risk management, managing risk

7/28/2019 Risk Management, Managing Risk http://slidepdf.com/reader/full/risk-management-managing-risk 1/56  IDENTIFY RISK AND APPLY RISK MANAGEMENT PROCESSES Tony Rizk  – Smart Academy 22 April 2009

Upload: tony-rizk

Post on 03-Apr-2018


IDENTIFY RISK AND APPLY RISK MANAGEMENT PROCESSES

Tony Rizk  – Smart Academy 

22 April 2009


Session 1:

Identify risks


Risk in an organisational setting

• Risk is unavoidable and a natural part of virtually every human situation. It is present in our daily lives, when we are awake or asleep, and in both public and private sector organisations.

• Risk management is about being pre-emptive, rather than reactive. Any manager should actively seek to identify and determine how to prevent risk from happening. This may mean modifying current processes, practices, thinking or systems to maximise our chances of success while minimising the factors that may promote failure, injury or loss.


Risk and its management

• Risk can be defined as the combination of the probability of an event and its consequences (ISO/IEC Guide 73:2002 Risk Management).

• Risk management is the process of identifying potential negative events and the development of plans to mitigate or minimise the likelihood of the negative event occurring and/or the consequences resulting if that event did occur.


Risk factors

Risks may include such factors as:

• Occupational health and safety (including disease)

• Environmental

• Product failure

• Financial or economic loss/failure

• Damage to property/equipment

• Industrial disputes

• Professional incompetence

• Natural disasters

• Security failure

• Equipment/system failure

• Breaches of privacy

Risks may need to be managed to:

• Avoid creating more risk

• Sort negative from positive risks

• Decrease unexpected and unwanted events

• Develop an operational and organisational profile of existing risks

• Decrease possible vulnerabilities

• Increase preparedness for unexpected and unwanted events

• More efficiently prioritise the treatment of risks

• Avoid waste, errors or defects that may result from untreated risks

• Protect people and customers from harm

• Control risks

• Build risk management into its culture


Risk and levels within the organisation

• Risk management can occur at all levels of management and operations. This includes:

• Strategic level – spans across functions, products and services, customers.

• Operational level – within a function, operational area, or specific markets, customers, processes, products and services.

• Team/task level – within a team, occupational, professional or specific job role.


Risk management process

• The risk management process is: "… the systematic application of management policies, procedures and practices to the tasks of communicating, establishing the context, identifying, analysing, evaluating, treating, monitoring and reviewing risk" (AS/NZS 4360:2004, page 5)


Risk Management Process


Establish goals and context

• At this first stage establish the external and internal risk management context in which the overall risk management process will take place.

• Establish categories and criteria against which risk will be evaluated and shape later risk analysis activities. The alignment of criteria against goals and objectives (organisation, operational or project) will set the scope for the risk management process and guide how actions at all stages of the process can later be evaluated.

• It is at this stage study of the environment should occur. This will confirm if the risks being addressed result from factors that are external and/or internal to the organisation.


Identify risk

• This stage is the first step in the 3 steps associated with risk assessment. At this stage identify where, when, why and how events could prevent, degrade, delay or enhance the achievement of the objectives. It is important to specifically classify (identify and code) risks and confirm the source and impact of the risk so treatment strategies can later be shaped correctly.


 Analyse risks

• This stage is the second step in the three steps associated with risk assessment. At this stage identify and evaluate existing controls. Determine the consequences and likelihood and therefore the overall rating for the level of risk. This analysis should cover the range of potential consequences and how they could occur.


Evaluate risks

• This stage is the fourth stage in the risk management process and the final step in risk assessment. At this stage determine whether the risks are acceptable or unacceptable. Compare estimated levels of risk against the pre-established risk categories and criteria, and consider the balance between potential benefits and costs. The level of risk will need to be considered so as to determine who has the authority to treat the risk. Given the person’s authority the evaluation stage will inform the treatments required and priorities.


Determine the treatments for the risks

• Develop and implement specific and cost-effective options and action plans for treating a risk. This includes considering how to monitor and review any treatments.


Monitor and report on the effectiveness of risk treatments

• It is necessary to monitor the effectiveness of all steps in the risk management process. This is important for both innovation and continuous improvement. Risks and effectiveness of treatment measures need to be monitored to ensure changing circumstances or contextual matters (e.g. goals, operating environment, etc.) don’t alter priorities or a treatment plan.


1. Identify the context for risk management


Goals and objectives

• While the structure of a team or an operational area may vary, generally the variance is due to their purpose. However, the purpose of the team will be established in the organisation’s vision and its goals and objectives. Some key questions a manager will need to answer before they start to identify risks will include:

• What goals and responsibilities has the team been allocated?

