RSR ENGINEERING COLLEGE

HEALTH, SAFETY AND ENVIRONMENTAL MANAGEMENT PRACTICES

(20A01705)
(Open elective course – IV)
UNIT – V
Risk Assessment And Management:
Risk is the chance that the outcome differs from what is expected. Usually, when we talk
about business risk, we are referring to possible negative impact and consequences of an
event or decision.
In business, there will always be a certain degree of risk that any organization must face to
achieve its goals. At the essence, risk is a fundamental requirement for growth,
development, profit and prosperity. In a broad range of every business industry, including
healthcare, finance, accounting, technology and supply chain, effectively managed
risks provide pathways to success. But like any path, you need to know all the
divots, detours, and dangers along the way.
Even though risks are a part of doing business, we must find ways to identify and manage
those risks swiftly and effectively since they can often develop out of nowhere, creating the
possibility for greater risks and damages. It is crucial to find ways to manage risks with the
goal of minimizing their threats and maximizing their potential.
Risks come from a variety of sources, which include the following:
 Uncertainties in financial markets and the economy.
 Threats associated with project failures at any phase, which includes design,
development, production, or maintenance of life cycles.
 Legal liabilities.
 Credit risk.
 Threat of natural or man-made disasters.
 Security and cybersecurity risk.
 Impact of uncertain or unpredictable events, such as a pandemic.
 Competitive risk. `
 Fallout from a company’s damaged reputation.
 Compliance risk.
 Third-party risk that comes with relying on external suppliers and vendors.
Risk Management
“The purpose of risk management is not to change the future, not to explain the past.”
– Dr. Dan Borge, a financial expert and former aeronautical engineer who designed
the RAROC risk-management system and wrote The Book of Risk.
Instead, cybersecurity risk management is the overarching umbrella when it comes risk. It
includes both risk assessment and risk analysis.
Management involves the identification, analysis, evaluation, and prioritization
of current and potential risks. This allows you to address loss exposures, monitor risk control
and financial resources in order to minimize possible adverse effects of potential loss.
Further, solid risk management strategies within your business model give you the ability to
maximize the realization of available opportunities to avoid risk.
Risk Assessment
Risk assessment helps you identify and categorize risks. Plus,
it provides an outline for potential consequences.
Risk assessment definition: an analysis involving processes and technologies that
help identify, evaluate and report on any risk-related concern. According to NIST 800-30,
risk assessment is a “key component” of the risk management process and is primarily
focused on the identification and analysis phases of risk management.
If we take the example of a security risk assessment, it involves the following steps:
 Identify the critical assets and sensitive data,
 Build a risk profile for each asset,
 Determine cybersecurity risks for each asset,
 Mapping how critical assets are linked,
 Prioritize which assets to address in case of a security threat,
 Create a mitigation plan with security controls to eliminate or mitigate the impact
of each risk,
 Continually monitor risks, threats, and vulnerabilities.
Risk Picture – Definition & Characteristics:
The term 'risk' is according to international standards (such as ISO 2002) 'combination of the
probability or an event and its consequence'. Other standards, like ISO 13702 (ISO 1999b),
have a similar definition: 'A term which combines the chance that a specified hazardous
event will occur and the severity of the consequences of the event.'

Risk may be expressed in several ways, by distributions, expected values, single probabilities
of specific consequences, etc. Most commonly used is probably the expected value.

An operational expression for practical calculation of risk is the following, which underlines
how risk is calculated, by multiplying probability and numerical value of the consequence for
each accident sequence i, and summed over all ( I) potential accident sequences:

(2.1)
where:

 p = probability of accidents

 C = consequence of accidents

This formula expresses risk as an expected consequence. The expression may also be
replaced by an integral, if the consequences can be expressed by means of a continuous
variable.

A "risk picture" generally refers to the comprehensive view or representation of risks that an
organization or project may face. It involves identifying, analysing, and visualizing various
risks to understand their potential impact and likelihood. Here are some key characteristics
and components of a risk picture:
1. Identification of Risks: The risk picture begins with the identification of potential risks. This
involves recognizing internal and external factors that could negatively impact the
achievement of objectives.

