Guidebook

The EHS Risk

Management
Guidebook
For environmental, health, and safety (EHS)
professionals, risk management is a major contributor to
achieving EHS goals. However, a roadblock to this is how
businesses can mitigate risk with technology.

© ETQ, part of Hexagon

2 | Introduction
Recent research shows that 43% of
industrial companies have increased
their strategic focus on digital
transformation — and EHS management
is the most likely area to have received
additional focus and investment.
Despite this additional attention in response to
the COVID-19 pandemic, collaboration and data
analysis issues still cause barriers to effective
risk management. The most common challenges
include:
• Inadequate interdepartmental collaboration
- Companies often rely on email chains or
shared network drives to exchange EHS
data. That reduces productivity and allows
information to become lost or buried easily.
• Disparate or outdated data systems
incompatible with one another - EHS data is
often spread across various systems, creating
data silos that make it impossible to get a
comprehensive view of an organization.
• The inefficiency of archaic systems - 46% of
EHS leaders say that outdated software has
driven them to find something new, and the
driving force for another 40% is poor existing
integration with other IT systems. That
makes it challenging to gather information,
limits functionality, and allows EHS risks to go
unmanaged.
Transforming EHS isn’t just about changing
decades-old processes and programs but tailoring
an EHS program to suit unique business needs.
This whitepaper guides you through a practical
approach to EHS risk management from a
technology perspective. That includes the basic
concepts behind risk management and a deep dive
into how companies can implement technology to
reduce risk and improve EHS outcomes.
© ETQ, part of Hexagon.
Risk Management:
A Strategic Business Issue
As the conversation around unmanaged risks —
and their ability to cause widespread damage —
becomes a more open conversation and a larger
concern, stakeholder pressure for transparency
increases. Investors, employees, regulators, and
communities now demand greater disclosure
regarding risks from the EHS sector.
One issue is that safety is sometimes considered
totally separate from other areas of day-to-day
work life. Terry L. Mathis theorized that many
employees feel that safety and productivity pull
them in separate directions, but he believes neither
safety nor productivity works well without the
other.
From a strategy perspective, organizations with
higher EHS capability maturity are more likely
to align their initiatives with enterprise business
objectives. The ideal time for EHS leaders to
invest in corporate strategic objectives is now.
EHS processes have been viewed simply as an
operational compliance issue for years — but they
are much more. Everyone deserves to go home
safely at the end of the day.
Risk Management Basics
Risk is the probability of an event multiplied by its
impact or severity. An event may be probable, but
it’s considered a low-risk issue if the consequences
are minimal. However, an event that occurs rarely
but has severe consequences — such as a chemical
explosion or equipment-related fatality — is
considered high risk.
In the EHS environment, effective risk management
requires four fundamental elements:
• Hazard identification to uncover potential risks
involving people, processes and equipment.
3 The EHS Management Guidebook

• Risk assessment to prioritize which risks need You then plot the numbers on a matrix or chart,
controls. This is essential for efficient and with each square calculated as the product of the
effective allocation of resources. corresponding frequency and severity level.

• Implementing controls such as additional
training or engineering controls.
• Monitoring of controls and measurement of
residual risk to ensure controls are effective.
It allows you to quantify the risk associated with
a given hazard. Each hazard falls into one of the
following areas on a color-coded risk matrix:
Green: Low or generally acceptable risk.

Red: High or generally unacceptable risk.

Risk assessment alone isn’t risk management, and
it’s simply one step in a larger process that focuses Yellow: Moderate risk.
on consistent risk reduction.

Common Risk Models

There are several possible risk levels that EHS
professionals use. The three most commonly used
are the risk matrix, the decision tree, and bowtie risk
assessment, and here’s what they all mean.

