SafeWork Australia Edited Interview

The following is an edited transcription of an interview with me conducted by Dr Howard Morris of Safe Work Australia in 2016.  The web link to this interview is apparently no longer available, so I have been free with my editing to improve readability and in places expand on content.

Derek Viner August 2025

INTRODUCTION

Dr Howard Morris

Welcome to today’s discussion on work, health and safety risk as part of Safe Work Australia’s virtual seminar series for 2016.

I’d first like to acknowledge the traditional custodians of the land on which we meet, the Ngunnawal people, and recognize and respect their continuing culture and the contribution they make to this city and to this region. 

It’s my very great pleasure to introduce Derek Viner. Derek is a consulting risk engineer and a management consultant in risk control. Derek has contributed courses in risk for the Faculty of Science, Engineering and Technology at Swinburne University of Technology for over 20 years. 

A major focus of Derek’s work throughout his career has been on the very practical application of knowledge and skill to manage issues around risk in the workplace. So while Derek has a very strong academic background, he comes with a very strong practical component to the application of the work, and it’s great to have him here today. So welcome Derek, and thank you for participating in Safe Work Australia’s virtual seminar series to start the discussion today.

SIMPLIFYING RISK MANAGEMENT

Dr Howard Morris

Derek, sometimes WHS Risk Management can be seen to be a complex activity. Is there a way to simplify our understanding of it and its aims to help us apply it effectively in practice?

Derek Viner

Howard, thank you for your introduction and welcome. 

I think it is particularly important for senior executive management to have a very simplified view of Risk Management, because it’s so easy to get engrossed in the complexity of it.  This complexity is important in the implementation of particular things in the workplace, but not particularly valuable or useful when it comes to having a strategic view. I think it is possible to simplify the strategic view quite significantly.

I think it can be simply said that the primary goal of the organisation is to both achieve and then maintain required standards of risk control. Now, of course, that simple statement can be applied to any of the risks in the organisation, and one needs to understand a little bit about what is meant by required standards of risk control.  What I think of as a required standard of risk control is one that satisfies legal obligations, one that could be presented with some confidence in a court of law, in the event that something did go wrong, in order to convince the court that in fact you are a responsible organisation that has been doing what was necessary. 

It is important to realise with risk that absolute prevention isn’t normally one of our options, and so even doing absolutely the right thing, at times something may well go wrong and the organisation suffers an adverse outcome as a result. 

Understanding what the required standards of control are for each risk and doing what one can to achieve those required standards is important. Doing what one can depends a bit on how much you can afford and what the capital or operational cost is of actually reaching those required standards. That decision making process helps one to understand  how what’s required applies to the particular circumstances of the organisation that you’re managing.

The second part is to maintain those standards of risk control. That’s quite a challenging thing to do in some respects, but not if you have it in your mind as a task that does need to be achieved.  The maintenance of standards of risk control really just involves people in the organisation doing the things they do, but recognising that they need to include aspects of risk controls. And who in the organisation? Well, it’s your maintenance organisation, it’s your training organisation, it’s your human resources people, it’s your procurement staff, it’s line managers in operating parts of the organisation and so on that maintain these.  If there’s any particular challenge involved it is that these things need to be maintained over a long period of time, not just over the next year or two or three. 

So that’s a simple way of looking, I think, at the goals of a Risk Management program.

WHS AND CORPORATE RISK MANAGEMENT

Dr Howard Morris

Derek, in some organisations, Risk Management and work health and safety activities can be managed separately. What’s your experience of this situation?

Derek Viner

Yes, not a very happy experience, I must say. I have worked with organisations where there is a Workplace Health and Safety and possibly Environment part of the organisation, as well as a Risk Management one and the two tend to be located in different parts of the organisation. Workplace Health and Safety typically is located where operating things are happening and risks actually arise of a physical sort that might affect people and the environment, whereas the Risk Management part of an organisation often resides somewhere in head office, probably located in the finance or Treasury area, may involve a board Risk Management committee overseeing its operations and so on.  So two very different places in the organisation. And while the Risk Management part of the organisation has an interest in risks that go beyond health and safety, and rightly so, it also has an interest in risks involving health and safety, because boards are very conscious of the responsibilities in this area. 

