Risk Management is the cornerstone of any good management system, whether that be a Safety, Quality, Environmental or Enterprise Risk Management system.
While the WHS Act prescribes a duty to manage risk (sec 17) and a suite of core requirements (WHS Reg Sec 33 – 38, as well as the supporting Code of Practice How to Manage Work Health and Safety Risks), other systems default to the framework and process established through the industry best practice ISO 31000-2009 Risk management – Principles and guidelines.
To effectively manage risk, there is a need to understand the risk, its cause, its potential impacts (positive as well as negative), and the relative likelihood that those impacts can occur.
ISO 31000 outlines that risk should be “…analysed by determining consequences and their likelihood, and other attributes of the risk” with the way in which the consequences and likelihood are combined determining the overall level of risk. The likelihood of the risk is to be anchored to the consequence level and gauged by the overall likelihood of the consequence occurring for that specific risk event.
The consistent application of this connection between consequence and likelihood is the key. Effective ‘risk takers’ use this as a part of their planning processes to ensure they are prepared to make the critical decisions, doing so in a well-informed manner.
Organisations are using Risk Databases and Registers, Bow-tie assessments and hot-spot mapping (to name a few) to collate the various causes and controls, highlight the various risk scores as a means of prioritising actions, and inform the risk making / risk taking decision.
The approach for the risk analysis needs to be clearly understood by all involved; and the discussion needs to start with “what are the impacts or consequences of the risk, should it occur?” These impacts could be either positive or negative, and there could be multiple impacts across a number of different disciplines such as an environmental impact, a WHS impact and a reputational consequence. Each consequence should have a corresponding likelihood, with each connected pairing producing a relative risk score.
From a safety perspective, similar processes should apply. Risk Assessments do not need to be long and drawn out, but they do need to be specific to the work environment and conditions. It isn’t possible to make an effective, informed decision in relation to managing a risk if all the details are generic or a cut-n-paste from the last job.
With the implementation and standardisation of the high level international standards structure, Annex SL, in the current revisions of ISO 9001:2015 Quality Management Systems and ISO 14001:2015 Environmental Management systems (and in all probability, the upcoming ISO 45001 Occupational Health and Safety Management Systems) risk-based thinking has now been introduced as a standardised requirement to all management systems. Organisations are now required to highlight risks and opportunities in clause 4, with clause 6 requiring demonstration of how these will be addressed through planning.
Please contact QRMC for assistance to standardise your management systems for risk-based thinking.
