14 Risk assessment process: context, criteria, and assumptions
14.1 Chapter overview
Cross reference to ISO31000 (2009) clause 5.3, ISO31000 (2018) clause 6.3 and Annex SL clause 4.1.
Check for key readings, webinars, and videos for complementary resources.
Definitions of italicised terms are in the Glossary.
Relevant law
- Health and Safety at Work Act 2015
Key questions
What is or will be the impact of artificial intelligence on the business?
If risk is the “effect of uncertainty on objectives”:
- what are the objectives of the organisation, activity, system, or item?
- how does the context influence the objectives?
- how widely should the scope of the assessment be set?
- what uncertainties could affect achievement of those objectives?
Useful management techniques
Engagement, communication, and consultation process (see section 21.3.9)
More techniques are identified in section 14.1.2 below.
14.1.1 Introduction
If we don’t know and understand the context of a business or undertaking, it will be difficult to make decisions about and manage uncertainty. Identify assumptions and understand the context in which decisions are made.
The context of an organisation consists of the:
- internal context – the “internal environment in which the organisation seeks to achieve its objectives and can include:
  - governance, organisational structure, roles, and accountabilities
  - policies, objectives, and the strategies that are in place to achieve them
  - the capabilities, understood in terms of resources and knowledge (eg, capital, time, people, processes, and technologies)
  - information systems, information flows and decision-making processes (both formal and informal)
  - relationships with, and the perceptions and values of, internal stakeholders
  - the organisation’s culture
  - standards, guidelines, and models adopted by the organisation, and
  - form and extent of contractual relationships”.
- external context – the “external environment in which the organisation seeks to achieve its objectives” and can include:
  - the Political, Economic and financial, Social and cultural, Technological, Legal and regulatory, and natural and competitive Environment, whether international, national, regional, or local [adapted to align with PESTLE]
  - “key drivers and trends having impact on the objectives of the organisation; and
  - relationships with, and perceptions and values of, external stakeholders”.
14.1.2 Discovering the work environment and objectives
A well-researched description of the environment of an organisation helps with decisions about risk and may also identify some risks. Simple techniques to help such work include:
- literature or document review to better understand, for example, contractual obligations, the history of the activity, business plans, etc (section 21.3.22)
- PESTLE (Political, Economic, Social, Technological, Legal and Environmental) analysis to help understand the external context (section 21.3.27), perhaps supported by:
  - Porter’s Five Forces to help understand the competitive environment (section 21.3.28)
- SWOT (Strengths, Weaknesses, Opportunities and Threats) analysis to help understand the internal context (section 21.3.39), perhaps supported by:
  - Porter’s Value Chain analysis to understand how the organisation works (section 21.3.29)
- mind mapping to discover and show complex relationships (section 21.3.23)
- causal mapping to discover more complex relationships.
Often (but not always) a process map developed in a workshop will help understand how things link together and may show gaps in knowledge that need to be filled.
The following diagram shows how these might be linked together and includes VUCA (Bennett & Lemoine, 2014a; Bird, 2018), another way of thinking about the context of a PCBU.

14.2 Risk criteria and appetite
See clause 6.3.4, ISO31000 (2018). Risk appetite and risk criteria are similar concepts, although some people argue there is no such thing as risk appetite – we should only use risk criteria – while others argue that understanding the appetite is paramount.
Risk criteria
Risk criteria are (ISO31073, 2022) the “terms of reference by which the significance of risk is assessed.
Note 1: Risk criteria are based on organisation objectives, and external and internal context.
Note 2: Risk criteria can be derived from standards, laws, policies, and other requirements.”
Substituting the definition of risk, the definition becomes: the “terms of reference by which the significance of the effects of uncertainty on objectives is assessed”.
Examples of risk criteria might be:
- reject an activity/plant/substance if people could suffer harm
- do not allow employees to clean windows above ground level, hire a contractor who will use a mobile elevating work platform
- do not sell clothing made in an offshore factory that lacks an acceptable “fire safety certificate”.
In plain English, for OHS professionals, criteria help us to answer the question “How safe is safe enough?” (Fischhoff et al., 1978; Manuele, 2010). This should be linked with the interpretation of reasonably practicable in section 18.2.1.