1. Risk Matrix
The next step is interpreting the results and
The risk matrix is the most commonly used tool
deciding how to act. That requires your company to:
in EHS management, and it allows you to quantify
the risk associated with a hazard and set clear • Agree on a definition of risk. Everyone at
guidelines on whether the risk is acceptable. each business level must share a common
How it works: To create a risk matrix, you first understanding of what defines high risk and
break out different levels of probability and impact low risk.
into verbal scales, assigning each level a numeric • Vet the risk matrix with historical data. By
value: plotting past incidents on the risk matrix, you
SEVERITY can pinpoint the division between acceptable
Verbal Numeric Description and unacceptable risks.
Catastrophic 5 Likely result in death
Critical 4 Potential for severe injury • Create decision-making guidelines.
Moderate 3 Potential for moderate injury
Company policy should dictate the specific
Minor 2 Potential for minor injury
Negligible 1 No significant risk of injury number or range that requires new controls to
be implemented before proceeding.
FREQUENCY
Verbal Numeric Description
2. Decision Tree
Frequent 5 Hazard likely to occur
Probable 4 Hazard will be experienced A decision tree outlines possible decision paths or
Occasional 3
Some manifestation of the
hazards will occur
outcomes for a given situation. It’s less commonly
Remote 2
Manifestations of the hazard used than the risk matrix, but it helps teach
are possible
Manifestations of the hazard
employees how to apply company policy in a
Improbable 1
are unlikely
situation that contains many variables.

© ETQ, part of Hexagon.

