UCM Fall Symposium and ASSE/AIHA/A&WMA PDC Risk Assessment What, Why, When and How UCM Fall Symposium and ASSE/AIHA/A&WMA PDC November 5, 2015 Bruce Lyon, CSP, PE, ARM, CHMM Hays Companies

Risk Assessment Fundamentals Objectives What… Hazards, Risks, and Risk Management Why… Developing Trends, Standards, FSI & PtD When… Triggers for Assessing Risk How… Steps for Conducting Risk Assessments

What is Risk Management? The coordinated activities of risk avoidance, control, and financing to a level that is considered acceptable. ‘Risk Assessment’ is the cornerstone of Risk Management.

What is Risk?

Hazards vs. Risks… Hazard Source of harm. (Z690.1) Exposure includes the frequency and duration of a hazard coming into contact with the population or assets at risk. Frequency of exposure describes how often an event might take place over a specified time period. Duration of exposure is the length of time that a single exposure occurs.

Hazards vs. Risks… Exposure – Contact with or proximity to a hazard, taking into account duration and intensity. (Z10) Extent to which an organization or stakeholder is subject to an event. (Z690.1) Exposure includes frequency and duration of a hazard coming into contact with the population or assets at risk. Exposure includes the frequency and duration of a hazard coming into contact with the population or assets at risk. Frequency of exposure describes how often an event might take place over a specified time period. Duration of exposure is the length of time that a single exposure occurs.

Hazards vs. Risks… Risk Effect of uncertainty on objectives. (Z690.1) An estimate of the probability of a hazard-related incident or exposure occurring and the severity of harm or damage that could result. (Z590.3) Risk is the estimated severity of harm and likelihood of occurrence from the hazard. Exposure includes the frequency and duration of a hazard coming into contact with the population or assets at risk. Frequency of exposure describes how often an event might take place over a specified time period. Duration of exposure is the length of time that a single exposure occurs.

Definitions Severity – Degree of harm. Likelihood – Chance of something happening. Operational Risk – Risks generated from the workplace including SH&E, liability, legal and information technology. Acceptable Risk - The risk level that is considered by the organization to be acceptable in its current context. This level of risk is generally lowered as the organization matures and the control technologies improve.

Definitions Risk Assessment “A process that commences with hazard identification and analysis, through which the probable severity of harm or damage is established, followed by an estimate of the probability of the incident or exposure occurring, and concluding with a statement of risk.” (Z590.3) “Overall process of risk identification, risk analysis and risk evaluation.” (Z690.1) Risk Assessment is a three step process that including identifying hazards, analyzing their risk, and evaluation the risk to determine if it requires additional control.

The Risk Assessment Process Hazard/Risk Identification Risk Analysis Risk Evaluation

Risk Assessment within the Risk Management Framework

Why Assess Risk? Fatalities and Serious Incidents (FSI) Continue to Occur While Incident Rates have decreased, Fatality Rates remain steady Major Disasters, Fires, Explosions, Chemical Releases FSIs in Construction, Petro-chemical, Transportation, Agribusiness among other industries On April 20, 2010, a sudden explosion and fire occurred on the oil rig. The accident resulted in the deaths of 11 workers and caused a massive, ongoing oil spill into the Gulf of Mexico. The rig was located approximately 50 miles southeast of Venice, Louisiana, and had a 126-member crew onboard.

Why Assess Risk?

Why Assess Risk?

The Rising Importance of Managing Risk Risk assessments required in: many countries branches of the military NASA Chemical operations – (OSHA Process Safety Management & EPA RMP) Atomic energy field Pharmaceuticals

Global Trends ISO 31000 Risk Management Standards

Key Standards ISO 31000 - ANSI/ASSE Z690-2011 Risk Management Standards ANSI/ASSE Z590.3-2011 Prevention through Design ANSI B11.0-2015 Safety of Machinery MIL-STD-882E-2012

The Purpose of Assessing Risk… to “provide evidence-based information and analysis to make informed decisions on how to treat particular risks and how to select between options.” ISO 31010/ANSI/ASSE Z690.3-2011

Risk Assessments required in Management Systems Standards Plan, Do, Check, Act “The effectiveness of an ORMS requires the continual identification, analysis and evaluation of risks to understand their magnitude of loss, and potential of occurring, as well as adequacy of existing control measures and needed improvements within the organization.”

