06 March 2008
Paul Smith

Risk assessment has become a central plank of our safety philosophy and practice. Not sure what action we should take in a particular situation? Carry out a risk assessment! Contractors coming on site? Don't let them past the gate until we've seen their risk assessment. Jean in accounts has just told her boss that she's expecting a baby - someone had better do a risk assessment! But are we missing the point?

When I am training and we get to risk assessment, I often play a short game with the delegates. I go round the room and I allocate each person a safety topic such as manual handling, asbestos or flammable materials. (The attention level immediately rises as everyone wonders what they are going to have to do with their subject.) I then go round and ask each person two questions: are there any regulations on your topic? And if so, what do they require?

Everyone quickly grasps that the answers are "yes" and "risk assessment". I can usually get right round a room of 12 to 15 people, just thinking of topics off the top of my head, and for each person there is some law on something that requires their employer to carry out a risk assessment.

Recent history

It was not, of course, ever thus. When I worked for the HSE in the early 1980s, there was no legal requirement for risk assessment. Risk assessment is mentioned nowhere in the Health and Safety at Work Act, though many have argued that it is implied in its general duties.

It wasn't until the Control of Lead at Work Regulations in the late 1980s that the term first appeared in UK safety law. Naturally, not many organisations were covered by these requirements so the wider impact of the new duty was minimal.

But then came the first COSHH (Control of Substances Hazardous to Health) Regulations and for the first time we had a legal duty, enforceable through the criminal courts, to carry out a formal risk assessment and to make a written record of it. And because of the broad application of COSHH (everyone uses something harmful somewhere in their organisation) we now had a risk assessment that pretty much everyone had to do.

After that, the trickle became a flood, and it was only a few more years before the "six pack" of regulations came along, with the duty to carry out a general risk assessment in the Management of Health and Safety at Work Regulations, as well as specific risk assessments for the Personal Protective Equipment, Manual Handling and Display Screen Equipment Regulations. And so the risk assessment business was born.

Nor did all this happen against industry's will. On the contrary, businesses actively welcomed goal-setting requirements, naïvely seeing the imposition of a legal duty to risk assess as a small price to pay in return for freedom from prescriptive safety requirements in the old style.

Another key factor was our membership of the EU where, again, government policy was that a Brussels-driven employment law agenda was a manageable entry fee for free access to the large and growing continental market. Of course we did risk assessments before all this, it's just that we didn't call them that and we didn't have to formalise them. And that is the heart of the problem.

Matters of principle

The devil is in the bureaucratisation of the process. Essentially, we have two key principles that make perfect sense when considered separately, but when put together create a legal swamp, consuming vast resources for little benefit, and (more seriously) sucking resources from other safety and health activities where they might be employed to greater effect.

The first principle is about the mental process of risk assessment, and there is simply no arguing with this. It has got to make sense to think about what you are going to do before you do it, because then you'll know how to do it safely - that's what a risk assessment is. If we hadn't learned to do this, we probably would never have made it as far as the world of work anyway.

Again, if you think about an accident you have had - cutting your finger with a kitchen knife for example - was it because no one warned you that the knife was sharp? You knew it was sharp, didn't you? Or was it because you weren't thinking about what you were doing? So we know from first-hand experience that this principle is pure common sense, yet people get killed at work every year through ignoring it.

The second principle is that if you are going to make something a requirement, you have to have some way of proving that it has been done - and this is true whether we are talking about company operating procedures or the law of the land. Otherwise it's impossible to prove whether anyone has taken the required action or not.

The simplest way of achieving this is to require people to make a record, so we log the scaffolding check we have just done, we register that the crane was in good working order and we fill in a risk assessment form to show that we have done the assessment and come up with some "significant findings". Again, it's almost impossible to argue against this.

Form over function

But the problem arises where we couple these two principles together. Then we have the current UK situation: legal requirements for a whole host of risk assessments both general and specific, with a requirement to make a written record of the main findings in every case. I would question whether there's actually a single employer in the UK that fully meets these requirements.

All sorts of problems ensue, notably:

• a waste of resources, which are then not available for other, possibly more productive activities
• tokenism, where all that matters is that the form is filled in correctly, without regard to the quality of decision-making that sits behind it
• a false sense of security among safety professionals, because we kid ourselves that we have done what is needed to protect people
• safety specialists are diminished in the eyes of their colleagues, and indeed the public at large to whom the "'ealth 'n' safety" professional is a figure of fun
• those involved get frustrated when they realise they have a task they can never do properly.

So what can be done? First of all we should promote what is in many companies called "dynamic" risk assessment - the constant awareness of hazards and questioning (as people go about their work) whether the right control measures are in place.

Thus we stress that risk assessment is not a form that you fill in, but a state of mind and a way of thinking. The form (if you must have one) is just the record of what you've decided. One of my hobbies is white-water kayaking - I assess risks constantly, but I never ever fill in a form. Training people to do this is money well spent, and it is easy to do because you are tapping into something most people do intuitively.

Secondly, I would like to see a change in the law whereby companies are required to have a risk assessment process, rather than the current hotch-potch of myriad general and specific risk assessment requirements that go way beyond industry best practice and actually create an unachievable goal.

Back in the 1970s, Lord Alfred Robens, that landmark figure in health and safety thinking and architect of the Health and Safety at Work Act, criticised most strongly the multitude of detailed health and safety laws that had built up.

He believed they were understood neither by those who were supposed to comply with them (employers) nor those for whose protection they existed (employees), nor even by the inspectors responsible for their enforcement. He saw simplicity as a virtue, and quantity as the enemy of quality.

With the 1974 Act, the UK government implemented his recommendations pretty much in full, dismantling the teetering structure of which he was so critical.

Then we rebuilt it around EU law founded on risk assessment. Lord Alfred must be rolling in his grave. ■

Paul Smith is head of safety, health and environment at Empower Training Services, based in Nottingham. He is a former HSE inspector and a chartered fellow of IOSH. He can be contacted at paul.smith@empower-training.com

Categories:
Risk assessment, Training, Training guides, Risk assessment, Article, Training