BSBRSK501 Risk Management LG

BSBRSK501
Manage risk
Learner Guide
Page |2
BSBRSK501
Manage risk
SBTA BSBRSK501 Learner Guide version 1 16 June 2015

Page |3
Table of Contents
Table of Contents...................................................................................................................................3
Unit of Competency............................................................................................................................5
Performance Criteria...........................................................................................................................6
Foundation Skills.................................................................................................................................7
Assessment Requirements..................................................................................................................8
Housekeeping items................................................................................................................................9
Objectives...............................................................................................................................................9
1. Establish risk context.......................................................................................................................10
1.1 – Review organisational processes, procedures and requirements for undertaking risk
management in accordance with current risk management standards in accordance with current risk
management standards........................................................................................................................11
The legislative framework.................................................................................................................13
The Act..............................................................................................................................................13
Regulations.......................................................................................................................................14
Codes of practice...............................................................................................................................14
Standards Australia...........................................................................................................................15
Legislation.........................................................................................................................................16
Learning Task 1..................................................................................................................................21
1.2 – Determine scope for risk management process...........................................................................22
Define the scope...............................................................................................................................24
Learning Task 2..................................................................................................................................28
1.3 – Identify internal and external stakeholders and their issues........................................................33
Learning Task 3..................................................................................................................................36
1.4 – Review political, economic, social, legal, technological and policy context..............................38
The economic system........................................................................................................................39
The social system..............................................................................................................................40
The political/legal system..................................................................................................................40
The technological system..................................................................................................................43
The policy context.............................................................................................................................44
Learning Task 4..................................................................................................................................45

Page |4
1.5 – Review strengths and weaknesses of existing arrangements...................................................47

Learning Task 5..................................................................................................................................50
1.6 – Document critical success factors, goals or objectives for area included in scope.......................52
1.7 – Obtain support for risk management activities............................................................................54
1.8 – Communicate with relevant parties about the risk management process and invite participation
..............................................................................................................................................................56
Learning Task 6..................................................................................................................................57
2.1 – Invite relevant parties to assist in the identification of risks........................................................59
2.2 – Research risks that may apply to scope........................................................................................61
2.3 – Use tools and techniques to generate a list of risks that apply to the scope, in consultation with
relevant parties.....................................................................................................................................65
Learning Task 7..................................................................................................................................72
3. Analyse risks..................................................................................................................................75
3.1 – Assess likelihood of risks occurring...............................................................................................76
3.2 – Assess impact or consequence if risks occur.................................................................................79
3.3 – Evaluate and prioritise risks for treatment...................................................................................81
Learning Task 8..................................................................................................................................87
4. Select and implement treatments.................................................................................................92
4.1 – Determine and select most appropriate options for treating risks...............................................93
Learning Task 9..................................................................................................................................98
4.2 – Develop an action plan for implementing risk treatment.......................................................100
4.3 – Communicate risk management processes to relevant parties..................................................103
Learning Task 10..............................................................................................................................107
4.4 – Ensure all documentation is in order and appropriately stored.............................................108
Learning Task 11..............................................................................................................................111
4.5 – Implement and monitor action plan...........................................................................................112
Learning Task 12..............................................................................................................................114
4.6 – Evaluate risk management process............................................................................................115
Learning Task 13..............................................................................................................................117
References..........................................................................................................................................119

Page |5
Unit of Competency
Application
This unit describes skills and knowledge required to manage risks in a range of contexts across an
organisation or for a specific business unit or area in any industry setting.
It applies to individuals who are working in positions of authority and are approved to implement
change across the organisation, business unit, program or project area. They may or may not have
responsibility for directly supervising others.
No licensing, legislative or certification requirements apply to this unit at the time of publication.
Unit Sector
Regulation, Licensing and Risk Management

Page |6
Performance Criteria
Element Performance Criteria
Elements describe the Performance criteria describe the performance needed to
essential outcomes. demonstrate achievement of the element.
1. Establish risk context 1.1 Review organisational processes, procedures and

requirements for undertaking risk management in
accordance with current risk management standards
1.2 Determine scope for risk management process
1.3 Identify internal and external stakeholders and their issues
1.4 Review political, economic, social, legal, technological and
policy context
1.5 Review strengths and weaknesses of existing arrangements
1.6 Document critical success factors, goals or objectives for
area included in scope
1.7 Obtain support for risk management activities
1.8 Communicate with relevant parties about the risk
management process and invite participation
2. Identify risk 2.1 Invite relevant parties to assist in the identification of risks
2.2 Research risks that may apply to scope
2.3 Use tools and techniques to generate a list of risks that apply
to the scope, in consultation with relevant parties
3. Analyse risk 3.1 Assess likelihood of risks occurring

3.2 Assess impact or consequence if risks occur
3.3 Evaluate and prioritise risks for treatment
4. Select and implement 4.1 Determine and select most appropriate options for treating
treatments risks
4.2 Develop an action plan for implementing risk treatment
4.3 Communicate risk management processes to relevant
parties
4.4 Ensure all documentation is in order and appropriately
stored
4.5 Implement and monitor action plan
4.6 Evaluate risk management process

Page |7
Foundation Skills
This section describes language, literacy, numeracy and employment skills incorporated in the
performance criteria that are required for competent performance.
Skill Performance Description

Criteria
Reading 1.1, 1.4, 1.5, 2.2  Comprehends a variety of relatively complex texts
 Gathers, interprets and analyses textual
information from a range of sources to identify
relevant information
Writing 1.6, 1.8, 2.1, 2.3, 4.3  Develops textual material and organises content
in a manner that effectively documents risk
management analysis and assessment priorities
and processes
Oral 1.8, 2.1, 2.3, 4.3  Participates in interactions with stakeholders

Communication using questioning and listening to elicit opinions,
and to confirm and clarify understanding
Numeracy 2.2  Uses numerical tools to assess risk and uses

numerical data to review plans
Navigate the 1.1, 2.1, 4.3  Refers to organisational processes, procedures

world of work and requirements when making decisions about
risk management
Interact with 1.8, 2.1, 2.3, 4.3  Establishes and uses appropriate conventions and
others protocols when communicating with stakeholders
about risk management
 Consults and negotiates with stakeholders about
risk management processes and outcomes
Get the work 1.2, 1.3, 1.5, 1.7, 2.1, 2.2, 2.3,  Sequences and schedules a range of routine and
done 3.1, 3.2, 3.3, 4.1, 4.2, 4.4, 4.5, complex activities, monitors implementation,
4.6 evaluates processes and manages relevant
communication
 Systematically analyses information to decide on
appropriate risk management treatments
 Uses digital technologies and systems to access
information, document plans and communicate
with others

Page |8
Assessment Requirements
Performance Evidence
Evidence of the ability to:
 Analyse information from a range of sources to identify the scope and context of the risk
management process including:
o Stakeholder analysis
o Political, economic, social, legal, technological and policy context
o Current arrangements
o Objectives and critical success factors for the area included in scope
o Risks that may apply to scope
 Consult and communicate with relevant stakeholders to identify and assess risks, determine
appropriate risk treatment actions and priorities and explain the risk management processes
 Develop and implement an action plan to treat risks
 Monitor and evaluate the action plan and risk management process
 Maintain documentation.
Note: If a specific volume or frequency is not stated, then evidence must be provided at least once.
Knowledge Evidence
To complete the unit requirements safely and effectively, the individual must:
 Outline the purpose and key elements of current risk management standards
 Outline the legislative and regulatory context of the organisation in relation to risk management
 Outline organisational policies, procedures and processes for risk management.
Assessment Conditions
Assessment must be conducted in a safe environment where evidence gathered demonstrates

consistent performance of typical activities experienced in the regulation, licensing and risk - risk
management field of work and include access to:
 Relevant legislation, regulations, standards and codes

 Relevant workplace documentation and resources
 Case studies and, where possible, real situations
 Interaction with others.
Assessors must satisfy NVR/AQTF assessor requirements.
Links
Companion volumes available from the IBSA website: http://www.ibsa.org.au/companion_volumes -

http://www.ibsa.org.au/companion_volumes Housekeeping Items

Page |9
Housekeeping items
Your trainer will inform you of the following:
 Where the toilets and fire exits are located, what the emergency procedures are and
where the breakout and refreshment areas are.
 Any rules, for example asking that all mobile phones are set to silent and of any
security issues they need to be aware of.
 What times the breaks will be held and what the smoking policy is.
 That this is an interactive course and you should ask questions.
 That to get the most out of this workshop, we must all work together, listen to each
other, explore new ideas, and make mistakes. After all, that’s how we learn.
 Ground rules for participation:
o Smile
o Support and encourage other participants
o When someone is contributing everyone else is quiet
o Be patient with others who may not be grasping the ideas
o Be on time
o Focus discussion on the topic
o Speak to the trainer if you have any concerns
Objectives
 Discover how to establish risk context
 Know how to identify risk
 Learn how to analyse risk
 Understand how to select and implement treatments
 Gain skills and knowledge required for this unit

P a g e | 10
1. Establish risk context

1.1 Review organisational processes, procedures and requirements for undertaking risk
management in accordance with current risk management standards
1.2 Determine scope for risk management process
1.3 Identify internal and external stakeholders and their issues
1.4 Review political, economic, social, legal, technological and policy context
1.5 Review strengths and weaknesses of existing arrangements
1.6 Document critical success factors, goals or objectives for area included in scope
1.7 Obtain support for risk management activities
1.8 Communicate with relevant parties about the risk management process and invite
participation

P a g e | 11
1.1 – Review organisational processes, procedures and requirements for

undertaking risk management in accordance with current risk management
standards in accordance with current risk management standards
The AS/NZS1 4360:2004 has been replaced with ISO 2 31000: 2009, Risk Management Principles and
Guidelines. Risk management involves the ability for organisations to obtain a balance between realising
opportunities for gains while minimising losses. Essential to good management practices, risk
management is also an important element in the element of corporate governance.
Building on AS/NZS 4360:2004, ISO 31000 aims to improve and advance

risk management practices within an organisation, to the point that it can
be utilised by the organisation to benchmark and evaluate the
organisation’s practices.
Risk is defined by ISO 31000 as “effect of uncertainty on objectives” which

is in alignment with AS/NZS 4360:2004 “the chance of something
happening that will impact on objectives.” Hazards are defined as “things
that go wrong”. The ISO 31000 standard has now been implemented;
however, we shall now reflect on the path that it has taken us in.
Purdy (2011) in the Risk Management Magazine wrote that the five
steps to the implementation of ISO 3100:2009 would be:
1. Changing the paradigm for risk and risk management – ISO 31000 interprets risk
“being the uncertainty that lies between us and our objectives” (Purdy, 2011). Taking a
top down approach to risk management, risk will become a key component of an
organisation’s ability to determine and achieve its objectives. Risk is neither positive
nor negative, it is just risk.
2. Take stock – Make sure that the risk management framework is designed to suit the
internal and external context of the organisation. This means that both the systems and
processes should be assessed and ensures that all elements that are missing are
introduced to the framework.
3. Evaluate your maturity – The organisation has to make sure that the treatment of risks
is effective. Goals, targets and benchmarks should be used, to ensure that risk
management processes and systems are effective.
4. Develop your plan to start – If you have not already developed a plan to start risk
management, you should do so as a strategy to engage management in the risk
process, as this will increase the success of the program.
5. Develop your plan to keep it going – Every few months, management will usually
become complacent, believing that the risk management plan is no longer important,
as other projects take their attention away from risk management. For risk
management to work, it must become embedded into key business processes, making
management accountable for the reviewing and assurance of risk management
controls.
1
Australian Standards/New Zealand Standards
2
International Standards Organisation

P a g e | 12
These processes need to be addressed both professionally and at an organisational level, so that
accountability is reinforced; this is evidenced through self-assessment processes in the organisation’s
performance management processes.
For any risk process to succeed, it must be supported from management; all levels of management
should be made aware of the big risks in the organisation. The difference between AS/NZS 4360:2004
and ISO 13000 is that reporting is required on risk management, not on risks. After all, if an
organisation’s approach to risk is defective, any report of the risks it faces must be treated with
suspicion (Purdy, 2011).
Every State/Territory has its own WHS Act and Regulations. These are shown below. Currently, WHS
Law within Australia comprises of both State/Territory and Commonwealth Legislation. For legislation
within your State/Territory, please refer to the following table:
State/ Office URL address

Territory
ACT WorkSafe www.worksafe.act.gov.au
NSW WorkCover www.workcover.nsw.gov.au
NT WorkSafe www.worksafe.nt.gov.au
QLD WorkCover www.workcoverqld.com.au
SA WorkSafe www.safework.sa.gov.au
TAS WorkCover www.workcover.tas.gov.au
VIC WorkSafe www.worksafe.vic.gov.au
WA WorkCover www.workcover.wa.gov.au
The Government of Australia and her States/Territories are currently working at harmonising the WHS
legislation and regulations in Australia. However, this is only a goal – current separate State/Territory
and Commonwealth Laws still apply.
WHS legislation found within this guide shall relate to Commonwealth Legislation including:
 Work Health and Safety Act 2011 (Cth)
 Work Health and Safety (Transitional and Consequential) Act 2011 (Cth).
 Work Health and Safety Regulations 2011 (Cth).
 Work Health and Safety Approved Codes of Practice 2011 (Cth).
The legislative framework

P a g e | 13
The legislative framework that you operate in usually stems from the requirements of:
The Act
Acts aim at ensuring that WHS is managed effectively in the workplace by ensuring that employees are
protected under both their Commonwealth and State/Territory law. The aim of The Act is not to affect
the operation of a State or Territory Act now in operation.
The objectives of the Act are to:

 Ensure that all employees are secure and safe at work
 To protect employees from risk arising from their roles
 To assist employers/employees and other persons who require assistance, as per their
obligations under law
 To provide remedies when obligations at not met, through civil remedies.

