
IDENTIFY RISK AND APPLY RISK MANAGEMENT PROCESSES

Tony Rizk Smart Academy

22 April 2009
Session 1:
Identify risks
Risk in an organisational setting
Risk is unavoidable and a natural part of virtually every
human situation. It is present in our daily lives, when we
are awake or asleep, and in both public and private sector
organisations.
Risk management is about being pre-emptive, rather than
reactive. Any manager should actively seek to identify
risks and determine how to prevent them from happening. This
may mean modifying current processes, practices,
thinking or systems to maximise our chances of success
while minimising the factors that may promote failure,
injury or loss.
Risk and its management
Risk can be defined as the combination of the probability
of an event and its consequences (ISO/IEC Guide 73:2002 Risk Management).
Risk management is the process of identifying potential
negative events and the development of plans to mitigate
or minimise the likelihood of the negative event occurring
and/or the consequences resulting if that event did occur.
Risk factors
Risks may include such factors as:

Occupational health and safety (including
disease)
Environmental
Product failure
Financial or economic loss/failure
Damage to property/equipment
Industrial disputes
Professional incompetence
Natural disasters
Security failure
Equipment/system failure
Breaches of privacy
Risks may need to be managed to:

Avoid creating more risk
Sort negative from positive risks
Decrease unexpected and unwanted events
Develop an operational and organisational
profile of existing risks
Decrease possible vulnerabilities
Increase preparedness for unexpected and
unwanted events
More efficiently prioritise the treatment of risks
Avoid waste, errors or defects that may result
from untreated risks
Protect people and customers from harm
Control risks
Build risk management into its culture
Risk and levels within the organisation
Risk management can occur at all levels of management
and operations. This includes:
Strategic level: spans across functions, products and services,
and customers.
Operational level: within a function, operational area, or specific
markets, customers, processes, products and services.
Team/task level: within a team, occupational, professional or
specific job role.
Risk management process
The risk management process is "the systematic application of
management policies, procedures and practices to the tasks of
communicating, establishing the context, identifying, analysing,
evaluating, treating, monitoring and reviewing risk"
(AS/NZS 4360:2004, page 5).
Risk Management Process
Establish goals and context
At this first stage establish the external
and internal risk management context in
which the overall risk management
process will take place.
Establish categories and criteria against
which risk will be evaluated and shape
later risk analysis activities. The
alignment of criteria against goals and
objectives (organisation, operational or
project) will set the scope for the risk
management process and guide how
actions at all stages of the process can
later be evaluated.
It is at this stage that a study of the
environment should occur. This will
confirm whether the risks being addressed
result from factors that are external
and/or internal to the organisation.
Identify risk
This stage is the first step in the
three steps associated with risk
assessment. At this stage
identify where, when, why and
how events could prevent,
degrade, delay or enhance the
achievement of the objectives.
It is important to specifically
classify (identify and code) risks
and confirm the source and
impact of the risk so that treatment
strategies can later be shaped
correctly.
Analyse risks
This stage is the second step in
the three steps associated with
risk assessment. At this stage
identify and evaluate existing
controls. Determine the
consequences and likelihood
and therefore the overall rating
for the level of risk. This analysis
should cover the range of
potential consequences and
how they could occur.
Evaluate risks
This stage is the fourth stage in the
risk management process and the
final step in risk assessment. At this
stage determine whether the risks
are acceptable or unacceptable.
Compare estimated levels of risk
against the pre-established risk
categories and criteria, and
consider the balance between
potential benefits and costs. The
level of risk will need to be
considered so as to determine who
has the authority to treat the risk.
Given the person's authority, the
evaluation stage will inform the
treatments required and their priorities.
Determine the treatments for the risks
Develop and implement
specific and cost-effective
options and action plans
for treating a risk. This
includes considering how to
monitor and review any
treatments.
Monitor and report on the effectiveness of risk
treatments
It is necessary to monitor the
effectiveness of all steps in the
risk management process. This
is important for both innovation
and continuous improvement.
Risks and effectiveness of
treatment measures need to be
monitored to ensure changing
circumstances or contextual
matters (e.g. goals, operating
environment, etc.) don't alter
priorities or a treatment plan.
1. Identify the context for risk management
Goals and objectives
While the structure of a team or an operational area may
vary, generally the variance is due to their purpose.
However, the purpose of the team will be established in
the organisation's vision and its goals and objectives.
Some key questions a manager will need to answer
before they start to identify risks will include:
What goals and responsibilities has the team been allocated?
How will success be measured?
What exists now and what are we supposed to be doing?
What impact does this team have on the business and stakeholders?
What deliverables are required and when?
Risk categories and criteria
The risk categories can vary from organisation to organisation.
Typically they will establish clear boundaries between different
operational aspects where a risk may impact. They may relate to:
People
Processes
Compliance
Financial
Safety
Customer satisfaction, etc.
The criteria should be the direct translation of the categories and
provide a tangible basis against which the manager can evaluate an
identified risk to determine if it requires treatment or control. Criteria
should also help to measure and monitor how risk management will
impact goals or stakeholder requirements.
Example risk categories and criteria
Consult and communicate with stakeholders
Risk communication and responses
Defining a stakeholder
Core or primary stakeholders are those who are
directly involved in the process of delivering the
outcomes being sought or will be positively or
negatively affected by the outcomes being sought.
Non-core or secondary stakeholders are those
who are indirectly involved in the process of
achieving the outcomes or may be indirectly affected
by the outcomes being sought.
Stakeholder analysis

Managers studying stakeholders should complete the
following:
Identify stakeholders
Sort and prioritise stakeholder interests
Visualise stakeholder relationships to the team/business unit
Identify each person's or group's power and influence
Identify risks
Key questions for identifying risks

This goes beyond thinking there may be a risk to actually
answer the following questions:
What can happen?
Where can it happen?
How and why could it happen? (AS/NZS 4360:2004: page 13)
Components for risk identification
The various components for the identification of a risk:
Source: That which can potentially harm or assist in causing damage to a person,
property, business etc.
Event or incident: Something that occurs which leads to the source of risk being
able to inflict harm or have an adverse effect.
Consequence: The impact or outcome due to the event taking place and its effect
on the person, property, business etc.
Cause: The how and why of the risk, for example: was design to blame, human error,
incorrect procedure, lack of training, a new competitor, insufficient knowledge?
Controls: Controls are what you put in place to manage the risk in an effective
way, whether they are policies, systems, machinery or technology.
When and where: Simply put, when the risk could occur and also where the risk
could occur. For example, in an aged care facility, slips are most likely to occur in the
kitchen after the floor has been mopped.
Identification of prospective risks
The most effective means of identifying prospective risks
can include:
Brainstorming sessions
Five Why analysis
Five W analysis
Task analysis
SWOT (strengths, weaknesses, opportunities and threats) Analysis
PEST (Political, Economic, Societal, and Technological) Analysis
Research such as conducting interviews with relevant people and/or
organisations, or forecasting environmental and market constraints
A range of standard problem solving and decision making tools and
techniques (e.g. cause and effect diagram)
SWOT analysis
PEST analysis
Documenting risk identification
According to the AS/NZS 4360:2004 standard risk
identification needs four core pieces of information:
Risk reference
Risk classification (Type)
Source of risk
Impact of risk


The Risk Management Plan
The risk management plan has five main parts:

RMP1 Contextual information
RMP2 Risk Register
RMP3 Risk Assessment
RMP4 Risk treatment plan
RMP5 Risk Action Plan
Sorting stakeholders
The two dimensions represent the extent to which the
stakeholder has:
Power to influence outcomes and the capacity to impose their will
on the image or outcomes the organisation seeks.
Interest that is real or believed: they have a legitimate need
(business or personal) to be involved.
Stakeholder commitment
Session 2:
Analyse and evaluate risks
Risk analysis
It is at the Risk Analysis stage of the risk management
process that each risk is rated, taking into account factors
that will operate to control the risk.
In consultation with stakeholders (internal and external)
the analysis of risk has to determine the answer to three
questions:
How serious are the consequences if the risk occurs?
What is the likelihood of the risk occurring?
What is the level of risk?
Determine consequences
Level  Descriptor     Example detail description
1      Insignificant  No operational impact
2      Minor          Minimal disruption to operational capability
3      Moderate       Interruptions to operations
4      Major          Loss of operational capability
5      Catastrophic   Loss of operational continuity
Determine likelihood
Level  Descriptor       Example detail description
1      Highly unlikely  May occur only in exceptional circumstances
2      Unlikely         Could occur at some time
3      Possible         Might occur at some time
4      Likely           Will probably occur in most instances
5      Very likely      Is expected to occur in most circumstances
Likelihood = probability x exposure
Estimating the level of risk
Risk = consequence x likelihood
Risk assessment matrix
Control
Control of risk relates to the treatments or plans put in
place to reduce the likelihood and/or the consequence of
a risk happening.
Existing controls may be in place and involve stakeholders.

Evaluate Risk
Determine priorities
Having completed the initial risk analysis it is now
possible to determine how each risk should be prioritised.
This involves two main actions:
Set priorities. This can be done by comparing the analysis of each
risk against the original criteria set for the risk management
exercise. The criteria confirm how each risk is impacting goals and
the operational context.
Determine if the risk is acceptable or unacceptable. This follows on
from setting priorities but here we clearly indicate if the risk is
acceptable or not. This will involve making a decision based on the
evaluation of the risk level and the benefits derived from managing
the risk versus doing nothing.
Sort risks
Acceptability   Risk level
Acceptable      Low and possibly Moderate
Not acceptable  High and Extreme
Risk acceptability and need for treatment
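The consequence and likelihood scales above, the formula Risk = consequence x likelihood, and the acceptability sort can be worked through in code. The following Python example is added here for illustration and is not part of the original presentation. The score bands for Low, Moderate, High and Extreme are an assumption, because the deck presents its risk assessment matrix as a figure without numeric boundaries; the register entries are constructed sample data, and the record fields follow the four core pieces of information named in the "Documenting risk identification" slide.

```python
from dataclasses import dataclass

# 5-point scales as given in the presentation (AS/NZS 4360:2004 style).
CONSEQUENCE = {1: "Insignificant", 2: "Minor", 3: "Moderate", 4: "Major", 5: "Catastrophic"}
LIKELIHOOD = {1: "Highly unlikely", 2: "Unlikely", 3: "Possible", 4: "Likely", 5: "Very likely"}

# ASSUMPTION: the deck shows its risk assessment matrix as a picture without
# numeric cut-offs, so these bands for consequence x likelihood are ours.
BANDS = ((16, "Extreme"), (10, "High"), (5, "Moderate"), (1, "Low"))


@dataclass
class Risk:
    """One risk register entry: the four core fields from AS/NZS 4360:2004
    plus the two ratings needed for the analysis stage."""
    reference: str       # Risk reference
    classification: str  # Risk classification (type)
    source: str          # Source of risk
    impact: str          # Impact of risk
    consequence: int     # 1..5 per CONSEQUENCE
    likelihood: int      # 1..5 per LIKELIHOOD


def risk_score(consequence: int, likelihood: int) -> int:
    """Risk = consequence x likelihood, after validating both ratings."""
    if consequence not in CONSEQUENCE:
        raise ValueError(f"consequence must be 1..5, got {consequence}")
    if likelihood not in LIKELIHOOD:
        raise ValueError(f"likelihood must be 1..5, got {likelihood}")
    return consequence * likelihood


def risk_level(score: int) -> str:
    """Map a score (1..25) onto the assumed Low/Moderate/High/Extreme bands."""
    for floor, name in BANDS:
        if score >= floor:
            return name
    raise ValueError(f"score out of range: {score}")


def is_acceptable(level: str, accept_moderate: bool = False) -> bool:
    """Acceptable: Low (and possibly Moderate); not acceptable: High and Extreme."""
    if level == "Low":
        return True
    if level == "Moderate":
        return accept_moderate
    return False


def prioritise(risks):
    """Order by score, then by consequence, so the worst outcomes are treated first."""
    return sorted(risks, key=lambda r: (-risk_score(r.consequence, r.likelihood), -r.consequence))


def assess(risks, accept_moderate=False):
    """Produce the analysis columns a register would carry for each risk."""
    rows = []
    for r in prioritise(risks):
        score = risk_score(r.consequence, r.likelihood)
        level = risk_level(score)
        rows.append({
            "reference": r.reference,
            "classification": r.classification,
            "consequence": CONSEQUENCE[r.consequence],
            "likelihood": LIKELIHOOD[r.likelihood],
            "score": score,
            "level": level,
            "acceptable": is_acceptable(level, accept_moderate),
        })
    return rows


# Constructed sample register (not from the presentation).
SAMPLE_REGISTER = [
    Risk("R-01", "Security failure", "Unpatched internet-facing server", "Loss of customer data", 4, 3),
    Risk("R-02", "Equipment/system failure", "Ageing backup generator", "Interruption to operations", 3, 2),
    Risk("R-03", "Breach of privacy", "Staff emailing unencrypted spreadsheets", "Regulatory penalty", 3, 4),
    Risk("R-04", "Occupational health and safety", "Kitchen floor wet after mopping", "Slip injury", 2, 5),
    Risk("R-05", "Financial loss", "Minor supplier price variation", "Small budget overrun", 1, 2),
]

if __name__ == "__main__":
    for row in assess(SAMPLE_REGISTER):
        print(f"{row['reference']}: {row['score']:>2} {row['level']:<9} "
              f"acceptable={row['acceptable']} ({row['classification']})")
```

The tie-break on consequence in prioritise() reflects the evaluation slide's point that the level of risk decides who has the authority to treat it: two risks with the same score are not equal when one of them threatens loss of operational capability. The accept_moderate flag captures the "possibly Moderate" wording of the acceptability table, which is a decision for the organisation's own criteria rather than a fixed rule.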
Session 3:
Treat risks
Treat risks
Risk treatment involves identifying and selecting from a
range of options, then implementing what needs to be
done to treat a risk.
A risk treatment plan should be established that will not
only establish what needs to be done and by when, but
how this approach will complement existing controls and
other risk treatments.
Risk treatment flowchart
Risk treatment options
Treatment options typically include:
Avoiding the risk
Reducing the likelihood of the risk
Changing the consequences of the risk
Transferring the risk
Retaining the risk
Inclusions in a risk treatment plan
The purpose of a treatment plan is to document and
report how the chosen options will be implemented.
According to AS/NZS 4360:2004 the treatment plans
should include:
1. proposed actions;
2. resource requirements;
3. responsibilities;
4. timing;
5. performance measures; and
6. reporting and monitoring requirements
(AS/NZS 4360:2004: page 22)
Control measures
There are two kinds of risk control strategies:
Pre-planned:
preventative strategies adopted prior to risk occurrence. For
instance a major catering operation for an airline identified that
staff were being exposed to safety hazards handling hot food
as it was transported from the oven to be packaged into the
onboard hot food catering trolleys.
Situational:
highly contextual, responsive strategies based on feedback on
day to day activities. For example, a furnace operation used
situational control strategies to reduce risk.
Session 4:
Monitor and review effectiveness of risk
treatments
Monitoring risks
Monitoring and review occurs at two levels within the risk
management process.
Firstly it occurs at the level when the implementation of a risk
treatment is monitored and reviewed. This is to ensure risk
management is both sustainable and effective.
The second level of monitoring and review needs to occur on a
continuous basis to support improvement to all five stages within
the risk management process.
Risk treatment flowchart
Monitoring and review
Use review results to improve risk treatment
Standard risk management planning templates or treatment forms will
usually include the headings:
Risk
Level of risk
Treatment
Treatment objectives
Action Plan (milestones, dates, and responsible person)
Status (progress)
Dates
To facilitate monitoring Risk Management Plans will usually include:
who has responsibility for approval, implementation and monitoring the plan
what resources are to be utilised
Resource requirements (i.e. budget allocation, full time equivalent work hours,
personnel, etc.)
Details of when to do reviews and the status of progress for each review
Examples of risk objectives for a given
category of risk
Risk category: Example of risk objective
Operations: Less than 2% of all orders received in a calendar month will be rejected
Financial impact: Costs must remain within 1% of the allocated budget
Brand protection: All licensees attend formal legal briefing on their obligations and legal ramifications of any breaches to copyright
Timing: Customer deliveries within the nation must occur within 36 hours of the order being received
Compliance: All engineers will report maintenance actions according to the CSA3224 regulatory requirements
Staff management: The person allocated the responsibility as Shot firer must be assessed and deemed competent every 12 months in the 4 core role competencies
Environment, Health and Safety: Dispatch operations seek to ensure nil injuries occur that require treatment in the next 6 months
Auditing risk
The use of an independent risk auditor can promote:
Objective review that adopted treatments resulted in what was intended
Consistency of reviews over time
Observations based on past practices and experiences elsewhere
Measurement of progress across multiple risk management plans and treatments
within the organisation
Use of independent benchmarks
Consolidated data collection and storage
Translation into action by senior managers
Recommendations for improvement to the risk management process
Compliance reports that external regulators may accept
Review of policies, procedures and processes not within the control of any one
manager
Integration of risk management across multiple organisations (e.g. in a supply chain)
Six step approach to monitor and review risk
management
Step One
Establish the Risk Management Plan actions and monitoring
requirements
Step Two
Measurement of risk control and status
Step Three
Analyse historical data
Step Four
Align risk management to strategic outcomes
Step Five
Gain commitment of employees
Step Six
Monitor and report progress