2. Risk Categories: Risks can be categorized in various ways, such as strategic, operational,
financial, compliance, and reputational. The risk picture often includes an overview of risks
across these categories.

3. Risk Descriptions: Each identified risk should be clearly described, detailing its nature,
potential consequences, and factors contributing to its occurrence.

4. Likelihood and Impact Assessment: Risks are assessed based on their likelihood of
occurring and the potential impact if they do. This helps prioritize risks and focus mitigation
efforts on those with the highest potential impact.

5. Risk Ratings or Scores: Some organizations use a numerical or qualitative scale to assign
risk ratings or scores to each identified risk. This helps in prioritizing and comparing risks in a
standardized manner.

6. Mitigation Strategies: The risk picture may include proposed or implemented mitigation
strategies for each identified risk. These strategies outline how the organization plans to
reduce the likelihood or impact of the risk.

7. Monitoring and Reporting: A dynamic risk picture involves continuous monitoring of risks
and regular reporting to stakeholders. This ensures that the risk picture remains current and
reflects the evolving nature of risks.

8. Dependencies and Interconnections: Risks are often interconnected, and the risk picture
may illustrate the dependencies between different risks. Understanding these relationships
is crucial for effective risk management.

9. Scenario Analysis: In addition to individual risks, the risk picture may incorporate scenario
analysis, which explores how multiple risks could manifest together and their combined
impact on the organization.
10. Communication: The risk picture is a communication tool that helps stakeholders,
including management and decision-makers, understand the overall risk landscape. It should
be presented in a format that is clear, concise, and easily understandable.

11. Adaptability: The risk picture is not static; it should be updated regularly to reflect
changes in the business environment, project scope, or other relevant factors.

In summary, a risk picture provides a holistic view of an organization's risk landscape, aiding
in informed decision-making and proactive risk management. It serves as a valuable tool for
organizations to understand, prioritize, and respond to potential challenges and
uncertainties.
Risk acceptance criteria are predefined standards or thresholds that an organization or
project establishes to determine when a risk is deemed acceptable or unacceptable. These
criteria help guide decision-makers in assessing whether a particular risk requires further
action, such as risk mitigation, transfer, or avoidance. Here are key aspects and
considerations related to risk acceptance criteria:

1. Definition of Tolerance Levels: Risk acceptance criteria define the acceptable levels of risk
for specific factors such as cost, schedule, performance, or other project objectives. For
example, an organization might establish that a cost overrun of no more than 10% is
acceptable.

2. Alignment with Objectives: The criteria should be aligned with the overall objectives and
goals of the organization or project. They help ensure that risks are evaluated in the context
of what is acceptable within the broader strategic framework.

3. Stakeholder Involvement: The criteria should take into account the perspectives and risk
tolerances of relevant stakeholders. Different stakeholders may have varying levels of risk
tolerance, and their input can influence the establishment of acceptance criteria.

4. Quantitative and Qualitative Measures: Risk acceptance criteria can be quantitative

(numeric thresholds) or qualitative (descriptive). For example, a quantitative criterion might
specify a maximum allowable delay in project completion, while a qualitative criterion might
express that any risk posing a threat to safety is unacceptable.
5. Legal and Regulatory Compliance: Consideration of legal and regulatory requirements is
crucial. Some risks may be non-negotiable due to legal or regulatory constraints, making
them automatically unacceptable.

6. Risk Appetite and Culture: Risk appetite, which reflects an organization's willingness to
take risks to achieve its objectives, should be considered when setting risk acceptance
criteria. The organizational culture, including its approach to risk, can also influence these
criteria.

7. Cost-Benefit Analysis: Assess the cost of mitigating a risk against the potential impact of
the risk occurring. If the cost of mitigation exceeds the potential loss, the risk may be
deemed acceptable.

