Learning Objective
Establish risk context
Identify risks
Analyse risks
Select and implement treatments
2
Risk Management Process
Risk
Uncertain or chance events that planning can not overcome
or control.
Risk Management
A proactive attempt to recognize and manage internal events
and external threats that affect the likelihood of a project’s
success.
What can go wrong (risk event).
How to minimize the risk event’s impact (consequences).
What can be done before an event occurs (anticipation).
What to do when an event occurs (contingency plans).
7–3
Risk Management’s Benefits
A proactive rather than reactive approach.
Reduces surprises and negative consequences.
Prepares the project manager to take advantage
of appropriate risks.
Provides better control over the future.
Improves chances of reaching project performance objectives
within budget and on time.
7–4
Risk Management’s Benefits
A proactive rather than reactive approach.
Reduces surprises and negative consequences.
Prepares the project manager to take advantage
of appropriate risks.
Provides better control over the future.
Improves chances of reaching project performance objectives
within budget and on time.
7–5
The Risk Management Process
7–6
CHAPTER 1
REVIEW ORGANISATIONAL PROCESSES, PROCEDURES
AND REQUIREMENTS FOR UNDERTAKING RISK
MBAefoNreA beGginEninMg yEouNr rTisk management project, it is important to take the time to review your
organisation’s risk management policies and procedures.
Different organisations create different levels of expectations for risk management strategies, along
with the difference between cost effectiveness and acceptable risk.
You will need to know this information so that you can keep your risk management project can stay in
line within the company’s guidelines, goals and objectives.
Organisational procedures will also provide information on risks associated with specific areas or the
organisation as a whole and these should be included in your risk management assessment.
Most companies have the same types of risks that are consistent across organisations. If it is your
organisation’s standard procedure to include these risks in their assessments, you will need to be sure
you include them in your review.
7–7
Types of Risks
Risks may include those relating to:
Commercial relationships
Economic circumstances and scenarios
Human behaviour
Individual activities
Legislation
Management activities and controls
Natural events
Political circumstances
Technology
8
Determine scope for risk management process
Every risk management project has limitations. It is impossible
for one person to identify all possible risks that exist for a
company. This process is usually broken down into subprojects.
It is important to determine the scope of the risk management
project first because there are always risk factors which arise,
that are outside of the person or teams authority who are
performing the risk analysis.
If you try to be all inclusive in your scope, you’ll never
complete the project. Each new risk that presents itself can
open the doors to whole new areas of risks to plan for.
9
Scope
The scope that you create or that is assigned by the organisational policies will
create the limits for your risk management project. Anything that doesn’t fall
within that scope is not your responsibility and you should not begin
developing plans for these areas.
You should forward the list of risks that are outside your scope of
management to the person who is responsible for risk management within
your organisation; this could be the Health and Safety Rep.
When determining the scope of your risk management process, you need to
think along practical lines that are in agreement with your organisations
operational plan. Trying to develop a risk management program that extends
across geographical separation
10
Scope
Your scope may apply to:
A specific project
An individual business unit or area
Specific functions such as:
Financial management
WHS
Governance
External environment – for facilities
Internal environment – also for facilities
Or, in the case of a small organisation, it can cover the whole
organisation
11
Scope
The scope document includes the following key sections:
Scope statement – This clearly states the project goal, objectives and
deliverables.
Project constraints – These are any limiting factors that prevent the project from
moving in a particular path.
Assumptions – These are aspects that the project manager builds into the scope
document to allow for any uncertainties that may occur.
Tasks list – You need to specify a list of tasks (and deliverables) to be achieved
during the project.
Estimates – You need to make initial estimates in relation to cost, time and
human resource requirements.
Contract statement – This will include the names of those authorised to initiate
contract work, sign contracts and completion acceptances.
12
RISK ASSOCIATED WITH PROJECT MANAGEMENT
Risk management is a vital part of project management. It is important to identify as many risks as
possible and be prepared if something happens that is out of the ordinary.
Here are some examples of common project risks:
Time and cost estimate too optimistic
Customer review and feedback cycle too slow
Unexpected budget cuts
Unclear roles and responsibilities
Stakeholder input is not sought, or their needs are not properly understood
Stakeholders changing requirements after the project has started
Stakeholders adding new requirements after the project has started
Poor communication resulting in misunderstandings, quality problems and rework
Lack of resource commitment
Risks can be tracked using a simple risk log. Add each risk you have identified to your risk log and write
down what you will do in the event it occurs and what you will do to prevent it from occurring.
