Turning the Management of Safety Risk into a Business Function: The Challenge for Industrial Sociotechnical Systems in the 21st Century

Since World War II, the history of safety in industrial sociotechnical systems has evolved through different paradigms. From the days of “operate-break-fix-operate”, through system safety, human factors, organizational factors and “cognition in the wild”, engineering and social disciplines have contributed to the safety of industrial systems that require close interaction between people and technology to achieve their production goals. Yet, regardless of paradigms, disciplines or industries, the hierarchical status of safety has remained largely unaltered: safety may be claimed to be the first priority of industrial systems, but boardroom agendas seldom reflect that assertion. The contention in this chapter is that if safety is to elevate its status within other functions in industrial systems, if it is to become an out-of-the-ordinary topic on boardroom agendas, it must contribute to the management of overall organizational risk, along the same lines and at the same level as the financial, legal, quality, human resources or any other business functions of the organization. The chapter provides a conceptual outline of the building blocks of a system that would contribute towards such an end. Central to this system is its capability to support an evidence-based allocation of prioritized safety resources, as well as the use of procedures and a language that parallels the procedures and the language of other business functions. The chapter builds on and mostly discusses the experience of the aviation industry, because it is the sector that has, until now, taken a lead in the direction proposed. Nevertheless, it is asserted that the notion of the management of safety as a business function is transversal to all industrial sociotechnical systems.


Introduction
The proposal to turn the management of safety (or safety management) into a business function hinges around three key ideas that apply regardless of the industry and across the typical range of conditions under which industrial sociotechnical systems operate and deliver their services.
First, safety must evolve from its historical role (without abandoning it), which was almost exclusively focused on accident risk reduction, and broaden into a function that contributes to the overall risk management of the organization. To this end, it becomes necessary to develop processes and activities for the management of safety risk (or safety risk management) that mirror the processes and activities for the management of risk in other functions that support overall risk management.
Second, it is almost impossible for industrial systems to address all the safety concerns that they face during their service delivery operations: the cherished notion of zero accidents is closer to an idealized concept than to a realistic possibility. Therefore, industrial systems must prioritize safety concerns through the anticipated management of safety risk, in a manner consistent with the prioritization of risk of other business functions, rather than "run after the last accident" while requesting, after the fact, limitless resources to avoid repetition.
Third, involvement in decision-making regarding the management of safety risk must move up the organizational ladder, as does involvement in decision-making regarding the management of risk in other business functions, from the subject matter expert level to executive leadership level.
The chapter starts by providing a brief account of the disciplines that nurtured safety in industrial socio-technical systems after World War II. This is because a proposal based on evolutionary change is essential, given the documented abhorrence for revolutionary change of socio-technical systems. Following this account, the chapter develops a conceptual proposal for a system for the management of safety risk as a business function, and briefly discusses, as the cornerstone of the proposal, a particular perspective on the notions of management and risk. The chapter lastly discusses the three key ideas outlined above, as the vehicles to turn, in practice, the management of safety into a business function.

System Safety
System safety was the first post-World War II contributor to industrial systems safety and remains, after more than 60 years, the reference for technological industrial design regardless of industry [3]. Two footnotes regarding the potential of system safety to contribute to the management of safety as a business function are relevant here. First, system safety was conceived exclusively for the improvement of technical systems (an aircraft, ship, car, engine, pump, etc.). Second, within the strong engineering credo of system safety, the human operator is considered a liability, due to the potential for human mishandling of technology during service delivery operations.

Human Factors
Human factors joined system safety in contributing to industrial systems safety circa 1970s [6]. Three footnotes are relevant here. First, human factors was conceived for application to socio-technical systems, of which industrial systems are prime examples. Second, from the cognitive perspective, human factors considers the human operator an asset, due to the ability of humans to "think on their feet" and provide responses to operational situations unforeseen by design and planning [2,5,10]. Third, from the organizational perspective, human factors considers human error as a symptom of deficiencies in the architecture of the system rather than the cause: operational error is an indication of problem(s), but not the problem(s) itself [8].

