EHS Data Analysis Heuristics: Turning Performance Data Into Better Decisions

Posted on June 7, 2026 by Chet Brandon

By Chet Brandon

EHS data is only useful when it helps leaders make better decisions and take timely action. Incident reports, corrective action records, hazard observations, audit findings, injury data, exposure information, and corrective action trends all contain signals. The leadership challenge is knowing which signals deserve action now, which need more investigation, and which are simply background noise.

In this context, heuristics are not guesses or shortcuts used to avoid thinking. They are practical decision strategies that help leaders make timely judgments when information is incomplete, time is limited, and operational complexity is high. Gigerenzer and Gaissmaier (2011) describe heuristic decision making as a way to simplify judgment under uncertainty, which is directly relevant to EHS leadership where decisions often must be made before every fact is perfectly known.

That matters because EHS leaders rarely operate with perfect information, unlimited time, or a fully controlled operating environment. We often have enough information to detect signals, enough experience to recognize patterns, and enough responsibility to act before risk becomes consequence.

Over my career, I have learned that effective EHS analysis does not require unnecessary complexity. It requires disciplined review, practical judgment, and a strong bias toward action. A dashboard that does not change a decision is just decoration. The purpose is to understand what the system is telling us and act before weakness becomes failure.

These heuristics are experience-based review tools. They do not replace technical analysis, regulatory review, industrial hygiene assessment, engineering evaluation, or legal guidance where those are required. Their value is helping leaders recognize patterns quickly enough to start the right work.

These tools and tactics were not developed in a classroom or from theory alone. They come from roughly 35 years of experience in heavy industry, including chemicals, metals, glass, aerospace, manufacturing, and industrial services. They were also sharpened through extensive work with an asbestos legal defense team for a Fortune 500 manufacturing company, where I learned how important it is for EHS decisions to be fact-based, well-documented, professionally sound, and explainable under serious scrutiny. That experience reinforced a practical lesson: if an EHS decision cannot be clearly explained and ethically defended, it probably needs stronger analysis before it is accepted.

A Practical 6-Step EHS Data Review Method

When reviewing EHS performance data, I generally use six practical questions.

1. What Is the Trend?

Start with the trend. Is performance improving, deteriorating, stable, or shifting unexpectedly?

Look at magnitude, direction, velocity, and stability. A large number may matter, but a sudden change in an otherwise stable pattern may matter even more. When data moves quickly in the wrong direction, leaders should not dismiss it as noise until they understand what changed.

A spike in injuries, a sudden increase in corrective action delays, a change in severity potential, or a shift in event location may indicate a change in exposure, work mix, staffing, supervision, procedure quality, or control effectiveness.

The first leadership question is simple:

What changed, and why?

2. What Are the Top Recurring Drivers?

After reviewing the trend, apply Pareto logic.

Most EHS performance issues are not evenly distributed. A small number of event types, tasks, locations, hazards, or control failures often account for a large share of the total impact. I typically look for the top three to five recurring issues because those are often the most actionable.

This keeps the organization from spreading improvement energy too thin. The goal is not to fix everything at once. The goal is to focus first on the issues creating the most repeated failures or the greatest operational risk.

The key question is:

What few issues are driving most of the problem?

3. What Separates the Best From the Worst?

The next step is to compare the Best of the Best with the Worst of the Worst — the BOBs and WOWs.

When one site, department, shift, crew, or process is performing much better than another, the difference is usually not accidental. The best performers may have stronger planning discipline, better supervision, more effective pre-job reviews, stronger engineering controls, better housekeeping, faster corrective action closure, or more consistent frontline engagement.

The value of this comparison is that it identifies solutions already working inside the organization. Instead of importing a theoretical best practice, leaders can transfer a proven internal practice to weaker areas. The Shainin System is a problem-solving system associated with strategies and tools for quality improvement and identifying dominant causes (Steiner et al., 2008).

The practical question is:

What are the best performers doing that the worst performers are not?

4. What Severe Exposure May Be Hiding in the Data?

Frequency is important, but it is not enough.

Some serious exposures may not appear often in the data but still carry severe consequence potential. These are the plausible Black Swan-type events that may be hidden inside routine work. A task may have few recorded injuries but still contain fatality, serious injury, fire, explosion, chemical exposure, or environmental release potential.

Leaders need to ask:

What low-frequency, high-consequence event could occur here?

Taleb’s Black Swan concept is commonly associated with events that are highly improbable, difficult to predict, carry major impact, and are often explained too easily after the fact (Taleb, 2007). In EHS leadership, the practical value is not debating whether an event is perfectly unpredictable. The value is forcing ourselves to look beyond the most frequent items in the data and ask where the operation could fail severely.

I am especially interested in severe risks that can be meaningfully reduced with modest resources. If a high-consequence exposure can be reduced through a practical control, it should not be ignored simply because it does not dominate the incident count.

Pareto analysis tells us where we are failing often. Black Swan thinking tells us where we could fail badly. Both are necessary.

5. Are the Corrective Actions Strong Enough?

Once the patterns are understood, the next question is whether the proposed corrective actions are strong enough to control the risk.

The NIOSH Hierarchy of Controls is a useful starting point. NIOSH identifies the preferred order of controls as elimination, substitution, engineering controls, administrative controls, and personal protective equipment. NIOSH also notes that elimination, substitution, and engineering controls are generally more effective because they control exposures with less reliance on human interaction (National Institute for Occupational Safety and Health [NIOSH], 2024).

That does not mean every solution can be engineered immediately. It does mean leaders should avoid over-relying on weak controls when stronger controls are feasible.

There also needs to be balance. Engineering controls can be highly effective, but they may require capital, design time, or longer implementation. Procedural and behavioral controls can move faster, but they depend on consistent human execution. A strong corrective action plan often uses layers: immediate interim controls, practical near-term actions, and stronger long-term controls where needed.

Before accepting a corrective action, I ask:

  1. Does this reduce the actual exposure, or does it only remind people to be careful?
  2. Is it aligned with the hierarchy of controls?
  3. Can it be implemented quickly enough to matter?
  4. Does it apply beyond one isolated event?
  5. Does it address a recurring driver or a credible severe-risk exposure?
  6. Is there an owner, due date, verification method, and effectiveness check?
  7. Would this action prevent the same event under real operating conditions?

If the answer is no, the corrective action is not ready.

6. Which Actions Deserve Priority?

Prioritization should consider both potential impact and resource requirement.

High-impact actions that require modest resources should move quickly. These are often the best opportunities to strengthen the system without waiting for a major program, capital project, or lengthy redesign.

A simple prioritization model works well:

PriorityImpactResource RequirementLeadership Response
1HighLowAct immediately
2HighMedium or HighEstablish interim controls and plan permanent correction
3MediumLowImplement through routine improvement work
4LowHighDefer unless required for compliance, strategy, or risk reduction

This does not mean difficult high-risk issues can be ignored. If a credible high-risk exposure exists, some level of control is required. The task is to sequence the work intelligently: immediate containment, practical short-term improvement, and sustainable long-term control.

Is the Decision Ethically Defendable?

A final test I use before accepting a significant corrective action or risk decision is whether the decision is ethically defendable.

In practical terms, I ask myself a hard question:

If I were on the stand in a court of law explaining this decision, would I be comfortable defending it?

That question sharpens the analysis. It moves the decision beyond preference, convenience, budget pressure, or organizational habit. It forces a leader to consider whether the action was reasonable, informed, timely, and consistent with the known risk.

This is not about making every EHS decision from a defensive legal posture. That would slow the organization down and weaken judgment. It is about testing whether the decision can withstand honest scrutiny.

In a court of law, a position is defended through facts, records, credible reasoning, and consistency with accepted professional practice. For expert testimony, Federal Rule of Evidence 702 addresses whether testimony is based on sufficient facts or data, uses reliable principles and methods, and applies those principles and methods reliably to the facts. That is a useful practical screen for EHS decision-making even outside litigation (Legal Information Institute, n.d.).

For EHS decisions, I ask:

  1. What facts supported the decision?
    Data, observations, audits, interviews, photos, risk assessments, or technical findings.
  2. Was the reasoning documented?
    Who was involved, what was considered, what alternatives were evaluated, and why the final action was selected.
  3. Was the method professionally sound?
    Did we use recognized standards, hierarchy-of-controls thinking, competent judgment, and reliable information?
  4. Did we consider feasible stronger controls?
    A weak control is hard to defend if a stronger practical control was available.
  5. Was the response proportional to the risk?
    Higher-severity exposures require stronger and faster action.
  6. Was the decision ethically aligned?
    The action should reflect the professional obligation to protect people, the environment, property, and professional integrity.
  7. Could I explain it clearly under questioning?
    A defensible decision should be easy to explain: what we knew, what we considered, what we did, why we did it, and how we verified it.

As part of that final evaluation, I also use the BCSP Code of Ethics as a professional cross-check. BCSP requires applicants, candidates, and credential holders to uphold its Code of Ethics, and the Code includes the duty to hold paramount the safety and health of people and the protection of the environment and property (Board of Certified Safety Professionals [BCSP], n.d.).

For me, that means the decision should place protection ahead of convenience, pressure, or expediency. It should be honest, fact-based, professionally competent, free of improper conflict, and consistent with the integrity expected of the safety profession.

The courtroom test strips away excuses. It forces the question: did we make a responsible decision with the facts, resources, and options available at the time?

Ethically defendable does not always mean perfect. Leaders often make decisions with incomplete information, competing priorities, and real operational constraints. But ethically defendable does mean the decision was made with integrity, competence, urgency, and proportionality to the risk.

If I would not feel comfortable explaining the decision under oath, or if the decision does not align with the professional obligations reflected in the BCSP Code of Ethics, then the decision is not ready. It needs stronger analysis, stronger controls, better documentation, faster timing, clearer ownership, or a different course of action.

The leadership standard is simple:

Make decisions you can defend because they were technically sound, ethically grounded, professionally responsible, and aligned with the duty to protect people, the environment, and the business.

A Practical Example

Consider a company reviewing 12 months of hand injury data.

The trend shows a sharp increase in the last quarter. Pareto analysis shows that most events involve line-clearance, jam-clearing, and minor adjustment tasks. A BOBs/WOWs comparison shows that the best-performing site uses fixed guarding standards, pre-task verification, and supervisor field observation. The worst-performing site relies mostly on verbal reminders and retraining after events.

A Black Swan review identifies a credible amputation pathway: unexpected startup or incomplete energy isolation while an employee’s hand is inside the point of operation. The hierarchy-of-controls review shows that the existing corrective actions are too dependent on employee attention and memory.

A stronger action plan would include:

  • Immediate verification of guarding and energy-control expectations
  • Temporary restrictions on higher-risk adjustment tasks until controls are confirmed
  • Engineering review of guarding, interlocks, access points, and potential bypass conditions
  • Standardized pre-task verification for line-clearance and jam-clearing work
  • Supervisor field verification for high-risk tasks
  • Targeted retraining only as a supporting action, not the primary control
  • Follow-up review to confirm whether hand injuries, bypass conditions, and high-risk observations decline

This is the difference between reporting data and using data to improve control of the operation.

Red Flags That Should Trigger Executive Attention

Certain patterns should immediately raise concern:

  • High-energy incidents or near misses
  • Extreme changes in otherwise stable data
  • Repeating failures across multiple sites, departments, shifts, or crews
  • Poorly written incident descriptions that suggest weak understanding
  • Repeat involvement by the same individuals, tasks, equipment, or supervisors
  • Significant outliers
  • Clustering by body part, equipment type, location, task, contractor group, or failure mode

These patterns may indicate more than isolated failure. They may signal a weakening management system, inconsistent supervision, poor hazard recognition, ineffective corrective actions, or loss of operational discipline.

EHS Data Review Worksheet

A practical EHS data review should answer these questions:

  1. What changed?
  2. Is the trend stable, improving, deteriorating, or shifting suddenly?
  3. Where is the issue concentrated?
  4. What are the top three to five recurring drivers?
  5. Who are the BOBs and WOWs?
  6. What are the best performers doing differently?
  7. What severe exposure could be hidden in the data?
  8. What controls currently exist?
  9. What is the highest feasible level of control?
  10. Which corrective actions are high-impact and practical?
  11. Is the decision ethically defendable?
  12. Would I be comfortable defending the decision under oath?
  13. Is the decision consistent with the BCSP Code of Ethics?
  14. Who owns each action?
  15. When will it be completed?
  16. How will effectiveness be verified?

If a review does not answer these questions, it is not complete.

The Leadership Standard

The value of EHS data is not in the dashboard. It is in the decision the dashboard enables.

A strong review process should identify where risk is moving, what is driving it, what controls are weak, and which actions will most effectively improve the system. Leaders should expect data analysis to produce clear conclusions, prioritized action, assigned ownership, timing, and verification of effectiveness.

Good EHS analysis answers four basic questions:

What is changing?
What is driving the change?
What risk does it create?
What action will reduce that risk?

EHS performance improves when leaders turn information into disciplined execution. That means identifying trends, focusing on the vital few, learning from internal high performers, staying alert to severe-risk exposure, using the hierarchy of controls, testing decisions for ethical defensibility, and prioritizing corrective actions that are timely, practical, scalable, and effective.

The goal is not simply to understand the data.

The goal is to strengthen the operation.

References

Board of Certified Safety Professionals. (n.d.). BCSP code of ethics. https://www.bcsp.org/hubfs/8981246/Downloads-PDFs-and-PPTs/BCSPcodeofethics.pdf?hsLang=en

Gigerenzer, G., & Gaissmaier, W. (2011). Heuristic decision making. Annual Review of Psychology, 62, 451–482. https://doi.org/10.1146/annurev-psych-120709-145346

Legal Information Institute. (n.d.). Rule 702. Testimony by expert witnesses. Cornell Law School. Retrieved June 7, 2026, from https://www.law.cornell.edu/rules/fre/rule_702

National Institute for Occupational Safety and Health. (2024, April 10). Hierarchy of controls. Centers for Disease Control and Prevention. https://www.cdc.gov/niosh/hierarchy-of-controls/about/index.html

Steiner, S. H., MacKay, R. J., & Ramberg, J. S. (2008). An overview of the Shainin System for quality improvement. Quality Engineering, 20(1), 6–19. https://doi.org/10.1080/08982110701648125

Taleb, N. N. (2007). The black swan: The impact of the highly improbable. Random House.

Posted in Uncategorized | Tagged , , , , , , | Leave a comment

Contractor Safety Management: The Contractor Operational Integrity Model

Posted on May 28, 2026 by Chet Brandon

Contractor safety management is entering a new era.

For years, many organizations treated contractor management primarily as a compliance process. The contractor had to provide insurance. Training records had to be complete. Safety statistics had to meet a threshold. Prequalification forms had to be submitted, reviewed, and approved.

Those requirements still matter. But they are no longer enough.

The next era of contractor safety will be won by organizations that move from contractor qualification to work readiness — and from compliance confidence to verified control of work.

That is the central shift facing the profession.

The future of contractor safety management will not be defined by more forms, longer checklists, or thicker qualification packets. It will be defined by how well organizations control real work in real conditions, with real people, under real operational pressure.

Contractor management is no longer just a compliance process. It is an operational integrity system.

This article extends my earlier operational integrity work for heavy manufacturing. In that work, I wrote that operational integrity is the condition in which an organization consistently operates its assets, processes, people systems, and management routines within defined expectations and with a commitment to excellence for stakeholders (Brandon, 2026a). Contractor operations require the same discipline, but with a more complex boundary because work is executed through a shared operating system between the hiring organization and the contractor.

For contractor operations supporting heavy industry, contractor operational integrity is the demonstrated ability of the hiring organization and its contractor network to plan, authorize, execute, verify, and improve contracted work within defined risk, operational, compliance, and performance expectations. It exists when both parties protect workers, assets, communities, customers, production continuity, and other stakeholders through disciplined planning, capable supervision, reliable controls, and honest learning.

That shift matters because contractor risk has become enterprise risk. A serious contractor failure can affect safety, environmental compliance, process reliability, product quality, production continuity, schedule performance, legal exposure, and reputation at the same time. Contractor safety is not a side program managed outside the business. It is part of how the business protects its people, its assets, and its license to operate.

The Old Model Has Reached Its Limit

The traditional model of contractor safety management was built around prequalification, documentation, lagging indicators, and legal defensibility.

That model created value. It established minimum expectations. It helped organizations screen contractors. It brought needed structure to contractor selection and onboarding. It gave safety, procurement, and operations teams a common starting point. Prequalification and compliance assurance remains an important foundational activity for contractor safety management, however, excellence is driven with more impactful actions in the field during execution of the work. Avetta did a nice job of initiating discussion on these advanced topics at their conference this year.

But the model has limits.

A contractor can be compliant and still not be ready for the actual work. A company can pass prequalification and still fail at the point of execution. A scorecard can be green while serious exposure is building in the field.

This is one of the most important lessons for the profession: compliance does not equal safe operations.

Compliance tells us whether certain requirements have been met. It does not prove that the crew understands the task, that isolations are correct, that simultaneous operations have been coordinated, or that a supervisor can recognize when the job has drifted outside the plan.

The old model asked, “Is this contractor qualified?”

The future model asks, “Is this contractor capable, ready, supervised, aligned, and able to control the specific risk of this specific job under today’s conditions?”

That is a materially different question.

The Contractor Landscape Has Changed

Organizations are relying on contractors for more specialized, higher-risk, and business-critical work than in the past. Contractors support shutdowns, turnarounds, maintenance, construction, capital projects, logistics, environmental services, specialty technical work, and tasks that may sit directly on the critical path of operations.

At the same time, contractor capability is uneven.

Some firms are excellent. They have strong supervision, disciplined planning, capable craft workers, mature safety systems, and the ability to execute under pressure. Others are stretched by labor shortages, turnover, rapid scaling, new workers, fragmented crews, and inconsistent field execution.

That does not make contractors the problem. It means the contractor ecosystem is more complex than it used to be.

The modern workforce is also more mobile, diverse, and dynamic. Crews change. Supervisors change. The mix of experience changes. A job that looked stable yesterday may have a different risk profile today because one key person left, one assumption changed, or one handoff failed.

