Risk Management Presentation Notes - Office for · PDF fileSTRATEGIC PLANNING GROUP ESTABLISH THE CONTEXT The Strategic Context The Organisational Context The Risk Management Context

STRATEGICPLANNING GROUP

ESTABLISH THE CONTEXTThe Strategic Context

The Organisational ContextThe Risk Management Context

DevelopAssessment

Criteria

Mo

nito

r and

Review

IDENTIFY RISKSWhat can happen?

How can it happen?

Decide the structure

ANALYSE RISKSDetermine existing Controls

Determine LikelihoodDetermine ConsequenceEstablish Level of Risk

ASSESS RISKSCompare against Criteria

Set Priorities

TREAT RISKIdentify Treatment StrategiesEvaluate Treatment Options

Prepare Implementation PlansImplement PlansGOAL STRATEGIES PREFERRED

STRATEGYACTION PLAN

DEFINEDRISK

To reduce this risk …” Courses of Action

Benefits RisksTimetable

Responsible Officer

Performance Issues

1 Major Steps

2 Action Officer

3 Timetable

4 Costs

5 Other IssuesLIST 1

Left over issues

to resolve

LIST 2

Good ideas

not explored

Reference Manual

RISK MANAGEMENTFOR COMMUNITY GROUPS

2© Strategic Planning Group 2002 Risk Management for Community Groups — GM V1

Risk Management

This workbook was prepared by Strategic Planning Group as an in-house document for the use of the organisation. Thisworkbook is not to be distributed or reproduced outside of this organisation without written permission from the publishersas it contains some proprietary planning methodology copyrighted to Strategic Planning Group Pty Ltd, PO Box 371,Miranda NSW 1490, Australia. Phone (612) 9524-0077. Email: [email protected]. James Crown, Managing Director.

Contents

Managing Risk as a Way of Life ................................................................................... 3

Risk Management Standard AS/NZS 4360 .................................................................. 3

Benefits of Risk Management ........................................................................................ 5

Some Definitions ........................................................................................................... 5

Holistic Risk Management ............................................................................................. 6

The Risk Management Process ..................................................................................... 6

Quantifying and Qualifying Risks ................................................................................... 9

Controls in Place ......................................................................................................... 10

Determining Likelihood and Consequence .................................................................. 10

Analysing Likelihood/ Consequence for Risk Rating ................................................... 11

Identify Risk Mitigation Strategy Options ................................................................... 14

Action Plans — Implementing the Strategy ................................................................. 16

Risk Management Forms ............................................................................................. 17

How to Do a Risk Assessment .................................................................................... 23


Risk Management

Managing Risk as a Way of Life

Our objective should be that our organisation embraces risk management as a way of

life, a way of protecting and improving the way we plan and carry out our activities..

We should follow the Australia and New Zealand Risk Management Standard AS/

NZS 4360. This risk management standard is easy to understand and is suitable for

almost any type of organisation or activity. It provides a robust methodology for risk

identification, discussion and an appropriate treatment to reduce the risk.

ESTABLISH THE CONTEXTThe Strategic Context

The Organisational ContextThe Risk Management Context

DevelopAssessment

Criteria

Mo

nito

r and

Review

IDENTIFY RISKSWhat can happen?How can it happen?

Decide the structure

ANALYSE RISKSDetermine existing Controls

Determine LikelihoodDetermine ConsequenceEstablish Level of Risk

ASSESS RISKSCompare against Criteria

Set Priorities

TREAT RISKIdentify Treatment StrategiesEvaluate Treatment Options

Prepare Implementation PlansImplement Plans

Risk Management Standard AS/NZS 4360

This risk management process takes you through some simple steps. . .


Risk Management

Risk Management is not difficult but it does require rigour and discipline in applying the

method. The sequence involves:

1 Preparation and understanding of the context in which the risk assessment is being

carried out (what are we trying to accomplish? What areas of concern will we be

looking at?)

2 Identification of potential risks and outcomes (What could happen and what would

be the result if it did happen?)

3 Identification and valuing of controls in place which have a mitigating effect on the

risk (What’s in place now that reduces either the likelihood of the risk occurring or

the consequence if the risk does occur?)

