Many people fail to distinguish between a hazard and a risk. They are not the same thing, and risk experts are always amused when people use both terms without understanding the differences. For example, one dictionary defines hazard as “a danger or risk,” which helps explain why many people use the terms interchangeably, according to the Canadian Centre for Occupational Health and Safety (CCOHS). The following blog post aims to reduce confusion and bring clarity.
Identifying Hazards Means Identifying Sources of Risks
A hazard is any source or cause of potential damage, harm or adverse effects on something or someone. Basically, a hazard can cause harm or adverse effects to individuals (e.g. health effects) or to organizations (e.g. property or equipment losses).
In addition, the word “hazard” is used mainly in Environment, Health and Safety (EHS). Other domains affected by risk management (e.g. Corporate Governance, Supply Chain, IT, Security, HR, Finances, Legal, Compliance) may have other concepts to designate sources and causes of risk, such as “threats” and “vulnerabilities” in IT and Security.
By contrast, a risk is the likelihood that an adverse event takes place as a result of the hazard, an event that may prevent a company from meeting its objectives.
For example, the sentence “chemicals not stored properly are a risk” is not entirely accurate. Chemicals not stored properly are a hazard. The risk is that, as a result of chemicals not stored properly, someone comes in contact with them and has a skin irritation (the consequence), or breathes toxic chemical releases resulting in respiratory problems (the consequence).
When hazards are identified, the sources of risks also become known, which leads to a proper risk analysis composed of: 1) assessments of the likelihood of adverse events, and 2) assessments of consequences (i.e. their impact).
Identifying Hazards Is Not Enough
Once hazards are identified successfully, some companies may have a false sense of confidence because they may think that, by virtue of being aware of the dangers, they can “work around them” to minimize risks. But identifying hazards and mitigating risks are two different things. Many incidents happen because risks caused by known hazards were not addressed properly. It is at this critical juncture, after hazards have been successfully identified and before risks are treated, that many companies fail to do proper risk analysis and evaluation.
At the risk analysis phase, companies assess: 1) the likelihood of adverse events, and 2) the consequences of adverse events. The two assessments (likelihood and consequences) are then combined to determine the level of risk.
At the risk evaluation phase, the levels of risk determined during the analysis phase are compared against the risk appetite, or the amount of risk that the company is willing to live with. This allows the company to prioritize risks for treatment, control and mitigation. For example, a company may decide that it will only treat risks that have high impacts and high likelihood. Or a company may wish to focus more on impact and treat all risks that have high impacts, regardless of their likelihood.
Having a Centralized Risk Register Improves the Process
Given that hazards and risks are two different things, companies need to distinguish them, and keep track of them at the enterprise level. They also must establish relationships between hazards, risks, controls and consequences. This is not as simple as it seems. A single risk can have multiple hazards as causes, and multiple consequences. Similarly, a single hazard can be a source of two or more different risks.
A centralized Risk Register helps track all hazards, risks and controls throughout the enterprise for proper prioritization of risk mitigation efforts. Some companies use an Excel-based Risk Register, but this can be a mistake for two reasons.
First, given the vast array of risk-based information and the relationships between hazards, risks, controls and consequences, the Excel file can quickly become overly complex and a nightmare for users. If users don’t like a solution, they are less likely to use it. The last thing your organization needs to do is to discourage users from entering or updating risk information.
Second, using an Excel-based Risk Register amounts to condemning Risk Management to become a silo in your organization. But there needs to be a common platform for EHS, Risk and Sustainability to ensure regulatory compliance, bring business efficiencies and make the company more resilient. Consider this scenario for a moment, and ask yourself whether using an Excel-based Risk Register is possible:
- A worker enters an incident on a mobile device.
- The incident is recorded in a central system used for EHS management. After further investigation, the hazards that led to the adverse event are also entered in the system.
- The system shows that the same type of incident occurred in other places and at a given frequency. It also shows whether the same hazards led to the incidents.
- As a result, a new risk for an adverse event is recognized, and entered into the same system that is also used for risk management, in addition to being used for EHS management.
- The system also determines whether the hazards that were responsible for the incident are also the sources of other risks.
- The risk is mitigated and incidents are reduced. The metric then becomes an input for a CSR/Sustainability report generated by the same platform.
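The many-to-many relationships and the two evaluation policies described above, as an added example that is not part of the original post: a small relational register in Python with SQLite. The table layout, the sample rows, the 1-3 scales and the likelihood × impact ordering are constructed assumptions.

```python
import sqlite3

# All names, rows and the 1-3 (low/medium/high) scales are constructed for illustration.
SCHEMA = """
CREATE TABLE hazard(id INTEGER PRIMARY KEY, name TEXT);
CREATE TABLE risk(id INTEGER PRIMARY KEY, name TEXT, likelihood INTEGER, impact INTEGER);
CREATE TABLE hazard_risk(hazard_id INTEGER, risk_id INTEGER);  -- many-to-many link
"""
HIGH = 3

def build_register():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO hazard VALUES (?, ?)", [
        (1, "chemicals not stored properly"), (2, "poor ventilation")])
    db.executemany("INSERT INTO risk VALUES (?, ?, ?, ?)", [
        (1, "skin irritation from chemical contact", 3, 2),
        (2, "respiratory problems from toxic release", 2, 3),
        (3, "heat exhaustion", 3, 3)])
    db.executemany("INSERT INTO hazard_risk VALUES (?, ?)",
                   [(1, 1), (1, 2), (2, 2), (2, 3)])
    return db

def risks_to_treat(db, policy):
    """Risk evaluation: pick the risks to treat under one of the two policies."""
    where = {"high_both": "likelihood = :h AND impact = :h",
             "high_impact": "impact = :h"}[policy]
    # Level of risk = likelihood * impact is an assumed way to combine the assessments.
    rows = db.execute(f"SELECT name FROM risk WHERE {where} "
                      "ORDER BY likelihood * impact DESC", {"h": HIGH})
    return [r[0] for r in rows]

def hazards_of(db, risk_name):
    """All hazards recorded as sources of one risk."""
    rows = db.execute("""SELECT h.name FROM hazard h
        JOIN hazard_risk hr ON hr.hazard_id = h.id
        JOIN risk r ON r.id = hr.risk_id
        WHERE r.name = ? ORDER BY h.name""", (risk_name,))
    return [r[0] for r in rows]

def other_risks_sharing_hazards(db, risk_name):
    """Other risks fed by any hazard that also feeds risk_name."""
    rows = db.execute("""SELECT DISTINCT r2.name FROM risk r1
        JOIN hazard_risk a ON a.risk_id = r1.id
        JOIN hazard_risk b ON b.hazard_id = a.hazard_id
        JOIN risk r2 ON r2.id = b.risk_id
        WHERE r1.name = ? AND r2.id != r1.id ORDER BY r2.name""", (risk_name,))
    return [r[0] for r in rows]
```

The two policies return different treatment lists from the same register, and the link table answers the "same hazard, other risks" question that a flat spreadsheet row cannot.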
Hazards and risks are not the same thing. Failing to understand the differences between the two can have negative consequences. Centralizing Risk Management through an used also for EHS Management and Sustainability reduces any potential confusion that may hinder the successful mitigation of risks.