After the data-gathering phase that sets the foundation for risk management, safety professionals must move into setting the scope, purpose, context and limitations of risk assessment itself. Whether managing the risks associated with a task, a process or an entire facility, the purpose and scope of the assessment must remain top of mind. Having a clear understanding of the specific goals and objectives will help guide the assessment, establish roles and responsibilities for stakeholders, and bring focus to the process.
The purpose and scope of the risk assessment must be aligned with the organization’s risk management process, which takes into consideration both internal and external factors that affect safety and business performance. Within that framework, one then identifies the objectives and decisions that need to be made as an output of the risk assessment.
This then informs the selection of specific risk assessment tools and techniques and the resources (e.g., time, people, data) required to complete the assessment. Note that it is as important to identify aspects that are out of scope as it is to define what is within the scope of a risk assessment. Doing so helps focus the assessment on the objectives and minimizes wasted effort.
Once the purpose and scope are established, they must be clearly communicated to and well understood by those involved in carrying out the assessment to ensure it proceeds efficiently and effectively. It is also important for the scope to be reviewed when conducting the risk assessment and revised as necessary as the process moves forward.
When conducting a risk assessment, safety professionals must work with stakeholders to establish criteria for the consequence of the risks present and whether those are in line with the goals and objectives of the assessment. Having an organization-specific set of criteria to measure against is a powerful tool for evaluating operational risk and making effective risk-based decisions.
“An organization must carefully consider appropriate risk criteria to serve its specific needs and attain desired results,” says Georgi Popov, Ph.D., QEP, SMS, ARM, CMC, professor in the safety sciences program at the University of Central Missouri and member of ASSP’s Risk Assessment Committee.
“The basis for developing risk criteria consists of determining and defining the key elements to be used including consequences, likelihood, risk levels, risk acceptability, risk treatments and combined risk,” says Popov. “Safety professionals should select a method that allows stakeholders to consistently and effectively assess, measure and achieve acceptable risk levels.”
Delving further into each element, safety professionals and stakeholders should ask the following questions when examining risk criteria:
- Consequences. What consequences could this risk have on worker safety and health, the environment, business interruption, reputation and legal and regulatory requirements?
- Likelihood. How probable is this risk to cause one of the identified consequences?
- Risk levels. How are we measuring and comparing risks in order to score and prioritize them?
- Risk acceptability. What is the acceptable level of risk based on our culture and objectives, as well as industry, legal and regulatory requirements?
- Risk treatment. What measures are required to achieve acceptable risk?
- Combined risks. How will we account for combinations of risks?
By answering these questions and working from the organization’s established risk criteria, risks can then be scored and prioritized. Risk scoring has traditionally been based on a two-factor calculation involving the likelihood of occurrence and the severity of the consequences. In recent years, other factors such as failure detectability, frequency and control effectiveness have entered the equation.
Tools such as a risk assessment matrix, failure mode and effects analysis and risk heat maps can help safety professionals further examine the potential likelihood and consequences associated with the identified risks and hazards. Risk scoring methods fall into one of three categories:
- Qualitative Risk Assessment - based on subjective definitions with descriptive words for risk factor levels
- Semi-Quantitative Risk Assessment - using qualitative data with numerical values used to develop a risk score
- Quantitative Risk Assessment - using organizational data to assign a numerical value to predict the probability of an incident
Which method you select depends on the availability of data and resources, as well as the complexity and level of detail with which the assessment will be carried out. It should be noted that conducting a truly quantitative assessment can be challenging because the statistical data needed to complete a quantitative analysis is often difficult to obtain.
As noted, the data you gather by establishing risk criteria and risk scoring will provide valuable insight into the current level of risk that employees are facing in a facility or when performing a particular task or process.
An organization’s level of risk tolerance depends on several factors including its objectives, culture, regulatory requirements and available technology, and it is crucial that stakeholders understand and agree on what is an acceptable risk level.
In some cases, organizations may adopt the as low as reasonably practicable (ALARP) model, which is defined in ANSI/ASSP Z590.3-2011(R2016) as “the level of risk which can be further lowered only by an increase in resource expenditures that are disproportionate in relation to resulting decrease in risk.” In other words, when a risk reduction measure will not be positive from a cost/benefit perspective, the risk level can be thought of as being “as low as reasonably practicable.”
This is the second in a series of articles that will guide you through the risk assessment process as explained in Addendum A of ANSI/ASSP Z590.3-2011 (R2016), Prevention Through Design Guidelines for Addressing Occupational Hazards and Risks in Design and Redesign Processes.
For further information and guidance on setting the scope and context of risk assessment, consult ANSI/ASSP/ISO 31000-2018, Risk Management - Guidelines and ANSI/ASSP Z690.3-2011, Risk Assessment Techniques.