Mike Watson CMIOSH
Risk management is the process of identifying, assessing and controlling threats to an organization. An organisation means a large, medium or small business either based on a return in terms of financial profit or a non for profit or charitable endeavour. These threats, or risks, could stem from a wide variety of sources, including financial uncertainty, legal liabilities, strategic management errors, operational factors or accidents and natural disasters.
You should also keep in mind that risk management also offers potential positive opportunities and as such the exercise of undertaking business risk assessment is not always a negative one.
Once risks are identified, companies take the appropriate steps to manage them to protect their business. The most common types of risk management techniques include avoidance, mitigation, transfer, and acceptance.
Some of the terms used within risk management are interchangeable, for instance you will come across the term risk which in some cases is referring to the threat or danger and at other times is used to mean the potential that it has for loss. I am sure that managers are able to distinguish each term and quickly understand how the term is being used in each case. But at the time when I was teaching in a classroom the interchangeable terms required some explanation for the sake of clarity.
- Identification: of a threat or potential loss situation
- Risk Assessment: a systematic process of evaluating the potential risks that may be involved in a projected activity or undertaking
- Risk Management: (in business) the forecasting and evaluation of financial risks together with the identification of procedures to avoid or minimize their impact.
- Hazard: anything with the potential to cause harm or loss
- Risk: The chance or potential of something causing harm or loss
- Risk Rating: a calculation of the likelihood of occurrence X Severity of outcome
- Risk Reduction: anything put in place to reduce the harm or loss of a threat
- Risk Control: measures put in place to ensure the hazard is controlled at the level of acceptance
- Monitoring: Checking the progress or quality of the risk control measures
- Review: a formal assessment or examination of the arrangements
- Communication of Risks: a systematic exchange of information
Before we move on into techniques of risk management, I wanted to provide a few simple examples where risk management was used, or not, and the actual outcomes from my experience.
Some simple examples for thought
The risks of smoking Tobacco are high, meaning that the potential of loss of good health are high and if you smoke the ill health effects are very likely, hence the overall risk rating of smoking are high, high in threat and high in the potential. Therefore don’t smoke or be in a situation where you are inhaling other people’s smoke which means that the risk rating falls to very unlikely.
Working at height without the correct work equipment, fall arrest equipment, scaffolding, training and competency would offer the opportunity of a fall as such the threat or potential of a fall are high. The outcome of a fall may result in death or long-term disabilities; therefore, the potential outcome would be high. As such the overall risk rating would be high. The question to be asked is, is the working at height needed, can it be substituted by a safer method, can control measurers be put in place to allow the risk rating to be reduced to unlikely or very unlikely?
In 1999 – 2003 I was Head of Operations and Health & Safety for a medium sized not for profit organisation. We were operating the then Governments Back to Work Programmes New Deal with up to 1000 employees on our books. Part of the contract was an initiative to paint and decorate places of worship and community halls. I put in place a working at height restriction which basically meant that we would not ask our Participants (long-term unemployed) to work at height of more than 2meters. Of course we put everything in place for safety reasons. My risk assessment at that time showed that if all the controls were in place the likelihood of a fall was low and the potential of a lost time injury would be medium. During in the 1000s of hours worked, we never had a fall, but we did have an incident of noncompliance which was dealt with quickly.
Poor management comes with a set of threats some of which are complex. Take for instance poor management control over quality or a standard procedure or a simple method. In the 1990s I owned and operated a small computer supply business. The business grew in its first year in terms of financial turnover, premises and employees. In simple terms we purchased computer components, motherboards, hard drives, interfaces etc and built bespoke PCs. Our biggest client was British Coal which was a simple contract of “build and supply to their specification. The PCs where used at the coal mine entry point to count in and out the men and to operate the lift doors etc. This was a reasonable contract with a profit for us and a quality product for them, backed up with a quality service agreement. Payment terms to our suppliers were 60 days, payment terms to our clients 30 days. You can see that our bank balance was for the most part reasonable but depending on orders coming in. We had just two months of a bank balance for all costs of running the business but with a small overdraft facility. For the most part our PCs sold for £2,500 and our cost was approximately £1,200.
We gained an order from a county council for six PCs and one main frame. Total order value £42,000, our biggest single order to date. To cut a long story short our quality system, such as it was, failed. The mainframe was a high specification and in basic terms we failed to identify a potential mistake by the client when commissioning the mainframe. It was a simple switch, hidden in the main computer case. We had bought the components from the USA, assembled them and tested the system, all was well. However, when the client received the mainframe and tested it the motherboard blew, failing catastrophically damaging it beyond cost effective repair.
