Risk Management and Safety

If you’re in safety or EHS, you may have heard of risk management.

Maybe you know exactly what that means. If so, great. We even encourage you to leave your insights, knowledge, and experience at the bottom of this article in the comments section.

But maybe you don’t, and maybe you’ve wondered about risk. If so, this post is for you. We’ll explain what risk management is and how risk management and safety are related.

Let’s start by defining some terms. ISO Guide 73:2009 includes the following definitions:

  • Risk–the effect of uncertainty on objectives
  • Risk management–coordinated activities to direct and control an organization with respect to risk

Now let’s look at each of those a little more closely in the sections below.

In addition, you’ll probably be excited to know there’s a free guide to using risk-based approaches for occupational safety and health management at the bottom of this article.


Risk

The definition from ISO Guide 73 says risk is “the effect of uncertainty on objectives.” Let’s break that down a bit.

The average business has any number of objectives. These include things like creating a new product, making a profit, and ensuring safety (but there are lots more, as you’d imagine).

Various things can have an effect on a business’s chances of meeting each of those objectives. An effect here is a deviation from what was expected, and it can be positive or negative. So yes, risk management covers both things that affect objectives in a positive sense AND things that affect objectives in a negative sense. (Still, it’s most common to think of risk management, and to perform it, for risks that have negative effects.)

Risk Management

ISO Guide 73 not only states that risk management is the set of “coordinated activities to direct and control an organization with respect to risk,” it also fleshes that out for us a bit. According to the guide, the risk management process includes the following activities related to risk:

  • Communicating and consulting
  • Establishing a context
  • Identifying
  • Analyzing
  • Evaluating
  • Treating
  • Monitoring
  • Reviewing

We’ll look more closely at several of these aspects below–especially risk identification, risk analysis, risk evaluation, and risk treatment.

Risk, Risk Management, and Safety

As noted above, risk and risk management apply to many different parts of a business or organization. For example, risk management is big in finance, and if you read up on the Enron scandal or the recent Great Recession, you’ll run into references to the risk management departments of the companies involved. Likewise, pharmaceutical companies take great interest in risk management, and when a class of drugs called NSAIDs (these include ibuprofen) was found to elevate the risk of cardiac problems, the risk management departments at those companies sprang into action.

But in this article, we’re primarily interested in risk management as it applies to EHS and safety, and in particular to risks with a possible negative effect, which is pretty much what OSHA calls a hazard. Here’s OSHA’s definition of a hazard, drawn from an OSHA guide to the job hazard analysis:

“A hazard is the potential for harm. In practical terms, a hazard often is associated with a condition or activity that, if left uncontrolled, can result in an injury or illness.”

So in the context of safety or EHS, risk management is primarily concerned with identifying, analyzing, evaluating, and “treating” the risk to avoid, control, reduce, accept, or transfer the risk. That’s what we’ll focus on for the rest of this post.

Identify the Risk

Risk management begins with risk identification. Let’s begin by seeing how ISO Guide 73 explains this phase (we’ll do the same thing with the other phases listed below too).

Risk identification is the “process of finding, recognizing and describing risks…. It involves the identification of risk sources, events, their causes, and their potential consequences.”

And since we’re talking about safety and hazards, let’s see what ISO Guide 73 has to say about hazards:

A hazard is “a source of potential harm” and a hazard “can be a risk source.”

How does a safety expert identify risks (what we’re calling hazards in this safety-specific example)? The job hazard analysis is a good place to start. Read our earlier blog post about the job hazard analysis or check out this OSHA guide to the job hazard analysis for more information on that.

Analyze the Risk

Once you’ve identified a risk, it’s time to analyze it. Here’s the description from ISO Guide 73:

Risk analysis is a process undertaken to “comprehend the nature of risk and to determine the level of risk.” ISO Guide 73 also states that “risk is often expressed in terms of a combination of the consequences of an event…and the associated likelihood of occurrence.”

To put that into every day language, once you’ve identified a risk, analysis includes the process of determining:

  1. What are the chances that the risk or hazard will cause some kind of problem (an injury or illness in safety and health terms; a leak, release, or exposure in environmental terms)? This is often referred to as the probability or likelihood that the hazard will lead to a negative effect.
  2. If the risk DID create a problem, how big of a problem would that be? This is often referred to as the consequence or severity.

These two ideas–the likelihood that the risk or hazard could cause harm and the severity of the consequences–are often displayed in a risk matrix.

Risk Matrix

You can create a risk matrix to represent the likelihood and severity of a given risk (or hazard).

The matrix is typically set up to allow you to analyze two different characteristics of the risk. These are the risk’s likelihood (or probability) and its severity (or consequences). Each can be categorized from lesser to greater, as shown below.

Likelihood or probability (these go in order from least likely to most likely)

  • Rare
  • Unlikely
  • Possible
  • Probable
  • Very likely

Severity or consequence (these go in order from least severe to most severe)

  • Minor
  • Serious
  • Major
  • Catastrophic/critical

The risk matrix is often presented in a table, as shown below.

              Minor    Serious  Major    Catastrophic/Critical
Very likely
Probable
Possible
Unlikely
Rare

As you’d guess, for each risk (or hazard), you’d determine the likelihood and the severity and check the appropriate box in the table.

For example, here’s a risk that happens only rarely and would lead to only minor harm.

              Minor    Serious  Major    Catastrophic/Critical
Very likely
Probable
Possible
Unlikely
Rare          X

And, here’s a risk that is very likely to occur and would lead to a catastrophe.

              Minor    Serious  Major    Catastrophic/Critical
Very likely                              X
Probable
Possible
Unlikely
Rare

The risk matrices shown above are just one example of how you can do this. You and/or your organization may make your own, and here are a few others to consider:

Risk Treatments for Safety: The Hierarchy of Controls

In safety, there ARE some risks that you’re willing to tolerate, but there are lots that you’ll want to “treat” by controlling them. One standard way to select a control (or several controls) for a specific hazard is by working through the hierarchy of controls.

The idea behind the hierarchy of controls is to work through different classes or types of controls when you’re trying to figure out how to control a specific hazard. Those types of controls are listed in order within a hierarchy. You should try the first type of control–shown at the top of the list below–before you go on to the second, third, and fourth types.

With that said, here’s the hierarchy of controls:

  • Elimination or Substitution
  • Engineering Controls
  • Administrative Controls
  • Personal Protective Equipment

So, for every hazard you’re trying to control, you’d consider elimination or substitution first, engineering controls next, administrative controls after that, and then finally personal protective equipment (PPE). In some cases, you’ll use more than one type of control, and PPE should be considered only a last means of controlling a hazard.
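Here is the risk matrix from the Analyze section and the hierarchy of controls from this section put together in working code. This is an added example, not code from the article or from Convergence Training. The likelihood and severity scales and the four control types are the ones listed above; the numeric scores (likelihood position times severity position), the Low/Medium/High rating bands, the tolerance rule, and the sample hazards in the register are all assumptions made for this example.

```python
"""Risk-matrix scoring, register ranking and hierarchy-of-controls checks.

Added example; it is not code from the article or from Convergence Training.
The two scales and the four control types are the ones the article lists.
The numeric scores, the rating bands, the tolerance rule and the sample
hazards are assumptions made for this example.
"""
from dataclasses import dataclass, field

# Scales ordered from least to most likely / severe, as listed in the article.
LIKELIHOOD = ["Rare", "Unlikely", "Possible", "Probable", "Very likely"]
SEVERITY = ["Minor", "Serious", "Major", "Catastrophic/Critical"]
# Hierarchy of controls, most preferred first.
HIERARCHY = ["Elimination/Substitution", "Engineering", "Administrative", "PPE"]
# Rating bands, least to most serious (assumed).
RATINGS = ["Low", "Medium", "High"]


def score(likelihood: str, severity: str) -> int:
    """Product of the 1-based positions on each scale (range 1..20)."""
    if likelihood not in LIKELIHOOD or severity not in SEVERITY:
        raise ValueError(f"unknown likelihood/severity: {likelihood!r}/{severity!r}")
    return (LIKELIHOOD.index(likelihood) + 1) * (SEVERITY.index(severity) + 1)


def rating(value: int) -> str:
    """Assumed bands on the score; tune them to your own matrix."""
    if value >= 12:
        return "High"
    if value >= 6:
        return "Medium"
    return "Low"


def render_matrix(likelihood: str, severity: str) -> str:
    """Plain-text matrix with an X in this hazard's cell, most likely row on top."""
    width = max(len(s) for s in SEVERITY + LIKELIHOOD) + 2
    lines = ["".ljust(width) + "".join(s.ljust(width) for s in SEVERITY)]
    for like in reversed(LIKELIHOOD):
        cells = ["X" if (like, sev) == (likelihood, severity) else "." for sev in SEVERITY]
        lines.append(like.ljust(width) + "".join(c.ljust(width) for c in cells))
    return "\n".join(lines)


@dataclass
class Control:
    kind: str        # one of HIERARCHY
    likelihood: str  # residual likelihood once this control is in place
    severity: str    # residual severity once this control is in place


@dataclass
class Hazard:
    name: str
    likelihood: str
    severity: str
    controls: list = field(default_factory=list)  # applied in the order listed

    def inherent(self) -> int:
        return score(self.likelihood, self.severity)

    def residual(self) -> int:
        """Score after the last applied control (inherent if none applied)."""
        if not self.controls:
            return self.inherent()
        last = self.controls[-1]
        return score(last.likelihood, last.severity)

    def treatment_findings(self, tolerance: str = "Medium") -> list:
        """Checks on the chosen treatment: PPE alone, no reduction, still above tolerance."""
        findings = []
        kinds = [c.kind for c in self.controls]
        unknown = [k for k in kinds if k not in HIERARCHY]
        if unknown:
            raise ValueError(f"unknown control type(s): {unknown}")
        if kinds and all(k == "PPE" for k in kinds):
            findings.append("PPE is the only control; it should be the last resort")
        if kinds and self.residual() >= self.inherent():
            findings.append("controls do not reduce the score")
        band = rating(self.residual())
        if RATINGS.index(band) > RATINGS.index(tolerance):
            findings.append(f"residual risk {band} exceeds tolerance {tolerance}")
        return findings


def rank_register(hazards: list) -> list:
    """(name, inherent score, rating) tuples, highest inherent score first."""
    ordered = sorted(hazards, key=lambda h: h.inherent(), reverse=True)
    return [(h.name, h.inherent(), rating(h.inherent())) for h in ordered]


# Constructed sample register (not real data).
SAMPLE = [
    Hazard("Loose cable across walkway", "Probable", "Serious",
           controls=[Control("Elimination/Substitution", "Rare", "Serious")]),
    Hazard("Unguarded press brake", "Possible", "Catastrophic/Critical",
           controls=[Control("PPE", "Possible", "Major")]),
    Hazard("Paper cut while filing", "Very likely", "Minor"),
]

if __name__ == "__main__":
    for name, value, band in rank_register(SAMPLE):
        print(f"{value:>2} {band:<6} {name}")
    for hazard in SAMPLE:
        print(hazard.name, "->", hazard.treatment_findings() or ["acceptable"])
    print(render_matrix("Rare", "Minor"))
```

Running the file ranks the three sample hazards by inherent score, then reports on each treatment: the press brake is flagged because PPE is its only control, which is exactly the last-resort case the hierarchy warns about, while the eliminated cable hazard comes back clean. The tolerance argument is where your organization’s own risk appetite goes; lower it to “Low” and the PPE-only treatment is also reported as leaving residual risk above tolerance.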

Here’s a helpful OSHA document if you want more information on the hierarchy of controls.

And here’s an article we wrote about the hierarchy of controls, which even includes a free Hierarchy of Controls eLearning course you can watch online (for free) or download a copy of (for free).

Risk Management Standards and Guides

We’ve referenced ISO Guide 73 throughout this article, but there are several different risk management standards. Here are a few:

To top that off, here’s a nice comparison of the risk management standards above.

More Articles on Risk Management and Safety

Please check out these articles on this topic as well:

Risk Management and Safety: Your Experiences and Thoughts?

We’d be curious to know your own exposure and experience with risk management. If you’re involved in safety at work, does your company have a risk management program? Either way, do you use some or all of these techniques described above at work? What are your experiences with them?

One last thing: don’t forget to download the free guide to occupational safety and health management using risk-based approaches below.


Free Download–Guide to Risk-Based Safety Management

Download this free guide to using risk management for your occupational safety and health management program.


Jeffrey Dalto


Jeffrey Dalto is an Instructional Designer and the Senior Learning & Development Specialist at Convergence Training. He's worked in training/learning & development for 20 years, in safety and safety training for more than 10, is an OSHA Authorized Outreach Trainer for General Industry OSHA 10 and 30, has completed a General Industry Safety and Health Specialist Certificate from the University of Washington/Pacific Northwest OSHA Education Center, and is a member of the committee creating the upcoming ANSI Z490.2 national standard on online environmental, health, and safety training.

10 thoughts on “Risk Management and Safety”

  1. Nowadays the paper still beats the technics. Proper planning doesn’t mean proper control if the barriers established in risk management are not practically in place. So again, practice needs to beat theory to have efficient risk management, although theory is the base of knowledge. I’ve encountered many times on the work site proper planning on paper, which looked great, but only on paper; the reality was different. So this is another risk that we assumed: not putting into practice the control measures established at the planning stage of the job.

    1. George, very true.

      Someone made a similar comment in a recent blog post we ran about the JHA (job hazard analysis), although I think that person said that simply doing the JHA and stating that certain controls had to be put into place wasn’t enough, but that putting those desired controls down on paper tended to help ensure that they’d take place in real life as well. Still, it’s the same basic point–talking/writing about it or doing it, and something’s only really done when it is, in fact, done.

    1. Ayub, glad you liked it.

      Stay tuned…we’ve got a larger, more comprehensive article about Risk Perception that we are planning to write soon.

      And even before that, there’s an article coming up about EHS Leading Indicators that you may find interesting.

      Have a good one, and thanks for the comment.

  2. This article and the Four Steps to Implement gave me extra thoughts on how important Risk Management and OHSMS implementation are to my Engineering Department. Hard work to start with, but at the end you are satisfied when you have no major incident in your team. Thanks
