5 Easy Steps to Begin Implementing a Risk-Based Approach to Occupational Safety: An Interview with Pam Walaski

In an earlier interview, Pam Walaski gave us an introduction to Systems Thinking, Risk Management, and Safety Management Systems. If you haven’t seen that one, we recommend you check it out either before or after reading this article.

And in this article, we’re excited because Pam has agreed to come back and continue the conversation, giving us 5 easy tips to follow to begin making the change from a compliance-based OSH strategy to a risk-based OSH strategy.

This should be a very helpful article for occupational safety and health managers and professionals who are looking to take those first steps toward a system that’s less focused purely on compliance and more focused on risk and risk management.

We’ve got an audio recording of the discussion immediately below. If you’d prefer to read instead of listen, just click the MORE button to see the transcript. Also, feel free to download the free guide to risk-based approaches to occupational safety and health management at the bottom of this article.


Implementing Risk Management for Occupational Safety

Convergence Training: Hi, everybody! This is Jeff Dalto of Convergence Training. This is part of a Convergence Training webcast series we’ve been doing on issues related to safety, training, and safety training. And we’ve got a special guest today, one who has been with us in the past. It’s Pam Walaski of GAI Consultants, so my first tip to you is if you have not yet heard the earlier podcast with Pam talking about moving from compliance-based safety systems to systems that incorporate systems thinking, risk thinking, and safety management, you should definitely check that out, and we’ll include a link to get you from here to there.

But today she’s going to be giving some really practical tips about how to implement that at work. She’s going to give us five tips about how to start this up.

So with that, let me say hello and welcome to Pam, and of course hi to everyone out there, and Pam, how are you doing today?

Pam Walaski: I’m great, Jeff, how are you?

Convergence Training: I am well, thank you. Thanks again for coming onboard and talking with us about this. We had a lot of great reaction to the first time around, so we’re excited you’re going to give us some practical tips.

Before we get into that, for people who are new to this webcast series or who are new to you, can you tell us who you are and what you do and why we should find your thoughts on this interesting?

Pam Walaski: OK. So, as you mentioned, I work for an engineering firm called GAI Consultants. We do environmental, energy-based engineering and construction work. We’re based in Pittsburgh, PA, which is where I’m sitting right now at our headquarters office, but we have about 20 offices, primarily throughout the eastern part of the United States, from Green Bay, WI to Palm Beach Gardens, FL. We have lots of engineers, we have lots of field staff who are out doing wetlands delineation and species habitation surveys and monitoring construction of roads and bridges, and also we do a lot of support for a number of other energy clients.

I’m the health and safety director here, so my responsibility is our staff, about 1,000 of them as I said, and anywhere from 300-400 of them are out in the field every day, and those are the ones that I primarily pay attention to. I’ve been in occupational health and safety for about 25 years now, I’ve had a variety of different positions with a variety of different companies. Primarily, as I’ve worked over the years, I’ve gone from sort of a standard kind of health and safety commodity work to more systems thinking and risk management work.

I’m also fairly actively involved with the American Society of Safety Professionals, which is a big group that has most of the occupational safety and health folks involved. I’m currently serving a three-year term as an at-large member of the Board of Directors, and that just started in July, so that’s very exciting. I get to participate in sort of helping to shape and form some of the organizational activities for the next couple of years. And that’s me.

Convergence Training: Hey, that’s great. I didn’t know that about the Board of Directors, congratulations!

Pam Walaski: Yeah, thank you. It’s a very exciting time for the organization and I’m really looking forward to the next three years.

Convergence Training: Well, speaking of the ASSP, just to toot your horn one last time before we get into our questions, Pam frequently writes for the ASSP’s Professional Safety magazine, that’s where I first came across Pam in a really excellent article on issues related to today’s conversation, and also speaks at a lot of ASSP conferences and other things, so look for Pam in safety journals and at safety conferences and that will be worth your time.

Alright, so let’s get right to it. Pam, if this whole webinar is about moving away from compliance-based safety and into risk-based safety, maybe you could tell us what you mean by compliance and risk, and why one would move from compliance-based to risk-based safety management?