Questioning our technician, who was highly qualified, he stated that he had “carried out the checks”, “which he had and were in his head”!. He had completed his checks prior to the equipment leaving our premises. He had no idea why or how the power supply had been switched from UK to USA. “in any case he had tested the equipment prior to packaging”. We never did get the cause of the failure.
The client would not pay and returned the order valued at £42,000 back to us. In the same period British Coal stopped ordering from us preferring to buy from a new, not for profit organisation, and at a much-reduced price.
In summary everything that could have gone wrong did go wrong. It started in my lack of understanding of business management and continued to the point of poor-quality control. The business closed due to cashflow, but the route cause was a poor business mode.
Opportunities from threats
During 1992 – 1993 I was employed by a company based in New York city, USA. The owner was an entrepreneur and a risk taker. He told me that one of his income streams was to buy precious or rare metals contained in scrap materials and sell them to a processing company who would then extract the precious and rare metals ready for resale. Money was to be made along the chain. A dock worker strike in a port of New York meant that his 20-tonne containment of scrap materials containing low percentages of Beryllium was trapped on the dock side and causing him anxiety because he had a contract with a processing company which would now be late in delivery. Further to this he was having to pay weeks of storage at the dock. However, it turned out that the weeks of storage were actually an opportunity rather than a threat. The price of Beryllium went up and far outweighed the cost of additional storage. His contract was safe and profitable.
The element beryllium is a grey metal that is stronger than steel and lighter than aluminium. Its physical properties of great strength-to-weight, high melting point, excellent thermal stability and conductivity, reflectivity, and transparency to X-rays make it an essential material in the aerospace, telecommunications, information technology, defence, medical, and nuclear industries. Beryllium is classified as a strategic and critical material by the U.S. Department of Defense. Reference Wikipedia.
Having put risk management into some context we can start to answer some of the questions raised in the subject.
The term business risks refers to the possibility of a commercial business or other making inadequate profits (or even losses) due to unforeseen threats or market uncertainties – for example: changing preferences of consumers, withdraw of labour, increased competition, changes in government policy, changes in or disruption in supply chains, incidents & accidents in the workplace such as a fire or large scale illness or none compliance of legal requirements.
For example, a company may face different risks in production, risks due to irregular supply of raw materials, or machinery breakdown. In marketing, risks may arise due to fluctuations in market prices, changing trends and fashions, errors in sales forecasting, etc. In addition, there may be loss of assets of the firm due to fire, flood, earthquakes, riots or war and political unrest which may cause unwanted interruptions in the business operations. As such business risks may take place in different forms depending upon the nature of a company and its production.
Business risks can arise due to the influence by two major risks: internal risks (risks arising from the events taking place within the organisation) and external risks (risks arising from the events taking place outside the organisation)
Internal risks arise from factors such as:
- human factors (talent management, strikes)
- technological factors (emerging technologies)
- physical factors (failure of machines, fire or theft)
- operational factors (access to credit, cost cutting, advertisement)
External risks arise from factor such as:
- economic factors (market risks, pricing pressure)
- natural factors (floods, earthquakes, disease)
- political factors (compliance demands, and regulations imposed by governments)
From this point on I will use the terms that I generally use. Below is an overview of the steps I have taken when undertaking an audit of a company’s threats and the management of those threats.
In this example I was contracted by a medium sized NHS Trust. Their Risk Manager had contacted our office and asked if we could present an overview of our services. They also explained that they had had a visit from the HSE and while the findings of the inspection had some positives, the HSE noted a list of improvements that required actions to be taken including a need for an improved health and safety policy.
A contract was on offer from the Trust and it became clear through our talks that they wanted a company and a consultant that would work with them rather than for them.
It would have been easy to deal with the immediate issue, a weak non compliant health and safety policy and arrangements and leave it at that. However having spent a three hour meeting with the Trusts Clinical Risk Manager it was clear that they had little in place with regards to safety management.
My first action was to draw up a contract with them and a covering letter to be presented to the HSE inspectors. The letter simply laid out my competencies, qualifications and experience and included my Chartered membership of Institution of Occupational Safety & Health (IOSH). The letter also stated that a first draft of the Trusts policy would be available within 28 days and would include an arrangement for me as the named Competent person for health & safety matters. This action reduced the immediate threat of a formal Improvement notice and possible Prohibition notice.
I now had a desk at the Trust and was now meeting the Clinical Risk Manager on a weekly basis. At that time as a consultant I would advise clients to assign a staff member who would work alongside me and learn, the aim was to build their own competent health and safety advisor. I was assigned one of the coordinators of the clinical administration team who was keen to learn and had an interest in the subject. I enrolled her on the IOSH Managing Safely certificate which was a classroom course I was tutoring and following this I enrolled her on the NEBOSH National General certificate via eLearning, again I was an online tutor.
