Protecht.ERM Showcase: Manage the full lifecycle of risk management in one system
Register Now

Now that the Pandemic risk has “hatched” and we are operating in the midst of its development, it has produced a substantially changed risk profile by modifying many of our existing risks as well as adding some new risks.

An analysis and assessment of the treatment methods and controls for COVID-19 - cover

For our pre-existing risks that have been impacted, it is critical that these are reassessed in light of COVID-19 and continually monitored and reassessed on an ongoing basis as the virus develops and the world continues to change. This assessment should focus on:

  1. How the inherent risks (before considering controls) has changed. This enables us to understand where our biggest threats come from and where our treatment and controls need to be very strong.
  2. The level of residual risk considering the controls we have in place at present. This will highlight where our control framework is inadequate through either:

    • existing controls are no longer adequate for the changed risk, or
    • the change in inherent risk has opened up control gaps where we do not have any controls.

For any new risks, we first have to gain a rational understanding of them.

Once our risk assessments for changed and new risks are updated, we need to identify those risks that are outside of risk appetite. In the case of threat risks, particularly health and safety risks, our risk appetite will be determined by “As Low As Reasonably Practicable (ALARP)” or “So Far As  Reasonably Practicable” (SFARP).

We then need to consider what is the most appropriate treatment method for the risks in order to:

  1. Achieve ALARP / SFARP level
  2. Balance the costs and benefits of each control.

We will initially take a look at the COVID-19 infection risk from a personal perspective.

Fig 1. Example Bow Tie from an individual’s perspective

An analysis and assessment of the treatment methods and controls for COVID-19 - figure 1

This shows an individual’s perspective focused on the objectives of physical and mental well-being, together with some example controls.

Controls can be classified into the following three categories:

Table 1: Types of Control

Type of control

Can also be called




Based on preventing getting infected

  • Social distancing / Isolation
  • Hand-washing
  • Surface cleaning
  • Gloves
  • Masks (although of limited benefit we understand)



  • Monitoring if contact made with infected person / high risk person
  • Body temperature monitoring
  • Infection testing


Corrective, Responsive Recovery

Based on you not infecting someone else

  • Isolation
  • Hand-washing
  • Surface cleaning
  • Gloves
  • Face mask

Based on managing personal impacts

  • Medical attention
  • Income protection / Health / Life insurance


Some methodologies also recognise “Directive” controls which cover such things as policies and documented procedures.  

A look at risk treatment methods

Controls are only one of several risk treatment methods. We should also look at the others.

At Protecht we recognise seven possible responses to a risk. Three of them, methods 3, 4 and 7 below relate to controls. The seven methods are:

Table 2: Risk treatment methods

Treatment method


Examples for COVID-19

1.     Accept the risk

This will occur when the risk is within appetite and it is at the risk’s targeted / desired level. This would include where we believe the risk has been reduced to ALARP / SFARP.

All risks where we are comfortable with the current level.

2.     Process re-engineer / transform the risk

Achieved through process re-engineering in order to de-risk the process. An example would be to automate a manual process.

Working from home. This has changed the nature of risks we face, reducing the infection risk but potentially increasing other risks such as cyber.

3.     Improve controls

This is aimed at improving the effectiveness of controls to reduce the risk further. This will cover Preventive, Detective and Reactive / Corrective controls.

As in Table 1.

4.     Transfer the impact

This involves transferring some or all of the financial impact of a risk to another party. The main methods are insurance and risk sharing service level agreements and contracts. It is only useful for reducing the financial impact through such things as insurance.

This is special type of reactive control which is aimed at reducing impact.


As in Table 1. Insurance.

5.     Accept the risk outside of appetite

This involves formal acceptance of the risk when it is outside of appetite. It requires the appropriate delegated sign-off and a finite period for which the acceptance is given. 

This may be applied where the “cost” of reducing to an acceptable level is too high.


I would argue we see this being practiced by many medical staff who accept high levels of infection risk in order to help others.

6.     Avoid

This involves stopping the activity that causes the risk.

This would be total isolation from people, products and services that could cause infection. The issue is the related cost as the benefits of various activities are lost (e.g. going for a walk, shopping, helping others).