Operational Risk Management Systems OSHA’s Voluntary Protection Program (VPP) ANSI Z10-2012 BS OHSAS 18001-2007 International Labor Office ILO-OSH 2001 ISO 14001-2004, Environmental management systems ISO 45001- 2015-16, Occupational Health and Safety Management Systems

The Rising Importance of Risk Assessment Established February 2013 Risk-based information, tools, and research for safety professionals Risk Assessment Certificate Program http://www.oshrisk.org/

OSHA Recognizes Need for Risk-based Approach In a July 19, 2010 letter to the OSHA staff, Assistant Secretary David Michaels wrote: “Ensuring that American workplaces are safe will require a paradigm shift, with employers going beyond simply attempting to meet OSHA standards, to implementing risk- based workplace injury and illness prevention programs.”

When should Risks be Assessed? Design of New Systems Upsets and Emergencies Redesign of Existing Systems Third-party Interactions, Contractors, & Construction Changes & Additions (MOC) External Requirements Procurement High Risk Activities Non-routine Activities Serious Incidents (FSI)

When Assess Risks? Develop a Strategy for ‘when’, ‘where’, ‘who’ and ‘how’ risk assessments are to be performed Gain Management Commitment Involve Stakeholders Ensure Adequate Resources are Available Qualified Risk Assessors Document and Communicate Risk

Establish Risk Criteria Establish Context Assemble Team Identify Hazards Analyze Risks Evaluate Risks Treat Risks Document Monitor / Review Risk Assessment Process

Establish Risk Criteria and Matrix Define Risk Criteria & Levels Establish Risk Scoring System Select Risk Assessment Matrix

Establish Risk Criteria and Matrix Establish a Risk Scoring System Qualitative, Semi-quantitative, or Quantitative Risk Factors in System Severity, Likelihood, Control Effectiveness, Exposure, etc. Existing or Customized System MIL-STD-882 ANSI Z10 ANSI Z590.3 PtD a measurement system that includes a baseline and a method of scoring

Establish Risk Criteria and Matrix Define Risk Criteria & Levels for the Organization Severity Likelihood Action Levels Acceptable Level Risk criteria are the reference points against which the significance of risk are evaluated and measured.

Establish Risk Criteria and Matrix “A method to categorize combinations of probability of occurrence and severity of harm, thus establishing risk levels.” (Z590.3)

Establish Risk Criteria and Matrix

Establish Context Purpose and Scope Boundaries and Limitations Select Risk Assessment Method(s) with internal (resources, knowledge, culture and values among others) and external (legal, regulatory, economy, perceptions of external stakeholders, etc.) parameters in mind

Form a Team Context will Determine Size and Makeup Cross-functional Group Roles and Responsibilities Training in Method(s) Context will determine the size and makeup of the team familiar and knowledgeable with the hazards and operations

Identify Hazards/Risks Find, Recognize and Record Hazards Causes and Sources Events, Scenarios or Failure Modes Existing Controls Hazards are the source of risk Thus, if risks are to be assessed, hazards must first be identified.

Identification Methods Brainstorming Checklists Regulations (OSHA, EPA, DOT etc.) Standards (ANSI, ASTM, NFPA, etc.) Experts (external or internal) Job Hazard Analyses/Job Safety Analyses Accident/incident investigations OSHA Injury and Illness Records Insurance claims Formal hazard/risk identification techniques (31 listed in ANSI Z690.3-2011)

Risk Analysis Severity of Consequences (S) Likelihood of Occurrence (L) Effectiveness of Existing Controls Estimated Risk Levels Upon identifying hazards, the team will analyze the potential risk. Risk analysis involves developing an ‘understanding’ of the risk.

Risk Analysis Determine Consequence(s) and their Severity Example: a fire in a fertilizer warehouse could impact employees, building, materials, surrounding public and environment.

Risk Analysis Estimate Severity Level (S) for each Consequence Example: a fire in a fertilizer warehouse could impact employees, building, materials, surrounding public and environment.

Risk Analysis Estimate Likelihood (L) Review historical data Consider exposure frequency, duration and population Estimate Likelihood of Occurrence

Risk Analysis Assess Existing Controls (PE) Adequacy and Effectiveness Consider the type of controls and their effectiveness according to the ‘Hierarchy of Controls’

Risk Analysis Estimate Risk Level Using the Risk Scoring System calculate the Risk Level Take care not to dilute severity if using multiple risk factors in the formula (i.e. severity, probability, exposure, protection effectiveness, failure detectability, frequency, duration, etc.) Examples: Severity + Likelihood = Risk Level Severity x (Likelihood x Protection Effectiveness) = Risk Level

Risk Evaluation Compare estimated Risk Levels with established Risk Criteria Determine if Risk is Acceptable or if Treatment is needed Prioritize Actions based on Risk Levels

Risk – ‘As Low As Reasonably Practicable’ Decisions on treating a risk will depend on the risk level and the costs and benefits of implementing improved controls.