Criteria are used to decide if the effects of uncertainty on objectives are acceptable “as is”. Criteria are developed as part of understanding the context and can be based on (Hoegberg, 1998):
- organisation values, objectives, and resources
- legislation or other requirements.
Risk criteria are developed as part of understanding the context of an organisation. However, boards, directors and top management may sometimes be unwilling to define criteria for fear of judgement in hindsight (“you were willing to accept X level of harm to people” or “you were willing to accept a loss of Z”). This may stem from a misunderstanding: uncertainty is always in the future, and very few people have foresight (if they did, they would be very rich, and nothing would ever go wrong). Criteria help us judge, before the event, whether something might be acceptable.
Risk appetite
Risk appetite is (ISO31073, 2022) the “amount and type of risk [effect of uncertainty on objectives] an organisation is willing to pursue or retain”. It is therefore what the organisation is or is not in business to do at the current stage of its development. Risk criteria may help inform decision makers about the level of uncertainty in an activity.
Appetite for uncertainty may change because of a conscious decision (eg, outsource product installation work; hire better-qualified workers).
Developing risk criteria and appetite
The process starts with the development of a context statement and criteria for what is or is not acceptable. In a construction company it may be anticipated that heavy objects will fall on the feet of workers; this may be acceptable provided the workers have appropriate footwear. Failure to wear such footwear shall result in exclusion from the site.
This is followed by a preliminary risk assessment that enables reporting of a risk profile to stakeholders and decision makers. This also helps ensure business objectives have been clearly stated and are aligned with what the organisation does. The decision makers can then develop and state their criteria and appetite as part of the overall management framework. The appetite and criteria should be reviewed periodically and as part of any proposed changes to organisation strategy or its management framework.
When developing a criteria and appetite statement, some key issues are:
- the culture of the country (Chauvin & Chassang, 2021; Hammerich & Lewis, 2013), sector, organisation and units within a large organisation, and any potential conflicts between different units within the organisation
- the status of the organisation in the market (whether a new entrant or the incumbent; any barriers to entry or exit; status of the market)
- the timing of uncertainty in relation to size and resources of the organisation
- the clarity of the findings of the assessment that informs the appetite question (ie, are the nature and level of uncertainty clearly stated?).
Failure to think about issues such as these may result in unpleasant discoveries or missed opportunities.
Delegated risk authorities
The risk owner (ISO31073, 2022) is the “person or entity with the accountability and authority to manage a risk [effect of uncertainty on objectives]”. This requires that the person has been given that accountability and authority. An example of such authorities is shown in Table 15.
Table 15. Delegated risk authorities

14.3 Chapter summary
This short chapter has covered some key issues that must be addressed when establishing the scope of an assessment activity, the organisational objectives, and understanding the context of an organisation or activity.
14.4 References used in this chapter
Bennett, N., & Lemoine, G. J. (2014a). What a difference a word makes: Understanding threats to performance in a VUCA world. Business Horizons, 57(3), 311-317. https://doi.org/10.1016/j.bushor.2014.01.001
Bird, R. (2018). VUCA [Working Paper SSRN-id3117932]. University of Connecticut School of Business, https://ssrn.com/abstract=3117932
Chauvin, B., & Chassang, I. (2021). Cultural Orientation and Risk Perception: Development of a Scale Operating in a French Context. Risk Analysis. https://doi.org/10.1111/risa.13859
Fischhoff, B., Slovic, P., Lichtenstein, S., et al. (1978). How Safe Is Safe Enough? A Psychometric Study of Attitudes Towards Technological Risks and Benefits. Policy Sciences, 9(2), 127-152. http://www.jstor.org/stable/4531720
Hammerich, K., & Lewis, R. (2013). Fish can’t see water: How national culture can make or break your corporate strategy. John Wiley & Sons.
Hoegberg, L. (1998). Risk perception, safety goals and regulatory decision-making. Reliability Engineering and System Safety, 59, 135-139.
ISO31000: 2018 Risk management – Guidelines, International Standards Organization, Geneva.
ISO31073: 2022 Risk management – Vocabulary, International Standards Organization, Geneva.
Manuele, F. A. (2010). Acceptable Risk. Professional Safety, 55(5), 30-38.