What Does It Mean to Be Compliance-Based or Risk-Based in Safety?

Pam Walaski: Sure. So, just to sort of recap that conversation we had before, a compliance-based focus is where we take a regulation and we read what it says we’re supposed to do and then we do it. And so it’s kind of a line-by-line, regulation-by-regulation approach to developing workplace health and safety programs. For most of us, it’s OSHA. Some of us also have responsibilities for environmental things, so we’re paying attention to the EPA, some of us have responsibilities for transportation, so we may be aware of what DOT says–those kinds of things.

Risk-based approaches are approaches that focus our energy on the risk of the tasks that we do and a constant and continuous drive to reduce the risk of our tasks to the lowest, most acceptable level for our organization.

When we rely on compliance and regulations, we end up in a couple of different problem situations. The first one is that regulations don’t change very quickly. And so when new and different thinking comes on the horizon, those regulations don’t often catch up with it. So if you rely only on regulations to base our programs, we’re not really looking at newer thinking.

The second problem is that compliance has always only been intended to be the ground floor, the basic. And so if you’re complying with what the regulations say, that’s not really saying much about your organization.

And then the third one is the notion of a regulation being a stand-alone requirement. There’s no systems basis to it. You may have a confined space entry program, or a PPE program, or a fall protection program, but when you have tasks that involve confined space and heights and PPE all at the same time, you now have three different documents that you have to manipulate to work on that particular task. So the important thing about systems-based or risk-based safety is that it’s designed to work together, and that everything kind of smoothly and seamlessly overlaps and moves back and forth.

So that’s kind of what we’re talking about when we talk about risk-based or management-based approaches to occupational health and safety.

Convergence Training: Great, and before we move forward, just in case anyone out there has some warning lights flashing red in their head at this point, picking up stuff I’ve read from you in the past, you’re not arguing to ignore compliance, and what you’re saying is that compliance will come as a side-effect of the safety management, is that correct?

Pam Walaski: Sure. So if you think about fall protection, and you think about what OSHA says you should do in terms of fall protection, if you are doing a risk-based approach, you are going to be working on getting workers working at the lowest possible level, or designing out systems where they don’t have to work at heights at all, and if they have to work at heights, you are going to make sure that they are wearing the proper systems and everything works together.

So, as you say, doing a risk- or systems-based approach to safety ends up complying with most regulatory frameworks anyway. Except for the things that don’t have to do with risk, like posting the OSHA poster, the Recordkeeping Standard–those kind of things that aren’t tied as directly to risk but still need to be done.

Implementing Risk-Based Safety Management One Bite at a Time

Convergence Training: Good addition. So, you’ve been kind enough to agree to come in and give us a five-step road map for implementing risk-based safety and health management systems. And I wonder if, before you dig into each of those steps in detail, if you could give us a bird’s-eye view and a road map of that process.

Pam Walaski: The process of moving from one system to another is what you’re asking? So, sometimes that feels very overwhelming. You sit down and think about where you might be now in your organization versus where you think some other organizations who are doing this now are, you can look at that gap between the two and it seems insurmountable.

But if you think of that adage about “how do you eat an elephant?,” that’s usually the way I try to get people to think about it. You eat an elephant one bite at a time. And while it may be overwhelming and impossible to eat an elephant, any major initiative or project (or eating an elephant) can be broken down into manageable pieces or bites. And once you start to do that, you can find that path forward. It’s like any other large project, when you begin to break it out into individual tasks and create a plan for yourself, that’s how you get to that point.

Each step may not be consequential, and at first they are baby steps and little things. But you get closer and closer and closer. And at the same time as you begin to do that, I think you begin to create a momentum that gets you to the place where you’re ready to turn that ship in a different direction. So that’s the way I like to think about making these types of changes.

The first bigger, overarching change that I think we have to make has to do with some of the paradigms. Most particularly, the one that told us that if we reduce the frequency of incidents, we would reduce the severity of them as well. And we know now from data, from looking at incident reviews and other kinds of data that is out there, that that really isn’t true. We know there’s a percentage of all incidents that have a potential to be a severe incident–a serious injury, a fatality, major property damage, or whatever factor you might want to think about. And so we need to rethink that and come up with a different way to approach it, and a risk-based approach allows you to begin to look at severity first, rather than frequency, by looking at higher-risk tasks first.

