Risk Assessment and Management

Every safety professional should be familiar with the risk management process.
After all, managing risks is one of the primary functions of the safety professional.
Risk management can be defined as the identification, assessment, and
prioritization of risks followed by coordinated and economical application of
resources to minimize, monitor, and control the probability and impact of
unfortunate events or to maximize the realization of opportunities. Risks to a
company can come from a wide variety of sources, including financial, natural
disasters, intentional acts by employees or outside personnel, employee injuries, and
others. Risks from employee injuries will be the primary focus of this chapter.
There are a wide variety of specific methods used in risk management depending on
the type of industry or service where the risk is being assessed. However, in this
chapter, the five basic steps of risk management are discussed. Examples are
provided to illustrate both quantitative and qualitative assessments.

Definitions
 Risk: The chance or probability of occurrence of an injury, loss, or a
hazard or potential hazard.
 Risk assessment: The process of assessing the risks associated with each
identified hazard, in order to make decisions and implement appropriate
control measures to prevent the hazard from occurring.
 Hazard: A condition with the potential to cause injury, illness, or death
of personnel; damage to or loss of equipment or property; or mission
degradation.
 Hazard identification: The process of examining each work area to
identify the hazards associated with each job or task.
 Probability: The likelihood that a given event will occur.
 Severity: The degree of undesired consequences.
Risk Management Process
In this chapter, the risk management process in terms of five basic steps
Each of these steps is discussed in more detail within the scope of this chapter.

Hazard Identification
As mentioned previously, a hazard is an actual or potential condition, situation, or
event that can result in injury, illness, or death of personnel. In addition, a hazard
can result in damage, loss, or destruction of equipment or a serious degradation of
capabilities or total failure of the project or mission. Hazards are found in all
environments and in all situations. Hazards are identified through experience,
historical data, intuitive analysis, judgment, standards, brainstorming, and a large
variety of other means and methods. Hazard identification is, without a doubt, the
most important step, in the risk management process. It must also be noted that
hazard identification is

Hazard
identification

Assessment
Supervise and Assessment of
reevaluate hazards

Management

Controls
Implement developed
controls and decisions
made

FIGURE
Risk management process.
a continuous process and should be repeated throughout the work period. The
specific method of hazard identification will change from site to site and from task
to task. However, the basic process to systematically identify hazards in the
workplace includes the following:

• Identify specific work areas;

• Review previous documents or data involved in the operation to determine
if prior injuries or accidents have occurred as a result of this task;
• Conduct an onsite, visual inspection of the work area;
• Determine the individual job tasks of individuals;
• Break the individual job tasks into steps;
• Analyze each job task, and identify the hazards or potential hazards
involved in performing these tasks.

An important step, often overlooked, is to get the employee performing the actual
work involved in the hazard identification process. No one knows more about the
job task being performed than the employee performing the work. Useful
information that may save lives or prevent property and equipment damage can be
obtained.

Hazard Assessment
Once all known hazards have been identified, they must be assessed in terms of
their probability and severity to determine the risk level of one or more of the
hazardous incidents that can result from exposure to the hazard. In this step of the
process, the hazards are assessed individually. This process is systematic in nature
and uses charts, codes, and numbers to present a methodology to assess probability
and severity to obtain a standardized risk level. The charts and graphs presented in
this chapter are only included to illustrate the risk management process and uses.
They can be modified to fit your individual needs. The incident must be credible in
that it must have a reason- able expectation of happening. The end result is an
estimate of risk from each hazard and an estimate of the overall risk to the job task or
project caused by hazards that cannot be eliminated.1
Two major components in the hazard assessment step are the probability of the
hazard occurring and the severity of the hazard. As we have mentioned in this
chapter, probability is defined as the likelihood that a given event or incident will
occur. The incident must be credible in that it must have a reasonable expectation of
happening. The end result is an estimate of risk from each hazard and an estimate
of the overall risk to the job task or project caused by hazards that cannot be
eliminated.1 Severity, for our purposes, can be defined as the degree of undesired
consequences.
Probability
Probability is the likelihood of an event actually occurring. This is a subjective
estimate of the probability, given the information that you know. The probability
levels estimated for each hazard are based on the job or project being performed at
the time. There are five levels of probability that we will use in our assessment of
the hazards. They include the following ratings: frequent, likely, occasional,
seldom, and unlikely.

Severity
Severity is expressed in terms of the degree to which an incident will affect the
safety and health of employees or the project being performed. The degree of
severity is somewhat subjective but is estimated for each hazard based on the
knowledge of results from similar past events.
As mentioned previously in this section, the end result is an estimate of risk from
each hazard and an estimate of the overall risk to the job task or project caused by
hazards that cannot be eliminated.
Once all hazards have been identified and a risk assessment has been per- formed
on each hazard, the highest level of risk will determine the overall risk assessment.
Executive management should determine the level of risk the company should
assume. For example, the decision to proceed with the project or task for a low-risk
project/task can be made by a line supervisor, whereas an extremely high-risk
decision is to be made by the chief executive

Risk Assessment Scenario

Using the following scenario, we will perform a risk assessment. Company XYZ
has been contracted to provide industrial cleaning services, which involve the high-
pressure water jetting of tube bundles within a condenser. The process involves
project mobilization, project setup, performance of high-pressure water jetting,
project cleanup, and demobilization. We will look at some of the major hazards
associated with this project for illustration

Qualitative Analysis
On the basis of the initial assessment, the highest rating in each category resulted in
this project being an extremely high rating. One of the things to remember with
regard to a simplified risk assessment rating system is that the rater determines the
rating. No two raters will rate each category the same. For example, one rater may
determine that the probability of occurrence is “frequent,” while another may rate it
as “likely” or “occasional.” Neither one would be wrong, if they based their
decisions on the criteria listed previously. More in-depth methods may attempt to
quantify each method to reduce the variations in assessments. As you can see from
the above assessment, most projects will have one or more of the hazards listed as
an “extremely high risk.” If this were the case, most managers would not attempt to
assume that level of risk, which means that little or no work would ever be
accomplished. Therefore, Step 3 in the process is intended to reduce the level of
risk, by implementing controls and making decisions.
Quantitative Analysis
Another method frequently used to assess hazards is through quantitative analysis.
The following is an example of such an analysis. Numerical values are placed on
variables, such as the likelihood of occurrence, frequency of exposure, degree of
potential harm, and the number of persons at risk.

