Risk assessments are a key component to help mitigate risks. Once one understands the key risks in a project, policies and procedures can be developed and the risk can be monitored. Such risk control measures can apply to different types of projects including environmental, construction quality control, and health & safety.
Risk Assessment Framework
Prior to the start of any project, it is recommended that the risks be examined and assessed based on consultation with experts, a review of relevant conditions, and the risk appetite of the key stakeholders. The following chart (taken from ISO 31000:2009) shows the relationship between risk appetite, risk assessment and risk treatment:
The first part of the risk treatment is to understand the stakeholder’s risk appetite. This is a function of several factors, such as socio-cultural factors, relationships with clients, and drivers that have an effect on the objectives of the organization. Once these drivers are understood, the risk identification process can be undertaken.
The Project Management Institute (PMI), in the Project Management Body of Knowledge (PMBOK), defines risk management as “the process of defining how to conduct risk management activities for a project” (Section 11.1). The act of risk management is broken down into three parts:
- Risk Identification – the determination of incidents that may affect the outcome of a project (both positive and negative)
- Risk Analysis – the determination of risk, based on the quantitative measure of an incident’s severity and frequency
- Risk Evaluation – the prioritization of high-risk activities to minimize the detrimental effects on a project
This data is summarized in a risk register. High-risk activities are then subjected to risk treatments.
Risk treatment is the act of controlling the frequency of an incident to help reduce the overall effects of risk on a project. The primary intention is that as the incident frequency is reduced, the overall effects on a project are mitigated.
Risk treatment is based on ANSI Z10, specifically:
The ‘plan’ phase is a direct result of the conclusions of the risk assessment phase of project management. Once a series of high-risk activities has been identified, separate plans are developed, based on local and federal regulations or best practices, as determined by national bodies, such as ANSI, ASTM, ASSE, NFPA, etc.
The plans are based around a hierarchy of controls:
Each type of control is implemented to help reduce the frequency of an incident. The results of this series of plans are used to develop policies and procedures. The process also lays out the requirements for the use of engineering measures such as specialty equipment, administrative controls (policies and procedures, training), and personal protective equipment to help prevent risks from occurring.
As the project progresses, the personnel involved use the training they have received and reference the policies & procedures to help prevent the risks from occurring.
During the ‘do’ phase, trained personnel will observe the personnel and operations to confirm they conform to the policies/procedures, local & federal regulations, and best practices.
Risks are monitored to confirm that they do not occur, or that they occur only in an expected manner (e.g. failure rates of components, health and safety incident rates, release rates of chemicals of special concern, etc.).
If it has been determined that an aspect of the program does not mitigate or help mitigate the risks (i.e. incidents are occurring at a higher rate than expected), the program should be re-evaluated. Additional policies/procedures, training, and/or monitoring are then implemented to help reduce the overall risks.
Job Safety Analysis
While all projects have inherent risks, they can be mitigated with an effective plan that is designed by competent personnel following the framework of ANSI Z10 and ISO 31000. We cannot rule out all risks, but we can control the known risks in an effective manner.