Time to abandon the risk matrix? I have recently worked with a large international company on how they assess risk and together we have developed a risk management framework that works very well.
Common problems highlighted in the initial review were:
1. There was a wide range of interpretations on how to assess risk through the company
2. The risk framework was designed with a business focused, and was not necessarily suited for health, safety and wellbeing
3. The risk matrix was too limited, and the definitions/actions were standard (possibly copied from another one), and had not been thought through. E.g., a Lost Time Injury of one day pushed the risk level to Very High.
4. Corporate Head Office did not follow through on extreme risk items (e.g., stop process)
The review process included:
1. Setting-up a working group of 4 people
2. Reading at length the 'Risk Management Guidelines ISO31000:2018(E)', the Handbook - 'Managing Health and Safety Risk SA/SNZ HB 205:2017', and the document 'How to manage work health and safety risks: Code of Practice' Safe Work Australia May 2018
3. Researching the value and construction of risk matrices
4. Moving from a standard 2 dimensional risk 4 x 4 matrix to a 3 dimensional 6 x 6 x 6 Matrix (we added frequency)
5. Debating at length the context, and definitions of the risk matrix and the outcomes
6. Trialing the new process across the group with great success - taking on board any room for improvement. For this part, we made sure we have people from the factory floor in the trial - they have tp understand it.
7. Getting the Executive Management Team to sign off on their role/responsibility when a risk is considered High/Very High.
Key elements to the new process are:
1. Involve the right people in the risk assessment
2. Inherent risk is not evaluated (it has been removed) as this is to confusing. You have a hazard, associated risks, and current controls. You then evaluate your current level of risk.
3. Focused on reducing risk SFAIRP, not ALARP.
4. Not including the level of risk if controls were in place - this provides a false sense of security with no action having been completed
5. Review the risk level once an improvement has been made.
The key thing to remember is that the process is not perfect, and will not give you an answer that takes away a level of debate, thinking, input, collective knowledge etc.
Where Risk Assessment processes fall down is the organisation has not followed a robust process that is unique for them, and they tend to adopt a standard off the shelf solution.