Risk Management and Safety

risk-managementIf you’re in safety or EHS, you may have heard of risk management.

Maybe you know exactly what that means. If so, great.

But maybe you don’t, and maybe you’ve wondered. If so, this post is for you. We’ll explain what risk management is and how risk management and safety are related.

Let’s start by defining some terms. ISO Guide 73:2009 includes the following definitions:

  • Risk–the effect of uncertainty on objectives
  • Risk management–coordinated activities to direct and control an organization with respect to risk

Now let’s look at each of those a little more closely in the sections below.

And if this article has caught your attention,  with it’s forward-thinking-focus,  you may also enjoy our article on EHS leading indicators.


The definition from ISO Guide 7903 says risk is “the effect of uncertainty on objectives.” Let’s break that down a bit.

The average business has any number of objectives. These include things like creating a new product, making a profit, and ensuring safety (but there are lots more, as you’d imagine).

Various things can have an effect on a business’s chances of meeting each of those objectives. Those effects, in which the outcome can depart from expectations, can be either positive or negative. So yes, risk management studies both things that affect objectives in a positive sense AND things that affect objectives in a negative sense. (Still, it’s probably most common to think of risk management and to perform risk management for risks that have negative effects.)

Risk Management

ISO 7903 not only states that risk management is the set of “coordinated activities to direct and control an organization with respect to risk,” it also fleshes that out for us a bit. According to the standard, the risk management process includes the following activities related to risk:

  • Communicating and consulting
  • Establishing a context
  • Identifying
  • Analyzing
  • Evaluating
  • Treating
  • Monitoring
  • Reviewing

We’ll look more closely at several of these aspects below–especially risk identification, risk analysis, risk evaluation, and risk treatment.

Risk, Risk Management, and Safety

As noted above, risk and risk management apply to many different parts of a business or organization. For example, risk management is big in finance, and if you read up on the Enron scandal or the recent Great Recession, you’ll run into references to the risk management departments of the companies involved. Likewise, pharmaceutical industries take great interest in risk management, and when a class of drugs called NSAIDs (this include ibuprofen) were found to elevate the risk of cardiac problems, the risk management departments at these companies sprung into action.

But in this article, we’re primarily interested in risk management and how it applies to EHS and safety. In particular, to risks with a possible negative effect–pretty much what OSHA calls a hazard. Here’s OSHA’s definition of a hazard drawn from an OSHA guide to the job hazard analysis:

“A hazard is the potential for harm. In practical terms, a hazard often is associated with a condition or activity that, if left uncontrolled, can result in an injury or illness. “

So in the context of safety or EHS, risk management is primarily concerned with identifying, analyzing, evaluating, and “treating” the risk to avoid, control, reduce, accept, or transfer the risk. That’s what we’ll focus on for the rest of this post.


Identify the Risk

Risk management begins with risk identification. Let’s begin by seeing how ISO 7903 explains this phase (we’ll do the same thing with the other phases listed below too).

Risk identification is “process of finding, recognizing and describing risks….it involves the identification of risk sources, events, their causes, and their potential consequences.” 

And since we’re talking about safety and hazards, let’s see what ISO 7903 has to say about hazards:

A hazard is “a source of potential harm” and a hazard “can be a risk source.”

How does a safety expert identify risks (what we’re calling hazards in this safety-specific example)? The job hazard analysis is a good place to start. Read our earlier blog post about the job hazard analysis or check out this OSHA guide to the job hazard analysis for more information on that.

Analyze the Risk

Once you’ve identified a risk, it’s time to analyze it. Here’s the description from ISO 7903:

Risk analysis is a process undertaken to “comprehend the nature of risk and to determine the level of risk.” ISO 7903 also states that “risk is often expressed in terms of a combination of the consequences of an event…and the associated likelihood of occurrence.”

To put that into every day language, once you’ve identified a risk, analysis includes the process of determining:

  1. What are the chances that the risk or hazard will cause some kind of problem (an injury or illness in safety and health terms, a leak or release or expose in environmental terms)? This is often referred to as the probability or likelihood that the hazard will lead to a negative effect.
  2. If the risk DID create a problem, how big of a problem would that be? This is often referred to as the consequence or severity.

These two ideas–the likeliness that the risk or hazard could cause cause harm and the severity of the consequences–are often displayed in a risk matrix.

Risk Matrix

You can create a risk matrix to represent the likelihood and severity of a given risk (or hazard).

The matrix is typically set up to allow you to analyze two different characteristics of the risk. These are the risk’s likelihood (or probability) and its severity (or consequences). Each can be categorized from lesser to greater, as shown below.

Likelihood or probability (these go in order from least likely to most likely)

  • Rare
  • Unlikely
  • Possible
  • Probable
  • Very likely

Severity or consequence (these go in order from least severe to most severe)

  • Minor
  • Serious
  • Major
  • Catastrophic/critical

The risk matrix is often presented in a table, as shown below.

Minor Serious Major Catastrophic/Critical
Very Likely

As you’d guess, for each risk (or hazard), you’d determine the likelihood and the severity and check the appropriate box in the table.

For example, here’s risk that’s happens only rarely and would lead to only minor harm.

Minor Serious Major Catastrophic/Critical
Very Likely
Rare X

And, here’s a risk that is very likely to occur and would lead to a catastrophe.

Minor Serious Major Catastrophic/Critical
Very Likely X

The risk matrices shown above are just one example of how you can do this. You and/or your organization may make your own, and here are a few others to consider:

Evaluate the Risk

Once you’ve analyzed the risk, perhaps putting it into your risk matrix, it’s time to evaluate. Here’s how ISO 7903 explains evaluation:

Risk evaluation is the “process of comparing the results of risk analysis with risk criteria to determine whether the risk and/or its magnitude is acceptable or tolerable.”