P a g e | 14
Regulations
Regulations provide you with a lot of structure within a statutory framework that has been created by
Statute to give you details on how to implement legislation. Unless you can provide a better alternative,
regulations are mandatory.
These regulations cover:

 The Health and Safety Representative election processing
 Statutory notices
 The details about incident notifications.
Codes of practice
Unlike with regulations – where you can be charged for not following them – codes of practice are
written to provide guidance on how to maintain a safe workplace. However, by demonstrating that you
are following a code of practice, you can provide sufficient evidence to demonstrate that you are
following the law. The code of practice based on the WHS Act 2011 (Cwlth) is the Work Health and
Safety Approved Codes of Practice 2011 (Cth).
The aim of the WHS Code of Practice is to assist organisations in interpreting the complete set of
previous 27 codes in an Australian workplace including the associated Australian Standards.
Building on the Legislative framework demonstrated above, we now have:
Mandatory – must
Law - the WHS Act
follow
Compliance
Legislative instruments -
mandated, unless
regulations, approved the
codes
same or better
of practice safety outcomes
are achieved
Guidance - Comcare SRC
guidance material, other
guidance No legal status

P a g e | 15
The approved codes of practice will provide you with guidance on how to meet your WHS Obligations.
Comcare can also provide guidance notes in WHS. Be aware that there are professional association and
other professional bodies that can provide you with guidance notes specific to your industry.
The aim of the WHS Code of Practice 2011 is to provide you with:
 Easier to read and follow guidance
 Provide guidance to areas previously excluded
 Only refers to AS/NZ Standards where necessary for technical matters
 Allows for greater flexibility in achieving compliance.
Look in the WHS Code of Practice (2011) on How to manage Work Health and Safety risks. The aim is
to provide you with practical guidance to:
 Identify hazards
 Assess the risk
 Control risks
 Review controls
 Keep records.
Standards Australia
A standard is how specifications and procedures are designed to make sure that methods and materials
are fit for the purpose intended. They are documents that are published to make sure that the
standards are consistent across Australia. These standards can be found at the SAI Global Limited and
can be purchased through the website: www.saiglobal.com.

P a g e | 16
Legislation
WHS legislation is provides employers with guidance on how they can meet their legislative
requirements.
The Risk Management Process contains:

 Hazard Identification
 Risk assessment
 Implementation of Risk Control Measures:
 The hierarchy of controls
o Elimination
o Substitution
o Isolation
o Engineering
o Administrative
o PPE
 Review the effectiveness of the risk management process in your workplace as part of
your organisations continuously improvement process.
The WHS Code of Practice (2011) aims to provide you with practical guidance for employers and
employees on how to meet their duty of care under the Act, with regards to the how to manage Work
Health and Safety risks. This learner guide will explain your responsibility under the Commonwealth
Work Health and Safety Act and corresponding Regulations. Note that you should also check your
State/Territory Act and Regulations for variations, to ensure that you know the legislation within your
State/Territory.
: www.comcare.gov.au

P a g e | 17
Risks may include those relating to:

 Commercial relationships – a formal business relationship
between two parties, in which there is some agreed on material
or financial benefit to each party. A commercial relationship is
doing business, where there is an exchange of benefits that
have material value.
 Economic circumstances and scenarios – these are the risks

caused from an action or inaction that has an undesirable
outcome. The losses in this scenario are usually called risks
which may be monetary or physical. For example; in response
to a downturn in demand, an organisation may retrench their
staff so that they can keep operating.
If the staff are not retrenched professionally and are not given an opportunity to find
other work, then the reputation of the organisation will be affected. If there is an
increase demand and they start hiring new staff, they may have trouble finding high
calibre staff due to the poor reputation that they have due to the way that the
retrenchments were handled.
The reputation of the organisation can be affected economically in that they:

o May not be able to meet the customers' needs as the organisation does not have
sufficient staff to produce and distribute their goods and services; and
o Because they are unable to meet the customers' needs their ability to make a
profit will be affected
 Individual activities – these can include negligence, untrained personnel and those
unfamiliar with the organisation's procedures. Under WHS Law, employees have a legal
responsibility to ensure that they maintain a safe work environment. It is the
responsibility of the employer to ensure that the health, safety and welfare at work of
all employees and others who come on to the workplace.
 Human behaviour – this refers to the range of behaviours that are

influenced by a person’s culture, attitudes, emotions, values, ethics,
authority, rapport, hypnosis, persuasion, coercion and/or genetics.
Behaviour-based safety focuses on employee behaviour and aims to
minimise the cause of work-related injuries and illnesses.
When employees don’t act safely; the level of risk rises. When unsafe
behaviour is identified, steps need to be taken to correct the workplace.
The longer that the employee takes to learn the correct behaviour, the
greater the risk rises for the organisation.
The key to modifying unsafe behaviour is the organisation’s ability to

identify the cause of the incorrect behaviour and to take steps to
minimise and/or completely remove the behaviour. If the employee still

P a g e | 18
demonstrates the incorrect behaviour, then the organisation needs to determine if the
level of risk is too high to retain their services. However, make sure that you are aware
of the correct organisational policies and procedures that you should follow.
 Management activities and controls – these are usually guided by an organisation’s

policies and procedures and the appropriate job description. The level of risk in a
management position will vary according to their position, the amount of training or
education that they have and their level of experience. If you are in a management
position, it is essential that you make sure that you are aware of all of the risk in your
work area.
Management activities may include ensuring that:

o all members of their team are trained in all safety issues within their work area
o that incident reports are followed up with risk assessments as per organisational
and legislative requirements
o that all paperwork is processed to ensure that patterns in incidents are identified
and action is taken to minimise the chance of the incident occurring again.
 Natural events – these are the effects of natural hazards such as floods, tornados,
hurricanes, volcanic eruptions, earthquakes and landslides. These types of hazards can
lead to financial, environmental and human loss. To counteract and minimise the risk
to an organisation and its employees, organisations – depending on the kinds of risks
relevant to an area – will put together a Natural Disaster Risk Management Plan that
encompasses:
o Relevant State Legislation and the types of risks
o Risk Assessment Methodology including:
 Risk Identification
 Risk Analysis
 Risk Assessment
 Risk Treatment
 Monitoring and review of risks
 Who the stakeholders are
o A risk evaluation including the impact on the local

community, the economy and the infrastructure
Existing disaster measures that are already in place should be continuously reviewed to
ensure that they are up-to-date in relation to change events and legislative
requirements.

P a g e | 19
 Methods to support continuous improvement: Continuous improvement is an ongoing

effort to improve products, services or processes. These efforts can seek “incremental”
improvement over time or “breakthrough” improvement all at once.
A widely used tool for continuous improvement is the four step quality model – the
plan-do-check-act (PDCA) cycle, also known as the Deming Cycle:
The Deming Cycle includes:

o Plan: Plan for change once an opportunity is identified
o Do: Implement a small scale change
o Check: Analyse the data from the small scale that has been implemented and
determine whether it made a difference
o Act: If the change is successful, then implement the change on a larger scale and
assess the results continuously. If the change process does not work, then you
will need to start the cycle again.
Other methods of continuous improvement include Six Sigma, Lean and Total Quality
Management (which emphasises team work), employee involvement, measuring and
systemising processes, and reducing cycle times, variations and defects.

P a g e | 20
 Political circumstances – these are a form of risk that is faced by investors,

governments and corporations. The level of risk can be controlled, as it is understood
and managed from the start. Organisations face political risk by making decisions that
are strategic, financial or personal.
For example, recent changes to industry laws increased the price of a product. Demand
for the product line decreased. The organisation maintained the same level of
production, with the belief that the level of demand is only short-term, based on
previous experience. Maintaining production levels and the increasing the price of the
product would elevate the level of risk for the organisation. If the customer is not
prepared to pay the price and if the organisation is unable to cut costs, then the risk of
the organisation needing to sell the product at a loss will rise. Therefore, this has
become a risk to the organisation.
 Technology is a key factor in an organisation’s ongoing success. Technology, when used

correctly, can be the difference between an organisation obtaining a larger share of the
market, thereby having a competitive advantage, or the loss of a larger share of the
market. Many organisations’ competitive advantage comes from their ability to be
more responsive to market demand.

P a g e | 21
Learning Task 1
What internal and external processes should you consider when you are preparing to review your
organisation’s risk management? Why?
Process Why?

P a g e | 22
1.2 – Determine scope for risk management process

There are many different types of risk that your organisation has to deal with. These include:
 Legal
 Financial
 Safety.
As a member of a team or in your role as leader, supervisor or manager, it is essential that you
understand the risk that your decisions or feedback, with regards to decisions, will impact on not only
on yourself, but also your organisation. Since globalisation in the early part of the 1990s, the level of risk
for many organisations has risen, threatening their overall continued existence.
For example, when the new WHS Act 2011 was introduced to Victoria’s workplace, many organisations
did not take initiative and introduce the new practices to the workplace. This form of risk was non-
compliance with government legislation, increasing security risks to both the organisation and staff.
Responsibility for the risk rests on the organisation/people that have control of it. This includes the
person who controls the budget, the spending and who is responsible for ensuring that decisions have
been carried out.
It is important that your organisation has in place a systematic and holistic approach to risk
management, to protect your organisation and its assets. Risk is defined under AS/NZS 4360:2004 as
“the chance of something happening that will impact on objectives”. Technically, risk is the probability
of a threat agent that exploits vulnerability and the results in impact on the business.
For example; your employees have been trained in WHS in the workplace. The vulnerability is that, even
though they understand WHS, they do not know when to start applying it. The trainer emphasised that
their duty of care started when they began work, so they did not report a ditch in the tarmac at the
main entrance until they started work. Heavy rainfall had cracked the tarmac where it had been laid
incorrectly. Overuse of the tarmac widened the crack into a ditch, over time.
They were busy and did not use their common sense. In the time between entering the workplace and
they starting work, a truck hit the ditch and rolled before it exploded, killing both the driver and his son
(who rode with his father that day).

P a g e | 23
Reflect on the financial risk the organisation would face. For example:
 Employees failed their duty of care because they did not report the ditch when they
saw it.
 The trainer did not train the employees correctly. The employees' duty should have
started the moment they entered the workplace.
 The organisation, as the employer ,was negligent in that they did not provide both the
internal and external customer with a safe work environment
 The organisation’s reputation was damaged, due to their failure to maintain a safe
work environment.
Each of these elements has a financial impact. The level of risk may include:
 The level of responsibility the employees, trainer and organisation have, with regards
to their level of negligence.
 Whether the driver is found partially liable, if the truck itself was not safe. This may
include that the driver was aware of a leak in, say, his fuel tank – this was a risk and he
did not take steps to have the truck repaired. Sparking when the truck rolled over could
have caused the explosion, leading to the death of the driver and his son.
Irrespective of the level of risk, there is a clear demonstration of negligence from all parties. As a
consequence, the organisation is at risk financially from:
1. Its inability to train its staff correctly and thereby
maintain a safe workplace
6. Not taking action when they knew that the tarmac

was cracked and was a possible risk
7. Fines for the above
8. Loss of reputation – the message that their

customers receive from this type of incident is
that, if the organisation does not maintain a safe
work environment for its employees, what level of
risk are they going to be exposed to with the product and/or services that they receive
from their purchases?
Many organisations would not be able to survive this financial burden and, in most instances, would be
closed down. Calculating the risk of this scenario requires an understanding of likelihood and
consequences but, even more importantly, the cost to the organisation.
Costs can be as straightforward as repairs to a fault and medical costs; these are quantitative values to
costs in the form of loss of reputation, market shared, unrealised customers and other intangibles.

P a g e | 24
Define the scope

One of the most important aspects of any risk management plan is your ability to make sure that risk is
broken down to a basic state and analyse the impact for the organisation if risk management practices
and procedures are not followed.
Defining the scope of risk is not easy. All risks need to be recognised and, if required, quantifiable. The
scope should provide details of processes regarding risk and the deliverables. A major part of this
requires that a risk analysis is performed for your work site; this necessitates that you identify and
assess risks that may jeopardise your organisation’s processes and ongoing success.
The analysis of the worksite forms the basis of your Risk Management Plan. The rest of Section 1 in
this Learner Guide shall identify:
 Your stakeholders
 The impact the external environment will have on your organisation within the industry
that you work in
 How the risk management plan shall be communicated
 The process of obtaining support to ensure the ongoing success of the organisation.
As with any other aspect of good organisational management, it is essential that you obtain and
maintain support of organisational members. Obtaining their feedback and ideas allows them to create
ownership for the risk management process. Studies demonstrate that when people take ownership of
a program, there is a higher level of success for that program.
We have now considered the types of risk that may affect an organisation. The scope of the Risk
Management Plan needs to consider what the plan may apply to and the variables that may impact on
the scope.
Before you consider the scope, it is important to have a clear picture of

what you are applying the scope to. For example, you may work in an
organisation where the scope, in the first instance, encompasses the
whole organisation. The organisation also has several projects running at
the same time. The procedures used to identify and resolve or report the
risks during the initial development of the Risk Management Plan will
usually be utilised for individual risk analyses completed on each project.
This clearly demonstrates that an organisation, depending on the

organisational structure, must have at least one Risk Management Plan.
Other organisations may run several risk management plans based on the
amount of projects that may run internal and/or external to the
organisation.

