An Introduction to Safety Management Systems, Risk Management, and Systems Thinking in Safety: An Interview with Pam Walaski


Risk Management Image

If you’ve had your ear to the ground for the past 10-15 years, you’ll know there’s been a bit of a seismic shift in occupational safety and health that involves a movement toward risk management, safety management systems, and systems thinking.

We wanted to learn more and pull together a nice introduction to all this, so who better to talk with than Pam Walaski? Chances are good you already know Pam by name and by her work, but if not, we encourage you to check out this article, to follow her on social media, and to catch her giving at presentation at an ASSP conference or elsewhere, as she’s a great source of information on this.

So, let’s get started. Many, many thanks to Pam for her time and insights. Also, a quick head’s-up that since we published this webinar/interview, Pam has also completed a second interview with us that focuses on 5 Easy Steps for Implementing Risk-Based Safety Approaches.

We’ve got an audio recording of the discussion immediately below. If you’d prefer to read, we also created a transcript–just click MORE for that. Also, there’s a free guide to risk management for occupational safety and health management at the bottom of this article for you. 🙂

Safety Management Systems, Risk Management, and Systems Thinking in Safety

Convergence: Hi everybody and welcome. We’re really excited today, we have a great guest here at our recording/audio/podcast series. It’s Pam Walaski. Pam works for GAI Consultants. Over the years, I’ve had the good fortune of reading quite a few really great pieces that Pam’s put together, and I’ve learned a great deal from Pam, so thanks to Pam for that, and that’s why we got here to be on the show here, so that you can all share in everything that she’s sharing. And so with that I’m going to introduce Pam, thank Pam, and…Pam, thanks so much for being on the show with us.

Pam: Thanks, I appreciate it, Jeff, it’s good to talk with you today on one of my favorite topics, and we’ll get into that as we go along.

As you said, a little bit about myself, I’ve been a safety professional for 20+ years, 25 or something like that, if I got a calculator out I could tell you exactly how many, but I’m not sure. I’ve done a lot of work over the years, I’ve had my own practice, right now I am working for an environmental engineering consulting firm called GAI Consultants, so I’m an internal safety consultant right now, my responsibility is the 1,000 or so employees who work for GAI. We’ve got about 1,000 folks in 20-some offices, primarily in the eastern part of the United States. We do a lot of energy consulting, infrastructure consulting, design work, and we specialize in some really cool stuff like wetlands and species habitation surveys, and we have folks who are specialist in snakes and gopher tortoises and bats, so we have some really interesting stuff going on here. I’ve been with GAI for about three years now.

Convergence: Alright, great, that sounds pretty interesting, I didn’t know all that. Pam mentioned we’re going to talk about some pretty interesting stuff, and as a quick head’s-up, we’re going to be talking about issues related to risk management and safety, safety management systems and safety, and systems thinking and safety.

Pam, I’ve been reading you saying there’s a bit of a revolution going on in terms of how occupational safety and health professionals do their work. I wonder if you could kind of briefly speak to that and give us a quick overview before we dive into more granular, detailed looks at that.

Pam: Sure. So, I think any of us who have been around in occupational safety and health for a number of years can think back to sort of the early days of our career and what we were learning wherever we were getting our formal education, what we learned in those early years on the job, and things like Heinrich’s Pyramid, and the idea that 88% of our accidents are from unsafe acts and the remaining 12% were from unsafe conditions….all of those sacred tenants or sacred cows, if you will, they formed the foundation of my practice and the practice of lots and lots of people. I always joke that in the basement of my house I have overheads for overhead projectors that have those things on them, and they’ve been sitting in the basement for a really long time.

About ten years ago, I guess, maybe a few more than that, I started reading articles from leading thinkers and listening to presentations at conferences, and they all started talking about the same theme–that we were starting to see a flat-lining, if you will, of incident rates. In some areas they were even increasing. Fatalities and serious injuries, particularly, we just weren’t making progress. And they began to suggest that maybe those tenants of our practice, those sacred cows, maybe they weren’t correct, or maybe they weren’t working like we thought they were, because if they were we’d see better progress.

