The assessment of likelihood and consequence is mostly subjective but can be supported by data or information that is available within the organisation, audits, inspections, personal experience,
corporate knowledge, knowledge of previous events, data generated by surveys and other internal and external information.
An example of a model that can be used for assessing the likelihood of a risk is provided:
Score | Description
E Rare | Very unlikely this will ever happen (only in exceptional circumstances)
An example of the model that can be used for assessing the consequence is provided:
Area of impact – description of consequence

Score 5 – Extreme
Generic impact description: Event or circumstance with potentially disastrous impact on business or significant material adversely impacted in a key area
Supply chain: Huge loss in raw material and/or final products; Irreparable impact on relationship with suppliers and/or customers
Human: Serious harm or death; Loss of significant number of people; Staff/employee industrial action; Loss of significant number of key staff impacting on skills, knowledge & expertise
Brand reputation: Long-term damage to reputation; Sustained negative media attention; Brand or image nationally or internationally affected; Recall
Finance: Huge financial loss; Significant budget overrun with no capacity to adjust within existing budget or resources; May attract adverse findings from external regulators or auditors
Compliance: Serious breach of contract or legislation; Significant prosecution & fines likely; Potential for litigation including class actions; Suspension of certificate

Score 4 – Major
Generic impact description: Critical event or circumstance that can be endured with proper management
Supply chain: Significant loss in raw material and/or final products; Serious long-term damage to supplier and/or customer relationships
Human: Serious harm and/or recall; Threat of industrial action; Loss of some key staff resulting in skills, knowledge & expertise deficits
Brand reputation: Sustained damage to brand, image or reputation nationally or internationally; Adverse national or local media coverage
Finance: Major financial loss; Requires significant adjustment to approved or funded projects/programmes
Compliance: Major breach of contract, regulatory or statutory requirements; Expected to attract regulatory attention; Investigation, prosecution and/or major fine possible
A model (risk matrix) can be developed to combine likelihood and consequence level of risks to determine the significance of the risk.
Likelihood \ Consequence | 1 Insignificant | 2 Minor | 3 Moderate | 4 Major | 5 Extreme
B Likely (probable) | L | M | H | H | E
C Possible (occasional) | L | M | M | H | H
D Unlikely (uncommon) | L | L | M | M | H
E Rare (remote) | L | L | L | L | M
The purpose of risk evaluation is to assist with decision making as to whether a risk should be treated and the priority for the treatment. Whether a risk is acceptable or unacceptable depends on
the risk appetite. The following model can be used:
Risk | Action
Extreme | Immediate attention & response needed, risk assessment & management plan must be prepared
Medium | Determine whether current controls are adequate or if further action or treatment is needed, monitor and review locally, e.g. through regular business practices or local area meetings
Low | Manage by routine procedures, report to local managers, monitor & review locally as necessary
Risk treatment involves the selection of one or more options for modifying risks and subsequent implementation of the treatment option. Treatment options not applied to the source or root cause of a risk are likely to be ineffective and promote a false belief within the organisation that the risk is controlled.
It could be decided that specific treatment is necessary or that the risk can be adequately treated with standard management procedures and activities where it is embedded into the daily practices
or processes. It is advisable to modify existing standard practices to ensure control.
No treatment is available
Treatment costs are prohibitive (especially relevant to lower ranked risks)
The level of risk is low and does not warrant using resources to treat it
The opportunities involved significantly outweigh the threats.
The organisation must determine what the goal is in treating the risk – whether it is to avoid it completely, reduce the likelihood or consequence, transfer the risk (to someone else such as an insurer or contractor) or accept the level of risk. The type of risk treatment chosen will depend on the nature of the risk and the tolerance for that risk.
Treatment options
Avoid risk by not starting or continuing an activity
Take or increase risk to pursue an opportunity
Remove the risk source
Change the likelihood
Change the consequence
Share the risk, e.g. through insurance, contracts, financing
Retain the risk by informed decision (accept the risk)
Actively treat the risk
If the goal is to reduce the likelihood or possibility of the risk, it could require modifying the approach to the activity by identifying the causes of the threat and the links between the threat and its impact. If it is not possible to change the approach of the project or activity, it may be possible to take other intervening actions that will prevent the event from occurring or reduce the likelihood of the threat.
If the goal is to reduce the consequence or impact of the risk, contingency plans might be required to respond to a threatening event if it occurs. This planning may be performed in combination with other controls, e.g. even if steps have been taken to minimise the likelihood of the risk, it may still be worthwhile to have a plan in place to reduce the consequences if the event actually occurs.
If the goal is to share the risk, involving another party such as an insurer or contractor may help. Risk can be shared contractually, by agreement and in a variety of ways that meet all parties’ needs. Sharing the risk does not remove the obligations of the organisation if something unexpected happens.
If the goal is to eliminate or avoid the risk altogether, the options are limited to changing the project, choosing alternative approaches or processes to render the risk irrelevant or abandoning the activity. It is not often that a risk can be completely eliminated, and balance is an important part of the risk assessment exercise.
If a decision is made to accept or tolerate the risk, thought should be given to contingency planning to deal with and reduce the consequences, should they arise.
Once the treatment options have been identified, a risk treatment plan must be prepared that should include:
The reasons for selection of treatment options, including expected benefits to be gained
Those who are accountable for approving the plan
Those who are responsible for implementing the plan
Proposed actions
Resource requirements including contingencies
Performance measures and constraints
Reporting and monitoring requirements and
Timing and schedule.
Treatment plans should clearly identify the priority order in which individual risk treatments should be implemented and should be integrated with
the management processes of the organisation. They should be discussed with appropriate stakeholders. Monitoring must be an integral part of the
risk treatment plan to give assurance that the measures remain effective.
Once any options requiring authorisation for resourcing, funding or other actions have been approved, treatments should be implemented by those identified as having the responsibility to do so.
Finally, monitoring and review is part of the risk management process and responsibilities for these should be clearly defined.
Risk description | Existing controls | Likelihood score | Impact score | Level of risk | Additional controls (treatment) required | Responsibility (for additional controls) | Due date (for additional controls)