Change management is an important adjunct to risk management as it can limit risk exposure.

Risk management (contingency planning) involves understanding and planning for any number of possible negative scenarios. Identifying potential risks early and then developing appropriate strategies can prevent or mitigate negative impacts.

The source of risk can be external or internal:

  • external – anything outside your organisation’s influence, e.g., geo-political, industry, technological or socio-economic challenges, etc.
  • internal – anything inside your organisation like staff, work conditions, skill levels, business model, products and services, etc.

Two approaches to change management can help evaluate and handle risk:

  1. Tangible or analytical competencies – include techniques like Porter’s 5 forces, value chain, PESTLEC, SWOT, life-cycle, scenario planning, benchmarking, VUCA, and more.
  2. Intangible or people competencies – include the understanding of soft skills like behaviours, motivation & persuasion, emotional intelligence, neuroscience (how the brain works), evolutionary psychology, human instincts, resistance, cultural issues, communications, creativity, mindsets, biases, beliefs, values, co-designing, humans as social creatures, leadership, collaboration, alignment, etc.

Of these 2 approaches, the intangible is often neglected yet it is very important: research has indicated the people elements of change management contribute around 70% to the chance of success. However, only 3% of investment is typically put into the people side of change management, with the rest going into tangible areas (Prosci, 2022).

In business, awareness of the interplay of change and risk management is a vital advantage.

“…risk mitigation means getting on with it and not missing opportunities. In today’s world, not adapting fast enough is the greatest risk…” (John Kotter et al, 2021)


Article 3 in our risk mini-series (see links below for the first two) is all about what good risk registers need. First and foremost, a risk register needs to be ‘owned’ as part of the organisational culture of a business.


Ownership should be at all levels of an organisation from board and executive management team to every person in the business. It is a vital tool in guiding an organisation to improve health and safety outcomes, increase productivity and performance, and improve team cohesion.

A further aspect of a risk register that delivers productive outcomes is involving a cross-section of the workforce to collaborate and identify the hazards, risks and controls required to be adopted. The collaboration and subsequent exchanges improve the interoperability of any organisation.


To be relevant, however, a risk register must also be up to date. Stating the obvious perhaps but risk registers need to be regularly reviewed to ensure they’re up to date, in particular:

  • After any significant change within a workplace or process
  • After an accident or incident has occurred
  • After any near-misses have been reported
  • If any controls are changed, updated or added (altering the risk)
  • If there are learnings from similar businesses that make good sense to adopt

To this end, having a register maintained online, rather than on paper in a file, makes keeping it up to date much easier. An online register is more easily accessible (think mobile or tablet device) and can be audited and updated much more easily too. This latter point is important for those high-risk hazards that may require regular reviewing or updating – for legal, compliance, HSSE or operational reasons.

Managing a risk register is an iterative process – a constant in any high performing and agile business. The elements listed above would be the basic minimum a risk register needs to help an organisation be compliant and build its resilience to withstand the shocks and stresses that emerge.

What, Who & When:

A risk register needs to not only include:

  • What hazards were found
  • Who could be impacted (person(s) or groups)
  • And what controls are in place to manage risk

But also:

  • Who is monitoring them
  • Who carried out the assessment or review and
  • On what date the assessment or review was done

Communications & Records:

A good risk register needs to be communicable and available as a matter of record to show that an organisation has done and continues to do everything possible to ensure health and safety in the workplace. It is a mechanism for use in a range of forums including staff briefings, newsletters, health and safety forums, and business strategy development, and informs capital expenditure programs.

Risk registers do not need to be “War & Peace” in length. They need to list hazards and describe them. They should list the potential impact (high, medium, low) to a business (eg cost) and, critically from a risk perspective, the probability of occurrence. With this data, you can then rank risks relative to each other and consider and list any appropriate measures or controls. It is also important to record who’s responsible for managing any identified risk and related controls.

The advantage of ensuring this data is accurately recorded in a register is that you can then identify hazards and risks that require more frequent monitoring – in particular those that are considered highly likely to occur and highly likely to have a severe impact (high impact, high probability risks). These are risk register items you should have in an audit so you can be sure they are regularly reviewed and controls are updated whenever possible to reduce risk.

Addressing risk in a systematic manner is a prudent activity for all organisations to undertake in developing a productive, safe, and sustainable operation.


Article 1 in this series: What is a Risk Assessment?

Article 2 in this series: How to do a Risk Assessment


Nuffield Group provides consultancy and support services including risk assessment and compliance. Find out more here.

