According to the definition in ISO 31000, risk is the impact of uncertainty on [achieving] your objectives. Of course, this impact can be both negative or positive. ISO 31000 states the following:
“Clause 6.4.2 Risk identification: The organisation should identify risks, whether or not their sources are under its control.
Clause 6.4.3 Risk analysis: The effectiveness of existing controls.”
Understanding what controls you need to have in place to prevent or minimize negative and optimise positive outcomes, underpins an effective, objective-based risk management culture. So, taking another look at the clauses above, ISO 31000 is directing you first to understand your risks (the context) and then based on that context, identify your required controls (or lack thereof), and determine how effective those controls are in achieving your objective
Why does this matter?
Well, ISO 31000 provides little guidance on controls, other than Clause 6.4.2 and 6.4.3. So, you’re going to have to understand your operating context and objectives to understand your external and internal expected standard of care for controls. While each industry will be different, here’s an approach that applies globally, helps focus the identification of controls, and facilitates where they apply in a risk event’s journey.
Types of controls
A control is any measure or action that modifies or regulates risk, so in identifying controls, it is necessary to consider both the risk source, and the impact on achieving your objectives, to identify appropriate controls.
In risk management, controls are often thought of in terms of their hierarchy i.e. elimination, substitution, engineered controls, administrative controls and personal protective equipment – with that order going from most to least effective. In fact, any control that relies on a human input, is considered less reliable.
We present an example for each of these categories, as applied to drinking water quality risk management, in Davison (2020). While these categories of controls are useful, they do not help to articulate where they sit in the risk event’s journey, which is why we developed the following categories: preventive, detective, reactive, supportive and informative.
Each category, in one word, clearly shows how it supports risk management. We provide a definition and examples of each in the following table.
|Controls applying at the start of the risk journey, to prevent the source of hazard or exposure pathway occurring.
|Infiltration zone exclusion for prevention of pathogens entering groundwater.
Exclusion of trade waste emitters of specific hazards, for which treatment is unavailable or would make the objectives for the system unattainable (becoming of increasing importance as the world moves towards closing the loop and embracing the circular economy).
Hygiene maintenance of facility plumbing systems.
|Controls which are used to monitor whether a source is present or, a proliferation event or an exposure event have occurred.
|Observational monitoring of fencing integrity in catchments to identify breaches.
Real-time monitoring of ground water or sewage networks to detect specific hazards, which signal increased risk
|Controls which can be used to bring an uncertain situation back into control such as planned corrections on a monitoring trigger.
|Restoration of fencing integrity.
Disinfection or inactivation practices for pathogens that have penetrated the preventive barrier, such as corrective hyperchlorination or chemical cleaning of systems.
|Controls which are fundamental to the correct operation of the risk management system overall such as databases and systems to increase efficiency.
|SCADA historians and LIMS (laboratory information management systems) for data repository.
Document management systems for storage and retrieval of procedures, and records.
Customer record management systems.
|Controls which can be used to create awareness of a situation such as reports, education and signage.
|Well-designed user interfaces, user experience and automated intelligence for provision of real-time knowledge to a specific end user level, from board to boots on ground.
Training (across all organisational hierarchies – tailored to the roles and responsibilities of each) and signage to reinforce messaging (internal and external stakeholders, such as where recycled water is being used at a site).
what is in it for me?
We have found that by doing the following, people are more engaged with the whole process:
- Paying more attention to the risk objective.
- Clearly articulating the risk framing (what can happen, what impact does it have when it happens (type and level), what hazard (contaminant) does the event introduce)
- Identifying each relevant control and assigning it to a control category.
- Recording notes on the thinking at the time.
- Improved clarity for all stakeholders in understanding their own role, in protecting the objectives of the organisation (in a way that simply mashing all controls together, does not).
- Gaps in controls are clearly identified.
- While not every event has to have a control that fits in all categories, our approach clearly shows if gaps exist, the importance of the controls that are in place and whether the gaps do indeed, need to be filled (facilitating risk treatment identification).
- Simple but effective approach in improving risk communication.
- Improved confidence in whole of system risk management.
- Improved capture of history (invaluable for risk reviews).
It’s a very simple, but effective approach, creates confidence, effectively improves overall risk literacy and culture and essentially makes everyone in the organisation a risk manager – for all of the organisation’s objectives.
Dr Annette Davison (The Water Risk Doctor®) is a peer-recognised expert in risk assessment, training, monitoring, auditing and water quality information management. Click here if you would like a free 30 min risk-chat with Annette.
Dr Annette Davison, Director and Principal Risk Analyst, Risk Edge Pty Ltd;
#riskcommunication #riskmanagement #evidencebaseddecisions #ISO31000