1. The risk management portal (P2B)
1.1. Required for mapping to bow tie elements
1.1.1. Mapped Items
1.1.1.1. Clauses in Statute
1.1.1.2. Corporate Standard elements
1.1.1.3. Documents
1.1.2. Causes
1.1.2.1. Based on (and mapped to) incidents
1.1.2.2. Safety alerts
1.1.3. Controls
1.1.3.1. Mapped to Clauses and Standards that set requiremetns
1.1.3.2. Linked to causes and outcomes
1.1.3.3. Form part of the management plans
1.1.3.4. Owned by a role in the organisation
1.1.3.5. Linked to supporting documentation
1.1.4. Incidents
1.1.4.1. Grouped by generic loss type
1.1.4.1.1. Typically 16 to 20 Incidents at a site
1.1.4.2. Limited in number to the unique strategic control frameworks
1.1.5. Outcomes
1.1.5.1. Risks that can be ranked (when part of an incident)
1.1.5.2. Linked to mitigating (reactive) controls
1.2. Visual "front end" for access to all aspects of the RM works
1.2.1. Dashboard - as a quick link to source data and analyses
1.2.2. Process maps for contextual links to relevant elements of the process
1.3. Maintenance of controls
1.3.1. Criticality of controls defined
1.3.1.1. Number of causes being addressed
1.3.1.2. Hierarchical position (how strong?)
1.3.1.3. Team perception (which also highlighted weaknesses)
1.3.2. Reminders (actions) developed for each priority control
1.3.3. Controls are "owned" by roles on site
1.3.3.1. A role is only filled by a single person
1.3.3.2. A person can hold a number of roles
1.3.3.3. The set of controls for which a person is responsible is their job description
2. Extending the Portal (P2B)
2.1. Generation of specific risk assessments
2.1.1. For an operating task / area - Identify relevant incident types
2.1.2. Group specific causes (e.g. Human Error)
2.1.3. Examine Mitigating Controls (e.g. Emergency Response requirements)
2.2. Development of an Audit Response
2.2.1. All active clauses linked to controls / documents
2.2.2. Dynamic Plan showing how each requirement is addressed
2.3. System health monitoring
2.3.1. Tracking of Actions
2.4. Control of key document / records
2.4.1. Use of the in-built Document Management system
2.4.2. Content Management System - to generate dynamic published information for consumption on the portal
2.4.3. Forms containing information on key statutory and standards requirements
3. Sequence of activities
3.1. Identifying that WRAC and static MP's were not working
3.1.1. Too many risks - without connected responsibilities
3.1.2. Unreferenced controls (variously named)
3.1.3. No clear linkage between RA and MP
3.2. Review of company and global incident / accident data
3.2.1. Rigour - not missing any relevant losses
3.2.2. Extending the risk ranking basis - having statistical information on the frequency and severity of losses
3.2.3. Grouped according to Incident Type (aligned with control "groups" initially - but also mapped to company Major Hazards).
3.3. Review of statute, standards (AS and XC) and existing MP's
3.3.1. Identifying required controls
3.3.2. Confirming that all clauses of all instruments were known
3.4. Generation of draft bow ties (risk and control charts)
3.4.1. Drawing on RA's from many other operations
3.4.2. Based on root causes identified from fatality and serious incident investigations (SSAI and ICAM studies)
3.4.3. Controls drawn from requirements and risk engineering science