Understanding Risk Control

How does the human element affect risk? And how can RCA help to control it?

Human behavior is often the focus of safety investigations. Managers and others are primarily interested in how to get people to do the right thing at the right time. Attention is generally given to risky actions taken by people. The desire is for people to be careful, to always watch out, to remember that everyone has a family at home and that risk recognition and management are personal responsibilities. But a key element is often missing from the equation: identification and control of causes that exist in conjunction with behaviors.

Basics of Risk

Change happens; there is no getting around it. And there is no reliable way to predict what changes will come our way or whether these changes will be positive or negative. We are subject daily to a continuous stream of uncertainty about what the future holds for us. This uncertainty increases the further into the future we look.

Not all outcomes are possible. However, because so many outcomes fall within the realm of possibility, we do our best to calculate probabilities and act according to predictions of what is most likely to occur. But a calculation that yields a high likelihood of a particular outcome does not ensure the event actually will happen. Conversely, a low probability of occurrence does not guarantee an event will not occur, to which anyone recently struck by lightning — or those looking at their March 2009 401(k) statement — can attest.

In engineering, risk is understood to be a subcomponent of uncertainty. This is because many in industry define risk as the possibility that change will lead to an undesirable outcome, whereas uncertainty contains both the positive and negative possibilities the future may hold.

The following equation is frequently used to define risk:

Risk = Probability X Consequence

There are variations on this equation. Sometimes a variable is included that accommodates the presence or absence of a barrier that would mitigate undesirable consequences.

However, not everyone thinks of risk in a purely negative light. In the world of finance, risk is not a subcomponent of uncertainty — it is uncertainty. Financial analysts see risk as the potential that the future price of an asset will be different than expected. Price volatility, measured statistically, provides an indication of risk. In the financial analyst's world, risk includes the potential for both positive and negative outcomes, not just the possibility the price will go down. This is where the notion of a trade-off between risk and return comes from. To earn large returns in a short amount of time, the investor is required to take large risks. Of course, the risk pendulum swings both ways.

Simply put, financial analysts measure total risk as a combination of two components — systematic risk and unsystematic risk. Systematic risk is the risk shared by all firms in a given industry. Think of systematic risk as the risk associated with the business environment. For example, all banks share the same environmental risk component: All are subject to the ups and downs of the financial services industry. Unsystematic risk is the risk associated with any individual firm. Each individual bank has risk factors that differentiate it from its competitors. This individual risk is the unsystematic risk component.

This two-part concept of risk has validity beyond finance. For example, the Bering Sea is an environment in which all vessels are subject to a baseline risk level. This level of risk represents a risk floor that cannot be lowered. Unsystematic risk is associated with any individual vessel that ventures out into the environment. For instance, if the crew has access to and utilizes safety equipment, conducts rescue drills, and the ship is in good repair, it will have a lower level of unsystematic risk when compared with other vessels. Other variables, such as size and age, also gauge the unsystematic risk of any individual vessel. The key distinction is that individuals in any environment have a degree of control over their unsystematic risk (their choices and actions). However, they can do nothing to lower the systematic risk floor of the Bering Sea itself. Both types of risk combine to equal the total risk to which any individual is subject.

Human Behavior: The Main Cause of Risk?

Human behavior is often the focus of an incident investigation. What did someone do (or not do) that contributed to the outcome of the event? Many solution recommendations attempt to control human behavior in one manner or another. Recommendations such as writing better procedures, sending people to additional training, and implementing best work practices abound. These are good starting points, but more can be done. These solutions address only the unsystematic risk components of an event, not the systematic environmental risk. Why not focus on dropping the systematic risk floor to a lower level? Doing so would subject all individuals to a lower level of risk, regardless of individual behaviors.

The primary reason this does not happen more often is that decision makers often lack the information required to identify systematic risks, or the information is presented in such a way that it is not consistent with a strategy to reduce risk yet still provide an acceptable return on investment.

Using Root Cause Analysis to Minimize Risk

A comprehensive root cause analysis (RCA) program can help organizations better understand and mitigate risks of human behavior. In order to reveal systematic risk elements effectively, RCA must go beyond the traditional Five Whys method (which is overly simplistic) or Fishbone method (which is confusing and inconsistently applied). The purpose of this article is not to illustrate the downside to these widely used methods, but to explain elements of more advanced alternatives that, if employed effectively, will provide greater visibility into systematic risks. This, in turn, will present decision makers with a more complete set of options when choosing a course of corrective action.

