While data gathering provides the foundation for risk management, setting the focus allows for a more organized process and conducting a risk assessment offers guidance on reducing operational risk, it is in the risk treatment phase where the organization decides how it will address those risks.
Risk treatment is an iterative process wherein safety professionals and other stakeholders formulate and select options to reduce the risk, assess their effectiveness, determine if they will achieve an acceptable level of risk and plan for implementation of those options. Here are three suggested steps to effectively identifying and implementing risk treatments.
1. Identify the Best Treatments
Determining the most appropriate risk management solution(s) involves balancing the potential benefits of a treatment plan against organizational objectives, costs, efforts and available resources.
The review process needs to consider risk treatments for each hazard and risk scenario identified. During this process, you need to gather input from a variety of stakeholders to be sure the benefit and any unintended consequence of each potential treatment is discussed and well understood before being accepted.
It’s important to keep in mind that while many risk treatments are possible, they are not necessarily mutually exclusive and a particular solution may not be appropriate in all circumstances. As a starting point, consider the following options:
- Avoid the risk
- Eliminate the risk
- Reduce the likelihood of occurrence
- Reduce the consequences
- Share or transfer the risk (e.g., contracts, buying insurance)
- Implement a combination of options
- Discontinue the activity that presents the risk
- Accept the risk by informed decision
Risk treatment selection should always be linked to the concept of the hierarchy of controls to reduce risk to an acceptable level. Hazard and risk control measures vary in their degree of risk reduction, effectiveness and reliability. The hierarchy of controls (HoC) concept is structured with the most effective and reliable risk reduction options at top, descending to the least preferred option.
The hierarchy model generally starts with avoidance of risk, followed by elimination of risk, and then substitution of risk. From there, residual risks are controlled using engineering controls, warning systems, administrative controls, and personal protective equipment.
This framework can help stakeholders determine which treatment(s) are most feasible, advance organizational objectives and help achieve an acceptable level of risk. Stakeholders need to remember that while cost is a consideration, the selection criteria of a particular treatment needs to consider more than costs alone. The objective should be to maximize overall risk reduction and the cost-benefit of each option. Often, neither the least expensive nor the most expensive option is optimal for reducing the overall risk. It’s also possible that no treatment option can sufficiently reduce the risk. If this occurs, the risk should be recorded and kept under ongoing review.
2. Assess the Effect of Implementing Controls
With all of this in mind, how can safety professionals and stakeholders determine which are the best risk treatment options and assess what impact those treatments will have on both safety and business performance? By conducting different analyses of the business operation, all involved can gain a greater understanding of the current state and the implications of instituting different controls.
- Business Impact Analysis (BIA). A BIA provides insights on the consequences of disruption of an organization’s processes and identifies the information needed to develop future state preventive and/or mitigative strategies. This type of analysis determines the impact of negative OSH consequences on key business processes. The overall goal is to identify the costs linked to OSH failures.
- Cost-Benefit Analysis (CBA). A CBA takes into consideration the total expected monetary costs of certain options in order to choose the control that will be the most effective or the most profitable. This should include any direct and indirect costs associated with a particular option. This type of analysis provides guidance as organizations weigh different options for risk treatment to determine which will have the most positive impacts on the operation as whole.
- Financial Analysis. Different from a BIA or a CBA, a financial analysis assigns a monetary value to all direct and indirect costs in the current operation. This type of analysis examines cash flow, net present value (value of inflows versus value of outflows), internal rate of return (potential profitability of investments), return on investment and payback period (amount of time required to recover the amount invested). It is important for safety professionals to examine and understand how risk controls will affect the organization financially in order to make the case for those controls to their executives.
- Non-Financial Benefits Analysis. The advantages of risk controls go beyond their impact on the bottom line. A non-financial benefits analysis examines the factors that may not be able to be quantified, yet are still important. . These can include improved corporate reputation, customer satisfaction and business sustainability. Accounting for these factors alongside the financial benefits can strengthen the case for safety interventions.
- Multi-Criteria Analysis. While the other analyses focus on the impact of a particular risk treatment option or pair of options, a multi-criteria analysis examines the potential performance of a set of options. The intent is to score and rank each option to determine which will be the most preferable treatment.
3. Prepare and Implement Risk Treatment
After completing the review of potential controls and their expected impact, it’s not enough to select a risk treatment option and leave it at that. You have to properly implement and maintain it to achieve optimal effectiveness. A risk treatment plan specifies how your organization will implement treatments to ensure understanding and to monitor effectiveness. The plan should be integrated into existing management systems and processes (e.g., maintenance planning, operating procedures) to make the implementation as seamless as possible. Managing risk should be considered a normal way of doing business and not considered an “add-on” or extra burden to manage.
A risk treatment plan should specify:
- The reasoning behind the selection of treatment options and the anticipated benefits
- Those accountable and responsible for the plan’s approval and implementation
- Resources required, including contingencies
- Proposed actions
- Performance measures
- Required reporting and monitoring
- When actions will commence and be completed
Whichever treatments your organization selects, be sure to communicate that decision to all involved so that they understand the reasoning and how the treatments will be implemented and monitored moving forward. Be sure to acknowledge that a treatment may not produce the expected outcomes as designed or that its effectiveness can degrade over time if not properly monitored and maintained.
In all situations, monitor and review outcomes to ensure that treatments are effective and remain so over time. Doing so enables you to use data to determine adjustments or additional treatments needed to achieve acceptable risk.
This is the fourth in a series of articles that guides you through the risk assessment and risk management process presented in ANSI/ASSP/ISO 31000-2018, Risk Management – Guidelines. Learn more about risk assessment and risk management in Part 1, Part 2 and Part 3 of this series.
Risk Management Tools for Safety Professionals
The Art of Assessing Risk: Selecting, Modifying & Combining Methods to Assess Operational Risks
Residual Risk Reduction: Systematically deciding what is "safe"
Enterprise Risk Assessments: Holistic Approach Provides Companywide Perspective
Communicating & Managing Risk: The Key Result of Risk Assessment