Stay on top of risk management


 

The next compliance task is an important one—something that should be an integral part of your everyday systems. In this section, we’re focusing on reviewing risk, choosing controls, and implementing them.

For a bit of background, head over to our previous risk management blog which gives a good rundown on the types of risk that businesses face and why it’s so crucial to identify and control them. This excerpt provides crucial perspective for why we approach risk management in such a thorough way:

“It’s important to understand that no plan, control, or procedure is foolproof. That’s why we create layers of risk management! In the Swiss Cheese model, an organisation's defences against failure are modeled as a series of barriers, represented as slices of the cheese. The holes in the cheese slices represent individual weaknesses in individual parts of the system, and are continually varying in size and position in all slices. When layered, the holes (weak points) are covered by the solid sections of other slices.”

In this blog, we want to share some practical tools that will help you to approach and set up a system for reviewing and controlling risks.

 

Types of risk

You will often see the terms risk and hazard used somewhat interchangeably. For clarity, let's establish our definitions:

Hazard: something that could potentially cause harm.
Risk: the degree of likelihood that harm will be caused.

While we are focusing on safety, we encourage you to get bang for buck with risk management systems and processes by considering broader organisational risk. Why not? There are all sorts of things that can go sideways in business, and many non-safety risks can actually be precursors to safety-related risks.

  • Fiscal risk
  • Economic risk
  • Technological risk
  • People risk
  • Reputation risk

From a safety perspective, there are many aspects to consider:

1) Safety hazards
These can affect anyone from office workers to crane operators, but are commonly associated with heavy machinery, construction, manufacturing, and trades. Hazards can include anything that could cause slips, trips and falls, dangerous machinery and its operation, and electrical concerns.

2) Biological hazards
The biological hazards category covers exposure to dangerous substances and diseases associated with working amongst animals, people, or infectious plant materials. This is especially relevant to those working in hospitals, laboratories or outdoor occupations.

3) Physical hazards
These can affect anyone working in extreme weather conditions or harmful environments. Continuous loud noises, sun, UV, radiation, and other factors are included.

4) Ergonomic hazards
Anything that puts strain on the body is an ergonomic hazard. They are of particular concern at both ends of the manual labour spectrum: heavy lifting, digging, etc. is an ergonomic risk, but so is sitting at a desk all day. These hazards can be difficult to identify as the effects are often gradual.

5) Chemical hazards
These occur when a role exposes someone to dangerous liquids, solvents or flammable gases. They often affect those working in cleaning facilities, engineers, and field-based roles. Chemicals can cause illness, skin irritation, breathing problems and, in extreme cases, death.

6) Workload hazards
Stress or strain can result from workload hazards—and these include not only load but also things like violence or aggression in the workplace. They can be experienced in any job role, but those working alone are at particular risk.

 

Identifying Risk

Risk identification happens in a multitude of ways, and it’s important that those responsible make sure to see, record, and control risks however they are brought to light. They can come out of incident investigations, new processes or plant, site inspections, and emergency drills, or can be identified through consultation with other PCBUs when forming an agreement for work or preparing an SSSP (Site Specific Safety Plan). They may be raised through documentation (corrective actions) or as part of meeting discussions. The identification of a risk is simply an acknowledgement of “what could go wrong here”!

 


Assessing Risk

Once identified, the process of assessing risk must begin. Risk matrices and the concept of raw and residual risk are important tools to have for this undertaking.


Risk matrix

A risk matrix cross-references the likelihood of an incident occurring with the severity of the consequences. The common example is a 5x5 matrix that looks like this:



Using a matrix for any given risk is a key part of the assessment process. Whether the risk has come to your attention following an initial review, a regular review, or an incident report, calculating the risk using a risk matrix will give you a clear idea of how to triage it (see the reviewing risk section!).


Raw and residual risk

You’ve probably heard the terms “raw risk” (or inherent) and “residual risk” before, but what exactly do they mean?

Raw risk is the degree of the risk (which can be determined by the risk matrix) which exists before any controls are put in place. Assessing the raw risk will give you an idea of how it should be managed and the urgency of deciding on and implementing controls.

Residual risk is the risk that remains even after the control is in place. In many cases, there’s no way to reduce it right down to zero. Therefore, it’s necessary to re-assess the risk with controls, determine the residual risk, and use that information to inform how often that activity, piece of equipment, or process should be reviewed.


Controlling Risk

 

The hierarchy of control is a structured approach to managing workplace risks, prioritising methods from the most to the least effective. It helps PCBUs (Persons Conducting a Business or Undertaking) in New Zealand comply with the Health and Safety at Work Act 2015 and the Health and Safety at Work (General Risk and Workplace Management) Regulations 2016. Take note specifically of Regulations 6, 7, and 8—these are helpful when it comes to implementing, maintaining, and reviewing control measures to ensure they remain effective and continue to manage risks appropriately.