One way to do that is to look at those kinds of precursor situations and causes that are unique to your organization. Every organization has them–you need to figure out what they are. We need to get ourselves away from chasing those kind of trivial situations, elevating the trivial near-misses where we spend hours and hours of time looking at all of our near-miss reports and trying to investigate each and every single one of them. We need to really look at those near-miss reports and say “Which one of these had the potential to cause a serious injury or fatality?”, and that’s the one that we want to focus our time on, and shift ourselves to those kind of incidents, those kind of tasks, those kind of hazard assessments. And again, it’s going to be unique to your organization. We’ll talk some more as we go through our time together about how to begin to make that shift and to identify those.

But like the OSHA parallel that we were just talking about, we are not talking about ignoring minor injuries or first aid cases. We are not saying we don’t care if somebody has a minor recordable or has a minor injury that doesn’t result in lost time. But we have to start somewhere, and so back to the elephant analogy, we can’t keep doing the things that we have been doing, so we have to begin in a different place.

And similarly, I think, when we begin to really attack the kind of situations that have the potential to cause a SIF (serious injury and fatality) or FSI (fatality and serious injury) or whatever acronym you choose to use, we can then turn our attention to less-serious incidents, and in the same time I think the cascade effect of the risk-based approach will also have a natural effect of reducing those other kind of non-serious injuries and first-aid cases as well.

Convergence Training: OK, that’s a nice way to look at a couple of things. One is the move from Heinrich’s Pyramid or Heinrich’s Safety Pyramid, with a focus on minor issues in the hopes that doing so will prevent serious incidents, and then kind of a step towards using risk-based approaches as well.

I’ve seen you write about a five-step process that involves:

  • Becoming the expert
  • Stop saying “OSHA says”
  • Adopting a leading metric
  • Taking a deep dive into data
  • Finding a few risk champions

Would that five-step process be a good place to begin taking a deep dive now at this point?

Step 1: Becoming an Expert in Risk Management for Occupational Safety and Health

Pam Walaski: Yeah. I think it’s helpful for people to identify those baby steps and identify things they can do. So if you have nothing at all, where do you start? And these are five things that anybody, regardless of your understanding and knowledge and expertise in risk and safety management systems, these are easy things that you can begin to do right now, with limited time and limited resources, while you begin to start to eat that elephant.

Convergence Training: Great. Tell us more then, if you will, about step one: becoming the expert.

Pam Walaski: If your familiarity is with OSHA regulations, you may be a real expert in them. You can spout off the number and citation and all of those wonderful things that are in there. So what I’m asking you to do is to do the same thing with the various voluntary consensus standards that are out there, and become that kind of expert on them.

Unfortunately, they’re not available like the OSHA standards are by going to OSHA.gov. You have to buy them–they’re available for purchase. ASSP obviously is one organization that sells them, but other organizations do as well, depending upon who published them. So you’ve got to buy them and you’ve got to read them. And not just the standard itself, because I think you’ll see once you start to get familiar with them, the standards are not prescriptive at all, they’re not going to tell you how to do things, they’re going to give you an end point and tell you “this is where you need to be.” So the standard itself is a pretty brief part of the document–it may only take a couple of brief pages to talk about one particular aspect of the standard. Each one of them has addenda at the end of the standard that is designed to give you guidance or explore a particular issue. They may provide you with resources like a risk management report format or a management of change policy. And those are all samples that you can take and adopt or manipulate to meet your organization’s needs. They have commentaries that allow you to explore the sections and resources that include things like books and websites and articles and other kinds of things.

So, once you think of the individual standard as kind of like a “hub,” the “spokes” off of that standard are all kind of different things that you can begin to take a look at as you begin to deepen your understanding of one particular standard or one particular issue. It may take you a while, but you’ve just got to jump in there with both feet and start getting yourself really deep into those and start looking around. And then your natural curiosity is going to take you other places as well.

