English
BACK TO KNOWLEDGE
This website uses cookies so that we can provide you with the best user experience possible. Cookie information is stored in your browser and performs functions such as recognising you when you return to our website and helping our team to understand which sections of the website you find most interesting and useful.
UNDERSTANDING EFFECTIVE RISK ASSESSMENT
Published: 14 August 2024
“A man exercising no forethought will soon experience present sorrow.” – Confucius
The ever-increasing scale and complexity of marine transportation requires a proactive approach to risk management. Professional skills, experience and regulation have great advantages but cannot foresee all possible risks in advance. A review of incidents often finds that opportunities were missed to identify and mitigate the risks.
As with any process, risk assessments may be ineffective and unlikely to contribute to safety if they are missing the point, are not understood, or seen merely as a ‘tick box exercise’. Risk assessments should ideally occur on many levels, both as a formal, documented process and as a dynamic, ‘on the job’ activity.
DEFINITIONS
For the purpose of the paper the following simplified definitions on how we understand the terms are applied:
- Hazard is an event or a situation which has the potential to cause harm, such as injury, damage or pollution
- Risk is a combination of the likelihood and the severity (consequence) of a hazard
- Risk assessment is the process of risk identification, analysis and evaluation1
- Risk management is the coordinated activity to assess, control and monitor risk
REASONS WHY RISKS NEED TO BE ASSESSED AND MANAGED
The general purpose of risk management is to identify the hazards before they occur and have a plan for addressing them. While some risks can be avoided altogether, others can only be minimised to a tolerable level. The reasons for managing risk may be summarised in the following groups:
BUSINESS
A company will be unavoidably exposed to various risks during business activities. If incidents do occur, they may lead to claims, losses, reputational damage and loss of competitive advantage. Efficient risk management will contribute to the overall success of the business.
ETHICAL
A company has a legal and moral duty to take reasonable care of the health and safety of their employees. These objectives extend to contractors, third parties, property and the environment. In turn, employees have a duty of care towards themselves, each other and the employer. This is also a prerequisite to achieving Environmental, Social, and Corporate Governance (ESG) objectives
REGULATORY
A ship is subject to the regulatory requirements of the International Maritime Organization (IMO), flag state, and those imposed by the Port/Coastal State in which they trade. Legal requirements agreed in commercial contracts (such as a charterparty) and employment contracts may also apply. Where the requirements regarding risk management may be explicit or implied.
INSURANCE
There are both explicit and inferred risk management requirements arising from insurance:
- Obligation to comply with class and statutory requirements
- Cover limitations applicable to imprudent, unsafe or unduly hazardous trading
- Obligation to mitigate loss, damage, expense or liability following an incident.
RISK MANAGEMENT AND THE ISM CODE
The ISM Code has specific requirements regarding risk management and the objectives of the company (section 1.2.2):
- Provide safe practices in ship operation and a safe working environment;
- assess all identified risks to its ships, personnel and the environment and establish appropriate safeguards; and
- continuously improve safety management skills of personnel ashore and aboard ships, including preparing for emergencies related both to safety and environmental protection.
Above requires companies to carry out a systematic review of their operations and activities, assess the risk for all identified hazards and develop adequate controls – such as the procedures and instructions included in the Safety Management System (SMS).
The ISM Code does not stipulate a particular risk assessment methodology to be used. This provides companies with the flexibility to utilise the approach most suitable for their operational profile. However, company policy as well as procedures for methods selected for risk assessment should be structured and documented. Authority, responsibility and training requirements of the individuals involved with the risk assessment process should be defined in the SMS.
RISK ASSESSMENT METHODS AND TECHNIQUES
The risk assessment may be based on the following foundations2:
- Historical experience
- Analytical methods
- Knowledge and judgment
Depending on the nature and complexity of their operations, companies may adopt a number of different methods ranging from detailed quantitative assessments to less formal qualitative assessments.
QUALITATIVE risk assessments evaluate risks based on subjective judgments and descriptions, often using categories like high, medium, or low. They often rely on expertise and experience to assess the likelihood and impact of risks.
