
EH&S Risk Management

by Matt Noth

Introduction
In a typical company, the role of risk management is to identify and evaluate the risks
faced by the organization across multiple disciplines, to communicate these risks to senior
management (and possibly the board of directors and other stakeholders), and to monitor
and manage those risks in a way that ensures the organization bears only the risks to which
its management and board want exposure.
Effective risk management does not provide a guarantee against failure. Risk management
failures can result from using a risk metric that answers the wrong questions.1 But for
businesses to grow and to survive, organizations must take risks that are compatible with
their risk appetites.
Successful organizations manage risk well, while those that don't suffer. As a case in point,
consider the 2008 sugar dust explosions at the Imperial Sugar Manufacturing facility in
Port Wentworth, Georgia, USA, where equipment designs, housekeeping and operational
practices, and emergency response procedures (evacuation plans) were all contributors
to the tragedy. A well-administered risk management plan is essential in order for
organizations to reduce their EH&S and operational risks.

ABOUT MATT NOTH
Matt Noth, Environmental Sales Specialist with SAI Global, has 15 years' experience in engineering
and EH&S compliance management enabling him to provide guidance to organizations trying to
bridge a gap between federal, state, and local regulatory obligations and their organization's business
requirements. Matt holds a B.S. Mechanical Engineering from University of Texas at Austin and an
M.S. Environmental Management from Samford University.

www.saiglobal.com/compliance

AUDITS AND SELF INSPECTIONS


An EH&S risk management program starts with identifying the possible risks associated with
a particular job activity or operational decision. The following should be considered during the
risk evaluation:2
What are the risks?
Who is at the highest risk?
What stakeholders are at risk?
Are the risks predictable?
Are the risks preventable?

The last question, "Are the risks preventable?", forms the basis of the mitigation plan. In
order to determine if the risk is preventable, the root cause of each risk has to be determined.
Once the root cause is established, the probability of occurrence can be calculated and the
risk interpreted for severity, frequency, or duration. Following interpretation, the next phase,
designing and implementing the abatement plan, can be started. At this point, a Management
of Change process may also be incorporated to help implement the risk mitigation.
To effectively manage any risk, it is necessary to identify hazards, assess the possible
risks, and apply the most appropriate controls. Risk assessments form the basis of
controlling hazards.3 They should be seen as an important tool in ensuring that your
activities don't present unacceptable risks and that the controls you implement are
effective.
Risk assessment involves the integration of threat, vulnerability, and consequence
information. Risk management involves deciding the protective measures to take based on
an agreed upon risk reduction strategy. Many models/methodologies should be developed so that threats,
vulnerabilities, and risks are integrated into the risk management program. These methods
can then be used to determine the cost-effective allocation of resources to reduce identified
risks. For the most part, these methodologies consist of the following elements performed,
more or less, in the following order.4
Identify risks and prioritize those that are most critical
Identify, characterize, and assess threats and possible consequences
Assess the vulnerability of critical assets to specific threats
Determine the risk (i.e. the expected consequences)
Identify ways to reduce those risks
Prioritize risk reduction measures based on a strategy and needs


RISK IDENTIFICATION
The organization should identify sources of risk, areas of impacts, events (including changes
in circumstances) and their causes and potential consequences. The risk identification
activity itself focuses on identifying and classifying the risks into a class or family type,
estimating the likelihood, potential consequences, and timing.5
An environmental, industrial health and safety hazard / risk includes anything with the
potential to cause harm to life, health or property. These, including work practices and
procedures, are the primary cause of health and safety problems in a workplace, and can be
identified in a number of ways including:6
Undertaking workplace inspections / audits
Reviewing injury and incident data, including near-misses
Investigating complaints and incidents
Conducting safety audits
Monitoring the work environment
Observing work practices
Consulting with staff (and in some cases clients and visitors)
Responding to information contained on Hazard Report Forms
Equipment manuals
Material Safety Data Sheets

RISK ASSESSMENT
An EH&S risk assessment is the careful examination of what, in or as a result of an
organization's operations and daily business functions, can cause harm to employees and
the environment. The assessment is used to identify hazards and determine controls that are
both precautionary and prevent harm.7
An EH&S risk management program starts with identifying the possible risks (and benefits)
associated with a product or with a process used to develop, manufacture, and distribute the
product. The following questions should be asked at each stage of the product's life cycle:8
What are the safety and environmental risks?
Who and what is at the highest risk?
What populations / ecosystems are at risk?
Are the risks predictable?
Are the risks preventable?

Hazard assessments form the basis of controlling hazards. They should be seen as important
tools in ensuring that an organization's activities don't present risks and that the controls
implemented are appropriate.9


Risk assessment is defined by the ISO / IEC Guide 73 as the overall process of risk analysis
and risk evaluation.10 The methods that can be used for this process of assessment can be
found in this standard.