4 The EHS Management Guidebook
How it works: The decision tree asks a series of
questions that lead the reader to a specific action.
The decision tree below uses a chemical spill on the
shop floor as an example:
You can use this risk model for many EHS scenarios
requiring special procedures, including confined
space entry, hazardous material disposal, and
lockout/tag-out (LOTO).
3. Bowtie Risk Assessment
Companies use bowtie risk assessment to mitigate
the risk of rare but potentially catastrophic
events. It allows them to visualize complex risk
environments..
Threat Preventive
Controls
Recovery
Controls
Threat Preventive Undesired Event Recpvery
Controls (Hazard) Controls
Threat Preventive Recovery
Controls Controls
How it works: This risk model helps mitigate the
risk of rare, high-impact, or complex risk scenarios.
The bowtie includes the event in the center, with
threats and preventive controls on the left and
consequences and recovery controls on the right.
Bowtie risk assessment is popular in high-risk
industries like aviation, oil, and gas. Life sciences
companies also use this model for certain risks
since product defects can have similarly profound
consequences.
4. Leveraging Technology for More
Effective Risk Management
Manual tracking holds a high risk of employees
under-reporting or adding incorrect data – in fact,
88% of all spreadsheets contain at least one error.
Conversely, integrated EHS management systems
are changing how companies mitigate risk, shifting
the focus away from backward-looking approaches
that assign blame to past events and, instead,
towards proactive strategies that continuously
reduce and prevent risk.
© ETQ, part of Hexagon.
Automated EHS software also creates opportunities
in key areas such as:
• Tracking leading indicators - Traditional
EHS risk management focuses on lagging
indicators like incidence rates and injury costs.
Better linking of larger amounts of valuable
data allows you to identify leading indicators
with stronger predictive capabilities.
• Leveraging Big Data - Leading systems make
it easy to integrate vast quantities of EHS data
with business intelligence tools like Cognos
and QlikView.
• Performing advanced modeling - Integrated
Consequence systems create robust datasets that enable
Consequence advanced modeling, such as Monte Carlo
simulations.
Consequence
In the following sections, we’ll look at key EHS
functions where companies should focus on
implementing risk management tools and
strategies, with practical tips on reducing risk
through automation and integration.
Incident Management
Many companies treat incident management as a
reactive process that happens only after the event
occurs. That’s part of why injuries, illnesses, and
fatalities in the workplace cost billions of dollars
every year.
According to the U.S. Occupational Safety and
Health Management (OSHA), Liberty Mutual
estimated that employers paid more than $1 billion
every week for non-fatal disabling workplace
injuries in 2018. In 2019, work-related deaths and
injuries cost the country, employers, and individuals
$171 billion.
Companies with strong and effective EHS
performance use incident data as a predictive tool,
reducing organizational risk and minimizing the
5 The EHS Management Guidebook
likelihood of recurrence. Essential risk management
software tools and functions that improve your
incident management process include:
• Using a risk matrix to prioritize high-risk
incidents for corrective action.
• Tracking near-misses to improve predictive
capabilities and prevent incidents. Mandatory
near-miss reporting allows you to analyze
high-risk events to identify trends and
unmanaged risks. ETQ’s experience shows
that up to one in three near-misses may have
serious potential for harm, underscoring the
need to treat them as genuine safety incidents.
• Creating dashboard alerts for high-risk
incidents, near-misses, and when key incident
management tasks are overdue.
• Linking high-risk incidents to corrective action
requests. Integrated EHS software routes
corrective action requests automatically
through review, root cause analysis, actions
taken, and verification. That prevents high-
risk incidents from getting buried, making it
easy to access the risk mitigation history for
incidents.
Corrective Action
Many organizations use corrective action as a
punitive tool rather than a continuous improvement
process. This unhelpful approach leads to
underreporting issues and incidents, thus increasing
risk. It’s a key reason why companies must move
away from assigning blame and toward minimizing
the risk of incident recurrence.
Utilizing technology to create a robust corrective
action process ensures the appropriate action is
taken and enables a deeper understanding of the
context and causes of safety incidents.
© ETQ, part of Hexagon.
The following risk management strategies can
effectively boost effectiveness:
• Filtering corrective action requests by
risk - Ensures that high-risk items receive
priority attention. Without this kind of risk
triage, problems can become systemic, and
recurrence is more likely.
• Collaborating on root cause analysis to reduce
the subjectivity of results - Incidents typically
involve intersecting processes and uncovering
the true root cause often require multiple
viewpoints.
• Measuring residual risk as a final verification
step to ensure the corrective action reduced
risk to acceptable levels.
• Proactively applying lessons learned across
the enterprise and not siloing that data - Root
cause findings identified in one plant should
be applied in all other facilities, reducing risk
by preventing the problem from occurring in
other locations.
Change Management
From moving employees between production
areas to installing new equipment, coordinated
change management is critical to reducing EHS
risk. Many companies have learned the hard way
that unmanaged change can lead to disaster – in
fact, 60-70% of all change initiatives undertaken in
organizations fail.
Regardless, it’s important to remember that change
is necessary to benefit from new opportunities.
Change management tools within integrated EHS
software systems allow you to make important
changes while managing risk, ensuring business
continuity so your company can grow profitably
with minimal risk of interruption.
6 The EHS Management Guidebook
