Article

Development and Validation of Plain English Interpretations of the Seven Elements of the Risk Management Process

1
School of Systems Engineering, College of People Technology and Systems, 4000 Brisbane, Australia
2
Sustainable Minerals Institute, The University of Queensland, 4072 Brisbane, Australia
3
School of Environment and Safety Engineering, Sichuan Normal University, Chengdu 610066, China
4
Human Factors Team, Monash University Accident Research Centre, Melbourne, Australia and Coventry University, Coventry CV1 5FB, UK
*
Author to whom correspondence should be addressed.
Submission received: 18 July 2019 / Revised: 11 October 2019 / Accepted: 21 October 2019 / Published: 29 October 2019

Abstract

A fundamental problem with risk management standards and other associated guiding documents is that the definitions and descriptors of the seven elements of the risk management process within these documents are commonly at odds with each other and are difficult to understand. An implication is that personnel within and across organisations interpret the process in different ways. This has led to some companies developing their own interpretations of the elements in their risk/work health and safety (WHS) management systems, thereby exacerbating the problem. A standard set of definitions, terminology and language is vital for addressing WHS issues efficiently and effectively to result in better outcomes. This study aimed to develop a set of plain English interpretations (PEI) for each of the seven elements of the risk management process. These seven elements sit between the scant and technical definitions contained in standards (primary and secondary) and the voluminous guidance in the handbooks and codes of practice. The Delphi technique was used with 20 risk-experts to evaluate, over two iterations, a set of draft PEIs developed by the researchers. These were finally reviewed for readability and understandability by 24 operators/workers. The implication of these new PEIs is that they could be considered for future standards and guidance documents by the ISO Working Group Risk Management Standard and similar committees and used by organisations for their risk/WHS management systems.

