HSfB Blog

How to audit hazard control and effective risk assessment - back to basics

My current job as a Health, Safety and Radiation Advisor has given me some amazing and interesting opportunities to learn and share best practice, both internally in our heavy engineering manufacturing facilities and by visiting hundreds of our suppliers. I want to share my experiences because I think it would be wrong not to.

I've found that regardless of the industry, the basics of any positive health and safety culture are the same. I've also discovered over the past 11 1/2 years that many businesses aspiring to achieve 45001 accreditation (previously 18001) often think they are a long way off, but in reality they are closer than they think.

My articles will give you practical and meaningful advice with real world examples to help provide assurance that your health and safety management system is effective in reality and doesn't just look good on paper. They will also help identify areas of improvement. By the way, is it 'continuous' or 'continual' improvement? There's been many a debate on that one for sure!

So, whenever I conduct an internal audit or external supplier audit, I go right back to basics. Hazard control and risk assessment…

 

Hazard Identification

My audits often start by asking the auditee 'what's the most dangerous activity on site, what can kill me if things go bad?' For me, the response to this question gives me an indication of the auditee's perception of risk, potentially the organisation's perception of risk and their priorities.

Some of the responses I've had in the past will very often set the tone and direction of the day. Here's some examples I've come across, a few links to useful resources and my thought process from the conversations:

  • "nothing, all our people work safely"
    ○ You are kidding yourself on, shying away from reality, wearing blinkers, focussed on the wrong things. I'm more than happy to be challenged and proved wrong, but I need to be convinced and I refuse to be convinced easily!
  • "so far so good, we've never seriously hurt anybody"
    ○ Is the company living on a 'wing and a prayer', Lady Luck, 'it'll be fine', or the belief it won't happen to them? See above! What is the definition of a 'serious' injury anyway?
  • "fork lift trucks"
    ○ Agreed. Vehicles and pedestrians never mix well. During an audit I'll spend plenty of time looking at legal requirements (thorough examinations under LOLER), risk assessments, training, inspections of vehicles, maintenance, safe systems of work, supervision, management's understanding of the risks
    ○ Vehicles at work advice from the Health and Safety Executive (HSE) - http://www.hse.gov.uk/workplacetransport/index.htm
  • "working at heights"
    ○ Agreed. Hierarchy of controls all the way for me. The HSE has plenty of guidance here - http://www.hse.gov.uk/work-at-height/the-law.htm
    ○ Here's a video with complete disregard for sensible risk management. 'Scaffolder Fall From Height' - https://www.youtube.com/watch?v=VUv3KRaBA0E
    ○ I'm throwing this reference in because I think it has a good explanation with examples of the hierarchy of controls. I've used it a few times to get the message over - http://www.hse.gov.uk/construction/pdf/fallsqa.pdf
  • "overhead gantry cranes"
    ○ Mechanical lifting equipment / accessories and their thorough examinations. I've had so many conversations over the years trying to get people to use the correct terminology on what constitutes 'equipment' and 'accessories'. It's amazing how many people refer to everything to do with lifting as 'equipment' but fail to recognise that 'accessories' have their own further definition by the HSE. To miss this important aspect risks breaches in LOLER for specified timescales of thorough examinations. For example, thorough examinations for lifting equipment must take place every 12 months (or every 6 months if the equipment is used to lift people) and includes overhead cranes, motor vehicle lifts and vehicle tail lifts etc. However, thorough examinations for accessories must take place every 6 months and includes soft slings, chains, hooks, eyebolts, spreader beams, shackles etc.
    ○ Everything you need to know for PUWER and LOLER - http://www.hse.gov.uk/work-equipment-machinery/index.htm and http://www.hse.gov.uk/work-equipment-machinery/faq-lifting.htm

Your business listed here on HSfB free

Can I see it please?

This question is so important and in my experience, not used nearly often enough. As human beings, we typically don't want to offend people and when doing audits its important and helpful to build positive relationships with the auditee, it's my preferred approach at least. However, if I'm looking at legal compliance, it isn't good enough to simply accept people's word that it is done. If there are statutory records required for things like specified timescales for thorough examinations highlighted above, I want to see the certification, examination schemes, defect reports, LEV records or whatever is appropriate.

I've seen it all too often that somebody thinks somebody else has it all under control. You may have already seen the story of Everybody, Somebody, Anybody And Nobody?

Take nobody's word for it, see it for yourself and don't publish an audit report based on assumptions. 

 

Now that I've satisfied myself that the high hazard activities are at least understood by the business and any specific legislative requirements are being met, I want to know if there is an effective system in place to identify and adequately control the 'significant' hazards. I much prefer to tackle this on a risk based, practical and sensible approach.