Business Management
Until business management appeared in industrial safety, some twenty-five years ago, the paradigmatic safety goalpost had been the absence of low-frequency, high-severity events: safety was viewed as freedom from accidents. Under business management thinking applied to safety ("one cannot manage what one cannot measure"), it is necessary to prospect higher frequency, lower severity events as alternative safety goalposts that provide the larger volume of data necessary for the development of safety risk management information. Business management applied to safety also leads the organization to assign sense to the safety dollar: is the safety return worth the resources invested for its achievement?
Two final footnotes are relevant here. First, it is intrinsic to business management that the organization must develop multiple sources of information acquisition during service delivery operations. Accident investigation as the sole source of safety data does not generate the volume (or the calibre) of information necessary for the management of safety risk. Second, business management applied to safety does not aim at an "ideal" safety status (safety first, zero accidents, safety is everybody's business, safety starts at the top, and so forth), but at service delivery operations under conditions of "acceptable" (i.e. controlled) safety risk.

A Conceptual Proposal
The proposal for a system for the management of safety risk as a business function builds upon the integration of aspects from system safety, human factors and business management.
From system safety, the proposal retains the two basic entities of hazard and risk and introduces a third entity: potential consequence (the anticipated outcome of hazards). This provides guidance for the capture of high frequency, low severity safety concerns in a volume appropriate to the need of "measuring what must be managed," and to support the evaluation of the safety concerns for prioritization purposes.
From human factors, the proposal retains organizational psychology (the organizational accident) and cognitive psychology (human performance as an asset rather than a liability) as central linchpins. These provide guidance to define the context where the capture of information on hazards takes place and allow a perspective of operational human performance vis-à-vis features of the workplace that may negatively affect it. From this perspective, it is essential not to lose sight of the fact that "work as imagined" (procedures) and "work as delivered" (practices) are frequently asymmetrical. Since operations are delivered according to practices and not procedures, the implications of this asymmetry in industrial systems service delivery operations safety become clear [9].
The integration of elements from system safety and human factors covers two of the central activities in the management of safety risk as a business function: hazard identification and analysis and safety risk evaluation and mitigation.
From business management, the proposal retains the three basic elements of organizational control theory (direction, supervision and control) to monitor the effectiveness of the mitigations implemented for the management of safety risk. The result is the third central activity in the management of safety risk as a business function: safety performance monitoring using safety performance indicators and safety performance targets.
Interfacing hazard identification and analysis with safety risk evaluation and mitigation and with safety performance monitoring constitutes a process known as safety risk management, which is the conceptual basis for the management of safety as a business function [7].

The Terms Management and Risk
A conceptual proposal for a system for the management of safety risk as a business function cannot avoid a discussion of the terms management and risk. These terms are common currency in the safety language of industrial systems; yet, they are often applied in a colloquial sense.
The term management derives from the early Italian verb maneggiare, meaning, "to ride a horse with skill" [4]. At face value, the meaning appears as an irrelevant metaphor. However, riding a horse with skill requires directing, supervising and controlling the horse so that it does what the rider wants in order to reach the intended destination. From this angle, the implications of the etymology of the term in providing direction, supervision and control to safety risk management activities become explicit.
The term risk also derives from an early Italian verb: risicare, meaning, "to dare" [1]. As the etymology of the term suggests, risk is not about fate but about decision and choice: we decide to accept or reject the choice(s) resulting from the evaluation of risk.
Combining the two terms into a single clause (risk management) and drawing from their respective etymologies, it is proposed that risk management involves daring to make decisions about choices that provide direction, supervision and control to specific activities. Extending this to safety, safety risk management involves daring to make decisions about choices that provide direction, supervision and control to safety activities.
Risk is not limited to safety; risk may be related to finance, legal, economics, quality or any other function of an industrial system. In fact, the term enterprise risk has been coined to encompass the overall risks faced by an industrial system, and to underline the importance of their joint management.
The joint management of overall enterprise risk (enterprise risk management) is important because it ensures the continued viability of an organization. Thus, the management of safety risk through a dedicated management system goes beyond accident risk prevention, to become a contributor to organizational viability. Safety risk management is therefore the essential business function to be delivered by the safety structure of the industrial system to support enterprise risk management.

