Apologies for encroaching into what might be seen as the HSE (health, safety and environment) discipline but I want to list some of the areas I frequently see needing consideration in task risk assessment procedures. This is certainly not a primer on risk assessment and I’m only focusing on the commonly used qualitative two factor (Severity x Probability = Risk) approach. These are personal views and I don’t claim they’re universally applicable; I expect everyone will be able to offer exceptions and these points are only suggestions for consideration:
- Risk assessment reports frequently list all the controls used to manage the particular hazard – aspects that are part of the organisation’s normal operation, which may include: the requirement for personnel to be trained, references to standard PPE, or compliance with standard procedures. The implication is that, without the risk assessment being documented (and read out at the toolbox talk), people won’t be trained, etc. It’s fine to list the main controls but this list can occupy most of the resulting report and mask any new or extra controls being identified. If there is a need to list the existing controls, keep them separate from any new ones. Start an assessment from where you are, not from where you used to be (management-wise).
- When describing new or additional control measures, be specific. For example, try not to use terms like “Wear appropriate PPE” – if there is a need for specific PPE, say what it is and don’t leave it to the people carrying out the task to decide for themselves (unless, for example, you have specific guidance on selection).
- When considering the effect of a control measure it’s almost always to reduce the probability of the hazard consequence, not its severity. I accept that some controls might reduce severity but these are the exception and it is usually better to assume the potential severity remains constant (unless the hazard is removed, of course, when its probability becomes zero).
- Avoid the tendency to always assume the worst; if there are several consequences with significantly different probabilities, assess them separately – don’t match the worst severity with the highest probability.
- Action tables, where the resultant risks are assessed as (typically) high, medium or low, should be realistic. If a “high” risk is not tolerable (i.e. work should stop or not commence), make sure it doesn’t result in risks having to be underestimated. If a fatality is not acceptable, no matter how low the probability, you’re unlikely to get much work done – how can staff drive to work, for example? Ensure the actions are practical – otherwise risk assessment will turn into a paper exercise with no real benefit.
- Assigning arbitrary numbers does not make the process quantitative. In most cases, the assessment of severity or probability will be an educated guess (especially for probability – and I’ve something more to say on that in another post). Recognise that it’s not precise and don’t tie yourself in knots trying to be exact. A good scheme should be able to accommodate different (but competent) people coming to different conclusions. The aim is to identify the hazards and their consequences – and to manage risk to an acceptable level. This should, under UK law, be ALARP (al low as reasonably practical) – that doesn’t mean the work has to be safe, just as safe as a “reasonable person” would consider acceptable. The risk assessment process is a tool, not the objective.
Not an exhaustive list, nor points everyone will agree with. Risk assessment is a serious business and needs far more consideration and thought than can be put into a short blog post. Done correctly, it will save lives; at worst, a poor system will lead to a false sense of security and safety and can cost lives. When properly applied to the whole business (and not just as a health and safety tool) it can maximise the effective use of resources, minimise the likelihood of failure and grow the economy. This is just my $0.02 worth in one area!