1. Introduction

The concept of defining risk and standardising a set of risk management terminology and language is relatively new. In Australia and New Zealand, AS/NZS 4360:1995 Risk management—Principles and guidelines (AS/NZS 4360) was introduced as a top-level document on risk management and underwent two revisions in 1999 and 2005 [1]. (The research for this paper took place just prior to some of the nominated standards being updated; however, the methodology and findings are still noteworthy.) AS/NZS 4360:2005 was finally released as an international standard, titled ISO 31000:2009 Risk management—Principles and guidelines, accompanied by ISO/IEC Guide 73:2009 Risk management—Vocabulary—Guidelines for use in standards, previously a 2002 version [2]. This is now supported by handbook HB 436:2013 Risk management guidelines—A companion to ISO 31000:2009 Risk management—Principles and guidelines [3]. This suite of risk management documents is now well accepted by the Australian risk/work health and safety (WHS) community as definitive guides to the risk management process.
A series of other standards and handbooks have been produced over time that gives guidance on the management of risk, some of these at an industry level [4], some at an equipment level [5], some at a functional level [6] and some at a systems safety engineering level [7].
Definitions for risk management are provided in two key documents, namely ISO Guide 73:2009 Risk management—Vocabulary and ISO 31000:2009 Risk Management—Principles and guidelines [8]. Within the framework of risk management, there are a plethora of other codes of practice, standards and supporting handbooks that also define risk management terms and give context for practitioners. This research constrains the discussion to the key WHS codes of practice, standards and supporting handbooks to support the problem statement.
Figure 1 is a node diagram showing the inter-relationships of the key codes of practice, standards and handbooks as discussed. The interrelationships are based on whether the documents contain a reference to one of the other documents. If they do, the expectation is that the definitions, terminology and language would be consistent. However, as the diagram suggests, there are multiple connections and disconnects between the codes of practice, standards and handbooks—these may contribute to the confusion in the interpretation of the process of risk management.
SAI Global’s online searching tool was used for determining which standards were relevant and current. There is some conjecture as to its accuracy at the time of research in that AS/NZS 3931:1998 [9] may have already been withdrawn, yet was not described as such [10]. There is also conjecture amongst risk practitioners that IEC/ISO 31010:2009 is not well recognised in Australia [11] and that its principles were adopted through the use of HB 89:2010 [12]; however, well recognised or not, there are differences in the two standards. That said, the diagram above still demonstrates the complex connections and disconnections.
Legend for Figure 1:
  • black box—a document that is current and references other current documents;
  • white box—a document that is superseded but still available through SAI Global and not clearly marked as superseded;
  • grey box—a document that is current but references superseded documents;
  • solid line—a current document referenced by a current document;
  • dotted line—a current document referenced by a superseded document, and
  • dashed line—a superseded document referenced by a current document.
This research has been conducted within the WHS domain and ISO/IEC GUIDE 51:2014 ‘Safety aspects—Guidelines for their inclusion in standards’ that focuses on products and systems is considered outside of the scope [12]. However, some comparisons are made between it and other documents later in this paper.
Although Hardy [13] (p. 36) discusses ISO 31000:2009 [2] as a “universal effort to establish an acceptable and common understanding of risk across all sectors and types of organisations”; concerns regarding divergent risk management definitions have been widely debated since the early 1980s. Commentators have argued that risk management terminology and language is not used consistently—terms can have different and contradictory meanings, multiple terms can have the same meaning, terms can be vaguely defined and the meaning and understanding of some terms is dependent upon the context in which it is being used [14]. Haimes [15] (p. 939) contends that “the Risk Definition Committee of the Society for Risk Analysis (SRA) (2) printed 13 definitions of risk on the program jacket of its first meeting in 1981” and “… the definitions of risk continue to multiply as ‘risk’ becomes a household term” (p. 1647). Knight [16] (p.6) states that during the drafting of AS/NZS 4360:2004 [1] “some terms were so widely interpreted by risk practitioners they caused real debate amongst users as to what they meant and how they should be implemented.” He also describes the difficulty in coming to a consensus on terminology across international borders in some cases due to the framework around risk management that these countries developed and in some cases because terms became ‘lost-in-translation’ in some languages.
The recent work of Aven [17] found that the latest version of ISO Guide 73:2009 “fails in several ways in producing consistent and meaningful definitions of many of the key concepts covered” (p. 724). Cross [18] in her chapter on risk in the Safety Institute of Australia’s OHS Body of Knowledge describes “the confusing and inconsistent terminology” of risk and the need “to communicate clearly and unambiguously a single language” (p. 1) of risk.
Hubbard [19] (p. 79) stated that “concepts about risk and even the word risk are a source of considerable confusion even amongst those who specialise in the topic,” which is supported by Hillson and Murray-Webster [20] and Breakwell [21]. Hopkins [22] raises the issue of the legal system being confused by the meaning of the term risk in bringing charges against Esso for the Longford disaster. Hopkins [22] (p. 15) also discusses the process of managing risk from a regulatory perspective as three basic steps, those being “hazard identification, risk assessment and risk control.” However, these are at odds with the model as defined in ISO 31000:2009 [2] and its predecessors. As Calman and Royston [23] (p. 393) suggest, “it is odd that we have no common language for discussing the hazards of life.”
A key consequence of the confusion in risk definitions and terminology is that of interpretation and how to operationalise concepts of risk within organisations and across broader industries. Kaplan and Garrick [24] (p. 11) stated with respect to the varied uses of risk that “the requirements for an intelligible subject is [sic] a uniform and consistent usage of words.” Fischhoff et al. [25] (p. 136) claim that “an effective decision-making process, whether conducted by individuals or societies, requires agreement on basic terms,” furthermore maintaining that “without such conceptual clarity, miscommunication and confusion are likely.” McNamee [26] urges that there is a need for people to agree on a risk framework or model and a common language of risk, and Espersen [27] (p. 69) suggests that “it ensures that everyone throughout the organisation shares a common method of speaking about risk.” Further, von Känel et al. [28] argue that a common risk language (or risk taxonomy) provides a basis for clear and concise communication throughout a company about risk to facilitate a better risk management process. Miccolis [29] (p. 45) states that “the language used to describe risks is becoming muddled” and furthermore that “in order for senior managers to have a complete grasp of all-encompassing risk as it affects their businesses, they need to communicate the varieties of risk in a common language.” Meshkat and Su [14] (p. 1) support this, claiming that “having a common language is a key factor to implementing a successful management process.” Hogganvik et al. [30] (p. 14) argue that in risk forums you cannot rely on participants’ interpretations of the risk management terms and that there are often misunderstandings and uncertainty amongst the participants. They then posit that interpretations “may differ depending on the participant’s background and experience” and “it is important that the terminology does not conflict with the daily language understanding of these terms” (p. 13). Hopkin [31] (p. 123) supports this in claiming that “without a common language, risk management teams will spend too much time resolving communication issues at the expense of their primary responsibilities.”
In response to these deficiencies in risk management definitions, terminology and language, a study was undertaken to develop and evaluate a set of plain English interpretations (PEIs) of the seven elements of the risk management process. In particular, whilst it is noted from the literature that there is a need for ‘consistent and meaningful definitions’ and the need to ‘communicate clearly and unambiguously,’ this study focusses more on the latter. To this end, plain English is undefined but is expected to be reached with the consensus of the participants who are a subset of the target audience for the use of the PEIs. No previous research has done this.

2. Aim

The aim of this study was to develop a set of PEIs for each of the seven elements of the risk management process that reflect both the key concepts of the definitions contained in standards (primary and secondary) and the additional guiding information in the supporting handbooks and codes of practice. They will be clear, brief and avoid technical jargon. They are therefore designed to sit between the scant and technical definitions contained in standards (primary and secondary) and the voluminous guidance in the handbooks and codes of practice.
The seven elements are:
  • Establishing the Context;
  • Risk Identification;
  • Risk Analysis;
  • Risk Evaluation;
  • Risk Treatment;
  • Communication and Consultation, and
  • Monitoring and Reviewing
The hypothesis for this study is that a set of PEIs for each of the seven elements of the risk management process would provide workers with clarity and a common meaning and language when applying the risk management process.

