My last post was about action planning, and I concluded by saying “a good resolution for 2015 would be to put into action the risk assessments that you did in 2014”.
One piece of feedback that I received was about the quality of the risk assessments that were performed. My contributor was making the point that some people concluded a discussion about a contentious work topic with “I’ve done a risk assessment”. Somehow, as if by magic, they seem to feel that this would solve the problem and conclude the conversation. This was exactly the issue that I was covering in my post. However, my contributor continued that the quality of the risk assessment was never discussed and this was vital.
That comment resonates with my own experience. A poorly conducted risk assessment can run into a number of problems. I have experienced both the frustration and the futility that go along with poorly written risk assessments. I will cover a number of the pitfalls in conducting a good risk assessment in future posts. For now I’ll cover how people describe the risk that they are evaluating.
Risk Assessments are Poor at Describing Risk
Many risk assessments aren’t describing risk at all – odd but true. There should be a “Risk Description” field in the risk assessment and in my experience this is always completed. However, the description that is submitted doesn’t communicate the risk. Instead, it often describes a problem being experienced by the risk assessor.
So we might see a risk expressed as “We do not issue electronic invoices”. This is not a risk. The author may have a real risk in mind. It could be that electronic invoices are standard in our industry and so we are losing customers. It could be that the customer receives a printed invoice and transcription errors are causing incorrect or late payment. But neither is being described.
General health and safety risk assessments are often worse. The descriptor might say “Sulphuric Acid”, which is a hazard (i.e. it has the potential to cause harm). But it is not a risk (i.e. the probability of actually causing harm). The difference between a hazard and a risk is quite important. We can reduce risk by changing control measures, but a hazard is a constant. So, with our sulphuric acid example, the hazard is sulphuric acid; it is either there or it is not – this does not tell us if there is any risk. The volume of acid, its concentration, manner of use and the environment in which we use it are all contextual contributors to the understanding of the risk. (My health and safety professional colleagues would note here that a COSHH risk assessment would do all this for you).
What is the Consequence?
Equally, we need to know what the consequence is. Are people going to be harmed by this sulphuric acid? Are we concerned about property damage? Is the risk that we might need to evacuate and interrupt our production line? Without a consequence in there, it is difficult to understand the risk.
So a risk assessment must describe both the consequence and the context. What is the real issue and how does it arise? This seems very simple, but is rarely achieved.
The Man on the Clapham Omnibus
The other issue with describing risks is that we tend to write them in jargon. How many of us have seen risks such as “Plugging drill string with LCM”? I’m sure that there is a risk in there, but I have not the first clue what the risk might be. By the way, I got this one from a website, which will remain nameless, that says that it gives examples of good risk management practice!
There is a principle in English law which the court uses as a test where it is necessary to decide whether a party has acted as a reasonable person would. It was first used in the 1903 English Court of Appeal libel case, McQuire v. Western Morning News, and is the concept of “the man on the Clapham omnibus”. This hypothetical man is fair-minded, intelligent and reasonably well educated. I am going to borrow this person (it need not be a man) and suggest that this person will be reading your risk assessment. Despite being reasonably well educated, they are unlikely to have a technical knowledge of the specialisms involved and, as such, we must not use language that is too technical; we should explain acronyms and generally express the risk as that person would understand it.
If we describe the consequence and the context of our risk in a way that can be generally understood by a reasonable person, then we have a reasonable chance of describing risk to those that need to act upon it.
Using a Simple Format
To help with this there is a simple format that can be used in describing risk: “There is a risk that X, which is caused by Y and results in Z”. It is useful to think about all three variables, even though this might be overkill for many risks: you might not need both Y and Z, as the risk is adequately described using just X and Y or just X and Z. So for our electronic invoice issue the risk might be described as “There is a risk that we lose customers caused by our failure to meet industry expectations of electronic invoicing”. In this instance we didn’t need Z as the risk is adequately described by X and Y.
We might describe the risk from our sulphuric acid hazard as “There is a risk that staff might suffer sulphuric acid burns caused by concentrated acid leaking from the corroded large volume storage cylinder in the goods yard resulting in loss of staff, litigation and industrial action”. That says a bit more than “Sulphuric Acid”, doesn’t it?
Gaining the Support of Decision Makers
Now imagine your risk being reviewed by the board. You will understand that urgent action needs to be taken to resolve the problem of the corroded sulphuric acid storage tank. The folk in that board meeting are unlikely to be familiar with the problem, and even less likely to understand that from your risk description; “Sulphuric Acid” as a risk descriptor is unlikely to gain much support.
So getting the risk description right is key. It doesn’t need to be a Shakespearian sonnet, just a good description of the risk, with consequence and context that is understandable to a reasonably educated person. If we can do this we are well on the way to having a good basic risk assessment.