AI Generated by Fortune India
From compliance to effectiveness: The next shift in operational risk managementJuly 9, 2026, 18:26 IST
Loading AI Hub...
Disclaimer : Certain content on this page, including summaries, timelines, FAQs, glossaries, highlights, insights, and other supplementary informational features, maybe generated or assisted by artificial intelligence tools. While reasonable efforts are made to review and verify such content, AI generated output may occasionally contain errors, omissions or inconsistencies. Readers are advised to independently verify any information before relying upon them for professional, legal, financial, medical or other decisions. The publisher along with its affiliates and contributors do not warrant accuracy of AI-generated content and disclaim any liability, loss or damage arising from its use.

From compliance to effectiveness: The next shift in operational risk management

/4 min read

ADVERTISEMENT

The organisations that outperform are those that move beyond measuring compliance and focus on whether the actions taken on paper translate into safer operations in practice.
From compliance to effectiveness: The next shift in operational risk management
Many organisations measure risk management performance through audits, absence of non-compliance, training completion rates, and reporting metrics.  

While compliance remains an important foundation, effectiveness on the ground is what ultimately matters. As India’s manufacturing, infrastructure, energy, and process industries continue to scale and become more complex, organisations face a different challenge: distinguishing activity from effectiveness. Being busy is not the same as creating value. Procedures may be completed, audits may be passed, and dashboards may remain green, but none of these guarantees that critical risks are understood or controlled.

Sign up for Fortune India's ad-free experience
Enjoy uninterrupted access to premium content and insights.

The organisations that outperform are those that move beyond measuring compliance and focus on whether the actions taken on paper translate into safer operations in practice. The real measure of operational risk management is not the quality of the documentation, but whether organisations can identify, prioritise, and manage the risks that matter most before failures occur.

Recent industrial incidents reinforce why this distinction matters more than ever. The challenge is rarely an absence of procedures, governance frameworks, or compliance requirements. More often, organisations become highly effective at developing policies, procedures, and standards that satisfy requirements but fail to influence behaviours and decisions where work is actually performed. Detailed standards designed to improve safety meet the intent but rarely end up delivering the desired outcome of “zero incidents”.

Compliance creates confidence, complacency, and a false sense of security. However, this does not translate into continuous improvement in awareness and risk reduction. The watermelon remains green on the surface while red inside, hiding serious gaps and lapses in practice.

The Limits of the Compliance Mindset

Compliance-led risk management is designed for accountability, assurance and consistency. But it alone does not ensure that critical risks are understood, prioritised, and managed on the shop floor, where most serious incidents originate.

Many organisations measure risk management performance through audits, absence of non-compliance, training completion rates, and reporting metrics. While valuable, these indicators often say little about whether the controls preventing catastrophic events are functioning effectively.

After every incident, organisations tend to add another procedure, another checklist, another control, another layer of reporting. Over time, the system and processes become more complex, teams lose sight of what’s mission-critical versus what’s merely administrative, and that loss of clarity becomes a risk in its own right. This also adds to “procedural fatigue” where people are required to fill out more documents over time. “Risk awareness” as a concept gets buried under mountains of documented routines.

Effective operational risk management asks a different set of questions: Are critical risks genuinely being controlled? Are people making safer, better decisions under real operating conditions? Are controls resilient enough to prevent incidents, not just satisfy audit requirements?

This is where technology, including AI-enabled analytics, is helping organisations identify patterns, detect weak signals, and monitor the health of critical controls far earlier than traditional reporting allows. But technology is only useful when leaders use these insights to sharpen focus, direct attention, resources, and accountability toward the risks that matter most.

From Policy to Practice: Where the Work Actually Happens

Operational risk management that exists only in policy documents, dashboards and board presentations is not risk management. It is risk theatre, mistaking reporting for reality, activity for effectiveness, and compliance for control.

The organisations that outperform are rarely those with the most documentation. They are the ones that create visibility, accountability, and discipline around the risks that matter most.

This shift demands a move beyond checklists towards understanding how work is actually performed. It requires leaders to focus on the strength of operational discipline, quality of critical controls, and the behaviours that shape everyday decisions.

First, leadership is visible and accountable. Senior leaders do not delegate risk to a safety function and assume it is managed. They spend time on the floor, observing, engaging, and asking questions, making it clear that production never takes precedence over the integrity of critical controls. The signals leaders send determine whether people feel safe raising concerns or feel pressure to work around them.

Second, frontline teams have genuine ownership. Across metals, mining, and process industries, some of the most significant improvements in operational safety have come not from new systems but from giving frontline supervisors and operators clear, simplified accountability for a defined set of critical controls, with the authority and expectation to act when those controls are compromised. Clarity of ownership, more than sophistication of process, is what creates discipline in the field.

Third, contractor risk should be treated with the same discipline as any permanent employee risk. A disproportionate share of serious incidents in the Indian industry involves contractor workforces. But legislation sets a floor, not a ceiling. Organisations that wait for compliance requirements before integrating contractor safety into core operating systems are often responding to risk too late.

Culture is not defined by what is written in standards, but by what leaders consistently demonstrate, what organisations are willing to challenge, and what frontline workers choose to tolerate.

The Business Case Is Already Made

The conversation around operational risk effectiveness is too often framed as a safety issue, when in reality it is a business performance issue. An unplanned shutdown, a serious incident, or regulatory intervention creates consequences far beyond the immediate event, from lost production and supply chain disruption to weakened investor confidence and lasting reputational damage. In capital-intensive industries, operational resilience is becoming a competitive advantage.

Boards increasingly recognise operational resilience as a strategic capability, not simply an HSE responsibility. As India's high-risk industries continue to scale, compliance will remain an essential foundation, but it is not enough.

The future belongs to organisations that treat compliance as the baseline and effectiveness as the objective. When operational risk management systems are measured by outcomes rather than activities, it becomes a strategic enabler of resilience, reliability and sustained business performance.

The question leaders should now be asking is no longer, “Are we compliant?” but “Are we effective?”

(The author is India Managing Director, dss+. Views are personal.)