Presented by: Chris Peace, Risk Management Ltd at OHSIG 2014, Wednesday 10/9/14, NZI Room 4, 1.15pm

1. 1
How did Goldilocks find out
about the bears?
Chris Peace!
Risk Management Ltd!
Wellington, New Zealand!
0064 4 389 2665!
0064 274 713 723!
chris.peace@riskmgmt.co.nz!
www.riskmgmt.co.nz
The
effec'veness
of
risk
assessments
in
informing
safety-­‐related
decisions
2
What is this thing called risk?
Origins of risk
Definitions from academic literature (N+1)
• Probabilities & expected values
• Events/consequences & uncertainties
Definitions from standards, codes and guidance
documents
• ISO31000, COSO ERM, PMBoK, IRGC, FAO/WHO/WOAH
Risk is the “effect of uncertainty on objectives”
• Takes account of uncertainty in
• Consequences
• Likelihood/probability of consequences
Agree definition with decision-makers before
starting

2. 3
What is this thing called risk
assessment?
Sources
• Academic are idiosyncratic! (N+1)
• ISO31000, COSO ERM, PMBoK, IRGC, FAO/WHO/WOAH
Definitions - the same problem (but worse)
• ISO31000 is risk identification, analysis and evaluation
• WTO gives two different definitions
• IRGC groups characterisation and tolerability together
• HSE 5 Steps
• “To do this you need to think about what might cause harm to people and
decide whether you are taking reasonable steps to prevent that harm”
4
Risk management process from ISO 31000
Establish the context
* external
* internal
* risk management
Establish risk criteria
Risk identification
Communication&consultation
Monitoring&review
Accept?
Risk analysis
* no controls
* with controls
Likelihood of
consequences
Risk evaluation
Risk treatment
Risk assessment
Yes
No
Risk management processes
IRGC
WTO, WOAH, FAO, IPPC
COSO ERM (limited)
IRGC
WTO, WOAH, FAO, IPPC
IRGC, HSE (hazard identification)
WTO, WOAH, FAO, IPPC (hazard)
COSO ERM
PMBoK
IRGC (risk estimation)
WTO, WOAH, FAO, IPPC (risk assessment)
COSO ERM (risk assessment)
PMBoK (qualitative & quantitative)
IRGC (tolerability & acceptability)
HSE
IRGC (tolerability & acceptability)
IRGC (risk reduction)
WTO, WOAH, FAO, IPPC(risk management)
COSO ERM (risk response)
PMBoK (risk responses)
IRGC
COSO ERM
HSE (review)

3. 5
What is an effective risk assessment?
No one set of agreed criteria
Best set structured on ISO31000 covers:
• planning the risk assessment
• establish the context, develop criteria
• communication and consultation
(continuous)
• risk identification
• risk analysis
• risk evaluation
• risk treatment (many options for best
results)
• monitoring and review (continuous)
6
Survey - processes and techniques
Which risk assessment processes do respondents use?
• in-house (ad hoc?) and ISO31000 dominate
Which risk techniques do respondents use?
• professional judgement
• context, C&C, identify, analyse, evaluate, treatments
• 5x5 matrix
• qualitative and quantitative
• but the research evidence … (see my website)
Do respondents discuss uncertainty?
• never 10%
• occasionally 27%
• about half the time 8%
• frequently 29%
• always 26%
45%

4. 7
Summary and conclusions
Risk assessors, decision-makers and stakeholders
don’t speak the same language [HASAWA NZ]
Overlaps and under-laps?
Corporate
Manufacturer Exporter Importer
RegulatorsSelf-regulation Standards bodies
Research
Good outcome Poor outcome
Good process
Good risk
management
Bad luck
Poor process Good luck
Poor risk
management
Developed by Risk Management Ltd
8
My next steps
Analyse survey data in detail
• 220+ responses
• 127+ from New Zealand
• mix of SHP and risk people
Case studies
• volunteers welcome!
• one to date shows poor process and poor outcome
Which process and !
techniques do you use?

5. 9
And the ending for Goldilocks?
Escape?
New best friends?
Or, eaten by the bears!
!
How much did she understand
the bears risks?
10
Visit www.riskmgmt.co.nz !
for working papers and !
information about !
training courses
Want to teach children
about risk? !
Buy the book