Why Risk Assessment?

Assessing risks is a crucial element of Risk Management, a wide-ranging concept applied in many different sectors such as the occupational work arena, finance and counter terrorism. This short discussion will focus on the occupational sector and the role it plays. The key tool for effective risk management is a good risk assessment.

The first question to be addressed is “why assess risks at all?” To answer this it is necessary to go back to the basic origins of the systems Safety Professionals are currently familiar with. These are based, more or less, on the findings of the Robens Commission, established by the UK Labour Government in the early 1970s. The commission was established in response to industry disgruntlement with the mire of legislative Acts and Regulations that existed in the occupational areas at that time, and with the costs and complexity involved in attempting compliance in a time of industrial and technological upheaval.

The Legal Landscape

These laws included the Offices Shops and Railway Premises Act, the Factories Act and the myriad regulations and enormous amount of detailed and very specific requirements that existed in the various work sectors, for example regulations such as the Protection of Eyes Regulations, Docks Regulations, Shipbuilding and Ship Repair Regulations and Power Presses Regulations.  Some of these regulations created legal frameworks that were impossible to achieve.

One of the best examples of this legal conundrum was the case of John Summers & Son Ltd vs Frost, where Mr Frost was injured in the course of using a grinder. He subsequently initiated action against the employer, citing failure to comply with the provisions for “fencing” (guarding) under the Factories Act s 14. This section required that the “…dangerous parts of any machinery must be securely fenced as to be safe…” This was deemed by the High Court to be an “absolute duty”, and the fact that such guarding would render the machine unusable was not relevant. It is evident that such a condition could not be allowed to exist for industry, and thus the groundwork was laid for the “Abrasive Wheels Regulations” to be created to amend this anomaly.

The exceptional aspect of the Robens Commission, headed by Lord Robens, was that it was one of a very few Commission reports whose findings and recommendations were adopted into law by the government almost verbatim. This, then, is the genesis of the UK’s Health and Safety at Work etc Act 1974 (HASAWA). This law established a legislative template that has since been adopted in many places throughout the world to a greater or lesser degree, including Australia.

The key differentiator of the HASAWA was the change in philosophy which Robens developed based on the principle that it should be for “the creator” of the risk to also be “the controller” of the risk.  In other words, where a business or undertaking creates a risk which employees are subjected to, then that business must ensure there are processes or controls in place to protect the employees from that risk.  In this manner the framework was, in a way, distancing the requirements for creating workplace law from the legislative arms of government and placing it into the hands of the business sectors responsible for the creation of the risk.

How Much Control is Needed?

The next challenge then was for the “risk creators” to know “how far do we need to go to control the risk?”. As has already been demonstrated, the words of the “absolute duty”, e.g. “must”, “shall” and similar, have very powerful legal meanings, to the point of impossible compliance. In recognition of this, the HASAWA had two other legal standards enshrined within it: the standard of “practicable” and “so far as is reasonably practicable” (sfairp, commonly pronounced “sefarp”).

The difference between these two standards is subtle but important.  In essence the standard of “practicable” means that if something CAN be done – then it MUST be done – irrespective of cost, difficulty or any other confounding variables.  This standard is epitomized in the Control of Major Accident Hazard Regulations which require that “…Every operator shall take all practicable measures necessary to prevent major accidents and limit their consequences…” There is NO consideration for “reasonableness” or “cost” – essentially if it can be done – it must be done.

In contrast, the standard of sfairp means that the creator of the risk can do what amounts to a “cost benefit analysis” or economic risk assessment.  In this case the risk and the controls that are, or may be, required for that risk can be subjected to a consideration of what was called, in law, the “COILS” test.  This is where the “Cost” – in terms of not only money but also effort, time, manpower, business impact and any other relevant factors, the “Obviousness” of the risk, the “Inherent nature” of the risk, the “Likelihood” of the risk manifesting itself and finally the “Severity” of the outcome(s) are all considered as a whole, and balanced against the risk. A decision is then made as to whether something is “reasonably practicable”.

The outcome of this is that most modern legislation for workplace safety has requirements that are phrased in a form similar to requiring that the “employer” (or similar variants) shall (the ABSOLUTE DUTY) do all that is reasonably practicable to ensure the safety and health of all their employees whilst engaged in their employment. In this way the risk creator is required absolutely to try to do everything they can reasonably do to ensure their employees are safe from the risk of the activity they are undertaking.

