THEORYANDMODEL

SAFETYMANAGEMENTSERIES
E XECUTIVE S UMMA R Y
In this document the term “risk analysis” is employed in its broadest sense to include
risk assessment, risk
management and risk communication. Risk assessment involves identifying sources
of potential harm,
assessing the likelihood (probability) that harm will occur and the consequences if
harm does occur. Risk
management evaluates which risks identified in the risk assessment process require
management and
selects and implements the plans or actions that are required to ensure that those
risks are controlled. Risk
communication involves an interactive dialogue between stakeholders and risk
assessors and risk managers
which actively informs the other processes. Due to the relatively short history of use
of technology, the
potential variety of hazards and the complexity of the environments into which they
may be introduced, the
risk analysis process may rely on both quantitative and qualitative data.
RISK ANALYSIS = RISK ASSESSMENT + RISK MANAGEMENT + RISK COMMUNICATION
The first step in risk assessment is establishing the risk context. The risk context
includes: the scope and
boundaries of the risk analysis as determined by national and international
regulations, the Regulations and
the Regulator’s approach to their implementation; the proposed dealings; and the
nature of the process and
technology. It should be noted that consideration of potential harm may include
economic issues such as
marketability and other trade considerations, which sometimes fall outside the scope
of the national and
international regulations. As the Regulator must consider risks to human health and
safety and the
environment (and other targets) arising from, or as a result of, human activities and
interaction with
technology. In addressing harm it is important to define harm, and the criteria to
assess harm.
Risk assessment can be usefully considered as a series of simple questions: “What
might happen?”, “How
might it happen?”, “Will it be serious if it happens?”, “How likely is it to happen?”,
and finally, ”What is the
risk?”. In the first instance, answering these questions involves hazard identification,
a process that identifies
sources of potential harm (“What…?”) and the causal pathway through which that
harm may eventuate
(“How…?”). This is followed by a consideration of the seriousness of the harm being
realised (consequence),
the chance or probability (likelihood) that harm will occur, the chance of exposure to
the hazard, and the
safety level existing for the process or technology. The hazard identification,
consequence, likelihood,
exposure, and safety level assessments together lead to an appraisal of whether the
hazard will result in a
risk and to make a qualitative estimate of the level of that risk (risk estimate).
Although risk assessment is
most simply presented as a linear process, inreality it is cyclical or iterative, with risk
communication actively
informing the other elements. For this reason, it is helpful to use terminology that
clearly distinguishes
between the likelihood assessment, consequence (loss criticality) assessment,
exposure assessment, safety
level assessment, and the risk estimate. Therefore, several different descriptors have
been selected for each
component that are designed to convey a scale of sequential levels. The consistent
application of this
distinct terminology is intended to clarify the discussion of these components of the
risk assessment. The
explanations of the descriptors for consequence need to encompass adverse
consequences of events
relating to both human health and safety and other targets, e.g. the environment.
They are relatively simple,
in order to cover the range of different factors (e.g. severity, space, time, cumulative,
reversibility) that may
contribute to the significance of adverse consequences. The risk estimate is derived
from the combined
consideration of both exposure, likelihood, loss criticality (severity), and safety level.
The individual
descriptors can be incorporated into a Risk Estimate Matrix. The aim of the matrix is
to provide a format for
thinking about the relationship between the exposure, likelihood, and loss criticality
(severity) of particular
QUANTITATIVERISKANALYSIS
SAFETYMANAGEMENTSERIES
hazards. It is important to note that uncertainty about either or both of these
components will affect the risk
estimate.
The risk management component of risk analysis builds on the work of the risk
assessment and may be
described as answering the questions: “Does anything need to be done about the
risk?”, “What can be done
about it?”, and “What should be done about it?”. While risk assessment deals as far
as possible with
objective evidence, risk management necessarily involves prudential judgements
about which risks require
management (risk evaluation), the choice and application of treatment measures,
and ultimately whether
the dealings should be permitted. Consequently, if there is uncertainty about risks
(e.g. in early stage
research) this may influence the management measures that are selected. A
consideration of the causal
pathways for harm to occur, that were elucidated in the risk assessment, provides a
basis for strategic
selection of how, where and when to undertake risk treatment measures. This
enables the identification of
the points at which treatment can be most effectively applied to break the causal
pathway and prevent
adverse outcomes from being realised. While the focus of risk management is on
prevention, the Regulator
also addresses how to manage adverse outcomes if a particular risk is realised.
Important considerations are
whether the adverse consequences can be reduced or reversed, identifying measures
that can achieve these
ends, and including these in licence conditions or contingency plans. Risk
management actions undertaken
by the Regulator are not limited to devising the risk management plan.
Risk communication underpins the processes of risk assessment and risk
management and the safety
regulations (both national and international regulations) provides legislative
mechanisms to ensure the
clarity, transparency and accountability of the Regulator’s decision-making processes
and that there is public
input into that process. Risk communication involves an interactive dialogue between
risk assessors, risk
managers and stakeholders. In many instances differing perceptions of risk can
influence the approach of
stakeholders to particular issues. The Regulator undertakes extensive consultation
with a diverse range of
expert groups and authorities and key stakeholders, including the public, before
deciding whether to issue a
licence. The Regulator endeavours to provide accessible information to interested
parties on applications,
licences, dealings with process and technology, trial sites and the processes of risk
assessment, risk
management, monitoring and compliance undertaken by the Regulator Office.
Therefore, the Regulator is
committed to active risk communication.