4 Analysis of the risk in terms of its likelihood to occur and consequence if it does occur

thus producing a risk that is either acceptable or unacceptable. (Determined by using

the Risk Likelihood/Consequence Matrix.)

5 Development and implementation of an appropriate strategy and action plan to

reduce the unacceptable risks. (What action can we take to reduce either the

Likelihood or Consequence of the risk?)

6 Appropriate monitoring and reporting of both the treatment strategy and overall

effectiveness of the risk management process.

Risk management is only a tool. How well it works for us is determined by how much

effort we put in and how diligent we are in following the processes.

There are two other basic principles we should remember about Risk Management.

• 1 — Manage risk where risk occurs — across the whole organisation, all of its

activities, indoors, outdoors, projects, programs, age groups, administration, assets

and equipment, publicity, fundraising, financial management.

• 2 — Establish some priorities — what do we see as the most important types of

risks when confronted with a number of Unacceptable Risks. There will often be

more risks than you can manage. Some risks are more important than others.


Risk Management

For example, our risk prioritisation might cover these areas:

• Priority Level 1

• Injury to Fatality outcomes • Damage to Image, Reputation, Credibility

• Priority Level 2

• Damage to Private Property • Damage to Organisational Assets

• Damage to the Environment

Benefits of Risk Management

• Effective activities

• A reduction in the need for crisis management

• A universal application — can be used by any organisation

• Proactive (we are looking for problems and opportunities in advance)

• Cost Effective (easy and inexpensive to do, reduces costs associated with

problems)

• Compliance (following whatever rules may be in place)

Some Definitions

What is RISK?Risk is the chance of somethinghappening that will have an impactupon objectives.

Risk is measured in terms of

likelihood and consequences.AS/NZS 4360 - Risk Management Standard

RISK MANAGEMENT PROCESSRisk Management Process is the systematic

application of management policies,procedures and practices to the tasks of

identifying, analysing, evaluating,treating and monitoring risk.AS/NZS 4360 - Risk Management Standard


Risk Management

Holistic Risk Management

Another thing to have in place in our minds is that we are talking here about holistic risk

management. Holistic — the whole organisation. We can look at that in a number of

ways.

The Risk Management Process

This step is an important activity in the AS/NZS 4360 risk management standard but

for the organisation it should not be difficult. It requires the team to recognise what its

aims and goals are. What are your objectives? What does your organisation exist for?

What are your services or deliverables? Who are your members, customers or clients?

This shared understanding is important because it provides you with the boundaries or

context for your risk assessments.

• Establish the Context• Identify Risks• Analyse and Evaluate Risks• Develop Risk Treatment Strategies• Monitor & Review

AREAS &SOURCESOF RISK

Finan

cial Operational

Legal

HazardUnstable People

Unsafe Practices Regulations

State & Federal Action

Duty of care

Contracts

Accidents

Natural Disasters

Fundraising

Cash Flow Issues

Accounting & Taxation

Fraudulent Acts

Debt management Data

Assets

Personnel/Key People

Consequential

Special Events


Risk Management

Here’s how to put it all together . . .

Have a simple system for defining Areas and Sources of Risk.

Start with the Area of Risk that you want to work with. In this example it is the big topic

of Financial Management. But that Area is too big for effective assessment. So, break

it down. Look at the sub-topic of Funding. That sub-topic can be broken down into

more manageable topics — Funding is Late, Funding is Terminated. Notice how,

under Funding is Late, we are down to a level — Cash Flow Issues — where the real

risks are easier to see, analyse and manage.

There is value in dealing with groups of similar risks, rather than one risk at a time. And

There is also value in resources and funding, in looking for strategies that will mitigate

more than one risk at a time. So handle groups of similar risks at the same time. It

becomes very efficient and cost effective.

