Session No. 640 Right-Sizing Your Risk Assessment Approach for Efficiency & Effectiveness Introduction Kevin Dix, M.S., GSP Consultant Aon Global Risk Consulting Chicago, IL Kevin Murray, M.S., CSP Lead Consultant Aon Global Risk Consulting Middlefield, CT Risk assessment is a fundamental building block of any robust safety management system. The authors have successfully designed, developed and implemented safety management systems, including various risk assessment methodologies, throughout their careers. Additionally, the authors have audited safety management systems, both as Health, Safety and Environmental (HSE) leaders of a manufacturing organization, as well as casualty risk control consultants for an insurance broker. This broad perspective has offered an opportunity to identify a number of lessons learned and best practices, which will be reviewed in this paper. Mr. Dix and Mr. Murray, have a combined HSE experience of over 25 years. They have also collaborated as colleagues for over half of their respective careers, which has allowed them to refine and continuously improve risk assessment strategies and tactics. These strategies and tactics have been successfully applied on a range of risk assessments, from task-based assessments to assessments on processes covered by the OSHA Process Safety Management (PSM) standard. Risk assessment is a broad topic, which spans numerous industries and disciplines. From financial institutions to the United States Military the wide-ranging and flexible nature of risk assessment makes it a great tool for identifying, assessing and remediating risk. Although risk assessment is a commonly used term, the definition and application of risk assessment methods can vary widely. Even in the HSE discipline the term risk assessment can mean different things and encompass a range of criteria. This paper will review some of the common risk assessment methodologies utilized by HSE professionals and introduce a process called OSCAR, which can help identify a right-sized risk assessment approach to fit your needs.
What Is Risk Assessment Why Is It Important? What is Risk Assessment? Almost all of us are familiar with the term risk assessment, but if asked, how many of us would be able to succinctly define it? Furthermore, how many of us would define it in the same terms? According to ANSI-ASSE Z690.2-2011, risk assessment is defined as the overall process of risk identification, risk analysis and risk evaluation 1. The standard further defines risk identification, as the process of finding, recognizing and describing risks ; risk analysis, as the process to comprehend the nature of risk and to determine the level of risk, and risk evaluation, as the process of comparing the results of risk analysis with risk criteria to determine whether the risk and/or its magnitude is acceptable or tolerable 2. The ASSE Risk Assessment Institute defines risk assessment, as a process that commences with hazard identification and analysis through which the severity of harm or damage is established, followed by an estimate of the probability of the incident severity or exposure occurring, an evaluation of controls, and concluding with a statement of risk 3. Traditionally risk assessment has tended to focus on managing negative outcomes or threats; however, organizations are increasingly developing an integrated approach to risk management in order to improve the management of potential opportunities 4. This broader definition of risk management, including risk assessment processes, provides an opportunity to further expand the application of sound risk assessment techniques. In its simplest terms, risk assessment can be defined as a process to identify and respond to uncertainty. Risk assessment is a practice we all utilize, whether it is formally documented or more spontaneous, it is inherent to human nature. On an individual basis we make risk-based decisions multiple times a day, whether it s investing money or driving a car. When we conduct this activity for an organization there are processes and methods that can be developed to formalize a consistent and objective approach. This paper will delve into these processes and methods. Why Is Risk Assessment Important? Risk assessment is a fundamental component of any management system, and is often considered the foundation of the entire structure. There is an old saying, You don t know, what you don t know and this holds true in risk management. How can you prioritize efforts and the application of resources to mitigate risk, if you don t have a good system to continuously identify and assess it? The answer is you can t. In addition to the fact that risk assessments are a critical component to any effective management system, there are plenty of other drivers for risk assessment, such as corporate policies, regulatory requirements, consensus standard recommendations and others. We discuss these drivers and their criteria later in this paper.
