Risk Management Tools for Safety Professionals – Part I, Chapter 1. RM and PtD
PART I – RISK MANAGEMENT METHODS AND TOOLS
Chapter 1 – Risk Management and Prevention through Design
Authors: Bruce Lyon, CSP, PE, ARM, CHMM, and Georgi Popov, PhD, QEP, SMS, CMC
The following is a selected section from the upcoming Risk Management Tools
for Safety Professionals manual to be published by ASSE in 2018.
INTRODUCTION
The safety profession has evolved and experienced significant change during the past 40
years. Prior to the United States (U.S.) Occupational Safety and Health Act, work-related
injuries and illnesses were common and viewed as the norm among many organizations.
Amputations, respiratory problems and hearing loss, ergonomics-related disabilities and even
fatalities were accepted as a part of doing business. The role of safety was basically nonexistent. In 1970, the enactment of the OSH Act created a demand for occupational safety and
health (OSH) professionals to assist organizations in complying with the many newly implemented
workplace safety and health regulations. The OSHA regulations provided a foundation for
worker protection and greatly defined the OSH professionals’ role for decades. However, a
transformation is underway within the profession.
Once confined to traditional and often reactionary activities such as regulatory
compliance, accident investigation and reporting, safety programs development, safety training,
worksite inspections, and safety equipment selection, OSH professionals are beginning to engage
in more proactive, risk-based practices. This shift is noted in the following quote from Thomas
Cecich, the American Society of Safety Engineers (ASSE) President in 2016 taken from the
ISHN 50th anniversary: Challenges and Opportunities - Thought Leader Essays at
http://www.ishn.com/articles/105319-ishn-50th-anniversary-challenges-and-opportunities--thought-leader-essays.
In the future of the practice of occupational safety and health the role of safety and
health professionals must continue to move beyond compliance with regulatory standards.
Leading organizations understand that the key to injury and illness reduction and greater
operational efficiency lies with the need to identify, assess, manage and communicate
workplace risk. Senior management understands the concept of managing risk. They do it
all the time, whether operational risk, financial risk, reputational risk or market risk.
(Cecich, 2016)
The need to comply with regulations and perform traditional practices will always be part
of the job; however, it is the authors’ opinion that those activities will not be the primary focus of
the OSH profession. What then will define the need for future OSH professionals? In a word,
‘risk’.
As the profession moves from a hazard and compliance-based focus to a ‘risk-centric’ (a
phrase coined by Dave Walline) or risk-based approach, OSH professionals will be expected to
expand their skill-set to include those in risk assessment (identification, analyses, and
evaluation), application of higher level controls for risk reduction, Prevention through Design
(PtD) and pre-operational risk assessment, safety specifications for procurement, change
management, and operational risk management systems. This shift to more risk-based efforts is
elevating the profession to greater importance within organizations. In essence, the profession is
becoming more ‘active’ in nature, providing risk-based information to decision makers; moving
away from ‘passive’ traditional safety programs towards safety processes operating within
operational risk management systems. Perhaps a better descriptor for the profession is
‘occupational safety and health risk’ or simply ‘occupational risk’. Nonetheless, the profession
is evolving.
The Sources of Risk
Risk is described as the effect of uncertainty by the ISO 31000:2009 Risk Management
Standard (adopted by ANSI/ASSE Z690.2 in 2011). As the role of the OSH professional
continues to evolve, it is important to recognize the different sources of risk, and their
relationship and effects upon an organization. The American Institute For Chartered Property
Casualty Underwriters known as ‘The Institutes’ refers to these risk source categories as the ‘risk
quadrants’ (The Institutes, 2017). The risk quadrants are known as operational risk, hazard risk,
financial risk and strategic risk. Operational risks and hazard risks are considered ‘pure’ risks –
those that can only result in loss or negative outcomes – and are the primary risks that OSH
professionals manage or control. Financial and strategic risks are ‘speculative’ risks which have
the possibility of either a positive or negative outcome. ‘Pure’ risks are typically insurable since
they only involve the chance of loss while ‘speculative’ risks are not. Figure 1.1 represents the
four quadrants of risk.
[Figure 1.1 quadrants. Pure Risk: Hazard Risk, Operational Risk. Speculative Risk: Financial Risk, Strategic Risk.]
Figure 1.1, The Four Quadrants of Risk
In the course materials for the Associate in Risk Management (ARM) designation, The
Institutes describe the ‘risk quadrants’ as follows:
Hazard Risk - Risks that are derived from property, liability, or personnel loss
exposures and are generally insurable.
Operational Risk – Risks that are derived from people or a failure in processes,
systems, or controls including information technology (IT) related exposures. Both
hazard and operational risks are closely aligned and interrelated, and are often
managed as such.
Financial Risk – Risks derived from the effect of market forces or financial assets
or liabilities and include market risk, credit risk, liquidity risk, and price risk.
Strategic Risk – Risks derived from trends in the economy and society, including
changes in economic, political, and competitive environments, as well as from
demographic shifts.
Risk sources have the potential of falling into more than one category or quadrant, and can
also impact other types of risks within an organization – causing a cascade effect. For instance,
a product release or spill initially affects the operational aspect of the organization as a loss of
product and temporary business interruption risk. However, if the product is hazardous, the
operational risk turns into a safety, health and environmental risk – a hazard risk. And
depending upon the scale and severity of the operational and hazard risks, the event may lead to
significant financial loss - a financial risk - and possibly damage the organization’s reputation – a
strategic risk. The Institutes indicate that organizations define types of risk differently, and
recommend that each organization define its categories to align with its objectives and
processes. For this manual, the authors refer to ‘operational risks’ which OSH professionals tend
to manage as including both operational-related exposures and hazard risks – those derived from
occupational safety, health, environmental and property exposures.
Enterprise Risk Management (“ERM”) is a strategic business discipline that supports the
achievement of an organization’s objectives by addressing the full spectrum of its risks and
managing the combined impact of those risks as an interrelated risk portfolio (RIMS, 2017).
Organizations seek to manage risk exposures across all parts of their business so that, at any
given time, they incur just enough of the right kinds of risk—no more, no less—to effectively
pursue strategic goals (COSO, 2012). The OSH professional is trained to look at hazards and
risks associated with operational activities that produce negative consequences. Businesses must
balance both the negative risks as well as the opportunities and positive risks they face.
Interdependencies and Synergistic Effects
ERM risks are interdependent. Key interdependencies exist between hazard risks,
operational risk, financial risk, and strategic risk. Upon further examination, each of these major
interdependent categories is comprised of sub-risk categories. In addition, the synergistic effect
of risk exposures could pose greater risk than the sum of individual hazards and risks. For
example, the regulatory fines related to OSH risks may be considered acceptable from a financial
perspective, but may not be acceptable from an ERM perspective due to strategic risk and
potential reputational damage. Such risks may be misunderstood or underestimated. For
instance, OSH risk may lead to financial losses, operational interruptions, and regulatory issues if
the function is not properly integrated into the ERM process.
Improperly managed OSH risks may lead to operations being shut down due to incident
investigations, resulting in financial losses, failure to fulfill orders, increased insurance premiums
and reputational damage. Unfortunately, a considerable number of organizations use different
systems and methodologies to manage different risks. For instance, the OSH function may utilize
risk assessment and risk management methodologies that are not familiar to business managers.
Conversely, OSH managers may not be fully familiar with business risk assessment and risk
management practices and tools. Hence, the need for integration.
Benefits of OSH Function and ERM Integration
ERM requires an integrated risk organization. While many companies now have a Chief
Risk Officer (CRO), they are often aligned to financial or internal audit functions far removed
from operational and strategic risk domains where OSH professionals feel comfortable. This
progression from OSH risk to Operational, Financial, Business and Strategic risk offers the OSH
professionals the opportunity to integrate OSH risk management into the ERM process.
ERM requires the integration of risk management strategies, as not all risks are graded or
scored equally. Under the very familiar “silo approach” to risk identification, assessment and
management, OSH functions are frequently limited to compliance over effective implementation
truly affecting worker and community health, environmental quality, or personnel safety. Any
opportunity to align OSH projects with business objectives was often ignored.
Risk Management and the OSH Professional
In an effort to better prepare for the changes occurring in the profession, this manual
provides guidance for selecting, modifying and combining risk management methods and tools.
It is largely shaped by significant events in recent years that give greater prominence to risk
assessment and the risk management process. Some of the more important events which signal a
move toward risk-based efforts are shown in the following list.
1. The National Safety Council created an entity known as the Institute for Safety through
Design (ISTD) in 1995. The core of the ISTD and the safety through design concept is
hazard identification and risk assessment in the design phase.
2. In 1996, the National Institute for Occupational Safety and Health (NIOSH) began
consideration of what became a major initiative on Prevention through Design (PtD). The
intent of the initiative was to encourage organizations to have processes in place to
address occupational hazards and risks in the design and redesign processes. Doing so
requires making risk assessments as a continuum as the design process moves forward.
3. A European led drive to have risk assessment be recognized as the cornerstone of an
occupational risk management system is having an impact in the U.S. The move has led
OSHA, NIOSH, and industry to a more risk-based process.
4. In 2011, the American National Standards Institute (ANSI) approved a petition made by
the American Society of Safety Engineers to adopt four standards on risk management
developed by ISO (the International Organization for Standardization). One of those
standards (ISO 31010) known as ANSI/ASSE Z690.3, Risk Assessment Techniques is
receiving broad attention in the OSH profession.
5. Sustainability and resilience of business has emerged as a major corporate endeavor.
Risk management is fundamental to a sustainable and resilient enterprise, in that it is a
continual improvement process used by an organization to achieve its objectives through
assessing uncertainty and lowering risk to acceptable levels.
6. In 2010, the Bureau of Ocean Energy Management Regulation and Enforcement
(BOEMRE), a federal government agency, adopted a mandatory standard that combines
safety and environmental risk management within one management system.
7. An ANSI standard on Prevention through Design was adopted on September 1, 2011. A
substantial portion of the standard is devoted to hazard analysis and risk assessment in the
design and redesign phase. Educators are developing new courses related to Prevention
through Design and new risk assessment tools. Plans for revision of the standard are
underway.
8. Organizations are moving from program-based safety and health methods to a more
management systems approach. With the ANSI Z10 standard, and a new ISO 45001
Occupational Health and Safety Management standard expected, employers have come to
realize that occupational safety and health and risk management are an integral part of
sustainable business practices.
9. Recent research shows that risk assessment can be successfully implemented in daily
operations and long-term planning.
10. Many industries have applied Lean Concepts to reduce waste, improve efficiency, and
lower production costs. Lean Six Sigma concepts and risk assessment tools can be
applied in the OSH profession.
11. For many years, businesses have been operating with tight budgets and continuously
seeking ways to reduce costs, among which are accident/incident costs. Risk-based
decision making has become more prevalent in organizations and is requiring greater use
of tools that assess and manage risk, analyze costs and determine benefits of
interventions.
12. In June 2013, the American Society of Safety Engineers (ASSE) recognized the
significance of risk assessment by launching its Risk Assessment Institute, a gateway for
members of the society to develop new risk assessment core competencies.
13. In 2015, ASSE initiated the Risk Assessment Certificate program which has received
heavy demand by OSH professionals.
14. The significance of risk assessment is evidenced in the number of published peer-reviewed articles on the subject. As of September, 2017, a search for articles on the
subject of risk assessment found in the ASSE Professional Safety Archives reveals 155
articles since the year 2000.
Of special note is the development of ASSE’s Risk Assessment Institute. In 2012, officers
of ASSE recognized a need for OSH professionals to develop greater skills in risk assessment
fundamentals. The increasing number of safety-related standards and guidelines requiring risk
assessment made it evident that ASSE should provide its members with educational
opportunities through which the necessary skills could be acquired (Manuele, 2016). The Risk
Assessment committee was formed in 2013 and its members continue to develop and collect
literature, videos, webinars and other materials that could be used by OSH risk professionals.
The success of the Risk Assessment Certificate program which includes over 500 certificate
recipients as of November 2016 continues to grow. An international outreach is also taking
place with the program being extended to OSH risk professionals worldwide, as well as a more
advanced certificate program being considered. This development is significant in that
awareness has developed among leaders of such a technical organization with an international
scope. As Fred Manuele proclaims, ‘this is an important step forward for the practice of safety.’
(Manuele, 2016). The Risk Assessment Institute website can be accessed at
http://www.oshrisk.org/.
To summarize, operational risk assessments are becoming a requirement within many
countries, branches of the military and certain industries such as atomic energy, chemical
operations and pharmaceuticals. Considering these developments, and the need for organizations
to compete on a more global basis, it is anticipated that requirements for risk assessment will
continue to grow, both in the U.S., and worldwide.
MANUAL CONTENTS
For the OSH risk professional, this manual is intended to provide instructive guidance in
selecting, modifying, and applying fundamental risk management tools and Prevention through
Design concepts. It is divided into three parts: Part I – The Risk Management Methods and
Tools contains instructional steps for common risk management tools used by safety
professionals; Part II – STRATEGIES FOR SELECTING, MODIFYING AND COMBINING RISK
MANAGEMENT METHODS provides strategies used to select, customize, optimize and combine
methods to provide the risk-based information needed by the safety professional; and Part III –
PRACTICAL EXAMPLES AND CASE STUDIES OF RISK MANAGEMENT METHODS AND
TOOLS from the field are used to help demonstrate the use of tools. Part I is organized in
accordance with the Risk Management Process elements identified in the ANSI/ASSE Z690.2-2011 Risk Management Standard (adopted from ISO 31000:2009) shown in Figure 1.2. Note:
For the purposes of this manual, the authors use ISO 31000 when referring to ISO
31000:2009/ANSI/ASSE Z690.2–2011 Risk Management Standard, and ISO 31010 when
referring to ISO 31010:2009/ANSI/ASSE Z690.3-2011, Risk Assessment Techniques.
[Figure 1.2 elements. Process (clause 5): Communication and consultation (5.2); Establishing the context (5.3); Risk identification (5.4.2); Risk analysis (5.4.3); Risk evaluation (5.4.4); Risk treatment (5.5); Monitoring and review (5.6).]
Figure 1.2, ISO 31000 Risk Management Process reprinted with permission (Courtesy of the
American Society of Safety Engineers)
Within each process step, select tools and methods commonly used by OSH risk
professionals are presented and discussed as shown in Figure 1.3. Many other methods are
available as indicated in ANSI/ASSE Z690.3 – 2011 Risk Assessment Techniques standard
(adopted from ISO 31010:2009), and should be considered where appropriate.
[Figure 1.3 elements. Process (clause 5): Communication and consultation (5.2); Establishing the context (5.3); Risk identification (5.4.2); Risk analysis (5.4.3); Risk evaluation (5.4.4); Risk treatment (5.5); Monitoring and review (5.6). Tool groups shown in the figure:]
Risk Communication, Plan-Do-Check-Act Model, Risk-based Decision Making, Risk Assessment Triggers
Establishing Context: Risk Criteria, Risk Scoring System, Pareto Analysis, Risk Assessment Matrix
Risk Identification: Brainstorming, Checklists, Delphi Technique, Design Safety Review, Hazard Identification (HAZID), Nominal Group Technique
Risk Analysis: Bow Tie Analysis, Event tree, Fault tree, Failure Mode and Effects Analysis (FMEA), Hazard and Operability Study (HAZOP), Job Risk Assessment (JRA), Layers of Protection Analysis (LOPA), Preliminary Hazard Analysis, Striped Bow Tie Risk Assessment, Structured What-if Technique (SWIFT)
Risk Evaluation: As Low As Reasonably Practicable (ALARP), Risk Heat Map, Risk Indices
Risk Treatment: Business Impact Analysis, Cost/Benefit Analysis, Nonfinancial Benefits Analysis, Hierarchy of Controls, Multi-Criteria Analysis
Monitoring and Review: Key Performance Indicators (KPI), Key Risk Indicators (KRI), Risk Treatment Tracking, Risk Performance Measurement, Risk Register
Figure 1.3, The ISO 31000 Risk Management Process with associated tools adapted and
reprinted with permission (Courtesy of the American Society of Safety Engineers)
RISK MANAGEMENT - PRINCIPLES, FRAMEWORK AND PROCESS
Internal and external factors that create uncertainty for organizations can also prevent the
achievement of certain business objectives. This effect of uncertainty to an organization’s
objectives is referred to as ‘risk’ (ANSI Z690.2, 2011). Without a clear picture of the risks
facing an organization, it is difficult to make informed decisions on objectives, and the degree of
risk the organization is willing to ‘assume in pursuit of those objectives’ (ANSI Z690.2, 2011).
Therefore, it is vital that organizations incorporate and integrate a process of managing
operational risk within the overall management system. Such systems should encompass
strategies for risk assessment and management planning, risk-based decision making,
establishing accountabilities, managing and measuring activities, reporting and recording, and
risk communication with stakeholders.
The ISO 31000:2009 Risk Management standard provides organizations the principles,
framework and process for managing risk. The authors, as members of the U.S. Technical
Advisory Group for ISO 31000, developed the graphic shown in Figure 1.4 to depict the
relationship of these elements. These principles, framework and process elements provide a
standardized approach to managing risk and should be studied by those responsible for managing
operational risk. For OSH risk professionals, these fundamentals provide a blueprint in assessing
and managing operational risks, and are the foundation of the material presented in this manual.
[Figure 1.4 elements:]
Principles (clause 3): a) Value creation and protection; b) Integration; c) Structured; d) Customized; e) Inclusive; f) Best available information; g) Human and cultural factors; h) Continual improvement
Framework (clause 4): Leadership and commitment (4.2); Design (4.3); Implementation (4.4); Evaluation (4.5); Improvement (4.6)
Process (clause 5): Communication and consultation (5.2); Establishing the context (5.3); Risk identification (5.4.2); Risk analysis (5.4.3); Risk evaluation (5.4.4); Risk treatment (5.5); Monitoring and review (5.6)
Figure 1.4, Risk Management Principles, Framework and Process Relationship developed by the
authors – adapted from ISO 31000
Risk is managed within an organization to achieve its objectives. This is the primary purpose
of managing risk. If objectives are not met, the organization is at risk of losing market share and
value, failing to compete, downsizing or going out of business. Uncertainty of risks can be a
significant obstacle to the achievement of certain objectives. To succeed and grow, organizations
must be able to reduce uncertainty that impedes decision making and be in a position to
successfully achieve their business objectives. This requires sound risk management.
Principles
The relationships that exist between the principles, framework and process of risk
management are illustrated in Figure 1.3. The principles (clause 4) are the foundation on which
the framework (clause 5) and process (clause 6) are built as described in the ISO 31000 standard.
Both the framework and process are constructed in a plan-do-check-act (PDCA) model for
continual improvement, one of the principles cited in clause 4.
The eight (8) principles identified in the standard help communicate the intention and
purpose of risk management, and enable an organization to manage risk more successfully and
meet its objectives (ANSI Z690.2, 2011). The principles are briefly described in the following:
a) Value creation and protection - Value is created and protected through an
organization’s ability to innovate, continually improve performance, and achieve
objectives.
b) Integration - Integration of risk management into all activities and decision making
requires a coordinated effort from stakeholders in the organization to ensure risk is
considered in decisions and actions at all levels.
c) Structured - A structured, systematic approach to managing risk helps ensure a
more efficient, consistent, reliable and repeatable process, which is vital.
d) Customized - The ability to modify and customize the framework and process
elements to suit an organization, its culture and structure, internal and external
factors is important to the effectiveness of risk management.
e) Inclusive - Inclusiveness of stakeholders in risk management ensures ownership and
allows for better risk-informed decisions to be made.
f) Best available information - Incorporating the best available information into the
process of managing risk enables decision makers to better anticipate and take
proper action.
g) Human and cultural factors - Human behavior as well as the organization’s values,
perceptions, beliefs, attitudes, intentions and capabilities influence risk management
at all levels.
h) Continual improvement - Management of risk should facilitate continual
improvement through organizational performance, continued learning and
experience.
Finally, risk management should be fluid, dynamic and responsive in managing new
emerging or changing risks as well as existing risks that an organization encounters.
Framework
A risk management framework, based on the aforementioned principles, exists to provide
organizational structure for leadership, process design, implementation and monitoring,
evaluation and continual improvement of the risk management process. It assists an organization
in the integration of risk management into all activities, decisions and actions.
Leadership and Commitment - As with all management system structures the most critical
elements to the framework are leadership and commitment – without which the remaining
elements are ineffective. An organization’s genuine commitment and leadership are central to
the framework and can be demonstrated by an organization through some of the following
actions:
- establishment of defined policies for risk management which are aligned with the
organization’s culture;
- determination of key performance indicators;
- alignment of risk management objectives with the organization’s objectives;
- consideration of regulatory, legal and voluntary obligations;
- assignment of authority, responsibilities and accountabilities within the
organization;
- allocation of necessary resources for risk management;
- effective communication with the organization and its stakeholders on the value of
risk management;
- assessment of progress in the achievement of risk management objectives.
Design – To begin, the organization should gain understanding of its external and internal
context. This may include evaluation of the political, legal, social, regulatory, financial,
technological and competitive environment the organization operates within. Other factors may
include relationships with external stakeholders, their perceptions, expectations and values,
contractual agreements, or other factors that affect the organization’s objectives. Internal context
may include the organization’s own structure, overall vision, mission, and objectives, culture,
management system, as well as the perceptions and values of internal stakeholders.
Once an understanding of the organization and its context is established, leadership should
clearly define and communicate a risk management policy. The policy should include the
organization’s philosophy and reasoning, linkage to objectives, responsibilities and
accountabilities throughout the organization, commitment of resources, measurement of
performance, communication with stakeholders, and commitment to continual improvement.
The policy should be effectively communicated with internal and external stakeholders as
appropriate.
Assignment of roles, responsibilities and authorities for risk management duties for all
levels of the organization should be made and communicated. Those given responsibilities
should also be provided adequate education, training and resources to enable them to perform
their risk management tasks successfully.
Integration of risk management into all organizational decisions and actions should be
designed into the framework. As part of the decision-making process, management should
consciously take into account the potential risks of any decision made to determine whether the
risks are acceptable.
Methods for effective communication of risk management should be established within the
organization. Management should ensure that risk-based information and feedback are
exchanged with internal and external stakeholders as appropriate on a timely basis.
An implementation strategy for the risk management framework should be developed to
ensure affected stakeholders clearly understand the timing, method, and meanings to be
employed. Communication throughout the implementation process is crucial.
Once implemented, an evaluation process should be established. The process should be
objective and consistent to provide the organization accurate data. Periodic measurement of key
performance indicators (KPIs) and key risk indicators (KRIs) should be made and compared to
the initial baseline, with the results communicated to stakeholders.
Improvement - As the organization operates and adapts to its operating environment, there
is often a need to make modifications and improvements. The framework should be
designed to adapt to any changes in the organization and continually improve. This requires
monitoring the internal and external factors affecting objectives, and the use of feedback,
auditing, observations and other means of gathering information. Identified gaps, weaknesses, as
well as improvements should be acknowledged, addressed and incorporated into action plans to
further the overall improvement and maturity of the organization’s risk management.
Process
The risk management process is the systematic application of policies, procedures and
practices for activities involving communication, establishing context, assessing risk
(identifying, analyzing and evaluating risk), treating risk, monitoring and reviewing, and
reporting and recording. Each of these process elements along with select tools and methods will
be covered in the balance of this manual.
PREVENTION THROUGH DESIGN
In this manual, the concept of prevention through design (PtD) is woven into the concepts,
elements and tools of the risk management process. The authors believe that it is vitally
important to consider managing risk from the beginning stages of design throughout the system’s
life span to decommission and disposal. This is a relatively new concept that OSH risk
professionals and some organizations are beginning to explore and champion.
To put into the proper context, the ANSI Z590.3-2011 (R2016) Prevention through Design
standard is written to address occupational safety and health risks over the entire life cycle of a
system. This more pinpointed focus aligns with OSH risk professionals’ roles in assessing and
managing workplace exposures. The ISO 31000 standards, on the other hand, are written from a
much broader perspective and designed to address all types of risks including those that have
negative and/or positive consequences with the ultimate purpose of reducing uncertainty and
enabling an organization to achieve its objectives. Therefore, ISO 31000 provides the risk
management platform that the risk assessment and Prevention through Design process operates
within, as illustrated in Figure 1.5.
Figure 1.5, Relationship between ISO 31000 and ANSI Z590.3
The Beginnings of Prevention through Design
In 1994, a Position Paper was released by the American Society of Safety Engineers
(ASSE) to promote the relatively new concept of “Designing For Safety”. A year later, the
National Safety Council established the Institute for Safety through Design which was formed to
advance the integration of hazard analysis and risk assessment into the design stage. Some of this
work led to the 2007 launch of the Prevention through Design (PtD) initiative by the National
Institute for Occupational Safety and Health (NIOSH). The research developed through the
Institute, the National Safety Council and NIOSH helped pave the way for the Prevention
through Design concepts now used (Popov, Lyon, Hollcroft, 2016).
In 2009, the Technical Report ASSE TR-Z790.001-2009 Prevention through Design Guidelines for Addressing Occupational Risks in Design and Redesign Processes was released.
Shortly after, the ANSI/ASSE Z590.3-2011 Prevention through Design – Guidelines for
Addressing Occupational Hazards and Risks in Design and Redesign Processes standard was
released. This standard, developed to provide consistent procedures for addressing occupational
hazards and risks in the design and redesign processes, is considered foundational to the practice
of safety, and was reaffirmed in 2016.
PtD Concepts and Application
ANSI/ASSE Z590.3-2011(R2016) is the first standard to address risk assessment in the
design and redesign phase. It provides a framework for implementing risk assessment concepts
within the various phases of a system’s life span including conception, design, redesign,
construction, manufacture, use, maintenance, decommission and disposal. ANSI/ASSE Z590.3-2011(R2016) defines prevention through design as follows:
Prevention through Design. Addressing occupational safety and health needs in the
design and redesign process to prevent or minimize the work-related hazards and
risks associated with the construction, manufacture, use, maintenance, retrofitting,
and disposal of facilities, processes, materials, and equipment. (ANSI/ASSE Z590.3-2011(R2016))
The stated goals of Z590.3 are to 1) achieve acceptable risk levels, 2) prevent or reduce
risks that produce injuries and illnesses, and 3) reduce the need for retrofitting to address hazards
and risks not addressed in the design or redesign phases. The PtD standard is based on the risk
reduction hierarchy of controls concept shown in Figure 1.6 that theorizes the most effective and
reliable controls come from higher level measures which are avoidance, elimination, substitution
and reduction of hazard through proper design of the system. This concept also promotes cost
efficiency in controlling hazards and risks. Fundamentally, and practically, it makes the most
sense to avoid a problem rather than allow it to exist and try to manage it. This is the concept of
prevention through design. (Popov, Lyon, Hollcroft, 2016)
Most Preferred
Risk Avoidance: Prevent entry of hazards into a workplace by selecting and incorporating appropriate technology and work methods criteria during the design processes.
Eliminate: Eliminate workplace and work methods risks that have been discovered.
Substitution: Reduce risks by substituting less hazardous methods or materials.
Engineering Controls: Incorporate engineering controls/safety devices.
Warning: Provide warning systems.
Administrative Controls: Apply administrative controls (the organization of work, training, scheduling, supervision, etc.).
Personal Protective Equipment: Provide Personal Protective Equipment (PPE).
Least Preferred
Figure 1.6. Risk Reduction Hierarchy of Controls reprinted with permission from ANSI/ASSE
Z590.3-2011(R2016) (Courtesy of the American Society of Safety Engineers)
PtD concepts can be applied in any occupational setting and at various stages of a system’s
life. There are four major stages identified in Z590.3 which are:
1. Pre-operational – conceptual, initial planning, design, specification, prototyping,
construction phases which offer the greatest degree of control and lowest costs.
2. Operational – production, maintenance, redesign, modification, addition, and other
activities related to the operational phase of a system. Hazards and risk are identified and
evaluated with control measures taken through redesign initiatives or work method
changes before incidents occur.
3. Post-incident – following incidents such as injuries, illnesses, fatalities, property damage,
equipment failure, product failure, non-injury incidents and other unwanted events.
Investigations and analysis of causal factors to determine appropriate interventions to
reduce recurrence or control similar exposures to an acceptable risk level.
4. Post-operational – end of life, decommission, reuse, demolition, and/or disposal of a
system. Hazards and risk are identified/anticipated and evaluated with control measures
taken through redesign initiatives or work method changes before incidents occur.
Management Policy and Responsibilities
Similar to ISO 31000, the PtD standard outlines requirements for establishing policy, and
assigning roles and responsibilities for carrying out prevention through design. Management
should begin with defining a policy and implementing a process to incorporate risk reduction in
the design and redesign processes. The standard states that the policy and process should be
designed to include the following:
• Hazards should be anticipated, identified, and evaluated to avoid, eliminate or
substitute less hazardous components.
• A consistent hazard analysis and risk assessment process should be implemented to
address identified hazards.
• Hazards and their risks should be reduced using the risk reduction hierarchy of
controls approach to achieve acceptable risk levels.
• The risk assessment process should include knowledgeable, skilled stakeholders
close to the hazards and risks.
• The process should be monitored by stakeholders for effectiveness and continual
improvement.
• Systems for recording and reporting results during design reviews should be used.
Responsibilities should be defined within the organization to address opportunities to
prevent or reduce risk when: 1) new facilities, processes, equipment, technologies, and materials
are planned, designed, acquired, or installed; 2) changes or additions are planned for existing
facilities, processes, equipment, technologies, or materials; 3) during incident investigations and
selection of corrective actions; and 4) when demolition, decommissioning or reusing/rebuilding
operations are planned.
The organization should establish and communicate to stakeholders its acceptable risk
levels and goal to achieve such levels during conceptual design and redesign phases. Acceptable
risk levels should be the basis for an organization’s overall occupational safety and health goals
and objectives. For hazards that cannot be totally avoided or eliminated during design, the
organization should establish ‘acceptable risk targets’ that assist in the design and selection of
risk control alternatives.
The organization’s established policies and procedures should ensure the design process
incorporates input from affected stakeholders including designers and engineering, procurement,
quality, legal, risk management, safety and health, maintenance, supervisors, operations
personnel, as appropriate. The organization should ensure that personnel skilled and experienced in performing risk
assessments are utilized in the design process. The standard
also calls for communication plans that include design safety specifications, use of risk
assessment and risk-based decision making as part of the prevention through design process.
Relationships with Suppliers
A unique component of the Z590.3 standard is the inclusion of measures for affected
contractors, suppliers and vendors involved in new designs, equipment, and construction,
changes in processes, materials and technology. Many catastrophic incidents have occurred as a
result of outside contractors and suppliers that were not properly managed by the organization.
Some of these requirements stated in the standard which should be considered by the
organization include:
• communication with suppliers, engineers, and contractors to reach agreement on
expectations related to their management of risk through designs, methods,
technologies and materials;
• written safety and health performance specifications in procurement documents,
purchase orders and contracts;
• use of risk assessment to achieve an acceptable risk level;
• inspections and test protocols during factory acceptance, site acceptance, and/or
commissioning;
• visits to suppliers to verify safety specifications are met prior to purchase/delivery; and
• procedures for ongoing testing and maintenance of systems.
Design Safety Reviews
The greatest opportunity for reducing risk is achieved by anticipating, identifying,
assessing, and controlling risks during the design and redesign phase. This process is sometimes
referred to as a design safety review. The standard includes this important management tool for
integrating safety into the design process and provides guidance on the subject.
A design safety review process is most effective early in the design stage. Top
management should establish the organization’s policies, roles and responsibilities for
conducting design safety reviews. Some of these requirements stated in the standard include:
• A designated design safety review manager or person in charge appointed to
manage the process and coordinate the review.
• A review team consisting of qualified and affected stakeholders designated by
management to perform design safety reviews.
• Policy outlining how, when and to what degree design safety reviews will be
performed including the risk assessment methods used.
• Appropriate safety requirements and specifications incorporated into the design
process.
• Designers held accountable for adhering to established safety specifications in the
design, unless the deviation has been reviewed, approved and documented by
management as meeting acceptable risk levels.
• Procedures requiring a written certification signed by the lead design professional
verifying that the design safety review has been completed.
For further information, Addendum E of ANSI Z590.3 and Chapter 4 of this manual
provide a summary of the safety design review method.
Through the application of PtD concepts, organizations can manage risks much more
effectively and efficiently. Decision makers that understand the value of designing out hazards
rather than working around them will be more successful for their organizations.
PtD Hazard Analysis and Risk Assessment Process
Like the ANSI Z690.2 Risk Management and ANSI Z690.3 Risk Assessment Techniques
standards, Z590.3 addresses the same fundamental steps in risk assessment. However, there are
some important distinctions between the two. The ANSI Z690 standard addresses the
management of all types of risk (including those with positive results as well as those with
negative consequences) in a much broader sense with the purpose of reducing uncertainty and
achieving an organization’s objectives. Z590.3 is focused on the assessment and control of
hazard-derived risks through design and the use of the hierarchy of controls within the lifecycle
of a system to achieve acceptable risk.
The heart of the prevention through design process involves a ‘hazard analysis and risk
assessment’ methodology which closely aligns with the ISO 31000 risk management process
model represented in Figure 1.7. Note that ‘Communication and consultation’ (6.2) and
‘Monitoring and review’ (6.6) in ISO 31000 are connected to and involved with all elements of
the risk management process.
[Figure 1.7 flowchart content:
ISO 31000 process (clause 5): Communication and consultation (5.2); Establishing the context (5.3); Risk identification (5.4.2); Risk analysis (5.4.3); Risk evaluation (5.4.4); Risk treatment (5.5); Monitoring and review (5.6).
ANSI Z590.3: 1) Data gathering – injury and protective data; 2) Set scope or limits of assessment; 3) Develop and charter risk reduction team; 4) Identify task and hazards; 5) Assess risk – initial risk scoring system; 6) Reduce risk – hazard control hierarchy (identify current controls, test/verify current controls, identify new controls); 7) Assess risk – residual risk scoring system; decision: residual risk acceptable? (Yes/No); 8) Results/Documentation; 9) Controls measurement system; 10) New hazard ID. Other boxes: Reevaluate tasks and hazards; Evaluation complete.]
Figure 1.7, Alignment of ISO 31000 and the ANSI/ASSE Z590.3 Risk Assessment Process
Management Direction - As in ISO 31000, the PtD standard emphasizes the importance of
management leadership and direction. Throughout the process, top management must set the
policy and expectations for planned designs and the need to achieve acceptable risk levels. Some
of the policy elements include establishment of the risk assessment matrix and analysis
parameters; implementation of a risk assessment process; application of risk treatment methods
using the hierarchy of controls; risk acceptance decision making; and communication,
documentation and follow-up.
Risk Assessment Matrix – The standard notes that a risk assessment matrix provides a
means of establishing and comparing risk by categorizing combinations of probability of
occurrence and severity of harm. Such matrices are helpful in communicating risk levels and discussing
risk treatment options with decision makers. Each organization should establish a risk
assessment matrix or other validated process that is suitable and agreed upon by the stakeholders.
Analysis Parameters – For each analysis, the parameters and scope should be well defined
including the process, product, project, or task to be analyzed, the context of the analysis,
boundaries and limitations, operating phase, resources, and affected stakeholders.
Hazard Identification – Stakeholders trained in the anticipation and recognition of hazards
and their mitigation are needed in the process. This requires an understanding of technologies,
activities, and characteristics (equipment, technology, processes, materials, chemicals, etc.) or
actions or inactions of people that could result in exposure or unwanted energy release. A
systems approach, treating each hazard independently, as well as their synergistic effects should
be applied with the intent of achieving acceptable risks for all. Special attention should be given
to anticipating and uncovering hidden hazards or hazards that can be later created but not
initially recognized.
Failure Modes – According to the standard, potential failure modes resulting from credible
circumstances that could result in hazardous situations shall be considered, including the
reasonably foreseeable uses and misuses of facilities, materials, and equipment. In addition, any
existing controls should be taken into account as to their effectiveness, reliability and whether
the condition of controls can cause failures, or be easily defeated.
Severity Analysis - The worst credible consequences (defined in Z590 as ‘an incident that
has the potential to occur within the lifetime of the system’) should be considered rather than the
worst conceivable risk (an incident that could occur, but probably will not occur, within a
system’s lifetime). Historical data, past experience and best engineering practices that provide
objective information regarding injuries or illnesses and their severity, property or equipment
values, potential business interruption, environmental damage, or market share loss can be used.
Probability Analysis – Following severity analysis of a hazard, an estimate of the
likelihood or probability of its occurrence should be determined. Occurrence analysis may
include the frequency and duration of exposure, or dose response and exposure assessments, and
is typically related to an interval base such as a unit of time, activity, events, units produced, or
life cycle of a facility, machine, material, process, or product.
Initial Risk – Using the selected risk assessment criteria and matrix to categorize the
hazard’s severity and probability risk levels, the initial risk is evaluated and determined. The
initial risk evaluation should take into account any existing controls for the hazard’s occurrence
or severity.
Risk Reduction and Control Methods – If the initial risk evaluation indicates the risk
requires further risk reduction, the hierarchy of controls model is used to select possible risk
reduction measures. The PtD model lists, in descending order of effectiveness and preference: 1)
risk avoidance, 2) elimination, 3) substitution, 4) engineering controls, 5) warning, 6)
administrative controls, and 7) personal protective equipment. Prioritizing risks for reduction,
and a system to track risk reduction measures for effectiveness should be included in the process.
Residual Risk – Following the risk reduction measures, a second assessment is made to
determine the remaining risk known as ‘residual risk’. If the residual risk is not acceptable,
further risk reduction measures are applied where feasible until the risk is considered acceptable
to the organization. As the standard states, ‘if an acceptable risk level cannot be achieved,
operations shall not continue, except in unusual and emergency circumstances or as a closely
monitored and limited exception circumstance with approval of the person having authority to
accept the risk’.
Risk Acceptance – Based on the organization’s defined ‘acceptable risk levels’, decision
makers will determine whether the risk is acceptable or if further action is required. In certain
situations, higher risks may be tolerated temporarily until risk measures can be implemented.
Documentation – Pertinent information such as details on assessment team, dates, methods,
hazards and risks identified, measures taken to reduce risk, and other related information should
be recorded by the organization conducting the assessment.
Follow Up – Effectiveness and reliability of implemented control measures should be
evaluated to determine if the risk was adequately reduced, that no new hazards were created, or if
additional measures are needed. If it is determined the risk level is not acceptable, or that
unintended consequences were introduced by the control measures, the organization should take
steps to reassess the risk and consider other risk reduction measures.
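The initial risk, risk reduction and residual risk steps described above can be traced in a short script. This is an added example, not part of the manual or of the Z590.3 standard; the 1-4 severity and probability scales, the score bands, the "medium" acceptance level and the sample hazard and controls are constructed assumptions.

```python
from dataclasses import dataclass

# Hierarchy of controls in the order the PtD model lists them, most preferred first.
HIERARCHY = (
    "risk avoidance", "elimination", "substitution", "engineering controls",
    "warning", "administrative controls", "personal protective equipment",
)
# Assumption: four risk levels on a constructed 4x4 matrix; an organization
# would substitute the matrix its stakeholders have agreed on.
LEVELS = ("low", "medium", "serious", "high")


def risk_level(severity: int, probability: int) -> str:
    """Categorize one severity/probability combination (each rated 1..4)."""
    for label, value in (("severity", severity), ("probability", probability)):
        if value not in (1, 2, 3, 4):
            raise ValueError(f"{label} must be 1..4, got {value!r}")
    score = severity * probability
    if score >= 12:
        return "high"
    if score >= 8:
        return "serious"
    if score >= 4:
        return "medium"
    return "low"


@dataclass(frozen=True)
class Control:
    name: str
    tier: str                 # one of HIERARCHY
    severity_cut: int = 0     # constructed estimate of severity reduction
    probability_cut: int = 0  # constructed estimate of probability reduction
    feasible: bool = True

    def __post_init__(self):
        if self.tier not in HIERARCHY:
            raise ValueError(f"unknown hierarchy tier: {self.tier!r}")


def assess(severity, probability, candidates, acceptable="medium"):
    """Initial risk, then controls in hierarchy order, then residual risk.

    severity/probability are the ratings with existing controls already
    taken into account, as the initial risk step requires.
    """
    limit = LEVELS.index(acceptable)
    initial = residual = risk_level(severity, probability)
    applied = []
    ordered = sorted((c for c in candidates if c.feasible),
                     key=lambda c: HIERARCHY.index(c.tier))
    for control in ordered:
        if LEVELS.index(residual) <= limit:
            break  # acceptable risk reached, no further measures needed
        severity = max(1, severity - control.severity_cut)
        probability = max(1, probability - control.probability_cut)
        applied.append(control.name)
        residual = risk_level(severity, probability)  # second assessment
    return {
        "initial": initial,
        "applied": applied,
        "residual": residual,
        # False means the decision goes to the person with authority to
        # accept the risk; operations do not simply continue.
        "acceptable": LEVELS.index(residual) <= limit,
    }


# Constructed sample: solvent vapour exposure during parts cleaning.
SAMPLE_CONTROLS = [
    Control("respirator", "personal protective equipment", probability_cut=1),
    Control("local exhaust ventilation", "engineering controls", probability_cut=1),
    Control("aqueous cleaner", "substitution", severity_cut=2),
    Control("remove cleaning step", "elimination", severity_cut=3, feasible=False),
]

if __name__ == "__main__":
    print(assess(4, 3, SAMPLE_CONTROLS))
    # Only lower-tier controls available: residual risk stays above the limit.
    print(assess(4, 4, SAMPLE_CONTROLS[:1] + [Control("warning sign", "warning",
                                                      probability_cut=1)]))
```

In the first call the substitution alone brings the hazard to an acceptable level, so the lower-tier controls are never reached; in the second, warning and PPE together still leave a "serious" residual risk.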
Hazard Analysis and Risk Assessment Techniques in PtD
Each organization should select and apply risk assessment methods suitable to its needs and
provide training in those methods to stakeholders involved in the process. The Z590.3 standard
identifies eight common techniques for hazard analysis and risk assessment in its Addendum G.
Those methods are:
• Preliminary Hazard Analysis (PHA),
• What-If Analysis,
• Checklist Analysis,
• What-If/Checklist Analysis,
• Hazard and Operability Analysis (HAZOP),
• Failure Mode and Effects Analysis (FMEA),
• Fault Tree Analysis (FTA), and
• Management Oversight and Risk Tree (MORT).
As the standard further suggests, most situations and risks can be adequately assessed using
three primary methods which are the Preliminary Hazard Analysis, What-If/Checklist Analysis,
and Failure Mode and Effects Analysis. In some cases, a combination of techniques is used to
adequately assess and communicate risks to stakeholders.
ANSI/ASSE Z10-2012 (R2017)
A key component of the ANSI Z10 Occupational Health and Safety Management Systems
standard is the requirement that a risk assessment process be established. Similar to other
management system standards, its purpose is to provide a structured, systematic approach that
enables an organization to control its OSH risks and improve performance. Z10 defines a safety
management system as ‘a set of interrelated elements that establish and/or support occupational
health and safety policy and objectives, and mechanisms to achieve those objectives in order to
continually improve occupational health and safety’ (ANSI Z10-2012 (R2017)). In other words,
Z10 directs organizations to manage occupational safety risks as they do other elements in their
business to achieve their objectives.
The ANSI Z10 standard, originally published in 2005, revised in 2012, and reaffirmed in
2017, contains requirements for managing risk through risk assessment, the use of hierarchy of
controls, designing in safety, procurement and management of change. The most recent version
of Z10-2012 (R2017) emphasizes risk assessment in sections 4.2 Assessment and Prioritization,
5.1.1. Risk Assessment, and Appendix F. Risk Assessment (informative). Included in the
Appendix F are several example methods used in risk assessment including brainstorming,
checklists, risk assessment matrix and consequence and probability matrix.
Even though there are numerous methods and variations, all are based on the same
fundamental process: hazard/risk identification, risk analysis and risk evaluation.
A comparison of listed hazard analyses and risk assessment methods in ISO 31010, ANSI
Z590.3 and ANSI Z10 standards is shown in Table 1.1. Of these methods, the checklist method
is the only one listed in all three standards. Several techniques are listed in at least two of these
standards including design reviews, brainstorming, preliminary hazard analysis (PHA), what-if
analysis, hazard and operability studies (HAZOP), failure mode and effects analysis (FMEA),
fault tree analysis, consequence/probability matrix and risk assessment matrix (Lyon, Popov,
2016).
| ISO 31010/ANSI Z690.3-2011 | ANSI Z590.3-R2016 PtD | ANSI Z10-R2017 |
| --- | --- | --- |
| | Design Safety Review | Design Review |
| | Risk Assessment Matrix | Risk Assessment Matrix |
| | Management Oversight and Risk Tree MORT | |
| | What-if / Checklist Analysis | |
| B.1 Brainstorming | | Brainstorming |
| B.2 Structured / Semi Structured Interviews | | |
| B.3 Delphi | | |
| B.4 Checklists | Checklists | Checklists |
| B.5 Preliminary Hazard Analysis | Preliminary Hazard Analysis | |
| B.6 Hazard and Operability Studies | Hazard and Operability Studies | |
| B.7 Hazard Analysis and Critical Control Points (HACCP) | | |
| B.8 Toxicity Assessment | | |
| B.9 Structured What-if Analysis | What-if Analysis | |
| B.10 Scenario Analysis | | |
| B.11 Business Impact Analysis | | |
| B.12 Root Cause Analysis | | |
| B.13 Failure Mode Effects Analysis (FMEA); Failure Mode Effects and Critical Analysis (FMECA) | Failure Mode and Effects Analysis | |
| B.14 Fault Tree Analysis | Fault Tree Analysis | |
| B.15 Event Tree Analysis | | |
| B.16 Cause and Consequence Analysis | | |
| B.17 Cause and Effect Analysis | | |
| B.18 Layers of Protection Analysis | | |
| B.19 Decision Tree Analysis | | |
| B.20 Human Reliability Analysis | | |
| B.21 Bow Tie Analysis | | |
| B.22 Reliability Centered Maintenance | | |
| B.23 Sneak Analysis and Sneak Circuit Analysis | | |
| B.24 Markov Analysis | | |
| B.25 Monte Carlo Simulation | | |
| B.26 Bayesian Statistics and Bayes Nets | | |
| B.27 FN Curves | | |
| B.28 Risk Indices | | |
| B.29 Consequence / Probability Matrix | | Consequence / Probability Matrix |
| B.30 Cost/Benefit Analysis (CBA) | | |
| B.31 Multi-Criteria Decision Analysis | | |
Table 1.1 Comparison of hazard analysis and risk assessment methods listed in ISO 31010,
ANSI Z590.3, and ANSI Z10
SUMMARY
As organizations become more risk-centric, OSH risk professionals will be expected to
have sufficient skills in selecting and applying occupational risk management tools. They will
be expected to understand and apply the hierarchy of controls concept to achieve an acceptable
risk level. Risk elimination and reduction will be incorporated into designs, and throughout a
system’s life span. Knowledge and skill in these concepts as well as a firm understanding of
occupational risk management systems such as ISO 45001 and ANSI Z10 will be required by
organizations. The concepts, tools and case studies in this manual are designed to help prepare
the OSH risk professional for these changing expectations and developing trends.
References
ANSI/ASIS/RIMS RA.1-2015. Risk Assessment. Alexandria, VA: ASIS International and The
Risk and Insurance Management Society, Inc., 2015.
ANSI/ASSE/AIHA Z10-2012 (R2017). American National Standard—Occupational Health and
Safety Management Systems. Fairfax, VA: American Society of Safety Engineers, 2017.
ANSI/ASSE Z590.3-2011 (R2016). Prevention through Design: Guidelines for Addressing
Occupational Hazards and Risks in Design and Redesign Processes. Des Plaines, IL: American
Society of Safety Engineers, 2016.
ANSI/ASSE Z690.1-2011. American National Standard - Vocabulary for Risk Management. Des
Plaines, IL: American Society of Safety Engineers, 2011.
ANSI/ASSE Z690.2-2011. American National Standard – Risk Management Principles and
Guidelines. Des Plaines, IL: American Society of Safety Engineers, 2011.
ANSI/ASSE Z690.3-2011. American National Standard - Risk Assessment Techniques. Des
Plaines, IL: American Society of Safety Engineers, 2011.
ANSI B11.0-2015. Safety of Machinery. Houston, TX: B11 Standards, 2015.
ASSE’s Risk Assessment Institute website (http://www.oshrisk.org/videos/)
BS OHSAS 18001:2007. Occupational health and safety Management systems—Requirements.
London, UK: British Standards Institution (BSI), 2007.
ILO-OSH 2001. Guidelines on occupational safety and health management systems. Geneva,
Switzerland: International Labour Office, 2001.
Main, Bruce W. Risk Assessment: Challenges and Opportunities. Ann Arbor, MI: Design
Safety Engineering, Inc., 2012.
Manuele, Fred A. Advanced Safety Management: Focusing on Z10 and Serious Injury
Prevention. Hoboken, NJ: Wiley, 2008.
MIL-STD-882E. Standard Practice for System Safety. Washington, DC: Department of Defense,
2012.
OSHA. (2003). Voluntary protection programs: Policies and procedures manual. Washington,
DC: U.S. Department of Labor, Author. Retrieved from www.osha.gov/OshDoc/Directive_pdf/CSP_03-01-003.pdf
Popov, G., Lyon, B., Hollcroft, B. Risk Assessment: A Practical Guide to Assessing Operational
Risks. Hoboken, NJ: Wiley, 2016.
Risk Assessments – Top 10 Pitfalls & Tips for Improvement, Bruce K. Lyon and Bruce Hollcroft,
Professional Safety, December 2012, American Society of Safety Engineers.
The Art of Assessing Risk – Selecting, Modifying and Combining Methods to Assess Operational
Risks, Bruce K. Lyon and Georgi Popov, Professional Safety, March 2016, American Society of
Safety Engineers.
The Institutes, Quadrants of Risk: Hazard, Operational, Financial, and Strategic. Retrieved
from https://www.theinstitutes.org/comet/programs/arm/assets/arm54-chapter.pdf
The Risk Management Society (RIMS), What is ERM? Retrieved from
https://www.rims.org/resources/ERM/Pages/WhatisERM.aspx
Risk Management Tools for Safety
Professionals – Part I, Chapter 1
RISK MANAGEMENT METHODS AND TOOLS
Chapter 1 – Risk Management and Prevention through Design
Authors: Bruce K. Lyon, P.E., CSP, ARM, CHMM
Georgi Popov, Ph.D., CSP, QEP, SMS, ARM, CMC
Chapter 1: INTRODUCTION
• The safety profession has evolved and experienced significant change during the past
40 years. Prior to the United States (U.S.) Occupational Safety and Health Act, work-related injuries and illnesses were common and viewed as the norm among many
organizations. Amputations, respiratory problems and hearing loss, ergonomics-related disabilities and even fatalities were accepted as a part of doing business. The
role of safety was basically non-existent. In 1970, the enactment of the OSH Act
created a demand for occupational safety and health (OSH) professionals to help
organizations comply with the many newly implemented workplace safety and health
regulations. The OSHA regulations provided a foundation for worker protection and
greatly defined the OSH professionals’ role for decades. However, a transformation is
underway within the profession.
• Once confined to traditional and often reactionary activities such as regulatory
compliance, accident investigation and reporting, safety programs development,
safety training, worksite inspections, and safety equipment selection, OSH
professionals are beginning to engage in more proactive, risk-based practices.
Chapter 1: The Sources of Risk
• Risk is described as the effect of uncertainty by the ISO 31000:2009 Risk
Management Standard (adopted by ANSI/ASSE Z690.2 in 2011). As the
role of the OSH professional continues to evolve, it is important to
recognize the different sources of risk, and their relationship and effects
upon an organization.
• The American Institute For Chartered Property Casualty Underwriters
known as ‘The Institutes’ refers to these risk source categories as the ‘risk
quadrants’ (The Institutes, 2017). The risk quadrants are known as
operational risk, hazard risk, financial risk and strategic risk.
Chapter 1: The Sources of Risk
• Operational risks and hazard risks are
considered ‘pure’ risks – those that can
only result in loss or negative
outcomes – and are the primary risks
that OSH professionals manage or
control. Financial and strategic risks
are ‘speculative’ risks which have the
possibility of either a positive or
negative outcome. ‘Pure’ risks are
typically insurable since they only
involve the chance of loss while
‘speculative’ risks are not. Figure 1.1
represents the four quadrants of risk.
[Figure 1.1 quadrant diagram. Pure Risk: Hazard Risk, Operational Risk. Speculative Risk: Financial Risk, Strategic Risk.]
Figure 1.1, The Four Quadrants of Risk
Chapter 1: The Sources of Risk
• In the course materials for the Associate in Risk Management (ARM) designation,
The Institutes describe the ‘risk quadrants’ as follows:
• Hazard Risk - Risks that are derived from property, liability, or personnel loss
exposures and are generally insurable.
• Operational Risk – Risks that are derived from people or a failure in processes,
systems, or controls including information technology (IT) related exposures.
Both hazard and operational risks are closely aligned and interrelated, and are
often managed as such.
• Financial Risk – Risks derived from the effect of market forces or financial assets
or liabilities and include market risk, credit risk, liquidity risk, and price risk.
• Strategic Risk – Risks derived from trends in the economy and society, including
changes in economic, political, and competitive environments, as well as from
demographic shifts.
• Risk sources have the potential of falling into more than one category or
quadrant, and can also impact other types of risks within an organization
– causing a cascade effect.
• For instance, a product release or spill initially affects the operational
aspect of the organization as a loss of product and temporary business
interruption risk.
• If the product is hazardous, the operational risk turns into a safety, health
and environmental risk – a hazard risk. And depending upon the scale
and severity of the operational and hazard risks, the event may lead to
significant financial loss - a financial risk - and possibly damage the
organization’s reputation – a strategic risk.
• Enterprise Risk Management (“ERM”) is a strategic business discipline that
supports the achievement of an organization’s objectives by addressing the
full spectrum of its risks and managing the combined impact of those risks
as an interrelated risk portfolio (RIMS, 2017).
• Organizations seek to manage risk exposures across all parts of their
business so that, at any given time, they incur just enough of the right kinds
of risk—no more, no less—to effectively pursue strategic goals (COSO,
2012). The OSH professional is trained to look at hazards and risks
associated with operational activities that produce negative consequences.
• Businesses must balance both the negative risks as well as the
opportunities and positive risks they face.
• Interdependencies and Synergistic Effects
• ERM risks are interdependent.
• Key interdependencies exist between hazard risks, operational risk, financial risk,
and strategic risk.
• Each of these major interdependent categories is comprised of sub-risk
categories. In addition, the synergistic effect of risk exposures could pose greater
risk than the sum of individual hazards and risks.
• The regulatory fines related to OSH risks may be considered acceptable from a
financial perspective, but may not be acceptable from an ERM perspective due
to strategic risk and potential reputational damage. Such risks may be
misunderstood or underestimated. For instance, OSH risk may lead to financial
losses, operational interruptions, and regulatory issues if the function is not
properly integrated into the ERM process.
• Improperly managed OSH risks may lead to operations being shut down due to
incident investigations, resulting in financial losses, failure to fulfil orders,
increased insurance premiums and reputational damage.
• Unfortunately, a considerable number of organizations use different systems
and methodologies to manage different risks.
• The OSH function may utilize risk assessment and risk management
methodologies that are not familiar to business managers.
• OSH managers may not be fully familiar with business risk assessment and
risk management practices and tools.
• Hence, the need for integration.
• Benefits of OSH Function and ERM Integration
• ERM requires an integrated risk organization. While many companies now
have a Chief Risk Officer (CRO), they are often aligned to financial or
internal audit functions far removed from operational and strategic risk
domains where OSH professionals feel comfortable.
• This progression from OSH risk to Operational, Financial, Business and
Strategic risk offers the OSH professionals the opportunity to integrate OSH
risk management into the ERM process.
• Risk Management and the OSH Professional
• In an effort to better prepare for the changes occurring in the profession,
this manual provides guidance for selecting, modifying and combining risk
management methods and tools.
• It is largely shaped by significant events in recent years that give greater
prominence to risk assessment and the risk management process.
• Review Chapter 1 for details.
• MANUAL CONTENTS
• For the OSH risk professional, this manual is intended to provide instructive
guidance in selecting, modifying, and applying fundamental risk management
tools and Prevention through Design concepts.
• It is divided into three parts:
• Part I – The Risk Management Methods and Tools contains instructional steps for
common risk management tools used by safety professionals;
• Part II – STRATEGIES FOR SELECTING, MODIFYING AND COMBINING RISK
MANAGEMENT METHODS provides strategies used to select, customize, optimize
and combine methods to provide the risk-based information needed by the safety
professional; and
• Part III – PRACTICAL EXAMPLES AND CASE STUDIES OF RISK MANAGEMENT
METHODS AND TOOLS from the field are used to help demonstrate the use of
tools.
• Note: For the purposes of this manual, the authors use ISO 31000 when
referring to ISO 31000:2009/ANSI/ASSE Z690.2–2011 Risk Management Standard,
and ISO 31010 when referring to ISO 31010:2009/ANSI/ASSE Z690.3-2011, Risk
Assessment Techniques.
Figure 1.2, ISO 31000 Risk Management Process reprinted with permission
(Courtesy of the American Society of Safety Professionals (ASSP))
Process (clause 5): Communication and consultation (5.2); Establishing the
context (5.3); Risk identification (5.4.2); Risk analysis (5.4.3); Risk
evaluation (5.4.4); Risk treatment (5.5); Monitoring and review (5.6)
• Within each process step, select tools and methods commonly used by OSH risk
professionals are presented and discussed as shown in Figure 1.3. Many other
methods are available as indicated in ANSI/ASSE Z690.3 – 2011 Risk Assessment
Techniques standard (adopted from ISO 31010:2009), and should be considered
where appropriate.
Figure 1.3, The ISO 31000 Risk Management Process with associated
tools adapted and reprinted with permission (Courtesy of the ASSP)
Process (clause 5): Communication and consultation (5.2); Establishing the
context (5.3); Risk identification (5.4.2); Risk analysis (5.4.3); Risk
evaluation (5.4.4); Risk treatment (5.5); Monitoring and review (5.6)
Risk Communication
➢ Plan-Do-Check-Act Model
➢ Risk-based Decision Making
➢ Risk Assessment Triggers
Establishing Context
➢ Risk Criteria
➢ Risk Scoring System
➢ Pareto Analysis
➢ Risk Assessment Matrix
Risk Identification
➢ Brainstorming
➢ Checklists
➢ Delphi Technique
➢ Design Safety Review
➢ Hazard Identification (HAZID)
➢ Nominal Group Technique
Risk Analysis
➢ Bow Tie Analysis
➢ Event tree
➢ Fault tree
➢ Failure Mode and Effects Analysis (FMEA)
➢ Hazard and Operability Study (HAZOP)
➢ Job Risk Assessment (JRA)
➢ Layers of Protection Analysis (LOPA)
➢ Preliminary Hazard Analysis
➢ Striped Bow Tie Risk Assessment
➢ Structured What-if Technique (SWIFT)
Risk Evaluation
➢ As Low As Reasonably Practicable (ALARP)
➢ Risk Heat Map
➢ Risk Indices
Risk Treatment
➢ Business Impact Analysis
➢ Cost/Benefit Analysis
➢ Nonfinancial Benefits Analysis
➢ Hierarchy of Controls
➢ Multi-Criteria Analysis
Monitoring and Review
➢ Key Performance Indicators (KPI)
➢ Key Risk Indicators (KRI)
➢ Risk Treatment Tracking
➢ Risk Performance Measurement
➢ Risk Register
• RISK MANAGEMENT - PRINCIPLES, FRAMEWORK AND PROCESS
• Internal and external factors that create uncertainty for organizations can also
prevent the achievement of certain business objectives. This effect of uncertainty
on an organization’s objectives is referred to as ‘risk’ (ANSI Z690.2, 2011).
• Without a clear picture of the risks facing an organization, it is difficult to make
informed decisions on objectives, and the degree of risk the organization is willing
to ‘assume in pursuit of those objectives’ (ANSI Z690.2, 2011).
• It is vital that organizations incorporate and integrate a process of managing
operational risk within the overall management system. Such systems should
encompass strategies for risk assessment and management planning, risk-based
decision making, establishing accountabilities, managing and measuring
activities, reporting and recording, and risk communication with stakeholders.
• RISK MANAGEMENT - PRINCIPLES, FRAMEWORK AND PROCESS
• The ISO 31000:2009 Risk Management standard provides organizations the
principles, framework and process for managing risk.
Figure 1.4, Risk Management Principles, Framework and Process Relationship
developed by the authors – adapted from ISO 31000
Principles (clause 3)
a) Value creation and protection
b) Integration
c) Structured
d) Customized
e) Inclusive
f) Best available information
g) Human and cultural factors
h) Continual improvement
Framework (clause 4): Leadership and commitment (4.2); Design (4.3);
Implementation (4.4); Evaluation (4.5); Improvement (4.6)
Process (clause 5): Communication and consultation (5.2); Establishing the
context (5.3); Risk identification (5.4.2); Risk analysis (5.4.3); Risk
evaluation (5.4.4); Risk treatment (5.5); Monitoring and review (5.6)
• Principles
• The relationships that exist between the principles, framework and process
of risk management are illustrated in Figure 1.3. The principles (clause 4)
are the foundation on which the framework (clause 5) and process (clause
6) are built as described in the ISO 31000 standard. Both the framework
and process are constructed in a plan-do-check-act (PDCA) model for
continual improvement, one of the principles cited in clause 4.
• Review Chapter 1 for further details
• Framework
• A risk management framework, based on the aforementioned principles,
exists to provide organizational structure for:
➢leadership,
➢process design,
➢implementation and
➢monitoring, evaluation and continual improvement of the risk management process.
• It assists an organization in the integration of risk management into all
activities, decisions and actions.
• PREVENTION THROUGH DESIGN
• In this manual, the concept of prevention through design (PtD) is woven
into the concepts, elements and tools of the risk management process.
• The authors believe that it is vitally important to consider managing risk
from the beginning stages of design throughout the system’s life span to
decommission and disposal.
• This is a relatively new concept that OSH risk professionals and some
organizations are beginning to explore and champion.
Figure 1.5, Relationship between ISO 31000 and ANSI Z590.3
• To put into the proper context, the
ANSI Z590.3-2011 (R2016) Prevention
through Design standard is written to
address occupational safety and
health risks over the entire life cycle
of a system.
• This more pinpointed focus aligns
with OSH risk professionals’ roles in
assessing and managing workplace
exposures.
• The ISO 31000 standards, on the other
hand, are written from a much
broader perspective and designed to
address all types of risks including
those that have negative and/or
positive consequences with the
ultimate purpose of reducing
uncertainty and enabling an
organization to achieve its objectives.
• PtD Concepts and Application
• ANSI/ASSE Z590.3-2011(R2016) is the first standard to address risk
assessment in the design and redesign phase. It provides a framework for
implementing risk assessment concepts within the various phases of a
system’s life span including conception, design, redesign, construction,
manufacture, use, maintenance, decommission and disposal. ANSI/ASSE
Z590.3-2011(R2016) defines prevention through design as follows:
• Prevention through Design. Addressing occupational safety and health
needs in the design and redesign process to prevent or minimize the
work-related hazards and risks associated with the construction, manufacture,
use, maintenance, retrofitting, and disposal of facilities, processes,
materials, and equipment. (ANSI/ASSE Z590.3-2011(R2016))
• PtD Concepts and Application
• The stated goals of Z590.3 are to 1) achieve acceptable risk levels,
2) prevent or reduce risks that produce injuries and illnesses, and 3) reduce
the need for retrofitting to address hazards and risks not addressed in the
design or redesign phases. The PtD standard is based on the risk reduction
hierarchy of controls concept shown in Figure 1.6.
Figure 1.6. Risk Reduction Hierarchy of Controls reprinted with permission
from ANSI/ASSE Z590.3-2011(R2016) (Courtesy of the ASSP)
Most Preferred
➢ Risk Avoidance: Prevent entry of hazards into a workplace by selecting and
incorporating appropriate technology and work methods criteria during the
design processes.
➢ Eliminate: Eliminate workplace and work methods risks that have been
discovered.
➢ Substitution: Reduce risks by substituting less hazardous methods or
materials.
➢ Engineering Controls: Incorporate engineering controls/safety devices.
➢ Warning: Provide warning systems.
➢ Administrative Controls: Apply administrative controls (the organization of
work, training, scheduling, supervision, etc.).
➢ Personal Protective Equipment: Provide Personal Protective Equipment (PPE).
Least Preferred
• PtD Hazard Analysis and Risk Assessment Process
• Like the ANSI Z690.2 Risk Management and ANSI Z690.3 Risk Assessment
Techniques standards, Z590.3 addresses the same fundamental steps in risk
assessment.
• There are some important distinctions between the two.
• The ANSI Z690 standard addresses the management of all types of risk
(including those with positive results as well as those with negative
consequences) in a much broader sense with the purpose of reducing
uncertainty and achieving an organization’s objectives.
• Z590.3 is focused on the assessment and control of hazard-derived risks
through design and the use of the hierarchy of controls within the lifecycle
of a system to achieve acceptable risk.
• PtD Hazard Analysis and Risk Assessment Process
Figure 1.7, Alignment of ISO 31000 and the
ANSI/ASSE Z590.3 Risk Assessment Process
ISO 31000, Process (clause 5): Communication and consultation (5.2);
Establishing the context (5.3); Risk identification (5.4.2); Risk analysis
(5.4.3); Risk evaluation (5.4.4); Risk treatment (5.5); Monitoring and
review (5.6)
ANSI Z590.3:
1) Data gathering – Injury and protective data
2) Set scope or Limits of Assessment
3) Develop and charter risk reduction team
4) Identify task and hazards
5) Assess risk – Initial risk scoring system
6) Reduce risk – Hazard control hierarchy (Identify current controls;
Test/verify current controls; Identify new controls)
7) Assess Risk – residual risk scoring system
8) Results/Documentation
9) Controls measurement system
10) New hazard ID
Other elements shown: decision point "Residual risk acceptable?" (Yes / No);
Reevaluate tasks and hazards; Evaluation complete
• Hazard Analysis and Risk Assessment Techniques in PtD
• Each organization should select and apply risk assessment methods suitable to its needs
and provide training in those methods to stakeholders involved in the process. The
Z590.3 standard identifies eight common techniques for hazard analysis and risk
assessment in its Addendum G. Those methods are:
• Preliminary Hazard Analysis (PHA),
• What-If Analysis,
• Checklist Analysis,
• What-If/Checklist Analysis,
• Hazard and Operability Analysis (HAZOP),
• Failure Mode and Effects Analysis (FMEA),
• Fault Tree Analysis (FTA), and
• Management Oversight and Risk Tree (MORT).
• A comparison of listed hazard analyses and risk assessment methods in
ISO 31010, ANSI Z590.3 and ANSI Z10 standards is shown in Table 1.1.
Table 1.1 Comparison of hazard analysis and risk assessment
methods listed in ISO 31010, ANSI Z590.3, and ANSI Z10
ISO 31010/ANSI Z690.3-2011
B.1 Brainstorming
B.2 Structured / Semi Structured Interviews
B.3 Delphi
B.4 Checklists
B.5 Preliminary Hazard Analysis
B.6 Hazard and Operability Studies
B.7 Hazard Analysis and Critical Control Points (HACCP)
B.8 Toxicity Assessment
B.9 Structured What-if Analysis
B.10 Scenario Analysis
B.11 Business Impact Analysis
B.12 Root Cause Analysis
B.13 Failure Mode Effects Analysis (FMEA); Failure Mode Effects and Critical Analysis (FMECA)
B.14 Fault Tree Analysis
B.15 Event Tree Analysis
B.16 Cause and Consequence Analysis
B.17 Cause and Effect Analysis
B.18 Layers of Protection Analysis
B.19 Decision Tree Analysis
B.20 Human Reliability Analysis
B.21 Bow Tie Analysis
B.22 Reliability Centered Maintenance
B.23 Sneak Analysis and Sneak Circuit Analysis
B.24 Markov Analysis
B.25 Monte Carlo Simulation
B.26 Bayesian Statistics and Bayes Nets
B.27 FN Curves
B.28 Risk Indices
B.29 Consequence / Probability Matrix
B.30 Cost/Benefit Analysis (CBA)
ANSI Z10-R2017
Design Review
Risk Assessment Matrix
What-if / Checklist Analysis
ANSI Z590.3-R2016 PtD
Design Safety Review
Risk Assessment Matrix
Management Oversight and Risk Tree - MORT
Additional entries in the ANSI Z10 and ANSI Z590.3 columns
Brainstorming
Checklists
Preliminary Hazard Analysis
Hazard and Operability Studies
Checklists
What-if Analysis
Failure Mode and Effects Analysis
Fault Tree Analysis
Consequence / Probability Matrix
• SUMMARY
• As organizations become more risk-centric, OSH risk professionals will be
expected to have sufficient skills in selecting and applying occupational risk
management tools. They will be expected to understand and apply the
hierarchy of controls concept to achieve an acceptable risk level.
• Risk elimination and reduction will be incorporated into designs, and
throughout a system’s life span. Knowledge and skill in these concepts as
well as a firm understanding of occupational risk management systems such
as ISO 45001 and ANSI Z10 will be required by organizations.
• The concepts, tools and case studies in this manual are designed to help
prepare the OSH risk professional for these changing expectations and
developing trends.
• References
• ANSI/ASIS/RIMS RA.1-2015. Risk Assessment. Alexandria, VA: ASIS International and The Risk and Insurance
Management Society, Inc., 2015.
• ANSI/ASSE/AIHA Z10-2012 (R2017). American National Standard—Occupational Health and Safety Management
Systems. Fairfax, VA: American Society of Safety Engineers, 2017.
• ANSI/ASSE Z590.3-2011 (R2016). Prevention through Design: Guidelines for Addressing Occupational Hazards and
Risks in Design and Redesign Processes. Des Plaines, IL: American Society of Safety Engineers, 2016.
• ANSI/ASSE Z690.1-2011. American National Standard - Vocabulary for Risk Management. Des Plaines, IL: American
Society of Safety Engineers, 2011.
• ANSI/ASSE Z690.2-2011. American National Standard – Risk Management Principles and Guidelines. Des Plaines, IL:
American Society of Safety Engineers, 2011.
• ANSI/ASSE Z690.3-2011. American National Standard - Risk Assessment Techniques. Des Plaines, IL: American Society of
Safety Engineers, 2011.
• ANSI B11.0-2015. Safety of Machinery. Houston, TX: B11 Standards, 2015.
• ASSE’s Risk Assessment Institute website (http://www.oshrisk.org/videos/)
• BS OHSAS 18001:2007. Occupational health and safety Management systems—Requirements. London, UK: British
Standards Institution (BSI), 2007
• ILO-OSH 2001. Guidelines on occupational safety and health management systems. Geneva, Switzerland.
International Labour Office, 2001.
• Main, Bruce, W. Risk Assessment: Challenges and Opportunities. Ann Arbor, MI: Design Safety
Engineering, Inc., 2012.
• Manuele, Fred. A., Advanced Safety Management: Focusing on Z10 and Serious Injury Prevention.
Hoboken, NJ: Wiley, 2008.
• MIL-STD-882E. Standard Practice for System Safety. Washington, DC: Department of Defense, 2012.
• OSHA. (2003). Voluntary protection programs: Policies and procedures manual. Washington, DC: U.S.
Department of Labor, Author. Retrieved from www.osha.gov/OshDoc/Directive_pdf/CSP_03-01-003.pdf
• Popov, G., Lyon, B., Hollcroft, B., Risk Assessment: A Practical Guide to Assessing Operational Risks.
Hoboken, NJ: Wiley, 2016
• Risk Assessments – Top 10 Pitfalls & Tips for Improvement, Bruce K. Lyon and Bruce Hollcroft, Professional
Safety, December 2012, American Society of Safety Engineers
• The Art of Assessing Risk – Selecting, Modifying and Combining Methods to Assess Operational Risks,
Bruce K. Lyon and Georgi Popov, Professional Safety, March 2016, American Society of Safety Engineers
• The Institutes, Quadrants of Risk: Hazard, Operational, Financial, and Strategic. Retrieved from
https://www.theinstitutes.org/comet/programs/arm/assets/arm54-chapter.pdf
• The Risk Management Society (RIMS), What is ERM? Retrieved from
https://www.rims.org/resources/ERM/Pages/WhatisERM.aspx
Risk Management and
Prevention through Design
EHS Seminar
Developed by: Dr. Georgi Popov, CSP, QEP, SMS, ARM, ASP, CMC
Why ERM?
• Value of the Profession
“ASSE must tell the story of what we do and the value we provide to organizations.
While regulatory standards will always be part of OSH programs, we deliver the
greatest value to our organizations and clients when we use our technical
knowledge to identify and assess risks, then apply our business skills to develop
and communicate effective solutions.
Progressive organizations do not hire professionals to achieve basic compliance.
They hire us to influence the policies, systems and programs that are needed to
protect the organization’s employees, assets and viability.
We do this best by focusing on identifying, assessing, reducing and communicating
with our corporate leaders in terms of risk.”
• Risk Communication: A journey from SH&E Hazards Identification to Enterprise
Risk Management (ERM)
Why ERM?
• You don't have a true and
overarching safety strategy.
• Your safety strategy was developed
in a vacuum (silo approach)
• You have antiquated equipment that
is unsafe to operate at optimum
speeds.
• You have developed the mindset in
your workers that safety is the
enemy of productivity. ???
• Your flawed safety culture reinforces
this division between safety and
productivity.
Source: https://proactsafety.com/blog-posts/the-war-between-safety-and-productivity
Why ERM?
• History lessons:
• Integration is the key!!!
• Alexander the Great (Egypt – I’m one of you) = Alexandria
• Roman Empire – Integration and common values
• Opposite: Napoleon and Hitler (us against the World) –
Short lived results
• Translation: Safety examples?
[Image: Anubis in Roman Toga]
“Traditional” Risk Management
• “Traditional” RM is often associated with entrenched silos.
• Safety professionals were very often separated from financial and strategic risk
decisions. Safety function was very often considered separate or part of
operations.
• Human resources typically managed the turnover rate, hiring, benefits and
absenteeism.
• Lean Six Sigma function managed productivity and quality.
• Accounting managed financial records, business transactions, cash flows and
accounts payable.
• All these functions or departments had their own management structure and very
rarely worked in synergy. ERM integrates safety risks with operational, financial,
and strategic risks and it encourages an understanding of their relationships and
synergistic effect.
ERM Models
[Figure: ERM model with four risk categories: Hazard Risk, Financial Risk, Operational Risk, Strategic Risk]
• Hazard risk – Example: Insurable risks. Injuries & Illnesses, Property damage, Natural catastrophe
• Financial risk – Financial losses, Pricing risk, Asset risk, Currency risk, Liquidity risk
• Operational risk – Employee error, System failure, Process interruption, Customer satisfaction,
Product failure, Integrity, Knowledge drain
• Strategic risks – Competition, Social trend, Reputational risk; $$$ availability (GM & Chrysler 2008)
ERM Models
Generally, risks to the Company’s success can be grouped into four categories:
(1) Strategic,
(2) Operational,
(3) Compliance and
(4) Financial & Reporting
J&J ERM: Source:
https://www.jnj.com/_document?id=0000015a678b-d85b-a1da-779f4cfe0000
OSH and Enterprise Risk Management integration
[Figure labels: Strategic Risk; Compliance Risk]
This ERM methodology integrates safety into Enterprise Risk Management.
Safety Function and ERM
Traditional RM 2007 – “Silo” approach
[Images: Diesel Forklift; “Knauf Tianjin” Drywall]
OSH Risk Management adds Value
• ERM risks are interdependent.
• Key interdependencies exist between OSH risks, operational risk, financial
risk, business risk and reputational risk.
• Each of these major interdependent categories is comprised of sub-risk
categories.
• The synergistic effect of risk exposures could pose greater risk than the sum
of individual hazards and risks. For example, the regulatory fines related to
OSH risks may be considered acceptable from a financial perspective
($12,675 per violation), but may not be acceptable from an ERM
perspective due to strategic risk and potential reputational damage.
OSH Risk Management adds Value
• Safety risks may be misunderstood or underestimated.
• OSH risk may lead to financial losses, operational interruptions, and
regulatory issues if the function is not properly integrated into the ERM
process.
• Improperly managed OSH risks may lead to operations being shut down due to
incident investigations, resulting in financial losses, failure to fulfil orders,
increased insurance premiums and reputational damage.
• Unfortunately, a considerable number of organizations use different systems
and methodologies to manage different risks.
• The OSH function may utilize risk assessment and risk management
methodologies that are not familiar to business managers.
• OSH managers may not be fully familiar with business risk assessment and
risk management practices and tools. Hence, the need for integration.
OSH - ERM framework
• Our interpretation: OSH - ERM framework should be defined as follows:
• OSH risk is a variable that can have a negative effect on key business
objectives. Conversely, proper management of OSH risks may contribute to
achieving business objectives, eliminate or minimize overall organization
risk, maximize company value and contribute to achieving strategic
objectives.
• The presented OSH-ERM methodology clarifies the importance of the OSH
function’s role in strategic planning, and demonstrates that it is easily
embedded throughout an organization.
• OSH risk influences and aligns with strategic goals and performance across
all departments and functions.
OSH & ERM Integration
• Case study/Practical example
• Consider the following practical example. In 2006, the U.S. Chemical
Safety and Hazard Investigation Board (CSB) issued a safety bulletin
following the agency's investigation into the June 24, 2005, fire and
explosions that swept through the Praxair Distribution, Inc., gas
cylinder filling and distribution center in St. Louis, Missouri. According
to CSB, the accident occurred when gas released by a pressure relief
valve on a propylene cylinder ignited. (CSB, 2006 report available at:
http://www.csb.gov/one-year-after-gas-cylinder-fire-and-explosionsat-praxair-st-louis-csb-issues-safety-bulletin-focusing-on-pressurerelief-valve-standards-and-good-safety-practices/)
OSH & ERM Integration
• Case study/Practical example
• Under the “traditional” Loss Control approach, the organization will purchase
property, liability and workers compensation for this type of risk. Safety
managers may add proper handling procedures and an emergency response plan in
case of a chemical release or an explosion.
• The “traditional” Loss Control approach may consider this type of risk transfer
a sufficient form of control – a.k.a. “cost of doing business”. The “traditional”
Safety management function may consider the SOPs a sufficient measure to reduce
the probability/likelihood of explosion and the emergency response plan a measure
to reduce the consequences.
• Under the ERM approach, additional risks will be considered. Additional risks
include business interruption, turnover rate, ethical considerations and
reputational damage. Strategic risk may include failure to complete orders on
time and eventually loss of clients.
CSB: http://www.csb.gov/praxair-flammable-gas-cylinder-fire/
Objectives of risk assessment and risk
management
• As defined by ISO 31000/ANSI Z690.2, risk assessment is the “overall
process of risk identification, risk analysis, and risk evaluation.”
• A more detailed definition of risk assessment within an occupational
safety and health context is found in the ANSI/ASSE Z590.3 Prevention
through Design: Guidelines for Addressing Occupational Hazards and
Risks in Design and Redesign Processes standard. It states that risk
assessment is “a process that commences with hazard identification
and analysis, through which the probable severity of harm or damage
is established, followed by an estimate of probability of the incident
or exposure occurring, and concluding with a statement of risk.”
(ANSI/ASSE Z590.3-2011-R2016, 3.19, p 13)
Objectives of risk assessment and risk management
• The objectives of risk assessment are:
➢Identify hazards and their risks that threaten the organization and its
objectives
➢Analyze, evaluate and determine risk levels
➢Recommend risk reduction measures according to the hierarchy of
controls (HoC)
➢Reduce and maintain residual risk to an acceptable level to the
organization
➢Communicate risk effectively to decision makers to enable informed risk-based decisions
➢Reduce uncertainty
➢Assist the organization in achieving its stated objectives
Objectives of risk assessment and risk management
• The objectives of risk management are:
➢Align the outcomes of risk assessment with the organization objectives
➢Treat the risks
➢Communicate the outcomes
➢Monitor and review the risks
➢For ERM consider Operational, Financial, and Strategic risks
[Figure: ISO 31000 Risk Management Standard, modified to include ERM]
[Figure: Selection of SH&E and ERM techniques]
ERM
• For an ERM to work, it needs to be:
✓Enterprise (i.e. integrating all influences over the whole organization),
✓Risk (i.e. model the interrelationships that cause uncertainty),
✓Management (i.e. be a decision making tool for those who actually run
the business).
Source: BREXIT AND THE FAILURE OF ERM – GREG CARROLL
http://www.fasttrack365.com/blog/bid/brexit-and-the-failure-of-erm
Safety Value
• Notice Opportunities
Source: ASSE PSJ: Safety & Sustainability: Understanding the Business Value
http://aeasseincludes.asse.org/professionalsafety/pastissues/058/06/F3Hill_0613.pdf
ASSP RAI
Source: © istock.com/relif