Culture is not static. It is human-centered and fluid. One supervisor, one crew, one shift, or one poorly managed transition can change how risk is understood and controlled in the field.

That is why the next generation of contractor safety management must focus less on whether the file is complete and more on whether the work is truly ready to proceed safely.

Introducing the Contractor Operational Integrity Model

To meet this next era, organizations need a stronger operating model. I call it the Contractor Operational Integrity Model.

The model is built on a simple premise:

Contractor safety performance is strongest when qualification, work readiness, critical risk control, field verification, and corrective learning operate as one integrated management system between the hiring organization and the contractor.

In heavy industry, this matters because contracted work often occurs inside high-energy, high-complexity operating environments where safety, reliability, environmental compliance, quality, production, and schedule performance are interdependent. A contractor failure is rarely just a contractor failure. It is a signal about the strength of the shared operating model.

The Contractor Operational Integrity Model has six core elements:

Model ElementCore QuestionWhat Good Looks Like
1. Critical Risk DefinitionWhat contractor work can seriously injure people or disrupt operations?The organization knows its highest-risk contractor activities and applies focused controls.
2. Capability and Capacity VerificationCan this contractor perform this work under these conditions?Task-specific readiness is verified, not assumed from general qualification.
3. Control of Work DisciplineAre the work boundaries, energy states, interfaces, and stop-work triggers clear?Workers can explain the plan, the controls, the failure modes, and when to stop.
4. Field Verification and Leadership CadenceAre leaders verifying controls where the work is happening?Leadership presence confirms control effectiveness and removes barriers.
5. Performance IntelligenceAre weak signals visible before serious events occur?Leading indicators, repeat findings, planning quality, and field observations guide action.
6. Corrective Learning and System ImprovementAre we fixing the system or just closing action items?Corrective actions prevent recurrence and are scaled across similar work.

These elements are not separate programs. They are connected parts of one operating system.

Prequalification remains important, but it is only the front door. The real test is whether the contractor and the hiring organization can control the work where risk is real.

1. Critical Risk Definition

The model starts with critical risk.

Not all risks are equal. Safety leaders must identify the small number of exposures that can kill people, seriously injure workers, create major environmental impacts, or significantly disrupt operations.

Critical contractor risks often include hazardous energy, line breaking, confined space entry, work at height, lifting and rigging, hot work, mobile equipment, excavation, electrical work, simultaneous operations, process safety interfaces, startup and shutdown conditions, and changes in scope or operating state.

The future of contractor safety management cannot be built around generic compliance categories alone. It must be built around the exposures that matter most.

The practical leadership question is this:

Have we clearly defined the contractor activities that can produce serious harm or serious business disruption, and have we built reliable controls around them?

If the answer is unclear, the system is not mature enough.

2. Capability and Capacity Verification

Experience matters, but it cannot be assumed.

A contractor may be experienced as a company, but that does not mean the specific crew is experienced. A supervisor may be qualified on paper, but that does not mean they can manage a complex job under pressure. A contractor may have strong historical performance, but that does not guarantee current capacity if they are dealing with turnover, labor shortages, rapid scaling, or unfamiliar work conditions.

The Contractor Operational Integrity Model requires verification of both capability and capacity.

Capability means the contractor can perform the work safely and effectively.

Capacity means the contractor can perform the work safely and effectively under the actual schedule, staffing, complexity, and operating conditions presented.

Both matter.

A contractor can be capable in principle but not ready in practice. That gap is where serious risk can develop.

Organizations should evaluate demonstrated task experience, supervision quality, crew stability, training relevance, planning quality, equipment readiness, subcontractor control, and prior performance on similar work. They should also pay attention to whether the contractor has the leadership depth and operational bandwidth to perform safely while meeting schedule and quality expectations.

The practical leadership question is this:

Are we verifying readiness for this work, or are we relying on general confidence from past qualification?

3. Control of Work Discipline

The future of contractor management is not more paperwork. It is better control of work.

Control of work is where contractor safety becomes operational. Before the job starts, the work boundaries must be clear.

What is the system condition? What is the energy state? What has been isolated? What assumptions are being made? What other work is occurring nearby? What has changed since planning? What are the stop-work triggers? Who has authority to stop the job? What changes require reassessment?

Most serious failures do not begin with bad intent. They usually begin when assumptions go untested, interfaces are unclear, handoffs lose important risk information, or field conditions change faster than the management system responds.

Contractor safety failures often occur at the seams: the handoff between planning and execution, the handoff between the client and contractor, the handoff between operations and maintenance, the handoff between shifts, the handoff between one contractor and another, and the handoff when scope changes, a permit is revised, an isolation is removed, or startup begins.

These are the moments where risk becomes unstable.

A mature contractor management system treats handoffs as critical control points. Poor handoffs create uncertainty, and uncertainty is one of the most dangerous conditions in field execution.

The practical leadership question is this:

Can the people doing the work clearly explain the work boundary, the critical controls, the failure modes, and the conditions that require stopping or reassessing the job?

If they cannot, the work is not ready.

4. Field Verification and Leadership Cadence

Prequalification is the front door. Field verification is where trust is earned.

No digital platform, management system, or prequalification process can replace visible leadership where risk is real.

Leaders need to be present in the field — not to create theater, not to perform safety, but to verify, reinforce, listen, correct, and remove barriers.

The work system learns from what leaders consistently see, challenge, reinforce, resource, and follow through on.

If leaders only inspect paperwork, the organization will optimize paperwork. If leaders verify critical controls in the field, the organization will learn that control of work matters. If leaders respond constructively when workers raise concerns, people will speak up. If leaders ignore weak signals, the system will drift.

Field verification should focus on the critical few controls that prevent serious harm. It should test whether plans match field conditions. It should confirm that workers understand the hazards, controls, and stop-work expectations. It should also identify barriers that make safe execution harder than it needs to be.

Contractors should be treated as part of the operating system. That means clear expectations, mutual accountability, respect, and fast response when concerns are raised.

A strong contractor relationship is not soft. It is disciplined. It is built on clarity, fairness, and follow-through.

The practical leadership question is this:

Are leaders verifying risk control where the work is happening, or are they managing contractor safety from conference rooms and dashboards?

5. Performance Intelligence

The profession needs better contractor safety intelligence.

Lagging indicators have value, but they are incomplete. They tell us what has already happened. They do not always show where control is weakening now.

Serious and fatal exposures can remain hidden inside apparently healthy systems when leaders rely on indicators that confirm activity rather than control.

The Contractor Operational Integrity Model requires leaders to look for weak signals and system patterns. These may include repeat permit issues, poor job hazard analyses, unclear incident descriptions, turnover in key contractor roles, repeated audit findings, supervision gaps, stop-work trends, poor job brief quality, recurring housekeeping or barricading issues, schedule pressure, uncontrolled simultaneous operations, and corrective actions that do not prevent recurrence.

Leaders should also look across contractors, sites, work types, and time periods. The goal is to identify the top recurring drivers of risk and act before those patterns produce a serious event.

This is where technology and analytics can help.

Digital tools, artificial intelligence, mobile platforms, and connected contractor systems can help organizations evaluate contractor capability faster and more deeply. They can identify patterns that may not be visible through traditional review. They can support better onboarding, improve communication, accelerate learning, and provide real-time insight into readiness and risk.

But technology has a dual nature.

We can use it to improve risk management, but we must also manage the new risks it creates. Poor data, false confidence, weak governance, privacy concerns, unequal access, and overreliance on automated scoring can create new blind spots.

The opportunity is not simply to digitize old processes. The opportunity is to use technology to improve judgment, planning, verification, and execution.

The practical leadership question is this:

Are our metrics helping us see risk earlier, or are they mainly helping us explain performance after the fact?

6. Corrective Learning and System Improvement

Many organizations close corrective actions. Fewer actually correct the weakness.

The next generation of contractor safety management must focus on corrective action quality. When the same failure mode returns through a different contractor, crew, shift, or location, the issue was not solved. It was documented.

Strong corrective actions address the system conditions that allowed the problem to occur. They balance engineering, procedural, supervisory, and behavioral controls, with preference for more reliable controls where feasible. This logic is consistent with the hierarchy of controls, which places elimination, substitution, and engineering controls above administrative controls and personal protective equipment (National Institute for Occupational Safety and Health [NIOSH], 2025). They also prioritize high-impact actions that can be implemented in a timely way and scaled across similar work.

Administrative closure is not the objective. The objective is a durable reduction in the probability or severity of recurrence.

Corrective learning also requires humility. If a contractor raises a concern, stops a job, reports a near miss, or identifies a planning weakness, the hiring organization should treat that as valuable intelligence. Punishing the messenger teaches silence. Responding with discipline and speed builds trust.

The practical leadership question is this:

Are we learning across the system, or are we closing actions one job at a time while the same risks keep returning?

A Practical Example: Line Break Work During a Turnaround

Consider a contractor crew assigned to perform line break work during a plant turnaround.

Under the old model, the contractor may have been prequalified, trained, insured, and approved. The job package may include a permit, a job hazard analysis, and a lockout or isolation plan. On paper, the work may look ready.

The Contractor Operational Integrity Model asks a deeper set of questions.

Has line breaking been identified as a critical risk for this site? Has the contractor demonstrated capability on this specific type of system? Is the assigned supervisor experienced with turnaround conditions, compressed schedules, and simultaneous operations? Are the isolations verified in the field? Are blinds, valves, drains, vents, and energy states understood by both operations and the contractor crew? Has anything changed since the permit was prepared? Are nearby crews performing hot work, confined space entry, or other tasks that could interact with this job? Can the workers explain what would cause them to stop?

This is where the model changes the conversation.

The issue is not whether the contractor file is complete. The issue is whether the work is controlled at the point of execution.

If a field verification finds that the crew cannot clearly explain the isolation boundary, that is not a paperwork problem. It is an operational integrity problem. If the same confusion appears on multiple jobs or across multiple contractors, it is a system weakness. The corrective action should not be limited to coaching one crew. It should improve the way the organization plans, communicates, verifies, and governs line break work across the site or enterprise.

That is the difference between managing contractor documentation and managing contractor risk.

From Old Model to Future Model

The shift facing the profession can be stated plainly.

The old model emphasized contractor qualification. The future model emphasizes work readiness.

The old model relied heavily on lagging metrics. The future model uses leading intelligence and field verification.

The old model focused on documentation. The future model focuses on critical control effectiveness.

The old model treated contractors as external parties to be managed. The future model treats contractors as part of the operating system.

The old model asked whether requirements were met. The future model asks whether risk is controlled.

This is not a rejection of compliance. It is a recognition that compliance must be connected to execution.

Compliance is the foundation. Operational integrity is the standard.

What Different Leaders Must Do Now

This shift cannot be owned by the safety department alone.

Safety leaders need to define critical contractor risks, strengthen field verification, improve corrective action quality, and help the organization see weak signals before they become serious events.

Procurement and supply chain leaders need to evaluate more than price, availability, and paperwork. They need to understand contractor capability, capacity, supervision quality, and risk maturity as business-critical selection criteria.

Operations leaders need to treat contractor work as part of operational discipline. The same expectations applied to internal work — planning, control of work, supervision, accountability, and learning — must apply to contractor work.

Executives need to ask better questions. Not only, “Are our contractors qualified?” but also, “How do we know critical contractor work is being controlled in the field?”

Contractors also have a responsibility. They need to be honest about capability, staffing, supervision, and readiness. They need to raise concerns early, stop work when conditions change, and bring disciplined execution to the job.

The strongest systems will be built on mutual accountability.

The Role of Technology in the Next Era

Technology will change contractor safety management, but it will not save weak systems by itself.

The most valuable technology will help organizations answer practical questions:

Are the right controls in place?

Are they understood?

Are they being used?

Has anything changed?

Are weak signals emerging?

Are the same issues repeating across crews, sites, or contractors?

Are corrective actions actually strengthening the system?

Technology should improve visibility, knowledge transfer, risk recognition, and decision speed. It should help teams manage real-time uncertainty and constant planning. It should support better handoffs from shift to shift and better learning across contractor networks.

But leaders must avoid false confidence. A digital score is not the same as control. A completed workflow is not the same as readiness. A dashboard is not the same as leadership presence.

The future belongs to organizations that combine better tools with better judgment and deliberately people-centered activity. Technology should make the human parts of contractor safety stronger: better pre-job conversations, clearer handoffs, more informed supervision, faster escalation of uncertainty, stronger stop-work decisions, and more disciplined learning after the job is complete. The winning organizations will not use digital systems to distance leaders from the work; they will use them to bring leaders, contractors, and frontline crews closer to the conditions where risk is changing. In contractor operational integrity, technology creates advantage only when it improves human understanding, reinforces accountability, and helps people make better decisions before exposure becomes consequence.

The Future Standard

The organizations that will lead in contractor safety management will share several characteristics.

They will define critical risk clearly. They will verify contractor capability and capacity for the actual work. They will manage handoffs as critical control points. They will connect contractor safety to reliability, process safety, environmental compliance, quality, production discipline, and business performance.

They will use technology to improve visibility and knowledge transfer, not just administrative efficiency. They will verify controls in the field. They will treat contractors as part of the operating system. They will expect strong planning, capable supervision, and disciplined execution. They will respond to weak signals before they become serious events.

And they will understand that contractor safety is owned by the business.

Call to Action

The future of contractor safety management is not about choosing between safety and speed. It is about building systems that allow work to be done safely, efficiently, and reliably.

We need to use new tools and technology to better manage risk and meet rising expectations for performance and capability. But the fundamentals remain the same: clear expectations, competent people, strong controls, disciplined planning, leadership presence, and timely corrective action.

Contractor management is becoming a test of operational maturity.

The organizations that perform best will not be the ones with the most forms. They will be the ones that know where their critical risks are, verify that controls are working, and lead contractor work with the same discipline they expect from their own operations.

That is the Contractor Operational Integrity Model.

It is a shift from prequalification to readiness.

From documentation to control.

From compliance confidence to verified execution.

And from contractor management as an administrative process to contractor safety as a core measure of operational integrity.

That is the future of contractor safety management.

And it is where the profession needs to lead.

References

Brandon, C. (2026a, May 11). Operational integrity: The operating model heavy manufacturing needs. LeadingEHS.com. https://leadingehs.com/2026/05/11/operational-integrity-the-operating-model-heavy-manufacturing-needs/

Brandon, C. (2026b, May 13). Avetta Safety Summit 2026: Emerging safety trends: Managing the next generation of contractor risk [Unpublished conference speaking notes]. Avetta Summit Chicago 2026.

National Institute for Occupational Safety and Health. (2025, January 31). Hierarchy of controls. Centers for Disease Control and Prevention. https://www.cdc.gov/niosh/hierarchy-of-controls/about/index.html

Posted in AI, Artificial Intelligence, contractor safety, enterprise risk management, Innovation | Tagged , , , , , , , , , , , , , , , | Leave a comment

Decision-Ready Information: The Modern Standard for Leadership in Complex Organizations

Posted on May 19, 2026 by Chet Brandon

From data chaos to disciplined judgment: transforming signals, alerts, and dashboards into decision-ready information for accountable leadership action.

Organizations are drowning in information and starving for judgment.

In the AIoT risk series that Fay Feeney and I developed, we discussed the importance of decision-ready information for executives and boards. The concept is simple but powerful: leaders do not need more data, dashboards, alerts, or technical noise. They need information that has been analyzed, interpreted, tested against context, connected to risk, and shaped into a form that supports timely, accountable decisions.

Executive Takeaway

Decision-ready information is the modern extension of completed staff work. It converts data into insight, insight into options, and options into accountable action. In complex organizations, this discipline is essential for governance, risk management, and leadership effectiveness.

While our discussion emerged from artificial intelligence, operational technology, and cyber-physical risk, the concept applies far more broadly. AIoT simply makes the problem more visible. Every major leadership function now faces the same challenge: converting complex, fragmented, and time-sensitive information into insight that supports sound action.

That idea has a strong historical parallel in the long-standing management concept of completed staff work. Completed staff work means that a staff professional does not merely identify a problem and pass it upward. Instead, they investigate the issue, evaluate alternatives, consider implications, anticipate questions, and present a recommended course of action that is ready for executive review.

In today’s organizations, that discipline matters more than ever.

Signals are not strategy. Data is not judgment. Alerts are not decisions.

The work of modern professionals is to convert complexity into decision-ready insight.

From Completed Staff Work to Decision-Ready Information

Completed staff work emerged from a world where organizational hierarchy was more linear and information moved more slowly. A staff member studied an issue, prepared a recommendation, and elevated it in a form that allowed the leader to approve, reject, or redirect the proposed action.

At its best, completed staff work demonstrated professional discipline. It respected executive time. It avoided upward delegation of unfinished thinking. It required the staff professional to own the analysis, weigh the tradeoffs, and make a recommendation.

Decision-ready information builds on that same foundation, but it must operate in a more complex environment.

Today, the question is not only, “Have you completed the analysis?” The question is also, “Is the information reliable, contextualized, risk-ranked, explainable, timely, and connected to enterprise consequences?”

Completed staff work was the discipline of not pushing unfinished thinking upward.

Decision-ready information is the modern discipline of not pushing unprocessed complexity upward.

A Simple Framework for Decision-Ready Information

A useful way to think about decision-ready information is this progression:

Data → Information → Insight → Options → Recommendation → Decision

Each step adds value.

Data tells us what was observed.
Information organizes the facts.
Insight explains why the facts matter.
Options define what could be done.
Recommendation identifies what should be done.
Decision converts judgment into accountable action.

Many organizations stop too early in this chain. They produce data, package information, and assume they have supported leadership. But executives and boards do not merely need to know what is happening. They need to know what it means, what could happen next, what choices exist, and what action is recommended.

In practical terms, decision-ready information should reduce the cognitive burden on leaders without reducing their accountability. It should make the decision clearer, not easier in a superficial sense. The purpose is not to hide complexity, but to organize it so leaders can act responsibly.

A second, even simpler test is this:

What is happening? Why does it matter? What could happen next? What should we do?

If the information does not answer those four questions, it may not yet be decision-ready.

Why This Matters Across the Enterprise

AIoT, automation, and cyber-physical systems are powerful examples because they produce enormous volumes of technical information. But the need for decision-ready information extends across nearly every major executive domain.

