75.7 F
Washington D.C.
Monday, June 5, 2023

PERSPECTIVE: Successful Critical Infrastructure Risk Management Isn’t About Compliance, It’s About Culture

By studying human factors, organizations can gain deeper insight into the health of their current safety culture to identify gaps that compliance audits and regulatory guidance may overlook.

With many of the country’s most essential services handled by private entities in coordination with federal and local agencies, critical infrastructure leaders understand the importance of their operations to the lives and livelihoods of Americans. They’re certainly no strangers to managing risk, and they’ve become familiar with the task of keeping up with changing regulations.

However, just keeping up with regulations isn’t always enough. Pursuing certifications and ensuring compliance can help operators set a solid foundation for a safe environment – but that’s all these guidelines can ever do. Why? Because each operation is unique, as are the threats to its essential functions. At the end of the day, complying with guidance generally means only that a facility has achieved the minimum acceptable standards for hazard and risk mitigation in their industry.

Of course, some enterprises go above and beyond compliance, proactively outlining policies that exceed the bounds of current regulatory guidance. Still, those companies may have more to do. At the end of the day, safety is not about your guidelines or rulebooks. All of that is meaningless without workers and leaders who take workplace safety seriously. For this reason, safety and security efforts within critical operations cannot start and end with regulations. It must become a central driver of each business’ operations, decisions, and company culture.

Building from the Baseline

Cultivating a culture that prioritizes safety across the organization can help industrial firms reduce risk, maximize uptime, and minimize the impacts of a potential incident. As we saw in the recent train derailment in East Palestine, Ohio, and subsequent probe into the event, something as small as wayside defect detector settings can lead to significant consequences for the wider community.

While the probe is ongoing and the causes of the event remain uncertain, the widespread impact of this event illustrates how seemingly inconsequential decisions can lead to significant hazards – and the importance of developing a culture that understands and prioritizes safe procedures at every step.

This means doing more than sharing regulatory guidance or hanging posters in break rooms. Risk management teams should raise the visibility of the potential hazards throughout the organization, starting at the cultural level, and encourage a focus on safety that underlies any and all decisions. To begin fostering (or strengthen) a safety-centered culture, risk management teams can:

  1. Conduct self-audits. The first step for operators looking to strengthen their cultural commitment to safety is to conduct a self-audit with an eye toward the human factor. It should seek to identify not only operational and process-related factors that contributed to these events, but also those related to organizational culture and attitudes as well. Auditors should review historical data related to previous near-misses, chronic issues, and accidents as well as conduct interviews with or surveys of employees at all levels. This can help provide a comprehensive view of how high-level decisions, company policies, and communications related to job safety are interpreted by staff to highlight areas of opportunity for improvement.
  2. Tailor procedures. Armed with the knowledge from the self-audit, risk management teams can now get a better understanding of their current policies. The team should examine existing safeguards and polices critically, considering whether these policies adequately address risks and safety concerns identified in the audit. This assessment should apply to both internally developed guidelines and those adopted as part of compliance practices, with the understanding that even those outlined in regulatory guidance may need to be updated to accommodate the realities of the enterprise.
  3. Center education. With new procedures in place, teams can begin to build a culture of understanding about and respect for the importance of safety to the business. Training cannot be a one-time or annual endeavor or reserved for full-time staff. In an organization that centers safety, education is a part of daily life, extends beyond rote memorization of guidelines, and is offered to all workers, regardless of whether they’re contractors or full-time employees. Furthermore, these efforts should focus on communicating why protocols are in place (what they aim to avoid), not just what the protocols are.
  4. Encourage communication. Safety has no hierarchy. Anyone working on the floor is smart enough to know when they aren’t safe, and the issues they raise should be taken as seriously as feedback coming from the CEO or Board of Directors. Putting a system for reporting concerns into place is crucial to overall workplace safety as is reviewing and addressing feedback when it’s given.
  5. Be open to change. Each event – whether within your facility or in a similar environment elsewhere – gives new insight into the risks to your business. Risk management teams must be open to acknowledging when things can be improved and doing the work to improve them – and they must have this outlook in perpetuity. They must accept that they don’t know everything and be willing to adjust course when needed.
  6. Ask for help. Internal and external experts can provide valuable and objective feedback on how things are going. If there are managers or teams within the enterprise who are excelling at fostering a worker-safety-centered culture, use them. Ask them their thoughts and be receptive to their feedback. The same can be said for third parties that specialize in risk management auditing and analyses. They can act as a new set of eyes, helping to highlight areas of opportunity that internal reviewers may not see – and suggesting informed solutions that can help operators achieve their safety and security goals.

Although it’s often forgotten, the human factor is always at play in an organization, and attitudes toward safety can have a significant effect on outcomes. By studying human factors, organizations can gain deeper insight into the health of their current safety culture to identify gaps that compliance audits and regulatory guidance may overlook, helping them transcend compliance and achieve safer, more secure operations for employees, leaders, and communities.

It’s only when we look beyond compliance, at a company’s culture and attitude around safety and risk management, that we can get a complete view of a facility’s areas of opportunity for improvement based on the assets in and functions of a given enterprise. And it often falls to risk management teams to champion these endeavors.


The views expressed here are the writer’s and are not necessarily endorsed by Homeland Security Today, which welcomes a broad range of viewpoints in support of securing our homeland. To submit a piece for consideration, email [email protected].

Chris LeBoeuf
Chris LeBoeuf is Global Head of the Extreme Loads and Structural Risk division of ABS Group, based in San Antonio, Texas. He leads a team of more than 60 engineers and scientists in the US, UK, and Singapore specializing in management of risks to structures and equipment related to extreme loading events, including wind, flood, seismic and blast. Chris has more than 20 years of professional experience as an engineering consultant and is a recognized expert in the study of blast effects and blast analysis and design of buildings. Chris holds a Bachelor of Science in Civil Engineering from The University of Texas at San Antonio and is a registered Professional Engineer in 12 states.

Related Articles

- Advertisement -

Latest Articles