A SIMPLE, PRACTICAL METHODThree steps to work through1 An exercise on a whiteboard/butcher paper2 Some forms to fill in3 Some ACTION to take place

OUTCOMES• Unable to supply some• of our services• Damage to our reputation

if we can’t supply someservices

Secondary Outcomes• Financial • Social• Legal • Political

FINANCIAL MANAGEMENT

FUNDING MEMBERSHIP FEES

FUND-RAISING

FUNDINGIS LATE

FUNDING IS TERMINATED

CASH FLOWISSUES

MAJORPROJECTS

PAYROLL

AR

EA

SO

UR

CE

S

RISKS1 Not enough money to

meet our needs2 Not enough money to

buy supplies3 Program delays

4

CONTROLS IN PLACE• Budget done (ME)• Bank Overdraft (IE)• Competent Leaders (HE)• Financial Reports (ME)

RATING1 B 4 H U

2 C 3 S U

3 B 4 H U


Risk Management

A Second Example

TRAINING PROJECT

AssessmentAdministration& Management

Delivery

Location &Mode ofDelivery

Course(support)Material &

Design

LearningOutcomes

EndorsedTrainingPackage

Online(Distance)

Face to Face Distance(off-campus)

Mixed Mode(bit of each)

Workplace(on the job)

Site Learning

Home

Community Centre

Telecentre

Classroom (Institutional)

Industry Training Room

Library

OUTCOMES• Clients do not achieve

package competencies• RTO reputation damaged• Qualifications not

recognised• Trainees not employableSecondary Outcomes• Financial • Social• Legal • Political

TRAINING PROJECT

DELIVERY ADMINISTRATION& MANAGEMENT

ASSESSMENT

LOCATION &DELIVERY MODE

COURSE SUPPORTMATERIAL & DESIGN

RISKS1 Failure to usematerials relevant toand supportive of thetraining package oraccredited course.

2 Failure to employcompetent, qualifiedstaff to design, produceand evaluate supportmaterials.

CONTROLS IN PLACE• Quality system to

ensure relevance• Library of related

materials foradaptation

• Policy for versioncontrols

• Qualified,competent staff

RATING1 C4HU

2 D4SU

3

LEARNINGOUTCOMES


Risk Management

Quantifying and Qualifying Risks

I believe that if risk is defined as the chance of something happening that will have an

impact on objectives, measured in terms of likelihood and consequences, (Risk

Management Standard AS/NZS 4360), then we have to have four things in place:

• A clear understanding of our Organisation’s Goals (which we have from planning)

• A clear understanding of the likelihood of something happening

• A clear understanding of the consequences of something happening

• Some form of matrix allowing us to combine likelihood and consequence and arrive

at a risk rating which allows us to separate Unacceptable from Acceptable Risk

(We will examine the Matrix in detail later.)

And that brings me to another fundamental concept:

Fundamental: Unacceptable risk is truly ‘unacceptable’ and must be mitigated or

reduced, even if that mitigation is to merely monitor and be ready to react as necessary.

To ignore unacceptable risk is to court severe danger nowadays.

Now the hard part — Qualitative or Quantitative?

That’s only a hard question until you think about it for a moment or two. Sure, we would

all like quantitative measures upon which to rest our risk assessment questions. But we

don’t have that information very often, and we’re not likely to get the budgets and

resources necessary to get quantitative data upon which we can have a high level of

confidence. If we wait for that we will never get our risk management programs off the

ground. That’s a reality. That’s a practicality. Now let’s get on with what we do have.

IDENTIFY THE RISKS• What can happen?• What is the real effect?

IDENTIFY THE OUTCOMES• Risk occurs — so what?• What is the real effect?


Risk Management

Controls in Place

What is a Risk Control?

A control measure is something already in place — it already exists and is not merely on

someone’s wish list. It may be an existing management policy and procedure, or some

technical system, or some training program which reduces the risk — usually through

impacting on likelihood or consequence. For example:

• a training program • a work procedure (work practice)

• a policy • contract management planning guidelines

Control Values

Code Description

HE The control is highly effective because it reduces the likelihood of therisk occurring and/or it reduces the consequences if the risk does occur.

ME

IE

The control is moderately effective because it only partially reduces thelikelihood of the risk occurring and/or partially reduces theconsequences if the risk does occur. The control needs to be reviewed,abolished, amended, or replaced to make it a highly effective control.

The control is ineffective because it does not reduce the likelihood ofthe risk occurring and/or it does not reduce the consequences if the riskdoes occur. The control needs to be reviewed, abolished, amended, orreplaced to make it a highly effective control.

