IOSH Risk Ratings and Risk Management – some key facts

Summary

• What is risk?
• What is a risk rating?
• What is the probability of occurrence?
• What is severity of consequence?
• What is the problem with calculating an unweighted severity of consequence
• What is the Severity of Consequences, the Weighted Value Scale
• What is identifying risk in the workplace
• What is risk assessment?
• Why assess the risks?
• How do I control the risks?
• When should you record your findings?
• When is the best time to review the controls?

When it comes to health and safety in the workplace, mimimising the potential harm that could come to any of your staff has to be a priority. There was a time when health and safety was seen as a separate element when it came to running a business. Back then, the Health and Safety Executive (HSE) advocated implementing health and safety procedures based on the POPIMAR (Policy, Organising, Planning, Implementing, Measuring performance, Auditing and Review) model which tended to separate health and safety from other elements involved in the running of a business. 

Today, by way of further integrating health and safety into the everyday running of a business, the HSE has turned to POPIMAR’s successor, Plan, Do, Check, Act, or PDCA.

Another part of the drive towards more effective health and safety measures includes the Institute of Occupational Safety and Health (IOSH), which is based in the UK, and has developed a worldwide organisation to educate businesses in the ways of effective implementation of health and safety measures. Here at Commodious our excellent and comprehensive seven-module Managing Safely course is based on IOSH requirements and forms a part of its Training and Skills program.

What is risk?

According to the IOSH, “Risk is the likelihood of potential harm from [a] hazard being realised. The extent of that risk will depend on the following:

• The likelihood of harm occurring
• The potential severity
• The population which might be affected

What is a risk rating?

A risk rating is the level of risk attributed to a certain hazard and the potential for that hazard to cause harm.

 According to the American Chemical Society:

        Risk Rating (RR) = Probability of Occurrence (OV) x Severity of Consequences Value (CV)

In simple terms, the greater the estimated probability of occurrence and the greater the magnitude of the severity of the consequences, the greater the risk rating will be.

What is the probability of occurrence?

The probability of occurrence is the likelihood of an identified risk actually happening. It is important to note here that the probability of occurrence is not the same as a risk rating. The probability of occurrence is an educated ‘estimate’ of the likelihood of an event happening, while a risk rating is a carefully calculated estimate of a risk happening. In general, the probability of occurrence is estimated to be at one of five different levels, these levels being:

What is severity of consequence?

The severity of consequences assesses impacts on personnel safety, resources, work performance, and property damage, and can also include institutional reputation. In the chart below we have created a rating of 1 and 4 for the severity level.

What is the problem with calculating an unweighted severity of consequence?

In theory, you would think that multiplying the probability of occurrence value by the severity of consequence value would give you an accurate risk rating. It will, but here’s the problem. It will not allow you to differentiate between high-risk activities and low-risk activities. We will explain further…

Using the standard linear scaling, an activity with a ‘certain’ probability rating (4) with a ‘no risk’ rating (1) would produce an overall risk rating of 4. However, if a different activity has a ‘rare’ probability value (1) with potentially lethal consequences (4), this activity would have an identical risk rating of 4. However, as any activity with the potential of being lethal would never be considered low risk, regardless of how low the probability, the severity of the scale needs to be weighted to consider the severity of potential consequences.

What is the Severity of Consequences, the Weighted Value Scale?

Looking again at our two different activities, by using this weighted scale, an activity with a certain probability (4) with no risk (1) would still have a risk rating of 4. However, and this is the important part, an activity with a rare probability value (1) with potentially lethal consequences (20) would result in an overall risk rating of 20. Comparing a risk rating of 4 to 20 is a far more ‘informative’ way to help understand the severity of a risk.

Of course, the weighting can be adjusted to suit your own calculations, these figures are not ‘set in stone’.

What is identifying risk in the workplace?

One of the most important elements of health and safety in the workplace is the accurate and effective identification of risk. Of course, that in itself is insufficient when it comes to protecting the workforce. Simply telling employees that one of the tasks they have to perform is ‘quite dangerous’ is pointless as it is an employer’s responsibility to mitigate all risks to the greatest extent possible.

So, how do you identify risk in the workplace?

What is risk assessment?

In order to identify risk in the workplace, you need to carry out a risk assessment. This involves looking at each and every action performed by the workforce and identifying any hazards.

According to the HSE, identifying hazards involves assessing the following as examples:

• How people work and how plant and equipment are used
• What chemicals and substances are used
• What safe or unsafe work practices exist
• The general state of your premises

Therefore hazards, and consequentially risks, also include but are not limited to the actual working environment, the premises, the equipment, the training, other members of the workforce, and the working environment. 

Why assess the risks?

Having identified all hazards, you then need to decide how likely it is that someone could be harmed and how serious it could be. This is known as assessing the level of risk.

Thus, you need to assess:

• Who might be harmed and how
• What you're currently doing, if anything, to mitigate those risks
• What you now need to do, in addition, to mitigating those risks
• Who should be responsible for putting into action the proposed changes
• When the deadline for completing the changes should be

If you would like to learn more about conducting a risk assessment, consider reading our detailed article here. 

How do I control the risks?

Ask yourself the following questions:

• Can I eliminate the hazard altogether?
• If I can’t, how can I minimise the risks so that the chances of harm being caused are unlikely?

It will pay you to look further than at the obvious. You could perhaps consider any or all of the following:

• Redesigning how the task is performed
• Replacing materials, tools, or plant machinery 
• Redesigning how the work is done to mitigate exposure to materials, machinery or the working process(es)
• Identifying and implementing practical measures that will help employees to work more safely
• Providing personal protective equipment (PPE) and making sure workers know how it should be properly worn and used.

You should then put in place all the necessary controls you have identified. You are not expected to eliminate 100% of the risks, but you are required, by law, to do everything 'reasonably practicable' to protect employees and other visitors to your premises, such as clients or customers, from harm. This means balancing the level of risk against the measures needed to control the real risk in terms of money, time or required effort.

The HSE also provides additional detailed guidance on controls relevant to your business.

When should you record your findings?

If you employ five or more people, you are required to record any significant findings, including.

• Identified hazards (things that may cause harm)
• Which persons might be harmed and detail how
• Making it very clear what, exactly, you are doing to mitigate identified risks

For further help, Commodious has produced a very useful resource, How to do a risk assessment with a free downloadable template. However, it is important to note that you should not solely rely purely on filling in paperwork as your main priority should always be to actively mitigate risks in working practices and your premises.

When is the best time to review the controls?

Once operational, you are then required to review the controls you have put in place to ensure they are working. You should also review the controls if:

• You suspect they may no longer be effective
• There have been changes in the workplace which may lead to new risks, such as changes in:

• Your employees
• Working processes
• Materials or equipment used.

It is also good working practice to involve the workforce in all the processes of risk management. Soi, consider implementing a review if your workers have spotted any problems or if there have recently been any accidents or near misses.

Subsequent to this, you should update your risk assessment record with any changes made.

Here at Commodious we specialise in providing online courses that cover many aspects of Health & Safety at work. If you would like to learn more about any of these, please feel free to get in contact with us.

IOSH Managing Safely 

IOSH Working Safely

Further Reading