This separation shouldn’t be a problem, but it can be at times. Apart from the two different locations of the two different functions, if you look at the principles of what one is trying to do in promoting Work Health and Safety and what one is trying to do in promoting better Risk Management, the underlying principles and theory are identical. It’s all about risk, and risk is all about the potential for something adverse going on in the context that we’re talking about here, which is pure risk (ed. as distinct from speculative risk). While the underlying principles are clearly the same, the underlying practices are often somewhat at odds with one another. I have been in organisations where the Workplace Health and Safety Team are promoting one understanding of risk registers, for example, and the Risk Management group have ownership of risk registers, but have a very different understanding of what they should contain. So if the philosophy that is used to underpin the activities of the Risk Management team and the Workplace Health and Safety Team are incompatible we have a situation of confusion.

I have seen operational management and engineering management being subject to the different expectations of the Workplace Health and Safety team on one side and the Risk Management team on the other. The confusion that arises is not helpful. With shared understanding of the common principles comes shared language and expectations.

ADVICE FOR SENIOR EXECUTIVES – THE DISTINCTION BETWEEN GENERAL WHS AND OPERATIONAL SAFETY

Dr Howard Morris

How should risk be managed in practice?  Is there advice that you can provide for senior executives on effective approaches they can use to promote and oversee Risk Management in their companies?

Derek Viner

I think that first of all, despite what I’ve just said, it’s terribly important for senior executive management to separate in their own minds the practices of what I call “general occupational health and safety” and those practices in what I call “operational health and safety”.

General Health and Safety activities are those directed at common hazards.  Most organisations, for example, have standard 240 volt electricity in their offices. That’s a general health and safety matter.  Some organisations actually generate, transmit or distribute electricity and are handling it at significantly higher voltages and in completely different applications of technology. That same hazard type of electricity exists in sufficient quantities and is so utterly tied up with the function of the operation that it needs to be managed by specialist people and that’s an example of what I call operational risks. Another example is flying operations where operational risks clearly arise in the operation of aircraft. Another example is a petrol refinery, where operational risks arise due to the large quantities of very flammable liquids and gases which are to be found there, whereas even your average transport operation uses flammable liquids or gases but the circumstances are more routine, more simple and shared with many other industries. 

I think it’s very important that managers don’t assume that the practices of their generalist health and safety people can be just read across to operational risks. There have been examples in recent times which I rightly or wrongly see as being largely a consequence of this. Consider for example, a CEO who is proud of their company’s very low lost time injury frequency rate, which is a measure used by generalist health and safety people, whereas in the background, their management of operational risks is deteriorating unrecognized to the point where suddenly they have a significant disaster on their hands, which pretty much threatens the operation,  the life of their organisation. 

In my career, there have been disasters well publicized in the press, that may never have happened had the operational managers of a plant had a focussed understanding of the fundamental processes of risk analysis and Risk Management. 

Most of the valuable methods and techniques that are available in risk analysis and Risk Management, to my mind, have originated in the needs of the aerospace and the petrochemical industry.  Some of these have been adopted by generalist health and safety people and used not necessarily in a particularly skillful manner. I think it’s very important that senior executive management ensure that these aren’t then imported back into the operational risk area, where the changes that have been made to them and the changes to the understanding of them may really have rendered them inappropriate for use in the operational risk area. 

So a short summary of that is the clear need to separate operational risk from general risk in the management of an organisation.

THE RISK MATRIX

Dr Howard Morris

I understand you have issues in relation to use of the risk matrix. Can you explain these, please?

Derek Viner

My concerns with the risk matrix are threefold. The first one is that I think it’s a misdirected effort.  In an earlier question, maybe the first question, you asked me what I thought the goal was, and I said it was to achieve the right standards of risk control. The goal is in no way to try to work out what level of risk are we managing. 