Right-Sizing Risk Assessment Using the OSCAR Model What Is the OSCAR Model? The O.S.C.A.R. (OSCAR) model is an acronym that outlines a framework that can be leveraged to help individuals or organizations define key risk assessment criteria. The OSCAR model is independent of the risk assessment methodology used to identify, assess and treat risk; however, the inputs gathered during the OSCAR process are intended to help develop the right risk assessment practices for your organization, a term we describe as Right-Sizing. The OSCAR acronym is defined below, and we will discuss each of these elements in more detail throughout this paper. OSCAR Objectives Scope Criteria Assessment Methods Resources It is very likely you are familiar with each of the above terms; however, the approach detailed in this paper has been developed to focus on evaluating the key principals necessary to help ensure a Right-Sized risk assessment approach. The OSCAR model can be applied at all levels of an organization, such as at its many areas, processes, functions, projects and tasks. The OSCAR framework is intended to be general so that it may be customized to fit application specific needs and help determine the risk assessment processes that can be employed to support organizational goals and objectives. Reviewing the five OSCAR elements prior to deploying a risk assessment model should aide in efficiently utilizing limited resources and help focus your risk assessment activities on delivering the best possible outcomes to achieve organizational objectives, such as risk reduction, loss minimization and injury prevention. Objectives Although we can debate the goal of risk assessment, it is likely our definitions will fall along similar lines, such as the identification, evaluation and elimination or control of hazards, which will result in a positive outcome. The Canadian Centre for Occupational Health and Safety similarly defines the goal of risk assessment, as the process to remove a hazard or reduce the level of its risk by adding precautions or control measures, as necessary, which creates a safer and healthier workplace 5. According to ANSI-ASSE Z690 All activities of an organization involve risk. Organizations manage risk by identifying it, analyzing it and then evaluating whether the risk should be modified by risk treatment in order to satisfy their risk criteria 6. Because organizations will tend to define the goal of risk assessment in a similar manner, we start by focusing on the objectives. In general, objectives are more specific and easier to measure than goals. Objectives are basic tools that underlie all strategic and tactical activities and can focus on different aspects, such as health and safety, financial, environmental, and reputation 7. Risk assessment objectives may be narrow or broad, and will likely be influenced by the organizational level at which risk management planning occurs. For instance, if risk assessment activities are occurring at an individual facility the objectives may differ than if risk
management planning is occurring at a corporate level. Additionally, risk assessment objectives can fluctuate based on a number of other factors, such as individual(s) level of process knowledge, subject matter expertise, professional experience, influence from key stakeholders, organizational structure, company culture, communication styles and effectiveness, etc. Although many inputs can influence the development of company specific risk assessment objectives, the below is a general list of factors that should be considered. Hazard identification Risk elimination, reduction or control Risk prioritization Risk quantification Stakeholder awareness and education Identification of at risk stakeholders and environments Evaluation of existing controls and process robustness Understand consequence of failures Ownership determination Regulatory compliance Once general risk assessment objectives have been identified it is important to develop detailed objectives using the SMART (Specific, Measurable, Achievable, Relevant, and Timebound) format. It is essential to remember that this is step one in the process and that as the OSCAR process is followed, risk assessment objectives may need to be updated as additional information is identified. Properly identifying risk assessment objectives and effectively executing the risk assessment strategy may result in the following. Improved compliance to internal and external requirements Best practice implementation Process maturity and robustness Increased accountability and ownership Enhanced training and education Reduced risk Increased protection of personnel, community and the environment Improved strategies and tactics Efficient resource allocation Development of leading measures Incident and loss reduction Improved mistake proofing Strengthened organization Risk assessment goals and objectives may seem straightforward; however, clearly defining goals and objectives with key stakeholders will help ensure alignment and improve the likelihood of achieving positive outcomes. Scope Developing the risk assessment scope is a critical step in the OSCAR process and is intended to help identify key internal and external parameters to be considered when establishing the risk assessment framework. The scope parameters identified in this step are high-level and should be