The hierarchy emphasises eliminating hazards whenever possible. If elimination is not feasible, risks should be minimised using a series of controls. From there, it becomes a matter of regularly reviewing control measures to ensure they remain effective and adapt to any new risks identified.

Hierarchy of Control Measures Explained

1. Eliminate Hazards and Risks
Remove the hazard entirely to ensure the highest level of protection.

2. Substitution
Replace the hazard with a less dangerous one.

3. Isolation
Prevent exposure by separating people from the hazard.

4. Engineering Controls
Implement physical changes to the workplace or equipment to reduce risks.

5. Administrative Controls
Use procedures and work methods to minimize exposure, such as safety protocols, training, and signage.

6. Personal Protective Equipment (PPE)
Use protective gear like gloves, masks, and goggles to reduce exposure to hazards. This is the least effective control and should be used only when other measures are insufficient.

Risks to be managed under the GRWM Regulations

The GRWM Regulations prescribe specific processes for managing certain risks, including those associated with remote or isolated work, atmospheres with potential for fire or explosion, raised and falling objects, loose materials in enclosed spaces, and substances hazardous to health. PCBUs must follow these processes to ensure all risks are effectively controlled, regularly reviewed, and updated as necessary to maintain a safe working environment.


Risk Responsibilities

We’ve written about getting your roles and responsibilities right as part of our compliance series. The following is more about where ultimate responsibility lies for risk management—and therefore what you might need to think about as a manager or worker.


Responsibilities of a worker

Workers should be aware of the risks involved in their own role. They are responsible for paying attention to the here and now: what could hurt me or my team members right now? Do I feel safe doing my job, and if not, why not?

It’s important for workers who notice risks or issues to inform their supervisors or managers through the specified processes. Additionally, they should ensure that pre-start meetings (or similar meetings with an H&S component) happen when they should, are comprehensive, and are recorded.


Responsibilities of a manager/director

A manager—and to an even greater extent, a director—is responsible for making sure that all of the pieces of the puzzle are in place: the reviews, the assessments, the controls, and the policies.

Keeping people safe is the primary goal. However, another very important aspect of a manager’s job is to ensure that the organisation can prove that it is meeting both the legal H&S requirements and the standards for any accreditations, prequalifications or certifications. For this reason, documentation—the dreaded paperwork—is a crucial aspect of management in any high-risk setting.

For a director, this is a legal responsibility. Should an incident occur, the buck lies with the directors: they must be able to prove they had done their due diligence regarding health and safety. This incident, after which the Whangarei Boys’ High School Board of Trustees was charged, demonstrates how severe the consequences can be for those ultimately responsible.

 

Reviewing Risk

The risk review process brings it all together. While using the risk matrix assessment, you may decide that residual risks of High/10 or above need to be reviewed more regularly and include a higher level of the organisation. Reviews of lower risks may be allocated at general worker level or supervisor level. This can spread the load across the organisation, while also giving appropriate air time to risks that need it most. Tie these risk reviews in with existing meetings where possible and chip away at them over the year, rather than attempting to review them en masse once a year. They can be reviewed when investigating related incidents too. According to Murphy's Law, the time you allocate will end up being your busiest and you’ll ‘risk’ it not being completed, leaving yourself out of date, non-compliant with your own policy (WorkSafe hate this), and unable to pull evidence together when it's needed.

Each risk or risky activity is unique and may require a different approach. Take night driving, for example—a common activity for workers in some industries. To review this part of the role, you’ll need to ask questions like:

  • What controls are currently in place?
  • Are they still effective?
  • Do they need updating?
  • Have laws changed since the last review?
  • Are there new technologies to consider? There may have already been a rule in place regarding seat belt use, but could seat belt alarms now be added as an extra precaution?
  • How is adherence to the controls being documented, so that the relevant manager can be sure of them?
  • Do our training practices or instruction documents reflect the most recent information?

 

 

TL;DR: Keeping risk at bay

Staying on top of your risk management is important for all aspects of a business. Our previous blog post on the topic explained why—and in this one we offered some practical advice, including:

  • Use a risk matrix to assess the severity of a risk and to prioritise where risk management efforts should be directed first.
  • Consider raw and residual risk—the level of risk before controls are in place, and the risk that remains afterwards.
  • Identify the different responsibilities of workers and managers/directors when it comes to H&S. Workers should be aware of the risks involved in their role and advocate for proper controls. Managers and directors are responsible for ensuring that adequate controls are in place, that they are reviewed and updated as necessary, and that all H&S activities are recorded so that the organisation can demonstrate due diligence.


Get the right help

As always, some guidance from the experts can make a task like reviewing and controlling risks a little more manageable. At Emendas, we help businesses to assess their policies and procedures, identify gaps, and create tailored solutions through capability uplift. Get in touch and let’s talk about how we can equip you with the tools you need to keep your workplace safe.