Malcolm Tullett - Lloyd-Davies Associate - Health and Safety and Risk Management

A seafaring and fire fighting background has provided Malcolm Tullett with the knowledge base to advise in the vital are of Health and Safety, here he talks to Don Phillips about gaining the experience he has, writing his book ‘Risk -IT’ and his dream of a simple system to support the scaling of making work safe for all.

Interview November 2023: Don Phillips

“Malcom, we have known each other for quite a long time and I've always regarded you as being quite a leading light in the whole risk and compliance space. How did you get into it? How did your career start and did you always want to do this?”

Vaguely, yes I suppose it all started if you read my book which is called Risk-IT, it is all about my mum and dad. Basically my mum was a matron in a hospital and she had a really good way of dealing with her staff and it was all about love and care and basically making sure that she treated her staff as if they were part of her extended family. She had that paid back in bucket loads. I saw her at work.

I then joined the Merchant Navy. I basically studied as part of my job, cadet navigating officers role, safety of life at sea, which is called SOLAS which some people might know SOLAS was my first technical introduction to health and safety, but obviously it was about seamanship skills, keeping the ship afloat at all costs! After that I joined the London Fire Brigade.

“Why the switch out of interest?”

I went to college and found that I was repeating everything I'd actually learned at Naval college. So I asked the commandant if I could switch to a sandwich course, which was the lower HNC course, just so that I could go to sea. That didn't go down very well because first of all I was downgrading my qualification and secondly I was mucking about the company which was Cunard. So basically they got their own back on me and flew me out to Durban to pick up a refrigerated cargo ship as opposed to a cruise liner, which is what I had intended to end up on. We sailed back to Southampton. It was extremely boring, not what I'd expected, and I jacked it in a fit of pique.  So not a good story but that's the truth. At which point I was looking around for something similar.

I toyed with joining the merch at the Royal Navy. At that stage I was accepted, but I'd also put in applications for the police and the fire service. I actually got accepted for all three, which was a bit of a dilemma.I decided not to go into the police force because they wouldn't let me ride motorbikes from scratch and I wanted to be a police biker. I had to wait at least two to three years to do that. So I thought now maybe I'd sit on the back of a fire engine with a few muckers, squirt water about and rescue fair damsels in distress, which is what I ended up doing and loved every minute of it. It was better than going to work for a living.

I rose to the ranks quite rapidly and ended up in fire safety, in health and safety eventually. Sadly, I was put on an incident investigation course to investigate the fatalities of two firefighters in the East End of London and was seconded to the Health and Safety Executive, a group called the Special Interest Group. I learned one hell of a lot at that point and developed or further developed my interest in health and safety.

So when I retired on medical grounds in 1993 I started off by becoming a Senior Lecturer at Southwark College first and then the University of Middlesex, for Occupational Safety and basically I turned that technical academic couple of years into starting a new company.

I was freelancing initially and then in 1997 I started what was the forerunner of Risk and Safety Plus, which was a company called Integrated Risk Management. We joined forces with another organisation,called Risk Interventions, in 2008. Combined the two together to form Risk and Safety Plus Limited and there I am now.

“You've always had a vision of what risk and safety management could be globally. My question is we've got thousands of standards or what feels like thousands of standards in this space, but we still seem to be doing it in a very individual way. Is this view fair?

It's more than fair. It's totally accurate, which is again all in my book called Risk It!  

The idea of Risk IT is to extract from all those thousands of standards around the world (there's over 600 pieces of legislation in the UK that have something to do with health and safety.) but they all say the same thing Effectively I've boiled it down to what are the common factors and there aren't that many. Overall it comes back to my mum, would you believe? It's all about this thing called the duty of care. Now most organisations understand there is such a beast. The Beast is effectively care, not

the duty of’

The trouble with that phrase ‘the duty of’ is it's always a post event that is brought into effect. So what happens is someone has breached their duty of care. Therefore there's either a civil case to claim compensation or a criminal case to either put them inside or fine them, or some other form of enforcement mechanism. If you impose a duty on someone, what people tend to do is create a tick list or a tick box and tick the boxes of care to prove or provide evidence that care has been undertaken. But it doesn't mean that they've actually cared at all.

