Effective safety management is not helped by a belief that all safety matters equally and we must act on it all at the same time. Larger numbers of low risks (low because we are already controlling things well) mean that acting to manage all the risk equally elevates low risk to the same level of importance as high risk.

Some organisations fail to fully understand the ALARP principle ("as low as is reasonably practicable" - see Risk: how low can you go?) and look for ever more robust controls for all their risks, regardless of how low.

This frustrates busy operational managers when, in their view, they are being forced to focus on the relatively trivial. No wonder that many managers believe safety is a "stopper" to the day job.

Safety sold in this way can be confusing and seemingly unmanageable. Can you really focus equally on every risk in the portfolio?

Only reasonable

Reasonable judgement is made by applying competency, which encompasses training, experience, knowledge and skill.

Reasonable judgement is also made in the context of the activity and industry.

For example, in an office environment making a cup of tea is an insignificant risk and a recorded assessment is not required. But an occupational therapist teaching a severely disabled person how to make a cup of tea would obviously require a risk assessment.

Same activity, but the reasonable judgement involved is different because the context of the activity is different.

Concentrating on generating risk assessments doesn't help either. It fuels the mistaken belief that it's having risk assessment documentation alone that's important for legal compliance.

A risk assessment is simply a piece of paper recording significant information - so what does it do to mitigate risk? Answer: nothing. It's implementing control or monitoring processes that mitigates risk - actions by people, not accumulating pieces of paper.

The reason why enforcement officers ask to see a risk assessment is so that they can evaluate our understanding of the problem and discover what we are doing to control the risk.

Matter of priorities

It's important to note that managers manage resources and safety professionals can only advise and influence. So it should be the manager who is primarily responsible for risk management.

The risk assessment records data that allows the manager to prioritise risk and then focus an organisation's limited resources: money, time and people.

This is where risk registers can come in useful. Managers can use a risk register to justify their arguments that risk control and monitoring is focused on the highest priority risk first.

So if risk assessment is a prioritisation tool, what is a risk register? At its simplest, it's a summary, listing risks in their priority order. It contains a brief description of the task and the risk level. Most organisations include other columns to assist the manager. These include:

• the date the risk assessment was completed
• the last review date
• the next review date
• outstanding actions
• who is responsible for its management
• references to related procedures or protocols
• any trend in the risk (whether it's getting worse or better).

Whatever risk assessment methodology you use, you assign a value to each risk to show its relative priority. If you end up with large numbers of risks all assigned the same value, you can fine-tune the ranking using the following:

• morality: the seriousness of the injury is more important than the likelihood of an accident so we will be biased towards high-hazard risk
• likelihood: often there is more that can be done to mitigate likelihood (such as improve competency, change environment or procedure, enhance supervisory arrangements)
• a business view: which of these activities is operationally more critical, or provides the greater financial impact if we get this wrong?

Once they have decided the order, managers can use the list to help them define what risk management actions to take, concentrating on the items at the top of the list first.

Like with like

Risk registers let you compare risk in different departments or for different projects more easily (see Figure 1); which is important when you are considering how to apply resources across an organisation.

Figure 1

For example, why would you spend resources on the lower-rated risks on Register B before you are satisfied that you have done all you can on the high risks of Register A?

Comparing risk registers also serves as a check. If the two risk registers in Figure 1 come from two sites which do the same job in the same conditions, comparison would raise questions of why there is such a stark difference.

Are the resources different? Is one site doing something the other should learn from? Is one department over-rating or under-rating risk? If both sites rate reversing vehicles in their yards as a high hazard (potential crushing to death), for example, but rate likelihood differently, it is worth investigating why. Does one have a better layout, better lighting, use banksmen? Different parts of the organisation can learn from one another.

When the order, the level and the type of risk are considered, the risk register can pose further questions for a manager, such as the following.

• Which are the most important risks I need help with?
• Which are the risks I believe our existing controls make tolerable but the boss should be informed of in case they disagree?
• Are there a number of similar risks which form a picture for collective action? For example, we have many manual handling risks near the top of our register, what can we do collectively to reduce them all?
• Which of these risks do I need to personally manage (the top) and which am I more comfortable to delegate responsibility for (the middle and bottom)?

There are a number of different action strategies for working through the risk register list, including the following.

Focusing all resources on the top risk first to see if you can reduce it further, then moving on to number two. For instance, if, as a sales company, our principle risk is driving, let's make sure we control this properly before we move onto our lesser risk.

• Taking action to reduce the first risk so it drops down the list. When it eventually shuffles back to the top we will take further action. For example, let's replace the missing signage and later on we will consider how to improve supervision in this area of the warehouse.
• Choosing a collective action to reduce a number of risks at or near the top of the risk register at the same time. For example, why change the content of the induction programme six times as recommended by six different risk assessments?
• Recognising that some of the risks at the top of the risk register cannot be reduced further (for example, if it's not technically feasible at the moment) and therefore we focus our monitoring resources on them, while our reduction actions are focused on those risks lower in the register. For example, we have no choice but to use this chemical and we have done all we can to protect employees using it; we must wait for a less hazardous chemical to be invented for this task.

How frequently should you review a risk register? This depends on a number of factors, including the maturity of your risk control plans, the level of risk, accident history and significant changes to personnel or process. It's a risk management decision rather than a policy one.

In a large organisation, the risk register can be used to cream off the top risks to send up to the next level of management. They are re-prioritised in the risk register at that level (see Figure 2).

Figure 2

This prioritisation will inform the middle managers of the order for their attention and resources. Likewise the executive board's risk register will be a collection of the top few risks from the middle managers; although how the risk is presented to directors may change to include the fuller business imperative for taking action. Imagine you are a board member. Which of the following two reports would you want?

• Maintenance technicians are exposed to a manual handling risk when loading or unloading their vans. They are suffering back injuries and taking time off work.
• Manual handling risks feature in the top six of every department's risk register. Further analysis has revealed that we are losing 1,200 days/year to manual-handling-related risk. This is adding a cost of £1 million a year due to sickness payment, lost production and agency costs. An investment of £50,000 in new training across the organisation, coupled with a campaign to inform managers how to supervise this issue more effectively, is projected to reduce these costs by 50% in the first year.

There are some important provisos on the use of risk registers. A risk management system that uses risk registers must be operated by managers and directors trained how to use it. It is essential that a uniform method for risk assessment is used throughout the organisation, otherwise like is not compared with like, undermining effective prioritisation.

There are numerous benefits of developing and using risk registers. They can:

• help define who is responsible and accountable for safety risk
• focus limited organisation resources on the most important risks first
• provide documented evidence for arguments of reasonable practicability
• provide focus for safety communication and risk monitoring
• build up to a record of how effectively managers have handled risk.

Risk registers are certainly not a new concept, yet many people have still to grasp their huge potential for facilitating and demonstrating effective management decision-making.

 The focus of our safety risk management systems should not be on the risk assessments themselves, but on their outputs. Only then will we be able to claim that we are sensibly managing safely rather than just doing safety.

Duncan Spencer, CFIOSH, is the safety manager for the Waitrose division of the John Lewis Partnership. He has been a lead presenter for IOSH and was responsible for writing and updating several of their courses for more than eight years.