It is well understood among practitioners that risk management is a process. Plan Do Check Act is instilled in us from day one. But how often do we revisit ‘solved’ risks? Is a risk ever really solved or as they say of great art; merely abandoned?
Practitioners reading this article will recall many examples of risk assessments that assumed: ‘employees will follow the instructions,’ making risk disappear. Or a register that assumes, without evidence, that mitigation measures will work 100% of the time.
Whenever two practitioners meet, there will always be stories about clients who believe having a risk assessment means the job is done. No matter how policies, procedures, occupants, site and jobs change, that’s a tick in the box.
I often cite the example of a client who assumed that a risk assessment for a laser CNC machine that cut mild steel would apply equally to other metals. They were then stuck with a waste hopper full of thermite – a material that burns at 2500°C, and hot enough to melt concrete!
Revision questions
Often, practitioners will initially monitor the effects of hard fought for improvements, then trumpet the 22% reduction in slips and falls or the 5% reduction in sick leave as evidence a programme worked. But then attention is turned to the next challenge.
Five years down the line we should question if our mitigation measure sitting on the risk register as evidence of a reduced risk, still holds up.
We should ask:
- Has the risk changed?
- Has there been backsliding at the sharp end?
- Is the solution we fought for still the most efficient and cost effective?
- Has technology moved on?
- Is it even still a risk? Have changes elsewhere eliminated the risk or exacerbated it?
Often, even with highly capable and qualified risk teams, reviews of risk assessments and policies are done on a document-by-document basis and the wisdom of ‘If it ain’t broke, don’t fix it’ can prevail.
Risk assessments and procedures, even when regularly reviewed and updated, are based on historical circumstances that may no longer apply.
Update and eliminate
The relative costs of workforce and technology, and the ability to implement it, have changed substantially. This can mean that risk controls may now be based on a foundation of outdated knowledge or technology.
For example, decisions made at the time of an original assessment might have quite legitimately identified that the cost of a digital tool for inspection was prohibitive. Therefore, inspection procedures have been carried out based on a checklist, notes and photographs. However, in the intervening time, digital tools have reduced in complexity and increased in availability, and the same issues could now be addressed for a nominal cost with a low code (little coding) app or no code (no code at all) app built in-house.
Historic assumptions in the risk assessment may remain. So now an inefficient procedure is constantly being streamlined and worked around, rather than eliminated.
Practitioners may leave the regular review and updating of assessments to team leaders and managers who have limited time and training in risk management, so fundamental issues will rarely be addressed. This can mean risk registers fed by the assessments are flawed as well.
The most effective task for a risk management team is to have a scheduled, long-term strategy that plans for not just a review but a full suite of new risk assessments, policies and procedures. This can help eliminate the assumptions that were made at the time of the original drafting.
At Crawford, there is a reason why, despite it being permitted, we do not recommend simply reviewing a fire risk assessment every year. We recommend undertaking a new one every three to five years. It’s important because legislation changes, usage changes, practices change. Indeed, people change.
Progression
The simple truth is that, as risk management professionals, the one thing you can be sure of is this: You are better now than you were then.
After five or ten years of continuous personal development, on the job experience, problem solving and growing in understanding the nuances and changes in your organisation, you will be doing a better job now. You will make decisions based on today’s reality, not the past’s. You will identify more, prioritise better and catch risks that might have fallen through the cracks when you were less experienced and knowledgeable.
So next time you fill in your CPD, remember it is much more than a tool for showing you have kept up to date or are meeting technical requirements. It is evidence that you are better at this, and more knowledgeable (and valuable) than you were before.
The biggest risk we miss is often ourselves. We trust in our previous choices because we made them. But we forget that the ‘you’ who made those choices then was less experienced.
Risk management never ends: not just because the world is continuously changing, but because we are too. And we need to account for that as well.