Risk Assessment
What, Why, When and How
UCM Fall Symposium and
ASSE/AIHA/A&WMA PDC
November 5, 2015
Bruce Lyon, CSP, PE, ARM, CHMM
Hays Companies
Risk Assessment Fundamentals
What…
Why…
When…
How…
Objectives
Hazards, Risks, and Risk Management
Developing Trends, Standards, FSI & PtD
Triggers for Assessing Risk
Steps for Conducting Risk Assessments
What is Risk Management?
The coordinated activities
of risk avoidance, control,
and financing to a level
that is considered
acceptable.
‘Risk Assessment’ is the
cornerstone of Risk
Management.
What is Risk?
Hazards vs. Risks…
Hazard
• Source of harm. (Z690.1)
Hazards vs. Risks…
Exposure –
• Contact with or proximity to a hazard, taking into account
duration and intensity. (Z10)
• Extent to which an organization or stakeholder is subject to
an event. (Z690.1)
Exposure includes frequency and duration of a hazard coming
into contact with the population or assets at risk.
Hazards vs. Risks…
Risk
• Effect of uncertainty on objectives. (Z690.1)
• An estimate of the probability of a hazard-related incident or
exposure occurring and the severity of harm or damage that
could result. (Z590.3)
Risk is the estimated severity of harm and likelihood of
occurrence from the hazard.
Definitions
• Severity – Degree of harm.
• Likelihood – Chance of something happening.
• Operational Risk – Risks generated from the workplace including
SH&E, liability, legal and information technology.
• Acceptable Risk - The risk level that is considered by the organization
to be acceptable in its current context. This level of risk is generally
lowered as the organization matures and the control technologies
improve.
Definitions
Risk Assessment
• “A process that commences with hazard identification and analysis,
through which the probable severity of harm or damage is
established, followed by an estimate of the probability of the incident
or exposure occurring, and concluding with a statement of risk.” (Z590.3)
• “Overall process of risk identification, risk analysis and risk
evaluation.” (Z690.1)
Risk Assessment is a three step process that including identifying
hazards, analyzing their risk, and evaluation the risk to determine if it
requires additional control.
The Risk Assessment Process
Risk Analysis
Hazard/Risk
Identification
Risk
Evaluation
Risk Assessment within the Risk Management
Framework
Why Assess Risk?
Fatalities and Serious Incidents (FSI) Continue to
Occur
•
•
•
While Incident Rates have decreased, Fatality Rates
remain steady
Major Disasters, Fires, Explosions, Chemical Releases
FSIs in Construction, Petro-chemical, Transportation,
Agribusiness among other industries
Why Assess Risk?
Why Assess Risk?
The Rising Importance of Managing Risk
Risk assessments required in:
• many countries
• branches of the military
• NASA
• Chemical operations – (OSHA Process Safety Management &
EPA RMP)
• Atomic energy field
• Pharmaceuticals
Global Trends
ISO 31000 Risk Management Standards
Key Standards
• ISO 31000 - ANSI/ASSE Z690-2011 Risk Management
Standards
• ANSI/ASSE Z590.3-2011 Prevention through Design
• ANSI B11.0-2015 Safety of Machinery
• MIL-STD-882E-2012
The Purpose of Assessing Risk…
to “provide evidence-based information and analysis to
make informed decisions on how to treat particular
risks and how to select between options.”
ISO 31010/ANSI/ASSE Z690.3-2011
Risk Assessments required in Management
Systems Standards
Plan, Do, Check, Act
“The effectiveness of an ORMS
requires the continual
identification, analysis and
evaluation of risks to understand
their magnitude of loss, and
potential of occurring, as well as
adequacy of existing control
measures and needed
improvements within the
organization.”
Operational Risk Management Systems
• OSHA’s Voluntary Protection Program (VPP)
• ANSI Z10-2012
• BS OHSAS 18001-2007
• International Labor Office ILO-OSH 2001
• ISO 14001-2004, Environmental management systems
• ISO 45001- 2015-16, Occupational Health and Safety
Management Systems
The Rising Importance of Risk Assessment
• Established February 2013
• Risk-based information, tools, and research for safety professionals
• Risk Assessment Certificate Program
http://www.oshrisk.org/
OSHA Recognizes Need for Risk-based
Approach
In a July 19, 2010 letter to the OSHA staff, Assistant Secretary David
Michaels wrote:
“Ensuring that American workplaces are safe will require a
paradigm shift, with employers going beyond simply
attempting to meet OSHA standards, to implementing riskbased workplace injury and illness prevention programs.”
When should Risks be Assessed?
Design of New Systems
Redesign of Existing Systems
Changes & Additions (MOC)
Procurement
High Risk Activities
Non-routine Activities
Serious Incidents (FSI)
Upsets and Emergencies
Third-party Interactions,
Contractors, & Construction
External Requirements
When Assess Risks?
Develop a Strategy for ‘when’, ‘where’, ‘who’ and ‘how’ risk
assessments are to be performed
Gain Management Commitment
Involve Stakeholders
Ensure Adequate Resources are Available
Qualified Risk Assessors
Document and Communicate Risk
Establish Risk
Criteria
Monitor /
Review
Document
Establish
Context
Risk
Assessment
Process
Assemble
Team
Identify
Hazards
Treat Risks
Evaluate
Risks
Analyze
Risks
Establish Risk Criteria and Matrix
Define Risk Criteria & Levels
Establish Risk Scoring System
Select Risk Assessment Matrix
Establishing the context (5.3)
Risk assessment (5.4)
Risk identification (5.4.2)
Communication
and consultation
(5.2)
Risk analysis (5.4.3)
Risk evaluation (5.4.4)
Risk treatment (5.5)
Monitoring and
review (5.6)
Establish Risk Criteria and Matrix
Establish a Risk Scoring System
Qualitative, Semi-quantitative, or Quantitative
Risk Factors in System
• Severity, Likelihood, Control Effectiveness, Exposure, etc.
Existing or Customized System
• MIL-STD-882
• ANSI Z10
• ANSI Z590.3 PtD
Establish Risk Criteria and Matrix
Define Risk Criteria & Levels for the Organization
• Severity
• Likelihood
• Action Levels
• Acceptable Level
Establish Risk Criteria and Matrix
“A method to categorize
combinations of
probability of occurrence
and severity of harm, thus
establishing risk levels.”
(Z590.3)
Establish Risk Criteria and Matrix
Risk Level
Unacceptable
High
Moderate
Low
Risk Action Levels
Action
Immediate action required. Operation not permissible, except
in rare and extra-ordinary circumstances.
Remedial action is to be given high priority.
Remedial action is to be taken at appropriate time.
Remedial action is discretionary. Procedures are to be in place
to ensure risk level is maintained.
Establish Context
Purpose and Scope
Boundaries and Limitations
Select Risk Assessment Method(s)
Form a Team
Context will Determine Size and Makeup
Cross-functional Group
Roles and Responsibilities
Training in Method(s)
Identify Hazards/Risks
Find, Recognize and Record
• Hazards
• Causes and Sources
• Events, Scenarios or Failure
Modes
• Existing Controls
Establishing the context (5.3)
Risk assessment (5.4)
Risk identification (5.4.2)
Communication
and consultation
(5.2)
Risk analysis (5.4.3)
Risk evaluation (5.4.4)
Risk treatment (5.5)
Monitoring and
review (5.6)
Identification Methods
•
•
•
•
•
•
•
•
•
•
Brainstorming
Checklists
Regulations (OSHA, EPA, DOT etc.)
Standards (ANSI, ASTM, NFPA, etc.)
Experts (external or internal)
Job Hazard Analyses/Job Safety Analyses
Accident/incident investigations
OSHA Injury and Illness Records
Insurance claims
Formal hazard/risk identification techniques (31 listed in ANSI Z690.3-2011)
Risk Analysis
1. Severity of Consequences (S)
2. Likelihood of Occurrence (L)
3. Effectiveness of Existing
Controls
4. Estimated Risk Levels
Establishing the context (5.3)
Risk assessment (5.4)
Risk identification (5.4.2)
Communication
and consultation
(5.2)
Risk analysis (5.4.3)
Risk evaluation (5.4.4)
Risk treatment (5.5)
Monitoring and
review (5.6)
Risk Analysis
Determine Consequence(s) and their Severity
Fertilizer
Warehouse Fire
Employees
Public
Environment
Building
Liability
Risk Analysis
Estimate Severity Level (S) for each Consequence
Severity
Ranking
Severity Level (S)
4
Catastrophic
3
Critical
2
Marginal
1
Low
Severity of Consequence Description
One or more fatalities; multiple serious hospitalizations;
incident resulting in more than $250 K
Disabling injury or illness; permanent impairment; incident
resulting in more than $ 50 K
Medical treatment or restricted work; recordable incidents;
incident resulting in more than $ 1 K
First aid or non-treatment incidents; incident resulting in
less than $ 1 K
Risk Analysis
Estimate Likelihood (L)
• Review historical data
• Consider exposure
frequency, duration and
population
• Estimate Likelihood of
Occurrence
Risk Analysis
Assess Existing Controls (PE)
• Adequacy and Effectiveness
• Consider the type of controls and
their effectiveness according to the
‘Hierarchy of Controls’
Risk Analysis
Estimate Risk Level
• Using the Risk Scoring System calculate the Risk Level
Take care not to dilute severity if using multiple risk factors in the formula (i.e.
severity, probability, exposure, protection effectiveness, failure detectability,
frequency, duration, etc.)
Examples:
Severity + Likelihood = Risk Level
Severity x (Likelihood x Protection Effectiveness) = Risk Level
Risk Evaluation
• Compare estimated Risk
Levels with established Risk
Criteria
• Determine if Risk is
Acceptable or if Treatment is
needed
• Prioritize Actions based on
Risk Levels
Establishing the context (5.3)
Risk assessment (5.4)
Risk identification (5.4.2)
Communication
and consultation
(5.2)
Risk analysis (5.4.3)
Risk evaluation (5.4.4)
Risk treatment (5.5)
Monitoring and
review (5.6)
Risk – ‘As Low As Reasonably Practicable’
Decisions on treating a
risk will depend on the
risk level and the costs
and benefits of
implementing improved
controls.
Risk Treatment
‘The process of reducing or
modifying risk using Risk
Treatment Options.’
Risks that are judged
unacceptable must be ‘treated’
to reduce risk.
Establishing the context (5.3)
Risk assessment (5.4)
Risk identification (5.4.2)
Communication
and consultation
(5.2)
Risk analysis (5.4.3)
Risk evaluation (5.4.4)
Risk treatment (5.5)
Monitoring and
review (5.6)
Risk Treatment Options
1) Avoidance - avoiding the risk by deciding not to start or continue
with the activity that gives rise to the risk
2) Elimination - removing the risk source
3) Substitution - changing the consequences
4) Engineering and Administrative controls - changing the likelihood
5) Transfer & Financing - sharing the risk with another party such as
insurance contracts and risk financing
6) Retain - retaining the risk by informed decision
Hierarchy of Controls
Most
Preferred
Least
Preferred
Risk Avoidance: Prevent entry of hazards into a
workplace by selecting and incorporating appropriate
technology and work methods criteria during the
design processes.
Eliminate: Eliminate workplace and work methods
risks that have been discovered.
Substitution: Reduce risks by substituting less
hazardous methods or materials.
Engineering Controls: Incorporate engineering
controls/safety devices.
Warning: Provide warning systems.
Administrative Controls: Apply administrative
controls (the organization of work, training,
scheduling, supervision, etc.).
Personal Protective Equipment: Provide Personal
Protective Equipment (PPE).
Documentation
Virtually all aspects of the process should be documented
 Selecting the risk assessment matrix
 Determining the purpose and scope (context)
 Forming the team
 Selecting the hazards or operations to be assessed
 Identifying Hazards/risks
 Analyzing Risks
 Evaluating Risks
 Communicating and documenting
 Monitoring and continuous improvement
Documentation
Risk Register
Current State Risk
Level
Additional Controls
Completion Date
Future State Risk
Level
14
Yes
2/20/2015
12
burns
15.2
Yes
3/15/2015
12
1.3
arc flash
11.2
Yes
2/20/2015
9.8
Plasma cutter
1.4
noise
19
Yes
3/15/2015
8.4
QC Lab - Weld
Plasma cutter
1.5
fire
14
Yes
3/15/2015
12
1
QC Lab - Weld
Plasma cutter
1.6
dust
11.2
Yes
3/15/2015
9.6
2
QC Lab - Weld
Weld Destruct
2.1
ergo-strains
14
Yes
4/15/2015
14
2
QC Lab - Weld
Weld Destruct
2.2
vibration
19
Yes
4/15/2015
4.8
2
QC Lab - Weld
Weld Destruct
2.3
noise
11.2
Yes
4/15/2015
10.8
2
QC Lab - Weld
Weld Destruct
2.4
struck by
15.2
Yes
2/20/2015
14.4
2
QC Lab - Weld
Weld Destruct
2.5
dust
16
Yes
4/15/2015
8.4
2
QC Lab - Weld
Weld Destruct
2.6
struck against
11.4
Yes
3/15/2015
6.3
2
QC Lab - Weld
Weld Destruct
2.7
falls same level
16
Yes
3/15/2015
11.2
3
Finishing
Wash Station
3.1
hot liquid
9
Yes
4/15/2015
6.3
3
Finishing
Wash Station
3.2
struck against
14.25
Yes
4/15/2015
0.2
3
Finishing
Wash Station
3.3
chem-corrosive
11.2
Yes
4/15/2015
4.2
3
Finishing
Wash Station
3.4
hot surfaces
14.25
Yes
4/15/2015
2.1
3
Finishing
Wash Station
3.5
mechanical
9.6
Yes
3/15/2015
4.8
3
Finishing
Wash Station
3.6
ergo-strains
11.2
Yes
4/15/2015
0.2
Case #
Location
Task
Hazard #
Hazard
1
QC Lab - Weld
Plasma cutter
1.1
Electrical Shock
1
QC Lab - Weld
Plasma cutter
1.2
1
QC Lab - Weld
Plasma cutter
1
QC Lab - Weld
1
Monitoring & Continuous Improvement
Hazards and operations change
Changes can effect existing
controls and their effectiveness
Update risk assessments to
consider these possible changes
Establishing the context (5.3)
Risk assessment (5.4)
Risk identification (5.4.2)
Communication
and consultation
(5.2)
Risk analysis (5.4.3)
Risk evaluation (5.4.4)
Risk treatment (5.5)
Monitoring and
review (5.6)
Communication
The importance of
communication can not be
overstated.
Successful risk assessments
are dependent on effective
communication among
stakeholders prior to, during
and after the process.
Establishing the context (5.3)
Risk assessment (5.4)
Risk identification (5.4.2)
Communication
and consultation
(5.2)
Risk analysis (5.4.3)
Risk evaluation (5.4.4)
Risk treatment (5.5)
Monitoring and
review (5.6)
The Take Away Message
Take a ‘Risk-based’ Approach
Establish a Strategy for Performing Risk Assessments
Lead the Way