The concept of risk profiling is not a new one. Its application is found in a wide range of disciplines from business risk management, such as financial and insurance, to medicine (including genetics) and science. Risk profiling has even been used to profile passengers in an attempt to use risk based approaches to improve airport security.
According to the International Standards Organisation (ISO) Guide 73:2009 Risk Management. Vocabulary: “A risk profile is a description of a set of risks… The set of risks can contain those that relate to the whole organisation, part of the organisation, or as otherwise defined.”
Therefore, a risk profile can include the risks that the entire organisation must manage or only those that a particular function or part of the organisation must address.
The publication of the revised guidance document HGS65 Managing for Health and Safety by the Health and Safety Executive (HSE) in 2013 establishes the concept of risk profiling in health and safety management. The revised guidance explains the Plan, Do, Check, Act model (Deming Cycle) for a health and safety management system (SMS). According to the guidance, this approach achieves a balance between systems and management, treating health and safety as an integral part of good management, rather than a stand-alone safety management system. This is important because it acknowledges that health and safety risks are part of the overall risk profile of an organisation, and there is tacit acknowledgment of the interconnectedness of risks. Profiling an organisation’s health and safety risks comes within the “Doing” part of the SMS cycle.
Many organisations seek to implement and certify management system standards. Annex SL (previously ISO Guide 83) describes a framework for a generic management system, with the objective of delivering consistent and compatible management system standards applying to full ISO Standards, Technical Specifications (TS) and Publicly Available Specifications (PAS). Annex SL favours a risk profiling approach. (See our feature article Annex SL and the PDCA Cycle).
What is risk profiling?
Risk profiling is a systematic and structured approach to risk management which, if done correctly, should provide organisations with a detailed picture of all the risk elements of its operations, the effectiveness of the controls in place to mitigate the risks, as well as a framework for assurance and monitoring its higher risk priorities.
Organisations’ “appetite” for risk will differ considerably and this may be partly a function of the size and complexity of the organisation, driven by the operations and processes it conducts, as well as the culture of the organisation. Some organisations may be willing to accept or retain risk, others may seek to implement risk management strategies to reduce or control, transfer or avoid risk.
Every organisation will have its own risk profile: this is the starting point for determining the health and safety issues facing the organisation. In some organisations, the risk profile will consist of tangible and immediate safety hazards, while in others the risks may be longer term health-related risks, and it may be a long time before illness becomes apparent. Clearly, some organisations, such as those in the construction industry, may have a mixture, spanning both immediate and chronic hazards.
A risk profile should contain:
- A summary of the key strategic and operational health and safety risks for an organisation
- Quantification of these risks, in terms of likelihood and potential impact
- Identification of the current controls, their effectiveness and improvement potential
- Identification of any controls not yet in place and any (new) emerging risks with plans on how to deal with them
- A framework for monitoring and assurance, including a prioritised action plan with recommendations for improvements to address weaknesses with further controls and/or mitigation.
The range of risks normally includes quality (of product or services), environmental, injury, ill health and assets damage. Pure health and safety risks generally range from low hazard high frequency, e.g. slips on floors, to high hazard low frequency events, such as an oil refinery explosion, with the latter being at the top of the risk profile priority.
According to the HSE, the outcomes of risk profiling will be that:
- The right risks have been identified and prioritised for action
- Minor risks will not be given too much priority
- The level of risk will be reduced to that which is acceptable
- Paperwork and bureaucracy will be kept to the minimum necessary
- Performance will be reviewed and lessons learned.
What is the process?
The HSE provides guidance in HSG65 on what it considers to be the key actions in effective risk profiling, which make explicit the actions required of leaders (ownerships and responsibility) and managers (operational and process) to identify and quantify the strategic and operational risk of the organisation.
Risk profiling involves gathering information about operations and process, using existing risk assessments, and risk assessment methodology to evaluate risks, and developing a suitable means for monitoring and providing assurance. Some organisations use risk registers to enable them to document and monitor key risks.
Those who undertake risk assessments need to be competent to do so. While some organisations may choose to use external expertise to help them develop their risk profile, anyone doing so must have a broad knowledge of the entire organisation and have risk management expertise.
Risk information generated from interviews, e.g. with directors, senior managers, operational managers and staff, and from workshops needs to be confirmed, and ranked, and together with other data (e.g. risk assessments) should form the basis of an overall risk profile.
According to James Stapleton in his 2011 report, Lessons Learned from the London 2012 Games Construction Project: Health and Safety Risk Profiling, health and safety risk profiling contributed to the positive safety culture of the London 2012 programme, and promoted careful planning and safe delivery during the construction project.
A health and safety profile for construction works planned over three months was developed, using the following plan.
- Gathering information
- Project teams on planned work over a three-month construction period were spoken to about their work.
- The data captured was analysed and for each project a summary of 12-15 key tasks were identified as taking place over the next 90 days.
- The health and safety hazards anticipated from these planned tasks were then assessed.
- Risk assessment of future works
- A risk assessment was undertaken for each task.
- Risk assessments highlighted key hazards, such as the transporting of mechanical and engineering materials to high level working platforms.
- A key monitoring check was put in place to ensure that, in the example above, a safe system was in place to transport the materials mechanically to avoid manual handling.
- Relevant parties were consulted throughout the risk assessment process.
- Compliance review schedule
- A weekly compliance review schedule was developed.
- A list of example checks to follow was produced and documented on the compliance review schedule.
- Monitoring was undertaken and the schedule was updated when actions were completed and closed off, or altered to reflect changes to construction schedules.
Mr Stapleton notes that there were a number of benefits to health and safety risk profiling including providing a focus to the assurance team, anticipating and planning to minimise risk, as well as the identification of key risk themes.
Risk profiling can be a time consuming and resource-intensive process and, as with any technique, the outputs will only be as good as the information gathered, the competence of those involved, the methodology used to validate the process, and the commitment of those responsible for leading organisations.
The key benefits of health and safety risk profiling are that it can be used to focus on the real risks facing an organisation, and as such can be outcome driven, helping to increase ownership by the responsible persons. Health and safety professionals can play an important role in the risk profiling process, particularly if they have a good a good working knowledge of their organisation, combined with suitable risk management expertise.
Finally, it should be noted that health and safety risk profiling does not stand alone from the bigger risk profile of an organisation; risks are often interconnected and cannot be considered in isolation. Risk profiles need to be actively monitored, as internal as well as external changes may affect the dynamic profile.