Risk engineer and management consultant in risk control, Associate Professor Derek Viner, talks about the need to both identify risks and maintain a risk inventory to track them long-term. He also discusses managing risks using a hazard management plan, understanding levels of control, and the need for different approaches to managing general and operational risks.
Who is this seminar for?
This podcast is especially useful for employers and managers, WHS professionals, regulators, WHS researchers, union and industry association WHS advisors.
About the presenter
Associate Professor Derek Viner is a consulting risk engineer and management consultant in risk control. He has contributed courses in risk at Swinburne University of Technology for over 20 years, and is an Associate Professor with Central Queensland University. A major focus of his work has been on the practical application of knowledge to manage risk in the workplace.
The interviewer is Safe Work Australia’s Dr Howard Morris.
- Model Code of Practice: How to Manage Work Health and Safety Risks, Safe Work Australia
- Handbook of Good Work Design Principles, Safe Work Australia
- Occupational Risk Control: Predicting and Preventing the Unwanted by Derek Viner (2015), Routledge
“Dr Morris:” Howard Morris, Interviewer
"Mr Viner:" Derek Viner, Interviewee
Start of Transcript
Welcome to today’s discussion on work health and safety risk as part of Safe Work Australia’s virtual seminar series. I’m Howard Morris of Safe Work Australia, and I’d first like to acknowledge the traditional custodians of the land on which we meet, the Ngunnawal people, and recognise and respect their continuing culture and the contribution they make to this city and to this region.
It’s my very great pleasure to introduce Associate Professor Derek Viner. Derek is a consulting risk engineer and a management consultant in risk control. Derek has contributed courses in risk for the Faculty of Science, Engineering and Technology at Swinburne University of Technology for over 20 years. He is also an Associate Professor with Central Queensland University.
A major focus of Derek’s work throughout his career has been on the very practical application of knowledge and skill to manage issues around risk in the workplace. So while Derek has a very strong academic background, he comes with a very strong practical component to the application of the work, and it’s great to have him here today. So welcome Derek, and thank you for participating in Safe Work Australia’s virtual seminar series.
To start the discussion today Derek, sometimes work health and safety risk management can be seen to be a complex activity. Is there a way to simplify our understanding of risk management and its aims to help us apply it effectively in practice?
Well thanks for the good question Howard, and thank you for your introduction and welcome. I think it is important, particularly for senior executive management, to have a very simplified view of risk management, because it’s so easy to get engrossed in the complexity of it. This complexity is important in the implementation of particular things in the workplace, but not particularly valuable or useful when it comes to having a strategic view.
I think it is possible to simplify the strategic view quite significantly, and now you’ve asked me to respond as to how I might do this, I think it can be simply said that the primary goal of the organisation is to both achieve and then maintain required standards of risk control. Now of course that simple statement can be applied to any of the risks in the organisation, and one needs to understand a little bit about what is meant by required standards of risk control, and of course what I think of as a required standard of risk control as being one which satisfies legal obligations, one that could be presented with some confidence in a court of law in the event that something did go wrong, to convince the court that in fact you were a responsible organisation that had in fact been doing what was necessary.
I think it’s important to realise with risk that absolute prevention isn’t normally one of our options, and so we need to recognise that even doing absolutely the right thing, at times something may well go wrong and the organisation suffers an adverse outcome as a result of it. So understanding what the required standards are for each risk, and doing what one can to achieve those required standards is important. Doing what one can depends a bit on how much you can afford and what the capital or operational cost is of actually reaching those required standards. That decision making process helps one to understand how the general principles of understanding what’s required applies to the particular circumstances of the organisation which you’re managing.
Then the second part of it is to maintain those standards of risk control. That’s quite a challenging thing to do in some respects, but not if you have it in your mind as a task that does need to be achieved. The maintenance of standards of risk control really just involves people in the organisation doing the things they do but recognising that they need to include aspects of risk controls. Who in the organisation? Well it’s your maintenance organisation, it’s your training organisation, it’s your human resources people, it’s your procurement staff, it’s line managers in operating parts of the organisation and so on that maintain these. If there’s any particular challenge, I must say it is that these things need to be maintained over a long period of time, not just over the next year or two or three.
