This website uses non-intrusive cookies to improve your user experience. You can visit our cookie privacy page for more information.

Communication of Risk – Institute of Risk Management

8 October 2015

Judith Hackitt CBE, HSE Chair

Good morning and thank you for inviting me to give my perspectives on communication of risk. You will not be surprised to hear that given my current role as Chair of HSE, some of the specific examples I will talk about today will be in relation to health and safety risks but many of the principles will be more widely applicable. Effective risk communication is essential to ensuring that we all have the same perspective. There is plenty of evidence to suggest that our perspective on risk is not all that it should be – all too often we see people focussing on small and even trivial risks whilst ignoring the much bigger issues. We also have a tendency to see different risks in isolation – health and safety, financial, reputational and so on.

But by planning ahead, researching, testing and evaluating what works, it is possible to get people to identify, understand and manage risks in a proportionate and in an integrated holistic way.

We need to ensure that we improve understanding of the difference between hazard and risk, and also to recognise that risk management, not risk elimination is what we are all about.

Naturally there will be a lot of talk today about risk, but we must not lose sight of the benefits brought about by many activities that carry some form of risk. Getting this balance right lies at the heart of effective risk communication

Consequences of not managing risk

My career started 40 years ago in an industry where the hazards are very significant. I am a chemical engineer and I spent the first 15 years of my career in the petrochemical industry. I have been Operations Director of a top tier COMAH facility.  With experience like this very early in my career it has been ingrained into my thinking that risk management is not just important but an integral and essential part of being successful in such a business. The consequences of getting it wrong include loss of life and livelihoods – the very survival of the business is threatened.

I took on more specific responsibility for risk in 1996 when I was appointed to the role of Group Risk manager in a UK plc which operated businesses in a number of sectors ranging from chemicals manufacturing and distribution, mining, animal feeds, building trade suppliers and others – I was  the organisation’s risk leader reporting directly to the Board. It was a role that I thoroughly enjoyed and which enabled me to influence some very important strategic issues within the company – I was very much “the Executive Voice of Risk” but I was also aware at the time that my remit as a Group Risk Manager was significantly different from that of many of my “equivalents” in other organisations. “Risk manager” in many organisations even today is still seen as being about risk financing and insurance. Management of health and safety is viewed as something of a specialised field and somewhat separate.

But if I look at the issue of “risk” from my current perspective as Chair of HSE, I see very clearly the need for a much more integrated and holistic approach to risk management. I spend a good deal of my time talking to Boards and senior managers in companies, explaining why doing good health and safety is about good business practice, not about business cost and the so-called burden of regulation. All too often I see the silo mentality which leads to the poor health and safety manager feeling responsible for everything to do with health and safety rather than the risks and the potentially devastating consequences being recognised and owned by the most senior leadership of the organisation. It is equally clear to me that those companies who are good at health and safety are good because their Boards and senior managements do get it. That doesn’t mean they’re health and safety zealots – far from it – the good companies are the ones who understand all of the risks in their organisation and have a good understanding of those that present the biggest threat.

Companies like this are much less likely to seek to compartmentalise risk   - into financial, reputational, safety, environmental or whatever other functional boxes people may choose to use.  Companies who have the right culture understand interdependency of risks. It would be futile to try to categorise BP’s Gulf of Mexico incident in 2010 in this way – it is clear to anyone and everyone with the benefit of hindsight that it was every one of those things and posed a threat to the company’s very survival.

Companies who manage risk well also know how to prioritise and to discern the issues that really matter. But this is only possible if they have a good purview of all of the risks and their interconnectedness. Boards can only do this if they are well informed and have a consistency of language and thinking across the organisation; this very much requires that “Executive Voice of Risk” whether it is present in one individual or a common language and set of values across the whole organisation – a culture.

All too often risk management is misinterpreted as being about risk elimination or risk aversion – let us be clear it is neither of these things. Good risk management and risk leadership are essential if companies are to be successful in innovating and surviving in a rapidly changing and increasingly complex world. Risk taking is  an essential element of any enterprise – the key is to understanding what those risks are, those that can – and should - be mitigated at the outset, those that can’t and what the consequences might be if those risks do materialise versus the benefits if they don’t.

Hoping that the worst will not happen is not a strategy.

Complexity is often a convenient excuse for not being able to anticipate all of the things that could go wrong – but what does this actually mean in practice? We know that in some cases it means that the level of complexity of business operations is now such that no-one really understands how it all works.  This sounds like a very good case for having someone – at least one person in every organisation - who does have an overview of the whole risk agenda, who is charged with understanding the uncertainty and interconnectedness of those risks and is charged with reporting directly to the Board.

