Top six list of practical tips for good hazard management.
1. There is no such thing as a closed hazard. A lot of commercial tools and company practices for tracking hazards include an entry for hazard status, with the final state being closed. There really isn’t any such state. After you’ve identified a hazard, there is always a next action that needs to be taken. For a newly identified hazard, the next action is to assess the risk. For a hazard with known risk, the next action is to choose a mitigation. Then the next action is to make sure the mitigation actually happens. Then the next action is to determine whether the risk is now acceptable. Then the next action is to put in place mechanisms for ensuring the risk stays acceptable. Then the next action is to review whether the monitoring system is actually working. Throughout the life of a system, for every hazard you should always know what the next action is, when that action is due, and whose responsibility it is. Even if a hazard has been transferred to someone else, it isn’t closed. There is still a next action to periodically check that the other person is managing the hazard. There have been cases where hazards have been transferred to organisations that have then gone out of business, leaving no one owning the hazard.
2. Once the risk associated with a hazard has been estimated, it should never be changed without evidence. The easiest way to change an unacceptable risk into an acceptable risk is by crossing out the old estimate and writing a new one. In some cases that temptation is simply too dangerous. If you believe that the original estimate was wrong, then you should be able to produce data which backs up your belief. If you can’t produce that data, you’ve no reason to place your judgement ahead of someone else’s. This guideline includes a message for people doing the original risk assessment as well. If you don’t know the answer, then label it as tentative and create an action for someone to follow up.
3. There’s no practical benefit to distinguishing pre- and post-mitigation risk. A lot of hazard logs ask you to record the risk before mitigation, and the risk after. This results in all sorts of arguments about which mitigations are pre-existing, and which ones are the new ones. It’s all irrelevant. There is no system of risk acceptance where the acceptability of a risk is determined by how much the risk has been reduced from its original level. What matters is how much risk there is now, and whether there is anything that can reasonably be done to reduce the risk further.
4. Hazards are an engineering construct for the management of risk. They aren’t a real physical thing. This means that there is no universally agreed definition of a hazard, and that there is no single correct list of hazards for any system. The key is to define hazards at a level that makes them useful to manage. A good rule of thumb is that all of the hazards should be able to be discussed in a single meeting. If you have hundreds of hazards, then they are too detailed. If you have one or two hazards, they are too abstract.
5. Probability and severity are not actually numbers. The underlying reality is that there is a probability distribution of outcome severities. For convenience, we often use single point estimates of probability and severity as a shorthand for this underlying distribution. Most of the time this is the most sensible thing to do, because we don’t actually know what the probability distribution looks like anyway. However, we get into trouble if we forget what the reality is. The most common time this happens is when people are arguing about the severity of a hazard. We are never trying to find the worst possible outcome – for all hazards the worst possible outcome is total destruction of human civilisation, it just has a very low probability. What we are trying to do is find a point on the probability distribution where the vast majority of the area under the curve is to the left of that point. If we remember this, it is much easier to usefully prioritise hazards rather than classify everything as catastrophic.
6. Every assumption creates an obligation for somebody. When you perform any sort of hazard identification or risk assessment, you make assumptions, and you should record them. Every assumption then becomes a task for someone to go and make sure that the assumption is true, or becomes true, and another task for someone to make sure that the assumption stays true.
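As an added illustration that is not part of the original list, here is a small Python hazard register that enforces tips 1, 2 and 6 as invariants: a hazard is never closed, only given a next action with an owner and due date; a risk estimate changes only when evidence is attached; and every recorded assumption spawns a verify task and a keep-it-true task. Class names and sample values are my own constructs.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

# Hypothetical register (not a real tool's schema) encoding three of the tips above.

@dataclass
class Action:
    description: str
    owner: str
    due: date

@dataclass
class Hazard:
    title: str
    next_action: Action                      # mandatory: there is no closed state (tip 1)
    risk: Optional[str] = None               # e.g. "intolerable", "tolerable", "tentative"
    history: list = field(default_factory=list)   # (risk, evidence) pairs, never overwritten
    tasks: list = field(default_factory=list)     # obligations created by assumptions (tip 6)

    def set_risk(self, new_risk: str, evidence: Optional[str] = None) -> None:
        """Change the estimate only with evidence; the first estimate needs none (tip 2)."""
        if self.risk is not None and not evidence:
            raise ValueError("risk estimate cannot be changed without evidence")
        self.history.append((new_risk, evidence or "initial estimate"))
        self.risk = new_risk

    def complete_action(self, follow_up: Action) -> None:
        """Finishing an action is only allowed by naming the next one (tip 1)."""
        self.next_action = follow_up

    def record_assumption(self, text: str, owner: str, due: date) -> None:
        """Each assumption creates two obligations: make it true, keep it true (tip 6)."""
        self.tasks.append(Action(f"verify assumption: {text}", owner, due))
        self.tasks.append(Action(f"monitor that assumption still holds: {text}", owner, due))

def open_actions(hazards: list) -> list:
    """Every hazard always appears here with its pending action; nothing is filtered as closed."""
    rows = [(h.title, h.next_action.description, h.next_action.owner, h.next_action.due)
            for h in hazards]
    rows += [(h.title, t.description, t.owner, t.due) for h in hazards for t in h.tasks]
    return rows

if __name__ == "__main__":
    # Constructed sample hazard, used only to show the register in action.
    h = Hazard("loss of brake pressure", Action("assess risk", "alice", date(2024, 1, 31)))
    h.set_risk("intolerable")
    h.complete_action(Action("choose mitigation", "alice", date(2024, 2, 14)))
    h.record_assumption("operators are trained", "bob", date(2024, 2, 28))
    for row in open_actions([h]):
        print(row)
```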