A team that is committed performs the best and most thorough risk assessments. To be committed, the team must understand the purpose, scope, and the value of the risk assessment. They must be informed and understand how the risk assessment will contribute to the organization’s goals and objectives. They should have the support of their manager and understand that a certain amount of prestige is associated with being on the team. A good facilitator can solicit a great deal of commitment out of team members though good communication on these matters.
The risk assessment team should have the appropriate skills to perform a successful risk assessment. They should understand the basic risk assessment concepts and methods. They can learn these concepts and methods through experience over time, or they can be provided basic instruction immediately prior to the risk assessment. They should be clear on the purpose and scope of each individual risk assessment. This includes knowing why the risk assessment is being performed and how the information will be applied and used. This communication should be clear and concise, and the facilitator should provide it or make sure it has previously been provided. Good communication and skills are essential.
3.9 Risk Identification
For operational risks, hazards are the source of risk. Thus, if risks are to be assessed, hazards must first be identified and described. Risk identification is defined as the process of finding, recognizing, and recording risks. Its purpose is to identify what might happen and/or the situations that could impact the system or organization. Risk identification should include the identification and description of the source of the risk (hazard in the context of physical harm) and its causes; events, situations, or circumstances which could have a material impact upon objectives; the nature of impact; and any existing controls for the identified risk (ANSI/ASSP/ISO 31010, 2019).
Methods for identifying existing and potential risks in the workplace are many. A likely starting point might begin with collecting available information about the operations to be assessed. Some hazards (risk sources) are easily identified intuitively or through recent or past experience, while others require more systematic methods of identification. Depending on the operation or subject of the assessment, the level of effort will vary accordingly. A simple job or task may only require a job hazard analysis, while a more complex system may require a series of methods to identify existing and potential hazards.
There are many ways to go about identifying hazards and operations for assessment, but a systematic approach will likely be more thorough and reliable. Some of the more common methods and sources used by safety professionals to identify hazards are listed below.
Brainstorming
Checklists
Regulations (OSHA, EPA, DOT, etc.)
Consensus industry standards (ANSI, ASTM, NFPA, etc.)
Experts (external or internal)
Job Hazard Analyses/Job Safety Analyses
Accident/incident investigations
OSHA Injury and Illness Records
Insurance claims
Formal hazard/risk identification techniques42 listed in ANSI/ASSP/ISO 31010‐2019 and50 methods listed in ANSI/ASSP TR 31010‐2020 Technical Report on Risk Assessment
Each risk identification method has its strengths, limitations, complexity level, resource requirements, and outputs. In some cases, more than one technique may be used to identify the risk‐related information needed. These techniques are used in conjunction with the established risk criteria and context that is discussed in the next chapter.
3.10 Risk Analysis
Upon identifying risk sources, the team will analyze the potential risk. As stated by ANSI/ASSP/ISO 31010, risk analysis involves developing an “understanding” of the risk. This analysis of each hazard/risk includes:
determining the severity of consequences
estimating the likelihood of occurrence
assessment of the effectiveness of existing controls
an estimation of the risk level
The level of risk takes into consideration a combination of the possible consequences and likelihood. A single event or task can have many possible consequences and impact multiple assets.
Risk analysis can be qualitative, semiquantitative, or quantitative in nature depending upon the context of the assessment, and available data. Qualitative analyses are the most common and use descriptors such as “high”, “serious”, “medium,” and “low” for degrees of severity of consequence, likelihood of occurrence, and risk level. Semiquantitative methods use numerical ratings for consequence and likelihood to produce a level of risk, which are based on qualitative descriptive criteria rather than quantitative data. Quantitative analyses which are not as common, use estimated values for consequences and their likelihood producing numerical values of risk in specific units defined in the context. As stated by ANSI/ASSP/ISO 31010, full quantitative analysis may not always be possible or desirable due to insufficient information or the needs of the assessment. In many cases, a comparative semiquantitative or qualitative ranking of risks by qualified assessors is desired for the assessment.
3.10.1 Consequence Analysis
The assessment team determines the nature and type of consequences that could result for exposure to a particular hazard or risk source. A single risk source may produce a number of impacts with various magnitudes (levels of severity) and could affect multiple assets or stakeholders. The assessment’s context determines the types of consequence analyzed and stakeholders affected.
Consideration and direction should be given to how certain impacts will be handled. Some risk sources may present a low severity level of consequence but a high likelihood of occurrence, while others may present a high severity, and a low likelihood of occurrence. An organization’s acceptable level of risk (ALOR) will help determine the priorities for these types of risk. As mentioned in ANSI/ASSP/ISO 31010, it may be appropriate to focus on risks with potentially very severe outcomes such as Fatal and Serious Incident (FSI)‐type consequences, as these are often of greatest concern to managers. In other situations, it may be important to analyze both high and low consequence risks separately. Guidance should be established during the development of the context for such decisions.
3.10.2 Likelihood Analysis
Determining probability or likelihood generally involves: (i) a review of relevant historical data to identify events or situations which have occurred; (ii) predictive‐type techniques such as fault tree analysis and event tree analysis, and; (iii) a structured systematic process guided by a qualified, knowledgeable expert(s). Any available data used should be relevant to the focus of the assessment. Where historical data shows a very low frequency of occurrence, it may be difficult to properly estimate probability. Therefore, it may be necessary to consider exposure frequency, time, and duration to a certain hazard or event in the likelihood analysis.
3.10.3 Assessment of Controls
The adequacy and effectiveness of existing control measures greatly affect the level of risk and must be assessed. This assessment of controls should include determining the type of controls for each specific risk, and a judgment of their effectiveness based on the Hierarchy of Controls. For instance, controls such as permanent or fixed guards (engineering controls) are considered more effective than employee training, warnings (administrative controls), or personal protective equipment. The assessment should ensure existing controls are being applied/operated as intended, and that their effectiveness