3. Method

3.1. Participants

Participants comprised two groups: (1) twenty eminent risk-experts and (2) twenty-four frontline operators/workers. Risk experts (19 males) were aged between 45 and 56 years (M = 55.1 years, SD = 6.5 years), had collectively worked in WHS/risk management for 701 years (M = 35.1 years, SD = 7.4 years, R = 24–48 years) and had practised risk management in their vocations for a minimum of 25 years. Fifteen were facilitators/practitioners of risk management and WHS in mining and construction (general and railway), three were lawyers and two were academics, all specialised in the fields of risk management and WHS. Initially, there were 23 risk-experts but three participants did not respond correctly to the task and were removed from the sample.
Operators/workers (20 males) were aged between 22 and 56 years (M = 33.1 years, SD = 8.6 years) and employed in the mining and construction (general and railways) industries with 332 years of collective experience (M = 13.8 years, SD = 8.1 years, R = 2–35 years).
All of the participants had professional ties to the researchers so were not a representative random sample. Participants were sought based on the criteria set by Pill [32] and Oh [33], that is, they had what Hsu and Sandford [34] subsequently described as having moderately associated backgrounds and experiences in the focus areas, being able to provide useful responses and being willing to adjust their initial/previous decisions. With respect to numbers of participants, Hsu and Sandford [34] claim there is no consensus within the literature; however, the sample number meets the criteria of Witkin and Altschuld [35] of there being less than 50 participants and approximates the criteria of Ludwig [36] that there be between 15 and 20 participants.
In any research, there is always a concern of participant bias at a number of levels:
  • the ‘social desirability effect’, which was addressed by advising participants that responses were confidential and anonymous;
  • the ‘halo effect’, which was addressed by not shaping participants’ ideas before they saw the survey, and
  • the ‘yea/nay saying acquiescence’, which was addressed by using balance in the questioning, that is, no leading questions [37].
All participants gave written informed consent and the Human Research Ethics Committee of The University of Queensland approved the study. None of the participants were paid or reimbursed for their participation in this study.

3.2. Procedure and Materials

Risk-experts received an email describing the study and inviting them to participate. Those volunteering to participate then received the first-cut PEIs and an associated feedback questionnaire.
The authors developed the first-cut PEIs by comparing the definitions of each of the elements contained in four standards, one guide, six supporting handbooks and one code of practice, as defined in Figure 1. As described earlier, some of these documents were current and others in the process of revision or due for future revision (to be made consistent with AS/NZS ISO 31000:2009 [2]). This added a level of uncertainty in developing and aligning the definitions and interpretations of the elements. Given that the authors wrote the first-cut PEIs, it should be noted that the three authors have over 70 years of combined experience in the area; they have backgrounds in practical health and safety management and academic safety research. For example, the principal author has over 40 years of experience managing risks from the board level to the coal-face in the rail, mining and construction industries.
The feedback questionnaire asked participants whether they believed the PEIs reflected the core principles of the defining standards and were readable. If they disagreed, they were asked to justify their decision and to supply alternative wording. Those who agreed that the PEIs reflected the intent of the guiding documents were also encouraged to explain their decision. Two participants with extensive WHS and risk management experience completed a pilot study to test the syntax and format of the feedback questionnaire.
The Delphi technique then guided the subsequent development of the PEIs. The panel of experts would continue to receive the updated PEIs and feedback questionnaires (via email) and were encouraged to revise their earlier opinions in light of the feedback from the other experts. This process would continue until the group achieved a consensus. After each round, experts received an anonymous report of everyone’s feedback, which included the reasons for their responses [38,39,40,41]. The theory underlying the Delphi method is that during this iterative process, the range of the opinions will decrease and the group will converge towards a consensus of opinion [42]. Dalkey [38], Helmer and Rescher [43], Oh [33] and Adams [44] further posit that the process of individuals working anonymously to form a consensus may help to reduce the various biases that result in regular, face-to-face group meetings, such as ‘group think’ and the ‘halo effect.’ A key challenge to applying a Delphi technique is that it can be a time-consuming process [40,45,46].
Once the risk-experts reached consensus, the group of operators/workers reviewed the PEIs using a similar process. A key difference between groups was that the survey tool SurveyMonkey® delivered the information instead of email. This improved the participation rate to 100% and dramatically reduced the time taken for participants to respond. The feedback questionnaire differed in that it asked participants to judge whether the PEIs were readable and understandable.
The risk-experts took two rounds to satisfy consensus. The outcomes from each of these rounds are henceforth termed the ‘second-cut’ and ‘third-cut’ PEIs, respectively. The operators/workers group achieved consensus in one round and their outcomes, which became the final version of the PEIs, are referred to as the ‘fourth-cut’ of the PEIs.

3.3. Analysis Strategy

The criterion used to indicate an acceptable level of consensus was 80% group agreement. This is an application of the law of diminishing returns, whereby at some point the amount of effort to increase consensus outweighs the economic value of that effort.

