
TREATMENT

The assessment of likelihood and consequence is mostly subjective but can be supported by data or information that is available within the organisation, audits, inspections, personal experience,
corporate knowledge, knowledge of previous events, data generated by surveys and other internal and external information.

Assess the likelihood

An example of a model that can be used for assessing the likelihood of a risk is provided:

| Score | Likelihood | Description |
|---|---|---|
| A | Almost certain | Highly likely to happen, possibly frequently |
| B | Likely | Will probably happen, but not a persistent issue |
| C | Possible | May happen occasionally and in foreseeable future |
| D | Unlikely | Not expected to happen, but is a possibility |
| E | Rare | Very unlikely this will ever happen (only in exceptional circumstances) |

Assess the severity of the consequence

An example of the model that can be used for assessing the consequence is provided:

Area of impact – description of consequence (columns Supply chain to Compliance):

| Score | Generic impact description | Supply chain | Human | Brand reputation | Finance | Compliance |
|---|---|---|---|---|---|---|
| 5 Extreme | Event or circumstance with potentially disastrous impact on business or significant material adversely impacted in a key area | Huge loss in raw material and/or final products; Irreparable impact on relationship with suppliers and/or customers | Serious harm or death; Loss of significant number of people; Staff/employee industrial action; Loss of significant number of key staff impacting on skills, knowledge & expertise | Long-term damage to reputation; Sustained negative media attention; Brand or image nationally or internationally affected; Recall | Huge financial loss; Significant budget overrun with no capacity to adjust within existing budget or resources; May attract adverse findings from external regulators or auditors | Serious breach of contract or legislation; Significant prosecution & fines likely; Potential for litigation including class actions; Suspension of certificate |
| 4 Major | Critical event or circumstance that can be endured with proper management | Significant loss in raw material and/or final products; Serious long-term damage to supplier and/or customer relationships | Serious harm and/or recall; Threat of industrial action; Loss of some key staff resulting in skills, knowledge & expertise deficits | Sustained damage to brand, image or reputation nationally or internationally; Adverse national or local media coverage | Major financial loss; Requires significant adjustment to approved or funded projects/programmes | Major breach of contract, regulatory or statutory requirements; Expected to attract regulatory attention; Investigation, prosecution and/or major fine possible |
| 3 Moderate | Significant event or circumstance that can be managed under normal circumstances | Significant loss or reduction of raw material or final product; Significant but short-term damage to supplier and/or customer relationships | Potential recall; Severe staff morale issues or increase in workforce absenteeism; Short-term loss of skills, knowledge & expertise; Employee dissatisfaction | Significant but short-term damage to reputation; Stakeholder concerns; Sustained or prominent local media coverage | Significant financial loss; Impact may be reduced by reallocating resources | Significant breach of contract, regulatory or statutory requirements; Potential for regulatory action or suspension of certificate |
| 2 Minor | Event with consequences that can be readily absorbed but requires management effort to minimise the impact | Moderate reduction in raw material and/or final products | Health implications; Potential for liability claims; Some loss of staff members with tolerable loss; Dialogue required with industrial groups | Some short-term negative media coverage; Concerns raised by stakeholders | Some financial loss; Requires monitoring & possible corrective action within existing resources | Minor non-compliances or breaches of contract, regulatory or statutory requirements; May result in infringement notice |
| 1 Insignificant | Some loss, but not material; existing controls and procedures should be able to cope with event or circumstance | Minor reduction in raw material and/or final product | Complaint without minor health implication; Negligible skills or knowledge loss; Dialogue with industrial groups may be required | Minor damage to brand, image or reputation | Unlikely to impact on the budget | Unlikely to result in adverse regulatory response or action |

Rate the risk level

A model (risk matrix) can be developed to combine likelihood and consequence level of risks to determine the significance of the risk.

| Likelihood / Consequence | 1 Insignificant | 2 Minor | 3 Moderate | 4 Major | 5 Extreme |
|---|---|---|---|---|---|
| A Almost certain (frequent) | M | M | H | E | E |
| B Likely (probable) | L | M | H | H | E |
| C Possible (occasional) | L | M | M | H | H |
| D Unlikely (uncommon) | L | L | M | M | H |
| E Rare (remote) | L | L | L | L | M |

