Unit ID 1 Learning Outcome - 4

Unit ID1
Know – workplace health
and safety principles
(International)
Learning outcome 4

PAGE 1 Redhat Safety

Unit ID 1 Learning Outcome - 4

Contents
Learning outcome 4..................................................................................................................... 3
4.1 Recognise and apply different hazard identification techniques - Hazard
identification techniques............................................................................................................. 4
4.1.1 Types of hazard identification techniques ................................................................... 4
4.1.2 The importance of worker input .................................................................................... 9
4.2 Explain the principles of implementing and maintaining a sensible risk management
programme - Managing health and safety risks.................................................................... 10
4.2.1 The meaning of the term sensible risk management and the importance of
applying proportionality when assessing and controlling risk .......................................... 10
4.2.2 Principles of and differences between qualitative, semi-quantitative and
quantitative assessments ....................................................................................................... 13
4.2.3 How to engage workers at all levels in the risk assessment process ...................... 17
4.2.4 When dynamic risk assessments/situational awareness should be used .............. 19
4.2.5 The link between the outcomes of risk assessments and the development of risk
controls ..................................................................................................................................... 21
4.2.6 Factors affecting the choice of sensible and proportionate control measures .. 22
4.2.7 Organisational arrangements for implementing and maintaining an effective risk
assessment programme ......................................................................................................... 26
4.2.8 Acceptability/tolerability of risk ................................................................................... 31
4.3 Outline what should be considered in a risk management strategy for an
organisation - Risk management ............................................................................................. 33
4.3.1 Organisational risk profiling .......................................................................................... 33
4.3.2 Why health and safety risks must be integrated into main business risk ................ 38
4.3.3 The concepts of avoidance, reduction, transfer and retention ............................. 43
4.3.4 Circumstances when each of the above strategies would be appropriate ....... 45
4.3.5 Factors to be considered in the selection of an optimum solution based on
relevant risk data .................................................................................................................... 47
4.3.6 The principles and benefits of risk management in a global context ................... 50

PAGE 2 Redhat Safety

Unit ID 1 Learning Outcome - 4

Learning outcome 4
You will be able to understand risk management including the techniques for
identifying hazards, the different types of risk assessment, considerations when
implementing sensible and proportionate additional control measures and
develop a risk management strategy.

PAGE 3 Redhat Safety

Unit ID 1 Learning Outcome - 4

4.1 Recognise and apply different hazard identification techniques -

Hazard identification techniques

4.1.1 Types of hazard identification techniques

Hazard is not deemed to be synonymous with risk, although it can be an

important determinant of risk. Although risk may be related to a chance event
and expressed as a probability, there is much more to it than that. Probability is
not an entirely haphazard one of course, but relates to a number of factors
which will be discussed further.
However in safety management terms, a better definition would be:

 Hazard is the potential to cause harm;

 Risk on the other hand is the likelihood of harm (in defined circumstances,
and usually qualified by some statement of the severity of the harm).

The relationship between hazard and risk must be treated very cautiously. If all
other factors are equal - especially the exposures and the people subjected to
them, then the risk is proportional to the hazard. However, all other factors are
very rarely equal.

Using observation

Observe and record information about the worker performing the job. First
observe the worker and subsequently ask the worker to provide verbal
explanation while walking through the steps.

Informal Observation and Formal Observation Programs

An informal observation process is nothing more than being watchful for hazards
and unsafe behaviours throughout the work shift. No special procedure is

PAGE 4 Redhat Safety

Unit ID 1 Learning Outcome - 4

involved. All employees should be expected to look over their work areas once
in a while.

One of the most effective proactive methods to collect useful data about the
hazards and unsafe behaviours in your workplace is the formal observation
program because it includes a written plan and procedures. For example, safety
committee members or other employees may be assigned to complete a
minimum number of observations of safe/unsafe behaviours during a given
period of time. This data is gathered and analysed to produce graphs and
charts reflecting the current status and trends in employee behaviours. Posting
the results of these observations tends to increase awareness and lower injury
rates. But, more importantly, the data gives valuable clues about safety
management system weaknesses.

Observation is important because it can be a great tool to effectively identify

behaviours that account for fully 95 percent of all workplace injuries. The walk-
around inspection, as a method for identifying hazards, may not be as effective
as observation in identifying unsafe behaviours.

Note: An important policy for successful formal observation procedures is that

they are not, in any way, linked to discipline. Observers should not discipline or
"snitch" on employees: To do so ensures any observation program will fail as an
accurate fact-finding tool. I recommend using only employees who do not have
authority to discipline as observers in the program. If you must use managers or
supervisors, make sure they do not observe in their own areas of responsibility,
and make sure they understand the policy regarding "no discipline" as a
consequence of an observation. it is also important for observers to express
appreciation when safe behaviours are observed, and remind or warn
employees to use safe practices if they are not performing a task safely.

PAGE 5 Redhat Safety

Unit ID 1 Learning Outcome - 4

Task analysis and checklists

What Is Task Analysis?

Task analysis is any process of assessing what a worker does and why, step by
step, and using this information to design a new system or analyse an existing
system.

The term 'task analysis' refers to a methodology that can be carried out by many
specific techniques. These techniques are used to describe or evaluate the
interactions between the humans and the equipment or machines. They can be
used to make a step-by-step comparison of the capabilities and limitations of
the operator with the requirements of the system. The resulting information is
useful for designing not only equipment, but also procedures and training.

Why Should Task Analysis Be Used?

Evaluation and design of a task or job using task analysis more effectively
integrates the human element into the system design and operations.

Benefits

Provides knowledge of the tasks that the user wishes to perform. Thus it is a
reference against which the value of the system functions and features can be
tested.

Checklists

Checklists produce a detailed examination of the process plant by applying

experience of everyday operations and previous incidents in similar plants. If an
assessment of a process is to be performed with the aid of a checklist, it is
believed that the use of a detailed list early on will minimise the inventiveness of

PAGE 6 Redhat Safety

Unit ID 1 Learning Outcome - 4

the team members, and so only a coarse list should be used to aid in the
direction of the work. Once the brainstorming has been completed the detailed
checklist can then be used to identify areas that have been overlooked.

The main task for the assessment team is to identify the potential hazards of the
process. Once a hazard has been identified, recommendations should be
made of possible methods for it to be minimised. When the assessment has been
completed a report should be produced, in co-operation with the people who
have to perform the modifications, giving the alterations required as well as an
appropriate timescale for completion.

Advantages of checklists

 Easy to apply. The principle behind the technique is simple, compares a

list of predefined questions to the process to aid in the identification of
hazards.
 A simplistic assessment can be performed by inexperienced practitioners.
Little experience is required to perform a simplistic assessment consisting of
checking the list against existing conditions.

Disadvantages of checklists

 The assessment will only be as complete as the list used. The methodology
will only ask questions stated in the checklist; if this is not comprehensive
areas might be left unevaluated, leaving possible hazards unidentified.
 Not easy to apply to novel processes. A check list is generally formulated
from past experience. For new plants there is no past experience limiting
the information available for the preparation of an appropriate checklist.

PAGE 7 Redhat Safety

Unit ID 1 Learning Outcome - 4

Failure tracing techniques

Hazard and operability study (HAZOP)

A HAZOP study or its equivalent should be carried out to determine deviations

from normal operation in the installation, and operational malfunctions which
could lead to uncontrolled events.

