What is EHS Risk Management in 2023?
EHS risk management is a way to identify potential safety and environmental hazards and minimize their impact on your company. In this guide, we’ll look at some of the challenges organizations face when it comes to risk management, and the tools available to help you meet those challenges.
EHS Risk Management
Risk has always been a part of doing business.
However, many of the risks organizations face today — such as cyberattacks, resource scarcity, and natural disasters due to climate change — didn’t exist or were barely acknowledged a few decades ago.
The risks organizations face today have changed and so have the tools used to identify and manage those risks. Keeping a log of risks in a spreadsheet is no longer the best way to get ahead of potential issues.
That’s why we created this EHS risk management guide.
Table of Contents:
What is EHS risk management?
Why is EHS risk management important?
What are the types of EHS risk?
What is EHS risk assessment?
What is the 5-step risk assessment procedure?
What is a risk register?
What is risk management software?
Next steps & additional resources
(If you’re looking for information about Lisam’s risk management software, visit our risk management software page.)
What is EHS Risk Management?
EHS risk management is a way to identify potential safety and environmental hazards and minimize their impact on your company.
For example, let’s say you run a company that manufactures aircraft parts. There’s a lot riding on your ability to deliver those parts to your customers on time and on budget.
But there’s also a lot that can go wrong — from equipment malfunctions, to employee injuries, to forced shutdowns due to natural disasters — and even a small setback can seriously impact your operations.
EHS risk management offers a way to predict and prepare for these situations before they cause harm to people, property, or processes.
Why is EHS Risk Management Important?
In the past, organizations have focused mainly on EHS compliance — following EPA and OSHA rules, keeping up with regulatory changes, and addressing enforcement.
Unfortunately, even companies with a perfect compliance track record still experience accidents and injuries. That’s because regulations only define the minimum safety and environmental standards your organization must meet.
What’s more, regulatory uncertainty, high stakeholder demands, and the growing challenges posed by a changing climate have created a demand for a different approach — one that focuses on risk management instead of regulatory compliance.
Today, 78% of EHS leaders name “risk management” as a top factor in ensuring EHS success.
What are the Types of EHS Risk?
Most of the time when we’re talking about EHS risk management, we think of safety risks. You’re probably familiar with job hazard assessment (JHA), which is one way of identifying safety risks related to a specific task or activity.
But safety is only one facet of EHS risk. EHS risk management encompasses many different types of risk across your enterprise. Often, these risks span many departments (finance, HR, operations) and activities — which is what makes managing these risks so challenging.
Here are a few common types of EHS risk:
Compliance risk: Potential exposure to fines, legal penalties, and losses when a company fails to comply with laws and regulations
Example: A company receives a serious OSHA violation for failing to use proper fall protection.
Safety risk: A potential source of injury, death, or adverse health consequences
Example: An extension cord lying across a walkway poses a trip hazard.
Environmental risk: A potential source of negative impacts on the environment or living organisms from a company’s emissions, waste, and resource usage
Example: Improperly stored hazardous chemicals can lead to a chemical spill
Climate risk: Potential hazards from climate-related events, trends, forecasts and projections.
Example: A drought raises the price of water needed for production.
Management of change risk: The risk of injury or accident resulting from inadequately planned changes in process chemicals, equipment, facilities, etc.
Example: An explosion occurs when employees aren’t properly trained on new operating procedures
Now, let’s look at the tools your organization can use to identify and reduce these risks — starting with risk assessments.
What is EHS Risk Assessment?
An EHS risk assessment is a formal process to identify potential environmental, health and safety hazards related to your organization’s operations. Conducting an EHS risk assessment can help you determine which risks pose the greatest threat to your operations, and identify controls to reduce the level of risk.
You should conduct a risk assessment any time a hazard is identified, or there’s a change to your operations that could introduce new risks.
Since there are so many different types of EHS risk, EHS risk assessments can vary widely in scope. Here are a few well-known types of risk assessment:
- Environmental risk assessment
- Climate risk assessment
Next, let’s look at the steps to conduct an effective EHS risk assessment.
3. Evaluate & Prioritize
Next, you’ll need to determine the level of risk related to each hazard you’ve identified. Some risks — like the risk of a chemical explosion — are very severe but very unlikely to occur. Other risks may have less potential for harm, but be more likely to occur.
It doesn’t always make sense to implement controls for every single risk you’ve identified — nor would it be feasible to do so. Instead, you’ll need to focus your efforts on those risks that are most severe and most likely to occur.
One way to determine which risks are most serious and therefore need controls is by using risk scoring. Risk scoring is the process of assigning a numerical value to a risk depending on its severity and the likelihood that it will occur. Scoring gives you an objective way to compare and prioritize risks across your organization. Here’s an example of a risk scoring matrix:
4. Implement Controls
Once you’ve determined which risks pose the greatest threat, you will need to decide what should be done to eliminate or reduce the risk.
Controls include measures like policies, procedures, training, tools or personal protective equipment that help manage risk. For example, a lockout/tagout procedure can help control the risk of injuries when equipment is undergoing maintenance.
It’s important that your control measures are specific. Vague, generic statements like “be aware” or “use PPE” are commonly seen on risk assessments and do nothing to make the work environment safer.
What is a Risk Register?
A risk register, also known as a risk registry or risk matrix, is a central record of all the risks you’ve identified across your organization.
Risk registers use a standardized scoring system to rank enterprise risks across thousands of observations.
The benefit of being able to quantify risks in this way is that you don’t have to take a “putting out fires” approach. You know which risks are most likely to occur and most significant, and can address them appropriately.
A risk register can be housed in a document, spreadsheet, or database — but the best way to keep track of an EHS risk register is inside risk management software.
Here’s an example of what a risk registry looks like in Perillon:
What is Risk Management Software?
Risk management software brings all of your risk data and activities together in one place, in order to create a clear picture of your company’s liabilities and opportunities.
Until very recently, EHS risk management was mostly a pencil-and-paper process. A handful of employees (usually supervisors or EHS leaders) would perform risk assessments to identify hazards like unguarded parts in machinery and improperly stored chemicals.
After the risk assessment, they would manually enter that data into spreadsheets. Often, there were different spreadsheets for different facilities or departments.
From there, the data in these spreadsheets had to be compiled into reports by hand — a process that could take weeks or months.
This resulted in a fragmented, outdated picture of the company’s risk profile. And there was no easy way to measure whether or not mitigation plans were actually working to reduce the company’s risks.
Here’s what a typical risk management process used to look like:
Compare that to this view of a modern risk management process that uses risk management software to connect data collection, analysis, reporting, and decision-making via a centralized platform:
In this new model, high volumes of risk information are captured digitally, at the source. The data is entered directly into a central database, where the software performs calculations like risk scoring and triggers tasks or actions based on that information. And because the information is no longer siloed, management is able to see the whole picture and make timely, informed decisions.