Determining Likelihood and Consequence

A difficult, but important, task when building the consequence and likelihood matrix is

to determine what constitutes an Almost Certain and what constitutes a Rare; what is

a consequence rated Significant and what rates a Catastrophic.

The answers may come from a number of sources, some subjective and qualitative,

some objective and quantitative. With rising costs and diminishing budgets, it is not

always within an organisation’s ability to carry out scientific and technical

measurements and studies. There is a growing body of evidence that suggests that a

group of experienced people, armed with some history, some local knowledge – their

own or by adding some selected stakeholders – working in good faith and within their

training, skills, and knowledge can deliver a credible analysis.


Risk Management

Analysing Likelihood/Consequence for Risk Rating

Risk analysis is concerned with determining the likelihood of events, the magnitude of

their consequences and the mitigating factors that would reduce the nature, frequency

or deleterious effects of the consequences.

By this point you have a well defined risk with a definable outcome. You also know

and have considered the value of existing controls on that risk. Combining that

information you are ready to analyse the risk from the two key perspectives of

likelihood and consequence.

In assessing likelihood and consequences, (with your assessment of the value of the

existing controls in mind) ask the question:

• How likely is this risk to occur?

• If this risk does occur, what will be the consequences?

• What is the overall risk level?

• Is the risk Acceptable or Unacceptable?

LIKELIHOOD + CONSEQUENCE

- CONTROLS IN PLACE

= VULNERABILITY

The matrix is easy to use, and the formula is simple.


Risk Management

Likelihood and Consequence Matrix

B 4 H UUnacceptableHighMajorLikely

Acceptable /

Unacceptable

Rating

Consequence

Likelihood

They mean different things in different contexts, they mean different things and thus

must be measured in terms of different values. A Major consequence may be a high

dollar value, or it may mean High Profile Adverse Media coverage without any dollars

attached? What is unacceptable to your organisation, and whether it is directly related

to dollars and cents is not always the question — particularly in operational risk.

Let’s keep a simple risk sentence as our basic method of communicating risk. The

sentence should look like this wherever we go in the organisation.

Unacceptable RisksH = a High Risk, Attention, Time and Resources requiredS = a Significant Risk, Attention requiredAcceptable RisksM = a Moderate Risk, MonitorL = a Low Risk, Standard Operating Procedures to handle

AAlmostCertain

BLikely

CPossible

DUnlikely

ERare

S S H

M S S

L M S

L L M

L L M

H

H

H

S

S

H

H

H

H

S

5Catastrophic

4Major

3Moderate

2Minor

1Insignificant

Consequences

Likelihood


Risk Management

Likelihood and Consequences

Level Descriptor Description

Almost Certain The event is expected to occur in most circumstances.A

B

C

D

E

Likely

Possible

Unlikely

Rare

The event will probably occur in most circumstances.

The event should occur at some time.

The event could occur at some time.

The event may occur only in exceptional circumstances.

LIKELIHOOD

Insignificant

Catastrophic


1

5Abolition of the organisation, dismissal of executive,significant irreparable impact on members’ prospects throughmismanagement. Impact on staff, members and morale severe.

High financial loss, products and services curtailed due tofailure to deliver, serious external criticism (eg keystakeholders, high profile media). Substantial impact onoverall staff, members and morale with performance affected.Measurable increase in stress related issues.

Minimal financial loss, no impact on overall program orfunctional outcomes (eg Confined to very small number ofproducts, services or members), no adverse external criticismor publicity, no impact on staff.

Small financial loss, small impact on overall program orfunctional outcomes (eg Confined to a substantial minority ofproducts, services to members), criticism by directly affectedmanagers or customers, minimal impact on staff, members oroverall morale.

Medium financial loss, substantial impact on overall programor functional outcomes (eg Many products and servicesaffected), some external criticism directed at executive, Board(eg by members and key stakeholders, low key media).Impact on staff noticeable, degree of change in morale.

Major4

Moderate3

Minor2

Insignificant

Catastrophic

CONSEQUENCE

Insignificant


1Minimal financial loss, no impact on overall program orfunctional outcomes (eg Confined to very small number ofproducts, services or customers), no adverse externalcriticism or publicity, no impact on staff.