4. Results

4.1. Feedback Provided by Risk-Experts

Risk experts, using two iterations of the Delphi technique, developed plain English interpretations of the seven elements of the risk management process. Table 1 highlights the changing level of support for the PEIs given by risk experts over the two review rounds. The group deemed two of the PEIs (Risk Evaluation, and Communication and Consultation) suitable in the first round. Their feedback then informed updated versions of the PEIs (second-cut) that experts reviewed in round two. As shown in Table 1, between 80 and 100 per cent of experts approved the second-cut PEIs but they also offered further feedback, which guided the development of the final expert-developed PEIs (third-cut). This later feedback generally related to minor syntax and formatting changes, whereas earlier feedback concerned more substantive issues associated with the meaning of concepts (etc.). In accommodating the suggestions of multiple participants, the researchers made minor grammatical corrections and word changes.
Five participants provided general comments supporting the development of the PEIs for the seven elements of the risk management process. Examples of these were—“ISO GUIDE 73 definitions we apply to risk management are the result of much debate,” “I agree that the generic definitions can sometimes leave the user still seeking answers” and that “I think your plain English interpretation adds value—I think you’ve thought them out well.” Another participant was concerned that the trainers of the risk management process often “failed to use plain English.” Another participant said “It works for me, I understand what you’re saying and I agree that what you’re saying is right. My only suggested changes are tweaks to wording on a couple of places where I had to read it twice to get what you were saying.”
Only one participant maintained that the current definitions in the standard “were acceptable as were the PEIs.” Three of the risk-experts gave only general comments about the first-round PEIs; although they were excluded from later rounds, their feedback informed the round-two PEIs.
To illustrate the qualitative changes made to PEIs across rounds, the next section represents a case study of the major changes made in the development of the Risk Treatment PEI.

A Case Study Showing the Development of the Risk Treatment PEI as Informed by Risk-Experts

On first viewing of the Risk Treatment PEI, 65 per cent of the risk experts agreed that it reflected the core principles of the defining standards and was readable. The feedback given by experts in round one is shown in column one of Table 2. There were 14 comments given by seven participants who disagreed and 13 participants who agreed with the PEI, resulting in the following changes:
  • Added an initial short definition of risk treatment that included two risk treatment outcomes—(1) eliminate or reduce the risks that are unacceptable or intolerable and (2) accept or increase the risk or opportunities that are acceptable or tolerable
  • Added ‘accepting the risk’ to the tolerating the risk strategy because it was important to highlight that risk was not necessarily negative
  • Deleted ‘removing the risk source’ from the treating the risk strategy because it actually belongs in the termination strategy
  • Added ‘passing on’ to the transferring the risk strategy to differentiate from ‘sharing’ the risk
These changes resulted in a second-cut Risk Treatment PEI that received support from 95 per cent of the group in round two. Six issues were raised as part of round two feedback (given by one participant who disagreed and 19 who agreed with the PEI) that resulted in the following changes (see column two, Table 2):
  • In the first paragraph ‘with consideration of the hierarchy of controls’ was added because it was thought to be an important and often forgotten part of the risk management process
  • In the second outcome ‘accept or increase risk’ was separated, to highlight their differences better—so that there were now three separate outcomes

4.2. Feedback Provided by Operators/Workers

To bolster the likely use of the PEIs at the sharp-end of a firm, a group of 24 operators/workers reviewed them for their readability and understandability. On first viewing, 80% or more of the group approved each of the seven PEIs. They did, however, provide feedback that resulted in a final set of PEIs. This feedback suggested minor amendments, primarily targeting the readability of the PEIs. For example, they suggested that commonly used words replace jargon and technical words.
For four elements—(1) Establishing the Context, (2) Risk Evaluation, (3) Risk Treatment and (4) Communication and Consultation—the level of support given by operators/workers was less (by 8 to 17%) than that given by the risk-experts in round two but generally higher than that given by risk-experts in round one (see Table 3). The reduction in levels of approval across rounds two and three is likely to be due to the risk-experts and operators/workers viewing the risk management elements in a slightly different manner. The former group is likely to hold a more strategic/tactical approach, while the latter an operational approach. Additionally, it was anticipated that the levels of agreement among the occupational groups would differ because they have different competency sets and methods for managing risk. More important was that the level of consensus satisfied the 80 per cent consensus criterion. Table 3 depicts the changes in support for the PEIs across the two occupation groups. It shows a consensus score for each round and a difference between rounds.
Table 3 shows that Establishing the Context, Risk Evaluation and Risk Treatment just reached consensus, indicating that support for these elements would probably improve with further rounds of the Delphi technique as part of further work.
One participant offered a general comment across all elements that “the average worker would not understand any of this.” This comment was in contrast to the views of the remaining 23 operators/workers.
The results of this round were the fourth-cut and final version of the PEIs, as detailed in Table 4.

4.3. Discussion

The aim of this study was to develop a set of PEIs for each of the seven elements of the risk management process that reflect both the key concepts of the definitions contained in standards (primary and secondary) and the additional guiding information in the supporting handbooks and codes of practice. In two iterations 80 per cent or more of the group (M = 92% across PEIs) of 20 risk experts (each with at least 25 years’ experience as risk practitioners) gave support for each of the seven PEIs, confirming that they reflected the core principles of the defining standards and were readable.
The PEIs achieving the highest level of approval by experts on first viewing were Risk Analysis (75%), Risk Evaluation (85%) and Consultation and Communication (95%). This may be due to them being more clearly defined in the current risk management standards, handbooks and codes of practice than other elements of the risk management process. Another explanation is that experts in our study were more familiar with conducting them and so there was less variability in their understanding. The Risk Analysis and Risk Evaluation elements are core components of the risk assessment sub-process that most risk practitioners are familiar with and so are likely able to define quite well. In addition to being a requirement in AS/NZS ISO 31000:2009 [2], the risk assessment sub-process is also used at the operator/worker level in field-level risk assessments (e.g., ‘Take 5’, ‘SLAM’ and ‘StepBack’). Also, the Communication and Consultation element cuts across many management activities beyond risk management and so, again, it is relatively familiar and known to practitioners. Conversely, the Establishing the Context PEI, which had a low level of support in round one, is typically not applied by risk practitioners when conducting risk assessments. Contrary to this view, the Risk Treatment PEI also had a low level of support, yet one would expect that this process would be familiar to experts.
To better ensure the use of the PEIs at the ‘pointy-end’ of an organisation, a group of 24 workers/operators employed in high-risk industry sectors (construction and mining) subsequently rated the expert-approved PEIs. It was found that more than 80 percent of the group (M = 88% across PEIs) agreed that the PEIs were both readable and understandable. The finalised PEIs for all elements of the risk management process are given in Table 4.
The researchers used the study group to develop the PEIs and at no stage influenced their decision through the Delphi process. However, some commentary is offered below for further consideration on five of the PEIs that were developed:

