Tony Rizk – Smart Academy

22 April 2009

Session 1:

Identify risks

Risk in an organisational setting
• Risk is unavoidable and a natural part of virtually every

human situation. It is present in our daily lives, when we are awake or asleep, and in both public and private sector organisations. • Risk management is about being pre-emptive, rather than reactive. Any manager should actively seek to identify and determine how to prevent risk from happening. This may mean modifying current processes, practices, thinking or systems to maximise our chances of success while minimising the factors that may promote failure, injury or loss

Risk and its management
• Risk can be defined as the combination of the probability

of an event and its consequences (ISO/IEC Guide 73:2002 Risk Management). • Risk management is the process of identifying potential negative events and the development of plans to mitigate or minimise the likelihood of the negative event occurring and/or the consequences resulting if that event did occur.

Risk factors
Risks may include such factors as:
• Occupational health and safety (including • •

Risks may need to be managed to:
• Avoid creating more risk • Sort negative from positive risks • Decrease unexpected and unwanted events • Develop an operational and organisational • • • • • • •

• • • •

• •

disease) Environmental Product failure Financial or economic loss/failure Damage to property/equipment Industrial disputes Professional incompetence Natural disasters Security failure Equipment/system failure Breaches of privacy

profile of existing risks Decrease possible vulnerabilities Increase preparedness for unexpected and unwanted events More efficiently prioritise the treatment of risks Avoid waste, errors or defects that may result from untreated risks Protect people and customers from harm Control risks Build risk management into its culture

customers. . This includes: • Strategic level – spans across functions. or specific markets. products and services. products and services. • Operational level – within a function. • Team/task level – within a team. occupational. processes.Risk and levels within the organistion • Risk management can occur at all levels of management and operations. operational area. professional or specific job role. customers.

evaluating. analysing. establishing the context. identifying.Risk management process • The risk management process is a: … the systematic application of management policies. page 5) . procedures and practices to the tasks of communicating. monitoring and reviewing risk (AS/NZS 4360:2004. treating.

Risk Management Process .

• It is at this stage study of the environment should occur. operational or project) will set the scope for the risk management process and guide how actions at all stages of the process can later be evaluated. This will confirm if the risks being addressed result from factors that are external and/or internal to the organisation .Establish goals and context • At this first stage establish the external and internal risk management context in which the overall risk management process will take place. The alignment of criteria against goals and objectives (organisation. • Establish categories and criteria against which risk will be evaluated and shape later risk analysis activities.

Identify risk • This stage is the first step in the 3 steps associated with risk assessment. delay or enhance the achievement of the objectives. It is important to specifically classify (identify and code) risks and confirm the source and impact of the risk so treatments strategies can later be shaped correctly . when. degrade. why and how events could prevent. At this stage identify where.

This analysis should cover the range of potential consequences and how they could occur. Determine the consequences and likelihood and therefore the overall rating for the level of risk. At this stage identify and evaluate existing controls. .Analyse risks • This stage is the second step in the three steps associated with risk assessment.

Evaluate risks • This stage is the fourth stage in the risk management process and the final step in risk assessment. At this stage determine whether the risks are acceptable or unacceptable. and consider the balance between potential benefits and costs. Compare estimated levels of risk against the pre-established risk categories and criteria. Given the person’s authority the evaluation stage will inform the treatments required and priorities. . The level of risk will need to be considered so as to determine who has the authority to treat the risk.

.Determine the treatments for the risks • Develop and implement specific and cost-effective options and action plans for treating a risk. This includes considering how monitor and review any treatments.

don’t alter priorities or a treatment plan .).Monitor and report on the effectiveness of risk treatments • It is necessary to monitor the effectiveness of all steps in the risk management process. This is important for both innovation and continuous improvement. etc. operating environment. Risks and effectiveness of treatment measures need to be monitored to ensure changing circumstances or contextual matters (eg. Goals.

Identify the context for risk management .1.

Some key questions a manager will need to answer before they start to identify risks will include: • What goals and responsibilities has the team been allocated? • How will success be measured? • What exists now and what are we supposed to be doing? • What impact does this team have on the business and stakeholders? • What deliverables are required and when? . However.Goals and objectives • While the structure of a team or an operational area may vary. generally the variance is due to their purpose. the purpose of the team will be established in the organisation’s vision and its goals and objectives.

