Guidance on Risk Assessment in Ethics Applications

Risk assessment requires thinking about (and if necessary) documenting two issues:

• What are the risks which participants (and others) will typically encounter during their involvement in the proposed research?
   
• What could go wrong? These are things that might happen albeit rarely, but with potentially serious consequences. Equally there might be risks that are very likely, but with mild consequences. Predicting what could go wrong, and the probability and severity of the potential harm is difficult but can be crucial.

In both cases, non-exhaustive promptlists are given within this guidance to indicate the kind of issues involved. The definitive lists require careful consideration by all members of the research team.

The findings of risk assessments should be clearly set out in the ethics application form as well as Participant Information Sheets (PISs). Aston has a PIS template, which should be used, and there are appropriate sections where identified risks can be explained to participants. It is crucial that these are clearly presented if participants are to be able to give fully informed consent.

Risks

Risk assessment is in principle straightforward. It involves seeking to predict what might go wrong. For more details you should consult the University risk assessment guidance.

Assessment usually involves:

• Specifying activities: what is actually being done.
• Identifying the hazards: sources, situations, or human failures with a potential for harm.

What is often much more difficult is to estimate the:

• Probability/likelihood of the bad event.
• The severity of harm if the bad event occurs.
• Whether the preventive action proposed is sufficient to reduce the risk to an acceptable level.

The Risk Matrix described in ‘Complex Risks’ below may shed light on these difficulties; it is, however, vital to address fully and list the activities and hazards before using the Matrix.

Risk Promptlist

• Loss or partial loss of experimental data (which can be addressed through a Research Data Management Plan).
   
• Participant distress believing (usually wrongly) that they have performed badly in a test.
   
• Participants completing questionnaires (or answering verbal questions) in the mistaken belief that there are ‘preferred’ responses.
   
• Participants feeling the need to be counselled.
   
• Researchers being harassed/in receipt of unwanted contact from potential participants (either when personal or professional contact details are disseminated).
   
• Loss of confidentiality: during data collection, analysis, storage; persons having access; publications.
   
• Inducements to participate, eg, financial or benefits in kind, where these could be viewed as coercive.
   
• Consideration to potential adverse events which could compromise the integrity of the research/researchers.

Vulnerabilities Promptlist

There are several issues that might make the probability of an unwanted event more likely, such as:

• The presumption that ‘it has never happened before’, but it probably has. Researchers may think that inclusion of such information in published papers is undesirable or irrelevant.
   
• A greater likelihood of non-compliance with rules, notably those insisted upon by reviewers which may be perceived as over-bureaucratic by the applicants.
   
• A decision to increase the number of participants (please remember that any changes to an approved ethics application require submission of an amendment request to the relevant REC).
   
• Cultural differences, particularly in data collection overseas.
   
• Opportunism, eg, a fleeting opportunity to gather data from people ‘demonstrating’ where consent may be difficult to attain (note, you cannot begin data collection without ethics approval in place).

Complex Risks

As mentioned above, there may be occasions where it is difficult to estimate the probability/likelihood of a bad event; the severity of harm if the bad event occurs, and whether the preventive action proposed is sufficient to reduce the risk to an acceptable level.

What is an ‘acceptable’ (or tolerable) risk depends on the ‘reasonable practicability’ of the controls that may be required. A ‘high’ risk may be just acceptable if it can be shown that further preventive action is disproportionate.

Severity Rating
1	Negligible	Minor disruption to activities or a minor injury that has no long term impact (e.g. a minor fall resulting in bruising or a minor cut)
2	Minor	Minor injury or ill health. Likely to need some treatment such as first aid. No long term effects or days lost
3	Moderate	Injury or ill health requiring medical treatment. Loss of critical equipment or data. Significant disruption to operational activity. Specialist medical treatment likely to be needed, lost time likely or significant damage to buildings and infrastructure requiring remedial action.
4	Major	Loss of life, serious illness or multiple injuries requiring hospitalisation. Requires immediate cessation of activities. Major disruption to service delivery requiring a significant changes in the way things are done or a long recovery period.
5	Critical	Numerous losses of life or life threatening injuries, prolonged absence resulting from incident. Loss of access to facilities or damage requiring isolation of operational areas.

---

Likelihood Rating
1	Rare	A highly unlikely event, it would be very surprising if it happened. There would have to be a combination of unlikely events for this to happen
2	Unlikely	An unlikely event that remains a possibility in under normal circumstances (e.g. it could occur if a person was particularly inexperienced or unlucky but would usually be prevented by usual safety awareness training)
3	Possible	An event which has a reasonable chance of happening (e.g. incidents that are foreseeable and rely heavily on people wearing PPE or following instructions)
4	Likely	An event which has a high probability of occurring (e.g. it happens every few months or near misses / incidents have been reported before)
5	Almost Certain	An event which will occur or is highly likely to happen without specific action being taken (e.g. it is accepted that people will almost certainly fall over in icy weather)

 

Analysing the Level of Risk

Once we have identified potential hazards and estimated the magnitude of the risk we then need to decide whether the risks are acceptable, tolerable or unacceptable, this is called risk evaluation. We may decide that if a hazard is unlikely to cause harm and if it did the harm was minor, we would accept this level of risk as low. Consequently we may not need to take any action to prevent the hazard causing harm and we would evaluate the level of risk as acceptable.

View our Impact Risk image.

Overall Risk Rating
Risk Score	Risk Level	Risk Description	Risk Evaluation
(1 - 3)	Insignificant	Minimal levels of risk that do not require additional precautions	Acceptable / Tolerable
(4 - 6)	Low	Minor levels of risk that can be managed by general safety procedures
(7 - 10)	Moderate	Significant levels of risk which require specific actions to manage the risk. Where possible precautions should be taken to reduce risk. (Note: this is the highest residual risk level that can be authorised without escalation of approval to the Health and Safety Unit).	Tolerable
(12 - 19)	High	High levels of risk that should not proceed without very careful planning to determine precautions to reduce or manage these risks. If residual risks of the risk assessment are still high this must be referred to Health and Safety Unit for review.	Unacceptable
20+	Very High	Extreme levels of risk, such as loss of life or breach of legislation and must not be undertaken if precautions cannot be identified to reduce these risks. If risks are extreme the risk assessment must be referred to H&S Unit for review.

 

With thanks to Richard Booth for an earlier draft of this guidance.