Insignificant

CONSEQUENCE

Insignificant



Insignificant

CONSEQUENCE

Insignificant

• Injury to Fatality• Damage to Organisation’s Assets• Damage to Private Property• Damage to Environment• Damage to Reputation/Credibility

PRIORITY CRITERIA


Risk Management

Identify Risk Mitigation Strategy Options

Risk mitigation or treatment options that may be considered include:

• Risk avoidance

An informed decision is made to eliminate risk or to opt for another level of risk.

Examples include cancelling a project or seeking alternative methods of service

delivery.

• Risk transfer

The responsibility or burden for loss is shifted to another party through legislative or

contractual arrangements, insurance or other means. For example, an organisation

may transfer the risk of providing some specific service to a contractor.

• Risk reduction

Appropriate techniques and management principles are selectively applied to

reduce (mitigate) either the likelihood or consequences (or both) of identified risks.

For example, including a back-up diesel generator for a key function to reduce the

likelihood of being out of action during a power outage, or moving an activity from

one location to another because the second location is safer.

Evaluating Risk Mitigation Strategies

Risk treatment options should be evaluated on the basis of the extent of risk reduction

achieved and the benefits or opportunities created. The evaluation should take into

account the organisation’s risk acceptance criteria as well as how risk is perceived by

affected parties or stakeholders. Selection of the most appropriate option involves

balancing the cost of implementing each against the benefits derived from each. A

number of options may be applied, individually or in combination.

Where large reductions in risk can be obtained with relatively lower expenditure, such

options should be implemented. However, careful consideration should be given to rare

(but severe) risks which may justify risk reduction measures not justifiable against

economic criteria alone.

Strategies are detailed statements of process which outline how the Goal is to be

achieved. A Goal can have one or many Strategies. A question which might be asked

when developing Strategies is:

How are you going to achieve the Goal?


Risk Management

GOAL STRATEGIES PREFERREDSTRATEGY

ACTION PLAN

DEFINEDRISK

“To reduce this risk …” Courses of Action

Benefits RisksTimetable

Responsible Officer

Performance Issues

1 Major Steps

2 Action Officer

3 Timetable

4 Costs

5 Other IssuesLIST 1

Left over issues

to resolve

LIST 2

Good ideas

not explored

RISK MITIGATION STRATEGY DEVELOPMENT

STRATEGY SOURCES• Communication (Internal/External)

• Training• Documentation• Resourcing• Systems• Planning (Additional)

Because Risk Management is something that has to be done relatively quickly — so as

not to hold up the project or activity — simple sources of effective strategies should be

found.

In these six words, you can usually find something that can help lower the level of risk.

Not always, but most of the time.

For example:

For communications: Can I open up the line of communications in some way? Will

that help people understand the risk and thus be better positioned to manage that risk?

For training: Can I develop a short training activity which will help mitigate the risk?

For documentation: Can I provide a checklist, or a step-by-step process document

that will help overcome the likelihood of the risk occurring?

There are other words that could be on this list, but these are the main ones which

provoke our thinking.


Risk Management

Action Plans — Implementing the Strategy

What we will actually do to carry out the strategy.

It must be precisely defined, include timetables, and so forth.

That is, the WHAT, WHO, WHEN.

The Action Planning Rule(what level of detail?)

Something Executable (But not Trivial)Something Measurable (In Time and/or in Cost)

Group: Leader:Area/Source of Risk:

Risk # IDENTIFIED RISK

IMPLEMENTATION PLAN

When ID’d(date)

Rating(H/S)

ActionOfficer

Completedby

Done(date)

CommentsAction#

1

2

3

4

MITIGATION STRATEGY

Risk Mitigation Plan


Risk Management

Risk Management Forms

RIS

K M

AN

AG

EM

EN

T —

AS

SE

SS

ME

NT

FO

RM

— A

reas

an

d S

ou

rces

of

Ris

kN

ame

of G

roup

:___

____

____

____

____

__ L

eade

r:__

____

____

____

____

___

Dat

e A

sses

smen

t C

ompl

eted

: __

____

_A

sses

smen

t Tea

m:

