7-step process includes identifying, integrating risks
Part of the challenge of working in the safety world is the constant change. As one of the newest professions, safety practitioners need to be adaptable to change.
One of the changes currently impacting the safety world is the move away from simple hazard assessment and control and the move towards enterprise risk management (ERM). Enterprise risk management, as the name implies, integrates all risks under one consistent set of methods and process to manage risks and seize opportunities related to the achievement of the company’s objectives. Occupational health and safety is fast becoming one of the newest and most important aspects of uncontrolled risk under the ERM umbrella.
ERM has also been described as a risk-based approach to managing an enterprise. The evolution of ERM is driven by the needs of the stakeholders who want to understand the broad spectrum of risks facing their organization. Currently the aspects of ERM best recognized and managed by corporations include: financial risk, operational risk, strategic risk, environmental risk, occupational health and safety risk and hazard risk.
Each risk function varies in complexity and how it co-ordinates with other risk functions. Hazard risk and, in particular, occupational health and safety risk are not always considered to be as important as the other risks at the most senior levels of companies. A central goal and challenge of ERM is improving this capability and co-ordination. Full integration of the ERM outputs provides for a truly unified picture of risk for stakeholders and improves the organization’s ability to manage all risks effectively.
ERM provides a framework for total risk management which typically involves identifying particular events or circumstances relevant to the organization’s objectives (risks and opportunities), assessing them in terms of likelihood and magnitude of impact, determining a response strategy and monitoring progress.
By identifying and proactively addressing risks and opportunities, businesses protect and create value for their stakeholders, including owners, employees, customers, regulators and society in general.
For safety practitioners, training in enterprise risk management fundamentals is essential. They need to understand how occupational health and safety risk fits into the ERM framework. They need to know this so they can communicate it to senior management using the ERM language so that it is heard and understood as a component of ERM. The old fashioned language of “hazard assessment and control” has to be replaced with the new language of “risk assessment and risk management.”
Further, the recognition that controlled hazards still represent an enterprise risk needs to be incorporated into the thinking of the modern safety professional.
They need to understand that the ERM process is best described as a seven steps process. Remarkably it also integrates very closely into it the plan-do-check-act or Shewhart cycle. ERM involves:
•Establishing the present: This requires the safety practitioners to take stock and understand the current conditions in which the organization operates, and measure the risk posture of the organization.
•Identifying risks: This requires they do much more than assess hazards and design control strategies. Risks exist even when hazards have been controlled. Your senior management team assumes you have done this. An inventory of risks associated with controlled work processes needs to be provided as an input to the ERM process. These unidentified risks may represent what is referred to as a “material threat” to the organization. Further control of these risks may create a significant competitive advantage.
•Risk analysis and quantification: This requires the comparison of some qualitative or quantitative measure of the occupational health and safety risks to the capacity or appetite of the organization’s risk acceptance (or risk posture). This may include the requirement to estimate the probability of the various risks identified to allow this information to be included in the organization’s data driven decision-making.
•Risk integration: This includes the comparison of all risks including occupational health and safety risk and an assessment of the impact of a serious incident on finances, operations and organizational strategy. It is not until all risks are assessed and their aggregation estimated can a true assessment be determined of the impact an incident will have on the organization’s key performance metrics.
•Aggregate risk prioritization: This prioritization process takes into account the aggregate impact an OHS incident can have on the organization. It allows for identification of incremental risk management efforts needed to bring the aggregate risk profile in line with the organization’s risk posture.
•Risk treatment: This includes the development of strategies for controlling and exploiting the aggregate of the OHS, financial, operational, strategic and other risks.
•Audit and review: As with any active process, the continuous improvement loop requires the ongoing audit and review of these processes. This includes the ongoing measurement, monitoring and communication regarding risk in the organization’s environment and the continual re-assessment and re-affirmation of the risk management strategies.
Glyn Jones is a partner at EHS Partnerships in Calgary and the regional vice-president of Alberta, Northwest Territories and Nunavut for the Canadian Society of Safety Engineering. He is a consulting occupational health and safety professional with 30 years of experience. He also provides program design and instructional support to the University of New Brunswick’s OHS certificate and diploma programs. He can be reached at firstname.lastname@example.org.