This technique can be used anytime. Sometimes, these studies or reviews are
called HAZOP‘s, What-If Reviews, process analyses, and other names. In many
cases, OSHA and EPA require these studies for some chemical processes. Every
chemical process would benefit from this type of review. The purpose of this
review is to prevent or minimize the consequences of catastrophic releases of
toxic, reactive, flammable and explosive chemicals by identifying improper
procedures, equipment, employee training, management systems, and
maintenance. For example, during the study, you may find that galvanized
piping has been used for a chemical that is highly reactive to galvanized piping.

Hazard and operability study (HAZOP) is defined in the ILO Prevention of Major
Industrial Accidents ILO Code of Practice as:

"A study carried out by application of guide words to identify all deviations from
design intent having undesirable effects on safety or operability, with the aim of
identifying potential hazards".

The technique of Hazard and Operability Studies, or in more common terms

HAZOPS, has been used and developed over approximately four decades for
'identifying potential hazards and operability problems' caused by 'deviations
from the design intent' of both new and existing process plants.

PAGE 8 Redhat Safety

Unit ID 1 Learning Outcome - 4

The ILO Prevention of Major Industrial Accidents ILO Code of Practice in relation
to the Assessment of Major Hazards is specific about the use of HAZOPS.

4.1.2 The importance of worker input

To be effective, any safety and health program needs the meaningful

participation of workers and their representatives. Workers have much to gain
from a successful program and the most to lose if the program fails. They also
often know the most about potential hazards associated with their jobs.
Successful programs tap into this knowledge base.

Worker participation means that workers are involved in establishing, operating,

evaluating, and improving the safety and health program. All workers at a
worksite should participate, including those employed by contractors,
subcontractors, and temporary staffing agencies

Worker participation is vital to the success of safety and health programs. Where
workers are represented by a union, it is important that worker representatives
also participate in the program, consistent with the rights provided to worker
representatives.

In an effective safety and health program, all workers:

 Are encouraged to participate in the program and feel comfortable

providing input and reporting safety or health concerns.
 Have access to information they need to participate effectively in the
program.
 Have opportunities to participate in all phases of program design and
implementation.

PAGE 9 Redhat Safety

Unit ID 1 Learning Outcome - 4

 Do not experience retaliation when they raise safety and health concerns;
report injuries, illnesses, and hazards; participate in the program; or
exercise safety and health rights.

4.2 Explain the principles of implementing and maintaining a

sensible risk management programme - Managing health and safety
risks
4.2.1 The meaning of the term sensible risk management and the
importance of applying proportionality when assessing and controlling risk

A sensible approach to health and safety means focusing on the significant risks
– those with potential to cause real harm and suffering - and avoiding wasting
resources on everyday and insignificant risks.

Taking a sensible approach to risk management is about:

 ensuring that workers and the public are properly protected

 enabling innovation and learning not stifling them
 ensuring that those who create risks manage them responsibly and
understand that failure to manage significant risks responsibly is likely to
lead to robust action
 providing overall benefit to society by balancing benefits and risks, with a
focus on reducing significant risks – both those which arise more often and
those with serious consequences
 enabling individuals to understand that as well as the right to protection,
they also have to exercise responsibility

It is not about:

 reducing protection of people from risks that cause real harm

PAGE 10 Redhat Safety

Unit ID 1 Learning Outcome - 4

 scaring people by exaggerating or publicising trivial risks

 stopping important recreational and learning activities for individuals
where the risks are managed
 creating a totally risk-free society
 generating useless paperwork mountains

Assess the risks

Once you have identified the hazards, decide how likely it is that someone
could be harmed and how serious it could be. This is assessing the level of risk.

Decide:

 Who might be harmed and how

 What you're already doing to control the risks
 What further action you need to take to control the risks
 Who needs to carry out the action
 When the action is needed by

Control the risks

Look at what you're already doing, and the controls you already have in place.
Ask yourself:

 Can I get rid of the hazard altogether?

 If not, how can I control the risks so that harm is unlikely?

If you need further controls, consider:

 redesigning the job

 replacing the materials, machinery or process

PAGE 11 Redhat Safety

Unit ID 1 Learning Outcome - 4

 organising your work to reduce exposure to the materials, machinery or

process
 identifying and implementing practical measures needed to work safely
 providing personal protective equipment and making sure workers wear it

Put the controls you have identified in place. You're not expected to eliminate
all risks but you need to do everything 'reasonably practicable' to protect
people from harm. This means balancing the level of risk against the measures
needed to control the real risk in terms of money, time or trouble.

Importance of applying proportionality when assessing and

controlling risk

Proportionality is a concept that should be applied to determine the allocation

of resource and effort to a safety and environmental argument based on its risk.
It is a difficult concept to attempt to distil into a process as each Product,
System or Service will have different risks, objectives, priorities and interfaces that
make a ‗one size fits all‘ approach impossible.

This section describes an approach that may be used to assist in applying the
concept of proportionality; it seeks to guide you in understanding where a
proportionate amount of effort can be directed, while at the same time
maintaining the overriding principle that Risk to Life must be managed.
Defence Regulators require that a proportional approach is used and there are
many methods that try to achieve this. Some focus on the amount of evidence
needed to justify a safety argument; some provide more emphasis on the
application of activities that are required to make a safety argument and some
consider that fulfilling certain criteria can lead to an assessment of risk, but the
one requirement that is at the centre of any proportional approach is that safety
risks are ALARP.

PAGE 12 Redhat Safety

Unit ID 1 Learning Outcome - 4

A fundamental consideration of a proportional approach is considering

compliance against assessment criteria. The Health and Safety Executive‘s view
is that there should be some proportionality between the magnitude of the risk
and the measures taken to control the risk. The phrase ―all measures necessary‖
should be interpreted with this principle in mind. Both the likelihood of accidents
occurring and the severity of the worst possible accident determine
proportionality. Application of proportionality should highlight the hazardous
activities for which the Duty Holder should provide the most detailed arguments
to support the ALARP demonstration.

4.2.2 Principles of and differences between qualitative, semi-quantitative

and quantitative assessments

Risk assessment is a process in which hazard, and risk exposure are evaluated.
These evaluations determine whether an exposed population is at greater-than-
expected risk of injury, and/or ill-health, or whether there will be equipment and
machinery damage that leads to lost production etc.

Once this is established, the magnitude and nature of the increased risk can be
explored further, using either qualitative or quantitative approaches.

Qualitative Risk Assessment

Qualitative risk assessments are generally descriptive and indicate that disease
or injury is likely or unlikely under specified conditions of exposure. On the other
hand, quantitative risk assessments provide a numerical estimation of risk based
on mathematical modeling. For example, under specific exposure conditions, it
is expected that one person per 1,000 would develop an occupational disease
or injury.

PAGE 13 Redhat Safety

Unit ID 1 Learning Outcome - 4

Qualitative risk assessment has its roots in the beginning of human history.

For example, people observed that human exposure to particular plants, such
as hemlock, led to adverse health effects. In addition, they noted that some
beneficial materials, such as wine, had adverse effects when taken in excess.

As a result, they recognised both qualitatively and quantitatively that some

products of the environment posed risks. In the main, the effects they noted
were those that occurred almost immediately. Long-term effects were difficult to
discern, especially when life spans were short and other health problems,
particularly infectious diseases, were more prevalent.

