My last post was about describing risk, and it would seem to be logical to move to evaluation and scoring, but I’m not going to do that. We’re going to discuss controls.
When we score a risk we do it at least twice. There will always be a score before the application of controls, usually called the inherent score. There will be another after the application of controls (usually called the residual score). As an understanding of control is so fundamental to the understanding of how we score risk, I thought that a summary of “control” would be a more useful and informative next step.
There is immense confusion over the difference between a control, an assurance and an action. But we’ll come back to actions in another post.
A control is something that we can put in place that is either a barrier to the hazard meeting its target or something that, if the hazard does meet the target, reduces the amount of harm that is caused.
The simplest way of understanding this is to consider a very basic health and safety risk. Imagine that you have a machine with an exposed moving cutting surface: a circular saw bench or a chain saw, for example. Now imagine that there is a history of injuries ranging from minor cuts to amputation. The hazard is easy to identify – the moving blade. The risk is easy to describe. There is a risk that the moving blade will injure people because they need to work close to the exposed blade. Although we will move on to evaluation in another post, we don’t need a lesson to realise that incident history shows that this is a pretty serious risk – we are already hurting people. A control might be a guard, a cage or other barrier that prevents the person coming into contact with the blade.
Process as Control
Now take a different type of risk: our fictitious company provides care services in clients’ homes on a 1:1 basis, with staff attending the client’s home alone. There is a risk that we fail to recruit suitable people and our quality of care could be poor or even negligent, resulting in harm to the client and reputational damage to our hypothetical company. The unsuitable recruit is the hazard. The unsuitable recruit may harm the client. The actions of the unsuitable recruit may damage the company’s reputation. Our recruitment process is our control, weeding out unsuitable applicants so that this person is kept away from our potential objects of harm. So in this case, the control is not physical, but a process that is operated by the recruitment team.
What is Not a Control
We should note several points:
- People are not controls – the control is what the person does: it is the process.
- Documents are not controls – you cannot wave a document at a risk and expect it to vanish! We will consider documents in a short while.
- Absolute controls are rare – many people would say fictitious. All controls have failure points, weak areas, gaps etc. Whole books have been written just about that concept; Managing the Risks of Organizational Accidents by James Reason is really good.
In both of our examples, the control attempts to separate the hazard from the object of harm. We can see how we do this in everyday life. When we cross the road we check for traffic to prevent the speeding car hitting us. We ensure that food is not spoiled when we buy it. We store it in a way that will mean that we don’t eat food that will make us ill. These attempt to separate the hazard (the speeding car or the bacteria that cause food poisoning) from the object of harm (us).
Some controls, however, accept that we cannot totally separate the hazard from the object of harm – so we try to reduce the harm. When we travel in a car we use a seatbelt to prevent our head impacting the car in an accident (or at least to prevent us being prosecuted for flouting the seatbelt laws!). When we ride a motorcycle we use a helmet for a similar purpose. So controls can reduce impact or likelihood. This becomes important when we score risk, so we can look for this in a different post.
I did say that documents are never a control, and some people might have a problem with that. “I have insurance”, you might say, “so my insurance policy is a control – it reduces the impact of financial damage”. Absolutely right – but that document is not the insurance. The insurance is an agreement (or policy) between you and the insurance company. The document is simply a statement of the scope of that agreement and the proof that the agreement is in place. So whilst insurance is a control, the insurance documents are an assurance of that control.
Equally, some might point to a binder full of standard operating procedures and say that these are the control. However, we cannot just write a document about process. We need to inform people and train them so that the people involved actually use the process. So the process is the control and the training supports the process (the training is an additional control). The standard operating procedure document, the training materials, attendance registers and certificates of competence are all assurances that the control is in place.
Not unreasonably, many people will suggest that “control is in place” is not good enough. We should establish that the control is effective. Again, this should result in assurances. These may include incident and accident records, audit reports and maintenance records. All are examples of assurances that prove to some degree that the control works. I’m sure you can think of many others.
In general then, a control is a physical barrier or a process we can put in place to keep the hazard away from the object of harm, or reduce the amount of harm caused. An assurance is a document that proves that the control is in place, or that the control is effective.