Controls Development and Decision Making

As mentioned in the previous step, most projects or tasks have at least one step that
has an extremely high risk, which is unacceptable to most every- one. Therefore, in
this phase of the risk management process, it is necessary to develop controls to
reduce the level of risk posed by the hazards. After assessing each hazard,
supervisors and managers develop one or more controls that either eliminate the
hazard or reduce the risk of a hazardous incident. When developing controls, the
supervisors or managers consider the reason for the hazard, not just the hazard
itself.

Types of Controls
The types of controls can take many forms, but fall into three main categories:
educational controls, physical controls, and avoidance.
 • Educational controls: These controls are based on the knowledge and
skills of the employees or individuals performing the task. Effective
control is implemented through individual and collective training that
ensures performance to a standard.
• Physical controls: These controls may take the form of barriers and guards
or signs to warn employees and others that a hazard exists. Additionally,
special controller or supervisory personnel responsible for locating
specific hazards fall into this category.
• Avoidance: These controls are applied when supervisors and man- agers
take positive action to prevent contact or exposure with the identified
hazard.

Criteria for Controls

To be effective, each control developed must meet the following criteria:

• Support. Availability of adequate personnel, equipment, supplies, and

facilities necessary to implement suitable controls.
• Standards. Guidance and procedures for implementing a control are clear,
practical, and specific.
• Training. Knowledge and skills are adequate to implement a control.
• Leadership. Supervisors and managers are competent to implement a
control.
• Individual. Individual employees are sufficiently self-disciplined to
implement a control measure.2
Some examples of control measures include the following:
1. Engineering or designing to eliminate or control hazards;
2. Avoidance of identified hazards;
3. Limiting the number of personnel and the amount of time they are exposed
to hazards;
4. Providing protective clothing, equipment, and safety devices;
5. Providing warning signs and signals.
A key element in developing and implementing control measures is to specify who,
what, when, where, and how each control is to be used. Taking the scenario above
under the “Controls Development and Decision Making” section, we will continue
to expand upon the work sheet to illustrate the development of controls.
As you can see in Table 24.5, after controls have been developed, the hazards and,
subsequently, the risks associated with this project or task have been reduced to a
moderate risk. This level of risk is acceptable to most man- agers and supervisors.
Once the control measures have been accepted, the responsible level of authority
determines the overall residual risk. The residual risk is defined as the risk
remaining after controls have been selected for the hazards.2

Decision Making
A key element of the risk decision is determining if the risk is justified. The
supervisor or manager responsible for the project must compare and balance the
risk against the benefits. If the residual levels are too high, then the senior
supervisor or manager on the project may elect to do one of the following:
• Add additional control measures to further reduce the risks;
• Limit the scope of work, which eliminates the high-risk tasks;
• Make the decision to discontinue the project.

Implement Controls
Managers and supervisors must ensure that controls are integrated into the standard
operating procedures, written and verbal instructions, and toolbox talks prior to the
beginning of the project or task. The critical check for this step, with oversight, is to
ensure that controls are converted into clear, simple instructions understood at all
levels. Implementing controls includes coordination and communication with
appropriate superiors and employees.

Supervise and Evaluate

During project or task preparation, managers and supervisors must ensure that
employees understand how to execute the risk controls. In addition, the manager or
supervisor of the project or task must continually assess the risks during the
operational phase of the project. Methods to supervise and evaluate the effectiveness
of control measures include spot checks, inspections, daily reports, and close, direct
supervision. After the project or task has been completed, it is recommended that a
post-project evaluation, which includes all employees on the project, be conducted.
The results of this post-project evaluation, and any changes, should be maintained
in the project file, for future use.

Key Information to Remember on Risk Assessment

and Management
1. Risk is defined as the chance or probability of occurrence of an injury,
loss, or a hazard or potential hazard.
2. Risk assessment is the process of assessing the risks associated with each
identified hazard, in order to make decisions and implement appropriate
control measures to prevent the hazard from occurring.
3. Hazard is a condition with the potential to cause injury, illness, or death of
personnel; damage to or loss of equipment or property; or mission
degradation.
4. Hazard identification is the process of examining each work area to
identify the hazards associated with each job or task.
 5. Probability is defined as the likelihood that a given event will occur.
6. Severity is defined as the degree of undesired consequences.
7. The five basic steps in the risk management process are hazard
identification, hazard assessment, development of controls and decision
making, implementation, and supervision and evaluation.
8. The types of controls can take many forms, but fall into three main
categories: educational controls, physical controls, and avoidance.
9. A key element in developing and implementing control measures is to specify
who, what, when, where, and how each control is to be used.
10. A key element of the risk decision is determining if the risk is justified.
11. The critical check for controls implementation, with oversight, is to ensure
that controls are converted into clear, simple instructions understood at all
levels.