Georgi Popov - Risk Assessment

For operational risks, hazards are the source of risk. Thus, if risks are to be assessed, hazards must first be identified and described. Risk identification is defined as the process of finding, recognizing, and recording risks. Its purpose is to identify what might happen and/or the situations that could impact the system or organization. Risk identification should include the identification and description of the source of the risk (hazard in the context of physical harm) and its causes; events, situations, or circumstances which could have a material impact upon objectives; the nature of impact; and any existing controls for the identified risk (ANSI/ASSP/ISO 31010, 2019).

Methods for identifying existing and potential risks in the workplace are many. A likely starting point might begin with collecting available information about the operations to be assessed. Some hazards (risk sources) are easily identified intuitively or through recent or past experience, while others require more systematic methods of identification. Depending on the operation or subject of the assessment, the level of effort will vary accordingly. A simple job or task may only require a job hazard analysis, while a more complex system may require a series of methods to identify existing and potential hazards.

There are many ways to go about identifying hazards and operations for assessment, but a systematic approach will likely be more thorough and reliable. Some of the more common methods and sources used by safety professionals to identify hazards are listed below.

Brainstorming

Checklists

Regulations (OSHA, EPA, DOT, etc.)

Consensus industry standards (ANSI, ASTM, NFPA, etc.)

Experts (external or internal)

Job Hazard Analyses/Job Safety Analyses

Accident/incident investigations

OSHA Injury and Illness Records

Insurance claims

Formal hazard/risk identification techniques42 listed in ANSI/ASSP/ISO 31010‐2019 and50 methods listed in ANSI/ASSP TR 31010‐2020 Technical Report on Risk Assessment

Each risk identification method has its strengths, limitations, complexity level, resource requirements, and outputs. In some cases, more than one technique may be used to identify the risk‐related information needed. These techniques are used in conjunction with the established risk criteria and context that is discussed in the next chapter.

Upon identifying risk sources, the team will analyze the potential risk. As stated by ANSI/ASSP/ISO 31010, risk analysis involves developing an “understanding” of the risk. This analysis of each hazard/risk includes:

determining the severity of consequences

estimating the likelihood of occurrence

assessment of the effectiveness of existing controls

an estimation of the risk level

The level of risk takes into consideration a combination of the possible consequences and likelihood. A single event or task can have many possible consequences and impact multiple assets.

Risk analysis can be qualitative, semiquantitative, or quantitative in nature depending upon the context of the assessment, and available data. Qualitative analyses are the most common and use descriptors such as “high”, “serious”, “medium,” and “low” for degrees of severity of consequence, likelihood of occurrence, and risk level. Semiquantitative methods use numerical ratings for consequence and likelihood to produce a level of risk, which are based on qualitative descriptive criteria rather than quantitative data. Quantitative analyses which are not as common, use estimated values for consequences and their likelihood producing numerical values of risk in specific units defined in the context. As stated by ANSI/ASSP/ISO 31010, full quantitative analysis may not always be possible or desirable due to insufficient information or the needs of the assessment. In many cases, a comparative semiquantitative or qualitative ranking of risks by qualified assessors is desired for the assessment.

The assessment team determines the nature and type of consequences that could result for exposure to a particular hazard or risk source. A single risk source may produce a number of impacts with various magnitudes (levels of severity) and could affect multiple assets or stakeholders. The assessment’s context determines the types of consequence analyzed and stakeholders affected.

Consideration and direction should be given to how certain impacts will be handled. Some risk sources may present a low severity level of consequence but a high likelihood of occurrence, while others may present a high severity, and a low likelihood of occurrence. An organization’s acceptable level of risk (ALOR) will help determine the priorities for these types of risk. As mentioned in ANSI/ASSP/ISO 31010, it may be appropriate to focus on risks with potentially very severe outcomes such as Fatal and Serious Incident (FSI)‐type consequences, as these are often of greatest concern to managers. In other situations, it may be important to analyze both high and low consequence risks separately. Guidance should be established during the development of the context for such decisions.

Determining probability or likelihood generally involves: (i) a review of relevant historical data to identify events or situations which have occurred; (ii) predictive‐type techniques such as fault tree analysis and event tree analysis, and; (iii) a structured systematic process guided by a qualified, knowledgeable expert(s). Any available data used should be relevant to the focus of the assessment. Where historical data shows a very low frequency of occurrence, it may be difficult to properly estimate probability. Therefore, it may be necessary to consider exposure frequency, time, and duration to a certain hazard or event in the likelihood analysis.

The adequacy and effectiveness of existing control measures greatly affect the level of risk and must be assessed. This assessment of controls should include determining the type of controls for each specific risk, and a judgment of their effectiveness based on the Hierarchy of Controls. For instance, controls such as permanent or fixed guards (engineering controls) are considered more effective than employee training, warnings (administrative controls), or personal protective equipment. The assessment should ensure existing controls are being applied/operated as intended, and that their effectiveness can be demonstrated and verified. The effectiveness for a single control, or combination of related controls, can be expressed in qualitative, semiquantitative, or quantitative terms. The main focus of the control assessment should be on determining whether existing controls are adequate in reducing risk to an acceptable level, or whether improved control measures are needed.

Risk evaluation involves comparing the estimated risk levels with the defined risk criteria to determine the significance of the level and type of risk. It is based on the combination of estimated consequences and likelihood and uses information from the hazard/risk identification and risk analysis phases to make recommendations for decision makers. These decisions may include implementing further controls, other forms of risk treatment, or avoiding the hazard or operation all together. Additional inputs to the decision‐making process include legal, financial, ethical, and other considerations. This process may also be used to prioritize possible actions should more than one possible action be feasible.

Methods for defining risk criteria can range from a single‐level dividing risks that require treatment from those that do not, to multiple levels of risk requiring graduated degrees of actions. Decisions on treating a risk will likely depend on the costs and benefits of risk and the costs and benefits of implementing improved controls. The “as low as reasonably practicable” or