RISK ANALYSIS
Risk analysis involves developing an understanding of the risk so that the organization can
determine whether the identified risks need to be treated and, if so, the strategies and
methods to use.
Risk analysis methods and techniques include: 11

SWOT Analysis
Event Tree Analysis
Threat Analysis
Fault Tree Analysis
Failure Mode and Effect Analysis

Other methods and techniques are available and many of the most commonly used are
described in the ISO / IEC Guide 73 document.

RISK EVALUATION
Risk evaluation is the decision-making process of
determining which risks and threats need treatment
and how they are to be prioritized. It typically involves
comparing the level of risk found during the analysis
process with risk criteria established when the context
was considered. Based on this comparison, the need for
treatment can be considered. 12

RISK TREATMENT
When the risk analysis and evaluation processes have been completed, it is necessary to
compare the estimated risks against risk criteria which the organization has established.
The risk criteria may include associated costs and benefits, legal requirements,
socioeconomic and environmental factors, concerns of stakeholders, etc. Risk evaluation,
therefore, is used to make decisions about the significance of risks to the organization and
whether each specific risk should be accepted or treated.10
Risk treatment is the process of selecting the best risk abatement methods and
implementing them. This includes continual review of the effectiveness of the new or
modified controls implemented and what, if any, residual risks need to be addressed.12
Risk treatment involves a cyclical process of:
Assessing the risk treatment(s) for an identified risk
Deciding whether residual risk levels are tolerable
Assessing the effectiveness of that treatment


PROGRAM MONITORING & REVIEW


Effective risk management requires a reporting and review structure to ensure that risks are
effectively identified and assessed and that appropriate controls and responses are in place. Regular
audits of policy and standards compliance should be carried out and standards performance reviewed
to identify opportunities for improvement.10

BENEFITS OF RISK MANAGEMENT


Benefits of EH&S risk management which many organizations have realized include:13
Lower / fewer risks (Operational, EH&S, Business, etc.)
Reduced potential liabilities
Improved EH&S performance
Enhanced EH&S legal compliance
Lower EH&S and insurance costs
Enhanced management awareness
Safer products
ISO 14000 / 31000 and OHSAS 18001 Compliance (whether in-house or customer driven)
Satisfaction of stakeholder expectations
New customer opportunities

CITATIONS / REFERENCES
1. Risk Management Failures: What Are They and When Do They Happen?; Rene M. Stulz; Cornerstone Research

2. Risk Management Programs for the Pharmaceutical Industry; Edward Griffith

3. Managing Health and Safety Risk; University Newcastle Australia; 2012

4. Risk Management and Critical Infrastructure Protection: Assessing, Integrating, and Managing Threats, Vulnerabilities,
and Consequences; Congressional Research Service - The Library of Congress; September 2, 2004

5. The Risks with Risk Identification; Robert N. Charette; ITABHI Corporation; 1996

6. Policy on Occupational Health and Safety Risk Management; The Northcott Society; 2007

7. Five steps to risk assessment; Health and Safety Executive; June 2011

8. Risk Management Programs for the Pharmaceutical Industry; Edward Griffith; 2004

9. Managing Health and Safety Risk; University Newcastle Australia; 2012

10. A Risk Management Standard; AIRMIC, ALARM, IRM; 2002

11. ISO / IEC Guide 73:2009; Risk Management Vocabulary; 2009

12. ISO 31000:2009; Risk Management Principles and Guidelines; 2009

13. EHS Risk Management; Carl Wirdak, Occidental Petroleum Corporation; October 2001

USA (info.americas@saiglobal.com)
Houston, TX: T: +1 713 954 4970, F: +1 713 954 4980
Plainsboro, NJ: T: +1 (877) 470-SAIG [7244], F: +1 609 924 9207
Waltham, MA: T: +1 781 891 9700, F: +1 781 891 9701
Alpharetta, GA: T: +1 678 992 0262, F: +1 678 992 0266

Europe (info.emea@saiglobal.com)
Warwickshire, UK: T: +44 (0) 1926 523149, F: +44 (0) 1926 523130

Australia (info.asiapac@saiglobal.com)
Sydney: T: +61 2 8206 6060, F: +61 2 8206 6019
Melbourne: T: +61 3 9278 1555, F: +61 3 9278 1556
Perth: T: +61 8 9444 2777, F: +61 8 9444 2477

Asia (info.asiapac@saiglobal.com)
Jakarta: T: +62 21 720 6460

About SAI Global


The SAI Global Cintellate EH&S Software Suite supports solutions for environmental management,
health & safety management, risk management and compliance management. With a global client
base, our software is robust, scalable and extremely flexible. Configurable in multiple languages, it
interfaces with other business software, facilitating reporting across business silos to give visibility
across business operations. Request a demonstration and find out how you can turn information into
actionable knowledge. For more information, please call us at the full service location nearest you or
visit:
www.saiglobal.com/compliance

2012 SAI Global Ltd. The SAI Global name and logo and Cintellate name are trademarks of SAI Global Ltd. RSKMWP1204a

All Rights Reserved.