P a g e | 25
This means that scope may apply to:

 Given project – different projects have different goals and objectives, legislative and
environmental requirements, timeframes, budgets and needs; these will depend on the
type of project, the industry of the partner company and the project, and the needs of
the customer. Each project should be assessed separately and decisions made on these
projects should be reviewed, to minimise the chance for error.
 Specific business unit or area – many laws have been designed that are industry
specific. When planning a risk management plan, care should be taken to ensure that
you consider this industry specific legislation. For this, you should consider a subject
matter expert as a stakeholder or as someone to refer to when you are unsure about
aspects of your Risk Management Plan. These subject matters may include specific
functions, such as:
o Financial management – Any decision that a manager makes depends on the

amount of budget allocated to their department or project. When decisions are
made with regards to the organisation’s risk management plan, it is essential to
determine what the organisation can afford. For example, to control a risk in
your factory, engineers have recommended that re-engineering of a specific
piece of machinery should be performed. However, your budget may be $2500
to minimise the risk. The cost of re-engineering may be more than this, so you
will need to come up with an acceptable, affordable alternative.
o WHS – Currently, WHS Law within Australia comprises of both State/Territory

and Commonwealth Legislation. For legislation within your State/Territory please
refer to the following table:
State/ Office URL address

Territory
ACT WorkSafe www.worksafe.act.gov.au
NSW WorkCover www.workcover.nsw.gov.au
NT WorkSafe www.worksafe.nt.gov.au
QLD WorkCover www.workcoverqld.com.au
SA WorkSafe www.safework.sa.gov.au
TAS WorkCover www.workcover.tas.gov.au
VIC WorkSafe www.worksafe.vic.gov.au
WA WorkCover www.workcover.wa.gov.au
o Governance – Corporate Governance is the set of processes, customs, policies,

laws and institutions affecting the way an organisation is directed, administered
or controlled. Corporate Governance assists you in identifying your level of
authority within the organisation. Your job description will describe what your

P a g e | 26
role within the organisation is; policies and procedures will assist you in clarifying
your accountability and to whom. If you are not sure about either your
accountability or your level or authority, you should consult with your supervisor
or a member of your team.
This definition touches on the bare minimum for Corporate Governance. To find
out more information on Australian Corporate Governance, refer to the
Australian Corporate Governance website:
http://www.governanceinstitute.com.au/
External environment – the external environment includes other players who have an
impact on the decisions you will make. The external environment consists of:
o The economic system
o Competitors
o The social system
o The political/legal system; and
o The environmental system.
The external environment shall be covered thoroughly in Section 1.4.
 Internal environment – there may be times when your partner’s internal processes are
in conflict with your own. When on a customer’s work site, their risk management
processes must take precedence over your organisation’s processes. Internal processes
may include policies, procedures and practices that include identification, assessment,
control or reporting of risk.
This does not mean that you should not ignore your own organisation’s procedures. In
most instances of your organisation’s historical records, you should still follow your
organisational procedures. This is to assist future individuals undertaking a similar
project in the preparation and management of their own project.
 Whole organisation – the context of a risk management plan will assist in establishing
the whole risk management plan for the organisation. This means that you need to
make sure that you include:
o The scope of the plan
o The objectives of your stakeholders and who they include
o How the risks will be established and evaluated
o The processes framework
o The identification and analysis of the risk.
When an organisation considers the context of the risk management

process, it should:

P a g e | 27
o Consider the environment that it is operating in
o How the operating environment will impact on the risk assessments conducted,
including the process of defining the context as part of the planning process.
Before developing the context of the risk assessment, you need to consider all of the above so that you
have a clear picture of the level of risk your stakeholders will be exposed to. Once you consider the
internal and external environment and the different scenarios that may impact on your organisation,
you will have a clear, broad perspective of the scope the Risk Management Plan that you are
developing.
The context will assist you in defining the purpose and importance of the scope for your organisation
and how risk assessments will take place. The scope will help define:
 What areas should be covered
 What should be covered within a specified time period
 The resources that are needed
 Will you need the expertise of external specialists; if so, who?
 Who the stakeholders are
 How risk shall be evaluated
 What records need to be kept and how
 How much analysis you will need to complete the assessment safely
 The environment that the risk assessment operates in and how it will impact on the
way in which the risk assessment is performed
 What needs to be evaluated and why

P a g e | 28
Learning Task 2
Demonstrate your understanding of the scope of a risk management plan by reflecting on the level of
risk in your organisation. When identifying the scope of risk, what area(s) do you need to consider?
Areas of the Scope What do you think should be considered within the scope?
The whole organisation
The internal environment
The external environment
WHS
Corporate Governance

P a g e | 29
Spend time with your trainer discussing the variances in your answers. What differences are there?
Do you feel that the internal environment will impact on these variances? Why? Why not?
Using the information that you have gathered, outline the scope of the risk assessment by briefly
outlining:
What areas should be covered?
What should be covered within a specified time period?
What resources are needed?

P a g e | 30
Will you need the expertise of external specialists; if so, who?
What records need to be kept and how?

P a g e | 31
How much analysis do you need to complete the assessment safely?
The environment that the risk assessment operates in and how it will impact on the way in which the
risk assessment is performed.
What needs to be evaluated and why?

P a g e | 32
Use the space below to add information if you require more space. Make sure that you have sufficient
information, as it will be used to answer the rest of the learning activities.

P a g e | 33
1.3 – Identify internal and external stakeholders and their issues

Look at your list of stakeholders in Learning Task Two. The stakeholders shall be either internal or
external. Internal stakeholders are people who support the organisation and who are internal to the
organisation, including employees, investors and management. External stakeholders include people
who are impacted by the organisation including the consumer and the community. It is important to
know each perspective and their objectives so that you can address their needs in the Risk Management
Plan.
Take the time to work out what each party’s interest in risk management is and use it to determine their
objectives.
Internal stakeholders include:

 Employees:
Employees need to be protected from risk. They require information that will assist
them in ensuring that the workplace is safe. Risks and the procedures on controlling
and/or minimising the risk should be made available to them. Employees need to be
kept up-to-date on safety issues and changes to legislation that will impact on their
practices. Employers must communicate changes to employees and provide training
when necessary.
 Internal Investors:
It can be argued that employees are investors in the organisation, in terms

of investing their knowledge and skills to the organisation to maintain
safety. For the sake of this guide, the investors are the owners of the
organisation. They provide capital, to ensure that their duty of care is
maintained by guaranteeing that employees are provided with a safe work
environment.
 Management:
Management needs to ensure that they balance providing support for the
employees with being accountable for working within their budget. Risk
management decisions should address the safety of staff and working
within their allocated budget. They need to make economic decisions
while ensuring that their team is not placed at risk.

P a g e | 34
External stakeholders include:

 Customers:
Customers purchase the goods and services that the organisation either produces or
sells. They may be other organisations or individuals. When the customer purchases
your product, it is essential to make sure that the product is safe. Customers need to be
confident that they are not at risk.
 Suppliers:
In the same instance, suppliers need to make sure that the products that they sell are
free of risk.
 Creditors:
Creditors need to know that they are going to be protected, by

ensuring that all legislative requirements are met within your
organisation; and
 Government:
That all taxes are paid, and appropriate industry laws are
followed and adhered to.
Now that you know what a stakeholder’s interest in your organisation is, you should change their
interests into objectives. Be aware that these objectives will become an important part of the context of
the Risk Management Plan. It is through these objectives that you will be able to plan your risk
management plan.
Your stakeholders’ objectives need to be identified, depending on the nature of their relationship with
you and who they are.
You can identify stakeholder objectives by:

 Consulting with industry experts to clarify information.
 Being familiar with the legislation relating to your industry.
 Using information provided by professional associations to keep up-to-date, with

regards to industry trends.
 Consulting with stakeholders to determine objectives. You could use contracts and
agreements to assist you in identifying these objectives.
 Implementing feedback and consultation procedures, to allow you to keep in touch

with your stakeholders requirements.

P a g e | 35
When developing a risk assessment, take the time to reflect on your plan to ensure that the
event/situation and the existing elements that may have an impact on the level of risk that the
stakeholders are exposed to are clear. Make sure that each stakeholder is aware of the elements that
may impact on their decisions. The success of any planning rests on ensuring that the information
provided is clear and up-to-date. Stakeholders can then make informed decisions that will, in turn, assist
you in developing the policies and procedures for the Risk Management Plan.
For example, weather conditions of previous years indicate that staff will be exposed to minimal risk of
rock slide on a building site. However, one of the effects of El Nino saw an increase in rain fall over the
summer. Dried dirt has shifted and the chances of a mud slide over the winter period have increased.
Your contractor is concerned that the level of risk has risen and the equipment left on-site shall be at a
higher level of risk also.
Stakeholders would weigh the cost of insurance, putting in placing more safety practices and the cost of
replacement. The priority of this risk would rise as the chances of rain causing a mud slide rose. By
ensuring that the stakeholders have a report on the after effects of El Nino, stakeholders’ decisions
would be more informed and the budget and time allocated to minimising the risk would be varied
according to their responses.

P a g e | 36
Learning Task 3
Briefly outline a project or activity that you are involved in.
Using the project or activity described above, who are your stakeholders? Are they internal or external
to the organisation? What variables may impact on their decisions? What decisions may they assist in
that will impact on the Risk Management Plan? The variables must have an impact on the decisions that
they are making.
Internal (I)
Or
Stakeholders Variables Types of
External
(E)

P a g e | 37
Internal (I)
Or
Stakeholders Variables Types of
External
(E)
Discuss your answers with a team member/your trainer/class.

P a g e | 38
1.4 – Review political, economic, social, legal, technological and policy context
The successful management of any organisation or individual project or group of projects rests on the
ability of your organisation to adapt rapidly to the pressures of the external environment. Once your
stakeholder has made a decision on an event, whether they are an owner or a worker, your
responsibility does not cease to exist. In a global market that is static, you need to have the ability to
scan the environment and identify areas that will impact on your organisation or project.
Time is a highly regarded commodity and you are not able to spend too much of it studying the market
so that information you can present information (if so required) to make a decision that will change the
procedures of the organisation. You need to have a method that will allow you to understand both the
external environment and the interconnections between its various sectors, and translate the
understanding to planning and decision-making processes.
This activity can be done through environmental scanning. Brown and Weiner (1985, p. ix) define
environmental scanning as “a kind of radar to scan the world systematically and signal the new, the
unexpected, the major and the minor”.
Environmental scanning can be utilised to:

 Control the flow of information – if staff are provided with too much information,
information overloading may occur. Employees may become confused trying to work
out which information is relevant and which is not. By controlling the flow of
information, you are ensuring that your team are provided with the appropriate
information, so that they will be able to provide an informed decision.
 Keep managers up-to-date – information should be timely and should give managers
time to identify changes in market trends, market conditions and any other variables
that will impact on the final decision.
The way in which information is provided will vary between organisations, according to the industry of
the individual organisation; it will also vary according to the procedures and requirements of the
management team and stakeholders who will have an impact on the decision-making process. The
scanning of the external environment can be completed internally or externally. Employees may be
required to scan the market to identify changes to trends. External organisations or bodies may be used
to monitor the external environment. These external bodies may include stakeholders, professional
associations and government bodies.
The type of information gathered will vary. However, the streams of information gathered in the
external market will usually include:
 The economic system
 The social system
 The policy context
 The political/legal system
 The technology system.

P a g e | 39
The economic system

An organisation’s economic system comprises of the allocation, consumption, distribution and
production of resources. The economy tends to go through periods of varying degrees of growth.
Businesses prosper when the economy is booming and living standards are rising. Conversely,
businesses are prone of go under when the economy is in a state of recession.
The economic system is the organisation of the economy to allocate scarce resources. It is governed by
the needs of the individual departments. Resources are allocated according to their priority of the
organisation. For example, if your organisation has been audited, with regards to its WHS, and the
report stipulated that your organisation was not fully complying with the law, then quick action would
be taken to correct the safety of your internal and external customer. This may mean that the
organisation’s budgets would need to be reviewed and reallocated, due to the reprioritisation of the
decision-making process.
This example clearly demonstrates that decisions about resource allocation impact on the decision-
making process. Decisions of an economic nature can be influenced by:
 The decision making structure of the organisation
 Who makes the decisions
 Whether decision making is centralised or decentralised; or both;

and
 How resources are allocated.
The economic system can also be influenced by:

 The way in which information is obtained and analysed to make a decision. Planning –
whether centralised, decentralised or both – will be influenced by how the information
is coordinated and utilised.
 Ownership and control – Stakeholders, as we have already identified, provide input to

the decision-making process and can, in some instances, be a major contributor in the
final decision. The level of control will vary according to the organisation.
 The incentive structure, which uses recognition and rewards, to encourage human
resources to build their skills and take ownership of their roles and responsibilities,
allowing management to fulfil other roles. This could also be part of the social system
also.
Economic systems are usually divided through the way in which economic inputs (the means of
production) and the decisions made about the inputs.
The two main economic systems are:

 Capitalism
 Socialism.

P a g e | 40
The capitalist economic system is concerned with the production of profit maximisation through
investments and competition with other business owners. These systems may be both regulated and
unregulated.
The socialist economic system produces goods and services upon demand and ensures that sufficient
production is carried out for this end. This system is based on capital accumulation seeking to control or
direct the system through state ownership or cooperative control.
The social system

The social system is the use of attitudes, behaviours and ideas influenced by human relationships. The
incentive structure can be influenced by the social system. Using the example above in the incentive
structure, we can see that when employees to take ownership for their actions, their productivity
usually encourage increases which will release resources (management) to perform other tasks.
The social system is initialised through empowerment. Empowerment is the process of increasing the
capacity of individuals or groups to make choices and transform those choices into desired outcomes
and actions. (PovertyNet, 2011).
Organisations can also be influenced externally by including consumer attitudes and behaviours, which
will invariably depend on the age of the consumer, the type of consumer and whether they are
professionals, trade workers or admin staff, etc.
The political/legal system

The political/legal system creates the rules and frameworks within which business operates.
Government policy supports and encourages some business activities, e.g. enterprise, while
discouraging others, e.g. the creation of pollution. A political system is one of politics and government
that is usually compared to a legal or social system. A political system is composed of a complete set of
institutions, interest groups (such as political parties, trade unions, and lobby groups), the relationships
between those institutions and the political norms and rules that govern their function.
Formerly a colony of Britain, Australia has one of the

oldest continuous democracies in the world that is
shaped on pre-federation colonial parliaments, such as
“one man, one vote and women’s suffrage”. The
Australian Constitution defines the following
responsibilities including those of the:
The Australian Constitution sets out the powers of

government into three chapters:
The Federal Government
Foreign affairs, trade, defence and immigration

Government of states and territories

For all matters not assigned to the Commonwealth
Government, they adhere to the principles of responsible
government. P a g e | 41
The High Court

There are four main political parties in Australia. They are:
TheArbitrates on disputes between the commonwealth and states.
socialhave
Many court decisions
Australian democratic
expanded party founded by the
the constitutional
powers and responsibilities of the federal Government.
Labour Party Australian labour movement
The Liberal
party of the centre right
Party
The National
a conservative party representing rural
Party of
Australia interests (formerly the Country Party)
The
Australian left-wing and environmentalist party
Greens
State parliaments are subject to the federal constitution and their state constitutions. A federal law
overrides a state law. In most instances, the relationships between the states and commonwealth are
formerly responsible. Local government bodies are developed by legislature at both the state and
territory level. This is a brief outline of Australia’s political system. For a more thorough explanation,
refer to: http://www.australia.gov.au/about-australia/australian-stories/political-system-and-
institutions
The legal system in Australia has three sources that you may need to refer to. The sources are:
1. The laws that are made in parliament
2. Delegated legislation
3. The decisions made by judges in courts, that are published in volumes of law reports.
The legal system can be a complicated process and the task to finding the relevant law may be
difficult, even for a lawyer. The basic legal system in Australia consists of:
 The fundamental belief in the rule of the law, where all people are treated equally
under the law
 That the common law system is formed on the basis of the United Kingdom’s
jurisprudence
 That the common laws system encompasses the law of precedence where judge’s
decisions are based on previously settled cases
 Nine legal systems – the eight state and territory systems and one federal system
which incorporates three separate branches of government – legislative, executive and
judicial.