So that’s a simple way of looking I think at the goals of a risk management program Howard.
Thanks Derek. In some organisations risk management and work health and safety activities can be managed separately. What’s your experience of this situation?
Yes. Not a very happy experience I must say. I have certainly worked with organisations where there is a workplace health and safety and possibly environment part of the organisation as well as a risk management one, and the two tend to be located in different parts of the organisation. Workplace health and safety typically is located where operating things are happening, and risks actually arise of a physical sort that might affect people and the environment. Whereas the risk management part of an organisation often resides somewhere in head office probably, may be located in the finance or treasury area, may involve a board risk management committee oversighting its operations and so on.
So two very different places in the organisation, and while the risk management part of the organisation has an interest in risks that go beyond health and safety, and rightly so, it also has an interest in risks involving health and safety, because boards are very conscious of the responsibilities that they have in this area. So this shouldn’t be a problem, but it can be at times. Apart from the two different locations of the two different functions, if you look at the principles of what one is trying to do in promoting work health and safety and what one is trying to do in promoting better risk management in an organisation, the underlying principles and theory are identical. It’s all about risk, and risk is all about the potential for something adverse going on in the context that we’re talking about here, which is pure risk.
So the underlying principles are clearly the same, but the underlying practices are often somewhat at odds with one another. I have been in organisations where the workplace health and safety team are promoting one understanding of risk registers for example, and the risk management group are promoting and in fact have ownership of risk registers, but they think of risk registers using a completely different philosophy. So if the philosophy that is used to underlie the activities of the risk management team and the workplace health and safety team appear to be incompatible, we have a situation of confusion when we look at the customers in the organisation if you like for the services of these two different functions of workplace health and safety and risk management.
I have seen that. I have seen people at an operating and an engineering management level who are being subjected to the influence of workplace health and safety on one side and the influence of risk management on the other side, and the two are incompatible and leading to confusion, and I must say not to a particularly good reputation to be established by either of these two functions in the organisation. So unfortunately it can cause confusion, and it really doesn’t need to be, because the underlying principles are identical. I think that if you get your principles right, then the process follows from that and the language follows from the principles that you’re working under as well. People start to talk about things in the same way using the same language. They start to talk about the same processes. This conflict or confusion is by no means an essential result of having a workplace health and safety and a risk management team working separately.
Thanks Derek. Following on from this, we might now think about how to manage risk in practice. Is there advice that you can provide for senior executives and senior managers on effective approaches they can use to promote and oversee risk management in their companies?
Thank you. A challenging question also. I think there is. I think that first of all, despite what I’ve just said, I do think it’s terribly important for senior executive management in an organisation to separate in their own minds the practices that they’re going to apply to or they’re going to encourage or they will see being applied to what I call general occupational health and safety, and those practices that they will encourage hopefully in the area of what I call operational health and safety.
I need to just quickly define what I mean there if you like. General health and safety is health and safety activities directed at hazards which are very common. Most organisations for example have standard 240 volt electricity in their offices. That’s a general health and safety matter. Some organisations actually generate electricity or they transmit it or distribute it, and they’re handling electricity at significantly higher voltages and in completely different applications of technology. That same hazard of electricity exists in sufficient quantities and is so utterly tied up with the function of the operation that it needs to be managed by specialist people, and that’s what I call operational risks.
In other organisations like flying operations for example, operational risks are clearly the operation of aircraft. In a petrol refinery it’s clearly the large quantities of very flammable liquids and gases which are to be found there. Whereas even your average transport operation has flammable liquids in it, possibly it operates on gas, but the circumstances are more routine and more simple.
I think it’s terribly important that managers don’t assume that the practices of their generalist health and safety people can be just read across to the operational risks. There have been examples in recent times which I rightly or wrongly see as being largely a consequence of this. What am I talking about? CEOs who are very proud of their very low lost time injury frequency rate, which is a measure used by generalist health and safety people. Whereas in the background their management of operational risks is deteriorating unrecognised to the point where suddenly they have a significant disaster on their hands which pretty much threatens the life of their organisation.
