One of the fundamentals of the risk assessment process is to consider the effectiveness of current controls when determining the residual risk. A failure to consider the effectiveness of controls will result in an inaccurate assessment of the risk, and will make it more difficult to determine what the organisation should do to improve its risk profile.
The assessment of the effectiveness of controls is included in ISO 31000’s Risk Analysis stage and in the supporting 31010 Risk Management – Risk Assessment Techniques. The How to manage work health and safety risks Model Code of Practice likewise asks users to consider “How effective are current controls in reducing risk?” (recognising that in most cases the risks being assessed will already be subject to some control measures).
Considering the effectiveness of the current controls provides an indicator of what is being relied upon, what could be strengthened and what could potentially be discarded (as it is not particularly effective as a control).
In addressing the requirement for assessing existing controls, most organisations use either a % rating for the effectiveness, or a 5-point scale using broad qualitative terms such as excellent, good, fair, marginal etc.
But what do these ratings or terms really mean, and does this paint an accurate picture?
A particularly good WHS-related explanation regarding the effectiveness of current controls exists within the NSW Code of Practice for Managing Psychosocial Hazards at Work, with discussion that risk controls can be rated as follows:
- Controls are adequate, i.e., hazard/risk is eliminated, or residual risk is insignificant.
- Controls are in place to the full extent that is reasonably practicable. The controls are not ideal, but there is no better control currently available, or the cost would be grossly disproportionate to the risk. Ongoing monitoring of this risk is needed.
- Controls are satisfactory and appear to be working adequately. However, more effective controls are known and available and could be implemented.
- Controls are inadequate. There are known limitations with existing controls, and further action to manage the risk is needed.
- The risk is uncontrolled. Controls either have not been implemented, or they are grossly inadequate. Immediate action is required.
These plainly defined levels provide a clear picture of the effectiveness of the controls in mitigating the risk, whilst also indicating where further work is required or would be beneficial. The inclusion of ‘reasonably practicable’ (and the associated discussion) is also useful as it brings this legislative concept overtly into the risk management process.
It may be worth considering a review of your current controls, prefaced by a review of how you rate and describe them, during the next review of the Risk Management process and in Risk Management training.
Please contact QRMC for more information or assistance.