focused on identifying key decision making factors that will help direct future risk assessment activities, including criteria and resources. Because the OSCAR process is intended to be general to allow application at various levels of the organization, the parameters considered when defining the scope will be influenced by the desired level of focus. Some organizations may wish to use the OSCAR model to establish a risk assessment framework for processes or individual tasks, while other may wish to apply the technique at a higher level to develop a broader more comprehensive risk assessment process. A robust risk assessment process will evaluate risk across an enterprise; however, the level at which the risk assessment framework will be developed and applied can depend on a number of variables. Such variables can include organizational objectives, culture, or stakeholder involvement, as well as many other potential factors that can be unique to a specific industry, geographic area or political climate. Because organizations have the flexibility to establish a risk assessment process at various levels of an organization the below list represents elements that should be considered when working to establish a scope framework: Organizational risk tolerance Lifecycle stage Research & Development Scale up Design Construction Existing process Process change or modification Decommissioning Execution timeline and ownership Process or activity type Field versus location-based Continuous versus project-based Automated versus manual Routine versus non-routine Complex versus simple Static versus dynamic processes Level of uncertainty Combination of types Key Stakeholders Internal leadership, employees, etc. External shareholders, community, environment, etc. Assessment boundaries Level organization, division, campus, facility, process, task, machine, etc. Frequency of task, activity or process Focus area environmental, safety, financial, reputation and brand, etc. Data sources Process flow diagrams Incident and loss trends Failure rates Chemical inventory Toxicology studies
Monitoring data Other information on hazards and stressors Job descriptions Relevant historical information Requirements internal and external Company requirements Regulatory requirements Consensus standards Industry recognized best practices Information Technology New or existing technology platforms to help collect, evaluate and address information Resources availability Although we discuss this in a later step, it is still prudent to begin identifying potential human, financial, and data and technology resources that are available Criteria Criteria can be defined as a standard by which things or people may be compared and evaluated. Risk assessment criteria can be established or adopted via a number of different sources including, but not limited to: 1. Company specific policies, 2. Industry recognized best practices, 3. Regulatory requirements, and 4. Consensus Standards (i.e. Management Systems, Risk Management, Technical Standards such as for Machinery, Hazardous Energy, Prevention Through Design etc.) Company specific policies can vary widely based on a company s maturity, in terms of risk management practices and are typically developed using a mix of regulatory requirements, consensus standards and other best practices. We will focus on Regulatory and Consensus Standards as the two major considerations for criteria development within this paper. Regulatory Part of the reason that many companies struggle to implement a robust risk assessment process that is both effective and efficient is because there are very little regulations that dictate specifically what needs to be done. OSHA expects employers to examine workplace conditions to make sure they conform to applicable OSHA standards and eliminate recognized hazards, but does not offer much guidance beyond that. Many think that OSHA specifically requires employers to perform Job Hazard Analysis (JHA) on all of their work tasks and that is not accurate. Yes, OSHA released a JHA Publication back in 2002, but it only provided a suggested method to identify and assess hazards in the workplace. Can JHA be an effective tool? Sure. Is it the best tool for every application? It is likely not. Federal OSHA does, however, require certain types of assessments for specific exposures and programs. The below information is a summary of general information from the OSHA and EPA websites 8, 9. Personal Protective Equipment (PPE) Requires a Hazard Assessment to identify a need for
