Beyond the lab coat

Risk assessment is more than just getting staff to wear a lab coat and safety specs, it can ensure the continuity of your business. Simon Flanagan explains

Almost everyone working in a laboratory will be familiar with the concept of risk assessment and risk management. The very nature of the laboratory environment – with the widespread use of flammable and hazardous chemicals – obliges everyone to be aware of risk. The very act of wearing a lab coat and a pair of safety specs acknowledges, albeit it tacitly, that someone, at sometime has made a risk assessment and deemed it necessary to insist on protective clothing as an absolute minimum. Moreover, most laboratories have plenty of fume cupboards, emergency showers, safe storage facilities and prominent posters offering a permanent reminder that risk and hazard (which are not the same thing) are to be taken very seriously.

What is less obvious is that all of the above mentioned safety measures are just as important in protecting the business as they are in protecting or safeguarding the individual employee. For, whilst everyone would accept that the health and safety of the workforce is paramount, it is also the case that any 'incident' could also result in the closure or disabling of facilities and render the laboratory incapable of delivering its service. This might be a temporary or permanent situation, but either case could seriously damage the business of a contract laboratory, or the business of a manufacturer, hospital or research institute in which the laboratory was located.

There are other incidents too, that have nothing to do with the use of hazardous chemicals that could present a risk to business continuity for a laboratory or its parent company. These include the kind of risk one associates with insurance – such as fire and flood – but there are also issues such as industrial dispute, breakdown of equipment, failure in the supply of necessary solvents or reagents, or challenges to the use of laboratory techniques or intellectual property.

The fact is there are business risks arising in all areas of a laboratory's function – human resources, health and safety, marketing, I.T. and so on – and none of these risks is necessarily independent of each other. For example, site security is not only about preventing theft of expensive laboratory equipment – it may also be about preventing an intruder from disturbing the integrity of a research project that has been running for months. Similarly, whilst a laboratory's approach to method development is concerned primarily with producing a reliable analytical technique, poorly designed procedures might also have implications for the safety of staff (thereby creating a health and safety or employee relations issue), or the infringement of intellectual property (creating a legal issue).

Whether one is considering a contract laboratory whose sole business is the provision of scientific services, or considering a laboratory that functions within a facility that also manufactures, teaches, etc, there is an inter-connection between all areas of risk. This means it makes sense to consider business risks jointly across the whole business rather than independently or departmentally as has usually been the case.

Risk means different things to different people. Hence many of us are happy to drive above the speed limit from time to time, ignoring the reasoned, calculated risk assessment that has been made by transport engineers. Similarly, plenty of people are happy to smoke but won't eat the 'cancer-causing' foods that have been 'exposed' by the latest sensationalist headline. So in our daily lives we juggle risk inconsistently, either through ignorance or a willingness to accept the odds even if they aren't in our favour.

A laboratory or any other business for that matter cannot afford to be quite so cavalier. It needs first to understand, and then, as far as possible, control the factors that might damage its business, giving priority to the areas of greatest risk. So whilst it might seem 'obvious' that the explosive fire is the greatest risk to business continuity that may not be true. The faulty equipment, or the incompetent technician, or the unreliable supplier might actually be a far greater risk in practice.

Of course, it is hard to assess and quantify a risk. After all, there are risks associated with everything. Even drinking pure water is risky if too much is consumed. As Paracelsus, wrote in the 16th century, "All things are poisonous and nothing is without poison, only the dose permits something not to be poisonous."

However, that does not make risk assessment a pointless exercise. There are a variety of ways in which a risk assessment might be made and recorded, but the aim should be to reach a conclusion about which matters, if left uncontrolled, would be most likely to prove most damaging to the business.

The ultimate purpose of carrying out a risk assessment is to develop a Business Continuity Plan, which also identifies roles and responsibilities for key personnel in the event of a crisis. Clearly these will differ depending on the crisis. The actions taken and people involved in responding to an I.T. issue that knocks out the LIMS will be different from those involved in response to the unavailability of a solvent. Moreover, the response may differ between different organisations. During the recent period when TMF was in short supply, many laboratories reacted by trying to find other suppliers, whilst others changed procedures and methods to use less or alternative solvents. In either case, the laboratory best placed to cope would be the one that had risk assessed a failure in supply of 'raw materials' and planned its response in advance.

It is one thing to consider the risks that are within direct control of a business, and another to consider those that are not. Modern supply chains are enormously complicated, with chemicals, glassware and equipment being sourced from many different countries, all of which may adopt different standards, not just in relation to product quality management, but also in relation to employment conditions, labour laws and business ethics.

It is appropriate therefore to question the business risks associated with suppliers, not only in terms of continuity of supply, but also in terms of quality and ethics. Even after all these years, the Bhopal disaster – a leak of methyl isocyanate (MIC) gas and other chemicals which resulted in the exposure of several thousands of people – continues to pose the question of all involved in the supply and use of industrial or laboratory chemicals, as to whether they are always produced in good, safe, environmentally acceptable conditions.

Clearly, it is not within the power of any laboratory to change the employment laws in any of the countries from which its reagents or solvents are sourced. Nor perhaps do laboratories come under the direct consumer pressure that a food company might to demonstrate that its supply chain is fair and humane. However, there may sometimes be a commercial, as well as a moral, incentive for laboratories not to ignore the working conditions of suppliers.

Even where labour standards are not an issue, there are other ways in which working with suppliers can prove to be one of the most complicated and potentially sensitive areas of risk management. The whole issue of business continuity was recently been brought into sharp focus with the air-freight disruption caused by the Icelandic volcano. Whilst a shipment of glassware from Bulgaria was not going to perish in the airport warehouse in the same way as a box of tomatoes, nonetheless, the event should have caused every laboratory to ask 'what if?' What would be the consequence of a delivery not arriving and what are the contingency plans in place to deal with that eventuality?

In traditional business models, risks have been dealt with departmentally, with no-one assuming overall control of risk management. The I.T department had its strategies. Human resources had theirs. The safety officer set his own agenda and so on.

This approach has the potential to set departments into conflict and many businesses are coming to the conclusion that it is preferable to take a broader overview of business risks and the various issues that could compromise a business going forward.

The ultimate aim is to guarantee Business Continuity by recognising – and controlling/managing where possible – all the factors that might prevent a laboratory from carrying out its business. The same questions can be asked whether the laboratory is a contract laboratory serving many clients or an in-house laboratory serving one client. In both cases there are risks that could compromise the business continuity of the laboratory, and these same risks might compromise the business of the client(s).

Of course, some of these factors are more obvious than others. Shared experience might identify less obvious issues, but it is rare for laboratory managers to admit to their mistakes inside their own company, never mind externally. However, a meeting at Leatherhead Food Research on November 25 (Planning for the Unexpected: Business Continuity Planning for Contract Labs and Internal/QC Labs) promised to do just this. Moreover, there are experienced practitioners available for consultation who can advise on risk management/business continuity strategies and their experience can be invaluable in helping a laboratory establish its own Business Continuity Plan.