Safety professionals face increasing demands for their expertise and time at the same time that staffing levels are often being reduced. Their leaders expect improved safety performance while the organization, work force, work environment/processes, and risk levels are constantly changing. Many organizations rely on safety audits to evaluate the effectiveness of their safety program. Properly performed, these audits require time and experienced auditors. Even the best audit programs can become stale over time and lose effectiveness; with changing risk levels this can have dire consequences. For leaders and safety professionals to be able to sleep better at night, there are some questions that need to be answered. A couple of them are:
Does our safety program adequately address our risks?
How do we ensure that we are looking at/for the right things?
Risk Based Assessment is a structured concept for assessing and improving the risk management maturity of any organization. It should be based on risk management methodology and aligned with recognized standards and frameworks, e.g. AS/NZ 4630, EFQM Framework for Risk Management, COSO ERM Framework.
Framework (available in full paper).
In reality, some aspects of making risk management effective are often difficult for many companies.
Business context needs to be clearly defined. There is a need for effective deployment of strategy and risk appetite into specific, operational objectives at organizational, process and individual (e.g. KPIs) level. It is important that an organization assures clear risk tolerances for all objectives.
Risks need to be well assessed (identified, analyzed and evaluated) and therefore credible. Risks need to be well identified, based on a risk-breakdown structure that fits the specific needs of the organization. Risk analysis needs to be versatile and sound. Quantification needs to be conducted according to criteria based on specific measures aligned with the selected reference objective. Risk evaluation needs to be conducted based on clear criteria rooted in risk tolerances (derived from risk management policy). The risk assessment process needs to be embedded within the organization and operational processes. Risk assessment output needs to be credible.
Processes need to be effective and efficient. Process performance needs to be continuously improved. Common criteria for process assessment need to be established, where all relevant aspects are reflected, incl. compliance, effectiveness and efficiency. Criticality of specific processes needs to be evaluated. Risk management components need to be integrated with (embedded into) all processes (assure integration of risk management across all processes).