7.     Reduce controls

This involves decreasing the controls based on cost / benefit.

This may occur when the control is too costly / stops the person achieving their objectives adequately.

The most obvious again is the medical profession who may deliberately remove social distancing in order to help a patient.


In comparison to this, Work, Health and Safety methodologies use a hierarchy of treatment methods and controls being:


By National Institute for Occupational Safety and HealthPublic Domain.

  • Elimination is Avoidance
  • Substitution is Process re-engineering
  • Engineering controls are primarily Preventive controls but may also be Detective if machine driven.
  • Administrative controls can be Preventive, Detective and Reactive but involve people acting.
  • Personal Protective Equipment are Reactive controls when protecting the individual from infection but Preventive controls when used to protect the individual from being infected.

Which treatment method and control type should I use?

The decision as to which treatment methods and controls should be put in place is the key to good risk management. The factors to consider in making the decision are:

  1. What are my objectives during the COVID-19 period? Are my objectives to not get infected and not infect others or are they to provide medical assistance to infected patients and so on? 
  2. What is the expected effect on the level of risk, both the likelihood of it occurring and / or the impact if it does occur?
  3. What are the costs of risk treatment methods and controls? The cost of a treatment method is made up of four components. They are:
    1. The $ cost
    2. The time cost
    3. The impact on the objectives
    4. The additional risks created by the control.

We then have to weigh up the effect the control has on the size of risk against the total cost.  This is the decision dilemma.  Trump's recent statement "the cure cannot be worse than the problem" highlights this exact decision-making balancing act. 

Let’s apply this to the preventive control of social distancing (which also includes working from home) from both a preventive and reactive perspective and apply it from society’s, rather than an individual’s, perspective.

Society’s objectives

  • Preserve and maintain the health of our people
  • Provide an economic existence for our people
  • Provide a free and open society
  • Provide a happy environment

“Benefit” Expected impact of the social distancing control on the risk

  • Substantial reduction in infection rates and therefore reducing the likelihood of an individual being infected and reducing the number of people that will be infected. This directly reduces the death rate and any permanent health impacts.
  • Reducing the velocity of the risk so as to flatten the curve and ensure the health service has adequate capacity to manage severe patients thereby reducing the number of deaths. Read blog article: Risk Velocity: Flattening the Curve

“Cost” of the social distancing control

  • The direct $ and time cost is minimal. It requires humans to change their socialising behaviours
  • Impact on other objectives. The impact on economic existence, freedom of our people and overall happiness of the population is substantial.
  • Additional risks cause by the control. There are many additional risks arising from social distancing (including working from home). These include, as examples:
    • Negative impact on mental well-being
    • Increase risk of cyber-attack and external frauds on a decentralised network
    • Increased risk of data loss from a decentralised network

We then need to weigh up the Benefit and the Cost. Globally, governments have almost universally concluded that the benefits exceed the costs. The value we quite rightly put on life and its preservation means that the benefit for society outweighs the various costs. This is the sign of a developed and humane society. As a health and safety risk, we need to say at all times “Have we reduced the risk to As Low As Reasonably Practicable”. If we have, we should be proud of our efforts.



Related Articles

feature image
Health & Safety, Webinars, Protecht.ERM, WHS

From Static to Dynamic WHS Risk Reporting. WHS series session 10.

In this blog, David Tattam summarises his insights from the tenth live session "From Static to Dynamic WHS Risk Reporting" in the webinar series "A...
Read more
feature image
Health & Safety, Webinars, Protecht.ERM, WHS

WHS Compliance and Compliance Risk Management. WHS series session 9.

Protecht’s eleven part complimentary webinar series focusing on a comprehensive deep dive into Workplace Health and Safety (WHS), kicked off on 23...
Read more
feature image
Health & Safety, Webinars, Protecht.ERM, WHS

Controls Design and Controls Assurance for WHS. WHS series session 8.

Protecht’s eleven part complimentary webinar series focusing on a comprehensive deep dive into Workplace Health and Safety (WHS), kicked off on 23...
Read more