Review your risk log on a regular basis adding new risks as they occur during the life of the project.
Remember, when risks are ignored they don’t go away.
13
IDENTIFY INTERNAL AND EXTERNAL STAKEHOLDERS AND
THEIR ISSUES
The term “stakeholders” typically, refers to the people who have an interest or share in the
project. In the case of risk management, we can include anyone and everyone whose lives
and businesses can be negatively impacted by the risks or actions of the business.
This means that stakeholders can be either internal or external. Stakeholders may includes:
Staff and employees
Owners,
Shareholders
Customers
Suppliers
The community
Anyone who could be affected by your company taking a negative turn can be considered a
stakeholder.
Different stakeholder groups will have different concerns and not all will be financial.
14
REVIEW POLITICAL, ECONOMIC, SOCIAL, LEGAL,
TECHNOLOGICAL AND POLICY CONTEXT
Political climate
What effect a downturn in the economy will have to your company
or project
New applications for existing technologies that can invalidate
existing products
How trends, fads and other changes in society can negatively affect
your company
Potential upcoming changes in the political climate
The state of the economy
Proposed legislation, and how it can affect your company
New technologies being introduced into the marketplace
15
Commercial and Strategic Risks
Commercial and strategic risks arising from:
Competition
Market demand levels
Growth rates
Technological change
Stakeholder perceptions
Market share
Private sector involvement
New products and services and
Site acquisition
16
Economic risks
Economic risks arising from:
Discount rate
Economic growth
Energy prices
Exchange rate variation
Inflation
Demand trends
Population growth and
Commodity prices
17
Contractual Risks
Contractual risks arising from:
Client problems
Contractor problems
Delays
Insurance and indemnities and
Joint venture relations
18
Financial Risks
Financial Risks arising from:
Debt/equity ratios
Financing costs
Taxation impacts
Interest rates
Investment terms
Ownership
Residual risks for government and
Underwriting
19
Poverty
Poverty arising from:
Weak governance
Remoteness
Low incomes
Gender inequalities
Social and ethnic inequalities
Low education
Poor infrastructure
Weak institutions
Inadequate policy framework and
Human rights infringements
20
Environmental Risks
Amenity values
Approval processes
Community consultation
Site availability/zoning
Endangered species
Conservation/heritage
Degradation or contamination
Environmental emergencies and
Visual intrusion
21
Political risks
Parliamentary support
Community support
Government endorsement
Policy change
Sovereign risk and
Taxation
22
Social Risks
Community expectations
Pressure groups
Activity initiation
Analysis and briefing
Functional specifications
Performance objectives
Innovation
Evaluation program and
Stakeholder roles and responsibilities
23
Procurement planning Risks
Industry capability
Technology and obsolescence
Private sector involvement
Regulations and standards
Utility and authority approvals
Completion deadlines and
Cost estimation
24
Procurement and contractual Risks
Contract selection
Client commitment
Consultant/contractor performance
Tendering
Negligence of parties
25
REVIEW STRENGTHS AND WEAKNESSES OF EXISTING
ARRANGEMENTS
In most cases, there will be an established risk analysis from which you will
begin. However, even if you are creating a totally new analysis, there are
probably some contingency plans already in existence.
There may be already plans in existence for some of the risks that you are
going to be working on. If so, there is no reason not to use them. However, if
this plan is not strong enough, you will have to revise it.
Realistically speaking, there’s no such thing as a perfect plan. All plans have
strong points and weak ones. Experience in creating plans can help reduce
the number of weak points in a given plan, but the fact that there are too
many variables which are outside of your control precludes creating a perfect
plan.
26
REVIEW STRENGTHS AND WEAKNESSES OF EXISTING
ARRANGEMENTS
So, once you have identified the risk, there are two general
approaches that you can choose from to begin the decisionmaking
process.
Will you:
Control the risk?
Transfer the risk?
27
CONDUCTING A SWOT ANALYSIS
To determine the best control measures for risks you should perform a SWOT
analysis.