P a g e | 42
For a basic understanding of Australia’s legal system, it is best to start with easy explanations of the
relevant law. If you wish to find out more information about Australia’s legal system, refer to the
following URL Addresses:
 The Law Handbook: http://www.lawhandbook.org.au/fact_sheets/ch01.php
 Law and justice: http://www.australia.gov.au/topics/law-and-justice
 The Australian Legal System:

http://www.lawlink.nsw.gov.au/lawlink/lawlink_libraries/ll_libraries.nsf/pages/LL_Stud
ents_centre_legal_system
The technological system

Technological systems refer to material objects, such as machines and hardware that are used by
employees, to ensure that they are productive within their industry. The aim of the technological
system is to ensure that the human environment – such as the materials, tools, techniques and sources
of power – are utilised to make life easier and local more productive.
For example, to remain competitive, an organisation will usually purchase an upgrade their technology –
such as computers or equipment – if there is evidence that the upgrade will have a positive impact on
their ability to meet their customers’ needs and increase sales.
A technological system may also be described as a network of agents interacting in the

economic/industrial area under a particular institutional infrastructure, and involved in a generation,
diffusion and utilisation of technology. This means that firms, taken individually, can’t explain economic
change. Instead, they must be viewed as a part of a larger system; various firms interact with each other
and institutions matter.
The aim of the study of technological systems is to understand the links between technological systems
and economic growth. This linkage can be observed after your organisation purchases new technology.
If the organisation aims to improve productivity, then a purchase of equipment to allow the
organisation to meet the demand means they will be able to take a larger share of the market and
ultimately improve their profits.
Another way the organisation can improve their productivity and profits is through the improvement of
processes or the quality of their output. For instance, employees may identify a way to improve
productivity, by changing or eliminating steps in the development process without affecting output.
Eliminating steps in the production process will also improve productivity and more units will be
produced to meet customer demand.

P a g e | 43
The policy context

The policy context is the course of action the business takes in the decision-making process that
influences the way they make decisions and the actions that they take. Let’s refer to the examples
discussed in the technological system. One of the goals of the organisation is to improve productivity.
Imagine that the organisation becomes aware of a new computer program that would revolutionise
their industry by increasing productivity, so that they would be a market leader.
However, due to the infancy of the technology, the price of the equipment would blow the
organisation's budget. In the same instance, a member of the organisation’s production team identified
a way in which to improve productivity, so that they are on par with the new technology.
Preliminary investigations have identified that the improvement in processes would save the
organisation a lot of money, in that they would increase productivity. The policy context comes into play
here when the processes of the organisation will have an impact on the final decision made.
Consider the two options:

1. New equipment equals blowout in the organisation’s budget
2. New processes equal cost savings, empowered staff and improve productivity
equivalent to the new technology found in the equipment.
What may be obvious to you may not be so to others. Your organisation's procedures may be geared to
the procurement of new equipment. The stakeholders of the organisation may not believe that the
processes that the employees and to put in place will meet their goals. If you are manager, your goal
would be to change the mind of the stakeholder.

P a g e | 44
Learning Task 4
Using the project you briefly outlined in Learning Task 3, identify what information your manager may
ask you to gather in the following areas, to assist in making informed decisions about risk for the
project/activity.
System Type of information
Economic
Social
Political/Legal
Technological

P a g e | 45
System Type of information
Policy context

P a g e | 46
1.5 – Review strengths and weaknesses of existing arrangements

As you are considering the development of the risk management plan, it is important that you take the
time to review the weaknesses and strengths of any existing risk management arrangements. To use a
systematic approach, you should perform a SWOT analysis.
SWOT is an acronym for strengths, weaknesses, opportunities and threats which make up the four
factors of the SWOT matrix. The aim of this tool is to produce a model that can serve to provide
direction in the development, formulation and assessment of risk management plans. As an important
step in the planning process, many organisations tend to undervalue or omit it from the Risk
Management Plan.
The SWOT analysis is straightforward and easy-to-use. The four factors are divided into external and
internal issues. The organisation's risk management objectives can be obtained by analysing the
information gathered in the tool. The SWOT analysis can assist in identifying any potential obstacles to
the success of the risk management plan, as well as the flaws in the plan.
Risk management requires organisations to avoid, eliminate or, at the very least, minimise identified
threats and weaknesses. The organisation should scrutinise the weaknesses, to ascertain whether or not
it is possible to change them into assets. Identified threats should be examined to see if there are
opportunities to strengthen areas that have been eliminated.
The opportunities and strengths should be analysed to identify whether the threats and weaknesses
have met the organisation’s objectives.

P a g e | 47
SWOT Matrix
 What risk management areas can

 What does the organisation do well,
according to risk management? you improve upon?
 What unique resources (i.e. staff  What resource areas do you use
skills) can you draw from? less of than your competitors?
 What are the organisation’s  What may your competitors see as
strengths? your weaknesses, with regards to
risk management?
 What risk management areas can  What trends could have a

you improve upon? negative impact on your
 What resource areas do you use organisation?
less of than your competitors?  What are your competitors
 What may your competitors see as doing?
your weaknesses, with regards to  What threats do you weaknesses
risk management? expose the organisation to?
Risk management is also central to strategic management and some organisations utilise the SWOT
analysis tool by determining the benefits of each activity that they perform, in terms of risk
management. This is done by focusing risk management processes and determining the value of each
potential value the ultimate strategies will apply to the organisation. It makes the organisation consider
the potential success or failure each strategy that can be implemented and the impact that the strategy
will have on the organisation.
Risk management must be a continuous process that considers the past, present and future activities of
the organisation. The risks facing an organisation can result from both external and internal factors that
can impact on the organisation.
Some organisations consider these internal and external drivers and, at times, can overlap over both
areas. These can be further categorised into types of risk such as strategic, financials, operational,
hazard, etc.

P a g e | 48
When analysing the SWOT analysis, care should be taken to ensure that the final decision is aligned with
the organisation's goals. For example; a change within your industry is a strategic risk. Within that
change, your organisation may be called to change their procedures to ensure that safety standards are
maintained. To close any gap wrought by this change, a risk assessment should be performed to ensure
that the employer performs their duty of care of providing a safe work environment to their employees.
: www.theirm.org/publications/documents/Risk_Management_Standard_030820.pdf

P a g e | 49
Learning Task 5
Changes to environmental legislation calls for a rubber organisation to change the way in which excess
waste is disposed of. Complete a SWOT analysis of your industry.

P a g e | 50
Use the SWOT analysis to identify whether this is internally or externally driven. Briefly explain your
answer.

P a g e | 51
1.6 – Document critical success factors, goals or objectives for area included in
scope
Critical success factors (CSFs) is the term for an element that is necessary for an organisation or project
to achieve its mission. CSFs are those few things that must go well, to ensure success for an organisation
and, therefore, they represent those enterprise areas that must be given special and continual attention
to bring about high performance. CSFs aim to assist organisations in narrowing their results, and if their
results are satisfactory, the organisation will ensure the successful competitive performance for the
organisation (Rochart, 1979, p.84).
Your organisation's critical success factors need to match the areas that will assist the organisation to
succeed. CSFs need to maintain a high level of performance, so that the organisation’s current and
future needs are met. Grabowski and Roberts (1999) suggest that the following four factors are
designed to ensure the high level of performance that your organisation needs. These factors include:
 Organisational structuring and design
 Communication
 Organisational culture
 Trust
Galorath (2006) writes that the importance and essence of risk management requires five activities
that are:
1. Top management support
2. An integral part of the entire program management

structure and processes
3. The participation of everyone involved
4. Cultural imperative
5. A pattern of measurement.
Critical success factors should correlate with the pattern of values, ideas and thoughts transmitted by
the symbols that shape the organisation’s behaviour. For example, management support demonstrates
a support for an initiative. In this instance, risk management is an important part of the organisation’s
culture. If management demonstrates the appropriate support for the organisation’s risk management
culture, then the level of team members who follow organisational procedures should increase.
The more information that is shared to the team, the greater the chance is that desired behaviour will
become organisation-wide. As more and more of the team start demonstrating and participating in the
risk management process, the clearer the organisation’s culture becomes.
The importance of culture within effective risk management is that knowledge transference requires
individuals to come together to interact, exchange ideas and share knowledge with one another.

P a g e | 52
Moreover, culture creates individuals who are constantly encouraged to generate new ideas, knowledge
and solutions (Muller, 2009).
The relationships developed within an organisation involve the building of the organisation’s structure.
Think about your own organisation. What common vocabulary do the teams share? How do they differ
from other organisations within your industry?
Trust is also another critical success factor. Trust is the “willingness of a party to be vulnerable to the
actions of another party, based on the expectation that the other will perform a particular action
important to the trustor, irrespective of the ability to monitor or control that other party” (Mayer, Davis
and Schoorman, 1995, p.711).
For trust as a critical success factor to succeed, it is essential that risk management processes include
cooperation and teamwork. Trust is an important prerequisite to “changing those related alliances, thus
mitigating risk, as organisations are unwilling to adopt alliance-like organisational structures that make
them vulnerable to the fluctuation of the environment” (McAllister, 1995).
To measure the success and/or failure of the organisation’s critical success factors, the organisation
must, according to the WHS Act 2011, maintain records of actions and dangerous occurrences. By
monitoring and reviewing the risk management process, the organisation will be able to provide
evidence that they are continuously maintaining and reviewing the effectiveness of risk control.
Completing documentation and keeping records in a systematic manner allows the organisation to
demonstrate that they are adhering to the WHS Act in their State and/or Territory.
These records can also assist management in identifying whether the organisation is meeting its needs,
with regards to the critical success factors.
For example, based on the three critical success factors discussed, measurement of success can be
demonstrated:
 When employees demonstrate that they are following
the organisation’s culture by adhering to the safety
procedures in place
 That employees are building relationships by

discussing and communicating decisions and change
with each other to identify the best practice
 That trust is being developed and reinforced as staff

members become empowered and take initiative with regards to risk management
issues.
This trust is built on management’s ability to support their team and communicate changes, so that
their team members become empowered. In turn, they will be able to make informed decisions.

P a g e | 53
1.7 – Obtain support for risk management activities

Management support and commitment is one of the final critical success factors, with regards to risk
management. Management actions are important. They can be constructive and build staff confidence;
they can also be destructive, which can lead to the failure of organisational initiatives. Destructive
management is where management provides no feedback and, if they provide feedback, it destroys
staff morale.
Conversely, constructive feedback and support can lead to the empowerment of management’s
subordinates. The aim of constructive feedback is to provide employees with information to improve
their actions, to create better results. For feedback to be useful, it is important to make sure that it is
actionable. This is an important management interpersonal skill.
To give constructive feedback to team members it is important to make sure that your feedback is:
 Timely – Give feedback as soon as the behaviour is demonstrated.
 Supported with positive words – Be positive and make sure that your choice of words
demonstrates a positive work environment. The receiver needs to know that they are
making a positive contribution to the risk management process.
 Descriptive and gives facts – Stick to facts. Be clear and specific to ensure that the
receiver know and understands the issue and what their goals are. Make sure that the
receiver knows, for example, how their failure to act will impact on the organisation,
staff members and management. For instance, if you identify a hazard and do not
report it, a customer or a member of your team may be injured – this will have a
negative impact for management of the organisation, in terms of loss of business,
reputation, productivity or profits.
 Aimed at supporting collaboration so that new ideas for improvement are devised –
Acknowledge all recipients’ efforts, even if they are not appropriate at the time. Failure
to acknowledge their input can lead to the failure of the recipients contributing in the
future.
Creating an environment where people are empowered, productive and

contribute happily to risk management is an essential part of the success of a
risk management plan. Empowerment aims to enable an individual to take
action and control their work and make decisions in an autonomous way. It
allows employees to feel that they are controlling their own destiny.
To reinforce this environment:

 Demonstrate that you value them – Use positive body
language and demonstrate your appreciation for their
contributions.
 Share vision – Help your team members to see the bigger picture by giving them access
to your organisation’s policies, procedures, mission, values and vision statement

P a g e | 54
 Share goals and direction – Make sure that the team knows the direction of the group
and their connection to the rest of the organisation, so they obtain a sense of
belonging.
 Trust people – Trust your team members to make the correct decision to meet these
goals. In turn, when they are given clear expectations, they will learn to trust and relax
you.
 Provide information for decision making – Keep staff abreast with what is happening.
Informed decisions can only be made when team members are provided with up-to-
date information
 Delegate authority – Use opportunities to delegate authority to team members, so

that they can make become empowered and build confidence to operate
autonomously.
 Provide continuous feedback – Give rewards and recognition by acknowledging the

team members’ efforts. Work with the team to develop employee skills and
knowledge.
 Focus on the problem, not the people – What is the cause of the problem? Do not
automatically assume that a person’s actions are at fault. Is there a way in which
processes can be improved?
 Listen and ask questions – Show respect and treat people how you prefer to be
treated. Ask questions and encourage team members to ask questions, to either
reinforce their knowledge or to clarify information
 Reward and recognise empowered behaviour – Recognition and rewards that

acknowledge team member’s contributions will counteract any feeling of inadequacy
that team members may feel.

P a g e | 55
1.8 – Communicate with relevant parties about the risk management process
and invite participation
For everyone to be involved in the Critical Success Factors, it is imperative that they receive ongoing
support and training. This is part of an employer’s duty of care for each State and/or Territory. Effective
risk management plans have communication procedures in place that give clear expectations for staff.
Communication ensures that team members understand and support not only where the team is now
but also where they want to be (Clutterback and Hirst, 2002).
Communication needs to also be addressed, with regards to any party that has an impact on the Risk
Management Plan. Relevant parties may include:
 All staff
 Internal and external stakeholders
 Senior management
 Specific teams or business units
 Technical experts.
Professionals, both inside and outside the organisation, also need to be informed about what is
happening. Communication does not only need to be verbal. It is essential for professionals to be
supplied with the information required to perform the correct tasks under the WHS Act as part of their
duty of care. Communication could include the update of procedures or required participation in
training.
It is also imperative to ensure that relevant parties are given a chance to clarify information, so that
they can improve the organisation’s channels of communication.
Team members need to use the communication process to understand their roles and responsibilities in
the risk management process. A clear understanding of the communication process is required so that
team members can be given an opportunity to see how their contributions impact on the organisation.