Last week I wrote a short piece on ‘what a risk assessment is’. This week’s follow-up is all about how to do a risk assessment for yourself because, as we all know, every organisation/business should have a risk register, especially in these turbulent and unprecedented times.

There are many guides to ‘How to do a risk assessment’ but the basic steps are as follows:

  1. Identify potential risks/hazards
  2. Identify who or what may be impacted by them
  3. Evaluate the likelihood and severity of each risk/hazard identified (in point 1)
  4. Implement controls to reduce or eliminate risk/hazard
  5. Review & re-assess your risk assessment register

The risk assessment process should consider internal and external hazards and risks. Many risks for an organisation have an external focus. It is common for a business to be impacted by third-party suppliers, for example.

It is important to document your assessment in a register for reference and communication as well as for reviewing and updating – it’s not a set and forget exercise! The register should include who is accountable for the management of any particular risk and regular reports should be provided on the state of the risk; ie whether it is reducing or increasing.

Identifying risks/hazards

Sometimes easier said than done, but the key to identifying risks and hazards is consultation. Talk to staff and service providers, take a walk around your premises, review previous accident or ill-health records and any manufacturers’ recommendations for goods-handling or storage or machinery operations. And use third-party data, such as insurance contracts, to provide information and ensure your processes are rigorous and comprehensive.

Identifying who might be impacted

Different groups can be impacted differently by the same hazard or risk. For example, pregnant women would be more at risk from exposure to, say, radiation than other groups; employees on site might be more at risk than contractors visiting. So, identifying categories of ‘at risk groups’ becomes critical to evaluating the severity of a risk and the controls you choose to mitigate or eliminate risk.

Evaluating the likelihood and severity of each risk/hazard

In a nutshell, any assessment will basically evaluate how likely it is for a risk/hazard to occur and how severe the consequences would be should it occur. By doing this you can consider what controls are available to eliminate or reduce risk ‘as far as practically possible’. And you can identify any costs associated with the control measures you choose to eliminate, reduce or control the risk.

Implementing controls

Not all controls are equal! That is, what’s good for the goose isn’t always what’s good for the gander. Whilst some businesses or organisations will often have the same risks/hazards, the choice of suitable control measures may vary depending on the likelihood and severity of potential impact. The consequences of a fire on an offshore major hazard facility are likely to be more serious, and require more costly control measures, than, say, a fire in a single-storey storage unit housing non-hazardous goods for distribution. This proportionality between risks and controls is evident in many regulated sectors and exemplifies the principle that not all controls are equal.

Reviewing & assessing your risk assessment

Having a written record of your risk assessment is critical; in most cases it’s also a legal requirement, not just an excellent business practice. We refer to this document as the ‘Risk Register’. Having a risk register not only provides a record of your assessment considerations and control measures but it provides the basis for auditing your business/organisation enabling you to be proactive in identifying new risks and new controls. It is a fundamental and significant business resilience tool for any organisation.

Before 2020 how many businesses/organisations would have had ‘working from home’ procedures identifying and evaluating risk and appropriate control measures? How much would mental health factors have been a consideration before the global Covid pandemic? And would the evaluation of mental health factors be the same now as it was in 2020?


Picture this if you can: Two kayaks tied side-by-side to the roof of my car as I set out for the small town of Tarwin Lower in Gippsland to drop them into the river for a bit of R&R on the water. Life vests in the boot? Check. Paddles aboard? Check. Tides checked and favourable. So, risk assessment complete and all OK for the day, right? Well, not quite.

It certainly seemed like I’d covered all my bases, but I’d taken a calculated risk that my years of cub scouting meant the knots used to tie the kayaks to the roof racks were suitable and secure. And to be fair, they were. But I had not factored in the forces of nature and wind speed at 80kph on a twisty, open road. My risk assessment checklist was inadequate.

Of course, we do things every day that entail risk assessment and largely, our personal experience, knowledge & judgement prevent anything untoward occurring. In the above example I mitigated the risk by having a passenger watch the kayaks carefully through the sunroof! As soon as we saw movement we didn’t like we were able to abort the trip and return home to find better bindings.

In business, risk assessment needs to be a little more measured and proactive!

Businesses have the responsibility to ensure their staff understand any risk associated with their work and their working environment and what controls need to be adopted to remove or reduce risk – particularly risk of an accident at work. The consequences of not doing so are far more costly than turning a car loaded with kayaks around and starting again! The bottom line is:

“A risk assessment will protect your workers and your business, as well as complying with law”

Every organisation should have a risk assessment done by a suitably qualified person capable of identifying hazards, evaluating and categorising risk. This allows an organisation to then implement reasonable control measures to remove or reduce risk.

