All organisations face safety risk to varying degrees. And a considerable amount of resources are spent on risk management processes designed to identify, analyse, and control workplace safety hazards. But how well do organisations control critical risks?
Critical risks are defined as events that can cause grave damage to a business operation, or result in worker fatality or permanent disability. Situations where if a control is lost, a worker may be killed. These ‘low probability, extreme consequence’ events can get overlooked within risk management processes because they seem improbable, or difficult to mitigate.
In order to get a better understanding of how organisations treat critical risks, myosh sat down with Risk Management expert David Turner who stressed the need for correct risk identification and ownership.
Turner said many businesses have trouble prioritising risk, and can fall into the trap of focusing on low impact risks that are cheap and easy to address. On top of this, organisations often dismiss critical risks as unlikely, or build them into their acceptable risk framework.
David Turner is a senior business executive and trusted advisor with over 20 years’ experience in the risk management industry. David has a unique blend of expertise across diverse areas with a focus on risk management of human behaviour – one of the more complex, dynamic and often overlooked areas of the industry. A strong leader, David has played critical roles in significant projects across Australia and New Zealand.
David currently advises global corporations within the business, governance, government, construction, and critical infrastructure sectors on pertinent risk issues such as change management, legal liability, client management and customer service, and leadership and process.
How do you distinguish critical risks from other operational risks businesses face?
“I do this by identifying priority risks/high risks and ensuring they are placed into a specific category (so they are clearly defined), then mitigated by priority and placing the best risk owner against that risk.”
“If we place these risks into a general risk register (or the like) they are usually not given the attention required, hence creating a larger risk and threat as time moves along.”
“Accountability and clear actions to mitigate and control is crucial, and more regular meetings on critical risk status are needed to maintain momentum. In the end, it’s about people, show them the value, what is in it for themselves, and make it easy and you will gain traction, if we don’t, then it will just be another chore and this will heighten the overall risk.”
In your experience, how well do businesses understand the need to control critical risks?
“From my experience generally businesses know they need to control critical risks first, (however this is sometimes also prompted through the risk of legal liability and potential reputational damage).”
“The problem can be that businesses do not, or cannot identify correctly all critical risks and they lack the ability to prioritise accordingly, this can be from lack of critical risk identification knowledge, or, lack of internal support reference time and resources (usually the latter).”
Are businesses too focused on ‘high probability, low impact risks’ such as slips and trips?
“Yes I think generally this is true, and there are a couple of reasons. First; these risks are easy, meaning little time, effort, and thought is required to address them – which equals less money and resources.”
“Second; usually the other risks (including critical risks) can be what actually makes an organisation work. For example, long haul drivers, teachers with too many students, pilots flying long hours, bullying, peer pressure in the workplace, and the need to either build something quickly to gain income.”
“When we have risks (higher risks) like these, sometimes we decrease or ignore the critical risks (instead of taking time and effort to address correctly) to get the job done, and we name these risks as either highly unlikely, an act of god, or as an acceptable risk to the organisation. You see, we can adjust, bend and fit critical risk to suit our bottom line.”
Do you subscribe to a particular method of managing critical risks?
“Identify and change the key habit that produces and encourages the critical risk to continue, along with ownership, regular attention, and admitting there are critical risks.”
“The tone is set at the top and this is the most successful way to manage critical risks downward and across. Obtain buy-in from people and show the value, and most importantly identify the habit/circuit breaker that is the root cause of a critical risk and change that habit.”
So you believe upper management should be actively involved in the risk mitigation effort?
“Organisations must set the tone from the top, and show the value to the workers, and make it as simple as possible. Encourage (and demand) accountability and ownership.”
“Upper management is key and usually where the needed action does not occur.”
Immotus Principal Consultant Mark Alston, who recently conducted a webinar with myosh called Investigations Differently, said that while it was important for an organisation to identify its critical risks, it was equally as important to implement effective ‘critical controls’ to manage these risks.
A ‘Critical Control’ is a control, alone or in conjunction with others, that can prevent, eliminate or reduce to acceptable levels the likelihood and/or impact of a critical risk event. It’s important to note that there may be more than one critical control for a single critical risk.
“When Critical Controls are designed correctly and implemented 100 per cent of the time, they prevent a Fatality or other critical risk,” Mark said.
“Critical controls must be designed to ensure their effectiveness through the complex variability of normal work and when designed effectively, can allow an organisation to safely fail. As such, administrative controls are rarely effective as critical controls.”
Risk Management Systems assist organisations by producing leading indicators and scheduling auditing and reporting processes. Dashboards then provide a clear visual representation of how each critical risk and control is performing, which can be quickly analysed and shared. The myosh Risk Assessment module enables you to accurately establish and evaluate risk. Once identified, risks can be assessed, rated, and tracked.
An effective Hazard Management System also helps an organisation to build its risk profile. There are 4 steps that help to build a company’s risk profile – Hazard Identification, Risk Assessment, Control, and Review. The myosh Hazard Management module guides the user through a proactive process that enables continuous improvement and risk reduction in your business.