Important risk mitigation techniques to incorporate
into your change management process include:
• Performing a risk assessment before you
change processes, people, or equipment.
That could mean using a risk matrix to assess
the risk of a particular hazard or using a
decision tree to analyze the costs of various
alternatives.
• Using Job Safety Analysis to identify
hazards associated with new procedures or
equipment. You can assess the risk of the
procedure as a whole and for individual steps,
helping you pinpoint areas for strategic risk
reduction.
• Using integrated project planning tools within
the EHS System to ensure costs and timelines
don’t balloon out of control.
• Linking employee training requirements
to change management initiatives. People
are your biggest variable for EHS risk, and
employee training is a common weakness in
change management.
• Updating related documents such as protocols
and emergency response plans. Any changes
to processes or equipment should trigger
documentation updates, preferably within
an integrated, permissions-based Document
Control system.
Assets and Equipment
Preventive maintenance is far safer than reactive
maintenance and more cost-effective since it
inevitably stops incidents from happening that
would normally incur fines. Integrated software
that automatically uploads equipment data to the
EHS management system allows monitoring of that
© ETQ, part of Hexagon.
equipment. That means you won’t take equipment
out of service too early while dramatically reducing
worker risk.
Tools and capabilities to leverage within the EHS
management system for reducing equipment-
related risks include:
• Creating risk dashboards with automated
alerts for when equipment needs calibration,
maintenance, or monitoring systems show
abnormal conditions.
• Integrating employee data to prevent workers
who don’t meet certification or training
requirements from operating equipment.
• Filtering maintenance tasks by risk to ensure
the most important repairs and calibration
issues get priority attention.
• Tracking leading indicators around equipment
maintenance and monitoring activities. Smart
sensors that feed data from equipment to the
EHS system can provide predictive data that
allows you to stay ahead of problems.
Employee Training
Believe it or not, it’s rare that accidents are purely
the result of mechanical failure. Human behavior is
always the biggest variable for operational risk, and
the average worker could make anywhere from 10
to 12 errors every hour.
An EHS management system mitigates this risk
by automating compliance with employee training
requirements, reducing safety incidents that result
from insufficient training.
Critical risk mitigation activities to improve the
effectiveness of employee training programs
include:
7 The EHS Management Guidebook
• Updating training requirements whenever key
changes are made to documents, processes,
or equipment and when workers change
departments or roles.
• Automating scheduling so that employees
who need to take specific courses are
automatically added to the roster.
• Adding post-training assessments to ensure
competence in key areas.
• Tracking leading indicators around employee
training, such as analyzing how the number
of training hours or course updates affects
incidence rates.
• Generating new training requirements from
other functions within the EHS management
system, including change management,
document control, and audit management
modules.
Audits
Audits play a leading role in EHS risk management,
yet many companies miss key opportunities to
mitigate risk during the process, thanks to the sheer
volume of preparation involved.
Automated EHS software makes audits more
effective by eliminating busy work and helping you
incorporate audit results into your risk management
strategy.
Key Risk Management tools and functions to focus
on as part of your audit program include:
• Sorting noncompliances by risk so high-risk
problems get priority follow-up.
• Initiating corrective action requests from the
audit record so you can track risk mitigation
history and make certain unsafe conditions
aren’t allowed to persist.
© ETQ, part of Hexagon.
• Monitoring leading indicators related to
your audit programs, such as the number
of significant findings as a proportion of the
overall total, number of repeat findings, and
average time to closure corrective action.
Regulatory Compliance
OSHA penalties for unmanaged regulatory risks
rose in 2016, with the most common citations being
given out for issues such as hazard communication,
respiratory protection, and lockout/tag-out
procedures for controlling hazardous energy. OSHA
now hands out fines of $14,502 per violation, with
willful or repeated violations costing $145,027.
While risk management, on the whole, is improving
— for example, worker deaths in America are down
from approximately 38 worker deaths a day in
1970 to 15 a day in 2019 — the current state of risk
management is still not enough.
Unfortunately, companies have thousands of
requirements to comply with, and it’s often difficult
to understand which regulations even apply to an
organization. Effective compliance tracking is a
huge issue and a key area where EHS software can
reduce risk and minimize a company’s regulatory
exposure.
Top EHS performers typically adopt some version of
the following risk-based compliance process:
• Create a list of all applicable regulatory
requirements in the EHS management system
(an integrated system can do this for you).
• Link each requirement to existing controls
such as employee training or engineering
controls.
• Identify all requirements without controls or
where controls don’t sufficiently reduce risk.
• Conduct a risk assessment using your risk
matrix to identify high-risk gaps where you
8 The EHS Management Guidebook
need to focus on adding or improving controls.
An integrated EHS management system lets
you link regulatory gaps to corrective action,
employee training, and document control
systems.
Contractor and Supplier
Management
Contractors and suppliers introduce significant EHS
risk, with even a single mistake having the capability
to cause a serious incident. In extreme cases, these
incidents can have a long-term impact on brand
value and even an entire industry’s reputation.
Key steps for incorporating risk management into
