The management of risks is a cornerstone principle within an array of legislative requirements, including WHS, Electrical Safety, Heavy Vehicle ‘Chain of Responsibility’ and Environmental Management and embedded within the requirements of most ISO standards (9001, 45001, 14001, 27001, 22001).

However, when it comes to the step-by-step process for assessing a risk, industry is often unclear about how the process should be undertaken, and this can produce an assessment that is skewed and not representative of the actual risk. This article walks through the process and the referenced documents to set out the correct way of assessing risk.

When it comes to the actual nuts and bolts of the process, there is either an overt deferral to the industry best-practice standard ISO 31000 Risk Management or (in QLD) to the WHS Risk Management Code of Practice (2021).

ISO 31000 Risk Management introduced the concept in 2009 that “Risk is analyzed by determining consequences and their likelihood”.  The updated 2018 ISO 31000 retained the definition (in the Terms & Definitions) that “Risk is usually expressed in terms of risk sources, potential events, their consequences and their likelihood”.  This is clarified in the supporting Guide 73 Risk Management — Vocabulary (2009) which includes that “Risk is often expressed in terms of a combination of the consequences of an event and the associated likelihood.”

Then in 2020, Standards Australia issued a supporting AS/NZS 31010 Risk Management – Risk Assessment techniques, providing guidance on the application of various risk assessment techniques, including the most commonly used risk matrix approach, which combines consequence and likelihood ratings to generate an overall risk score. AS/NZS 31010 details that “to rate a risk, the user first finds the consequence descriptor that best fits the situation then defines the likelihood with which it is believed the consequence will occur”. The document also warns that the likelihood of any particular consequence will differ from the likelihood of the event at another level of consequence; in other words, each level of consequence carries its own likelihood.

The QLD WHS Risk Management Code of Practice (issued in 2011 and re-issued in 2021) presents the same sequence in practical terms under the step headings ‘Work out how severe the harm could be’ and then ‘Work out the likelihood of harm occurring’ (with harm corresponding to consequence, followed by the determination of the likelihood of that harm).

Both the ISO Standard (and its supporting documents) and the Code of Practice state that consequence / harm should be considered initially, and then the likelihood of that level of harm should be determined.

Together, these references establish that the correct order of steps in the risk analysis process is to determine consequence first and then likelihood.

Considering likelihood before consequence can significantly skew the assessment. If likelihood is considered first, the process is effectively asking how likely the event is to occur at all (i.e. at any level of consequence), which will logically attract a much higher likelihood rating than any particular level of harm. The likelihood of a cyclone occurring is far higher than the likelihood of an injury resulting from the cyclone once all of the precautions and risk controls in place are taken into account; in the same way, for an ISO 27001 register, the likelihood of a phishing email arriving is far higher than the likelihood of that email leading to a compromise given the controls in place. The fundamental error of considering likelihood before consequence leads the assessment down a path where the likelihood and the consequence are not anchored together: an inflated likelihood of the event is recorded, a possible consequence is then thought about separately, and the two factors are never linked as they should be.

By determining the consequence first, we enable the risk assessment to be focused and ‘credible’, taking into account the current controls in place. With that consequence established, the likelihood is then the likelihood of the event occurring and producing that defined level of consequence, considering the effectiveness of the existing controls. The two factors (the consequence and the likelihood) need to be relative to each other and anchored together to the risk statement, or the result will be skewed. An inaccurate rating of risks then makes it more difficult to properly prioritise and manage them.
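The difference between the two orderings can be made concrete with a small risk matrix calculation. The following is an added example written for this article and is not code from QRMC, the Standard or the Code of Practice; the 5x5 scales, the rating bands, the cyclone scenario and the ratings assigned to it are all constructed for illustration, and the anchoring sanity check at the end is an assumption of this example rather than a rule from any of the referenced documents.

```python
"""Consequence-first (anchored) versus likelihood-first risk rating on a 5x5 matrix.

Added example. Scales, bands, scenario and ratings are constructed for
illustration; they are not taken from ISO 31000, AS/NZS 31010 or the QLD Code.
"""
from dataclasses import dataclass

# Ordinal 5x5 scales (constructed; an organisation defines its own descriptors).
CONSEQUENCE = {"insignificant": 1, "minor": 2, "moderate": 3, "major": 4, "catastrophic": 5}
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}

# Rating bands applied to the matrix score (constructed), highest threshold first.
BANDS = [(15, "extreme"), (10, "high"), (5, "medium"), (1, "low")]


def risk_score(consequence: str, likelihood: str) -> int:
    """Matrix cell value: consequence rank multiplied by likelihood rank."""
    return CONSEQUENCE[consequence] * LIKELIHOOD[likelihood]


def rating(score: int) -> str:
    """Map a matrix score to its rating band."""
    for threshold, name in BANDS:
        if score >= threshold:
            return name
    raise ValueError(f"score out of range: {score}")


@dataclass(frozen=True)
class AnchoredLevel:
    """One consequence level of a risk statement, paired with the likelihood that
    the event produces *that* level of harm given the controls currently in place."""
    consequence: str
    likelihood: str


def assess_anchored(levels: list[AnchoredLevel]) -> dict:
    """Consequence first: every level is scored with its own likelihood and the
    risk is reported at the level with the highest score (the credible worst case)."""
    scored = [(lvl.consequence, lvl.likelihood, risk_score(lvl.consequence, lvl.likelihood))
              for lvl in levels]
    consequence, likelihood, score = max(scored, key=lambda s: s[2])
    return {"consequence": consequence, "likelihood": likelihood,
            "score": score, "rating": rating(score), "per_level": scored}


def assess_likelihood_first(event_likelihood: str, worst_consequence: str) -> dict:
    """The skewed path: the likelihood of the event occurring at all is paired
    with whatever consequence is thought possible, with no link between the two."""
    score = risk_score(worst_consequence, event_likelihood)
    return {"consequence": worst_consequence, "likelihood": event_likelihood,
            "score": score, "rating": rating(score)}


def anchoring_warnings(levels: list[AnchoredLevel]) -> list[str]:
    """Heuristic sanity check (an assumption of this example, not a rule from the
    standards): for one event with controls in place, a more severe level of harm
    should not be rated as *more* likely than a less severe level."""
    ordered = sorted(levels, key=lambda lvl: CONSEQUENCE[lvl.consequence])
    warnings = []
    for lower, higher in zip(ordered, ordered[1:]):
        if LIKELIHOOD[higher.likelihood] > LIKELIHOOD[lower.likelihood]:
            warnings.append(f"{higher.consequence} rated {higher.likelihood!r} but "
                            f"{lower.consequence} only {lower.likelihood!r}; re-check anchoring")
    return warnings


# Constructed scenario: cyclone season at a coastal depot with existing controls
# (shutdown procedure, tie-downs, evacuation plan). Ratings are illustrative only.
CYCLONE_EVENT_LIKELIHOOD = "likely"          # a cyclone occurs at all this season
CYCLONE_LEVELS = [
    AnchoredLevel("minor", "possible"),       # bruising from wind-blown debris
    AnchoredLevel("major", "unlikely"),       # serious injury from structural failure
    AnchoredLevel("catastrophic", "rare"),    # fatality
]

if __name__ == "__main__":
    anchored = assess_anchored(CYCLONE_LEVELS)
    skewed = assess_likelihood_first(CYCLONE_EVENT_LIKELIHOOD, "catastrophic")
    print("anchored :", anchored["consequence"], anchored["likelihood"],
          anchored["score"], anchored["rating"])
    print("skewed   :", skewed["consequence"], skewed["likelihood"],
          skewed["score"], skewed["rating"])
    for warning in anchoring_warnings(CYCLONE_LEVELS):
        print("warning  :", warning)
```

With the constructed ratings, the anchored assessment reports the risk at the major/unlikely level (a score of 8, medium), because that is the consequence level with the highest score once each level carries its own likelihood. The likelihood-first path pairs the likelihood of a cyclone occurring at all with the worst imaginable outcome and reports catastrophic/likely (a score of 20, extreme). The same hazard, the same controls, and two rating bands apart; that gap is what distorts prioritisation across a register. The warning function is a cheap consistency check that can be run over an exported register to flag entries where the likelihood has not been re-anchored to the chosen consequence level.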

The way the risk assessment process is written in an organisation’s risk management procedure or risk register template can inadvertently give rise to this error, simply by the order in which the steps are described. QRMC recommends that any discussion of the risk management methodology always refers to consequence before likelihood (as per the Standard and the Code of Practice). This frames and embeds the correct process every time it is undertaken.

Please contact QRMC for more information or assistance.