PPE and must be verified through a written certification including scope, requirements, assessor and date. Process Safety Management (PSM) For employers with PSM covered processes a detailed Process hazard analysis is required. The process hazard analysis methodology selected must be appropriate to the complexity of the process and must identify, evaluate, and control the hazards involved in the process. The employer must use one or more of the following methods, as appropriate, to determine and evaluate the hazards of the process being analyzed: o What-if, o Checklist, o What-if/checklist, o Hazard and operability study (HAZOP), o Failure mode and effects analysis (FMEA), o Fault tree analysis, or o An appropriate equivalent methodology. The hazard analysis must be updated and revalidated every five years or when changes to process occur, i.e. changes in chemicals, technology, equipment, procedures, or change to facilities that affect a covered process. Risk Management Program (RMP) The Environmental Protection Agency (EPA) RMP requires covered employers to submit a Risk Management Plan every five years. The Plan must include a hazard assessment that details the potential effects of an accidental release, including an accident history of the last five years, and an evaluation of worst-case and alternative accidental releases. Permit Required Confined Space (PRCS) The PRCS program requires applicable employers to identify and evaluate the hazards of permit spaces before employees enter them. This translates to employers performing documented PRCS assessments. NFPA 70e via OSHA General Duty Clause Though NFPA 70E has not been adopted by OSHA, NFPA 70E can be used as a reference or guide as to how to meet certain requirements within OSHA s Electrical Safety Standard. One of those areas is the performance of Arc Flash Analysis. Injury & Illness Prevention Programs (IIPP) - Though Federal OSHA only encourages employers to adopt Injury & Illness Prevention Programs (IIPP) that includes a hazard identification component, Cal OSHA, as well as other state programs, requires them. Cal OSHA s IIPP program requires employers to include procedures for identifying and evaluating work place hazards including scheduled periodic inspections to identify unsafe conditions and work practices. These Inspections are required at the onset of the IIPP program, when changes take place that introduce new safety and health hazards, or when the employer is made aware of new or previously unrecognized hazard. As you can see, this more stringent requirement still allows a great amount of flexibility and customization. Consensus Standards Consensus standards are a valuable tool to risk management and safety professionals, as they provide a great deal of framework and guidance to aid in the successful implementation of effective safety programs and management systems. Some standards allow for employers to
become certified by 3 rd party registrars (i.e. ISO & OHSAS Management Systems) while others are purely advisory in nature. Let s explore a couple of these that include risk assessment elements. ANSI Z690/ISO 31000 series is a Risk Management standard that provides principles and generic guidelines on risk management but is not intended for certification, regulatory or contractual use, which is possible with some OHSAS & ISO standards. It does not provide specific criteria for identifying risk nor does it specify the type of risk analysis method that is required for a particular application. It does, however, include some good considerations and guidance, such as: o The organization should apply risk identification tools and techniques that are suited to its objectives and capabilities, and to the risks faced. o ANSI/ASSE Z690.3 / ISO 31010 Risk Assessment Techniques provides detailed guidance in the following areas 10 : Risk assessment concepts Risk assessment process Selection of risk assessment techniques ISO 14001 Environmental Management System & OHSAS 18001 Occupational Health and Safety Management System are similar in that they were both developed to be compatible with the ISO 9001 Quality Standard in order to facilitate the integration of quality, environmental and occupational health and safety management systems by organizations. Both standards provide requirements for a management system that will enable an organization to control its risks and to improve its performance, which can become certified through the use of 3 rd party registrars. Neither state specific performance criteria, nor do they give detailed specifications for the design of a management system or their risk assessment components. Both of these standards can be implemented within the above ANSI/ASSE Z690/ISO 31000 Risk Management series as they do not conflict but rather complement each other. o ISO 14001 states 11 : The organization shall establish, implement and maintain a procedure(s) a) to identify the environmental aspects of its activities, products and services within the defined scope of the