Interestingly, there are very few areas where the duty of “practicable” as properly defined is used to any great extent in other jurisdictions outside the UK that have adopted the Robens model. Under previous Australian state legislation, some states used the word “practicable” in their Acts, but it was then defined, under the definitions/interpretations section, as being “reasonably practicable”, e.g. WA OSHA 1984 Pt1 s3 (1) “Terms Used”.

The Risk Assessment

How then, in view of all these requirements and standards, can the risk creator show that they have done all that is sfairp to control the risk and to ensure safety? The answer to this question lies with the “risk assessment” and its role in assisting the considerations of establishing sfairp, thus enabling the risk creator to prove that all that is reasonable had been done to ensure the effective control of the risk and therefore to demonstrate compliance.

Much is made of risk assessment and the various processes which are used to carry out the process.  Often it is quoted as being a “quantitative” or “qualitative” risk assessment.  The basic premise here is that, for the former, the process relies on mustering all the possible empirical data in relation to the risk. This may include such information as, for example:

  • the number of times a micro-switch will correctly operate before failure,
  • the reliability data for a particular piece of equipment or
  • even other processes such as Technique for Human Error Rate Prediction (THERP) for quantification of the number of times an “average human” will operate a switch correctly in response to a cue of some description, such as a warning.

For the latter, it relies on the “qualitative” process of assessing the risk on the broader and arguably less scientific approach of subjective experience, best guess, previous history and then applying a series of “pseudo-quantitative” matrices or other tools to arrive at a consideration of how serious the risk is.

In both cases there is then the process of applying controls to the risk, sometimes called “risk treatments”, and then re-evaluating the figures to establish how effective the actual or proposed risk control appears to be.

The reality is that both techniques really are qualitative to some degree. The very high level quantitative systems really only minimise subjectivity via the application of some evidential data. The qualitative aspect still remains, as no failure data can ever be fully trusted as an accurate predictor – only as an indication of potential for failure when historically accurate data is used. However, all are familiar with the number of times the 1:100 year flood can occur, or how the switch with a rated failure rate of 1:3000000 operations fails after 200 operations but the next apparently identical switch lasts for 6000000, and other similar examples.

Irrespective of which matrix or assessment technique is used, the same principles apply:

  • Establish the “hazard”
  • How does the hazard manifest as a “risk”
  • A qualitative evaluation of “how serious”, “how often” and “how likely”
  • Application of a control strategy
  • Final re-assessment of the risk to validate the efficacy of the control in managing the risk.

There are many variations on these principles; however, the core remains the same. Some tools also integrate questions in relation to “cost”; some consider “raw risk”, which is to say the absolute risk with no controls at all, even if they are self-evident and always applied.

If this process is done correctly, the system should provide evidence of consideration of the risks and a review and consideration of the controls to be applied or currently applied to the risk and whether they are “reasonably practicable”.

Predictive vs Existing

In the ideal world all assessments would be done in a “predictive manner” meaning before the activity is to take place.  However the reality is that only a few industries can actually have this luxury.  For many industry sectors the activity is already being carried out.  Examples include the production sectors such as car manufacturers, food manufacture and processing where by definition, the assessment is being carried out on existing processes and practices.

The unique advantage of an established process or activity is that as the assessment(s) are regularly reviewed, there is great opportunity to always be at the forefront and continuously identifying current and future ways of improving it.  This can have significant advantages commercially, financially and competitively as well as in terms of safety.

The major risk of the stable process or activity is that of complacency and the trap that “it’s been OK for the last 10 years – it must be alright!”

Truly predictive assessments really are the realm of “dynamic” workplaces or new undertakings.  These are typified by the characteristics of change and rapid evolution; one example of this is in construction where even though the process may have been done many times before, the unique characteristics of specific locations change and therefore change the assessment of the process.  An ideal example includes crane operations where there are overhead lines, changing ground conditions, “tandem” lifts, proximity of public and adjacent structures and a myriad of other variables that must be identified and considered as part of the assessment.

The other major area of concern in dynamic work environments, processes or activities is that the persons tasked with the conduct of the assessment are also changing. There is also a greater reliance on the “generic” assessment. In itself this is not a bad thing and has considerable advantages in time savings, but such assessments must be accurately and carefully reviewed for applicability to the current situation.

The assessor(s) must be aware of and understand

  • the true nature of the task at hand,
  • the nature of those conducting the activity, and
  • the extent of knowledge in relation to the activity.