More advanced RCA methodologies have specific differences but generally include a variation of the following steps. Please keep in mind that each proprietary root cause analysis method uses unique terminology.

Problem Definition
The first step in any thorough analysis is to define the problem. It cannot be assumed that each team member understands the problem in the same way. In fact, the best teams are well diversified. This virtually guarantees initial disagreement on the exact nature of the problem. However, effective RCA methods manage this diversity by choosing a starting point which all members can get behind. Once the problem is determined, additional information — such as time, date, location, and significance — are documented.

It is a good idea to do a risk assessment during the problem definition step. What is the risk this problem could have been worse or will recur? The process of assessing risk can be formal or informal. Regardless, it will be important later in the analysis when deciding which solutions to recommend.

Causal Analysis
Once the problem is defined, the causes of the problem need to be identified. There are multiple proprietary methods for accomplishing this task. The primary difference is whether the methodology utilizes a variation of a modified logic diagram or cause categories. Regardless of method, causes should be supported with evidence. Evidence minimizes the influence of conjecture and provides decision makers with confi- dence in the report's findings.

The methods that account for both action- type causes (such as "operator opened valve") and conditional causes (such as "system under pressure") will most effectively compare to the financial risk model presented above. These types of methods help illuminate risk because the action causes are more uncertain than the conditional causes. Actions are usually momentary and generally involve people. The risk associated with conditions is often lower because these causes are highly predictable and generally stable over time.

Identify/Implement Solutions
Effective solutions are effective only because they control one or more causes of the event. Because both actions and conditions are required in order to create an effect, removing either or both reduces the risk of recurrence. The best solution recommendations mimic the diversification strategy of a wellbalanced portfolio. They control multiple causes, which helps to reduce the risk of recurrence.

How Does the Human Element Affect Risk?
Returning to the earlier discussion on systematic and unsystematic risks, let's now look at behaviors as variables in the causal equation. Recall that actions and conditions come together to create effects. Conditions generally represent the systematic risk in any environment. Actions, particularly when associated by human behavior, represent the unsystematic risk. Total risk is the combination of each.

The work environment can be controlled, and it can be done much more easily than changing a worker's decision-making processes. This does not mean that awareness campaigns, training, and even occasional discipline should not be a part of any solution strategy. But risk can be controlled more effectively by controlling the systematic constants (conditional causes), not the unsystematic variables (action causes).

Editor's Note: The concepts in this article were discussed by safety professionals in a panel discussion at the 2008 NSC Congress and Expo moderated by Brian Hughes, who is vice president of Apollo Associated Services, a Midland, Mich.-based provider of root cause analysis consulting, training, and soft ware. Co-author Jimmy Marullo is director of instructor certifi cation and public services for Apollo Associated Services. As a Licensed Master of Social Work concentrating on clinical studies, he has a keen understanding of human behavior as it applies to problem solving. He works with leaders in industries such as power generation, manufacturing, construction, mining, and health care. Hughes has led significant safety-related incident investigations, including those related to major explosions, chemical releases, consumer product contamination, and supply chain processes, and has helped clients achieve savings in excess of $100 million as well as significant improvements in safety, reliability, and quality. For more information, visit www.apollorca.com or contact Hughes at bhughes@apollorca. com or 206-331-2569.

This article originally appeared in the October 2009 issue of Occupational Health & Safety.

Download Center

HTML - No Current Item Deck
  • Free Safety Management Software Demo

    IndustrySafe Safety Management Software helps organizations to improve safety by providing a comprehensive toolset of software modules to help businesses identify trouble spots; reduce claims, lost days, OSHA fines; and more.

  • Get the Ultimate Guide to OSHA Recordkeeping

    When it comes to OSHA recordkeeping there are always questions regarding the requirements and in and outs. IndustrySafe is here to help. We put together this page with critical information to help answer your key questions about OSHA recordkeeping.

  • Safety Training 101

    When it comes to safety training, no matter the industry, there are always questions regarding requirements and certifications. We put together a guide that’s easy to digest so you can ensure you're complying with OSHA's training standards.

  • Conduct EHS Inspections and Audits

    Record and manage your organization’s inspection data with IndustrySafe’s Inspections module. IndustrySafe’s pre-built forms and checklists may be used as is, or can be customized to better suit the needs of your organization.

  • Track Key Safety Performance Indicators

    IndustrySafe’s Dashboard Module allows organizations to easily track safety KPIs and metrics. Gain increased visibility into your business’ operations and safety data.

  • Industry Safe
comments powered by Disqus