environmental management system that it can control and those that it can influence taking into account planned or new developments, or new or modified activities, products and services, and b) to determine those aspects that have or can have significant impact(s) on the environment (i.e. significant environmental aspects). o OHSAS 18001 states 12 : The organization shall establish, implement and maintain procedures for the ongoing hazard identification, risk assessment and determination of necessary controls The organization s methodology for hazard identification and risk assessment shall: Be defined with respect to its scope, nature and timing to ensure it is proactive rather than reactive; and Provide for the identification, prioritization and documentation
of risks, and the application of controls, as appropriate. ANSI Z10 is an Occupation Health & Safety Management System issued in 2012. Like the ISO 14001 and OHSAS 18001 management systems, Z10 is designed to facilitate organizational effectiveness using the elements of the Plan-Do-Check-Act (PDCA) model as a basis for continual improvement. The standard states the following 13 : o The organization shall establish and implement a risk assessment process appropriate to the nature of hazards and level of risk Assessing risks can be done using quantitative (numeric) and qualitative (descriptive) methods. o The method of assessment should be selected based on the type of issue, nature of risk, or operations. ISO 45001 OHS Management System is a standard still under development and expected to be released in late 2016. It is modeled after the ANSI Z10 standard and should look somewhat similar and have a similar expectation in terms of risk assessment. This standard could replace OHSAS 18001 but ANSI Z10 is still expected to be kept alive and would be revised following the release of the ISO 45001 standard. Assessment Methods Selecting a risk assessment methodology can be a difficult process, as multiple techniques will likely be a viable option. The goal of this process should be to select a method or multiple methods that meets the defined criteria, is suitable to the scope, and will help achieve objectives. Because the OSCAR technique can be applied at different levels of the organization, facility or process, it is important to remember that a single risk assessment model may not be sufficient for the different types of hazards present, or apply to the different levels risk will be assessed at. For instance, the technique used to assess individual tasks may be different than the method used to assess risk at a machine or process level. Some important aspects to consider when selecting a risk assessment method include the following: Is there an industry or regulatory recognized best in class method Does the complexity level of the risk assessment method match the complexity of the task, process or area being assessed Will the method help achieve desired objectives, align with scope and meet key criteria Can the technique be applied consistently Does the assessment method align with organizational resources Will the method produce usable and actionable results Methodology Overview Level of Focus Complexity Analysis Type Broad or Aggregate Hazard Analysis Focused on identifying high-level broad facility, area or system-level hazards. Can assist in prioritizing risk across a general area with multiple unknowns and include a High-level, broad or general level of focus Low - Medium Qualitative
Methodology Overview Level of Focus Complexity Analysis Type Checklist What-if Analysis Brainstorming HAZOP Hazard and Operability Study FMEA Failure Modes and Effects Analysis Fault Tree qualitative likelihood and consequence evaluation. Checklist based technique that identifies hazards based on predefined criteria. Checklists can be detailed or broad, depending on the available guidance and assessment level. The checklist usually necessitates a yes/no-type response for each criterion. A structured brainstorming analysis that focuses on uncertainly related to failures or upset conditions 14. Process usually includes a qualitative likelihood and consequence evaluation. A flexible approach aimed at collecting a broad set of ideas and evaluating and ranking such ideas based on potential significance 15. Formal method to systematically assess each aspect of a system or process for ways parameters can deviate from the intended design, function or process conditions to create hazards and operability problems 16. Guidewords, such as too much, too little, reverse; can be used to help identify failures. Process can include a qualitative or quantitative likelihood/probability and consequence evaluation. Methodical study of individual component failures. Assesses each component in the system or process being evaluated. Each system components is recorded in the assessment worksheet and individually evaluated, either qualitatively or quantitatively 17. Quantitative assessment of undesirable