In other words–once you’ve analyzed the risk to determine its likelihood and its severity, are you willing to “live with it” or do you want to do something to address the risk?

Risk evaluation includes a process of ranking the risks in terms of their magnitude–the biggest risks to the smallest risk–and comparing them against a set of risk criteria to determine which risks should be addressed.

Here’s what ISO 7903 has to say about risk criteria:

Risk criteria are “terms of reference against which the significance of a risk is evaluated…risk criteria are based on organizational objectives and external and internal context…risk criteria can be derived from standards, laws, policies, and other requirements.”

Considering our two examples above, a risk that’s a near certainty to cause harm and that would lead to catastrophic consequences is something you wouldn’t find acceptable or tolerable. By contrast, if something’s very unlikely to happen and would cause only a minor issue if it did occur, you probably would find that risk acceptable or tolerable.

Treat the Risk

With the risk identified, analyzed, and evaluated, it’s time to consider treating the risk. What does that mean?

Here’s how ISO 7903  states explains risk treatment:

Risk treatment is a “process to modify risk…risk treatment can involve avoiding the risk by deciding not to start or continue with the activity that gives risk to the risk, taking or increasing risk to pursue an opportunity, removing the risk source, changing the likelihood, changing the consequences, sharing the risk with another party or parties, and retaining the risk by informed decision.”

Let’s look at a few of those treatment options in the context of safety.

First, consider “retaining the risk by informed decision.” This would be a situation in which you’ve decided you’re willing to accept the risk and do nothing to modify it. This would probably be something like a risk that happens only rarely and that leads to minor consequences.

Next, consider “sharing the risk with another party.” An example would be getting an insurance policy to cover your building in the event of fire.

Finally, consider “avoiding the risk by deciding not to start or continue with the activity that gives rise to the risk.” An example of this would be recognizing that a production process results in dangerous off-gassing and halting production.

Since you’re presumably a safety expert if you’ve read this far, we assume you can think of your own examples for “removing the risk source,” “changing the likelihood,” and “changing the consequences.”

As a group, the risk treatments that deal with negative consequences are often referred to as risk mitigation, risk elimination, risk prevention, and/or risk reduction. We discuss those in further detail in the next section.

Deliver. Report. Manage. Convergence Training EHS Course Library

Risk Treatments for Safety: The Hierarchy of Controls

In safety, there ARE some risks that you’re willing to tolerate, but there are lots that you’ll want to “treat” by controlling them. One standard way to select a control (or several controls) for a specific hazard is by working through the hierarchy of controls.

The idea behind the hierarchy of controls is to work though different classes or types of controls when you’re trying to figure out how to control a specific hazard. Those types of controls are listed in order within a hierarchy. You should try the first type of controls–shown at the top of the list below–before you go on to the second, third, and fourth type of controls.

With that said, here’s the hierarchy of controls:

  • Elimination or Substitution
  • Engineering Controls
  • Administrative Controls
  • Personal Protective Equipment

So, for every hazard you’re trying to control, you’d consider elimination or substitution first, engineering controls next, administrative controls after that, and then finally personal protective equipment (PPE). In some cases, you’ll use more than one type of control, and PPE should be considered only a last means of controlling a hazard.

Here’s a helpful OSHA document if you want more information on the hierarchy of controls.

And here’s an article we wrote about the hierarchy of controls, which even includes a free Hierarchy of Controls eLearning course you can watch online (for free) or download a copy of (for free).

Risk Management Standards and Guides

We’ve referenced ISO 7903 throughout this article, but there are several different risk management standards. Here are a few:

To top that off, here’s a nice comparison of the risk management standards above.

Risk Management and Safety: Your Experiences and Thoughts?

We’d be curious to know your own exposure and experience with risk management. If you’re involved in safety at work, does your company have a risk management program? Either way, do you use some or all of these techniques described above at work? What are your experiences with them?


Effective EHS Training: A Step-by-Step Guide

Learn how to design, create, deliver, and evaluate effective EHS training by following these best practices with our free step-by-step guide.

Download Free Guide



Jeffrey Dalto

Jeffrey Dalto

Jeffrey Dalto is an Instructional Designer and the Senior Learning & Development Specialist at Convergence Training. Jeff has worked in education/training for more than twenty years and in safety training for more than ten. You can follow Jeff at LinkedIn as well.

8 thoughts on “Risk Management and Safety

  1. Nowadays the paper still beats the Technics. A proper planning doesn’t mean a proper control if the established barriers in risk management are not practically in place. So again the practice needs to beat the theory to have an efficient risk management, although the theory is the base of knowledge. I’ve encountered many times in the work site a proper planning in the papers, was looking grate, but just in the papers; the reality was different. So this is another risk that we assumed, not to put in practice the control measures established since the planning stage of the job.

    1. George, very true.

      Someone made a similar comment in a recent blog post we ran about the JHA (job hazard analysis), although I think that person said that simply doing the JHA and stating that certain controls had to be put into place wasn’t enough, but that putting those desired controls down on paper tended to help ensure that they’d take place in real life as well. Still, it’s the same basic point–talking/writing about it or doing it, and something’s only really done when it is, in fact, done.

    1. Ayub, glad you liked it.

      Stay tuned…we’ve got a larger, more comprehensive article about Risk Perception that we are planning to write soon.

      And even before that, there’s an article coming up about EHS Leading Indicators that you may find interesting.

      Have a good one, and thanks for the comment.

Leave a Reply

Your email address will not be published. Required fields are marked *