Over time, I think you began to hear more and more from those folks, and over time people joined in on that mainstream thinking, but at first they were pretty revolutionary, and I included myself in the group of people who would sort of listen with a skeptical ear, and there are still some folks who think that they’re pretty revolutionary, but I think over time their ideas and their thinking have become more accepted, and many more OSH professionals are beginning to revolutionize their thinking.

I think we are kind of in the middle of that revolution, if you will, if you think about the scale of it, but I also..from reading and attending conferences and things, I think we’re really working down the backside of it now, so more and more of us are beginning to really think differently about what we do and how we practice.

Convergence: Alright, great, that was a good intro. Thank you.

So if we’re currently moving, as you say, kind of away from (amongst other things) a compliance-based OSH management to something else, could you talk to us first about what exactly you might mean by compliance-based OSH management and explain what are some of the faults with it and why we’re moving away from it?

Moving from Compliance-Based OSH Management

Pam: Sure. Historically, I think the foundation of our OSH programs has been the mandatory regulations that have been established. And so complying with those regulations, or developing a program that is compliance-based, means that we look at those regulations, and that’s what we do. We read the regulation and we do what it says.

For OSH professionals, it typically means a federal- or state-based program, and for some of us who might also support our organization’s environmental program, the EPA or other state-related environmental groups. But it is a regulatory process. It’s what the law says needs to be done.

As for the problems with that approach, the first of course is that anybody who’s observed regulatory processes knows they are EXTREMELY slow to change. It can take 10-15 years just for a revision to an existing standard to make its way through the processes that are established before it becomes a law or a requirement. And so the thinking or information that may be new doesn’t find its way into regulations, it leaves us kind of behind the eight ball when we want to incorporate that new thinking into our programs, if we’re just relying on what the regulation says.

I think the other problem is that if you talk to any compliance officer from OSHA federal or state and ask them if being in compliance with OSHA means we can put up a flag and say “we are best in class,” they will all tell you no, that’s only the floor. All the regulations are intended to do is establish the ground floor about which you are intended to establish your programs. So if you’re an OSH professional, and want to lead your organization into safety excellence, you obviously have to go above and beyond that.

Third and probably the most important part of what we’re talking about today–a regulation is a stand-alone requirement. There’s no system to it. If you look up a regulation that covers your organization’s operations, like Respiratory Protection or Confined Space Entry, and you read through what it says you have to do to create a program that meets that requirement–now you have a program, a Confined Space Entry program, a Respiratory Protection program, but they don’t meet each other anywhere, so you have a bunch of separate components or silos, and they don’t lend themselves to any kind of integration in a systematic way.

So those are really the flaws, but before we leave that particular point, I always, whenever I talk about this, make it clear that I’m not advocating ignoring any regulatory requirements. We obviously cannot do that. But I am suggesting that complying with them, and believing we have good compliance going, is not going to get us where we want to be. And I also believe that if you implement an effective management system, which we’re going to talk about, if your OSH program is based upon systemic components and a management system process, I betcha you’re going to be in compliance with what the regulations say, it’s just going to happen. Except for things like putting up the OSHA poster or having your OSHA logs, those kind of things, but those are not the hard parts of complying with regulations.

Convergence: Alright, that was a good answer and well said. I couldn’t have said it as well myself. To kind of summarize, your point one was OSHA changes slowly; point two was you should think of OSHA requirements as a floor; and then point three was the “siloing” effect of having programs as opposed to systems.

To that second point, I’m an instructional designer who’s worked in safety for about ten years, but I’m no safety expert. So I continue taking courses, and I just took a course on industrial hygiene, and speaking of the OSHA requirements being a floor, it’s shocking how dangerous a lot of PELs are for certain hazardous chemicals.

Pam: Right. If you think about the OSHA regulations that we currently are dealing with, they were developed when OSHA came into being 40-plus years ago, and they took them from voluntary consensus standards, and those standards have marched on and been revised, but the regulations have not.

So if you look at the regulation and you look at the timing of when it was adopted, there are still some OSHA regulations that are 40 years old, and the PELs are an excellent example of situations where we know that exposure at the PEL doesn’t protect the worker at the point where they need to be, because we know more about the exposure and what it does, or on the other side, it’s way too low and needs to be changed. But I think the last year on the PELs as 1989, so that’s a good example.

Moving Towards Systems Thinking in Safety & Safety Management

Convergence: Alright. So if that’s what we’re moving away from, that kind of compliance-based focus, what are we moving towards?