outcomes, such as a rupture, over pressurization, or explosion, as a result of an initiating event. This method applies a graphic illustration, using logic symbols, of all possible event sequences that could result in an incident. The developed diagram looks like a tree with many branches each branch listing the sequential events (failures) for different independent paths to the High-level or targeted, based on checklist level of detail High-level or targeted, based desired level of focus High-level or targeted, based desired level of focus Process, system or function - based focus Function or componentbased focus Scenario or event-based focus Low Low Low Medium - High Medium - High High Qualitative Qualitative Qualitative Qualitative/Quantitative Qualitative/Quantitative Quantitative
Methodology Overview Level of Focus Complexity Analysis Type PRA Process Risk Assessment JHA/JSA Job Hazard Analysis / Job Safety Analysis Monte Carlo Analysis top event. Probabilities (using failure rate data) are assigned to each event and then used to calculate the probability of occurrence of the undesired event 18. A process or system-based hazard identification technique. This method broadly focuses on system level hazards, as opposed to the JHA/JSA that focuses at the task or activity level. A job or task-based hazard identification technique. This method narrowly focuses on the worker, task, tool, and work environment relationship 19. Statistical simulation technique that evaluates numerous randomly selected what if scenarios for a number of inputs. When Monte Carlo simulation is applied to risk assessment, risk appears as a frequency distribution graph similar to the familiar bell-shaped curve, which non-statisticians can understand intuitively 20. Process or system-based focus Task or employeebased focus Targeted assessment Medium Medium High Qualitative Qualitative Quantitative Table 1: Comment Risk Assessment Methodologies. Primary source: ANSI/ASSE Z.690-3 21 The above table provides a general overview of some of the more common risk assessment techniques; however, there are other methods that can be considered. ANSI/ASSE Z.690.3, Risk Assessment Techniques, provides an excellent resource to review additional risk assessment methodologies, as well as further considerations related to the techniques listed above. Factors, such as inputs, process flow, outputs and strengths and limitations can be found in this standard. Other elements that should be considered during the Assessment Methods review process can include risk matrix development, defining likelihood and severity levels; information collection methods; identifying criteria to support the method selected; risk treatment planning, including ownership and closure tracking; etc. Once a method or methods have been selected the required resources to execute the risk assessment technique should be evaluated. During the resource evaluation element of the OSCAR model organizations should work to identify available internal and external support resources to help achieve desired results. Resources Resource identification can begin once the assessment method has been selected. It can be tempting to assess resources prior to selecting an assessment method and choose a method most
favorable to internal expertise and personnel; however, this can impact the potential effectiveness of the risk evaluation method selected. There are a number of factors to consider when identifying and evaluating available resources, such as: Financial Resources Internal budgets that can be used for risk assessment activities, such as development, training and execution Resources to mitigate or treat risks identified during assessment process External support personnel, software, standards, etc. Internal support resources, including hourly team members Data and Technology Resources Building piping and instrumentation diagrams Design overviews and schematics Historical risk assessments Technical information, such as consensus standard or other technical knowledge Information technology platforms Process information, such as process flow diagrams Original Equipment Manufacturer (OEM) specifications Incident and loss runs Preventive Maintenance (PM) systems, including documented failure rates Inventory management systems chemical inventory Monitoring data Relevant information on hazards and stressors Job descriptions Risk Matrices Data collection methods Risk treatment actions and closure Human Resources Internal and external technical expertise in both the risk assessment method(s) and process knowledge Training internal employees on the assessment method(s) Cross functional team participation including supervision and labor employees Role Facilitator/ Leader Safety & Health Lead Environmental Lead Operations / Supervision Lead Responsibilities Facilitates assessment technique and helps organize the team and approach, but may lack specific process knowledge on specific processes or hazards Knowledgeable on health and safety compliance, hazards and impacts, but may lack specific process knowledge Knowledgeable on environmental compliance, hazards and impacts, but may lack specific process knowledge Individual(s) familiar with overall operations, resource constraints, equipment conditions, personnel, and has specific knowledge on facility, processes, and hazards