A SWOT analysis is the best tool to identify the internal strengths and weaknesses
and external or environmental threats and opportunities to any organisation.
The SWOT allows an organisation to answer the question: ‘where are we now?’
When analysing the best control measures for risk, you should ask the following
questions:
What are the strengths of this control measure?
What are the weaknesses of this control measure?
What are the opportunities provided by using this control measure?
What are the threats involved in using this control measure?
28
CONDUCTING A SWOT ANALYSIS 29
The SWOT analysis can comprise five major categories
and can be compiled using the following matrix:
CONDUCTING A SWOT ANALYSIS
The method of implementing the flexible elements of the
contingency plan will depend upon the severity of the crisis, how
rapidly the crisis is developing and a number of safety factors.
It may seem extreme to force everyone out of the facility but it
will ensure everyone’s safety. Machines, technology and materials
can be replaced, people can’t.
As part of your review of existing plans, you need to seek out
possible issue related to your plan. Those things that could put
people, material or critical data at risk.
Pay special attention to systems which have been put into place
since the creation of that plan, as those are the most likely places
to encounter these issues.
30
DOCUMENT CRITICAL SUCCESS FACTORS, GOALS OR
OBJECTIVES FOR AREA INCLUDED IN SCOPE
As part of determining the impact of risks, it is important to
determine the critical success factors, goals and objectives.
They are the most important factors for your company to have
contingency plans for.
The following questions might assist you in this process:
Where does my company’s income come from?
What affects my company’s reputation in the marketplace?
What functions are critical to ensuring that my company can
continue operations? Are there some that we can do without for a
day or a week?
31
DOCUMENT CRITICAL SUCCESS FACTORS, GOALS OR
OBJECTIVES FOR AREA INCLUDED IN SCOPE
Which company goals are essential to ensure continued operations? How
would a delay in the completion of those goals affect the company?
How many shareholders are affected by the temporary cessation of this
function?
Every risk that you encounter will end up needing to be compared to each
of these critical factors.
Any risk factor can affect a number of different factors, each of them to a
different extent, with a different overall impact to the company’s
operations.
32
COMMUNICATE WITH RELEVANT PARTIES ABOUT THE
RISK MANAGEMENT PROCESS AND INVITE
PARTICIPATION
Identifying stakeholders and developing communication strategies are
critical to the successful implementation of a risk management plan.
It is important to consult with stakeholders and keep communication
pathways open so that you foster a supportive environment for risk
management activities.
You must ensure communication is continuous during the process with all
those relevant to the successful implementation of risk management
plans.
33
COMMUNICATE WITH RELEVANT PARTIES ABOUT THE
RISK MANAGEMENT PROCESS AND INVITE
PARTICIPATION
Stakeholders may include:
All staff
Internal and external stakeholders
Senior management
Specific teams or business units
Technical experts
34
COMMUNICATE WITH RELEVANT PARTIES ABOUT THE
RISK MANAGEMENT PROCESS AND INVITE
PARTICIPATION
The way to communicate information is to make sure you:
Accept and involve consumers as legitimate partners
Plan carefully and evaluate your efforts
Listen to the specific concerns
Be honest, frank, and open
Coordinate and collaborate with other credible sources.
Meet the needs of the media (if required)
Speak clearly and with compassion
35
COMMUNICATE WITH RELEVANT PARTIES ABOUT THE
RISK MANAGEMENT PROCESS AND INVITE
PARTICIPATION
Consultation gives everyone the opportunity to influence
decisions.
It is an effective way to gather useful input and ensure that all
viewpoints are taken into account when identifying and
evaluating risks.
Communication and consultation are essential to the overall risk
management process as well as each individual step in that
process.
36
TOPIC 2 – IDENTIFY RISKS
INVITE RELEVANT PARTIES TO ASSIST IN THE
IDENTIFICATION OF RISKS
Identifying potential risks is best achieved through a brainstorming session. Just like with any other
brainstorming session, the more people you can get involved in the process, the better. By having a group of
people involved, you can generate more ideas.
People who may be involved to assist in the identification of risks are:
Stakeholders:
Managers
Supervisors
Health and safety and other employee representatives
WHS/OHS committees
Employees and contractors
The community
37
INVITE RELEVANT PARTIES TO ASSIST IN THE
IDENTIFICATION OF RISKS
Key personnel is:
People who are involved in WHS/OHS decision-making or who are affected by decisions.
