Following on from my previous post on what I see as problems with many risk assessment…
Most businesses I audit use a two-factor risk assessment process, multiplying a severity rating of a consequence by the probability it will happen to reach a value of risk. Whilst many schemes assign numbers to the two factors, it’s still a qualitative (or subjective) process – the numbers are no more than a ranking.
The severity side of the equation is relatively easy to assess and assign a code, often a scale of injuries running from first aid to one or more fatalities or major disabilities. The table used may also include a range of environmental or business severity descriptions – good if it isn’t used to try and make comparisons between, say, injuries and cost. The probability side usually does something similar, with probability descriptions using terms such as “unlikely”, “possible”, “likely”, “very likely”, “extremely likely”, “almost certain” – the list goes on, and users are expected to pick one from a list of maybe five. The guidance usually implies there is a right answer. But with any qualitative assessment of risk (that is, one without precise data such as incident statistics) it is purely a judgement call – a best guess.
So why do I refer to steak in the title? Think how people order a steak in a restaurant (with apologies to any vegetarians reading this) – most often with five bands from “rare”, through “medium-rare”, “medium” and “medium-well” to “well-done”. They’re not precise bands, nor determined by any formally agreed standard, yet most people involved in ordering, preparing and eating manage to agree (most of the time – I’ll admit there are occasions when a steak has to go back).
Why not adopt a similar process for assessing probability during risk assessments? Let’s walk it through:
Is the probability low, medium or high? Most folk who understand the work well enough to be assessing the risk should be able to assess that. If it’s low, consider whether it’s as low as it could be or whether medium-low would be a more comfortable choice; if high, consider if it’s as high as it could be… I think you get the idea. It’s very subjective, neither scientific nor precise, but most people should usually come to a similar conclusion (at least within one grading); if the rest of the risk management system is robust, such differences should not have a significant impact on its effectiveness.
This approach removes the difficulty of comparing definitions to pick just one. It emphasises the fact that it’s subjective and, perhaps most importantly, I think it reminds users that the way to manage the hazard consequences (if the hazard can’t be removed) is to make them less likely to happen.
And this approach need not be limited to health and safety risks. Many other business risks don’t have reliable probability data so isn’t it better to recognise the uncertainty and not kid ourselves we know more than we do?