[In terms of the specific standards], the biggest one in Risk Management is the ANSI/ASSP Z690 series of standards, and there is the ISO version of them as well, and there are three of them. Z690.1, which is also ISO guide 73, and that’s the vocabulary for risk management; Z690.2, the ISO version is ISO 31000, and that’s the principles and guidelines behind risk management; and then Z690.3, or ISO 31010, which is the techniques (of risk management), and that’s a description of the different risk tools that are available to you.

In addition to that, and built into the safety management piece would be either ANSI/ASSP Z10, which is the North American version of an occupational safety and health management standard, or the recently published ISO 45001, which is more geared toward organizations that want a global standard or may want to be certified by ISO for their safety management system.

And then last but not least is ANSI/ASSP Z590.3, which is prevention through design. And the importance of that particular standard is that if you’re really serious about reducing the risk of your organization’s tasks and activities, you’re going to have to focus on higher-level controls, which means getting away from PPE and training and administrative practices. And prevention through design gives you a road map for how to get to that process, so that’s a good one to tuck into your back pocket as well.

Convergence Training: Great, thanks. That’s a good list. So we’ve got Z690 for risk, Z10 and ISO 45001 for safety management, and Z590.3 for prevention through design. And I really liked that you mentioned the appendices or annexes of these standards. I am working on the ANSI/ASSP Z490.2 standard myself, and by far my favorite part is the annexes, and that was true with Z10, I thought the Z10 annexes were really helpful. And I think the other thing I’d remind people out there is that you should get these standards for sure, and you should read them for sure. But there are other places to learn as well, including from people like Pam, and Pam, I am sure that you could tell me if I’m right or wrong that places like the ASSP offer continuing education on topics like risk as well. Is that true?

Pam Walaski: Sure. ASSP offers certificates in risk assessment and a certificate in ISO 45001. They offer global training certificates and a whole variety of training resources if you want to deepen your expertise and your resume, if you will, on those kinds of topics.

I’ll also mention I spend a fair amount of time on LinkedIn. I know a lot of people have developed profiles and then never gone back because they think it’s not the greatest place in the world. But if you’re very targeted about who you follow and what you do, I think there are some really good resources there. For example, I follow a group called ISO 31000 Risk Management Standards. And that group is a very active group. There are threads that are being added to every day, there are new things being posted there every day, there are a lot of good things there. There’s another good group there called Safety Differently, which I think you’re familiar with as well, and it focuses on some of the work Sidney Dekker started years and years ago. It’s great because a lot of the articles, discussions, and postings there really get you to think about safety differently, and to me that begins to broaden your thinking processes and your approaches and gets you chewing on some of that new and different stuff.

I also like to pay attention to some people like Ron Gantt, who I know you know; there’s a Dutch gentleman Carsten Busch who writes some really interesting things; Todd Conklin is a great guy to really get you thinking and wondering if maybe you really need to rethink your philosophy, he really gives you some clear understanding of that. And I also follow an organization called Krause-Bell Group, which is Tom Krause’s consulting group, he partnered up with Kristen Bell, and they do some interesting content as well.

So LinkedIn can be a really good resource if you pay attention to certain people and to certain groups. It can give you a lot of good information.

And the last thing I always tell people is that when you go to conferences, speakers are generally always happy to chat with you after the session. Seek them out, ask them a question, share a business card, connect after the event so that you can begin to sort of develop that network of people who have thinking around risk and safety management so that you can build on that. Those are great people to go to when you have a question, when you want to explore something in a little greater detail, that’s what you need to begin to build. So become the expert, read the stuff on paper, but also get to know the experts, the people experts, and get to know them a little bit, which is an important piece of this process.

Convergence Training: Good call. There’s also a nice LinkedIn group on ISO 45001, put together by Chris Ward, who helped create that standard as well.

Step 2: Stop Saying “OSHA Says”

Convergence Training: OK, so if that’s how to become the expert, both on your own and also using the expert community at large, what can you tell us about step 2, stop saying “OSHA says.”