We’ve also seen, or I’ve also seen particularly in my career and we have seen recently in some disasters which have been well publicised in the press, situations that if the operational managers of a plant had some understanding, some better understanding of the fundamental processes of risk analysis and risk management, should never have happened.
Most of the valuable methods and techniques that are available in risk analysis and risk management to my mind have originated in the needs of the aerospace and the petrochemical industry. Some of these have been very much adopted recently by generalist health and safety people, and made use of for their own reasons not necessarily in a particularly skilful manner. I think it’s very important that senior executive management ensure that these aren’t then imported back into the operational risk area where the changes that have been made to them and the changes to the understanding of them may really have rendered them inappropriate for use in the operational risk area.
So a short summary of that, definitely please separate out the operational risk from the general risk in the management of the organisation.
Thank you Derek. So it’s important to manage general and operational risks differently. Now I understand you have issues in relation to use of the risk matrix. Can you explain these please, and how this impacts on the capability to manage general and operational risks differently?
Thank you. Yes, I’d like to have this opportunity. My concerns with the risk matrix Howard are threefold really. I think it can be simplified in that way. The first one is that I think it’s a misdirected effort. In an earlier question, maybe the first question, you asked me what I thought the goal was and I said it was to achieve the right standards of risk control. The goal is in no way to try to work out what level of risk are we managing here. That’s not what legislative obligations in workplace health and safety are asking of us. They’re asking of us to achieve the right level of risk.
So trying to estimate the level of risk in a matrix is not actually what’s required of us, and using a matrix to then determine what management effort is needed as a result of that estimation is just building on to something which shouldn’t have a foundation at all. So number one it’s misdirected efforts, not what we’re here to do.
Number two, it’s not a suitable tool for the estimation of risk. It’s not possible to judge what likelihood is on a simple word scale with any meaning at all. Likelihood is a synonym for probability. It’s sometimes used as a synonym also for frequency. The two things are different. I won’t go into the differences now, but the two are related by exposure to the circumstances in which it could happen. In using scales of likelihood, one is not giving explicit recognition to this fact, and the word scales and their explanations sometimes confuse probability and frequency in any event.
The second point is that a simple matrix doesn’t adequately represent what is in reality a logarithmic relationship between likelihood and consequence value. In asking somebody to make use of the matrix in order to pick a single cell in the matrix, that’s also a misunderstanding of what risk is. Risk is actually a relationship between frequency and consequence value. It’s what people commonly now understand is the occurrence of high frequency but low consequence things, but low frequency and high consequence things from the same risk. So risk is the relationship. The matrix doesn’t help to make this evident, and so it’s often incorrectly used.
The third point I’d like to make about it is that my own research, and both formal research and anecdotal experience in industry, is that the risk matrix is incapable of consistent use, either between groups of people or individuals, or even from the same person over a period of time. So I think those are three fairly significant reasons why the risk matrix is not something which should be the focus of activity.
In the context of managing operational risks separately or distinctly differently from general risks, I think the use of the risk matrix to actually make what are operational risk decisions is particularly unfortunate. I have spoken to a number of engineers working in industry who are actually quite concerned that because of the lack of any other tool that’s available to them, their senior executives are making use of the risk matrix to justify expenditure of significant sums of money which a rational engineering assessment would quite possibly say was a waste of money. Now this is important, because money that is spent unwisely on risk could actually be better spent wisely on risk.
So risk management should be aiming to actually make the organisation more efficient in the face of uncertainty, not less efficient in the face of uncertainty. I think that there is a very definite need for a nationally accepted practice, protocol or something like that which would give senior executive management a sense of confidence that the processes that they were using to make significant risk related expenditure decisions was a process which was recognised and approved in our country. I would really like to see something like that happen.
Thank you Derek. You’ve highlighted a number of issues with the use of a risk matrix. So what is an alternative approach that can be used to manage work health and safety risk?