QUANTITATIVE risk assessments, on the other hand, use numerical data and statistical methods to measure risks. They may involve calculating probabilities and potential impacts in numerical terms to provide a more precise evaluation of risks.
Selecting the method appropriate to the situation is essential for successful risk assessment. In principle, a simple qualitative method should be applied first to determine if the risk can be assessed without having to resort to more complex quantitative techniques.
For simple, straightforward activities an assessment made on site by a supervisor with appropriate level of authority may be sufficient. Objective evidence of such risk assessment should still be maintained3.
RISK ASSESSMENT PROCESS
The required formal approach to risk assessment, does not need to be overly complex. In essence, this process should fulfil the following objectives:
- Identify activities, operations, tasks and processes that require a risk assessment
- Comprehensively identify the hazards
- Assess the risks associated with those hazards
- Identify and apply controls to reduce the risks that are considered as intolerable
- Monitor the effectiveness of the controls
The formal risk assessment process may be summarised by the flowchart below2:
HAZARD IDENTIFICATION
The risk assessment can only be carried out once the hazards and their potential consequences have been identified and described.
Hazards differ depending on the ship type, cargo, navigational situation, operational scenario etc. A meaningful assessment of risk requires a thorough understanding of the hazards present. It should be accurate and may be performed explicitly using structured methods and techniques. However, in cases where the hazards are considered well known, hazard identification may be an implicit step that is not systematically performed2. Whilst it may be appropriate in some cases, implicit hazard identification may result in gaps and false assumptions.
It should be also noted that good seamanship, experience and compliance with rules and regulations may not be sufficient to identify all the hazards and manage risk effectively.
In order to identify all potential hazards, it is recommended that a broad team of personnel (both on board and within the shore management team) are involved in the risk assessment process, to ensure that all aspects are considered and that all reasonable potential hazards are identified for further consideration.
RISK ANALYSIS
Risk analysis should determine the frequency (likelihood) and the potential consequence (severity) associated with each of the identified hazards. The likelihood and severity are then combined to establish the level of risk. It should be noted that a hazardous event may have multiple consequences, therefore risk analysis should review all of them.
The risk analysis process should also include the evaluation of the existing risk barriers and mitigation measures.
RISK EVALUATION
The results of risk analysis are then evaluated by comparing them with the risk acceptance criteria. This is to decide whether the existing risk needs treatment and the risk abatement priorities.
RISK TREATMENT / MITIGATION
The next step of the risk management process is to specify and implement risk controls in order to mitigate the risk to an acceptable level. The hierarchy of barrier controls4, is an example of a structured approach to risk mitigation:
Where risk controls have been identified, these should be assigned ownership to a suitable person to action prior to the activity taking place. When risk assessments have identified that new mitigation measures may take time to engineer and/or implement, a time limit for completion, alongside ownership of the task, may be prudent.
RISK APPETITE AND RISK TOLERANCE IN HEALTH AND SAFETY
To understand the principle of applying risk management in health and safety, one needs a clear understanding of the two basic concepts: risk appetite and risk tolerance.
Risk appetite may be defined as the amount and type of risk that an organisation is willing to take to meet its business objectives5. It is more applicable to situations where there is an upside risk, such as a reward or benefit from risk-taking.
Companies will have different risk appetites, depending on their business model, culture, industry sector etc. Risk appetite needs to be clearly communicated within the company in order for risk to be managed effectively.
Risk tolerance is defined as the amount of risk that an organisation is willing to seek or accept in the pursuit of its objectives5. Risk tolerance is considered a more appropriate term for downside risks, associated with health and safety.
Risk areas such as occupational health and safety should not be considered as a part of an organisation’s risk appetite, rather its risk tolerance6. In health and safety, risk tolerance is limited by regulatory or legal requirements to protect the health and safety of employees or third parties and reduce risks to ALARP (see below). An organisation’s risk acceptance criteria may define tolerable risk levels, or may require that the risk is ALARP.
“AS LOW AS REASONABLY PRACTICABLE” (ALARP)
In short, ALARP describes the level to which risks should be reduced, through evaluating the risk against the sacrifice needed.