An assessment needs to address the following elements:

  1. Accident: ‘an unplanned event that results in loss’
  2. Hazard: ‘something that has the potential to cause harm’
  3. Risk: ‘the likelihood and the severity of a negative occurrence (injury, ill-health, damage, loss) resulting from a hazard’

Naturally, there are many diverse types of risk assessment (fire risk, handling dangerous goods, working from heights etc) so any risk assessment you carry out needs to be “proportionate and relevant to the operational activities” of your business or organisation. That said, many industries will have specific legislative requirements that businesses must incorporate into their risk assessments.

So, the bottom line is a risk assessment is a simple, structured method of identifying, eliminating, reducing and/or controlling risk to benefit the health, safety, and wellbeing of your employees. Every business needs one.


This year Nuffield Group’s Health & Safety committee has been running a series on ‘Prevention is better than cure’. It’s been an informative and educational contribution to the business and it got me thinking not just about the idiom but the fact that, as we see time and time again in our business, prevention is actually also cheaper than cure.

Let’s view this in the context of the current Covid global pandemic and hopefully this is not a controversial view: Numerous outbreaks of Covid throughout the community in most every State of Australia have come from breakdowns in hotel quarantine. The consequent lockdowns have cost our economy billions of dollars. The cost of purpose-built quarantine facilities, like Howard Springs in the Northern Territory (where no outbreaks have spread into the local community to date), is in the 100s of millions. Ipso facto – it would have been cheaper to have purpose-built facilities than to have to deal with the consequences.

‘Prevention is better than cure’ is a concept dating as far back as the 13th century with the Latin saying ‘It is better and more useful to meet a problem in time than to seek a remedy after the damage is done’. In the 1500s Dutch philosopher Desiderius Erasmus coined the somewhat more pithy ‘Prevention is better than cure.’

In many aspects of our business we work closely with customers to do just this, whether we’re developing a safety case or a risk assessment; providing training or support for emergency and crisis management; reviewing or updating regulatory & governance compliance; or looking at processes and providing solutions tailored to specific industries and sectors. What we do is help with prevention so the cost is cheaper than having to deal with the cure.

What’s more, we’re not just talking dollar cost here. There is a human dimension and cost to not taking the prevention route. There’s also a positive people component when prevention includes training and upskilling. That’s why we focus on building resilient businesses, helping organisations focus on preventative controls to de-risk their operations and improve health, safety and environment for their workers.

I know it’s stating the obvious but, to my point above, we still don’t have purpose-built quarantine facilities do we? It all starts by assessing your risk, identifying what preventative and mitigation controls you want, and then ensuring any training, processes or structural / framework changes are adopted and adapted to ensure you maximise your preparedness to prevent rather than cure.


Nuffield Group has invested in developing its capability in Emergency and Crisis Management to support customers and organisations build safety and resilience into their business. Nuffield Group provides consultancy and support services as part of their Integrated Emergency Management & Recovery Team. Find out more here:

Free Webinar on Emergency Preparedness

Nuffield Group is holding a FREE webinar on the topic of Emergency Management preparedness on Thursday 28th October at 11am lasting approximately one hour.

It’s brought to you by our Integrated Emergency Management and Recovery team (IEMR) and we’d love you to join us.
We’ll have a keynote presentation from Craig Lapsley on the topic of ‘Preparedness’ and an opportunity for attendees to ask questions and participate in a short online survey to assess their own readiness for an unplanned event. The survey tool link will be provided to attendees post the webinar and consists of just 17 questions that will take 5 minutes to answer – a quick and easy way to see how prepared you and your organisation are.

Registration for the webinar is FREE and will take you 1 minute. You can do it here.

You will get email reminders of the webinar date and time and a link to join us. We look forward to your company and a great presentation from Craig, who’ll be speaking to us from the USA where he is currently deployed leading and advising authorities fighting some of the biggest and worst wildfires the country has ever seen.

Is the fire season going to be bad this year?

One of the questions I was asked every year of my career in the fire service was “Is the fire season going to be bad this year?”

My response was always the same. “Every year will be a bad year somewhere, just make sure if you’re at that somewhere, you’re prepared”. Now is the time to act!

There are a number of indicators that are very useful to gauge the likely extent of our annual fire season. Some of these indicators are technical and require a level of expertise to interpret such as the Southern Oscillation Index which measures the difference in surface air pressure between Tahiti and Darwin and the Keetch-Byram Drought Index (KBDI) which is a numerical value reflecting the dryness of the top layer of soils, deep forest litter, logs and living vegetation. Other indicators are more intuitive such as the amount of Winter and Spring rainfall, the number of warm and windy days leading into Summer and the level of fire activity experienced across Europe and the United States of America which have experienced a large number of mega-fires this year.

