If you’re in safety or EHS, you may have heard of risk management.
Maybe you know exactly what that means. If so, great.
But maybe you don’t, and maybe you’ve wondered. If so, this post is for you. We’ll explain what risk management is and how risk management and safety are related.
Let’s start by defining some terms. ISO 31000, the international standard about risk management, includes the following definitions:
- Risk–the effect of uncertainty on objectives
- Risk management–coordinated activities to direct and control an organization with respect to risk
Now let’s look at each of those a little more closely in the sections below.
The definition from ISO 31000 says risk is “the effect of uncertainty on objectives.” Let’s break that down a bit.
The average business has any number of objectives. These include things like creating a new product, making a profit, and ensuring safety (but there are lots more, as you’d imagine).
Various things can have an effect on a business’s chances of meeting each of those objectives. Those effects, in which the outcome can depart from expectations, can be either positive or negative. So yes, risk management studies both things that affect objectives in a positive sense AND things that affect objectives in a negative sense. (Still, it’s probably most common to think of risk management and to perform risk management for risks that have negative effects.)
ISO 31000 not only states that risk management is the set of “coordinated activities to direct and control an organization with respect to risk,” it also fleshes that out for us a bit. According to the standard, the risk management process includes the following activities related to risk:
- Communicating and consulting
- Establishing the context
- Risk identification
- Risk analysis
- Risk evaluation
- Risk treatment
- Monitoring and review
We’ll look more closely at several of these aspects below–especially risk identification, risk analysis, risk evaluation, and risk treatment.
Risk, Risk Management, and Safety
As noted above, risk and risk management apply to many different parts of a business or organization. For example, risk management is big in finance, and if you read up on the Enron scandal or the recent Great Recession, you’ll run into references to the risk management departments of the companies involved. Likewise, the pharmaceutical industry takes great interest in risk management, and when a class of drugs called NSAIDs (this includes ibuprofen) was found to elevate the risk of cardiac problems, the risk management departments at these companies sprang into action.
But in this article, we’re primarily interested in risk management and how it applies to EHS and safety, and in particular to risks with a possible negative effect, which is pretty much what OSHA calls a hazard. Here’s OSHA’s definition of a hazard, drawn from an OSHA guide to the job hazard analysis:
“A hazard is the potential for harm. In practical terms, a hazard often is associated with a condition or activity that, if left uncontrolled, can result in an injury or illness.”
So in the context of safety or EHS, risk management is primarily concerned with identifying, analyzing, evaluating, and “treating” the risk to avoid, control, reduce, accept, or transfer the risk. That’s what we’ll focus on for the rest of this post.
Identify the Risk
Risk management begins with risk identification. Let’s begin by seeing how ISO 31000 explains this phase (we’ll do the same thing with the other phases listed below too).
Risk identification is the “process of finding, recognizing and describing risks….it involves the identification of risk sources, events, their causes, and their potential consequences.”
And since we’re talking about safety and hazards, let’s see what ISO 31000 has to say about hazards:
A hazard is “a source of potential harm” and a hazard “can be a risk source.”
How does a safety expert identify risks (what we’re calling hazards in this safety-specific example)? The job hazard analysis is a good place to start. Read our earlier blog post about the job hazard analysis or check out this OSHA guide to the job hazard analysis for more information on that.
Analyze the Risk
Once you’ve identified a risk, it’s time to analyze it. Here’s the description from ISO 31000:
Risk analysis is a process undertaken to “comprehend the nature of risk and to determine the level of risk.” ISO 31000 also states that “risk is often expressed in terms of a combination of the consequences of an event…and the associated likelihood of occurrence.”
To put that into everyday language, once you’ve identified a risk, analysis includes the process of determining:
- What are the chances that the risk or hazard will cause some kind of problem (an injury or illness in safety and health terms; a leak, release, or exposure in environmental terms)? This is often referred to as the probability or likelihood that the hazard will lead to a negative effect.
- If the risk DID create a problem, how big of a problem would that be? This is often referred to as the consequence or severity.
These two ideas–the likelihood that the risk or hazard could cause harm and the severity of the consequences–are often displayed in a risk matrix.
You can create a risk matrix to represent the likelihood and severity of a given risk (or hazard).
The matrix is typically set up to allow you to analyze two different characteristics of the risk. These are the risk’s likelihood (or probability) and its severity (or consequences). Each can be categorized from lesser to greater, as shown below.
Likelihood or probability (listed in order from least likely to most likely):
- Very likely
Severity or consequence (listed in order from least severe to most severe):
The risk matrix is often presented in a table, as shown below.
As you’d guess, for each risk (or hazard), you’d determine the likelihood and the severity and check the appropriate box in the table.
For example, here’s a risk that happens only rarely and would lead to only minor harm.
And, here’s a risk that is very likely to occur and would lead to a catastrophe.
The risk matrices shown above are just one example of how you can do this. You and/or your organization may make your own, and here are a few others to consider:
- US Department of Defense Risk Matrix (link now no longer available, but maybe you can find it if you Google hard enough…)
- ISO 17666:2003 Space Systems: Risk Management
Evaluate the Risk
Once you’ve analyzed the risk, perhaps putting it into your risk matrix, it’s time to evaluate. Here’s how ISO 31000 explains evaluation:
Risk evaluation is the “process of comparing the results of risk analysis with risk criteria to determine whether the risk and/or its magnitude is acceptable or tolerable.”
In other words–once you’ve analyzed the risk to determine its likelihood and its severity, are you willing to “live with it” or do you want to do something to address the risk?
Risk evaluation includes a process of ranking the risks in terms of their magnitude–from the biggest risk to the smallest–and comparing them against a set of risk criteria to determine which risks should be addressed.
Here’s what ISO 31000 has to say about risk criteria:
Risk criteria are “terms of reference against which the significance of a risk is evaluated…risk criteria are based on organizational objectives and external and internal context…risk criteria can be derived from standards, laws, policies, and other requirements.”
Considering our two examples above, a risk that’s a near certainty to cause harm and that would lead to catastrophic consequences is something you wouldn’t find acceptable or tolerable. By contrast, if something’s very unlikely to happen and would cause only a minor issue if it did occur, you probably would find that risk acceptable or tolerable.
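To make the analysis and evaluation steps concrete, here is a small risk matrix in code. This is an added example and not part of the original post: the five-step likelihood and severity scales, the likelihood-times-severity scoring, and the acceptable/tolerable thresholds are assumptions chosen for illustration, standing in for the risk criteria your own organization would derive from its objectives, standards, laws, and policies. It scores each risk, renders the matrix as a table, ranks a small constructed risk register from biggest to smallest, and reports which risks fall outside the criteria.

```python
"""Risk matrix analysis and evaluation, ISO 31000 style.

Added example, not code from the original post. The scales, the numeric
scoring and the acceptability thresholds are assumed for illustration;
an organization would substitute its own risk criteria.
"""
from dataclasses import dataclass

# Ordered scales, least to greatest. Index + 1 is the numeric rank used for scoring.
LIKELIHOOD = ["Rare", "Unlikely", "Possible", "Likely", "Very likely"]
SEVERITY = ["Negligible", "Minor", "Moderate", "Major", "Catastrophic"]

# Assumed risk criteria: the highest score allowed in each acceptability band.
# Anything above the "tolerable" bound is unacceptable and must be treated.
DEFAULT_CRITERIA = {"acceptable": 4, "tolerable": 12}


@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: str
    severity: str

    def __post_init__(self):
        # Reject categories that are not on the scale rather than silently mis-scoring them.
        if self.likelihood not in LIKELIHOOD:
            raise ValueError(f"unknown likelihood {self.likelihood!r}; expected one of {LIKELIHOOD}")
        if self.severity not in SEVERITY:
            raise ValueError(f"unknown severity {self.severity!r}; expected one of {SEVERITY}")


def score(risk: Risk) -> int:
    """Risk magnitude as likelihood rank x severity rank (1..25 on these scales)."""
    return (LIKELIHOOD.index(risk.likelihood) + 1) * (SEVERITY.index(risk.severity) + 1)


def evaluate(risk: Risk, criteria=DEFAULT_CRITERIA) -> str:
    """Compare the analysed risk with the risk criteria (the ISO 31000 evaluation step)."""
    s = score(risk)
    if s <= criteria["acceptable"]:
        return "acceptable"      # retain by informed decision
    if s <= criteria["tolerable"]:
        return "tolerable"       # live with it, but reduce it if reasonably practicable
    return "unacceptable"        # must be treated before the activity proceeds


def rank(risks, criteria=DEFAULT_CRITERIA):
    """Order risks from biggest to smallest magnitude, each with its evaluation."""
    ordered = sorted(risks, key=score, reverse=True)
    return [(r.name, score(r), evaluate(r, criteria)) for r in ordered]


def matrix(criteria=DEFAULT_CRITERIA) -> str:
    """Render the matrix as text: rows are likelihood (most likely first), columns are severity."""
    width = max(len(s) for s in SEVERITY + LIKELIHOOD + ["unacceptable"]) + 2
    lines = ["".ljust(width) + "".join(s.ljust(width) for s in SEVERITY)]
    for lk in reversed(LIKELIHOOD):
        cells = [evaluate(Risk("cell", lk, sv), criteria).ljust(width) for sv in SEVERITY]
        lines.append(lk.ljust(width) + "".join(cells))
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed sample register, including the two examples from the post.
    register = [
        Risk("Dropped hand tool on walkway", "Rare", "Minor"),
        Risk("Uncontrolled release from solvent tank", "Very likely", "Catastrophic"),
        Risk("Forklift and pedestrian traffic at the dock", "Possible", "Major"),
    ]
    print(matrix())
    print()
    for name, s, verdict in rank(register):
        print(f"{s:>2}  {verdict:<12} {name}")
```

With the assumed criteria, the rare/minor example scores 2 and is acceptable, the very-likely/catastrophic example scores 25 and is unacceptable, and the possible/major risk lands on the boundary at 12 and is tolerable; tightening the "tolerable" bound to 9 pushes that same risk into the unacceptable band, which is the point of keeping the criteria separate from the scoring.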
Treat the Risk
With the risk identified, analyzed, and evaluated, it’s time to consider treating the risk. What does that mean?
Here’s how ISO 31000 explains risk treatment:
Risk treatment is a “process to modify risk…risk treatment can involve avoiding the risk by deciding not to start or continue with the activity that gives rise to the risk, taking or increasing risk to pursue an opportunity, removing the risk source, changing the likelihood, changing the consequences, sharing the risk with another party or parties, and retaining the risk by informed decision.”
Let’s look at a few of those treatment options in the context of safety.
First, consider “retaining the risk by informed decision.” This would be a situation in which you’ve decided you’re willing to accept the risk and do nothing to modify it. This would probably be something like a risk that happens only rarely and that leads to minor consequences.
Next, consider “sharing the risk with another party.” An example would be getting an insurance policy to cover your building in the event of fire.
Finally, consider “avoiding the risk by deciding not to start or continue with the activity that gives rise to the risk.” An example of this would be recognizing that a production process results in dangerous off-gassing and halting production.
Since you’re presumably a safety expert if you’ve read this far, we assume you can think of your own examples for “removing the risk source,” “changing the likelihood,” and “changing the consequences.”
As a group, the risk treatments that deal with negative consequences are often referred to as risk mitigation, risk elimination, risk prevention, and/or risk reduction. We discuss those in further detail in the next section.
Risk Treatments for Safety: The Hierarchy of Controls
In safety, there ARE some risks that you’re willing to tolerate, but there are lots that you’ll want to “treat” by controlling them. One standard way to select a control (or several controls) for a specific hazard is by working through the hierarchy of controls.
The idea behind the hierarchy of controls is to work through different classes or types of controls when you’re trying to figure out how to control a specific hazard. Those types of controls are listed in order within a hierarchy. You should try the first type of controls–shown at the top of the list below–before you go on to the second, third, and fourth type of controls.
With that said, here’s the hierarchy of controls:
- Elimination or Substitution
- Engineering Controls
- Administrative Controls
- Personal Protective Equipment
So, for every hazard you’re trying to control, you’d consider elimination or substitution first, engineering controls next, administrative controls after that, and then finally personal protective equipment (PPE). In some cases, you’ll use more than one type of control, and PPE should be considered only a last means of controlling a hazard.
Here’s a helpful OSHA document if you want more information on the hierarchy of controls.
And here’s an article we wrote about the hierarchy of controls, which includes a free Hierarchy of Controls eLearning course you can watch online or download.
Risk Management Standards and Guides
We’ve referenced ISO 31000 throughout this article, but there are several different risk management standards. Here are a few:
- ISO 31000 Risk Management – Principles and Guidelines
- OCEG “Red Book” 2.0 GRC Capability Model
- BS 31100 Code of Practice for Risk Management
- COSO Enterprise Risk Management-Integrated Framework
- FERMA 2002: A Risk Management Standard
- Solvency II: 2012 Risk Management for the Insurance Industry
To top that off, here’s a nice comparison of the risk management standards above.
Risk Management and Safety: Your Experiences and Thoughts?
We’d be curious to know your own exposure and experience with risk management. If you’re involved in safety at work, does your company have a risk management program? Either way, do you use some or all of these techniques described above at work? What are your experiences with them?