8. Documentation and Communication: Clearly document the risk acceptance criteria and
communicate them to relevant stakeholders. This ensures that decision-makers and team
members are aware of the standards used to evaluate risks.

9. Periodic Review: Risk acceptance criteria are not static and should be periodically
reviewed and updated. Changes in project scope, external factors, or organizational
priorities may necessitate adjustments to the criteria.

10. Decision-Making Process: Clearly outline the decision-making process for accepting or
rejecting risks based on the established criteria. This helps streamline decision-making and
ensures consistency in risk management practices.

By defining risk acceptance criteria, organizations provide a framework for evaluating risks in
a systematic and consistent manner. This facilitates more effective decision-making and
helps ensure that risks are managed in alignment with organizational objectives and
stakeholder expectations.

Quantified Risk Assessment (QRA) is a systematic process of assessing and analysing risks by
assigning numerical values to various aspects of the risk, such as likelihood and impact. This
approach provides a more quantitative understanding of risks, enabling organizations to
prioritize and manage them based on a numerical scale. Here are the key components and
steps involved in quantified risk assessment:
1. Identification of Risks:
- Identify and list potential risks that may impact the organization or project.

2. Risk Parameters:
- Define specific parameters for each identified risk, including the potential consequences
(impact) and the likelihood of occurrence.

3. Data Collection:
- Gather relevant data and information to support the quantification of risk parameters.
This may involve historical data, expert opinions, industry benchmarks, or other sources.

4. Quantitative Measures:
- Assign numerical values to the identified risk parameters. This often involves using scales
or metrics to quantify the likelihood (probability) and impact (severity) of each risk.

5. Risk Calculation:
- Calculate the overall risk for each identified risk by multiplying the likelihood and impact
values. This calculation may result in a risk score or index.

6. Risk Ranking and Prioritization:

- Rank the risks based on their calculated scores to prioritize them. This step helps identify
the most significant and critical risks that require immediate attention.

7. Sensitivity Analysis:
- Conduct sensitivity analysis to assess how changes in the input parameters (likelihood,
impact) affect the overall risk assessment. This helps identify which factors have the most
significant influence on the results.

8. Cost-Benefit Analysis:
- Evaluate the potential costs associated with each risk and compare them to the costs of
implementing risk mitigation measures. This analysis helps in making informed decisions
about which risks to address and to what extent.
9. Scenario Analysis:
- Explore different scenarios by adjusting the input parameters to understand the potential
range of outcomes. This provides a more comprehensive view of the uncertainties
associated with the risks.

10. Decision-Making:
- Use the quantified risk assessment results to make informed decisions about risk
management strategies. This may involve accepting, mitigating, transferring, or avoiding
risks based on their quantified values.

11. Documentation and Communication:

- Document the quantified risk assessment process, including the data, assumptions, and
calculations. Communicate the results and recommended actions to relevant stakeholders.

Quantified Risk Assessment is particularly useful in complex projects or industries where a

more precise understanding of risks is required. By assigning numerical values, organizations
can prioritize their efforts and allocate resources more effectively to address the most critical
risks. However, it's essential to recognize the limitations and uncertainties associated with
quantitative risk assessments, as they often rely on assumptions and historical data that may
not perfectly capture future uncertainties.
Hazard assessment is a systematic process of identifying, evaluating, and understanding the
potential hazards that could cause harm to people, property, the environment, or an
organization's operations. This assessment is a fundamental step in risk management and is
crucial for establishing effective safety measures and controls. Here are key components and
steps involved in hazard assessment:

1. Hazard Identification:
- Identify and list all potential hazards that could pose a threat. Hazards can be physical,
chemical, biological, ergonomic, or psychosocial in nature.

2. Hazard Classification:
- Classify identified hazards based on their nature and characteristics. For example, hazards
may be categorized as biological, chemical, physical, ergonomic, or safety-related.
3. Risk Assessment:
- Assess the risks associated with each identified hazard. This involves evaluating the
likelihood of the hazard causing harm and the potential severity of that harm. The goal is to
understand the level of risk posed by each hazard.

