Abu Dhabi Occupational Safety and Health System

Framework

(OSHAD-SF)

OSHAD-SF Technical Guideline

Process of Risk Management

Version 3.0

July 2016

Table of Contents

1. Introduction
2. Training and Competency
3. Consultation
3.1 Who should be involved in Consultation
3.2 Benefits of Consultation
4. When to Undertake a Risk Assessment
5. Five Steps of Risk Assessment
5.1 Step One - Identify the Hazards
5.2 Step Two - Identify Who / What can be Harmed or Damaged and How
5.3 Step Three - Evaluate and Select Additional Control Measures
6. Recording the Risk Management Process
6.1 Risk Register
7. References
8. Document Amendment Record
Appendix 1: Example Hazard Walkthrough Form
Appendix 2: Example Risk Assessment Form
Appendix 3: Example Risk Register Form

OSHAD-SF Technical Guideline
Process of Risk Management - Version 3.0, 1st July 2016

1. Introduction
(a) This technical guideline provides additional information to assist entities to comply with the
requirements of OSHAD-SF - Element 2 - Risk Management. The contents of this technical
guide are not mandatory; however, adopting the information within this guide will assist the
entity in complying with OSHAD-SF - Element 2.

(b) A risk assessment is nothing more than a careful examination of what, in the workplace,
could cause harm to people, so that the entity can weigh up whether it has taken enough
precautions or should do more to prevent harm and/or protect the environment.

2. Training and Competency

(a) Those carrying out risk assessments should be competent to do so. Competency is defined
in a number of ways and cannot be achieved by just attending a training course.

(b) Competence is defined as:

(i) Sufficient training and experience, or knowledge and other qualities, to enable a
person to properly undertake the measures needed to comply with OSH Legislation.

(c) Simple situations may only require the following:

(i) an understanding of relevant best practice;
(ii) an understanding of the process being assessed;
(iii) an awareness of the limitations of one's own experience and knowledge; and
(iv) the willingness and ability to supplement existing experience and knowledge, when
necessary by obtaining external help and advice.

(d) More complicated situations will require the competent person to have a higher level of
knowledge and experience. More complex or highly technical situations will call for specific
applied knowledge and skills which can be offered by appropriately qualified specialists.

(e) Employers are advised to check the appropriate OSH qualification (some of which may be
competency based and/or industry specific), or membership of a professional body or similar
organisation (at an appropriate level and in an appropriate part of OSH) to satisfy
themselves that the assistance they appoint has a sufficiently high level of competence.

(f) Those undertaking risk assessments must take their own knowledge of the subject into
account prior to undertaking a risk assessment and when unsure of the process, call upon
additional support. This could be in the form of an industry expert for complex processes
and/or employee(s) who undertake the task in question.

3. Consultation
(a) Consultation shall take place at every stage of the risk management process. OSHAD-SF -
Element 4 Consultation and Communication sets out requirements for consultation, which
involves fostering cooperation and developing partnerships between employers, employees,
and contractors to ensure protection of the environment, and the health and safety of
workers.

(b) Prior to undertaking any risk assessment, depending on the complexity of the process or
task, the staff who are involved in the undertaking of the process or task should be
consulted to gain an understanding of the hazards involved and more importantly, how the
task is undertaken. This will help ensure that any measures that are identified to control risk
can be implemented without creating additional risk(s) or complicating the processes.

3.1 Who should be involved in Consultation

(a) A comprehensive consultation process will help to achieve better OSH outcomes through the
risk management process.

(b) A consultative group could include:

(i) workers;
(ii) supervisors;
(iii) workplace safety and health officers;
(iv) workplace safety and health representatives;
(v) workplace safety and health committees;
(vi) contractors; and
(vii) other relevant stakeholders.

3.2 Benefits of Consultation

(a) Consultation between management, workers and stakeholders is beneficial throughout the
risk management process because it:

(i) brings together different areas of expertise to identify and analyse risks and allows
those with day to day experience of the hazards to provide valuable input;
(ii) allows workers to have ownership of the risks and the solutions;
(iii) increases the likelihood that workers will be committed to implementing the control
measures, because they understand why they are being imposed;
(iv) increases workers' morale, satisfaction and retention rates, as staff feel they are being
listened to and involved;
(v) improves trust, communication and teamwork;
(vi) improves productivity as a result of better decision-making processes; and
(vii) contributes to developing a positive safety culture in the workplace, by increasing team
commitment to workplace health and safety.

4. When to Undertake a Risk Assessment
(a) OSH risk assessment is an on-going process and shall be undertaken at various times
including:

(i) when planning or making a change to a work procedure, activity and/or practices;
(ii) when introducing new plant, equipment, materials or substances into the workplace;
(iii) after an OSH incident (including near misses);
(iv) introduction of new workers;
(v) presence of a high level of risk associated with a specific work activity (e.g. confined
space);
(vi) at regular or scheduled intervals appropriate to the nature of the workplace and the
hazards present;
(vii) when legislative obligations change (including regulations); and
(viii) before work activities begin.

5. Five Steps of Risk Assessment


(a) The risk assessment process can be systematically divided into five steps:

(i) Identify Hazards, based on experience, recorded data and other information;
(ii) Identify who can be harmed or what can be damaged and how - understand who
can be harmed or what can be damaged from the risk and to what extent;
(iii) Evaluate the Risk and Select Additional Control Measures (if required). Using a
recognized method, evaluate the level of risk and decide if it is required to implement
any additional control measures. If additional control measures are required, select
these from the hierarchy of control (e.g. eliminate, substitute, isolate or engineer out
the risks, or reduce them through administrative measures or personal protective
equipment) by selecting the highest order control method possible and then
proceeding down the list in order;
(iv) Implement the Selected Control Measure(s) in the workplace; and
(v) Monitor the Control Measures to ensure that they are working correctly to control the
risks and that no other risks have been introduced.
(b) Attention shall be given to risks that may be easy to fix but may have low risk priority scores
(e.g. power leads across the floor). These risks shall be fixed promptly. Particular attention
shall also be given to risks that may have very low likelihood of an occurrence but may result
in major consequences.

5.1 Step One - Identify the Hazards

(a) Start the process by walking around the workplace to identify the likely risk issues. For
instance, these may arise from:

(i) work activities;
(ii) plant and machinery;
(iii) known hazards;
(iv) incident reports; and
(v) known near misses.

(b) The aim is to generate a comprehensive list of sources of risk and events that might have an
impact on the safety and health of employees. The form in Appendix 1 can be used to
record the hazards spotted during the walkthrough of the building.

(c) When identifying hazards, always observe the actual practice as this may differ from what is
supposed to happen. Consult with employees who undertake the task as they may have
very good safety reasons for undertaking a task in a certain manner.

(d) Having identified what might happen, it is necessary to consider possible causes and
scenarios. There are many ways an event can occur. It is important that no significant
causes are omitted.

(e) Approaches used to identify risks include checklists, judgements based on experience and
records, flow charts, brainstorming, systems analysis, scenario analysis and systems
engineering techniques.

(f) The approach used will depend on the nature of the activities under review, types of risk, the
entity and the purpose of the risk management study.

(g) Manufacturers' instructions or data sheets can also help to identify hazards and put risks
into their true perspective.

5.2 Step Two - Identify Who / What can be Harmed or Damaged and How

(a) Make a list of the groups of people and other components that could be affected by the
hazards, and always ensure they are taken into account:

(i) employees;
(ii) visitors;
(iii) contractors;
(iv) members of the public;
(v) consumers of products or services;
(vi) specific sensitive or protected environment areas; and
(vii) plant / equipment / property damage.

(b) Take into account persons who may have additional difficulties, such as new or expectant
mothers, people with special needs, young or inexperienced workers.

(c) Identify how each group and component could be harmed by the hazards found, as this will
help to identify control measures to help reduce the risks at a later stage in the assessment
process.

5.3 Step Three - Evaluate and Select Additional Control Measures

(a) Evaluating risk is about developing an understanding of the risk. It provides an input to
decisions on whether risks need to be controlled and the most appropriate and cost-effective
risk treatment strategies.

(b) Risk analysis involves consideration of the sources of risk, their consequences and the
likelihood that those consequences may occur. Factors that affect consequences and
likelihood may be identified. Risk is analysed by combining consequences and their
likelihood. In most circumstances existing controls are taken into account.

(c) The level of risk is calculated by multiplying the Consequence Score and Probability of
Occurrence together:

(d) Risk = Consequence Score x Likelihood of Occurrence

(e) Consequences and likelihood may be estimated using statistical analysis and calculations.
Where no reliable or relevant past data is available, subjective estimates may be made
which reflect an individual's or group's degree of belief that a particular event or outcome will
occur.

(f) The most pertinent information sources and techniques shall be used when analysing
consequences and likelihood. Sources of information may include the following:

(i) past records;
(ii) practice and relevant experience;
(iii) relevant published literature;
(iv) economic, engineering or other models; and
(v) specialist and expert judgments.

(g) Techniques include:

(i) structured interviews with experts in the area of interest;
(ii) use of multi-disciplinary groups of experts;
(iii) individual evaluations using questionnaires; and
(iv) use of models and simulations.

(h) Where appropriate, the confidence placed on estimates of levels of risk shall be included.
Assumptions made in the analysis shall be clearly stated.

(i) For the discharge or emission of a pollutant, evaluating factors such as those listed below
should help in the assessment of relative consequence:
(i) persistence;
(ii) toxicity;
(iii) health effects;
(iv) concentration of chemical;
(v) volume discharged per event;
(vi) duration of the discharge;
(vii) proximity to water-bodies;
(viii) potential dilution;
(ix) the area of land/marine waters affected; and
(x) taking into account secondary consequences and existing mitigation measures.

(j) Regarding occupational safety and health, evaluating factors such as those listed below will
help in the assessment of relative consequence:

(i) health effect (e.g. long / short term effects, fatality, degree of injury / illness, disability); and
(ii) damage to assets (e.g. plant, premises).

(k) The potential consequences shall be judged using all available information. This information
may include, but not be limited to:

(i) control measures in place;
(ii) written systems of work, permit-to-work procedures for the tasks;
(iii) monitoring data from within and outside the entity;
(iv) tasks being carried out, their duration and frequency and locations;
(v) plant, machinery, powered hand tools to be used;
(vi) size, shape, surface character and weight of materials that may be handled; distances
and heights to which materials have to be moved;
(vii) service used (e.g. compressed gas), substances used or encountered during the work;
(viii) parties carrying out the tasks (training received); and
(ix) legal requirements.

(l) For risk assessment, five levels of severity of consequences have been used: insignificant,
minor, moderate, major and catastrophic. The definitions used to assess relative
consequences have been adopted from HB 203:2000, and are shown in Table 1 below.

(m) Table 1 provides a consistent method of assessment that can be applied by different
personnel and at different times.

5.3.1 Understanding the Consequence of the Hazard

(a) At this stage of the evaluation process the entity is trying to understand what harm can come
from the hazard. Using Table 1 provides a consistent method of assessment that can be
applied by different personnel and at different times.

(b) The following table is not linked to categorization of OSHAD-SF Serious Incidents.

| Area impacted | Insignificant Consequences (Score = 1) | Minor Consequences (Score = 2) | Moderate Consequences (Score = 3) | Major Consequences (Score = 4) | Catastrophic Consequences (Score = 5) |
|---|---|---|---|---|---|
| Human Health and Safety | Minor injuries, which may require self-administered first aid. Injured personnel can continue to perform normal duties. | Injuries requiring on-site treatment by medical practitioner. Personnel unable to continue to perform duties. | Serious injuries requiring off-site treatment by medical practitioner or immediate evacuation to hospital. Potential long-term or permanently disabling effects. | Single fatality. | Multiple fatalities. |
| Production Loss | Incident event without causing production loss. | Production loss or delay up to one week. | Production loss or delay of one week to one month. | Production loss or delay for over one month. | Loss of licence to operate or ability to produce indefinitely. |
| Total Cost of Impacts or Incident Event | Financial loss (compensation, fines, cost to repair, plant damage) of less than AED5,000. | Financial loss (compensation, fines, cost to repair, plant damage) of AED5,000 - AED50,000. | Financial loss (compensation, fines, cost to repair, plant damage) of AED50,000 - AED500,000. | Financial loss (compensation, fines, cost to repair, plant damage) of AED500,000 - AED10M. | Severe financial penalties or legal liabilities. Financial loss (compensation, fines, cost to repair, plant damage) of greater than AED10M. |

Table 1 - Hazard Consequence

5.3.2 Understanding the Likelihood of the Event

(a) Following on from looking at the magnitude of the consequences of an event, should it
occur, the entity now needs to understand the likelihood of the event occurring. Using Table
2 provides a consistent method of assessment that can be applied by different personnel
and at different times.

| Descriptor | Likely Frequency | Probability |
|---|---|---|
| Frequent | Occurs frequently | 5 |
| Often | Occurs several times per year | 4 |
| Likely | Has occurred more than once | 3 |
| Possible | Has occurred | 2 |
| Rare | Never occurred | 1 |

Table 2 - Likelihood

5.3.3 Assigning a Risk Rating

(a) Following on from the analysis for likelihood and consequence, the entity can now assign a
risk rating to the hazard. This will assist when looking at the additional control measures (if
any) that are needed. Using Table 3 provides a consistent method of assessment that can be
applied by different personnel and at different times.

| Likelihood (From Table 2) / Consequence (From Table 1) | Insignificant (1) | Minor (2) | Moderate (3) | Major (4) | Catastrophic (5) |
|---|---|---|---|---|---|
| Rare (1) | 1 | 2 | 3 | 4 | 5 |
| Possible (2) | 2 | 4 | 6 | 8 | 10 |
| Likely (3) | 3 | 6 | 9 | 12 | 15 |
| Often (4) | 4 | 8 | 12 | 16 | 20 |
| Frequent / Almost Certain (5) | 5 | 10 | 15 | 20 | 25 |

| Risk Score | Risk Rating | Action |
|---|---|---|
| 15 - 25 | Extreme Risk | Activity or industry should not proceed in current form. |
| 8 - 12 | High Risk | Activity or industry should be modified to include remedial planning and action and be subject to detailed OSH assessment. |
| 4 - 6 | Moderate Risk | Activity or industry can operate subject to management and / or modification. |
| 1 - 3 | Low Risk | No immediate action required, unless escalation of risk is possible. |

Table 3 - Risk Rating

5.3.4 Step Four - Implement the Selected Control Measures

(a) When the risk is categorized, the entity should identify the corrective action in order to
manage the hazard at an acceptable and as low as reasonably practicable (ALARP) risk
level. For hazard(s) with low risk, actions may not be required.

(b) Identified foreseeable risks will be eliminated if reasonably practicable. If it is not reasonably
practicable to eliminate the risk then the following hierarchy of controls will be applied.

(c) The safety and health hierarchy of control is as follows:

(i) elimination of the hazard (where possible);
(ii) substitution (e.g. use a less hazardous substance);
(iii) engineering / isolation - for plant and equipment (e.g. exhaust ventilation);
(iv) procedural (e.g. via improving work methods, housekeeping); and
(v) personal protective equipment (PPE) - it is the last resort if the above measures are
not practicable.

(d) In the evaluation of which control measures shall be taken, consideration shall be given to
reducing risk to a level deemed ALARP. This includes consideration of:

(i) legal requirements;
(ii) international standards / guidelines;
(iii) entity's OSH policy / objectives;
(iv) availability of resources;
(v) costs and benefits; and
(vi) the status of scientific and technical knowledge.

(e) Reducing a risk to an ALARP level involves reducing the risk to a level, objectively
assessed, where the trouble, difficulty and cost of further reduction measures become
unreasonably disproportionate to the additional risk reduction obtained. Demonstrating
ALARP requires consideration of different options to ensure risk is reduced to a level
whereby the cost or effort for any further reduction is grossly disproportionate to the risk
reduction achieved.

(f) When the mitigation measures are identified, an action plan shall be formulated addressing
roles and responsibilities, training required for the relevant parties, time frame for completing
the actions, the required changes for the OSHMS and its associated documents /
procedures, the procedures for quality assurance, monitoring, maintenance and inspection
(where appropriate). More importantly, the action plan shall be monitored (e.g. progress) to
ensure actions are closed per the plan.

(g) The purpose of implementation plans is to document how the chosen options will be
implemented. These plans shall include:

(i) proposed actions;
(ii) resource requirements;
(iii) responsibilities;
(iv) timing;
(v) performance measures; and
(vi) reporting and monitoring requirements.

(h) Any relevant work procedures, in relation to the new control measures, should also be
updated, which may involve clearly defining responsibilities of management, supervisors
and workers.

(i) Work procedures shall also detail maintenance requirements and verification of the
maintenance to ensure the on-going effectiveness of the control measures.

(j) All relevant persons should be informed about the control measures being implemented; in
particular, the reasons for the changes.

(k) Adequate supervision should be provided to verify that the new control measures are being
implemented and used correctly.

(l) Depending upon the magnitude of risks and the potential consequences of hazards, the risk
assessment shall be periodically reviewed by competent staff (normally at annual intervals).

(m) This review shall verify whether changes have occurred to base assumptions made since
implementation of the original design (e.g. change of legal requirements, public perception,
introduction of new technology, whether the performance of the plant/equipment achieved
expectations of the original design).

5.3.5 Step Five - Monitor and Review

(a) On-going review is essential to ensure that the management plan remains relevant. Factors
that may affect the likelihood and consequences of an outcome may change, as may the
factors that affect the suitability or cost of the mitigation options. It is therefore necessary to
repeat the risk management cycle regularly.

(b) Actual progress against risk control plans provides an important performance measure and
shall be incorporated into the nominated entity's performance management, measurement
and reporting system.

(c) Monitoring and review also involves learning lessons from the risk management process, by
reviewing events, the mitigation plans and their outcomes.

6. Recording the Risk Management Process
(a) Each stage of the risk management process shall be recorded appropriately. Assumptions,
methods, data sources, analyses, results and reasons for decisions shall all be recorded.

(b) The records of such processes are an important aspect of good corporate governance.

(c) Decisions concerning the making and capture of records shall take into account:

(i) the legal and business needs for records;
(ii) the cost of creating and maintaining records; and
(iii) the benefits of re-using information.

6.1 Risk Register

(a) More complex operations will benefit from completing a risk register that summarises their
risk assessments and can act as a management tool for the monitoring and updating of risk
assessments.

(b) The risk register should include all the basic details of the risk assessment (an
example is included in Appendix 3), including:

(i) risk assessment reference/number;
(ii) activity;
(iii) risk ranking;
(iv) control measures;
(v) timescales;
(vi) action owner; and
(vii) review dates.

7. References
OSHAD-SF - Element 2 - Risk Management

5 Steps to Risk Assessment - HSE Books, ISBN 0 7176 1565 0

ISO Standard, ISO 31000:2009 - Risk management - Principles and guidelines

Standards Australia - HB 203-2000 - Environmental Risk Management - Principles and Process

8. Document Amendment Record

| Version | Revision Date | Description of Amendment | Page/s Affected |
|---|---|---|---|
| 3.0 | 1st July 2016 | Change of Logo | All |
| | | Change from AD EHS Center to OSHAD | throughout |
| | | Change of document title: AD EHSMS RF to OSHAD-SF | Throughout |
| | | EHS changes to OSH | Throughout |
| | | Environmental assessment requirements removed | Throughout |
| | | Title of Section 5.3 updated to provide clarity | 7 |

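Appendix 1: Example Hazard Walkthrough Form

| Entity Name | Date | Walkthrough Reference | Assessor Name | Task / Process |
|---|---|---|---|---|
| | | | | |

| OSH Issue | Risk: H | Risk: L | Risk: Risk | Action Priority | Notes |
|---|---|---|---|---|---|
| | | | | | |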

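Appendix 2: Example Risk Assessment Form

| Entity Name | Date | Walkthrough Reference | Assessor Name | Task / Process |
|---|---|---|---|---|
| | | | | |

| Hazards Identified | Groups Exposed (Inc. Numbers and Patterns) | Hazardous Events | Existing Control Measures | Previous Risk: H | Previous Risk: L | Previous Risk: Risk |
|---|---|---|---|---|---|---|
| | | | | | | |

| Additional Controls Required | Action Date | Date Completed | Residual Risk | Review Date |
|---|---|---|---|---|
| | | | | |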

Appendix 3: Example Risk Register Form

| R/A Ref | Activity / Hazard | Risk | Control Measures | Timescales | Action Owner | Review Date |
|---|---|---|---|---|---|---|
| | | | | | | |

OSHAD 2016
This document was developed by OSHAD and shall remain its property. The document may only be used for
the purposes for which it was intended. Unauthorized use or reproduction of this document is prohibited.
