“Some safety professionals, in the name of ‘zero-injuries’, will heap regulation after regulation on a job until the organization rebels and simply refuses to comply.”  — Phil La Duke

There was a time when getting ready for winter meant making sure you had enough firewood to heat your cabin until spring. If you didn’t, your family could freeze to death. Once you had enough wood to make it through the winter, though, you didn’t need more. Cutting wood, splitting it, stacking it—those all take time and energy. Time and energy that can also go into other activities necessary for assuring that your family survives and thrives.

Surviving and thriving depends on being safe enough. Yet there is a tendency to pile on safeguards to hazards that frighten us, long after we’ve reduced the risk to a tolerable level. Our time and energy are finite. If we’re devoting them into safeguards where they’re not needed—where we are safe enough—then we’re diverting them from other necessary activities.


Some hazards can lead to an event with relatively minor impact severity, a first aid, for instance. Some hazards can lead to an event with severe impact, such as a fatality, or worse, multiple fatalities. These impacts, however, don’t define the risk of the hazards. Knowing the impact severity—the consequence—doesn’t tell you what the risk is, though. To know the risk, it is equally necessary to know the likelihood of the hazardous event. Risk is the product of likelihood and consequence.

Don’t believe that?

Then consider your plant being hit by an asteroid the size of a barn. There would be multiple fatalities. Massive environmental damage. The asset destruction would be total. In other words, extremely severe impacts. Do you consider asteroid strikes as a high risk? No, of course not. Not because the impact severity is minor, but because the likelihood is extremely low.

It can go the other way as well. A hazard might lead to an event resulting in a first aid. But if it happens all the time, to any and all, the high likelihood of the event will give the hazard a high risk.

Too often, though, that’s not how we treat risk.

A Portfolio of Hazards

Every facility has a portfolio of hazards. When we analyze them, we discover that some of those hazards have a risk—the consequence severity times the frequency of occurrence—that is low enough to be tolerable. These require no more risk reduction. To spend your finite resources on reducing them further diverts those resources from hazards that truly need attention. Some of those hazards have a risk that is intolerable. The risk of these hazards must be reduced, regardless the cost.

Then there is the third category, the hazards with risk that is higher than can be freely tolerated, but for which risk reduction measures are applied based on a cost-benefit analysis. This is general known as the ALARP zone – As Low As Reasonably Practicable. The risk of these hazards should be reduced to the extent the risk reduction warrants the expense.

In a typical hazard portfolio, most of the hazards are already in the tolerable risk zone. Many are in the ALARP zone; the application of additional risk reduction measures will depend on a cost-benefit analysis. Typically, there will be a few hazards that analysis shows to be in the intolerable risk zone. The application of additional risk reduction measures to these hazards is imperative.

Figure 1. A Typical Portfolio of Hazards

In an ideal hazard portfolio, the hazards that may have been in the intolerable zone have all been addressed with risk reduction measures that at least push them down into the ALARP zone. There will be some hazards in the ALARP zone, but most hazards will be in the tolerable risk zone.

Figure 2. An Ideal Portfolio of Hazards

Then, with time and resources, the hazards in the ALARP zone can be addressed to drive them toward the tolerable risk zone.

Piling On

Instead of addressing all hazards with intolerable risk, however, we tend to focus our efforts on those hazards with high consequence severity—the hazards on the right side of the risk graph. Worse, we tend to neglect hazards with low consequence severity, even if their frequency makes their risk intolerable.

Often, this is done out of instinct. The more fearsome the consequences of a hazard, the more we want to do something about it. Unfortunately, most risk reduction measures do not reduce the consequence severity of a hazard. If it happens, it is going to be as bad as it is going to be. Instead, most risk reduction measures reduce the likelihood—the frequency—of the hazardous event. This drives the hazard down on the risk graph, not to the left.

Many organizations go beyond instinct and formalize it in their risk tolerance criteria (RTC).

Figure 3. Typical Organizational Risk Tolerance Criteria

The unfortunate result of setting up RTC is that hazards with most severe consequences (the two columns on the right) can never be resolved. The bottom row in the RTC is for the lowest frequency hazards, but that row is always defined as less often than once per “X” years. Since risk reduction measures reduce frequency, not consequence severity, risk reduction measures move hazards down. But after reaching the bottom row, there is no way out of the Yellow RTC zone. Which means that every time that hazard is examined, it still requires work because the risk is not and cannot ever reach the Green RTC zone.

That forces organizations to pile on.

Figure 4. A Portfolio of Hazards after Piling On

Because resources are finite, something must be put off to “someday”. As a result, high-consequence hazards get all the attention while low-consequence hazards are neglected, even those low-consequence hazards in the intolerable risk zone. Every time the risk assessment is revisited, those high-consequence hazards are still in the Yellow zone of the RTC, compelling more attention

A Way Out

For every hazard, there is a level of risk that is low enough to be tolerated. That is true whether the consequences of that hazard are mild or extremely severe. Again, consider the asteroid. That means that for every level of consequence severity, there must be frequency low enough for the risk to be tolerable. Otherwise, there is no rational way address all hazards.

Figure 5. Rational Risk Tolerance Criteria

Can You Ever Be Too Safe?

One of the key purposes of RTC is to encourage a rational allocation of resources, which are finite. Hazards with intolerable risk must be addressed first. Hazards in the ALARP zone should be addressed as warranted by a cost-benefit analysis. Hazards with tolerable risk do not warrant the allocation of any resources.

Any time or effort spent on a hazard with tolerable risk is time and effort diverted away from work on other hazards. A misallocation of resources, while making one hazard safer, leaves the overall portfolio of hazards with a higher risk than necessary. Overall, misallocations of safety resources are bad for safety.

When RTC do not allow the risk of a hazard to be reduced to the point of being tolerable, they encourage a misallocation of resources. Consider your own risk tolerance criteria. Are you piling on?