That’s not what legislative obligations in Workplace Health and Safety are asking of us. They’re asking of us to achieve the right standard of control over a risk. So trying to identify or trying to estimate the level of risk in a matrix is not actually what’s required of us and using a matrix to then determine what management effort is needed as a result of that is just a building onto something which shouldn’t have a foundation at all. So number one, it’s misdirected efforts, not what we’re here to do. 

Number two, it’s not a suitable tool for the estimation of risk.  It’s not possible to judge what likelihood is on a simple word scale with any meaning at all. Likelihood is a synonym for probability. It is sometimes used as a synonym for frequency. Probability and frequency are two different things.

The two are related by exposure to the circumstances in which it could happen, and in using scales of likelihood, one is not giving explicit recognition to this fact. Risk matrix word scales and their explanations sometimes confuse probability and frequency in any event. 

This second point is that a simple matrix doesn’t adequately represent what is, in reality, a logarithmic relationship between likelihood and consequence value, and asking somebody to pick a single cell of the matrix carries a misunderstanding of what risk is. Risk is actually a relationship between frequency and consequence value. It is quite commonly understood that high frequency but low consequence things, and low frequency and high consequence things arise from the same risk. And so risk is this relationship. The matrix doesn’t help to make this evident, and so it’s often incorrectly used. 

The third point I’d like to make about it is that my own research with colleagues, and anecdotal experience in industry, is that the risk matrix is incapable of consistent use, either between groups of people or individuals or even from the same person over a period of time. 

So I think these are three significant reasons why the risk matrix is not something which should be the focus of activity.

I think the use of the risk matrix to actually make what are operational risk decisions is particularly unfortunate. I have spoken to a number of engineers in industry who are quite concerned that because of the lack of any other tool that’s available to them, their senior executives are making use of the risk matrix to justify expenditure of significant sums of money, which a rational engineering assessment would quite possibly say was a waste of money. 

This is important, because money that is spent unwisely on risk could actually be better spent wisely on risk. And so Risk Management should be aiming to actually make the organisation more efficient in the face of uncertainty, not less efficient in the face of uncertainty. 

I think that there is a very definite need for a nationally accepted practice protocol, which would give senior executive management a sense of confidence that the process that they were using to make risk-related expenditure decisions was a process which is recognized and approved in our country. I would really like to see this happen.

AN ALTERNATIVE TO THE RISK MATRIX

Dr Howard Morris

What’s an alternative approach to the use of a risk matrix that can be used to manage Work Health and Safety risk?

Derek Viner

The risk matrix is commonly used as the foundation of a risk assessment – wherever any work is being done, you’ve got to risk assess it.  A decision process therefore occurs at the level at which the risk matrix is being used. 

This process should actually be about the adequacy of standards of controls, not about putting an X on a risk matrix and this should be done at the level of responsibility in the organisation at which to decide on the adequacy of the level of controls: the responsibility generally does not lie with the people who are typically using the risk matrix. Depending on how severe the likely worst consequence is, the responsibility actually could reside at the CEO level or even the board. Just read your newspapers recently. So you’ve got to put something else into the process. 

My belief is that what needs to go into the process is a top down view from where these decisions are best made and by whom and with what level of information. From a tactical point of view, at a senior executive management level, I think that there is a need for three simple foundations. 

One is an inventory of risks. You’ve got to know what it is you’re dealing with. And this inventory needs to be sensibly developed. There are not 1000s and 1000s of risks because Risk is not a synonym for probability or likelihood in the context in which we’re talking about it. A sensible inventory of Risks in many organisations should contain only up to 40 or 50 entries.  Given the “agenda”, decisions can be made about the knowledge and skills needed to understand the significance of the entries, the technologies of controls and the legal standards that determine the moral obligations that the organisation has to manage. 

Secondly, there needs to be a process for periodic review of the adequacy of the control measures that have been identified in the inventory, because requirements for standards of control measures change as community standards and technology available changes. 

Thirdly, there needs to be a conscious effort to maintain those risk control measures over a time scale, measured in decades, not just the interval between CEO appointments. A really good corporate memory is needed so that a new CEO knows what the organisation is doing here and keeps a steady course rather than just starting from scratch, which seems to happen in quite a few organisations. 