Pam: We are moving to systems-based thinking. We are moving toward management of our organization’s operations with regards to occupational safety and health from a management perspective. So it’s OSH management systems. That’s what we are moving towards, that whole systemic approach, an approach that creates integrated pieces, that breaks down those silos, gets away from a program approach and looks more at occupational safety and health as systemic and systems-based.

Convergence: OK, and we’ll get more on that in just a little bit.

I’ve heard you write and talk about systems, and I’ve also heard you talk in a related manner about risk management and risk-based approaches to safety and health. Can you tell us about that as well and what that means?

Risk Management & Safety

Pam: Sure. So putting it together with the OSHA management system, a risk-management approach is how the organization approaches the risk from an occupational safety and health basis and how it manages them. And if you think about how management systems are, the Plan-Do-Check-Act cycle, the risk management part of it is the plan part, when an organization says “how do we figure out what the risks are to our workers and to our organization, how do we quantify those risks, how do we mitigate those risks in a systemic manner that assures we have some sort of continual improvement?”

You know, the overall goal is reducing that risk, of occupational safety and health hazards, to an acceptable level. So risk management is part of occupational safety and health management systems–it’s a critical part of it, it’s a big part of it, and it’s got to be a piece that’s integrated into any kind of an OSH management system.

Convergence: I like that and I want to call out one point that I’ve read you writing on as well. So if risk part of your OSH management approach, and if it’s the “P” (or plan) in your Deming P-D-C-A cycle, that’s true, but to call out one of the things that you wisely call out as well, and that’s that risk is actually a bigger thing than just safety, it applies to more than just safety, and one thing people can do in their organization is to partner up with people who might be experts in risk, maybe in finance for example. Is that true as well?

Pam: Sure. Risk is risk. And what many OSH professionals have found, those that take that risk-management approach, is that they find a lot of friends in their organization who are already approaching the organization’s processes and procedures and organizations from a risk approach. So financial risk, talk to you CFO or anyone in your accounting department, and how they manage the financial risks to the organization. They are identifying them, quantifying them, and mitigating them, just the way we are with someone getting hurt. We look at supply-chain risk, we look at business continuity risk, it’s all a risk-based approach. And the OSH management systems should fit into the overall risk management approach in the organization to whatever the risk are at the organization.

Convergence: Good answer, thanks. And I apologize for dragging you off over there, but I’ve appreciate that point I’ve seen you make in the past.

OK, really quickly then, if risk is this universal thing that can be applied at an organization in any number of ways, but it’s also kind of the “P” or “plan” within safety in that context, can you break down the process for using risk in safety, just give us a bird’s-eye view or road map for using risk in safety?

Pam: Sure, the standards which address risk management, which would be the ANSI/ASSP Z690 standard, which is an adoption of the ISO 31000 standard, has a really nice framework in it that lays it out very graphically in a simple way to look at risk management.

And the thing that you notice first about that graphic is that it has a lot of arrows that go back and forth between all of the pieces, which is that whole critical systemic approach. Those arrows go back and forth for a reason–because all of those systems are inter-related. It’s not a straight line from Step 1 to Step 2 to Step 3. It’s Piece A, which is connected to Piece B, connected to Piece C, etc.

So if you look at that framework, risk assessment is really the key piece of risk management, and it kind of occupies the center part of that framework. And risk assessment is risk identification–what are the hazards, what are the consequences of those risks, what is the source of energy of those risks, and identifying all of that process.

The second step of that is risk analysis. How do we figure out the severity of that risk in terms of how badly someone can get hurt? How do we figure out the likelihood of that risk and give it some kind of a score or a process of understanding where it fits in a hierarchy. And then the third part is the evaluation of the risk. How do we then take the controls that are available to us and mitigate it in some way, to take it from a score of 20 to a score of 3, or a red to a green, or however your organization organizes it.

That’s the center. That’s the big piece of it. But then it’s also complemented by the risk treatment part, which is: now that we’ve figured out how we’re going to mitigate that risk, what’s the plan for doing it? How will the controls be implemented? How will the controls be monitored and reviewed? How are we going to make sure the resources are developed to get those controls in place and to get them going?