P a g e | 56
Learning Task 6
Under the table supplied below, outline the how your organisation has developed their procedures with
regards to the five critical success factors. If your organisation has no procedure in place, write N/A. In
the third column, write what procedures they should put in place if there are none. Where there are
procedures in place; identify a way in which procedures can be improved.
Procedures or improvements
Critical Success Factor Procedure
recommended
Organisational Culture
Organisational Structure
Trust
Management support

P a g e | 57
Communication
Identify risks
2.1 Invite relevant parties to assist in the identification of risks
2.2 Research risks that may apply to scope
2.3 Use tools and techniques to generate a list of risks that apply to the scope, in consultation
with relevant parties

P a g e | 58
2.1 – Invite relevant parties to assist in the identification of risks

Another form of good communication is the utilisation of consultation. This is a way in which
management not only provides staff with up-to-date information, but also provides stakeholders and
any relevant parties with the opportunity to assist in the identification of risk.
A part of good management, with regards to risk management, is management’s ability to work in
consultation on the subject of promoting a safe and healthy workplace. Using the government
legislation that encourages the team approach to the consultation process creates effective
communication, which in turn improves productivity and encourages workers to build a sense of
ownership where their contributions are made.
Consultation with employees ensures that the organisation is proactive with regards to risk
management. Employers need to consult with employees during each step of the consultation process.
All types of hazards need to be identified and methods to eliminate or control the workplace
environment hazards and risks need to be created.
The WHS Acts and Regulations of each state and/or territory will contain legislation with regards to
consultation within your relevant State/s and/or Territory/ies. Even though they will vary in each State
and/or Territory, the following overview should be part of the consultation process including:
 WHS representatives and Committee. Gives employees an opportunity to be consulted

on WHS issues. The feedback they provide will ensure that best practices are met. The
aim of consultation is to ensure that informed decisions are made. Informed decisions
can only be made when all of the people who operate in the risk area are heard. These
personnel are able to give the WHS committee and representative’s different
perspectives and feedback about which action to take.
 Workplace Health and Safety Officer are trained to identify risk and
to provide expert advice on hazards and the risks involved and the
ways in which to either eliminate or control the risk. They can also
clarify any areas in which the WHS representatives and committees
need assistance.
Other agreed arrangements can include:

 Employees seeking industrial representation with regards to
obtaining assistance in WHS issues. Industrial representation will
differ from industry to industry. It usually includes the engagement
of an industry and WHS expert who can assist employees with
regards to WHS issues.
 Regular meetings may be either a preventative measure against unsafe acts by the
education of employees on how to perform their job roles and responsibilities safely.
Staff, WHS committee and representative meetings should be held to ensure that
hazards and risks are eliminated or controlled as soon as possible.

P a g e | 59
These meetings should be of a consultative nature where management shows support

for WHS and risk issues and employees are actively encouraged to participate in the
consultative process.
 Brief talks about hazards and risks on a regular basis. These talks may be either formal
or informal. The aim is to provide employees with up-to-date information and to ask if
they have identified any risks and hazards within the workplace. Talks may include
whether they have reported the risk or hazard and if the organisation has actioned
steps to minimise the risk.
 Work groups include groups working together to meet a common goal. This could
include a whole department, an entire section or personnel from each department,
who work together to minimise a problem that requires different perspectives.
 Job task training includes the training of employees to learn the tasks involved in their
job role. Specific attention will usually be aimed at ensuring that employees are trained
in WHS issues attached to the job task.
Note that each form of contact includes employers and employees consulting with each other. During
the consultation process, team members may use a variety of tools and methods to explore the options
that could be available to them.

P a g e | 60
2.2 – Research risks that may apply to scope

Stakeholders can only assist you when they have the information they need, so that they can make
informed decisions or recommendations. At times, this may not be a viable option. This means that you
may need to research the risk to determine whether a risk or hazard can be eliminated or controlled.
Research is the search for knowledge through a systematic investigation, with an open mind, to
investigate ways to eliminate or control risk within the organisation’s procedures and legislative
requirements. The purpose of research is to discover, interpret and develop methods and systems with
regards to risk in a systematic manner.
Research may include:

 Data or statistical information (such as qualitative and/or quantitative research)
Quantitative research relies on the investigation of mathematical information to assist
in the decision-making process. Quantitative analysis is a simple tool used to measure
things, so that you can evaluate an investment to determine which measure to use to
control risk.
For example, the repeated flooding of the shop floor in the back room, the WHS
representative gave the WHS Committee three recommendations with regards to
either eliminating or controlling the flooding. These recommendations may include:
o Purchasing a sign and allocating a staff member to maintain the area to minimise
the chance that anyone will slip;
o Purchasing equipment to replace the damaged equipment which is causing the

flooding of the back room; or
o Hiring a pump to siphon the water into the drain behind the factory.
Statistical measurement would be completed to identify which recommendation is

more viable. However, a final decision is usually not made until a complete story is told.
This story can be researched through qualitative research.
In risk management, quantitative analysis on a numerical scale considers the

consequences and likelihood and the level of risk involved in the process. Methods of
numerical analysis may include:
o Consequence analysis
o Influence diagrams
o Simulation and computer modelling
o Probability analysis.

P a g e | 61
More of these shall be considered in more detail below.
 Qualitative research is the non-quantifiable methods of evaluating business

opportunities and making decisions. Analysis of qualitative research can give you
insight into the company and can assist in the decision-making process. Using the
example above, let us now analyse options available to you.
You research the policies and procedures. The price of the equipment exceeds the
budget allocated for the department. The cost of a pump is negligible and suitable for
the short term. In today’s high pressured globalised economy, money is usually scarce
and reallocating a member of your team to maintain the area, to minimise risk, will
make your resources scarcer.
In your search, you find that your organisation prioritises all WHS issues as the highest
priority. Failure to meet your industry’s minimum standards and a record of a member
of your team being injured could have a negative impact on the organisation. As such,
it is important to make sure that your decision ensures that the WHS issue is resolved
as soon as possible.
As reassigning a staff member and pumping the water from the area is a short-term
resolution, you may need to either purchase a new unit or obtain a second opinion to
determine if there are other viable options. When you are trying to make a decision on
which avenue you will take, it is important to make sure that you are going to meet
your objectives, but also that your decision is not going to eat away at your profit. This
means that you may need to research through other avenues, such as those listed
below.
Qualitative analysis is descriptive and involves the subjective assessment of the

consequence or likelihood and consequence of an event happening. In risk
management, it includes:
o The evaluation of groups
o Expert and specialist judgement; and
o Structured questionnaires.
WHS COP 2008, p.26

P a g e | 62
 Information from other business areas – Business areas are part

of your organisation's operations. This may include product lines,
branch offices or subsidiaries. For instance, if you work at a
branch of an organisation and a member of the team identifies a
risk or hazard, by consulting with another branch, you may find
that they have already resolved the problem and so you can act
accordingly.
 Lessons learned from other projects or activities – Records and

documentation are maintained and kept up-to-date for several reasons. One reason
may be to meet your legal obligations. Another reason may be so that you have access
to the historical records of the organisation. Historical records are documents stored
away so that you can use them to resolve hazards and risk in the workplace.
You may even need to review them so that you can identify what methods have been
used to resolve a hazard or risk in the past. There are times when procedures become
obsolete, as technology evolves. However, over time the procedure that became
obsolete, may come back into currency under a completely different set of
circumstances.
Historical records of projects and activities can also be used to review the procedures
that may have been rejected in the past, but may prove current due to the changing
structure of the organisation.
 Market research – Market research is an organised effort to gather information about

markets or customers. It is a very important component of business strategy. Even
though market research primarily aims to assist your organisation in obtaining a
competitive advantage over your competitors, it also ensures that you can find out
what your competitors are doing. As such, you can use your competitor to benchmark
best practice and then set out to emulate their practices, to minimise the chance of
jeopardising the health and safety of your staff, customers and stakeholders.
 Previous experience – Pushing humans as an important resource to the organisation

teaches HR personnel that all humans have different backgrounds that can be utilised
to improve the internal processes of the organisation. When a hazard or risk is raised at
your workplace that you do not have background in, do not automatically assume that,
because you do not know something, members of your team will not know how to
resolve the problem.
Instead approach employees to find out if they have been exposed to a risk and/or
hazard. When a team member is familiar with a problem and how it was resolved, you
may either use their knowledge to resolve your organisation’s internal issues, or as a
starting point to resolve the organisation’s internal issues.

P a g e | 63
 Public consultation – Public consultation is a regulatory process by which the public’s

input on matters affecting them is sought. Its main goal is to improvement the
efficiency, transparency and public involvement in large scale projects or laws and
policies. Keep Australia Beautiful (WA) is one such public consultation. Refer to the URL
Address: www.kabc.wa.gov.au – this will give you information on how public
consultation operates in Australia.
 Review of literature and other information sources – A literature review is a review of

the writing/ literature that is relevant to your industry, which can be used to support,
evaluate or critique a decision that you are trying to make. A literature review is not
just a summary of texts, journals and articles; it is a collection of articles used to
support your stance and recommendations.
The purpose of a literature review is to:

o Establish a theoretical framework for your topic/subject area
o Define key terms, definitions and terminology
o Identify studies, models, case studies etc. to support your topic
o Define/establish your area of study, i.e. your research topic.
Other sources of information may include:

o Articles that clarify information to assist in proving your stance
o Journals, such as industry journals, that may identify and explain how to resolve
industry risks and best practice to resolve hazards and risks inherent in your
industry; and
o Texts providing industry advice and assistance with ensuring that WHS standards
are maintained
o Websites, such as professional associations and government legislative and

environmental sites that keep industry up-to-date with changes to legislation,
best practice advice and industry support to ensure that employers have the best
information to meet their legal obligations under the law.

P a g e | 64
2.3 – Use tools and techniques to generate a list of risks that apply to the scope,
in consultation with relevant parties
Once you have completed your research you should also work in consultation with the stakeholders
of the work area. This can include:
 Employees
 Owners
 Suppliers
 Investors
 Contractors
 Industry sources.
Any other relevant party should also be consulted, so that a list of risks can be identified. These risks
should be relevant to the scope of the risk management process. When gathering information, you may
find yourself handling a lot of data. To be systematic in your approach, you should take advantage of the
tools and techniques that are available to you.
These tools and techniques may include:

 Brainstorms. These are an excellent tool that can be used to generate creative problem
solving. It is good to use brainstorming to bring together a wide range of personnel so
they can bring their diverse experience and meaning to the task of solving the
problems that you face. Brainstorming also assists in ensuring that you look at a
problem from a different perspective.
Brainstorming aims to get personnel out of their comfort zone and come up with
innovative and different ideas to resolve problems. Make sure that staff are very clear
that no criticism is allowed during the brainstorming session. Take the time to make
sure that all incorrect ideas are clarified and employees know the limits of the problem.
Group brainstorming is a good tool; however, many studies demonstrate that

individuals who brainstorm on their own have the greater chance of generating more
ideas. This is ideal, as individuals forget their own ideas in light of the ideas others are
generating.

P a g e | 65
To run a group brainstorming session effectively, you should:

o Make sure that you provide the relevant parties with a comfortable environment
o That one member of the team is assigned with writing ideas in your
organisation’s preferred format
o Clearly define the problem that you would like to resolve
o Use icebreakers, if people are not comfortable working together
o Give people time to generate ideas so that they can generate as many ideas as
possible
o Do not criticise and try to make sure that everyone contributes new ideas
o Encourage people to have fun during the brainstorming session
o Make sure that are sufficient ideas to work with
o Take regular breaks, if your brainstorming session is going to be a long one.
 Checklists. These are informational job aids, aimed at compensating for a human’s lack
of memory or attention. It can help you in performing the steps of a task in order and
can be used as a schedule. Checklists should be utilised to develop formal procedures
that can assist you in looking at the internal risk of activities.
Care should be taken when developing a risk, to ensure that you focus on a checklist
that helps you perform your task. They can be exhaustive. For this reason, you should
control how long they are.

P a g e | 66
 Fishbone diagrams. These are also known as Ishikawa diagrams or Cause and Effect
diagrams and look like a skeleton of a fish, as shown below:
: www.project-management-skills.com/fishbone-diagram.html
Cause and effect diagrams can also be drawn to look like a tree. As with the fishbone,
the trunk of the tree or fish should lead to a final outcome. The large branches should
represent major categories and then the smaller links lead to smaller ideas that fall
under that category.
To build a successful tree or fishbone, you need to:

o Make sure that everyone knows what the problem is
o Be clear
o Pursue each line of causality back to its root cause
o Make sure that the cause of each category is added to the tree
o For control, if the branches become overcrowded, split them
o Reflect and determine which has merit and pursue them.

P a g e | 67
 Flow charts
Flow charts are representative of a process and are used to demonstrate the steps
involved in the process.
Note that each step in the process is divided by arrows that connect the symbols. Flow
charts aim to demonstrate the steps in a process and the visual of the flow chart will
allow you to view problems in the process, so that you can take appropriate corrective
action.
Flow charts can also assist you in identifying when there are areas that are inaccurate,
unnoticed and ignored. Flow charts do not have to be accurate; they just need to give
workers a pictorial diagram from which to work from. There are three main types of
flow charts and they are:
o High level flow charts used to map the major steps in a process for a good
overview.
 C  R  M
 H a is i
az
u k n
ar
s is i
d
o Detailed flow charts that demonstrate a step by step mapping of all of the
decisions in the process:

P a g e | 68
Hazard is identified
Cause of hazard is identified
Level of risk is determined
Steps to minimise or control the hazard are identified
Hazard elimination and control implemented
Does control or step to minimise risk work?
Yes No
Problem resolved
o Deployment flow charts that are organised by columns, each column is assigned
a person or department who is responsible for the process.
Office clerk WHS WHS representative Repairman

representative
Paul Wet floor

causes Fridge is
identifies
Fridge is repaired to
wet floor employees
leaking to slip stop
and reports
leakage
it
As a flow chart is developed, flaws shall come to light. Flow charts should be created
using different types of shapes which mean different types of steps in the process.
Shapes usually include: ovals, rectangles, diamonds and clouds.