Step 2.3: Risk evaluation

The purpose of risk evaluation is to assist with decision making as to whether a risk should be treated and the priority for the treatment. Whether a risk is acceptable or unacceptable depends on
the risk appetite. The following model can be used:

| Risk | Action |
|---|---|
| Extreme | Immediate attention & response needed, risk assessment & management plan must be prepared |
| High | Risk to be given appropriate attention & demonstrably managed |
| Medium | Determine whether current controls are adequate or if further action or treatment is needed, monitor and review locally, e.g. through regular business practices or local area meetings |
| Low | Manage by routine procedures, report to local managers, monitor & review locally as necessary |

Step 3: Risk treatment

Risk treatment involves the selection of one or more options for modifying risks and subsequent implementation of the treatment option. Treatment options not applied to the source or root cause
of a risk are likely to be ineffective and promote a false belief within the organisation that the risk is controlled.

It could be decided that specific treatment is necessary or that the risk can be adequately treated with standard management procedures and activities where it is embedded into the daily practices
or processes. It is advisable to modify existing standard practices to ensure control.

A risk may be acceptable or tolerable in the following circumstances:

No treatment is available
Treatment costs are prohibitive (especially relevant to lower ranked risks)
The level of risk is low and does not warrant using resources to treat it
The opportunities involved significantly outweigh the threats.

The organisation must determine what the goal is in treating the risk – whether it is to avoid it completely, reduce the likelihood or consequence, transfer the risk (to someone else such as an insurer or contractor) or accept the level of risk. The type of risk treatment chosen will depend on the nature of the risk and the tolerance for that risk.

Treatment options

Avoid risk by not starting or continuing an activity
Take or increase risk to pursue an opportunity
Remove the risk source
Change the likelihood
Change the consequence
Share the risk, e.g. through insurance, contracts, financing
Retain the risk by informed decision (accept the risk)
Actively treat the risk

If the goal is to reduce the likelihood or possibility of the risk, it could require modifying the approach to the activity by identifying the causes of the threat and the links between the threat and its impact. If it is not possible to change the approach of the project or activity, it may be possible to take other intervening actions that will mitigate the event from occurring or reduce the likelihood of the threat.

If the goal is to reduce the consequence or impact of the risk, contingency plans might be required to respond to a threatening event if it occurs. This planning may be performed in combination with other controls, e.g. even if steps have been taken to minimise the likelihood of the risk, it may still be worthwhile to have a plan in place to reduce the consequences if the event actually occurs.

If the goal is to share the risk, involving another party such as an insurer or contractor may help. Risk can be shared contractually, by agreement and in a variety of ways that meet all parties’ needs. Sharing the risk does not remove the obligations of the organisation if something unexpected happens.

If the goal is to eliminate or avoid the risk altogether, the options are limited to changing the project, choosing alternative approaches or processes to render the risk irrelevant or
abandoning the activity. It is not often that a risk can be completely eliminated, and balance is an important part of the risk assessment exercise.

If a decision is made to accept or tolerate the risk, thought should be given to contingency planning to deal with and reduce the consequences, should they arise.

Once the treatment options have been identified, a risk treatment plan must be prepared that should include:

The reasons for selection of treatment options, including expected benefits to be gained
Those who are accountable for approving the plan
Those who are responsible for implementing the plan
Proposed actions
Resource requirements including contingencies
Performance measures and constraints
Reporting and monitoring requirements and
Timing and schedule.

Treatment plans should clearly identify the priority order in which individual risk treatments should be implemented and should be integrated with
the management processes of the organisation. They should be discussed with appropriate stakeholders. Monitoring must be an integral part of the
risk treatment plan to give assurance that the measures remain effective.

Once any options requiring authorisation for resourcing, funding or other actions have been approved, treatments should be implemented by those identified as having the responsibility to do so.
Finally, monitoring and review is part of the risk management process and responsibilities for these should be clearly defined.

4.1.4 Risk-based thinking…in conclusion

• Is not something new
• Is something that is done by organisations already
• Is an ongoing process
• Ensures greater knowledge of risks and improves preparedness
• Increases the probability of reaching objectives
• Reduces the probability of negative results
• Makes prevention a habit
• Risk-based thinking is not restricted to management – it must become an integral part of the organisational culture

The following template can be used to summarise risks in the business:

| Risk description | Existing controls | Likelihood score | Impact score | Level of risk | Additional controls (treatment) required | Responsibility (for additional controls) | Due date (for additional controls) |
|---|---|---|---|---|---|---|---|