WHS/OHS technical advisors:
Risk managers
Health professionals
Injury management advisors
Legal practitioners with experience in WHS/OHS
Engineers (such as design, acoustic, mechanical, civil)
Security and emergency response personnel
Workplace trainers and assessors
Maintenance and trade persons
38
INVITE RELEVANT PARTIES TO ASSIST IN THE
IDENTIFICATION OF RISKS
WHS/OHS specialists:
Safety professionals
Ergonomists
Occupational hygienists
Audiologists
Safety engineers
Toxicologists
Occupational health professionals
When you encourage people to participate in risks identification procedures you
will need to ensure you use a wide variety of people.
39
RESEARCH RISKS THAT MAY APPLY TO SCOPE
Every idea that is brought forth in your brainstorming session has some merit. You
won’t really know how much merit each idea has until you research the likelihood of
that problem happening.
For the ideas that were brought forth in your brainstorming session, you’ll need to
research. That research may include:
Data or statistical information
Information from other business areas
Lessons learned from other projects or activities
Market research
Public consultation
Review of literature and other information sources
Accurate research will provide you with a real image of the risks involve in your area
or organisation. Don’t guess, do your research and get it right the first time.
40
USE TOOLS AND TECHNIQUES TO GENERATE A LIST OF RISKS
THAT APPLY TO THE SCOPE, IN CONSULTATION WITH
RELEVANT PARTIES
RISK IDENTIFICATION TECHNIQUES
Inspections: Walking through and conducting inspections of each task, location,
team, group or process within an organisation.
Consultation: a process that allows evidence on unreported incidents to be
gathered, for example, injuries, machine breakdown.
Safety or management audits: these can be conducted by individual managers
or team leaders and focus on their own or associated areas, or can be
conducted by members of the organisation who specialise in this area.
Testing: of plant and equipment in an operational context, or of staff in a
service area. This also can be accomplished as part of the local group or team
approach or can be part of a wider organisation-wide approach.
41
RISK IDENTIFICATION TECHNIQUES
Scientific or technical evaluation or expert instruction in up-to-date methods
(service industry): these are usually provided by third parties or consultants and
often form part of the training process of the organisation.
Collection and evaluation of material: from suppliers, manufacturers, designers,
and from safety organisations, unions, interest groups and employer organisations.
Expert advice: engaging professional consultants and advisors, lawyers, engineers,
safety experts, process experts.
Seeking government or regulatory information and help: from government
departments, investigatory and regulatory bodies, royal commissions,
commissions of inquiry, coronial inquests, industrial commission hearings,
statistical bodies and ‘think tanks’.
42
RISK IDENTIFICATION TECHNIQUES
Networking: with other members of the market, or users of similar
machines or processes.
Benchmarking is a process of seeking out and identifying the best
practices of the organisation’s competitors, where those best practices
represent a higher quality level or performance. The process means
that the organisation, having identified the best practice in the industry
then uses that ‘benchmark’ as the quality standard to be obtained
within its industry.
43
RISK IDENTIFICATION TECHNIQUES
Brainstorming; the brainstorming process can take various forms, but one of the most
effective is in meetings of staff in an environment where there is freedom to experiment
with ideas and to express opinions.
Brainstorming is usually a process of energetic interaction with the goal of forming and
discussing ideas and concepts in a round-table or group dynamic.
It allows examination of existing and emerging risk by using the ideas and experience of
fellow workers, managers, experts, other stakeholders and the users of the process or
service.
Audits and physical inspections; Regulatory based risk management procedures often
include regular audits and inspections, for example, Occupational Health and Safety,
activities of brokers and traders on the Australian Stock Exchange register and the
regulation of Registered Training Organisations.
44
Process Charting
45
The fishbone diagram provides a good example of a process chart,
sometimes called a cause and effect diagram. Each line or ‘fishbone’
represents an area that may have caused a problem.
SCENARIO ANALYSIS
Scenario anaysis is a process of examining options and
competing scenarios based on an assessment of future events.
The focus is on the future and may take into account past and
present events as elements of the examination.
46
BENCHMARKING SIMILAR ORGANISATIONS AND
ACTIVITIES
Benchmarking is a process of identifying the industry best
practice, and setting that as the standard for the particular
organisation.