4.3.1. Risk Identification PEI

The words ‘harm’ and ‘hazard’ were used in AS/NZS 4360:2004 [1] (replaced by ISO 31000:2009 [2]) only with specific reference to ISO/IEC GUIDE 51:1999 (replaced by ISO/IEC GUIDE 51:2005 and then ISO/IEC GUIDE 51:2014) [12] and safety-related risk. These terms are not meant to be applied to risk management activities that are not safety-related. As this study is safety-related, it could be argued that it is relevant to consider the definition of ‘harm’ from ISO/IEC GUIDE 51:2014 [12] rather than its inference from the definition of hazard from ISO GUIDE 73:2009. Interestingly, ISO/IEC GUIDE 51:2014 [12] does not return the favour: although it mentions ISO 31000:2009 [2], it does not make use of any of it, potentially demonstrating the politics of different ISO/IEC committees.
The expert group suggested and agreed on the words ‘uncertainties and ambiguities’ within the Risk Identification PEI. Hayes [47] would contend that uncertainty is inherent in the definition and ambiguity is a subset of uncertainty and so perhaps there is a form of residually in the definition agreed by the participants that could be improved with further work.

4.3.2. Risk Analysis PEI

It is worth considering the likelihood of the consequence of an event that is to be combined with the extent of the consequence when determining the level of risk. That is, there is a distribution of possible consequence values that have to be represented by an expected value. The likelihood of the event does influence the likelihood of the consequence. ISO 31000:2009 [2] is not consistent in its description of likelihood and consequence but the authors of the update to HB 436:2013 [3] have tried to clarify what should be meant by ‘likelihood’ when determining the level of risk.

4.3.3. Risk Evaluation PEI

The expert group suggested and agreed that the phrase ‘as low as reasonably practicable’ be included in the Risk Evaluation PEI. This is in conflict with the requirements of the WHS statutes that require the principles of ‘so far as is reasonably practicable.’
Some may contend that Risk Evaluation cannot be used to decide about ‘mitigation’ strategies (i.e., whether to terminate, tolerate, treat or transfer). Such strategies have not been determined yet and their priorities are dependent upon their change to levels of risk and the cost of implementation, which may be one of the risk criteria, should that approach be taken. As such, the definition agreed by the participants could be improved with further work that may include consideration of the penultimate paragraph in the definition being dropped or moved to the Risk Treatment PEI, where such priorities are set.

4.3.4. Risk Treatment PEI

It could be argued that the hierarchy of controls is appropriate from a safety aspect but not for general risk management. Others might argue that it is dangerous to indicate a particular approach within a definition but, as these are PEIs, it may be considered appropriate.
Some may contend that from a WHS perspective passing on risk is not possible. Risk is defined in ISO 31000:2009 [2] (p. 1) and ISO Guide 73:2009 [8] (p. 2) as the “effect of uncertainty on objectives.” So, they may question how that can be passed to someone outside the organisation? However, within this context, the consequences for the objectives/risk criteria can be influenced by someone else’s actions, as in paying out insurance but the effect remains within the organisation, even if lessened. That said, as mentioned for ‘Risk Treatment,’ particular approaches really should not be in definitions, although they are used in ISO Guide 73:2009 [8].
The expert group suggested and agreed on the words ‘risk and opportunities’ and ‘accept the risk’ be used in the Risk Treatment PEI. It could be argued that ‘risk and opportunities’ would be better worded as ‘threat and opportunities’ and that ‘accept the risk’ would be better expressed as ‘accept the level of risk.’ These could be potentially improved with further work.

4.3.5. Monitoring and Reviewing PEI

The expert group suggested and agreed that ‘more appropriate controls’ be used in the Monitoring and Reviewing PEI. It could be argued that these are also new controls and potentially this PEI could be improved with further work.

4.4. Conclusions

The research here has shown that PEIs for the seven elements of the risk management process can successfully be developed. These PEIs were understood and accepted by risk experts. Considerable differences exist in risk management definitions and terminology in the various risk management standards, handbooks and codes of practice. Confusion arising from these differences has been consistently reported in the literature and is concerning because it has the potential to hinder the application of the risk management process. Across two iterations of the Delphi-technique, risk-experts provided feedback about the PEIs, which resulted in incremental improvement in their support of the PEIs. This confirmed that the content and readability of the emergent PEIs were being enhanced and highlighted the value of the Delphi-technique in generating a common meaning from divergent and differing expert opinions. It is also evident that it was possible to get a group of specialists and operators to agree on plain language interpretations of the seven elements of the risk management process.
There are two implications of this work from an applied research point of view. Firstly, the PEIs could be considered by the ISO working committee for risk management for future improvement to the risk management standards and handbook, because people are concerned about the poor level of consistency and clarity in these documents. Secondly, the PEIs could be adopted by companies for implementation into their current safety/risk management systems.
Ongoing testing of our findings should be undertaken with other safety scientists and professional groups, for example, the Safety Institute of Australia, to verify the PEIs further.

