If you’re in safety or EHS, you may have heard of risk management.
Maybe you know exactly what that means. If so, great. We even encourage you to leave your insights, knowledge, and experience at the bottom of this article in the comments section.
But maybe you don’t, and maybe you’ve wondered about risk. If so, this post is for you. We’ll explain what risk management is and how risk management and safety are related.
Let’s start by defining some terms. ISO Guide 73:2009 includes the following definitions:
Now let’s look at each of those a little more closely in the sections below.
In addition, you’ll probably be excited to know there’s a free guide to using risk-based approaches for occupational safety and health management at the bottom of this article.
The definition from ISO Guide 73:2009 says risk is “the effect of uncertainty on objectives.” Let’s break that down a bit.
The average business has any number of objectives. These include things like creating a new product, making a profit, and ensuring safety (but there are lots more, as you’d imagine).
Various things can affect a business’s chances of meeting each of those objectives. Those effects, in which the outcome departs from what was expected, can be either positive or negative. So yes, risk management studies both things that affect objectives in a positive sense AND things that affect objectives in a negative sense. (Still, it’s most common to think of risk management, and to perform it, for risks that have negative effects.)
You can read more on risk here.
ISO Guide 73:2009 not only states that risk management is the set of “coordinated activities to direct and control an organization with respect to risk,” it also fleshes that out for us a bit. According to the standard, the risk management process includes the following activities related to risk:
You can read more about these principles of risk management here.
We’ll look more closely at several of these aspects below–especially risk identification, risk analysis, risk evaluation, and risk treatment.
As noted above, risk and risk management apply to many different parts of a business or organization. For example, risk management is big in finance, and if you read up on the Enron scandal or the recent Great Recession, you’ll run into references to the risk management departments of the companies involved. Likewise, the pharmaceutical industry takes great interest in risk management, and when a class of drugs called NSAIDs (this includes ibuprofen) was found to elevate the risk of cardiac problems, the risk management departments at these companies sprang into action.
But in this article, we’re primarily interested in risk management and how it applies to EHS and safety. In particular, we’re interested in risks with a possible negative effect, which is pretty much what OSHA calls a hazard. Here’s OSHA’s definition of a hazard, drawn from an OSHA guide to the job hazard analysis:
“A hazard is the potential for harm. In practical terms, a hazard often is associated with a condition or activity that, if left uncontrolled, can result in an injury or illness.”
So in the context of safety or EHS, risk management is primarily concerned with identifying, analyzing, evaluating, and “treating” the risk to avoid, control, reduce, accept, or transfer the risk. That’s what we’ll focus on for the rest of this post.
For even more on risk management and safety, check out the following interviews we’ve done with safety & risk expert Pam Walaski:
Risk management begins with risk identification. Let’s begin by seeing how ISO Guide 73:2009 explains this phase (we’ll do the same thing with the other phases listed below too).
Risk identification is the “process of finding, recognizing and describing risks…it involves the identification of risk sources, events, their causes, and their potential consequences.”
And since we’re talking about safety and hazards, let’s see what ISO Guide 73:2009 has to say about hazards:
A hazard is “a source of potential harm” and a hazard “can be a risk source.”
How does a safety expert identify risks (what we’re calling hazards in this safety-specific example)? The job hazard analysis is a good place to start. Read our earlier blog post about the job hazard analysis or check out this OSHA guide to the job hazard analysis for more information on that.
Once you’ve identified a risk, it’s time to analyze it. Here’s the description from ISO Guide 73:2009:
Risk analysis is a process undertaken to “comprehend the nature of risk and to determine the level of risk.” ISO Guide 73:2009 also states that “risk is often expressed in terms of a combination of the consequences of an event…and the associated likelihood of occurrence.”
To put that into everyday language, once you’ve identified a risk, analysis includes the process of determining:
These two ideas, the likelihood that the risk or hazard could cause harm and the severity of the consequences, are often displayed in a risk matrix.
You can create a risk matrix to represent the likelihood and severity of a given risk (or hazard).
The matrix is typically set up to allow you to analyze two different characteristics of the risk. These are the risk’s likelihood (or probability) and its severity (or consequences). Each can be categorized from lesser to greater, as shown below.
Likelihood or probability (these go in order from least likely to most likely)
Severity or consequence (these go in order from least severe to most severe)
The risk matrix is often presented in a table, as shown below.
As you’d guess, for each risk (or hazard), you’d determine the likelihood and the severity and check the appropriate box in the table.
For example, here’s a risk that happens only rarely and would lead to only minor harm.
And, here’s a risk that is very likely to occur and would lead to a catastrophe.
The risk matrices shown above are just one example of how you can do this. You and/or your organization may make your own, and here are a few others to consider:
Once you’ve analyzed the risk, perhaps putting it into your risk matrix, it’s time to evaluate. Here’s how ISO Guide 73:2009 explains evaluation:
Risk evaluation is the “process of comparing the results of risk analysis with risk criteria to determine whether the risk and/or its magnitude is acceptable or tolerable.”
In other words–once you’ve analyzed the risk to determine its likelihood and its severity, are you willing to “live with it” or do you want to do something to address the risk?
Risk evaluation includes a process of ranking the risks in terms of their magnitude, from the biggest risk to the smallest, and comparing them against a set of risk criteria to determine which risks should be addressed.
Here’s what ISO Guide 73:2009 has to say about risk criteria:
Risk criteria are “terms of reference against which the significance of a risk is evaluated…risk criteria are based on organizational objectives and external and internal context…risk criteria can be derived from standards, laws, policies, and other requirements.”
Considering our two examples above, a risk that’s a near certainty to cause harm and that would lead to catastrophic consequences is something you wouldn’t find acceptable or tolerable. By contrast, if something’s very unlikely to happen and would cause only a minor issue if it did occur, you probably would find that risk acceptable or tolerable.
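Here is how the analysis step (likelihood and severity in a risk matrix) and the evaluation step (ranking by magnitude and comparing against risk criteria) described above could be carried out for a list of hazards. This is an added Python example, not code from the article or from any ISO standard; the five-level scales, the product-of-ranks score, the acceptable/tolerable/unacceptable bands and the sample hazards are all assumptions standing in for an organization’s own risk criteria.

```python
from dataclasses import dataclass

# Ordinal scales, least to greatest (assumed labels; the article leaves them open).
LIKELIHOOD = ["rare", "unlikely", "possible", "likely", "almost certain"]
SEVERITY = ["negligible", "minor", "moderate", "major", "catastrophic"]

# Risk criteria (assumed): magnitude = likelihood rank x severity rank (1..25),
# banded into the organization's acceptability categories. Upper bounds are inclusive.
CRITERIA = [(4, "acceptable"), (12, "tolerable"), (25, "unacceptable")]


@dataclass
class Hazard:
    name: str
    likelihood: str
    severity: str


def score(h: Hazard) -> int:
    """Risk analysis: combine likelihood and severity into one magnitude.
    An unknown scale label raises ValueError rather than silently scoring 0."""
    return (LIKELIHOOD.index(h.likelihood) + 1) * (SEVERITY.index(h.severity) + 1)


def evaluate(h: Hazard) -> str:
    """Risk evaluation: compare the analyzed magnitude against the criteria bands."""
    s = score(h)
    for upper_bound, label in CRITERIA:
        if s <= upper_bound:
            return label
    raise ValueError(f"score {s} exceeds the highest criteria band")


def rank(hazards: list[Hazard]) -> list[Hazard]:
    """Order hazards from biggest magnitude to smallest (ties keep input order)."""
    return sorted(hazards, key=score, reverse=True)


def risk_matrix() -> dict[tuple[str, str], str]:
    """The full matrix: every (likelihood, severity) cell with its evaluation."""
    return {(l, s): evaluate(Hazard("", l, s)) for l in LIKELIHOOD for s in SEVERITY}


# Constructed sample hazards, including the article's two illustrative cases.
SAMPLE_HAZARDS = [
    Hazard("paper cut at copier", "rare", "minor"),                      # 1 x 2 = 2
    Hazard("forklift in pedestrian aisle", "almost certain", "catastrophic"),  # 25
    Hazard("solvent off-gassing in paint booth", "likely", "major"),     # 4 x 4 = 16
    Hazard("slip on wet loading dock", "possible", "moderate"),          # 3 x 3 = 9
]

if __name__ == "__main__":
    for h in rank(SAMPLE_HAZARDS):
        print(f"{score(h):2d} {evaluate(h):12s} {h.name}")
```

Everything rated other than “acceptable” is a candidate for treatment, which is where the hierarchy of controls discussed later in the article comes in.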
With the risk identified, analyzed, and evaluated, it’s time to consider treating the risk. What does that mean?
Here’s how ISO Guide 73:2009 explains risk treatment:
Risk treatment is a “process to modify risk…risk treatment can involve avoiding the risk by deciding not to start or continue with the activity that gives rise to the risk, taking or increasing risk to pursue an opportunity, removing the risk source, changing the likelihood, changing the consequences, sharing the risk with another party or parties, and retaining the risk by informed decision.”
Let’s look at a few of those treatment options in the context of safety.
First, consider “retaining the risk by informed decision.” This would be a situation in which you’ve decided you’re willing to accept the risk and do nothing to modify it. This would probably be something like a risk that happens only rarely and that leads to minor consequences.
Next, consider “sharing the risk with another party.” An example would be getting an insurance policy to cover your building in the event of fire.
Finally, consider “avoiding the risk by deciding not to start or continue with the activity that gives rise to the risk.” An example of this would be recognizing that a production process results in dangerous off-gassing and halting production.
Since you’re presumably a safety expert if you’ve read this far, we assume you can think of your own examples for “removing the risk source,” “changing the likelihood,” and “changing the consequences.”
As a group, the risk treatments that deal with negative consequences are often referred to as risk mitigation, risk elimination, risk prevention, and/or risk reduction. We discuss those in further detail in the next section.
In safety, there ARE some risks that you’re willing to tolerate, but there are lots that you’ll want to “treat” by controlling them. One standard way to select a control (or several controls) for a specific hazard is by working through the hierarchy of controls.
The idea behind the hierarchy of controls is to work through different classes or types of controls when you’re trying to figure out how to control a specific hazard. Those types of controls are listed in order within a hierarchy. You should try the first type of controls, shown at the top of the list below, before you go on to the second, third, and fourth type of controls.
With that said, here’s the hierarchy of controls:
So, for every hazard you’re trying to control, you’d consider elimination or substitution first, engineering controls next, administrative controls after that, and then finally personal protective equipment (PPE). In some cases, you’ll use more than one type of control, and PPE should be considered only a last means of controlling a hazard.
Here’s a helpful OSHA document if you want more information on the hierarchy of controls.
And here’s an article we wrote about the hierarchy of controls, which even includes a free Hierarchy of Controls eLearning course you can watch online (for free) or download a copy of (for free).
We’ve referenced ISO Guide 73:2009 throughout this article, but there are several different risk management standards. Here are a few:
To top that off, here’s a nice comparison of the risk management standards above.
Please check out these articles on this topic as well:
We’d be curious to know about your own exposure to and experience with risk management. If you’re involved in safety at work, does your company have a risk management program? Either way, do you use some or all of the techniques described above at work? What are your experiences with them?
One last thing: don’t forget to download the free guide to occupational safety and health management using risk-based approaches below.