The process involves significant industry knowledge and an
ability to examine competitors’ processes in order to identify
why that market is dominant or produces the leading product
or service.
47
Flowchart Method
48
System or process flow charts are
especially useful in recognising and
identifying potential areas of the
problem within the process flow.
TOPIC 3 – ANALYSE RISKS
ASSESS LIKELIHOOD OF RISKS OCCURRING
The risk analysis involves:
An estimate of the likelihood of each risk is arising. This might be done initially on a
simple scale from ‘rare’ to ‘almost certain’, or numerical assessments of probability
might be made.
An estimate of the consequences of each risk. This might be done initially on a
simple scale from ‘negligible’ to ‘severe’, or quantitative measurements of impacts
might be used.
The purpose of analysing risk is to provide information to enable the evaluation of
risks, using predefined likelihood and consequence criteria.
Risk analysis uses judgments and assumptions, which may involve uncertainty and
be based on incomplete information.
Therefore, the best available information sources and techniques should be used.
Wherever possible the confidence placed on estimates of levels of risk should be
included.
49
ASSESS IMPACT OR CONSEQUENCE IF RISKS OCCUR
Impact itself can be assessed in terms of its effect on:
Cost
Quality
Time
This includes the time taken to:
Identify, record and report the risk
Analyse and assess the risk
Address the risk
Either reduce its impact or remove it completely from a
potential risk
50
ASSESS IMPACT OR CONSEQUENCE IF RISKS
OCCUR
Risk proximity is about:
When and where the risk will occur
It’s role in the process or system
It’s damage or potential damage reaches
Our first step in assessing a risk is to determine the likelihood of the risk occurring, meaning
what are the chances. See below for a scale to gauge how likely the risk is:
Not likely – 10%
Low likelihood – 30%
Likely – 50%
Highly likely – 70%
Near certainty – 90%
51
ASSESS IMPACT OR CONSEQUENCE IF RISKS
OCCUR
The following table shows that the impact of risk is generally ranked from
‘minimal’ (level 1) to ‘severe’ (level 5). You can see from the detail
descriptions that these levels focus on the degree to which the business is
affected in regards to its financial and service capability.
52
LEVEL DESCRIPTOR EXAMPLE DETAIL DESCRIPTION
1 Minimal No service impact; low financial loss
2 Minor Minimal disruption to service capability; medium financial loss
3 Moderate Interruptions in service delivery; high financial loss
4 Significant Loss of service capability; major financial loss
5 Severe Loss of business continuity; huge financial loss
RISK REPORTING MATRIX 53
Analysing the risk will help you decide the impact of the
risk on your company and will enable you to control for
this when required.
EVALUATE AND PRIORITISE RISKS FOR TREATMENT
A simplified risk analysis can be conducted using probability theory:
Likelihood X consequence = Risk Score
By using these two scales, any potential risk can be rated with a risk
score.
For example, if we live in an area which commonly has severe
thunderstorms, which disrupt electrical service to our distribution
facility for 2 to 3 hours, we might assign a likelihood score of 5 and an
impact score of 3. That would give us a risk score of 15, considering the
maximum score we can get with this system is 25, that’s a fairly high-risk
score.
54
Criteria for ranking and recording Risks
The criteria for ranking and recording includes:
Taking into consideration whether the risk falls within established or accepted
guidelines
Differentiating between risks that have high impact/consequence/likelihood and
those having low impact/consequence/likelihood.
Assigning value to identified risks using available tools
Assessing consequences and likelihoods
A risk that has been analysed as having a ‘catastrophic impact’(loss of business
continuity; huge financial loss) is ranked as an ‘extreme ‘level risk if the probability
is ‘likely ‘but ‘high ‘if the probability is ‘rare’. Immediate action is required, involving
senior management, to manage the risk.
