Source: OHSAlert - Subscription Service (20.03.2026)
Discovering how work is really done and developing credible risk scenarios underpin effective risk assessments, a leader in investigations and risk management says. He warns that employers aren't getting the value out of risk assessments that they used to.
Speaking at the NSCA Foundation's National Safety Conference in Sydney yesterday, Investigations Differently director Mark Alston asked delegates a simple question: "What is risk?"
He said he has "asked a lot of safety professionals this question... I get answers like hazards, consequences... But how can you run a risk assessment if you don't know the definition of a risk?"
"Risk" is the effect of uncertainty, he explained. "It's what we're unsure about, it's what we don't know. That is risk."
Alston said he sees employers continuing to conduct risk assessments on hazards that are already known.
"We are so time poor in our industry, yet we keep doing the same thing time and time again. Really, we should be focusing risk management in a completely different direction," he said.
He suggested some steps safety professionals can take to improve risk systems, including focusing on the things they "don't know".
The first step Alston encouraged the safety professionals at the conference to take is to focus on the unknown risks workers are facing, and in order to do that, to learn what they don't already know.
"Risk comes from discovering the normal work, the everyday work, and how it happens," he said.
The context and conditions of work, and how it makes sense for workers to perform tasks every day, are crucial to such an understanding, "because no one carries a procedure in their back pocket".
"When do people read procedures? When they start, and when something goes wrong. There are so many other things that influence how work is done in the day-to-day operations.
"There's production pressure in every organisation... Every single organisation has that pressure – goal conflicts, trade-offs, the equipment they have, the tools they have, the time they have, the people they have, the experience they have."
Even generational changes should be considered, Alston said, as the introduction of a new generation into the workforce that has different values about work-life balance will mean those workers are driven by new pressures.
"This is where risk lies, because this is how people are influenced to do the work and how they make decisions. Discover this, because where it intersects with risk, that's what we want to know.
"Ask: why does it make sense for workers to do it the way they do it? That's what we should be discovering in our risk assessments."
Turning to how safety professionals should develop and map risk scenarios, Alston noted "we can't risk-assess every single level of impact".
"The convention we talk about is the credible worst-case scenario... So what are we talking about? The worst thing that could reasonably happen."
What that means is really considering whether a risk scenario is credible, plausible, and reasonable, according to Alston.
He told the conference a credible risk scenario has four key ingredients.
"For it to be a risk, it must have a hazard, and it must have a target. We know that. There must be an interaction between the two, we also know that.
"But there must also be a consequence. Without a consequence, there is no risk."
Alston said he has seen thousands of employers develop a risk matrix that has no consequences from hazard-target interactions. He stressed this isn't a valid risk matrix.
"Don't just say 'damage', put a price on it. Don't just say 'environment', say how much environmental damage. Is it 5,000 litres, is it two days of remediation?
"For any credible risk you must be able to demonstrate those four ingredients".
For the next stage of a risk assessment, Alston urged delegates to have an honest conversation about the effectiveness of the controls used for risk management.
"This is our obligation, to eliminate or minimise risk so far as is reasonably practicable.
"It is fairly straightforward, but do you hold the mirror up to your controls for effectiveness? Do they actually work? Can you prove it? This is what it all comes down to and this is where the rubber hits the road," he said.
Safety professionals should ensure risk controls are both available and reliable, as Alston noted it "doesn't matter what is put on paper", but whether or not that control is effective.
Honesty is crucial to understanding whether an employer's controls legitimately reduce risk, and "if you can't be honest, you aren't getting anywhere".
Alston's final risk management tip involves safety professionals looking beyond tools like spreadsheets.
"There is nothing worse than when a safety practitioner walks into a room, hooks up their laptop, puts up a spreadsheet and goes through it cell by cell, column by column, and calls it a risk assessment," he said.
That isn't a risk assessment, it's "filling in a form".
"It absolutely stops innovation, it stops thinking, it stops communication, and we just end up with something that is cut-and-paste."
Instead, safety professionals should "ditch the tools", have conversations, and learn about what's going on, Alston suggested.
"When I do a risk assessment, I don't want a laptop. I just have whiteboards and flip charts ‐ it doesn't matter if it is risks of manual handling or the risks of diving," he said.
But when the tools drive the workshop instead, risk assessment is constrained, he warned.
Alston said that for a safety professional to know if all reasonably foreseeable risks have been identified, the risk assessment must involve communication and having these conversations with the workers themselves.
"We will only know that if we talk to the people who do the work, and we have their trust, and they are willing to tell the stories about things that we don't know that we don't know.
"That is what risk assessments should be about."