P a g e | 69
An effective flow chart shall be constructed by:

o Defining the process starting and ending points
o Completing the picture by filling the details between the start and end
o Making sure that each step is clear and honest
o Identifying steps that do not add value or time lags, which may impact on the
steps of the process; and
o Passing the flow chart to other stakeholders involved in the process and obtains
feedback from them.
Flow charts must have a clear indication of each step of the process, so that everyone is
very clear on how the process works. When you complete a flow chart ask yourself the
following questions. If you answer “no” for any of these questions, you should review
the process.
The questions are:

1. Can you identify time lags or non-value-adding steps?
2. Has responsibility been allocated to any member of staff or

department for each step?
3. Have you brainstormed any of the problems in the process?
4. Have any minor or major inputs from the brainstorming been viewed
in a cause and effect diagram?
 Scenario analysis
Scenario analysis involves the assessment of various potential future events and the
development of scenarios that will be likely to pass if specific events took place.
Scenario analysis can be helpful in risk management by reflecting on your analysis of
the internal and external environment and determining the events that may impact on
your organisation’s risk management plan.
Based on the information that you acquire, you will be able to predict possible
scenarios that will impact on your Risk Management Plan. There are five steps to the
scenario analysis process. They are:
o Defining the problem – Know precisely what you want to achieve and when you
want to achieve it.

P a g e | 70
o Gathering data – Identify trends, key factors and uncertainties that may impact
on your plan. Use the information you would find in Section 1.4 of this Learner
Guide. Another name for the study of the external market is called the PEST –
political, economic, socio-cultural and technological factors that could impact on
your plan.
o Separating certainties from the uncertainties – Separate the factors that you
believe are certain to happen from the ones that you are uncertain about. Adopt
these certainties into the plan. Prioritise the uncertainties (from highest to
lowest) and consider what impact they will have on your plan.
o Developing scenarios – Starting with your highest uncertainty, develop a story

around what you believe the impact of the uncertainty will have on your plan.
Try to balance the outcomes between good and bad to give you an idea of the
possible scenarios.
o Using scenarios in your planning – Consider the scenarios and the level of risk
that they may have to your business and start to include them tentatively in your
planning process.
When developing these scenario plans, make sure that you use evidence to back up
your ideas. To presume is not sufficient grounds upon which to develop your plan.

P a g e | 71
Learning Task 7
(Note that the aim of this assessment is for you to demonstrate that you understand the research and
consultation process of a risk. You also need to identify tools and techniques that you believe are
appropriate for the research you are undertaking. You can use your own work environment to be more
specific in answering these questions, or you can be generic in your answers.) This means that you can
use your work environment to answer these questions.
Your organisation is considering the purchase of new robots for the production of your products. You
have been asked to research the risks involved in both using and the implementation of the robots.
Answer the following questions:

Who do you believe the relevant personnel are with regards to the introduction of the new robots?
Why?

P a g e | 72
What research methods could you use to determine the risks involved in using and implementing the
robots?
What tools and techniques would you recommend to determine ways to minimise any possible risk?
Why would you use these tools and techniques?

P a g e | 73
Demonstrate your understanding of the research process by using the space below and drawing a flow
chart to demonstrate the steps that you have just completed in this Learning Task. Review and discuss
with your team or teacher.

P a g e | 74
3. Analyse risks
3.1 Assess likelihood of risks occurring
3.2 Assess impact or consequence if risks occur
3.3 Evaluate and prioritise risks for treatment

P a g e | 75
3.1 – Assess
likelihood of
risks occurring
Once a list of risks has been
identified, you will
need to learn how to
analyse the level of
risk so that you can
identify how to
minimise, control or
eliminate the risk. It is
the role of your employer
to ensure that a risk
assessment is
conducted. Risk
assessments should
also be conducted when3:
3
All notes are taken from the Occupational Health and Safety Code of Practice 2008

P a g e | 76
 New substances and plant is introduced
 New work practices and procedures are introduced
 Changes are made to process, equipment and substances.
When you consider the level of risk, you should consider the injury or disease causing the hazard. As the
level of risk rises, so too does the level of the hazards – this means that there will be more chance that
the risk will cause an injury. Part of your Risk Management Plan needs to address risk assessments. The
risk assessment needs to determine the likelihood and level of injury (severity) or disease that can result
from exposure to the hazard. When a hazard is identified, your employer should make sure that they
follow the regulations that deal with that hazard. There are usually specific regulations that deal with
the risk management of occupational electricity, driver fatigue, falls from heights, confined spaces,
construction and storage and handling of dangerous goods, noise and plant. When you are unable to
find any regulations for a hazard, then a risk assessment should be performed.
Employers need to consider:

 How often the hazard has the potential to cause harm
 The number of people exposed to the hazard
 The length of exposure to the hazard
 Amount of materials or exposure points
 The position of the employees in relation to the hazards
 The skills and experience of the people exposed
 The special characteristics of the people exposed
 Any elements that could distract personnel in the work environment
 Environmental conditions
 The work organisation – like rostering, shift arrangements and the pace in which work
should be performed
 The introduction of new work processes and procedures
 The effectiveness of existing control measures.
When talking about the likelihood, we are describing the probability or frequency of an injury or illness
occurring.
Likelihood may refer to:

 Probability of a given risk occurring, such as:
o Very likely (exposed to hazard constantly)
o Likely (exposed to hazard occasionally)

P a g e | 77
o Unlikely (could happen but only rarely)
o Highly unlikely (could happen but probably never will).
Risk Matrix
CONSEQUENCES Level of Risk
5 Fatality H E E E E
4 Major Injury H H E E E
3 Moderate Injury M M H H E
2 Minor Injury L L M H H
1 Negligible injury L L L M H
E
D C B A
Highly
Unlikely Possible Likely Very Likely
Unlikely
LIKELIHOOD
LEGEND
E Extreme risk – Detailed research and management planning required at senior

levels
H High risk – Senior management attention needed
M Moderate risk – Management responsibility must be specified
L Low risk – Manage by routine procedures
Remember, these may vary between states and territories. For the rest of this Learner Guide, risk
management shall draw from the federal WHS Act, 2011, WHS Regulations 2011 and the WHS Code of
Practice 2011. You should refer to the appropriate legislation of your State and/or Territory so you are
clear on the health and safety in your area.
Once you understand the likelihood of the hazard, you should also consider the consequences of each
injury in respect to its type.

P a g e | 78
3.2 – Assess impact or consequence if risks occur

Consequence is the outcome or impact of an occurrence. In other words, you need to be able to make a
judgement about how much harm workers may be vulnerable to if they are exposed to the hazard.
Consequences may be rated as:

 A fatality 4.
 Major or serious injury (serious damage to health that may be irreversible, requiring
medical attention and ongoing treatment). This is likely to involve significant time off
work.
 Minor injury (reversible health damage that may need medical attention but limited
ongoing treatment). This means that it is less likely to spend more than a day off work.
 Negligible injuries (might sustain slight injury and may require only primary first aid)
and no time off work.
Moderate Injury Consequence and possible likelihood form part of standard Risk Management, but you
can decide if they meet your requirements.
4
All notes are taken from the Occupational Health and Safety Code of Practice 2008

P a g e | 79
Variations of consequences in states and/or territories may include:

 Significance of outcomes if the risk occurs, such as:
 Disastrous
 Severe
 Moderate impact
 Minimal impact.
If there is an uncertainty about the level of risk, or a lack of information about the level of exposure
to the risk after a risk assessment, your employer will need to consider:
 Whether there is more information available
 What specialists are available to consult
 Whether surveys, environmental and medical monitoring are needed
 The records and data that should be reviewed including employee complaints, staff
turnover, unscheduled absences and sick leave
 Whether the organisation's culture and the behaviour of its staff add to the risk, or are
the actual risk factor; and
 Assessing the training levels and competency of the team.

P a g e | 80
3.3 – Evaluate and prioritise risks for treatment

Once you have collected your data, you need to make sure that you familiarise yourself with the risk
management system in place, so risks can be managed and controlled. These systems should be
identified and form part of the risk analysis.
The risk analysis is the study of the likelihood and consequences where you should ask:
 What is the likelihood of an incident occurring?
 If an accident occurs, what would be the magnitude of its consequence?
The level of risk created by an incident is determined by the analysis of combined impact of likelihood
and consequence. To properly identify levels of risk, the best information can be found in the types of
areas that you researched in Section 2 of this Learner Guide and may have included:
 Available records
 Results from inspections carried out
 Statistical data from various sources
 Relevant experience
 Research
 Specialist and expert judgement
 Experiments.
Much of this information can be obtained through the consultative process that you have developed
with stakeholders, using the techniques discussed above.
There are three types of risk analysis. They are qualitative, semi-quantitative and quantitative. The type
of analysis that you do will depend on the data available. In practice, most organisations will generally
use qualitative analysis to obtain an indication of risk levels. It is only when more specific and precise
indicators are required that quantitative analysis is applied.
Qualitative analysis uses scales to analyse the likelihood of an event occurring and its consequences.
These can be used to analyse different risks in different circumstances by simply varying, adapting and
adjusting them to suit.

P a g e | 81
Qualitative analysis would be used in most cases. This type of analysis is used:
 As an initial screening exercise, to identify risks that require more detailed analysis
 Where the level of risk does not justify the time and effort spent on a more detailed
analysis.
This is a review of the likelihood.
Expression Attributes
Very likely Exposed to hazard constantly
Likely Exposed to hazard occasionally
Unlikely Could happen but only rarely
Highly unlikely Could happen but probably never will
In the same way, consequences arising from an incident occurring may be qualitatively measured. An
example of a consequence measure is:
A fatality Death
Major or serious (Serious damage to health that may be irreversible, requiring

injury medical attention and ongoing treatment). This is likely to
involve significant time off work;
Minor injury (Reversible health damage that may need medical attention
but limited ongoing treatment). This means that it is less likely
to spend more than a day off work
Negligible injuries Might sustain slight injury and may require only primary first
aid, and no time off work

P a g e | 82
When the likelihood and consequence are put together, you have an example of the analysis matrix.
Risk Matrix
CONSEQUENCES Level of Risk
5 Fatality H E E E E
4 Major Injury H H E E E
3 Moderate Injury M M H H E
2 Minor Injury L L M H H
1 Negligible injury L L L M H
E
D C B A
Highly
Unlikely Possible Likely Very Likely
Unlikely
LIKELIHOOD
LEGEND
E Extreme risk – Detailed research and management planning required at senior

levels
H High risk – Senior management attention needed
M Moderate risk – Management responsibility must be specified
L Low risk – Manage by routine procedures

P a g e | 83
Risk analyses are usually aimed at the negative consequence of risk. The consequence measure
therefore reflects the losses and undesired outcome that might arise. However, risk management is
increasingly being applied to identify and prioritise opportunities, as the risk associated with not
exploiting an opportunity or embarking on a particular business strategy can be high. In many instances,
the ‘upside risks’ are potentially more serious than the risk that bad events will occur (i.e. the ‘downside
risks’).
When considering the opportunities, the likelihood measure need not change, as it will describe the
chance that a benefit will arise. The consequence measure must, however, be adjusted.
An example is as follows:
Insignificant Small benefit, low financial gain
Minor Minor improvements to image, some financial gain
Moderate Some enhancements to reputation, high financial gain
Major Enhanced reputation, major financial gain
Outstanding Significantly enhance reputation, huge financial gain

P a g e | 84
When risks and opportunities are being considered together, a two directional measure of consequence
may be appropriate.
Negative Consequence Positive Consequence
-H -H -H -M M H H H
-H -H -M -M M M H H
-H -M -M -L L M M H
-M -M -L -L L L M M
Fatality
Fatality
Major
Minor
Minor
Major
Negligible
Negligible
Likelihood
Legend (for opportunities):
L = low opportunity, manage by routine procedures
M = moderate opportunity, management responsibility must be specified
H = high opportunity, detailed planning required at senior levels to prepare for and capture opportunity.
Another way to measure risk includes the hierarchy of control. The hierarchy of control will be discussed
in more detail in Section 4 of this learner guide.
There will be times when you will not have the skills, knowledge and experience to complete a risk
assessment of a work area. When this occurs, then you may need to consult with an expert. Expert
advice may include:
 Federal, state and local government regulatory authorities
 Private consultants appropriate to the risk being evaluated.

P a g e | 85
Once you have evaluated the level of risk, it is important that you develop a priority rating. This means
that the level and acceptability of risk associated with a given event should be based only on a
recommended timeframe for management of the risk, according to the assessment and on expert
advice. Once risk level has been analysed and evaluated, it is important to prioritise the risk. Risks
should be categorised into low, medium and high risks that will be create a risk priority rating. This can
also be called a risk profile.
The risk priority rating should consider:
 Cost-benefit analysis to determine acceptance or rejection of treatment – There may

be times when your first choice is rejected by the company. The cost of the project may
surpass the benefits derived from the action plan put forward. Other factors will have
an effect, such as if the hazard is site-specific, the length in which a contract is left to
run or any other external factor.
 Development of a risk action plan incorporating:
o Specification of the risk
o Summary of recommended response and anticipated impact
o Proposed actions
o Resources required
o Responsibilities
o Timing
o Reporting and monitoring requirements
 Possible risk treatments/controls in order of priority for resolution – There may be

times where a control and treatment may cause other unforseen problems. You may
be required to prioritise the order in which these problems are resolved or in some
cases reassess the risk to identify another viable option.
 Preferred options for treatment of risks – Your organisation may have a preferred
treatment for risks. These should be considered when you are determining which
control measure or treatment you are going to recommend.
 Timetable for implementation – Timing may also impact when a treatment/control is

implemented. For example you may only be able to obtain engineering assistance
during normal business hours and the access to an area may only be allowed outside
business hours.
Management and staff will be in the best position to determine and evaluate the risk
profile of your organisation, operation, program, project or individual. Before
implementing a risk management strategy, you should spend time determining what
the risk profile will be.

P a g e | 86
Learning Task 8
Identify a hazard in the workplace. What is the hazard?
_____________________________________________________________________
_____________________________________________________________________
_____________________________________________________________________
_____________________________________________________________________
_____________________________________________________________________
Complete a risk assessment for the hazard and answer the following questions. Use the tables
provided to answer the following questions:
Very likely Exposed to hazard constantly
Likely Exposed to hazard occasionally
Unlikely Could happen but only rarely
Highly unlikely Could happen but probably never will
What is the likelihood that an incident will arise from the hazard?

P a g e | 87
A fatality Death
Major or serious (Serious damage to health that may be irreversible, requiring

injury medical attention and ongoing treatment). This is likely to
involve significant time off work;
Minor injury (Reversible health damage that may need medical attention
but limited ongoing treatment). This means that it is less likely
to spend more than a day off work
Negligible injuries Might sustain slight injury (may require only primary first aid)
and no time off work
If an incident occurs due to an incident, what rating would you give the incident?