Safety beyond Accident Risk Reduction: Direction and Supervision
The first key idea for operationalizing a system for the management of safety risk as a business function focuses on the need to broaden the scope of the safety function in industrial systems and acknowledge the difference between accident risk reduction (the term commonly used by industrial systems is accident prevention) and safety risk management. This is a difference that goes beyond semantics.
Accident risk reduction/accident prevention involves activities to avoid experiencing low-probability/high-severity negative outcomes. The link between accident risk reduction activities and the avoidance of accidents is explicit and direct.
Safety risk management involves activities that generate information to support the choice of senior leaders regarding priorities in the allocation of resources to address potential consequences of hazards. The link between safety risk management activities and the avoidance of accidents is implicit and indirect.
There is a likelihood that safety risk management may prevent accidents. This would be a by-product, as opposed to a goal, of safety risk management. Accident risk avoidance is the province of safety programmes. Safety risk management is the vehicle for a system for the management of safety risk as a business function. Safety programmes are resourced, or not resourced, as a function of choices in the priorities regarding the allocation of resources that result from safety risk management information.
It is worth emphasising this point: safety risk management is about decisions on priorities regarding the allocation of resources (including the decision to not allocate resources) to contribute to the management of overall enterprise risk.
Applying the three basic elements of organizational control theory to the management of safety risk just as they apply to the management of financial, quality, human resources or any other risk within an industrial system provides:
• Direction, by setting risk management targets; in this case, safety performance targets;
• Supervision, through the collection and analysis of information regarding risk monitoring indicators; in this case, safety performance indicators; and
• Control, through the allocation/re-allocation of resources based on the analysis of information, to achieve the risk management targets that have been set; in this case, monitoring progress of safety performance indicators towards their associated safety performance targets.
In developing safety performance indicators and safety performance targets, there should be less focus on the use of outcomes and more emphasis on the parameters that are the forerunners of the outcomes. The following example is taken from the aviation industry.
Aircraft must respect what is known as a "stable approach" to landing. Unstable approaches may lead to a number of undesirable outcomes and are a quintessential safety concern in aviation.
To conform to stable approach criteria, aircraft must be within specified position(s) of the flight controls and the landing gear, at specified indicated speed(s), and at specified engine(s) regime(s) (all this encompassed under the term "configuration") at fixed points along the approach to the runway. These fixed points typically are: 10 miles from touchdown; the final approach fix (or FAF); and the point at which the flight crew must decide whether to continue to land or initiate another approach if the approach is not stable ("the window").
The safety risk management activities involved in this example would be:
• Implementing mitigations that aim at ensuring that flight crews and aircraft meet the requirements to conform to stable approaches
• Providing direction for monitoring the effectiveness of mitigations by establishing safety performance targets
  - Expected aircraft configuration at 10 nautical miles from touchdown;
  - Expected aircraft configuration at the FAF; and
  - Expected aircraft configuration at "the window".
It must be emphasized that safety risk management involves the monitoring and measurement of the parameters (the configuration values) underlying proposed mitigation(s), as opposed to monitoring the outcome that the mitigation(s) seeks to avoid (unstable approaches). Monitoring parameters will generate a larger amount of data than monitoring outcomes, and capture information regarding the success of the mitigation(s) (number of flights that do meet stable approach criteria) rather than the failure of the mitigation(s) (number of flights that do not meet stable approach criteria). Comparing rate of success to rate of failure allows a relationship to be established between safety achievement and the investment required for the safety achievement (return on investment). Data about failure (unstable approaches) would make it difficult to establish this relationship.