Right. Yes. One needs to provide something in place of that. The risk matrix appears to me to be used broadly, and wherever anything is being done you’ve got to risk assess it so to speak. That process of decision making about adequacy of controls is then taken down to the level at which the risk matrix is being used. Now that level may not be the right level in the organisation at which to decide on the adequacy of the level of controls, because the responsibility for it certainly doesn’t lie with the people who are typically using the risk matrix. Depending on how bad it might be, the responsibility actually could reside at the CEO level or even the board. Just read your newspapers recently.
So you’ve got to put something else into the process, and my belief is that what needs to go into the process is a top down view of where these decisions are best made and by whom and with what level of information. From a tactical point of view at a senior executive management level I think there is a need for some simple things. One is an inventory of risks. You’ve got to know what it is you’re dealing with. This inventory needs to be sensibly developed. It’s not thousands and thousands. There are not thousands and thousands. Risk is not a synonym for probability or likelihood in the context in which we’re talking about it. So a sensible inventory of risks. In many organisations I would have thought 40, 50 maybe maximum, depending on the amount of technology changes involved.
Secondly there needs to be a process for periodic review of the adequacy of the control measures that have been identified in the inventory, because requirements for the standards of control measures change as community standards and technology available changes.
Thirdly there needs to be a conscious effort to maintain those risk control measures. Of course I’m going back over an answer to an earlier question here aren’t I? Lastly, ensuring that that approach remains constant over a time scale measured in decades, not just the interval between CEO appointments. In other words that there exists a really good corporate memory so that the next CEO who comes in knows what the organisation is doing here and keeps a steady course rather than just starting from scratch, which seems to happen in quite a few organisations.
So I think that these are the things that need to replace the use of the risk matrix. There are some few situations in which decisions about what risk controls should be implemented could benefit from a cost benefit analysis if you like or from assessment of the actual level of risk that is being managed in the first place. I like to think of the idea simply that some aspects of risk control measures are in the must do category, because regulations and codes of practice say you must do them. Some are in the should do category, and that applies to ideas that you might find in a standard or a code of practice which has not actually been imported if you like into a regulation. It’s there as an advisory thing. Those are the must dos and the should dos.
Now over and beyond them one has could do situations. You could also do XYZ, and if you inform yourself on the way in which decisions are made in common law courts about the safe place and the safe system of work and so on and so forth, then it becomes possible to understand that control strategies which don’t exist in regulations, they don’t exist in codes of practice or guidance notes or common industry practice but nevertheless exist as possibilities, are in some circumstances required in order to make a responsible decision. It’s in that situation that the variables associated with making reasonably practicable decisions particularly kick in, and those are the likelihood of this happening, the ease with which it could be controlled, the cost of controlling it, the difficulty of controlling it. All of those decisions can then – you’re being allowed if you like to make decisions on that basis if it’s neither a must do nor a should do activity.
So in that last could do area of risk control decision making, one needs to understand the cost benefit approach to this so that one is using appropriate tools for making decisions involving significant amounts of money, and further that those decisions are actually being made at an appropriate level of management, the level of management that would in fact be held responsible in the organisation if the foreseeable likely worst consequence arose from this particular risk.
So briefly that I think is the process and the understanding that should replace the use of the risk matrix.
Thanks Derek. Actually building on that, how can we promote cooperation on an industry wide basis to help companies in this way to manage health and safety?
It’s very important for industries to work cooperatively for a number of reasons. One is a theoretical reason, and that is that we’re talking about low probability things happening that produce serious outcomes. A better way to understand such low probability things is to increase our exposure to them. Let me put that another way. Five mining companies will have much more experience – which is what I mean by exposure to situations – and be able to learn from one another in a way that one mining company won’t. So what to one mining company might be a disaster that happens every ten years, to ten mining companies it might be a disaster that happens every year.
I’m sure you can understand the point that I’m making, that by pooling one’s resources and experience one really pools one’s understanding of what can go wrong, and also one in the same way actually benefits from ten organisations being able to establish what changes need to be made as a result of these lessons. If they work together they’re far more likely to be able to promote top of the hierarchy design related controls, because an equipment supplier for example, or a primary contractor – I’ll carry on with my mining industry example, but it does apply across other industries – will be able to be influenced to use different design techniques for their equipment, to design things differently, and so to make available to the mining industry equipment which doesn’t contribute to or promote the sorts of risks that it currently does. So greater buying power means a greater potential to influence the design of equipment and facilities, top of the hierarchy of control stuff. Very important to do.
