A Primer on Risk Management

We couldn’t possibly start to manage our safety challenges effectively without a clear understanding of what “risk” is and how risk can be managed. There are many websites and texts available to explore the intricacies of the Risk Management Process so I won’t repeat all of that good work here. What I will do is outline the essentials that I’ve come to believe as the fundamental features of risk and how these features can be managed.

William W. Lowrance*, a specialist in risk management, defined safety as: “a judgment of the acceptability of risk”, and he defined risk, in turn, as “a measure of the probability and severity of harm to human health.” He summarizes his position by stating: “a thing is safe if its risks are judged to be acceptable”. I read “Of Acceptable Risk” early in my career and it has shaped my thinking about what and how safety needs to be managed.

So let’s look at a practical example of the theory, managing the risk of falling off a flat roof.

A risk mitigation strategy could include:

  • Reducing the probability that someone could fall off the roof by installing a barrier,
  • Reducing the severity of someone falling off of the roof by having them wear fall protection and/or
  • Reducing the exposure to the roof (the hazard) by limiting access to the roof.

Everything has risk because consequences happen for our actions and inactions. Everything we do or don’t do makes a contribution to our future outcomes. That puts us somewhat in control of our outcomes. Nothing of course is certain, but our actions can and do dramatically manage what happens next in our lives. Putting on a seatbelt when we drive has the potential to dramatically change the outcome in a traffic accident. The consequences of our actions and inactions make this whole thing manageable. What we do and don’t do for safety matters A LOT.

The Risk Formula

Risk is a function of three critical factors:

Risk = Probability x Severity x Exposure

Risk 300

  • Probability that a sequence of events will occur and result in a specific consequence.
  • Severity of the consequence.
  • Exposure to the opportunity for the sequence of events to occur.

Note that for our purposes here, Consequence is the impact of the loss or the result of the scenario. Consequence can range from positive to negative including neutral. We can like the outcomes, dislike the outcomes or frankly not be concerned at all with the consequences.

The multiplication process comes from the fact that if you could get probability, severity and/or exposure to ZERO (or for argument sake, close to Zero) then the Risk is virtually gone for THAT set of circumstances. If you add these components in a situation it could look like a risk is still there when it virtually isn't.

If you work at the edge of a roof on a 5-story building without fall protection there is a probability of injury, there will almost certainly be a severity to the consequences if you fall and there is, by simple logic, an exposure. If I change one (or more) of the factors we can get to (close to) Zero. Don't go up there, changes the exposure to zero for example. If we must go on the roof then managing the potential of a fall by putting up guardrails also increases the chance of safely and successfully doing the work. Fall protection would indeed alter the severity if there was a slip from the edge of the roof.

Let not forget that we're not working with absolutes. Risk is about our perception of these components of risk. When doing risk analysis it's about your best guess. If life was a sure thing, risk calculations would be as simple as geometry...it would always work! We wouldn't have a stock market and even playing team sports wouldn't be as exciting. Car insurance companies would all give you the same quote! Did you just hear a duck quacking? Let’s face it; this Risk Management is hardly a pure science.

The Four “T’s”

Now once a Risk has been identified there are the classic Four “T’s” of risk management for us to consider. Using one or more of these managing factors will decrease the risk of loss.

Terminate: an extremely effective risk control technique, this approach is also called risk avoidance. It should be thought of as including both the refusal to expose the organization to a risk in the first place, and the complete elimination of a risk that is already present in the operation. This is the only risk management technique designed to be used without any others.

Treat: Also called reduction, it is related to risk control. "Treating" the risk includes the safety techniques of loss control, or loss prevention. Note that when these techniques are applied, the risk still exists; the techniques are designed to stop or reduce losses only. For example, wearing a hard hat does not eliminate the risk of being struck by falling objects; it only prevents or reduces the injuries experienced. Risk treatment (loss control) is a vital area of activity when termination is not a practical solution.

Tolerate: This is also called retention. It is an approach to financing risks that include all forms of paying for losses with funds originating inside the organization: current expenses, reserves, borrowing, and some insurance agreements with a third party insurer. For most organizations, tolerating risks is only economical in the presence of a good loss control program. Once we have mitigated the potential for loss to an acceptable level the risk we experience must be tolerated by us…hence the phrase “acceptable risk”.

Transfer: Both risk control and risk financing include transfers, one of legal responsibility through contracts, leases, etc., and the other of financial responsibility. Perhaps, the most common risk transfer is to finance losses through insurance, but this must never be viewed as a substitute for loss control, since transfers are not foolproof and almost always leave some chance that the "transferor" may suffer some loss.

There you have it, a view of risk and the management of risk. This is a subject that is as wide as it is deep. Search around the internet…you’ll find more information than you can possibly read in a lifetime. Decide your definitions of risk and your strategies to manage and mitigate the risks that you and your fellow humans face.

*Lowrance, W. W. (1976). Of Acceptable Risk. William Kaufmann Inc. California.

Alan Quilley

Written by Alan Quilley

Alan D. Quilley is the author of The Emperor Has No Hard Hat – Achieving REAL Safety Results and Creating & Maintaining a Practical Based Safety Culture© . He is president of Safety Results Ltd., a Sherwood Park, Alberta OH&S consulting company (http://www.safetyresults.ca/). You can reach him at aquilley@safetyresults.ca.

Safety Cary Blog
Ask a Safety Question
Safety Prediction Blog