• How will success be measured?

• What exists now and what are we supposed to be doing?

• What impact does this team have on the business and stakeholders?

• What deliverables are required and when?


Risk categories and criteria

• The risk categories can vary from organisation to organisation. Typically they will establish clear boundaries between different operational aspects where a risk may impact. They may relate to:

• People

• Processes

• Compliance

• Financial

• Safety

• Customer satisfaction, etc.

• The criteria should be the direct translation of the categories and provide a tangible basis against which the manager can evaluate an identified risk to determine if it requires treatment or control. Criteria should also assist in measuring and monitoring how risk management will impact goals or stakeholder requirements.


Example risk categories and criteria


Consult and communicate with stakeholders


Risk communication and responses


Defining a stakeholder 

• Core or primary stakeholders are those who are directly involved in the process of delivering the outcomes being sought or will be positively or negatively affected by the outcomes being sought.

• Non-core or secondary stakeholders are those who are indirectly involved in the process of achieving the outcomes or may be indirectly affected by the outcomes being sought.


Stakeholder analysis

• Managers studying stakeholders should complete the following:

• Identify stakeholders

• Sort and prioritise stakeholder interests

• Visualise stakeholder relationships to the team/business unit

• Identify each person’s or group’s power and influence


Identify risks


Key questions for identifying risks

• This goes beyond thinking there may be a risk to actually answering the following questions:

• What can happen?

• Where can it happen?

• How and why could it happen? (AS/NZS 4360:2004: page 13)


Components for risk identification

• The various components for the identification of a risk:

• Source – That which can potentially harm or assist in causing damage to a person, property, business etc.

• Event or incident – Something that occurs which leads to the source of risk being able to inflict harm or have an adverse effect.

• Consequence – The impact or outcome due to the event taking place and inflicting on the person, property, business etc.

• Cause – Is the and why of risk, for example: was design to blame, human error, incorrect procedure, lack of training, new competitor, insufficient knowledge.

• Controls – Controls are what you put in place to manage the risk in an effective way, whether they are policies, systems, machinery or technology.

• When and where – Simply put, when the risk could occur and also where the risk could occur. For example in an aged care facility, slips are most likely to occur in the kitchen after the floor has been mopped.


Identification of prospective risks

• The most effective means of identifying prospective risks can include:

• Brainstorming sessions

• ‘Five Why’ analysis

• ‘Five W’ analysis

• Task analysis

• SWOT (strengths, weaknesses, opportunities and threats) Analysis

• PEST (Political, Economic, Societal, and Technological) Analysis

• Research such as conducting interviews with relevant people and/or organisations, or forecasting environmental and market constraints

• A range of standard problem solving and decision making tools and techniques (e.g. cause and effect diagram)


SWOT analysis


PEST analysis


Documenting risk identification

• According to the AS/NZS 4360:2004 standard, risk identification needs four core pieces of information:

• Risk reference

• Risk classification (Type)

• Source of risk

• Impact of risk


The Risk Management Plan

The risk management plan has five main parts:

RMP1 – Contextual information

RMP2 – Risk Register

RMP3 – Risk Assessment

RMP4 – Risk treatment plan

RMP5 – Risk Action Plan


Sorting stakeholders

• The two dimensions represent the extent to which the stakeholder has:

• Power to influence outcomes and the capacity to impose their will on the image or outcomes the organisation seeks.

• Interest that is real, or a belief that they have a legitimate need (business or personal) to be involved.


Stakeholder commitment


Session 2:

 Analyse and evaluate risks 


Risk analysis

• It is at the Risk Analysis stage of the risk management process that each risk is rated, taking into account factors that will operate to control the risk.

• In consultation with stakeholders (internal and external) the analysis of risk has to determine the answer to three questions:

• How serious are the consequences if the risk occurs?

• What is the likelihood of the risk occurring?

• What is the level of risk?


Determine consequences

Level | Descriptor | Example detail description
1 | Insignificant | No operational impact
2 | Minor | Minimal disruption to operational capability
3 | Moderate | Interruptions to operations
4 | Major | Loss of operational capability
5 | Catastrophic | Loss of operational continuity


Determine likelihood

Level | Descriptor | Example detail description
1 | Highly unlikely | May occur only in exceptional circumstances
2 | Unlikely | Could occur at some time
3 | Possible | Might occur at some time
4 | Likely | Will probably occur in most instances
5 | Very likely | Is expected to occur in most circumstances

Likelihood = probability x exposure


Estimating the level of risk

Risk = consequence x likelihood


Risk assessment matrix


Control

• Control of risk relates to the treatments or plans put in place to reduce the likelihood and/or the consequence of a risk happening.

