
Good Work Design

Good work design can help us achieve safe outcomes by designing safety into work processes and the design of products. Adding safety as an afterthought is almost always less effective and costs more over the lifecycle of the process or product.


The Australian Work Health and Safety Strategy 2012-2022 is underpinned by the principle that well-designed healthy and safe work will allow workers to have more productive lives. This can be more efficiently achieved if hazards and risks are eliminated through good design.

Work is currently underway by Safe Work Australia to update the WHS Strategy for 2022-2032.

Top Tip

The ten principles of good work design

This handbook contains ten principles that demonstrate how to achieve the good design of work and work processes. Each is general in nature so they can be successfully applied to any workplace, business, or industry.

The ten principles for good work design are structured into three sections:

  1. Why good work design is important;
  2. What should be considered in good work design; and
  3. How good work is designed.

These principles are shown in the diagram in Figure 1.

Figure 1. Good work design principles.

This handbook complements a range of existing resources available to businesses and work health and safety professionals, including guidance for the safe design of plant and structures; see the Safe Work Australia website.

Scope of the handbook

This handbook provides information on how to apply good work design principles to work and work processes to protect workers and others who may be affected by the work. 

It describes how design can be used to set up the workplace, working environment, and work tasks to protect the health and safety of workers, taking into account their range of abilities and vulnerabilities, so far as reasonably practicable.

The handbook does not aim to provide advice on managing situations where individual workers may have special requirements such as those with a disability or on a return to work program following an injury or illness.

Who should use this handbook?

This handbook should be used by those with a role in designing work and work processes, including:

  • Persons conducting a business or undertaking (PCBUs) with a primary duty of care under the model Work Health and Safety (WHS) laws.
  • PCBUs who have specific design duties relating to the design of plant, substances, and structures including the buildings in which people work.
  • People responsible for designing organizational structures, staffing rosters, and systems of work.
  • Professionals who provide expert advice to organizations on work health and safety matters.

Good work design optimizes work health and safety, human performance, job satisfaction, and business success.

Information: Experts who provide advice on the design of work may include: engineers, architects, ergonomists, information and computer technology professionals, occupational hygienists, organizational psychologists, human resource professionals, occupational therapists, and physiotherapists.

What is ‘good work’?

‘Good work’ is healthy and safe work where the hazards and risks are eliminated or minimized so far as is reasonably practicable. Good work is also where the work design optimizes human performance, job satisfaction, and productivity.

Good work contains positive work elements that can:

  • protect workers from harm to their health, safety, and welfare;
  • improve worker health and wellbeing; and
  • improve business success through higher worker productivity.

What is good work design?

The most effective design process begins at the earliest opportunity during the conceptual and planning phases. At this early stage there is the greatest chance of finding ways to design-out hazards, incorporate effective risk control measures, and design-in efficiencies.

Effective design of good work considers:

The work:

  • how work is performed, including the physical, mental and emotional demands of the tasks and activities
  • the task duration, frequency, complexity, and
  • the context and systems of work.

The physical working environment:

  • the plant, equipment, materials, and substances used, and
  • the vehicles, buildings, and structures that are workplaces.

The workers:

  • physical, emotional, and mental capacities and needs.

Effective design of good work can radically transform the workplace in ways that benefit the business, workers, clients, and others in the supply chain.

Failure to consider how work is designed can result in poor risk management and lost opportunities to innovate and improve the effectiveness and efficiency of work.

I suspect that many of us have seen badly-designed work, which results in workarounds or waste, or both. A little forethought can prevent this.

Top Tip

The principles for good work design support duty holders to meet their obligations under the WHS laws and also help them to achieve better business practice generally.

For the purposes of this handbook, a work designer is anyone who makes decisions about the design or redesign of work. This may be driven by the desire to improve productivity as well as the health and safety of the people who will be doing the work.

The WHY Principles

Why is good work design important?

Principle 1: Good work design gives the highest level of protection so far as is reasonably practicable

  • All workers have a right to the highest practicable level of protection against harm to their health, safety, and welfare.
  • The primary purpose of the WHS laws is to protect persons from work-related harm so far as is reasonably practicable.
  • Harm relates to the possibility that death, injury, illness, or disease may result from exposure to a hazard in the short or long term.
  • Eliminating or minimizing hazards at the source before risks are introduced in the workplace is a very effective way of providing the highest level of protection.

Principle 1 refers to the legal duties under the WHS laws. These laws provide the framework to protect the health, safety, and welfare of workers and others who might be affected by the work. During the work design process, workers and others should be given the highest level of protection against harm that is reasonably practicable.

Prevention of workplace injury and illness

Well-designed work can prevent work-related deaths, injuries, and illnesses. The potential risk of harm from hazards in a workplace should be eliminated through good work design.

Only if elimination is not reasonably practicable should the design process instead minimize hazards and risks through the selection and use of appropriate control measures.

New hazards may inadvertently be created when changing work processes. If the good work design principles are systematically applied, potential hazards and risks arising from these changes can be eliminated or minimized.

Information: Reducing the speed of an inappropriately fast process line will not only reduce production errors, but can also diminish the likelihood of a musculoskeletal injury and mental stress.

Principle 2: Good work design enhances health and wellbeing

  • Health is a “state of complete physical, mental, and social wellbeing, not merely the absence of disease or infirmity” (World Health Organisation).
  • Designing good work can help improve health over the longer term by improving workers’ musculoskeletal condition, cardiovascular functioning, and mental health.
  • Good work design optimizes worker function and improves participation enabling workers to have more productive working lives.

Health benefits

An effective design aims to prevent harm, but it can also positively enhance the health and wellbeing of workers, for example, satisfying work and positive social interactions can help improve people’s physical and mental health.

As a general guide, the healthiest workers have been found to be three times more productive than the least healthy. It, therefore, makes good business sense for work design to support people’s health and wellbeing.

Information: Recent research has shown long periods of sitting (regardless of exercise regime) can lead to an increased risk of preventable musculoskeletal disorders and chronic diseases such as diabetes. In an office environment, prolonged sitting can be reduced by allowing people to alternate between sitting or standing whilst working.

Principle 3: Good work design enhances business success and productivity

  • Good work design prevents deaths, injuries, and illnesses and their associated costs, improves worker motivation and engagement, and in the long-term improves business productivity.
  • Well-designed work fosters innovation, quality, and efficiencies through effective and continuous improvement.
  • Well-designed work helps manage risks to business sustainability and profitability by making work processes more efficient and effective and by improving product and service quality.

Cost savings and productivity improvements

Designing-out problems before they arise is generally cheaper than making changes after the resulting event, for example by avoiding expensive retrofitting of workplace controls.

Good work design can have direct and tangible cost savings by decreasing disruption to work processes and the costs from workplace injuries and illnesses.

Good work design can also lead to productivity improvements and business sustainability by:

  • allowing organizations to adjust to changing business needs and streamline work processes by reducing wastage, training, and supervision costs
  • improving opportunities for creativity and innovation to solve production issues, reduce errors and improve service and product quality, and
  • making better use of workers’ skills resulting in more engaged and motivated staff willing to contribute greater additional effort.

The WHAT Principles

What should be considered by those with design responsibilities?

Principle 4: Good work design addresses physical, biomechanical, cognitive, and psychosocial characteristics of work, together with the needs and capabilities of the people involved

  • Good work design addresses the different hazards associated with work e.g. chemical, biological, and plant hazards, hazardous manual tasks, and aspects of work that can impact mental health.
  • Work characteristics should be systematically considered when work is designed, redesigned or the hazards and risks are assessed.
  • These work characteristics should be considered in combination and one characteristic should not be considered in isolation.
  • Good work design creates jobs and tasks that accommodate the abilities and vulnerabilities of workers so far as reasonably practicable.

All tasks have key characteristics with associated hazards and risks, as shown in Figure 2 below:

Figure 2 – Key characteristics of work

Hazards and risks associated with tasks are identified and controlled during good work design processes and they should be considered in combination with all hazards and risks in the workplace. This highlights that it is the combination that is important for good work design.

Workers can also be exposed to a number of different hazards from a single task. For example, meat boning is a common task in a meat-processing workplace. This task has a range of potential hazards and risks that need to be managed, e.g. physical, chemical, biological, biomechanical, and psychosocial. Good work design means the hazards and risks arising from this task are considered both individually and collectively to ensure the best control solutions are identified and applied.

Good work design can prevent unintended consequences which might arise if task control measures are implemented in isolation from other job considerations. For example, automation of a process may improve production speed and reduce musculoskeletal injuries but increase the risk of hearing loss if effective noise control measures are not also considered.

Workers have different needs and capabilities; good work design takes these into account. This includes designing to accommodate the normal range of human cognitive, biomechanical, and psychological characteristics relevant to the work.

Information: The Australian workforce is changing. It is typically older with higher educational levels, more inclusive of people with disabilities, and more socially and ethnically diverse. Good work design accommodates and embraces worker diversity. It will also help a business become an employer of choice, able to attract and retain an experienced workforce.

Principle 5: Good work design considers the business needs, context, and work environment.

  • Good work design is ‘fit for purpose’ and should reflect the needs of the organization including owners, managers, workers, and clients.
  • Every workplace is different so approaches need to be context-specific. What is good for one situation cannot be assumed to be good for another, so off-the-shelf solutions may not always suit every situation.
  • The work environment is broad and includes: the physical structures, plant and technology, work layout, organizational design and culture, human resource systems, work health and safety processes, and information/control systems.

The business organizational structure and culture, decision-making processes, work environment, and how resources and people are allocated to the work will, directly and indirectly, impact on work design and how well and safely the work is done.

The work environment includes the physical structures, plant, and technology. Planning for relocations, refurbishments, or the introduction of new engineering systems provides ideal opportunities for businesses to improve their work designs and avoid foreseeable risks.

These are amongst the most common work changes a business undertakes yet good design during these processes is often quite poorly considered and implemented. An effective design following the processes described in this handbook can yield significant business benefits.

Information: Off-the-shelf solutions can be explored for some common tasks, however usually design solutions need to be tailored to suit a particular workplace.

Good work design is most effective when it addresses the specific business needs of the individual workplace or business. Typically work design solutions will differ between small and large businesses.

However, all businesses must eliminate or minimize their work health and safety risks so far as reasonably practicable. The specific strategies and controls will vary depending on the circumstances.

The table below demonstrates how to step through the good work design process for small and large businesses.

Good design steps, shown for a large business that is downsizing and for a small business that is undergoing a refit:

Management commitment
  • Large business (downsizing): Senior management make their commitment to good work design explicit ahead of downsizing and may hire external expertise.
  • Small business (refit): The owner tells workers about their commitment to designing-out hazards during the upcoming refit of the store layout to help improve safety and efficiency.

Consult
  • Large business (downsizing): The consequences of downsizing and how these can be managed are discussed in senior management and WHS committee meetings with appropriate representation from affected work areas.
  • Small business (refit): The owner holds meetings with their workers to identify possible issues ahead of the refit.

Identify
  • Large business (downsizing): A comprehensive workload audit is undertaken to clarify opportunities for improvements.
  • Small business (refit): The owner discusses the proposed refit with the architect and builder and gets ideas for dealing with issues raised by workers.

Assess
  • Large business (downsizing): A cost-benefit analysis is undertaken to assess the work design options to manage the downsizing.
  • Small business (refit): The owner, architect, and builder jointly discuss the proposed refit and any worker issues directly with workers.

Control
  • Large business (downsizing): A change management plan is developed and implemented to appropriately structure teams and improve systems of work. Training is provided to support the new work arrangements.
  • Small business (refit): The building refit occurs. Workers are given training and supervision to become familiar with the new layout and safe equipment use.

Review
  • Large business (downsizing): The work redesign process is reviewed against the project aims by senior managers.
  • Small business (refit): The owner checks with the workers that the refit has improved working conditions and efficiency and that there are no new issues.

Improve
  • Large business (downsizing): Following consultation, refinement of the redesign is undertaken if required.
  • Small business (refit): Minor adjustments to the fit-out are made if required.

Table 1 – steps in good work design for large and small businesses

Principle 6: Good work design is applied along the supply chain and across the operational lifecycle.

  • Good work design should be applied along the supply chain in the design, manufacture, distribution, use and disposal of goods and the supply of services.
  • Work design is relevant at all stages of the operational life cycle, from start-up, routine operations, maintenance, downsizing and cessation of business operations.
  • New initiatives, technologies, and changes in organizations have implications for work design and should be considered.

Information: Supply chains are often made up of complex commercial or business relationships and contracts, frequently designed to provide goods or services to a large, dominant business in the chain. The human and operational costs of poor design by one business can be passed up or down the supply chain.

Businesses in the supply chain can have significant influence over their supply chain partners’ work health and safety through the way they design the work.

Businesses may create risks, so they need to be active in working with their supply chains and networks to solve work health and safety problems and to share practical solutions, for example for common design and manufacturing problems.

Health and safety risks can be created at any point along the supply chain, for example, loading and unloading causing time pressure for the transport business.

There can be a flow-on effect where the health and safety and business ‘costs’ of poor design may be passed down the supply chain. These can be prevented if businesses work with their supply chain partners to understand how contractual arrangements affect health and safety.

Procurement and contract officers can also positively influence their own organization and others’ work health and safety throughout the supply chain through the good design of contracts. 

When designing contractual arrangements businesses could consider ways to support good work design safety outcomes by:

  • setting clear health and safety expectations for their supply chain partners, for example through the use of codes of conduct or quality standards
  • conducting walk-through inspections, monitoring, and comprehensive auditing of supply chain partners to check adherence to these codes and standards
  • building the capability of their own procurement staff to understand the impacts of contractual arrangements on their suppliers, and
  • consulting with their supply chain partners on the design of good work practices.

Information: The road transport industry is an example of how this principle can help improve drivers’ health and safety and address issues arising from supply chain arrangements. For example, the National Heavy Vehicle Laws ‘chain of responsibility’ requires all participants in the road transport supply chain to take responsibility for driver work health and safety. Contracts must be designed to allow drivers to work reasonable hours, take sufficient breaks from driving, and not have to speed to meet deadlines.

The design of products will strongly impact both health and safety and business productivity throughout their lifecycles. At every stage, there are opportunities to eliminate or minimize risks through good work design. The common product lifecycle stages are illustrated in Figure 3 below.

Figure 3 – common product lifecycle

Information: For more information on the design of structures and plant see ‘Safe design of structures’ and Managing the risks of plant in the workplace and other design guidance on the Safe Work Australia website.

The good work design principles are also relevant at all stages of the business life cycle. Some of these stages present particularly serious and complex work health and safety challenges such as during the rapid expansion or contraction of businesses. Systematic application of good work design principles during these times can achieve positive work health and safety outcomes.

New technology is often a key driver of change in work design. It has the potential to improve the quality of outputs, efficiency, and safety of workers, however introducing new technology could also introduce new hazards and unforeseen risks. Good work design considers the impact of the new initiatives and technologies before they are introduced into the workplace and monitors their impact over time.

Information: When designing a machine for safe use, how the maintenance will be undertaken in the future should be considered.

In most workplaces, information and communication technology (ICT) systems are an integral part of all business operations. In practice, these are often the main drivers of work changes but are commonly overlooked as sources of workplace risks. Opportunities to improve health and safety should always be considered when new ICT systems are planned and introduced.

Figure 4 – The ICT Triad

The HOW Principles

Principle 7: Engage decision-makers and leaders

  • Work design or redesign is most effective when there is a high level of visible commitment, practical support, and engagement by decision-makers.
  • Demonstrating the long-term benefits of investing in good work design helps engage decision-makers and leaders.
  • Practical support for good work design includes the allocation of appropriate time and resources to undertake effective work design or redesign processes.

Information: Leaders are the key decision-makers or those who influence the key decision-makers. Leaders can be the owners of a business, directors of boards, and senior executives.

Leaders can support good work design by ensuring the principles are appropriately included or applied, for example in:

  • key organizational policies and procedures
  • proposals and contracts for workplace change or design
  • managers’ responsibilities and as key performance indicators
  • business management systems and audit reports
  • organizational communications such as a standing item on leadership meeting agendas, and
  • the provision of sufficient human and financial resources.

Good work design, especially for complex issues, will require adequate time and resources to consider and appropriately manage organizational and/or technological change. As with all business changes, research shows that leader commitment to upfront planning helps ensure better outcomes.

Managers and work health and safety advisors can help this process by providing their leaders with appropriate and timely information. This could include for example:

  • identifying design options that support both business outcomes and work health and safety objectives
  • assessing the risks and providing short and long term cost-benefit analysis of the recommended controls to manage these risks, and
  • identifying what decisions need to be taken, when and by whom to effectively design and implement the agreed changes.

Principle 8: Actively involve the people who do the work, including those in the supply chain and networks

  • Persons conducting a business or undertaking (PCBUs) must consult with their workers and others likely to be affected by work in accordance with the work health and safety laws.
  • Supply chain stakeholders should be consulted as they have local expertise about the work and can help improve work design for upstream and downstream participants.
  • Consultation should promote the sharing of relevant information and provide opportunities for workers to express their views, raise issues, and contribute to decision-making where possible.

Effective consultation and cooperation of all involved with open lines of communication will ultimately give the best outcomes. Consulting with those who do the work not only makes good sense, it is required under the WHS laws.

Information: Under the model WHS laws (s47), a business owner must, so far as is reasonably practicable, consult with ‘workers who carry out work for the business or undertaking who are, or are likely to be, directly affected by a matter relating to work health or safety.’ This can include a work design issue.

If more than one person has a duty in relation to the same matter, ‘each person with the duty must, so far as is reasonably practicable, consult, co-operate and co-ordinate activities with all other persons who have a duty in relation to the same matter’ (model WHS laws s46).

Workers have knowledge about their own job and often have suggestions on how to solve a specific problem. Discussing design options with them will help promote their ownership of the changes. See Code of practice on consultation.

Businesses that operate as part of a supply chain should consider whether the work design and changes to the work design might negatively impact on upstream or downstream businesses. The supply chain partners will often have solutions to logistics problems that can benefit all parties.

Principle 9: Identify hazards, assess and control risks, and seek continuous improvement

  • A systematic risk management approach should be applied in every workplace.
  • Designing good work is part of the business process and not a one-off event.
  • Long-term sustainability requires that designs or redesigns are continually monitored and adjusted to adapt to changes in the workplace, so that feedback is provided and new information is used to improve the design.

Good work design should systematically apply the risk management approach to workplace hazards and risks. See Principle 4 for more details.

Typically good work design will involve ongoing discussions with all stakeholders to keep refining the design options. Each stage in the good work design process should have decision points for review of options and to consult further if these are not acceptable. This allows for flexibility to quickly respond to unanticipated and adverse outcomes.

Figure 5 outlines how the risk management steps can be applied in the design process.

Continuous improvements in work health and safety can in part be achieved if the good work design principles are applied at business start-ups and whenever major organizational changes are contemplated. To be most effective, consideration of health and safety issues should be integrated into normal business risk management.

Figure 5 – Steps in the good work design process

Principle 10: Learn from experts, evidence, and experience

  • Continuous improvement in work design and hence work health and safety requires ongoing collaboration between the various experts involved in the work design process.
  • Various people with specific skills and expertise may need to be consulted in the design stage to fill any knowledge gaps. It is important to recognize the strengths and limitations of a single expert’s knowledge.
  • Near misses, injuries and illnesses are important sources of information about poor design.

Most work design processes will require collaboration and cooperation between internal and sometimes external experts. Internal advice can be sought from workers, line managers, technical support and maintenance staff, engineers, ICT systems designers, work health and safety advisors, and human resource personnel.

Depending on the design issue, external experts may be required such as architects, engineers, ergonomists, occupational hygienists, and psychologists.

Information: If you provide advice on work design options it is important to know and work within the limitations of your discipline’s knowledge and expertise. Where required make sure you seek advice and collaborate with other appropriate design experts.

For complex and high-risk projects, ideally, a core group of the same people should remain involved during both the design and implementation phases with other experts brought in as necessary.

The type of expert will always depend on the circumstances. When assessing the suitability of an expert consider their qualifications, skills, relevant knowledge, technical expertise, industry experience, reputation, communication skills, and membership of professional associations.

Information: Is the consultant suitably qualified?
A suitably qualified person has the knowledge, skills, and experience to provide advice on a specific design issue. You can usually check with the professional association to see if the consultant is certified or otherwise recognized by them to provide work design advice.

The decision to design or redesign work should be based on sound evidence. Typically this evidence will come from many sources, such as proactive and reactive indicators, information about new technology, business decisions to downsize, expand or restructure, or the need to meet the requirements of supply chain partners.

Proactive and reactive indicators can also be used to monitor the effectiveness and efficiency of the design solution.

Information: Proactive indicators provide early information about the work system that can be used to prevent accidents or harm. These might include, for example, key process variables such as temperature, or workplace systems indicators such as the number of safety audits and inspections undertaken.

Reactive indicators are usually based on incidents that have already occurred. Examples include the number and type of near misses and worker injury and illness rates.

Useful information about common work design problems and solutions can also often be obtained from:

  • work health and safety regulators
  • industry associations and unions
  • trade magazines and suppliers, and
  • specific research papers.

Figure 5.1 – Sources of Work Design Information

Good Work Design: Summary

The ten principles of good work design can be applied to help support better work health and safety outcomes and business productivity. They are deliberately high level and should be broadly applicable across the range of Australian businesses and workplaces. Just as every workplace is unique, so is the way each principle can be applied in practice.

When considering these principles in any work design also ensure you take into account your local jurisdictional work health and safety requirements.

Good Work Design: Copyright

Much of the content of this post is taken from the Principles of Good Work Design handbook from Safe Work Australia. The handbook is © Commonwealth of Australia, 2019; this document is covered by a Creative Commons licence (CC BY 4.0) – for full details see here.

I have made some changes to the text to improve the layout and correct minor problems with Figure numbering in the original document. ‘Top Tips’ are my own!

The Risk Matrix

In this article, I look at The Risk Matrix, a widely used technique in many industries. Risk Matrices have many applications!

In this article, I have used material from a UK Ministry of Defence guide, reproduced under the terms of the UK’s Open Government Licence.


A risk matrix is a graphical representation of the various risks associated with a project and its corresponding risk management strategies. It helps to identify and prioritize potential risks.

What is a Risk Matrix?

A safety risk matrix provides a framework for ranking or classifying safety issues according to their significance. The matrix is sometimes called a “hazard ranking matrix” or a “hazard classification matrix”, but it is strictly applied to accidents, since these have harmful outcomes, whereas hazards only have the potential for harm. The matrix can be used as a risk screening tool to help decide which issues need treatment first or which need not be considered further at this time.

Risk matrices can cover exposure to different types of loss, including harm to humans, damage to the environment, financial loss or impact on reputation. If a loss in these diverse categories can be considered in common terms (e.g. the monetary impact of all types of loss), then a single matrix can cover all such issues together and prioritize which are the most significant.

The matrix covers a “risk space” defined by the two component parts of risk, namely likelihood on one axis and consequence (or severity) on the other. Each axis must span the full range of outcomes that are considered possible for the system of interest. Each range is divided into a number of categories or bands (typically between 3 and 8) to define the cells of the matrix.

The bands on the two axes may be defined in terms that are purely qualitative, semi-quantitative, or fully quantitative, for example:

  • Qualitative:
    • Likelihood is (Frequent / Reasonably Probable / Remote / Extremely Remote)
    • Severity is (Minor / Significant / Severe / Catastrophic)
  • Semi-quantitative:
    • Likelihood is (e.g. likely to occur once per year on one site)
    • Severity is (e.g. a single death)
  • Quantitative:
    • Likelihood is (e.g. between 1×10⁻⁵ and 1×10⁻⁴ per year on one site)
    • Severity is (e.g. between 1.0 and 10.0 Fatalities and Weighted Injuries)

Each cell of the matrix is assigned an indicator defining the relative significance of issues falling in that zone. This indicator could be:

  • A risk descriptor (e.g. Low, Moderate, High, Very High)
  • A risk score or index (e.g. a number from 1 to 20)
  • A priority category (e.g. High, Medium or Low)
  • A risk class (e.g. A, B, C or D)
  • A measure of expected rate of harm or loss (e.g. 5.4 Fatalities and Weighted Injuries per year or £45,000 per year)

Where likelihood and consequence are stated quantitatively, the axes are usually considered to have logarithmic scales. Adjacent bands will typically differ by one order of magnitude. In this case, lines of constant risk run diagonally across the matrix and the risk will range by a factor of 100 across the area covered by a single cell. This illustrates that the matrix is a coarse tool, which can show large differences in risk, but does not address fine detail, such as compliance with quantitative risk requirements.

To apply the matrix, users must have a list of the relevant safety issues (from Hazard Identification and Hazard Analysis) and estimates of the likelihood and severity of each possible accident (from Risk Estimation). The matrix is therefore a technique for Risk Evaluation, which follows on from Risk Estimation. The estimates of accident likelihood and severity may be generated by different methods, depending on the stage of the project, the information available and the significance of the safety issue being explored. For example, the estimates may come from:

  • Engineering judgement by Subject Matter Experts with knowledge of similar systems
  • Historical data from this or similar systems
  • Detailed modelling (e.g. using Fault Tree Analysis and Event Tree Analysis or Bow-Tie Analysis)

Examples of Risk Matrices

The following example matrices show some of the variations in format, terminology and risk indicators across a range of sectors and standards.

Example 1: IEC 31010 Example risk ranking matrix. Severity on x-axis increasing left to right, likelihood on y-axis increasing bottom to top, with five “risk levels” which are linked to decision rules such as the level of management attention or the time scale by which response is needed.

IEC 31010 Risk Matrix

Example 2: Def Stan 00-56 Issue 2 Example accident risk classification table. Severity on x-axis increasing right to left, likelihood on y-axis increasing bottom to top, four risk classes identify significance and so management level for approval.

Def Stan 00-56 Issue 2 Example Accident Risk Classification Table

Example 3: IMO Guidelines on FSA. Example hazard risk index matrix. Severity on x-axis increasing left to right, likelihood on y-axis increasing bottom to top, risk index (RI) in each cell calculated by adding Severity Index (SI) for column and Frequency Index (FI) for a row. RI can be considered as log(risk), obtained by adding FI and SI.

IMO Guidelines on FSA: risk index matrix (RI = FI + SI)

  FI  Frequency             SI 1    SI 2         SI 3    SI 4
                            Minor   Significant  Severe  Catastrophic
  7   Frequent              8       9            10      11
  6                         7       8            9       10
  5   Reasonably probable   6       7            8       9
  4                         5       6            7       8
  3   Remote                4       5            6       7
  2                         3       4            5       6
  1   Extremely remote      2       3            4       5

Example 4: ISO 17776 Offshore Sector Example risk matrix. Severity on y-axis increasing top to bottom, likelihood on x-axis increasing left to right, matrix areas define future action to be taken.

ISO 17776 Risk Matrix

Risk Matrix Assessment

When it Might be Used

The matrix is usually set up at an early stage of the lifecycle, defining the framework to be used for risk evaluation at subsequent stages. It should be used early in the lifecycle to provide a coarse sift of the identified safety issues so that attention can be focused on the most significant ones. This attention may involve more detailed analysis to understand complex accident sequences and to apply semi-quantitative or fully quantitative risk assessment techniques where appropriate.

Later in the lifecycle, the risk matrix may be used for determining the appropriate management level for review and acceptance of each safety issue. This ensures that the key risk drivers are brought to the attention of senior managers but they are not swamped with masses of information on less significant matters.

During the in-service stage of the lifecycle, the risk matrix technique can be applied to give an indication of significance for new safety concerns, such as those revealed by incidents or due to proposed design changes. Risk monitoring can be focused on the issues of highest significance as well as targeting resources for risk reduction.

Advantages & Disadvantages

Advantages

  • Risk matrices provide a quick appreciation of the most significant issues so that attention can be focused where it will have most benefit.
  • Matrices provide a visual representation which is easily understood and so aids communication with non-specialists.
  • Risk matrices can cover impacts which are different in nature (e.g. harm to people, harm to the environment, material or financial loss), provided that these can be equated in common units (e.g. in money terms).

Disadvantages

  • Risk matrices are good for examining different issues affecting one system or activity on the basis of their risk relative to each other. They are not effective for understanding absolute risk.
  • There is no single, correct interpretation of the level at which “safety issues” should be selected for presentation on the risk matrix. This means that different analysts may choose different levels and the resulting list of prioritised issues is somewhat subjective. The apparent results may be changed by “accident splitting” (i.e. defining one safety issue as two or more different accidents, each of which will appear to have lower risk).
  • Risk matrices consider safety issues one at a time and so do not help in understanding the overall or aggregate risk exposure.
  • When a variety of different outcomes is possible from a single issue (e.g. fire – consequences can range from no harm to multiple deaths) it can be difficult to choose which likelihood and consequence combination should be used.
  • As a broad-brush technique, risk matrices should not be used for considering whether quantitative risk targets have been met or as the only technique for examining complex or high consequence issues. The matrix can, however, highlight high consequence issues so that they then receive more detailed consideration.
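The log-scale banding described earlier (adjacent bands one order of magnitude apart, so risk spans a factor of 100 within a single cell), the IMO convention RI = FI + SI, and the “accident splitting” caveat just above can all be made concrete in a few lines of code. The following is an added example written for this page; it is not code from the MoD guide, the IMO guideline or this post. The band boundaries, the “equivalent fatalities” severity measure and the decision rule in risk_class are assumptions made for the illustration, not values from any standard.

```python
import math

# Band definitions are assumptions constructed for this example, not taken
# from the IMO guideline or any other standard.
# Frequency index FI 1..7: band n covers [10**(n-7), 10**(n-6)) accidents per
# year, so FI 7 ("Frequent") is one or more per year and FI 1 ("Extremely
# remote") is fewer than one per 100,000 years.
FI_MIN, FI_MAX = 1, 7
FI_LABELS = {7: "Frequent", 5: "Reasonably probable", 3: "Remote", 1: "Extremely remote"}
# Severity index SI 1..4: band n covers [10**(n-3), 10**(n-2)) "equivalent
# fatalities" (an assumed weighting of injuries against fatalities), so
# SI 3 ("Severe") spans 1 to 10 equivalent fatalities.
SI_MIN, SI_MAX = 1, 4
SI_LABELS = {1: "Minor", 2: "Significant", 3: "Severe", 4: "Catastrophic"}


def _band(value, offset, lo, hi):
    """Map a positive quantity onto a one-decade band, clamped to lo..hi."""
    if value <= 0:
        raise ValueError("likelihood and severity must be positive")
    return max(lo, min(hi, math.floor(math.log10(value)) + offset))


def frequency_index(per_year):
    return _band(per_year, 7, FI_MIN, FI_MAX)


def severity_index(equiv_fatalities):
    return _band(equiv_fatalities, 3, SI_MIN, SI_MAX)


def risk_index(per_year, equiv_fatalities):
    """IMO-style RI = FI + SI; with decade bands this behaves like log10(risk)."""
    return frequency_index(per_year) + severity_index(equiv_fatalities)


def risk_class(ri):
    """Assumed decision rule (constructed for the example): which management
    level must review the issue. Real matrices attach their own rules to cells."""
    if ri >= 9:
        return "High: board-level review before acceptance"
    if ri >= 6:
        return "Medium: project safety committee"
    return "Low: manage locally"


def cell_risk_range(fi, si):
    """Smallest and largest expected loss (equivalent fatalities per year) that
    can fall in one cell. The ratio is always 100: one decade on each axis."""
    f_lo, s_lo = 10.0 ** (fi - 7), 10.0 ** (si - 3)
    return f_lo * s_lo, (10 * f_lo) * (10 * s_lo)


def risk_matrix():
    """The full RI grid: rows FI 7..1 (top to bottom), columns SI 1..4."""
    return {fi: [fi + si for si in range(SI_MIN, SI_MAX + 1)]
            for fi in range(FI_MAX, FI_MIN - 1, -1)}


def split_accident(per_year, equiv_fatalities, parts):
    """The 'accident splitting' caveat: one issue recorded as `parts` separate
    accidents, each with 1/parts of the frequency. Expected loss is unchanged,
    but each fragment can land in a lower cell and attract less scrutiny."""
    whole = risk_index(per_year, equiv_fatalities)
    fragment = risk_index(per_year / parts, equiv_fatalities)
    loss_whole = per_year * equiv_fatalities
    loss_split = parts * (per_year / parts) * equiv_fatalities
    return whole, fragment, loss_whole, loss_split


if __name__ == "__main__":
    for fi, row in risk_matrix().items():
        print(f"FI {fi} {FI_LABELS.get(fi, ''):20s}", row)
    # Constructed issue: a crane drop estimated at once per 20 years (0.05/yr)
    # with roughly 2 equivalent fatalities per event.
    ri = risk_index(0.05, 2.0)
    print("crane drop: RI", ri, "->", risk_class(ri))
    print("cell span (min, max loss/yr):", cell_risk_range(frequency_index(0.05), severity_index(2.0)))
    print("same issue split into 10 accidents:", split_accident(0.05, 2.0, 10))
```

Running the block prints the seven-by-four RI grid (identical to the IMO table above) and classifies the constructed crane-drop issue as RI 8. The last line is the point of the caveat: recording that one issue as ten separate accidents drops each fragment to RI 7 while the total expected loss stays at 0.1 equivalent fatalities per year, which is why the matrix should never be the only check on high-consequence issues.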

Risk Matrices for Project Management

In project management, we are aiming for specific outcomes, often represented as the project management triangle.

Project Management Triangle

In the center is quality (and/or safety), which is central to indicate that this cannot be compromised.  The three corners are cost, time, and scope (or requirements), and these can be traded off against each other.

This representation helps us to identify project risks by the effect that they might have on the project’s objectives.  ISO 31000 defines risk as “the effect of uncertainty on objectives”.  Again, the risk matrix allows us to identify and rank risks, identifying the biggest, most critical risks.  These risks are where we will focus most attention, looking for multiple controls, or defense-in-depth, for the most serious ones.   

An old saying is that “you can have a quick job, a proper job, or a cheap job; you can have two out of three, but you can’t have all three.”  Taken literally this is a little pessimistic, but it does remind us that if we set an absolute target on one of these axes, then we will likely have to trade the other two off against each other.   

This axiom also gives us some basic principles on which to identify controls.  We might desire controls that allow us to achieve all objectives at the same time, but this is often unrealistic.  Practical experience – encoded in a saying – suggests that we must be prepared to accept some trades in budget/schedule/scope.

Thus the risk matrix, in combination with some basic project management principles, enables more realistic decision-making.  (Real decisions involve saying ‘no’ to some things in order to say ’yes’ to others.)  Rather than naively thinking that we can have it all, the risk matrix supports robust early decision-making. 

This should make project success more likely – until somebody changes the objectives!

Additional Considerations

It should be noted that risk matrices from different standards and industry sectors are not always represented in the same way. The most common convention has a Cartesian representation (i.e. values increasing left to right and bottom to top on the two axes) so that risk increases from bottom left to top right, but the examples above show that several common matrices have a different format.

If risk estimates are generated by a team of Subject Matter Experts, their deliberations can be biased (consciously or unconsciously) if they know the risk matrix framework. There may be a tendency to choose likelihood and/or severity estimates that result in a lower apparent risk so that it attracts less management scrutiny.

Uncertainty in the estimates of severity and likelihood can be represented on a risk matrix by plotting each risk with error bars (or as a region spanning several cells) rather than as a single point. This can help senior managers understand how firm the ranking really is.

Using common matrices for different systems does not necessarily result in risk estimates that can be compared in a meaningful way. The systems may have diverse risk exposure factors (e.g. number of people exposed, usage rate) and different numbers and types of accidents to consider.

(For more on risk management, see the FAQ.)


Risk: Averse, Adverse, or Appetite?

You heard me right. Risk: Averse, Adverse, or Appetite? Which would you choose? Do we even have a choice? Read on …

We often hear that we live in a risk-averse society.  By that, I mean that we don’t want to take risks, or that we’re too timid.  I don’t think that’s the whole story.

In reality, we need to deal with several concepts.  Let’s start by looking at risk:

  • Aversity;
  • Adversity;
  • Appetite; and then
  • Perception.

Risk Adverse versus Risk Averse

These terms are often used incorrectly, so here’s a useful comparison:

“Many people are confused when faced with the choice between adverse and averse. While these two adjectives have many similarities, they are not used interchangeably.
If you want to describe a negative reaction to something (such as a harmful side effect from medication) or dangerous meteorological conditions (such as a snowstorm), adverse is the correct choice. You would not say that you had an ‘averse’ reaction to medication or that there was ‘averse’ weather.
In short, adverse tends to be used to describe effects, conditions, and results; while averse refers to feelings and inclinations.”[1]

Merriam-Webster Dictionary

Risk Adverse

A Formal Definition of Adverse

Again, the Merriam-Webster Dictionary sails to the rescue:

  • “1: acting against or in a contrary direction:
    • HOSTILE,
    • hindered by adverse winds
  • 2a: opposed to one’s interests,
    • an adverse verdict,
    • heard testimony adverse to their position,
    • especially: UNFAVORABLE,
    • adverse criticism
  • b: causing harm: HARMFUL, adverse drug effects
  • 3: archaic: opposite in position”[2]

This is all very well, but we need something that we can use, like a…

…Practical Definition of Risk Adverse

The Law Insider website provides a very useful definition of ‘Risk Adverse’.   

“Adverse Risk means any risk of an adverse effect on the Development, procurement or maintenance of Regulatory Approval, Manufacture or Commercialization of a Product.”[3]

Law Insider

It’s useful because it is so pertinent to safety.  Let me explain. Often, we want to develop a product or service, but there are:

  • Development risks – often called Project Management risks, as a development is often the focus of a project.  Remember that the ISO 31000 defines risk as “the effect of uncertainty on objectives”.  By definition, a project has specific objectives (e.g., budget, schedule, and quality). 
  • Procurement risks – when acquiring a new product or service, an enterprise may also acquire development risks for the new or upgraded thing. There are also risks associated with contractual acceptance, fielding the product, etc.
  • Regulatory approval risks – in many industries and domains, regulatory approval may be needed. This may require qualification, certification, or accreditation (or a combination thereof).
  • Commercialization risks include making a product commercially viable, positioning it in the market, and gaining user and/or public acceptance.     

Each one of these topics is a massive subject, about which countless books have been written.  Law Insider’s definition is very powerful!

Risk Averse

So, risk aversion is about feelings and inclinations.  This is such a familiar topic, that perhaps we don’t bother to explore it. Later on in this post, we will explore Risk Aversion by looking at Risk Perception.

Before we do that, let’s look at the opposite of Risk Aversion.

Risk Appetite

“Risk appetite is the level of risk that an organization is prepared to accept in pursuit of its objectives, before action is deemed necessary to reduce the risk. It represents a balance between the potential benefits of innovation and the threats that change inevitably brings. The ISO 31000 risk management standard refers to risk appetite as the “Amount and type of risk that an organization is prepared to pursue, retain or take”. This concept helps guide an organization’s approach to risk and risk management.”[4]


Risk appetite is a really interesting concept.  The definition is that risk appetite is the level of risk that a person or organization is prepared to accept in pursuit of objectives. 

Why is Risk Useful?

Risk is necessary because we need to take risks to do almost anything. Every time we breathe in, every time we eat or drink something, we’re taking a risk.

It’s the same for businesses, enterprises, and nations.  If we keep on doing the same old thing again and again, eventually someone else will come along and outcompete us.  Ironically, the risk is that we fail to adapt and cease to exist – Darwinian selection. 

A great example of this is the Kodak corporation. For years Kodak dominated the photography market. However, they failed to see the promise of digital photography and didn’t take advantage of it. They were overtaken by rivals, and in the end this mighty corporation filed for bankruptcy in 2012.

So to ensure the survival of an entity, we must accept change, we must take risks. This seems to be true of populations, businesses – even software programs seem to illustrate this kind of evolutionary development [5].

Quantifying Risk and Appetite

In some areas of business, it’s easy to define risk appetite.  Financial corporations can easily define how much loss they are prepared to accept.  They can accept that a certain percentage of turnover or profit will be lost to fraud or error. 

A more sophisticated business might quantify the benefit of taking risks.  For example, lending more money might result in greater profits.  If a business understands the relationship between risk and opportunity, it can exploit it.

Too Big to Fail

A few years ago we saw the downside of that thinking. Organizations thought they were too big to fail or too clever – they couldn’t go wrong. Some high-profile failures led to a domino effect, whereby many institutions effectively collapsed. This was the Global Financial Crisis.

As a result, the regulation of lenders was tightened up.  Banks and similar bodies were forced to keep higher reserves of cash and assets in order to survive miscalculations of risk.

How Much Risk is Enough?

So, how can we determine an appropriate risk appetite, without over-reaching ourselves?

This is a particularly difficult judgment when considering safety. Now we are not trading $ for $, we are trading dollars for injury and even death. This is a much more difficult ethical problem. There are various ways of making this judgment; for example, in Australia we can refer to Safe Work Australia’s guidance.

In this article, we will consider what leads us to a distorted perception of risk. 

Risk Perception

Some researchers claim that there are three factors that cause us to look at risk and misunderstand it.

Psychometric research identified a broad domain of characteristics that may be condensed into three high order factors: 1) the degree to which a risk is understood, 2) the degree to which it evokes a feeling of dread, and 3) the number of people exposed to the risk. A dread risk elicits visceral feelings of terror, uncontrollable, catastrophe, inequality, and uncontrolled. An unknown risk is new and unknown to science. The more a person dreads an activity, the higher its perceived risk and the more that person wants the risk reduced.[6]


I have observed that people are ready to take more risks when they think they are in control.  For example, we’re more willing to take risks when driving, rather than in trains or planes where someone else is in control. 

It’s interesting to recall that our risk of death per journey is the same in a car as it is in a plane.  Moreover, we are three times more likely to be injured in a car crash than in an air crash.  Yet, people worry about flying, but they don’t think about the car journey to get to the airport. 

Therefore, if we are to think rationally about risk, we must address those three factors of risk perception – and control. 

Three Risk Perception Factors

First, we must understand risk.  Risk assessment helps us to do this and can help us make objective decisions.

Second, we must recognize feelings of dread, for example, fear of radiation.  We must strive to understand the mechanisms that give rise to risks so that we can understand how to treat or control them. This should give us confidence, which will counteract dread.

(Also, we might explicitly identify the benefits of the risky activity.  This should help us to deal with dread rationally.) 

Third, we must estimate the number of people exposed to the risk.  Accidents with multiple casualties cause Societal Concern and get a lot of media attention, whereas the constant background of individual casualties in car accidents goes largely unreported.

Let’s Look at Control 

We often have the illusion that we are in control, and that this will prevent accidents.

The night I had my most serious car accident, I was hit by a drug/ drunk driver.  I had not lost control of my vehicle and I had done nothing wrong.  However, when the other car turned into my path, I could not avoid the collision. 

We need to give people a realistic view of how much they really control. 

If we can give people control, without real adverse effects, then so much the better.  Either that or take away control completely and make sure that users know this.

Many fatalities have resulted from users misunderstanding how much control they had – for example over ‘self-driving’ cars.  


All these factors are challenging to deal with. Moreover, there are a number of agents using social media to stoke and exploit public outrage. This is done for various purposes, which may have nothing to do with actual levels of risk (i.e. it may not reflect a genuine societal concern).

Perhaps we can learn from those who manage outrage for enterprises that need it?  

They work to actively and regularly present a rational view of risks and benefits.  This is intended to counter the sensationalist reporting that will arise from time to time.  Think of it as a regular vaccine of rationality against periodic outbreaks of emotional outrage.   

Risk: Averse, Adverse, or Appetite? Conclusion

Of course, there are no guaranteed solutions or magic answers to these questions.

We will always have a subjective and visceral reaction to danger.  This is a good thing, essential even.  It’s a very important survival skill, and we should be afraid of things that can hurt us.

Yet, to live without risk at all is simply not possible – we will all die of something.  Will we achieve something meaningful before that dread day comes?

To do anything requires us to take risks.  As individuals, as a society, we need to take risks to enjoy the benefits that result.  “Great empires are not maintained by timidity” as a Roman historian once said[7].  

As in so many things, we are looking for a balance. 

How much risk-aversion do you need to survive, versus how much risk appetite to thrive?

(For more on risk management, see the FAQ.)





[5] Les Hatton & Greg Warr, Conservation of Information in Proteins, Software, Music, Texts, the Universe and Chocolate Boxes, Heiland Lecture, Colorado School of Mines, 06 Mar 2018.




Due Diligence and Safety

In this article, I’m looking at Due Diligence and Safety in the USA, UK, and Australia. Why? Because Due Diligence is the root of so much that we should be doing in Safety.

Let’s start with the definitions of due diligence in the way that it applies to safety (because due diligence is a concept that has many different applications in business.)

Due Diligence in the United States of America

Definition of Due Diligence

1 (law): the care that a reasonable person exercises to avoid harm to other persons or their property …
Doing your due diligence: “… in this sense, it is synonymous with another legal term, ordinary care.”

Merriam-Webster Dictionary

That’s the definition from a popular US dictionary.

Workplace Safety in the USA

In the USA, the federal Occupational Safety and Health Administration (OSHA) governs health and safety in the workplace under the Occupational Safety and Health Act (OSH Act). As the USA is a federal state, what the Act and the Agency cover is complex, as follows:

  • The Agency covers most private sector employers in all 50 US states, either directly through the federal agency or through an OSHA-approved state plan – 22 states have such a plan;
  • Workers at state and local government agencies are not covered by the Agency, but have OSH Act protections if they work in those states that have an OSHA-approved state program;
  • The Agency protects workers of all federal agencies;
  • The Act does not cover the self-employed or the immediate family members of farm employers; and
  • The Act does not cover workplace hazards regulated by another federal agency (for example, the Mine Safety and Health Administration, the Department of Energy, or Coast Guard).[2]  

Are you confused?  I am!

Product Safety in the USA

To add to my confusion the US Consumer Product Safety Commission (CPSC) regulates the safety of some consumer products. It does so under thirteen different federal laws. These acts regulate, for example, child safety, flammable fabrics, art supplies, poisons, and refrigerators[3]. I can’t see any coherent pattern to what the CPSC regulates.

However, the US Federal Government tends not to manage product safety.  It is more often addressed via state legislation, which varies from state to state.  

Product safety is also dealt with through civil liability: victims sue you if your product hurts someone.  In other words “Product liability is the area of law in which manufacturers, distributors, suppliers, retailers, and others who make products available to the public are held responsible for the injuries those products cause.”[4]

There are different theories of liability, one of them being ‘strict liability’. “In criminal and civil law, strict liability is a standard of liability under which a person is legally responsible for the consequences flowing from an activity even in the absence of fault or criminal intent on the part of the defendant.”[5]

Back to Due Diligence

Now we circle back to due diligence: “due diligence is the only available defense to a crime that is one of strict liability … Once the criminal offence is proven, the defendant must prove on balance that they did everything possible to prevent the act from happening.”[6]

(I also note from that Wikipedia article that “It is not enough that they took the normal standard of care in their industry – they must show that they took every reasonable precaution.”  We now seem to be heading towards our old friend ‘reasonably practicable’ – but that’s another article!)

There is a big difference in the way that the USA manages workplace and product health and safety.  Due Diligence may be a useful concept in all these settings. However, I’m finding it very difficult to say what it means when applied to safety.

Due Diligence Around the World

It was also challenging to pin down due diligence and safety in the United Kingdom (and still is).

In 2007, the UK’s Health and Safety Executive (the national regulator, much like OSHA in the USA) published a useful study into Due Diligence[7].  This report looked at “whether the law in nine different countries imposes health and safety duties upon boardroom directors (and other senior managers)”.

Due Diligence in Nine Different Countries

It concluded that “seven out of nine countries contain safety legislation that imposes positive safety obligations upon either directors or senior managers of companies. These are: Germany, France, Italy, Sweden, Japan, Canada (four out of fourteen jurisdictions) and Australia (two out of nine jurisdictions).

Thus, the criminal law in these countries imposes safety obligations on directors or senior managers.  

Interestingly, the Report found that exercising “due diligence to prevent the commission of the offence” was often found to be a viable defense for company directors and senior managers in many jurisdictions.

Due Diligence in the United Kingdom

The report observed that, in 2007, “It is fair to say that the legislative framework for regulating occupational health and safety (OHS) in Great Britain appears unusual in not imposing positive duties on directors. The majority of the nine countries studied do have this kind of legislation.” 

The UK passed the Corporate Manslaughter and Corporate Homicide Act in 2007 – the same year as this Report – and it came into force in April 2008. The UK introduced it because of several failed prosecutions after high-profile fatal accidents. Before the Act, holding a company to account meant convicting an individual senior manager of gross negligence manslaughter, and such prosecutions often failed.

Whether the Due Diligence Report had any influence on the 2007 Act is hard to say. This Report is still the best result on the UK HSE’s website for ‘due diligence’ so not much seems to have changed.

Safety Law in Australia

Now Australia has an interesting mix of approaches derived from those in the USA and UK.

Australia is a Federation

Australia, like the USA, is a federal state.  Responsibility for health and safety generally resides with the states and territories.  The federal government only controls health and safety in federal workplaces or on federal land.  In Australia, we have a similar jurisdictional model to the USA, with all the complexity that can introduce.

US practices also influence Australian industry and commerce.  Safety requirements are often met by meeting specifications. (Whereas the UK uses a ‘safety by intent’ approach – another article I must write).  Thus, Australian safety practice often relies on certification against standards, as in the US. 

Australian Work Health and Safety Law

In Australia, we have adopted our own version of the UK Health and Safety at Work Act, 1974.  The Australian government introduced a much-refined version of UK law in 2011, some 37 years after the UK Act.

To achieve standardization across Australia, the Federal Government agreed with state and territory governments to introduce a model-based approach.

Safe Work Australia developed the Model WHS Act, Regulations, and Codes of Practice, collaboratively. Then the states and territories all agreed to adopt these centrally-developed articles of legislation.

States and territories were free to modify the Models as they saw fit. In general, the different jurisdictions have changed little, although Victoria has chosen not to implement WHS at all (thanks, Victoria, for being team players).

Unlike in the USA, Australian Work Health and Safety (WHS) legislation covers both workplaces and non-consumer goods. (Consumer goods are covered by other laws.)

This criminal law sets standards that manufacturers, designers, importers, and users must achieve when engineering, installing, commissioning equipment, and running it within a workplace.

Safety Due Diligence in Australia

In Australia, we are fortunate that the Work Health and Safety Act introduces a very specific and practical definition of what Due diligence is when applied to safety duties.

The Act says that Officers (company directors and senior managers) have additional duties. Officers must exercise ‘due diligence’. Under Division 4—Duty of officers, workers and other persons, Section 27, Duty of officers:

(1) If a person conducting a business or undertaking has a duty or obligation under this Act, an officer of the person conducting the business or undertaking must exercise due diligence to ensure that the person conducting the business or undertaking complies with that duty or obligation.

Australian WHS Act, 2011

We’re now talking about what is due diligence in the context of health and safety. I need to be precise about that. The term ‘due diligence’ appears in other Australian laws and can have different meanings. In this post, the definition of due diligence applies to WHS duties only.

We’ve got to do six things, in sub-paragraphs (a) to (f), to demonstrate due diligence. 

What does Due Diligence Mean (a & b)?

(5) In this section, due diligence includes taking reasonable steps:

(a) to acquire and keep up‑to‑date knowledge of work health and safety matters; and

(b) to gain an understanding of the nature of the operations of the business or undertaking of the person conducting the business or undertaking and generally of the hazards and risks associated with those operations; and

Section 27

Firstly, officers must acquire and keep up-to-date knowledge of work health and safety matters, their obligations, and so forth.

Secondly, officers must gain an understanding of the nature of their business’s operations and the risks they control.  If you’re a company director you need to know what the operation does.

You cannot hide behind “I didn’t know”, because it’s a legal requirement for you to know. There’s no pleading ignorance, because ignorance is, in fact, illegal: you’ve got to have a general understanding of the hazards and risks associated with those operations.

You don’t necessarily have to be up on all the specifics of everything going on in your organization, but you should know what your organization does, and you should be aware of the general hazards and risks associated with that kind of business.

What does Due Diligence Mean (c, d, e & f)?

                     (c)  to ensure that the person conducting the business or undertaking has available for use, and uses, appropriate resources and processes to eliminate or minimise risks to health and safety from work carried out as part of the conduct of the business or undertaking; and

Section 27

Now, thirdly, we are moving on. Basically, sub-paragraphs (c), (d), (e) and (f) refer to appropriate resources and processes. Officers have got to ensure that PCBUs have available, and use, appropriate resources and processes in order to control risks. That says you’ve got to provide those resources and processes, and there has to be supervision of their use.

Maybe you put in a Safety Management System that ensures people actually do use the stuff they should, to keep themselves safe.  And that’s very relevant because often people don’t like wearing, for example, Personal Protective Equipment (PPE) because it’s uncomfortable or slows you down, so the temptation is to take it off.

What does Due Diligence Mean (d)?

                     (d)  to ensure that the person conducting the business or undertaking has appropriate processes for receiving and considering information regarding incidents, hazards and risks and responding in a timely way to that information; and

Section 27

Moving on to part D, we’re still on the appropriate processes. We must have appropriate processes for receiving and considering information on incidents, hazards, and risks.  Again, we’ve got to keep up to date. What’s going on in our own plants and maybe similar plants in the industry? We need a process to respond in a timely way to that information.

If we discover a new incident or hazard that we didn’t previously know about, we need to respond and react to it quickly enough to make a difference to the health and safety of workers. That works together with sub-paragraph (b), doesn’t it? In parts (a) and (b) we need to keep up to date on the risks and what’s going on in the business. Also, in part (e), we need to ensure that the PCBU has processes for compliance with any duty or obligation and follows them, again to provide that stuff.

In the system safety world, often the designers will need to provide the raw material that becomes those processes. Or maybe if we’re selling a product, it comes with an instruction manual of all the processes needed.

What does Due Diligence Mean (e-f)?

                     (e)  to ensure that the person conducting the business or undertaking has, and implements, processes for complying with any duty or obligation of the person conducting the business or undertaking under this Act; and

                      (f)  to verify the provision and use of the resources and processes referred to in paragraphs (c) to (e).

Examples:  For the purposes of paragraph (e), the duties or obligations under this Act of a person conducting a business or undertaking may include:

(a)    reporting notifiable incidents;

(b)    consulting with workers;

(c)    ensuring compliance with notices issued under this Act;

(d)    ensuring the provision of training and instruction to workers about work health and safety;

(e)    ensuring that health and safety representatives receive their entitlements to training.

Section 27

Finally, the officers must verify the provision and use of these resources and processes (in Parts C, D, and E).  Thus, we’ve got a simple six-point program that comprises due diligence, but it’s quite demanding. There’s no shirking this stuff or pretending you didn’t know.  I suspect it’s designed to hang Company directors who neglect and harm their workers.

WHS, Vaccinations and COVID

Now part (e) is interesting, particularly in the age of the COVID pandemic.  Not only must Officers ensure that safety resources and processes are provided, but that they are used.  Many Australian governments and businesses are mandating COVID vaccinations for workers.

Some undertakings, for example, large sporting venues, are insisting that patrons are vaccinated too.  As Officers have safety duties under the WHS Act to protect visitors and the public, you can imagine why. 

Directors could be held criminally liable for workers, visitors, or even passers-by catching COVID.  As this is criminal law, no contractual arrangement (e.g. saying ‘enter at your own risk’ on a ticket) can override WHS obligations.

What Due Diligence is All About?

Let’s face it, this is all good common-sense stuff. We should be doing this anyway.

These requirements are only the minimum required for all businesses and undertakings in Australia. In any kind of high-risk industry, we should have a Safety Management System that does all of this and more.


Well, we’ve looked at due diligence as it applies to safety in many different countries. We’ve concentrated on the USA, the UK, and Australia, but Germany, France, Italy, Sweden, Japan, and Canada got honorable mentions as well.

The combinations of due diligence with criminal law, civil law, and safety are very confusing in the USA. It is largely non-existent in the UK. 

Only Australia has spelled out in law what due diligence means for safety.  You may not work in Australia, but I suggest that the clarity and practicality of the WHS Act definition on ‘due diligence’ are useful for safety practitioners everywhere.  

What does Due Diligence mean for Safety Practices where You are?


Hazard Logs and Hazard Tracking Systems

In this blog post and video ‘Hazard Logs and Hazard Tracking Systems’, I’m going to tell you about the benefits and features of Hazard Logs and Hazard Tracking Systems. I’m going to be covering these topics, which are the most commonly asked questions:

  1. What is a hazard log? (What is it, and what do we do with it?)
  2. The key elements of a hazard log (what needs to be in it to make it work)?
  3. Hazard log management (what do we need to do)?
  4. What about hazard log tools? (What can we use to create a hazard log?)
  5. What’s the difference between a hazard log and a risk assessment?
  6. What’s the difference between a hazard log and a risk register?

The Video: Hazard Logs and Hazard Tracking Systems

Watch the full, 35-minute lesson.

The Blog Post: Hazard Logs and Hazard Tracking Systems

Hi everyone, and welcome to the Safety Artisan.

I’m Simon and today we’re going to be talking about Hazard logs and hazard tracking systems.

As I said, we’re going to look at hazard logs and hazard tracking systems and we’re going to be answering the most popular questions.

The most often asked questions about Hazard logs and Hazard Tracking Systems that you will find on the internet. So that’s what we’re going to answer.

And this is going to be the first of three sessions on this subject.


Topics for this session. Right now commonly asked questions are:

  • What is a hazard log? What is it, and what do we do with it?
  • The key elements of a hazard log: what needs to be in it to make it work?
  • Hazard log management: what do we need to do?
  • What about hazard log tools? What can we use to create a hazard log?

Effectively now we’ll be looking at that in much more detail in sessions two and three but we’ll just go over the basics today and then also, some very common questions:

  • What’s the difference between a hazard log and a risk assessment? and
  • What’s the difference between a hazard log and a risk register?

And when I say Hazard Log, you can substitute Hazard Tracking System at all times.

They’re really one and the same thing, which we will talk about.

What is a Hazard Log?

That neatly brings us onto what is a hazard log.

And I’ve got a definition here which is actually from the UK Ministry of Defence guidance, but it doesn’t really matter where it came from; I’m just acknowledging the source.

But the definition is really useful in that it tells you what a hazard log is.

But also, it defines a hazard log in terms of what it does.

These are the benefits that a Hazard Log gives us.

It says a Hazard Log or a Hazard tracking system is a continually updated record of the hazards, accident sequences, and accidents associated with the system.

We’ll unpack that in just a moment.

It’s Not Just a Log!

But the point I want to make here, it’s a continually updated record. Okay? It’s a management tool.

It’s not a log. You know, I always think of the captain’s log in Star Trek, where the idea is that it’s just like a ship’s log, a recording of everything that’s happened.

Well, you can do that. You can have a very rigorous recording of who’s done what, when, and that’s all good.

But it’s not just a sort of dry dusty record that should sit on the shelf.

It’s a tool to help us manage risks associated with a system.

We’re managing a system, whatever it might be, it might be a physical system, a vehicle, it might be an enterprise business, it might be a piece of software, it might be an IT system, you know, where you’re a bank and you’re using an IT system to service all your customers, etcetera.

It could be any one of those things and a hazard tracking system that enables us to manage all the information that we need to look at risks associated with that system.

It’s worth saying that normally we use hazard logs for safety whereby we’re worried about harm to people, but that’s not their only application.

You can use a hazard log or a risk register in any application.

We might be talking about financial loss, damage to reputation, equipment, harm to the environment, all of these things.


What is the hazard log? Well, it’s structured and we’ll talk about structure in a moment.

Structure implies we’ve got lots of pieces of information, but they are linked together into a coherent structure.

And that’s very important. We’ll spend a lot of time talking about that later.

But those linkages really are the key to the hazard log.

It’s a structured means of storing and referencing, safety, risk evaluations, and other information relating to a piece of equipment or system.


A safety risk evaluation: the assumption is that we’ve done some risk analysis, and we’ve done some risk assessment, which is a structured series of risk analyses in order to look at the total picture of risk.

We’ve evaluated that risk against some kind of norm: we’ve said, you know, this is how much risk we’re willing to put up with, and that we can’t tolerate. That’s the evaluated bit; we’ve evaluated against some framework or benchmark.

Risk Reduction

It’s the principal means of tracking the status of all the hazards, decisions and actions to reduce risk, because typically we’re not doing this for the sake of it.

We’re doing this because we have risk and we need to manage that risk. And generally speaking, we want to reduce risk.

And there are other decisions to be made about How do we deal with risk?

You know, maybe we reduce it and live with it. Maybe we transfer it to somebody else if we can, or we get insurance for stuff that we’re not happy with, whatever it might be.

There are lots and lots of different approaches, but it’s all about tracking the status.

It’s the Key

We saw in the middle of the definition about storing and referencing risk evaluations. We’re probably referencing out to other documents to other artifacts that record and analyze the risk in detail.

But the hazard log is our key to finding all of those things.

We have references in there, and we can track the current status of where we think all these risks and hazards are: how much risk is there associated with our system?

That is what a hazard log is.

And as you can see, it’s defined by what it does, which is also the benefit of using a hazard log. They’re all one and the same thing. Let’s move on.

Key Elements of a Hazard Log #1

What are the key elements of a hazard log? I’ve got two slides on this.

First, you remember we talked about what goes in a hazard log: hazards, risks and everything to do with the accident sequence or accident sequences associated with the system.

Typically what we have in a hazard log is we have a bunch of hazards.

Now each hazard may have multiple causes. There might be a hardware failure, software failure, environmental issues that could give rise to a hazard; there might be erroneous human activity.

All sorts of causes can lead to one hazard.

And also, one hazard can lead to a number of different consequences. For example, if we have, if we’re thinking about a ship, we’ve got a hazard that says flooding, we’re getting water in where it’s not supposed to be.

Well, actually, you know, if the ship floods, people could drown inside the ship; the ship could founder, that is, get so full of water that it loses buoyancy and sinks; or the water could unbalance the ship and it could capsize. And those are just the accident outcomes.

Most of the time, if the hazard is present, nothing bad happens at all.  Some water gets in the ship. We don’t want it. Well, we pump the water out, most ships have got bilge pumps to get the water out or if it’s just a canoe, you take it out of the water, turn it upside down and you get the water out.

No problem. Consequences aren’t always harmful. They’re not always desirable, but they’re not always harmful either.

We can get a range of consequences, a range of causes, and one hazard in the middle.

And this representation is what’s called a bowtie analysis because it looks like a bow tie. I’m not recommending bowtie analysis, but it’s a great way to represent and explain an accident sequence. That’s all I’m using it for in this instance.

Key Elements of a Hazard Log #2

What do we typically have in a hazard log?

Accident Sequence

On the right-hand side here, you can see that we’ve got the progression from causes, through to hazard through to accidents or consequences.

And we will all have lots of hazards, probably lots and lots of causes, and some accidents.

They will all be linked, and there’s the accident sequence on the right-hand side, you know, this curve from bottom to top. As we can see, hazards are linked to accidents and hazards are linked to causes, but causes do not directly link to accidents, because you’ve always got to go via a hazard.

The definition of a hazard that we’re using here is that it is sufficient to cause an accident. But the accident isn’t inevitable just because the hazard exists.

If there is a banana skin, I’ve got rather a humorous comic version here, if there is a banana skin on the pavement and there are people walking on the pavement, yep, that’s a hazard.

An accident is perfectly possible, but it doesn’t mean it’s inevitable. People might walk around the banana or goodness knows somebody might pick it up and throw it away. The accident is not inevitable, but once the hazard is there, that’s enough. (As opposed to there being a banana skin in the bin, that’s not a hazard.)

Once we get to the Hazard, nothing else unusual needs to happen for somebody to get hurt.

That’s the accident sequence. Now, linked to causes, hazards, and maybe accidents, we have controls.


These are the things that stop the accident sequence from progressing and actually, maybe it’s if we go back to the previous slide.

It’s probably a little bit clearer here: we can imagine controls as vertical barriers between the causes, the hazard, and the consequences. And then, you know, there’ll probably be some controls at each stage.

We’ve got controls linking to all three, and controls are not perfect. Usually, they only reduce the severity of the accident or harm; others reduce the likelihood of harm.

We’re reducing risk all the time and in addition to those, we have references.


All of our entities in the hazard log, maybe they are more fully described in a document or some other artifacts.

Maybe we’ve done some modeling to determine how much risk there is. There is a computer model somewhere that says this is how we model the risk and therefore this is what we think the level of risk is.

We refer out to other things, which are under configuration control. They’re not just random bits of paper. They’re actually authorized, dated and version-numbered, and they’re stored somewhere safe.

But of course, I’m getting ahead of myself. Those are the documents.


Maybe we’ve got a database full of documents or maybe we’ve got physical documents or a mixture. The hazard log references those documents.

And if they are stored electronically, some hazard logs will give you the ability to hyperlink to those electronic documents.

You can go into the hazard log; you can follow the audit trail and then get back to the evidence, on which all of this is based. You’ve got a complete picture if you like of your safety case. Basically, you’ve got your argument here that you’ve managed all of the hazards appropriately.

Let’s say you’ve reduced the risk of your hazards down to an acceptable level, and that’s all documented and justified somewhere else, but you’ve got links to it.

Not all, in fact, the minority of Hazard logs in my experience, go that far, but it’s, you know, it’s an ideal to aim for. It requires a lot of discipline to link all the documents in and maintain that level of configuration control, but it can be done.

Those are the key elements of a hazard log.

Not all hazard logs will have all of those things. For example, some standards tell you that causes are optional. You don’t have to have causes. Maybe you won’t have hyperlinks to everything etcetera, etcetera.

But most of those things you will have. Personally, I would argue that causes are essential, but that’s another story; we’ll come to that later.

Managing Hazard Logs and Hazard Tracking Systems

Yeah, we talked about hazard log management in the sense of what a hazard log allows us to manage and what it allows us to do, more the benefits.

But how do we actually manage a hazard log day to day?

Well, somebody has got to look after the hazard log, an individual or a team of people maybe.

If we’re managing a complex system, things will be happening in the real world which we need to track. Maybe we’ve had incidents, maybe we’ve had near misses, maybe, unfortunately, we’ve had an accident. That information has got to be assessed, and we’ve got to put it in the hazard log.

You could have an incident register in your hazard log as well. Or maybe you’ve got a separate incident register, but we need to look at the incidents and we need to look at any trends that are going on and say, well, when we bought the thing or designed the thing, we thought that this hazard would pop up very infrequently, maybe once a year, but actually it’s happening once a month.

We need to change the probability of the hazard. An incident might be that a hazard has occurred but it hasn’t led to an accident; there’s been no actual harm, but we’ve noted that something untoward has happened.

We look at that and go, well, actually the probability is worse or better than what we thought it would be.

And we need to update that Hazard Log to keep track of that; those two things need to be done.

Decision Support

The reason that we’re doing this is the hazard log is there to support decisions made by people in authority. And those people in authority, need an accurate picture of the risk to say, well what is the real level of risk?

You know, we said we would go ahead and use the system because we thought the risk was down here.

Maybe now we realized there’s more risk in what we’re doing than we thought.

Can I accept that or do I have to reduce it?

And the hazard log helps us to rank risks and say these are the most important risks.

These are the biggest risks that we should be paying the most attention to because we should be reducing risk.

We should be continuously monitoring to say, you know, is the system running at an acceptable or an unacceptable level of risk?

And the hazard log helps to support those decisions by ranking risks amongst other things.

And then fourthly, we need to do quality control.

Quality Control

At the micro-level, we need to make sure that the data in the hazard log, the information is accurate. It’s up to date. It’s justified. We haven’t just got somebody’s best guess in there if we can do better.

That’s the kind of microscopic level, but there’s also, the sort of macro-level with quality control in that I’ve seen hazard logs that have been used as a dumping ground for all sorts of information.

That actually is nothing to do with hazards and risks. Okay?

And if that happens, you can end up with a bloated hazard log with hundreds or even thousands of entries and then that hazard log effectively becomes unusable.

It’s no longer fit for purpose because there’s so much information in there that we can no longer see the wood for the trees.

We can’t support sensible decision-making because we’re blinded by all this guff, information that isn’t really pertinent.

We need to do quality control at both those levels, and the one is dependent on the other.

Clearly, if we’ve got a hazard log that’s full of rubbish-quality information, then the trends and the decision-making advice that we’re getting are probably going to be rubbish as well.

But we’ve also got to be aware that if we don’t manage the hazard log properly, we could end up with something that just doesn’t work as a hazard log anymore.

Configuration Control

It’s just got too bloated. A big part of that, and of both micro- and macro-level quality control, is the fifth bullet: configuration control.

We control the hazard log. We don’t allow just anybody to shove random information in there; we make sure that only authorized people are putting in authorized information, which has been quality checked.

We are confident that it’s the best quality that we can get. It’s justified.

There’s some evidence that justifies the decisions that we’re making on what we’re putting in the hazard log.

That configuration control is very, very important, and it’s one of the reasons for having an automated tool, a specialist tool that will do a lot of these things, or help you do a lot of these things, for you.

It’ll help you with the discipline of hazard log management.


I’ve mentioned tools, here’s a screenshot of actually quite an old tool.

Now it’s quite difficult to get hold of Cassandra but that doesn’t really matter, it’s just an illustration.

This is the kind of view that you get from a purpose-built hazard log tool. It’s built upon a database.

And on the left-hand column here you’ve got some summary information you can get an overview of how many accidents hazards causes and controls, etcetera. You’ve got some numbers tracking [how many hazards there are at] their different status[es] as they go through the life cycle.

And then typically at the top here we’ve got some basic information title, description, who put it in, what’s the likelihood for example, and then at the bottom on this version we’ve got here is an overview of all the links to other things.

[Here we are, you can see we are in what were we in? We’re in a test hazard.]

We’ve got links to accidents, controls, causes, references, and history in this database and we can link all of those things together to get that structure to get a picture.

Tool Types

Once we have that structure we can start at any point in the hazard log, you know, we’ve had an incident and then we can follow it through, we can follow the links through to find all the pertinent information, and essentially that’s what the structure does for us.

We might be using a database; very often we might be using a spreadsheet; or we might be using a commercial tool as a hazard log or a risk register. Indeed, that might be part of a suite of tools that does various things, where we’re linking risk management to configuration management to product management, to whatever it might be.

We might have a suite of tools.

Now, in the second session of these three lessons, I’m going to be talking about commercial tools that are all based on databases.

I’m going to be talking about what you get with a fully-featured commercial hazard log tool or hazard tracking tool.

Spoiler Alert – Spreadsheets!

And then in the third session, I’m going to be talking about how you implement some of that in a spreadsheet.

Now, it’s important to remember, if we go back up to what we have here, the key elements we looked at: what we’ve got here is a set of relations, and if we store this, what we have is a relational database.

We’ve got many-to-many linkages between different entities.

Okay now, strictly speaking, we must have a database to do that properly.

However, most people use a spreadsheet which I know is not a relational database, but if you observe certain rules, you can have a spreadsheet that does some of what a relational database will do and if you are careful to observe the discipline of setting up the spreadsheet correctly and not corrupting it, then you will get most of the functionality of the database.

Now I can hear the purists howling at me as I say that, but in the real world, most people use a spreadsheet.

I’m sorry. That’s the dirty little secret in safety management. Let’s move on.

Hazard Log Versus Risk Assessment

We’re going to talk now about hazard log versus risk assessment.

These are two very different things, but they are related. On the left there we have risk assessment, as defined in most standards.

This diagram is based upon the ISO-31000 which is a very, very common unified risk standard. And in it, risk assessment is defined as risk identification, risk analysis, and risk evaluation.

That is risk assessment. 

Now the Hazard Log doesn’t do risk assessment but it supports risk assessment, it enables you to store the results. Okay?

You can record the results of the risk assessment, you can also, record the risk treatments. (That’s another word for controls, all the controls and risk reduction measures that you’ve taken.)

You can record the context in there as well.

The Log Enables Good Risk Assessment

And then the hazard log enables good communication and consultation because certainly the commercial hazard log tools or if you make a database or make a hazard log with a database, you can use the database functionality to generate bespoke reports for different stakeholders.

The hazard log supports good communication and consultation, which is excellent. You’ve got to do that.

And it also supports monitoring and review, because we’ve got the structure: we can review different aspects, we can review the risks, the hazards, the controls, and the structure of the database and the way the hazard log presents things helps us to do that.

That is the relationship of a hazard log with risk assessment.

A hazard log is an entity, it’s a thing. Risk assessment is an activity or a series of activities, but they do go together very well.

One supports the other, right?

What’s the Difference between a Hazard Log and a Risk Register?

Now another very commonly asked question is what’s the difference between a hazard log and the risk register? And the answer is in many ways not very much.  They’re both doing basically the same thing. If we go back to, you know, I talked about Hazard log supports this risk process.

Well, this is a generic risk process; you can apply it to anything. If you had a risk register, it would support the risk process just the same.

That’s the purpose of the risk register. It’s very, very similar to a hazard log.

Hazard Log Differences

However, there are differences. Typically, we are using a hazard log to track safety impacts.

Now, strictly speaking, for safety I prefer the definition where we’re talking only about harm to people. In most jurisdictions of the world, when we talk about safety, the law says we have to protect people; that’s safety law.

And then there are usually other laws for protecting the environment and then as a business or an enterprise, we might want to protect valuable assets as well.

But the core of it is protecting people.

And a hazard log or hazard tracking system is also hazard-centric. You remember the bow tie: the hazard is there in the middle, it’s the core of everything that we do, and it’s the hazards that tie multiple causes and multiple consequences together.

It really is the key to understanding that structure and all those many-to-many relationships.

Risk Register Differences

The thing about a risk register is that we can use it for risks to, or impacts on, just about anything.

I think the ISO-31000 standard defines risk as ‘the effect of uncertainty on objectives’. Whatever you’re doing, if you’ve got a project, you know, you want to deliver something specific at a specific time to a specific cost.

Well, you can look at the risks to those objectives if your objective is ‘business as usual’, you just want to keep things running your enterprise running steadily.

Your risk register can look at all the risks that might trip up your enterprise and stop it from working.

Also, you can use it for continuous improvement.

Although usually when we talk about continuous improvement, we start talking about models, like the classic CMM, the Capability Maturity Model. There are various flavors of CMM around the world to do safety, security, finance, all kinds of things. We’ve fallen in love with maturity models. That’s really taking risk management and improvement to the next step.

But of course, to just take the first step on the ladder, we’ve got to start managing stuff and recording stuff consistently. Without those basic things, continuous improvement cannot happen. We need a risk register and/or hazard log to do all of that.

Those are some key differences between hazard logs and risk registers. In reality, they are really quite similar.

Risk Events AKA Hazards?

Some risk registers incorporate the idea of a risk event. Well, funnily enough, that sounds rather like a hazard to me. We’ve got all of these latent causes lying around. We’ve got a risk event or a trigger and then that can realize the risk. If you’ve got a risk register that supports that concept, it’s pretty, it’s almost identical to a hazard log.

That’s Hazard logs versus risk registers.

There’s More to Come…

That is the end of today’s session. Thanks very much for listening. I hope you enjoyed it. And there’s more to come.

Further Sessions on Hazard Logs and Hazard Tracking Systems

As I said before, in the second session we’re going to look at the features and benefits of commercial hazard log tools.

I showed you a screenshot, what would a fully-featured, purpose-designed database tool do for you and why would you want to do that?

And if you’re managing a particularly complex or demanding system, it will be worth going to the expense of either buying a tool or designing your own hazard log in a proper relational database. 

I’ve seen lots of hazard logs implemented in DOORS, for example, which is a requirements management tool; but of course, some of your requirements are not to hurt people. You can integrate a hazard log into DOORS or into another requirements management tool, provided you set it up properly.

Now, that brings us neatly onto the third session, which is: how do we make a proper hazard log in a spreadsheet?

How do we put a hazard log in a spreadsheet without breaking the fundamental rules?

Because we can set up tables (tabs in a spreadsheet), where each table is a list of entities, be it causes, hazards, controls, references, whatever it might be.

Each one of those is an independent table, and then they are linked to each other properly using the primary key in each table. So, just as a database does it, we can do that in a spreadsheet, more or less.

Excel, for example, isn’t going to give you all of the features of a properly set up relational database tool, but for most people it will probably be enough. You’re also going to rely on a lot of self-discipline when controlling and operating a hazard log in a spreadsheet, but we’ll talk about that in the third session.
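The linked-tables idea from the spreadsheet discussion, as an added example that is not the Safety Artisan’s own tool or spreadsheet: a minimal hazard log in SQLite where causes, hazards, controls and references each get their own table with a primary key, and link tables join them by those keys alone. The table names, identifiers (H-001, C-001, K-001, R-001) and sample rows are constructed for illustration.

```python
"""Minimal relational hazard log in SQLite.

Added example, not the Safety Artisan's own tool or spreadsheet.  Each entity
type (hazard, cause, control, reference) is its own table with a primary key,
and link tables carry only those keys, the structure the lesson describes for
separate spreadsheet tabs linked by primary key.  All identifiers and sample
rows below are constructed for illustration.
"""
import sqlite3

SCHEMA = """
CREATE TABLE hazard    (hazard_id  TEXT PRIMARY KEY, title TEXT NOT NULL);
CREATE TABLE cause     (cause_id   TEXT PRIMARY KEY, title TEXT NOT NULL);
CREATE TABLE control   (control_id TEXT PRIMARY KEY, title TEXT NOT NULL);
CREATE TABLE reference (ref_id     TEXT PRIMARY KEY, title TEXT NOT NULL);
-- Link tables: one row per relationship, keys only, no duplicated text.
CREATE TABLE hazard_cause (
    hazard_id TEXT NOT NULL REFERENCES hazard(hazard_id),
    cause_id  TEXT NOT NULL REFERENCES cause(cause_id),
    PRIMARY KEY (hazard_id, cause_id));
CREATE TABLE hazard_control (
    hazard_id  TEXT NOT NULL REFERENCES hazard(hazard_id),
    control_id TEXT NOT NULL REFERENCES control(control_id),
    PRIMARY KEY (hazard_id, control_id));
CREATE TABLE control_reference (
    control_id TEXT NOT NULL REFERENCES control(control_id),
    ref_id     TEXT NOT NULL REFERENCES reference(ref_id),
    PRIMARY KEY (control_id, ref_id));
"""

# Constructed sample rows (hypothetical IDs, not taken from any real log).
HAZARDS = [("H-001", "Uncontrolled release of stored pressure"),
           ("H-002", "Operator exposed to moving machinery")]
CAUSES = [("C-001", "Interlock bypassed during maintenance"),
          ("C-002", "Guard not refitted after servicing"),
          ("C-003", "Pressure relief valve seized")]
CONTROLS = [("K-001", "Lock-out/tag-out procedure"),
            ("K-002", "Guard interlock with key exchange"),
            ("K-003", "Annual relief valve proof test")]
REFERENCES = [("R-001", "Maintenance manual MM-01 (constructed reference)")]
HAZARD_CAUSE = [("H-001", "C-003"), ("H-002", "C-001"), ("H-002", "C-002")]
HAZARD_CONTROL = [("H-002", "K-001"), ("H-002", "K-002")]  # H-001 deliberately has none
CONTROL_REFERENCE = [("K-001", "R-001")]


def open_hazard_log() -> sqlite3.Connection:
    """Build the log in memory with referential integrity switched on."""
    conn = sqlite3.connect(":memory:")
    # This is the discipline a spreadsheet cannot enforce for you: a link row
    # may only point at a key that exists in the entity table.
    conn.execute("PRAGMA foreign_keys = ON")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO hazard VALUES (?, ?)", HAZARDS)
    conn.executemany("INSERT INTO cause VALUES (?, ?)", CAUSES)
    conn.executemany("INSERT INTO control VALUES (?, ?)", CONTROLS)
    conn.executemany("INSERT INTO reference VALUES (?, ?)", REFERENCES)
    conn.executemany("INSERT INTO hazard_cause VALUES (?, ?)", HAZARD_CAUSE)
    conn.executemany("INSERT INTO hazard_control VALUES (?, ?)", HAZARD_CONTROL)
    conn.executemany("INSERT INTO control_reference VALUES (?, ?)", CONTROL_REFERENCE)
    conn.commit()
    return conn


def hazard_summary(conn: sqlite3.Connection, hazard_id: str):
    """Return (title, cause titles, control titles) for one hazard, joined
    purely through the keys held in the link tables."""
    row = conn.execute("SELECT title FROM hazard WHERE hazard_id = ?", (hazard_id,)).fetchone()
    if row is None:
        raise KeyError(hazard_id)
    causes = [r[0] for r in conn.execute(
        "SELECT c.title FROM cause c JOIN hazard_cause hc ON hc.cause_id = c.cause_id "
        "WHERE hc.hazard_id = ? ORDER BY c.cause_id", (hazard_id,))]
    controls = [r[0] for r in conn.execute(
        "SELECT k.title FROM control k JOIN hazard_control hk ON hk.control_id = k.control_id "
        "WHERE hk.hazard_id = ? ORDER BY k.control_id", (hazard_id,))]
    return row[0], causes, controls


def uncontrolled_hazards(conn: sqlite3.Connection) -> list:
    """Hazards with no linked control: the gap that a flat one-tab list tends to hide."""
    return [r[0] for r in conn.execute(
        "SELECT h.hazard_id FROM hazard h LEFT JOIN hazard_control hk ON hk.hazard_id = h.hazard_id "
        "WHERE hk.control_id IS NULL ORDER BY h.hazard_id")]


def link_rejected(conn: sqlite3.Connection, hazard_id: str, control_id: str) -> bool:
    """True if the database refuses a hazard-control link whose key does not exist.
    Any successful trial insert is rolled back so the log is left unchanged."""
    try:
        conn.execute("INSERT INTO hazard_control VALUES (?, ?)", (hazard_id, control_id))
    except sqlite3.IntegrityError:
        conn.rollback()
        return True
    conn.rollback()
    return False


if __name__ == "__main__":
    log = open_hazard_log()
    for hid, _ in HAZARDS:
        print(hid, hazard_summary(log, hid))
    print("uncontrolled:", uncontrolled_hazards(log))
    print("dangling link rejected:", link_rejected(log, "H-001", "K-999"))
```

The same tabs and key columns can be laid out in a spreadsheet; what the spreadsheet will not do is reject the dangling link that `link_rejected` catches here, which is where the self-discipline comes in.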

I talk about lots and lots of safety and risk-related things and some security risk stuff as well at

Please do go and visit, and please subscribe for email updates. You can get some free handouts and also some discounts. Stay in touch with what I’m doing and the lessons and handouts that I’m producing.

Do please subscribe, and it just remains for me to say thank you very much. This lesson was on hazard logs and hazard tracking systems.

I’m Simon and thank you for watching ‘Hazard Logs and Hazard Tracking Systems’ on the Safety Artisan.


FAQ on Risk Management

In this FAQ on Risk Management, I will point you to some lessons where you will get some answers to basic questions.

Lessons on this Topic

Welcome to Risk Management 101, where we’re going to go through these basic concepts of risk management. We’re going to break it down into the constituent parts and then we’re going to build it up again and show you how it’s done.

So what is this risk analysis stuff all about? What is ‘risk’? How do you define or describe it? How do you measure it? In Risk Basics I explain the basic terms.

Risk Analysis Programs – Design a program for any system in any application. You’ll be able to:

  • Describe fundamental risk concepts;
  • Define what a risk analysis program is;
  • and much more…

If you don’t find what you want in this FAQ on Risk Management, there are plenty more lessons under Start Here and System Safety Analysis topics. Or just enter ‘risk’ into the search function at the bottom of any page.


Functional Safety Start Here

Functional Safety

The following is a short, but excellent, introduction to the topic of ‘Functional Safety’ by the United Kingdom Health and Safety Executive (UK HSE). It is equally applicable outside the UK, and the British Standards (‘BS EN’) are versions of international ISO/IEC standards – e.g. the Australian version (‘AS/NZS’) is often identical to the British standard.

My comments and explanations are shown [thus].

[Functional Safety]

“Functional safety is the part of the overall safety of plant and equipment that depends on the correct functioning of safety-related systems and other risk reduction measures such as safety instrumented systems (SIS), alarm systems and basic process control systems (BPCS).

[Functional Safety is popular, in fact almost ubiquitous, in the process industry, where large amounts of flammable liquids and gases are handled. That said, the systems and techniques developed by and for the process industry have been so successful that they are found in many other industrial, transport and defence applications.]

SIS [Safety Instrumented Systems]

SIS are instrumented systems that provide a significant level of risk reduction against accident hazards.  They typically consist of sensors and logic functions that detect a dangerous condition and final elements, such as valves, that are manipulated to achieve a safe state.

The general benchmark of good practice is BS EN 61508, Functional safety of electrical/electronic/programmable electronic safety related systems. BS EN 61508 has been used as the basis for application-specific standards such as:

  • BS EN 61511: process industry
  • BS EN 62061: machinery
  • BS EN 61513: nuclear power plants

BS EN 61511, Functional safety – Safety instrumented systems for the process industry sector, is the benchmark standard for the management of functional safety in the process industries. It defines the safety lifecycle and describes how functional safety should be managed throughout that lifecycle. It sets out many engineering and management requirements; however, the key principles of the safety lifecycle are to:

  • use hazard and risk assessment to identify requirements for risk reduction
  • allocate risk reduction to SIS or to other risk reduction measures (including instrumented systems providing safety functions of low / undefined safety integrity)
  • specify the required function, integrity and other requirements of the SIS
  • design and implement the SIS to satisfy the safety requirements specification
  • install, commission and validate the SIS
  • operate, maintain and periodically proof-test the SIS
  • manage modifications to the SIS
  • decommission the SIS

BS EN 61511 also defines requirements for management processes (plan, assess, verify, monitor and audit) and for the competence of people and organisations engaged in functional safety.  An important management process is Functional Safety Assessment (FSA) which is used to make a judgement as to the functional safety and safety integrity achieved by the safety instrumented system.

Alarm Systems

Alarm systems are instrumented systems designed to notify an operator that a process is moving out of its normal operating envelope to allow them to take corrective action.  Where these systems reduce the risk of accidents, they need to be designed to good practice requirements considering both the E,C&I design and human factors issues to ensure they provide the necessary risk reduction.

In certain limited cases, alarm systems may provide significant accident risk reduction, where they also might be considered as a SIS. The general benchmark of good practice for management of alarm systems is BS EN 62682.

BPCS [Basic Process Control Systems]

BPCS are instrumented systems that provide the normal, everyday control of the process.  They typically consist of field instrumentation such as sensors and control elements like valves which are connected to a control system, interfaced, and could be operated by a plant operator.  A control system may consist of simple electronic devices like relays or complicated programmable systems like DCS (Distributed Control System) or PLCs (Programmable Logic Controllers).

BPCS are normally designed for flexible and complex operation and to maximize production rather than to prevent accidents.  However, it is often their failure that can lead to accidents, and therefore they should be designed to good practice requirements. The general benchmark of good practice for instrumentation in process control systems is BS 6739.”

[To be honest, I would have put this the other way around. The BPCS came first, although they were just called ‘control systems’, and some had alarms to get the operators’ attention. As the complexity of these control systems increased, cascading alarms became a problem and alarms had to be managed as a ‘thing’. Finally, the process industry added further systems when the control system/alarm system combo became inadequate, and thus the terms SIS and BPCS were born.]

[It’s worth noting that for very rapid processes, where a human either cannot intervene fast enough or lacks the data to do so reliably, the SIS becomes an automatic protection system, as found in rail signalling systems or ‘autonomous’ vehicles. Also, for domains where there is no ‘fail-safe’ state, for example aircraft flight control systems, the tendency has been to engineer multiple, redundant, high-integrity control systems rather than use a BPCS/SIS combo.]


The above text is reproduced under Creative Commons Licence from the UK HSE’s webpage. The Safety Artisan complies with such licensing conditions in full – for details see here.

[Functional Safety – END]


Preliminary Hazard Identification & Analysis Guide

Get your free Preliminary Hazard Identification & Analysis, PHIA Guide here!


Hazard Identification is sometimes defined as: “The process of identifying and listing the hazards and accidents associated with a system.”

Hazard Analysis is sometimes defined as: “The process of describing in detail the hazards and accidents associated with a system and defining accident sequences.”

Preliminary Hazard Identification and Analysis (PHIA) helps you determine the scope of safety activities and requirements. You can identify the main hazards likely to arise from the capability and functionality being provided. Perform it as early as possible in the project life cycle. Thus, you will provide important early input to setting Safety requirements and refining the Project Safety Plan.

PHIA seeks to answer, at an early stage of the project, the question: “What Hazards and Accidents might affect this system and how could they happen?”


The aim of the PHIA is to identify, as early as possible, the main Hazards and Accidents that may arise during the life of the system. It provides input to:

  1. Scoping the subsequent Safety activities required in any Safety Plan. A successful PHIA will help to gauge the effort likely to be required to produce an effective Safety Case, proportionate to the risks.
  2. Selecting or eliminating options for subsequent assessment.
  3. Setting the initial Safety requirements and criteria.
  4. Subsequent Hazard Analyses.
  5. Initiating the Hazard Log.


Perform a PHIA as early as possible in order to obtain maximum benefit. Use it to understand what the Hazards and Accidents are, why, and how they might be realized. A PHIA is an important part of Risk Management, project planning, and requirements definition. It helps you to identify the main system hazards and helps target where a more thorough analysis should be undertaken.

Usually, PHIA is based on a structured brainstorming exercise, supported by hazard checklists. A structured approach helps to minimize the possibility of missing an important hazard. It also demonstrates that a thorough and comprehensive approach has been applied.


Find more on basic safety topics at Start Here.

Cybersecurity Start Here

My CISSP Exam Journey

Here is a video about my CISSP exam journey.

I’ve just passed the Certified Information Systems Security Professional (CISSP) Exam…

I’ve just passed the Certified Information Systems Security Professional (CISSP) Exam, which was significantly updated on 1st May 2021. In this 30-minute video I will cover:

  • The official CISSP course and course guide;
  • The 8 Domains of CISSP, and how to take stock of your knowledge of them;
  • The official practice questions and the Study Guide;
  • The CISSP Exam itself; and
  • Lessons learned from my journey.

I wish you every success in your CISSP journey: it’s tough, but you can do it!

To get a full course on what’s new in all eight Domains of the CISSP Exam outline Click Here.

Transcript: My CISSP Exam Journey


My CISSP Exam Journey

Hi, Everyone,

My name is Simon Di Nucci and I’ve just passed the new CISSP exam; for those of you that don’t know what that is, that’s the Certified Information Systems Security Professional. It’s new because, although the exams have been around a long time, the syllabus and the exam itself have undergone a significant change as of the 1st of May this year. I’m probably one of the first people to pass the new exam, which I have to tell you was a great relief, because it was a tough exam and it was tough preparing for it.

It was a big mountain to climb. I am very, very relieved to have passed. Now, I hope to share some lessons with you. When I mentioned that I passed on the cybersecurity groups on Facebook and LinkedIn, I got a huge response from people who appreciated how difficult it is to do this and also lots of questions. And whilst I can’t talk about the specifics of the exam, that’s not allowed, I can share some really useful lessons learned from my journey.


So I’m going to be talking about what I did:

  1. The Official Course, and the Student Guide;
  2. How I took stock at the start of the revision process;
  3. How I revised using the practice questions and the Study Guide;
  4. Something about the exam itself; and
  5. Lessons learned.

So those are the five topics that I’m going to be talking about.

The Official Course

So let’s get on with it.  My journey was that two, three years ago, the firm that I worked for decided that they wanted me to take the CISSP exam in order to improve our credibility when doing cybersecurity and my credibility.

And I was sent on a five-day course, which was very intense; it was the official (ISC)² course. That was several hundred slides a day for five days. It was very intense. And as you can see, the guide that you get is a pretty hefty eight hundred pages of closely packed and high-quality material. I was taught by someone who was clearly a very experienced expert in the field.

It was a good quality course. It cost about $3,700 (Australian). I think that’s about $2,500 (US). In terms of the investment, I think it was worth it because it covered a lot of ground and I was very rusty on a lot of this stuff. It was a useful ‘crammer’ to get back into this stuff. As I said, [the Study Guide is] 800 pages long. I’ve done a lot of revising!

And if we pick a couple of pages at random: I’m the kind of person who likes to highlight the book, and I’ve been all the way through this book at least twice, highlighting as I go and making notes. That’s just the way I do things. But I think it’s useful to illustrate the effort involved in order to absorb a huge tome of information like this.

Let’s put that to one side. The course was very good, but of course it takes some time out of your schedule to do it. You need the money and the support from your workplace to be able to do that. There are now online courses, which I haven’t been on, so I can’t say how good they are, but they are cheaper and they’re spread out. I think you do a day or two per week for a period of several weeks.

And I think that’s got to be really good, because you’re going to have more time to consolidate this huge amount of information. No disrespect to the face-to-face course; it was very good. I think the online courses could be even better and a lot more accessible. So that was the course. Now, I did that in November 2019 and I intended to do some revision and then take the exam probably in early 2020, March or April time.

Now, as we know, global events got in the way of that and all the exam centres were closed down. I couldn’t do that. Basically, I sort of forgot about it for a period of months. And then at the tail end of 2020, as things began to improve here in Australia at least (we’ve been very lucky here), exam centres reopened and I thought, well, I really should get back and try and schedule the exam and do some revision and get on with it.

So I did. And starting in the January of this year, I got my management’s agreement that I would spend one day a week working from home, revising, and that’s what I did. Given that I took the exam in the middle of May, that’s probably 18 full days of revision going through the material, and I needed it. Originally, I was going to take the exam, I think, in early April, but I realised at the end of March that I was not ready and I needed more time.

So I put the exam date back to the middle of May. And it was only after I’d done that that it was announced that the syllabus of the exam was changing quite significantly. That was extra work then. Fortunately, they brought out the official guide to the new exam, and I realised that there was quite a lot of material to learn. I went through it; for example, there are eight domains in CISSP.

And for example, here’s Domain Number Two, Asset Security. In the pink, I have highlighted all the new things that are in the 1st of May Edition syllabus that were not in the 2018 syllabus. And I went through all of these things and there are quite a few in almost every domain except the first one. There are significant changes. I had to do a lot of extra revision because the syllabus had changed, but nevertheless it was doable.

Taking Stock

Going back to January 2021, I started off by getting out the Official Practice Tests. Fortunately, my firm bought this book and the Study Guide, which we will come on to in a minute. This [the Official Practice Tests book] is $40 (US) and it’s worth its weight in gold, because in here there are 1,175 practice questions. There are 100 questions for all eight of the domains. Plus there are three practice papers of 125 questions each, a total of 1,175 questions.

It was very, very useful to me because, out of the eight domains I had some background in four, but not in the other four. Just to let you know, I did 20 years in the Air Force. I worked in software maintenance. In my day job I’m a safety risk assessor, so I’m pretty good at risk assessment and governance.

So domain Number One, Security and Risk Management.  There are a lot of similarities with safety. I had a lot of experience of security in the forces, I was pretty good on Number One. Domain Number Two, Asset Security. Again, I was used to working in an area where we were protecting a lot of classified material. I had a strong background in that. And then jumping to the end, Domain Number Seven, Security Operations: physical security, disaster recovery, that kind of stuff.

Again, I’ve got a lot of background there. And then finally, Software Development Security. I hadn’t been involved in the development of secure software, but I’ve been involved in software development on a massive scale as well as in maintenance for military systems, which was done in a secure environment. I had a pretty strong background in those four domains, Numbers One, Two, Seven and Eight.

However, the middle four domains I was quite weak on. So Security, Architecture and Engineering, all the networking type stuff, Communications and Network Security, Identity and Access Management (IAM), and Security Assessment and Testing – I had not really been involved in that stuff much at all. I was quite weak in those areas.

When I started revising, as you can see basically in the first column, I did ten questions from each domain and I scored myself to see how I got on. And as you can see, the green indicates that I got the score required, which is seventy percent.

I only got seven out of ten in three out of eight domains. And in fact my scores varied widely. In Domain Number Four, I got one out of ten; in Domain Number Six, I got three out of ten. Overall I got, I think, forty-three out of eighty, and the pass mark out of eighty questions would be about fifty-six. I was well, well short of the pass mark at the beginning, but this was very useful because it allowed me to take stock and confirm what I was strong in and what I was weak in.

And then that helped me to focus my revision. And then as you can see, I continued to test myself as I went through the process. And again, this confirms what I’ve said: in Domains One and Two, lots of green all the way through; Domains Seven and Eight, lots of green all the way through. Not always; I did stuff up there. There we go, I stuffed up that one there, as you can see, only got six out of ten. But I was much, much weaker in the middle.

And it took a lot of work before I was getting a consistent seven out of ten on every domain. And I did about four hundred and eighty of those practice questions, plus I did a couple of the practice papers, so I probably did about six hundred questions and then looked at where I’d gone wrong. That was quite a tough process, but as I say, the official practice tests are really, really excellent and really pointed out to me what I didn’t know and further work that I needed to do.

So that was taking stock.

Practice Questions

I looked at the practice questions. Unfortunately, one of the things that I learned while doing the practice questions was that a lot of questions were testing knowledge that I had not been taught in the course. I looked at a total of about 400 questions and I found that the amount of material that was not talked about in the Official Course was about 20 percent overall (I would say in some domains it was lower).

So Domain One, I reckoned about 14 percent of the questions were on untaught material, and in Domain Three, it was about 16 percent. But actually, that varied: in Domain Four about one third of the questions tested knowledge that wasn’t taught in the course, and Domain Six went up as high as 45 percent. On average, maybe twenty to twenty-five percent of the material in the practice questions was not covered in the green and white Student Guide that I showed you.

So that was a bit of a shocker, to be honest. I was horrified about that. But it did spur me to go and learn a whole bunch of other stuff, and fortunately, almost everything that was missing from the Student Guide (the green and white book) was in this [book]. I refer to this as the black book because it’s got a black spine. It’s got a black and white cover. This is the Official Study Guide.

This is $70 (US) or $110 (Australian), something like that. Again, this is worth its weight in gold. This is a thousand pages of very dense material. There’s an awful lot of good stuff in here. And in fact, I think there are twenty-one chapters and there are about 20 practice questions for each chapter. There’s another 400 plus practice questions in this book alone. Again, it’s well worth getting.

And this book has got a lot of information in it that is not in the official course, or was not in the course that I did in late 2019. Of course, I can’t speak for other courses. The material in here is also very readable and it tells a story. The Student Guide, the green and white book, really is about cramming information into you. But when you read this book, it really helps you consolidate information.

I found this very, very helpful and I found that the way the information was got across in this book is much more helpful. It told the story. It explained why things are as they are, and that really helped the information to go into my head and stay there, OK? And that was terrifically helpful for the exam. I would not have passed the exam without this book, I have no doubt whatsoever, and I would not have passed the exam if I had not done so many practice questions.

And I really don’t think it matters what background you’ve got. The exam is so broad and the syllabus is so broad that it doesn’t matter what experience you’ve got. You’re not going to have the full breadth of knowledge that you need to pass the exam unless you use the study materials: seventy US dollars as opposed to two thousand five hundred, that’s really good value for money. And again, forty US dollars as opposed to two thousand five hundred, really good value.

So that’s by the way, I am not an affiliate of (ISC)2. I’m not making any money out of it. I’m just telling you the way it was for me. That was my revision process from January through to early May, and I got a lot better and a lot more consistent answering the questions, which was good. But then, of course, it came to the day of the exam itself. Excuse me.

Doing the Exam

I took the exam in English, which is a computer-based test. There are up to, I think, 125 multiple-choice questions. There are four potential answers for each question, but the Computer Adaptive Testing (CAT) takes account of how well you do the questions, and you don’t necessarily get to answer all 125. The exam stops when it’s ready, when the computer has assessed whether you’ve passed or failed.

So a quick word about going to the exam. It was a very professional set-up. I went to a centre in the centre of Adelaide, where I live. Do read very carefully the information they give you about what you need. You need to take two forms of I.D. and to wear a face mask. Even though we’re very relaxed here about COVID, I still had to wear a face mask. You’ve got to submit to a palm scan (an ID scan), and put all your stuff in a locker.

They check you very thoroughly to make sure you’re not cheating in any way, and that security all takes time. You’ve got to arrive half an hour early. Do arrive early. Do look up all the information about what you need before you turn up. Here in Australia, wearing face masks is not very common because we have no community transmission, so it was a surprise to some people when they rocked up to the exam centre and got told you have to wear a mask. Wherever you are, do look up what you’ve got to do, because obviously nobody wants to be rushing around trying to get a face mask at the last minute. That’s just not what you need when you’ve got to take a big exam.

The exam was three hours, very tightly controlled, as I say, very professional. I’m not going to tell you anything about the specific exam questions, but what I can tell you is that the exam was a lot better in many ways than the practice questions.

There’s a lot of practice questions that make you wonder, what is the point of them? There’s lots of questions where you have to choose between different categories, based on, say, what category of fire extinguisher do you need for such-and-such a fire? What type of testing is this? Is it ‘Type One’ or ‘Type Two’? Or what type of failure is this? Lots of rather mechanistic questions. I was looking at these questions and thinking, what on earth for? Why would you need to know this to do cybersecurity? It doesn’t make any sense.

I checked my thoughts with other people in the business who have got a different background to me. And they agree there were lots of questions in here that just did not make a lot of sense. They were sort of test fodder, I would say, but there were very few of those type of questions in the exam. Okay, the exam was much better in that respect than the practice questions.

But there was still, I reckon, about twenty percent of the exam questions that were not taught in the course, and some stuff that wasn’t in the Study Guide. You do need to read around. Experience in any of the domains is useful, and you need to read around a bit if you possibly can. Now, that is possible, but it’s tricky. I mean, here we have the CISSP body of knowledge suggested references, and there are 52 references in here, 52.

And of course, the first reference is the official course guide. And the third one, I think, is the… my apologies, the first one is the Study Guide. That’s a thousand pages. And there are thousands and thousands of pages in these references. You can’t possibly read them all. My thoughts would be to get online and do some research and ask around and get some more focussed learning, because you can’t read all of this stuff.

And similarly, there is an official CISSP glossary. Here it is. And there’s 50 pages of this glossary, including all the references. And there are actually four hundred and twenty-three defined terms in here. But actually this is a bit out of date. A lot of the terms in here are not much use. There’s lots of terms that you learn in the Study Guide that are not in here, not even in the old syllabus, let alone new ones.

So that’s not a great deal of use. Going back to the exam, there were, I’m glad to say, very few silly questions about, you know, is this a type ABCDE of what have you? Very little of that. There were lots more what I would say good questions, questions that really test your knowledge of cybersecurity, whether you know what you’re talking about. Lots of scenario-based questions where you have to reason through the scenario and think about what’s the correct answer.

There are tough questions. I sat there in the exam and thought, you know, I’ve failed this for sure, because when I was doing the practice questions – I’m pretty good at learning how to pass an exam, that’s one of the things I’ve always been good at – I got good at learning to pass the practice questions, to the point where for at least 50 percent of the questions I thought, yeah, I know that.

I know that. I know that. I know that. I got pretty good. When I went into the exam, almost every question I had to think very carefully about; it was hard work. But on the other hand, it does mean it’s really testing your understanding of cybersecurity, and your ability to reason through the information that they give you and come up with the best answer. There’s a lot more judgement involved in the exam than there is in some of the rather mechanistic questions in here.

There’s a lot more thinking; be ready to go in and do that thinking, OK? And on that point, when you go in, don’t get psyched out. It seemed to me that there were a lot of tough questions in the early part of the exam. And I think early on it would be easy to get disheartened and give up and go, ‘There’s no way I can do this’, but keep going, because it did seem to get easier. And I say easier;

it wasn’t quite as tough as when they hit you at the start with a lot of really hard questions. Some things seemed to come up more than others, it seemed to me, but that’s probably the computer adaptive testing. Maybe I made some mistakes early on, and then the computer comes back and hits you again on those topics later, just to push you to make sure that you do understand it. And I must have done well enough, because after one hundred and five questions the test stopped and said, you’ve got to go and get your results.

And at that point I thought, one hundred and five questions. Is that good or bad? I just don’t know. I thought I would not have been surprised to have failed, but I did. The computer doesn’t tell you whether you’ve passed or not. It just says the exam has come to an end. Don’t freak out when it stops. It doesn’t mean that you failed. Just, you know, do whatever you have to do to follow the rules.

Put your hand up to finish the exam and then you’ll find out. And I got handed a piece of paper when I came out saying, congratulations, you’ve passed. I was so relieved, what a relief! So, yeah, significant differences between what’s in the exam and what’s in the practice questions. But nevertheless, I would say it’s still worth doing the practice questions. That was the exam. One more thing to say about the exam, you know, I mentioned that there were lots of things that were not taught in the book.

It says, we don’t ask you about commercial tools or anything like that in the practice questions. There are lots of questions on tools. There are lots of questions about things that they say they will not test you about, which is annoying. But those things did not appear in the exam. Take heart. The exam is a lot more honest than, dare I say, the practice questions.

Lessons Learned

What lessons did I learn from all of this? I would say, first of all, if you can get on a course, either face to face or online, I would say that it is worth it. I had learned a lot of the [taught] information before and I learned to program computers decades ago. I learned a lot of security. I’d learned a lot of technical stuff in the early part of my career. As I said before, I was strong on four out of eight of the domains, but I was still pretty rusty in a lot of subjects and there is a lot of information to cram in. I think probably going on a course helps you cram in that information.

But the course itself is not going to be enough. I do think you need to do the practice questions. You need to take stock and get a realistic picture of what you know and what you don’t know. Then there are usually quite detailed answers in [the book] as to why one answer is correct and the other three are not correct. It’s worth reading those carefully and making further notes.

It’s worth [mentioning], while we’re referring to the study guide, one of the areas that the original course did not cover very well at all. There was very little on attacks and defences. There wasn’t a lot about different types of cyber-attack and how you defend against them. And, you know, different architectures are vulnerable to this kind of attack and other architectures are vulnerable to a different kind of attack. And what’s the best way to defend? There was almost nothing about that. There’s some stuff about it in the practice questions. There’s more stuff about it in here in Chapter 21 [of the Study Guide] especially, as that’s all about different attacks.

But even the information in here was not really, I would say, in enough depth to answer quite a lot of the exam questions. There were quite a lot of exam questions about this scenario-based attack and defence. As I say, this version of the book; maybe the new version of the book that’s coming out this month, maybe that will have more in that area. I hope so, because that’s what you’re going to need.

So if you don’t find enough information on the scenario-based attack and defence, then I would suggest you need to go online and find a good source of material about that. And I’m afraid I can’t recommend one to you because I have not had time to, you know, go out and search the Internet and look at what’s out there and say, oh, yeah, that’s a really good source of reliable information on that. To be honest, I may not even be the right person to make that judgement.

So if you can go and find a good source of information about cyber-attacks and cyber defences and strategies for defending different types of architecture and different set-ups, then I would highly recommend you do that. And in fact, when you see this exam, if anybody out there has got some suggestions about where to look on the Internet to get that stuff, then do please send in your comments and share that knowledge with other people. Because, as I say, I don’t have the background to be able to say where’s a good place to go.

Maybe you do. Please give us your thoughts on where a good place to get that knowledge would be. Well, I’ve talked enough. It was a long, hard road, and I’m relieved to have got through the exam. I’m now going to apply to get my full CISSP membership, which hopefully I’ve got the experience to get. That’s the beginning of my cybersecurity management journey.

And I wish you every success in your efforts to pass the exam. It’s tough, but you can do it.


Risk Management 101

Welcome to Risk Management 101, where we’re going to go through these basic concepts of risk management. We’re going to break it down into the constituent parts and then we’re going to build it up again and show you how it’s done. I’ve been involved in risk management, in project risk management, safety risk management, etc., for a long, long time. I hope that I can put my experience to good use, helping you in whatever you want to do with this information.

Maybe you’re going for an interview. Maybe you want to learn some basics and decide whether you want to know more about risk management or not. Whatever it might be, I think you’ll find this short session really useful. I hope you enjoy it and thanks for watching.


Risk Management 101, Topics

  • Hazard Identification;
  • Hazard Analysis;
  • Risk Estimation;
  • Risk [and ALARP] Evaluation;
  • Risk Reduction; and
  • Risk Acceptance.

Risk Management 101, Transcript

Hi everyone and welcome to Risk Management 101. We’re going to go through these basic concepts of risk management. We’re going to break it down into the constituent parts. Then we’re going to build it up again and show you how it’s done.

My name is Simon Di Nucci and I have a lot of experience working in risk management, project risk management, safety risk management, etc. I’m hoping that I can put my experience to good use, helping you in whatever you want to do with this information. Whether you’re going for an interview or you want to learn some basics, you can watch this video and decide if you want to know more about risk management or you don’t need to. Whatever it might be, you’ll find this short session useful. I hope you enjoy it and thanks for watching.

Topics For This Session

Risk Management 101. So what does it all mean? We’re going to break risk management down into six constituent parts. I’m using a particular standard that breaks it down this way. Other standards will do this in different ways. We’ll talk about that later. Here we’ve got risk management broken down into: hazard identification, hazard analysis, risk estimation, risk evaluation (and ALARP), risk reduction, and risk acceptance.

Risk Management

Let’s get right on to that. Risk management – what is it? It’s defined as “the systematic application of management policies, procedures and practices to the tasks of hazard identification, hazard analysis, risk estimation, risk and ALARP evaluation, risk reduction, and risk acceptance”.

There are a couple of things to note here. We’re talking about management policies, procedures and practices: the ‘how’ we do it, whether it’s a high-level policy or low-level common practice. E.g. how things are done in our organisation vs how the day-to-day tasks are done. And it’s also worth saying that when we talk about ‘hazards’, that’s a safety ‘ism’. If we were doing security risk management, we would be talking about ‘threats’. We can also be talking about ‘causes’ in day-to-day language. So, we can be talking about something causing a risk or leading to a risk. More on that later, but that’s an overview of what risk management is.

Part 1

Let’s look at it in a different way. For those of you who like a visual representation, here is a diagram of the hierarchical breakdown. The stages need to happen in order, more or less, left to right. And as you can see, there’s a link between risk evaluation and risk reduction. We’ll come on to that. So, it’s not purely a serial ‘this is what you have to do’; sometimes the stages are linked together more intimately.

Hazard Identification

First of all, hazard identification. So, this is the process where we identify and list hazards and accidents associated with the system. You may notice that some words here are in bold. Where a word is in bold, we are going to give the definition of what it is later.

These hazards could lead to an accident but only associated with the system. That’s the scope. If we were talking about a system that was an aeroplane, or a ship, or a computer, we would have a very different scope. There would also be a different way that maybe accidents would happen.

On a more practical level, how do we do hazard identification? I’m not going to go into any depth here, but there are certain classic ones. We can consult with our workers and inspect the workplace where they’re operating. And in some countries, that’s a legal requirement (including in Australia, where I live). Another option is we can look at historical data. And indeed, in some countries and in some industries, that’s a requirement. A requirement means we have to do that. And we can use special analysis techniques. Now, I’m not going to talk about any of those analysis techniques today. You can watch some other sessions on The Safety Artisan to see that.

Hazard Analysis

Having done hazard identification, we’ve asked ourselves ‘What could go wrong?’. We can put some more detail on and ask, ‘How could it go wrong? And how often?’. That kind of stuff. So, we want to go into more detail about the hazards and accidents associated with this particular system. And that will help us to define some accident sequences. We can start with something that creates a hazard and then the hazard may lead to an accident. And that’s what we’re talking about. We will show that using graphics later, which will be helpful.

But again, more on terminology. In different industries, we call it different things. We tend to say ‘accident’ in the UK and Australia. In the U.S., they might call it a ‘mishap’, which is trying to get away from the idea that something was accidental. Nobody meant it to happen. Mishap is a more generic term that avoids that implication. We also talk about ‘losses’ or we talk about ‘breaches’ in the security world. We have some issue where somebody has been able to get in somewhere that they should not. And we can talk about accident sequences. Or, in a more common language, we call it a sequence of events. That’s all it is.

Risk Estimation

Now we’re talking about risk estimation. We’ve thought about our hazards and accidents and how they might progress from one to another. Let’s think about, ‘How big is the risk of this actually happening?’. Again, we’ll unpack this further later at the next level. But for now, we’re going to talk about the systematic use of available information. Systematic, so ordered. We’re following a process. This isn’t somebody on their own taking a subjective view: ‘Look, I think it’s not that’. It’s a process that is repeatable. We want to do something systematic. It’s thorough, it’s repeatable, and so it’s defendable. We can justify the conclusions that we’ve come to because we’ve done it with some rigour. We’ve done it in a systematic way. That’s important, particularly if we’re talking about harm coming to people or big losses.

Risk and ALARP Evaluation

Now, risk evaluation is just taking that estimated risk just now and comparing it to something and saying, “How serious is this risk?”. Is it something that is very low? If it’s very insignificant then we’re not bothered about it. We can live with it. We can accept it. Or is it bigger than that? Do we need to do something more about it? Again, we want to be systematic. We want to determine whether risk reduction is necessary. Is this acceptable as it is or is it too high and we need to reduce it? That’s the core of risk evaluation.

In this UK-based standard, we’re using terminology that is found in different forms around the world. But in the UK, they talk about ‘tolerability’. We’re talking about the absolute level of risk. There probably is an upper limit that’s allowed in the law or in our industry. And there’s a lower limit that we’re aiming for. In an ideal world, we’d like all our risks to be low-level risks. That would be terrific.

So, that’s ‘tolerability’. And you might hear it called different things. And then within the UK system, there are three classes of ‘tolerability’ of risk. We could say it’s ‘broadly acceptable’: it’s very low. It’s down in the target region where we like to get all our risks. Or it’s ‘tolerable’: we can expose people to this risk or we can live with this risk, but only if we’ve met certain other criteria. And then there’s the risk that is so big, so far up there, that we can’t do that. We can’t have that under any circumstances. It’s unacceptable. You can imagine a traffic light system where we have categorised our risk.

And then there’s the test of whether our risk can be accepted in the UK. It’s called ALARP. We reduce the risk As Low As Reasonably Practicable. And in other places, you’ll see SFARP. We’ve eliminated or minimised the risk So Far As Is Reasonably Practicable. In the nuclear industry, they talk about ALARA: As Low As Reasonably Achievable. And then different laws use different tests. Whichever one you use, there’s a test that we have got to use to say, “Can we accept the risk?” “Have we done enough risk reduction?”. And whatever you’ve put in those square brackets, that’s the test that you’re using. And that will vary from jurisdiction to jurisdiction. The basic concept of risk evaluation is estimating the level of risk. Then compare it to some standard or some regulation. Whatever one it might be, that’s what we do. That’s risk evaluation.

Risk Reduction

We’ve asked, “Do we need to reduce risk further?”. And if we do, we need to do some risk reduction. Again, we’re being systematic. This is not some subjective thing where we go “I have done some stuff, it’ll be alright. That’s enough.”. We’re being a bit more rigorous than that. We’ve got a systematic process for reducing risk. And in many parts of the world, we’re directed to do things in a certain way.

This is an illustration from an Australian regulation. In this regulation, we’re aiming to eliminate risk. We want to start with the most effective risk reduction measures. Elimination is “We’ve reduced the risk to zero”. That would be lovely if we could do that but we can’t always do that.

What’s the next level? We could get rid of this risk by substituting something less risky. Imagine we’ve got a combustion engine powering something. The combustion engine needs flammable fuel and it produces toxic fumes. It could release carbon monoxide and CO2 and other things that we don’t want. We ask, “Can we get rid of that?”. Could we have an electric motor instead and have a battery instead? That might be a lot safer than the combustion engine. That is a substitution. There are still risks with electricity. But by doing this we’ve substituted something risky for something less risky.

Or we could isolate the hazard. Let’s use the combustion engine as an example again. We can say, “I’ll put that, with the fuel and the exhaust, somewhere a long way from people. Then it’ll be a long way from where it can do harm or cause a loss.” And that’s another way of dealing with it.

Or we could say, “I’m going to reduce the risks through engineering controls”. We could put in something engineered. For example, we can put in a smoke detector. A very simple, therefore highly reliable, device. It’s certainly more reliable than a human. You can install one that can detect some noxious gases. It’s also good if it’s a carbon monoxide detector. Humans cannot detect carbon monoxide at all. (Except if you’ve got carbon monoxide poisoning, you’ll know about it. Carbon monoxide poisoning gives you terrible headaches and other symptoms.) But of course, that’s not a good way to detect that you’re breathing in poisonous gas. We do not want to do it that way.

So, we can have an engineering control to protect people. Or we can have an interlock. We can isolate things in a building or behind a wall or whatever. And if somebody opens the door, then that forces the thing to cut out so it’s no longer dangerous. There are different things for engineering controls that we can introduce. They do not rely on people. They work regardless of what any person does.

Next on the list, we could reduce exposure to the hazard by using administrative controls. That’s giving somebody some rules to follow a procedure. “Do this. Don’t do that.” Now, that’s all good. We can give people warning signs and warn people not to approach something. But, of course, sometimes people break the rules for good reasons. Maybe they don’t understand. Maybe they don’t know the danger. Maybe they’ve got to do something or maybe the procedure that we’ve given them doesn’t work very well. It’s too difficult to get the job done, so people cut corners. So, procedural protection can be weak. And a bit hit and miss sometimes.

And then finally, we can give people personal protective equipment. We can give them some eye protection. I’m wearing glasses because I’m short-sighted. But you can get some goggles to protect your eyes from damage. Damage like splashes, flying fragments, sparks, etc. We can have a hard hat so that if we’re on a building site and something drops from above on us that protects the old brain box. It won’t stop the accident from happening, but it will help reduce the severity of the accident. That’s the least effective. We’re doing nothing to prevent the accident from happening. We’re reducing the severity in certain circumstances. For example, if you drop a ton of bricks on me, it doesn’t matter whether I’m wearing a hard hat or not. I’m still going to get crushed. But with one brick, I should be able to survive that if I’m wearing a hard hat.

Risk Acceptance

Let’s move on to risk acceptance. At some stage, we will have reduced the risk to a point where we can accept it. We can live with it, and we’ve decided that we’re going to need to do whatever it is that is exposing us to the risk. We need to use the system. We want to get in our car to enable us to go from A to B quickly and independently. So, we’re going to accept the risk of driving in our car. We’ve decided we’re going to do that. We make risk acceptance decisions every day, often without thinking about it. We get in a car every day on average and we don’t worry about the risk, but it’s always there. We’ve just decided to accept it.

But in this example we’ve got, it’s not an individual deciding to do something on the spur of the moment. Nor is it based on personal experience. We’ve got a systematic process where a bunch of people come together. The relevant stakeholders agree that a risk has been assessed or has been estimated and has been evaluated. They agree that the risk reduction is good enough and that we will accept that risk. There’s a bit more to it than you and I saying, “That’ll be alright.”

Part 2

Let’s summarise where we’ve got to. We’ve talked about these six components of risk management. That’s terrific. And as you can see, they all go together. Risk evaluation and risk reduction are more tightly coupled. That’s because when we do some risk reduction, we then re-evaluate the risk. We ask ‘Can we accept it?’. If the answer is ‘No.’ we need to do some more work. Then we do some more risk reduction. So those tend to be a bit more coupled together at the end. That’s the level we’ve got to. We’re now going to go to the next level.

So, we’re going to explain these things. We’ve talked about hazard identification and hazard analysis, but what is a hazard? And what is an accident? And what is an accident sequence? We’re going to unpack that a bit more. We’re going to take it to the next level. And throughout this, we’re talking about risk over and over again. Well, what is ‘risk’? We’re going to unpack that to the next level as well. It all comes down to this anyway. This is a safety standard. We’re talking about harm to people. How likely is that harm and how severe might it be? But it might be something else. It might be a loss or a security breach. It might be a financial loss. It might be a negative result for our project. We might find ourselves running late. Or we’re running over budget. Or we’re failing to meet quality requirements. Or we’re failing to deliver the full functionality that we said we would. Whatever it might be.


So, let’s unpack this at the next level. A hazard is a term that we use, particularly in safety. As I say, we call it other things in different realms. But in the safety world, it’s a physical situation or it’s a state of a system. And as it says, it often follows from some initiating event which we may call a ‘cause’. And the hazard may lead to an accident. And the key thing to remember is once a hazard exists, an accident is possible, but it’s not certain. You can imagine the sort of cartoon banana skin on the pavement gag. Well, the banana skin is the hazard. In the cartoon, the cartoon character always steps on the banana skin. They always fall over, for comic effect. But in the real world, nobody may tread on the banana skin and slip over. There could be nobody there to slip over on the banana skin. Or even if somebody does, they could catch themselves. Or they fall, but it’s on a soft surface and they don’t hurt themselves so there’s no harm.

So, the accident isn’t certain. And in fact, we can have what we call ‘non-accident’ outcomes. We can have harmless consequences. A hazard is an important midway step. I heard it called an accident waiting to happen, which is a helpful definition. An accident waiting to happen, but it doesn’t mean that the accident is inevitable.


But the accident can happen. Again, the ‘accident’, ‘mishap’, or ‘unintended event’. Something we did not want or a sequence of events that causes harm. And in this case, we’re talking about harm to people. And as I say, it might be a security breach. It might be a financial loss. It might be reputational damage. Something might happen that is very embarrassing for an organisation or an individual. Or again, we could have a hiccup with our project.


But in this case, we’re talking about harm. And this kind of standard, we’re using what you might call a body count approach to the harm. We’re talking about actual death, physical injury, or damage to the health of people. This standard also considers the damage to property and the environment. Now, very often we are legally required to protect people and the environment from harm. Property less so. But there will be financial implications of losses of property or damage to the systems. We don’t want that. But it’s not always criminally illegal to do that. Whereas usually, hurting people and damaging the environment is. So, this is ‘harm’. We do not want this thing to happen. We do not want this impact. Safety is a much tougher business in this instance. If we have a problem with our project, it’s embarrassing but we could recover it. It’s more difficult to do that when we hurt somebody.


And always in these terms, we’re talking about ‘risk’. What is ‘risk’? Risk is a combination of two things. It’s a combination of the likelihood of harm or loss and the severity of that harm or loss. It’s those two things together. And we’ve got a very simple illustration here, a little table. And they’re often known as a risk matrix, but don’t worry about that too much. Whatever you want to call it. We’ve got a little two by two table here and we’ve got likelihood in the white text and severity in the black. We can imagine where there’s a risk where we have a low likelihood of a ‘low harm’ or a ‘low impact’ accident or outcome. We say, ‘That’s unlikely to happen and even if it does not much is going to happen.’ It’s going to be a very small impact. So, we’d say that that’s a low risk.

Then at the other end of the spectrum, we can imagine something that has a high likelihood of happening. And that likelihood also has a high impact. Things that happen that we definitely do not want to happen. And we say, ‘That’s a high risk and that’s something that we are very, very concerned about.’

And then in the middle, we could have a combination of an outcome that is quite likely, but it’s of low severity. Or it’s of high severity, but it’s unlikely to happen. And we say, ‘That’s a medium risk’.

Now, this is a very simplified matrix for teaching purposes only. In the real world, you will see matrices that are four by four, or five by five, or even six by six, or combinations thereof. And in security, where they talk about threat and vulnerability and the outcomes, you might see multiple matrices used. They use multiple matrices to progressively build up a picture of the risk. They use matrices as building blocks. So, it may not be only one matrix used in a more complex thing you’ve got to model. But here we’ve got a nice, simple example. This illustrates what risk is. It’s a combination of severity and likelihood of harm or loss. And that’s what risk is, fundamentally. And if we have a firm grasp of these fundamentals, it’ll help us to reason and deal with almost anything, with enough application.

Accident Sequence

Now, let’s move on and talk about accident sequences. We’re talking about a progression in this case. We’re imagining a left-to-right path. A progression of events that results in an accident. This diagram, that looks like a bow tie, it’s meant to represent the idea that we can have one hazard. There might be many causes that lead to this hazard. There might be many different things that could create the hazard or initiate the hazard. And the hazard may have many different consequences.

As I’ve said before, nothing at all may happen. That might be the consequence of the hazard. Most of the time that’s what’s going to happen. But there may be a variety of consequences. Somebody might get a minor injury or there might be a more serious accident where one or more people are killed. A good example of this is fire. So, the hazard is the fire. The causes might be various. We could be dealing with flammable chemicals, or a lightning strike, or an electricity arc flash. Or we could be dealing with very high temperatures where things spontaneously burst into flames. Or we could have a chemical in the presence of pure oxygen. Some things will spontaneously burst into flames in the presence of pure oxygen. So there’re a variety of causes that lead to the fire.

And the fire might be very small and burn itself out. It causes very little damage and nobody gets hurt. Or it might lead to a much bigger fire that, in theory, could kill lots of people. So, there’s a huge range of consequences potentially from one hazard. But the accident sequence is how we would describe and capture this progression. From initiating events to the hazard to the possible consequences. And by modelling the accident sequence, of course, we can think about how we could interrupt it.
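As an added example (not from the session, the standard it quotes, or its slides), the bow-tie above, the two-by-two matrix from earlier, the three tolerability classes, and the coupled evaluate/reduce/re-evaluate loop can be written as one small model in Python. The scale labels, the mapping of matrix cells to tolerability classes, the modelled effect of each control and the ratings in the fire sample are all assumptions made for this illustration.

```python
from dataclasses import dataclass, field
from enum import IntEnum

class Level(IntEnum):
    LOW = 1
    HIGH = 2

# Risk estimation: the 2x2 teaching matrix from the session, (likelihood, severity) -> risk.
RISK_MATRIX = {
    (Level.LOW, Level.LOW): "low",
    (Level.LOW, Level.HIGH): "medium",
    (Level.HIGH, Level.LOW): "medium",
    (Level.HIGH, Level.HIGH): "high",
}

# Risk evaluation: the three UK tolerability classes. Mapping each matrix cell to a
# class is an assumption for this example; a real standard sets its own thresholds.
TOLERABILITY = {"low": "broadly acceptable", "medium": "tolerable", "high": "unacceptable"}

# Hierarchy of controls, most effective first, in the order the session lists them.
HIERARCHY = ["elimination", "substitution", "isolation", "engineering", "administrative", "ppe"]

@dataclass
class Control:
    name: str
    level: str                           # one of HIERARCHY
    effect: str                          # "eliminates", "likelihood" or "severity" (modelled)
    reasonably_practicable: bool = True  # assumed input to the ALARP test

@dataclass
class Consequence:
    description: str
    likelihood: Level
    severity: Level
    eliminated: bool = False
    applied: list = field(default_factory=list)

@dataclass
class Hazard:  # bow-tie: many causes on the left, one hazard, many consequences on the right
    name: str
    causes: list
    consequences: list

def estimate(c: Consequence) -> str:
    """Risk estimation: combine likelihood and severity through the matrix."""
    return "none" if c.eliminated else RISK_MATRIX[(c.likelihood, c.severity)]

def evaluate(c: Consequence) -> str:
    """Risk evaluation: compare the estimate with the tolerability classes."""
    return "eliminated" if c.eliminated else TOLERABILITY[estimate(c)]

def accident_sequences(h: Hazard) -> list:
    """Every left-to-right path through the bow-tie: cause -> hazard -> consequence."""
    return [(cause, h.name, c.description, estimate(c)) for cause in h.causes for c in h.consequences]

def apply_control(c: Consequence, ctl: Control) -> None:
    """Risk reduction: a control removes the consequence or drops one level on one axis.
    A control that cannot lower its axis any further still counts as applied."""
    if ctl.effect == "eliminates":
        c.eliminated = True
    elif ctl.effect == "likelihood":
        c.likelihood = Level(max(c.likelihood - 1, Level.LOW))
    elif ctl.effect == "severity":
        c.severity = Level(max(c.severity - 1, Level.LOW))
    c.applied.append(ctl.name)

def reduce_and_accept(c: Consequence, controls: list) -> dict:
    """The coupled evaluate/reduce loop: apply the next reasonably practicable control in
    hierarchy order, re-evaluate, repeat. Acceptance (modelled on the session): 'broadly
    acceptable' is accepted as is; 'tolerable' only once no reasonably practicable control
    is left (the ALARP test), which is the only way the loop exits while still 'tolerable';
    'unacceptable' is never accepted."""
    queue = sorted(controls, key=lambda k: HIERARCHY.index(k.level))
    history = [evaluate(c)]
    while evaluate(c) in ("tolerable", "unacceptable"):
        practicable = [k for k in queue if k.reasonably_practicable]
        if not practicable:
            break
        queue.remove(practicable[0])
        apply_control(c, practicable[0])
        history.append(evaluate(c))
    final = evaluate(c)
    return {"final": final, "accepted": final != "unacceptable",
            "history": history, "applied": list(c.applied)}

def fire_example() -> dict:
    """Constructed sample following the session's fire bow-tie; all ratings are assumptions."""
    fire = Hazard("fire", ["flammable chemicals", "lightning strike", "electrical arc flash"], [
        Consequence("small fire burns itself out", Level.HIGH, Level.LOW),
        Consequence("fire spreads through an occupied building", Level.LOW, Level.HIGH),
    ])
    controls = [
        Control("relocate the process away from people", "elimination", "eliminates", False),
        Control("store flammables in a detached shed", "isolation", "likelihood"),
        Control("hot-work permit procedure", "administrative", "likelihood"),
    ]
    return {c.description: reduce_and_accept(c, controls) for c in fire.consequences}
```

Running `fire_example()` shows the two outcomes the session describes: the minor consequence drops to ‘broadly acceptable’ after one control, while the severe one stays ‘tolerable’ and is accepted only because no reasonably practicable control remains.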

Part 3

We’ve broken risk management down into those six constituent parts. We’ve gone to the next level, in that we’ve sort of gone down to the concepts that underpin these things. These hazards, the accidents, and the accident sequence. We’ve talked about risk itself and what we don’t want to happen. The harm, the loss, the financial loss, the embarrassment, the failed or late or budget project, a security breach, the undesired event, etc. We had an objective which was to do something safely or to complete a project and the risk is that that won’t happen. That there’ll be an impact on what we were trying to do that is negative. That is undesirable.

There are just a few more concepts that we need to look at to complete the pattern, as you can see. We’ve been talking about the system. And we’ve been talking about doing things systematically. And then a system works in an operating environment. So, let’s unpack that.


First of all, we have a system. The system is going to be a combination of things. I wouldn’t call a pen or a pencil a system. It’s only got a couple of components. You could pull it apart. But it’s too simple to be worth calling it a system. We wouldn’t call it a pen system, would we? So, a system is something more complex. It’s a combination of things and we need to define the boundary. I’ll come back to that.

But within this boundary, we’ve got some different elements in the system that work together. Or they’re used together within a defined operating environment. So, we’re going to expose this system to a range of conditions which it is usually designed to work in. The intention is the system is going to do whatever it does to perform a given task. It can do one defined task or achieve a specific purpose. I talked before about getting in our car. A car is complex enough to be called a system. We get in our car and we drive it on the roads. Or if we’ve got a four-wheel drive, we can drive off-road. Or we can use it in a more demanding operating environment to achieve a specific purpose. We want to transport ourselves, and sometimes some stuff, from A to B. That’s what we’re trying to do with the system.

And within that system, we may have personnel/people, we may have procedures. A bunch of rules about how you drive a car legally in different countries. We’ve got materials and physical things – what the car is made of. We could have tools to repair it, change wheels. We’ve got some other equipment, like a satnav. We’ve got facilities. We need to take a car somewhere to fill up with fuel or to recharge it. We’ve got services like garages, repairs, servicing, etc. And there could be some software in there as well. Of course, these days in the car, there’s software everywhere in most complex devices.

So, our system is a combination of lots of different things. These things are working together to achieve some kind of goal or some kind of result. There’s somewhere we want to get to. And it’s designed to work in a particular operating environment. Cars work on roads really well. Off-road cars can work on tracks. Put them in deep water, they tend not to work so well. So, let’s talk about that operating environment.

Operating Environment

What we’ve got here is the total set of all external, natural, and induced conditions. (That’s external to the system, so outside the boundary.) So, these conditions might be natural or they might be induced by something else, and the system is exposed to them at any given moment. And we need to get a good understanding of the system, the operating environment, and what we want it to do.

If we have a good understanding of those three things, then we will be well on the way to being able to understand the risks associated with that system. That’s one of the key things with risk management. If you’ve got those three things, that’s crucial. You will not be able to do effective risk management if you don’t have a grasp of those things. And if you do have a thorough grasp of those things, it’s going to help you do effective risk management.


So, we’ve talked about risk management. We’ve broken it down into some big sections. Those six sections: hazard identification, hazard analysis, risk estimation, risk evaluation, risk reduction, and risk acceptance. We’ve seen how those things depend on only a few concepts. We’ve got the concepts of ‘hazards’, ‘risks’, and ‘accidents’, as well as the undesirable consequences that the risk might result in. And the risk is measured based on the likelihood and severity of that harm or that loss occurring.

And when we’re dealing with a more complex system, we need to understand that system and the environment in which it operates. And of course, we’ve put it in that environment for a purpose. And that unpacking has allowed us to break down quite a big concept, risk management. A lot of people, like myself, spend years and years learning how to do this. It takes time to gain experience because it’s a complex thing. But if we break it down, we can understand what we’re doing. We can work our way down the fundamentals. And then if we’ve got a good grasp of the fundamentals, that supports getting the more complex stuff right. So, that’s what risk management is all about. That’s your risk management 101 and I hope that you find that helpful.

Copyright Statement

I just need to say briefly that those quotations from the standard are used under a Creative Commons licence, the CC4.0. That allows me to do that within limits that I am careful to observe. But this video presentation is copyright the Safety Artisan.

For More…

And you can see more like these at the Safety Artisan website. That’s And as you can see, it’s a secure site so you can visit without fear of a security breach. So, do head over there. Subscribe to the monthly newsletter to get discounts on paid videos and regular updates of what’s coming up, both paid and free.

So, it just remains for me to say thanks very much for watching and I look forward to catching up with you again very soon.

End of Risk Management 101