In EHS and operational risk, leaders need to know where serious injury and fatality potential is increasing, where critical controls may be weakening, and where operational discipline may be drifting.

In sustainability and ESG, executives need more than emissions data or disclosure metrics. They need insight into regulatory readiness, customer expectations, supplier risk, capital allocation, climate exposure, and the business consequences of inaction.

In operations, leaders need to understand where reliability, quality, maintenance, staffing, and production pressures are creating risk to performance, resilience, or safe execution.

In cybersecurity and OT risk, technical alerts must be translated into potential consequences for safety, production, emergency response, business continuity, and enterprise value.

In human capital and organizational performance, leaders need insight into capability, trust, fatigue, leadership effectiveness, retention risk, and the ability of the organization to execute its strategy.

The common issue is not whether information exists. It almost always does.

The harder question is whether that information is ready to support a decision.

A Process Safety Example: When Information Is Not Decision-Ready

The chemical industry provides powerful examples of why this matters. In its investigation of the 2010 Tesoro Anacortes refinery explosion and fire, the U.S. Chemical Safety and Hazard Investigation Board reported that seven employees were fatally injured when a nearly 40-year-old heat exchanger catastrophically failed during maintenance activity to switch a process stream between parallel banks of exchangers.

The CSB report describes the naphtha hydrotreater unit as having parallel banks of heat exchangers used to preheat process fluid before it entered a reactor, with the failed E heat exchanger constructed of carbon steel. Workers were in the final stages of startup activity when the event occurred.

This type of event illustrates the difference between technical information and decision-ready information.

A process safety system may contain inspection history, metallurgy information, operating conditions, maintenance history, leak history, startup procedures, process hazard analysis records, mechanical integrity data, and industry knowledge about damage mechanisms. But unless that information is integrated and translated into operational risk, leaders may not receive the decision-quality insight they need.

Decision-ready information in a case like this would not simply say:

“The exchanger has a history of service, fouling, repairs, and inspection findings.”

It would say something closer to:

“This exchanger operates in a damage-mechanism environment where material condition, operating history, startup activities, and worker exposure create credible catastrophic failure potential. Continued operation or startup activity without additional safeguards presents an unacceptable risk. The recommended decision is to remove the equipment from service, upgrade metallurgy, revise startup exposure controls, and require senior process safety authorization before restart.”

That is the difference.

The first version reports information.

The second version supports a decision.

The Problem with Raw Information

One of the great traps of modern management is the belief that more information automatically improves decision-making. In reality, more information can make decisions worse if it is not filtered, interpreted, and prioritized.

Raw information can overwhelm leaders with volume. It can create false confidence when dashboards look authoritative but are built on incomplete or poorly governed data. It can separate indicators from consequences. It can delay action when information is ambiguous or presented without a recommendation.

Most importantly, raw information can shift accountability in the wrong direction. When staff simply escalate data without analysis, executives are forced to do interpretive work that should have been completed before the issue reached them.

Completed staff work reminds professionals that their job is not merely to report.

Their job is to think.

What Makes Information Decision-Ready?

Decision-ready information has several defining characteristics.

It is relevant because it focuses on the decision that must be made.

It is contextualized because it explains why the issue matters in relation to operations, risk, compliance, strategy, stakeholder expectations, and enterprise value.

It is prioritized because it distinguishes between noise, weak signals, emerging concerns, and material risks requiring action.

It is validated because it identifies what is known, what is uncertain, what assumptions are being made, and how reliable the data appears to be.

It is consequence-based because it translates technical findings, performance indicators, or emerging conditions into potential outcomes for people, environment, assets, operations, reputation, and financial performance.

It is action-oriented because it presents options, tradeoffs, timing considerations, and a recommended path forward.

This is the difference between a report and an executive decision product.

The Role of Professionals in Complex Organizations

Decision-ready information is not created by technology alone. It is created by professionals who understand both the data and the operating context.

A dashboard may show a trend. A professional must determine whether the trend matters.

A system may generate a risk score. A professional must determine whether that score reflects actual exposure.

A report may identify a variance. A professional must understand whether the variance represents noise, normal fluctuation, organizational drift, or an emerging failure mode.

This is especially important in EHS, sustainability, operations, cybersecurity, and enterprise risk because the most important signals are often not clean, obvious, or easily reduced to a single metric.

They require judgment.

They require knowledge of how work is actually performed.

They require understanding of how controls fail, how people adapt, how organizations drift, and how small weaknesses can combine into major events.

The professional’s role is not simply to transmit information upward. It is to convert information into meaning.

The Governance Dimension

For executives and boards, decision-ready information is not a convenience. It is a governance requirement.

Boards are not expected to manage every operational detail. Executives are not expected to personally interpret every technical signal. But they are expected to exercise informed oversight, ask disciplined questions, and ensure that management systems are capable of identifying and controlling material risk.

Decision-ready information helps leaders understand what is changing, what matters, what could happen, what choices are available, and what action is recommended.

It also helps avoid one of the most dangerous governance gaps: assuming that because an issue is being monitored, it is being governed.

Monitoring is not governance. Reporting is not governance. Dashboard visibility is not governance.

Governance requires that information be converted into insight, insight into choices, and choices into accountable action.

AI Can Help, But It Cannot Replace Judgment

Artificial intelligence can be a powerful tool for creating decision-ready information. It can summarize large volumes of data, detect patterns, identify anomalies, compare scenarios, generate options, and accelerate analysis.

But AI does not eliminate the need for human judgment. In fact, it increases the need for it.

AI outputs still require validation. Data quality must be questioned. Assumptions must be examined. Operational reality must be considered. Human factors must be understood. Ethical and governance implications must be evaluated.

A model may identify a pattern. A professional must determine whether the pattern matters.

A system may produce a recommendation. A leader must understand whether that recommendation is appropriate, explainable, and aligned with organizational values and risk appetite.

Decision-ready information is not simply AI-generated information. It is human-accountable information, strengthened by technology but governed by professional judgment.

A Practical Test Before Elevating an Issue

Before elevating an issue to senior leaders or the board, professionals should ask:

  • What decision is required?
  • Who needs to make it?
  • What is the consequence of delay?
  • What are the material risks?
  • What options were considered?
  • What is the recommended action?
  • What assumptions support the recommendation?
  • What uncertainties remain?
  • What controls, resources, or governance actions are needed?
  • What will we monitor after the decision is made?

If those questions cannot be answered, the information may not yet be decision-ready.

The New Professional Standard

The future of leadership will not be defined by who has the most data. It will be defined by who can convert data into trustworthy insight and trustworthy insight into better decisions.

That is the modern extension of completed staff work.

Decision-ready information respects leadership time, strengthens governance, improves risk visibility, and supports action before harm occurs. It helps organizations move beyond reporting what happened and toward understanding what is changing, what matters, and what should be done next.

AIoT may have made this need more visible, but the principle applies everywhere leadership decisions are shaped by complexity, uncertainty, and consequence.

Organizations are not short on information. They are short on disciplined judgment.

Because the real measure of information is not whether it is available.

The real measure is whether it helps leaders make better decisions when the stakes are high.

References

Army and Navy Journal. (1942, January 29). The doctrine of completed staff work. Reprinted by GovLeaders.org. https://govleaders.org/completed-staff-work.php

International Organization for Standardization. (2018). ISO 31000:2018 Risk management—Guidelines. ISO. https://www.iso.org/standard/65694.html

Spetzler, C., Winter, H., & Meyer, J. (2016). Decision quality: Value creation from better business decisions. Wiley.

U.S. Chemical Safety and Hazard Investigation Board. (2014). Catastrophic rupture of heat exchanger: Tesoro Anacortes Refinery, Anacortes, Washington, April 2, 2010 (Report No. 2010-08-I-WA). https://www.csb.gov/assets/1/7/tesoro_anacortes_2014-may-01.pdf

Posted in Business Accumen, EHS Management, Leadership, Professional Skills, Uncategorized | Tagged , , , , , , , | Leave a comment

The Discipline of Space: What Miles Davis’ Music Continues to Teach Me

Posted on May 17, 2026 by Chet Brandon

Miles Davis reminds us that people often crowd their lives with noise when what they really need is the courage to leave space...

…that is part of why I keep returning to Kind of Blue. It does not chase the listener. It waits. It creates room. And when I am ready to listen carefully, it has something new to teach me.

Some music entertains us. Some music impresses us. And then there is music that keeps returning at different points in life, revealing something new each time—not only about the artist, but about ourselves. For me, Miles Davis’ Kind of Blue is that kind of music.

I have developed a deep appreciation for the jazz of Miles Davis, especially his work from the late 1950s and early 1960s. There is something in that period of his music that consistently reaches me. It is not just technical brilliance, although there is plenty of that. It is the feeling the music creates. For me, it carries a sense of lift, movement, elation, and possibility. It sounds like good things are ahead.

That may be an unusual way to describe music often associated with restraint, coolness, and sophistication. But that is part of its power. Miles Davis did not need to fill every space. He understood that what is left out can be just as important as what is played. His music from this era is clean, uncluttered, and disciplined, but never simple. The arrangements create room for the musicians to speak with clarity. The result is music that feels precise and emotionally alive at the same time.

That balance is what draws me back.

When I listen to Kind of Blue, I hear musicians operating at an extraordinary level of skill, but I also hear trust. No one seems to be trying to dominate the room. The music breathes. Each player contributes something distinctive, but always in service of the whole. There is structure, but there is also freedom. There is discipline, but not rigidity. There is space, but never emptiness.

That is a rare combination.

As I have gotten older, I find myself increasingly drawn to work that does not try too hard to announce its importance. Kind of Blue has that kind of maturity. It trusts the listener. It trusts the musicians. It trusts space, timing, and restraint. That confidence is part of what makes the album feel not only beautiful, but wise.

Miles Davis was a complicated person. Like many highly consequential artists and leaders, his life and personality do not fit neatly into a simple narrative. But one of his great gifts was his ability to bring out excellence in the people around him. He had a remarkable instinct for talent, timing, sound, and atmosphere. He knew who belonged in the room. He knew what kind of framework would allow them to do their best work. He seemed to understand that leadership is not always about saying more, directing more, or controlling more. Sometimes it is about setting the conditions where great people can create something that exceeds the plan.

That lesson applies well beyond music.

In leadership, as in jazz, the best outcomes rarely come from noise, clutter, or over-control. They come from clear expectations, capable people, disciplined preparation, and enough room for judgment. The leader’s role is to establish direction, define the standard, and create the conditions for strong performance. Then the leader must have the confidence to let people perform.

That is part of what I hear in Miles Davis’ best work. I hear restraint with purpose. I hear confidence without unnecessary force. I hear people listening to each other. I hear complexity made accessible because the structure is sound.

Each time I listen to Kind of Blue, I discover something new. Sometimes it is in the music: a phrase, a pause, a shift in tone, a moment between musicians that I had not fully noticed before. Other times, the discovery is in myself. The album seems to meet me differently depending on where I am in life, what I am thinking about, and what I need to hear.

That is the mark of enduring work. It does not exhaust itself. It continues to reveal.

We do not always need more volume, more activity, or more complexity. Sometimes we need more clarity…

A Listening Sequence: Before, During, and After Kind of Blue

Apple Music Playlist: Kind of Blue Influence

As I have spent more time with Kind of Blue, I have also become interested in the music that helped lead Miles Davis toward that masterpiece, and the music that followed after it. I am building a playlist that listens to Kind of Blue not as an isolated album, but as the center point in a larger musical conversation.

The playlist has three movements: the music that influenced the album, the album itself, and the music that carried its influence forward.

Before Kind of Blue: The Ingredients

The first section begins before Kind of Blue, with several pieces that help prepare the ear for what Miles Davis would later accomplish.

Ahmad Jamal’s “Pavanne” is a good place to start. Jamal’s influence on Miles was not about playing louder, faster, or more densely. It was about space, elegance, restraint, and timing. Jamal showed how silence and simplicity could create tension and sophistication. That sense of space becomes essential to understanding Miles’ late-1950s work.

George Russell’s “Concerto for Billy the Kid” brings in another major influence: musical architecture. Russell’s thinking helped move jazz toward a more modal approach, where improvisation could be organized around scales and tonal centers rather than fast-moving chord changes. This piece also matters because of Russell’s connection to Bill Evans, whose piano voice would become central to the sound and atmosphere of Kind of Blue.

Ahmad Jamal’s “Poinciana” deepens the point. It is patient, hypnotic, and rhythmically confident. It demonstrates how repetition, groove, and restraint can create emotional momentum without clutter. Miles clearly valued that discipline.

Bill Evans’ “Peace Piece” brings the emotional color closer to Kind of Blue. It has a quiet, suspended quality that points directly toward the mood of “Flamenco Sketches.” It is meditative, spacious, and deeply expressive without being sentimental.

Thelonious Monk / Miles Davis’ “Round Midnight” adds a different kind of influence to the sequence. Monk’s composition brings angular beauty, restraint, and emotional economy. Miles’ interpretation shows how much power can come from tone, timing, and what is left unsaid. The piece does not rush to explain itself; it creates tension through space and resolves it with quiet authority. In that sense, “’Round Midnight” belongs naturally in the path toward Kind of Blue. It prepares the listener for the idea that disciplined restraint can carry more emotional weight than excess.

Miles Davis’ “Milestones” is the direct bridge. This is Miles testing the modal concept before making it the organizing principle of Kind of Blue. After listening to Jamal, Russell, and Evans, “Milestones” sounds like Miles gathering those ideas and shaping them into his own language.

Kind of Blue: The Center of Gravity

Then comes Kind of Blue itself.

“So What” opens the album with unmistakable authority. The bass figure, the call-and-response structure, and the relaxed confidence of the performance announce that the listener has entered different territory. The music is sparse, but not thin. It is disciplined, but not stiff. It gives the musicians room to speak.

“Freddie Freeloader” brings the blues back into focus. It is more earthy and swinging, with Wynton Kelly adding a different piano character than Bill Evans. The track reminds me that Miles was not abandoning tradition. He was expanding it.

“Blue in Green” may be the emotional interior of the album. It is spare, reflective, and beautifully controlled. The arrangement creates space for feeling to become the focal point. This is music that does not tell the listener what to feel. It creates the conditions for feeling to emerge.

“All Blues” opens the room again. The 6/8 motion gives the track lift and movement. It has confidence without force. There is a forward motion in it that feels almost optimistic to me.

“Flamenco Sketches” closes the album not with finality, but with openness. The musicians move through a sequence of scales, but the experience is not academic. It feels patient, searching, and human. It is the right ending because it does not close the conversation. It leaves space for the listener to continue it.

After Kind of Blue: The Language Expands

The final section of the playlist follows the influence of Kind of Blue into the music that came after it.

John Coltrane’s “My Favorite Things” takes modal thinking and stretches it into a new kind of exploration. A familiar melody becomes a platform for extended improvisation. Where Miles often used space and restraint, Coltrane used repetition, intensity, and expansion.

John Coltrane’s “Impressions” is one of the clearest descendants of “So What.” It carries similar modal DNA but moves with a different kind of urgency. Coltrane takes the open structure and drives it harder, faster, and further.

John Coltrane’s “Acknowledgement,” from A Love Supreme, shows the modal language becoming something more spiritual and declarative. The music is still structured, but the structure serves a larger emotional and personal statement.

Herbie Hancock’s “Maiden Voyage” represents a more refined post-Kind of Blue evolution. It keeps the spaciousness and suspended harmony, but carries it into a new generation of jazz. It feels elegant, controlled, and expansive.

Wayne Shorter’s “Footprints” is a fitting endpoint for the playlist. It shows the modal idea becoming more elastic and modern. The blues foundation remains, but the rhythm and harmony move with a new freedom. This is not imitation. It is development.

Taken together, the playlist tells a powerful story. Ahmad Jamal contributes the space. George Russell contributes the architecture. Bill Evans contributes the color. Miles Davis brings the judgment, taste, and leadership to make it all cohere. Then Coltrane, Hancock, and Shorter show what happens when that language enters the bloodstream of modern jazz.

Why I Keep Returning to Miles

For me, Miles Davis’ music is not background music. It asks for attention, but it does not demand it loudly. It rewards patience. It reminds me that excellence can be quiet, that precision can serve emotion, and that simplicity, when earned, can carry tremendous power.

There is a leadership lesson in that. There is also a human lesson.

We do not always need more volume, more activity, or more complexity. Sometimes we need more clarity. More space. More discipline. More trust in the people around us. More confidence that the right note, played at the right time, can say more than a dozen unnecessary ones.

That is why I keep returning to Miles Davis.

His music renews my personal and professional energy. It sharpens my focus while also opening something deeper and more reflective. Each piece creates a rich tapestry where my intellect can immerse itself in the emotion, fabric, and joy of the music. Listening becomes the experience of exploring a familiar yet exhilarating work of art—one that continues to challenge, restore, and inspire me.

And that is why Kind of Blue still feels alive every time I hear it.

References

  • Davis, M. (2009). Kind of blue: Legacy edition [Album]. Columbia/Legacy.
  • Nisenson, E. (2000). The making of Kind of Blue: Miles Davis and his masterpiece. St. Martin’s Press.

Posted in Leadership, Personal Growth, Personal Reflection, Professional Skills | Tagged , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , | Leave a comment

Operational Integrity: The Operating Model Heavy Manufacturing Needs

Posted on May 11, 2026 by Chet Brandon

Discipline, Reliability, Resilience, and Leadership Cadence as the Foundation for Sustainable Performance

By Chet Brandon

Heavy manufacturing does not fail all at once. It usually fails in layers.

A procedure is bypassed because the job is urgent. Equipment runs outside normal condition because production needs the tonnage. A near miss is explained away because no one was hurt. A maintenance backlog becomes normal. An alarm becomes background noise. A supervisor accepts a workaround because “that is how we have always done it.”

None of those decisions may look catastrophic in isolation. Together, they signal something larger: the erosion of operational integrity.

Operational integrity is the condition in which an organization consistently runs its assets, processes, people systems, and management routines within defined expectations, with a commitment to excellence for the benefit of all stakeholders. It is not simply safety, reliability, compliance, quality, or production performance. It is the disciplined alignment of all of them into one operating model that protects people, strengthens trust, sustains performance, and creates long-term value.