The following diagram illustrates the concept of ALARP:
ALARP level is not prescriptive and requires the organisation or individual to exercise judgment. It is reached when the resources (time, effort and cost) required for further risk reduction become disproportionate to the additional risk reduction obtained.
ALARP demonstration is a legal requirement in many safety regimes around the world. In the “broadly acceptable” region, ALARP may be demonstrated by compliance with good practice. For higher risk, a case specific ALARP demonstration is required, such as implementation of control measures based on a structured risk assessment.
It is important to note that ALARP does not represent zero risk. In consequence, even once risks are reduced to ALARP level, incidents may still occur.
LEVELS OF RISK ASSESSMENT
Risk assessment should be seen as a continuous process and may occur on many levels. The Code of Safe Working Practices for Merchant Seafarers (COSWP)7 encourages a four-level process:
- Level 1: Generic risk assessments carried out at a high level in the company. The results are used to ensure that the SMS contains appropriate control measures and safeguards in the form of policies, procedures and work instructions.
- Level 2: Task-based risk assessments (TBRA) carried out on board the ship, building on generic risk assessments carried out by the company. Generic risk assessments may not reflect all ship and task-specific factors applicable at the time. Two types of TBRA may be used:
- A range of vessel-specific generic TBRAs for all routine and low-risk tasks, periodically reviewed
- TBRAs for specific, non-routine and high risk tasks, valid only for the duration of the task and for specific personnel.
In both cases, the TBRA should be carried out by a competent person. It is also recommended that the personnel involved in the task participate in the TBRA process.
- Level 3: Toolbox talk – to talk through the job/task at hand with the involved personnel and discuss the findings of the TBRA. A toolbox talk should be conducted prior to any work involving more than one person and resulting in a significant risk to people or assets. Full and active involvement of all participants should be encouraged, and any questions or concerns discussed and taken into consideration.
- Level 4: Personal assessment of risk (also called a dynamic risk assessment) – informal assessment performed by individuals for all tasks they are involved in, by taking a short time to consider what could go wrong and how, then see what steps they can personally take to avoid an incident. As the task is proceeding, it also helps to maintain awareness and react to any change in the circumstances that might increase the risk or present new hazards. In case of a significant change the task/work may have to be stopped and the risks re-assessed, including the revision of the TBRA. The use of personal risk assessment should be developed and encouraged.
As the COSWP points out, every task carried out on board the ship should be subject to risk assessment; this does not mean a new risk assessment written every time a simple task is carried out, but “the existing risk assessment must be referred to as part of a Toolbox Talk before the task can commence to ensure that the hazards and controls are fully understood, still relevant and appropriate”7.
Other techniques may be included in the SMS to ensure that ineffective risk controls or gaps in hazard identification are captured and addressed. As an example, the Stop Work Authority (SWA) technique provides all personnel with the authority and obligation to stop work in case of a perceived unsafe condition or behaviour. This adds a safety barrier and an opportunity to re-assess the risk and review risk controls.
EFFECTIVENESS OF RISK ASSESSMENT
The effectiveness of a risk assessment may be measured by achieving the following objectives:
- All hazards relevant to the activity are identified
- Risk controls are adequate and reduce the risk to an acceptable level
- The risk assessment and its outcome is considered as meaningful
- The participants feel their voice is heard and that they actively contribute to safety
- The assessment identifies the priority of risk controls
- Sufficient time and resources are allocated to implementing the risk controls
- The outcome is shared with all participants of the activity
- The perception of risk is shared and understood by all stakeholders, including shore management
- The participants recognise the value of risk assessment to their personal safety
- The participants understand the operational boundaries of the assessment
- The participants are able to recognise a hazard that had not been identified, or that a risk control failed
INEFFECTIVE RISK ASSESSMENTS
According to the research into risk assessment practices conducted on board ships, the reasons for the failure of this process may be categorised as follows8:
- Lack of adequate training and competency in non-technical skills
- Failure of a procedural approach to risk management
- Risk perceptions, attitudes, and cultural/organisational factors
- Process verification: lack of ownership and identification of safety objectives
LACK OF ADEQUATE TRAINING AND COMPETENCY IN NON-TECHNICAL SKILLS
For risk assessment to be effective, the stakeholders should have a robust understanding of the concepts and techniques referred to in the ship’s SMS, such as ‘acceptable risk’, ALARP, etc. Furthermore, effective implementation of risk management processes cannot be achieved without the active involvement of competent persons. Both technical and non-technical skills are required for an effective risk assessment.
