Once you have gathered the data and set the scope for a risk assessment project, the process moves on to conducting the risk assessment itself. Risk assessment serves many purposes for an organization, including reducing operational risks, improving safety performance and achieving objectives.
While many individuals are involved in the process and many factors come into play, performing an effective risk assessment comes down to three core elements: risk identification, risk analysis and risk evaluation.
To effectively address the hazards and risks within a workplace, you must first properly identify them. When conducting risk identification, the ISO 31000-2018
standard recommends that safety professionals and stakeholders examine a wide variety of factors, including:
- Tangible and intangible sources of risk
- Threats and opportunities
- Causes and events
- Consequences and their impact on objectives
- Limitations of knowledge and reliability of information
- Vulnerabilities and capabilities
- Changes in external and internal context
- Indicators of emerging risks
- Time-related factors
- Biases, assumptions and beliefs of those involved
Focusing on these areas, a risk assessment team can then use several different methods to identify the hazards present in the workplace. One such method is a hazard identification (HAZID) study that offers a qualitative, structured technique for risk identification.
HAZID uses guide words and/or checklists to identify potential hazards, their causes and consequences. Along with its qualitative structure, HAZID can also include qualitative analysis to determine the potential severity of a particular hazard, as well as the likelihood of occurrence.
The risk assessment team can use tools such as risk assessment matrices and heat maps to compare and, therefore, prioritize hazards. These tools allow safety professionals to place risks into the matrix or map based on the likelihood and severity of a potential incident. From there, decision-makers can analyze each risk to determine the highest-level risks to address.
Working from the information gathered during risk identification, stakeholders can then begin to analyze the risk levels of certain hazards and prioritize actions based on existing controls, among other criteria.
Risk analysis involves a detailed consideration of uncertainties, hazards, consequences, likelihood, events, scenarios, controls and their effectiveness. An event can have multiple causes and consequences and can affect multiple objectives.
Earlier identified hazards with HAZID can be included in preliminary hazard analysis. In such an analysis, an assessor analyzes current conditions with existing controls and a potential future state with proposed additional controls. Tools such as risk assessment matrices and heat maps can be used to compare, and therefore, prioritize hazards. These tools allow safety professionals to place risks into the matrix or map based on the likelihood and severity of a potential incident.
From there, decision makers can then analyze each risk to determine the highest-level risks to address. The results from a preliminary hazard analysis can then be transferred to a more detailed approach such as a bow-tie risk assessment diagram for further evaluation to provide more in-depth information to decision makers.
In terms of finding acceptable solutions for a particular hazard, a layer of protection analysis (LOPA), studies whether existing or proposed barriers are able to achieve acceptable risk levels. When conducting a LOPA, safety professionals select hazards and consequences, and independent protection layers (IPLs) are identified for each hazard/consequence pair. IPLs are physical barriers such as engineering controls, design changes or warning devices designed to prevent the initiating cause proceeding to the unwanted consequence.
Taking this type of approach to risk analysis allows safety professionals to consider what additional IPLs could be installed to prevent a particular risk and calculate the impact that those controls would have on the severity and likelihood of an incident.
As the final step of risk assessment, risk evaluation calls on safety professionals to examine the results of the risk analysis and compare them to established risk criteria in order to determine where additional controls may be required and what those controls might be.
As noted, bow-tie risk analysis is a technique for risk evaluation that has gained traction in the safety profession because it provides a more holistic view of risk and paints a picture of a specific hazardous event. The bow-tie analysis is centered around a potential incident, examining its causes, the preventive controls in place, the mitigative controls if it were to occur and the consequences of the incident.
The benefit of a bow-tie analysis is the ability to better visualize a specific hazardous event, how it could occur, the consequences and how those consequences could be prevented or mitigated. Such an analysis does not, however, usually include a risk scoring mechanism, nor does it reflect the effectiveness of controls.
Regardless of the method, keep in mind that risk-based decision-making should take into account the wider context as well as the actual and perceived consequences to internal and external stakeholders.
Threaded throughout all steps of the risk assessment process is a fourth element, equally crucial to effective risk management – risk communication.
Safety professionals must keep in mind that they must communicate the risks identified, analyzed and evaluated during the assessment to all involved so that everyone has a comprehensive understanding of the existing risks and how they can best be prevented or mitigated to achieve organizational objectives.
Taking the steps outlined in this article enables all involved to have a comprehensive understanding of the hazards and risks that exist within facilities and processes, the consequences of the hazards present, and how those can be prevented or mitigated to protect workers’ health and safety.
ASSP's Risk Assessment and Management Courses and Events
Risk Assessments: Top 10 Pitfalls & Tips for Improvement
Rightsizing Risk Management for Small & Medium Enterprises
Risk & Crisis Communication: Essential Skills for Today’s SH&E Professional
Risk: Assessing & Mitigating to Deliver Sustainable Safety Performance
Communicating & Managing Risk: The Key Result of Risk Assessment
The Art of Assessing Risk: Selecting, Modifying & Combining Methods to Assess Operational Risks