In heavy manufacturing, operational integrity should be treated as a core business system, not a side initiative.

The Executive Framework

A practical operating model for heavy manufacturing can be stated simply:

Operational Integrity = Operating Envelope + Operational Discipline + Operational Reliability + Operational Resilience + Leadership Cadence

Each element answers a different leadership question.

  • Operating envelope: Do we know the risk boundaries of the operation?
  • Operational discipline: Are we doing the work the right way, consistently?
  • Operational reliability: Will assets, processes, and controls perform as intended?
  • Operational resilience: Can people and teams maintain control when conditions change?
  • Leadership cadence: Are leaders seeing weak signals, making decisions, and following through?

This framework matters because heavy manufacturing risk rarely stays inside one functional box. A single weakness can show up as a safety event, quality defect, production loss, environmental release, maintenance failure, or regulatory exposure.

Operational integrity gives leaders a way to manage those risks as one system.

What Operational Integrity Means

Operational integrity means the operation performs as intended, within known risk limits, with reliable controls, competent people, effective supervision, and credible data.

It asks:

  • Are we operating inside the design and risk envelope?
  • Are critical controls understood, verified, and maintained?
  • Are people doing the work as planned, or has informal practice replaced the standard?
  • Are equipment failures predictable and managed, or are we living in reaction mode?
  • Are leaders seeing weak signals early enough to act?
  • Are corrective actions reducing risk, or only closing items in a database?

The test is not whether the plant had a good month. The test is whether the plant can explain why it had a good month and whether that performance is repeatable under pressure.

That distinction matters. Heavy manufacturing environments are full of energy: heat, pressure, chemicals, molten material, rotating equipment, mobile equipment, suspended loads, confined spaces, electrical systems, dust, and stored mechanical energy. When the management system weakens, the consequences are rarely theoretical.

The Executive Environment That Makes Operational Integrity Work

Operational integrity will not succeed through procedures, dashboards, or slogans alone. It requires an executive management environment where leaders consistently create the conditions for disciplined execution, reliable controls, timely escalation, and honest learning. Senior leaders must make clear that good outcomes are not enough if they are achieved through weak controls, workarounds, deferred maintenance, or unrecognized risk. The expectation must be control, not luck.

That environment requires both accountability and enablement. Employees and supervisors must be able to surface weak signals, report abnormal conditions, stop work, and challenge drift without fear of blame or retaliation. At the same time, leaders must insist that standards are followed, critical controls are protected, and deviations are escalated. Executive management must also ensure that resources follow risk, including maintenance capacity, reliability support, engineering effort, training time, and capital for critical equipment and infrastructure.

The executive role is to make operational integrity visible, resourced, and sustained. That means reviewing degraded controls, asking direct field-based questions, responding consistently to drift, and ensuring that lessons are transferred across sites and functions. Operational integrity becomes credible when leadership expectations are reflected in budgets, staffing, investigations, recognition, audits, and daily decisions. People watch what leaders tolerate, fund, and follow up on.

Specific Elements for a Successful Operational Integrity Program:

  • Visible executive commitment to control, not just outcomes.
  • Clear expectations for operational discipline and critical control protection.
  • Psychological safety that allows employees to raise concerns, stop work, and report weak signals.
  • Accountability for following standards, escalating deviations, and correcting drift.
  • Resource alignment with high-consequence risk, including maintenance, engineering, training, and capital.
  • Cross-functional ownership across operations, maintenance, engineering, EHS, quality, and site leadership.
  • Timely corrective action focused on risk reduction, not administrative closure.
  • Transparent reporting of degraded controls, abnormal conditions, and high-energy near misses.
  • Leadership presence in the field to verify reality, not just review dashboards.
  • Consistent response to workarounds, bypassed controls, deferred maintenance, and normalized deviation.
  • Organizational learning that transfers lessons across sites, departments, and functions.
  • Leadership follow-through reflected in budgets, staffing, recognition, audits, and daily decisions.
  • Stable priorities and long-term planning discipline that prevent Operational Integrity from being displaced by short-term production pressure, leadership turnover, budget cycles, or initiative fatigue.

Operational Integrity as an Overarching Operating Model

Many organizations manage safety, quality, maintenance, production, environmental compliance, and process safety as separate programs. Each has its own metrics, meetings, priorities, audits, and corrective action systems.

That structure may be administratively convenient, but it often misses how risk actually behaves.

Poor shift turnover can create a safety event, quality defect, production loss, and environmental release. Weak preventive maintenance can do the same. So can poor management of change, contractor control, procedure quality, or supervision.

Operational integrity brings these disciplines into one management frame. It treats the plant as an integrated system where reliability, discipline, compliance, safety, quality, environmental performance, and human adaptability are interdependent.

The objective is simple: run the operation the right way, every day, under normal and abnormal conditions.

The Operating Envelope

Every heavy manufacturing process has an intended operating envelope. That envelope includes equipment design limits, process parameters, staffing assumptions, maintenance requirements, permit conditions, safe work practices, quality specifications, and emergency response assumptions.

Operational integrity begins by making that envelope visible and manageable.

Leaders should know which controls are critical. Operators should know which deviations matter. Maintenance should know which assets cannot be allowed to degrade. Engineers should know which changes require formal review. Supervisors should know when a job must stop.

A weak operating envelope is often marked by ambiguity. People may know the production target but not the risk boundary. They may know what “usually works” but not what the standard requires.

In a high-hazard manufacturing environment, ambiguity is risk.

Operational Discipline: Doing the Right Things Consistently

Operational discipline is the human and organizational commitment to execute known standards consistently, especially when the work is difficult, urgent, uncomfortable, or inconvenient.

It is not blind rule-following. It is disciplined execution based on clear expectations, competent people, effective supervision, and a culture that does not normalize drift.

Operational discipline shows up when:

  • Pre-job planning is done because the job needs it, not because an auditor is present.
  • Lockout/tagout is verified, not assumed.
  • Critical procedures are followed, not treated as suggestions.
  • Deviations are escalated, not hidden.
  • Shift turnover communicates risk, not just production status.
  • Leaders challenge workarounds before they become culture.
  • Employees stop and ask when conditions change.

Operational discipline is built through repetition and leadership consistency. People pay close attention to what leaders tolerate. If leaders accept shortcuts during production pressure, that becomes the real standard. If leaders reinforce expectations when the schedule is tight, that becomes the culture.

Discipline is not the enemy of productivity. In heavy manufacturing, discipline is what makes productivity sustainable.

Operational Reliability: Equipment, Processes, and Controls That Hold

Operational reliability is the technical and system capability of assets, processes, utilities, controls, and management routines to perform as intended over time.

A reliable operation does not confuse heroic recovery with good performance. A plant that constantly survives breakdowns, expedites parts, bypasses alarms, and depends on a few experienced employees to “save the day” may be committed, but it is not reliable.

Operational reliability depends on asset integrity, preventive and predictive maintenance, spare parts strategy, engineering standards, process control, inspection programs, and disciplined management of change.

Not all assets are equal. A nuisance failure and a critical control failure should not receive the same attention. The organization must know which equipment protects life, prevents loss of containment, maintains environmental control, protects quality, or prevents major business interruption.

Reliability also includes administrative systems. A poorly maintained procedure, weak training matrix, ineffective corrective action process, or unreliable inspection routine can create as much exposure as a failing pump or valve.

Operational integrity is broader than maintenance excellence. It is not only about keeping machines running. It is about keeping controls effective.

Operational Resilience: Maintaining Control When Conditions Change

If operational discipline is the commitment to follow the standard, and operational reliability is the ability of assets and controls to perform as intended, operational resilience is the human and organizational capacity to maintain control when conditions are no longer normal.

Heavy manufacturing does not operate in a laboratory. Equipment fails. Production pressure rises. Procedures encounter conditions they did not fully anticipate. Staffing changes. Contractors enter the system. Weather disrupts routines. Supply chains affect parts availability. Abnormal situations emerge.

Resilient organizations recognize weak signals early, escalate concerns without hesitation, adapt without abandoning risk controls, recover without creating new hazards, and learn quickly.

Operational resilience is not undisciplined improvisation. It is the capability to adapt intelligently while staying anchored to the controls that matter most.

Resilience depends on several human-centered capabilities:

  • Situational awareness: People recognize changing conditions, weak signals, and abnormal risk.
  • Competence and judgment: Employees and leaders understand not only what to do, but why it matters.
  • Psychological safety with accountability: People can stop, question, escalate, and report concerns without fear, while still being held to clear standards.
  • Adaptive capacity: Teams can respond effectively when the written procedure does not fully match the real condition.
  • Learning discipline: The organization extracts lessons from near misses, deviations, recoveries, and failures.
  • Recovery capability: The plant can stabilize after disruption without creating secondary risk.

Resilience does not replace discipline; it prevents discipline from becoming brittle. It does not replace reliability; it protects the organization when reliability is challenged.

Leadership Cadence: Turning Intent Into Control

Operational integrity requires a leadership cadence strong enough to detect drift before the system fails.

Cadence is the rhythm of review, decision-making, field verification, and follow-through. It is how leaders keep the operating model alive after the kickoff meeting is over.

A strong operational integrity cadence reviews:

  • Critical risk controls.
  • Asset integrity and reliability threats.
  • High-energy events and serious near misses.
  • Management of change quality.
  • Procedure health and field execution.
  • Corrective action effectiveness.
  • Environmental and regulatory compliance stability.
  • Recurring cross-site failure patterns.
  • Human and organizational resilience during abnormal conditions.

The cadence should be practical, not bureaucratic. Leaders should not create another meeting to admire another dashboard. The purpose is to identify weak signals, make decisions, assign ownership, remove barriers, and verify that corrective actions improved control.

The discipline of the meeting matters less than the discipline of the follow-through.

How the Model Works Together

Reliable equipment supports disciplined work. Disciplined work protects reliable equipment. Resilient people and teams maintain control when reliability is stressed or the work no longer matches the plan.

When equipment is unreliable, people create workarounds. When workarounds become normal, discipline weakens. When discipline weakens, equipment is operated improperly, inspections are missed, defects are accepted, and early warning signs are ignored. When resilience is weak, the organization does not recognize drift until the event has already occurred.

The reverse is also true. When standards are clear, preventive maintenance is respected, abnormal conditions are escalated, people are competent to make good judgments, and leaders respond to weak signals, the system strengthens.

This is the heart of operational integrity: technical reliability, human discipline, organizational resilience, and leadership cadence reinforcing each other through a strong management system.

Case Study: Imperial Sugar and the Cost of Lost Operational Integrity

The 2008 Imperial Sugar refinery explosion in Port Wentworth, Georgia, is a powerful case study in the importance of operational integrity.

The event was not simply an explosion. It was the catastrophic result of multiple layers of control weakness aligning over time.

A massive combustible dust explosion and fire killed 14 workers and injured dozens more. The U.S. Chemical Safety Board concluded that the explosion was fueled by significant accumulations of combustible sugar dust throughout the packing building. The primary explosion likely began inside a sugar conveyor beneath large storage silos. That conveyor had been enclosed with steel panels, creating a confined, poorly ventilated space where sugar dust could accumulate to an explosive concentration. The initial explosion then disturbed additional dust on equipment, floors, and elevated surfaces, producing a destructive cascade of secondary explosions.

This event illustrates failure across all five elements of the model.

The operating envelope was not adequately understood or controlled. Combustible sugar dust was a known hazard, but the boundary between normal housekeeping conditions and catastrophic dust accumulation was not effectively managed.

Operational discipline was weak. Housekeeping expectations and dust control practices did not prevent hazardous accumulations. When abnormal buildup becomes normal, the organization has already started to lose control.

Operational reliability was compromised. Equipment design, dust collection, conveying systems, maintenance, and ventilation were not reliable enough to prevent dust release and accumulation. Reliability was not just about keeping equipment running. It was about ensuring equipment did not create or amplify a catastrophic hazard.

Operational resilience was insufficient. A resilient organization recognizes weak signals, learns from smaller fires and precursor events, and escalates concerns before conditions become catastrophic.

Leadership cadence did not drive effective correction. The organization needed a stronger rhythm of hazard recognition, critical control review, housekeeping verification, engineering review, and corrective action closure.

The lesson is clear. Catastrophic events are often preceded by visible signals: buildup, leakage, repeat maintenance issues, minor events, abnormal conditions, unclear ownership, and weak corrective actions. Operational integrity is the leadership system that makes those signals matter before they become history.

Data Must Reveal Control, Not Just Count Events

Heavy manufacturing organizations often track lagging indicators: injuries, environmental events, downtime, quality defects, audit findings, and cost impacts. These measures matter, but they are not enough.

Operational integrity requires data that shows whether the system is in control.

Leaders should look for trends, changes in direction, sudden deviations, recurring causes, outliers, and clustering across departments or sites. Pareto analysis should identify the top three to five recurring drivers creating the greatest risk or operational drag. Best-performing areas should be compared with worst-performing areas to identify transferable practices and missing controls. High-energy near misses, repeat failure types, unclear incident descriptions, and recurring involvement of the same equipment, tasks, or conditions should be treated as red flags, not statistical noise.

The goal is not more charts. The goal is better judgment.

A strong operational integrity review should ask:

  • What is changing?
  • Where is performance unstable?
  • Which failures repeat?
  • Which controls are degrading?
  • Where are we lucky rather than good?
  • Which high-impact exposure can be reduced quickly with reasonable resources?
  • Where are people adapting successfully, and what can we learn from that?
  • Where are people compensating for weak systems, and how long can that continue?

Data should drive decisions, not decorate presentations.

Corrective Actions Must Strengthen the System

A weak corrective action process is one of the most common threats to operational integrity.

Too often, corrective actions are written to close the investigation rather than strengthen the operation. They rely heavily on retraining, reminders, toolbox talks, or procedure revisions. Those actions may have a place, but they are rarely sufficient by themselves.

Operational integrity requires corrective actions that improve control quality. That means applying the hierarchy of controls, balancing engineering, procedural, and behavioral actions, and prioritizing actions that are high-impact, practical, timely, and scalable.

The best corrective actions do at least one of four things:

  1. They eliminate or reduce the hazard.
  2. They make the correct action easier.
  3. They make the wrong action harder.
  4. They improve the organization’s ability to detect and respond to deviation.

Corrective actions should also be coherent. A plant should not have hundreds of disconnected improvement items competing for attention. The work should roll up into a clear improvement strategy tied to the most significant operational risks.

Closure is not the same as control. A corrective action is only effective when it changes the probability or severity of recurrence.

Where to Start

A manufacturing organization does not need to launch a large new program to strengthen operational integrity. It needs to start with the highest-consequence risks and the controls that matter most.

Five actions will create momentum.

1. Define the critical operating envelope

Identify the highest-risk processes, assets, materials, and tasks. Clarify the boundaries that must not be crossed: process limits, equipment limits, permit limits, safe work requirements, staffing assumptions, and emergency response assumptions.

2. Identify the top five operational integrity risks

Use incident history, near misses, audit findings, maintenance data, environmental events, quality losses, and leadership judgment to identify the top recurring or high-consequence exposures. Do not let volume alone drive priority. A low-frequency, high-consequence exposure deserves attention.

3. Verify critical controls in the field

Move beyond paper confirmation. Confirm whether critical controls are present, understood, maintained, and used as intended. Field verification should include operators, maintenance, engineering, EHS, and supervision.

4. Connect reliability work to risk reduction

Review the reliability strategy for assets that prevent serious injury, loss of containment, environmental release, major quality failure, or business interruption. Maintenance priority should reflect consequence, not only downtime.

5. Build a leadership cadence around weak signals

Create a routine leadership review focused on operating envelope deviations, critical control health, high-energy events, repeat failures, management of change quality, corrective action effectiveness, and emerging risk.

The goal is not more meetings. The goal is better control.

Author’s Note: Fully operationalizing operational integrity is beyond the intended scope of this article. The purpose here is to define the concept, explain why it matters, and provide a practical leadership framework for heavy manufacturing organizations. For readers who want to move from concept to execution, I have also prepared an Operational Integrity Implementation Guide that provides a more detailed roadmap, including implementation phases, leadership cadence, roles and responsibilities, metrics, maturity assessment, and practical templates. The guide can be downloaded here: Operational Integrity Implementation Guide_Chet Brandon.pdf

Leadership’s Role in Operational Integrity

Operational integrity cannot be delegated to EHS, maintenance, engineering, or quality. Those functions are essential, but they do not own the full operating model.

Operational integrity belongs to line leadership.

Plant managers, operations leaders, maintenance leaders, technical leaders, and frontline supervisors set the pace. They decide what gets attention. They decide whether standards are real. They decide whether weak signals are acted on or explained away.

Senior leaders must insist on visibility into risk, not just performance outcomes. A green dashboard does not always mean a healthy operation. It may simply mean the organization has not yet experienced the consequence of its drift.

The conversation should be candid and operational. The goal is not blame. The goal is control.

Culture Follows the Operating Model

Many organizations say they want a stronger safety culture, reliability culture, or compliance culture. Those are worthy goals, but culture is not built by aspiration. Culture follows the operating model.

If planning is weak, the culture becomes reactive.

If maintenance is deferred without risk review, the culture accepts degradation.

If supervisors are not trained to recognize critical controls, the culture depends on luck.

If leaders reward production while tolerating procedural drift, the culture learns the real priority.

If people are afraid to report concerns, the organization loses early warning signals.

If corrective actions do not address root causes, the culture sees investigations as paperwork.

Operational integrity creates the conditions for a stronger culture because it aligns expectations, systems, decisions, and follow-through. People trust what they see consistently reinforced.

What Good Looks Like

A mature operational integrity model has visible characteristics.

Leaders understand the highest-risk operations and critical controls.

Operators understand the operating envelope and know when to stop or escalate.

Maintenance strategies are risk-ranked and connected to safety, environmental, quality, and production consequences.

Procedures are accurate, usable, and field-verified.

Management of change is treated as a core control, not an administrative burden.

Near misses and weak signals are valued because they reveal system vulnerability.

Corrective actions are prioritized by risk reduction, not ease of closure.

