environmental

Introduction to EHS Risks, Part Three: Understanding and Managing Risk Controls

Welcome to the third installment of our blog series “Introduction to EHS Risks,” in which we’ll talk about the importance of selecting and managing good risk controls. In case you missed our previous posts in this series, take a little time to check out our first installment for an overview of EHS risks, and our second installment for an introduction to using a risk matrix to prioritize your workplace risks.

Now, let’s talk about risk controls, and why better management of your controls is so crucial to your job as an EHS professional.

A Review of Risk

First, it might help to review the basic concept of what risk is, so we’re prepared to understand how controls work.

In our first post in this series, we introduced the idea that, according to the international occupational health & safety (OH &S) standard ISO 45001, “risk is often expressed as a combination of the consequences of an event and its associated likelihood.” This is a common way of talking about risk, broadly applicable to any situation where occupational risks exist.

This leads to the conclusion that a good way to assign a rating for a specific risk is to multiply the probability of an event occurring by the severity of impact if it occurs. We can estimate each of these using our own incident records and analysis, exposure monitoring results (when appropriate and available), published industry data, or engineering estimates.

Introduction to Risk Controls

A risk control is a method you use to reduce the overall amount of risk.

Of course, controls work in different ways. If a control works on the front end of risk, by reducing the probability that an accident will occur, it’s a preventive control. If the control works on the back end, by reducing the potential impacts if the event occurs anyway, then it’s a mitigative control. Another kind of control that works on the back end is a detective control, which alerts us that an undesired event has happened.

Let’s look at a specific example to see how preventive, mitigative and detective controls work.

Suppose we have an aboveground storage tank (AST) of an organic solvent. This type of chemical tends to build up vapor, or volatilize, at room temperature or higher, and the rate can significantly increase if the tank is stored outside in climates where higher temperatures can be reached. Should the integrity of the tank fail and result in a release, it could potentially impact air, water and land. Symptoms of short-term, or acute exposure would typically include nausea and dizziness, although you’d need to consult the specific SDS for the chemical. But the point here is just to sketch out the main safety concerns for this scenario in broad strokes, so we can better understand our choices in controls.

Our first priority should always be to make sure we have good preventive controls, to keep tank failure from happening. A common preventive control for ASTs is a “breather valve,” or pressure relief valve. This is a safety device that prevents over pressurization and reduces potential for vapor pressure inside the tank to cause a release.

Preventive controls won’t always stop a release from happening, though, which is why we also need mitigative controls to reduce the impact. Mitigative controls can be structural features, such as a berm (a kind of raised barrier) around the tank or a concrete basin to contain at least some of the contents in the event of a spill. Other mitigative controls may be systems or procedures, such as an emergency response program, which might include evacuation plans to get as many employees as possible quickly out of harm’s way.

Of course, our response plans depend on knowing that there’s something to respond to. That’s where detective controls come in. As the name implies, these are controls that “detect” that something undesirable has happened. A good example of this might be an alarm system that senses when a release of solvent vapor occurs. That lets us know that we might now need to deploy some of our mitigative controls, such as our emergency plans.

Reviewing this example, we see that all of these different controls work together to reduce the overall level of risk, like layers of protection. In fact, a type of risk analysis called layers of protection analysis (LOPA) is just a more formal way of making this point. Because LOPA models a succession of control layers that let smaller and smaller amounts of risk through the “holes” in the control, sometimes it’s called the “Swiss cheese model,” as shown below.

Understanding the Hierarchy of Controls

An important part of our job is to select the controls that will do the most to reduce the level of risk. But which controls best accomplish that? Is there a way of categorizing and ranking controls that helps us determine where to focus our efforts?

EHS professionals have long recognized that not all controls are created equal. Back in the 1940s, the National Safety Council (NSC) researched the main causes of serious workplace accidents. One of the outcomes of that research was the publication, in 1950, of the “hierarchy of controls” model. The hierarchy is often depicted in the form of pyramid, as shown in the image below.

The visual organization of the pyramid quickly gets the key ideas across. In this version, there are four categories of controls, ranked in order of increasing effectiveness from bottom to top. Let’s review what the takeaways of the hierarchy of controls would be for a common scenario: exposure to a hazardous chemical in the workplace.

The most effective controls, found at the top of the pyramid, are elimination or substitution, because those actually make the source of risks go away. In our chemical exposure example, this would mean removing the hazardous chemical from the workplace, either by eliminating the need for a chemical, or by finding a substitute product that does not have the hazards of the original product. Either way, we’ve removed the hazard and eliminated the risks.

