What is risk?
Risk is defined in ISO 31000 as:
effect of uncertainty on objectives
The opening paragraph of the introduction to the standard explains that risk is the consequence of an organisation setting and pursuing objectives against an uncertain environment. The uncertainty arises from those internal and external factors and influences that it does not completely control but that may cause the organisation to fail to achieve its objectives or may cause delay. These factors and influences can also lead to the objectives being obtained early or exceeded. Risk therefore is neither positive nor negative but the consequences the organisation experiences may vary from loss and detriment to gain and benefit.
The ISO 31000 definition of risk quite rightly shifts emphasis from past preoccupations with the possibility of an event (something happens) to the possibility of an effect and, in particular, an effect on objectives.
When risk is defined like this, it reveals more clearly that managing risk is, quite simply, a process of optimisation that makes the achievement of objectives more likely. Risk treatment is then concerned with changing the magnitude and likelihood of consequences, both positive and negative, to achieve a net increase in benefit. Controls then are the outcomes of risk treatment, whose purpose is to modify risk.
It also follows that risks are neither just events nor just consequences. They are descriptions of what could happen and what it could lead to in terms of how objectives could be affected. Risks do not eventuate, happen, manifest themselves or occur other than when an organisation or a person decides that they want to achieve something, that is, when they set objectives.
In the past, it has been common for risk to be regarded solely as a negative concept that organisations should try to avoid or transfer to others. However, it is now widely understood that risk is simply a fact of life and is neither inherently good nor inherently bad. To avoid it entirely is to forgo the opportunity of pursuing objectives. If we can successfully detect and understand risk, including how it is caused and influenced, we can, if necessary, change it so that we are more likely to achieve our objectives and might even do this faster, more efficiently and with improved results.
Risks are either changed or created in all decisions people make: how those decisions are made and the information they are based on will affect whether objectives are achieved in a reasonable time scale. Decision making is, in turn, an integral part of day-to-day existence and nowhere more prominent in an organisation than at times of change and when responding to external or internal developments. This is why risk management is an inseparable aspect of managing change and other forms of decision-making.
What are hazards?
Some people are still confused as to what is a hazard and what is a risk. Indeed, some (incorrectly) use the terms interchangeably. Worse still, some organisations apply risk-rating processes to hazards in the belief that this is all the risk assessment they need to do.
A hazard is defined as a source of potential harm. The harm can occur to people, the environment or to organisations. Unlike risks, you can normally see hazards or can detect their presence through direct measurement. They are tangible, real and often physical and only relate to damage, loss or detrimental outcomes.
Hazards are a class of things that are described as risk sources. These are things which alone or in combination have the intrinsic potential to give rise to risk. In other words, if there is no risk source there is no risk. This is why zero-harm initiatives focus on hazard identification and removal and avoid considering how likely it is that harm will actually occur.
While a hazard has the potential to cause harm, harm does not automatically occur. It requires some event (or action) to occur and interact with the hazard. So, for example, a drum of flammable liquid may be a hazard but no harm will manifest until someone punctures it or it is caught in a fire. In the western world we generally focus our safety programmes on hazard elimination or containment; but as an alternative, we could tolerate lots of hazards in the workplace and focus our attention on stopping the relevant events or actions from occurring. This second philosophy is present in some parts of the world and in some industries where hazards such as dangerous parts of machinery are left unprotected and the emphasis is on personal discipline and thinking before you act.
What are the links between hazards and risks?
If hazards are eliminated, then risk changes – often for the better. Because risk is intangible and is only associated with uncertainty in forming and achieving objectives, an effective hazard management programme will generally lead to an organisation achieving its objectives where those are concerned only with the minimisation of harm or detriment. However, if those objectives are concerned with the achievement of other types of goals or outcomes, then risk management requires a process of optimisation where cost-benefit analysis has to be applied to a range of risk treatment options to determine the optimal set and therefore the level of risk that will be tolerated.
In practice, this means that risk management is best applied ‘top-down’ in an organisation so that it is involved with the setting and achievement of objectives. In safety management, for example, this means using risk management to set objectives and to develop strategies to help achieve them.
Modern safety management therefore involves:
- At a strategic level, setting safety objectives and developing risk treatment plans using the risk management process
- Hazard identification and elimination in the workplace
- For complex or high risks, using sophisticated risk identification, analysis and evaluation tools to fully understand the risks and their causes and to develop appropriate risk treatment strategies.
Importantly, organisations have moved away from hazard risk-rating approaches using matrices and look-up tables (often on pocket-sized cards), which are technically invalid and rely on users being able to predict reliably both the severity of the harm that can occur and also its likelihood. This kind of approach so often involves combining some measure of the likelihood of an event with a measure of the consequences (in many cases, worst-case consequences) that could possibly arise. However, this often grossly overestimates the current level of risk because it fails to take into account the existing controls, and it leads to ill-focussed and unreliable risk treatment and prioritisation. When combined with an escalation process it can lead to risk management being reduced to just a risk-register-filling, paper-shuffling exercise where members of management are required to sign off on risks and assessments of risk that actually have no credibility. Unfortunately, for some organisations this kind of activity still gives them some sense of security.
The association of a measure of likelihood to a level of consequences requires in-depth knowledge of:
- How events can occur under particular circumstances;
- The effectiveness and influence of controls (inherent as well as explicit) in the workplace concerned and for the activities that could take place;
- The relevance, reliability and availability of controls in different work situations, timings and circumstances;
- Historical experience and its applicability or not to the workplace being considered and to the activities that could occur.
Unfortunately, those who are often called upon to judge likelihood rarely have this kind of information and therefore have to rely on their personal experiences to provide the basis for the decision on how likely it is that someone could get hurt. If they have never experienced that event or those circumstances before, it is human nature to assume that it will not occur to them or is unlikely in those particular circumstances.
Delegating decisions on the likelihood that harm will occur in this manner can be seen as an abrogation of authority by management, who are, by law, accountable for the management of the risks to their employees’ health and safety.
Applying a simple risk rating process to more complex hazards or where the severity of the potential consequences is high also often reflects poor risk management. Qualitative risk analysis using a matrix system is acceptable for screening risks out for more detailed analysis and for prioritising risks for attention. However, more complex or significant risks require and often justify more sophisticated and detailed approaches to risk assessment so as to rigorously analyse and evaluate the risks and develop appropriate risk treatment measures.
Hazards and risks are simply not the same. Indeed, confusing the two concepts is unhelpful and can be detrimental.
Risks are concerned with the effect of uncertainty on objectives and only occur when objectives are set. Hazards reflect a potential for harm and, if they are present, intrinsically give rise to risk.
For safety management, in particular, the use of matrix-based methods to rate hazards can lead to poor risk management, to employees being exposed unintentionally to high risks and to effort and resources being wasted and misdirected. This can occur because the existing controls and their effectiveness are ignored when the level of risk is determined (incorrectly) as a product of the likelihood of an event and a measure of its consequences. Also, quite simply, those being called upon to make decisions about likelihood are not often equipped with the information they need and are therefore likely to judge that intolerable risks are tolerable.
Effective safety risk management requires a three-element approach:
- Strategy setting and risk treatment definition through the top-down application of the risk management process
- A pronounced focus on hazard identification and elimination in the workplace
- The use of sophisticated risk identification, analysis and evaluation methods for complex and high risks to ensure appropriate risk treatment occurs.