This is a six-million-dollar question that all employers, OH&S practitioners and internal OHS auditors will ask at some stage.
So, what are the criteria we should use to determine if our risk assessments are suitable and sufficient to meet the requirements of OHS legislation and standards such as OHSAS 18001 and the new ISO 45001 standards?
To begin with, we should look at the competency of the person carrying out the risk assessment. This person should have knowledge of the risk assessment process and should therefore be trained in how to carry out the risk assessments. They should also have knowledge of the task, activity, area or equipment being assessed.
If we do not have the competency in-house or there are specialised risk assessments required, then we should recognize our own limitations and bring in outside help from a competent person.
The HSE in the UK guidelines on risk assessment outlined in INDG163 (http://www.hse.gov.uk/pubns/indg163.pdf) suggest that risk assessments are suitable and sufficient if they show that:
- a proper check was made
- you asked who might be affected
- you dealt with all the obvious significant risks, considering the number of people who could be involved
- the precautions are reasonable, and the remaining risk is low, and
- you involved your staff or their representatives in the process
However, the above may be an over simplification of the criteria for determining if the risk assessment is suitable and sufficient.
I would suggest that the risk assessment should meet the following criteria:
- It should cover routine as well as non-routine activities as well as appropriate to the nature of the work
- It should identify all of the hazards
- It should identify all of those who might be harmed
It should also include vulnerable groups (e.g. pregnant employees, people with a disability, personnel with a pacemaker (especially if there is a strong magnetic field such as in metal detection equipment in the food industry), etc.)
- It should consider the number of people at risk
- Those affected by it should be consulted or involved in it
- The risk assessment should comply with relevant OHS legislation
- It should evaluate the likelihood and severity of the risk
- The effectiveness of the existing controls needs to be considered when evaluating the risk
- If these are not adequate, then further controls need to be considered
- The hierarchy of controls have been considered when deciding on the controls required (e.g. elimination, substitution, isolation, engineering controls, administrative controls and PPE)
- The residual risk after implementation of the controls should be low. In other words, the risk should be as reduced to an acceptable level
- The results of the risk assessment should be documented; if it is not written down it is not done
- The results of the risk assessments must be communicated to those affected by them
- It should be valid for a certain period of time
- It should be reviewed if there are significant changes or it is no longer valid, or in the event of an accident or near miss
- The risk assessment should be reviewed after the passage of a suitable period of time warrants it
Documenting the process you have followed provides an audit trail to help you demonstrate to the Health & Safety Authority or other interested parties that what you have done represents a suitable and sufficient risk assessment. Finally, the level of detail in the risk assessment should be proportionate to the risk.
Bottom line the risk assessment should ensure that the control measures prevent and protect workers from injury and ill health.
Submitted by Finbarr Stapleton from Antaris