P a g e | 88
Based on the answers to the last two questions, what is the likelihood and consequence of the incident?

P a g e | 89
Negative Consequence Positive Consequence
-H -H -H -M M H H H
-H -H -M -M M M H H
-H -M -M -L L M M H
-M -M -L -L L L M M
Fatality
Fatality
Major
Minor
Minor
Major
Negligible
Negligible
Likelihood
Legend (for opportunities):
L = low risk, manage by routine procedures
M = moderate risk, management responsibility must be specified
S = significant risk, senior management
H = high risk, immediate action needed

P a g e | 90
Now consider the positive and negative consequences. Do you think the positives outweigh the
negatives? In your answer, make a recommendation on whether you believe that immediate action
should be taken and why?

P a g e | 91
4. Select and implement treatments

4.1 Determine and select most appropriate options for treating risks
4.2 Develop an action plan for implementing risk treatment
4.3 Communicate risk management processes to relevant parties
4.4 Ensure all documentation is in order and appropriately stored
4.5 Implement and monitor action plan
4.6 Evaluate risk management process

P a g e | 92
4.1 – Determine and select most appropriate options for treating risks
There are times when the most effective control measure cannot be implemented immediately. Lack of
funds, resources or physical means that employers will need to identify and prioritise the
implementation of a control measure – this will be determined according to the organisation’s risk
profile for the hazard. High-level risks should be implemented before medium and low-level risks.
Remember, a risk profile is how the organisation rates the hazards, such as whether a risk is low,
medium or high level risk.
Your employer has a duty of care to ensure that employees have a safe work environment to work in.
This means that part of their Risk Management Plan is to eliminate the risk and, if they are unable to
eliminate the risk, they need to minimise it by:
 Controlling employees exposure to the risk
 Do not make changes just so they create a new hazard; and
 Allows employees and contractors to work in a safe and comfortable work

environment.
To do this, employers should use the Hierarchy of Control pyramid. The Hierarchy of Control pyramid
aims to assist employers with the appropriate way in which to control risk. It includes:
: Hierarchy of Control Pyramid

P a g e | 93
The following section is adapted from the WHS Code of Practice 2011. Employers need to start at the
top of the hierarchy and work their way down. The hierarchy of control pyramid is structured in the
following way.
Eliminate the hazard
The elimination of hazards is a very effective control measure. Elimination prevents:

 Human error
 Lack of awareness
 Stress
 Fatigue
 From influencing the selection of control measures
 From acting in an uncontrolled manner
 Giving priority to operational or production plans.
Elimination includes:
 Removing trip hazards
 Disposing of unwanted chemicals
 Removing hazardous plant or substances
 Promptly repairing damaged equipment
 Increasing the use of e-mail to reduce excessive photocopying and collation.
The best time in which to use elimination is at the design stage of a process, equipment or plant. This is
referred to as a safe design; these practices are applied all at once and have a positive impact on health
and safety in the workplace. When no hazards exist, no risk, injury or illness exists. When elimination is
not appropriate, then your employer should minimise the risk by substituting or modifying he hazard.

P a g e | 94
If this is not
possible, then:
Substitute or modify the hazard
Substitution or modification of a hazard ensures that the hazard is minimised. Substitution or

modification should only be considered when risk to employees has been identified and when the
changes will decrease the level of risk for the person performing the task.
Examples of substitution include:

 Substitution of a hazardous chemical with a less hazardous chemical
 Substitution of telephone headsets with headsets in a reception area
 Substitute of smaller package or container to reduce the risk of manual lifting injuries
like back strain.
If this is not
possible, then:
Isolate the hazard
The aim of isolation is to separate the employees from the hazard. This can be performed by putting up
signs and barricades or placing the hazard in a separate room; thereby removing the hazard from the
main work area.
Examples of isolation include:

 Use of a fume cupboard to isolate and store chemicals
 Use of remote handling equipment for hazardous substances and procedures.

P a g e | 95
If this is not
possible, then:
Use engineering controls to control the hazard at its source
Engineering controls is the next control option to minimise risk within the hierarchy of controls.
Engineering controls includes engineering modifications to plant or to a system of work needing to be
changed.
Engineering controls include:

 Modification to plan
 Installation of guarding on machinery
 Use of a ventilation system to remove chemical fumes or dust.
If this is not
possible, then:
Use Administrative controls
Administrative controls include changing procedures and practices to minimise risk. Administrative
controls should be used to back up and supplement other controls that have been put in place. These
control measures may be needed when your employer waits for the evaluation and implementation of
other control measures.
Examples of administration controls include:

 Regular maintenance of equipment and plant
 Written procedures for all equipment and work procedures
 A training, education and supervision program for employees/contractors, which

includes preventative maintenance and housekeeping procedures.

P a g e | 96
If this is not
possible, then:
Use personal protective equipment (PPE)
The final control measure under the hierarchy of control pyramid is the use of personal protective
equipment (PPE). PPE should only be used when the higher control measures are not appropriate or
adequate. They can be used as a final barrier between the hazard and the employee. The use of PPE
may require your employer to make sure that you change your behaviour, as it does not control the
hazard. The PPE must be appropriate for the type of work the employer/employee is doing.
Employers should train employees and contractors in the correct use and maintenance of PPE.
Supervision would also be needed, to make sure that staff are compliant in the use of the Personal
Protective Equipment.

P a g e | 97
Learning Task 9
A member of your team is confused about the options under the hierarchy of control. Use the options
below to assist her in understanding the hierarchy of control pyramid. Briefly explain why you chose the
control measure/s you have.
Option Control measure Why did you choose this

measure?
Avoiding the risk
Changing the consequences
Changing the likelihood
Retaining the risk

P a g e | 98
Sharing the risk with a third

party

P a g e | 99
4.2 – Develop an action plan for implementing risk treatment

The aim of a risk management action plan is to ensure that risk management is embedded in the culture
of the organisation and to ensure that the organisation maintains risk management best practice. It
outlines how an organisation is going to identify, minimise and/or control the risk, including monitoring
and reviewing the risk management process.
The action plan should cover the following areas:

1. Introduction
1.1. Purpose of the Action Plan:
This should include what the risk management plan is for. You
may even write a Risk Management Statement
1.2. Goals of the organisation’s Risk Management:
What are the organisation’s goals? I.e. to ensure that the highest
levels of risk are identified and properly management, risk is
focused where it is needed.
1. Context and Background
2.1. What Risk Management is:
Define risk management and its importance to the organisation.
2.2. Benefits of the plan:
How does your Risk Management Plan benefit your organisation? E.g. meet your legal
obligations
2.3. Organisation's background :
What is the organisation’s background and the areas where risk management has been
applied? E.g. may include policy and procedures, the use of specification, equipment
checks, tests and quality assurance.

P a g e | 100
2. Risk Management at your organisation
3.1. Overview of the risk process:
How risk is handled in the organisation

P a g e | 101
3.2. Risk Management structure and responsibilities:
How is your risk management plan structured? Who is responsible for individual tasks and
in what areas? Who is each party accountable to? Does your organisation, for example,
have a Risk Management Steering Committee?
3.3. How the plan is implemented:
How is the plan implemented? At what level is it implemented at? How is it documented?
What levels of risk are acceptable? How is risk management recorded and documented?
What contingency plans does the organisation have in place?
3.4. Timeframe:
The timeframe should consider who obtains copies of the Action and Risk Management
Plan? When? Other factors that may be included are: training, timeframes for review and
when documentation should be completed and submitted to the Board/Manager,
depending on the size of the organisation.
3.5. Monitoring and review:
Most organisations review their plans annually and align it with their planning process.
Continuous improvement is a legislative WHS requirement, so organisations must
demonstrate that they are working to improve their operations.

P a g e | 102
3. Initial risk identification and risk treatment
4.1. Risk criteria:
In this section, you need to prioritise the importance of Risk Management, in terms of
how it can impact on the organisation. For example, if too many people are injured in the
workplace, the organisation’s reputation will be negatively affected.
4.2. Summary of the organisation’s risks:
This section should include the risk exposures present within the organisation, as
demonstrated by the above graph. The meaning of the graph includes:
o Residual risk – the remaining level of risks after risk measures have been
undertaken.
o Under action – A plan is in place for the action to be done, including who is doing
the plan, the resources needed, the costs and timing targets.
o Controlled – Refers to the level of risks that have been controlled and
maintained at an acceptable level.
o Based on the findings, the scope would probably need to be reviewed, so the
progress is maintained within the Risk Management Plan
1.1. Detail Assessment of the organisation's risks
A detailed report of the organisation’s Risk Management Plan should be shown on a bar
chart, with individual appraisals of the risks. These should be demonstrated in the
organisation’s risk register.

P a g e | 103
4.3 – Communicate risk management processes to relevant parties

Once you have completed your risk management action plan, you need to communicate the plan to the
appropriate parties. The information communicated should align with the needs of the recipient.
For example, a line worker would only need the information to perform their duties and tasks correctly.
Line supervisors would need sufficient information to make sure that their team has the knowledge to
perform their tasks correctly. This would also include making sure that their team had access to
documentation and procedures, so that the empowered team member would be able to make informed
and up-to-date decisions, with regards to their jobs and their work area.

P a g e | 104
The information that will be communicated will vary between organisations and may include the
following internal reporting and communication:
Who to communicate What may be communicated?

with?
Team  Their accountability for individual tasks

Members/Contractors  Understand how they can enable continuous improvement risk
management response
 Understand that risk management and risk awareness are a key part
of the organisation’s culture
 Report systematically and promptly to senior management any
failures or new risks
Leading  Level of authority

hands/supervisors  Risk assessments
 Risk register
 Communicate risks to management
 Ensure policies and procedures are available
 Ensure team members are meeting obligations
 Consult with external sources and stakeholders
Management  Authorise risk management practices within their scope of authority

 Consultant with external consultants
 Individual plan implementation
 Report to the Risk Management Committee and/or senior
management
 Understand that risks management is an ongoing part of the
organisation’s culture
 Performance indicators that allow them to monitor their business
and financial activity progress towards objectives and identify
developments that require intervention
 Training (allocation and confirmation of)
Risk Management  Coordinating the regular formal updating of Business Unit and
Committee corporate Risk Registers and Risk Treatment Action Plans and
compiling a master set;
 Maintaining corporate risk and risk control information;
 Ensuring that all relevant risk areas are considered, including those
emanating from the services of external providers and contractors;
 Analysis and reporting to the organisation’s executive;
 Ensuring appropriate linkages to the organisation’s business and
corporate planning processes and, where necessary, to budget
processes.

P a g e | 105
Board of Directors  Corporate Strategy and planning and aligning strategies to

organisational risk management plan
 Review of Risk Treatment Action Plans
 Know the significant risks to the organisation
 That awareness runs throughout the whole organisation
 Manage communications with the stakeholders as required
 Publish the risk management policy
 How the organisation will manage a crisis
Information must be made available to all stakeholders, so that all members of the team are protected
from risk. The more current the information is, the better position stakeholders will be in to provide
informed decisions.
When providing information to team members, it is important to make sure that they do not access
information that exceeds their level of authority. Breach of privacy of personnel and stakeholders can
bring with it hefty fines and, in some cases, fines. If you are in a position where you are not aware of the
level of authority that a stakeholder has, consult your organisation's policies and procedures or consult
with management. If necessary, consult with your client to obtain permission for external parties to
help in managing risk.
Information should be communicated to stakeholders to:

 Ensure that they are aware of a problem and what impact it may have on their
activities
 Ensure that they have sufficient information to consider alternatives and the feasibility
of suggestions.
When you communicate information, make sure that it is in a format that is easy to
access and understand. For example, if you are required to provide personnel with a lot of
facts and figures, then the information will be easier to read if it is in a graph to
demonstrate a change in trends, a variation in the level of risk staff are exposed to or
other variables. This information can be used to demonstrate when a hazard becomes a
risk.
The way in which information is communicated will vary according to the policies and
procedures of the organisation. Emails are an excellent way to keep a record of staff that
have received their emails and allow the organisation to maintain a trail to demonstrate
their continuous improvement process.

P a g e | 106
As a part of the consultative process, it is important that you discuss the hazard with relevant
stakeholders, with regards to the evaluation of the Risk Management Plan. This means that you should
communicate with:
 Workers, supervisors and health and safety representatives – What staff should you
consult with? Do you have a reporting structure that you need to follow, with regards
to the site? Does your client have safety representatives that need to be consulted
with, if you make changes to the way in which a task is performed? If you answered yes
to any of these questions, then it is important to consult with appropriate personnel
and communicate any changes that you may implement.
 Stakeholders who may be exposed to the control measure – Employees of your

organisation may not be the only party that is exposed to risk. Other stakeholders
should also be included. However, you may also consider members of the public. If
there is any chance that a member of the public is exposed to risk, then it is important
to take steps to ensure that they are aware of the risk.
 Consult and monitor incident reports – Communicate your findings, as your relevant
stakeholders may have important information that they can add to improving the Risk
Management Plan. Incident reports can also assist in identifying the impact changes to
procedures which can be sourced from an increase or variation of incidence in a work
area. If stakeholders are aware of these incidents, then they will be able to take steps
to control the risk.
 Review safety committee meeting meetings where possible – The review process
needs to integrate key performance indicators of the organisation. The risk
management plan needs to link personal performance and drivers, to make sure that
they are measurable to the organisation. For example, by changing the way a
procedure is performed, you will save the organisation money with a decrease in
injuries. This ensures that public liability insurance does not increase and that work
health and safety legislation is not breached, avoiding fines.

P a g e | 107
Learning Task 10
What risk management processes are
communicated to you?
Do you believe that this information is appropriate or should you receive more or less information?
Why? Why not?