Role Responsibilities Engineering / Individual(s) familiar with the design, operation, maintenance, and Maintenance functionality of the general or specific areas of focus, and has Lead specific knowledge on facility, processes, and hazards Operator/Labor Individual(s) knowledgeable in the general or specific areas of focus, and has specific knowledge on facility, processes, and hazards Table 2: Comment Risk Assessment Roles Resources are an important factor when considering the risk assessment method that will be deployed. During the resource identification step it may be determined that sufficient resources are not available to support the risk assessment method(s) selected. If this is the case it is important to go back to the risk assessment method selection step and reconsider alternative, yet equally suitable methods. For instance, a quantitative technique may have been selected during the method selection process; however, known or representative failure rates may not be available. In this instance a qualitative-type study, such as HAZOP, may be an equally effective alternative to use. Conclusion Throughout this paper we have attempted to simplify the complex process of establishing an effective and efficient risk assessment framework through the use of the OSCAR method. The OSCAR method is a flexible process to assist organizations in establishing a Right-Sized risk assessment approach that can be applied at various organizational levels. Whether your organization is large or small, simple or complex, location or field based; the OSCAR method can help any organization to consider the correct elements, and lead to the establishment of a risk assessment structure that meets organizational needs. Endnotes 1. American national Standards Institute (ANSI)/American Society of Safety Engineers (ASSE) (2011). Z690.2, Risk Management Principles and Guidelines National Adoption of ISO 31000:2009. Des Plaines, IL, U.S. p.12 2. ANSI/ASSE (2011). Z690.2 Risk Management Principles and Guidelines National Adoption of ISO 31000:2009. Des Plaines, IL, U.S. p.12-13 3. ASSE Risk Assessment Institute (n.d.) (retrieved March 3, 2015) (http://www.oshrisk.org/fundamentals/terminology.php). 4. ANSI/ASSE (2011). Z690.1 Vocabulary for Risk Management National Adoption of ISO 73:2009. Des Plaines, IL, U.S. p. Introduction 5. Canadian Centre for Occupational Health & Safety (CCOHS) (n.d.) (retrieved March 3, 2015) (http://www.ccohs.ca/oshanswers/hsprograms/risk_assessment.html).
6. ANSI/ASSE (2011). Z690.2 Risk Management Principles and Guidelines National Adoption of ISO 31000:2009. Des Plaines, IL, U.S. p.6 7. ANSI/ASSE (2011). Z690.1 Vocabulary for Risk Management National Adoption of ISO 73:2009. p.6 8. Occupational Safety & Health Administration (OSHA) (n.d.) (retrieved March 3, 2015) (https://www.osha.gov/law-regs.html). 9. United States Environmental Protection Agency (US EPA) (n.d.) (retrieved March 3, 2015) (http://www2.epa.gov/regulatory-information-topic). 10. ANSI/ASSE (2011). Z690.3 Risk Assessment Techniques National Adoption of IEC/ISO 31010:2009. Des Plaines, IL, U.S. 11. International Standards Organization (ISO) (2004). ISO 14001-2004. Environmental Management Systems Requirements with guidance for use. Geneva, Switzerland 12. Occupational Health and Safety Assessment Series (OHSAS) (2007). OHSAS 18001-2007. Occupational Health and Safety Management System Requirements. London, England 13. American National Standards Institute (ANSI)/American Industrial Hygiene Association (AIHA) (2012). ANSI/AIHA Z10-2012. American National Standard Occupation Health and Safety Management System. Fall Church, VA, U.S. 14. Massachusetts Institute of Technology (n.d.) (retrieved March 3, 2015) (http://web.mit.edu/course/10/10.27/www/1027coursemanual/1027coursemanual- AppVI.html). 15. ANSI/ASSE (2011). Z690.3 Risk Assessment Techniques National Adoption of IEC/ISO 31010:2009. 16. OSHA (n.d.) (retrieved March 3, 2015) https://www.osha.gov/sltc/etools/safetyhealth/mod4_tools_methodologies.html). 17. OSHA (n.d.) (retrieved March 3, 2015) (https://www.osha.gov/sltc/etools/safetyhealth/mod4_tools_methodologies.html). 18. OSHA (n.d.) (retrieved March 3, 2015) (https://www.osha.gov/sltc/etools/safetyhealth/mod4_tools_methodologies.html). 19. OSHA (n.d.) (retrieved March 3, 2015) (https://www.osha.gov/publications/osha3071.pdf). 20. United States Environmental Protection Agency (US EPA) (n.d.) (retrieved March 3, 2015) (http://www.epa.gov/reg3hscd/risk/human/info/guide1.htm). 21. ANSI/ASSE (2011). Z690.3 Risk Assessment Techniques National Adoption of IEC/ISO 31010:2009.