The Prioritization of Safety Concerns: Control
The second key idea for developing a system for the management of safety as a business function refers to "rationing" always-finite resources, since no organization has enough resources to address all the potential consequences of hazards. This responds to the third element of organizational control theory: control.
The first step in "rationing" involves evaluating the safety risk of the potential consequences of hazards identified. Once potential consequences are safety-risk prioritized, implementation of safety risk mitigations according to determined priorities follows. As part of the prioritization, some of the potential consequences may be ignored due to resource availability, but this would be a data-supported choice. Mitigation does not automatically mean solution, and resources allocated to mitigations that do not result in the expected solutions are wasted resources that could be re-allocated for more efficient purposes (no return on investment). Thus, the second step in the "rationing" involves monitoring the effectiveness of mitigations, as close to real time as possible, to ensure the mitigations are delivering the expected safety performances (return on investment).
The aeronautical example in the previous section applies here; however, for broader illustrative purposes, a further example borrowed from the oil industry follows. The example also supports the assertion in this chapter that the management of safety as a business function travels quite well across inter-industry boundaries. Figure 1 depicts the main safety concerns specific to an operation, risk-evaluated and prioritized according to potential severity of the consequence of the concern. The nature of the safety concerns is irrelevant for the purpose of the example; what is relevant is that only 10% of the total resources available to address all safety concerns in the list were allocated to address the two with the greatest potential severity (the two top bars), meaning this operation allocates 90% of its budgeted resources to addressing lesser safety concerns. This does not necessarily mean ineffective accident risk reduction activities (i.e. ineffective accident prevention), but rather that control of safety resources (safety risk management) is not as effective as it could be. Control of safety resources not based on safety risk management may lead an organization to invest in activities that do not bring return on investment. This is often the case when resource allocation is based on opinion instead of data.
Fig. 2 illustrates an observation card, typical of many industries, used to routinely monitor workplace safety practices and conditions. Observation cards reflect, in theory, organizational expectations of where the most severe incidents are likely to occur during service delivery operations. In both cases illustrated above, the contents of the card and the budget allocation to risk prevention were based on personal experience, anecdotal evidence, history and so forth, and not on data.
Indeed, in the example of the safety card above, closer inspection showed that nothing related to the two actions with the highest severity was reflected in the aspects to be observed. Since observations are labour-intensive, this raises questions not only related to safety, but also related to the allocation (or rather the mis-allocation) of resources.

Elevating Safety to the Boardroom
The third key idea for operationalizing a system for the management of safety risk as a business function addresses the need to elevate safety to the boardroom. This is because decisions on risk evaluation are purely technical and belong at the subject matter expert level; decisions on risk mitigation are financial, legal and administrative because risk mitigation involves financial, legal and administrative considerations (and costs). As such, decisions on risk mitigation belong, ultimately, at the leadership levels.
Attempts to insert safety into the routine agenda of the leadership from the accident prevention angle are self-defeating, because risk management is part of the procedures and the language of leadership; accident prevention is not. As the history of industrial systems shows, few things are more counterproductive than trying to "force safety down the throat" of leadership, trying to capture its attention by resorting to the moral and ethical undertones assigned to safety or, even worse, trying to turn leadership into safety experts.
As long as accidents do not occur, safety is not part of the routine agenda of the leadership, and rightly so: why and how could the leadership address something that has not happened? How can absence be risk-evaluated and risk-managed? An accident is to safety what bankruptcy is to finance. No financial officer would consider reporting financial success by stating that the organization has avoided bankruptcy. Yet, safety officers consistently report safety success by stating that the organization has avoided accidents.
The proposal of the chapter in this respect is simple and straightforward: if the safety function is to be effectively elevated to the boardroom, if leadership is to be encouraged into regularly making decisions regarding safety risk mitigation as part of its agenda, safety must take some distance from accident prevention and observe the procedures and the language of safety risk management. This will provide for a natural forum for safety (alongside finance, legal, quality, human resources or any of the other functions) in the organization's senior governance decision-making structure.
Are there significant roadblocks to the management of safety as a business function? Only two are envisioned. One relates to traditional mindsets among safety practitioners who mostly have engineering backgrounds, and how to modify deeply rooted safety practices. The "changing of the guard" regarding professional demographics and the education they are receiving will facilitate removal of this potential roadblock. The other relates to data storage and retrieval. Only aviation has an industry-wide accepted taxonomy, and data management without taxonomy may quickly become a nightmare. By no means an insurmountable roadblock, it only requires minds and subject matter expertise to come together, while remembering that consensus regarding taxonomy definition is labour-intensive and takes time, as the experience of the aviation industry indicates.

Conclusion
Since World War II, industrial safety has progressed under the guidance provided by three unconnected disciplines: system safety, human factors, and business management. To overcome perceived shortcomings in doing more of the same with more intensity in pursuing industrial safety in the 21st Century, the three disciplines must converge towards a point of confluence. The result of this confluence would be, in practice, the vehicle for the operationalization of the management of safety risk as a business function. The challenge ahead becomes the coordinated integration of the three disciplines into a coherent whole. This chapter has presented an outline of the integration.
Open Access This chapter is licensed under the terms of the Creative Commons Attribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/), which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license and indicate if changes were made.
The images or other third party material in this chapter are included in the chapter's Creative Commons license, unless indicated otherwise in a credit line to the material. If material is not included in the chapter's Creative Commons license and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder.