A primer on risk management
Written by Alan D. Quilley 27 July 2009
We couldn’t possibly start to manage our safety challenges effectively without a clear understanding of what “risk” is and how risk can be managed. There are many websites and texts available to explore the intricacies of the risk management process, so I won’t repeat all of that good work here. What I will do is outline the essentials that I’ve come to believe are the fundamental features of risk and how these features can be managed.
William W. Lowrance, a specialist in risk management, defined safety as “a judgment of the acceptability of risk”, and he defined risk, in turn, as “a measure of the probability and severity of harm to human health.” He summarizes his position by stating that “a thing is safe if its risks are judged to be acceptable”. I read Of Acceptable Risk early in my career and it has shaped my thinking about what and how safety needs to be managed.
So let’s look at a practical example of the theory: managing the risk of falling off a flat roof.
A risk mitigation strategy could include:
• Reducing the probability that someone could fall off the roof by installing a barrier
• Reducing the severity of someone falling off the roof by having them wear fall protection
• Reducing the exposure to the roof (the hazard) by limiting access to the roof.
Everything has risk because our actions and inactions have consequences. Everything we do or don’t do makes a contribution to our future outcomes. That puts us somewhat in control of our outcomes. Nothing of course is certain, but our actions can – and do – dramatically manage what happens next in our lives. Putting on a seatbelt when we drive has the potential to dramatically change the outcome in a traffic accident.
The consequences of our actions and inactions make this whole thing manageable. What we do and don’t do for safety matters a lot.
The risk formula
Risk is a function of three critical factors:
Risk = Probability x Severity x Exposure
• Probability that a sequence of events will occur and result in a specific consequence
• Severity of the consequence
• Exposure to the opportunity for the sequence of events to occur.
Note that for our purposes here, consequence is the impact or effect of the loss or the result of the scenario. Consequence can range from positive to negative, including neutral. We can like the outcomes, dislike the outcomes or frankly not be concerned at all with the consequences.
The multiplication comes from the fact that if you could get probability, severity and/or exposure to zero (or for argument’s sake, close to zero) then the risk is virtually gone for that set of circumstances. If you added these components instead of multiplying them, it could look like a risk is still there when it virtually isn’t.
If you work at the edge of a roof on a five-story building without fall protection, there is a probability of injury. There will almost certainly be a severity to the consequences if you fall. And there is, by simple logic, an exposure. If I change one (or more) of the factors, we can get to (or close to) zero.
Saying, ‘Don’t go up there,’ changes the exposure to zero, for example. If we must go on the roof then managing the potential of a fall by putting up guardrails also increases the chance of safely and successfully doing the work. Fall protection would indeed alter the severity if there was a slip from the edge of the roof.
Let’s not forget that we’re not working with absolutes. Risk is about our perception of these components of risk. Risk analysis is about your best guess. If life was a sure thing, risk calculations would be as simple as geometry – it would always work! We wouldn’t have a stock market, and even playing team sports wouldn’t be as exciting. Car insurance companies would all give you the same quote!
Did you just hear a duck quacking? Let’s face it: this risk management is hardly a pure science.
Four Ts
Now, once a risk has been identified there are the classic Four Ts of risk management for us to consider. Using one or more of these managing factors will decrease the risk of loss.
Terminate. An extremely effective risk control technique, this approach is also called risk avoidance. It should be thought of as including both the refusal to expose the organization to a risk in the first place, and the complete elimination of a risk that is already present in the operation. This is the only risk management technique designed to be used without any of the others.
Treat. Also called reduction, it is related to risk control. Treating the risk includes the safety techniques of loss control or loss prevention. Note that when these techniques are applied, the risk still exists; the techniques are designed to stop or reduce losses only. For example, wearing a hard hat does not eliminate the risk of being struck by falling objects; it only prevents or reduces the injuries experienced. Risk treatment (loss control) is a vital area of activity when termination is not a practical solution.
Tolerate. This is also called retention. It is an approach to financing risks that includes all forms of paying for losses with funds originating inside the organization: current expenses, reserves, borrowing and some insurance agreements with a third-party insurer. For most organizations, tolerating risks is only economical in the presence of a good loss control program. Once we have mitigated the potential for loss to an acceptable level, the risk we experience must be tolerated by us, hence the phrase “acceptable risk”.
Transfer. Both risk control and risk financing include transfers — one of legal responsibility through contracts, leases, etc., and the other of financial responsibility. Perhaps the most common risk transfer is to finance losses through insurance, but this must never be viewed as a substitute for loss control, since transfers are not foolproof and almost always leave some chance that the “transferor” may suffer some loss.
There you have it, a view of risk and the management of risk. This is a subject that is as wide as it is deep. Search around the Internet. You’ll find more information than you can possibly read in a lifetime. Decide your definitions of risk and your strategies to manage and mitigate the risks that you and your fellow humans face.
Alan D. Quilley is the author of The Emperor Has No Hard Hat – Achieving REAL Safety Results, and president of Safety Results Ltd., a Sherwood Park, Alberta OH&S consulting company.
Published in
Safety Columns