The 5-step risk management model offers a continuous, organized decision-making method to guide the risk planning process. This model allows managers to 1) identify risks, 2) assess hazards, 3) develop controls and make decisions, 4) implement controls, and 5) supervise and evaluate changes. The 5-step model forms the basis for deliberate planning, and familiarization further forms a framework for individuals that make risk decisions at the operational phase or tactical level. Step one begins with the identification of hazards associated with a specific activity.
A hazard is any real or potential condition that compromises the health and wellness or death of personnel, or damages or destroys equipment and property. During this step, review current plans and tasks associated with a specific operation and attempt to list all known hazards or factors that may lead to a mishap. Additionally, list any causes linked to each specific hazard and determine possible root causes. After identifying hazards, an assessment of those hazards can be made.
This involves determining the quantitative and/or qualitative factors to estimate the probability and severity of an undesirable state from occurring. Assessments are made by evaluating time, vicinity, scope, or frequency of exposure to a hazard. Severity should be determined with consideration of impact on personnel, equipment, and operational capability, and an estimate of the probability of the hazard occurring should be determined. From there, a comprehensive risk assessment can be determined and a level of risk assigned in relation to severity and probability.
A risk assessment matrix can be used to determine the outcome of a hazard. Levels of risk range from extremely high, high, medium, or low, and are determined based on the probability of occurrence in relation to the severity of the consequence. Severity is broken down into four levels: catastrophic, critical, moderate, and negligible. The probability of the event from occurring is divided into five different levels: frequent, likely, occasional, seldom, and unlikely. The matrix is then used as a visual guide to determine the level of risk and overall impact.
The third step of the model involves the development of controls to mitigate or eliminate risk. This starts with identifying control options beginning with the highest risk hazards that are identified in step two. Every hazard has at least one control that can be implemented to effectively mitigate, remove, or reduce a risk to an acceptable level. After identifying controls, managers should determine the effects associated with each control following step two – hazard assessment – again. Other factors to consider would be cost in personnel, time, and money to determine production-protection value.
Once controls are determined to be a feasible method of hazard mitigation, they need to be prioritized to maximize risk reduction and optimize the use of resources. The operation or activity should be re-analyzed with the proposed controls in place to determine the effectiveness of the risk controls before they are implemented. Risk management is not a trial-and-error process and no process should be modified without assessing the effects of the change first. It is possible that a control can create a new hazard in its attempt to avoid another.
Alternatively, not all hazards may be readily identifiable or predictable until after the process is implemented. For example, volcanic activity may force reroutes to flight plans over hundreds of miles to avoid engine clogging ash. Airlines will want to take the shortest route to save costs on fuel. However, if the new flightpath takes aircraft over hostile territory, this could risk aircraft being attacked from ground forces. Airlines can choose to take the risk of flying over hostile territory or to take on the financial costs of again rerouting flights hundreds of miles further to avoid both volcanic ash and the hostile territory.
Once appropriate risk controls are decided upon, they need to be implemented in step four of the risk management process. Managers need to strategize the best way to develop and carry out implementation of controls. The planning process should be detailed and include the who, what, when, where, and cost for setting the gears in motion. Accountability is a key aspect of this process. From the project leader down to the front line operator, each person is responsible for doing their part exactly as planned to reach the desired goal.
Any miscalculation or deviation can potentially open the door for new hazards or have negative repercussions. Every stakeholder is responsible for ensuring risk controls are implemented correctly. Control implementation needs to be outlined clearly. Everyone involved should understand the vision for the changes being implemented.
The person making the decisions is accountable for the roll-out process. They need to ensure a roadmap is clearly communicated to those performing the changes. The accountable executive must have a presence in this process and be willing to provide the resources needed to fully accomplish the goal. Successful implementation relies on sustained commitment across all levels with a cradle-to-grave mentality. Once implementation of hazard controls is completed, managers need to supervise and evaluate the process throughout its life cycle. All stakeholders must do their part to ensure the process remains consistent over time.
Periodic evaluation is key to ensuring sustainability and effectiveness of the activity. This is done through persistent supervision and evaluation. Supervision entails continuous monitoring of the operation or activity. This increases confidence that hazard controls are effective and remain in place. Supervisors ensure that ineffective risk controls are corrected or are redirected for further risk assessments. As employees come and go, the operation or activity changes, or the mission environment evolves, risks and controls will need to be re-evaluated for currency and effectiveness.
In business and safety one thing is certain: change is continuous. Part of the supervision process is evaluation. The risk management review process must be systematic. An evaluation should be performed once risk controls are in place to evaluate the cost benefit of the program. It is unlikely that initial implementation of a control will be spot-on perfect and minor adjustments and tweaking may be needed.
Frequent evaluation allows for the identification of errors during enrollment and further analysis of the effectiveness of the changes. Audits and surveys provide department leaders the assurance that risk controls are doing what they are designed to do. In order to promote risk management effectiveness in an SMS there needs to be communication flow from top to bottom and bottom to top. A reporting system needs to be in place to allow line operators doing the hands on work to up-channel problems in the process. The reporting system should be widely accessible and easy enough to access for employees to be able to submit reports without frustration.
The more difficult the process, the less likely a report will be made.