In a qualitative assessment it is appropriate to complete just the following steps:

 Identify the hazards;

 Identify the possible consequences (Decide who might be harmed and
how);
 Evaluate risk (and decide whether the existing precautions are adequate
or whether more should be done);

 Record the findings.

Qualitative risk analysis tends to be more subjective. It focuses on identifying risks

to measure both the likelihood of a specific risk event occurring during the
project life cycle and the impact it will have on the overall schedule should it hit.

The goal is to determine severity. Results are then recorded in a risk assessment
matrix (or any other form of an intuitive graphical report) in order to
communicate outstanding hazards to stakeholders.

PAGE 14 Redhat Safety

Unit ID 1 Learning Outcome - 4

Semi-quantitative risk assessment

In many intermediate cases where the hazards are neither few and simple, nor
numerous and complex, for example if there are some hazards that require
specialist knowledge, such as a particular complex process or technique, it may
be appropriate to supplement the simple qualitative approach with a semi-
quantitative assessment.

In carrying out semi-quantitative risk assessments, simple qualitative techniques,

supplemented by for example measurements to identify the presence of
hazards from chemicals or machinery, or the use of simple modelling techniques
may be appropriate. Simple modelling techniques may be used to derive order
of magnitude estimates of the severity of the consequences and likelihood of
realisation of hazards. These estimates can be combined to obtain estimates of
the order of magnitude of the risk.

PAGE 15 Redhat Safety

Unit ID 1 Learning Outcome - 4

Figure - Semi-quantitative risk assessment matrix

Quantitative Risk Assessment

Quantitative Risk Assessment (QRA) is a formalised, specialist method for

calculating numerical individual, environmental, employee and public risk level
values for comparison with regulatory risk criteria. Satisfactory demonstration of
acceptable risk levels is often a requirement for approval of major hazard plant
construction plans, including transmission pipelines, offshore platforms etc.

Each demonstration must be reviewed periodically to show that risks are

controlled to an acceptable level according to applicable legislation and
internal company governance requirements.

Quantitative risk assessment is a method of estimating the magnitude of risk. It

provides a degree of objectivity, and a facility for ranking risks and priorities. It
does however involve some degree of subjectivity as they rely to a certain
extent on past events and/or experience.

An example is the hazard rating number system, which involves quantifying:

1. The probability of exposure to the hazard;

2. The frequency of exposure to the hazard;

3. The number of persons at risk;

PAGE 16 Redhat Safety

Unit ID 1 Learning Outcome - 4

4. The maximum probable loss.

For each of these factors a short table assigns numerical values to various
descriptive phrases i.e. the probability of exposure to/contact with hazard factor
has a table which ranges from 0 (impossible) to 15 (certain).

The values assigned to each factor are also weighted depending on their
relevancy, and the hazard rating number is arrived at by multiplying the four
figures together. The answer (hazard rating number for that risk) is then related
to a table which ranges from acceptable risk to unacceptable risk.

4.2.3 How to engage workers at all levels in the risk assessment process

It is critically important that all companies have comprehensive risk assessment

plans in place, as part of their comprehensive workplace safety programs.
Although these plans are key for all companies, they are absolutely vital for
companies operating in sectors where there are heightened risks to employees‘
health and well-being. For example, a risk assessment plan may be more
important for a metals and mining company with underground mines than it is
for a clothing store in the local mall.

No matter what industry a company is operating in, however, there is a

tendency for companies to put in place risk assessment plans that do not take
into account the feedback and concerns of the employees. It is easy to lay the
blame for this on indifferent management teams that are just ensuring they
have a risk assessment plan in place to meet various requirements, but this over-
simplifies the actual situation (learn how to get the whole team involved with
Teamwork: Working Together Towards a Safer Tomorrow).

Yes, frequently management teams do a poor job of soliciting feedback. On the

other hand, employees are often reluctant to step forward and participate in
PAGE 17 Redhat Safety
Unit ID 1 Learning Outcome - 4

developing a best practice risk assessment plan. This leaves the nagging
question: How can a company generate more organic involvement from all
stakeholders in the process?

There are three steps that any company should take:

1. The company needs to work to develop a level of trust and support with
its stakeholders, in this case, primarily employees. Employees need to
believe that the company is genuinely interested in building a safer and
healthier workplace for them. Therefore, the risk assessment plan cannot
be presented as a one-off initiative - instead, it has to be part of an
ongoing comprehensive and well-developed workplace safety program
(get your employees involved with Simple and Easy Employee
Engagement Ideas for Improving OHS).
2. Despite legal protections offered to whistle-blowers and others who raise
concerns about health and safety issues, many employees are naturally
reluctant to speak up and offer input on these issues - particularly in a
face-to-face setting. Therefore, it is essential to set up multiple channels
that employees can offer feedback through. These channels may
include, but not be limited to: suggestion boxes in the workers‘ cafeteria,
an anonymous telephone hotline, or an email address that accepts
suggestions.
3. Finally, many workers are crunched for time between the responsibilities of
their job and home life. Therefore, they are naturally reluctant to take on
more responsibility to participate on committees or in listening sessions.
Thus, companies must clearly communicate to workers that if they
participate in these projects, they will be compensated for the time spent.
More workers are going to be willing to step up if they do not see this as
an entirely volunteer position.

PAGE 18 Redhat Safety

Unit ID 1 Learning Outcome - 4

Ideally, these steps — along with other plans specifically geared to a company‘s
unique corporate culture — will generate a significantly greater degree of
employee participation in the risk assessment plan.

4.2.4 When dynamic risk assessments/situational awareness should be

used

Dynamic risk assessment is an active observation, assessment and analyzing of

an active work environment while work is ongoing, to identify and manage risk.
A dynamic risk assessment builds on the work of existing risk assessments, though
are conducted in the field, most likely by the worker carrying out a job. This risk
assessment follows the formal risk assessment steps principles.

Formal risk assessments are prepared in advance, recorded and monitored on a

regular basis. Conversely, dynamic risk assessments are ‗dynamic‘ or ever-
changing, and carried out on the spot by an individual when they enter a new
environment or their current environment changes.

However, carrying out a dynamic risk assessment does not mean you do not
need to carry out a formal risk assessment. Dynamic risk assessments should
complement and fill in any gaps that you could not predict when completing
your standard risk assessment. You should carry out a dynamic risk assessment
before entering any new situation and continue to constantly assess the risks
and hazards in case there is a change in circumstances.

Why are dynamic risk assessments important?

A dynamic risk assessment accounts for risk in a live environment that has factors
which may not have been possible to account for in a standard risk assessment.
Regular risk assessments will always be a valuable and legally required part of

PAGE 19 Redhat Safety

Unit ID 1 Learning Outcome - 4

employment law – a dynamic risk assessment allows staff to go further and be

prepared to assess developing situations as they arise.

The purpose of dynamic risk assessments is to enable workers to quickly assess a

situation and take steps to keep themselves and others safe if necessary.

When do I need a dynamic risk assessment?

Dynamic risk assessments should be carried out on the spot by workers as a

situation, job or location changes to be able to spot out risk that was not
covered in the formal risk assessment.

Dynamic risk assessments should be carried out by staff entering people‘s homes
or new locations; for example, housing association workers conducting home
visits. A dynamic risk assessment may include a consideration of the property,
whether it is safe to enter, whether the people they are with are potentially
aggressive, and whether there are sufficient safeguards in place to protect
themselves in the event of an incident.

