Article 3 in our risk mini-series (see links below for the first two) is all about what good risk registers need. And first and foremost it needs to be ‘owned’ as part of the organisational culture of a business.
Ownership should be at all levels of an organisation from board and executive management team to every person in the business. It is a vital tool in guiding an organisation to improve health and safety outcomes, increase productivity and performance, and improve team cohesion.
A further aspect of a risk register that delivers productive outcomes is involving a cross-section of the workforce to collaborate and identify the hazards, risks and controls required to be adopted. The collaboration and subsequent exchanges improve the interoperability of any organisation.
To be relevant, however, a risk register must also be up to date. Stating the obvious perhaps but risk registers need to be regularly reviewed to ensure they’re up to date, in particular:
- After any significant change within a workplace or process
- After an accident or incident has occurred
- After any near-misses have been reported
- If any controls are changed, updated or added (altering the risk)
- If there are learnings from similar businesses that make good sense to adopt
To this end, having a register maintained online rather than on paper in a file, makes keeping it up to date much easier. An online register is more easily accessible (think mobile or tablet device) and can be audited and updated much more easily too. This latter point is important for those high-risk hazards that may require regular reviewing or updating – for legal, compliance, HSSE or operational reasons.
Managing a risk register is an iterative process – a constant in any high performing and agile business. The elements listed above would be the basic minimum a risk register needs to help an organisation be compliant and build its resilience to withstand the shocks and stresses that emerge.
What, Who & When:
A risk register needs to not only include:
- What hazards were found
- Who could be impacted (person(s) or groups)
- And what controls are in place to manage risk
- who is monitoring them
- Who carried out the assessment or review and
- On what date the assessment or review was done
Communications & Records:
A good risk register needs to be communicable and available as a matter of record to show that an organisation has and continues to do everything possible to ensure health and safety in the workplace. It is a mechanism for use in a range of forums including staff briefings, newsletters, health and safety forums, and business strategy development, and informs capital expenditure programs.
Risk registers do not need to be “War & Peace” in length. They need to list hazards and describe them. They should list the potential impact (high, medium, low) to a business (eg cost) and, critically from a risk perspective, the probability of occurrence. With this data, you can then rank risks relative to each other and consider and list any appropriate measures or controls. It is also important to record who’s responsible for managing any identified risk and related controls.
The advantage of ensuring this data is accurately recorded in a register means you can then identify hazards and risks that require more frequent monitoring – in particular those that are considered highly likely to occur and highly likely to have a severe impact (high impact, high probability risks). These are risk register items you should have in an audit so you can be sure they are regularly reviewed and controls are updated whenever possible to reduce risk.
Addressing risk in a systematic manner is a prudent activity for all organisations to undertake in developing a productive, safe, and sustainable operation.
Article 1 in this series: What is a Risk Assessment?
Article 2 in this series: How to do a Risk Assessment
Nuffield Group provides consultancy and support services including risk assessment and compliance. Find out more here.