55
Sample Level of Risk Matrix
EXAMPLE OF RISK TABLE OF DEFINITIONS
E Extreme risk; immediate action required
H High risk; senior management attention needed
M Moderate risk; management attention must be specified
L Low risk; manage by routine procedures
Acceptability Risk level
Acceptable Low and Moderate
Not acceptable High and Extreme
56
Risk Criteria
Risk Criteria include:
Scope of the risk policy
Internal and external contexts
Internal and external stakeholders
Corporate objectives, policies, values and visions
Standards and laws
Resource availability
Social, economic, environmental, and political factors
57
Another type of scale describes risk in terms of acceptable
levels
Another type of scale describes risk in terms of acceptable levels:
Broadly acceptable level of risk
Best achievable level of risk
As low as reasonably practicable (ALARP)
Generally intolerable level of risk
58
Another type of scale describes risk in terms of
acceptable levels
Each risk decision and its implementation will depend on your organisation
and its guidelines on what is acceptable.
The cost of implementing some changes may be so great, that it is not
possible.
In those cases, mitigation of the impact may consist of buying insurance
against that event occurring, this then transfers some of the risk to an
insurance company and lessens the load on the organisation.
59
TOPIC 4 – SELECT AND IMPLEMENT TREATMENTS
DETERMINE AND SELECT MOST APPROPRIATE OPTIONS
FOR TREATING RISKS
Risk treatment involves identifying the range of options for treating risk,
assessing those options, preparing risk treatment plans and
implementing them.
It is probable that a combination of options will be required to treat
complex risks. Once a risk is understood, you will need to treat the risk,
to do this you may need a detailed analysis of treatment options.
There are usually be several options, each with different costs and
benefits and each will offer different levels of risk mitigation.
60
Approaches to Manage Risks
APPROACH DESCRIPTION
- Elimination / reduction
management
In this approach, the risk is either reduced to its lowest possible level to
enable it to be managed or it is eliminated
A variation in this approach is not to eliminate the risk if that is too difficult
or too late, but to reduce or eliminate its effect - Assumption of risk Insurance companies assume risk as part of their operations. Here the
expression ‘assume risk’ means to knowingly accept the risk as part of the
agreement with the person/company that pays the premium. Organisations
unused to risk may assume or accept its effect because to fail to do so
might negatively affect the organisation’s operations
Once again, the decision to assume a risk must be taken bearing in mind the
competing issues of cost, proximity and extent of the risk - Transfer risk Insurance is a means of transferring the risk, through the payment of
insurance premiums, to an insurance company
It is important to understand that this is generally a way of managing
financially based risk. The insurance company can only really assume a
financial risk. It is not able to assume risk that relates to culture, personnel
or manufacturing for example
So if the risk of the factory burning down is identified, then the financial risk
can be transferred to the insurance company, but the actual risk of losing
specific or specialist machinery cannot
Often organisations only transfer part of the financial risk having assessed
the insurance premium cost as too high to transfer it all
To offer a personal example, this may be compared with a householder
insuring the contents of the house against fire, but not paying extra for the
loss of specialist jewellery or stereo equipment. It then falls on the
61
Approaches to Manage Risks - Changing processes Risk can be avoided by changing processes, or refraining from an
activity. This is often an ongoing process of change from risk
identification
Organisations with a positive risk identification and management culture
are ready and willing to change or remove processes that demonstrate a
greater degree of risk or risk potential
Changing a process to avoid an activity also requires a positive risk
management culture as this can be confronting and expensive,
particularly if the process needs to be replaced
The change or replacement of a process in order to manage a risk must
also be undertaken using risk management procedures. In other words,
the new process must not create or support the same or similar risk it
was designed to eliminate - Delaying An organisation may defer a risk, by delaying it until such time as it is
able to assume the risk or deal with it in a better and more positive way
An organisation may believe that research or development
It’s undertaking will make it more able to deal with the risk at a later
time
62
Approaches to Manage Risks - Sharing risk Organisations may seek to share risk with other organisations by way of
joint ventures or cooperative options
A good example of this is seen in the construction and maintenance of
motorways in capital cities where government and private industry
come together to share the expense
Similarly in recent times wine and beer companies have combined with
manufacturing industries associated with wine and beer production
when entering new markets such as China. - Spread and minimise
locations of the risk
An organisation may attempt to spread and minimise locations of the
risk, e.g. a company may spread its outlets and workforce to a number
of areas in order to spread or reduce the risk of an incorrect decision in
relation to geographic marketing. For example, a retailer may have
outlets in a number of locations in a town to ensure the product is
available to as many potential customers as possible.
