Professional Documents
Culture Documents
Risk Management is not difficult but it does require rigor and discipline in applying
the method. The steps in the risk management process may typically follow the
following succession:
1 Preparation and understanding of the context in which the risk assessment is
being carried out (what are to be accomplished? What areas of concern are to be
looked into)
2 Identification of potential risks and outcomes (What could happen and what would
be the result if it did happen?)
3 Identification and valuing of controls in place which have a mitigating effect on the
risk (What’s in place now that reduces either the likelihood of the risk occurring or
the consequence if the risk does occur?)
4 Analysis of the risk in terms of its likelihood to occur and consequence if it does
occur thus producing a risk that is either acceptable or unacceptable. (Determined
by using the Risk Likelihood/Consequence Matrix.)
5 Development and implementation of an appropriate strategy and action plan to
reduce the unacceptable risks. (What action can be taken to reduce either the
Likelihood or Consequence of the risk?)
6 Appropriate monitoring and reporting of both the treatment strategy and overall
effectiveness of the risk management process.
7 Risk management is only a tool. How well it works is determined by how much
effort are applied and how diligent people are in following the processes.
There are two other basic principles that should remember about Risk Management.
• 1 — Manage risk where risk occurs — across the whole organization, all of its
activities, indoors, outdoors, projects, programs, age groups, administration, assets
and equipment, publicity, fundraising, financial management.
• 2 — Establish some priorities — what are visualized as the most important types of
risks when confronted with a number of Unacceptable Risks. There will often be
more risks than can be managed and some risks are more important than others.
Risk is the chance of something happening that will have an impact upon
objectives. Risk is measured in terms of likelihood and consequences.
Holistic Risk Management: Risk Management that takes into all types and areas of
risks that are related to the whole organization.
Another thing to have in place in our minds is that we are talking here about holistic
risk management. Holistic — the whole organization. We can look at that in a number of
ways.
Start with the Area of Risk that you want to work with. As an example, the area of
Financial Management is too broad for effective assessment. So, it might be broken down
into its sub-topics, one of which is Funding. That sub-topic can still be broken down into
more manageable topics — Funding is Late, Funding is Terminated. Under Funding is
Late, a level might be looked into such as — Cash Flow Issues — where the real risks
are easier to see, analyze and manage.
There is value in dealing with groups of similar risks, rather than one risk at a time.
And there is also value in resources and funding, and in looking for strategies that will
mitigate more than one risk at a time. So, groups of similar risks may be handled at the
same time to make risk management very efficient and cost effective.
IDENTIFY RISKS
What can happen?
How can it happen?
M
o
ni
ANALYSE RISKS to
r
Determine existing Controls
an
Determine Likelihood d
Determine Consequence R
Establish Level of Risk ev
ie
w
ASSESS RISKS
Compare against Criteria
Set Priorities
TREAT RISK
Identify Treatment Strategies
Evaluate Treatment Options
Prepare Implementation Plans
Implement Plans
It is opined that if risk is defined as the chance of something happening that will
have an impact on objectives, measured in terms of likelihood and consequences,
(Risk Management Standard AS/NZS 4360), then we have to have four things in
place:
• A clear understanding of our Organization’s Goals (which we have from
planning)
• A clear understanding of the likelihood of something happening
• A clear understanding of the consequences of something happening
• Some form of matrix which allows to combine likelihood and consequence and arrive
at a risk rating which allows the separation of Unacceptable from Acceptable Risk.
Qualitative or Quantitative?
Certainly, quantitative measures are mostly the preference upon which to rest the
risk assessment questions. But information may not be available very often, and
budgets are difficult to get, compounded by the high level of confidentiality of resources
necessary to get quantitative data. With these impediments un-responded, risk
management programs will never get off the ground. That’s a reality. That’s a
practicality. So, such programs shall get on with what it has.
Controls in Place
Code Description
A difficult, but important, task when building the consequence and likelihood
matrix is to determine what constitutes an Almost Certain and what constitutes a Rare;
what is a consequence rated Significant and what rates a Catastrophic.
The answers may come from a number of sources, some subjective and qualitative,
some objective and quantitative. With rising costs and diminishing budgets, it is not
always within an organization’s ability to carry out scientific and technical
measurements and studies. There is a growing body of evidence that suggests that a
group of experienced people, armed with some history, some local knowledge – their
own or by adding some selected stakeholders – working in good faith and within their
training, skills, and knowledge can deliver a credible analysis.
Consequences
1 2 3 4 5
Insignificant Minor Moderate Major Catastrophic
Likelihood I
A
Almost
Certain S S H H H
B
Likely M S S H H
C
Possible L M S H H
D
Unlikely L L M S H
E
Rare L L M S S