The next most effective category consists of engineering controls. Engineering controls include physical modifications to the workplace, or operation of systems that reduce the level of exposure. Let’s think about how this can work in our chemical exposure example. We can design a chemical storage room operated under negative pressure, so that negligible amounts of chemical vapors escape the room and create exposure risks for employees working in the vicinity. Another option might be to install a local exhaust system near points of use of the chemical, so most vapors are pulled away from the breathing zone of the employee, and typically absorbed into replaceable collection media. In either case, the hazardous chemical is still in the workplace – we’ve just done something to reduce how much of it becomes an exposure risk through inhalation.

Moving a little lower in effectiveness, we have administrative controls. These are changes we make to how work is done or how work shifts are organized. One way to think about this, using the chemical exposure example, is that we’re not keeping the chemical away from our workers, but instead, we’re keeping our workers away from the chemical. A common strategy is work shift rotation, which means that we arrange our shifts so that no employee spends too much time in an area with high potential for chemical exposure.

At the very bottom of the hierarchy of controls, we have personal protective equipment (PPE). There are different kinds of PPE to protect against different kinds of hazards, and choosing the right PPE is called selection. But therein lies part of the problem – we can make mistakes in PPE selection, and if we do, the PPE won’t be effective, and the employee will be exposed to the hazards we’re trying to protect them against.

For our chemical exposure example, we’d need to make sure we’re choosing rubber gloves that are rated to be an effective barrier against the type of chemicals our workers will be using. The wrong kind of material can actually react with the chemical, compounding potential for injury to the employee. If we’ve determined that our employees need respirators, we also need to select those  that are appropriate for vapor exposures, rather than respirators to protect against dust and particulate matter. And even a correctly selected respirator will only remain effective if the employee is properly trained to use it, and they follow proper maintenance guidelines, like changing the filter cartridge with the recommended frequency. These considerations show us why PPE is the least effective form of control and should only be used as a last resort after using the higher-ranked controls in the hierarchy, to reduce remaining risks to acceptable levels.

As we can see, the hierarchy of controls provides a simple framework that we can apply to choosing controls for any kind of risk. The hierarchy pyramid has gained considerable currency and recognition throughout the safety profession precisely because of this universal applicability, as well as for the simple reason that it works.

The Importance of Verifying Controls

We shouldn’t forget that we need to not just choose and implement our controls, but also confirm that all of our controls are installed as planned and working effectively. This process is called controls verification.

Verifying our controls involves scheduling inspections to verify that controls are in place, documenting the inspection results, and instigating corrective actions when needed. Just as importantly, we need visibility of the verification status of all of our controls, so there’s no ambiguity about whether they’re in place and doing their job.

Modern Operational Risk software can greatly simplify the process of control verification and give you the capability to access all of your key data, like inspection records, in one place, and from anywhere. This is particularly useful if you have responsibility for multiple facilities.

Key Takeaways on Risk Controls


Let’s recap some of the key takeaways about risk controls:

  • We quantify risk as the product of the likelihood of an unplanned event occurring, and the potential severity of impact if it happens.
  • Risk controls can be preventive (if they reduce the probability of an accident), mitigative (if they reduce the impacts of the event happening), or detective (if they alert you that something happened).
  • The hierarchy of controls pyramid assigns controls into categories based on effectiveness. Elimination or substitution is always the most effective option, and use of PPE is the least effective, which is why we should only rely on PPE as a last resort to reduce residual risk to acceptable levels.
  • After we’ve chosen and installed our controls, we need to make sure they’re actually working as well as we thought they would. That process is called controls verification, and modern Operational Risk software can be a big help there.

Watch this space for future installments of this series, in which we’ll talk about the benefits of using risk bowtie analysis, and the way that better risk management acts as the glue that holds your whole safety management system together.

Looking for More Information?

Would you like to learn more about the causes of many accidents at chemical facilities, according to investigations by the Chemical Safety and Hazard Investigation Board (CSB)? Watch our on-demand webinar to learn valuable insights regarding the common failures that led to major accidents, and the implications for improving your own risk management practices.

If you can’t wait until our next installment and want to jump right into the deep end of learning about risk bowties, you can register for our 8-hour, 2-day training course:

Introduction to Bowtie Analysis Training Course

Also, be sure to follow us on LinkedIn to catch the latest updates about the worlds of EHS and ESG.

Let VelocityEHS Help!

VelocityEHS understands the challenges of risk management for EHS professionals in every industry. That’s why we offer Operational Risk software that helps organizations of all sizes in all industries manage their risks. We can simplify the process of identifying all risks from all sources, managing risk controls, and engaging your entire workforce in risk management, so you can build and sustain the relationships needed for success.

Ready to see more? Visit our Operational Risk page to request a demo with one of our solutions consultants today!

Operational Risk