Non-technical skills are defined as the cognitive, social and personal resource skills that complement technical skills, and contribute to safe and efficient task performance. Risk assessment, as a part of the decision-making process, requires skills which belong to the cognitive skills group.
Maritime training has traditionally focused on technical skills. However, the Manila Amendments to the International Convention on Standards of Training, Certification and Watchkeeping (STCW) introduced mandatory requirements for formal training in selected non-technical skills (leadership, teamwork, decision-making, etc) along with the previously recognised technical skills.
The ability to identify hazards is key to effective risk assessment; if hazards are not identified or understood, it will not be possible to control risks arising from these hazards. Measures taken to eliminate a hazard should be proportionate to the risk, i.e. the likelihood of occurrence and severity of consequence. The ‘law of diminishing returns’ should be considered when determining preventative measures. Too many control measures may have minimal additional impact on preventing a potential hazard occurring, and therefore it becomes uneconomic and also too onerous on seafarers’ time, with little gain from a safety management perspective. The SMS should therefore provide guidance and/or policies that will allow seafarers to apply criteria which will define the ‘ALARP region’ of tolerable and unacceptable risks and the seafarers will require training in such analysis.
The training should allow seafarers to effectively perform the following risk management tasks9:
- Objectively identify hazards
- Assess the risks (consequences and likelihood of each risk)
- Implement measures to control the risks (eliminate risks or bring risks to an acceptable level)
- Evaluate and review the effectiveness of implemented measures
- Complete the required documentation
In cases where training is insufficient and where skill gaps are identified, the SMS should be able to identify the additional training needs so that changes to the training can be provided.
RISK PERCEPTIONS, ATTITUDES, AND CULTURAL/ORGANISATIONAL FACTORS
Risk perception is the subjective judgment that people make about characteristics and the severity of a risk. For risk management to be effective, risk perceptions in the organisation should be aligned. Risk perception should be shared not only within the immediate work team, but also between the ship and shore management, as well as other stakeholders if applicable. Otherwise, ‘perception gaps’ may prevent risks from being assessed and communicated effectively.
Risk perceptions differ between individuals because they are affected by several subjective factors10:
Many of these factors depend on the individual’s personal values and cultural background. Due to the global nature of the shipping industry, each seafarer’s risk perception may be subject to a significant variation. This variation is not necessarily a negative factor, but it should be taken into account and managed.
Organisational or ship-specific factors may also play a role in risk perception. As we often highlight in Britannia publications, safety culture (described as ‘the way we do things around here’) permeates the organisation and influences individuals through shared values. These shared values involve the understanding of risk. Therefore, good safety culture combined with effective safety leadership should help reduce and manage risk perception gaps.
Also, it is not uncommon for safety policies to state goals as ‘zero harm’ or that require ‘100% safety’, which without appropriate training may result in a flawed understanding of the risk assessment process, in particular the concept of acceptable risk and ALARP.
Finally, utilising risk assessments effectively requires the risk to be communicated and understood by all stakeholders. Communicating risk is subject to similar gaps and barriers as risk perception, this may result from conflicting assumptions about safety, organisational factors, apparent contradictions between safety and operational objectives, cultural issues such as fear of reprisal, etc. Good safety culture across the organisation will help to manage or eliminate these gaps.
To reduce gaps resulting from subjective risk perception or organisational factors, it is advisable to:
- Cultivate a safety culture in which everyone has the responsibility for safety
- Promote good safety leadership
- Encourage all seafarers to participate in safety initiatives and speak up in safety meetings, if they originate from a high-power distance culture (i.e. a culture whose members are deferential to figures of authority and are reluctant to speak up)
- Provide opportunities to discuss safety in less formal circumstances
- Be aware of the influence the officers-crew divide may have on the attitudes of the crew towards the matter of safety
- Enable close risk communication between shipboard and shore management, based on trust and constructive dialogue.