There are some few situations in which decisions about what standard of risk control should be implemented will benefit from a cost benefit analysis involving an estimation of the actual level of Risk that is being managed in the first place. 

Put very simply but very adequately, risk control measures are in one of three categories:

  1. The Must Do category, because regulations and codes of practice say you must do them. 
  2. The Should Do category, which applies to ideas that you might find in a standard or a code of practice which is not actually imported into a regulation – it’s there as an advisory statement. 
  3. Could Do situations, over and beyond the Must and Should Do’s. If you inform yourself on the way in which decisions are made in Common Law Courts (safe place and safe system of work etc.) then it becomes possible to see the value of control strategies that don’t exist in regulations (or codes of practice, guidance notes or common industry practice) but nevertheless exist as possibilities and cannot in some circumstances be ignored in order to make a responsible decision. It’s in that situation that the variables associated with making reasonably practicable decisions, particularly are helpful: the likelihood of this happening, the ease with which it could be controlled, the cost of controlling it, the difficulty of controlling it etc.  

It is in this Could Do area of risk control that one needs to understand how to apply cost-benefit analysis to Risk control possibilities: appropriate tools used in the correct circumstances for decisions involving significant amounts of money.  These decisions need to be made at an appropriate level of responsibility, were the foreseeable, likely worst consequence to arise.

This is the understanding and process that should replace the use of the risk matrix.

INDUSTRY ASSOCIATIONS – AN OVERLOOKED POWERFUL NATIONAL STRATEGY

Dr Howard Morris

How can we actually promote cooperation on an industry wide basis, to help companies in this way to manage health and safety?

Derek Viner

It’s very beneficial for industries to work co-operatively for three powerful reasons. 

One is the benefit of shared experience of serious incidents. These occur, generally, with low probability and hence infrequently. In the absence of co-operation, a company that has just experienced a serious incident, which no-one currently employed there has known to happen and no story of such an incident has been passed down from previous generations of employees, has to learn the lesson and decide on control measures by itself.  The “lesson” is not really learned by all similar companies.

Experience is an excellent teacher.  Looked at very simply and not entirely properly, five similar companies will accumulate experience at five times the rate of one alone.  These experiences reside in the collective memory of employees in all of the associated companies. 

The second benefit of co-operation is that a group is far more likely to be able to promote top of The Hierarchy of Controls, design-related controls, because an equipment supplier will be more motivated to make changes to the design of their equipment and so to make available to the industry equipment which doesn’t contribute to or promote the sorts of risks that it currently does, designs that have also learned from the experiences.  The greater buying power of companies in association means a greater potential to influence the design of equipment and facilities.

There’s an excellent Australian example of companies working together in association that I can recall and which goes back perhaps 40 years, in the softwood plantations of the South East of South Australia. Here, the Logging Industry Training Team got the manufacturers of chainsaws together and told them that unless they redesigned chainsaws to stop vibration-related injuries, to stop promoting bushfires and reduce the severity of kick-back injuries, we’re not going to buy chainsaws anymore, we’re going to find some other ways of knocking trees down. Now, they were a very small percentage of the world’s chainsaw market, but they succeeded in motivating the manufacturers of chainsaws to satisfy those requirements, as I recall within a period of some 12 to 18 months.

The third benefit of co-operation is in the compelling role that industry associations can readily adopt.  There’s a wonderful example of this in Germany and it’s been there, working successfully, promoting  top of the Hierarchy of Control strategies, and going well beyond just work injury into efficiency and happiness and well being since at least the 1980s, and I think this may even date back to just after World War II.

In Germany, membership of an industry association is a legal obligation.  The association has the role of a claims agent for insurances, including workers’ compensation.  In this role, they collect workers’ compensation insurance premiums plus a small addition that is used to fund the association’s role in developing improved methods, technology, facility design to improve efficiency, and even happiness of the workforce.  They even function as training organisations.  In short, an association can afford to employ experts to the benefit of members of the association.  Problems are solved with higher levels of expertise than a single company could afford and the results shared. As a claims agent, they are able to analyse claims experience in bulk, see where problems are and whether design etc. changes are having the desired effect.