The book is all about throwing that idea away and saying, look, if we actually just care, and when I say care, I mean love your fellow worker as you would do your other family members. Then basically they will respond with loyalty and commitment.

Tick boxes don't work in terms of health and safety, it definitely doesn't work, especially if things like piece work. You crowd people to do a lot of work in a short amount of time and things will go wrong. Especially in the high risk industries like construction and manufacturing, you push people to work quickly or to work too hard. They will have an accident. I've seen it happen in reality

“How do you get the balance right between forcing business owners to comply with the law as well as being compassionate in their management? What lessons have you learned through balancing that Malcolm?”

I have a very Machiavellian approach to things, as you know, and the way Machiavelli went about these things was what is the advantage to the person you're talking to to achieve the desired output? The advantage to most entrepreneurs is money. So the way we sell it to them is actually health and safety isn't just good sense, it's profitable as well. That is where they tend to open their eyes. And when you say to an entrepreneur who's fixated on performance and productivity, my response to that is, if you think health and safety is expensive, try having an accident.

That's when it really becomes expensive. And unfortunately you can't undo it at that point. So actually putting in safe management practises into place up front. You are saving yourself a whole heap of toil, heartache and other people's hurt.

“I think if I put it to an entrepreneur starting out in life, who is probably more focused on establishing whatever it is that they've created without necessarily thinking about the operational consequences, is your argument that they should just pay attention earlier? How do you sell it to an entrepreneur that's really focused on "can I survive” as a business first?”

Can I answer that in a slightly different way? I normally have the people that come to me come to me for one of four reasons. Unfortunately the ones that come to me on the basis of whether this is a good idea or not are few and far between. Probably 10% The people that come to me on the basis “I think this health and safety issue is a good idea should I put it into practise and can you help me do it before I start to get too big and unwieldy and I'll have to rejig all of my practises that I obviously didn't know anything about when I first started?” Brilliant client. They're absolutely fine because you start with a clean sheet of paper.

So in direct answer to your question, whether it's making widgets or cutting holes in the floor or digging holes in the ground or whatever it is, just do it safely. So that word safely just gets tacked on to the end of what they're doing. So they don't do anything different. They just make sure they do it safely. And yes, I can help them with what that means, because it's dynamic risk assessments that not many people get involved in.  But very quickly I'll mention the other three as well. I call them push, pull and squeeze and enquiries split 30%/30%/30% 

Push is the one clients really don't want. That's where they've had a visit from the enforcement officer because they've had an incident or that they've been whistle blown or there's been an alleged risk of some description from a member of the public. The enforcing officer turns up, walks around and issues them with a notice. God forbid they prosecute them. God forbid someone died. And then they turn up with the police. Then you actually look at corporate manslaughter or corporate homicide. That's the absolutely last thing you want. So people come to me in a frantic state saying I've just received a notice. Can you help? Of course you can. But, it would have been so much easier to have done it right in the first place. 

Pull is where big companies like the ones you and I have worked for previously won't engage with a smaller company unless they go through their supply chain hoops. These supply chain hoops end up on an approved suppliers list. To get onto an approved suppliers list they have to prove that they are a competent organisation employing competent people that are aware of and implement good health and safety practises. At which point a lot of the smaller companies fall down. They can't get on the approved suppliers list. Third party accreditation is the same thing. If someone wants to get an approval by one of the big third party accreditation companies, they also have to jump through their hoops as well. They don't get work unless they can prove their health and safety credentials. 

The final one is a squeeze that is placed on organisations by the insurance companies. When an insurance assessor turns up to ascertain whether or not they are paying the right premium, which is what it's all about for their insurance cover. The insurance assessor can turn around and say we're not going to insure you because you're uninsurable. When that happens, they'll never get insured because Lloyd's brokers work on the basis of personal contact and they all sit in the same room across the desks from each other. They say I've just turned someone down and everybody else hears that and they'll also turn them down. So at which point the only way to carry on is to operate illegally, which is obviously also fraught with danger. Alternatively, they say we will insure you, but the risk is greater than we thought. We're going to double or triple your premium. 

