ISO31000 and the risk management continuum…

Why risk management sometimes fails to get wide acceptance - and how to address that



There are many reasons why risk management often fails to get acceptance in a workplace, but one of the main ones is over-engineering it. Read on to find out how to provide staff with the sort of risk management tools that they will want to use – and thereby make time for the benefits of risk management generally.

“To the man who only has a hammer, everything he encounters begins to look like a nail.”
Abraham Maslow
I’d been in the room for about five minutes and I’d already heard Brian (not his real name) tell me at least three times in a variety of different ways that “this is a load of bullshit”, “I’m only talking to you because management said I have to” and “I’ve got real work to do!” 

“Not off to a good start,” I thought to myself. Brian was a mid-level manager at a high-security, high-risk, bio-hazard facility where I’d been asked to conduct a safety risk analysis. Brian’s attitude wasn’t typical of the people at this location – we were there to follow up on the findings of a coronial inquest – but it’s an attitude I’ve heard all too often in my career. It wasn’t that Brian was unmoved by the death of his co-worker, and he understood the ‘why’ of risk management, but he was a typical overworked manager who simply hadn’t been shown much in the way of ‘appropriate’ risk management. Spend enough time in risk management and you’ll hear a million variations of “I’m busy enough as it is and this stuff is too time-consuming to use in my day-to-day work anyway”. Even I will admit to having had this attitude to risk management many years ago, after having ill-conceived and impractical safety training rammed down my throat – until I discovered the risk management continuum.

Brian’s comments about risk management being too complicated were less a failure of risk management than a failure of imagination. In the end I managed to bring Brian around to being a fan of risk management (or at least to showing a little interest) which later translated into a few business changes in his department. Paraphrasing our discussion somewhat, these are the key points that we discussed:

  • There are any number of risk management processes, formats, standards and guidelines to choose from.
  • The trick is to use a tool of a size commensurate with the job.
  • You don’t need to do a series of workshops and a 100-page report to manage the risk of hanging a picture on an office wall. Neither do you want to write your organization’s five-year risk treatment plan on the back of an envelope.

It’s all about picking the right size tool for the job. Trying to apply every section of ISO31000 to risk-managing a staff training day is like trying to crack a walnut with a 20-tonne hydraulic press. Sure, you could do it, but you’ll spend a lot of time at it and you’re not likely to get an edible result. Over the years that I’ve been doing this, I’ve collected a grab bag of tools which, when put into context, give us a hierarchy of tools, or what I call ‘the risk management continuum’.

These tools range from the very simple to the very complex and take correspondingly different expertise, resources and time to do. At its simplest, you can do a risk assessment on crossing the road in a matter of seconds, while an enterprise risk plan may take a team of people several months to complete.

Before introducing the tools illustrated above, it’s worth emphasizing that these are only examples of tools that you might choose to use. Even if you like the concepts, there is no reason why you need to keep the names, but they could be a good place to start:

  • Take 2
  • Stepback 5×5
  • The Team Leader’s 10 Questions
  • Job Risk Analysis (JRA)
  • Project Risk Assessment and Treatment Plan
  • Formal Risk Assessment
  • Complex Risk Assessment

The book will spend many pages looking at the more involved risk tools on the continuum but here is a quick summary of the various tools.

Take 2
‘Take 2’ is simply an easy-to-remember name for the process of taking 2 minutes (metaphorically or literally) to consider the risks associated with an activity. It’s an ideal tool for a quick risk assessment before moving a filing cabinet or plugging in new equipment, for example. An individual might use it before pressing ‘Send’ on an email to their boss or a client, and spend two minutes considering the risks or opportunities (e.g. could this be a career-limiting move? Is this a good email to share with a colleague?). Equally, in a group activity someone might suggest, “hang on, let’s Take 2” before collectively moving a desk. In the latter example, the process of taking 2 might get the group thinking about moving some boxes out of the way or allocating someone to hold a door.

Stepback 5×5
Step back 5 paces (metaphorically or physically) and spend 5 minutes considering, discussing and documenting risks and risk treatments. A simple example would be two tradesmen drilling a hole to hang a whiteboard. A 5×5 might raise questions like:

  • Are there live wires, gas or water pipes behind this wall?
  • Will the plaster wall support the weight of this electric whiteboard?
  • If we put it on this wall, is it likely to be in the way of people passing through?
  • Do we have enough people to hold it up while we fasten it to the wall?

A Stepback 5×5 is something that might be documented informally in a notepad and then shared at a toolbox meeting, but it isn’t just applicable to tradesmen. It’s equally useful for strategic management where, for example, a Board of Directors is making a decision or even documenting the agreed decision. The discussion around a quick Stepback 5×5 to consider the bigger picture might reveal a host of issues.

The Team Leader’s 10 Questions
The ‘10 questions’ are simply a checklist of questions designed to assess the level of risk and the relative risk of an activity.

  1. Is this activity/project necessary to achieve organizational objectives?
  2. Has an adequate risk analysis been done, and have the measures that have been identified to reduce the risk actually been implemented?
  3. Are adequate contingency plans in place if things go wrong?
  4. Have briefings and training been done, including for when things go wrong?
  5. Are those involved in leading this activity experienced and qualified?
  6. Are our people involved qualified and trained to participate in this activity?
  7. Are our tools and equipment in good working order, well maintained and ready?
  8. Has there been an adequate build-up of skills among the team prior to this activity?
  9. Do I have checks in place to monitor and review the activity after it has launched, and to amend it if necessary?
  10. Am I, as the team leader or manager, satisfied that we are prepared to do this activity/operation?

If the answer to any of the questions is NO – you and your team need to do more work before you press the go button!

Job Risk Analysis (JRA)
A JRA is a documented but abbreviated risk assessment, most suited to tasks that are done repeatedly. At its simplest it’s a one-page list of discrete process steps, with notes describing the potential risks and a list of mitigation strategies. You will also come across the same process described as a Job Hazard Analysis (JHA) or Job Safety Analysis (JSA); however, there is no fundamental difference between a JRA, JHA or JSA.

Project Risk Assessment and Treatment Plan
According to the Project Management Body of Knowledge (PMBOK), a project is “a temporary endeavor undertaken to create a unique product, service or result”. ‘Temporary’ is one of the key words in this definition, and accordingly this type of risk assessment and risk treatment plan is designed to address risks for an endeavor with a clearly bounded scope and duration. As such, the size and nature of a project risk plan is entirely dependent on the nature of the project. It’s worth noting that the cost or duration of the project is not the determining factor.

Formal Risk Assessment
A formal risk plan involves, as the name suggests, a comprehensive documented risk assessment leading to an endorsed risk treatment plan. In this respect it is little different from a project risk plan or even a Job Risk Analysis. I’ve separated it out here, between a Project Risk Assessment and a Complex Risk Assessment, because a) it’s the type of risk assessment that most managers will do in their working life and b) although relatively sophisticated, it usually has a defined scope, e.g. an OHS plan, a divisional risk plan, a security plan, etc.

Complex Risk Assessment and Plan
At this level we’re getting into a whole new order of complexity. This is the domain of enterprise risk management or of project risks on the scale of building a space shuttle. The risk management process remains the same, but before even attempting this you absolutely must have the following elements in place:

  • An organizational risk management framework
  • An adequate budget to complete the process
  • Management support at the highest levels

So there you have it: the Risk Management Continuum, the secret of any craftsman’s success, having the right tool for the job.

This article is an excerpt from my upcoming book, Get the benefits of ISO 31000:2009 Risk Management fast. It’s not out yet, but you can find more articles on risk in my Knols or at my blog site.