Monday, October 3, 2016

Rules Are Not Risk Controls

Anyone who has had any sort of formal training in safety management or hazard mitigation is familiar with the hierarchy of controls. To make sure we’re all on the same page, the hierarchy of controls is meant as a decision-making hierarchy to assist people in choosing the most effective risk mitigation measure. There are various versions of the hierarchy of controls, but a typical one is shown below.

Now most of the types of controls work by acting directly on the object creating the risk. For example, ventilation (an engineering control) reduces the number of toxic contaminants in a given atmosphere, reducing the risk. Wearing fall protection PPE reduces the effect of gravity, reducing the likelihood that one will fall
far enough and land hard enough to cause injury. Elimination of a given process through design or redesign eliminates the risks inherent in that process.

However, administrative controls are interesting because they are the one control that actually does not directly act on the object creating the risk. For example, a procedure that requires isolation of hazardous energy sources before work can begin actually has no direct effect on the hazardous energy. Instead, the procedure is designed to influence the worker who will work around the hazardous energy sources.

When you think of other examples of administrative controls you will probably reach the same conclusion – the control itself (rules, procedures, regulations, training, etc.) doesn’t really manage risk. Instead, administrative controls, following the logic, are designed to control people.  It’s the people who control the risk.

If we were to graphically illustrate this, whereas other types of control measures on the hierarchy work in an almost linear fashion on the risk they are meant to control. You implement the control and the risk is reduced.*

Administrative controls, by contrast, have an intervening variable, the person.

To illustrate this point, imagine if the person did not adjust their performance as a result of the rule, either because they didn’t know about the rule or because the rule was unfollowable. In that case there would be no risk reduction as a result of the rule.

Now, the fact that rules and other types of administrative controls do not directly control risk and that people do seems pretty obvious, and so many of you are likely saying “so what?”

Well, here’s the thing, that simple intervening variable of the person may seem like a trivial point, but, in reality, it changes everything. The change is so profound that if you treat administrative controls (rules, regulations, policies, procedures, training, etc.) like you treat any other type of control you likely will run into problems. As the famous astrophysicist, Neil deGrasse Tyson, said recently on Twitter – “In science, when human behavior enters the equation, things go nonlinear. That’s why Physics is easy and Sociology is hard.”

To illustrate, here’s a few implications for rules based on the idea that administrative controls don’t control risk, people do:
  1. The perspective of the rule follower is the only one that matters. For a rule to be effective it needs to make sense to the people who are meant to follow the rule. Often we see a violation of a rule and the first assumption is that the person is the one at fault because we clearly see how the rule makes sense to us. But we forget that our perspective doesn’t matter. We aren’t the one who has to follow the rule. This leads to the second point.
  2. Given how much we rely on rules (and similar), we should devote more attention to understanding the perspective of our workers. Much of safety is designed around creating a standard and then ensuring everyone follows the standard. But, building on the first point, perhaps we should begin to understand more about the people who work for us. How do they see the world? What makes sense to them? What do they see as the challenges that inhibit their ability to do safe work and would do they think adding a rule would do to that? The most important attribute of a safety professional is empathy and we need to practice it in this case through asking good questions. 
  3. And in doing so we see that rules are often not used in the way we think they are – they are more like guidelines than rules. It’s pretty common to hear people speak of someone who violated a rule and point to other people in the organization saying “they aren’t having trouble following the rule.” But often we have no evidence to back up this claim. All we really know most of the time is that we don’t have evidence that people are violating the rule. Others could be better at covering it up, or, more commonly, others may not be violating the rule, but they aren’t following it. Think about it, as people get better at a task they often do the task without much thought. This means that the written rule is not really doing much to enable their performance anymore. Often times it’s quite the opposite, as we just put rules in place without helping people know how to follow them. In some cases the workers find the way to do the work according to the rule in spite of the rule, not because of it.
  4. And then we see that calling them “controls” at all is misleading. A rule doesn’t have the ability to control anything because it is really nothing more than a “good idea” at best. It’s probably better to think of them as “influencing factors” or “guidelines.” Anyone who thinks that people can be easily controlled is obviously not a student of history or the social sciences.

None of this is meant to imply that rules and other administrative controls are not important and that they have no place in how an organization manages itself. Rather, it is to say that we cannot ignore the central role that our people have in managing risk. This is not a bad thing. In fact, given how much is reliant on people we should marvel at how effectively people manage risk, given that most of the time no accidents happen and “the trains run on time.”

So what’s our role here as leaders in the organization? Here’re a few points to consider and discuss:
  • Rules should be resources for action. This means they should enable performance, i.e., help people know what they need to do to achieve goals. Ask your workers what rules help them get their job done and which ones do they merely have to overcome to get the work done. That will give you a clue as to where your rules are adding value and where they are holding you back.
  • Have rules for your rules. We wrote a blog about this in the past, so you should check that out if you’re interested.
  • Try conducting an Appreciative Audit on a rule or procedure. This requires taking a different lens to the audit – focus on identifying and appreciating how work is actually happening in a given process without judgment. Choose one rule or procedure in your organization and trace its movement through your organization. Start where the rule was developed (and why) and work your way down to how it is implemented, taking time to review how people have adopted the rule into how practice. Is it as was intended? Why or why not? Keep in mind what David Woods says – systems work as designed, but rarely as intended. What does how the rule/procedure was implemented tell you about how your system was designed and is functioning?

* A quick note regarding risk reduction. In this blog we were a bit flippant with the idea of risk reduction. Bear in mind that risk reduction is far more complicated than we are making it. Often risks we think have been eliminated or reduced simply have been transferred to other places. That's another topic for another post though. 

Have a particularly troublesome issue with rule violations in your organization or just looking for someone to bounce ideas off of regarding your administrative controls? Contactus today!


  1. Good article.

    At best I would suggest that Administrative Controls are a form of substitution, i.e. substituting one set of potential consequences for another. This can and has proven to be effective, e.g. the use of seatbelts in vehicles became the norm as a result of aversion to a fine and penalty points rather than fear of death.

    However, Administrative Controls tend to come in layers and can rapidly become a self-generating cottage industry. We need to educate, police, audit and ultimately enforce via case management, which can become slavish and at times delivering the process becomes the goal rather than risk reduction.

    The worst cases I have seen are rules being put in place whilst it is realised that enforcement is impractical or even impossible. The purpose here seems to be to shift blame to the offender is the event they get caught out and something goes wrong resulting in an undesirable event. "you broke the rules, its your own fault!"

    Rules are no more than an attempt to influence the behaviour of those affected by them. As such the author is correct that the perception of the rule followers/breakers is key to risk reduction.

  2. when rules do influence the behaviour...then they have controlled!


Note: Only a member of this blog may post a comment.