contractor and supplier compliance programs
include:
• Tracking compliance certificates to ensure all
contractors and suppliers meet internal and
regulatory standards.
• Identifying high-risk suppliers and contractors
through proactive compliance history tracking.
• Standardizing policies for how to manage
supplier issues. For example, a decision tree
or risk matrix can help you identify whether
an incident calls for corrective action,
enhanced inspection rules, or reevaluating the
relationship entirely.
• Assigning corrective actions to partners
with secure, cloud-based access to the
EHS system to engage suppliers and
subcontractors in your safety process.
Enterprise Risk Management
For anybody making business decisions – whether
quality and safety, finance, security, HR, or otherwise
– risk has become a major element to factor in
and make decisions around. EHS software allows
© ETQ, part of Hexagon.
organizations to standardize risk management
practices, improving consistency in how individuals
identify and mitigate risks.
Enterprise risk management strategies to focus on
include:
• Centralizing all risk items in a Risk Register
gives you an easily accessible source for
assessing risk across the organization.
• Establishing risk templates for different types
of risk items, including who is responsible and
what decision-making criteria are.
• Creating roll-up reports that show risk across
different organizational areas enables more
strategic decision-making.
• Linking risks in different areas to identify
trends and common underlying sources of risk.
That can also help EHS teams secure needed
investments in risk management initiatives
that impact other areas of the organization.
Emergency Preparedness
Application
ETQ Reliance includes an Emergency Preparedness
(EP) application as part of the Enterprise Risk
Management solution set. EP is a planning and
preparation tool to document, approve and test an
organization’s response plans for ensuring business
continuity in the face of various emergencies.
Risk management and mitigation are key quality
functions, and especially important in emergency
planning. To improve your organizational response
to events, it is critical to define precisely how
an organization will react during an emergency.
The Reliance EP application will guide you in
critical areas of prep from documenting plans,
policies, and procedures, to training employees
on emergency plans, and running drills to ensure
preparedness. Part of these plans should define how
9 The EHS Management Guidebook
and where employees would work remotely if the
organization’s primary locations were unusable.
Emergency Preparedness helps organizations
manage risk with disaster recovery and business
continuity planning and can be applied to several
scenarios, including:
• IT failures
• Executive disruption
• Medical and healthcare emergencies
• Natural disaster
• Political disruptions
• Fire
• Bomb Threat
• Chemical Spills
Ensuring employee, customer and other stakeholder
safety is paramount. As part of our Enterprise Risk
Management Solution, this critical EP process
enables customers to:
• Create and approve emergency response
plans, policies, and procedures
• Track employee training on these plans
• Set reviews and complete drills on their plans
to ensure organizational readiness
• Link associated response plans, policies,
procedures and work instructions with the
Corrective Action (CAPA/SCAR) records
EHS Software Checklist
Evaluating EHS management systems and
determining whether they meet your organization’s
unique needs is a time-consuming process. The
checklist provides some important considerations
for any system under evaluation:
• Integration: Integrated systems provide
© ETQ, part of Hexagon.
more functionality than point solutions. It’s
also important to consider whether your EHS
software is capable of directly integrating
data from related systems such as quality,
human resources, manufacturing systems and
finance.
• Automation: An automated system reduces
the risk of human error and improves
productivity, also reducing administrative
overhead.
• Mobile: Mobile capabilities allow you to
extend risk management to the field. This
helps engage employees, so you can capture
more (and more detailed) safety data. The
key is having a mobile platform for all EHS
functions, not just a few mobile apps.
• Flexibility: You should be able to customize
an EHS system to your business, not the other
way around. Ease of use is also a huge factor in
user adoption.
• Scalability: It’s important to evaluate how
difficult it is to scale up the system, since you’ll
likely want to add new users and locations as
your business grows.
Closing Thoughts
Big Data now allows companies to collect and
analyze vast quantities of data faster, better, and
cheaper. For organizations to gain maximum benefit
from these advances, an integrated approach
is needed that addresses the gaps created by
disparate point solutions and outdated manual
tracking systems.
Ultimately, the key is building a system that ties
together singular EHS functions and the enterprise.
Only then can companies achieve a higher standard
of protecting both worker safety and our shared
environmental resources.
10 The Risk Management Guidebook

This is an updated version of the original document that was

published in 2018.

About ETQ
ETQ, part of Hexagon, is the leading provider of quality, EHS and
compliance management SaaS software, trusted by the world’s
strongest brands. More than 600 customers globally, spanning
industries such as pharmaceuticals, electronics, heavy industry,
food and beverage, and medical devices, benefit from ETQ to secure
positive brand reputations, enable higher levels of customer loyalty
and enhance profitability. ETQ Reliance offers built-in best practices
and powerful flexibility to drive business excellence through quality.
Only ETQ lets customers configure industry-proven quality processes
to their unique needs and business vision. ETQ was founded in 1992
and has main offices located in the U.S. and Europe. To learn more
about ETQ and its various product offerings, visit www.etq.com.

Hexagon is a global leader in digital reality solutions. Learn more about

Hexagon (Nasdaq Stockholm: HEXA B) at hexagon.com and follow us@
HexagonAB.

© ETQ, LLC, part of Hexagon