And then on either side and on top of that framework are three other major components. At the top really, and you almost have to talk about it first, is establishing the context of the organization. So what parameters does the organization need to consider when it’s managing risk in determining the scope of its process. What are the threats and opportunities that the organization has to consider in terms of managing its risk? The context of an organization that performs construction, builds skyscrapers, that’s the key–the context of their risk is completely different than the context of the risk at GAI Consultants, where our employees are out in the field doing stream and wetland delineation. Completely different context but the same process is used.

Then the other sides of it includes the communication and consultation pieces, where an organization gathers information from external and internal stakeholders, consults with them, shares information, and uses that process to identify risks and implement the whole management process.

And then on the other side is the “check and act” process of the Plan-Do-Check-Act cycle, which is monitor and review. So, now that we’ve got this risk treatment plan in place, how are we observing it? Is it working? Are the controls effective? Are we achieving our objectives? How do we look for new and emerging risks to our organization, that process of surveilling out internally and externally?

And so that’s kind of risk management in a nutshell. Again, it’s very well laid our in the Z690 standard, ANSI/ASSP Z690. And it gives a very good process for plan-do-check-act, and for implementing that into your continual processes.

Side note: For more on this, check our Risk Management and Safety article.

Teaching Employees About Risk and Risk Management

Convergence: OK, good, thank you very much. And yes, we do recommend everyone go check out those standards, but that was a helpful overview.

We were just talking about risk and risk management, and one of the things you talk about is the importance of teaching employees about risk and and performing risk analysis and helping them manage risk on their own. I wonder if you could share with us any tips for teaching employees about risk, risk analysis, risk management, and so on?

Pam: Sure. I think it’s a process, just like OSH professionals have gotten to a place where they have learned about risk and understood risk, and understand how it can help an organization do what it needs to do. I think we as OSH professionals are responsible to lead our employees in that process as well. And so, when a worker comes to you as an OSH professional as a hazard that needs to be controlled or that they’re concerned about, you’re sitting around in a safety committee meeting, and people are talking about a particular brand-new process that’s being implemented in your organization, or you’re doing an incident investigation with your employees, that’s an opportunity to introduce the whole concept of risk and risk analysis. So, talking through the hazard, at those opportunities, and working with the groups of employees to help them understand the risk in terms of the likelihood, the consequence if it does occur, and begin to incorporate those ideas and concepts into that discussion. Then you’re focusing the conversation with employees on a risk-based approach. Doing the work that you’re already typically doing…incident investigations, JHA development, or walking the floor and somebody comes up to you with a concern or a safety suggestion, it achieves a lot of different objectives.

First, it sort of in a back-door approach teaches the worker about risk assessment. You don’t have to sit them down in a training course and say “Here’s risk assessment, everybody, this is how we do it.” Instead, you can actually do it when you have opportunities as you go throughout the day. It allows them to apply those concepts to a real-life hazard that they are exposed to, that they understand and can relate to in a very specific way.

The second thing I think it does is it gives them the ability then to approach hazards in the future in the same way. And that may be with your collaboration, or it may be on their own. Ultimately, we need to give employees the tools to learn how to approach hazards from a risk-based approach on their own. And giving them that tool by working with them, collaborating with them, and then allowing them to apply those concepts.

And then the third thing I think that’s the other piece, it’s a little more nuanced, is it changes the language that we use with our workforce-the language that says risk, severity, consequence, probability, and hierarchy of controls, and all of those terms that are just a big piece of risk management. It allows us to begin to change that language. And so we’re no longer talking about OSHA and what OSHA says, we’re talking about what risk is and how can we control it.

And so that ultimately begins the process of changing your system, or changing how the people who implement your system approach it from an occupational safety and health perspective.

Convergence: Alright, I like that. One of the things I liked was when you’re talking about how to teach employees about risk is that essentially you said “do it within the context of their job,” when you’re walking the floor, when they see something on the job, and that’s one of the big lessons from my field, of instructional design and training, is how important it is to be able to deliver training and instruction and feedback and discussion right in the context of the job as opposed to going off to the isolated training room, to have that discussion.

