Georgi Popov

Risk Assessment


Скачать книгу

control, or combination of related controls, can be expressed in qualitative, semiquantitative, or quantitative terms. The main focus of the control assessment should be on determining whether existing controls are adequate in reducing risk to an acceptable level, or whether improved control measures are needed.

      Methods for defining risk criteria can range from a single‐level dividing risks that require treatment from those that do not, to multiple levels of risk requiring graduated degrees of actions. Decisions on treating a risk will likely depend on the costs and benefits of risk and the costs and benefits of implementing improved controls. The “as low as reasonably practicable” or

Schematic illustration of the ALARP model.

      The established risk criteria and matrix are used to consider both the consequence and likelihood risk levels for each risk. The risk assessment matrix example provided in Table 3.1 is qualitative in nature with risks ranging from “High” to “Low”. In the example matrix, risks that fall in the “Low” category would most likely be considered acceptable by an organization, while those in the “Medium” category may be considered acceptable with some additional controls. Risks in the “Serious” category would require immediate action, and those in the “High” category are considered the highest risk and would be unacceptable to an organization, requiring immediate action to avoid or reduce the risk to acceptable levels. In each case, the criteria for severity of consequence and likelihood of occurrence will need to be customized and defined by the organization’s stakeholders.

      In Fred Manuele’s article “Acceptable Risk; Time for SH&E professionals to adopt the concept” published in Professional Safety, May 2010, he suggests that safety professional have yet to fully embraced the concept of “acceptable risk.” The fact is that there will always be some level of residual risk.

      It should also be mentioned that risk assessments are a process of continuous improvement. Risks that are estimated to be acceptable today may not be acceptable in the future. For example, as an organization’s operational risk management system matures, new technologies and more effective controls are incorporated through continuous improvement, reducing the organization’s ALOR. The term “acceptable” refers to a point in time and will not likely be true in the future as expectations rise and what is considered acceptable in terms of risk lowers. As the highest risks are treated and reduced, the next highest risks are addressed until all risks are reduced to an ALOR.

Schematic illustration of risk reduction hierarchy of controls.

      Source: Reprinted with permission from ANSI/ASSP Z590.3‐2011(R2016). Courtesy of the American Society of Safety Engineers.

      Successful risk assessment processes are dependent on effective communication among stakeholders prior to, during, and after the process. Without proper communication, severe consequences can occur. Take for instance, the NASA’s Space Shuttle Columbia explosion which occurred on 1 February 2003 claiming seven lives. The investigation that followed determined that a significant root cause to the incident was a lack of effective communication of critical safety information. The Synopsis of the Report of the Columbia Accident Investigation Board concluded that organizational causes including lack of communication contributed to the incident. “Cultural traits and organizational practices detrimental to safety were allowed to develop, including: reliance on past success as a substitute for sound engineering practices…, organizational barriers that prevented effective communication of critical safety information and stifled professional differences of opinion; lack of integrated management across program elements; and the evolution of an informal chain of command and decision‐making processes that operated outside the organization’s rules. (p. 9)”

      Communication is a provision of both ANSI/ASSP/ISO 31010 and ANSI Z590.3, and is also required by virtually all of the national and international risk management, and safety management standards such as ANSI/ASIS/RIMS RA.1, Risk Assessment, ANSI/ASSP/ISO 45001, ANSI/ASSP Z10.0, as well as the OSHA VPP. In spite of guidance provided, ineffective communication continues to be a leading cause to poor outcomes such as FSI.

      As with many other functions in organizations, it should be made a priority to communicate effectively when performing risk assessments. Those involved in the risk assessments should think about who could help them do the risk assessment more effectively. For example, they could ask others within their own departments for input. Alternatively, they