control, or combination of related controls, can be expressed in qualitative, semiquantitative, or quantitative terms. The main focus of the control assessment should be on determining whether existing controls are adequate in reducing risk to an acceptable level, or whether improved control measures are needed.
3.11 Risk Evaluation
Risk evaluation involves comparing the estimated risk levels with the defined risk criteria to determine the significance of the level and type of risk. It is based on the combination of estimated consequences and likelihood and uses information from the hazard/risk identification and risk analysis phases to make recommendations for decision makers. These decisions may include implementing further controls, other forms of risk treatment, or avoiding the hazard or operation all together. Additional inputs to the decision‐making process include legal, financial, ethical, and other considerations. This process may also be used to prioritize possible actions should more than one possible action be feasible.
Methods for defining risk criteria can range from a single‐level dividing risks that require treatment from those that do not, to multiple levels of risk requiring graduated degrees of actions. Decisions on treating a risk will likely depend on the costs and benefits of risk and the costs and benefits of implementing improved controls. The “as low as reasonably practicable” or
ALARP criteria are used to determine when the cost of further reduction is disproportionate to the benefits gained in risk reduction and safety. Figure 3.5 provides an illustration of the ALARP principle.
Figure 3.5 The ALARP model.
The established risk criteria and matrix are used to consider both the consequence and likelihood risk levels for each risk. The risk assessment matrix example provided in Table 3.1 is qualitative in nature with risks ranging from “High” to “Low”. In the example matrix, risks that fall in the “Low” category would most likely be considered acceptable by an organization, while those in the “Medium” category may be considered acceptable with some additional controls. Risks in the “Serious” category would require immediate action, and those in the “High” category are considered the highest risk and would be unacceptable to an organization, requiring immediate action to avoid or reduce the risk to acceptable levels. In each case, the criteria for severity of consequence and likelihood of occurrence will need to be customized and defined by the organization’s stakeholders.
In Fred Manuele’s article “Acceptable Risk; Time for SH&E professionals to adopt the concept” published in Professional Safety, May 2010, he suggests that safety professional have yet to fully embraced the concept of “acceptable risk.” The fact is that there will always be some level of residual risk.
The ultimate goal is to reduce the risk of the hazard or operation to an acceptable level so as to feel confident in engaging in the activity. This may be accomplished though the implementation of additional or better controls according to the Hierarchy of Controls concept mentioned throughout this book, or it may involve other forms of risk treatment. Avoiding the risk by deciding not to engage in the hazard is always an option if the risk of engaging in it cannot be reduced to an acceptable level. A personal example might include a homeowner that decides not to clean their gutters because it is too dangerous or risky to work at heights. Instead, they hire a contractor who has better equipment and is better trained to perform the work. The homeowner decided the risk was not acceptable, so they avoided it by having a contractor perform the work.
It should also be mentioned that risk assessments are a process of continuous improvement. Risks that are estimated to be acceptable today may not be acceptable in the future. For example, as an organization’s operational risk management system matures, new technologies and more effective controls are incorporated through continuous improvement, reducing the organization’s ALOR. The term “acceptable” refers to a point in time and will not likely be true in the future as expectations rise and what is considered acceptable in terms of risk lowers. As the highest risks are treated and reduced, the next highest risks are addressed until all risks are reduced to an ALOR.
3.12 Risk Treatment
Risk treatment is the process of modifying risk. As mentioned previously, risks that are judged unacceptable to an organization must be “treated” to reduce risk through the use of risk controls. Risk treatment generally involves the selection and implementation of one or more risk‐control measures or enhancements to existing controls. The risk treatment process involves: (i) the assessment of a risk treatment; (ii) determining if residual risk levels are tolerable; (iii) selecting new risk treatments for those residual risks that are not acceptable; (iv) and assessing the effectiveness of any new control measure. Selection of control options should be made using the Hierarchy of Controls model. Figure 3.6 illustrates the Hierarchy of Controls model reprinted with permission from ANSI/ASSP Z590.3.
Figure 3.6 Risk reduction hierarchy of controls.
Source: Reprinted with permission from ANSI/ASSP Z590.3‐2011(R2016). Courtesy of the American Society of Safety Engineers.
As indicated in ANSI/ASSP/ISO 31000, risk treatment options are not always mutually exclusive or appropriate for all situations. Treatment options include: (i) avoiding the risk by deciding not to start or continue with the activity that gives rise to the risk; (ii) removing the risk source; (iii) changing the likelihood; (iv) changing the consequences; (v) sharing the risk with another party such as insurance contracts and risk financing; and (vi) retaining the risk by informed decision.
3.13 Communication
Successful risk assessment processes are dependent on effective communication among stakeholders prior to, during, and after the process. Without proper communication, severe consequences can occur. Take for instance, the NASA’s Space Shuttle Columbia explosion which occurred on 1 February 2003 claiming seven lives. The investigation that followed determined that a significant root cause to the incident was a lack of effective communication of critical safety information. The Synopsis of the Report of the Columbia Accident Investigation Board concluded that organizational causes including lack of communication contributed to the incident. “Cultural traits and organizational practices detrimental to safety were allowed to develop, including: reliance on past success as a substitute for sound engineering practices…, organizational barriers that prevented effective communication of critical safety information and stifled professional differences of opinion; lack of integrated management across program elements; and the evolution of an informal chain of command and decision‐making processes that operated outside the organization’s rules. (p. 9)”
Communication is a provision of both ANSI/ASSP/ISO 31010 and ANSI Z590.3, and is also required by virtually all of the national and international risk management, and safety management standards such as ANSI/ASIS/RIMS RA.1, Risk Assessment, ANSI/ASSP/ISO 45001, ANSI/ASSP Z10.0, as well as the OSHA VPP. In spite of guidance provided, ineffective communication continues to be a leading cause to poor outcomes such as FSI.
As with many other functions in organizations, it should be made a priority to communicate effectively when performing risk assessments. Those involved in the risk assessments should think about who could help them do the risk assessment more effectively. For example, they could ask others within their own departments for input. Alternatively, they