Risk categories and criteria • The risk categories can vary from organisation to organisation. etc. Criteria should also assist measure and monitor how risk management will impact goals or stakeholder requirements. They may relate to: • People • Processes • Compliance • Financial • Safety • Customer satisfaction. • The criteria should be the direct translation of the categories and provide a tangible basis against which the manager can evaluate an identified risk to determine if it requires treatment or control. . Typically they will establish clear boundaries between different operational aspects where a risk may impact.

Example risk categories and criteria .

Consult and communicate with stakeholders .

Risk communication and responses .

• Non-core or secondary stakeholders are those who are indirectly involved in the process of achieving the outcomes or may be indirectly affected by the outcomes being sought. .Defining a stakeholder • Core or primary stakeholders are those who are directly involved in the process of delivering the outcomes being sought or will be positively or negatively affected by the outcomes being sought.

Stakeholder analysis • Managers studying stakeholders should complete the following: • Identify stakeholders • Sort and prioritise stakeholder interests • Visualise stakeholder relationships to the team/business unit • Identify each person’s or group’s power and influence .

Identify risks .

Key questions for identifying risks • This goes beyond thinking there may be a risk to actually answer the following questions: • What can happen? • Where can it happen? • How and why could it happen? (AS/NZS 4360:2004: page 13) .

human error. When and where – Simply put. when the risk could occur and also where the risk could occur. new competitor. business etc. Event or incident – Something that occurs which leads to the source of risk being able to inflict harm or have an adverse effect. systems.Components for risk identification • The various components for the identification of a risk: • Source – That which can potentially harm or assist in causing damage to a person. for example. Cause – Is the and why of risk. insufficient knowledge. For example in an age care facility. was design to blame. machinery or technology. • • • • • property. property. lack of training. Whether they are policies. slips are most likely to occur in the kitchen after the floor has been mopped. Consequence – The impact or outcome due to the event taking place and inflicting on the person. Controls – Controls are what you put in place to manage the risk in an effective way. incorrect procedure. business etc. .

Cause and effect diagram) . or forecasting environmental and market constraints • A range of standard problem solving and decision making tools and techniques (eg. opportunities and threats) Analysis • PEST (Political. weaknesses.Identification of prospective risks • The most effective means of identifying prospective risks can include: • Brainstorming sessions • ‘Five Why’ analysis • ‘Five W’ analysis • Task analysis • SWOT (strengths. and Technological) Analysis • Research such as conducting interviews with relevant people and/or organisations. Economic. Societal.

SWOT analysis .

PEST analysis .

Documenting risk identification • According to the AS/NZS 4360:2004 standard risk identification needs four core pieces of information: • Risk reference • Risk classification (Type) • Source of risk • Impact of risk .

The Risk Management Plan The risk management plan has five main parts: RMP1 – Contextual information RMP2 – Risk Register RPM3 – Risk Assessment RPM4 – Risk treatment plan RPM5 – Risk Action Plan .

• Interest that is real or believe they have a legitimate need (business or personal) to be involved .Sorting stakeholders • The two dimensions represent the extent to which the stakeholder has: • Power to influence outcomes and the capacity to impose their will on the image or outcomes the organisation seeks.

Stakeholder commitment .

Session 2: Analyse and evaluate risks .

taking into account factors that will operate to control the risk. • In consultation with stakeholders (internal and external) the analysis of risk has to determine the answer to three questions: • How serious are the consequences if the risk occurs? • What is the likelihood of the risk occurring? • What is the level of risk? .Risk analysis • It is at the Risk Analysis stage of the risk management process that each risk is rated.

Determine consequences Level 1 2 3 4 Descriptor Insignificant Minor Moderate Major Example detail description No operational impact Minimal disruption to operational capability Interruptions to operations Loss of operational capability 5 Catastrophic Loss of operational continuity .

Determine likelihood Likelihood = probability x exposure Level 1 2 3 4 5 Descriptor Highly unlikely Unlikely Possible Likely Very likely Example detail description May occur only in exceptional circumstances Could occur at some time Might occur at some time Will probably occur in most instances Is expected to occur in most circumstances .

Estimating the level of risk Risk = consequence x likelihood .

Risk assessment matrix .

• Existing controls maybe in place and involve stakeholders .Control • Control of risk relates to the treatments or plans put in place to reduce the likelihood and/or the consequence of a risk happening.

Evaluate Risk .