“Changing tack slightly, In the time I've known you, you're really majoring in saying I'm a health and safety consultant. There are many other standards you could be aligning yourself to. Why have you aligned yourself to health and safety?”

Well, when we talk about the difference between standards and codes and the legislative branch, There's the phrase that's out there at the present moment is compliance. There's a lot of compliance specialists. But a compliance specialist doesn't necessarily operate under the auspices of a statutory requirement. Codes of practice are sometimes design codes. Of course they've got health and safety embedded in them, but to actually have the authority to do what I do, um, you need to be qualified or you need to be competent and the entrepreneur or employer that's engaging you has to be confident that you can carry out the task that you're carrying out. 

 The statutory side of it is where I get my credibility from. It's not just health and safety, it's fire safety as well. Bearing in mind my background is fire engineering, I'm actually first and foremost a fire engineer. Fire is just but one risk that's addressed under the health and safety legislation. It has its own group of legislative standards, It's just another risk. It's just the most devastating. If you fall off a ladder, it normally only applies to one person unless you fall onto someone else. If you have a fire, it affects everybody in that building, and it can kill everybody in that building. You're not just going to necessarily break a leg. You could die quite easily!. But it's generally one person at a time. 

So that's effectively why I say I am a fire and occupational safety specialist. 

In addition I need to know about quality standards, which again is not statutory. Environmental standards aren't necessarily statutory, unless you are a major polluting industry then they do become statutory. Food hygiene is another statutory requirement which we get involved in. The construction industry has its own separate set of standards. I also carry out what's called Principal Designer Work under the Construction Design and Management Regulations.

I have a number of other business related and project management skills.. Project management is key to what I do. As a principal designer, I'm heavily involved in the sequencing of work to make sure that tradespeople don't step over each other to make sure it's not rear end loaded, which a lot of construction projects are. They're all rushing to a deadline so everything gets squeezed at the end of the project as opposed to being front end loaded in some IT projects, so it squeezes the opportunity to have an accident into a very short time scale. If I look at a Gantt chart and it is anywhere near vertical, it sends out an immediate message to me that this is a problem. 

“A slightly random question, but relates to what I regard as a modern age thing, is everybody and every company is virtue signalling with ESG. Do you think that's an extension of and another way of presenting fire and occupational safety?” 

If you remember not that long ago we had this thing called corporate social responsibility. Well, it's the same thing. Large organisations have to please their stakeholders. I'm not just talking about shareholders and board members, I'm talking about including their clients and their supply chain, especially if they work on government contracts. Larger organisations are doing their utmost to put themselves into a favourable position with their stakeholders, including their clients.

“Can we come back to your comment on dynamic risk assessment as I think risk assessment should be a core management skill, how do you view risk assessment and mitigation?”

This is an inherent core value for me. When we get up in the morning and open our eyes, we start assessing risk. If you've got children and you've got stairs in your house, you're going to look at the top of the stairs, see if there's toys at the top so you don't want to fall down the stairs. Everything is intuitive. It's the way human life has survived. We wouldn't be here on the planet today if we couldn't do risk assessment.

I'll have a training course and I say to the group, how many risk assessments have you done today They'll say I did one this morning and I did three in the week. That's nonsense. I say to everybody, did you drive here this morning? How many risk assessments did you do in the car? You're looking around you all the time. You know what's about? Otherwise you'd have an accident as soon as you got in the car. Then all of a sudden they get it. Then you explain the different types of risk assessment. But before you even get into the types of risk assessment, you have to analyse what the purpose of the risk assessment is.

The types of risk assessment are threefold. Most organisations know only about two of them. At a corporate level you have what's called a generic risk assessment. each company will operate their processes in a particular way. The next level down is departmental, so middle managers. The first one is undertaken on behalf of directors. The board of directors should have a list of all of their generic risks and a risk register and regularly review their risk register. A very generic risk assessment.  We create safe operating procedures that we adopt. To make sure that generally across the board all of our workforce work the same way and control risk in the same way. 

