The Risk Manager and Occupational Health and Safety Manager – What Is the Connection?
By Darius A. Delon, CCIB, FCIP, CRM
Risk Manager
Risk Manager (RM) and Occupational Health and Safety Manager (H&SM) responsibilities are similar in some aspects and, as a result, there is synergy in putting the two roles within the same department.
The typical H&SM responsibility is to manage the safety of the corporation’s employees and contractors while on the corporation’s sites. When you have an Occupational Health and Safety (OH&S) incident, or near miss, the H&SM will investigate the incident, report it to the proper authorities in the province, log it in the Management Information System (MIS), write a comprehensive incident report (which may go to the OH&S jurisdiction in the province), develop protocols to avoid any future incidents and train managers and staff on the new protocol. The H&SM can rely on the power of legislation to move new practice within the organization, since the fines and criminal prosecution associated with non-compliance with OH&S legislation get the attention of the C-suite.
The typical RM responsibility is not defined by legislation, so the role often centers on insurance procurement, claims management, contract reviews and the anomalous “Risk”. Risk includes, but is not limited to, the need to protect the corporation from claims brought forward by third parties (guests, trespassers, those not associated with the corporation) that are caused by the actions, or lack of action, of the corporation’s employees, contractors or agents. Once you have a claim from a third party, you investigate the incident, report it to the insurer, log it in the MIS, develop protocols to avoid any future incident and train managers and staff on the new protocol.
The difference between the two roles, from a hazard control perspective, is that the H&SM is responsible for employee and on-site contractor safety while the RM is responsible for third party safety. The very same safety protocols put in place by an H&SM are often the protocols needed for third party safety. There is an obvious overlap in these roles, with OH&S management benefiting from a well-defined and tested set of protocols intended to protect the corporation’s employees.
The simple solution is to combine these two departments into one Enterprise Risk Management (ERM) unit. There is synergy in combining the units, especially within a large organization. OH&S officer training includes incident investigation, which will help in determining the root cause of the incident or claim, and OH&S guidebooks have already identified unsafe conditions and developed credible safe work practices. OH&S legislation is a good hammer to wield when you need to get the job done but meet resistance from other management or staff. Risk Manager training includes Risk Assessment, Risk Control and Risk Finance, which ties the macro operations risk in with the micro employee safety risk of the H&SM. Good risk control, including OH&S controls, works well to reduce insurance premiums (the RM should also be managing the WCB claims process).
Many larger organizations have both an RM and an H&SM, yet they usually report to two different departments. Often, the H&SM reports to someone within human resources or operations while the RM often reports to finance, operations or procurement – none of which is ideal. Ideally, the combined unit would report directly to the Risk Management Committee and administratively to the CEO, CFO or an EVP. The dual reporting role is needed since critical information may be filtered if the role reports to a middle level management position, and the focus of the RM role becomes one of cost containment if reporting to finance, or an insurance procurement function if reporting within the procurement department.
Who should run the department? The Risk Manager or, to put it another way, the Chief Risk Officer (CRO). There needs to be an individual, at the C-Suite level, who is held accountable for the management of the unending new legislation that is brought forward from OH&S, workers compensation, environmental, privacy and other governmental departments. Without a CRO to filter through the unending amount of data, the corporation is at risk of implementing non-priority projects while at the same time ignoring high priority emerging risks that could cripple the corporation if not addressed with sufficient resources in a timely manner.
Risk equals reward when it comes to business. The RM's job is to allow, and encourage, certain risks so that the organization can complete its main function, while developing systems for avoiding unnecessary risk, mitigating the outcome for necessary risks and transferring surplus risks. An RM, or Chief Risk Officer, who is responsible for insurance procurement, claims management (including WCB), OH&S and “Risk” is well positioned to effectively manage operational risk and keep one of the organization's biggest assets (employees) safe.