A large business should have the resources available to have this covered. They may use a mix of online risk management software, corporate software and databases, industry specific guidance, internal risk registers or even specialist third party consultants. I would still be looking to see if a business verified their own approach by way of internal audit and/or inspections and to see if they had a robust corrective action and non-conformance system.

A small business with limited resources available on the other hand will likely have a fairly simple process in place and they might not even know it! Ask for a list of their hazards on site and you might not find one. Ask for the process they follow when buying new machinery for example and they might describe a robust process of how they verify the machine is fit for purpose before buying it, what existing controls prevent harm to people, what additional controls the company needs to implement, training requirements, maintenance requirements, PUWER risk assessment requirements etc. The process may not be written down but if the company can demonstrate it to be effective, maybe they just need to capture it on a simple flow diagram.

I have certainly audited places where there is little in the way of a documented management system, maybe even little or no formalised risk assessments, but the people doing the job are skilled and fully aware of the hazards and risks they are working with. That, at least, is something to work with as an health and safety professional.

What would you prefer?

A) An all singing, all dancing documented health and safety management system, but people on the workshop floor are swinging from the rafters, putting themselves in harm's way for production, ignoring safety rules, have a bad attitude to health and safety, OR,

B) Not much in the way of a formalised management system, but employees are demonstrating a positive, proactive approach to improving the health and safety at their work, looking out for their colleagues, following rules, getting involved, well trained and motivated

B all the way for me please. Formalised systems can be developed. 

 

Effective risk assessments and safe systems of work

I say 'effective' for a reason. All too often I see risk assessments created without input from the people involved in the hazardous activities, or without consulting with others in the business who might have valuable input. These can sometimes be seen purely as a tick-box exercise to cover one's backside! These are the risk assessments filed away on a computer, kept in a nice shiny folder in the office or pinned to a noticeboard.

Do people pick these up, read and follow them? I guess some do, but many don't.

Do people know and understand the controls without needing to refer to the risk assessments all the time? I would hope they do, but if not, training, communication and consultation could be your next audit focus area.

So, back to basics. The law requires us to record the 'significant findings' of an assessment of risk if you employ five people or more. Having them recorded ticks the box, great. Communicating them, providing training on them and checking they are being followed is the key.

When my auditing takes me to risk assessments, I quickly drop into the 'can I see it?' mode. Here's a real world example…

 Take nobody's word for it, see it for yourself and don't publish an audit report based on assumptions.

Real world example - spray painting

A risk assessment for a spray painting operation calls for a pre-start checklist to be completed by the operator. The checklist has several safety critical items on it, one of them being to check there are records for the bi-annual maintenance of the pressurised paint mixing unit.

When asked, the operator was fully aware of the requirement for the maintenance and was confident it was completed, so the box was ticked.

When asked, the operator explained the records would be held in the office.

When the office was asked for the records, they weren't there but were reported to be at head office.

Head office did in fact have the records and they were current, accurate and all correct. It took several hours to have visibility of these records.

Spray painter wearing PPEIn the end, my concern was not that it took several hours to see the records, it was the fact that the operator was given responsibility of checking records on a pre-start checklist immediately prior to painting. It was not the operator's responsibility to develop a maintenance plan, implement it, ensure it was completed bi-annually and maintain accurate records which are easily retrievable.

The checklist, in my opinion, could only then be seen as a tick box exercise.

If the operator was simply ticking this box on assumptions (albeit confidently), what other boxes are being ticked without absolute certainty? Ultimately, the operator is being set up to fail from the beginning. That's unacceptable in my personal rule book.

The company now needs to look at that risk assessment and their risk assessment process to see what other controls are misplaced, incorrect or irrelevant. Otherwise, the importance of the risk assessment's controls could be diluted, making them ineffective.

Risk assessment doesn't need to be complicated. It does need to work for those who rely on its content no matter how the information is relayed to them.

Here's the HSE's risk management pages, set a shortcut to it on your browser and use it often, regardless of whether you are a beginner or seasoned health and safety professional - http://www.hse.gov.uk/risk/index.htm

Back to basics please.

I hope you have found my ramblings useful. If you have, please consider sharing the article on your social networks. Many thanks.

 

Other articles I've written on auditing...

How to Audit your Management's Commitment to Health and Safety

 

Here are some resources on HSfB which may be useful…

Workplace Equipment Downloads - https://www.healthandsafetytips.co.uk/downloads/workplace-equipment
Risk / COSHH assessment downloads - https://www.healthandsafetytips.co.uk/downloads/risk-coshh-assessment
Discussion forum topic - Working at Height Risk Assessment - http://www.healthandsafetytips.co.uk/forums/viewtopic.php?f=1&t=47367