Author Contributions

The research was undertaken by the first author (G.M.) under the supervision of T.H. and J.H. All three authors contributed to the data analysis, and all were actively involved in the writing of this paper.

Funding

This research received no external funding.

Conflicts of Interest

The authors declare no conflict of interest.

References

  1. Standards Australia and Standards New Zealand. AS/NZS 4360:2004 Risk Management; NZS: Wellington, New Zealand, 2004.
  2. Standards Australia and Standards New Zealand. ISO 31000:2009 Risk Management–Principles and Guidelines; NZS: Wellington, New Zealand, 2009.
  3. Standards Australia and Standards New Zealand. HB 436:2013, Risk Management Guidelines–A Companion to AS/NZS ISO 31000: 2009; Sydney, NZS: Wellington, New Zealand, 2013.
  4. Standards Australia and Standards New Zealand. HB 246:2010-Guidelines for Managing Risk in Sport and Recreation Organizations; Sydney, NZS: Wellington, New Zealand, 2010.
  5. Standards Australia and Standards New Zealand. AS/NZS 4024.1201:2014-Safety of Machinery-General Principles for Design-Risk Assessment and Risk Reduction; NZS: Wellington, New Zealand, 2014.
  6. Standards Australia and Standards New Zealand. HB 167:2006 Security Risk Management; NZS: Wellington, New Zealand, 2006.
  7. Standards Australia and Standards New Zealand. AS 61508.1-2011 Functional Safety of Electrical/electronic/Programmable Electronic Safety-Related Systems-General Requirements; NZS: Wellington, New Zealand, 2011.
  8. Standards Australia and Standards New Zealand. ISO GUIDE 73:2009, Risk Management–Vocabulary Sydney; NZS: Wellington, New Zealand, 2009.
  9. Standards Australia and Standards New Zealand. AS/NZS 3931:1998 Risk Analysis of Technological Systems–Application Guide; NZS: Wellington, New Zealand, 1998.
  10. Standards Australia and Standards New Zealand. IEC/ISO 31010:2009 Risk Management–Risk Assessment Techniques; NZS: Wellington, New Zealand, 2009.
  11. Standards Australia and Standards New Zealand. HB 89:2010 Risk Management-Guidelines on Risk Assessment Techniques; NZS: Wellington, New Zealand, 2010.
  12. Standards Australia and Standards New Zealand. ISO/IEC GUIDE 51:2014 Safety Aspects–Guidelines for Their Inclusion in Standards; NZS: Wellington, New Zealand, 2014.
  13. Hardy, J. Enterprise Risk Management: A Guide for Government Professionals; Josey-Bass: San Francisco, CA, USA, 2014.
  14. Meshkat, L.; Su, P. A Common Risk Language; The Aerospace Corporation: El Segundo, CA, USA, 2004.
  15. Haimes, Y.Y. On the complex definition of risk: A systems-based approach. Risk Anal. 2009, 29, 1647–1654.
  16. Knight, K. 21 years of risk management standardisation-past, present and future. Presented at the Queensland Chapter of RMIA, Brisbane, QLD, Australia, 22 October 2012.
  17. Aven, T. On the new ISO guide on risk management terminology. Reliab. Eng. Syst. Saf. 2011, 96, 719–726.
  18. Cross, J. Risk. In The Core Body of Knowledge for Generalist OHS Professionals; HaSPA (Health and Safety Professionals Alliance); Safety Institute of Australia: Tullamarine, VIC, Australia, 2012.
  19. Hubbard, D.W. The Failure of Risk Management: Why It Is Broken and How to Fix It; John Willey & Sons, Inc.: Hoboken, NJ, USA, 2009.
  20. Hillson, D.; Murray-Webster, R. Understanding and Managing Risk Attitude; Gower Publishing Co.: Aldershot, QLD, Australia, 2005.
  21. Breakwell, G.M. The Psychology of Risk; Cambridge University Press: Cambridge, UK, 2007.
  22. Hopkins, A. Lessons from Longford: The trial. Spec. Issue J. Occup. Health Saf. 2002, 18, 3.
  23. Calman, K.C.; Royston, G.H.D. Personal paper: Risk language and dialects. Br. Med. J. 1997, 315, 939–942.
  24. Kaplan, S.; Garrick, B.J. On the quantitative definition of risk. Risk Anal. 1981, 1, 11–27.
  25. Fischoff, B.; Watson, S.R.; Hope, C. Defining risk. Policy Sci. 1984, 17, 123–139.
  26. McNamee, D. Targeting business risk. Intern. Audit. 2000, 57, 45–51.
  27. Espersen, D. The language of risk. Intern. Audit. 2007, 64, 69.
  28. Von Känel, J.; Cope, E.W.; Deleris, L.A.; Nayak, N.; Torok, R.G. Three key enablers to successful enterprise risk management. IBM J. Res. Dev. 2010, 54, 1.
  29. Miccolis, J.A. Toward a universal language of risk. Risk Manag. 1996, 43, 45.
  30. Hogganvik, I.; Stølen, K. Risk analysis terminology for IT-systems: Does it match intuition? In Proceedings of the 2005 International Symposium on Empirical Software Engineering, Noosa Heads, Australia, 17–18 November 2005.
  31. Hopkin, P. Institute of risk management. Fundamentals of Risk Management; Kogan Page Publishers: London, UK, 2014.
  32. Pill, J. The Delphi method: Substance, context, a critique and an annotated bibliography. Socio-Econ. Plan. Sci. 1971, 5, 57–71.
  33. Oh, K.H. Forecasting through Hierarchical Delphi. Ph.D. Thesis, The Ohio State University, Columbus, OH, USA, 1974. Unpublished.
  34. Hsu, C.C.; Sandford, B.A. The Delphi technique: Making sense of consensus. Pract. Assess. Res. Eval. 2007, 12, 1–8.
  35. Witkin, B.R.; Altschuld, J.W. Planning and Conducting Needs Assessment: A Practical Guide; Sage Publications, Inc.: Thousand Oaks, CA, USA, 1995.
  36. Ludwig, B. Predicting the future: Have you considered using the Delphi methodology? J. Ext. 1997, 35, 1–4.
  37. Farnsworth, B. What Is Participant Bias? (And How to Defeat It). Available online: https://imotions.com/blog/participant-bias/ (accessed on 18 December 2017).
  38. Dalkey, N.C. The Delphi method: An experimental study of group opinion. In Studies in the Quality of Life: Delphi and Decision-Making; Dalkey, N.C., Rourke, D.L., Lewis, R., Snyder, D., Eds.; Lexington Books: Lexington, MA, USA, 1972; pp. 13–54.
  39. Ludlow, J. Delphi inquiries and knowledge utilization. In The Delphi Method: Techniques and Applications; Linstone, H.A., Turoff, M., Eds.; Addison-Wesley Publishing Company: Reading, MA, USA, 1975; pp. 102–123.
  40. Ludwig, B.G. Internationalizing Extension: An Exploration of the Characteristics Evident in a State University Extension System that Achieves Internationalization. Ph.D. Thesis, The Ohio State University, Columbus, OH, USA, 1994. Unpublished.
  41. Douglas, D.C. A Comparative Study of The Effectiveness of Decision Making Processes Which Utilize the Delphi and Leaderless Group Methodologies. Ph.D. Thesis, The Ohio State University, Columbus, OH, USA, 1983. Unpublished.
  42. Rowe, G.; Wright, G. The Delphi technique as a forecasting tool: Issues and analysis. Int. J. Forecast. 1999, 15, 353–375.
  43. Helmer, O.; Rescher, N. On the epistemology of the inexact science. Manag. Sci. 1959, 6, 25–53.
  44. Adams, S.J. Projecting the next decade in safety management: A Delphi technique study. Prof. Saf. 2001, 46, 26–29.
  45. Delbecq, A.L.; van de Ven, A.H.; Gustafson, D.H. Group Techniques for Program Planning; Scott, Foresman, and Co.: Glenview, IL, USA, 1975.
  46. Ulschak, F.L. Human Resource Development: The Theory and Practice of Need Assessment; Reston Publishing Company, Inc.: Reston, VA, USA, 1983.
  47. Hayes, K. Uncertainty and Uncertainty Analysis Methods; Report EP102467; CSIRO: Hobart, TAS, Australia, 2001.
Figure 1. Node-diagram depicting the interrelationships of the chosen standards, handbooks and codes of practice.
Table 1. Proportion of risk experts supporting the first- and second-cut plain English interpretations (PEIs).
| Rounds | Establish Context | Risk Identification | Risk Analysis | Risk Evaluation | Risk Treatment | Communication & Consultation | Monitoring & Reviewing |
|---|---|---|---|---|---|---|---|
| Round 1 | 60% | 60% | 75% | 85% | 65% | 95% | 65% |
| Round 2 | 95% | 80% | 85% | 100% | 95% | 100% | 90% |
| ∆ Rounds 1 and 2 | 35% | 20% | 10% | 15% | 30% | 5% | 25% |