4. Consequence Analysis:
- Evaluate the potential consequences of exposure to each hazard. This analysis may
consider the impact on human health, the environment, property, and the overall operation
of the organization.

5. Likelihood Analysis:
- Assess the likelihood of the identified hazard manifesting and causing harm. This analysis
may consider factors such as frequency, duration, and intensity of exposure.

6. Risk Matrix:
- Use a risk matrix or similar tool to visually represent the combination of likelihood and
consequence assessments. This matrix helps prioritize hazards based on their level of risk.

7. Hierarchy of Controls:
- Identify and implement controls to mitigate or eliminate the risks associated with each
hazard. The hierarchy of controls includes measures such as elimination, substitution,
engineering controls, administrative controls, and personal protective equipment.

8. Documentation:
- Document the hazard assessment process, including the identified hazards, risk
assessments, and control measures. This documentation serves as a reference for ongoing
safety management.

9. Review and Update:

- Regularly review and update the hazard assessment to account for changes in the
workplace, processes, or external factors. New hazards may emerge, and existing controls
may need adjustment.
10. Employee Involvement:
- Involve employees in the hazard assessment process. They often have valuable insights
into the day-to-day operations and can contribute to identifying hazards and suggesting
practical control measures.

11. Compliance with Regulations:

- Ensure that the hazard assessment process complies with relevant safety and health
regulations and standards. Different industries and regions may have specific requirements
for hazard assessments.

12. Communication:
- Communicate the results of the hazard assessment to all relevant stakeholders, including
employees, contractors, and management. Clear communication is essential for fostering a
safety-conscious culture.

Hazard assessment is an ongoing process that plays a crucial role in creating and maintaining
a safe and healthy work environment. By systematically identifying and addressing hazards,
organizations can minimize the risk of incidents and injuries, promoting the well-being of
individuals and the sustainability of operations.

Fatality risk assessment is a process that involves identifying, evaluating, and understanding
the potential risks of fatalities associated with specific activities, processes, or situations.
This type of risk assessment is particularly critical in industries and contexts where there is a
heightened potential for serious harm or loss of life. Here are key components and steps
involved in a fatality risk assessment:

1. Identify Activities and Processes:

- Clearly define the activities, processes, or scenarios for which the fatality risk assessment
will be conducted. This could include specific tasks, operations, or situations within an
organization.

2. Hazard Identification:
- Identify and list potential hazards associated with the identified activities. Hazards that
can lead to fatal outcomes should be prioritized. Hazards could include physical, chemical,
biological, ergonomic, or psychosocial factors.
3. Determine Exposure:
- Assess the likelihood and extent of exposure to each identified hazard. Consider factors
such as the frequency, duration, and intensity of exposure, as well as the number of
individuals at risk.

4. Consequence Analysis:
- Evaluate the potential consequences of exposure to each hazard, focusing on the severity
of the outcomes. In the context of fatality risk assessment, the consequences are typically
severe and may involve loss of life.

5. Risk Assessment:
- Combine the likelihood and consequence assessments to determine the overall risk
associated with each hazard. This often involves using a risk matrix or similar tool to
categorize risks based on their severity.

6. Hierarchy of Controls:
- Identify and implement controls to mitigate or eliminate the risks associated with each
hazard. The hierarchy of controls includes measures such as elimination, substitution,
engineering controls, administrative controls, and personal protective equipment.

7. Critical Task Analysis:

- Analyze critical tasks that have the highest potential for fatal outcomes. This involves a
detailed examination of each step of the task to identify and address potential risks.

8. Scenario Analysis:
- Explore different scenarios by considering variations in conditions or factors that could
affect the fatality risk. This helps in understanding the range of possible outcomes and
refining risk mitigation strategies.

9. Review and Update:

- Regularly review and update the fatality risk assessment, especially when there are
changes in the workplace, processes, or external factors. New hazards may emerge, and
existing controls may need adjustment.
10. Documentation:
- Document the entire fatality risk assessment process, including hazard identification, risk
assessments, control measures, and critical task analyses. Proper documentation is essential
for reference and regulatory compliance.