Leadership guidance

Let us now take a look at some examples of ways in which HSE has sought to help businesses to get that perspective on health and safety risks. HSE worked with the Institute of Directors and other stakeholders to provide guidance to Boards on why and how they should involve themselves in providing leadership for health and safety risk management. It’s an area we identified as needing concise and straightforward information to help gain greater buy-in.

It is something we try to do in all our work - making health and safety as straightforward as possible. That isn’t a euphemism for lowering of standards, because businesses, workers, the economy and the state all benefit from fewer health and safety incidents occurring – no one wants to see standards decline. But I am a great believer that if you make something easy to understand and do, people are more likely to do it. That principle lies behind HSE’s drive over recent years to modernise and simplify regulations and guidance.

The effort to modernise has to continue but we also see the need to refresh our overall strategy which provides important context not just for HSE but for the whole H&S system. The strategy will recognise the need for health and safety to be incorporated into that wider holistic approach to risk that I mentioned. We as regulators recognise the interconnectedness of risks and our new strategy will now encourage others to get that same perspective.

Let’s delve a little deeper into how HSE communicates risk, but to do that I need to give you a quick run-down of the organisation’s founding philosophies, borne of the Health and Safety at Work Act:

Regulatory approach

It is worth repeating one key principle - those who create risks are best placed to control them. This applies to employers, employees and manufacturers of workplace equipment or substances. The regulator’s role is to ensure that all of these people do that effectively – not to do it for them.

So they need to understand risk. HSE provides guidance and tools where relevant to help achieve this.

We regulate a broad range of workplaces, from factories to farms, offshore gas and oil, onshore major hazard sites and many others. Interventions and communications are tailored according to the risks of the different industry sectors and activities.

Straightforward guidance

For small low risk businesses we provide simple guidelines and tools that enable the business owner to very quickly and easily access information on what he/she needs to do to assess and manage risks.

Safety cases/major hazard approach

But at the major hazard end of the spectrum our approach is somewhat different, even though the principles are the same. Major hazard industries have the potential to create safety incidents which could be catastrophic – resulting in major damage and potential loss of life including to members of the public. For such major hazard industries we operate what is commonly called a safety case regime. We require the business to demonstrate that they have the knowledge and competence to build and operate such a facility. They must demonstrate that they understand the hazards, that they have taken these into consideration from the outset in the design of the facility, that they have processes in place for managing change and for dealing with the consequences of incidents if they happen. Only when that is in place do we grant permission for those major hazard sites to operate.

Our approach is deliberately designed to drive continuous improvement rather than compliance with fixed rules and standards. It is for the operator to decide how best to manage those risks in order to demonstrate that they have adequate measures in place. It means they have to do the thinking, not simply comply with a set of rules to satisfy the regulator. It is a continuous process which enables change and innovation to take place but also ensures that any new risks are properly considered and managed as change is introduced – it is dynamic. Our approach helps to provide public assurance and build public confidence in new and novel technologies.

Outcomes statistics comparison

The statistics show we have a world class system, and we strive to keep it that way because it means fewer fatalities, injuries and less ill-health.

Communication is a particular challenge for the regulator in the 21st Century. Just as regulation itself needs to be tailored to be proportionate to risk, so communications need to be tailored if they are to reach all of the targeted audiences and get them to think and act proportionately to manage risks.


A recent example of risk communication by HSE to tackle a specific issue was the asbestos safety campaign ‘Every Job Beware Asbestos’. We used quality audience insight to help shape a communications strategy which went beyond raising awareness to drive behaviour change.

This innovative campaign sought to get relevant tradespeople to change how they work by accessing information and guidance to help keep themselves safe.

The campaign targeted those workers most at-risk from asbestos – tradespeople working on small sites in the construction and maintenance industries that generally have less knowledge of the dangers of asbestos and less access to information and support.

The focus of the campaign was to move people along their journey towards behaviour change, taking action to work differently to protect themselves against the risks.

Research made it clear to us that the targeted tradespeople would only do things which they considered to be reasonable and not requiring too much effort. Conversely, it showed that there are specific things that they were not willing to do, for example taking time off work to go on a training course.

Beware asbestos products

So HSE developed two new, innovative tools:

The Asbestos Safety Kit distributed through a trade supplier who we partnered with, and the free Beware Asbestos web app which works on all mobile devices providing easy to follow, accessible guidance.

