Risk Assessment – The Basic Principles
Managing safety risk effectively is fundamental to the future viability of all organisations, and risk assessment is a key component. It is at the core of our discussions, as we know from far too many industrial accidents what can tragically go wrong when organisations deviate from the path of effective risk management and wander over into ‘fingers crossed’ or gambling territory. As aptly stated, “Discovering weaknesses in control systems by having a major incident is too late and too costly.” If having accidents is not the best approach to developing a risk management strategy, what approach should we take? “Where risk cannot be avoided, it has to be managed.”
Risk management has a number of key principles which can be used as an effective guide when considering safety risk. These principles are also reflected by commonly used hierarchy of controls where specific approaches have been developed to avoid or reduce risk across a range of common activities, such as working at height or exposure to occupational noise.
These principles are:
- avoid risk wherever possible;
- carry out risk assessment to evaluate risks that cannot be avoided;
- take action to reduce risks to ALARP (as low as reasonably practicable) levels;
- reduce risks at source wherever possible.
In addition, a balance has to be struck between the implementation of risk controls and their cost in what is known as the ALARP (As Low As Reasonably Practicable) principle. Let’s take a closer look at these to see how they fit together.
If an operation or activity takes place which contributes significantly to the risk profile of a company then avoiding or eliminating these where it’s feasible might seem to be a logical decision. The feasibility or otherwise of a risk avoidance approach will depend
- The complexity of the operation.
- The financial and opportunity cost.
- The availability and suitability of alternative technologies.
- The legal requirement to eliminate a hazardous substance or product, for example, asbestos.
- The focus on license or permitting compliance issues to the detriment of higher risk but non-compliance issues.
- The risk acceptance profile of top management.
In some instances, it may be possible to export a high-risk activity or process to another organisation and then accept the output of this process back into a production line.
Where risk cannot be avoided, it has to be managed.
This means developing an approach to identify, analyse, evaluate and control risk. This is normally a legal requirement for organisations stated in national legislation regarding occupational health and safety but increasingly includes process safety risk too. The risk management approach required will need to be scaled, depending upon the identified hazards, the severity and likelihood of an adverse event happening and their potential impacts. Whilst risk management methodologies are well understood, the unpredictable human element can add in an additional uncertainty element within each of the risk management steps, often with unintended consequences.
Whilst the term risk management implies that risk is being managed, the fact that risk will continue to be present to some degree will always provide an opportunity for uncertainty and on occasion, failure.
For our discussion, the use of the term uncertainty has two elements to it. Uncertainty exists in the case of an undesirable event that could happen in the real world even where a risk appears to be effectively managed, but it can also be introduced into the risk assessment process itself which could make the assessment process less effective than we might wish.
Uncertainty can be introduced into the risk assessment process in a number of ways:
Even though a risk assessment exists for an activity, this does not guarantee that all hazards and / or their subsequent controls have been fully identified. Insufficient rigor during the risk assessment process could leave unidentified hazards in place.
The risk assessment process is subjective and by definition, introduces bias and preferences from the individuals contributing to it.
The guidelines, references and standards that may be used as part of a risk assessment process may be inaccurate, outdated or even unsuitable for the hazard being assessed but these vulnerabilities may be unknown to the risk assessor.
Risk assessors and their teams may not be competent for the task of using technical risk assessment methodologies for objectively assessing risk in a particular area or in a specific location, although they may have competencies in other related areas.
Management can negatively influence the risk profile of an organisation in subtle and less obvious ways, such as may occur following financial budget cuts or redundancies. The actual real-world impact of these may not be apparent during the risk assessment process.
Hazard mitigation controls are often vulnerable to human errors or violations, which may leave them less effective than originally thought.
Low level or background indications that hazards are present should not be ignored because they are weak. Any indication that hazards are repetitive need to be investigated and assessed. NASA found this out to their cost after the loss of the Columbia shuttle in 2003 due to a foam strike on a protective wing tile. “Ascent risk, so evident in Challenger, biased leaders to focus on strong signals from the Shuttle System Main Engine and the Solid Rocket Boosters. Foam strikes, by comparison, were a weak and consequently overlooked signal, although they turned out to be no less dangerous.”
As Low As Reasonably Practicable (ALARP)
This now very familiar abbreviation is commonly used as a benchmark as to the limits on what is doable when looking to reduce risk but taking the financial cost, time and effort into account in order to achieve meaningful risk reduction.
There is a similar abbreviation used in some locations which is SFAIRP which means “so far as is reasonably practicable” but they mean the same thing in a working environment, although have slightly different meanings in a more formal legal sense.
The ALARP principle is now widely recognised as the measure to which health and safety enforcement agencies and the legal courts would expect to see workplace risk managed, especially in the UK.
The origins of the ALARP principle in the UK comes from an Appeal Court judgment in a legal case known as ‘Edwards v. National Coal Board’ in 1949. The case was brought against the National Coal Board after Mr. Edwards had been killed when a section of unsupported roof gave way on a travelling road in a mine. As other sections of the roof along the travelling road had already been supported, the Court decided that the cost of making that section of the travelling road roof safe was not great in comparison to the risk to life and of possible injury.
The primary impact of using ALARP is that there is now considerable history and knowledge on managing workplace risk which has been distilled into what can be called ‘good practice’. This knowledge can be used by organisations to manage workplace risks without having to re-invent the wheel.
Examples include using formal guidance documents or Approved Codes of Practice for managing prescribed work activities, although the stated requirements of regulations must be met in any event. It also provides the Courts with a well-established baseline which can be used to decide in a formal setting whether ALARP has been applied or not in the event of proceedings following an accident. For more complex activities or operations, the use of more formal decision making processes such as Cost Benefit Analysis can be used to make decisions on whether identified risk is or is not to the ALARP requirement.