∆ represents the difference between rounds.
Table 2. Changes to the Risk Treatment PEI across round one (second-cut) and two (third-cut) of the Delphi-technique.
Second-Cut PEIs
‘Risk treatment’ is the process of determining ‘risk mitigation strategies’ to:
  • eliminate or reduce risks that are unacceptable or intolerable, or
  • accept or increase risks or opportunities that are acceptable or tolerable.
This results in consideration of four key decisions:
  • terminating the risk, i.e., avoiding the risk by deciding not to start or continue the activity or removing the risk source, that gives rise to risk;
  • tolerating the risk, i.e., accepting the risk or taking on increased risk, by informed decision, in order to pursue an activity/opportunity;
  • treating the risk, i.e., changing the likelihood and/or consequence associated with the risk, or
  • transferring the risk, i.e., passing on or sharing the risk with another party or parties including contracts and/or risk financing.
Third-Cut PEIs
‘Risk treatment’ is the process of determining further risk mitigation strategies, with consideration of the hierarchy of controls, to:
  • eliminate or reduce risks that are unacceptable or intolerable or
  • accept risks or opportunities or
  • increase risks providing they remain acceptable or tolerable.
For each risk identified, this results in consideration of four key decisions:
  • terminating the risk, i.e., avoiding the risk by deciding not to start or continue the activity or removing the risk source, that gives rise to risk;
  • tolerating the risk, i.e., accepting the risk or taking on increased risk, by informed decision, in order to pursue an activity/opportunity;
  • treating the risk, i.e., changing the likelihood and/or consequence associated with the risk or
  • transferring the risk, i.e., passing on or sharing the risk with other parties including contracts and/or risk financing.
Note: The grey, struck-out text denotes deletions and the italics text denotes additions to the first-cut PEI.
Table 3. The proportion of participants (risk-experts, operators/workers) who approved the PEIs across round two and three of a Delphi technique.
| Rounds | Establish Context | Risk Identification | Risk Analysis | Risk Evaluation | Risk Treatment | Communication & Consultation | Monitor & Review |
|---|---|---|---|---|---|---|---|
| Round 2 (risk-experts) | 95% | 80% | 85% | 100% | 95% | 100% | 90% |
| Round 3 (operators/workers) | 83% | 88% | 92% | 83% | 83% | 92% | 92% |
| ∆ Rounds 2 and 3 | −12% | 8% | 7% | −17% | −12% | −8% | 2% |

