
Risk: Averse, Adverse, or Appetite?

You heard me right. Risk: Averse, Adverse, or Appetite? Which would you choose? Do we even have a choice? Read on …

We often hear that we live in a risk-averse society.  By that, I mean that we don’t want to take risks, or that we’re too timid.  I don’t think that’s the whole story.

In reality, we need to deal with several concepts.  Let’s start by looking at risk:

  • Aversity;
  • Adversity;
  • Appetite; and then
  • Perception.

Risk Adverse versus Risk Averse

These terms are often used incorrectly, so here’s a useful comparison:

“Many people are confused when faced with the choice between adverse and averse. While these two adjectives have many similarities, they are not used interchangeably.
If you want to describe a negative reaction to something (such as a harmful side effect from medication) or dangerous meteorological conditions (such as a snowstorm), adverse is the correct choice. You would not say that you had an ‘averse’ reaction to medication or that there was ‘averse’ weather.
In short, adverse tends to be used to describe effects, conditions, and results; while averse refers to feelings and inclinations.”[1]

Merriam-Webster Dictionary

Risk Adverse

A Formal Definition of Adverse

Again, the Merriam-Webster Dictionary sails to the rescue:

  • “1: acting against or in a contrary direction: HOSTILE (hindered by adverse winds)
  • 2a: opposed to one’s interests (an adverse verdict; heard testimony adverse to their position); especially: UNFAVORABLE (adverse criticism)
  • 2b: causing harm: HARMFUL (adverse drug effects)
  • 3: archaic: opposite in position”[2]

This is all very well, but we need something that we can use, like a…

…Practical Definition of Risk Adverse

The Law Insider website provides a very useful definition of ‘Risk Adverse’.   

“Adverse Risk means any risk of an adverse effect on the Development, procurement or maintenance of Regulatory Approval, Manufacture or Commercialization of a Product.”[3]

Law Insider

It’s useful because it is so pertinent to safety.  Let me explain. Often, we want to develop a product or service, but there are:

  • Development risks – often called Project Management risks, as a development is often the focus of a project.  Remember that the ISO 31000 defines risk as “the effect of uncertainty on objectives”.  By definition, a project has specific objectives (e.g., budget, schedule, and quality). 
  • Procurement risks – when acquiring a new product or service, an enterprise may also acquire development risks for the new or upgraded thing.  There are also risks associated with contractual acceptance, fielding the product, etc.
  • Regulatory approval risks – in many industries and domains, regulatory approval may be needed.  This may require qualification, certification, or accreditation (or a combination thereof).
  • Commercialization risks include making a product commercially viable, positioning it in the market, and gaining user and/or public acceptance.     

Each one of these topics is a massive subject, about which countless books have been written.  Law Insider’s definition is very powerful!

Risk Averse

So, risk aversion is about feelings and inclinations.  This is such a familiar topic that perhaps we don’t bother to explore it. Later on in this post, we will explore Risk Aversion by looking at Risk Perception.

Before we do that, let’s look at the opposite of Risk Aversion.

Risk Appetite

“Risk appetite is the level of risk that an organization is prepared to accept in pursuit of its objectives, before action is deemed necessary to reduce the risk. It represents a balance between the potential benefits of innovation and the threats, that change inevitably brings. The ISO 31000 risk management standard refers to risk appetite as the “Amount and type of risk that an organization is prepared to pursue, retain or take”. This concept helps guide an organization’s approach to risk and risk management.”[4]


Risk appetite is a really interesting concept.  The definition is that risk appetite is the level of risk that a person or organization is prepared to accept in pursuit of objectives. 

Why is Risk Useful?

Risk is necessary because we need to take risks to do almost anything. Every time we breathe in, every time we eat or drink something, we’re taking a risk.

It’s the same for businesses, enterprises, and nations.  If we keep on doing the same old thing again and again, eventually someone else will come along and outcompete us.  Ironically, the risk is that we fail to adapt and cease to exist – Darwinian selection. 

A great example of this is the Kodak corporation.  For years Kodak dominated the photography market.  However, they failed to see the promise of digital photography and didn’t take advantage of it. They were overtaken by rivals, and in the end, this mighty corporation went out of business.

So to ensure the survival of an entity, we must accept change, we must take risks. This seems to be true of populations, businesses – even software programs seem to illustrate this kind of evolutionary development [5].

Quantifying Risk and Appetite

In some areas of business, it’s easy to define risk appetite.  Financial corporations can easily define how much loss they are prepared to accept.  They can accept that a certain percentage of turnover or profit will be lost to fraud or error. 

A more sophisticated business might quantify the benefit of taking risks.  For example, lending more money might result in greater profits.  If a business understands the relationship between risk and opportunity, it can exploit it.

Too Big to Fail

A few years ago we saw the downside of that thinking.  Organizations thought they were too big to fail or too clever – they couldn’t go wrong.  Some high-profile failures led to a domino effect, whereby many institutions effectively collapsed.  This was the Global Financial Crisis.

As a result, the regulation of lenders was tightened up.  Banks and similar bodies were forced to keep higher reserves of cash and assets in order to survive miscalculations of risk.

How Much Risk is Enough?

So, how can we determine an appropriate risk appetite, without over-reaching ourselves?

This is a particularly difficult judgment when considering safety. Now we are not trading $ for $, we are trading dollars for injury and even death.  This is a much more difficult ethical problem.  There are various ways of making this judgment; for example, in Australia we can refer to Safe Work Australia’s guidance.

In this article, we will consider what leads us to a distorted perception of risk. 

Risk Perception

Some researchers claim that there are three factors that cause us to look at risk and misunderstand it.

Psychometric research identified a broad domain of characteristics that may be condensed into three high order factors: 1) the degree to which a risk is understood, 2) the degree to which it evokes a feeling of dread, and 3) the number of people exposed to the risk. A dread risk elicits visceral feelings of terror, uncontrollable, catastrophe, inequality, and uncontrolled. An unknown risk is new and unknown to science. The more a person dreads an activity, the higher its perceived risk and the more that person wants the risk reduced.[6]


I have observed that people are ready to take more risks when they think they are in control.  For example, we’re more willing to take risks when driving, rather than in trains or planes where someone else is in control. 

It’s interesting to recall that our risk of death per journey is the same in a car as it is in a plane.  Moreover, we are three times more likely to be injured in a car crash than in an air crash.  Yet, people worry about flying, but they don’t think about the car journey to get to the airport. 

Therefore, if we are to think rationally about risk, we must address those three factors of risk perception – and control. 

Three Risk Perception Factors

First, we must understand risk.  Risk assessment helps us to do this and can help us make objective decisions.

Second, we must recognize feelings of dread, for example, fear of radiation.  We must strive to understand the mechanisms that give rise to risks so that we can understand how to treat or control them. This should give us confidence, which will counteract dread.

(Also, we might explicitly identify the benefits of the risky activity.  This should help us to deal with dread rationally.) 

Third, we must estimate the number of people exposed to the risk.  Accidents with multiple casualties cause Societal Concern and get a lot of media attention, whereas the constant background of individual casualties in car accidents goes largely unreported.

Let’s Look at Control 

We often have the illusion that we are in control, and that this will prevent accidents.

The night I had my most serious car accident, I was hit by a drug/drunk driver.  I had not lost control of my vehicle and I had done nothing wrong.  However, when the other car turned into my path, I could not avoid the collision.

We need to give people a realistic view of how much they really control. 

If we can give people control, without real adverse effects, then so much the better.  Either that or take away control completely and make sure that users know this.

Many fatalities have resulted from users misunderstanding how much control they had – for example over ‘self-driving’ cars.  


All these factors are challenging to deal with.  Moreover, there are a number of agents using social media to stoke and exploit public outrage. This is done for various purposes, which may have nothing to do with actual levels of risk (i.e., it may not be a genuine societal concern).

Perhaps we can learn from those who manage outrage for enterprises that need it?  

They work to actively and regularly present a rational view of risks and benefits.  This is intended to counter the sensationalist reporting that will arise from time to time.  Think of it as a regular vaccine of rationality against periodic outbreaks of emotional outrage.   

Conclusion

Of course, there are no guaranteed solutions or magic answers to these questions.

We will always have a subjective and visceral reaction to danger.  This is a good thing, essential even.  It’s a very important survival skill, and we should be afraid of things that can hurt us.

Yet, to live without risk at all is simply not possible – we will all die of something.  Will we achieve something meaningful before that dread day comes?

To do anything requires us to take risks.  As individuals, as a society, we need to take risks to enjoy the benefits that result.  “Great empires are not maintained by timidity” as a Roman historian once said[7].  

As in so many things, we are looking for a balance. 

How much risk-aversion do you need to survive, versus how much risk appetite to thrive?

(For more on risk management, see the FAQ.)





[5] Les Hatton & Greg Warr, Conservation of Information in Proteins, Software, Music, Texts, the Universe and Chocolate Boxes, Heiland Lecture, Colorado School of Mines, 06 Mar 2018.




Due Diligence and Safety

In this article, I’m looking at Due Diligence and Safety in the USA, UK, and Australia. Why? Because Due Diligence is the root of so much that we should be doing in Safety.

Let’s start with the definitions of due diligence in the way that it applies to safety (because due diligence is a concept that has many different applications in business.)

Due Diligence in the United States of America

Definition of Due Diligence

1 law: the care that a reasonable person exercises to avoid harm to other persons or their property …
Doing your due diligence: “… in this sense, it is synonymous with another legal term, ordinary care.”

Merriam-Webster Dictionary

That’s the definition from a popular US dictionary.

Workplace Safety in the USA

In the USA, the Federal Occupational Safety and Health Agency (OSHA) governs health and safety in the workplace.  As the USA is a federal state, what the OSH Act or Agency covers is complex, as follows:

  • The Agency covers most private sector employers in all 50 US states, either directly through the federal agency or through an OSHA-approved state plan – 22 states have such a plan;
  • Workers at state and local government agencies are not covered by the Agency, but have OSH Act protections if they work in those states that have an OSHA-approved state program;
  • The Agency protects workers of all federal agencies;
  • The Act does not cover the self-employed or the immediate family members of farm employers; and
  • The Act does not cover workplace hazards regulated by another federal agency (for example, the Mine Safety and Health Administration, the Department of Energy, or Coast Guard).[2]  

Are you confused?  I am!

Product Safety in the USA

To add to my confusion the US Consumer Product Safety Commission (CPSA) regulates the safety of some consumer products. It does so under thirteen different federal laws.  These acts regulate, for example, child safety, flammable fabrics, art supplies, poisons, and refrigerators[3].  I can’t see any coherent pattern to what the CPSA regulates.

However, the US Federal Government tends not to manage product safety.  It is more often addressed via state legislation, which varies from state to state.  

Product safety is also dealt with through civil liability: victims sue you if your product hurts someone.  In other words “Product liability is the area of law in which manufacturers, distributors, suppliers, retailers, and others who make products available to the public are held responsible for the injuries those products cause.”[4]

There are different theories of liability, one of them being ‘strict liability’.  “In criminal and civil law, strict liability is a standard of liability under which a person is legally responsible for the consequences flowing from an activity even in the absence of fault or criminal intent on the part of the defendant.”[5]

Back to Due Diligence

Now we circle back to due diligence: “due diligence is the only available defense to a crime that is one of strict liability … Once the criminal offence is proven, the defendant must prove on balance that they did everything possible to prevent the act from happening.”[6]

(I also note from that Wikipedia article that “It is not enough that they took the normal standard of care in their industry – they must show that they took every reasonable precaution.”  We now seem to be heading towards our old friend ‘reasonably practicable’ – but that’s another article!)

There is a big difference in the way that the USA manages workplace and product health and safety.  Due Diligence may be a useful concept in all these settings. However, I’m finding it very difficult to say what it means when applied to safety.

Due Diligence Around the World

It was also challenging to pin down due diligence and safety in the United Kingdom (and still is).

In 2007, the UK’s Health and Safety Executive (the national regulator, much like OSHA in the USA) published a useful study into Due Diligence[7].  This report looked at “whether the law in nine different countries imposes health and safety duties upon boardroom directors (and other senior managers)”.

Due Diligence in Nine Different Countries

It concluded that “seven out of nine countries contain safety legislation that imposes positive safety obligations upon either directors or senior managers of companies. These are: Germany, France, Italy, Sweden, Japan, Canada (four out of fourteen jurisdictions) and Australia (two out of nine jurisdictions).”

Thus, the criminal law in these countries imposes safety obligations on directors or senior managers.  

Interestingly, the Report found that exercising “due diligence to prevent the commission of the offence” was often found to be a viable defense for company directors and senior managers in many jurisdictions.

Due Diligence in the United Kingdom

The report observed that, in 2007, “It is fair to say that the legislative framework for regulating occupational health and safety (OHS) in Great Britain appears unusual in not imposing positive duties on directors. The majority of the nine countries studied do have this kind of legislation.” 

The UK brought the Corporate Manslaughter and Corporate Homicide Act into force in 2007 – the same year as this Report.  The UK introduced this because of several failures to prosecute company directors after high-profile fatal accidents.  Before 2007, courts had to find individuals guilty of gross negligence manslaughter to hold them accountable. Such prosecutions often failed.

Whether the Due Diligence Report had any influence on the 2007 Act is hard to say. This Report is still the best result on the UK HSE’s website for ‘due diligence’ so not much seems to have changed.

Safety Law in Australia

Now Australia has an interesting mix of approaches derived from those in the USA and UK.

Australia is a Federation

Australia, like the USA, is a federal state.  Responsibility for health and safety generally resides with the states and territories.  The federal government only controls health and safety in federal workplaces or on federal land.  In Australia, we have a similar jurisdictional model to the USA, with all the complexity that can introduce.

US practices also influence Australian industry and commerce.  Safety requirements are often met by meeting specifications. (Whereas the UK uses a ‘safety by intent’ approach – another article I must write).  Thus, Australian safety practice often relies on certification against standards, as in the US. 

Australian Work Health and Safety Law

In Australia, we have adopted our own version of the UK Health and Safety at Work Act, 1974.  The Australian government introduced a much-refined version of UK law in 2011, some 37 years after the UK Act.

To achieve standardization across Australia, the Federal Government agreed with state and territory governments to introduce a model-based approach.

Safe Work Australia developed the Model WHS Act, Regulations, and Codes of Practice, collaboratively. Then the states and territories all agreed to adopt these centrally-developed articles of legislation.

States and territories were free to modify the Models as they saw fit. In general, the different jurisdictions have changed little, although Victoria has chosen not to implement WHS at all (thanks, Victoria, for being team players).

Unlike in the USA, Australian Work Health and Safety (WHS) legislation covers both workplaces and non-consumer goods. (Consumer goods are covered by other laws.)

This criminal law sets standards that manufacturers, designers, importers, and users must achieve when engineering, installing, commissioning equipment, and running it within a workplace.

Safety Due Diligence in Australia

In Australia, we are fortunate that the Work Health and Safety Act introduces a very specific and practical definition of what Due diligence is when applied to safety duties.

The Act says that Officers (company directors and senior managers) have additional duties.  Officers must exercise ‘due diligence’. Under Division 4 (Duty of officers, workers and other persons), Section 27 (Duty of officers):

(1) If a person conducting a business or undertaking has a duty or obligation under this Act, an officer of the person conducting the business or undertaking must exercise due diligence to ensure that the person conducting the business or undertaking complies with that duty or obligation.

Australian WHS Act, 2011

We’re now talking about what is due diligence in the context of health and safety. I need to be precise about that. The term ‘due diligence’ appears in other Australian laws and can have different meanings. In this post, the definition of due diligence applies to WHS duties only.

We’ve got to do six things, in sub-paragraphs (a) to (f), to demonstrate due diligence. 

What does Due Diligence Mean (a & b)?

(5) In this section, due diligence includes taking reasonable steps:

(a) to acquire and keep up‑to‑date knowledge of work health and safety matters; and

(b) to gain an understanding of the nature of the operations of the business or undertaking of the person conducting the business or undertaking and generally of the hazards and risks associated with those operations; and

Section 27

First, officers must acquire and keep up to date with knowledge of work health and safety matters, obligations, and so forth.

Secondly, officers must gain an understanding of the nature of their business’s operations and the risks they control.  If you’re a company director you need to know what the operation does.

You cannot hide behind “I didn’t know”, because it’s a legal requirement for you to know.  There’s no pleading ignorance, because ignorance is, in fact, illegal: you’ve got to have a general understanding of the hazards and risks associated with those operations.

You don’t necessarily have to be up on all the specifics of everything going on in your organization, but you should know what your organization does, and you should be aware of the general costs and risks associated with that kind of business.

What does Due Diligence Mean (c, d, e & f)?

(c) to ensure that the person conducting the business or undertaking has available for use, and uses, appropriate resources and processes to eliminate or minimise risks to health and safety from work carried out as part of the conduct of the business or undertaking; and

Section 27

Now, thirdly, we are moving on. Basically, sub-paragraphs (c), (d), (e), and (f) refer to appropriate resources and processes.  Officers have got to ensure that PCBUs have available, and use, appropriate resources and processes in order to control risks.  That says you’ve got to provide those resources and processes, and that their use is supervised.

Maybe you put in a Safety Management System that ensures people actually do use the stuff they should, to keep themselves safe.  And that’s very relevant because often people don’t like wearing, for example, Personal Protective Equipment (PPE) because it’s uncomfortable or slows you down, so the temptation is to take it off.

What does Due Diligence Mean (d)?

(d) to ensure that the person conducting the business or undertaking has appropriate processes for receiving and considering information regarding incidents, hazards and risks and responding in a timely way to that information; and

Section 27

Moving on to part (d), we’re still on the appropriate processes. We must have appropriate processes for receiving and considering information on incidents, hazards, and risks.  Again, we’ve got to keep up to date. What’s going on in our own plants, and maybe in similar plants in the industry? We need a process to respond in a timely way to that information.

If we discover a new incident or hazard that we didn’t previously know about, we need to respond and react to it quickly enough to make a difference to the health and safety of workers.  That works together with sub-paragraph (b), doesn’t it?  In parts (a) and (b) we need to keep up to date on the risks and on what’s going on in the business. Also, in part (e), we need to ensure that the PCBU has processes for compliance with any duty or obligation and follows them.

In the system safety world, often the designers will need to provide the raw material that becomes those processes. Or maybe if we’re selling a product, it comes with an instruction manual of all the processes needed.

What does Due Diligence Mean (e-f)?

(e) to ensure that the person conducting the business or undertaking has, and implements, processes for complying with any duty or obligation of the person conducting the business or undertaking under this Act; and

(f) to verify the provision and use of the resources and processes referred to in paragraphs (c) to (e).

Examples: For the purposes of paragraph (e), the duties or obligations under this Act of a person conducting a business or undertaking may include:

(a) reporting notifiable incidents;
(b) consulting with workers;
(c) ensuring compliance with notices issued under this Act;
(d) ensuring the provision of training and instruction to workers about work health and safety;
(e) ensuring that health and safety representatives receive their entitlements to training.

Section 27

Finally, the officers must verify the provision and use of these resources and processes (in parts (c), (d), and (e)).  Thus, we’ve got a simple six-point program that comprises due diligence, but it’s quite demanding. There’s no shirking this stuff or pretending you didn’t know.  I suspect it’s designed to hang company directors who neglect and harm their workers.

WHS, Vaccinations and COVID

Now part (e) is interesting, particularly in the age of the COVID pandemic.  Not only must Officers ensure that safety resources and processes are provided, but that they are used.  Many Australian governments and businesses are mandating COVID vaccinations for workers.

Some undertakings, for example, large sporting venues, are insisting that patrons are vaccinated too.  As Officers have safety duties under the WHS Act to protect visitors and the public, you can imagine why. 

Directors could be held criminally liable for workers, visitors, or even passers-by catching COVID.  As this is criminal law, no contractual arrangement (e.g. saying ‘enter at your own risk’ on a ticket) can override WHS obligations.

What is Due Diligence All About?

Let’s face it, this is all good common-sense stuff. We should be doing this anyway.

These requirements are only the minimum required for all businesses and undertakings in Australia. In any kind of high-risk industry, we should have a Safety Management System that does all of this and more.


Well, we’ve looked at due diligence as it applies to safety in many different countries.  We’ve concentrated on the USA, the UK, and Australia, but Germany, France, Italy, Sweden, Japan, and Canada got an honorable mention as well.

The combinations of due diligence with criminal law, civil law, and safety are very confusing in the USA. It is largely non-existent in the UK. 

Only Australia has spelled out in law what due diligence means for safety.  You may not work in Australia, but I suggest that the clarity and practicality of the WHS Act definition on ‘due diligence’ are useful for safety practitioners everywhere.  

What does Due Diligence mean for Safety Practices where You are?

[1] Merriam-Webster online dictionary.








Hazard Logs and Hazard Tracking Systems

In this blog post and video ‘Hazard Logs and Hazard Tracking Systems’, I’m going to tell you about the benefits and features of Hazard Logs and Hazard Tracking Systems. I’m going to be covering these topics, which are the most commonly asked questions:

  1. What is a hazard log? (What is it, and what do we do with it?)
  2. The key elements of a hazard log (what needs to be in it to make it work)?
  3. Hazard Log management (what we need to do)?
  4. What about hazard log tools? (What can we use to create a hazard log?)
  5. What’s the difference between a hazard log and a risk assessment?
  6. What’s the difference between a hazard log and a risk register?

The Video: Hazard Logs and Hazard Tracking Systems

Watch the full, 35-minute lesson.

The Blog Post: Hazard Logs and Hazard Tracking Systems

Hi everyone, and welcome to the Safety Artisan.

I’m Simon and today we’re going to be talking about Hazard logs and hazard tracking systems.

As I said, we’re going to look at hazard logs and hazard tracking systems and we’re going to be answering the most popular questions.

These are the most often asked questions about Hazard Logs and Hazard Tracking Systems that you will find on the internet, so that’s what we’re going to answer.

And this is going to be the first of three sessions on this subject.


Topics for this session. The commonly asked questions are:

  • What is a hazard log? What is it, and what do we do with it?
  • The key elements of a hazard log: what needs to be in it to make it work?
  • Hazard Log management: what do we need to do?
  • What about hazard log tools? What can we use to create a hazard log?

We’ll be looking at those in much more detail in sessions two and three, but we’ll just go over the basics today. And then there are also some very common questions:

  • What’s the difference between a hazard log and a risk assessment? and
  • What’s the difference between a hazard log and a risk register?

And when I say Hazard Log, you can substitute Hazard Tracking System at all times.

They’re really one and the same thing, which we will talk about.

What is a Hazard Log?

That neatly brings us onto what is a hazard log.

And I’ve got a definition here which is actually from the UK Ministry of Defence guidance, but it doesn’t really matter where it came from and just acknowledging the source.

But the definition is really useful in that it tells you what a hazard log is.

But also, it defines a hazard log in terms of what it does.

These are the benefits that a Hazard Log gives us.

It says a Hazard Log or a Hazard tracking system is a continually updated record of the hazards, accident sequences, and accidents associated with the system.

We’ll unpack that in just a moment.

It’s Not Just a Log!

But the point I want to make here is that it’s a continually updated record. Okay? It’s a management tool.

It’s not just a log. You know, I always think of the captain’s log in Star Trek, with the idea that it’s just like a ship’s log: a recording of everything that’s happened.

Well, you can do that.  You can have a very rigorous recording of who’s done what, when, and that’s all good.

But it’s not just a sort of dry dusty record that should sit on the shelf.

It’s a tool to help us manage risks associated with a system.

We’re managing a system, whatever it might be, it might be a physical system, a vehicle, it might be an enterprise business, it might be a piece of software, it might be an IT system, you know, where you’re a bank and you’re using an IT system to service all your customers, etcetera.

It could be any one of those things, and a hazard tracking system enables us to manage all the information that we need to look at risks associated with that system.

It’s worth saying that normally we use hazard logs for safety whereby we’re worried about harm to people, but that’s not their only application.

You can use a hazard log or a risk register in any application.

We might be talking about financial loss, damage to reputation, equipment, harm to the environment, all of these things.


What is the hazard log? Well, it’s structured and we’ll talk about structure in a moment.

Structure implies we’ve got lots of pieces of information, but they are linked together into a coherent structure.

And that’s very important. We’ll spend a lot of time talking about that later.

But those linkages really are the key to the Hazard Log.

It’s a structured means of storing and referencing safety risk evaluations and other information relating to a piece of equipment or system.


A safety risk evaluation: the assumption is that we’ve done some risk analysis, and we’ve done some risk assessment, which is a structured series of risk analyses in order to look at the total picture of risk.

We’ve evaluated that risk against some kind of norm that we’ve said, you know, this is how much risk we’re willing to put up with and we can’t tolerate that. That’s the evaluated bit we’ve evaluated against some framework or benchmark.

Risk Reduction

It’s the principal means of tracking the status of all the hazards, decisions, and actions to reduce risk, because typically we’re not doing this for the sake of it.

We’re doing this because we have risk and we need to manage that risk. And generally speaking, we want to reduce risk.

And there are other decisions to be made about How do we deal with risk?

You know, maybe we reduce it and live with it. Maybe we give it to transfer it to somebody else if we can or we get insurance for stuff that we’re not happy with whatever it might be.

There are lots of lots of different approaches but it’s all about tracking the status.

It’s the Key

We saw in the middle of the definition about storing and referencing risk evaluations. We’re probably referencing out to other documents, to other artifacts that record and analyze the risk in detail.

But the hazard log is our key to finding all of those things.

We have references in there and we can track the current status of where we think all these risks and hazards are: how much risk is there associated with our system?

That is what a hazard log is.

And as you can see, it’s defined by what it does, which is also the benefit of using a hazard log. They’re all one and the same thing. Let’s move on.

Key Elements of a Hazard Log #1

What are the key elements of a hazard log? I’ve got two slides on this.

First, you remember we talked about what goes in a hazard log: hazards and risks and everything to do with the accident sequence or accident sequences associated with the system.

Typically what we have in a hazard log is we have a bunch of hazards.

Now each hazard may have multiple causes. There might be a hardware failure, software failure, environmental issues that could give rise to a hazard; there might be erroneous human activity.

All sorts of causes can lead to one hazard.

And also, one hazard can lead to a number of different consequences. For example, if we’re thinking about a ship, we’ve got a hazard that says flooding: we’re getting water in where it’s not supposed to be.

Well, actually, you know, if the ship floods, people could drown inside the ship; the ship could founder, it could get so full of water that it loses buoyancy and sinks; or it could unbalance the ship and it could capsize. And that’s just the accident outcomes.

Most of the time, if the hazard is present, nothing bad happens at all. Some water gets in the ship. We don’t want it, so we pump the water out; most ships have got bilge pumps to get the water out. Or if it’s just a canoe, you take it out of the water, turn it upside down and you get the water out.

No problem. Consequences aren’t always harmful. They’re not always desirable, but they’re not always harmful either.

We can get a range of consequences, a range of causes, and one hazard in the middle.

And this representation is what’s called a bowtie analysis because it looks like a bow tie. I’m not recommending bowtie analysis, but it’s a great way to represent and explain an accident sequence. That’s all I’m using it for in this instance.

Key Elements of a Hazard Log #2

What do we typically have in a hazard log?

Accident Sequence

On the right-hand side here, you can see that we’ve got the progression from causes, through to hazard through to accidents or consequences.

And we’ll have lots of hazards, probably lots and lots of causes, and some accidents.

They will all be linked, and there’s the accident sequence on the right-hand side, you know, this curve from bottom to top. As we can see, hazards are linked to accidents and hazards are linked to causes, but causes do not directly link to accidents, because you’ve always got to go via a hazard.

The definition of a hazard that we’re using here is that it’s sufficient to cause an accident. But the accident isn’t inevitable just because the hazard exists.

If there is a banana skin, I’ve got rather a humorous comic version here, if there is a banana skin on the pavement and there are people walking on the pavement, yep, that’s a hazard.

An accident is perfectly possible, but it doesn’t mean it’s inevitable. People might walk around the banana or goodness knows somebody might pick it up and throw it away. The accident is not inevitable, but once the hazard is there, that’s enough. (As opposed to there being a banana skin in the bin, that’s not a hazard.)

Once we get to the Hazard, nothing else unusual needs to happen for somebody to get hurt.

That’s the accident sequence. Now, linked to causes, hazards, and maybe accidents, we have controls.


These are the things that stop the accident sequence from progressing. And actually, maybe it’s clearer if we go back to the previous slide.

It’s probably a little bit clearer here: we can imagine controls as vertical barriers between the causes, the hazard, and the consequences. And then, you know, there’ll probably be some controls.

We’ve got controls linking to all three, and controls are not perfect. Usually, they only reduce the severity of the accident or harm. Others reduce the likelihood of harm.

We’re reducing risk all the time and in addition to those, we have references.


All of our entities in the hazard log may be more fully described in a document or some other artifact.

Maybe we’ve done some modeling to determine how much risk there is. There is a computer model somewhere that says this is how we model the risk and therefore this is what we think the level of risk is.

We refer out to other things, which are under configuration control. They’re not just random bits of paper. They’re actually authorized and dated and version-numbered, and they’re stored somewhere safe.

But of course, I’m getting ahead of myself. Those are the documents.


Maybe we’ve got a database full of documents or maybe we’ve got physical documents or a mixture. The hazard log references those documents.

And if they are electronically stored, some hazard logs will give you the ability to hyperlink to those electronic documents.

You can go into the hazard log; you can follow the audit trail and then get back to the evidence on which all of this is based. You’ve got a complete picture, if you like, of your safety case. Basically, you’ve got your argument here that you’ve managed all of the hazards appropriately.

Let’s say you’ve reduced the risk of your hazards down to an acceptable level, and that’s all documented and justified somewhere else, but you’ve got links to it.

Not all, in fact the minority of hazard logs in my experience, go that far, but it’s, you know, an ideal to aim for. It requires a lot of discipline to link all the documents in and maintain that level of configuration control, but it can be done.

Those are the key elements of a hazard log.

Not all hazard logs will have all of those things. For example, some standards tell you that causes are optional. You don’t have to have causes. Maybe you won’t have hyperlinks to everything etcetera, etcetera.

But most of those things you will have. Personally, I would argue that causes are essential, but that’s another story; we’ll come to that later.
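As an added illustration of the structure just described (this is not code from the lesson, nor from any hazard log tool it mentions), here is a tiny hazard log held as relational tables in SQLite, using the ship-flooding story from above. Every table, column, identifier and sample row is constructed for this example. Note that the schema has no table joining causes to accidents: the only route from a cause to a consequence runs through a hazard, which is exactly the property the lesson stresses, and the bow tie is then just a set of joins around one hazard.

```python
import sqlite3

# Added illustration, not the lesson's own code or any hazard log tool: the entities the
# lesson lists, stored as relational tables. Every table, column, key and sample row is
# constructed for this example (the ship-flooding hazard from the lesson's own story).
SCHEMA = """
CREATE TABLE hazard    (id TEXT PRIMARY KEY, title TEXT NOT NULL, likelihood INTEGER NOT NULL);
CREATE TABLE cause     (id TEXT PRIMARY KEY, title TEXT NOT NULL);
CREATE TABLE accident  (id TEXT PRIMARY KEY, title TEXT NOT NULL, severity INTEGER NOT NULL);
CREATE TABLE control   (id TEXT PRIMARY KEY, title TEXT NOT NULL,
                        effect TEXT NOT NULL CHECK (effect IN ('likelihood', 'severity')));
CREATE TABLE reference (id TEXT PRIMARY KEY, title TEXT NOT NULL, version TEXT NOT NULL);
-- Link tables carry the many-to-many structure. There is deliberately no cause_accident
-- table: the accident sequence always runs cause -> hazard -> accident.
CREATE TABLE cause_hazard    (cause_id TEXT NOT NULL REFERENCES cause(id),
                              hazard_id TEXT NOT NULL REFERENCES hazard(id));
CREATE TABLE hazard_accident (hazard_id TEXT NOT NULL REFERENCES hazard(id),
                              accident_id TEXT NOT NULL REFERENCES accident(id));
-- Controls and references may attach to a cause, a hazard or an accident (any entity id).
CREATE TABLE control_link   (control_id TEXT NOT NULL REFERENCES control(id), entity_id TEXT NOT NULL);
CREATE TABLE reference_link (reference_id TEXT NOT NULL REFERENCES reference(id), entity_id TEXT NOT NULL);
"""


def build_sample_log():
    """In-memory hazard log with one constructed hazard: flooding of a ship."""
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")
    conn.executescript(SCHEMA)
    conn.execute("INSERT INTO hazard VALUES (?, ?, ?)",
                 ("H1", "Flooding: water inside the hull where it should not be", 3))
    conn.executemany("INSERT INTO cause VALUES (?, ?)", [
        ("C1", "Hull breach (hardware failure)"),
        ("C2", "Sea-water pipe rupture (hardware failure)"),
        ("C3", "Hatch left open in heavy weather (erroneous human activity)")])
    conn.executemany("INSERT INTO accident VALUES (?, ?, ?)", [
        ("A1", "Crew drown inside the ship", 4),
        ("A2", "Ship loses buoyancy and founders", 4),
        ("A3", "Ship unbalances and capsizes", 4)])
    conn.executemany("INSERT INTO control VALUES (?, ?, ?)", [
        ("K1", "Hatch-closure checklist in heavy weather", "likelihood"),  # guards a cause
        ("K2", "Bilge pumps remove ingress water", "likelihood"),          # guards the hazard
        ("K3", "Watertight bulkheads limit flooded volume", "severity")])  # guards an accident
    conn.execute("INSERT INTO reference VALUES (?, ?, ?)",
                 ("R1", "Flooding fault tree (constructed reference)", "v2.1"))
    conn.executemany("INSERT INTO cause_hazard VALUES (?, ?)", [("C1", "H1"), ("C2", "H1"), ("C3", "H1")])
    conn.executemany("INSERT INTO hazard_accident VALUES (?, ?)", [("H1", "A1"), ("H1", "A2"), ("H1", "A3")])
    conn.executemany("INSERT INTO control_link VALUES (?, ?)", [("K1", "C3"), ("K2", "H1"), ("K3", "A2")])
    conn.execute("INSERT INTO reference_link VALUES (?, ?)", ("R1", "H1"))
    conn.commit()
    return conn


def bowtie(conn, hazard_id):
    """The bow tie around one hazard: causes on the left, consequences on the right, the
    controls standing between them, and the references that justify the entry."""
    def column(sql, *args):
        return [row[0] for row in conn.execute(sql, args)]

    title, likelihood = conn.execute("SELECT title, likelihood FROM hazard WHERE id = ?",
                                     (hazard_id,)).fetchone()
    causes = column("SELECT cause_id FROM cause_hazard WHERE hazard_id = ? ORDER BY cause_id", hazard_id)
    accidents = column("SELECT accident_id FROM hazard_accident WHERE hazard_id = ? ORDER BY accident_id",
                       hazard_id)
    entities = [hazard_id] + causes + accidents
    marks = ",".join("?" * len(entities))
    controls = conn.execute(
        f"SELECT cl.entity_id, k.id, k.effect FROM control k JOIN control_link cl ON cl.control_id = k.id "
        f"WHERE cl.entity_id IN ({marks}) ORDER BY k.id", entities).fetchall()
    references = column(f"SELECT reference_id FROM reference_link WHERE entity_id IN ({marks}) "
                        "ORDER BY reference_id", *entities)
    return {"hazard": hazard_id, "title": title, "likelihood": likelihood,
            "causes": causes, "accidents": accidents,
            "controls": [{"on": e, "id": k, "effect": eff} for e, k, eff in controls],
            "references": references}


def accident_sequences(conn):
    """Every cause -> hazard -> accident path. The join goes through the hazard table
    because that is the only route the schema gives a cause to an accident."""
    return conn.execute(
        "SELECT ch.cause_id, h.id, ha.accident_id FROM hazard h "
        "JOIN cause_hazard ch ON ch.hazard_id = h.id "
        "JOIN hazard_accident ha ON ha.hazard_id = h.id "
        "ORDER BY ch.cause_id, ha.accident_id").fetchall()


if __name__ == "__main__":
    log = build_sample_log()
    for cause, hazard, accident in accident_sequences(log):
        print(f"{cause} -> {hazard} -> {accident}")
    print(bowtie(log, "H1"))
```

With three causes and three consequences on one hazard, `accident_sequences` yields nine cause-hazard-accident paths, and `bowtie` shows where each control sits: K1 guards a cause, K2 the hazard itself, K3 an accident. The `entity_id` columns in the two link tables are left without a foreign key on purpose, because a control or reference may point at any of the three entity tables; a real tool would enforce that with an extra check.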

Managing Hazard Logs and Hazard Tracking Systems

Yeah, we talked about hazard log management in the sense of what a hazard log allows us to manage and what it allows us to do, more sort of the benefits.

But how do we actually manage a hazard log day to day?

Well, somebody has got to look after the hazard log, an individual or a team of people maybe.

If we’re managing a complex system, things will be happening in the real world which we need to track. Maybe we’ve had incidents, maybe we’ve had near misses, maybe, unfortunately, we’ve had an accident. That information has got to be assessed and we’ve got to put it in the hazard log.

You could have an incident register in your hazard log as well. Or maybe you’ve got a separate incident register. But we need to look at the incidents and we need to look at any trends that are going on and say, well, when we bought the thing or designed the thing, we thought that this hazard would pop up very infrequently, maybe once a year, but actually it’s happening once a month.

We need to change the probability of the hazard. An incident might be that a hazard has occurred but it hasn’t led to an accident; there’s been no actual harm. But we’ve noted that something untoward has happened.

We look at that and go, well, actually the probability is worse or better than what we thought it would be.

And we need to update that hazard log to keep track of that; those two things need to be done.

Decision Support

The reason that we’re doing this is that the hazard log is there to support decisions made by people in authority. And those people in authority need an accurate picture of the risk to say, well, what is the real level of risk?

You know, we said we would go ahead and use the system because we thought the risk was down here.

Maybe now we realized there’s more risk in what we’re doing than we thought.

Can I accept that or do I have to reduce it?

And the hazard log helps us to rank risks and say these are the most important risks.

These are the biggest risks that we should be paying the most attention to because we should be reducing risk.

We should be continuously monitoring to say, you know, is the system running at an acceptable or an unacceptable level of risk?

And the hazard log helps to support those decisions by ranking risks amongst other things.

And then fourthly, we need to do quality control.

Quality Control

At the micro-level, we need to make sure that the data in the hazard log, the information is accurate. It’s up to date. It’s justified. We haven’t just got somebody’s best guess in there if we can do better.

That’s the kind of microscopic level, but there’s also the sort of macro level of quality control, in that I’ve seen hazard logs that have been used as a dumping ground for all sorts of information

that actually has nothing to do with hazards and risks. Okay?

And if that happens, you can end up with a bloated hazard log with hundreds or even thousands of entries, and then that hazard log effectively becomes unusable.

Okay? It’s no longer fit for purpose because there’s so much information in there that we can no longer see the wood for the trees.

We can’t support sensible decision-making because we’re blinded by all this guff, this information that isn’t really pertinent.

We need to do quality control at both those levels, and the one is dependent on the other.

Clearly, if we’ve got a hazard log that’s full of rubbish-quality information, then the trends and the decision-making advice that we’re getting are probably going to be rubbish as well.

But we’ve also got to be aware that if we don’t manage the hazard log properly, we could end up with something that just doesn’t work as a hazard log anymore.

Configuration Control

It’s just got too bloated. And a big part of that is the fifth bullet, which covers both micro and macro quality control: configuration control.

We control the hazard log. We don’t allow just anybody to shove random information in there; we make sure that only authorized people are putting in authorized information, which has been quality checked.

We’re confident that it’s the best quality that we can get. It’s justified.

There’s some evidence that justifies the decisions that we’re making on what we’re putting in the hazard log.

That configuration control is very, very important, and it’s one of the reasons for having an automated tool, a specialist tool, which will do a lot of these things, or help you do a lot of these things, for you.

It’ll help you with the discipline of hazard log management.
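As an added example, not part of the lesson or of any tool it mentions, the following Python models the day-to-day duties described in this section: re-estimating a hazard’s likelihood from incident counts, ranking hazards for the people in authority, flagging entries that lack justification, and refusing changes that are not authorized or not backed by evidence. The likelihood bands, the tolerability score, the list of authorized editors, and all sample hazards and incident numbers are assumptions made up for the example.

```python
from dataclasses import dataclass, field

# Added illustration of the management duties in this part of the lesson (updating likelihood
# from incident data, ranking risks for decision makers, quality and configuration control).
# The likelihood bands, tolerability line, authorizer list, sample hazards and incident counts
# are all constructed; this is not the lesson's own code or any particular tool's behaviour.

# Constructed qualitative likelihood bands: (name, upper bound in events per year).
LIKELIHOOD_BANDS = [("remote", 0.01), ("occasional", 0.1), ("probable", 1.0), ("frequent", float("inf"))]
TOLERABLE_SCORE = 8                                            # constructed tolerability line
AUTHORIZED_EDITORS = {"hazard.log.owner", "safety.manager"}    # constructed configuration-control list


@dataclass
class Hazard:
    id: str
    title: str
    likelihood: str          # a band name from LIKELIHOOD_BANDS
    severity: int            # 1 (minor) .. 4 (catastrophic), worst credible accident
    justification: str       # the evidence the current estimate rests on
    history: list = field(default_factory=list)   # (old band, new band, who, evidence)


class NotAuthorized(Exception):
    pass


class NotJustified(Exception):
    pass


def sample_log():
    """Constructed entries, as they might stand when the system entered service."""
    return {h.id: h for h in [
        Hazard("H1", "Flooding of the hull", "probable", 4, "FT-FLOOD v2.1 (constructed ref)"),
        Hazard("H2", "Man overboard", "occasional", 3, "Fleet incident data 2015-2020 (constructed)"),
        Hazard("H3", "Galley fire", "remote", 2, "Fire risk assessment (constructed ref)"),
        Hazard("H4", "Workshop noise", "remote", 1, ""),        # nobody has justified this one
    ]}


def band_for_rate(events_per_year):
    """Map an observed rate onto the qualitative band it falls in."""
    for name, upper in LIKELIHOOD_BANDS:
        if events_per_year <= upper:
            return name


def risk_score(h):
    """Simple ordinal score: band index (1..4) times severity (1..4)."""
    band_index = [name for name, _ in LIKELIHOOD_BANDS].index(h.likelihood) + 1
    return band_index * h.severity


def rank(log):
    """Highest risk first, so the authority sees what most deserves attention."""
    return sorted(log.values(), key=lambda h: (-risk_score(h), h.id))


def needs_decision(log):
    """Hazards now sitting at or above the tolerability line."""
    return [h.id for h in rank(log) if risk_score(h) >= TOLERABLE_SCORE]


def update_likelihood(log, hazard_id, incidents, period_years, author, evidence):
    """Re-estimate a hazard's likelihood from incident data, under configuration control:
    only an authorized editor may change it, the change must cite evidence, and the
    previous value is kept in the entry's history."""
    if author not in AUTHORIZED_EDITORS:
        raise NotAuthorized(f"{author} may not edit the hazard log")
    if not evidence:
        raise NotJustified(f"no evidence given for changing {hazard_id}")
    h = log[hazard_id]
    new_band = band_for_rate(incidents / period_years)
    h.history.append((h.likelihood, new_band, author, evidence))
    h.likelihood, h.justification = new_band, evidence
    return new_band


def quality_issues(log):
    """Micro-level quality control: entries that are not justified or not well-formed."""
    band_names = [name for name, _ in LIKELIHOOD_BANDS]
    issues = []
    for h in rank(log):
        if not h.justification:
            issues.append((h.id, "no justification"))
        if h.likelihood not in band_names or not 1 <= h.severity <= 4:
            issues.append((h.id, "malformed estimate"))
    return issues


if __name__ == "__main__":
    log = sample_log()
    # We assumed flooding about once a year; a year in service shows twelve incidents.
    update_likelihood(log, "H1", incidents=12, period_years=1.0,
                      author="safety.manager", evidence="Incident register trend review (constructed)")
    for h in rank(log):
        print(h.id, h.likelihood, h.severity, risk_score(h))
    print("needs a decision:", needs_decision(log))
    print("quality issues:", quality_issues(log))
```

The flooding hazard was entered as "probable" (about once a year) and twelve incidents in a year move it to "frequent", so its score rises and it stays at the top of the ranking with a decision required. The two exceptions are the configuration-control discipline from the lesson: an unlisted author, or a change with no evidence behind it, never reaches the log.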


I’ve mentioned tools, here’s a screenshot of actually quite an old tool.

Now it’s quite difficult to get hold of Cassandra but that doesn’t really matter, it’s just an illustration.

This is the kind of view that you get from a purpose-built hazard log tool. It’s built upon a database.

And on the left-hand column here you’ve got some summary information; you can get an overview of how many accidents, hazards, causes, and controls, etcetera. You’ve got some numbers tracking [how many hazards there are at] their different status[es] as they go through the life cycle.

And then typically at the top here we’ve got some basic information: title, description, who put it in, what’s the likelihood, for example. And then at the bottom, on this version we’ve got here, is an overview of all the links to other things.

[Here we are, you can see we are in what were we in? We’re in a test hazard.]

We’ve got links to accidents, controls, causes, references, and history in this database and we can link all of those things together to get that structure to get a picture.

Tool Types

Once we have that structure we can start at any point in the hazard log, you know, we’ve had an incident and then we can follow it through, we can follow the links through to find all the pertinent information, and essentially that’s what the structure does for us.

We might be using a database; very often we might be using a spreadsheet; we might be using a commercial tool as a hazard log or a risk register; or indeed that might be part of a suite of tools that does various things, where we’re linking risk management to configuration management to product management, to whatever it might be.

We might have a suite of tools.

Now, in the second session of these three lessons, I’m going to be talking about commercial tools that are all based on databases.

I’m going to be talking about what you get with a fully-featured commercial hazard log tool, or hazard tracking tool.

Spoiler Alert – Spreadsheets!

And then in the third session, I’m going to be talking about how you implement some of that in a spreadsheet.

Now, it’s important to remember, if we go back up to what we have here, we looked at these key elements; what we’ve got here is a set of relations, and if we store this, what we have is a relational database.

We’ve got many-to-many linkages between different entities.

Okay, now, strictly speaking, we must have a database to do that properly.

However, most people use a spreadsheet, which I know is not a relational database. But if you observe certain rules, you can have a spreadsheet that does some of what a relational database will do, and if you are careful to observe the discipline of setting up the spreadsheet correctly and not corrupting it, then you will get most of the functionality of the database.

Now I can hear the purists howling at me as I say that, but in the real world, most people use a spreadsheet.

I’m sorry. That’s the dirty little secret in safety management. Let’s move on.

Hazard Log Versus Risk Assessment

We’re going to talk now about hazard log versus risk assessment.

These are two very different things, but they are related. On the left there we have risk assessment, as defined in most standards.

This diagram is based upon ISO 31000, which is a very, very common unified risk standard. And in it, risk assessment is defined as risk identification, risk analysis, and risk evaluation.

That is risk assessment. 

Now the hazard log doesn’t do risk assessment, but it supports risk assessment: it enables you to store the results. Okay?

You can record the results of the risk assessment; you can also record the risk treatments. (That’s another word for controls: all the controls and risk reduction measures that you’ve taken.)

You can record the context in there as well.

The Log Enables Good Risk Assessment

And then the hazard log enables good communication and consultation, because certainly with the commercial hazard log tools, or if you make a hazard log with a database, you can use the database functionality to generate bespoke reports for different stakeholders.

The hazard log supports good communication and consultation, which is excellent. You’ve got to do that.

And it also supports monitoring and review, because we’ve got the structure: we can review different aspects, we can review the risks, the hazards, the controls. The structure of the database and the way the hazard log presents things helps us to do that.

That is the relationship of a hazard log with risk assessment.

A hazard log is an entity, it’s a thing. Risk assessment is an activity or a series of activities, but they do go together very well.

One supports the other, right?

What’s the Difference between a Hazard Log and a Risk Register?

Now another very commonly asked question is: what’s the difference between a hazard log and a risk register? And the answer is, in many ways, not very much. They’re both doing basically the same thing. If we go back to, you know, I talked about how the hazard log supports this risk process.

Well, this is a generic risk process; you can apply it to anything. If you had a risk register, it would support the risk process just the same.

That’s the purpose of the risk register. It’s very, very similar to a hazard log.

Hazard Log Differences

However, there are differences. Typically, we are using a hazard log to track safety impacts.

Now, strictly speaking, for safety I prefer the definition where we’re talking only about harm to people, as in most jurisdictions of the world, when we talk about safety, the law says we have to protect people; that’s safety law.

And then there are usually other laws for protecting the environment and then as a business or an enterprise, we might want to protect valuable assets as well.

But the core of it is protecting people.

And a hazard log, or hazard tracking system, is also hazard-centric. You remember the bow tie: the hazard is there in the middle, it’s the core of everything that we do, and it’s the hazards that tie multiple causes and multiple consequences together.

It really is the key to understanding that structure and all those many-to-many relationships.

Risk Register Differences

The thing about a risk register is that we can use it for risks to, or impacts on, just about anything.

I think the ISO 31000 standard defines risk as ‘the effect of uncertainty on objectives’. Whatever you’re doing, if you’ve got a project, you know, you want to deliver something specific at a specific time to a specific cost.

Well, you can look at the risks to those objectives. If your objective is ‘business as usual’, you just want to keep your enterprise running steadily.

Your risk register can look at all the risks that might trip up your enterprise and stop it from working.

Also, you can use it for continuous improvement.

Although usually when we talk about continuous improvement, we start talking about models, like the classic CMM, the Capability Maturity Model. There are various flavors of CMM around the world to do safety, security, finance, all kinds of things. We’ve fallen in love with maturity models. That’s really taking risk management and improvement to the next step.

But of course, to just take the first step on the ladder, we’ve got to start managing stuff and recording stuff consistently; without those basic things, continuous improvement cannot happen. We need a risk register and/or hazard log to do all of that.

Those are some key differences between hazard logs and risk registers. In reality, they are really quite similar.

Risk Events AKA Hazards?

Some risk registers incorporate the idea of a risk event. Well, funnily enough, that sounds rather like a hazard to me. We’ve got all of these latent causes lying around. We’ve got a risk event or a trigger, and then that can realize the risk. If you’ve got a risk register that supports that concept, it’s almost identical to a hazard log.

That’s hazard logs versus risk registers.

There’s More to Come…

That is the end of today’s session. Thanks very much for listening. I hope you enjoyed it. And there’s more to come.

Further Sessions on Hazard Logs and Hazard Tracking Systems

As I said before, in the second session we’re going to look at the features and benefits of commercial hazard log tools.

I showed you a screenshot: what would a fully-featured, purpose-designed database tool do for you, and why would you want to do that?

And if you’re managing a particularly complex or demanding system, it will be worth going to the expense of either buying a tool or designing your own hazard log in a proper relational database.

I’ve seen lots of hazard logs implemented in DOORS, for example, which is a requirements management tool; but of course, you know, some of your requirements are not to hurt people. You can integrate a hazard log into DOORS or into another requirements management tool, provided you set it up properly.

Now, that actually brings us neatly onto the third session, which will be: how do we make a proper hazard log in a spreadsheet?

How do we put a hazard log in a spreadsheet without breaking the fundamental rules?

Because we can set up tables, tabs in a spreadsheet, where each table is a list of entities, be it causes, hazards, controls, references, whatever it might be.

Each one of those is an independent table, and then they link to each other properly using the primary key in each table. So, just like a database does it, we can do that in the spreadsheet, more or less.

Excel, for example, isn’t going to give you all of the features of a properly set-up relational database tool, but for most people it will probably be enough. You’re also going to rely on a lot of self-discipline in controlling the hazard log and operating it in a spreadsheet, but we’ll talk about that in the third session.
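To make concrete what the spreadsheet discipline from the ‘Spoiler Alert’ section and this third-session preview means in practice, here is an added Python example (not the lesson’s spreadsheet, nor any tool it mentions). It treats each tab as an independent table with a primary key plus a single Links tab, then checks the rules that keep the workbook behaving like a relational database: unique keys, keys filed in the right tab, links only to keys that exist, and no link that lets a cause bypass a hazard on the way to an accident. It also shows the ‘start anywhere and follow the links’ traversal from the Tool Types section. The tab layout, the key prefixes and the sample rows, including three deliberate mistakes, are all constructed for this example.

```python
import csv
import io

# Added illustration, not the lesson's own spreadsheet or any commercial tool: hazard log
# "tabs" kept as independent tables, each with a primary key, plus one Links tab that joins
# them. The tab layouts, key prefixes and sample rows are all constructed for this example,
# including three deliberate mistakes that the discipline checks should catch.
TABS = {
    "Hazards":   "id,title,status\nH1,Flooding of the hull,open\nH2,Man overboard,open\nH2,Galley fire,open\n",
    "Causes":    "id,title\nC1,Hull breach\nC2,Hatch left open\nC3,Crew member slips on wet deck\n",
    "Accidents": "id,title,severity\nA1,Crew drown,4\nA2,Ship founders,4\nA3,Crew member lost at sea,4\n",
    "Controls":  "id,title\nK1,Bilge pumps\nK2,Lifelines rigged in heavy weather\n",
    # Mistakes planted on purpose: C3 -> A3 skips the hazard, and H9 does not exist.
    "Links":     "from_id,to_id\nC1,H1\nC2,H1\nH1,A1\nH1,A2\nH2,A3\nK1,H1\nK2,C3\nC3,A3\nH9,A1\n",
}
# Which tab each key prefix belongs to, and which link directions the accident sequence allows:
# causes only reach hazards, hazards only reach accidents, controls may guard any of the three.
TAB_FOR_PREFIX = {"H": "Hazards", "C": "Causes", "A": "Accidents", "K": "Controls"}
ALLOWED_LINKS = {("C", "H"), ("H", "A"), ("K", "C"), ("K", "H"), ("K", "A")}


def parse_tab(text):
    """One spreadsheet tab, exported as CSV, becomes a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def load_workbook(tabs=TABS):
    return {name: parse_tab(text) for name, text in tabs.items()}


def validate(workbook):
    """Return the rule violations found, as sorted strings; an empty list means the
    spreadsheet is still behaving like a relational database."""
    issues, keys = [], set()
    for name, tab in workbook.items():
        if name == "Links":
            continue
        seen = set()
        for row in tab:
            key = row["id"]
            if key in seen:
                issues.append(f"{name}: duplicate primary key {key}")
            seen.add(key)
            if TAB_FOR_PREFIX.get(key[:1]) != name:
                issues.append(f"{name}: key {key} does not belong in this tab")
        keys |= seen
    for row in workbook["Links"]:
        src, dst = row["from_id"], row["to_id"]
        for k in (src, dst):
            if k not in keys:
                issues.append(f"Links: unknown key {k}")
        if src in keys and dst in keys and (src[:1], dst[:1]) not in ALLOWED_LINKS:
            issues.append(f"Links: {src} -> {dst} is not an allowed link (a cause reaches an accident only via a hazard)")
    return sorted(issues)


def follow(workbook, start):
    """Start anywhere in the log and follow the links outward (cause -> hazard -> accident),
    the way a structured log lets you trace an incident through to its consequences.
    Returns the keys visited, in visiting order."""
    forward = {}
    for row in workbook["Links"]:
        forward.setdefault(row["from_id"], []).append(row["to_id"])
    visited, stack = [], [start]
    while stack:
        node = stack.pop()
        if node in visited:
            continue
        visited.append(node)
        stack.extend(sorted(forward.get(node, []), reverse=True))   # smallest key first
    return visited


if __name__ == "__main__":
    wb = load_workbook()
    for problem in validate(wb):
        print("rule broken:", problem)
    print("from C1 we reach:", follow(wb, "C1"))
```

Run against the sample tabs the checker reports exactly the three planted faults (the duplicate H2 key, the C3 to A3 link that bypasses a hazard, and the dangling H9), which is the kind of corruption the lesson warns creeps into a spreadsheet log without discipline; a check like this is cheap to run before every release of the log.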

I talk about lots and lots of safety and risk-related things and some security risk stuff as well at

Please do go and visit, and please subscribe for email updates. You can get some free handouts and also some discounts. Stay in touch with what I’m doing and the lessons and handouts that I’m producing.

Do please subscribe. And it just remains for me to say thank you very much. This lesson was on hazard logs and hazard tracking systems.

I’m Simon, and thank you for watching ‘Hazard Logs and Hazard Tracking Systems’ on the Safety Artisan.

What would you like to know about Hazard Logs and Hazard Tracking Systems?


FAQ on Risk Management

In this FAQ on Risk Management, I will point you to some lessons where you will get some answers to basic questions.

Lessons on this Topic

Welcome to Risk Management 101, where we’re going to go through these basic concepts of risk management. We’re going to break it down into the constituent parts and then we’re going to build it up again and show you how it’s done.

So what is this risk analysis stuff all about? What is ‘risk’? How do you define or describe it? How do you measure it? In Risk Basics I explain the basic terms.

Risk Analysis Programs – Design a program for any system in any application. You’ll be able to:

  • Describe fundamental risk concepts;
  • Define what a risk analysis program is;
  • and much more…

If you don’t find what you want in this FAQ on Risk Management, there are plenty more lessons under Start Here and System Safety Analysis topics. Or just enter ‘risk’ into the search function at the bottom of any page.


Functional Safety Start Here

Functional Safety

The following is a short, but excellent, introduction to the topic of ‘Functional Safety’ by the United Kingdom Health and Safety Executive (UK HSE). It is equally applicable outside the UK, and the British Standards (‘BS EN’) are versions of international ISO/IEC standards – e.g. the Australian version (‘AS/NZS’) is often identical to the British standard.

My comments and explanations are shown [thus].

[Functional Safety]

“Functional safety is the part of the overall safety of plant and equipment that depends on the correct functioning of safety-related systems and other risk reduction measures such as safety instrumented systems (SIS), alarm systems and basic process control systems (BPCS).

[Functional Safety is popular, in fact almost ubiquitous, in the process industry, where large amounts of flammable liquids and gases are handled. That said, the systems and techniques developed by and for the process industry have been so successful that they are found in many other industrial, transport and defence applications.]

SIS [Safety Instrumented Systems]

SIS are instrumented systems that provide a significant level of risk reduction against accident hazards.  They typically consist of sensors and logic functions that detect a dangerous condition and final elements, such as valves, that are manipulated to achieve a safe state.

The general benchmark of good practice is BS EN 61508, Functional safety of electrical/electronic/programmable electronic safety related systems. BS EN 61508 has been used as the basis for application-specific standards such as:

  • BS EN 61511: process industry
  • BS EN 62061: machinery
  • BS EN 61513: nuclear power plants

BS EN 61511, Functional safety – Safety instrumented systems for the process industry sector, is the benchmark standard for the management of functional safety in the process industries. It defines the safety lifecycle and describes how functional safety should be managed throughout that lifecycle. It sets out many engineering and management requirements, however, the key principles of the safety lifecycle are to:

  • use hazard and risk assessment to identify requirements for risk reduction
  • allocate risk reduction to SIS or to other risk reduction measures (including instrumented systems providing safety functions of low / undefined safety integrity)
  • specify the required function, integrity and other requirements of the SIS
  • design and implement the SIS to satisfy the safety requirements specification
  • install, commission and validate the SIS
  • operate, maintain and periodically proof-test the SIS
  • manage modifications to the SIS
  • decommission the SIS

BS EN 61511 also defines requirements for management processes (plan, assess, verify, monitor and audit) and for the competence of people and organisations engaged in functional safety.  An important management process is Functional Safety Assessment (FSA) which is used to make a judgement as to the functional safety and safety integrity achieved by the safety instrumented system.

Alarm Systems

Alarm systems are instrumented systems designed to notify an operator that a process is moving out of its normal operating envelope to allow them to take corrective action.  Where these systems reduce the risk of accidents, they need to be designed to good practice requirements considering both the E,C&I design and human factors issues to ensure they provide the necessary risk reduction.

In certain limited cases, alarm systems may provide significant accident risk reduction, where they also might be considered as a SIS. The general benchmark of good practice for management of alarm systems is BS EN 62682.

BPCS [Basic Process Control Systems]

BPCS are instrumented systems that provide the normal, everyday control of the process.  They typically consist of field instrumentation such as sensors and control elements like valves which are connected to a control system, interfaced, and could be operated by a plant operator.  A control system may consist of simple electronic devices like relays or complicated programmable systems like DCS (Distributed Control System) or PLCs (Programmable Logic Controllers).

BPCS are normally designed for flexible and complex operation and to maximize production rather than to prevent accidents.  However, it is often their failure that can lead to accidents, and therefore they should be designed to good practice requirements. The general benchmark of good practice for instrumentation in process control systems is BS 6739.”

[To be honest, I would have put this the other way around. The BPCS came first, although they were just called ‘control systems’, and some had alarms to get the operators’ attention. As the complexity of these control systems increased, cascading alarms became a problem and alarms had to be managed as a ‘thing’. Finally, the process industry used additional systems, when the control system/alarm system combo became inadequate, and thus the terms SIS and BPCS were born.]

[It’s worth noting that for very rapid processes, where a human either cannot intervene fast enough or lacks the data to do so reliably, the SIS becomes an automatic protection system, as found in rail signaling systems or ‘autonomous’ vehicles. Also, for domains where there is no ‘fail-safe’ state, for example in aircraft flight control systems, the tendency has been to engineer multiple, redundant, high-integrity control systems, rather than use a BPCS/SIS combo.]


The above text is reproduced under Creative Commons Licence from the UK HSE’s webpage. The Safety Artisan complies with such licensing conditions in full – for details see here.

[Functional Safety – END]


Preliminary Hazard Identification & Analysis Guide

Get your free Preliminary Hazard Identification & Analysis, PHIA Guide here!


Hazard Identification is sometimes defined as: “The process of identifying and listing the hazards and accidents associated with a system.”

Hazard Analysis is sometimes defined as: “The process of describing in detail the hazards and accidents associated with a system and defining accident sequences.”

Preliminary Hazard Identification and Analysis (PHIA) helps you determine the scope of safety activities and requirements. You can identify the main hazards likely to arise from the capability and functionality being provided. Perform it as early as possible in the project life cycle. Thus, you will provide important early input to setting Safety requirements and refining the Project Safety Plan.

PHIA seeks to answer, at an early stage of the project, the question: “What Hazards and Accidents might affect this system and how could they happen?”


The aim of the PHIA is to identify, as early as possible, the main Hazards and Accidents that may arise during the life of the system. It provides input to:

  1. Scoping the subsequent Safety activities required in any Safety Plan. A successful PHIA will help to gauge the effort likely to be required to produce an effective Safety Case, proportionate to the risks.
  2. Selecting or eliminating options for subsequent assessment.
  3. Setting the initial Safety requirements and criteria.
  4. Subsequent Hazard Analyses.
  5. Initiating the Hazard Log.


Perform a PHIA as early as possible in order to obtain maximum benefit. Use it to understand what the Hazards and Accidents are, why, and how they might be realized. A PHIA is an important part of Risk Management, project planning, and requirements definition. It helps you to identify the main system hazards and helps target where a more thorough analysis should be undertaken.

Usually, PHIA is based on a structured brainstorming exercise, supported by hazard checklists. A structured approach helps to minimize the possibility of missing an important hazard. It also demonstrates that a thorough and comprehensive approach has been applied.



My CISSP Exam Journey

Here is a video about my CISSP exam journey.

I’ve just passed the Certified Information Systems Security Professional (CISSP) Exam, which was significantly updated on 1st May 2021. In this 30-minute video I will cover:

  • The official CISSP course and course guide;
  • The 8 Domains of CISSP, and how to take stock of your knowledge of them;
  • The official practice questions and the Study Guide;
  • The CISSP Exam itself; and
  • Lessons learned from my journey.

I wish you every success in your CISSP journey: it’s tough, but you can do it!

To get a full course on what’s new in all eight Domains of the CISSP Exam outline Click Here.

Transcript: My CISSP Exam Journey


Hi, Everyone,

My name is Simon Di Nucci and I’ve just passed the new CISSP exam; for those of you that don’t know what that is, that’s the Certified Information Systems Security Professional. It’s new because, although the exams have been around a long time, the syllabus and the exam itself have undergone a significant change as of the 1st of May this year. I’m probably one of the first people to pass the new exam, which I have to tell you was a great relief, because it really was a tough exam and it was tough preparing for it.

It was a big mountain to climb. I am very, very relieved to have passed. Now, I hope to share some lessons with you. When I mentioned that I passed on the cybersecurity groups on Facebook and LinkedIn, I got a huge response from people who appreciated how difficult it is to do this and also lots of questions. And whilst I can’t talk about the specifics of the exam, that’s not allowed, I can share some really useful lessons learned from my journey.


So I’m going to be talking about what I did:

  1. The Official Course, and the Student Guide;
  2. How I took stock at the start of the revision process;
  3. How I revised using the practice questions and the Study Guide;
  4. Something about the exam itself; and
  5. Lessons learned.

So those are the five topics that I’m going to be talking about.

The Official Course

So let’s get on with it.  My journey was that two, three years ago, the firm that I worked for decided that they wanted me to take the CISSP exam in order to improve our credibility when doing cybersecurity and my credibility.

And I was sent on a five-day course, which was very intense; it was the official ISC2 course. That was several hundred slides a day for five days. It was very intense. And as you can see, the guide that you get is a pretty hefty eight hundred pages of closely packed and high-quality material. I was taught by someone who was clearly a very experienced expert in the field.

It was a good quality course. It cost about $3,700 (Australian). I think that’s about $2,500 (US). In terms of the investment, I think it was worth it, because it covered a lot of ground and I was very rusty on a lot of this stuff. It was a useful ‘crammer’ to get back into this stuff. As I said, [the Study Guide is] 800 pages long. I’ve done a lot of revising!

And if we pick a couple of pages at random: I’m the kind of person who likes to highlight the book, and I’ve been all the way through this book at least twice, highlighting as I go and making notes. That’s just the way I do things. But I think it’s useful to illustrate the effort involved in order to absorb a huge tome of information like this.

Let’s put that to one side. The course was very good, but of course it takes some time out of your schedule to do it. You need the money and the support from your workplace to be able to do that. There are now online courses, which I haven’t been on, so I can’t say how good they are, but they are cheaper and they’re spread out. I think you do a day or two per week for a period of several weeks.

And I think that’s got to be really good, because you’re going to have more time to consolidate this huge amount of information. No disrespect to the face-to-face course, it was very good, but I think the online courses could be even better and a lot more accessible. So that was the course.

Now, I did that in November 2019 and I intended to do some revision and then take the exam probably in early 2020, you know, March, April time. Now, as we know, global events got in the way of that and all the exam centres were closed down. I couldn’t do that. Basically I sort of forgot about it for a period of months. And then at the tail end of 2020, as things began to improve here in Australia at least (we’ve been very lucky here), exam centres reopened and I thought, well, I really should get back and try and schedule the exam, do some revision and get on with it.

So I did. And starting in the January of this year, I got my management’s agreement that I would spend one day a week working from home, revising, and that’s what I did. Given that I took the exam in the middle of May, that’s probably 18 full days of revision going through the material, and I needed it. Originally, I was going to take the exam, I think, in early April, but I realised at the end of March that I was not ready and I needed more time.

So I put the exam date back to the middle of May. And it was only after I’d done that that it was announced that the syllabus of the exam was changing quite significantly. That was extra work then. Fortunately, they brought out the official guide to the new exam, and I realised that there was quite a lot of material to learn. I went through it; for example, there are eight domains in CISSP.

And for example, here’s Domain Number Two, Asset Security. In the pink, I have highlighted all the new things that are in the 1st of May Edition syllabus that were not in the 2018 syllabus. I went through all of these things and there are quite a few in almost every domain except the first one. There are significant changes. I had to do a lot of extra revision because the syllabus had changed, but nevertheless it was doable.

Taking Stock

Going back to January 2021, I started off by getting out the Official Practice Tests. Fortunately, my firm bought this book and the Study Guide, which we will come on to in a minute. This [the Official Practice Tests book] is $40 (US) and it’s worth its weight in gold, because in here there are 1,175 practice questions. There are 100 questions for each of the eight domains, plus there are three practice papers of 125 questions each: a total of 1,175 questions.

It was very, very useful to me because, out of the eight domains I had some background in four, but not in the other four. Just to let you know, I did 20 years in the Air Force. I worked in software maintenance. In my day job I’m a safety risk assessor, so I’m pretty good at risk assessment and governance.

So domain Number One, Security and Risk Management.  There are a lot of similarities with safety. I had a lot of experience of security in the forces, I was pretty good on Number One. Domain Number Two, Asset Security. Again, I was used to working in an area where we were protecting a lot of classified material. I had a strong background in that. And then jumping to the end, Domain Number Seven, Security Operations: physical security, disaster recovery, that kind of stuff.

Again, I’ve got a lot of background there. And then finally, Software Development Security. I hadn’t been involved in the development of secure software, but I’ve been involved in software development on a massive scale, as well as in maintenance for military systems, which was done in a secure environment. So I had a pretty strong background in those four domains: Numbers One, Two, Seven and Eight.

However, the middle four domains I was quite weak on. So Security, Architecture and Engineering, all the networking type stuff, Communications and Network Security, Identity and Access Management (IAM), and Security Assessment and Testing – I had not really been involved in that stuff much at all. I was quite weak in those areas.

When I started revising, as you can see in the first column, I did ten questions from each domain and I scored myself to see how I got on. And as you can see, the green indicates that I got the score required, which is seventy percent.

I only got seven out of ten in three out of eight domains. And in fact my scores varied widely: in Domain Number Four, I got one out of ten; in Domain Number Six, I got three out of ten. Overall I got, I think it was, forty-three out of eighty, and the pass mark out of eighty questions would be about fifty-six. I was well, well short of the pass mark at the beginning, but this was very useful because it allowed me to take stock and confirm what I was strong in and what I was weak in.

And then that helped me to focus my revision. And then, as you can see, I continued to test myself as I went through the process. And again, this confirms what I’ve said: in Domains One and Two, lots of green all the way through; Domains Seven and Eight, lots of green all the way through. Not always; I did stuff up there, and there we go, I stuffed up that one there, as you can see, I only got six out of ten. But I was much, much weaker in the middle.

And it took a lot of work before I was getting a consistent seven out of ten every day. I did about four hundred and eighty of those practice questions, plus I did a couple of the practice papers, so I probably did about six hundred questions and then looked at where I’d gone wrong. That was quite a tough process, but as I say, the official practice tests are really, really excellent and really pointed out to me what I didn’t know and the further work that I needed to do.

So that was taking stock.

Practice Questions

I looked at the practice questions. Unfortunately, one of the things that I learned while doing the practice questions was that a lot of questions were testing knowledge that I had not been taught in the course. I looked at a total of about 400 questions and I found that the amount of material that was not talked about in the Official Course was about 20 percent overall (I would say in some domains it was lower).

So in Domain One, I reckoned about 14 percent of the questions were on untaught material, and in Domain Three, it was about 16 percent. But actually that varied: in Domain Four, about one third of the questions tested knowledge that wasn’t taught in the course, and Domain Six went up as high as 45 percent. On average, maybe twenty to twenty-five percent of the material in the practice questions was not covered in the green and white Student Guide that I showed you.

So that was a bit of a shocker, to be honest. I was horrified about that. But it did spur me to go and learn a whole bunch of other stuff, and fortunately, almost everything that was missing from the Student Guide (the green and white book) was in this [book]. I refer to this as the black book because it’s got a black spine. It’s got a black and white cover. This is the Official Study Guide.

This is $70 (US) or $110 (Australian), something like that. Again, this is worth its weight in gold. This is a thousand pages of very dense material. There’s an awful lot of good stuff in here. And in fact, I think there are twenty-one chapters and there are about 20 practice questions for each chapter, so there are another 400 plus practice questions in this book alone. Again, it’s well worth getting.

And this book has got a lot of information in it that is not in the official course, or was not in the course that I did in late 2019. Of course, I can’t speak for other courses. The material in here is also very readable and it tells a story. The Student Guide, the green and white book, really is about cramming information into you. But when you read this book, it really helps you consolidate information.

I found this very, very helpful, and I found that the way the information was got across in this book is much more helpful. It told the story. It explained why things are as they are, and that really helped the information to go into my head and stay there, OK? And that was terrifically helpful for the exam. I would not have passed the exam without this book, I have no doubt whatsoever, and I would not have passed the exam if I had not done so many practice questions.

And I really don’t think it matters what background you’ve got. The exam is so broad and the syllabus is so broad that it doesn’t matter what experience you’ve got; you’re not going to have the full breadth of knowledge that you need to pass the exam unless you use the study materials. You know, seventy US dollars as opposed to two thousand five hundred: that’s really good value for money. And again, forty US dollars as opposed to two thousand five hundred, really good value.

So that’s, by the way... I am not an affiliate of (ISC)2. I’m not making any money out of it. I’m just telling you the way it was for me. That was my revision process from January through to early May, and I got a lot better and a lot more consistent at answering the questions, which was good. But then, of course, it came to the day of the exam itself.

Doing the Exam

I took the exam in English, which is a computer-based test. There are up to, I think, 125 multiple-choice questions. There are four potential answers for each question, but the Computer Adaptive Testing (CAT) takes account of how well you do the questions, and you don’t necessarily get to answer all 125. The exam stops when it’s ready, when the computer has assessed whether you’ve passed or failed.

So a quick word about going to the exam. It was a very professional set-up. I went to a centre in the centre of Adelaide, where I live. Do read very carefully the information they give you about what you need. You need to take two forms of I.D. and to wear a face mask. Even though we’re very relaxed here about COVID, I still had to wear a face mask. You’ve got to submit to a palm scan (an ID scan), and put all your stuff in a locker.

They check you very thoroughly to make sure you’re not cheating in any way, and that security all takes time. You’ve got to arrive half an hour early. Do arrive early. Do look up all the information about what you need before you turn up. Here in Australia, wearing face masks is not very common because we have no community transmission, so it was a surprise to some people when they rocked up to the exam centre and got told you have to wear a mask. Wherever you are, do look up what you’ve got to do, because obviously nobody wants to be rushing around trying to get a face mask at the last minute. That’s just not what you need when you’ve got to take a big exam.

The exam was three hours, very tightly controlled, as I say, very professional. I’m not going to tell you anything about the specific exam questions, but what I can tell you is that the exam was a lot better in many ways than the practice questions.

There are a lot of practice questions that make you wonder, what is the point of them? There are lots of questions where you have to choose between different categories: say, what category of fire extinguisher do you need for such-and-such a fire? What type of testing is this, is it ‘Type One’ or ‘Type Two’? What type of failure is this? Lots of rather mechanistic questions, where I’m looking at these questions and thinking, what on earth for? Why would you need to know this to do cybersecurity? It doesn’t make any sense.

I checked my thoughts with other people in the business who have got a different background to me. And they agree there were lots of questions in here that just did not make a lot of sense. They were sort of test fodder, I would say, but there were very few of those type of questions in the exam. Okay, the exam was much better in that respect than the practice questions.

But there was still, I reckon, about twenty percent of the exam questions that were not taught in the course, and some stuff that wasn’t in the Study Guide. You do need to read around; experience in any of the domains is useful, and you need to read around a bit if you possibly can. Now, that is possible, but it’s tricky. I mean, here we have the CISSP body of knowledge suggested references, and there are 52 references in here, 52.

And of course, the first reference is the official course guide. And the third one, I think, is the... my apologies, the first one is the Study Guide. That’s a thousand pages. And there are thousands and thousands of pages in these references. You can’t possibly read them all. My thoughts would be to get online, do some research and ask around, and get some more focussed learning, because you can’t read all of this stuff.

And similarly, there is an official CISSP glossary. Here it is. And there are 50 pages of this glossary, including all the references. There are actually four hundred and twenty-three defined terms in here. But actually this is a bit out of date. A lot of the terms in here are not much use. There are lots of terms that you learn in the Study Guide that are not in here, not even from the old syllabus, let alone new ones.

So that’s not a great deal of use. Going back to the exam, there were, I’m glad to say, very few silly questions about, you know, is this a type ABCDE of what have you? Very little of that. There were lots more what I would say good questions, questions that really test your knowledge of cybersecurity, whether you know what you’re talking about. Lots of scenario-based questions where you have to reason through the scenario and think about what’s the correct answer.

There are tough questions. I sat there in the exam and thought, you know, I’ve failed this for sure, because when I was doing the practice questions – I’m pretty good at learning how to pass an exam, that’s one of the things I’ve always been good at – I got good at learning to pass the practice questions, to the point where for at least 50 percent of the questions I thought, yeah, I know that.

I know that. I know that. I know that. I got pretty good. When I went into the exam, almost every question I had to think very carefully about; it was hard work. But on the other hand, it does mean it’s really testing your understanding of cybersecurity, and your ability to reason through the information that they give you and come up with the best answer. There’s a lot more judgement involved in the exam than there is in some of the rather mechanistic questions in here.

There’s a lot more thinking; be ready to go in and do that thinking, OK? And on that point, when you go in, don’t get psyched out. It seemed to me that there were a lot of tough questions in the early part of the exam, and I think early on it would be easy to get disheartened and give up and go, ‘There’s no way I could do this.’ But keep going, because it did seem to get easier, and I say easier: it wasn’t quite as tough as when they hit you at the start with a lot of really hard questions.

Some things seemed to come up more than others, it seemed to me, but that’s probably the computer adaptive testing. Maybe I made some mistakes early on, and then the computer comes back and hits you again on those topics later, just to push you to make sure that you do understand it. And I must have done well enough, because after one hundred and five questions the test stopped and said, you’ve got to go and get your results.

And at that point I thought, one hundred and five questions, is that good or bad? I just don’t know. I thought I would not have been surprised to have failed, but I did. The computer doesn’t tell you whether you’ve passed or not. It just says the exam has come to an end. Don’t freak out when it stops. It doesn’t mean that you failed. Just, you know, do whatever you have to do to follow the rules.

Put your hand up to finish the exam and then you’ll find out. And I got handed a piece of paper when I came out saying, congratulations, you’ve passed. I was so relieved, what a relief! So, yeah, there are significant differences between what’s in the exam and what’s in the practice questions. But nevertheless, I would say it’s still worth doing the practice questions. That was the exam. One more thing to say about the exam: you know, I mentioned that there were lots of things that were not taught in the book.

It says we don’t ask you about commercial tools or anything like that, yet in the practice questions there are lots of questions on tools. There are lots of questions about things that they say they will not test you on, which is annoying. But those things did not appear in the exam. Take heart. The exam is a lot more honest than, dare I say, the practice questions.

Lessons Learned

What lessons did I learn from all of this? I would say, first of all, if you can get on a course, either face to face or online, it is worth it. I had learned a lot of the [taught] information before, and I learned to program computers decades ago. I learned a lot of security; I’d learned a lot of technical stuff in the early part of my career. As I said before, I was strong on four out of eight of the domains, but I was still pretty rusty in a lot of subjects, and there is a lot of information to cram in. I think probably going on a course helps you cram that information.

But the course itself is not going to be enough. I do think you need to do the practice questions. You need to take stock and get a realistic picture of what you know and what you don’t know. Then there are usually quite detailed answers in [the book] as to why one answer is correct and the other three are not correct. It’s worth reading those carefully and making further notes.

It’s worth [mentioning], while we’re referring to the Study Guide, one of the areas that the original course did not cover very well at all. There was very little on attacks and defences. There wasn’t a lot about different types of cyber-attack and how you defend against them. And, you know, different architectures are vulnerable to this kind of attack and other architectures are vulnerable to a different kind of attack, and what’s the best way to defend? There was almost nothing about that. There’s some stuff about it in the practice questions. There’s more stuff about it in Chapter 21 [of the Study Guide] especially, as that’s all about different attacks.

But even the information in here was not really, I would say, in enough depth to answer quite a lot of the exam questions. There were quite a lot of exam questions about this scenario-based attack and defence. As I say, that’s this version of the book; maybe the new version of the book that’s coming out this month will have more in that area. I hope so, because that’s what you’re going to need.

So if you don’t find enough information on the scenario-based attack and defence, then I would suggest you need to go online and find a good source of material about that. And I’m afraid I can’t recommend one to you, because I have not had time to go out and search the Internet and look at what’s out there and say, oh, yeah, that’s a really good source of reliable information on that. To be honest, I may not even be the right person to make that judgement.

So if you can go and find a good source of information about cyber-attacks and cyber defences, and strategies for defending different types of architecture and different set-ups, then I would highly recommend you do that. And in fact, when you see this, if anybody out there has got some suggestions about where to look on the Internet to get that stuff, then do please send in your comments and share that knowledge with other people. Because, as I say, I don’t have the background to be able to say where’s a good place to go.

Maybe you do. Please give us your thoughts on where a good place to get that knowledge would be. Well, I’ve talked enough. It was a long, hard road, and I’m relieved to have got through the exam. I’m now going to apply to get my full CISSP membership, which hopefully I’ve got the experience to get. That’s the beginning of my cybersecurity management journey.

And I wish you every success in your efforts to pass the exam. It’s tough, but you can do it.


Risk Management 101

Welcome to Risk Management 101, where we’re going to go through these basic concepts of risk management. We’re going to break it down into the constituent parts and then we’re going to build it up again and show you how it’s done. I’ve been involved in risk management, in project risk management, safety risk management, etc., for a long, long time.  I hope that I can put my experience to good use, helping you in whatever you want to do with this information.

Maybe you’re getting an interview. Maybe you want to learn some basics and decide whether you want to know more about risk management or not.  Whatever it might be, I think you’ll find this short session really useful. I hope you enjoy it and thanks for watching.

Risk Management 101, Topics

  • Hazard Identification;
  • Hazard Analysis;
  • Risk Estimation;
  • Risk [and ALARP] Evaluation;
  • Risk Reduction; and
  • Risk Acceptance.

Risk Management 101, Transcript


Hi everyone and welcome to Risk Management 101. We’re going to go through these basic concepts of risk management. We’re going to break it down into the constituent parts. Then we’re going to build it up again and show you how it’s done.

My name is Simon Di Nucci and I have a lot of experience working in risk management, project risk management, safety risk management, etc. I’m hoping that I can put my experience to good use, helping you in whatever you want to do with this information. Whether you’re going for an interview or you want to learn some basics, you can watch this video and decide whether you want to know more about risk management or not. Whatever it might be, you’ll find this short session useful. I hope you enjoy it and thanks for watching.

Topics For This Session

Risk Management 101. So what does it all mean? We’re going to break risk management down into six constituent parts. I’m using a particular standard that breaks it down this way. Other standards will do this in different ways; we’ll talk about that later. Here we’ve got risk management broken down into: hazard identification, hazard analysis, risk estimation, risk evaluation (and ALARP), risk reduction, and risk acceptance.

Risk Management

Let’s get right on to that. Risk management – what is it? It’s defined as “the systematic application of management policies, procedures and practices to the tasks of hazard identification, hazard analysis, risk estimation, risk and ALARP evaluation, risk reduction, and risk acceptance”.

There are a couple of things to note here. We’re talking about management policies, procedures and practices: the ‘how’ we do it, whether it’s a high-level policy or low-level common practice, e.g. how things are done in our organisation versus how the day-to-day tasks are done. It’s also worth saying that when we talk about ‘hazards’, that’s a safety ‘ism’. If we were doing security risk management, we would be talking about ‘threats’. In day-to-day language we might talk about ‘causes’: something causing a risk or leading to a risk. More on that later, but that’s an overview of what risk management is.

Part 1

Let’s look at it in a different way. For those of you who like a visual representation, here is a graph of the hierarchical breakdown. The steps need to happen in order, more or less, left to right. And as you can see, there’s a link between risk evaluation and risk reduction; we’ll come on to that. So it’s not simply a serial ‘this is what you have to do’; sometimes the steps are linked together more intimately.

Hazard Identification

First of all, hazard identification. So, this is the process where we identify and list hazards and accidents associated with the system. You may notice that some words here are in bold. Where a word is in bold, we are going to give the definition of what it is later.

These hazards could lead to an accident, but we are only concerned with those associated with the system: that’s the scope. If the system we were talking about was an aeroplane, or a ship, or a computer, we would have a very different scope, and there would also be different ways in which accidents might happen.

On a more practical level, how do we do hazard identification? I’m not going to go into any depth here, but there are certain classic ones. We can consult with our workers and inspect the workplace where they’re operating; in some countries that’s a legal requirement (including in Australia, where I live). Another option is to look at historical data; indeed, in some countries and in some industries that’s a requirement, meaning we have to do it. And we can use special analysis techniques. Now, I’m not going to talk about any of those analysis techniques today. You can watch some other sessions on The Safety Artisan to see that.

Hazard Analysis

Having done hazard identification, we’ve asked ourselves ‘What could go wrong?’. Now we can put some more detail on and ask, ‘How could it go wrong? And how often?’. So we want to go into more detail about the hazards and accidents associated with this particular system, and that will help us to define some accident sequences. We can start with something that creates a hazard, and then the hazard may lead to an accident. That’s what we’re talking about. We will show that using graphics later, which will be helpful.

But again, more on terminology. In different industries, we call it different things. We tend to say ‘accident’ in the UK and Australia. In the U.S., they might call it a ‘mishap’, which is trying to get away from the idea that something was accidental. Nobody meant it to happen. Mishap is a more generic term that avoids that implication. We also talk about ‘losses’ or we talk about ‘breaches’ in the security world. We have some issue where somebody has been able to get in somewhere that they should not. And we can talk about accident sequences. Or, in a more common language, we call it a sequence of events. That’s all it is.

Risk Estimation

Now we’re talking about risk estimation. We’ve thought about our hazards and accidents and how they might progress from one to another. Let’s think about, ‘How big is the risk of this actually happening?’. Again, we’ll unpack this further later at the next level. But for now, we’re going to talk about the systematic use of available information. Systematic, so ordered: we’re following a process. This isn’t somebody on their own taking a subjective view, ‘Look, I think it’s not that’. It’s a process that is repeatable. We want to do something systematic: it’s thorough, it’s repeatable, and so it’s defensible. We can justify the conclusions that we’ve come to because we’ve done it with some rigour, in a systematic way. That’s important, particularly if we’re talking about harm coming to people or big losses.

Risk and ALARP Evaluation

Now, risk evaluation is just taking the risk we’ve just estimated and comparing it to something and saying, “How serious is this risk?”. Is it something that is very low? If it’s very insignificant then we’re not bothered about it. We can live with it. We can accept it. Or is it bigger than that? Do we need to do something more about it? Again, we want to be systematic. We want to determine whether risk reduction is necessary. Is this acceptable as it is or is it too high and we need to reduce it? That’s the core of risk evaluation.

In this UK-based standard, we’re using terminology that is found in different forms around the world. But in the UK, they talk about ‘tolerability’. We’re talking about the absolute level of risk. There probably is an upper limit that’s allowed in the law or in our industry. And there’s a lower limit that we’re aiming for. In an ideal world, we’d like all our risks to be low-level risks. That would be terrific.

So, that’s ‘tolerability’. And you might hear it called different things. And then within the UK system, there are three classes of ‘tolerability’ of risk. We could say it’s ‘broadly acceptable’, meaning it’s very low. It’s down in the target region where we like to get all our risks. Or it’s ‘tolerable’, meaning we can expose people to this risk or we can live with this risk, but only if we’ve met certain other criteria. And then there’s the risk that is so big, so far up there, that we can’t do that. We can’t have that under any circumstances. It’s unacceptable. You can imagine a traffic light system where we have categorised our risk.

And then there’s the test of whether our risk can be accepted in the UK. It’s called ALARP. We reduce the risk As Low As Reasonably Practicable. And in other places, you’ll see SFARP. We’ve eliminated or minimised the risk So Far As Is Reasonably Practicable. In the nuclear industry, they talk about ALARA: As Low As Reasonably Achievable. And then different laws use different tests. Whichever one you use, there’s a test that we have got to use to say, “Can we accept the risk?” “Have we done enough risk reduction?”. And whatever you’ve put in those square brackets, that’s the test that you’re using. And that will vary from jurisdiction to jurisdiction. The basic concept of risk evaluation is estimating the level of risk. Then compare it to some standard or some regulation. Whatever one it might be, that’s what we do. That’s risk evaluation.

Risk Reduction

We’ve asked, “Do we need to reduce risk further?”. And if we do, we need to do some risk reduction. Again, we’re being systematic. This is not some subjective thing where we go “I have done some stuff, it’ll be alright. That’s enough.”. We’re being a bit more rigorous than that. We’ve got a systematic process for reducing risk. And in many parts of the world, we’re directed to do things in a certain way.

This is an illustration from an Australian regulation. In this regulation, we’re aiming to eliminate risk. We want to start with the most effective risk reduction measures. Elimination is “We’ve reduced the risk to zero”. That would be lovely if we could do that but we can’t always do that.

What’s the next level? We could get rid of this risk by substituting something less risky. Imagine we’ve got a combustion engine powering something. The combustion engine needs flammable fuel and it produces toxic fumes. It could release carbon monoxide and CO2 and other things that we don’t want. We ask, “Can we get rid of that?”. Could we have an electric motor and a battery instead? That might be a lot safer than the combustion engine. That is a substitution. There are still risks with electricity. But by doing this we’ve replaced something risky with something less risky.

Or we could isolate the hazard. Let’s use the combustion engine as an example again. We can say, “I’ll put that, with its fuel and its exhaust, somewhere a long way from people. Then it’ll be a long way from where it can do harm or cause a loss.” And that’s another way of dealing with it.

Or we could say, “I’m going to reduce the risks through engineering controls”. We could put in something engineered. For example, we can put in a smoke detector. A very simple, therefore highly reliable, device. It’s certainly more reliable than a human. You can install one that can detect some noxious gases. It’s also good if it’s a carbon monoxide detector. Humans cannot detect carbon monoxide at all. (Except if you’ve got carbon monoxide poisoning, you’ll know about it. Carbon monoxide poisoning gives you terrible headaches and other symptoms.) But of course, that’s not a good way to detect that you’re breathing in poisonous gas. We do not want to do it that way.

So, we can have an engineering control to protect people. Or we can have an interlock. We can isolate things in a building or behind a wall or whatever. And if somebody opens the door, then that forces the thing to cut out so it’s no longer dangerous. There are different things for engineering controls that we can introduce. They do not rely on people. They work regardless of what any person does.

Next on the list, we could reduce exposure to the hazard by using administrative controls. That’s giving somebody some rules or a procedure to follow. “Do this. Don’t do that.” Now, that’s all good. We can give people warning signs and warn people not to approach something. But, of course, sometimes people break the rules for good reasons. Maybe they don’t understand. Maybe they don’t know the danger. Maybe they’ve got to do something or maybe the procedure that we’ve given them doesn’t work very well. It’s too difficult to get the job done, so people cut corners. So, procedural protection can be weak. And a bit hit and miss sometimes.

And then finally, we can give people personal protective equipment. We can give them some eye protection. I’m wearing glasses because I’m short-sighted. But you can get some goggles to protect your eyes from damage. Damage like splashes, flying fragments, sparks, etc. We can have a hard hat so that if we’re on a building site and something drops from above on us that protects the old brain box. It won’t stop the accident from happening, but it will help reduce the severity of the accident. That’s the least effective. We’re doing nothing to prevent the accident from happening. We’re reducing the severity in certain circumstances. For example, if you drop a ton of bricks on me, it doesn’t matter whether I’m wearing a hard hat or not. I’m still going to get crushed. But with one brick, I should be able to survive that if I’m wearing a hard hat.

Risk Acceptance

Let’s move on to risk acceptance. At some stage, we have reduced the risk to a point where we can accept it. We can live with it, and we’ve decided that we need to do whatever it is that is exposing us to the risk. We need to use the system. We want to get in our car to enable us to go from A to B quickly and independently. So, we’re going to accept the risk of driving in our car. We’ve decided we’re going to do that. We make risk acceptance decisions every day, often without thinking about it. We get in a car every day on average and we don’t worry about the risk, but it’s always there. We’ve just decided to accept it.

But in this example we’ve got, it’s not an individual deciding to do something on the spur of the moment. Nor is it based on personal experience. We’ve got a systematic process where a bunch of people come together. The relevant stakeholders agree that a risk has been assessed or has been estimated and has been evaluated. They agree that the risk reduction is good enough and that we will accept that risk. There’s a bit more to it than you and I saying, “That’ll be alright.”

Part 2

Let’s summarise where we’ve got to. We’ve talked about these six components of risk management. That’s terrific. And as you can see, they all go together. Risk evaluation and risk reduction are more tightly coupled. That’s because when we do some risk reduction, we then re-evaluate the risk. We ask ‘Can we accept it?’. If the answer is ‘No.’ we need to do some more work. Then we do some more risk reduction. So those tend to be a bit more coupled together at the end. That’s the level we’ve got to. We’re now going to go to the next level.

So, we’re going to explain these things. We’ve talked about hazard identification and hazard analysis, but what is a hazard? And what is an accident? And what is an accident sequence? We’re going to unpack that a bit more. We’re going to take it to the next level. And throughout this, we’re talking about risk over and over again. Well, what is ‘risk’? We’re going to unpack that to the next level as well. It all comes down to this anyway. This is a safety standard. We’re talking about harm to people. How likely is that harm and how severe might it be? But it might be something else. It might be a loss or a security breach. It might be a financial loss. It might be a negative result for our project. We might find ourselves running late. Or we’re running over budget. Or we’re failing to meet quality requirements. Or we’re failing to deliver the full functionality that we said we would. Whatever it might be.


So, let’s unpack this at the next level. A hazard is a term that we use, particularly in safety. As I say, we call it other things in different realms. But in the safety world, it’s a physical situation or it’s a state of a system. And as it says, it often follows from some initiating event which we may call a ‘cause’. And the hazard may lead to an accident. And the key thing to remember is once a hazard exists, an accident is possible, but it’s not certain. You can imagine the sort of cartoon banana skin on the pavement gag. Well, the banana skin is the hazard. In the cartoon, the cartoon character always steps on the banana skin. They always fall over, for comic effect. But in the real world, nobody may tread on the banana skin and slip over. There could be nobody there to slip on the banana skin at all. Or even if somebody does, they could catch themselves. Or they fall, but it’s on a soft surface and they don’t hurt themselves so there’s no harm.

So, the accident isn’t certain. And in fact, we can have what we call ‘non-accident’ outcomes. We can have harmless consequences. A hazard is an important midway step. I heard it called an accident waiting to happen, which is a helpful definition. An accident waiting to happen, but it doesn’t mean that the accident is inevitable.


But the accident can happen. Again, the ‘accident’, ‘mishap’, or ‘unintended event’. Something we did not want or a sequence of events that causes harm. And in this case, we’re talking about harm to people. And as I say, it might be a security breach. It might be a financial loss. It might be reputational damage. Something might happen that is very embarrassing for an organisation or an individual. Or again, we could have a hiccup with our project.


But in this case, we’re talking about harm. In this kind of standard, we’re using what you might call a body count approach to the harm. We’re talking about actual death, physical injury, or damage to the health of people. This standard also considers the damage to property and the environment. Now, very often we are legally required to protect people and the environment from harm. Property less so. But there will be financial implications of losses of property or damage to the systems. We don’t want that. But it’s not always criminally illegal to do that. Whereas usually, hurting people and damaging the environment is. So, this is ‘harm’. We do not want this thing to happen. We do not want this impact. Safety is a much tougher business in this instance. If we have a problem with our project, it’s embarrassing but we could recover it. It’s more difficult to do that when we hurt somebody.


And always in these terms, we’re talking about ‘risk’. What is ‘risk’? Risk is a combination of two things. It’s a combination of the likelihood of harm or loss and the severity of that harm or loss. It’s those two things together. And we’ve got a very simple illustration here, a little table. And they’re often known as a risk matrix, but don’t worry about that too much. Whatever you want to call it. We’ve got a little two by two table here and we’ve got likelihood in the white text and severity in the black. We can imagine where there’s a risk where we have a low likelihood of a ‘low harm’ or a ‘low impact’ accident or outcome. We say, ‘That’s unlikely to happen and even if it does not much is going to happen.’ It’s going to be a very small impact. So, we’d say that that’s a low risk.

Then at the other end of the spectrum, we can imagine something that has a high likelihood of happening. And that event also has a high impact. Things that happen that we definitely do not want to happen. And we say, ‘That’s a high risk and that’s something that we are very, very concerned about.’

And then in the middle, we could have a combination of an outcome that is quite likely, but it’s of low severity. Or it’s of high severity, but it’s unlikely to happen. And we say, ‘That’s a medium risk’.

Now, this is a very simplified matrix for teaching purposes only. In the real world, you will see matrices that are four by four, or five by five, or even six by six, or combinations thereof. And in security, where they talk about threat, vulnerability, and the outcomes, you might see multiple matrices used. They use multiple matrices to progressively build up a picture of the risk. They use matrices as building blocks. So, it may not be only one matrix used in a more complex thing you’ve got to model. But here we’ve got a nice, simple example. This illustrates what risk is. It’s a combination of severity and likelihood of harm or loss. And that’s what risk is, fundamentally. And if we have a firm grasp of these fundamentals, it’ll help us to reason and deal with almost anything. With enough application.
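To show how the pieces above fit together (the likelihood-and-severity estimate, the three tolerability bands, and the evaluate-then-reduce loop that works down the hierarchy of controls), here is an added example in Python. It is not code from the Safety Artisan or from any standard: the 1..4 scales, the score thresholds, the combustion-engine hazard and every control’s effect and ‘reasonably practicable’ flag are constructed for the illustration, and it generalises the page’s 2x2 matrix to a 4x4 one.

```python
"""Risk estimation, evaluation and reduction as one loop.

Added illustration for this page, not code from the Safety Artisan or from any
standard. The 1..4 scales, the tolerability thresholds, the hazard and every
control's effect are constructed for the example.
"""
from dataclasses import dataclass, field
from enum import IntEnum


class Likelihood(IntEnum):
    REMOTE = 1
    UNLIKELY = 2
    LIKELY = 3
    FREQUENT = 4


class Severity(IntEnum):
    NEGLIGIBLE = 1
    MINOR = 2
    MAJOR = 3
    CATASTROPHIC = 4


def risk_score(likelihood: Likelihood, severity: Severity) -> int:
    """Risk estimation: risk is the combination of likelihood and severity
    (here simply their product, giving a 1..16 score)."""
    return int(likelihood) * int(severity)


# Constructed tolerability bands on the 1..16 score: the 'traffic light'.
BROADLY_ACCEPTABLE_MAX = 3
TOLERABLE_MAX = 8


def tolerability(score: int) -> str:
    """Risk evaluation: compare the estimated risk against the bands."""
    if score <= BROADLY_ACCEPTABLE_MAX:
        return "broadly acceptable"
    if score <= TOLERABLE_MAX:
        return "tolerable"
    return "unacceptable"


@dataclass(frozen=True)
class Control:
    name: str
    tier: int                    # hierarchy of controls: 1 elimination ... 6 PPE
    likelihood_delta: int = 0    # steps on the likelihood scale (negative is safer)
    severity_delta: int = 0      # steps on the severity scale (negative is safer)
    reasonably_practicable: bool = True   # the assessors' judgement, recorded here


@dataclass
class Risk:
    hazard: str
    likelihood: Likelihood
    severity: Severity
    controls_applied: list = field(default_factory=list)

    def score(self) -> int:
        return risk_score(self.likelihood, self.severity)


def apply_control(risk: Risk, control: Control) -> Risk:
    """Re-estimate the risk with a control in place, clamped to the scales."""
    lik = max(1, min(4, int(risk.likelihood) + control.likelihood_delta))
    sev = max(1, min(4, int(risk.severity) + control.severity_delta))
    return Risk(risk.hazard, Likelihood(lik), Severity(sev),
                risk.controls_applied + [control.name])


def reduce_risk(risk: Risk, candidates: list) -> tuple:
    """The coupled evaluate-reduce loop: work down the hierarchy of controls,
    most effective first, re-evaluating after each one, until the risk is
    broadly acceptable or no reasonably practicable control is left.
    Returns (final risk, accepted) where accepted means 'not unacceptable'."""
    for control in sorted(candidates, key=lambda c: c.tier):
        if tolerability(risk.score()) == "broadly acceptable":
            break                                   # in the target region; stop
        if not control.reasonably_practicable:
            continue                                # ruled out by the assessors
        reduced = apply_control(risk, control)
        if reduced.score() < risk.score():          # only keep controls that help
            risk = reduced
    return risk, tolerability(risk.score()) != "unacceptable"


def combustion_engine_example() -> tuple:
    """The page's combustion-engine hazard with constructed numbers."""
    risk = Risk("carbon monoxide from a combustion engine in an occupied space",
                Likelihood.LIKELY, Severity.CATASTROPHIC)   # score 12: unacceptable
    candidates = [
        Control("Elimination: no engine at all", 1, reasonably_practicable=False),
        Control("Substitution: electric motor and battery", 2, -2, -1,
                reasonably_practicable=False),
        Control("Isolation: engine and exhaust sited away from people", 3, -1),
        Control("Engineering control: CO detector with interlock", 4, -1),
        Control("Administrative control: ventilation procedure", 5, 0),
        Control("PPE: respirator for anyone entering", 6, 0, -1,
                reasonably_practicable=False),
    ]
    return reduce_risk(risk, candidates)


if __name__ == "__main__":
    final, accepted = combustion_engine_example()
    print(final.score(), tolerability(final.score()), accepted)
    for name in final.controls_applied:
        print(" -", name)
```

Running it, the risk starts at 12 (unacceptable), isolation takes it to 8 (tolerable) and the engineering control to 4. The administrative control changes nothing on these constructed numbers, so it is not recorded, and the remaining controls were judged not reasonably practicable. The end state is the ‘tolerable’ band with every reasonably practicable reduction applied, which is the ALARP-style argument the text describes for accepting a risk that is not broadly acceptable.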

Accident Sequence

Now, let’s move on and talk about accident sequences. We’re talking about a progression in this case. We’re imagining a left-to-right path. A progression of events that results in an accident. This diagram, which looks like a bow tie, is meant to represent the idea that we can have one hazard. There might be many causes that lead to this hazard. There might be many different things that could create the hazard or initiate the hazard. And the hazard may have many different consequences.

As I’ve said before, nothing at all may happen. That might be the consequence of the hazard. Most of the time that’s what’s going to happen. But there may be a variety of consequences. Somebody might get a minor injury or there might be a more serious accident where one or more people are killed. A good example of this is fire. So, the hazard is the fire. The causes might be various. We could be dealing with flammable chemicals, or a lightning strike, or an electricity arc flash. Or we could be dealing with very high temperatures where things spontaneously burst into flames. Or we could have a chemical in the presence of pure oxygen. Some things will spontaneously burst into flames in the presence of pure oxygen. So there are a variety of causes that lead to the fire.

And the fire might be very small and burn itself out. It causes very little damage and nobody gets hurt. Or it might lead to a much bigger fire that, in theory, could kill lots of people. So, there’s a huge range of consequences potentially from one hazard. But the accident sequence is how we would describe and capture this progression. From initiating events to the hazard to the possible consequences. And by modelling the accident sequence, of course, we can think about how we could interrupt it.

Part 3

We’ve broken risk management down into those six constituent parts. We’ve gone to the next level, in that we’ve sort of gone down to the concepts that underpin these things. These hazards, the accidents, and the accident sequence. We’ve talked about risk itself and what we don’t want to happen. The harm, the loss, the financial loss, the embarrassment, the failed, late, or over-budget project, a security breach, the undesired event, etc. We had an objective which was to do something safely or to complete a project and the risk is that that won’t happen. That there’ll be an impact on what we were trying to do that is negative. That is undesirable.

There are only a few more concepts that we need to look at to complete the pattern, as you can see. We’ve been talking about the system. And we’ve been talking about doing things systematically. And then a system works in an operating environment. So, let’s unpack that.


First of all, we have a system. The system is going to be a combination of things. I wouldn’t call a pen or a pencil a system. It’s only got a couple of components. You could pull it apart. But it’s too simple to be worth calling it a system. We wouldn’t call it a pen system, would we? So, a system is something more complex. It’s a combination of things and we need to define the boundary. I’ll come back to that.

But within this boundary, we’ve got some different elements in the system that work together. Or they’re used together within a defined operating environment. So, we’re going to expose this system to a range of conditions which it is usually designed to work in. The intention is the system is going to do whatever it does to perform a given task. It can do one defined task or achieve a specific purpose. I talked before about getting in our car. A car is complex enough to be called a system. We get in our car and we drive it on the roads. Or if we’ve got a four-wheel drive, we can drive off-road. Or we can use it in a more demanding operating environment to achieve a specific purpose. We want to transport ourselves, and sometimes some stuff, from A to B. That’s what we’re trying to do with the system.

And within that system, we may have personnel/people, we may have procedures. A bunch of rules about how you drive a car legally in different countries. We’ve got materials and physical things – what the car is made of. We could have tools to repair it or change wheels. We’ve got some other equipment, like a satnav. We’ve got facilities. We need to take a car somewhere to fill up with fuel or to recharge it. We’ve got services like garages, repairs, servicing, etc. And there could be some software in there as well. Of course, these days in the car, there’s software everywhere in most complex devices.

So, our system is a combination of lots of different things. These things are working together to achieve some kind of goal or some kind of result. There’s somewhere we want to get to. And it’s designed to work in a particular operating environment. Cars work on roads really well. Off-road cars can work on tracks. Put them in deep water, they tend not to work so well. So, let’s talk about that operating environment.

Operating Environment

What we’ve got here is the total set of all external, natural, and induced conditions. (That’s external to the system, so outside the boundary.) So, these conditions might be natural, or they might be induced by something else, and the system is exposed to them at any given moment. And we need to get a good understanding of the system, the operating environment, and what we want it to do.

If we have a good understanding of those three things, then we will be well on the way to being able to understand the risks associated with that system. That’s one of the key things with risk management. If you’ve got those three things, that’s crucial. You will not be able to do effective risk management if you don’t have a grasp of those things. And if you do have a thorough grasp of those things, it’s going to help you do effective risk management.


So, we’ve talked about risk management. We’ve broken it down into some big sections. Those six sections: hazard identification, hazard analysis, risk estimation, evaluation, reduction, and acceptance. We’ve seen how those things depend on only a few concepts. We’ve got the concepts of ‘hazards’, ‘risks’, and ‘accidents’. As well as the undesirable consequences that the risk might result in. And the risk is measured based on the likelihood and severity of that harm or that loss occurring.

And when we’re dealing with a more complex system, we need to understand that system and the environment in which it operates. And of course, we’ve put it in that environment for a purpose. And that unpacking has allowed us to break down quite a big concept, risk management. A lot of people, like myself, spend years and years learning how to do this. It takes time to gain experience because it’s a complex thing. But if we break it down, we can understand what we’re doing. We can work our way down the fundamentals. And then if we’ve got a good grasp of the fundamentals, that supports getting the more complex stuff right. So, that’s what risk management is all about. That’s your risk management 101 and I hope that you find that helpful.

Copyright Statement

I just need to say briefly that I can use those quotations from the standard under a Creative Commons licence, CC 4.0. That allows me to do that within limits that I am careful to observe. But this video presentation is copyright the Safety Artisan.

For More…

And you can see more like these at the Safety Artisan website. That’s And as you can see, it’s a secure site so you can visit without fear of a security breach. So, do head over there. Subscribe to the monthly newsletter to get discounts on paid videos and regular updates of what’s coming up, both paid and free.

So, it just remains for me to say thanks very much for watching and I look forward to catching up with you again very soon.

End of Risk Management 101

This session can also be found at along with more advanced courses like this one. For more introductory sessions on this site start here.

Safety Analysis Start Here

SSRAP Module 1 – Hazard and Risk Basics

Learn Hazard and Risk basics with The Safety Artisan.

So what is this risk analysis stuff all about? What is ‘risk’? How do you define or describe it? How do you measure it?

In this free session, I explain the basic terms and show how they link together, and how we can break them down to perform risk analysis. I understand risk and that allows me to explain it in simple terms. I’ve used all my 20+ years in the business to help me unpack the jargon and focus on what’s really important.  

You Will Learn to:

  • Describe fundamental risk concepts.

Recap: Risk Basics

Topics: Hazard and Risk Basics

  • Risk & Mishap;
  • Probability & Severity;
  • Hazard & Causal Factor;
  • Mishap (accident) sequence; and
  • Hazards: Tests & Example

Transcript: Hazard and Risk Basics

Let’s get started with Module One. We’re going to recap on some Risk basics to make sure that we have a common understanding of risk. And that’s important because risk analysis is something that we do every day. Every time you cross the road. Every time you buy something expensive. Every time you decide whether you’re going to travel to something, or look it up online, instead. You’re making risk analysis decisions all the time without even realizing it. But we need something a little bit more formal than the instinctive thinking about risk that we do all the time. And to help us do that, we need a couple of definitions to get us started.

What is Risk?

First of all, what is Risk? It’s a combination of two things. First, the severity of a mishap or accident. Second, the probability that that mishap will occur. So it’s a combination of severity and probability. We will see that illustrated in the next slide.

We’ll begin by talking about ‘mishap’. Well, what is a mishap? A mishap is an event – or a series of events -resulting in unintentional harm. This harm could be death, injury, occupational illness, damage to or loss of equipment or property, or damage to the environment.

The particular standard we’re looking at today is covering a range of different harms. That’s why we’re focused on safety. And the term ‘mishap’ will also include negative environmental impacts from planned events. So, even if the cause is a deliberate event, we will include that as a mishap.

Probability and Severity

I said that the definition of risk was a combination of probability and severity. Here we’ve got a little illustration of that.

Probability is: how likely is this thing to go wrong? How likely is this thing to happen?

And severity is: how significant is this event? This can vary in seriousness. From death to injury, illness, property damage or equipment loss, damage to the environment, or monetary loss.

And to be honest, we can apply or define risk any way we want. It doesn’t have to be a Safety Risk. We could be thinking about Financial Risk, Reputational Risk, whatever it might be. But what you see there with the little matrix is we measure risk. And whether we say the risk is high, medium or low, or whatever scheme we use. A combination of high severity and high likelihood is going to result in high risk. At the opposite end of the scale, the low probability that a low impact event is going to happen, we would call a low risk.

That’s what we mean by this combination of probability and severity. We put them together and we can measure risk in, to be honest, whatever way we choose to do so. This is a very simple example.

Safety Risks: Hazards

In safety, we have another concept. One that gives us a much finer degree of control over how we’re thinking about risk. We have this concept of hazards. As it says, a hazard is a real or potential condition that could lead to a mishap. It’s not the mishap, it’s a sort of an intermediate stage, as we will see. And the mishap can result in death, injury, property damage, damage to the environment.

Then there’s also this thing called causal factors, or causes. It might be one or several mechanisms that could trigger the hazard. Or they could lead to the hazard, which in turn can lead to a mishap. So the causal factor or the cause can trigger the hazard and then the hazard can lead to the mishap.

(Mishap) Accident Sequence

Here we have an illustration of an accident sequence or a mishap sequence if you prefer. Let’s not get hung up on terminology. So, we may have many causal factors on the left-hand side of this bow tie diagram. Any one of these factors may lead to a particular hazard. A single hazard we’re looking at here. And then that hazard may lead to a range of different consequences.

Not all these consequences are going to be bad. Not all the consequences are going to result in a mishap. There may be lots of consequences where there is no mishap, no accident, no harm whatsoever. There’s going to be a range of possible consequences. What I would like you to take away from this diagram is one thought. That thought is ‘Yes, we can have causes leading to a hazard’ – this sort of pinch point in the middle. And from that hazard a number of consequences can arise.

Now that thought is important. It’s a very powerful concept because it helps us to reason about accident sequences. Also, it helps us to do some much more sophisticated work than would otherwise be possible.

Tests for a Hazard

There are three tests, that I know of, for a hazard. The first two are saying the same thing in different ways. We can think of a hazard as being both necessary and enough for harm to occur. We need the hazard to be present before harm can occur, and the hazard is enough for harm to occur. In other words, once the hazard is present, nothing else unusual needs to happen for harm to occur. Once the hazard is there, nothing else needs to go wrong for somebody to get hurt. Normal events can lead to a mishap once the hazard is present. Another helpful way of thinking about it is ‘a hazard is an accident waiting to happen’.

Then the third on this list, we can think of a hazard as the point at which we lose control of something. It might be an energy source that we lose control of. It might be something toxic. It might be a physical piece of equipment that we’ve lost control of or a vehicle. It might be a substance. Whatever it might be, we’ve lost control and now somebody could get hurt.

So, those are some tests for a hazard and some different ways of thinking about hazards.

Example of a Hazard

But I always think it’s helpful to have an example. Let’s imagine we’ve got a causal factor. We’ve got some oil that is leaking from its container.

And we can imagine the hazard. The oil has got onto a walkway. Or pavement or a sidewalk or whatever you want to call it. It gets on to an area that human beings would walk on, as the name implies. That’s normal. So once the oil is on the walkway, nothing else unusual needs to happen for there to be an accident. But it doesn’t make the accident inevitable. Because if nobody comes along, there can be no accident. Or somebody comes along, but they see the oil, step over it, and avoid it. Or even better, they warn other people about it and clear it up – but that’s another story. So the accident, the mishap, is not inevitable.

One of the combinations that is possible is that we get a mishap. A person comes along, doesn’t see the oil, steps on it, slips, and hurts themselves. All these things have to happen in a sequence in this accident sequence for the mishap to occur. For people to get hurt. So there we have a little summary of those risk concepts that we need to get a hold of.
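The bow-tie idea from the Accident Sequence section (many causes, one hazard, many consequences, most of them harmless) and this oil-on-the-walkway example are the same structure, so here is one added example in Python that models it. It is not code from the Safety Artisan or from any standard: the causes, the consequence list, the ‘drip tray’ prevention barrier and the ‘clear it up’ mitigation barrier are constructed for the illustration. The useful output is the list of mishap sequences that no barrier interrupts, which is where risk reduction is still needed.

```python
"""A bow-tie model of an accident (mishap) sequence.

Added illustration for this page, not code from the Safety Artisan or from any
standard. The causes, consequences and barriers are constructed around the
page's oil-on-the-walkway example.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Consequence:
    description: str
    is_mishap: bool          # True if harm results; False for a harmless outcome


@dataclass(frozen=True)
class Barrier:
    """A control that interrupts one link of the sequence: either
    (cause, hazard) on the left of the bow tie, or
    (hazard, consequence description) on the right."""
    name: str
    link: tuple


@dataclass
class BowTie:
    hazard: str
    causes: list
    consequences: list
    barriers: list = field(default_factory=list)

    def sequences(self) -> list:
        """Every left-to-right path: (cause, hazard, consequence)."""
        return [(c, self.hazard, k) for c in self.causes for k in self.consequences]

    def is_interrupted(self, cause: str, consequence: Consequence) -> bool:
        left = (cause, self.hazard)
        right = (self.hazard, consequence.description)
        return any(b.link in (left, right) for b in self.barriers)

    def uncontrolled_mishaps(self) -> list:
        """Mishap sequences no barrier interrupts: where reduction is still needed."""
        return [(c, h, k.description) for c, h, k in self.sequences()
                if k.is_mishap and not self.is_interrupted(c, k)]

    def harmless_outcomes(self) -> int:
        """Paths that end without a mishap: the hazard made harm possible, not certain."""
        return sum(1 for _, _, k in self.sequences() if not k.is_mishap)


# Constructed labels for the page's example.
LEAK = "oil leaks from its container"
SPILL = "oil spilt while refilling"
HAZARD = "oil on the walkway"
SLIP = "person slips on the oil and is injured"


def oil_on_walkway(with_cleanup: bool = False) -> BowTie:
    """The page's oil-on-the-walkway hazard as a bow tie (constructed data)."""
    bow_tie = BowTie(
        hazard=HAZARD,
        causes=[LEAK, SPILL],
        consequences=[
            Consequence("nobody comes along", is_mishap=False),
            Consequence("person sees the oil and steps over it", is_mishap=False),
            Consequence(SLIP, is_mishap=True),
        ],
        # prevention barrier on the left-hand side: stops one cause reaching the hazard
        barriers=[Barrier("drip tray under the container", (LEAK, HAZARD))],
    )
    if with_cleanup:   # mitigation barrier on the right-hand side of the bow tie
        bow_tie.barriers.append(Barrier("spill reported and cleared up", (HAZARD, SLIP)))
    return bow_tie


if __name__ == "__main__":
    for bt in (oil_on_walkway(), oil_on_walkway(with_cleanup=True)):
        print(len(bt.sequences()), "sequences,", bt.harmless_outcomes(), "harmless,",
              "uncontrolled mishaps:", bt.uncontrolled_mishaps())
```

With only the drip tray in place, the refilling spill still has an uninterrupted path to the injury, so that sequence is reported; adding the clear-up barrier on the right-hand side covers both causes at once, which is why a barrier placed at the hazard is often worth more than one placed at a single cause.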

Summary of Module

We’ve covered risk and mishap, probability and severity, hazards, and causal factors. We’ve looked at the mishap or accident sequence, looked at hazards, and at some tests for what makes up a hazard. Including how we tell where the hazard is in the sequence, between cause and consequence. We looked at an example of this in the module.

From this module, we have a common understanding of risk. This will form the foundation for everything that we’re going to do with risk from now on.

This is Module 1 of SSRAP

This is Module 1 from the System Safety Risk Assessment Program (SSRAP) Course. Risk Analysis Programs – Design a System Safety Program for any system in any application. You can access the full course here.

You can find more introductory lessons at Start Here.

Start Here Work Health and Safety

Introduction to WHS Codes of Practice

In this 30-minute session, we introduce Australian WHS Codes of Practice (CoP). We cover: what they are and how to use them; their limitations; a list of (Federal) codes; further commentary; and where to get more information. This session is a useful prerequisite to all the other sessions on CoP.

Codes of Practice: Topics

  • What they are and how to use them;
  • Limitations;
  • List of CoP (Federal);
  • Further commentary; and
  • Where to get more information.

Codes of Practice: Transcript

Hello and welcome to the Safety Artisan, where you will find professional, pragmatic, and impartial teaching and resources on all things safety. I’m Simon and today is the 16th of August 2020. Welcome to the show.


So, today we’re going to be talking about Codes of Practice. In fact, we’re going to be introducing Codes of Practice and the whole concept of what they are and what they do.

Topics for this Session

What we’re going to cover is what Codes of Practice are and how to use them – several slides on that; a brief word on their limitations; a list of federal codes of practice – and I’ll explain why I’m emphasizing it’s the list of federal ones; some further commentary and where to get more information. So, all useful stuff I hope.

CoP are Guidance

So, Codes of Practice come in the work, health and safety hierarchy below the act and regulations. So, at the top you’ve got the WHS Act, then you’ve got the WHS regulations, which the act calls up. And then you’ve got the Codes of Practice, which the act also calls up. We’ll see that in a moment. And what Codes of Practice do is provide practical guidance on how to achieve the standards of work, health and safety required under the WHS act and regulations, and some effective ways to identify and manage risks. So, they’re guidance but as we’ll see in a moment, they’re much more than guidance. So, as I said, the Codes of Practice are called up by the act and they’re approved and signed off by the relevant minister. So, they are a legislative instrument.

Now, a quick footnote. These words, by the way, are in the introduction to every Code of Practice. There’s a little note here that says we’re required to consider all risks associated with work, not just for those risks that have associated codes of practice. So, we can’t hide behind that. We’ve got to think about everything. There are codes of practice for several things, but not everything. Not by a long way.

…Guidance We Should Follow

Now, there are three reasons why Codes of Practice are a bit more than just guidance. So, first of all, they are admissible in court proceedings. Secondly, they are evidence of what is known about a hazard, risk, risk assessment, risk control. And thirdly, courts may rely, or regulators may rely, on Codes of Practice to determine what is reasonably practicable in the circumstances to which the code applies. So, what’s the significance of that?

So first of all, the issue about being admissible. If you’re unfortunate enough to go to court and be accused of failing under WHS law, then you will be able to appeal to a Code of Practice in your defence and say, “I complied with the Code of Practice”. They are admissible in court proceedings. However, beyond that, all bets are off. It’s the court that decides what is an admissible defence, and that means lawyers decide, not engineers. Now, given that you’re in court and the incident has already happened, a lot of the engineering stuff that we do about predicting the probability of things is no longer relevant. The accident has happened. Somebody has got hurt. All these probability arguments are dust in the wake of the accident. So, Codes of Practice are a reliable defence.

Secondly, the bit about evidence of what is known is significant, because when we’re talking about what is reasonably practicable, the definition of reasonably practicable in Section 18 of the WHS act talks about what is reasonable or what should have been known when people were anticipating the risk and managing it. Now, given that Codes of Practice were published back in 2012, there’s no excuse for not having read them. So, they’re pre-existing, they’re clearly relevant, and the law has said that they’re admissible in court. We should have read them, and we should have acted upon them. And there’ll be no wriggling out of that. So, if we haven’t done something that a CoP guided us to do, we’re going to look very vulnerable in court. Or in whatever court of judgment we’re up against, whether it be public opinion or trial by media or whatever it is.

And thirdly, some CoP can be used to help determine what is SFARP. So in some circumstances, if you’re dealing with a risk that’s described in a CoP, that CoP is applicable. Then if you followed everything in the CoP, then you might be able to claim that just doing that means that you’ve managed the risk SFARP. Why is that important? Because the only way we are legally allowed to expose people to risk is if we have eliminated or minimized that risk so far as is reasonably practicable, SFARP. That is the key test, the acid test, of “Have we met our risk management obligations?” And CoP are useful, maybe crucial, in two different ways for determining what is SFARP. So yes, they’re guidance but it’s guidance that we ignore at our peril.

Standards & Good Practice

So, moving on. Codes of Practice recognize, and I reemphasize this is in the introduction to every code of practice, they’re not the only way of doing things. There isn’t a CoP for everything under the sun. So, codes recognize that you can achieve compliance with WHS obligations by using another method as long as it provides an equivalent or higher standard of work, health and safety than the code. It’s important to recognize that Codes of Practice are basic. They apply to every business and undertaking in Australia potentially. So, if you’re doing something more sophisticated, then probably CoP on their own are not enough. They’re not good enough.

And in my day job as a consultant, that’s the kind of stuff we do. We do planes, trains and automobiles. We do ships and submarines. We do nuclear. We do infrastructure. We do all kinds of complex stuff for which there are standards and recognized good practice which go way beyond the requirements of basic Codes of Practice. And many I would say, probably most, technical and industry safety standards and practices are more demanding than Codes of Practice. So, if you’re following an industry or technical standard that says “Here’s a risk management process”, then it’s likely that that will be far more detailed than the requirements that are in Codes of Practice.

And just a little note to say that for those of us who love numbers and quantitative safety analysis, what this statement about equivalent or higher standards of health and safety is talking about is this: we want requirements that are more demanding and more rigorous or more detailed than CoP. Not that the end result in the predicted probability of something happening is better than what you would get with CoP, because nobody knows what you would get with CoP. That calculation hasn’t been done. So, don’t go down the rabbit hole of thinking “I’ve got to quantitatively demonstrate that what we’re doing is better than CoP.” You haven’t. It’s all about demonstrating the input requirements are more demanding rather than the output, because that’s never been done for CoP. So, you’ve got no benchmark to measure against in output terms.

The primacy of WHS & Regulations

A quick point to note that Codes of Practice are only guidance. They do refer to the relevant WHS act and regulations, the hard obligations, and we should not be relying solely on codes in place of what it says in the WHS Act or the regulations. So, we need to remember that codes are not a substitute for the act or the regs. Rather they are a useful introduction. The WHS Act and regulations are actually surprisingly clear and easy to read. But even so, there are 600 regulations. There are hundreds of sections of the WHS act. It’s a big read and not all of it is going to be relevant to every business, by a long way. So, if you see a CoP that clearly applies to something that you’re doing, start with the CoP. It will lead you into the relevant parts of the WHS act and regulations. If you don’t know them, have a read around the parts you’ve been given the pointer to in the CoP; follow it up.

But also, CoP do represent a minimum level of knowledge that you should have. Again, start with CoP, don’t stop with them. So, go on a bit. Look at the authoritative information in the act and the regs and then see if there’s anything else that you need to do or need to consider. The CoP will get you started.

And then finally, it’s a reference for determining SFARP. You won’t see anything other than the definition of reasonably practicable in the Act. You won’t see any practical guidance in the Act or the regulations on how to achieve SFARP. Whereas a CoP does give you a narrative that you can follow and understand and maybe even paraphrase if you need to in some safety documentation. So, they are useful for that. There’s also guidance on reasonably practicable, but we’ll come to that at the end.

Detailed Requirements

It’s worth mentioning that there are some detailed requirements in codes. Now, when I did this, I think I was looking at the risk management Code of Practice, which we’ll go through later in another session. But in this example, there are this many requirements. So, every CoP has the statement “The words ‘must’, ‘requires’, or ‘mandatory’ indicate a legal requirement exists that must be complied with.” So, if you see ‘must’, ‘requires’, or ‘mandatory’, you’ve got to do it. And in this example CoP that I was looking at, there are 35 ‘must’s, 39 ‘required’ or ‘requirement’ – that kind of wording – and three instances of ‘mandatory’. Now, bear in mind that the sentence that introduces those things contains two instances of ‘must’, one of ‘requires’ and one of ‘mandatory’. So, straight away you can ignore those four instances. But clearly, there are lots of instances here of ‘must’ and ‘require’ and a couple of ‘mandatory’.

Then we’ve got this: the word ‘should’ is used in this code to indicate a recommended course of action, while ‘may’ is used to indicate an optional course of action. So, the way I would suggest interpreting that – and this is just my personal opinion, I have never seen any good guidance on this – if it says ‘recommended’, then personally I would do it unless I can justify that there’s a good reason for not doing it. And if it said ‘optional’, then I would consider it. But I might discard it if I felt it wasn’t helpful or I felt there was a better way to do it. So, that would be my personal interpretation of how to approach those words. So, ‘recommended’ – do it unless you can justify not doing it. ‘Optional’ – consider it, but you don’t have to do it.

And in this particular one, we’ve got 43 instances of ‘should’ and 82 of ‘may’. So, there’s a lot of detailed information in each CoP to consider. So, read them carefully and comply with them where you have to, and that will repay you. So, the positive way to look at it: CoP are there to help you. They’re there to make life easy for you. Read them, follow them. The negative way to look at them is, “I don’t need to do all that it says in the CoP because it’s only guidance”. You can have that attitude if you want. If you’re in the dock or in the witness box in court, that’s not going to be a good look. Let’s move on.

Limitations of CoP

So, I’ve talked CoP up quite a lot; as you can tell, I’m a fan because I like anything that helps us do the job, but they do have limitations. I’ve said before that there’s a limited number of them and they’re pretty basic. First of all, it’s worth noting that there are two really generic Codes of Practice. First of all, there’s the one on risk management. And then secondly, there’s the one on communication, consultation and cooperation. And I’ll be doing sessions on both of those. Now, those apply to pretty much everything we do in the safety world. So, it’s essential that you read them no matter what you’re doing and comply with them where you have to.

Then there are other codes of practice that apply to specific activities or hazards, and some of them are very, very specific, like getting rid of asbestos, or welding, or spray painting – or whatever it might be – shot blasting. Those have clearly got a very narrow focus. So, you will know if you’re doing that stuff. So, if you are doing welding, clearly you need to read the welding CoP. If welding isn’t part of your business or undertaking, you can forget it.

However, overall, there are fewer than 25 Codes of Practice. I can’t be more precise for reasons that we will come to in a moment. So, there’s a relatively small number of CoP and they don’t cover complex things. They’re not going to help you design a super-duper widget or some software or anything like that. It’s not going to help you do anything complicated. Also, Codes of Practice tend to focus on the workplace, which is understandable. They’re not much help when it comes to design trade-offs. They’re great for the sort of foundational stuff. Yes, we have to do all of this stuff regardless. When you get to questions of “How much is enough?” – sometimes in safety, we say, “How much margin do I need?” “How many layers of protection do I need?” “Have I done enough?” – CoP aren’t going to be a lot of use helping you with that kind of determination. But you do need to have made sure you’ve done everything in the CoP first and then start thinking about those trade-offs, would be my advice. You’re less likely to go wrong that way. So, start with your firm basis of what you have to do to comply and then think “What else could I do?”

List of CoP (Federal) #1

Now for information, you’ve got three slides here where we’ve got a list of the Codes of Practice that apply at the federal or Commonwealth level of government in Australia. So, at the top, highlighted, I’ve already mentioned the ‘how to manage WHS risks’ and the ‘consultation, cooperation, and coordination’ codes. Then we get into stuff like abrasive blasting, confined spaces, construction and demolition and excavation, first aid. So, quite a range of stuff covered.

List of CoP (Federal) #2

Hazardous manual tasks – so basically human beings carrying and moving stuff. Managing and controlling asbestos, and removing it. Then we’ve got a couple on hazardous chemicals on this page, electrical risks, managing noise, preventing hearing loss, and stevedoring. There you go. So, if you’re into stevedoring, then this CoP is for you. The highlighted ones we’re going to cover in later sessions.

List of CoP (Federal) #3

Then we’ve got managing the risk of Plant in the workplace. There was going to be a Code of Practice for the design of Plant, but that never saw the light of day, so we’ve only got guidance on that. We’ve got falls, work environment and facilities. We’ve got another one on safety data sheets for hazardous chemicals, preventing falls in housing – I guess because that’s a very common accident – safe design of structures, spray painting and powder coating, and welding processes. So, that’s the list of – I think it’s 24 – Codes of Practice that are applied by Comcare, the federal regulator.

Commentary #1

Now, I’m being explicit about which regulator and which set of CoP, because they vary around Australia. Basically, the background was that the model Codes of Practice were developed by Safe Work Australia, which is a national body. But those model Codes of Practice do not apply of themselves. Safe Work Australia is not a regulator. Codes of Practice are implemented or enforced by the federal government and by most states and territories. And it says ‘with variations’ for a reason. Not all states and territories impose all codes of practice. For example, I live in South Australia and if you go and look at the WorkSafe South Australia website or Safe Work – whatever it’s called – you will see that there are a couple of CoP that for some reason we don’t enforce in South Australia. Why? I do not know. But you do need to think about these things depending on where you’re operating.

It’s also worth saying that WHS is not implemented in every state in Australia. Western Australia currently have plans to implement WHS, but as of 2020 I don’t believe they’ve done so yet. Hopefully, it’s coming soon. And Victoria, for some unknown reason, have decided they’re just not going to play ball with everybody else. They’ve got no plans to implement WHS that I can find online. They’re still using their old OHS legislation. It’s not a universal picture in Australia, thanks to our rather silly version of government that we have here in Australia – forget I said that. So, if it’s a Commonwealth workplace, we apply the federal version of WHS and Codes of Practice. Otherwise, we use state or territory versions, and you need to see the local regulator’s web page to find out what is applied where. And the definition of a Commonwealth workplace is in the WHS Act, but also go and have a look at the Comcare website to see who Comcare police. Because there are some nationalised industries that count as a Commonwealth workplace and it can get a bit messy.

So, sometimes you may have to ask for advice from the regulator but go and see what they say. Don’t rely on what consultants say or what you’ve heard on the grapevine. Go and see what the regulator actually says and make sure it’s the right regulator for where you’re operating.

Commentary #2

What’s to come? I’m going to do a session on the Risk Management Code of Practice, and, associated with that, I’m also going to do a session on the guidance on what is reasonably practicable. Now that’s guidance, it’s not a Code of Practice. But again, it’s been published so we need to be aware of it, and it’s also very simple and very helpful. I would strongly recommend looking at that guidance if you’re struggling with SFARP and what it means; it’s very good. I’ll be talking about that soon. Also, I’m going to do a session on tolerability of risk, because you remember when I said “CoP aren’t much good for helping you do trade-offs in design” and that kind of thing. They’re really only good for simple stuff and compliance. Well, what you need to understand to deal with the more sophisticated problems is the concept of tolerability of risk. That’ll help us do those things. So, I’m going to do a session on that.

I’m also going to do a session on consultation, cooperation, and coordination, because, as I said before, that’s universally applicable. If we’re doing anything at a workplace, or with stuff that’s going to a workplace, then we need to be aware of what’s in that code. And then I’m also going to do sessions on plant, structures and substances (or hazardous chemicals) because those are the absolute bread and butter of the WHS Act. If you look at the duties of designers, manufacturers, importers, suppliers, and installers, et cetera, you will find requirements on plant, substances and structures all the way through those clauses in the WHS Act. Those three things are key, so we’re going to be talking about that.

Now, I mentioned before that there was going to be a Code of Practice on plant design, but it never made it. It’s just guidance. So, we’ll have a look at that if we can as well – copyright permitting. And then I want to look at electrical risks because I think the electrical risks code is very useful. Both for electrical risks, but it’s also a useful teaching vehicle for designers and manufacturers to understand their obligations, especially if you operate abroad, or if you’re importing stuff, and you want to know, “Well, how do I know that my kit can be safely used in Australia?” So, if your piece of kit won’t support the things that the electrical risks CoP requires in the workplace, then it’s going to be difficult for your customers to comply. So, probably there’s a hint there that if you want to sell your stuff successfully, here’s what you need to be aware of. And that applies not just to electrical; I think it’s a good vehicle for understanding how CoP can help us with our upstream obligations, even though CoP apply to a workplace. That session will really be about the imaginative use of Codes of Practice in order to help designers and manufacturers, etc.

And then I also want to talk about the noise Code of Practice, because noise brings in the concept of exposure standards. Now, generally, Codes of Practice don’t quote many standards. They’re certainly not mandatory, but noise is one of those areas where you have to have standards to say, “this is how we’re going to measure the noise”. This is the exposure standard. So, you’re not allowed to expose people to more than this. That brings in some very important concepts about health monitoring and exposure to certain things. Again, it’ll be useful if you’re managing noise, but I think that session will be useful to anybody who wants to understand how exposure standards work and the requirements for monitoring exposure of workers to certain things. Not just noise, but chemicals as well. We will be covering a lot of that in the session(s) on HAZCHEM.

Copyright & Attribution

I just want to mention that everything in quotes/in italics is downloaded from the Federal Register of Legislation, and I’ve gone to the federal legislation because I’m allowed to reproduce it under the licence under which it’s published. So, the middle paragraph there – I’m required to point out that I sourced it from the Federal Register of Legislation website on that date. And for the latest information, you should always go to the website to double-check that the version that you’re looking at is still in force and is still relevant. And then for more information on the terms of the licence, you can go and see my page at the because I go through everything that’s required and you can check for yourself in detail.

For More…

Also, on the website, there are a lot more lessons and resources, some of them free, some of them you have to pay to access, but they’re all there at Also, there’s the Safety Artisan page at where you will see the paid videos. And also, I’ve got a channel on YouTube where the free videos are all there. So, please go to the Safety Artisan channel on YouTube and subscribe and you will automatically get a notification when a new free video pops up.


And that brings me to the end of the presentation, so thanks very much for listening. I’m just going to stop sharing that now. It just remains for me to say thank you very much for tuning in and I look forward to sharing some more useful information on Codes of Practice with you in the next session in about a month’s time. Cheers now, everybody. Goodbye.

There’s more!

You can find the Model WHS Codes of Practice here.