Organisations are vulnerable from any failures of their day-to-day risk controls, which can lead to serious consequences that will have a significant impact on their financial bottom line, from fatalities, plant damage, loss of image, etc. that may potentially cost them thousands or even millions of dollars. Trevor Kletz once said, “if you think safety is expensive try a serious incident”.
Process safety risk assessment is a critical tool that must be used to help an organisation identify its potential operational risks and determine what effective preventative and/or mitigative process risk controls need to be put in place and subsequently maintained on a day-to-day basis to ensure continued safe operations. By carrying out competent process risk assessments, an organisation is better placed to make positive judgements regarding controlling operational risks and, therefore, leading to achieving their risk management and HSE policy objectives.
The step-by-step assessment process of identifying, analysing, evaluating and treating operational risks is set out in the international risk management standard ISO 31000:2009. This process is illustrated in Figure 1.
Figure 1: step-by-step risk assessment process
Risk assessment provides an organisation with realistic, evidence-based information and analysis to allow management to make informed and competent decisions on how to effectively control their operational risks to an acceptable and/or tolerable level, in accordance with the ALARP (as low as reasonably practicable) concept. Using a consistent and structured approach to risk assessment allows those carrying out risk assessments to better understand how to prioritise risk levels and determine the risks that are judged as significant and, therefore, requires additional risk treatment to ensure they are reduced to an acceptable and/or tolerable level.
With the passage of time and changes in staff, previous recommendations made to implement additional risk controls after an incident has occurred are forgotten and/or have not been communicated to other key departments or parts of the organisation. Organisations have no memory; only people have the memories, and they take these memories with them when they move on. The key message here is the inability or organisations to learn and retain in the long-term, lessons drawn from serious incidents. Thus, the incidents of similar types and with serious consequences recur within the same organisation at intervals of several years or so.
Hazards are the source of risk. Therefore, it is important to identify existing and potential hazards and their associated risks. There is a wide range of risk assessment methods available for us to use in identifying these hazards and risks. ISO 31010:2011 sets out numerous risk assessment methods, tools and examples, including the Bow-Tie; HAZOP; Root Cause Analysis; Process Hazard Analysis; Cause & Consequence Analysis; Fault Tree Analysis; Failure Mode & Effects Analysis; Event Tree Analysis; and many more qualitative and quantitative risk assessment methods and tools.
In summary – Organisations must ensure that they fully understand the risk assessment process and be able to competently follow the six step-by-step approach, as set out above and in the risk management standard ISO/IEC 31000:2009 to ensure that all operational risks are identified and effectively controlled on a day-to-day basis. Risk assessment is the prime business foundation that organisations need to build on to fully protect their company from costly and damaging incidents occurring, which will potentially significantly diminish the ability of the business to be able to survive its consequences.