Risk management in the workplace

Irrespective of the industry we work in or the nature of our particular workplace, we are all exposed to differing levels of risks from hazards. Whether those hazards actually pose a 'real risk' is often unknown. Does your workplace have a risk register? Does your company use risk management as a means to achieve strategic business goals? Are you just one step ahead of the regulator? Answers to questions such as these help set the context for risk management. Understanding the context and having a reasonable understanding of the risk management process is essential when planning your approach as to how best to spend your 'safety' dollars.

Risk management is a wide ranging subject but this commentary is concerned with managing industrial hazardous events that have the potential for adverse impact on personnel safety (injury or death), the environment or a company's financial performance (as a result of equipment damage, subsequent repair/replacement/clean-up costs, business interruption, loss of market confidence or liabilities).

What is a hazard?

The appropriate definition will depend on the acts, regulations, standards and guidance documents that govern your workplace. AS4360 Risk Management and AS3931 Risk Analysis of Technological Systems define a hazard as "a source of potential harm or a situation with a potential to cause loss".

For engineers and scientists a more graphic definition could be a source of potentially damaging energy (mechanical, chemical, electrical, biological, etc) where the uncontrolled release of that energy has the potential to cause harm.

What is risk?

Risk is dimensionless, and in simplified terms is the product of hazard likelihood (a term covering either probability or frequency) and the severity of the worst-case credible consequence, should the hazard arise.

Risk management in essence means identifying hazards, assessing the associated risk, where risk is unacceptable changing the situation until it is, then controlling the situation to avoid or mitigate the remaining hazards. Like all management, the process is ongoing. "Set and forget" does not work.

AS4360 provides a simple but insightful risk model as shown in Figure 1. The management system must be simple, integrated and effective - often this is not the case and layers of complexity can be built up within a company that actually detract from safety.

Understanding the prevailing safety and risk culture operating within an organisation is essential when assessing both the effectiveness and possible failures of the various controls. Developing this understanding, in the context of other operating influences, requires a sound appreciation of managerial and psychological aspects (behaviour-based safety) as well as the industry technical aspects. Hence the implementation of risk management is rarely straightforward.

Risk assessment involves hazard identification, likelihood and consequence analysis (qualitative or quantitative depending on the hazard) and evaluating the effectiveness of controls to achieve a tolerable level of risk. Generally, the higher the level of risk the greater effort which is required to understand the initiating event frequency and how the hazard propagates through the layers of controls. Similarly, the potential consequences of high-risk events may need more detailed study to understand both the effects and how they can be best mitigated. There are numerous techniques available for use in the risk assessment process and include:

Top down approach

• What-if questions, checklists;
• Vulnerabilities;
• QRA (quantified risk assessment);
• Layer of protection analysis;
• Fault trees;
• Cause-consequence (combined fault trees and event trees with time arrow).

Bottom up approach

• Modified HAZOP;
• Failure mode effect and criticality assessment.

A combination of techniques is normally used, again dependent on the nature of the hazards and specific project, company or industry requirements. The important point is that the risk assessment is consistent, systematic and is carried out in the correct context. This also means that all potential hazards should be documented even if they are considered improbable and hence low risk.

A company risk matrix is a clear way to communicate to all concerned key elements of the company's risk policy ie, the levels of risk that are considered tolerable to that organisation. Tolerable risk in the workplace is defined in the context of industry's operational and regulatory environment which attempts to balance society's ever-changing perceptions to risk with the need to minimise production costs and burdens. Hence the definition of tolerable risk is as much a social construct as a mathematical one. The risk assessment process produces valuable deliverables but verification against accepted industry practice should be undertaken before applying the results.

It should also be noted that risks which are accepted as part of everyday life (eg, driving a car) may not be tolerable in the context of a company; an important subtlety to recognise if driving a car is a significant component of a company's activities.

The table shows a typical example of a risk matrix - the likelihood and consequence scales would be defined and form part of the matrix.

The details of the risk matrix should be consistent with the hazards in question. For example, Occupational Health and Safety hazards (eg, manual handling, dust exposure, heat stress, etc) tend to be task based and hence higher frequency with relatively low consequences while major hazards are characterised by low frequency and higher consequence. Trying to compare these directly on the same risk matrix will result in the risk from major hazards swamping the OHS risks, reducing the latter to low risks. This may not be the appropriate outcome, especially when, say, OHS risks are being targeted as part of a worksite continual improvement program.

In this case, multiple risk matrices may be appropriate.

When addressing industrial hazards the well-known hierarchy of controls is elimination, substitution (eg, with a less hazardous process), engineering controls, administrative controls and finally personal protective equipment. Following this guide is usually self-evident at the early stages of a new project, but technology and regulatory changes mean that existing hazards and controls should also be reviewed with this hierarchy foremost in mind. An example could be the use of ammonia as a refrigerant in a cooling water circuit since even a relatively small amount of ammonia could result in a site being classified as a major hazard facility. The substitution with a non-toxic (or less toxic) chemical during the operational phase may increase the capital cost but provide an inherently safer plant as well as significantly reducing the life cycle cost of compliance.

The levels of risk with no controls in place should be estimated first so as to have an understanding of the inherent risk (ie, the worst that can happen) associated with particular plant, equipment or process. Tolerable levels of risk are then achieved mostly through the hierarchy of controls mentioned above.

Inherent risk is an important concept as people tend to have a somewhat irrational sense of trust in controls.

Relating levels of individual voluntary risk is sometimes used when assessing workplace risk as shown in Figure 3. Note that the risk of car accident death is unacceptable in most industries which have tolerable risk targets set one or two orders more stringent. This is a point to bear in mind if road travel is an integral part of the workplace.

So when is risk assessment carried out? In the project phase to ensure everything is OK to get the operating licence? Only revisited on a case-by-case basis when either a modification comes along or when there is an incident?

The answer largely depends on the safety culture of the industry, the company and the particular workplace. Some companies are pro-active and utilise regular risk assessments as a means to maintain a safe place of work and as an element in assuring investor confidence by dependable performance. Risk management, like any other system, needs to adapt to a changing business environment, hence risk assessment should be carried out on a regular basis. Some of the benefits from this approach include:

• Dependable business operations;
• Safer workplace;
• Employee and public confidence;
• Managed liabilities;
• Auditable compliance.

Risk assessment is a competency that needs to be developed, at least to the level of an informed consumer. So should you develop these competencies in-house or buy in expertise?

A combination of both is required as the ownership of the risk management process must be with the managers, supervisors and workers in the workplace, hence whether in-house or external facilitation is used all relevant stakeholders must be involved. This way the risk management system will form part of the "way we do things around here". The use of external consultancy expertise is warranted to give you independent unbiased opinion of the risks and to help get the basics of the overall risk management process right.

Conclusion

The risk management process within the workplace provides a framework for implementing and communicating company risk policy and standards to employees. The implementation of risk management in industry has both technical and cultural aspects requiring integration with other business management systems if the process is to have an effective business outcome.

Risk assessment is a structured tool for making decisions which reflects the risks that a company is prepared to accept as described in their policies and standards. Decision-makers need to understand the basis and assumptions used for the risk assessment and limitations of the process. Above all, decision-makers need to have due regard for established good practice and technology changes, and ensure decisions are auditable.