Benefits of a Dynamic Risk Assessment

Understanding how to carry out a dynamic risk assessment has many benefits.
It‘s specifically important that you know how to carry one out if you work in
constantly varying environments. If you can carry out a dynamic risk assessment,
you will:

 Be able to take a proactive approach to safety. You will have the

knowledge needed to instantly assess risks and hazards of any new,
variable situation.
 Feel confident in your ability to assess your environment. As you will have
the appropriate training needed to instantly observe, analyse and react

PAGE 20 Redhat Safety

Unit ID 1 Learning Outcome - 4

to risks and hazards in new situations, you will feel confident making
decisions that ensure the safety of you and your team.
 Feel more confident doing your job. By having the skills needed to do your
job safely, you will feel more confident entering new, unknown situations.
 By understanding how to carry out a dynamic risk assessment, you will
have the tools needed to confidently assess any situation you encounter
and ensure you work safely.

4.2.5 The link between the outcomes of risk assessments and the
development of risk controls

It is very useful to keep a written record of the risk assessment even if there are
less than five employees in the organization. For an assessment to be ‗ suitable
and sufficient ‘, only the significant hazards and conclusions need be recorded.
The record should also include details of the groups of people affected by the
hazards and the existing control measures and their effectiveness. The
conclusions should identify any new controls required and a review date. The
HSE booklet Five Steps to Risk Assessment provides a very useful guide and
examples of the detail required for most risk assessments.

The record should be accessible to employees and a copy kept with the safety
manual containing the safety policy and arrangements.

Once an organisation has identified its hazards, it can analyse the risks by
producing a risk profile that gives a rating of significance to each risk and
provides a tool for prioritising where resources should be spent. This ranks the
relative importance of each identified risk.

PAGE 21 Redhat Safety

Unit ID 1 Learning Outcome - 4

Profiling allows risks to be mapped to specific areas where descriptions of

current controls are provided and an indication is made regarding whether
control investments levels may be improved, cut or redistributed/reassigned.

Risk analysis identifies the risks requiring urgent management attention, enabling
the organisation to operate successfully and efficiently; whilst allowing the
prioritisation of risk controls in terms of their organisational benefits.

Once an organisation has identified and evaluated the risk, it then must decide
how to manage it.

4.2.6 Factors affecting the choice of sensible and proportionate control

measures

It is important to note that you are not expected to completely eliminate all risks.
The HSE advise that the risk assessment process is not about creating huge
amounts of paperwork; it is about identifying and implementing sensible and
proportionate control measures to keep risk to a minimum.

When risks have been analysed and assessed, you can make decisions about
workplace precautions. All final decisions about risk control methods must take
into account the relevant legal requirements which establish minimum levels of
risk prevention or control. Some of the duties imposed by the HSW Act and the
relevant statutory provisions are absolute and must be complied with. Many
requirements are, however, qualified by the words, 'so far as is reasonably
practicable', or 'so far as is practicable'. These require an assessment of cost,
along with information about relative costs, effectiveness and reliability of
different control measures. Other duties require the use of 'best practicable
means' - often used in the context of controlling sources of environmental
pollution such as emissions to the atmosphere.

PAGE 22 Redhat Safety

Unit ID 1 Learning Outcome - 4

The selected method of control measure has to be sensible and proportionate

in the effecting factors (cost, time, efforts) in comparison to the risk and the
benefit. We should consider the factors:

 long term/short term

 applicability
 practicability
 cost
 proportionality
 effectiveness of control
 legal requirements and associated standards
 the competence of workers
 training needs relevant to preferred controls

Methods towards the top of the control hierarchy tend to be more effective at
controlling risk but more expensive and take longer to implement (long-term).
So, less effective measures may be adopted in the short-term as you move
towards the more effective measures in the long-term. Methods low down in the
hierarchy tend to be cheapest, implemented quickly to give some measure of
risk reduction but their effectiveness may be short-lived (e.g. PPE). An important
element of any control measure selected is to monitor the effectiveness of those
controls; this will tell you whether they have been successful or not! Remember
also that a combination of methods will typically be used to reduce risk to
acceptable or tolerable levels.

Short term control measures can be implemented immediately, while other

measures requiring further planning or financial commitments, can be
introduced in the longer term.

Knowing the type of failure gives a good indication of the actions necessary to
remedy the situation in both the short term (to get the equipment operational)
PAGE 23 Redhat Safety
Unit ID 1 Learning Outcome - 4

and long term (to prevent reoccurrence). Note the importance maintenance
plays in prevention of some of these failures.

There are several types of control measures that fall into three main categories
(in order of priority and effectiveness):

 Elimination
 Engineering
 Administrative
 Personal Protective Equipment

Applicability

It is important not to take a blanket approach to the use of controls. For

example, many sites require excessive PPE to be worn despite this offering no
protection. Hard hats only provide protection against objects falling from
above. If there is nothing above you except the sky, then there is no real need
to wear a hard hat. The controls selected must be applicable and relevant to
the risk you are attempting to control.

Practicability

Some countries, like the UK, require organisations to control some risks so far as is
practicable. This means that they must do everything technologically possible to
control the risk. Since technology regularly progresses, the controls selected must
be kept under review since more effective technologies may have been
developed.

Cost

As previously discussed, the organisation must attempt to strike a balance

between the benefits of risk reduction and the cost, time, trouble, and effort in

PAGE 24 Redhat Safety

Unit ID 1 Learning Outcome - 4

controlling the risk. The costs must not be excessive or ‗grossly disproportionate'
compared to the risk reduction. If the risk is quite small, then the introduction of
PPE and some training by themselves is perfectly acceptable.

Proportionality

Control measures should be proportionate to the level of risk. High risks will
require significant effort to be invested in control measures, using controls from
all parts of the hierarchy of controls. However, low risks will require very little effort
except for regular monitoring.

In general, a control measure is more effective if it does not rely on human

involvement; necessary maintenance is the exception. It is foreseeable that,
where control measures rely on people, there will be occasions where they will
not be used whether unintentionally or deliberately.

Legal requirements and standards

The choice of controls also needs to consider any specific legal requirements
and standards relevant to the identified risk. Local regulations may require that
certain pieces of equipment are guarded, or that certain training is delivered.
Therefore, this control measure is legally required and must be implemented,
regardless of proportionality, cost, effectiveness, or other considerations.

The competence of the workers and relevant training

Measures introduced that may require the introduction of new equipment may
require workers to undergo further training which is an additional cost to the
organisation. For example, the introduction of mobile elevated work platforms
(MEWPs) for working at height, will require workers to undergo specific training,
which may have to be periodically repeated.

PAGE 25 Redhat Safety

Unit ID 1 Learning Outcome - 4

4.2.7 Organisational arrangements for implementing and maintaining an

effective risk assessment programme

Procedures

An effective risk assessment programme must be based on a procedure for risk

assessments. This will set out the process identifying:

 The people responsible for carrying out the risk assessments.