• Existing controls may be in place and involve stakeholders.


Evaluate Risk


Determine priorities

• Having completed the initial risk analysis it is now possible to determine how each risk should be prioritised. This involves two main actions:

• Set priorities. This can be done by comparing the analysis of each risk against the original criteria set for the risk management exercise. The criteria confirm how each risk is impacting goals and the operational context.

• Determine if the risk is acceptable or unacceptable. This follows on from setting priorities but here we clearly indicate if the risk is acceptable or not. This will involve making a decision based on the evaluation of the risk level and the benefits derived from managing the risk versus doing nothing.


Sort risks

Acceptability | Risk level
Acceptable | Low and possibly Moderate
Not acceptable | High and Extreme


Risk acceptability and need for treatment


Session 3:

Treat risks 


Treat risks

• Risk treatment involves identifying and selecting from a range of options, then implementing what needs to be done to treat a risk.

• A risk treatment plan should be established that will not only establish what needs to be done and by when, but how this approach will complement existing controls and other risk treatments.


Risk treatment flowchart


Risk treatment options

Treatment options typically include:

• Avoiding the risk

• Reducing the likelihood of the risk

• Changing the consequences of the risk

• Transferring the risk

• Retaining the risk


Inclusions in a risk treatment plan

• The purpose of a treatment plan is to document and report how the chosen options will be implemented. According to AS/NZS 4360:2004 the treatment plans should include:

1. proposed actions;

2. resource requirements;

3. responsibilities;

4. timing;

5. performance measures; and

6. reporting and monitoring requirements (AS/NZS 4360:2004: page 22)


Control measures

There are two kinds of risk control strategies:

• Pre-planned: preventative strategies adopted prior to risk occurrence. For instance a major catering operation for an airline identified that staff were being exposed to safety hazards handling hot food as it was transported from the oven to be packaged into the onboard hot food catering trolleys.

• Situational: highly contextual, responsive strategies based on feedback on day to day activities. For example, a furnace operation used situational control strategies to reduce risk.


Session 4:

Monitor and review effectiveness of risk treatments


Monitoring risks

• Monitoring and review occurs at two levels within the risk management process.

• Firstly it occurs at the level when the implementation of a risk treatment is monitored and reviewed. This is to ensure risk management is both sustainable and effective.

• The second level of monitoring and review needs to occur on a continuous basis to support improvement to all five stages within the risk management process.


Risk treatment flowchart – Monitoring and review


Use review results to improve risk treatment

• Standard risk management planning templates or treatment forms will usually include the headings:

• Risk

• Level of risk

• Treatment

• Treatment objectives

• Action Plan (milestones, dates, and responsible person)

• Status (progress)

• Dates

• To facilitate monitoring, Risk Management Plans will usually include:

• who has responsibility for approval, implementation and monitoring the plan

• what resources are to be utilised

• Resource requirements (i.e. budget allocation, full time equivalent work hours, personnel, etc.)

• Details of when to do reviews and the status of progress for each review


Examples of risk objectives for a given category of risk

Risk Categories | Examples of risk objective
Operations | Less than 2% of all orders received in a calendar month will be rejected
Financial impact | Costs must remain within 1% of the allocated budget
Brand protection | All licensees attend formal legal briefing on their obligations and legal ramifications of any breaches to copyright
Timing | Customer deliveries within the nation must occur within 36 hours of the order being received
Compliance | All engineers will report maintenance actions according to the CSA3224 regulatory requirements
Staff management | The person allocated the responsibility as Shot firers must be assessed and deemed competent every 12 months in the 4 core role competencies
Environment, Health and Safety | Dispatch operations seek to ensure nil injuries occur that require treatment in the next 6 months


 Auditing risk

• The use of an independent risk auditor can promote:

• Objective review that adopted treatments resulted in what was intended

• Consistency of reviews over time

• Observations based on past practices and experiences elsewhere

• Measurement of progress across multiple risk management plans and treatments within the organisation

• Use of independent benchmarks

• Consolidated data collection and storage

• Translation into action by senior managers

• Recommendations for improvement to the risk management process

• Compliance reports that external regulators may accept

• Review of policies, procedures and processes not within the control of any one manager

• Integration of risk management across multiple organisations (e.g. in a supply chain)


Six step approach to monitor and review risk management

• Step One: Establish the Risk Management Plan actions and monitoring requirements

• Step Two: Measurement of risk control and status

• Step Three: Analyse historical data

• Step Four: Align risk management to strategic outcomes

• Step Five: Gain commitment of employees

• Step Six: Monitor and report progress