R is for Risk Management

Risk management is a business process rather than a safety process – it affects all areas of your business. I like to use this equation:

Risk = Opportunity + Instinct

and your ROI = Reward

The first step in risk management is to identify all the hazards applicable to the organisation. They should be logged in a risk register, grouped under the main headings of financial, operational, people/knowledge, and reputation. Safety, health, environmental and fire (SHEF) issues would normally come under operations.

When the risks have been identified, you need to assess and prioritise the risks. Every organisation is unique so what may be high priority to one organisation may be insignificant to another. For instance, a cold wet summer may be listed as high risk for an ice cream factory, but won’t affect a car manufacturer, and may be a real advantage to a shop that sells umbrellas!

Each risk should be assessed for the likelihood of the incident occurring and the severity of the outcome should it occur. Scoring both on a simple scale and combining them lets you categorise each risk as high, medium or low.

Each risk should then be weighted and prioritised. A risk categorised as low or medium may still need to be reprioritised upwards because of its bearing on the strategic purpose of the organisation.

The next step is identifying how to control each risk, starting with the highest priority.

Control measures follow a simple hierarchy of actions:

  • Do we have to do it at all? In other words, could that particular risk be removed altogether?
  • Can we substitute it with something else? Is there a better way of doing this?
  • Can we engineer or design the risk out, usually by improving or changing the equipment?
  • Can it be managed out through the provision of information, instruction, training and supervision?

When all this has been done there may still be some residual risk – can you just live with it?

There is another option: transfer the risk to someone else, such as an insurance company. In some cases you can contract the job out, but that does not necessarily remove the organisation's responsibility for the risk.


Risk control should also consider emergency response and business continuity: not just the immediate effect should the risk occur, but also the long-term impact.

Finally, it's essential to investigate failures. An incident indicates a failure in the process, so a root cause analysis establishing what caused it gives you valuable information with which to reassess the risk. At this point you start at the beginning of the process again.

Rather than a circular process, it's a spiral that improves at each circuit.