risk management, managing risk
7/28/2019 Risk Management, Managing Risk
http://slidepdf.com/reader/full/risk-management-managing-risk 1/56
IDENTIFY RISK AND APPLY RISK MANAGEMENT PROCESSES
Tony Rizk – Smart Academy
22 April 2009
Session 1:
Identify risks
Risk in an organisational setting
• Risk is unavoidable and a natural part of virtually every
human situation. It is present in our daily lives, when we
are awake or asleep, and in both public and private sector
organisations.
• Risk management is about being pre-emptive rather than reactive. Any manager should actively seek to identify risks and determine how to prevent them from occurring. This may mean modifying current processes, practices, thinking or systems to maximise our chances of success while minimising the factors that may lead to failure, injury or loss.
Risk and its management
• Risk can be defined as the combination of the probability
of an event and its consequences (ISO/IEC Guide 73:2002 Risk Management).
• Risk management is the process of identifying potential
negative events and the development of plans to mitigate
or minimise the likelihood of the negative event occurring
and/or the consequences resulting if that event did occur.
Risk factors
Risks may include such factors as:
• Occupational health and safety (including disease)
• Environmental
• Product failure
• Financial or economic loss/failure
• Damage to property/equipment
• Industrial disputes
• Professional incompetence
• Natural disasters
• Security failure
• Equipment/system failure
• Breaches of privacy
Risks may need to be managed to:
• Avoid creating more risk
• Sort negative from positive risks
• Decrease unexpected and unwanted events
• Develop an operational and organisational profile of existing risks
• Decrease possible vulnerabilities
• Increase preparedness for unexpected and unwanted events
• More efficiently prioritise the treatment of risks
• Avoid waste, errors or defects that may result from untreated risks
• Protect people and customers from harm
• Control risks
• Build risk management into the organisation's culture
Risk and levels within the organisation
• Risk management can occur at all levels of management and operations. This includes:
• Strategic level – spans across functions, products and services, and customers.
• Operational level – within a function, operational area, or specific markets, customers, processes, products and services.
• Team/task level – within a team, occupational, professional or specific job role.
Risk management process
• The risk management process is:
"... the systematic application of management policies, procedures and practices to the tasks of communicating, establishing the context, identifying, analysing, evaluating, treating, monitoring and reviewing risk" (AS/NZS 4360:2004, page 5)
Risk Management Process
Establish goals and context
• At this first stage, establish the external and internal risk management context in which the overall risk management process will take place.
• Establish categories and criteria against which risk will be evaluated; these shape later risk analysis activities. The alignment of criteria with goals and objectives (organisational, operational or project) sets the scope for the risk management process and guides how actions at all stages of the process can later be evaluated.
• It is at this stage that a study of the environment should occur. This will confirm whether the risks being addressed result from factors that are external and/or internal to the organisation.
Identify risk
• This stage is the first of the three steps associated with risk assessment. At this stage identify where, when, why and how events could prevent, degrade, delay or enhance the achievement of the objectives. It is important to specifically classify (identify and code) risks and confirm the source and impact of each risk so that treatment strategies can later be shaped correctly.
Analyse risks
• This stage is the second of the three steps associated with risk assessment. At this stage identify and evaluate existing controls. Determine the consequences and likelihood, and therefore the overall rating for the level of risk. This analysis should cover the range of potential consequences and how they could occur.
Evaluate risks
• This stage is the fourth stage in the risk management process and the final step in risk assessment. At this stage determine whether the risks are acceptable or unacceptable. Compare estimated levels of risk against the pre-established risk categories and criteria, and consider the balance between potential benefits and costs. The level of risk also determines who has the authority to treat the risk. Given that person's authority, the evaluation stage informs the treatments required and their priorities.
Determine the treatments for the risks
• Develop and implement specific and cost-effective options and action plans for treating a risk. This includes considering how to monitor and review any treatments.
Monitor and report on the effectiveness of risk treatments
• It is necessary to monitor the effectiveness of all steps in the risk management process. This is important for both innovation and continuous improvement. Risks and the effectiveness of treatment measures need to be monitored so that changing circumstances or contextual matters (e.g. goals, operating environment, etc.) do not alter priorities or a treatment plan unnoticed.
1. Identify the context for risk management
Goals and objectives
• While the structure of a team or an operational area may vary, generally the variance is due to their purpose. The purpose of the team will be established in the organisation's vision and its goals and objectives. Some key questions a manager will need to answer before they start to identify risks include:
• What goals and responsibilities has the team been allocated?
• How will success be measured?
• What exists now and what are we supposed to be doing?
• What impact does this team have on the business and stakeholders?
• What deliverables are required and when?
Risk categories and criteria
• The risk categories can vary from organisation to organisation. Typically they will establish clear boundaries between different operational aspects where a risk may impact. They may relate to:
• People
• Processes
• Compliance
• Financial
• Safety
• Customer satisfaction, etc.
• The criteria should be the direct translation of the categories and provide a tangible basis against which the manager can evaluate an identified risk to determine if it requires treatment or control. Criteria should also help measure and monitor how risk management will impact goals or stakeholder requirements.
Example risk categories and criteria
Consult and communicate with stakeholders
Risk communication and responses
Defining a stakeholder
• Core or primary stakeholders are those who are
directly involved in the process of delivering the
outcomes being sought or will be positively or
negatively affected by the outcomes being sought.
• Non-core or secondary stakeholders are those
who are indirectly involved in the process of
achieving the outcomes or may be indirectly affected
by the outcomes being sought.
Stakeholder analysis
• Managers studying stakeholders should complete the following:
• Identify stakeholders
• Sort and prioritise stakeholder interests
• Visualise stakeholder relationships to the team/business unit
• Identify each person's or group's power and influence
Identify risks
Key questions for identifying risks
• This goes beyond thinking that there may be a risk, to actually answering the following questions:
• What can happen?
• Where can it happen?
• How and why could it happen? (AS/NZS 4360:2004: page 13)
Components for risk identification
• The various components for the identification of a risk:
• Source – That which can potentially harm, or assist in causing damage to, a person, property, business etc.
• Event or incident – Something that occurs which leads to the source of risk being able to inflict harm or have an adverse effect.
• Consequence – The impact or outcome of the event taking place, as inflicted on the person, property, business etc.
• Cause – The how and why of the risk; for example, was design to blame, human error, incorrect procedure, lack of training, a new competitor, insufficient knowledge?
• Controls – Controls are what you put in place to manage the risk in an effective way, whether they are policies, systems, machinery or technology.
• When and where – Simply put, when the risk could occur and also where it could occur. For example, in an aged care facility, slips are most likely to occur in the kitchen after the floor has been mopped.
Identification of prospective risks
• The most effective means of identifying prospective risks can include:
• Brainstorming sessions
• 'Five Why' analysis
• 'Five W' analysis
• Task analysis
• SWOT (strengths, weaknesses, opportunities and threats) analysis
• PEST (Political, Economic, Societal, and Technological) analysis
• Research, such as conducting interviews with relevant people and/or organisations, or forecasting environmental and market constraints
• A range of standard problem solving and decision making tools and techniques (e.g. cause and effect diagram)
SWOT analysis
PEST analysis
Documenting risk identification
• According to the AS/NZS 4360:2004 standard, risk identification needs four core pieces of information:
• Risk reference
• Risk classification (type)
• Source of risk
• Impact of risk
The Risk Management Plan
The risk management plan has five main parts:
RMP1 – Contextual information
RMP2 – Risk Register
RMP3 – Risk Assessment
RMP4 – Risk Treatment Plan
RMP5 – Risk Action Plan
Sorting stakeholders
• The two dimensions represent the extent to which the stakeholder has:
• Power to influence outcomes, and the capacity to impose their will on the image or outcomes the organisation seeks.
• Interest, whether real or because they believe they have a legitimate need (business or personal) to be involved.
Stakeholder commitment
Session 2:
Analyse and evaluate risks
Risk analysis
• It is at the Risk Analysis stage of the risk management process that each risk is rated, taking into account factors that will operate to control the risk.
• In consultation with stakeholders (internal and external), the analysis of risk has to determine the answer to three questions:
• How serious are the consequences if the risk occurs?
• What is the likelihood of the risk occurring?
• What is the level of risk?
Determine consequences
Level  Descriptor     Example detail description
1      Insignificant  No operational impact
2      Minor          Minimal disruption to operational capability
3      Moderate       Interruptions to operations
4      Major          Loss of operational capability
5      Catastrophic   Loss of operational continuity
Determine likelihood
Level  Descriptor       Example detail description
1      Highly unlikely  May occur only in exceptional circumstances
2      Unlikely         Could occur at some time
3      Possible         Might occur at some time
4      Likely           Will probably occur in most instances
5      Very likely      Is expected to occur in most circumstances
Likelihood = probability x exposure
Estimating the level of risk
Risk = consequence x likelihood
Risk assessment matrix
Control
• Control of risk relates to the treatments or plans put in place to reduce the likelihood and/or the consequence of a risk happening.
• Existing controls may already be in place and may involve stakeholders.
Evaluate Risk
Determine priorities
• Having completed the initial risk analysis, it is now possible to determine how each risk should be prioritised. This involves two main actions:
• Set priorities. This can be done by comparing the analysis of each risk against the original criteria set for the risk management exercise. The criteria confirm how each risk is impacting goals and the operational context.
• Determine if the risk is acceptable or unacceptable. This follows on from setting priorities, but here we clearly indicate if the risk is acceptable or not. This involves making a decision based on the evaluation of the risk level and the benefits derived from managing the risk versus doing nothing.
Sort risks
Acceptability    Risk level
Acceptable       Low and possibly Moderate
Not acceptable   High and Extreme
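As an added worked example (not part of the original slides), the scoring and sorting steps from the analysis and evaluation slides in a small Python risk register: the five-point consequence and likelihood scales are the ones tabulated above, Risk = consequence x likelihood gives a score from 1 to 25, and the score is banded into Low/Moderate/High/Extreme and split into acceptable (Low, Moderate) and not acceptable (High, Extreme) as on the "Sort risks" slide. Each entry carries the four core identification fields from AS/NZS 4360:2004 (reference, classification, source, impact) plus its existing controls. The band cut-offs (1-4 Low, 5-9 Moderate, 10-15 High, 16-25 Extreme) are an assumption made for illustration, since the slides' risk assessment matrix is an image whose thresholds are not reproduced on this page, and the sample register entries are constructed rather than taken from the slides. The treat() helper shows the residual score after a treatment that reduces the likelihood or changes the consequence, two of the treatment options listed later in the deck.

```python
"""Risk register scoring on the 5x5 consequence/likelihood scheme.

Added example, not from the original slides.  The two scales come from the
slides' tables; the banding of the product and the sample entries are
assumptions made here for illustration.
"""
from dataclasses import dataclass, replace

# Consequence and likelihood descriptors from the slides' tables.
CONSEQUENCE = {1: "Insignificant", 2: "Minor", 3: "Moderate",
               4: "Major", 5: "Catastrophic"}
LIKELIHOOD = {1: "Highly unlikely", 2: "Unlikely", 3: "Possible",
              4: "Likely", 5: "Very likely"}

# ASSUMED banding of the 1..25 product: (inclusive upper bound, level name).
# The slides' matrix is an image; its exact cut-offs are not on the page.
BANDS = ((4, "Low"), (9, "Moderate"), (15, "High"), (25, "Extreme"))

# "Sort risks" slide: Low and possibly Moderate acceptable; High/Extreme not.
ACCEPTABLE_LEVELS = frozenset({"Low", "Moderate"})


def rate(score: int) -> str:
    """Map a score in 1..25 onto a level name using BANDS."""
    if not 1 <= score <= 25:
        raise ValueError(f"score {score} outside 1..25")
    return next(name for upper, name in BANDS if score <= upper)


@dataclass(frozen=True)
class Risk:
    """One register row: the four AS/NZS 4360:2004 identification fields
    (reference, classification, source, impact), the two analysis ratings,
    and the existing controls found during analysis."""
    reference: str
    classification: str
    source: str
    impact: str
    consequence: int
    likelihood: int
    existing_controls: tuple = ()

    def __post_init__(self) -> None:
        # Reject ratings outside the 1..5 scales instead of silently scoring them.
        if self.consequence not in CONSEQUENCE:
            raise ValueError(f"{self.reference}: consequence must be 1..5")
        if self.likelihood not in LIKELIHOOD:
            raise ValueError(f"{self.reference}: likelihood must be 1..5")

    @property
    def score(self) -> int:
        # "Estimating the level of risk": Risk = consequence x likelihood
        return self.consequence * self.likelihood

    @property
    def level(self) -> str:
        return rate(self.score)

    @property
    def acceptable(self) -> bool:
        return self.level in ACCEPTABLE_LEVELS


def _clamp(value: int) -> int:
    return max(1, min(5, value))


def treat(risk: Risk, *, likelihood_delta: int = 0, consequence_delta: int = 0) -> Risk:
    """Residual risk after a treatment that reduces the likelihood and/or
    changes the consequence; the new ratings are clamped to the 1..5 scales."""
    return replace(risk,
                   likelihood=_clamp(risk.likelihood + likelihood_delta),
                   consequence=_clamp(risk.consequence + consequence_delta))


def _priority(risk: Risk):
    # Highest score first; ties broken by consequence, then by reference.
    return (-risk.score, -risk.consequence, risk.reference)


def prioritise(register):
    """Split a register into (needs treatment, acceptable), each in priority order."""
    ordered = sorted(register, key=_priority)
    return ([r for r in ordered if not r.acceptable],
            [r for r in ordered if r.acceptable])


# Constructed sample register (hypothetical entries, not from the slides).
SAMPLE_REGISTER = [
    Risk("R-01", "Security failure", "Unpatched internet-facing web server",
         "Attacker gains a foothold on the internal network", 4, 3,
         ("Quarterly patch cycle",)),
    Risk("R-02", "Breach of privacy", "Staff emailing customer records",
         "Customer data sent to the wrong recipient", 3, 4),
    Risk("R-03", "Natural disaster", "Flood-prone data centre site",
         "Loss of operational continuity", 5, 1, ("Off-site backups",)),
    Risk("R-04", "Equipment/system failure", "Ageing office printer",
         "Minimal disruption to one team", 1, 5),
    Risk("R-05", "Security failure", "Phishing of staff credentials",
         "Account takeover attempt blocked", 2, 2, ("MFA on all accounts",)),
]

if __name__ == "__main__":
    for heading, rows in zip(("Treat", "Accept"), prioritise(SAMPLE_REGISTER)):
        print(heading)
        for r in rows:
            print(f"  {r.reference} {r.level:<8} score={r.score:>2} "
                  f"C={r.consequence} L={r.likelihood}  {r.classification}")
```

Run as a script it prints the two sorted lists. Note that two risks with the same score (R-01 and R-02, both 12) land in the same band; the tie is broken on consequence so the higher-impact entry is treated first, and a treatment that drops R-01's likelihood by two steps takes it from High to Low, which is the kind of residual-risk check the evaluation stage is meant to make explicit.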
Risk acceptability and need for treatment
Session 3:
Treat risks
Treat risks
• Risk treatment involves identifying and selecting from a range of options, then implementing what needs to be done to treat a risk.
• A risk treatment plan should be established that will not only establish what needs to be done and by when, but how this approach will complement existing controls and other risk treatments.
Risk treatment flowchart
Risk treatment options
Treatment options typically include:
• Avoiding the risk
• Reducing the likelihood of the risk
• Changing the consequences of the risk
• Transferring the risk
• Retaining the risk
Inclusions in a risk treatment plan
• The purpose of a treatment plan is to document and report how the chosen options will be implemented. According to AS/NZS 4360:2004 the treatment plans should include:
1. proposed actions;
2. resource requirements;
3. responsibilities;
4. timing;
5. performance measures; and
6. reporting and monitoring requirements (AS/NZS 4360:2004: page 22)
Control measures
There are two kinds of risk control strategies:
• Pre-planned: preventative strategies adopted prior to risk occurrence. For instance, a major catering operation for an airline identified that staff were being exposed to safety hazards handling hot food as it was transported from the oven to be packaged into the onboard hot food catering trolleys.
• Situational: highly contextual, responsive strategies based on feedback on day to day activities. For example, a furnace operation used situational control strategies to reduce risk.
Session 4:
Monitor and review effectiveness of risk
treatments
Monitoring risks
• Monitoring and review occurs at two levels within the risk management process.
• Firstly, it occurs at the level where the implementation of a risk treatment is monitored and reviewed. This is to ensure risk management is both sustainable and effective.
• The second level of monitoring and review needs to occur on a continuous basis to support improvement to all five stages within the risk management process.
Risk treatment flowchart – Monitoring and review
Use review results to improve risk treatment
• Standard risk management planning templates or treatment forms will usually include the headings:
• Risk
• Level of risk
• Treatment
• Treatment objectives
• Action Plan (milestones, dates, and responsible person)
• Status (progress)
• Dates
• To facilitate monitoring, Risk Management Plans will usually include:
• who has responsibility for approval, implementation and monitoring of the plan
• what resources are to be utilised
• resource requirements (i.e. budget allocation, full time equivalent work hours, personnel, etc.)
• details of when to do reviews and the status of progress for each review
Examples of risk objectives for a given category of risk
Risk category                    Example of risk objective
Operations                       Less than 2% of all orders received in a calendar month will be rejected
Financial impact                 Costs must remain within 1% of the allocated budget
Brand protection                 All licensees attend a formal legal briefing on their obligations and the legal ramifications of any breaches of copyright
Timing                           Customer deliveries within the nation must occur within 36 hours of the order being received
Compliance                       All engineers will report maintenance actions according to the CSA3224 regulatory requirements
Staff management                 The person allocated the responsibility of shot firer must be assessed and deemed competent every 12 months in the 4 core role competencies
Environment, Health and Safety   Dispatch operations seek to ensure nil injuries occur that require treatment in the next 6 months
Auditing risk
• The use of an independent risk auditor can promote:
• Objective review that adopted treatments resulted in what was intended
• Consistency of reviews over time
• Observations based on past practices and experiences elsewhere
• Measurement of progress across multiple risk management plans and treatments within the organisation
• Use of independent benchmarks
• Consolidated data collection and storage
• Translation into action by senior managers
• Recommendations for improvement to the risk management process
• Compliance reports that external regulators may accept
• Review of policies, procedures and processes not within the control of any one manager
• Integration of risk management across multiple organisations (e.g. in a supply chain)
Six step approach to monitor and review risk management
• Step One – Establish the Risk Management Plan actions and monitoring requirements
• Step Two – Measurement of risk control and status
• Step Three – Analyse historical data
• Step Four – Align risk management to strategic outcomes
• Step Five – Gain commitment of employees
• Step Six – Monitor and report progress