Performance reviews examine stability, trend movement, and control health.

Sites learn from each other by comparing best performers with poor performers.

Teams adapt when conditions change without abandoning critical controls.

The organization acts before weak signals become major events.

That is operational integrity in practice.

Why It Matters Now

Heavy manufacturing is operating under increasing pressure: labor constraints, aging infrastructure, supply chain volatility, cost pressure, decarbonization expectations, regulatory scrutiny, and higher stakeholder expectations. These pressures do not reduce risk. They amplify it.

The answer is not more programs layered onto already busy organizations. The answer is a clearer operating model.

Operational integrity gives leaders a way to integrate safety, reliability, environmental compliance, quality, production performance, and human adaptability into one disciplined system. It helps the organization move from reactive correction to proactive control and distinguish between good luck and good management.

The standard is not perfection. Heavy manufacturing will always involve complexity, variability, and risk. The standard is disciplined control of the things that matter most.

Operational integrity is how a manufacturing organization earns the right to run. It protects people, assets, communities, customers, and business continuity. It turns values into routines, data into decisions, and leadership expectations into operational reality.

In the end, operational integrity is not a slogan. It is the daily proof that the organization can be trusted to operate with discipline, reliability, resilience, leadership cadence, and control.

Author’s Note

There is a certain irony in this moment for heavy manufacturing. We are surrounded by remarkable technology: advanced automation, predictive analytics, digital twins, artificial intelligence, process control systems, robotics, real-time monitoring, and engineering tools previous generations of manufacturing leaders could hardly have imagined.

And yet, the greatest challenge remains deeply human.

The strength of an operating entity still depends on whether people understand the mission, believe the standards matter, have the capability to execute, and are properly directed by leaders who know what to reinforce. Technology can detect, calculate, automate, and inform. But it cannot replace leadership judgment, workforce engagement, operational discipline, or the credibility created when leaders follow through on what they say matters.

That is the real work of operational integrity. It is not choosing between technology and people. It is using technology to better enable people, while recognizing that people remain the decisive force in whether the system actually works.

The future of manufacturing will be more digital, connected, and intelligent. But the organizations that perform best will still be those that motivate, enable, and direct their people with clarity, discipline, and purpose. Advanced tools may raise the ceiling of what is possible. People determine whether the organization reaches it.

Source Note: Case study information on the 2008 Imperial Sugar refinery combustible dust explosion is based on findings from the U.S. Chemical Safety and Hazard Investigation Board, Investigation Report: Sugar Dust Explosion and Fire, Imperial Sugar Company, Port Wentworth, Georgia, February 7, 2008, Report No. 2008-05-I-GA, September 2009. The CSB reported that the incident resulted in 14 worker fatalities and numerous injuries, and concluded that combustible sugar dust accumulations, enclosed conveyor conditions, inadequate dust control, equipment design, maintenance, and housekeeping contributed to the catastrophic explosion and fire. Weblink: https://www.csb.gov/imperial-sugar-company-dust-explosion-and-fire/

Posted in Culture, Employee Engagement | Tagged , , , , , , , , , , , , , , , , | Leave a comment

Cyber-Physical Risk in the Age of AI: How Safety Professionals Help Directors Make Better Operational Technology Investment Decisions – Part 4

Posted on May 6, 2026 by Chet Brandon
Business professionals in a conference room reviewing cybersecurity and factory operations data on screens and laptops
A Board of Directors discusses cybersecurity metrics and factory operations in a conference room overlooking an industrial facility.

By Fay Feeney and Chet Brandon

Series Context

This four-part series examines how artificial intelligence is reshaping cyber risk in operational technology and what it means for industrial organizations. It brings together perspectives from safety leadership, cybersecurity, operations, and board governance to address cyber-physical risk as an enterprise issue. The series is co-authored by Chet Brandon, a global Environmental, Health & Safety (EHS) and operational risk leader, and Fay Feeney, an expert in board governance and enterprise risk oversight.

The first three articles argued that Operational Technology cyber risk has moved from technical concern to operational and resilience challenge. This final article asks a harder question: How should boards govern, resource, and make capital decisions in response?

Introduction

The next major Operational Technology (OT) capital request your board reviews may not be a modernization project at all. It may be a proposal for new robots, AI-enabled inspection systems, autonomous material-handling assets, or other connected technologies that promise more throughput, less labor strain, and sharper quality performance.

Those proposals often arrive wrapped in the language of innovation and competitiveness. But for directors, the more important question is not whether the technology is impressive. It is whether management is asking the board to approve capital expenditures that build a better business, or simply a faster way to create new categories of operational risk.

That is the boardroom challenge. OT cyber risk is no longer merely a management issue boards oversee; it is increasingly a fiduciary obligation boards must actively govern.

Operational technology now sits at the intersection of strategy, safety, cyber risk, resilience, and capital allocation. When directors approve spending on new OT-enabled assets, they are not merely approving equipment. They approve of a new operating model, a new risk profile, and a new set of assumptions about how the company will create value. Boards that understand this will demand decision-ready information.

Executive summary

This article advances a straightforward proposition: safety professionals who work close to operational technology are among management’s most underused assets in improving business decision quality. They see weak signals before they become failures. They understand how controls perform under pressure. They recognize where workarounds, maintenance drift, procedural gaps, and human-machine interaction begin to erode resilience.

When their observations are translated through operational leadership, the CISO, and enterprise risk management, they give the CEO and the board a clearer picture of what a proposed OT investment really means for the business.

For directors, the lesson is practical. OT is not a narrow engineering or technical issue. It is the equipment and the control and monitoring systems that run the physical side of the business—the plants, production lines, machines, robots, and connected assets that make, move, and deliver value in the real world.

If information technology runs data and transactions, operational technology runs physical processes and assets. As a result, OT failures, design flaws, or cyber intrusions can become safety, production, regulatory, financial, and reputational events with remarkable speed.

The broader governance implication is clear: new OT investments should come into the boardroom as enterprise risk and strategy decisions. The board should expect management to show how those investments change risk appetite, resilience, strategic capacity, and long-term value, not merely productivity or obsolescence.

Why decision quality is essential for digital investments.

Boards are generally disciplined about reviewing outcomes. Yet many spend less time examining the quality of the decision process that produced them. In complex operating business systems, management teams still default too easily to speed, confidence, precedent, and partial information. In manufacturing, where robotics, automation, quality, workforce safety, supply chain, continuity, and cybersecurity increasingly intersect, those habits create dangerous blind spots.

This is why decision quality is now a board issue that deserves a renewed assessment. Directors should not stop at asking, “Do we have the right recommendation?” They should also ask, “Did management frame the issue correctly? Did it examine credible alternatives? Did it test assumptions and develop fallback plans?” In OT-intensive environments, those questions are not process niceties. They are part of governing resilience and enterprise value.

Safety professionals matter here because their disciplines are grounded in structured inquiry. Hazard identification, root-cause analysis, barrier management, scenario assessment, and learning from near misses are not only safety disciplines. They are decision-quality disciplines. They help management resist optimism bias, sunk-cost thinking, and the temptation to mistake a confident proposal for a sound one.

Resetting boardroom decision-ready expectations from leadership

“As Technology, Risk, or Audit Committee members, our role is to oversee Operational Technology and ensure that OT decisions are treated as enterprise risk and strategy decisions. We expect management to bring us OT issues and investments framed through safety, cyber, and ERM lenses, so we can see how they affect the company’s risk appetite, resilience, and long-term value.”

Why safety matters in new OT investments

As manufacturers invest in a new generation of connected physical assets, safety professionals should be viewed as contributors to enterprise judgment, not simply compliance resources. Robots, cobots, autonomous mobile systems, machine-vision tools, and AI-enabled controls do more than improve throughput. They change how people interact with equipment. They alter line dependencies and operating rhythms while expanding the digital attack surface. They create new failure modes and recovery challenges. And they change the company’s future operating risk profile.

That makes safety professionals especially valuable. They are often the first to see where human-machine interaction may be misunderstood, where safeguards may be overestimated, where maintenance assumptions may be unrealistic, or where emergency fallback procedures are too theoretical to be useful.

They help management determine whether a proposed investment is ready for deployment, whether risks are understood, and whether the company is considering the impact on their enterprise risk profile.

For Directors, that is an important distinction. The question is not whether new OT creates value. It often does. The question is whether management has done enough to ensure that the value case and the risk case are being considered together.

In practice, safety professionals do not usually brief the board directly. Their value depends on what happens next—how their observations move upward and are translated.

The first step is operational leadership. Plant managers, engineering leaders, maintenance and reliability teams, production executives, and quality leaders add context around throughput, asset performance, labor implications, customer commitments, and commercial performance. They connect operational evidence to business reality.

That translation becomes more powerful when joined by the CISO and ERM. The CISO contributes the cyber-physical perspective: how connectivity, software updates, vendor access, identity management, remote diagnostics, segmentation weaknesses, and monitoring gaps could affect the safe and reliable operation of robots and other connected equipment. In a connected manufacturing environment, the relevant question is rarely whether a cyber event is “IT” or “OT.” The question is whether it can disrupt physical production, compromise worker safety, or degrade the integrity of critical assets and what level of reputation risk the organization is prepared to accept.

ERM adds portfolio discipline. It helps convert site-level observations into a small number of scenarios, consequence ranges, likelihood bands, and treatment options that can be assessed alongside other capital and strategic choices. This is where management should demonstrate not merely that a project is technically feasible, but that it is a sound decision relative to the company’s risk appetite, strategic priorities, and competing uses of capital.

The CEO’s role is to bring these threads together in a board-ready form. Directors do not need a stack of technical details. They need a board paper that shows how safety, operations, cyber, finance, and enterprise risk perspectives converge on a recommendation. Where that integration is absent, the board is being asked to approve spending. Where it is present, the board is being invited to make a business decision.

Artificial intelligence is increasingly embedded in many of the OT investments now coming before boards. Robotics, machine vision, and connected control systems rely on AI, introducing more complex behavior, tighter interdependencies, and less predictable failure modes. For directors, this does not change the responsibility—it raises the standard for it. Management should demonstrate how these systems perform under both normal and degraded conditions, and how resilience is maintained when assumptions do not hold.

A simple operating model for directors

A useful way for directors to think about this flow is as a simple operating model.

First, safety professionals detect and interpret operating risk. They identify control weaknesses, unsafe interactions, maintenance drift, procedural non-conformance, resilience gaps, and weak signals in OT-dependent operations.

Second, operational leaders integrate those findings with production and asset context, linking them to continuity, quality, labor, customer commitments, and commercial performance.

Third, management, the CISO, and ERM translate the issue into enterprise risk language—documenting scenarios, consequences, alternatives, assumptions, and response options in forms suitable for executive and board review.

Finally, executives and the board receive decision-useful reporting, so the issue appears not as a narrow technical matter but as a governance question involving risk appetite, resilience, capital allocation, and strategic tradeoffs.

Once that model is in place, directors can hold management accountable for using it consistently rather than episodically.

The Artificial Intelligence Operational Technology (AIOT) Resilience Index: Turning Operational Reality into Board-Level Oversight

As OT environments become more connected, automated, and AI-enabled, boards need a practical way to evaluate whether the organization is genuinely becoming more resilient—or simply becoming more technologically complex. That requires more than isolated cybersecurity metrics or compliance reporting. Directors need a disciplined framework that translates operational risk into decision-useful information that can be monitored over time. One approach is the use of an AIOT Resilience Index: a board-level measurement framework designed to evaluate how effectively the organization is managing cyber-physical risk across operations, safety, resilience, and governance.

The purpose of the index is straightforward. It is intended to help directors and executives understand whether the organization is improving its ability to anticipate, withstand, respond to, and recover from disruptions affecting operational technology. Rather than focusing only on technical vulnerabilities, the index evaluates the operational realities that determine whether an organization can continue to operate safely and reliably under strain.

The AIOT Resilience Index combines both reactive and proactive dimensions of performance. The reactive side evaluates capabilities such as incident detection, emergency shutdown readiness, operational recovery, corrective action closure, and crisis communications. These indicators help leadership understand how effectively the organization can stabilize operations and limit consequences once an event occurs. The proactive side focuses on activities more directly within management’s control, including critical asset risk profiling, safeguard integrity, governance maturity, predictive monitoring capability, and strategic investment in modernization and resilience.

Importantly, the index is designed around factors management can actively influence rather than abstract external threat conditions. That distinction matters in the boardroom. Directors cannot govern geopolitical uncertainty or the existence of cyber threats, but they can oversee whether management is systematically reducing exposure, strengthening safeguards, improving resilience, and investing appropriately in risk reduction. The index therefore becomes less a technical scorecard and more a governance tool for evaluating operational readiness and long-term resilience.

The value of the index is not the number itself. Its value is the discipline it creates. A well-constructed index allows directors to identify trends, compare facilities or business units, evaluate whether risk reduction investments are producing measurable improvement, and determine where exposure may exceed the organization’s stated risk appetite. It also helps frame more informed discussions about capital allocation, legacy asset exposure, third-party dependency, and the operational implications of AI-enabled systems.

Used properly, the AIOT Resilience Index becomes a mechanism for connecting plant-floor realities to boardroom oversight. It gives management a structured way to present operational risk in enterprise terms and gives directors a clearer basis for evaluating resilience, strategic readiness, and long-term value protection in increasingly connected industrial environments.

The illustration below shows how the AIOT Resilience Index™ can translate complex operational technology risk into a board-ready view of resilience, readiness, and governance performance. By separating reactive capabilities from proactive risk leadership, the index helps directors see not only how well the organization can respond to disruption, but how effectively management is reducing exposure before an event occurs.

Case study: approving new robots and connected equipment

Consider a board reviewing a request for a $32 million multi-year investment to deploy a new robotic assembly cell, AI-enabled machine-vision inspection system, and autonomous material-handling platform at a high-volume plant. The proposal includes collaborative robots working near people, new safety interlocks, integration with legacy line controls, expanded network connectivity, vendor remote support, and software that coordinates production flow and inspection data.

The initial management narrative is familiar: labor constraints are tightening, throughput can improve, quality escapes can be reduced, and the facility needs more automation to remain competitive. For a board, however, that framing is incomplete.

The real board question is broader. Does this investment materially improve the company’s future strategic capacity and resilience, and does the organization understand the new operating risk profile it is about to create? The board is not simply approving equipment. It is approving a new way of operating.

For that reason, the CEO should bring six elements into the boardroom.

  • Strategic context: how the new robotic system supports growth, margin improvement, workforce availability, customer commitments, and longer-term automation strategy.
  • Current operating risk: where existing manual or semi-automated processes create safety exposure, quality variation, rework, downtime, or throughput constraints.
  • Scenario-based consequences: a small number of realistic situations such as unsafe robot-human interaction, software or sensor malfunction, failure of a safety interlock, network disruption affecting production flow, or vendor access creating cyber-physical vulnerability.
  • Alternatives and tradeoffs: phased deployment, pilot testing, a more limited automation scope, or deferral, each with different cost, risk, and speed implications.
  • Portfolio fit: what other projects this request displaces and why management believes this investment deserves priority now.
  • Execution and contingency planning: operator training, maintenance readiness, cybersecurity controls, vendor dependency, fallback procedures, and the plan if the technology underperforms or deployment takes longer than expected.

This is precisely where safety professionals, the CISO, and ERM add visible value. Safety professionals can identify where workers may be exposed, where safeguarding assumptions are weak, where human-machine interaction is poorly understood, and where recovery procedures are unrealistic.

The CISO can explain how insecure remote support, software patching failures, weak segmentation, or poor access control could magnify the operational consequences of the new asset base.

ERM can place the entire picture into the context of enterprise exposure, risk appetite, and competing capital priorities. Together, they transform an innovation proposal into a strategic capital decision worthy of board judgment.

Questions directors should keep asking

The board’s role is not to second-guess engineering design. It is to insist that management present OT investment in decision-ready form. As directors upgrade their board’s AI, digital, and cybersecurity expertise and raise overall skills, then can begin now by asking a short set of practical questions:

  • How does this investment change our future operating risk profile, not just projected productivity?
  • What assumptions about workforce readiness, vendor support, and change management sit beneath the expected return?
  • Which risks are genuinely reduced, and which new risks are introduced?
  • If rollout slips or technology performs below expectations, what is the fallback position?
  • How are safety, cybersecurity, and resilience being governed together rather than as separate workstreams?
  • Where does this proposal sit relative to other opportunities and risk-reduction investments competing for capital?

These questions do more than improve oversight of one proposal. They raise the standard by which management prepares OT matters for the board.

Some Closing Thoughts

The companies that will benefit most from robotics, connected automation, and intelligent equipment will not necessarily be the ones that buy the most technology first. They will be the ones whose leaders understand that every new OT investment is also a decision about resilience, safety, cyber-physical exposure, and the company’s long-term capacity to perform under strain to deliver innovation at scale.

That is why this conversation belongs in the boardroom. Safety professionals are not merely helping management avoid incidents. Properly integrated with operational leadership, the CISO, and ERM, they help the CEO bring better business decisions to the board—decisions grounded in operating reality, tested against risk appetite, and weighed against strategic alternatives.

When directors insist on that discipline, they do more than improve oversight of OT. They improve the quality of the judgments on which the company’s future value will depend. Their investors and stakeholders will appreciate the dividends that delivers.

In the age of AI-enabled operational technology, the companies that govern this well will not simply reduce cyber risk; they will build safer, more resilient, and more valuable industrial enterprises.

Posted in AI, Artificial Intelligence, EHS Management, enterprise risk management, Leadership, Machine Learning, Sustainability Leadership | Tagged , , , , , , , , , , , , , , , | Leave a comment

Cyber-Physical Risk in the Age of AI: How Safety Professionals Identify and Manage OT Cyber Risk – Part 3

Posted on April 22, 2026 by Chet Brandon

Translating Cyber-Physical Risk into Action

Cybersecurity professionals working together in a control room with multiple monitors displaying global cyber threat data

By Chet Brandon and Fay Feeney

Series Context

This four-part series examines how artificial intelligence is reshaping cyber risk in operational technology and what it means for industrial organizations. It brings together perspectives from safety leadership, cybersecurity, operations, and board governance to address cyber-physical risk as an enterprise issue. The series is co-authored by Chet Brandon, a global Environmental, Health & Safety (EHS) and operational risk leader, and Fay Feeney, an expert in board governance and enterprise risk oversight.