63
Regardless of the final decision ensure that all relevant parties have signed off on it. Although you
may be in charge of developing the risk management plan, this is a group project, with group
decisions.
DEVELOP AN ACTION PLAN FOR IMPLEMENTING
RISK TREATMENT
The action plan formalises the risk management process.
The specific format of the risk management action plan will vary from one organisation to
another, but the following is an example of a relatively straightforward methodology:
Risk
Date identified
Level of risk
Reason for risk rating
Risk priority /risk ranking
Action (what is to be done)
What resources are required
Who is responsible for the action
Timeline-when should the action be completed
Strategy for informing relevant stakeholders- i.e. staff volunteers, board, corporate
sponsors, etc.
Review date
64
SAMPLE RISK TREATMENT ACTION PLAN
65
COMMUNICATE RISK MANAGEMENT
PROCESSES TO RELEVANT PARTIES
COMMUNICATION FACTORS SUCH AS LANGUAGE AND
LITERACY
Effective communication is obviously critical to genuine participation. The specific needs of individuals in
the workplace need to be taken into account.
Individuals will have different levels of literacy, and either may not speak much English or may not have
English as their first language.
For example, induction and instruction in policies and procedures need to reflect the language and
literacy levels of each person, and things like safety and emergency warning signs, which are for the
whole workplace, need to be based on easily understandable pictures, rather than complex language.
Communication must be a two-way street. If individuals are to be able to participate in WHS/OHS activity
in a meaningful way they need access to information in a format they can understand, and they need to
be able to communicate back to WHS/OHS representatives, supervisors, WHS/OHS advisers and others
easily.
66
COMMUNICATE RISK MANAGEMENT PROCESSES TO
RELEVANT PARTIES
DIVERSITY OF WORKERS
Employees may come from different cultural, age and educational backgrounds with
different views about personal responsibility and authority; they will have different previous
experiences, knowledge and skills and may have different learning styles.
They may have external pressures and stresses in their lives or pre-existing physical injuries.
All these factors need to be taken into consideration in designing and developing
participative arrangements.
Your risk management plan must be distributed to all appropriate personnel; especially those
who have a part in implementing the plan.
In order to disseminate information to key personnel you should be face-to-face with them.
In this way you can provide them with a brief outline of the plan containing the key
information. Any details can be provided in written form.
67
ENSURE ALL DOCUMENTATION IS IN ORDER
AND APPROPRIATELY STORED
Consider the following points while deciding how to store information:
Why is the information being stored?
Who will want to use it?
When and how often will they want to access the information?
What protections (privacy, confidentiality) are required for the information?
What ‘links‘, or other factors, need to be considered for the data to be meaningful?
What technology is available?
What are the skills of the people in using the technology?
This will then lead to the following questions:
What is the best medium (electronic; hard copy) for storage?
What is the best format for organising the information?
What skills and technology will be required to access the information?
68
ENSURE ALL DOCUMENTATION IS IN ORDER AND
APPROPRIATELY STORED
Most organisations will have some records, such as incident and injury reports,
workplace inspections and/or newsletters, in hard copy.
Hard copy formats tend to be used where:
The original record is in handwriting
The original requires a signature; and
The material is ‘for information’ and is usually circulated or left in an open location
for people to read (i.e. newsletter)
69
ENSURE ALL DOCUMENTATION IS IN ORDER AND
APPROPRIATELY STORED
Even in the smallest community services organisation is likely to have electronic storage for any
information or records that meet one or more of the following criteria.
The record or document has to be:
Communicated to somebody else
Retained for legal reasons
Collated to identify a trend; and
Used for planning
There are many software options for storing electronic WHS/OHS information. These options
may range from simple spreadsheets to highly interactive purpose-designed software packages
that may incorporate functions such as incident reporting, injury management, chemical and
risk registers, asset and maintenance registers and training records.
Having determined the format for storing WHS/OHS information (i.e. the nature of the
software) the next question is whether it should be on a single computer or networked
hardware for an intranet type system.
70
ENSURE ALL DOCUMENTATION IS IN ORDER AND
APPROPRIATELY STORED
It is beyond the scope of this unit to compare the relative features of the various
systems, but some factors to consider are:
Who needs to access the information?
Do they have access to the hardware?
Do they have the skills to access the system?
What level of technological support is required/available?