 How the risk assessment team will be put together.
 The level of competence and training required to carry out a risk
assessment.
 The frequencies of review of risk assessments.
 The areas and activities need to be risk assessed. It will also specify that
temporary and non-routine activities must be considered and assessed.
 The tools in place to assist the team (checklists, access to expertise and
advice, etc.).
 The documents to be used.
 The arrangements for reviewing the findings of the risk assessments.
 The arrangements for agreeing corrective and improvement actions,
along with the necessary authorisations and assigning responsibilities for
completion.
 A mechanism to review the effectiveness of the actions.
 Arrangements for the communication of the risk assessment findings and
controls to all relevant people.
 Clear authorisation for risk assessors to stop the job if there is a serious and
imminent danger.

Recording Protocols

PAGE 26 Redhat Safety

Unit ID 1 Learning Outcome - 4

We have already explained that the documentation of risk assessments must be

kept to the minimum necessary for their communication and the management
of risks. Nevertheless, many organisations have complex risk assessment systems
due to the complex nature of their activities and their large size. Furthermore,
enforcement agencies and insurers wish to see evidence of risks being
considered in the risk assessments, and this drives organisations towards greater
and greater levels of bureaucratic complexity.

When a large number of risk assessments are held on file, it is useful to keep a
‗register‘ of risk assessments so the organisation can see all of the risk
assessments that are current active, where they are stored, when they were
created, and when they are due for review.

The organisation must only record the ―significant findings‖ of the risk
assessments. But each one will contain basic information, such as:

 Area, equipment, location being risk assessed.

 Names of the risk assessors.
 Name of the person who approved the risk assessment findings (if
applicable).
 Date of the risk assessment.
 Date of planned review.
 Details of the risks, who and how people could be harmed.
 Whether these risks are controlled or not.
 Control measures to be followed.
 Further controls necessary, if necessary.

The risk assessors should sign the risk assessments to ensure they are valid, and as
evidence they were indeed the people who carried it out.

PAGE 27 Redhat Safety

Unit ID 1 Learning Outcome - 4

It is also useful to include a ‗version number‘ on the risk assessment so that it is

easy to see which is the latest version. When operating a paper based system, it
is possible that someone may be in possession of an out of date risk assessment.

Training and Competence

People who carry out risk assessments must be trained and competent to do so.

The risk assessors need to be trained in the organisation‘s risk assessment

procedure, so they know what needs risk assessing, how often, with whom, what
documentation needs to be kept, how to address serious and imminent risks,
who to report the findings of the risk assessment to, etc.

Furthermore, they need training in the risk assessment process. That means giving
them a basic understanding of the definitions of hazard and risk, and how risk is
categorised. They need to understand the factors that influence likelihood and
severity, so they can estimate, to a reasonable level of accuracy, the overall risk
rating.

The organisation must select carefully who should carry out its risk assessments.
They should consider:

 The level of risk of the process, and whether the risk is simple enough to be
suitably risk assessed internally, or whether external expertise is needed.
 Whether an individual will carry out the risk assessments, or whether a
team approach is needed.
 The level of training the individuals have in risk assessment.
 Their understanding of the risk assessment process.
 Their knowledge of the process, activities, and the workplace.

PAGE 28 Redhat Safety

Unit ID 1 Learning Outcome - 4

 Their general knowledge of health and safety law and standards. They
must be able to recognise breaches of legislation, and where current
controls fall short of good industry practice.
 Their knowledge of the organisation‘s health and safety management
system.
 They must have good attention to detail, be reliable (so they can carry
out the risk assessments on time), and be someone who can be trusted to
get the risk assessment done properly.
 They must have good communication skills, since this requires discussion
with those who do the job. Also, the findings must be reported to
someone with authority to implement additional controls, so good
communication skills to explain the risks and suggest improvements are
also necessary.
 They should have reasonable IT literacy skills so they can record and store
the risk assessments electronically. They must also have reasonable report
writing skills, since they may have to write a report to management.
 They would benefit from being involved with the workers or trade unions.
 They should be aware of their own limitations, and be humble enough to
ask for assistance and advice.

Responsibilities

Ideally line-managers must be responsible for carrying out the risk assessments
for the areas and activities under their control. This will develop their sense of
ownership of health and safety and the safety rules they implement. If managers
are not directly responsible, then they should at least be intimately involved in all
the risk assessments affecting their areas.

The overall process of risk assessment will be managed by the Health and Safety
Team or Manager. Their role is to ensure that the risk assessments are completed,

PAGE 29 Redhat Safety

Unit ID 1 Learning Outcome - 4

on time, to the correct level of detail and quality, that risk assessors are trained
and competent, and to offer advice and assistance whenever requested.

Authorisation and follow-up of actions

It is good practice for the risk assessment to be checked and approved before it
becomes official. This is a second opinion, usually by a member of the Health
and Safety team. If the risk assessment appears not to have been done
correctly, it can be returned to the risk assessment team with questions and/or
comments on improvements. If the risk assessment is suitably done, then the
document will be approved. This then leads to implementation of any actions,
and communication of the findings to the workers.

In many cases, the risk assessor and line-manager will lack the necessary
authority to agree certain actions, due to their significant cost or change in
ways of working. Therefore, the procedure must identify which people have the
necessary authority to approve major changes. Without a clear responsibility, risk
assessors will not know how to get the necessary approvals for the additional
controls.

The actions and additional controls recommended by risk assessments must be

allocated to action ‗owners‘. These are people responsible for implementing the
actions. When many actions are in progress it can become difficult to keep
track of them all. Therefore, it will be necessary to make someone responsible for
tracking them through to completion, and reporting to management any
actions that remain incomplete. The progress against these action plans will be
reviewed on a regular basis at management meetings.

Monitoring

PAGE 30 Redhat Safety

Unit ID 1 Learning Outcome - 4

The organisation must regularly check that the controls stipulated in the risk
assessments are in use. There is no point in specifying a safety rule, such as the
mandatory wearing of hearing protection, if both the workers and the local
managers ignore this. Therefore, there must be a mechanism to regularly check
the rules are being followed and whether they are effective.

Review

Few workplaces stay the same. Eventually, changes will be made, such as the
introduction of new processes, new equipment, new substances, even new
people. Activities will be changed, equipment may be moved. So, it makes
sense to review the risk assessments on a regular basis, to see what changes
have been made and whether these affect the risk levels.

There is no fixed timeframe for reviewing a risk assessment. Many organisations

review these annually. But it can be more frequent or less frequent, depending
on the situation. A large construction site will always be changing and evolving
as the project advances. It would therefore make sense to review the risk
assessments very frequently as the layout of the site and activities change. On
the other hand, a low risk office environment may only need to be reviewed
every two years.

4.2.8 Acceptability/tolerability of risk

How do we know whether a risk is acceptable or tolerable?

In this context, risk is the combination of the likelihood and the consequence of
a specified hazardous event.

PAGE 31 Redhat Safety

Unit ID 1 Learning Outcome - 4

The law in many countries requires employers to do everything "reasonably

practicable" to protect people from harm. Often, this can be done by
comparing what is being done with international standards, or good practice. In
the UK, organisations are required to reduce risks to "as low as is reasonably
practicable" (ALARP).

This is a balancing act with the level of risk on one side and the costs in terms of
time, effort, money needed for rectification on the other side.

ALARP allows for grossly disproportionate actions to be deemed unnecessary for

example: spending £1 million to repair a small leak in a roof in an unoccupied
building would be grossly disproportionate however spending £1 million on fire
prevention systems on an oil refinery which could potentially kill hundreds of
people is proportionate.