Risk Treatment ‘The process of reducing or modifying risk using Risk Treatment Options.’ Risks that are judged unacceptable must be ‘treated’ to reduce risk. Risks that are judged unacceptable must be ‘treated’ to reduce risk. It involves: the assessment of a risk treatment; determining if residual risk levels are tolerable; selecting new risk treatments for those residual risks that are not acceptable; and assessing the effectiveness of any new control measure.

Risk Treatment Options Avoidance - avoiding the risk by deciding not to start or continue with the activity that gives rise to the risk Elimination - removing the risk source Substitution - changing the consequences Engineering and Administrative controls - changing the likelihood Transfer & Financing - sharing the risk with another party such as insurance contracts and risk financing Retain - retaining the risk by informed decision Risk treatment options are not always mutually exclusive or appropriate for all situations. Treatment options include:

Hierarchy of Controls

Documentation Virtually all aspects of the process should be documented Selecting the risk assessment matrix Determining the purpose and scope (context) Forming the team Selecting the hazards or operations to be assessed Identifying Hazards/risks Analyzing Risks Evaluating Risks Communicating and documenting Monitoring and continuous improvement NASA’s Space Shuttle Columbia explosion February 1, 2003 which claimed seven lives was determined by the investigation board to be partially due a lack of effective communication of critical safety information. The Synopsis of the Report of the Columbia Accident Investigation Board concluded that organizational causes including lack of communication contributed to the incident. “Cultural traits and organizational practices detrimental to safety were allowed to develop, including: reliance on past success as a substitute for sound engineering practices..., organizational barriers that prevented effective communication of critical safety information and stifled professional differences of opinion; lack of integrated management across program elements; and the evolution of an informal chain of command and decision-making processes that operated outside the organization’s rules. (p. 9)”

Documentation Risk Register Case # Location Task Hazard # Hazard Current State Risk Level Additional Controls Completion Date Future State Risk Level 1 QC Lab - Weld Plasma cutter 1.1 Electrical Shock 14 Yes 2/20/2015 12 1.2 burns 15.2 3/15/2015 1.3 arc flash 11.2 9.8 1.4 noise 19 8.4 1.5 fire 1.6 dust 9.6 2 Weld Destruct 2.1 ergo-strains 4/15/2015 2.2 vibration 4.8 2.3 10.8 2.4 struck by 14.4 2.5 16 2.6 struck against 11.4 6.3 2.7 falls same level 3 Finishing Wash Station 3.1 hot liquid 9 3.2 14.25 0.2 3.3 chem-corrosive 4.2 3.4 hot surfaces 3.5 mechanical 3.6

Monitoring & Continuous Improvement Hazards and operations change Changes can effect existing controls and their effectiveness Update risk assessments to consider these possible changes NASA’s Space Shuttle Columbia explosion February 1, 2003 which claimed seven lives was determined by the investigation board to be partially due a lack of effective communication of critical safety information. The Synopsis of the Report of the Columbia Accident Investigation Board concluded that organizational causes including lack of communication contributed to the incident. “Cultural traits and organizational practices detrimental to safety were allowed to develop, including: reliance on past success as a substitute for sound engineering practices..., organizational barriers that prevented effective communication of critical safety information and stifled professional differences of opinion; lack of integrated management across program elements; and the evolution of an informal chain of command and decision-making processes that operated outside the organization’s rules. (p. 9)”

Communication The importance of communication can not be overstated. Successful risk assessments are dependent on effective communication among stakeholders prior to, during and after the process. Communication is a provision of both ANSI Z690.3 and ANSI Z590.3. Communication is also required by virtually all of the national and international health and safety management standards such as ANSI Z10, OHSAS 18001 and OSHA VPP, but it is seldom done well. As a result, poor communication is often identified as a major contributor to poor outcomes such as accidents. As with many other functions within organizations, people should make it a priority to communicate effectively when performing risk assessments. Those involved in the risk assessments should think about who could help them do the risk assessment more effectively. For example, they could ask others within their own departments for input. Alternatively, they should think about who might be interested and benefit from the risk assessment that is being performed and let them know the outcome. Take a few minutes and think.

The Take Away Message Take a ‘Risk-based’ Approach Establish a Strategy for Performing Risk Assessments Lead the Way