71
Implement and monitor action plan
Endorsement of Plan
Having done all the work outlined above (and kept any relevant/necessary
stakeholders, management, committees informed during the process), it’s
now time for those nominated to do so, to present the risk management plan
to whomever has the delegation to authorise its implementation.
This may be a supervisor, a manager or a complains or risk manager. They will
then consider the plan, clarify any questions it has, and after making any
necessary adjustments, endorse the plan.
72
Implementation of Action Plan
Implementation process the plan will involve:
Issuing a risk management statement – A good starting point is to let everyone
in the organisation know that your organisation is serious about risk
management and to outline the key risk management strategies.
The risk management statement should also outline the proposed timetable
and key contact people, and procedures for contributing to the risk management
process.
Training – It is likely that training was identified as a key risk management
strategy in addition to the introduction of new practices will often require
training.
Training for risk management needs to be carried out in the context of your
organisation’s overall training activities.
73
Implementation of Action Plan
Establishing and documenting procedures – Your risk management plan will
have identified areas where written procedures need to be developed and/or
documented.
To implement the plan, it will be necessary for staff, volunteers and
management committee members to work together to develop these
procedures. Existing procedures should be reviewed to ensure that they are
consistent with new procedures.
Allocating specific responsibilities – A risk management plan requires specific
allocation of tasks to ensure no gaps in the process leave room for further risk –
different people within your organisation should be given responsibility to
implement different parts of the plan.
It should be clear to all those involved in the process, who is responsible for
each aspect of implementation for the risk management plan.
74
EVALUATE RISK MANAGEMENT PROCESS
It is critical to constantly monitor and review the processes and outcomes. Monitoring
and reviewing risk management processes helps to include risk management as a valuable
part of the company.
The risk management process in not static but is taken in the context of the internal and
external environments. As these environments change, the variables affecting risk also
change.
Evaluating the process of risk management can be assigned to individuals within
departments or to dedicated staff depending upon the nature of the organisation and the
resources available.
Consultants may be brought in at critical times to evaluate processes and institute
changes based on risk contexts or environmental, social and political changes.
75
EVALUATE RISK MANAGEMENT PROCESS
In addition to planned and scheduled monitoring and review sessions to examine
new risk, review of the management plan must be ongoing in order to stay relevant.
As policies, procedures, and visions of a corporation change, risk changes. As
external contexts change, risks change. Suitability and cost factors for treatment
options change. Treatment options or contingency plans may lose relevancy
throughout the process.
External variables such as legislative actions may develop which creates a different
context under which to analyse and evaluate risk.
Examination of successes and failures in relation to anticipated outcomes is a
necessary component of the risk management process. It increases the probability
that future risks can be evaluated with higher levels of accuracy and greater success.
An inability to achieve outcomes does not indicate failure but provides an
opportunity to gain valuable knowledge regarding process change.
Duplication of ineffective processes leading to a repetition of unachieved outcomes
indicates a failure to learn. That can be tragic when corporations, and the people that
depend on them, are at risk.
76
EVALUATE RISK MANAGEMENT PROCESS
One of the key components of the risk management process is
keeping an accurate record of documentation relating to the
communications, justifications, analyses and relevant information
pertaining to risk.
Remember how we began the risk assessment process? With
research relating to:
Data or statistical information
Information from other business areas
Lessons learned from other projects or activities
Market research
Previous experience
Public consultation
Review of literature and other information sources
77
EVALUATE RISK MANAGEMENT PROCESS
Monitoring is not only a practical requirement but a legal obligation, as the
common law duty of care and WHS legislation requires that the employer “provide
and maintain a working environment that is safe”.
All organisations should ensure that risk identification, assessment analysis,
evaluation techniques and the change arising from these processes fall within the
culture of the organisation.
This requires commitment from the most senior levels of management in the
organisation, and it requires communication throughout all ranks of the
organisation.
Leadership and coaching are two of the most commonly used processes to engage
an organisation in a cultural change to embrace the issues of risk identification and
management and the issues arising from the change that flows from these
procedures.
78
SUMMARY
“In many cases, there is nothing we can do to stop these
disasters from happening. Risk management isn’t about
that; it’s about understanding the potential risks and
managing how a company deals with that risk.”
The post The Center of Excellence Diploma of Business appeared first on My Assignment Online.