Levels. Levels? Yeah...

Seinfeld fans may remember this short exchange. Kramer might have been on to something and it had nothing to do with interior design. In my research and work, I've been butting up against a few theoretical roadblocks. But I am starting to think that these roadblocks are actually different levels. Internet guru1 Merlin Mann often observes that people need to solve the right problem at the right level. And now, I'm starting to think that is exactly what I need to do.

Identifying the different levels has been my task of late, and it is a task in need of completion.

This is where I'm at so far...

I was initially running with a military-style strategic/operational/tactical taxonomy. Specifically, strategic being the highest level and involving long-term, executive-level decisions through to frontline, troop-level decisions at the tactical level.

But these terms come loaded, so I've been looking elsewhere. Although, I don't think there are any terms left which don't carry some form of baggage.

So I've started down this road:

  • Executive - the highest level; involving the executive oversight or governance of the organisation; typically strategic although may be concerned with lower level issues from time to time.
  • Management - obviously, somewhere between the executive and the shopfront; probably characterised best as the level where enabling work gets done - things like personnel management, information management or hardware management.2
  • Operations - the real do-ers; practical actions taken in the extremely dynamic, real world.

I've been visualising this arrangement as something like this:

Different Levels

So what does this mean?

I believe the point of recognising the existence of the different levels is to accept that within each level, different objectives exist. As such, different tools and techniques may be required.

In thinking about this problem, I realised I posted something related to this before. In that post, I used different risk evaluation techniques at the different levels. While the overall risk management process should be consistent across all levels, the details differ because the objectives, contexts, and decisions differ.

At the highest/executive level, the context was related more to assurance with the decision about whether to accept the determined level of risk or to do more. As the risk picture changed, the executive decided to do more and directed the management level to produce a plan. At this level the risk evaluation methodology was quite different and quite tailored to the wildlife management context and the set of decisions required at that level - what to do about the various bird species.

Different Levels of Risk Assessments

I hinted at a third level of risk management but, to be honest, I haven't really seen that level employed in the real world in this context. OHS practitioners would be familiar with Job Safety Analyses (JSAs) which are a very operations-level activity which I thought would be similar to what I was thinking here.

I guess the moral of this rather rambling post is that I am becoming more and more convinced that an all-encompassing "enterprise risk management system" is not a simple case of having the same small set of tools for all levels. Instead, you need a framework that recognises the different levels (the different contexts, objectives and decisions) and creates linkages between these levels. My immature thoughts at this stage centre around the decisions and their resulting actions being those connections.

For example, the risk management being carried out at the lowest level may itself be a risk control measure for the next level up and so on. This becomes a bit circular but we might as well accept that it's turtles all the way down, people!

There may be more to come on this one, but right now, its bedtime!

1. He would so hate that title ;)

2. Safety management? I'm not too sure. I've been pondering this lately as well and when that thought is half-finished, I'll post it here too.

"Compliance Doesn't Equal Safety"

I've heard this saying quite a bit over the last few months and in at least one aspect, I agree with the statement. It tends to be true that regulations have failed to keep pace with industry. As such, blind compliance with the regulation no longer ensures an accident-free existence.

Apparently, there is a Venn diagram making the rounds. I've been told it looks like this:

Safety Doesn't Equal Compliance

So what is the solution?

In most conversations, I heard "systems-based" or "risk-based" auditing touted as the answer. Unfortunately, that, in my opinion, is not the answer.

Now, don't get me wrong. Please. Old check-box auditing is not the answer either.

So what is? Let's break it down into pieces...

Firstly, we need to define "compliance". Often, people infer from compliance, a high level of prescription within the legislation, regulation or standard. In the past this was true but nowadays, it's becoming less the case. Regardless, when auditing, especially in a highly-regulated environment, the standards are everything. Issuing findings outside of the standards is unacceptable and you can forget about enforcement action.

We have no choice but to move the "compliance" circle to match up with the "safety" circle. Easier said than done.

The above Venn diagram is mis-leading. Safety is not a neat circle. It's not the same for each industry sector, or even between operators within the same sector. And it's not stable. Not only is aviation a, generally, growing industry, it's diverging as well. "Safety" could probably be drawn like this instead:

The safety profiles of various operators differ

That leaves old-school compliance with two options. Be a well-rounded set of requirements aimed at achieving a generally good level of safety or becoming a complex monster of requirements aimed at ensuring safety across all areas - see below. In the first case (C), gaps between safety and compliance still exist (just to refresh - that means an operator could comply with the rules and still not "be" safe). And in both cases (C & D), all operators are burdened by requirements which have nothing to do with safety in their environment.

The different ways to apply old-school compliance

I mentioned above that the standards are becoming less prescriptive. The still fairly new concept of safety management systems is a different kind of regulation. Instead of telling operators how to address known safety risks, it requires operators to establish a system to identify, assess and mitigate risk within its own environment1. This approach can fill the gaps between traditional compliance and safety. It also goes a long way to supporting "systems-based" and "risk-based" auditing.

Diagram E is probably a good indication of where we are at the moment. In most cases, an SMS requirements has been added to the existing regulatory regime and a "fill the gaps" approach has been taken. This is a valid approach. SMS is relatively new and the industry needs time to grow into the philosophy.

The way compliance looks now and may look in the future

In the future, I imagine it will be possible to reduce the prescriptive side of the compliance equation. A greater level of flexibility is obviously good for the industry as it would reduce the nugatory regulatory burden on some operators but ensure a level of safety acceptable to the regulator.

That retreat will require careful planning and sure-footed execution. A lot of work will need to be done before then, but I'll hold on to it as my "I have a dream" concept2.

1. It actually requires more than a risk management system but lets keep things simple for the sake of this short but rambling post. Check out the link above for more information. 2. I know it's nowhere near the level of nobility of the original but each of us hopes to influence the world in our own way.