P a g e | 108
4.4 – Ensure all documentation is in order and appropriately stored

Your organisation has a legal obligation to maintain records of all hazards that have been identified by
staff within a work area. Most State/Territory legislation requires that a workplace keeps certain records
for a specified period of time. It is important to make sure that you know how long these records should
be kept in your State/Territory.
The organisation's documentation will include external reporting, where the organisation will:
 To their external stakeholders on a regular basis setting out the organisation's risk
management policies and the effectiveness of its objectives. Many stakeholders now
look to the organisation to provide non-financial information, such as its community
affairs, human rights, employment practices, health and safety and the environment.
This is usually a part of good governance, where the organisation protects the interests
of their stakeholders
 To government bodies if an incident arises from a hazard, such as to the worker’s

compensation body of each State/Territory.
Other records, such as health and safety in the workplace, should be kept as part of the risk
management process. It is important to make sure that your team and any other personnel within your
organisation are aware of the organisation's record-keeping requirements, where the records can be
found and how to access to them. Record keeping is a good work practice and should increase the
efficiency of the workplace.
Documents are recorded to ensure that the State/Territory WHS Act is complied with. Risk is recorded
to:
 Ensure that the risk management process follows the correct legislative requirements
 Provide management and decision makers with a plan that ensures that risk exposures
are addressed in a logical manner
 Provide an audit trail in the case that processes are followed up
 Share and communicate risk management activities to employees and other

stakeholders
 Provide accountability that supports the organisation's

strategic and risk management plans
 Facilitate continuous monitoring and review of risk

management.

P a g e | 109
Management will usually write individual work area reports on the progress of risk management
programs for the risk management or workplace health and safety committee. These reports will, in
most instances, include:
 Compliance and due diligence statement
 First Aid/medical post records
 Hazardous substances registers
 Health surveillance and workplace environmental monitoring records
 Maintenance and testing reports
 Manufacturers’ and suppliers’ information, including SDS and dangerous goods storage
lists
 Mentoring and auditing documents
 WHS audits and inspection reports
 Records of instruction and training
 Risk management policy statement
 Risk register
 Risk treatment and action plan
 Safety bulletins or notices
 Workers’ compensation and injury management records
These documents leave a trail. This trail provides evidence that the
organisation is complying with their legal obligations. The aim of this evidence is to ensure that your
 Demonstrate that the risk assessment process is conducted properly
 Provide management and other decision makers with a plan that addresses the key
exposures for the organisation in a logical and prioritised way
 Provide an accountability mechanism aimed at supporting the corporate plan
 Facilitate continuous monitoring and review of risk management
 Provide an audit trail for the follow-up of key actions related to the exposures being
addressed
 Share and communicate risk management activities among all staff members, most
particularly with staff.
Documentations are important to an organisation. They not only leave an audit trail, they provide a
historical account of risk management processes for the organisation, which can be used to improve its
risk management policies and procedures.

P a g e | 110
Files need to be secured, to ensure that unauthorised personnel cannot access them. To ensure that the
organisation’s confidentiality and the privacy of the team members and external specialists are
maintained, files are usually kept under lock and key, in a secured location. This may be a storage facility
separate from the organisation or a secured room designated for the files.

P a g e | 111
Learning Task 11
What is the importance of making sure that your documentation is completed and processed correctly?

P a g e | 112
4.5 – Implement and monitor action plan

Once an action plan has been developed, it needs to be implemented as soon as possible. It is important
to make sure that the action plan is reported to workgroups and stakeholders.
The information that you need communicate in every step of the process includes:
 Decisions made, with regards to resolving a hazard
 How a change in a procedure is implemented and why the change is implemented
 How the benefits of the change will benefit all parties. Research has shown that if
stakeholders understand how a specific change impacts on them, they will be more
than inclined to take ownership of the change
 The benefits of working safely
 The consequences if they fail to follow the control measures.
For your action plan to succeed, you need to make sure that you gain the support and cooperation of
key personnel at all levels. This means that you need to make sure that you communicate your action
plan to key personnel and that you create awareness of the plan.
To implement an action plan, you should:

1. Create a communication plan that requires you to identify all of the key personnel and
determine what information they need, and adapt the way that you communicate with
them to meet their needs
2. Raise awareness by assigning key personnel with authority over different sections of
the action plan. If necessary, provide them with training and support while they learn
their roles and responsibilities. By allocating key personnel with charge of an area, they
will become involved in the action plan and will feel like they are making a difference in
how the organisation works, meaning they will take more ownership in the success of
the action plan.
Another way to further awareness is to obtain the support of management. Not all
managers will be involved with the action plan. They may not even be aware of the
plan. What you need to do is increase their awareness, so that employees will become
empowered. One way you can improve awareness is through communicating the
action plan with methods applicable to the audience, such as in formal meetings, to
keep the managers up-to-date on progress and changes to the action plan.

P a g e | 113
3. Build capacity. Systems and training should be used to build

the skills and knowledge to build the success of the action
plan by building organisational capacity. Research
demonstrates that the level of employee participation will
increase as their knowledge and confidence rises.
Training should be used to help employees understand the

importance of their performance and its connection to the
information gathered, so that informed decisions can be
made. Training provides the chance to gather feedback and
evaluations, especially as training creates an awareness of
the organisation’s systems.
Training may include how to operate equipment, following organisational procedures

for reporting, monitoring and data collection, and specialised training in using and
maintaining equipment so that they operate at an efficient level.
4. Motivate. Motivation is also another important tool for developing staff participation
in the implementation of the action plan. This can be done by empowering your team.
Stakeholders can be empowered by:

o Offering incentives to create interest and foster employee ownership
o Recognising individual and group efforts
o Offering bonuses and rewards for goals that have been met
o Using environmental messages that they relate to
o Letting stakeholders know the cost if they do not follow procedures; and
o Linking the performance of the stakeholder to the organisation's goals.
5. Track and Monitor. Tracking should be used to demonstrate that the organisation is
monitoring the success and/or failure of the action plan. Tracking should be centralised
and aimed at measuring progress, with regards to meeting the organisation’s
deadlines, goals and milestones.
Once a problem in the action plan is identified, corrective action should be taken and a
reassessment completed, to ensure that the corrective action has done what it was
supposed to do.
This means that you should perform regular updates to make sure that the corrective
action is appropriate, conduct periodic reviews to make sure that risk management and
ensure action plan goals are being met and that the corrective action is still
appropriate.

P a g e | 114
Learning Task 12
When an action plan is implemented; awareness and motivation need to be communicated to your
stakeholders. How would you create this awareness and motivate your team into becoming empowered
in the implementation of the plan? Why would you do this?

P a g e | 115
4.6 – Evaluate risk management process

Risk management is an ongoing process. Risks will change as the environment changes. For example,
you introduce a new piece of equipment to a work site. New risks will arise when the equipment makes
a job easier or changes the way in which other tasks are perform. Risk will arise by the introduction of
the equipment.
Good risk management places emphasis on monitoring and reviewing all current organisational plans,
strategies, systems and controls. Monitoring ensures that, as risks change, new control measures are
introduced.
Ongoing review of the risk management process is required, to ensure that the plan remains relevant to
the workplace. Factors that may impact upon risk assessments and control measures can also change
over time. This means that the risk management process should be repeated regularly, to ensure that
the risk management process remains effective.
There are many methods that can be used to monitor and review procedures and these should be
considered part of your management plan. You can complete:
 Self-assessments
 Physical inspections
 Checking and monitoring success of actions
 Audit and reassessment of risks to achieving objectives
 Key dates, time frames and deadlines should be set for communicating, monitoring,
reporting and review.

P a g e | 116
When you monitor the effectiveness of control measures, it is helpful to ask the following questions:
Have the chosen control measures been implemented as planned? Yes No
Are the chosen control measures in place?
Are the measures being used?
Are the measures being used correctly?
Are the chosen control measures working? Yes No
Have any of the changes made to manage exposure to the assessed
risks achieved what was intended?
Has exposure to the assessed risks been eliminated or adequately
reduced?
Are there any new problems? Yes No
Have the implemented control measures introduced any new
problems?
Have the implemented control measures resulted in the worsening
of any existing problems?
Comments

P a g e | 117
You should be able to answer the following questions:

 Has the risk management process added value for your company?
 Are the outcomes of the program measurable?
 Would you make a decision to contract or expand the risk program based on this
information?

P a g e | 118
Learning Task 13
How is risk evaluated in your organisation?
Do you believe that it is evaluated sufficiently? Why? Why not?

P a g e | 119
Congratulations!
You have now finished the unit BSBRSK501B ‘Manage risks'.

P a g e | 120
References
ASQ – The Global Voice of Quality

Continuous Improvement
URL Address: http://asq.org/learn-about-quality/project-planning-tools/overview/pdca-cycle.html
Access Date: 18.09.2014
Australian Government
Department of Foreign Affairs and Trade
URL Address: http://dfat.gov.au/pages/default.aspx
Brown, A., & Weiner, E. (1985). Supermanaging: How to harness change for personal and organisational
success. New York: Mentor
Clutterback, D. and Hirst, S (2002). “Leadership communication: A status report”, Journal of

Communication Management, Vol 6(4), pp.351-354.
Empowerment – Defined
URL Address:
http://web.worldbank.org/WBSITE/EXTERNAL/TOPICS/EXTPOVERTY/EXTEMPOWERMENT/0,,conte
ntMDK:20245753~pagePK:210058~piPK:210062~theSitePK:486411,00.html
Galorath, D. (2006). “Risk Management Success Factors”, PM World Today, Vol 8(11),
URL Address: http://www.pmforum.org/library/tips/2006/PDFs/12-06-Galorath-
Risk_Management_Success_Factors.pdf
Grabowski, M and Roberts, K. (1999), “Risk mitigation in virtual organisations” Organisational Science.
Vol 10(6). PP.704-722.
Mayer, R.C., Davis, J.H., & Schoorman, F.D. (1995). “An integrative model of organisational Trust”,
Academy of Management Review. Vol. 20 (3), pp. 709 – 734
McAllister, D. J. (1995), “Affect and cognition-based trust as foundations for interpersonal cooperation
in organisations,” Academy of Management Journal, Vol. 38(1), pp.24-59
Muller, R. (2009), Critical Success Factors for effective risk management procedures in financial
industries: A study from the perspectives of the financial institutions in Thailand. Umea University.
Master Thesis

P a g e | 121
Work Health and Safety Act 2011

Work Health and Safety Code of Practice 2011
Work Health and Safety (Safety Standards) Regulations 2011
URL Address: http://www.comcare.gov.au/the_scheme/the_whs_act/codes_of_practice
Raising the standard – the new ISO risk management standard (Purdy, G. 2009)
URL Address: http://www.acera.unimelb.edu.au/sra/2009/Presentations/Purdy.pdf
Risk Management Guide by Shon Harris

URL Address: http://searchsecurity.techtarget.com/tip/Understanding-risk
Rochart, J.F. (1979). “Chief executives define their own data needs”, Harvard Business Review, Vol 57
(2), pp.81-93.
Safety Consultative Process

URL Address: http://safetyconcepts.com.au/474/safety-consultative-process/
SWOTMatrix.com – The Easy Guide to SWOT Analysis

URL Address: http://SWOTmatrix.com/SWOT-strengths.html
The External Environment

URL Address: http://www.thetimes100.co.uk/theory/theory--the-external-environment--236.php
The Law Handbook

The Australian Legal System
URL Address: http://www.lawhandbook.org.au/fact_sheets/ch01.php
Wilhelm, L – Five Steps to Giving Good Constructive Feedback

URL Address: http://www.expressyourselftosuccess.com/five-steps-to-giving-constructive-feedback

BSBRSK501 Risk Management LG

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

BSBRSK501 Risk Management LG

Uploaded by

Copyright:

Available Formats

BSBRSK501

SBTA BSBRSK501 Learner Guide version 1 16 June 2015

SBTA BSBRSK501 Learner Guide version 1 16 June 2015

1.5 – Review strengths and weaknesses of existing arrangements...................................................47

SBTA BSBRSK501 Learner Guide version 1 16 June 2015

Regulation, Licensing and Risk Management

SBTA BSBRSK501 Learner Guide version 1 16 June 2015

1. Establish risk context 1.1 Review organisational processes, procedures and

3. Analyse risk 3.1 Assess likelihood of risks occurring

SBTA BSBRSK501 Learner Guide version 1 16 June 2015

Skill Performance Description

Oral 1.8, 2.1, 2.3, 4.3  Participates in interactions with stakeholders

Numeracy 2.2  Uses numerical tools to assess risk and uses

Navigate the 1.1, 2.1, 4.3  Refers to organisational processes, procedures

SBTA BSBRSK501 Learner Guide version 1 16 June 2015

Evidence of the ability to:

Assessment must be conducted in a safe environment where evidence gathered demonstrates

 Relevant legislation, regulations, standards and codes

Assessors must satisfy NVR/AQTF assessor requirements.

Companion volumes available from the IBSA website: http://www.ibsa.org.au/companion_volumes -

SBTA BSBRSK501 Learner Guide version 1 16 June 2015

 That this is an interactive course and you should ask questions.

 Ground rules for participation:

o Support and encourage other participants

o When someone is contributing everyone else is quiet

o Be patient with others who may not be grasping the ideas

o Focus discussion on the topic

o Speak to the trainer if you have any concerns

 Know how to identify risk

 Learn how to analyse risk

 Understand how to select and implement treatments

 Gain skills and knowledge required for this unit

SBTA BSBRSK501 Learner Guide version 1 16 June 2015

1. Establish risk context

1.2 Determine scope for risk management process

1.3 Identify internal and external stakeholders and their issues

1.5 Review strengths and weaknesses of existing arrangements

1.7 Obtain support for risk management activities

SBTA BSBRSK501 Learner Guide version 1 16 June 2015

1.1 – Review organisational processes, procedures and requirements for

Building on AS/NZS 4360:2004, ISO 31000 aims to improve and advance

Risk is defined by ISO 31000 as “effect of uncertainty on objectives” which

SBTA BSBRSK501 Learner Guide version 1 16 June 2015

State/ Office URL address

ACT WorkSafe www.worksafe.act.gov.au

NSW WorkCover www.workcover.nsw.gov.au

QLD WorkCover www.workcoverqld.com.au

TAS WorkCover www.workcover.tas.gov.au

VIC WorkSafe www.worksafe.vic.gov.au

 Work Health and Safety (Transitional and Consequential) Act 2011 (Cth).

 Work Health and Safety Regulations 2011 (Cth).

 Work Health and Safety Approved Codes of Practice 2011 (Cth).

The legislative framework

SBTA BSBRSK501 Learner Guide version 1 16 June 2015

The objectives of the Act are to:

 To protect employees from risk arising from their roles

 To provide remedies when obligations at not met, through civil remedies.

SBTA BSBRSK501 Learner Guide version 1 16 June 2015

These regulations cover:

 The details about incident notifications.

Building on the Legislative framework demonstrated above, we now have:

SBTA BSBRSK501 Learner Guide version 1 16 June 2015

 Provide guidance to areas previously excluded

 Only refers to AS/NZ Standards where necessary for technical matters