Pam: Yeah, we know about adult learning concepts, and we know how adults learn better. They learn by doing, they learn by applying, and they don’t learn very well by sitting in a training room with a PowerPoint in front of them. They learn in lots of different ways, and so this sort of learning by doing, if you want to incorporate risk management into what we do, there are a lot of great ways to help our employees understand those concepts. And it’s not hard to do–and once you begin by apply it to a real-life hazard, it’s much easier then to take that situation the next time, and do it either more independently or understand how to apply those concepts to different hazards, because risk is risk, hazards are hazards, and those concepts can be applied in lots of different ways.

Systems v. Programs for Safety Management

Convergence: So you talked about the importance of systems and management systems. Can you walk us through again how that’s related, what does that mean in the context of occupational health and safety management, and how exactly is that different than a program–systems as opposed to programs?

Pam: Sure, sure. So a management system is a set of inter-related policies, processes, procedures, and they are intended to address a particular function of an organization.

So an occupational safety and health management system is intended to address the occupational safety and health functions of the organization. But they also apply to things like financial management, supply-chain management, business continuity…those are the examples that we were just talking about a couple of moments ago.

But again, just to reinforce, and this concept can’t be overstated, the difference between a program and a system is that a program stands alone: a confined-spaced entry program, a fall protection program, a respiratory protection program, etc. While parts of a system, like risk assessment and communication and consultation and the monitoring that we do, all work together and those arrows on that framework that I was just alluding to, that’s what those mean. Those arrows go back and forth because those pieces go together.

So, in an occupational safety and health management system, the objective very broadly is to reduce workplace injuries and illnesses to an acceptable level. Each organization has to figure out what the acceptable level of risk is, what the risk are that they’re exposed to, that’s establishing the context, and earlier I was talking about a couple of examples of completely different organizations and what their context might be, and to achieve those objectives, we solicit information about the risk from our stakeholders, whether they’re internal stakeholders or external stakeholders, though communication and consultation, dialogue and joint decision making. We figure out how our workers could get hurt, how badly hurt they could get, what’s the likelihood of it happening to them, and the whole risk assessment process. We implement a plan to reduce those risks through risk treatment. And then we check to make sure the plan is working, revise it if it isn’t, and then monitor and review.

So each of those pieces functions together and the whole cycle, that circular plan-do-check-act cycle that we talked about, it’s a critical piece of any kind of management system, whether it’s financial health, occupational safety, or whatever kind of system you’re dealing with.

Safety Management Systems Standards

Convergence: All right, great. I know that earlier, when we talked about risk, you gave us some specific examples of standards related to risk, and I wonder if you could call out a couple ISO or ANSI standards related to safety management systems as well?

Pam: Sure, and it’s important to talk about these, because as OSH professionals, many of us spend a lot of our time on, and looking at regulations. But if we’re going to lead our organization into this change, to a systems approach, through risk and occupational safety and health management systems, we have to know what these standards are, we have to understand them, and we have to be able to lead from that as our foundation. So it’s important to understand what they are, how they fit together, and how we can implement them.

So we talked already about ANSI/ASSP Z690, that’s the American adoption of the ISO 31000 standards on risk management. In addition, there are a couple of occupational safety and health management systems standards that people should be familiar with, if they’re not already. The newest kid on the block is the ISO 45001 standard, just published in March of this year, and that was a four-plus year process of developing and building consensus for that particular standard.

It is based upon several other standards–there are five or six of them out there–but the two that most OSH professionals might be familiar with are the ANSI/ASSP Z10 standard and the OHSAS 18001 standard. The former, Z10, is currently being reviewed by the ANSI-accredited standards committee, and I just literally got an email before I logged in here this morning that indicated that ANSI/ASSP Z10 is being approved and updated to align with ISO 45001. So those standards should mirror each other. They’re based on similar concepts, and that has been adopted by the Z10 committee.

And so for many of us who are familiar with that (Z10) standard–that’s been around for ten years or so–it provides a safety management system that is OSH-based, so it is specifically an occupational safety and health management system, that is used primarily in North America. It is not a standard that can be easily certified by a third party, but it is a great standard for many organizations who want to self-certify themselves. They can use it as a benchmark to mark their safety management system against, or to implement or revise their system.

The other one, OHSAS 18001, was a big part of ISO 45001, it was one of the two foundational standards that was used (including

Want to Know More?

Reach out and a Vector Solutions representative will respond back to help answer any questions you might have.