These are extreme and obvious examples. In practice, it is often more difficult to
decide.

The following factors are likely to be considered when deciding whether a risk
has been reduced as far as reasonably practicable:

 Health and safety guidelines and codes of practice.

 Manufacturer's specifications and recommendations.
 Industry practice.
 International standards and laws.
 Suggestions from advisory bodies.
 Comparison with similar hazardous events in other industries.
 If the cost to continue to reduce the risk further became disproportionate

PAGE 32 Redhat Safety

Unit ID 1 Learning Outcome - 4

4.3 Outline what should be considered in a risk management

strategy for an organisation - Risk management
4.3.1 Organisational risk profiling

The risk profile of an organisation informs all aspects of the approach to leading
and managing its health and safety risks.

Every organisation will have its own risk profile. This is the starting point for
determining the greatest health and safety issues for the organisation. In some
businesses the risks will be tangible and immediate safety hazards, whereas in
other organisations the risks may be health-related and it may be a long time
before the illness becomes apparent.

A risk profile examines:

 the nature and level of the threats faced by an organisation

 the likelihood of adverse effects occurring
 the level of disruption and costs associated with each type of risk
 the effectiveness of controls in place to manage those risks

The outcome of risk profiling will be that the right risks have been identified and
prioritised for action, and minor risks will not have been given too much priority. It
also informs decisions about what risk controls measures are needed.

Risk profiling is building a basic picture of the set of major risks that the business
faces and using it for decision making. Therefore, it is recognition of risks
affecting the organisation including business disruption and associated business
costs and not specific risks of work at height, etc. It is a holistic approach
referring to management of health and safety as a whole and therefore is an
analysis of the processes involved in risk management within the organisation.

PAGE 33 Redhat Safety

Unit ID 1 Learning Outcome - 4

External risk profiling affects external public, clients and stakeholders and may
consider: ill- health (pathogens), environmental issues, public reaction
(reputation) or security (terrorism), etc.

Internal risk profiling of the corporation may consider legal compliance (claims,
liability), assets of staff (security of staff), assets of the facilities (rusting of
equipment, etc.) or assets of privacy (cyber security, etc.)

As an example, it is no good spending millions of pounds on a state of the art

administration building if the organisation is unable to keep hazardous products
in the constraints of a process plant where potentially catastrophic
consequences occur such as a toxic cloud engulfing the local population.

The outcome of risk profiling will be that the right risks have been identified and
prioritised for action. Large risks should be acknowledged and steps taken to
minimise risks. Minor risks should be appropriately prioritised, again with steps
taken to minimise the risks. Organisations need to remember that ignoring
smaller risks can often lead to them becoming an underlying or root cause with
larger detrimental impacts at a later date. Details of risk control measures that
are needed should be recorded and then used as a basis for setting the health
and safety budget for the forthcoming year. Some organisations will work on a
three or five year plan, but need to make sure that in these instances, that the
risks and controls are reviewed annually to ensure that they are still current and
that the budget set will still be suitable for the required actions.

In public funded bodies such as charitable organisations, it is a legal

requirement that the organisations‘ trustee board undertakes a risk profiling
exercise each year and states their findings in the annual report in the accounts.

The examples in the following pages with key areas of 'What it looks like when
done effectively' indicate positive health and safety attitudes and behaviours.

PAGE 34 Redhat Safety

Unit ID 1 Learning Outcome - 4

The examples also cover 'What it looks like when done badly or not at all' as this
could indicate underlying cultural issues.

Risk Required – refers to the level of risk required to be taken to achieve your
desired level of return.

Risk Capacity – refers to the level of risk (or losses) that you can afford to take.

Risk Tolerance – refers to the level of risk you‘re comfortable taking.

Key actions in effective risk profiling

Leaders
 Identify who takes ownership of health and safety risks
o This might be the owner, or chief executive - in larger organisations it
may be a risk committee or a senior board champion for health
and safety
 Think about the consequences of the worst possible occurrence for your
organisation

PAGE 35 Redhat Safety

Unit ID 1 Learning Outcome - 4

o How confident are you that plans are in place to control the
effects?
 Ensure that risk assessments are carried out by a competent person
o This is someone who has the necessary skills, knowledge and
experience to manage health and safety effectively
 Maintain an overview of the risk-profiling process
o Make sure you are aware of the major risks within your organisation
o Check that minor risks have not been given too much priority and
that major risks have not been overlooked
 Identify who will be responsible for implementing risk controls and over
what timescale
 Remember to assess the effects of changing technology
o Think about issues related to changes in asset ownership. This may
increase the risk profile if design information and knowledge haven't
been passed on
o Have the effects of ageing plant and equipment been examined?

Managers
Identify the risks

 Identify the health and safety risks from the business and prioritise them.
Think about the severity of the harm and the likelihood of occurrence.
Concentrate on priority risks
 Ensure that risks are owned so that appropriate resources can be
allocated
 Consider whether other risks are due to health and safety lapses

Who might be affected?

PAGE 36 Redhat Safety

Unit ID 1 Learning Outcome - 4

 Think about everyone who might be affected by your work activities.

Remember that certain groups may be at increased risk, eg young or
inexperienced workers, pregnant workers, workers with a disability,
migrant workers or ageing workers.

Control measures

 Consider whether any control measures are already in place or if further

action is needed
 Recognise that full implementation of control measures may take time,
and implement interim measures to minimise the risks

Report, record and review

 Report risk control performance regularly internally and consider whether

it should be done externally
 Make sure paperwork is kept to the minimum levels necessary. You only
need to record the risk assessment if you employ five or more people
 Review the organisation's risk profile regularly. Change within the
organisation will affect the risk profile, eg during economic cycles such as
recession and recovery, when there is an increase in workload, or when
experience levels drop

Worker consultation and involvement

 Do workers understand the organisation's risk profile?

o Do they have the necessary information, instruction and training to
deal with the risks that have been identified?
 Consult with workers and their representatives in all parts of the
organisation to ensure that all areas of risk have been identified

Competence

PAGE 37 Redhat Safety

Unit ID 1 Learning Outcome - 4

 A broad knowledge of the entire organisation will be needed to draw up

its risk profile
 In high-hazard organisations, identify what specialist advice may be
necessary to identify hazards and analyse the risks
 Make sure workers are trained and have information about risk controls

Risk profiling – the benefit

 Understanding your risks and exposures

 Evaluation of control measures
 Action to reduce risk of event and improve
 Key element in the CI process
 Goes to satisfy and demonstrate good governance

4.3.2 Why health and safety risks must be integrated into main business
risk

Protecting the health and safety of employees and the public alike is ―an
essential part of risk management and must be led by the board‖.

Despite the well-known legal, moral and financial arguments for implementing
good health and safety practice, it is often the human cost that comes to the
fore when trying to understand the drivers for health and safety.

Research suggests that the wider business interests of an organisation are the
main driver for implementing health and safety. The challenge for the health
and safety practitioner is therefore to demonstrate how health and safety is
intertwined with the wider business risks.

Health and safety and the business agenda

PAGE 38 Redhat Safety
Unit ID 1 Learning Outcome - 4

The linking of health and safety risks to the wider business agenda is reflected in
the new management system standard ISO 45001. The International
Organization for Standardization states that ISO 45001 ―concentrates on the
interaction between an organisation and its business environment‖, while its
predecessor, OHSAS 18001, was focused on ―managing OH&S hazards and
other internal issues‖.

