Source: Adapted from ANSI/ASSP/ISO 31000–2018.
Unfortunately, risk assessments have not been a common practice in the United States. One example is the 20 April 2010 Deepwater Horizon incident. According to estimates, the losses from the offshore oil rig accident resulted in 11 lives lost, $40 billion dollars, and 4.9 million barrels of oil released in the Gulf during the 87‐day incident. BP’s internal investigation team of the Deepwater Horizon accident (i.e. “Deepwater Horizon Accident Investigation Report” 8 September 2010; page 36) concluded that one of the eight key causes to the accident was that no risk assessment was performed of the cement slurry barrier application. The report stated, “the investigation team has not seen evidence of a documented risk assessment regarding annulus barriers”. The accuracy of cement slurry barriers was described as “critical” in the report, yet no formal risk assessment was performed.
Other examples indicate risk assessments are inconsistently performed. In a webinar hosted by the American Society of Safety Professionals (ASSP), “Prevention through Design: Guidelines for Addressing Occupational Hazards and Risks in Design and Redesign Processes” 30 November 2011, one of the webinar facilitators, Bruce Main, quoted a study conducted by a Fortune 500 company indicating that 65% of serious incidents had no previous risk assessment. This number may be indicative of other Fortune 500 companies and supports the authors’ experience that many smaller companies perform very few if any risk assessments.
The takeaway message here is that organizations should establish a strategy for determining when and how risks should be assessed. Basic criteria for a written policy for conducting risk assessments and when assessments are needed might include some of the following:
Projects or tasks that have not had a formal risk assessment.
New facilities, processes, or equipment.
When there are a number of risks present or introduced that make it necessary to apply risk priorities in an organized way.
When there is a risk which could have serious consequences, and where control measures are unclear.
Where there is a planned change to equipment, machinery, or a particular process (as outlined in ANSI Z10.0 8.5 – Design Review and Management of Change).
3.3 Risk Assessments and Operational Risk Management Systems
As within the risk management framework, risk assessment is central to an Operational Risk Management System. The ultimate goal of an Operational Risk Management System is to effectively manage risks and associated costs of occupational incidents through a “management‐lead” continual improvement process that involves its employees. This is evidenced in the ANSI/ASSP Z10.0‐2019 Occupational Health and Safety Management Systems standard and other management system standards and guidelines. For instance, the process of hazard analysis and risk assessment is a “required” core element in the following standards and guidelines:
Occupational Safety and Health Administration’s (OSHA) Voluntary Protection Program (VPP)
ANSI/ASSP/ISO 45001‐2018, Occupational Health and Safety Management Systems – Requirements and Guidance for Use
ANSI/ASSP Z10.0‐2019, Occupational Health and Safety Management Systems
BS OHSAS 18001‐2007, Occupational Health and Safety Management
International Labor Office ILO‐OSH 2001 “Guidelines on Occupational Safety and Health Management Systems”
ISO 14001‐2015, Environmental Management Systems – Requirements with Guidance for Use
Operational Risk Management Systems are based on a continual improvement process using the Plan, Do, Check, Act (PDCA) model promoted by Dr. Edwards Deming, known for his efforts in continuous improvement and quality initiatives. The OHSMS continual improvement process is illustrated in Figure 3.2.
Figure 3.2 The OHSMS Plan‐Do‐Check Act process.
The effectiveness of an Operational Risk Management System requires the continual identification, analysis, and evaluation of risks to understand their magnitude of loss, and potential of occurring, as well as adequacy of existing control measures and needed improvements within the organization. Therefore, the risk assessment process is crucial to understanding and managing risks to an acceptable level within an Operational Risk Management System.
3.4 The Purpose of Assessing Risk
Risk assessments can be performed for many reasons and have many purposes. According to the ANSI/ASSP/ISO 31010, Risk Management – Risk Assessment standard, the purpose of risk assessment is to “help people understand uncertainty and the associated risk in this broad, complex and diverse context, for the purpose of supporting better‐informed decisions and actions.” The use of a consistent risk assessment process allows an organization to understand risk levels, compare those risks, and address those with the greatest risk first.
Generally, operational risk assessments are performed by safety professionals to determine the risk level resulting from a risk source (hazard or operation) and apply appropriate risk‐control measures according to the Hierarchy of Controls to reduce risk to an acceptable or tolerable level. Other forms of risk treatment are available to risk management through insurance or other risk financing mechanisms to cover incidents that are not prevented.
Through the use of risk assessment, an organization is able to make better decisions regarding risk and achieve its business objectives. Removing uncertainly by assessing risk allows an organization to manage with a certain degree of confidence.
3.5 The Risk Assessment Process
The fundamental process of identifying, analyzing, and evaluating risk is necessary in providing those responsible for making business decision an understanding of the risk. This understanding allows decisions to be made regarding whether the identified risk is tolerable, and what control measures are most appropriate. Ultimately, the “output” of risk assessment is an “input” to the decision‐making processes.
The following sections describe the sequence of components that take place within a risk assessment process. This is illustrated in Figure 3.3.
Figure 3.3 Simplified steps of a risk assessment.
3.6 Risk Criteria
In the ANSI/ASSP Z590.3‐2011(R2016), Prevention through Design: Guidelines for Addressing Occupational Hazards and Risks in Design and Redesign Processes standard, the initial steps outlined in (Section 7) “The Hazard Analysis and Risk Assessment Process” are (7.1) “Communication and Direction” followed by (7.2) “Establish Risk Criteria.” In the ANSI/ASSP/ISO 31000 risk management standard, the process begins with establishing context and ANSI/ASSP/ISO 31010 outlines this in Section 6.1 “Plan the assessment.” This includes “define the purpose and scope of the assessment,” “understand the context,” “engage with stakeholders,” “define objectives,” “consider human, organizational