There is nothing quite like a difference around a particular risk assessment technique to ruffle feathers. Working as a Certification Auditor in various industries and as a Clients Agent in the Construction Industry I have seen some interesting risk assessment techniques to say the least.
To some people a risk assessment technique is like an algebra equation where there is only one method that can be applied to reach the desired answer, I strongly disagree. There is nothing like preparing a risk assessment for a project which is based on internationally recognised standards to have someone say that they want you to redo the entire process because they feel they have found the one and only risk assessment technique.
I have had the great privilege over the past 10 years of training under and lecturing with Professor Johan Nel & Theunis Meyer for North West University – Centre for Environmental Management. This relationship has generated some very interesting discussion on the topic and help inform my own technique of risk assessment.
In this month’s blog I thought I would touch on this Holy Grail of a topic to generate some thought provoking discussion. Please note that I am not saying that I have achieved risk assessment nirvana or found the holy grail, I prompt discussion merely as a risk assessment scholar who is passionate about risk assessment and achieving an assessment outcome that is value adding and will hold water if held up to external scrutiny.
I would say that more than 60% of the risk assessments I have seen as an auditor would not stand up in a court of law as they do not meet basic legal minimum requirements and were basically prepared as a quick and dirty on a Friday afternoon.
So where do I begin, well perhaps a starting point would be the objective outcome of a risk assessment. Here I would start with the Law, ostensibly the regulators states that the point of OHS Legislation is for the prevention of injury and ill health in the workplace i.e. – (To provide for the health and safety of persons at work, the health and safety of persons in connection with the use of plant or machinery, and the protection of persons other than persons at work against hazards to health and safety arising out of or in connection with the activities of persons at work; to establish an advisory council for occupational health and safety; and to provide for matters connected therewith). So therefore a risk assessment is a tool for that task. In the case of OHSAS 18001:2007 the risk assessment is the foundation of the system and a key tool in achieving those commitments made in your OHS Policy.
I would like to suggest that when a risk assessment is reviewed that it be done against legal requirements and international standards.
Legislation does not provide us with a method for risk assessment, it does however state that:
1. Hazards must be identified
2. Risk must be assessed and reduced as far as is reasonably practicable
3. A hierarchy of controls applied to hazards before resorting to PPE i.e.
c. Engineering Controls (isolate; segregate; contain etc)
d. Administrative Controls (training, supervision, inspections, etc)
4. Hazard identification should incorporate OHS Representatives (and various roll players as part of the team) and for health related issues external subject matter experts and their analysis.
5. Hazard identification, risk assessment and suitable mitigation should be applied to the life cycle of your activity as alluded to in the OHS act i.e. transportation; handling, use, storage, waste etc.
Let’s also use ISO 31000 as a guide for suitable risk assessment techniques.
ISO 31000 proposes the following approach for risk assessment:
1. Mandate & Commitment – do you have permission and authority to proceed
2. Design a Framework for managing risk – confirm technique and train participants
3. Implement risk management:
a. Communication& Consultation
b. Establish Context – who , what, where, when, how , how much, how long etc
c. Risk Assessment:
i. Risk Identification – process of finding, recognizing and describing risks
ii. Risk Analysis – process to comprehend the nature of risk and to determine the level of risk
iii. Risk Evaluation – process of comparing the results of risk analysis with risk criteria to determine whether the risk and/or its magnitude is acceptable or tolerable
iv. Risk Treatment – process to modify risk
4. Monitor & Review
5. Continual Improvement
Having prepared many Health & Safety Specification for Construction Projects I state that the above mentioned legal requirements and internationally recognised techniques should be considered in your risk assessment but im not dictatorial in my approach.
If I found a risk assessment which did not meet the basic minimum requirements I would challenge it, however if someone had used a different approach which was still value adding and met basic legal minimum requirements and followed the above international standards im happy to accept it.
I wonder how much risk is created in projects by forcing someone to use a foreign technique to assess risk. I not saying for a minute that weak risk assessment techniques should not be corrected, but I would propose that we evaluate the process against a similar guideline as above.
A simple process I use for risk assessment is detail below (but not limited to)
1. Populate hazards from the hazard & aspect checklist into the hazard assessment
2. Consequence – what is the consequence if exposed to the hazard i.e serious injury & electrocution
3. SHEQ – is the hazard related to Safety, Health, Environmental or Quality (if applicable to multiple each hazard must be assessed individually
4. Who’s at Risk – who is exposed to the hazard i.e. the operator and assistant or the public
5. Inc History – Are you aware of previous incidents associated with the hazard (this is key information to assess Consequence, Likelihood & effectiveness of controls)
6. Exposure – how many times and for how long are employees exposed to the hazard (aids in confirming Likelihood)
7. Consequence – Outcome of the hazardous event i.e. multiple fatalities or minor injury
8. Likelihood – Chance of the hazardous event happening
9. PR – Pure Risk the estimation of combination of the consequence and likelihood
10. Engineering – As per the info from the Hazard & Aspect Checklist state the existing Engineering Controls
11. Administration – As per the info from the Hazard & Aspect Checklist state the existing Administration Controls i.e. Signage, Supervisions, Training, Audits & Inspections
12. PPE – Personal protective equipment directly involved in mitigating the hazard i.e. ear plugs
13. Control Type: Do the existing controls affect consequence of likelihood (too many teams change the outcome of the residual risk when their controls only affect likelihood)
14. Effective – Are the stated controls effective i.e. are they are per the legal requirements and based on incidents and the outcome of inspections are the controlling the risk.
15. Consequence – Outcome of the hazardous event i.e. multiple fatalities or minor injury
16. Likelihood – Chance of the hazardous event happening
17. RR – Residual Risk the estimation of combination of the consequence and likelihood after considering the hierarchy of controls, their type and effectiveness
18. Action – Risk Estimation Outcomes:
• Tolerate and Maintain can be stated for all acceptable risks i.e Maintain & Alarp
• Risks that are rated as treat will be linked to an action plan and addressed through the hierarchy of controls
• Risks rated as Intolerable can be eliminated or some form of substitution sought
A risk assessment is an exceptionally value adding process, it can be highly complex and require a team of competent persons. Risk assessment techniques vary, however a common framework in regards to objective, process and outcome can be agreed upon. When reviewing a risk assessment don’t throw the baby out with the bath water, look if the objective, process and outcome meets the legal and international standards requirements. Find ways of working together to achieve the project outcome.