. This follows on from setting priorities but here we clearly indicate if the risk is acceptable or not. This can be done by comparing the analysis of each risk against the original criteria set for the risk management exercise. • Determine if the risk is acceptable or unacceptable. The criteria confirm how each risk is impacting goals and the operational context. This will involve making a decision based on the evaluation of the risk level and the benefits derived from managing the risk versus doing nothing.Determine priorities • Having completed the initial risk analysis it is now possible to determine how each risk should be prioritised. This involves two main actions: • Set priorities.

Sort risks Acceptability Acceptable Not acceptable Risk level Low and possibly Moderate High and Extreme .

Risk acceptability and need for treatment .

Session 3: Treat risks .

but how this approach will compliment existing controls and other risk treatments . • A risk treatment plan should be established that will not only establish what needs to be done and by when. then implementing what needs to be done to treat a risk.Treat risks • Risk treatment involves identifying and selecting from a range of options.

Risk treatment flowchart .

• Retaining the risk .Risk treatment options Treatment options typically include: • Avoiding the risk • Reducing the likelihood of the risk. • Change the consequences of the risk • Transferring the risk.

According to AS/NZS 4360:2004 the treatment plans should include: 1. and 6. performance measures. responsibilities. 3. 4.Inclusions in a risk treatment plan • The purpose of a treatment plan is to document and report how the chosen options will be implemented. reporting and monitoring requirements (AS/NZS 4360:2004: page 22) . 2. proposed actions. resource requirements. timing. 5.

• Situational: highly contextual. For instance a major catering operation for an airline identified that staff were being exposed to safety hazards handling hot food as it was transported from the oven to be packaged into the onboard hot food catering trolleys. a furnace operation used situational control strategies to reduce risk.Control measures There are two kinds of risk control strategies: • Pre-planned: preventative strategies adopted prior to risk occurrence. For example. responsive strategies based on feedback on day to day activities. .

Session 4: Monitor and review effectiveness of risk treatments .

Monitoring risks • Monitoring and review occurs at two levels within the risk management process. This is to ensure risk management is both sustainable and effective. . • The second level of monitoring and review needs to occur on a continuous basis to support improvement to all five stages within the risk management process. • Firstly it occurs at the level when the implementation of a risk treatment is monitored and reviewed.

Risk treatment flowchart – Monitoring and review .

full time equivalent work hours. dates.) • Details of when to do reviews and the status of progress for each review . budget allocation. implementation and monitoring the plan • what resources are to be utilised • Resource requirements (ie. personnel. and responsible person) • Status (progress) • Dates • To facilitate monitoring Risk Management Plans will usually include: • who has responsibility for approval.Use review results to improve risk treatment • Standard risk management planning templates or treatment forms will usually include the headings: • Risk • Level of risk • Treatment • Treatment objectives • Action Plan (milestones. etc.

Health and Safety • .Examples of risk objectives for a given category of risk Risk Categories Operations Financial impact Examples of risk objective • • Less than 2% of all orders received in a calendar month will be rejected Costs must remain within 1% of the allocated budget Brand protection • All licensees attend formal legal briefing on their obligations and legal ramifications of any breaches to copyright Customer deliveries within the nation must occur within 36 hours of the order being received All engineers will report maintenance actions according to the CSA3224 regulatory requirements The person allocated the responsibility as Shot firers must be assessed and deemed competent every 12 months in the 4 core role competencies Dispatch operations seek to ensure nil injuries occur that require treatment in the next 6 months Timing Compliance Staff management • • • Environment.

In a supply chain) . procedures and processes not within the control of any one manager Integration of risk management across multiple organisations (eg.Auditing risk • The use of an independent risk auditor can promote: • Objective review that adopted treatments resulted in what was intended • Consistency of reviews over time • Observations based on past practices and experiences elsewhere • Measurement of progress across multiple risk management plans and treatments • • • • • • • within the organisation Use of independent benchmarks Consolidated data collection and storage Translation into action by senior managers Recommendations for improvement to the risk management process Compliance reports that external regulators may accept Review of policies.

Six step approach to monitor and review risk management • Step One • • • • • Establish the Risk Management Plan actions and monitoring requirements Step Two Measurement of risk control and status Step Three Analyse historical data Step Four Align risk management to strategic outcomes Step Five Gain commitment of employees Step Six Monitor and report progress .

Sign up to vote on this title
UsefulNot useful