The Bureau of Meteorology provides an annual Bushfire Seasonal Outlook for all parts of Australia. The current Bushfire Seasonal Outlook states: “The Spring 2021 Outlook presents above normal fire potential for conditions over south-east Queensland and northern New South Wales, driven by grass and crop growth in these areas. In Western Australia, the above normal fire potential in the north is driven by grass growth and dry soil in the area. Below normal fire potential is predicted across the ACT, New South Wales and Victoria as a result of vegetation recovering from the 2019–20 bushfire season.

While most of Australia shows normal bushfire potential during the spring outlook period, destructive and deadly fires can still occur during normal bushfire seasons across Australia. Fire potential can vary greatly, even at the smaller scale, between bordering states and territories. Each state and territory’s assessment considers different land-use types and vegetation types. This, in turn, is influenced by different forecasts for temperature and rainfall over these regions.”

Whilst the outlook is a very useful resource and indicates we are likely to experience a number of fast-running grass fires, it does not replace the need to prepare your property or business for a possible bushfire or grassfire event.

So, how do you prepare?

Preparation can be divided into two categories: Property and People.

On your business property 

  • Manage long grass to less than 100mm in height.
  • Maintain shrubs, garden and trees by removing all the dry or dead foliage.
  • Keep access into and around the property clear.
  • Ensure clear access to any water points.
  • Practice good housekeeping when storing materials and products outside particularly on your property perimeter.
  • If you have fixed fire protection features like hose reels or equipped hydrants, familiarise yourself with their operation. All fires start small and you might be able to knock down a fire whilst it is small.

For your people

  • Stay informed by monitoring the Vic Emergency website and the Vic Emergency App.
  • Regularly brief employees about the current fire danger, particularly on days of high fire danger
  • Maintain regular communications about fire risk with employees that work offsite
  • Practise your response to a grass or bushfire as predetermined in your business’s Emergency Management Plan.
  • Plan for the welfare of your employees and families. Do you need all employees on site on high fire danger days?
  • Consider your evacuation plan and remember the safest option is to leave early.

Further actions for your consideration

  • Liaise with your neighbours to understand their level of preparedness and work together where possible
  • Discuss your level of preparedness and the needs of the fire brigade with your local fire brigade members
  • Review your business continuity plan 


One of my favourite sayings is “learn from the away game”. We all understand that we can and should learn from our own mistakes but how often do we think about learning from the mistakes of others?

Earlier this week, one of the pre-eminent social media platforms went offline and left millions of people unable to communicate with one another. Users of Facebook, Instagram, WhatsApp and Messenger were denied access and it took more than five hours before services would begin to be restored.

On the face of it, we as users simply faced a delay in accessing these services and like many, I expected that eventually the systems would come back online and I would be able to catch up on my daily intake of information. However, this outage had a much deeper impact on some businesses including the Facebook business itself.

People rely on Facebook not only to connect with friends and family, but businesses use it to log into other services including online sales websites. In some countries, it is the dominant means of communication through services like WhatsApp. That an outage can have such a profound impact on billions of people for several hours will give some pause for thought.

Facebook’s own internal services were affected by the outage with reports staff were locked out of offices due to the security pass system being caught up in the outage, and could not access their own internal communications platform leading to delay in rectifying the problem and slow return to full capacity.

The total cost of this outage is unknown; however, the Facebook share price dropped 4.9% and the founder and CEO’s personal wealth dropped $6.5bn according to Bloomberg.

So, what is the lesson to be learnt here?

The lesson here is understanding where your single points of failure are, and knowing and managing the consequences.

Failure to identify these can lead to dramatic and drastic consequences that have financial, legal and reputational implications. I can attest to this from a personal experience whilst working for an organisation that developed an App designed to notify the community of emergency events as they occurred. The App failed when it was most needed due to a single point overload.

The single point failure was not identified in the risk assessment and, consequently, the emergency management plan identified no actions to address it. The recovery from this situation was expensive, with significant reputational damage.

Recovering from any setback is a challenge for all of us. Identifying possible systemic failures in your business systems and infrastructure then planning how you would go about addressing these will make a big difference to your business.

Nuffield Group has invested in developing its capability in Emergency and Crisis Management to support customers and organisations build safety and resilience in their business.

Nuffield Group provides consultancy and advisory services and also has an online platform, GNTX, for the exchange of non-competitive information and tools allowing businesses to share, download and modify frameworks and documents for their own use.