Introduction: From Awareness to Execution

In Parts 1 and 2, we established two critical realities: cyber risk in operational technology (OT) environments is physical risk, with consequences that can include serious injury, environmental harm, and major business disruption; and artificial intelligence is accelerating both the threat landscape and the tools available to manage it. But understanding the problem is not enough. The real challenge facing organizations today is execution—how to translate cyber-physical risk into structured, actionable practices that improve safety, resilience, and operational performance. This is where safety professionals play a central role. For decades, EHS leaders have managed complex, high-consequence risks in industrial environments, and the same disciplines that prevent catastrophic process safety events can be applied to cyber-physical threats—if organizations integrate them effectively.

The Tangible Outputs of EHS Risk Management

EHS professionals create value through structured outputs that guide decision-making and risk reduction. In the context of OT cyber risk, these outputs fall into two primary categories: pre-incident risk identification and prioritization, and post-incident resilience and recovery. Before an incident occurs, safety professionals help organizations identify and prioritize which physical assets that could be compromised by where cyber threats that are likely to impact operations, evaluate those risks in terms of safety, environmental, and business consequences, and prioritize vulnerabilities based on real-world impact. After an incident, they contribute to stabilizing operations, restoring systems safely, and embedding lessons learned into future prevention efforts. This structured approach ensures that cyber risk is managed with the same rigor as other high-consequence operational risks.

Identifying and Prioritizing Cyber-Physical Hazards

The first step in managing OT cyber risk is developing a clear understanding of where system vulnerabilities intersect with high-consequence outcomes. In industrial environments, not all cyber vulnerabilities carry equal weight. Safety professionals bring a critical lens by asking, “If this system is compromised, what happens physically?” This reframes the discussion from technical severity to operational consequence, including impacts on safety, environment, and production.

Effective risk identification begins with mapping critical assets and processes. This includes identifying safety-critical systems such as safety instrumented systems (SIS), emergency shutdown systems, key control loops, and monitoring functions that maintain process stability. It also requires understanding dependencies—how sensors, controllers, networks, and human interfaces interact to maintain safe operation. From there, organizations can identify where cyber vulnerabilities exist, including exposed network pathways, remote access points, legacy systems, or gaps in monitoring and control integrity.

Once critical systems and vulnerabilities are mapped, established safety methodologies can be expanded to include cyber scenarios. Process Hazards Analysis (PHA) and Hazard and Operability Study (HAZOP) studies can be adapted to evaluate how manipulated inputs, false sensor readings, or disabled alarms could drive deviations in process conditions. Teams can explore scenarios such as incorrect temperature signals, overridden interlocks, or delayed shutdown responses, asking how these deviations could propagate through the system. Failure Modes and Effects Analysis (FMEA) can then be used to identify specific failure modes associated with loss of system integrity—such as loss of control, incorrect system response, or delayed operator awareness—and assess their potential impact. Layers of Protection Analysis (LOPA) adds another layer by evaluating whether existing safeguards are sufficient if digital systems are compromised, particularly where multiple protections may rely on shared infrastructure.

Prioritization is where safety professionals add the greatest value. Rather than treating all vulnerabilities equally, risks are ranked based on severity of consequence, likelihood of occurrence, and effectiveness of existing controls. High-priority risks are those where a cyber event could lead to serious injury or fatality, major environmental impact, or significant business interruption—especially where safeguards may be degraded or insufficient. This risk-based approach ensures that mitigation efforts are focused on the vulnerabilities that matter most.

The resulting risk profile becomes a powerful management tool for driving timely and measurable improvement. Rather than remaining a static assessment, it should be actively used to guide decision-making, resource allocation, and performance monitoring. High-risk scenarios identified in the profile can be translated into targeted mitigation actions, such as isolating critical systems, strengthening access controls, improving alarm validation, or enhancing manual backup capabilities. Each action should be assigned ownership, timelines, and expected outcomes.

To ensure progress, organizations should align the risk profile with key risk indicators (KRIs) and performance metrics. These may include reduction in exposure of safety-critical systems, closure rates for high-risk vulnerabilities, improvements in detection and response times, and completion of resilience testing. Regular integration of the risk profile into management reviews ensures that priorities evolve with changing threats and system conditions. By using the risk profile as a living tool, organizations move beyond identifying risk to actively reducing it in a structured and measurable way.

Partnering with Cybersecurity and Process Control Teams

Effectively managing cyber-physical risk requires close partnership between EHS professionals, cybersecurity specialists, and process control engineers. Chief Information Security Officers (CISOs) are a key sponsor for these efforts and help translate findings into information for the executive leaders, and provide executive oversight. No single function has complete visibility into how operational technology systems are designed, how they can fail, or how they may be targeted. Safety professionals bring deep expertise in consequence analysis and risk prioritization, but must collaborate with those who understand system architecture, network design, and control logic to fully assess exposure.

Cybersecurity teams provide insight into threat vectors, access pathways, and system vulnerabilities, while process control and engineering teams contribute a detailed understanding of control system architecture, instrumentation, interlocks, and operating limits. Together, these perspectives allow organizations to map how a malicious attack could move through systems and ultimately impact physical operations.

This collaboration is essential for identifying realistic failure modes triggered by cyber events and evaluating their severity. It also enables more effective prioritization by focusing attention on vulnerabilities with the greatest potential to impact safety, environment, and business continuity. Integrating these perspectives creates a more complete understanding of cyber-physical risk and improves both prevention and resilience strategies.

Protecting Safety-Critical Control Systems

Once high-risk scenarios are identified, the next step is ensuring that critical control systems remain reliable under all conditions—including during a cyber event. In industrial environments, systems such as safety instrumented systems (SIS), emergency shutdown systems, alarm systems, and key control loops are essential to maintaining safe operations. EHS professionals help define which systems are safety-critical, what level of independence is required, and how failures could impact operations.

A foundational step is defining and validating system independence. Safety-critical systems should be architected to operate independently from primary control systems and broader networks wherever possible. This includes physical and logical separation, dedicated controllers, and minimized shared infrastructure to reduce common-cause failure risk.

Network segmentation and controlled connectivity are essential. Critical systems should be isolated within defined security zones with tightly controlled access. Remote access must be limited, monitored, and governed through strict controls to reduce exposure.

Ensuring instrumentation and signal integrity is another key focus. Redundant instrumentation, validation logic, and cross-checking of critical measurements help detect abnormal conditions even if one source is compromised.

Alarm system reliability must be maintained through rationalization, verification, and testing. In cyber scenarios, well-designed alarm systems improve the likelihood that operators will recognize abnormal conditions.

Manual override capability provides an essential layer of protection. Systems should allow operators to intervene safely when automation is unreliable, supported by clear procedures, training and routine hands on practice.

Routine testing and validation of safety functions, including cyber-informed scenarios, ensures safeguards perform as expected. Finally, strong configuration management and change control prevents unauthorized or unintended modifications that could introduce vulnerabilities.

The objective is clear: even if cyber systems are compromised, critical safety functions must continue to operate as intended. At a minimum, segregating OT risk for operational continuity makes shutting down the entire operations unnecessary and allows businesses to operate.

Building Cyber-Aware Process Safety Programs

Cyber-physical risk cannot be managed in isolation; it must be embedded into existing safety systems. This requires evolving traditional process safety programs to explicitly include digital threat scenarios. Cyber risks should be incorporated into hazard analyses, management of change processes should evaluate digital modifications, and operational procedures should reflect potential cyber-driven abnormal conditions. Training programs must also prepare operators to recognize and respond to anomalies that may originate from compromised systems.

A practical way to do this is by integrating cyber scenarios directly into Process Hazard Analyses (PHAs) through targeted “what if” questions that connect digital failure to physical consequence. For example: What if a sensor provides false data due to cyber manipulation? What if control logic is altered or overridden? What if alarms are suppressed or delayed? What if remote access is gained through a vendor or compromised credentials? What if operators lose visibility into critical process conditions? Framing cyber risk in this way allows teams to evaluate how these events could drive process deviations, challenge existing safeguards, and ultimately impact safety, the environment, and operations—bringing cyber risk into the core of process safety decision-making.

Strengthening Operational Resilience

Even with strong preventive controls, organizations must assume that disruptions will occur. Operational resilience is defined by the ability to anticipate disruptions, maintain safe operations under abnormal conditions, and recover quickly from incidents. Safety professionals strengthen resilience through layered protections, structured response frameworks, and disciplined operational procedures.

A critical—and often underappreciated—capability safety professionals bring is the design and execution of emergency shutdown and response strategies. In high-hazard industries, EHS leaders routinely define when and how to transition systems to a safe state under rapidly evolving conditions. This includes establishing clear criteria for initiating shutdowns, ensuring that shutdown systems are independent and reliable, and developing procedures that enable operators to act decisively when system integrity is uncertain.

In cyber-physical events, this capability becomes essential. When control systems are compromised, data integrity is questionable, or system behavior becomes unpredictable, the ability to execute a safe, controlled shutdown may be the most effective way to prevent escalation. Safety professionals ensure that these actions are not improvised—they are pre-defined, tested, and supported by clear decision authority and operator training.

Beyond shutdown, EHS professionals also design incident response structures that coordinate actions across operations, cybersecurity, engineering, and leadership. This includes incident command frameworks, escalation protocols, and communication strategies that maintain situational awareness and enable timely decision-making under uncertainty.

Resilience, therefore, is not just about keeping systems running—it is about knowing when and how to safely stop them, stabilize conditions, and recover without introducing additional risk. This is a core competency of safety professionals and a critical component of managing cyber-physical threats in modern industrial environments.

Business Continuity Planning for Industrial Cyber Events

Traditional business continuity planning often focuses on IT recovery, but industrial environments require restoration of safe operational control. EHS professionals help define shutdown procedures, restart protocols, alternative operating modes, and safety measures for personnel. Effective plans include validated recovery procedures, coordination across functions, and structured communication strategies to ensure recovery is both efficient and safe.

Enabling Visibility Through Metrics and Dashboards

Managing OT cyber risk requires clear visibility. Dashboards and key risk indicators translate technical data into operational insight, helping leadership understand exposure, performance, and improvement over time. Metrics such as asset visibility, vulnerability status, detection performance, and resilience readiness provide actionable information that supports decision-making and continuous improvement.

Applying the Framework: A Practical Assessment and Action Tool

To translate these principles into consistent execution, organizations should use a structured risk assessment process. The concept is demonstrated in this OT Cyber-Physical Risk Assessment and Action Form. This tool enables cross-functional teams—EHS, cybersecurity, and engineering—to work through a standardized process for identifying hazards, evaluating consequences, assessing safeguards, and defining actions.

The form guides teams through key steps, including identifying safety-critical systems, defining cyber-driven failure modes and physical outcomes, evaluating safeguard independence and effectiveness, assessing vulnerabilities and access pathways, and prioritizing risks using severity, likelihood, and control effectiveness. It also drives accountability by requiring defined actions, owners, timelines, and expected risk reduction outcomes.

Importantly, the form supports measurable improvement by linking actions to key risk indicators and performance metrics. When used in workshops or site-level assessments, it helps organizations move beyond discussion to clear, documented actions that improve both security and operational reliability over time.

Integrating People, Process, and Technology

Effective OT cyber risk management requires integration across people, process, and technology. Operators, engineers, cybersecurity professionals, and safety leaders must work together within structured risk management systems supported by appropriate technology, as no single function can manage this risk in isolation. Safety professionals serve as integrators—translating cybersecurity insights into operational implications, connecting them with real-world conditions, and ensuring that risk management approaches align with how work is actually performed in industrial environments.

Conclusion: Turning Risk Insight into Action

Managing cyber risk in operational technology environments requires more than awareness—it requires disciplined execution of systems. By applying proven approaches from process safety and operational risk management, organizations can identify critical vulnerabilities, protect key systems, strengthen resilience, and improve recovery capability. This enables a shift from reacting to cyber threats to actively managing cyber-physical risk as part of core operations.

Looking Ahead to Part 4

In Part 4, we move to the boardroom—examining how directors and executives govern cyber-physical risk and ensure organizations have the capabilities needed to manage this evolving threat.

Addendum – Key Risk Assessment Tools

  • PHA – Process Hazard Analysis, a structured study to identify and evaluate hazards in a process that could harm people, property, or the environment.
  • HAZOP – Hazard and Operability Study, a systematic examination of a process to identify potential hazards and operability problems due to deviations from design intent.
  • FMEA – Failure Mode and Effects Analysis, a step‑by‑step method to identify possible failure modes in a system, assess their effects, and prioritize actions to mitigate them.
  • LOPA – Layers of Protection Analysis, a semi‑quantitative method to evaluate whether existing independent protection layers are sufficient to reduce risk for specific hazardous scenarios.
Posted in Uncategorized | Tagged , , , , , , , , , , , , , , | Leave a comment

Automated Reasoning for Human Error Detection in Industrial Operations

Posted on April 11, 2026 by Chet Brandon

Bridging logic, human performance, and operational resilience

Diagram showing common human error pathways including alarm overload, disorientation, procedure violation, miscommunication, fatigue, documentation error, input error, equipment failure, cognitive bias, and lack of training
Common pathways leading to human error in operational control rooms.

Introduction: The Persistent Challenge of Human Error

Despite decades of advancement in engineering controls, automation, and safety management systems, human error remains a dominant contributor to serious incidents in industrial environments. In high-hazard sectors—chemicals, metals, energy, and advanced manufacturing—the issue is not simply that people make mistakes. It is that:

  • Systems are often designed around work-as-imagined, not work-as-done
  • Weak signals of failure are present—but not recognized in time
  • Decision-making under pressure introduces variability that systems fail to anticipate

Traditional approaches—training, procedures, and supervision—have plateaued in effectiveness. What is emerging now is a new capability:

The application of automated reasoning to detect, interpret, and respond to human error potential in real time.

The Opportunity for Industrial Organizations

Industrial operations are entering a period of increasing complexity—driven by advanced technologies, workforce transitions, and rising expectations for safety and performance.

At the same time, organizations are facing a growing challenge:
the loss of deeply experienced professionals who have historically served as the primary line of defense against human error.

What is being lost is not just knowledge—but the ability to recognize when conditions are aligning for failure.

The strategic question for leaders is this: How do we preserve and scale that judgment across the organization—consistently, in real time, and at global scale?

Automated reasoning represents a critical step in that evolution, enabling organizations to move from reacting to errors to understanding and managing the conditions that create them.

What Is Automated Reasoning in This Context?

Automated reasoning is the use of formal logic, structured knowledge, and inference engines to derive conclusions from known conditions.

In the context of human error detection, it moves beyond simple monitoring to answer:

  • Given the conditions, what errors are likely?
  • Are the safeguards sufficient for this specific situation?
  • What is the most probable failure pathway right now?

This is fundamentally different from traditional analytics.

Traditional SystemsAutomated Reasoning Systems
Detect anomaliesExplain why they matter
Monitor conditionsInterpret risk implications
Trigger alarmsEvaluate decision quality and context

While automated reasoning is often grouped under the broader umbrella of artificial intelligence, it represents a fundamentally different capability. Most AI—particularly machine learning—focuses on identifying patterns and making predictions based on data. Automated reasoning, by contrast, applies explicit logic and structured rules to determine cause-and-effect relationships and draw explainable conclusions. In practical terms, AI can tell you something is changing or likely to happen, while automated reasoning explains why it matters, how it could lead to failure, and what should be done about it. This distinction is critical in industrial settings, where transparency, consistency, and defensible decision-making are essential.

The Core Shift: From Data to Logic-Based Insight

Most industrial AI deployments today rely heavily on pattern recognition—identifying deviations in process variables, behaviors, or outcomes.

Automated reasoning introduces a critical layer:

It applies structured logic to determine whether current conditions create a credible pathway to human error.

This includes reasoning across:

  • Task complexity
  • Environmental conditions
  • Time pressure
  • Procedure alignment vs. actual execution
  • Worker capability and experience
  • System fragility and safeguards

While AI-driven pattern recognition is powerful, it is not sufficient on its own to address human error in complex industrial systems. AI can identify anomalies and correlations, but it does not inherently understand cause-and-effect relationships or the operational significance of what it detects. In many cases, this results in signals without clarity—highlighting that something is different, but not whether it meaningfully increases risk or requires intervention. Human error, however, is rarely driven by isolated data points; it emerges from the interaction of conditions, constraints, and system design. Without a layer of structured reasoning, organizations risk reacting to noise or missing the deeper risk pathways entirely.

A more effective path forward lies in combining AI’s ability to detect patterns with automated reasoning’s ability to interpret them—creating a system that not only sees change, but understands its implications. This integrated approach will be explored further later in the article.

A Parallel from Industrial Controls: Automated Reasoning as a Supervisory Safety Channel for AI

One useful way to understand the role of automated reasoning in AI-enabled safety systems is through a concept familiar to industrial practitioners: the use of independent supervisory protection layers in control system design. In modern industrial control architectures—particularly in high-integrity control systems (such as programmable logic controllers) where independent supervisory channels are used to validate safety-critical functions are involved—organizations often add a second channel of supervision to monitor critical functions, validate outputs, and intervene when the primary control path begins to drift, degrade, or behave unexpectedly. This is not done because the primary system is assumed to fail routinely, but because high-consequence systems require independent oversight.

The same principle applies to AI. In process operations, a primary control layer may regulate normal operation, while an independent supervisory or safety layer checks whether signals are plausible, logic outputs remain within safe bounds, conflicting states exist, or hazardous conditions may be developing despite “normal” outputs. The principle is simple but foundational: do not rely on a single decision channel where the consequences of failure are unacceptable. That same principle has direct relevance for intelligent systems.

AI systems—particularly those based on probabilistic models—can identify patterns, generate recommendations, and support decisions at remarkable speed. Yet they can also misinterpret context, produce non-causal correlations, drift from intended behavior, or in some cases generate hallucinated conclusions. This is where automated reasoning can serve a role analogous to an independent safety channel. Rather than replacing AI, it supervises it—testing whether recommendations make logical sense, whether they align with established constraints, whether they violate known risk rules, or whether outputs imply credible failure pathways before action is taken.