Pam Walaski: Step 2 is about pivoting, and remembering and retraining ourselves to answer questions differently. If a staff person who is running a CNC machine comes up to you and wants to talk to you about a particular hazard he or she is concerned about, or a senior leader nabs you walking down the hall and wants to discuss a particular recommendation that you are making about spending some money to improve the organizational workplace safety program, we have to pivot away from OSHA regulations, we can’t run to the online standards, because every time we answer that way, we perpetuate the notion that that’s where the answers are. And, we have to retrain our workforce and the people we work with to think differently. And so when those kind of questions come up, we have to be prepared to talk to workers and to senior leadership and our middle leadership from a risk-based approach. We begin to talk about how to answer a question about a hazard on a machine by talking about risk, and by focusing on the factors regarding probability and severity, and helping that worker begin to address it from that perspective. Eventually, obviously, the goal is to have that worker learn how to apply those kinds of concepts on their own, so the next time they’re faced with a hazard, they begin to think about a risk-based way of approaching it rather than what OSHA says about it.

Same thing about management. When you talk to them about things, when you talk about needing to spend $500,000 because OSHA says, you see their face just sort of glaze over, but when you begin to talk to them about the return of risk reduction that that particular expense will provide, and how it will get your organization to those kinds of things, they can better understand the recommendation. I have a whiteboard here in my office, and one of the things it says on that white board is “Occupational Safety and Health Risk Management IS Business Risk Management.” And I think it’s really helpful to remember that, because that’s what our organizations are doing. The risk management approach that they’re taking is no different than the risk management approach we should be taking for occupational safety and health.

Convergence Training: And I’ve read you speaking about that last point, and essentially I think what you’re saying is that “safety” currently speaks a different language than the rest of the business organization, and if safety starts adopting risk management procedures and talking in risk language, they will align themselves with the rest of the organization. Is that correct?

Pam Walaski: Yeah, absolutely. It’s already happening, and we want that seat at the table, we want to be part of the C-suite, we want to be respected–all of those kinds of things, the business case for safety, all those phrases that we have been talking about for years, I think we have a better shot of getting to those objectives by talking risk. Because that’s the way our organizations run. Whether it’s financial risk, or supply-chain risk, or enterprise risk management, we are part of that. And that gets us where we need to be with our organization.

Step 3: Identify and Promote One New High-Impact Leading Indicator/Metric

Convergence Training: Alright, great. Tip 2 was stop saying “OSHA says,” and tip 3 is identifying and promoting one new high-impact leading metric this year. And I wonder if you could start that discussion by telling us the difference between a lagging indicator and a leading indicator, and maybe giving us an example of a leading indicator.

Pam Walaski: Sure. Lagging indicators are the ones that we are familiar with. They typically center around incidents and rates associated with incidents, so we might have a total recordable incident rate, or a days away (DART) rate, or a lost-time rate, or a severity rate. Those are the kinds of lagging indicators that are commonly used to demonstrate that we’re doing well or not doing well.

Sometimes you also look at things like the number of completed inspections, like “we completed 25 inspections out of the 25 that we had to do, and isn’t that wonderful,” or “we had 762 near-miss reports this quarter, and our goal was 750, and isn’t that wonderful?” Again, those are things that already happened. They tell us how somebody has gotten hurt. But sometimes they just tell us how lucky we were. Inspections tell us about the hazards that were there at one specific time–it doesn’t tell us anything about how well our fire protection system is working, it doesn’t tell us anything about how well the systems that we’re focusing on are working. It doesn’t mean we shouldn’t be doing them, but they’re not getting us to that systems-based, risk-based approach.

Leading indicators tend to look at proactive initiatives, proactive activities. And so it allows us to spend our time on moving the organization into a proactive focus rather than a reactive focus. So, some of the things that organizations might look at is not just how many near mi

Jeff Dalto, Senior Learning & Performance Improvement Manager
Jeff is a learning designer and performance improvement specialist with more than 20 years in learning and development, 15+ of which have been spent working in manufacturing, industrial, and architecture, engineering & construction training. Jeff has worked side-by-side with more than 50 companies as they implemented online training. Jeff is an advocate for using evidence-based training practices and is currently completing a Masters degree in Organizational Performance and Workplace Learning from Boise State University. He writes the Vector Solutions | Convergence Training blog and invites you to connect with him on LinkedIn.