As published by the Certified Enterprise Risk Manager® (CERM) Academy, Issue #272.
Over the years we’ve heard many people state that a control cannot modify consequence – especially in the public health space. Well, we’ve been considering this a lot lately and we just want to put a common sense lens on this statement. Here we have a look at the importance of understanding your controls in context, and understanding what controls modify which part of the Likelihood x Consequence equation.
While contemporary drinking water quality management frameworks are all based on risk, and therefore fit with ISO 31000, there is one area where, if you as a practitioner are not careful, you could potentially ‘gloss over’ some key aspects of drinking water quality management. Drinking water quality risk management is all about the controls – with some of these controls being priority or critical to have in place. ISO 31000 does not provide much guidance on controls other than saying the following that:
- For risk identification – you should be identifying risks, whether or not the risk sources are under your control (Clause 6.4.2).
- In conducting your risk analysis – the effectiveness of your existing controls should be assessed (Clause 6.4.3).
It is therefore important to understand that you will need to match the control to the hazard and hazard event and that you will need to assess the effectiveness of the existing controls at that point in the water quality supply chain.
What Type of Control?
There are three main options for risk control:
- Controls that reduce the likelihood of the hazardous event or hazard.
- Controls that reduce the consequences of the hazardous event or hazard.
- Controls that reduce both likelihood and consequence.
The types of controls you will need to have in place will depend on their application to the source to end point (S2E) supply chain e.g.:
- Chlorine or UV disinfection as a critical control point at the treatment plant or a water quality responsibility handover point.
- System-wide controls such as document control, training, human resource management, materials and chemicals procurement, electricity/power management.
- Supporting programs such as vermin management and catchment management programs.
Can Consequence be Reduced?
In your risk assessment framework, it is sensible to set some rules around how you are defining and assessing controls e.g.:
- Ensure that key controls are identified and appropriate for the identified hazard and event.
- Ensure that controls are properly articulated.
- Ensure that controls are considered from a hierarchy perspective i.e. preventative (e.g. disinfection), reactive (e.g. procedures for corrections) or surveillance (e.g. types of monitoring).
- Acknowledge the importance of the key controls in mitigating risk e.g. chlorine disinfection for bacteria and some viruses, UV disinfection for protozoa.
- Assess effectiveness of controls together i.e. it is the group of controls in place for a hazard/event, that is being assessed, but acknowledging the importance of the key controls in mitigating risk.
When you assess the residual risk of the event, make it clear what the controls are modifying by adding in comments to the risk register so there is a history in place for the risk assessment review. Our table below shows some examples of the likelihood being modified, the consequence being modified and where controls are being considered as a whole, for the likelihood and consequence being modified.
So, if a familiar refrain in your risk assessments is: “But you can’t reduce consequence!”
Well, our answer is, “It depends!”
You need to apply a healthy dose of common sense. For the most part, it makes practical sense to consider controls for an event, as a whole and therefore, as a whole, it may be possible to reduce both the likelihood and consequence.
So, the next time you’re reviewing your risk register, make sure you apply a healthy dose of common sense and record the reasons why you have landed on the risk modification scores – because sometimes, you might be able to reduce consequence, or likelihood, or both!
Need help? The Risk Edge Group has a vast experience in undertaking and auditing water quality risk assessments. Learn more here
Annette Davison, Director and Principal, Risk Edge® Pty Ltd; Managing Director and Chief Risk and Product Officer, D2K Information Pty Ltd
Sarah Loder, Senior Risk Analyst, Risk Edge® Pty Ltd and Director and Principal, Praktik