Find out more about GNTX here:

It’s hard to fathom going to a bar for a drink and being served ‘flat’ beer – even in the UK! Worse still imagine being unable to go to hospital to have a medical procedure. And yet, this amazing situation is currently playing out in the UK and perfectly demonstrates why you need emergency management planning because comprehensive planning is the only way to deliver resilience in supply chains.

Carbon dioxide (CO2) is an important additive in the food, beverage and health industries. It is used widely, for example, in the carbonation of water, soft and alcoholic drinks; it is also used to stun pigs and chickens before they are humanely processed through abattoirs; it is used in many medical procedures for humans too; and it is used during packaging of a variety of supermarket foods to ensure extended shelf life.

Emergency Management Planning

In the UK, the current shortage of carbon dioxide has come about because two large fertiliser factories have stopped production because of soaring wholesale gas prices. Fertiliser plants generate CO2 as a by-product of their production process. The result? A 60% reduction in the UK’s food grade carbon dioxide supply.


The reduction in CO2 supplies has caused such shortages in the availability of a range of products that it has required intervention at a national government level. It is a remarkable situation and one that is proving difficult to resolve because the situation has arisen due to a fall in demand for fertilisers, not a fall in demand for carbon dioxide itself. The crisis has drawn attention to the fractured responsibility that exists in the supply chain and its management. Politically the issue lies across many areas of government.

Interestingly, this is not the first time a crisis involving the supply of carbon dioxide has occurred. It tends to be a cyclical event caused by a decrease in the production of fertiliser over the summer period. In 2018 a similar situation was reported. So, this incident is entirely predictable and should have been resolved by proper emergency management planning to ensure resilience in the supply chain.

It is a great learning opportunity for all of us. All businesses need to ensure they have identified weaknesses and potential emergency situations and planned accordingly to deliver business continuity. Planning is the key to building resilience into systems and businesses.

The global pandemic has introduced a new normal to this equation. There’s more volatility, uncertainty, complexity, and ambiguity in our everyday lives, so we need to plan better for the unexpected. This requires a change in mindset and thinking. It requires businesses to perform detailed risk planning to identify vulnerabilities and adopt controls to ensure supply and operations.

Through Covid a key learning has been on the very issue the UK CO2 crisis illustrates – security of supply chains to ensure a business can continue to operate. There are many current examples where foresight has been lacking and businesses have been exposed. The automotive sector is a great source of learning, along with many of our iconic parcel and package delivery services that have had to adjust their services due to unprecedented demand.

The learnings from the UK case study and Australia’s Covid experiences across a range of sectors make it abundantly clear that all businesses need to adapt quickly based on good data, intelligence, and evidence, leading to prompt decision making and the establishment of a rapid deployment capability.

It is an ever-changing world with new challenges and opportunities for businesses. Nuffield Group has the expertise and experience to support businesses in their risk assessment and emergency management planning.

Find out more:

contact us via the form on this website; email us direct at or call 1300 308 257 or +61 404 852 062


At Nuffield Group we don’t believe in re-inventing the wheel. We believe in helping create resilient businesses by sharing and collaborating non-competitive information. This approach has many advantages, not least of which is providing our customers with access to best practice frontiers based on learnings across industries and sectors.

Back in 2016 the Williams Formula One racing team worked with medical staff at the University Hospital of Wales in Cardiff to help apply their knowledge and procedures of pit lane operations to the resuscitation of newborn babies. The story is often invoked as an example of how you can learn from other industries and sectors to improve outcomes in your own.

In our industry we have adopted this principle by developing a practical solution: an online ‘Give ‘n’ Take Exchange’ (GNTX). GNTX is an innovative, collaborative and information sharing platform, supporting the development of best practice solutions across a range of organisations operating in various sectors and markets.

GNTX allows organisations, many with common goals, interests, and challenges, to share their approaches, policies, procedures, and practices to a range of issues.

The ability to access a diversity of experience, expertise and learnings creates an opportunity to understand and improve processes, tools, policies, and procedures among GNTX subscribers. Above all it enables the delivery of better outcomes in a timelier, better informed, less costly and more efficient manner.

It’s like a virtuous circle driving continuous improvement which translates to better products, solutions and outcomes promoting sustainable business operations and improved consumer outcomes. It’s a new way of consulting with collaboration and validation of practices and is particularly centred on small and medium businesses to help them increase their capability and responsiveness.

Nuffield Group are proud of the ecosystem GNTX creates and the improvement it offers businesses. For further information on its functionality and application contact us via the form on this website; email us direct at or call 1300 308 257 or +61 404 852 062