∆ represents the difference between rounds.
Table 4. Finalised PEIs.
Finalised PEIs
‘Establishing the context’ is the process of evaluating the external and internal environment in which your organisation operates with respect to the specific objective you are trying to achieve. This includes legal and regulatory frameworks, political, economic, cultural, commercial (including financial), technological and operational elements of your organisation.
From this broad-based perspective, a strategic approach to risk can be mapped for your organisation, including establishing the criteria against which risk will be evaluated and defining the analysis structure.
This results in a starting plan and scope for the other six parts of the process that can be applied at a strategic, tactical and operational level, as appropriate.
‘Risk identification’ is the process of identifying the opportunities or hazards (sources of harm) and describing the types of credible risks that could affect your organisation. It involves a thorough examination of your organisation’s activities and the potential events that could occur and those that have occurred in similar circumstances. These events can be planned or unplanned.
This results in a comprehensive list of well-defined risks, albeit there may be some uncertainties and ambiguities, unique to your organisation and its operational environment.
‘Risk analysis’ is the process of determining the relative effect individual risks are likely to exert on your organisation/role.
Risks to your organisation are analysed in terms of the likelihood of the event(s) occurring (e.g., ranging from rare to almost certain) and consequence(s) if the event occurs (e.g., ranging from minor to catastrophic). Events can be planned or unplanned.
This results in data that can then be used to prioritise risk for management action as part of ‘risk evaluation.’
‘Risk evaluation’ is the process of comparing estimated levels of risk against the criteria defined earlier when ‘establishing the context.’ It then considers the balance between potential benefits and adverse outcomes, to determine if the risk is acceptable or tolerable based on the quality of the controls in place.
This results in decisions being made about the current and potential future risk mitigation strategies and their priorities to ‘as low as reasonably practicable’ principles.
‘Risk treatment’ is the process of determining further risk mitigation strategies, with consideration of the hierarchy of controls, to:
  • eliminate or reduce risks that are unacceptable or intolerable, or
  • accept risks or opportunities, or
  • increase risks providing they remain acceptable or tolerable.
For each risk identified, this results in consideration of four key decisions:
  • terminating the risk, that is avoiding the risk by deciding not to start or continue the activity or removing the risk source, that gives rise to risk;
  • tolerating the risk, that is accepting the risk or taking on increased risk, by informed decision, in order to pursue an activity/opportunity;
  • treating the risk, that is changing the likelihood and/or consequence associated with the risk, or
  • transferring the risk, that is passing on or sharing the risk with other parties including contracts and/or insurance.
‘Communication and consultation’ is the process of sharing or obtaining information and engaging in dialogue with persons or organisations that can affect, be affected by or perceive themselves to be affected by, a decision or activity. It happens at each stage of the risk management process with a particular focus on the outcomes of managing and controlling the risk. It should also include consideration of lessons learned from within and external to the business.
This results in giving or receiving feedback for consideration in the other elements of the risk management process.
‘Monitoring’ is the process of checking, supervising and critically observing planned controls. These activities are undertaken at appropriate frequencies, depending on the nature and scope of the particular risk. This results in establishing that planned controls are in place and remain in place and whether the operating environment and thus risk, has changed.
‘Reviewing’ is the process of determining the suitability, adequacy and effectiveness of the implemented controls to achieve established objectives that were defined earlier in ‘establishing the context.’ This results in establishing a cycle of continuous improvement including considering new and/or more appropriate controls.

Share and Cite

MDPI and ACS Style

Marling, G.; Horberry, T.; Harris, J. Development and Validation of Plain English Interpretations of the Seven Elements of the Risk Management Process. Safety 2019, 5, 75. https://0-doi-org.brum.beds.ac.uk/10.3390/safety5040075