Within the first week I drew up a draft H&S policy with arrangements and responsibilities. This draft was considered by the Trusts Board and each section was reviewed by them, they had a lot to consider as they went through the draft, assigning duties to named members of staff etc, however my arrangements section gave them pointers at each step. They took just 30 days to have a suitable and compliant policy and arrangements in place. It was specific to them and their sector. This policy was presented to the HSE Inspector who having considered the policy and discussing each aspect stated that he would visit them at some point in the future, date to be arranged. From my desk I now had a better understanding of my clients and what they did.
During the first 28 days of my contract I undertook a desk top audit of the safety files. My audit showed areas of compliance and noncompliance across the Trust in terms of health & safety. I then met with management and other staff such as nurses, reception and cleaners etc. This is part of the identification of risk process that I go through. I am looking for significant risks in terms of noncompliance of the Health & Safety at Work Act 1974 and of the pertinent regulations. The Trusts safety record was good in terms of accidents and incidents with few recorded accidents and just one lost time reportable injury in the past 12 months.
In place was a vast set of risk assessments and safe working methods for the clinical activities, however the Trust was missing one important aspect of any safety management standard, audits and inspections. The Trust had three hospital sites, one large administration building and 17 doctors’ surgeries spread across the region. I was unable to find any inspection reports for any of the premises. In place were the statutory inspections of work equipment and inspection reports for passenger lifts etc but no reports of work areas and public areas.
In agreement with the Trust I laid out an inspection protocol and timetable. I had permission to visit each of their places of work and entry into each area. Using a prepopulated inspection template, I visited and inspected every office, ward, and even a morgue. At times I was accompanied by the Clinical Risk Manager who would explain a treatment process and examining equipment. I learned a great deal of the Care work of the Trust.
What was clear to me at this point was the Trust had engaged the services of a consultant perhaps two years earlier. It appeared from talking these matters through and researching the safety files that the consulting company had come in, done their job and walked away with very little consultation. It was also clear that the Trust had very competent people who were experts in their subject including risk, however they did not know the regulations and what was required to comply with them.
At this point I have an action list that is prioritised in terms of what non-compliance and a list of actions required to prevent loss in terms of accidents. What was needed now was an action plan dealing with each of these.
Within the section above I am providing a real case example of the Risk Identification methods I used at that time.
- Status meetings
- Research including consultation
- Audits and Inspections
You can use these methods for identifying a broad range of business risks. Financial risk identification would vary depending on the situation. There are many other techniques that are proactive and reactive. These are discussed in a separate blog and are useful in your learning.
Having an action plan in place with a prioritised list of threats to the Trust I started the process of writing the risk assessments that would enable me and the Trust to firstly risk rate the threat and secondly what and who might be lost or harmed by the threat.
It is important that not only do we identify threats but that we also determine their cause and related consequence. Once this has been carried out, then we determine which are the most serious in terms of probability of occurrence and the severity of impact.
From my desk top audit of the safety files it was clear that some basic noncompliance’s required attention. I will discuss here what they did not have in place. My reason for this is that they had a great deal in place complying with a range of Care regulations and work equipment.
Threat Priority Considerations including matters of non-compliance
- Health & Safety Policy including arrangements and responsibility sections. This was dealt with quickly and the policy was distributed to all stakeholders.
- Named Competent Person. I was named within the policy as the competent person for health and safety matters.
The main issue that became apparent within the first two months of the contract was that the Trust was missing a key member of staff. What they needed in the longer term was a Health, Safety and Security Manager.
Within four months I put in place a safety management system, basic in its approach but which met the legal requirements in terms of the audits and inspections and a range of risk assessments, some of these were generic and some specific.
At a Board meeting I proposed that the Trust recruited a full time member of their staff in the position of HSE & Security. The Trust had already been considering because it was to merge with a second trust with an increase in staff and infrastructure.
Working with the Clinical Risk Manager (CRM) we developed a job description and a person specification for this new post. Within 60 days we were interviewing prospective candidates. My contract ended with the trust just 30 days later with the new member of staff in place.
Some weeks later I got a call from CRM asking what I would do in a situation were the main office block was flooding. The local area was indeed under one meter of flood water from heavy rain. The office block was of six stories with some 200 staff. I suggested that if they could get out safely then they should do so. Failing that they should all be gathered on the first and second floors and await rescue.
I thought I had thought of everything during my time with them, but the geographical area of the main office building, which had not had any flooding for 100 years, proved me wrong.
In my next blog I will provide an overview of risk assessment in practice