PROCESS VERIFICATION: LACK OF OWNERSHIP AND IDENTIFICATION OF SAFETY OBJECTIVES
Process verification consists of management reviews and audits, generating appropriate feedback. It is the key element of the “Plan, Do, Check, Act” cycle (PDCA) which underlies any SMS. For this cycle to be effective, the verification process must be objective and should not be carried out by the seafarers themselves, as they are the practitioners of the risk management process8.
An ineffective verification process may result in breaking the fundamental PDCA cycle and therefore potential gaps and failures may not be identified or will not generate appropriate feedback. There are a number of reasons why this may occur, including:
- Discrepancy between the objectives of the audit process and the reality. In particular, the quality of practical execution tends to receive significantly less attention than generating the audit-oriented documentation
- Gaps in auditor skills and lack of uniformity in the interpretation of ISM Code requirements, for example, with regard to the level of risk where the assessment needs to be formalised and documented
- Inadequate audit tools and techniques
- Treating the audit process as a ritual rather than a tool to improve workplace safety
Where the actors of a risk management process do not identify with the safety objectives, it may result in a lack of ownership. This may occur where the process is seen as an unnecessary administrative burden and where the involved individuals do not recognise the value of risk assessment to their personal safety.
To maintain the effectiveness of process verification, it is recommended to ensure that:
- The practical execution of the risk assessment process receives adequate attention during management reviews and audits
- The review / audit process is sufficiently independent and objective
- Engagement and ownership of the risk management agenda is supported by a robust safety culture, as well as by highlighting the value created by this process through training and crew communications
- Where relevant, auditors are provided with access to innovative process verification techniques and adequate training.
SUMMARY
Whilst effective risk assessment is essential to achieving safety goals and preventing incidents, it requires particular skills, competencies, organisational approach and responsible commitment from all participants. In practice, each of these areas is subject to several challenges, which may require a considered approach and significant effort to overcome.
It is, however, worthwhile considering that in the long term it helps achieve safety and quality excellence, as well as creating a safety
culture where all stakeholders are aware of the benefits to both their safety and business objectives.
THIS WHITE PAPER IS NOT INTENDED TO REPLACE THE COMPANY’S SAFETY MANAGEMENT PROCEDURES, POLICIES OR ANY APPLICABLE STATUTORY REGULATIONS.
REFERENCES
1. ISO 31000:2018 Risk management – Guidelines, ISO.
2. ABS, Guidance Notes on Risk Assessment Applications for the Marine and Offshore Industries, 2020.
3. ABS, Guidance on the Revised ISM Code Clause 1.2.2.2, 2010.
4. NIOSH, “About Hierarchy of Controls,” 2024. [Online]. Available: https://www.cdc.gov/niosh/hierarchy-of-controls/about/?CDC_AAref_Val=https://www.cdc.gov/niosh/topics/hierarchy/default.html.
5. The Institute of Risk Management (IRM), “Risk Appetite & Tolerance – Executive Summary,” September 2011. [Online]. Available: https://www.theirm.org/what-we-say/thought-leadership/risk-appetite-and-tolerance/.
6. Croner-i, “Risk appetite and risk tolerance in health and safety,” [Online]. Available: https://app.croneri.co.uk/feature-articles/risk-appetite-andrisk-tolerance-health-and-safety.
7. Code of Safe Working Practices for Merchant Seafarers, MCA, 2024.
8. S. Ghosh and W. Daszuta, “Failure of risk assessment on ships: factors affecting seafarer practices,” Australian Journal of Maritime & Ocean Affairs, vol. 11, no. 3, pp. 185-198, 2019.
9. M. Mousavi, I. Ghazi and B. Omaraee, “Risk Assessment in the Maritime Industry,” Engineering, Technology & Applied Science Research, 2017.
10. Wikipedia, “Risk perception,” [Online]. Available: https://en.wikipedia.org/wiki/Risk_perception.