Actions

Risk Assessment

Revision as of 18:29, 19 March 2020 by User (talk | contribs)

A risk assessment is a process to identify potential hazards and analyze what could happen if a hazard occurs. A business impact analysis (BIA) is the process for determining the potential impacts resulting from the interruption of time sensitive or critical business processes.[1]

Broadly speaking, a risk assessment is the combined effort of:

  • identifying and analyzing potential (future) events that may negatively impact individuals, assets, and/or the environment (i.e. risk analysis); and
  • making judgments "on the tolerability of the risk on the basis of a risk analysis" while considering influencing factors (i.e. risk evaluation).

Put in simpler terms, a risk assessment determines possible mishaps, their likelihood and consequences, and the tolerances for such events.[1] The results of this process may be expressed in a quantitative or qualitative fashion. Risk assessment is an inherent part of a broader risk management strategy to "introduce control measures to eliminate or reduce" any potential risk-related consequences.[2]


The Importance of Risk Assessment[3]

Risk assessments are very important as they form an integral part of an occupational health and safety management plan. They help to:

  • Create awareness of hazards and risk.
  • Identify who may be at risk (e.g., employees, cleaners, visitors, contractors, the public, etc.).
  • Determine whether a control program is required for a particular hazard.
  • Determine if existing control measures are adequate or if more should be done.
  • Prevent injuries or illnesses, especially when done at the design or planning stage.
  • Prioritize hazards and control measures.
  • Meet legal requirements where applicable.


Performing an Effective Risk Assessment[4]

Once you have gathered the data and set the scope for a risk assessment project, the process moves on to conducting the risk assessment itself. Risk assessment serves many purposes for an organization, including reducing operational risks, improving safety performance and achieving objectives. While many individuals are involved in the process and many factors come into play, performing an effective risk assessment comes down to three core elements: risk identification, risk analysis and risk evaluation.

  • Risk Identification: To effectively address the hazards and risks within a workplace, you must first properly identify them. When conducting risk identification, the ISO 31000-2018 standard recommends that safety professionals and stakeholders examine a wide variety of factors, including:
    • Tangible and intangible sources of risk
    • Threats and opportunities
    • Causes and events
    • Consequences and their impact on objectives
    • Limitations of knowledge and reliability of information
    • Vulnerabilities and capabilities
    • Changes in external and internal context
    • Indicators of emerging risks
    • Time-related factors
    • Biases, assumptions and beliefs of those involved

The risk assessment team can use tools such as risk assessment matrices and heat maps to compare and, therefore, prioritize hazards. These tools allow safety professionals to place risks into the matrix or map based on the likelihood and severity of a potential incident. From there, decision-makers can analyze each risk to determine the highest-level risks to address.

  • Risk Analysis: Working from the information gathered during risk identification, stakeholders can then begin to analyze the risk levels of certain hazards and prioritize actions based on existing controls, among other criteria. Risk analysis involves a detailed consideration of uncertainties, hazards, consequences, likelihood, events, scenarios, controls and their effectiveness. An event can have multiple causes and consequences and can affect multiple objectives. Earlier identified hazards can be included in preliminary hazard analysis. In such an analysis, an assessor analyzes current conditions with existing controls and a potential future state with proposed additional controls. Tools such as risk assessment matrices and heat maps can be used to compare, and therefore, prioritize hazards. These tools allow safety professionals to place risks into the matrix or map based on the likelihood and severity of a potential incident. From there, decision makers can then analyze each risk to determine the highest-level risks to address. The results from a preliminary hazard analysis can then be transferred to a more detailed approach such as a bow-tie risk assessment diagram for further evaluation to provide more in-depth information to decision makers. In terms of finding acceptable solutions for a particular hazard, a layer of protection analysis (LOPA), studies whether existing or proposed barriers are able to achieve acceptable risk levels. When conducting a LOPA, safety professionals select hazards and consequences, and independent protection layers (IPLs) are identified for each hazard/consequence pair. IPLs are physical barriers such as engineering controls, design changes or warning devices designed to prevent the initiating cause proceeding to the unwanted consequence.

Taking this type of approach to risk analysis allows safety professionals to consider what additional IPLs could be installed to prevent a particular risk and calculate the impact that those controls would have on the severity and likelihood of an incident.

  • Risk Evaluation: As the final step of risk assessment, risk evaluation calls on safety professionals to examine the results of the risk analysis and compare them to established risk criteria in order to determine where additional controls may be required and what those controls might be. As noted, bow-tie risk analysis is a technique for risk evaluation that has gained traction in the safety profession because it provides a more holistic view of risk and paints a picture of a specific hazardous event. The bow-tie analysis is centered around a potential incident, examining its causes, the preventive controls in place, the mitigative controls if it were to occur and the consequences of the incident.

The benefit of a bow-tie analysis is the ability to better visualize a specific hazardous event, how it could occur, the consequences and how those consequences could be prevented or mitigated. Such an analysis does not, however, usually include a risk scoring mechanism, nor does it reflect the effectiveness of controls. Regardless of the method, keep in mind that risk-based decision-making should take into account the wider context as well as the actual and perceived consequences to internal and external stakeholders.

  • Risk Communication: Threaded throughout all steps of the risk assessment process is a fourth element, equally crucial to effective risk management – risk communication. Safety professionals must keep in mind that they must communicate the risks identified, analyzed and evaluated during the assessment to all involved so that everyone has a comprehensive understanding of the existing risks and how they can best be prevented or mitigated to achieve organizational objectives. Taking these steps enables all involved to have a comprehensive understanding of the hazards and risks that exist within facilities and processes, the consequences of the hazards present, and how those can be prevented or mitigated to protect workers’ health and safety.


Implementing Control Measures[5]

After identifying and assigning a risk rating to a hazard, effective controls should be implemented to protect workers. Working through a hierarchy of controls can be an effective method of choosing the right control measure to reduce the risk.


Hierarchy of controls
source: iAuditor


  • Eliminate or control all serious hazards immediately.
  • Use interim controls while you develop and implement longer-term solutions.
  • Select controls according to a hierarchy that emphasizes engineering solutions (including elimination or substitution) first, followed by safe work practices, administrative controls, and finally personal protective equipment.
  • Avoid selecting controls that may directly or indirectly introduce new hazards.
  • Review and discuss control options with workers to ensure that controls are feasible and effective.
  • Use a combination of control options when no single method fully protects workers.


See Also

Risk Analysis
Risk Assessment Framework (RAF)
Risk Management
Risk Management Framework (RMF)
Information Technology Risk (IT Risk)
Enterprise Risk Management (ERM)
Risk IT Framework
Risk Based Testing
Risk-Adjusted Return
Risk-Adjusted Return on Capital (RAROC)
Risk Matrix
Risk Maturity
Risk Maturity Model (RMM)
Risk Mitigation
Operational Risk
Operational Risk Management (ORM)
Architectural Risk


References

  1. Defining Risk Assessment Ready.Gov
  2. A broad definition of Risk Assessment Wikipedia
  3. Why is Risk Assessment Important? CCOHS
  4. Conducting a Risk Assessment assp.org
  5. How to Implement Control Measures? iAuditor
Retrieved from "https://cio-wiki.org//index.php?title=Risk_Assessment&oldid=5650"