
How do you handle doing risk assessments when a lot of what you do is risky?



Posted

Tasks I perform on a daily* basis have a high level of risk either to me or the school if you're not trained / qualified / experienced or haven't taken the relevant precautions.

 

Is there a way of writing a general (standing orders if you will) risk assessment for tasks that are common to my job description without me drowning in random paperwork and filling Behind the Red Door as a result?

 

*or more than once a week, anyway.

Posted
Depends on what tasks you are talking about? Could you group them into similar activities such as working at height, working with electrical, working with annoying colleagues? Then you could do generic "Do not fall off the ladder" type assessments.
Posted (edited)

@Techmonkey

I suppose I'm wondering if people who regularly do $job, day-in and day-out that's potentially bloody dangerous (Zoo vet, say), spend significant amounts of time filling in risk assessments or if the powers that be say "well, he's a trained zoo vet who knows that tigers are pointy, so it falls under 'competent person who's aware and has taken measures to negate or reduce risks of his job'" in a bid to avoid paperwork mountains.

 

Off the top of my head, on any given week I regularly:

 

1) Like most of us, do things that (if I stuff up) can cause network downtime for everyone for which I have the usual measures (training, experience, testing, backups, documentation) in place to negate or manage the risk.

2) Work at height while testing network kit in cabs, planning (or tracing) cable runs or running cable.

3) Work on low voltage wiring (testing cable runs, punching down damaged/new ports)

4) Shift around reasonably heavy to very heavy kit (computers, servers, ups)

5) Work with hot/fast spinny stuff (soldering irons, bench drills, laser cutters, plasma cutters)

 

And I've done all of that for years on a weekly basis with no damage or downtime to myself, others or the school as a result of my actions (or inaction).

 

What I really want is a way of stating (to the satisfaction of H&S) "Pete is a competent person for X, Y & Z (where X, Y & Z encompasses stuff I usually do that for an unaccustomed person would pose a risk) and he doesn't have to create reams of Risk Assessment forms unless he's working on something (say full scale strip out and rebuild IT suite) exceptional."

 

If I had to create a risk assessment every time I did 1 - 5, I'd end up filling them in with "risks: danger of not completing contracted tasks due to amount of time filling in stupid forms".

Edited by pete
Posted

I think item 1 is very different from the others and should be handled differently. You should have some kind of change management in place. Key parts of this are that you plan what you're going to do and why. You have written plans which should include things like who has to be notified of the change, when it's going to happen, how you've tested it, how you'll know if it's succeeded and how you will roll back if there's a problem (that also means you need to specify how you will know if there's a problem and what the worst case scenario is and how likely that is). Obviously, a small organisation will do this in a simpler way than a big organisation.

 

Just read that paragraph and I'm not sure if it makes sense - look up ITIL Change Management to get a feel for what it's all about.

 

The others are things which involve risk of injury. Here, I think you should have a list of the things which are done, an indication of how often and the "what could go wrong" "how bad would it be" "how likely is it to go wrong" and "what do I do to try and make sure it won't go wrong".

 

For all the routine stuff I think there should be a scheduled check of what's going on - say once a year - and you complete a form at this point. I think our risk assessment forms are public - take a look at the "Combined Risk Assessment & Standard Operating Procedure Template" - it might help (well, it might help more than the gene therapy form!)

Posted (edited)
ITIL Info

 

We've implemented parts of FITS (that admittedly are easy and fit in with "yeah, we already/nearly already do that"), but haven't got round to the long term payoff stuff. The change management/rollback/plan info/vendor docs is all in the IT wiki, by service (say, all the network components necessary for OWA to work) and device (a server). I tend to use the Practice of System & Network Administration as a reference - it does ITIL & FITS-type stuff, but it's more sysadmin-orientated in that it shows demonstrable benefit that your average geek will appreciate.

 

For all the routine stuff I think there should be a scheduled check of what's going on - say once a year - and you complete a form at this point. I think our risk assessment forms are public - take a look at the "Combined Risk Assessment & Standard Operating Procedure Template" - it might help (well, it might help more than the gene therapy form!)

 

Cheers for that. I've also nicked the Genetic Modification form to slip into our H&S folder to see if anyone notices :)

Edited by pete
