I’d been in the room for about five minutes and had already heard Brian (not his real name) tell me at least three times in a variety of different ways that “this is a load of bullshit; I’m only talking to you because management said I have to. I’ve got real work to do!”.
"Not off to a good start," I thought to myself. I was there to conduct a safety risk analysis at a high-security, high-risk, bio-hazard facility where Brian was a mid-level manager. His attitude wasn’t typical of the people at this facility, but it’s an attitude I’ve heard all too often in my career. It was especially disappointing because we were there to follow up on the findings of a coronial inquest.
It wasn’t that Brian didn't feel for the death of his co-worker. Quite the opposite. However, his perspective on risk management wasn't positive. It was even understandable, given his experience with years of lousy risk management training and complex risk assessments.
If you spend enough time working in risk management, you’ll hear a million variations of “I’m busy enough as it is" and "This stuff is too time-consuming to use in my day-to-day work anyway”.
Even I will admit to having this attitude to risk management many years ago after having ill-conceived and impractical safety training rammed down my throat ⏤ until I discovered the 'risk management continuum'.
Brian's comments about risk management being too complicated were less a failure of risk management than a failure of imagination. In the end, I managed to bring Brian around to being a fan of risk management (or at least showing a little interest), which later translated into a few business changes in his department. Paraphrasing our discussion somewhat, these are the key points that we discussed:
There are various risk management processes, formats, standards, and guidelines.
The trick is to use the appropriate size tool commensurate with the job.
You don’t need a series of workshops and a 100-page report to manage the risk of hanging a picture on an office wall. Neither do you want to write your organization's five-year risk treatment plan on the back of an envelope.
It’s all about picking the right size tool for the job. Applying every section of ISO31000 to risk managing a staff training day is like trying to crack a walnut with a 20-tonne hydraulic press. Sure, you could do it, but you’ll spend a lot of time at it, and you’re not likely to get an edible result. Over the years that I've been doing this, I’ve collected a grab bag of tools, which, when put into context, give us a hierarchy of tools or what I call 'the risk management continuum'. They include:
Take 2
Stepback 5x5
The Team Leader’s 10 Questions
Job Risk Analysis (JRA)
The Team Leader’s 10 Questions
Project Risk Assessment and Treatment Plan
Formal Risk Assessment
Complex Risk Assessment
And are illustrated in the following diagram:
The Risk Management Continuum
These tools range from the very simple to the very complex and take correspondingly different expertise, resources, and time to use. At its simplest, you could do a risk assessment on crossing the road in a matter of seconds, while an enterprise risk plan may take a team of people several months to complete.
Before introducing the aforementioned tools, it's worth emphasizing that these are only examples of the tools you might choose. Even if you like the concepts, there is no reason why you need to keep the names; but they could be a good place to start.
Here is a quick summary of the various tools: Take 2 ‘Take 2’ is simply an easy-to-remember name for taking 2 minutes (metaphorically or literally) to consider the risks associated with an activity. It's an ideal tool for a quick risk assessment before moving a filing cabinet or plugging in new equipment, for example. An individual might use it before pressing ‘send’ on an email to their boss or a client, spending two minutes considering the risks or opportunities (e.g., Could this be a career-limiting move? Is this a good email to share with a colleague?). Equally, in a group activity, someone might suggest, “Hang on, let’s Take 2,” before collectively moving a desk. In the latter example, the process of 'Taking two' might get the group thinking about first moving some boxes out of the way or allocating someone to hold a door.
Stepback 5x5 Step back five paces (metaphorically or physically) and spend 5 minutes considering, discussing, and documenting risks and treatments. A simple example would be two tradesmen drilling a hole to hang a whiteboard. A 5x5 might raise questions like:
Are there live wires, gas, or water pipes behind this wall?
Will the plaster wall support the weight of this electric whiteboard?
If we put it on this wall, is it likely to be in the way as people pass through?
Do we have enough people to hold it up while we fasten it to the wall?
A Stepback 5x5 might be documented informally in a notepad and then shared at a toolbox meeting, but it isn’t just applicable to tradesmen. It’s equally useful for strategic management where, for example, a Board of Directors is making a decision or documenting the agreed decision. The discussion around a quick Stepback 5x5 to consider the bigger picture might reveal various issues.
The Team Leader’s 10 Questions
The ’10 questions’ are simply a checklist of questions designed to assess the level of risk and the relative risk of an activity.
Is this activity/project necessary to achieve organizational objectives?
Has an adequate risk analysis been done, and the measures identified to reduce the risk been implemented?
Are adequate contingency plans in place if things go wrong?
Have briefings and training been done, including for when things go wrong?
Are those involved in leading this activity experienced and qualified?
Are our people involved qualified and trained to participate in this activity?
Are our tools and equipment in good working order, well-maintained, and ready?
Has there been an adequate build-up of skills among the team before this activity?
Do I have checks to monitor and review the activity after it has launched and amend if necessary?
Am I, as the team leader or manager, satisfied we are prepared to do this activity/operation?
If the answer to any questions is NO – you and your team need to do more work before you press the go button!
Job Risk Analysis (JRA)
A JRA is a documented but abbreviated risk assessment most suited for repeatedly done tasks. At its simplest, it’s a one-page list of discrete process steps, with notes describing the potential risks and a list of mitigation strategies. You will also come across the same process described as a Job Hazard Analysis (JHA) or Job Safety Analysis (JSA); however, there is no fundamental difference between a JRA, JHA, or JSA.
Project Risk Assessment and Treatment Plan
According to the Project Management Body of Knowledge (PMBOK), a project is “a temporary endeavor undertaken to create a unique product, service or result.” 'Temporary' is one of the keywords in this definition. Accordingly, this risk assessment and risk treatment plan are designed to address risks for an endeavor with a bounded scope and duration. As such, the size and nature of a project risk plan is entirely dependent on the nature of the project. It’s worth noting that the cost or duration of the project is not the determining factor.
Formal Risk Assessment As the name suggests, a formal risk assessment involves a comprehensively documented risk assessment leading to an endorsed risk treatment plan. In this respect, it differs slightly from a project risk plan or job risk analysis. I’ve separated it out here between a Project Risk Assessment and Complex Risk Assessment because: a) it's the type of risk assessment that most managers will do in their working life, and b) although relatively sophisticated, it often has a defined scope, e.g., OHS Plan, Divisional risk plan, security plan, etc.
Complex Risk Assessment and Plan At this level, we’re starting to get into a new level of complexity. This is the domain of enterprise risk management or project risks on building a Mars mission. The risk management process remains the same, but before even attempting this, you absolutely must have the following elements in place:
An organizational risk management framework,
An adequate budget to complete the process, and
Management support at the highest levels.
So there you have it! The Risk Management Continuum - a tool for every job.