In this model, AI proposes, automated reasoning verifies, and humans decide. That mirrors familiar thinking in high-reliability operations. Just as a basic process control system may govern operations while an independent safety instrumented system provides protection, AI can serve as a primary analytical channel while automated reasoning acts as a supervisory validation layer. The role of automated reasoning, in this sense, is not simply optimization—it is error trapping.

This concept has significant implications for human error reduction. If AI identifies an abnormal condition, flags a procedural deviation, or predicts elevated human error likelihood, automated reasoning can independently assess whether the inference is justified, whether causal conditions are truly present, and whether the recommended intervention is appropriate. That creates protection against two risks at once: human error in operations and decision error within the AI itself.

Viewed this way, resilient intelligent systems should be designed much like resilient industrial systems—with layered protections rather than reliance on a single channel of cognition. Pattern detection, logical supervision, and human judgment each serve a different but complementary role. This is not merely AI with safeguards added; it is high-reliability design thinking applied to intelligent systems.

For decades, process safety has taught a simple lesson: independent layers of protection matter. The same lesson applies to intelligent systems. As AI becomes increasingly embedded in safety-critical decisions, automated reasoning may serve as the supervisory channel that helps keep those systems trustworthy, explainable, and resilient. And that may prove to be one of the most important bridges between traditional safety engineering and the future of AI-enabled risk management.

Capturing Context: The Critical Enabler of Effective Automated Reasoning

One of the most important—and often misunderstood—aspects of automated reasoning is how context is captured, structured, and interpreted.

Without context, even the most advanced reasoning engine becomes little more than a rules engine applying generic logic. With context, it becomes something far more powerful:

A system that understands not just what is happening—but what it means under the current conditions.

Why Context Matters in Human Error Detection

Human error does not occur in isolation. It emerges from the interaction between:

  • The task being performed
  • The conditions under which it is performed
  • The capabilities and state of the individual
  • The design and resilience of the system

The same task can be:

  • Low risk in one context
  • High risk in another

Example:
Opening a valve:

  • Routine, low risk during normal operations
  • High risk during startup, under time pressure, with similar valve configurations

👉 The difference is not the task—it is the context

How Automated Reasoning Captures Context

Automated reasoning systems structure context into four primary dimensions, each representing a different aspect of how work is actually performed.

1. Task Context (What is being done)

This dimension defines the inherent characteristics of the work itself and how prone it is to error under normal conditions.

  • Routine vs. non-routine work
  • Task complexity and step count
  • Precision required
  • Known failure modes

👉 How inherently error-prone is this task?

2. Operational Context (Under what conditions)

This dimension captures the external pressures and environmental conditions that influence how the task is executed.

  • Time pressure and production demand
  • Shift timing (night vs. day)
  • Environmental factors (heat, noise, visibility)
  • Concurrent work and distractions

👉 What external pressures are influencing performance?

3. Human Context (Who is performing the work)

This dimension focuses on the capabilities and current state of the individual or team performing the task.

  • Experience and familiarity
  • Fatigue and cognitive load
  • Interruptions and task switching
  • Supervision and crew dynamics

👉 How capable is the system—through people—right now?

4. System Context (How well the system supports the work)

This dimension evaluates how effectively the system design, procedures, and safeguards support successful execution.

  • Procedure quality and usability
  • Equipment design (e.g., similarity, ergonomics)
  • Safeguards and interlocks
  • Prior incidents or near misses

👉 Is the system enabling success—or inviting failure?

From Context to Insight: The Reasoning Layer

Once context is captured, automated reasoning evaluates how these dimensions interact, rather than treating them as isolated inputs.

Example interaction:

  • Moderate complexity
  • Moderate fatigue
  • Moderate time pressure

Individually → acceptable
Combined → elevated risk of error

Context is not additive—it is interactive

This mirrors what experienced EHS leaders do intuitively—recognizing when normal conditions combine into abnormal risk.

Context as a Dynamic Input (Not a Static Snapshot)

Context in industrial operations is not fixed; it evolves continuously as work progresses and conditions change.

  • A task interruption occurs
  • A supervisor leaves the area
  • Process conditions drift
  • Time pressure increases

The system recalculates in real time:

“Given the updated context, what is the new error likelihood?”

Practical Sources of Context Data

In practice, context is assembled from multiple digital and operational systems across the enterprise.

  • Digital permit-to-work systems
  • DCS / SCADA process data
  • EHS platforms and incident history
  • Training and workforce systems
  • Wearables and environmental sensors
  • Production schedules and constraints

The value is not the data alone—but how it is structured for reasoning

The Limitation: Context vs. Human Judgment

Even with advanced data capture, automated reasoning cannot fully replicate the richness of human situational awareness and experience.

  • Subtle hesitation or uncertainty
  • Team dynamics and trust
  • Intuition developed through experience
  • The sense that “something isn’t right”

These remain distinctly human capabilities.

Strategic Implication

The effectiveness of automated reasoning is directly dependent on how accurately and completely context is captured and represented.

The effectiveness of automated reasoning is directly tied to the quality of context it receives.

This shifts the leadership question from:

  • “How good is the algorithm?”

to:

  • “How well do we capture work as it is actually performed?”

How Automated Reasoning Detects Human Error Potential

1. Contextual Rule Evaluation (Beyond Static Procedures)

Automated reasoning evaluates whether procedures and expectations align with actual working conditions in real time.

  • Procedures fit current conditions
  • Workers are likely to deviate
  • System design forces adaptation

2. Weak Signal Amplification

The system connects small, seemingly insignificant signals into a coherent picture of emerging risk.

  • Minor deviations
  • Workarounds
  • Near misses

3. Error-Likely Situation Modeling

Human performance frameworks are applied to determine which types of errors are most likely under current conditions.

  • Skill-based errors
  • Rule-based errors
  • Knowledge-based errors

4. Dynamic Safeguard Evaluation

Safeguards are continuously evaluated for their presence, effectiveness, and likelihood of proper use.

  • Availability
  • Functionality
  • Likelihood of correct use

5. Decision Quality Assessment

The system evaluates the conditions under which decisions are being made to identify degradation in decision quality.

  • Cognitive overload
  • Bias patterns
  • Goal conflict
  • Degraded situational awareness

Integration with Industrial Systems

Automated reasoning does not function in isolation; it is integrated into the broader digital and operational ecosystem.

  • Process control systems (DCS/SCADA)
  • EHS management platforms
  • Permit-to-work systems
  • Wearables and monitoring tools
  • Incident and near-miss databases

This enables reasoning across both:

  • Technical system state
  • Human system state

A Practical Example: Chemical Reactor Operation

In a typical industrial scenario, automated reasoning evaluates multiple contextual inputs to identify emerging human error risk.

Inputs:

  • Inexperienced operator
  • Non-routine process conditions
  • Prior deviations
  • High time pressure

Output:

  • Elevated knowledge-based error risk
  • Likely parameter misinterpretation
  • Insufficient safeguards

Recommended actions:

  • Add second operator verification
  • Reduce ramp rate
  • Increase supervision

Benefits for Industrial Organizations

Proactive Risk Identification

Automated reasoning enables organizations to anticipate failure before it occurs by identifying error-likely conditions in advance.

  • Shift from “What went wrong?”
  • To “What is likely to go wrong next?”

Consistency Across Operations

It standardizes decision-making logic while still adapting to local context and conditions.

  • Standardized logic
  • Contextual flexibility

Scalable Expertise

The knowledge and judgment of experienced professionals can be embedded and applied consistently across the organization.

  • Captures expert reasoning
  • Distributes it across sites

Stronger Governance

Automated reasoning provides transparency and defensibility in risk-based decision-making.

  • Clear logic pathways
  • Audit-ready decisions

Limitations

Automated reasoning enhances decision-making but does not replace the uniquely human aspects of safety leadership and performance. It can identify error-likely conditions, but it cannot fully influence outcomes in real-world operations.

Trust-Building

Trust is the foundation of safety performance, built through credibility and relationships over time.

  • Enables open reporting of risks and weak signals
  • Drives whether people act on guidance

Automated reasoning can recommend actions, but it cannot build trust or credibility.

Without trust, even the right answer may not be followed

Real-Time Influence

Safety often depends on influencing decisions in the moment under pressure.

  • Challenging shortcuts
  • Reinforcing the right priorities

Automated reasoning can identify risk, but it cannot persuade, adapt messaging, or manage resistance.

Being right is not enough—impact requires influence

Deep Intuition

Experience creates an intuitive sense of risk beyond formal data.

  • Recognizing subtle inconsistencies
  • Acting on incomplete signals

Automated reasoning lacks this depth of experiential judgment and the ability to act confidently in ambiguity.

Intuition bridges the gap between data and reality

Cultural Awareness

Organizational culture shapes how work is actually performed.

  • Informal norms vs. formal procedures
  • Willingness to speak up or deviate

Automated reasoning struggles to fully capture these dynamics.

Culture determines how work really gets done

Closing Insight on Limitations

Automated reasoning can identify when conditions are right for failure.

But only people can:

  • Build trust
  • Influence decisions
  • Interpret nuance
  • Shape culture

That is where safety ultimately succeeds—or fails.

The Future: Human + Reasoning Systems

The most effective safety systems will not rely on a single form of intelligence. Instead, they will combine complementary capabilities into a cohesive system that enhances both insight and action.

At its core, this model integrates three distinct but interdependent strengths:

Machine Learning → Pattern Detection

Machine learning excels at identifying patterns across large, complex datasets that are not visible through traditional analysis.

  • Detects anomalies, trends, and weak signals
  • Identifies correlations across operations, time, and conditions
  • Continuously improves as more data becomes available

Its strength lies in answering:

“What is changing, and where should we pay attention?”

Automated Reasoning → Logical Interpretation

Automated reasoning translates data and conditions into structured, explainable conclusions about risk.

  • Evaluates cause-and-effect relationships
  • Assesses whether conditions create credible failure pathways
  • Provides transparent, auditable logic for decisions

Its role is to answer:

“Given these conditions, what does it mean—and what is likely to happen next?”

Human Expertise → Contextual Judgment

Human expertise brings the ability to interpret nuance, adapt to ambiguity, and influence outcomes in real time.

  • Applies experience, intuition, and situational awareness
  • Adjusts decisions based on context not fully captured in data
  • Builds trust and drives action across the organization

This is the layer that answers:

“What should we do—and how do we ensure it actually happens?”

How These Capabilities Work Together

Individually, each capability is powerful but incomplete. Together, they create a system that is both analytically strong and operationally effective.

  • Machine learning identifies emerging signals
  • Automated reasoning explains risk pathways and implications
  • Human expertise ensures the right decisions are made and executed

Insight without interpretation creates noise.
Interpretation without action creates delay.
Action without insight creates risk.

The integration of all three closes that gap.

Strategic Implication

This combined model represents a shift from fragmented tools to integrated decision systems.

Organizations that embrace this approach will:

  • Detect risk earlier
  • Understand it more clearly
  • Act on it more effectively

Closing Insight on Human + Machine Synergies

The future of safety is not human or machine—it is human with machine.

When pattern recognition, logical reasoning, and human judgment operate together, safety performance moves from reactive to truly predictive and resilient.

Final Perspective

Automated reasoning represents a fundamental shift in how industrial organizations approach human error.

From reacting to failure → to understanding the conditions that make failure likely

When fueled by rich context, it enables organizations to:

  • Anticipate human error
  • Strengthen system resilience
  • Scale expertise across operations

And ultimately:

Create systems that actively support people in making the right decisions—especially when it matters most.

References:

Pavlus, J., 2025. Amazon takes on AI’s biggest nightmare: Hallucinations. Fast Company, 4 December. Available at: Fast Company article

Williams, J.C., 1985. HEART- A proposed method for achieving high reliability in process operation by means of human factors engineering technology. In Proceedings of a Symposium on the Achievement of Reliability in Operating Plant, Safety and Reliability Society (Vol. 16), pp.5/1-5/15.

Posted in Uncategorized | Tagged , , , , , , , , , | Leave a comment

Cyber-Physical Risk in the Age of AI: How Safety Leaders and Boards Can Protect Operational Technology – Part 2

Posted on April 7, 2026 by Chet Brandon
Workers monitoring screens titled OT CYBER RISK: DUAL AI ROLES, AI DEFENSE SYSTEM, and AI ATTACK SIMULATION.
Two industrial workers monitor a high-stakes simulation showcasing the dual roles of AI in cybersecurity defense and attack.

Chet Brandon and Fay Feeney

Series Introduction

This four-part series examines how artificial intelligence is reshaping cyber risk in operational technology and what it means for industrial organizations. It brings together perspectives from safety leadership, cybersecurity, operations, and board governance to address cyber-physical risk as an enterprise issue. The series is co-authored by Chet Brandon, a global EHS and operational risk leader with deep experience in highly automated industrial environments, and Fay Feeney, an expert in board governance and enterprise risk oversight. Together, they connect plant-level realities with boardroom decision-making to provide practical strategies that strengthen resilience, protect operations, and improve risk-informed leadership.

Part 2 – AI and the Cyber Battlefield for Operational Technology

How Artificial Intelligence Is Reshaping Threats, Defense, and Governance

Introduction: AI Is Changing the Nature of Cyber Risk

Artificial intelligence is fundamentally altering the cyber risk landscape—and nowhere is this more consequential than in operational technology (OT) environments.

Historically, cyber attacks against industrial systems required deep expertise in both information technology and industrial control systems. Today, AI is lowering that barrier. It is enabling faster reconnaissance, more precise targeting, and increasingly automated attack execution. At the same time, AI is providing organizations with new tools to detect threats earlier, respond faster, and strengthen operational resilience.

This dual reality defines the modern cyber battlefield: AI is both amplifying the threat and transforming the defense. It has elevated cyber risk oversight from periodic review to dynamic, data-driven foresight

For industrial organizations, the implications are clear. Cyber risk is no longer just a technical issue—it is an operational, safety, and strategic risk that must be actively managed across the enterprise.

How AI Is Increasing Cyber Threats to Operational Technology

AI is accelerating the scale, speed, and sophistication of cyber attacks in ways that directly impact industrial operations.

One of the most significant shifts is in automated vulnerability discovery. AI-driven tools can rapidly scan complex networks, identify exposed assets, and detect weaknesses in system configurations. In OT environments—where systems are often interconnected, legacy-based, and difficult to patch—this creates a larger and more accessible attack surface. We have been managing the internet of things (IoT) and their security challenge since at least the mid‑2000s, and as a chronic enterprise governance issue since the early 2010s.

AI is also enabling more effective targeting of industrial systems. By analyzing system architectures, communication patterns, and process data, attackers can identify which assets are most critical to operations. This allows them to focus on high-impact targets such as distributed control systems, programmable logic controllers, and safety-related systems.

Another key development is the rise of automated attack development. AI can assist in generating exploit code, refining attack pathways, and adapting strategies in real time based on system responses. This reduces the time and expertise required to launch sophisticated attacks.

Another critical—and often underestimated—dimension is the rise of AI-enabled social engineering. Attackers are increasingly using AI to craft highly targeted phishing campaigns, impersonate trusted personnel, and exploit human behavior to gain initial access to systems. Social engineering now represents the primary entry point for most cyber incidents, with the majority of breaches involving human interaction rather than direct technical exploitation. In industrial environments—where operators, engineers, and third-party vendors interact across IT and OT systems—these attacks can provide a pathway into otherwise well-protected networks, making the human element a critical component of cyber-physical risk. This expands the attack surface beyond technology to include people and processes—reinforcing that cyber-physical risk is not purely a technical challenge, but one that requires integration of cybersecurity, operational discipline, and human performance.

These capabilities are particularly concerning when combined with the resources of nation-state actors and organized cyber groups. AI allows these actors to coordinate multi-stage campaigns that move from initial access to operational disruption more efficiently than ever before.

The result is a new category of risk: cyber attacks that are not just disruptive to data, but capable of causing real economic damage and physical consequences.

From Cyber Intrusion to Physical Impact

The defining characteristic of OT cyber risk is its ability to cross from the digital world into the physical world.

AI-enabled attacks can manipulate process conditions, interfere with control logic, or degrade system visibility in ways that directly impact how industrial systems behave. In highly automated environments, even small changes to sensor inputs, control parameters, control logic, or alarm functions can create cascading effects across interconnected processes. These disruptions often occur without immediate detection, allowing abnormal conditions to develop before operators can intervene.

In practice, this can lead to a range of high-consequence outcomes:

  • Unstable operating conditions
    Manipulation of setpoints, sensor readings, or control loops can push processes outside of safe operating limits. For example, false temperature or pressure signals may cause systems to overcompensate, resulting in oscillations, loss of control stability, or drift into unsafe process states.
  • Equipment damage
    Altered control logic or delayed shutdown responses can expose equipment to conditions beyond design tolerances. Overpressure, overheating, improper sequencing, or mechanical overstress can degrade or permanently damage critical assets such as reactors, compressors, turbines, or rotating equipment.
  • Production shutdowns
    Loss of control system integrity or uncertainty about system status often forces operators to initiate precautionary shutdowns. In some cases, automated trips or interlocks may activate unexpectedly, halting production. Restarting complex industrial systems can be time-consuming and requires careful validation to ensure safe conditions.
  • Environmental releases
    Disruptions to process control or safety systems can lead to loss of containment of hazardous materials. This may include uncontrolled emissions, leaks, or spills, particularly if detection systems or alarms are compromised or delayed.
  • Serious injury or fatality (SIF) risks
    The most critical consequence arises when cyber manipulation affects systems designed to protect people. Disabled alarms, altered interlocks, or incorrect process data can place workers in hazardous conditions without adequate warning, increasing the likelihood of severe incidents.

Unlike traditional IT incidents, these outcomes unfold in real time within physical systems and often under conditions of incomplete or misleading information. Operators may be forced to make rapid decisions without full visibility into system status, increasing the complexity and risk of response actions. This dynamic reinforces the need for integrated approaches that combine cybersecurity, process safety, and operational discipline to manage cyber-physical threats effectively.

