philosophies and constructs for this structure, creating an environment where individuals have the minimum access to system resources to perform their job can limit the possibility of loss.
• Who can give access to others? Gatekeeping is an important consideration in risk management. This should include who activates and deactivates accounts, who can upgrade and downgrade permissions, who can provide internal and external access to the system, and who can manage archival and backup data. Having a process that ensures that those with the “keys to the kingdom” are regularly reviewed should be part of a basic audit protocol to limit the opportunities for loss.
• How is technology evaluated and by whom? Determining who will be responsible for ensuring your technologies do not become technically or functionally obsolete is critical. Individuals often have a personal stake in the systems they have built which makes them unable to clearly assess the ongoing value of the system. Creating a team or identifying individuals who can regularly assess system functioning, performance, and effectiveness can support a program of loss reduction.
Identifying process risks
Process reviews do not seem exciting because most do not want to “fix what isn’t broken.” Unfortunately, this perspective can cause a great degree of risk exposure to every operation. Regularly assessing why an organization does what it does can be a highly effective way to reduce the opportunity for loss. A basic set of questions that can determine the extent to which a process needs better definition, better implementation, or extensive revisions is:
• In the event of a common or a highly consequential incident, how complete is each staff members knowledge of what their role is, what their requirements are, and what actions to take?
• How do you measure if staff members know what resources are available, where the resources are located, and whether they would be able to access them to support resolving questions of process or responding to
• What resources are provided for staff members on how, where and what to document?
• Do all employees have training and resources on documenting to meet expectations and allow for a structured and disciplined sequence of events?
In many instances process risk can seem mundane. For transportation professionals it can be a matter of life or death. The simple act of printing emergency response process and procedure statements (e.g., accident response, lost child, school lockdown, etc.) on obvious contrast paper (i.e., red, yellow) to make them easier to access in high stress, high demand situations can reduce both the possibility and severity of a loss. Process matters. Preparation is necessary.
Mitigating operational risk
Risk mitigation is a formal strategy to reduce the likelihood and frequency of negative events. In other words, it is the practice you use to manage the risks. Each operational category should have a formal process of imagining what types of negative events and losses could occur and what efforts could be put in place to prevent them. A basic set of questions can help guide the process. Those include:
· What documentation is required? Where is it kept? By whom? For how long? In what location? Who has access to it?
· What policies, procedures, practices, and forms have been developed? What information is required to be on the forms. Who determines policies and procedures? How frequently are they reviewed & revised?
· What is the tracking mechanism to identify when incidents or events have occurred where there was not clarity on the expected response? How are those issues resolved? How and who follows up?
· How do the expectations of policies and procedures get communicated to all staff and by what forms of communication? Where and how is this being documented?
Managing operational risk
Managing operational risk is about minimizing impact. Measuring the impact is a prospective and reactive set of activities designed to reduce the likelihood or severity of impact. There is no “one size fits all” type of impact assessment. The need to test the mitigation efforts in multiple ways and evaluate the outcomes to ensure they are robust is critical. Basic options that are available include:
· Simulation practice- where actual individuals’ response and process can be tested are extremely valuable.
· Tests – we often train and explain expectations to staff, but we much less frequently test them on whether they absorb the material. Even basic testing can be helpful for reinforcing and evaluating the mitigation efforts and categories.
· Spot audits – going out and checking to see if individuals are doing what they are supposed to is a straightforward way to evaluate understanding of the mitigation expectations and compliance with the requirements.
· Third party audits – integration of systemic audits by outside parties can be an effective way to remove organizational biases that might understate the strengths or weaknesses of practices. ·
Advisory committee– Creating a diverse committee of team members allows for a team approach and valuable information to be shared on matters that directly affect the operation.
· Premortems – this is a technique first popularized by Professor Gary Klein. In short, the process is to assume, before you have started something, that what you have done has failed. Documenting the story of why the effort failed can expose weaknesses in the design of the effort that can be addressed before they become a vulnerability. This article provides the needed details and explanation of the premortem technique.
Understanding that risk is not just an insurance problem and embracing risk management will increase safety and improve service for the students. It is necessary to be creative and open minded because it is a lack of imagination that is the most limiting constraint in risk identification and mitigation. Finally, we must be prepared to test, retest, and test again. Identifying, Mitigating, and Managing risk with regular evaluation; clear and concise record keeping, thorough training and documentation is the pathway to success.