A risk assessment is a systematic approach to identifying hazards, analyzing and prioritizing the potential to harm, and evaluating the efficacy of controls. A hazard is absolute, whereas a risk is relative and will vary in severity and seriousness. Hazards can come from a wide range of sources including machinery, chemicals, ergonomic, psychosocial, environmental, and so on. A risk assessment is a thorough look at the workplace to identify processes, actions, situations, etc. that may cause harm and to identify the likelihood and severity of the harm. The objective is to establish safe work practices, provide a holistic view of the risk exposure of the entire organization, and have controls in place that reduce or eliminate the risks.
In a recent webinar, Chuck Jenkins, National Safety Council Senior Network Forum Leader, identified seven steps to risk assessment:
While risk assessments are the foundation for any successful workplace injury prevention program, they often fall short of the goals. Here are nine common pitfalls:
Companies need to dig in and identify all the risks inside the organization. This takes time, energy, and commitment. It needs to encompass normal operational situations as well as non-routine events such as maintenance, shutdowns, emergencies, power outages, extreme weather, etc. It must consider different groups of workers who have different levels of risk, such as inexperienced workers, identify who might be harmed, and all possible ways they might be harmed.
Historical and industry safety data, such as incident and near miss records, root cause analysis, corrective and preventive actions, job safety analysis, and training reports provide a good picture of the current and past risks. Anticipating potential risks is more challenging, but major transformations that are changing the world of work, including technology, shifting demographics, climate and environmental risks, supply chain disruptions, and changes in work organization (independent contractors, gig workers) should be considered.
Risk assessment is an ongoing process but often they are limited to an annual basis, which is the bare minimum. When processes or products are changed, it’s important to perform risk assessments throughout the development phases, as well as pre-and post-launch. Moreover, workers should be encouraged to communicate about potential hazards, and supervisors held responsible for monitoring risks. Early detection and response to hazards or weak controls are critical to preventing major incidents. Should an incident or near-miss occur, the adequacy of the risk assessment should be reviewed and updated as needed. Significant changes in hiring or job responsibilities should also trigger a review.
There is no one simple or single way to determine the level of risk and many risk assessments are inherently qualitative. Ranking hazards requires knowledge of the workplace activities, urgency of situations, and sound objective judgment. One popular technique is the risk matrix, which combines the severity and probability of a risk occurring. Organizations need to have clear definitions of severity, which often includes five levels ranging from very low to catastrophic. It also requires a consistent method for determining probability, which involves frequency of exposure and number of workers exposed, and an appropriate numerical weighting system for both severity and probability.
Serious injury, illness, and fatality (SIIF) are rare, but high-impact events that require a different approach. Tasks where an incident could result in death or incapacitation should be assigned a catastrophic rating.
While risk assessments can be conducted by a risk manager, risk management team, or third-party consultant, it’s critical to involve employees engaged in daily operations who are most familiar with potential hazards. By the same token, it’s important to recognize that they may underestimate low-level risks that they manage regularly or don’t want “cumbersome” fixes added to their processes. It’s important to have a balance of those who carry out the tasks and risk management professionals.
Words such as “should,” “heavy,” and “PPE” are too imprecise. For example, “an employee should wear fall protection PPE” is inadequate, and changing “should” to “must” and defining the specific type of PPE would be more useful.
Human and organizational factors can intensify a hazard or undermine effective controls. A culture that focuses on blame and bullying or allows workers to bypass safeguards to increase production escalates risk. Also, low employee engagement, inadequate training, poor communication, physical and mental fatigue, high-risk tolerance, are factors that will multiply risk.
When assessing the efficacy of controls, it’s critical to follow the hierarchy of controls in the order that they fall on the list. As you go down the hierarchy, the reliability and effectiveness of the controls decrease and the dependence on the worker following the preventative process increases.