Georgi Popov - Risk Assessment

A central theme in this text is the concept of assessing risk within the principles, framework, and process of risk management. According to the American National Standard Institute’s ANSI/ASSP/ISO 31000 risk management standard, risk management is defined as “coordinated activities to direct and control an organization with regard to risk.” In a way, it is the process of making management decisions based on known risks and the organization’s acceptance of those risks.

The term “risk assessment” is often misused. It’s the authors’ experience that some organizations (and even some safety professionals) refer to hazard inspections, analyses, surveys, and compliance audits as “risk assessments.” Thus, a clear understanding of the term is necessary. ANSI/ASSP/ISO 31000 states there are three distinct sequential components to the act of “risk assessment” which are:

1 Risk Identification – finding, recognizing, and recording hazards.

2 Risk Analysis – understanding consequences and probabilities and existing controls.

3 Risk Evaluation – comparing levels of risk and considering additional controls.

Consequences are the potential outcomes of an undesirable event which is measured by severity. Probability or likelihood is an estimation of the chances of the undesirable event occurring over a unit of time or for a specific activity. Risk assessment is an attempt to “predict” the worst event that could reasonably happen as a result of the hazard or operation, and how likely it is to occur. This estimation is often qualitative in nature; however, some are semiquantitative or quantitative based. It is important to remember that the risk level relates to uncertainty and its effect on an organization’s ability to achieve its objectives.

Within the risk management process, risk assessment is the primary component. This is illustrated in Figure 3.1adapted from the ANSI/ASSP/ISO 31000 risk management consensus standard.

Figure 3.1 The Risk Management Process.

Source : Adapted from ANSI/ASSP/ISO 31000–2018.

Unfortunately, risk assessments have not been a common practice in the United States. One example is the 20 April 2010 Deepwater Horizon incident. According to estimates, the losses from the offshore oil rig accident resulted in 11 lives lost, $40 billion dollars, and 4.9 million barrels of oil released in the Gulf during the 87‐day incident. BP’s internal investigation team of the Deepwater Horizon accident (i.e. “Deepwater Horizon Accident Investigation Report” 8 September 2010; page 36) concluded that one of the eight key causes to the accident was that no risk assessment was performed of the cement slurry barrier application. The report stated, “the investigation team has not seen evidence of a documented risk assessment regarding annulus barriers”. The accuracy of cement slurry barriers was described as “critical” in the report, yet no formal risk assessment was performed.

Other examples indicate risk assessments are inconsistently performed. In a webinar hosted by the American Society of Safety Professionals (ASSP), “Prevention through Design: Guidelines for Addressing Occupational Hazards and Risks in Design and Redesign Processes” 30 November 2011, one of the webinar facilitators, Bruce Main, quoted a study conducted by a Fortune 500 company indicating that 65% of serious incidents had no previous risk assessment. This number may be indicative of other Fortune 500 companies and supports the authors’ experience that many smaller companies perform very few if any risk assessments.

The takeaway message here is that organizations should establish a strategy for determining when and how risks should be assessed. Basic criteria for a written policy for conducting risk assessments and when assessments are needed might include some of the following:

Projects or tasks that have not had a formal risk assessment.

New facilities, processes, or equipment.

When there are a number of risks present or introduced that make it necessary to apply risk priorities in an organized way.

When there is a risk which could have serious consequences, and where control measures are unclear.

Where there is a planned change to equipment, machinery, or a particular process (as outlined in ANSI Z10.0 8.5 – Design Review and Management of Change).

As within the risk management framework, risk assessment is central to an Operational Risk Management System. The ultimate goal of an Operational Risk Management System is to effectively manage risks and associated costs of occupational incidents through a “management‐lead” continual improvement process that involves its employees. This is evidenced in the ANSI/ASSP Z10.0‐2019 Occupational Health and Safety Management Systems standard and other management system standards and guidelines. For instance, the process of hazard analysis and risk assessment is a “required” core element in the following standards and guidelines:

Occupational Safety and Health Administration’s (OSHA) Voluntary Protection Program (VPP)

ANSI/ASSP/ISO 45001‐2018, Occupational Health and Safety Management Systems – Requirements and Guidance for Use

ANSI/ASSP Z10.0‐2019, Occupational Health and Safety Management Systems

BS OHSAS 18001‐2007, Occupational Health and Safety Management

International Labor Office ILO‐OSH 2001 “Guidelines on Occupational Safety and Health Management Systems”

ISO 14001‐2015, Environmental Management Systems – Requirements with Guidance for Use

Operational Risk Management Systems are based on a continual improvement process using the Plan, Do, Check, Act (PDCA) model promoted by Dr. Edwards Deming, known for his efforts in continuous improvement and quality initiatives. The OHSMS continual improvement process is illustrated in Figure 3.2.

Figure 3.2 The OHSMS Plan‐Do‐Check Act process.

The effectiveness of an Operational Risk Management System requires the continual identification, analysis, and evaluation of risks to understand their magnitude of loss, and potential of occurring, as well as adequacy of existing control measures and needed improvements within the organization. Therefore, the risk assessment process is crucial to understanding and managing risks to an acceptable level within an Operational Risk Management System.

Risk assessments can be performed for many reasons and have many purposes. According to the ANSI/ASSP/ISO 31010, Risk Management – Risk Assessment standard, the purpose of risk assessment is to “help people understand uncertainty and the associated risk in this broad, complex and diverse context, for the purpose of supporting better‐informed decisions and actions.” The use of a consistent risk assessment process allows an organization to understand risk levels, compare those risks, and address those with the greatest risk first.

Generally, operational risk assessments are performed by safety professionals to determine the risk level resulting from a risk source (hazard or operation) and apply appropriate risk‐control measures according to the Hierarchy of Controls to reduce risk to an acceptable or tolerable level. Other forms of risk treatment are available to risk management through insurance or other risk financing mechanisms to cover incidents that are not prevented.