Figure 3.4 The four quadrants of a Cartesian coordinate system.
At this stage, an organization should consider their acceptance risk level in terms of the planned risk assessment exercise. Management and other involved stakeholders should agree on the levels that require “stop work,” “immediate action required,” “remedial action,” on down to “acceptable level – no further action.” As stated in ANSI/ASSP Z590.3, “Personnel who craft risk assessment matrices may have differing ideas about acceptable risk levels and the management actions that should be taken in a given risk situation, and those differences must be resolved so that all personnel understand the process.”
3.7 Establishing Context
The purpose and scope known as the context of the risk assessment must be established. This step is considered critical since it sets the direction, tone, and expectations for the project. Within the organization’s risk management process, the context should define the purpose and scope of the assessment; the stakeholders/team members responsibilities and accountabilities; the degree, extent, or rigor of the assessment; the risk assessment methodologies; the risk criteria; and resources available. Ultimately, the context defines the parameters for managing the risk throughout the process as stated in ANSI/ASSP/ISO 31010.
The context for the risk assessment should be clear, concise, and well understood by all stakeholders. Every successful risk assessment needs a tightly defined beginning and end, so the assessment team is not tempted to make it more complicated than needed or take it further than it is intended. The context should set the boundaries for the assessment with internal (resources, knowledge, culture, and values among others) and external (legal, regulatory, economy, perceptions of external stakeholders, etc.) parameters in mind.
To ensure the risk assessment team is focused on the correct elements, the context should “clearly explain” what is expected. For example:
If the hazards associated with the job of cleaning windows were to be assessed, would it just cover the actual cleaning, or would it include associated hazards like setting up the ladders, transferring the cleaning chemicals, or even driving to and from the location?
If a facility was to be assessed, would it include just the plant operations on‐site, or would it include items like transportation, utilities, waste, and emissions to and from the facility?
For a risk assessment of potential emergencies/disasters, should the assessment be limited to emergencies/disasters at facility sites or include events off‐site? Should it include natural, man‐made, or technological emergencies/disasters, or all of them?
Setting the scope too narrow might prevent a hazard and the resulting risk from being identified and assessed or making it too broad could prevent the risk assessment from getting to the real purpose. It is important to get input from those who will be using the risk assessment to make decisions.
A well‐written and understood context is important as a guide that can be checked against frequently to keep the risk assessment team from drifting off course. The authors recommend that a concise “Purpose and Scope” statement be produced and written at the beginning of each risk assessment. Two simple examples are provided below.
1 The purpose and scope of the risk assessment for the Robotic Welding Cell # 214 is to determine the risk level to Operators when entering the cell to change welding tips on the robot considering existing controls using a Preliminary Hazard Analysis method by a cross‐functional team of certified assessors.
2 The purpose and scope of the risk assessment for the Westfall Plant is to determine the risk level that natural hazards (including wind, severe rail, hail, tornado, earthquake, lightning, hurricane, and flood) present to the plant considering existing controls. The assessment team consisting of risk management, insurance professionals, and an outside consultant will use an Organizational Risk Assessment methodology to identify and quantify risk levels that may need additional risk treatment or risk financing.
Prior to conducting a risk assessment, an organization should clearly define and communicate its own risk criteria and “acceptable risk” level. Risk criteria should correspond to the selected risk assessment matrix, and take into account the type of consequences expected; how likelihood or probabilities will be determined and expressed; the specific risk level classifications to be used; at what level of risk will corrective action be required; and the organization’s established acceptable risk level.
The criteria used to determine risk criteria and acceptable risk level should include the organization’s business objectives and safety and health goals, the use of cost/benefit analyses of risks and their treatment, and will be influenced by its culture and industry setting. Typically, as an organization matures and improves its risk control measures, the acceptable risk level will move closer to the negligible risk level. Further discussion on risk criteria and acceptable risk are provided in Chapter 4.
3.8 The Risk Assessment Team
The context of the risk assessment assignment will determine the size and makeup of the team needed. The risk assessment team should include a cross‐functional group of individuals who are familiar and knowledgeable with the hazards and operations being assessed. In many cases, the team will be comprised of several members on a consistent basis, while others are likely to come and go based on their ability to contribute to the particular risk assessment. For example, a risk assessment for a production operation might include engineering, maintenance, quality, production, safety, and an operator. A risk assessment for a transportation operation might include a driver, mechanic, and a dispatcher, along with the safety professional. A risk assessment for a product might include a product designer, engineer, legal counsel, production employee, marketing, customer service representative, insurance representative, and safety.
It is important to include members from within as well as outside of the organization that are knowledgeable about the hazards or operations and can make a positive contribution to the risk assessment. In some situations, external members are crucial to an assessment. During the “Occupy Movement” in 2011, a risk assessment was being performed for emergency planning purposes at a company near the Port of Oakland, California. The company did not have a security person and it was recommended that the security firm for the complex be invited to participate. As a result, the outside security professional identified that the Port was subject to civil unrest during the risk assessment. Recommendations from the assessment were addressed. Soon after “Occupy Oakland” occurred disrupting operations, but the company was prepared as a result of the input from the external security person.
A facilitator is also an important member of the risk assessment team. The facilitator could be an additional member or one of the members who is knowledgeable about the hazard or operation. The facilitator must know the risk assessment process and techniques. They must also understand the purpose and scope and be able to communicate this to the other members in order to keep them focused and on track. The facilitator should be confident but not controlling. Confidence is important to keep the risk assessment progressing in the right direction, staying objective, and on a reasonable schedule. However, the facilitator must avoid being controlling or dominating and should prevent other team members from dominating the risk assessment. Each member should feel comfortable contributing their ideas to the risk assessment and be assured that their contributions will be valued. The facilitator is key to the success of a good risk assessment.
A risk assessment team of about three to 10 members seems to work well. Less than three members may not provide enough perspectives or insights into the risk assessment. Risk assessment teams with more than 10 members may be difficult to control and keep focused. At some point a large risk assessment team will likely