AI increases this risk by enabling attackers to better understand how industrial processes operate—and how to disrupt them in ways that maximize impact.

For organizations, this reinforces a critical point: cybersecurity in OT environments is fundamentally about operational integrity and safety.

How AI Can Strengthen Defense in OT Environments

While AI is increasing the threat, it is also providing powerful tools for defense.

One of the most impactful applications is advanced anomaly detection. AI systems can analyze large volumes of operational data—sensor readings, control system outputs, and network activity—to identify subtle deviations from normal behavior. These deviations may indicate early-stage cyber activity or manipulation of system conditions.

This capability is particularly valuable in OT environments, where traditional signature-based detection methods are often insufficient.

AI also enhances vulnerability management and risk prioritization. By correlating asset criticality, system exposure, and threat intelligence, AI can help organizations identify which vulnerabilities pose the greatest operational risk. This enables more focused and effective mitigation efforts.

In addition, AI supports continuous monitoring of system integrity, helping organizations detect changes in control logic, unauthorized access attempts, or abnormal communication patterns.

These capabilities shift cybersecurity from a reactive posture to a more predictive and proactive model.

The First Documented AI-Enabled Attack on OT: A Warning Signal for Industry

A recent Dark Reading article: World’s First AI-Driven Cyberattack Couldn’t Breach OT Systems, reinforces the dual nature of AI in OT cyber risk. It described an AI-driven cyberattack attempt where adversaries reportedly used AI to support targeting and exploitation, yet still failed to breach the OT environment. That distinction matters. AI may increase the speed, sophistication, and adaptability of attacks, but strong OT fundamentals—segmentation, access control, asset visibility, monitoring, and response discipline—can still prevent a digital intrusion from becoming a physical operational event.

AI and the Future of Incident Response and Recovery

AI is also transforming how organizations respond to and recover from cyber incidents.

In the event of a disruption, AI can assist in rapid analysis of system data, helping teams identify the scope of an intrusion, isolate affected systems, and determine appropriate response actions. This reduces the time required to stabilize operations. As we’ve recently seen with a Hasbro cyberattack, it provides segregation of risk to only take impacted operations offline. This allows business to work around the affected portion of the system.

AI can also support scenario modeling and simulation. By using digital models of industrial systems, organizations can simulate how cyber incidents might unfold and test response strategies in advance. This strengthens both emergency preparedness and business continuity planning.

During recovery, AI can help guide the safe restoration of operations by analyzing system conditions, verifying configurations, and identifying potential risks associated with restart activities.

In complex industrial environments, where recovery must be carefully managed to avoid additional hazards, this capability is especially valuable.

Enabling Better Decision-Making at the Board Level

AI is not only transforming operations—it is also enhancing how organizations govern cyber risk.

Boards of directors are increasingly expected to oversee cyber-physical risk as a core enterprise issue. To do this effectively, they need clear, actionable insights that connect technical risk indicators to business outcomes.

AI can support this by aggregating data from across the organization—OT systems, cybersecurity platforms, operational metrics, and risk assessments—and translating it into decision-ready information.

AI-enabled dashboards can provide visibility into:

  • asset criticality and exposure
  • vulnerability trends
  • incident detection performance
  • resilience testing outcomes
  • potential business impact scenarios

AI can also support scenario analysis, helping boards understand how different types of cyber incidents could affect operations, safety, and financial performance.

This allows directors to make more informed decisions about risk appetite, resource allocation, and strategic priorities.

Importantly, AI enhances governance—it does not replace it. Effective oversight still depends on informed judgment, director expertise, strong leadership, and alignment between operational realities and strategic decision-making.

We will delve deeper in to the Board level actions to control cyber risk in Operational Technology in Part 4 of this series.

Integrating AI into a Cyber-Physical Risk Strategy

The true value of AI emerges when it is integrated into a broader risk management framework.

The introduction of AI into operations is happening faster than organizations change yet today they can focus on:

  • Aligning AI tools with operational risk priorities
    Establish risk-based use cases by mapping AI applications to high-consequence operational scenarios (e.g., SIF exposure, critical asset failure, business interruption), ensuring AI investments target the most impactful risks.
  • Integrating cybersecurity with safety and process risk management
    Embed cyber threat scenarios into existing safety frameworks such as PHA, HAZOP, and LOPA, and create cross-functional teams that jointly assess cyber-physical risks and define coordinated mitigation strategies.
  • Ensuring data quality and system visibility
    Develop a unified data architecture that integrates OT, IT, and safety system data, and implement data governance practices that ensure accuracy, completeness, and real-time visibility into critical operational conditions.
  • Establishing governance structures for AI use
    Define clear accountability for AI deployment, validation, and monitoring through formal governance processes aligned with enterprise risk management and board oversight expectations.
  • Maintaining human oversight and decision-making authority
    Implement human-in-the-loop controls for AI-driven insights, ensuring that critical operational and safety decisions are reviewed and validated by qualified personnel before execution.

Safety professionals, cybersecurity experts, and operational leaders must work together to ensure that AI-driven insights are translated into practical actions that enhance system safety, strengthen resilience, and reduce operational risk.

Conclusion: Navigating the AI-Driven Risk Landscape

Artificial intelligence is redefining both sides of the cyber risk equation. It is enabling more sophisticated attacks on operational technology, while also providing new capabilities to defend, detect, and recover from those threats.

For industrial organizations, the challenge is not simply to adopt AI, but to apply it effectively within the context of operational risk, safety, and governance.

Those that succeed will be organizations that:

  • understand the physical consequences of cyber threats
  • leverage AI to enhance visibility and decision-making
  • integrate safety, cybersecurity, and operational resilience
  • align plant-level insights with board-level oversight

In the next part of this series, we move from strategy to execution—examining how safety professionals and EHS leaders can operationalize these concepts through structured risk management practices, metrics, and systems that support effective decision-making.

Looking Ahead to Part 3

AI is reshaping both cyber threats and defenses—but technology alone is not enough. The real value comes from how organizations integrate these capabilities into their risk management systems.

In Part 3, we move to execution—showing how safety professionals translate cyber-physical risk into practical frameworks, metrics, and actions that strengthen protection and resilience.

References:

Nelson, N. (2026, May 7). World’s first AI-driven cyberattack couldn’t breach OT systems. Dark Reading. Web:https://www.darkreading.com/ics-ot-security/worlds-first-ai-driven-cyberattack-couldnt-breach-ot-systems

Posted in AI, enterprise risk management, Technical Skills | Tagged , , , , , , , , , , , , , , , , , , | Leave a comment

Cyber-Physical Risk in the Age of AI: How Safety Leaders and Boards Can Protect Operational Technology – Part 1

Posted on March 26, 2026 by Chet Brandon

Chet Brandon and Fay Feeney

Series Introduction: Managing Cyber-Physical Risk in the Age of AI

Industrial organizations are entering a new era of risk—one defined by the convergence of artificial intelligence, cybersecurity, and operational technology. Systems that once operated in relative isolation are now highly connected, data-driven, and increasingly automated. While this transformation is unlocking significant gains in efficiency, productivity, and decision-making, it is also exposing critical operations to a new class of cyber threats with the potential to cause real economic and physical harm.

Unlike traditional cybersecurity risks, attacks on operational technology do not stop at data loss or system downtime. They can disrupt physical processes, damage equipment, trigger environmental releases, and create conditions that lead to serious injury or fatality. As AI accelerates both the scale and sophistication of cyber threats, the challenge facing organizations is no longer simply one of protecting information—it is about protecting operations, people, and enterprise value.

This four-part series explores how organizations can respond to this evolving threat landscape by integrating insights from safety, cybersecurity, operations, and board governance. It reflects a critical reality: no single function can manage cyber-physical risk alone. Success requires alignment from the plant floor to the boardroom.

  • Part 1 examines how cyber risk in operational technology environments becomes safety risk, and why safety professionals play a central role in managing these threats.
  • Part 2 explores the dual role of artificial intelligence—both as a driver of more sophisticated cyber attacks and as a powerful tool for defense, resilience, and governance.
  • Part 3 provides a practical operational playbook, outlining how EHS professionals identify, prioritize, and manage OT cyber risk, including the metrics and systems that support effective decision-making.
  • Part 4 brings the discussion into the boardroom, focusing on governance, oversight, and the role directors play in managing cyber-physical risk as a core enterprise issue.

At its core, this series is about connection—connecting digital risk to physical consequences, connecting operational insight to strategic decision-making, and connecting the expertise of safety professionals with the oversight responsibilities of corporate boards.

The organizations that succeed in this environment will be those that recognize cyber risk for what it has become: a core operational and strategic risk that demands integrated thinking, disciplined execution, and leadership across the enterprise.

AI, Cybersecurity, and Operational Technology: Why Safety Professionals Hold the Key to Industrial Resilience

Introduction: AI, Cyber Conflict, and the New Threat to Operational Technology

The rapid advancement of digital technologies including artificial intelligence is transforming many aspects of the global economy. It is also reshaping the landscape of cyber conflict. AI-enabled tools and soon quantum computing are dramatically lowering the barrier to entry for sophisticated cyber operations, allowing attackers to identify vulnerabilities, automate reconnaissance, generate exploits, and coordinate attacks at a speed and scale that was previously impossible. As a result, cyber threats are evolving from isolated acts of digital intrusion into increasingly coordinated efforts capable of causing real economic disruption and physical damage.

This shift is particularly concerning for operational technology (OT)—the automated control systems that operate industrial facilities, energy infrastructure, transportation networks, and other critical components of modern economies. Unlike traditional information technology systems, OT environments control physical processes. Distributed control systems, industrial control networks, robotics, and safety instrumented systems regulate everything from chemical reactions and electrical generation to manufacturing lines and pipeline operations.

When these legacy systems are compromised, the vulnerabilities and consequences extend far beyond lost data or financial fraud. Cyber intrusions into OT environments can result in production shutdowns, equipment damage, environmental releases, and threats to worker safety.

In addition to economically incentivized hackers operating alongside of nation-state actors increasingly recognize the strategic value of targeting operational technology. Disrupting industrial operations can weaken economic stability, undermine public confidence, and create cascading supply chain effects across entire industries.

The addition of AI-driven cyber capabilities amplifies this risk by enabling adversaries to more effectively identify vulnerabilities within complex industrial systems and develop targeted attacks against critical infrastructure and automated manufacturing environments.

Two Perspectives on Operational Technology Risk

Operational technology cyber risk is often discussed through the lens of cybersecurity specialists and IT professionals. Yet the most consequential impacts of these attacks occur not in data centers, but in industrial facilities where automated systems control physical processes. Understanding and managing this risk requires perspectives that span both operational realities and enterprise governance.

Chet Brandon brings the perspective of a safety and operational risk leader with more than three decades of experience in highly automated heavy industries—including chemicals, metals, aerospace, and advanced manufacturing. In these environments, distributed control systems, safety instrumented systems, robotics, and other forms of operational technology are central to maintaining safe and reliable operations.

Fay Feeney brings a complementary perspective grounded in decades of experience advising corporate boards and insurance organizations on enterprise risk, governance, and emerging technology threats. Her work focuses on how boards evaluate complex risk landscapes, allocate resources, and oversee organizational resilience in the face of rapidly evolving threats—including cyber risk.

Together, these perspectives provide a more complete view of the challenge organizations face today. Cyber attacks targeting operational technology sit at the convergence of safety risk, business interruption, and enterprise governance.

When Cyber Risk Becomes Safety Risk

Operational Technology systems form the operational backbone of modern industry. When these systems are compromised, cyber risk quickly becomes operational risk—and in many cases, a direct threat to worker safety.

An attacker who gains access to operational control systems can manipulate process conditions, disable alarms, or interfere with automated shutdown protections. These disruptions can create pathways to serious injury or fatality (SIF) events, including:

  • loss of containment of hazardous materials
  • unexpected equipment startup
  • overpressure events
  • runaway chemical reactions

These are not hypothetical scenarios. They are the same failure modes safety professionals work every day to prevent.  More strategic opportunities exist to provide options to leaders to intelligently mitigate and transfer the risk.

Why Safety Professionals Are Critical to OT Risk Management

Safety professionals in high-hazard industries have long been responsible for managing low-probability, high-consequence risks—events that can result in serious injuries, environmental harm, major equipment damage, or extended operational disruption. Their work relies on structured methodologies designed to understand how complex industrial systems behave under abnormal conditions, how failures can propagate, and how safeguards prevent catastrophic outcomes.

Disciplines such as Process Hazard Analysis (PHA) and Hazard and Operability Studies (HAZOP) systematically examine how deviations in parameters like pressure, temperature, or flow can create unsafe conditions. These tools encourage teams to evaluate “what if” scenarios and identify the controls needed to maintain safe performance. In operational technology environments, the same approaches can be used to assess how cyber manipulation of control systems, sensor inputs, or alarm functions might lead to unsafe process states.

Failure Mode and Effects Analysis (FMEA) provides a structured way to identify potential failure points in equipment, instrumentation, and control logic, helping organizations prioritize vulnerabilities that present the greatest operational risk. Layers of Protection Analysis (LOPA) further evaluates whether safeguards—such as safety instrumented systems, operator actions, or emergency shutdown procedures—provide sufficient risk reduction, even when digital controls are compromised.

Beyond these tools, safety professionals bring a systems perspective that connects cybersecurity concerns with real operational consequences. They understand how technical, human, and organizational factors influence resilience. As industrial systems become more connected, safety leaders serve as a critical bridge between cybersecurity experts and operational teams, helping integrate cyber risk management into established operational risk frameworks and strengthening the organization’s ability to anticipate, withstand, and recover from cyber-physical disruptions. This unique collection of knowledge can be used to understand how cyber intrusions might manipulate industrial processes. Safety professionals therefore provide a critical bridge between cybersecurity experts and operational leaders.

The Business Interruption Dimension

Cyber disruption of operational technology can trigger large-scale business interruption. In continuous manufacturing industries—such as chemicals, metals, energy generation, and advanced manufacturing—even short outages can have cascading consequences across supply chains. Production losses can quickly reach tens or hundreds of millions of dollars.

Understanding these consequences requires operational insight that safety and operations professionals bring to risk discussions. Without this expertise the systemic nature of the risk is likely not identified, leading to widespread damage and losses. 

The Growing Importance of Operational Resilience

Safety professionals play a central role in designing resilient industrial systems by focusing on anticipating failures, limiting escalation, and enabling safe recovery when disruptions occur. Their systems-based approach—developed through decades of managing high-hazard operations—is directly applicable to cyber-physical risk.

  • Layered safety protections are fundamental to resilience. By establishing multiple independent barriers such as engineered safeguards, safety instrumented systems, alarm strategies, and trained operator responses, safety professionals reduce reliance on any single control. In cyber-physical events, redundancy, manual override capability, and physical isolation measures can help maintain safe conditions even if automated systems are compromised.
  • Emergency response frameworks further strengthen resilience by providing structured processes to stabilize operations during crises. Incident command systems, clear escalation protocols, and coordinated response plans enable organizations to shift to manual control, implement protective shutdowns, and safeguard personnel when digital system integrity is uncertain.
  • Management of change (MOC) processes also play a critical role. As industrial environments become more digitally integrated, safety professionals help evaluate how software updates, network changes, or remote connectivity may introduce new operational vulnerabilities. This proactive discipline supports more reliable system performance and safer recovery from disruptions.
  • Finally, incident investigation and business continuity communication practices help organizations learn and adapt. Rigorous root cause analysis of cyber-physical events can reveal weaknesses in safeguards, procedures, or training, while structured communication ensures accurate information reaches employees, leaders, regulators, and customers during disruptions.

Taken together, these principles demonstrate how safety leadership contributes to an organization’s ability not only to prevent incidents but also to withstand and recover from them. By applying proven approaches from process safety and operational risk management to emerging cyber threats, safety professionals help create industrial systems that are more robust, adaptive, and capable of maintaining safe performance in an increasingly connected and uncertain risk environment.

These risks are driving a growing focus on operational resilience across industrial organizations. In highly automated environments where digital systems control physical processes, resilience is the capability of an organization to continue operating safely even when systems are disrupted or operating conditions become uncertain. It reflects not only the strength of technology and infrastructure, but also the effectiveness of organizational planning, training, and decision-making during abnormal events.

Resilience begins with the ability to anticipate disruptions. This requires organizations to understand where vulnerabilities exist within their operational technology environment and how cyber threats could affect process conditions, safety systems, or plant operations. Scenario analysis, risk assessments, and proactive monitoring of system performance help identify potential failure pathways before they escalate into operational crises.

The second element is the ability to maintain safe operations under abnormal conditions. Industrial systems must be capable of continuing to function safely even when automated controls are degraded or compromised. This often requires layered protections, trained operators who can recognize abnormal situations, and procedures that allow plants to transition to safer operating modes when system reliability is uncertain.

Finally, resilience depends on the ability to recover quickly from incidents. When disruptions occur, organizations must be able to isolate affected systems, stabilize operations, and restore normal production safely and efficiently. Effective recovery requires clear response procedures, coordinated decision-making, and the capability to restart complex industrial processes without creating additional safety risks.

Ultimately, operational resilience has become one of the defining capabilities of modern industrial organizations. As automation, connectivity, and AI-driven technologies continue to reshape how facilities operate, the margin for error narrows while the potential consequences of disruption grow. In this environment, resilience is not simply a technical attribute—it is a leadership outcome shaped by disciplined risk management, informed decision-making, and the ability to translate complex threats into practical operational safeguards. Safety professionals play a pivotal role in this effort by ensuring that industrial systems are designed to withstand shocks, adapt under pressure, and recover without compromising the protection of people, the environment, or business continuity. Organizations that embed these resilience principles into their operations will be better positioned not only to manage cyber-physical risk, but also to sustain performance and trust in an increasingly uncertain industrial future.

Looking Ahead

Cyber threats targeting operational technology represent one of the most significant emerging risks facing industrial organizations. Understanding and addressing this risk requires collaboration across disciplines—from plant operations to cybersecurity to board governance.

In the next article in this series, we examine how artificial intelligence is changing the nature of cyber threats—and how it can also help organizations defend against them.

Posted in AI, Artificial Intelligence, Design for Safety | Tagged , , , , , , , , , , , , , , | Leave a comment