There are some wonderful examples of industries working together in association. One I can think of goes back 20 or 30 years in the softwoods plantations of south eastern Australia, in South Australia as a matter of fact, where the logging industry training team got together the manufacturers of chainsaws and said ‘Listen, unless you start redesigning your chainsaws to stop causing vibration related injuries and to stop promoting bushfires and to not generate so much noise and fumes, we’re not actually going to buy chainsaws anymore, we’re going to find some other ways of knocking trees down’. They were a very small percentage of the world’s chainsaw market, but they succeeded in creating chainsaw manufacturers providing chainsaws which they had redesigned to satisfy those requirements, certainly within a period of 12 months.
Terribly important thing to do. Industry associations in Australia are beginning to do this in sort of an ad hoc way. I would really love to see legislation broadened to make the role of industry associations in this more formal and more required, because I believe it would be so helpful to our community.
There’s a wonderful example of this in Germany if anyone wants to look at it, and it’s been there working successfully, doing all of this top of the hierarchy of control stuff and going well beyond just work injury into efficiency and happiness and wellbeing. This goes back to the 1970s/80s. Maybe this even goes back to just after the Second World War I’m not sure. That’s what I’d really like to see happen.
Thank you Derek. To finish off our discussion today, what are some key take away points that you’d like to provide for our audience?
Thanks Howard. I think three of them would be good. Three is always a good number for these things isn’t it? The first one I think really is to know what your risks are. That means having a sensible inventory of risks. Any inventory which exceeds – let’s pick a number - I would have thought that without really significant justification, anything that exceeds about 100 is just misunderstanding what risk is. I have seen risk registers which contain upwards of 1,800 to 2,000 risks and it’s climbing, and the problem is immediately apparent because risk is being thought of as a synonym for probability, which is what it is not in this work. So the first thing is to know sensibly what your risks are.
The second thing is to manage the standards of control over each of those risks. One of the things that is conspicuously absent from a lot of health and safety management systems that I see is any sort of a statement about what hazard management practices are. I think that they should start with hazard management plans or practices, whatever you wish to call them. Risks arise from hazards. Each one of those hazards needs to be managed to an appropriate standard, and that standard needs to be identified. It consists of three things. It consists of physical things, administrative control measures and behavioural control measures. So physical control measures, administrative and behavioural. If you like to think of it as the top, the middle and the bottom of the hierarchy of controls, that’s just fine. But all risks require a suite of management practices, all hazards require a suite of management practices, and it’s important for an organisation to know what they are explicitly. So hazard management plans then is the second thing.
The third thing I’ve referred to a number of times in answering your questions Howard, and that is the control of hazards to those standards needs to be kept happening in the organisation. It’s not a natural capability of most organisations to remember why they’re doing something, and it might take ten to 15 years before the statistics catch up with you and you have another big bang so to speak.
Trevor Kletz, the late Trevor Kletz, a very influential chemical engineer in this field was often – well he said in a number of ways something along the lines of the chemical industry has the same fire every 25 years because it takes them 25 years to both forget why they were doing things and then for the statistics to catch up with them.
The keeping it happening thing is a challenge for organisations and it needs to be managed explicitly, because the big picture things that happen and reach the newspapers and the smaller picture things which happen and reach the newspapers are all things which occur to any one organisation with intervals of say – let’s some pick some order of magnitude figures – greater than ten years and upwards of the order of 100 years or more. No one crew on the boat, no one CEO and group of managers can hope to understand everything they need to manage in the course of their working lives based upon gathering that knowledge by experience. The organisation must learn from the experience. It can’t learn from the experience if it doesn’t have processes in place, and if it doesn’t have those processes in place it won’t be able to keep the control measures happening. Thanks Howard.
Thank you Derek. They are really good take away points for our audience. Thank you. That concludes our discussion today. So on behalf of Safe Work Australia Derek, my thanks again for your excellent and informative discussion on work health and safety risk. Thank you.
Thank you Howard.
[End of Transcript]