Risk is a fundamental concept that underpins health and safety management. But as Nick Bell explains, there are different ways to understand what risk is and its meaning can change significantly further up the food chain in organisations.
I was discussing health and safety with the senior executives of an organisation that operates in countries in a state of political unrest. The executives considered their key risks to be: contractual non-conformance and the associated risk of claims or loss of contracts; reputational damage (for example, through malicious allegations of bribery); and political or regulatory changes leading to the loss of the licenses or permissions which are needed to operate. Although the health and safety risks were well managed, the executives’ focus was on risks to the business.
Of course, it is quite logical to make the case that effective health and safety management will lessen the risk of contractual non-conformance, reputational damage and loss of permits. In fact, one of the core skills of a health and safety practitioner is to help an organisation understand these indirect consequences of accidents and ill-health. This helps ensure that controls properly reflect the true magnitude of the risks posed by an activity or operation. For these reasons, the potential risk to the operation and/or organisation are sometimes assessed alongside health and safety risks.
In health and safety, we almost always deal with these sorts of ‘pure’ risks. A pure risk refers to a situation where only bad things can happen, and we put measures in place to limit the likelihood and scale of the losses. [1]
The Health and Safety Executive states that sensible risk management “should be about practical steps to protect people from real harm and suffering”.[2] In other words, risk is always bad.
However, risk is sometimes good. As a species, we need to take risks to ensure we can survive and prosper.[3] Going back into our dim and distant past, we routinely faced the pure risks of starvation and hypothermia and as a control measure we gathered fur and food.
Most of the time, the tribe’s resources are spent gathering nuts and fruit and catching rabbits. This is fairly laborious and unglamorous work but relatively safe and far better than starving or freezing to death.
After discussions, the clan elders decide to organise a mammoth hunt. This carries enormous risks of physical harm, however the clan can collect a tremendous amount of meat and fur in one go and boost the status of the clan and hunters. The benefits prove just too attractive to ignore.
We are now in the province of ‘speculative risk’. As the name suggests, this involves risking our resources (e.g. time, effort, reputation or money) in the hope of realising certain benefits.[1] Speculative risk is as much a normal part of life as pure risk. For example, university students stake years of their life and amass thousands in debt in the hope that they will enjoy a range of benefits (social, academic, financial) over the short, medium and long term.
Senior executives must continually assess what risks to take in order to help their company or organisation survive and thrive. Health and safety is consequently just one of the risks they are managing.
While risk management is a professional discipline in its own right, health and safety practitioners have valuable expertise to help a company manage a broad spectrum of risks relating to its enterprise or business.
For example, if an organisation was considering purchasing a new site, health and safety practitioners might help advise on issues such as asbestos, legionella and fire safety. Their findings and recommendations could help a company evaluate the overall risks (and cost) of this proposal.
However, health and safety practitioners have a much broader set of transferrable skills. They are usually comfortable participating in or chairing workshops to discuss risk. They help managers articulate, assess and record risk in terms of likelihood and severity then help them develop a reasonable selection of preventive and protective controls. They also understand the benefits of recording and tracking this information in a clear and structured manner (risk registers are frequently used when dealing with business risks).
It should be noted that risk management is a professional discipline in its own right, and health and safety practitioners may benefit from additional training if they were looking to lead (rather than support) the business risk management process.
Controlling risks
The principles of prevention and the hierarchy of control are core tools of the health and safety practitioner. There are also several frameworks for controlling business risks (e.g. ISO 310004 and the model contained within IOSH technical guidance).[1] All these approaches start with risk avoidance.
If a project is considered too risky, the company can halt proceedings. However, there could be business risks to a company that fails to adapt and innovate in a rapidly changing market.
If risks cannot reasonably be avoided, they could be managed to reduce the likelihood or potential scale of loss. Stringent design, testing and quality control procedures reduce the likelihood of defects in a new product line, plans can be drawn up to try to prevent business disruption during a project to install new plant, business continuity plans can be put in place in case things do go wrong.[5]
Risks can be transferred, typically through the use of third party contractors or insurance. However, this does not completely transfer risk. For example, the company would still have to ensure that the project was suitably co-ordinated with its own operations and appropriately monitored.[6]
A good appetite
According to the UK Corporate Governance Code, one of the principal functions of a board is to determine what level of risk it is prepared to take to realise its strategic objectives.[7] This is sometimes expressed by the terms ‘risk appetite’ and ‘risk tolerance’.[8] Risk appetite represents what risks a company is prepared to pursue to realise its goals, while risk tolerance expresses the limits of the risks that it is prepared to accept.
Major projects can die in the water if the design or project team misinterpret the client’s risk appetite and tolerance. Problems can also arise if there is a significant mismatch between the business risk attitude of a board and its workers – employees might feel that the organisation is stifling innovation and crushing creativity, while the board might worry what trouble this bunch of wild-eyed mavericks is going to cause. A clear expression and discussion of an organisation’s attitude towards business risk can therefore be useful during recruitment, selection and tendering processes.
Good risk governance requires that a board puts systems of internal control in place to monitor and manage the risks it has accepted.[7] The HSE[9] have been keen to stress that the Plan-Do-Check-Act cycle applies just as well to business risks as it does to health, safety and environmental risks, and health and safety practitioners come pre-programmed with this logical, structured framework.
Weighing it up
The more strategically important a particular objective is, the greater the risks a company might be prepared to take. An organisation might consider tendering for a particularly high value contract for a high profile client. There are significant reputational risks and benefits from being so exposed to the public eye and the demands of this particular contract might increase the risk of contractual non-conformance and claims. A company will weigh up the business risks against the strategic benefits to help inform its decision whether to tender or not.
It is worth noting that a company is ‘speculating’ a number of different business risks and resources in the hope of realising benefits. These risks typically include regulatory non-compliance, workforce relations, reputation, customer and shareholder satisfaction, work-related injury and ill-health, etc. Even though two companies may broadly have the same attitude towards risk, one might choose not to tender for the aforementioned contract as they are more sensitive about reputational damage than the other.
‘Risk’ is a much wider concept than just health and safety – senior executives routinely pursue and accept certain risks to ensure their business can survive and thrive. Attitudes towards business risk can vary tremendously between and within companies and articulating that attitude can be difficult, but also very helpful. Health and safety practitioners can feed information to decision makers. They can also support the business risk management process, and ensure health and safety is firmly on the agenda by using the skills and tools that they already possess in abundance.
References:
The Safety Conversation with SHP (previously the Safety and Health Podcast) aims to bring you the latest news, insights and legislation updates in the form of interviews, discussions and panel debates from leading figures within the profession.
Find us on Apple Podcasts, Spotify and Google Podcasts, subscribe and join the conversation today!