The British Standards Institution also highlights this wider business agenda and the
interconnectivity of risks, stating that the standard focuses on key business
challenges such as the supply chain and continuity planning, thereby allowing
an organisation to ―anticipate, adapt and respond providing both resilience
and agility in a global market place‖.

As such, ISO 45001 should be aligned to the strategic direction of the

organisation, embedding occupational health and safety management into
the core business functions, rather than treating health and safety as a
standalone discipline.

The Institution of Occupational Safety and Health also notes that, increasingly,
organisations are taking a more holistic approach to risk management, driven
primarily by requirements such as the Combined Code of Corporate
Governance and the corporate social responsibility agenda, etc.

However, it also states that unless the health and safety practitioner is familiar
with the principles (and language) of business risk management they may be
―marginalised and left behind‖.

Connecting risks

PAGE 39 Redhat Safety

Unit ID 1 Learning Outcome - 4

As well as understanding business risk management principles, the health and

safety practitioner needs to understand how health and safety risks, if
materialised, will impact on the wider business.

Although they may be familiar with developing arguments for good health and
safety based around the legal, moral and financial aspects, linking these to the
wider business risks may not be so familiar.

In addition, many organisations have separate ―risk functions‖ with limited

integration. A resilient organisation should understand how risks need to be
recognised as being interconnected.

Clearly, the protection of life and prevention of harm to employees, visitors and
the public is the primary purpose of the health and safety practitioner and has
obvious benefits in terms of a safe and healthy work environment, compliance
with legal obligations and avoidance of financial losses. However, successful
health and safety management brings wider benefits to the business. These can
include:

 a more content and healthier workforce with less absenteeism

 reduced administrative costs and management time (eg investigation
time)
 efficient assets (eg through planned preventive maintenance).

Conversely, poor practice can result in increased:

 absenteeism and staff turnover with higher labour-related costs

 insurance premiums, particularly under the recently introduced Insurance
Act requirements
 breakdown and damage to assets and properties and associated costs.

PAGE 40 Redhat Safety

Unit ID 1 Learning Outcome - 4

The above can then be linked to three wider business issues, namely business
continuity risks, financial risks and reputational risk.

As a simple example, if an organisation was providing goods and services as

part of a supply chain, the materialisation of a health and safety risk could
interrupt the supply of such goods/services (a business continuity risk).

This, in turn, could result in financial penalties as part of contractual penalties,

and may also damage the brand/reputation of the organisation, resulting in
further losses due to an inability to generate further contracts and thus
negatively affecting business profitability.

This then could also impact on the perceptions of wider stakeholders (such as
shareholders) who do not want to be associated with an organisation with poor
social responsibility standards.

A good example of how health and safety failures resulted in wider business
failure can be seen in the BP Deepwater Horizon incident, where the
organisation‘s financial losses and reputational damage were severe.

Context and engagement

Having identified that health and safety risks are connected to wider business
risks, the challenge is to put this into practice. The health and safety practitioner
must engage with relevant stakeholders to ensure health and safety forms part
of overall risk management and is given the necessary gravitas.

As mentioned previously, the new international management system standard

ISO 45001 requires any organisation wishing to utilise the standard to understand
the organisation and its context. Even where this standard is not being applied,
by understanding the organisation and its context, the health and safety

PAGE 41 Redhat Safety

Unit ID 1 Learning Outcome - 4

practitioner can gain considerable insight into the wider business risks by
identifying, for example, relationships with suppliers, key industry drivers and the
expectations of stakeholders.

The completion of a PESTLE (political, economic, social, technological, legal and

environmental) study, combined with a rRisk register is one useful method of
recording the organisation‘s H&S risks but also recording how these are linked or
connected to business risks.

However, recording the interconnectivity is only part of the challenge. The

health and safety practitioner must then ‖sell‖ health and safety to relevant
stakeholders to ensure it is integrated into wider business functions and risk
management. This will typically require engaging with senior managers across
the organisation who are managing the wider business risks.

Engagement can be challenging, and to make a successful pitch be aware

that senior managers will look at health and safety in this strategic environment.
It is therefore essential to consider the:

 message that is to be delivered (ie the impact of H&S risk materialisation

on wider business risks)
 objectives of the presentation (eg to gain support for H&S
implementation)
 forum in which the message is to be delivered
 understanding and appreciation of the separate senior managers in
relation to health and safety.

In terms of practical presentations, presenting the risk interconnectivity in a

diagrammatical format may be useful, for example by the use of a ‖bow-tie‖
and/or event tree diagram that clearly indicates the link between health and
safety risks and business risks.

PAGE 42 Redhat Safety

Unit ID 1 Learning Outcome - 4

Conclusion

 Modern health and safety management requires the health and safety
practitioner to be a ―business partner‖.
 Health and safety practitioners will need to understand the key principles
of wider business risk management and risk management language.
 There is a clear interconnectivity of risk, which the health and safety
practitioner will need to identify and record.
 This can be completed by understanding the wider organisation/business
context and the way that health and safety risks can lead to wider
business continuity, financial and reputational risks.
 This can be undertaken by using a PESTLE or SWOT analysis that enables a
clear and cogent approach to be taken.
 Ensure health and safety risks are embedded within business functions.
 Using diagrammatical representations can assist in the engagement
process and show how health and safety risks are actually business risks.

4.3.3 The concepts of avoidance, reduction, transfer and retention

Risk Avoidance

This strategy is where the organisation avoids the risk altogether. For example,
replacing a hazardous chemical with one that is less hazardous but achieves the
same required result.

Risk Reduction

PAGE 43 Redhat Safety

Unit ID 1 Learning Outcome - 4

This strategy involves implementing a loss control programme to protect the

organisation from risk that could result in loss i.e. through wastage caused by
accidents etc.

Risk Transfer

This strategy involves the transfer of loss from one party to another (usually by
implementing an insurance policy). Under an insurance policy, the insurer will
pay-out to the insured against the losses resulting from an event that is stipulated
within the policy.

Risk Retention

This strategy involves the organisation retaining the risk and having to fund any
consequences from their own finances.

There are two aspects to consider:

Risk Retention With Knowledge :

This is where the organisation meets any loss through their own funding. These
decisions can only be made once all risks have been identified and evaluated.

Risk Retention Without Knowledge:

This is where the organisation fails to insure against or identify a risk and as such,
loss occurs.

Every risk which is not transferred (to insurance) is a retained risk. Examples are:

 Events which are insurable. You cannot get insurance for everything. The
insurance company has to be able to assess risk since they are in the
business of risk management. They may quote a premium which is above
PAGE 44 Redhat Safety
Unit ID 1 Learning Outcome - 4

the value you wish to insure. If you can buy a new item for the price of the
premium, it is pointless to insure. Take the risk instead.
 Losses not considered when setting up insurance - if you do not take into
account a particular possibility, you are retaining the loss. It is a case of
accidental risk retention, or risk retention by default.
 Hazards deliberately not insured - risk management is all about taking a
risk, where you have been able to reduce either the probability or the
severity of a loss-making event.
 Losses outside the scope of the insurance - there are always exclusion
clauses, and you do not realise their significance until you need to make a
claim. The good risk manager does not find himself or herself in such a
situation.

