What is Risk?

What is risk?

ISO 31000:2018 defines risk as the effect of uncertainty on objectives.

In safety risk, we consider the possibility of injury or harm to people.

We then apply a process to identify, assess and manage risk.

ISO 31000:2018 introduced a small but important change to the 2009 version of the Standard, relating to human behaviour and culture:

Principle (g) – human behaviour and culture significantly influence all aspects of risk management at each stage.

The Standard goes a little further – suggesting we should consider:

  • Biases, beliefs, assumptions and tangible and intangible sources of risk (Risk Identification, 6.4.2);
  • Perceptions of risk and judgements (Risk Analysis, 6.4.3);
  • The values and perceptions of stakeholders (Risk Treatment, 6.5.2).

So how do we consider these elements?

What have behaviour and culture got to do with risk?


They drive the intangible sources of risk.

It’s also where it gets a little tricky:

  • ISO 31000 does not define ‘culture’ or offer guidance on what drives behaviour.
  • Behaviour and culture are complex.
  • There are different worldviews and definitions of both culture and behaviour.
  • The culture we work in, and social influences, affect our behaviour and decision-making.
  • Risks arising from behaviour and culture are less tangible – making them hard to identify.

The authors cited in the reading list below do an excellent job of highlighting key findings and supporting evidence – so they are a good place to start.

Is it important?

The Pike River Royal Commission report makes an important distinction between “What” happened (immediate causes), and “Why” (with much of Volume 2 analysing organisational, cultural, leadership and human elements contributing to the disaster).

What lesson should we take from this report?

To manage safety in an organisation - we need to consider both the “what” and the “why”.

Haven't we already identified these risks?

In short, no.

Over the past 20+ years, we have seen hundreds of safety management systems, and thousands of safety risk assessments.

Despite the salient lessons of Pike River – consideration of “why” is rare.

If we look across different layers of risk:

Layer 1 - Physical Hazards

Falls, energy, pressure, chemicals, plant, thermal, manual handling etc.

Safety risk assessments we see in organisations typically focus on physical hazards (or what we call “Workspace” hazards).

And they need to.

They can cause serious injury.

Layer 2 - Psychological Hazards

Overconfidence, rushing, distraction, complacency, heuristics, beliefs, biases, desensitisation, auto-pilot, inflexibility etc.

Layer 3 - Cultural Hazards

Culture, language, power, bullying, complex communication, groupthink, trust, values, norms, 'get the job done', histories etc.

Images and terminology in images (c) Dr Rob Long

Psychological hazards (Layer 2) include things that influence our decision-making and behaviour. We call this layer “headspace”.

Cultural hazards (Layer 3) include cultural factors that can both be a source of risk, and also impact on participation and compliance with safety processes.

Layers 2 and 3 are not easy to identify, but they are present in every workplace and inherent in many serious safety accidents.

They give us insight into:

  • The “biases, beliefs, assumptions, perceptions” and “intangible sources of risk” – to borrow phrases used in ISO 31000.
  • The “why” behind the “what” – as described by the Pike River Royal Commission report

Should we be concerned?


Most risk assessments we see don’t identify any Layer 2 or 3 risks.

This means serious risks are not managed in your OH&S management system.

They are not considered in:

  • Risk treatment.
  • Safety programs.
  • Communication, training and consultation.
  • Site inspections and audits.
  • Monthly reporting.

In short, significant sources of risk remain unmanaged by your business.

So how do we identify these risks?

In our next post, we look at three methods to surface hazards in Layers 2 and 3.

To apply these methods effectively we need to develop advanced knowledge and skills in engagement, building trust and listening.


Layers 2 and 3 are intangible.

With trust, people tell you. 

You only hear it if you are attuned to psychological and cultural language.

What influences our decision-making and behaviour? (a very brief overview)

We cover this topic in more detail in Theme 2 in our series of posts – Understanding People and Decision Making.

Traditional decision-making models suggest we go through an ordered, logical process to evaluate alternatives and select an optimal option.

Figure 1. Traditional Decision-Making Model

Think about the major decisions (and risks) you have made in your life – choosing a partner, a place to live, or a career.

Does the traditional decision-making model reflect how you chose your partner?

If yes, I suggest you keep that to yourself!

It’s a very common model, but not reflective of how we make decisions in the workplace. Consider:

  • Do your workers step through this process every time they make a decision (given they make hundreds a day)?
  • If they did, would they be efficient in their work (keeping in mind most organisations coach their team members to be efficient and productive)?

A better model for understanding risk and decision making in the workplace

The 1 Brain 3 Minds model ((c) Dr Rob Long) provides an excellent visual tool for understanding decision-making and risk in an operational workplace.

(c) Dr Rob Long

The Model encapsulates what decades of research tell us – many of our decisions are rapid and occur without conscious awareness.

This has important ramifications for risk and safety.

Rather than decisions always being an ordered logical process, and behaviour being “a choice you make” we:

  • Take mental shortcuts (heuristics).
  • Have a range of cognitive biases (over 200 identified).
  • Can become overconfident or desensitised to risk.
  • Perceive risk differently based on our values, experiences, identity, expectations and other factors.
  • Are socially influenced (e.g. the need to belong – a powerful influence that can lead to normalisation and acceptance of risk).
  • Have attentional limits and satisfice (make decisions on some of the information) when overloaded.
  • Give meaning to things that may not be factually supported (attribution).
  • Our behaviour is influenced by our emotions – not just a cognitive process.
  • Our decisions are influenced and normalised by organisational culture (e.g. Enron maintained a documented ‘Code of Ethics’. Culture drove what was perceived as acceptable).
  • Perform some tasks in ‘auto pilot’ (automaticity).
  • The way we make sense, evaluate information and make decisions is influenced by our personality type.
  • Have imperfect memory.

Think these factors don’t influence you? Enjoy the slide show!

Actions you can take

Understanding and influencing how people perform their work, make decisions and perceive risk is a key challenge for risk leadership.

Our training programs are designed for all levels within your organisation to help them:

  • Apply practical tools to surface and discuss psychological and cultural risks.
  • Engage better and build trust and ownership of risk.
  • Listen for risks others are desensitised to.
  • Better understand drivers of risk, behaviour and action.

Over the coming months we will also be posting on the following themes to help you:

1. Understanding Risk (current theme).

2. Understanding People and Decision Making.

3. Understanding Culture.

4. Bringing it All Together – How to Better Manage Risk.

Further Reading

Bargh, J. (2017). Before You Know It. The Unconscious Reasons We Do What We Do. William Heinemann.

Gigerenzer, G. (2007). Gut Feelings – The Intelligence of the Unconscious. Penguin Books.

Long, R. and Long, J. (2012). Risk Makes Sense. Scotoma Press. Available for free download: https://www.humandymensions.com/product-category/books/

Plous, S. (1993). The Psychology of Judgement and Decision Making. McGraw Hill.

Slovic, P. (2000). The Perception of Risk. Earthscan Publications.

Weick, K. (2001). Making Sense of the Organisation.