They must also maintain a current technological knowledge in respect to the process/activity and the environment in which it occurs.

Selection of Control(s)

The key to successful risk management is the correct selection of the control(s) to manage the risk identified. To be truly effective it is essential that the controls work, and as far as practicable they should work without human input. It is a fact that humans are inherently fallible – that is the nature of humans. They are subject to emotions, distraction and many other things that take their focus off the activity they are doing. This is even more pronounced in repetitive and cyclical tasks, where the risk is that of “zoning out” or daydreaming.

Therefore the “best controls” are those that rely least on humans and human decision making or actions. In recognition of this there is a clearly established “hierarchy of control” which has been developed and accepted as good practice. In essence it comprises 5 steps to be considered and implemented from the highest level of control to the lowest level. These are:

  • Elimination – in this case the control is by completely eliminating the risk, i.e. DON’T DO IT!
  • Substitution – this is where the hazard or risk is substituted by a different process or material to achieve the same outcome – a simple example of this is the use of water based paint instead of solvent based;
  • Engineering – controls of this nature are normally of the type where guarding is used or “light curtains” and fast-stops where machines are immediately brought to a halt if anything enters the danger zone;
  • Administrative – the administrative controls are best known as operation instructions, Safe Systems of Work and other similar names. These rely on people following a documented process or set of instructions to ensure safety;
  • Personal Protective Equipment (PPE) – the lowest level of control, which comprises hard hats, respirators, safety glasses, gloves and similar.

The most important aspect of the hierarchy of control is that, in using it, each level of control is applied sfairp before going to the next level. It is NOT an “either or other” choice. So in attempting to apply it we must first consider “can we eliminate” the risk. If we can, then the problem is solved! In most cases, however, the answer will be “no”. At this point we must move to the next level and try to substitute it. As a simple example, we have substituted our paint, but we still need some good ventilation in our confined room, so we put in some local ventilation, which is an engineering control. But we must ensure that all doing the job understand it, so we move to the next level of administrative control and make a job instruction backed up with a pre-start briefing, and then finally we give them PPE in the form of gloves for their hands, as the data sheet tells you to avoid skin contact.

This is a simplistic example, however it demonstrates how the hierarchy needs to be applied in all cases. Obviously every case will be different but if this process is followed diligently and recorded then the demonstration of “sfairp” will be satisfied.

Common Mistakes and Failures

Regrettably there are many and varied reasons why risk assessments fail and prosecutions result.  Some of the more common reasons are listed below:

  • The assessments being used to justify the existing systems rather than critically question and examine;
  • There is a reliance on “generic” assessments without truly examining the specific situation;
  • Risks are considered in isolation and fail to consider synergistic effects which may be otherwise benign (cumulative risk);
  • Assessors look too closely at the “hazard” and fail to recognise the “risk” and how it manifests itself;
  • Assessors fail to adequately consider all potential controls or genuinely seek controls in use elsewhere;
  • The assessment does not include the key personnel in the process – and in particular those who must “take the risk” ie the workers themselves;
  • Assessors fail to fully consider ALL controls applicable to a particular risk and are attracted by the “easy fix” – also known as application of “the Hierarchy of Control”;
  • Assessors do not recognise that in some cases the treatment itself can pose its own set of risks or impact on another process;
  • Assessors fail to adequately translate the results of the assessment into a suitable “system of work” supported by training and information to those conducting the activity.

The above list is not exhaustive and there are other causes – but these are the most commonly encountered and certainly the most frequent in terms of resulting in some form of regulatory action or other action including possible punitive measures.

In Conclusion

The process of risk assessment is a way of enabling an undertaking to manage risks to the business, its personnel and others who may be affected. There are many ways in which it can be less than satisfactory and many ways it can fail to deliver or meet expected outcomes.

Nevertheless, if performed correctly and in a competent and capable manner, there is no doubt that it provides a method that allows for innovation, improvement and maximisation of risk control. It can also deliver the “double bottom line” of being not only safer but also more effective and productive, and of improving business competitiveness and advantage.

It is often forgotten that risk is also in the business of creating advantage as well as avoiding unacceptable consequences.  It is often said that “legal compliance is the minimum standard”.  When the term “sfairp” is properly understood – how can anyone perceive this to be considered in any way the minimum standard? It is in fact the very highest standard that any organisation can achieve by the very definition of the words and is then fully defensible anytime and anywhere.