4.3.4 Circumstances when each of the above strategies would be

appropriate

Risk Avoidance

One disadvantage is that organisations may lose out on benefits associated with
the

activity. Activities that are risky can be profitable or provide other benefits to the
organisation, for example, trapeze and high wire performers in the circus are
high risk, but large audiences are attracted by the excitement.

Ultimately, commercial organisations must make a profit. And to make profit risks
must be taken. Risk avoidance is suitable when:

 There is a financially viable alternative.

 The risks are so great, they cannot be justified.

PAGE 45 Redhat Safety

Unit ID 1 Learning Outcome - 4

Risk Reduction

As risk reduction is suitable for a range of risks, it is the most common approach.
It lets organisations continue with the activity, but with measures in place to
make it less dangerous. The danger is that your controls are ineffective, and you
end up still suffering the loss that you feared.

Risk Transfer

As long as affordable insurance is possible, this is a good choice for large impact
risks such as fires and flooding.

Another method of transferring risk is to subcontract the risk to another person or

organisation. For example, a manufacturer may decide to subcontract a
hazardous chemical process to another organisation who specialises in that
type of work. This option is acceptable when your organisation lacks the
knowledge, expertise, and equipment necessary to carry out an activity.

Risk Retention (with or without knowledge)

This strategy can be useful if:

 The organisation can save large amounts of cash, or has the cash
available to survive any losses.
 Insurance premiums are not financially viable.
 The organisation has the expertise and rigorous systems in place to
manage the risk adequately.

In some cases, risk is retained without any insurance or contingency plans,

because the insurance is unaffordable. For example, an individual may not be
able to afford health insurance.

PAGE 46 Redhat Safety

Unit ID 1 Learning Outcome - 4

"With knowledge" means that a conscious decision has been made by the
organisation to bear the losses from their own funds.

"Without knowledge" means that organisations retain some of their risks because
they are completely unaware the risks exist. Therefore, the risks are not reduced
or transferred in any way. They are retained within the organisation until they are
identified or lead to a loss.

4.3.5 Factors to be considered in the selection of an optimum solution

based on relevant risk data

It should be said that risk management solutions are dynamic. That is, the best
method today may not be the best method in a year's time, as frequency and
severity of losses may have changed or the cost of implementing different
solutions may have changed (such as significant increase in insurance
premiums).

The selection of the optimum solution will depend upon the availability of
relevant risk data, the type and size of the organisation and its ability to
withstand losses. If the likelihood and consequences of an incident is high, then
significant money may need to be spent to reduce the risk. This could involve
avoiding the risk by ceasing an operation, reducing the risk by spending money
on control measures and, in addition transferring risk to an insurer or contractor.
In high risk industries, insurers would be unlikely to insure unless the organisation
could demonstrate high standards of health and safety management.

Factors to consider include:

Legal Requirements

PAGE 47 Redhat Safety

Unit ID 1 Learning Outcome - 4

Specific legislation may influence a solution. For example, machine guarding

legislation in Europe demands that dangerous parts of machinery must be
guarded. Therefore, risk reduction is an appropriate solution. Safety cases and
reports are required for major hazard installations in the UK, Europe and
Australia, before they are permitted to be constructed.

Ethical, Moral, and Social Considerations

After a major accident, there is often a call for organisations to guarantee that
such accidents can never happen again. Unfortunately, human beings make
mistakes and machinery sometimes fails. Organisations need to have systems in
place to ensure that risks are reduced to the lowest levels reasonably
practicable.

A common moral argument is that people‘s lives matter, and that risk control
decisions cannot be made purely for financial reasons. The price that an
individual pays for lack of adequate control can range from personal injury to
death. Other personal costs are job losses. Society expects organisations to go
beyond the legal minimum and to place a high value on human health and
wellbeing.

Whilst accidents have associated direct costs to an organisation, they can also
affect workers' motivation and morale. This can result in additional costs, such as
reduced productivity, higher staff turnover, and increased sickness absence.
Organisations need to demonstrate to workers that they are prepared to, when
necessary, go beyond the bare minimum legal requirements to protect workers.
However, spending money to prevent accident and injuries "at all costs" may
not be in the best interests of the organisations long term financial survival.

PAGE 48 Redhat Safety

Unit ID 1 Learning Outcome - 4

Technology

Technology has long played an important role in the development of workplace

safety. As technology advances, so too must risk controls include more modern
technological solutions. For example, process control systems evolved from
simple programmable logic control systems (PLC), to far more effective,
computer controlled, supervisory control and data acquisition system (SCADA).
Such systems have been around for a few years now and have undoubtedly
helped prevent potential accidents. With technology constantly improving,
there are interesting methods and gadgets that have recently been unveiled, or
soon will be, that will only help further enhance workplace safety.

Economic State of the Organisation

The economic state, and goals, of a company will influence its approach to risk
control. An organisation with vast cash reserves can afford to spend more than
one that has severe financial constraints.

The economic goals of an organisation may range from making enough money
to survive (covering its costs) through to maximising profits. The cost of risk control
measures, therefore, must be carefully weighed against the reduction in
potential loss from the organisational risks.

It has estimated that some 70% of businesses that suffer a major fire, fail within
two years of the fire. The transfer of fire risk to an insurance company, knowing
the premium costs, allows a degree of certainty in the event of a fire and its
associated costs. A balance must be made, therefore, in the cost of risk transfer
and the potential costs of fire losses.

PAGE 49 Redhat Safety

Unit ID 1 Learning Outcome - 4

4.3.6 The principles and benefits of risk management in a global context

The international standard BS ISO 31000:2009 gives the following risk

management principles:

 Risk management creates and protects value.

 Risk management is an integral part of all organisational processes.
 Risk management is part of decision-making.
 Risk management explicitly addresses uncertainty.
 Risk management is systematic, structured, and timely.
 Risk management is based on the best available information.
 Risk management is tailored.
 Risk management takes human and cultural factors into account.
 Risk management is transparent and inclusive.
 Risk management is dynamic, iterative, and responsive to change.
 Risk management facilitates continual improvement of the organisation.

―Risk management is about taking practical steps to protect people from real
harm and suffering, not bureaucratic legal protection.‖ Taking a sensible
approach to risk management is about:

 Ensuring that workers and the public are properly protected.

 Enabling innovation and learning not stifling it.
 Ensuring that those who create risks manage them responsibly and
understand that failure to manage significant risks responsibly is likely to
lead to robust action.
 Providing overall benefit to society by balancing benefits and risks, with a
focus on reducing significant risks, both those which arise more often and
those with serious consequences.
 Enabling individuals to understand that as well as the right to protection,
they also have to exercise responsibility‖.

PAGE 50 Redhat Safety

Unit ID 1 Learning Outcome - 4

The benefits of effective risk management are:

 Protecting workers and the public from injury and ill-health.

 Reducing worker sickness and absenteeism, leading to greater
productivity.
 Reducing the organisation‘s insurance premiums.
 Protecting the business against foreseeable and unforeseeable risks.
 Reducing the costs of poor health and safety management, such as lost
time, legal costs, fines, reduced productivity, sick pay, increased
recruitment and training, adverse publicity, etc.
 Keeping clients satisfied, and maintaining or increasing sales. A large
incident can prevent an organisation from meeting its clients‘ needs,
therefore leading to loss of contracts, and even financial penalties.

PAGE 51 Redhat Safety