11. Training and Awareness:

- Ensure that employees and relevant stakeholders are trained and aware of the fatality
risks associated with specific activities. Training programs should include information on
proper safety procedures and the use of controls.

12. Emergency Preparedness:

- Develop and implement emergency response plans specific to the identified fatality risks.
This includes procedures for immediate response and communication in the event of a
critical incident.

Fatality risk assessments are crucial for organizations to proactively address potential threats
to human life. By systematically analyzing and mitigating these risks, organizations can create
a safer work environment and prevent severe consequences. Compliance with safety
regulations and standards is often a key consideration in fatality risk assessment processes.
Risk management involves the identification, assessment, and mitigation of potential risks to
achieve organizational objectives. Here are some key principles and methods commonly
employed in risk management:

Principles of Risk Management:

1. Integration with Organizational Objectives:

- Align risk management activities with the overall objectives and strategies of the
organization. Ensure that risk management contributes to the achievement of business
goals.

2. Comprehensive Approach:
 - Adopt a holistic and comprehensive approach to risk management. Consider risks across
all aspects of the organization, including strategic, operational, financial, and compliance-
related risks.

3. Risk Culture:
- Foster a risk-aware culture within the organization. Encourage open communication
about risks, and ensure that all employees understand their role in identifying and managing
risks.

4. Customization:
- Tailor risk management processes to the specific characteristics and needs of the
organization. Recognize that different industries, sectors, and organizations may face unique
risks.

5. Continuous Improvement:
- Embrace a mindset of continuous improvement in risk management processes. Regularly
review and enhance risk management strategies based on lessons learned and changing
circumstances.

6. Informed Decision-Making:
- Integrate risk information into decision-making processes. Ensure that decision-makers
have access to relevant risk data to make informed choices.

7. Transparent Communication:
- Foster transparent communication about risks, both internally and externally. This
includes communicating with stakeholders about the organization's risk management
practices and the status of key risks.

Methods of Risk Management:

1. Risk Identification:
- Systematically identify and document potential risks that could affect the achievement of
objectives. This involves engaging stakeholders, conducting workshops, and utilizing various
tools such as checklists and brainstorming sessions.
2. Risk Assessment:
- Evaluate the likelihood and impact of identified risks. This often involves using qualitative
or quantitative methods to prioritize risks based on their significance.

3. Risk Mitigation:
- Develop and implement strategies to mitigate or control identified risks. This may include
risk avoidance, risk reduction, risk sharing (such as insurance), or acceptance of certain risks.

4. Monitoring and Review:

- Establish a system for ongoing monitoring of risks. Regularly review and update risk
assessments to reflect changes in the organization's environment, operations, or risk
landscape.

5. Scenario Analysis:
- Conduct scenario analysis to explore potential future events and their impact on the
organization. This helps in preparing for a range of possible outcomes.

6. Risk Reporting:
- Develop a robust reporting mechanism for communicating risk information to relevant
stakeholders. Reports should be clear, concise, and tailored to the needs of different
audiences.

7. Key Risk Indicators (KRIs):

- Implement Key Risk Indicators to provide early warning signals of potential risks.
Monitoring KRIs helps in proactively managing risks before they escalate.

8. Risk Management Framework:

- Establish a formal risk management framework that outlines the policies, procedures,
and responsibilities related to risk management. This framework provides a structured
approach to managing risks.

9. Technology and Analytics:

 - Leverage technology and data analytics tools to enhance risk management capabilities.
This includes using risk management software, predictive analytics, and other technological
solutions.

10. Regulatory Compliance:

- Ensure that risk management practices comply with relevant laws, regulations, and
industry standards. Compliance is crucial for avoiding legal issues and maintaining the
organization's reputation.

By adhering to these principles and methods, organizations can develop effective risk
management strategies that contribute to resilience, sustainable growth, and the
achievement of strategic objectives.