Some people might associate use of apps on smartphones as just something for a younger generation, but the insight research showed that tradespeople from a wide ranging age group routinely use smartphones in the course of their work, and that regardless of age, they would be willing to use a web app. Similarly, the effective influence of trade suppliers was common amongst the audience as they have established and trusted relationships with them.

The campaign has won a number of awards.

So we can see that posters, pamphlets and paperwork are not the tools of a 21st century regulatory system. Not only do we need to stay abreast of the changing risks in workplaces but the ways we communicate our messages have to move with the times. It is also no longer enough to “raise awareness”. We have the knowledge and the insight to understand what actually causes people to change their behaviour and we must learn to use it – not do what seems right –because it’s worked in the past. 

Another example of tailored risk communication is HSE’s advice for schools on managing risks, particularly when organising activities out of the norm or outside the classroom.

Communicating risk management to schools

Recognising that there was a need in this sector to communicate quite clearly how to manage risks proportionately, part of the package includes information on what has been dubbed the ‘Goldilocks’ test – a framework to give schools a starting point for considering whether they are getting things just right or whether they are doing too much - potentially losing vital learning opportunities for pupils, ironically often opportunities which help the children themselves to learn and understand more about the subject of risk – or, conversely, if they are doing too little.

Each of the three categories – doing too much, doing too little and getting things right, has helpful descriptors on the HSE website.

Website descriptors

The descriptor provided for getting things just right is when we have sensible health and safety management:

Case studies

Another tool HSE is using to help communicate understanding of the risks to schools are case studies on the HSE website demonstrating sensible and proportionate risk management practices for school trips.

That ‘doing too much’ category relates to a wider problem on communicating risk that HSE identified and is tackling. It’s about over interpretation or misinterpretation of health and safety requirements. Thinking that health and safety is a byword for banning anything and everything with even the vaguest of risks, and that reams of paperwork are required for assessing the most trivial of activities.


You wouldn’t think health and safety was a success in GB from stories in the press – unfortunately the phrase ‘elf ‘n’ safety gone mad’ became a byword for bizarre decisions made in the name of health and safety. Often the incidents that gave birth to the stories turn out to be nothing to do with health and safety at all.

Because of this, HSE realised it needed to help protect the image of health and safety from misinterpretation or worse still when it is used as an expedient excuse for doing something unpopular.


We did this by setting up the Myth Busters Challenge Panel in 2012, for members of the public to submit instances where they believe they have been on the receiving end of baffling or over-the-top decisions made in the name of ‘health and safety’.  The Panel publishes its conclusions on HSE’s website and seeks to set the record straight, making it clear where health and safety has been misrepresented, or used as a catch all reason for stopping activities.  Hundreds of cases have been considered to date.

And earlier this year independent research by the University of Exeter into the cases brought to the panel has shed further light on the causes of these issues.

The research shows that retail and leisure businesses feature prominently, with half of all cases put to the Panel being from shops, cafes and leisure centres. The fear of being sued, cost avoidance and lack of training were other key reasons behind the use of the health and safety myth.

Examples included customers being told by a leisure centre that they wouldn’t lend floats or goggles to use in the swimming pool for health and safety reasons!

Unbelievable, you would like to think. So, with the Mythbusters Panel we are very publicly communicating examples of when something has been wrongly considered as a health and safety risk, or where the level of risk and subsequent management have been misidentified, often leading to a disproportionate response. This identification and the accompanying feedback from the Panel is designed to help others to recognise how to consider similar risks in similar situations, whilst understanding that each situation is unique so they must still understand the specific risk they are dealing with.

I hope I have given you some insight into the different ways in which HSE sets about communicating risk depending on the audience and actions that are necessary, but always approached from the same perspective – those who create risk are best placed to manage it – and HSE helps by providing regulations, guidance, tools and advice on how to manage risks effectively and proportionately.   

Whilst our advice and all of our activities are obviously focused on management of risks which can cause harm to people in the workplace, the principles of proportionate risk management, focusing on the outcomes to be achieved are applicable across the broader spectrum of all aspects of risk management. The time has come to apply these important principles to managing – and communicating - all risks.

We are starting to see examples of businesses that get this process. They talk less about “health and safety” as a topic and much more about asset and integrity management. These are the companies who understand the interconnectedness of risks and are already practicing that holistic approach. Business success requires integrated risk management and integrated proportionate risk communication – within every organisation, with policy makers, with regulators and with stakeholders. 

Thank you for listening.

Updated 2018-03-06