There's a generic risk assessment. Most organisations know about them and the majority of them only ever use generic risk assessments and do not go to the next level, which is specific risk assessments.

In different circumstances, that generic risk assessment might not be appropriate. So if you employed someone who was disabled, for instance, they might not be able to climb a ladder. So you'd have to do a risk assessment to say that this person cannot climb a ladder and therefore will not be involved in climbing ladders. That would be a person specific risk assessment. It might be that they can climb a ladder with his prosthetic on, but he should never work alone. 

But you get a person specific risk assessment, you get a site specific risk assessment. So on this particular site we can't pitch a ladder. You know the normal 35°. We'd have to pitch it at 45°, simply to get across a waterway or something like that. Which means we have to provide extra props to the ladder, which means we have to have extra people footing the ladder, and which means we have to have the thing properly tied in at the other side. So it would be a different end result.

Same thing, still climbing a ladder, but you're climbing a ladder in a different way at that location. Probably half of the companies I've come across have got a full suite of specific sites, specific people, specific activities, risk assessments, but not all of them.

We go through a tool, it doesn't take long, online. I do it online with the workers, explain to them what dynamic risk assessment is, and the fact that they have delegated authority from the managing director, chief executive to undertake this. What they have to do is keep in touch with everybody else. So all you have to do is keep in touch with the rest of the workforce to say I'm just about to enter into the dynamic risk assessment phase. I'm doing something slightly different. I have considered this, this and this. I have put in place this as an extra fall back position and I'm going to do this after the event and I will let you know how it goes.

Now that's all documented on our chat. Brilliant because you're only talking to it. You can do it all by verbal messaging. Alright, you then carry out the role with the measures that you say you've put into place. When you've done the role safely successfully, you give feedback to the group to say that it worked.  It also has the benefit of continuous improvement.

“Sometimes, talking to you, it can sound onerous. In terms of your business, do you have many small companies that make use of your services?” 

Absolutely, I have clients who have turned doing this into a service and making money out of it as a result. Implementing dynamic risk assessment demonstrates the caring ethos of the company.

“Interesting,  we've talked over the years of creating platforms that actually allow people to collaborate in Risk management. Why have we not achieved platforms that really helped us start solving this? Is it the sheer perceived complexity?”

It's probably a good final question, it brings us back again to the point of the book. The reason I wrote the book is because people, not just directors or entrepreneurs, but people perceive health and safety to get in the way it stops them doing things. A cost item that never gets recovered. 

Yet the reverse of that is without it, we could be dead! 

So the purpose of the book was to take thousands of guidance documents, thousands of different perceptions of what is reasonable, the actual subject itself is enormous going all the way back to early case law.  But the whole subject is about ‘the duty of care’. 

All competent people need to be kept safe, which is they have to be knowledgeable about their subject, experienced in their subject, and have the personal attributes and professionalism, including integrity to carry out the role, and be properly trained. 

Once you've got your competent staff, the employer needs to provide them with information, instruction, training and supervision, up front. The one that's missing most of the time is supervision.

So the system has got to have the right information in it. It's got to have sufficient levels of training in it, some of which can be online training courses. If you're about to do a job and you haven't been trained, here is the little snippet of information that you can use. 

  • You're helping them  work towards competence. 
  • You can know what knowledge base they've got. 
  • You can actually do a training matrix,
  • You can do a skills matrix, 
  • Have they got the right levels of knowledge for that particular job? 
  • What experience have they got? Have they got the right experience?
  • Have they been properly trained in advance of doing the job

Going all the way back to when we first started doing this about the London Underground map. The London Underground map is a complex structure. You can't get a lot more complex than an underground system and network of interconnecting train lines and trains running along them with all the signals. 

When you sit on the train and just look at the map, it's really easy.  I want to go from there to there. I need the north line to get there and then I'll pick up the central line to get there.

That to me is how the system should operate. So the person at the top should be able to see the overview map. The people in the middle only need to see the train line that they're responsible for and the worker just needs to see the station.

“You make it sound so easy to do, do you think we are on the way”



Innovation Time

Book an initial 30-minute conversation with a Lloyd-Davies Associate

Select a time