Are

a o

f R

isk

So

urc

es o

f R

isk

AR

EA

:__

____

____

____

____

____

____

____

____

____

SO

UR

CE

: ___

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

DA

TE

:__

____

____

____

____

____

_

①①①① ① I

den

tifi

ed R

isk(

s)__

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

__

②②②② ②

Ou

tco

mes

____

____

____

____

____

____

____

____

③③③③ ③ C

on

tro

ls in

Pla

ce__

____

____

____

____

___

Rat

ing

(ti

ck o

ne)

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

_�

HE

� M

E �

IE__

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

___�

HE

� M

E �

IE__

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

___�

HE

� M

E �

IE__

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

___�

HE

� M

E �

IE__

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

__�

HE

� M

E �

IE__

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

___�

HE

� M

E �

IE__

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

__�

HE

� M

E �

IE__

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

___�

HE

� M

E �

IE

④④④④ ④

Rat

ing

L

C

R

A/U

1 __

___

___

___

_2

___

___

___

___

3 __

___

___

___

_4

___

___

___

___

5 __

___

___

___

_6

___

___

___

___

7 __

___

___

___

_8

___

___

___

___

9 __

___

___

___

_10

___

__

__

__

__

_

⑤⑤⑤⑤ ⑤

Str

ateg

ies

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____

____


Risk Management

Code Description

HE The control is highly effective because it reduces the likelihood of therisk occurring and/or it reduces the consequences if the risk does occur.

ME

IE

The control is moderately effective because it only partially reduces thelikelihood of the risk occurring and/or partially reduces theconsequences if the risk does occur. The control needs to be reviewed,abolished, amended, or replaced to make it a highly effective control.

The control is ineffective because it does not reduce the likelihood ofthe risk occurring and/or it does not reduce the consequences if the riskdoes occur. The control needs to be reviewed, abolished, amended, orreplaced to make it a highly effective control.

CONTROL VALUES

LIKELIHOOD/CONSEQUENCE MATRIX

Unacceptable RisksH = a High Risk, Attention, Time and Resources requiredS = a Significant Risk, Attention requiredAcceptable RisksM = a Moderate Risk, MonitorL = a Low Risk, Standard Operating Procedures to handle

AAlmostCertain

BLikely

CPossible

DUnlikely

ERare

S S H

M S S

L M S

L L M

L L M

H

H

H

S

S

H

H

H

H

S

5Catastrophic

4Major

3Moderate

2Minor

1Insignificant

Consequences

Likelihood


Risk Management

LIKELIHOOD & CONSEQUENCE


Almost Certain The event is expected to occur in most circumstances.A

B

C

D

E

Likely

Possible

Unlikely

Rare

The event will probably occur in most circumstances.

The event should occur at some time.

The event could occur at some time.

The event may occur only in exceptional circumstances.

LIKELIHOOD

Insignificant

Catastrophic


1

5Abolition of the organisation, dismissal of executive,significant irreparable impact on members’ prospects throughmismanagement. Impact on staff, members and morale severe.

High financial loss, products and services curtailed due tofailure to deliver, serious external criticism (eg keystakeholders, high profile media). Substantial impact onoverall staff, members and morale with performance affected.Measurable increase in stress related issues.

Minimal financial loss, no impact on overall program orfunctional outcomes (eg Confined to very small number ofproducts, services or members), no adverse external criticismor publicity, no impact on staff.

Small financial loss, small impact on overall program orfunctional outcomes (eg Confined to a substantial minority ofproducts, services to members), criticism by directly affectedmanagers or customers, minimal impact on staff, members oroverall morale.

Medium financial loss, substantial impact on overall programor functional outcomes (eg Many products and servicesaffected), some external criticism directed at executive, Board(eg by members and key stakeholders, low key media).Impact on staff noticeable, degree of change in morale.

Major4

Moderate3

Minor2

Insignificant

Catastrophic

CONSEQUENCE

Insignificant



Insignificant

CONSEQUENCE

Insignificant



Insignificant

CONSEQUENCE

Insignificant

• Injury to Fatality• Damage to Organisation’s Assets• Damage to Private Property• Damage to Environment• Damage to Reputation/Credibility

PRIORITY CRITERIA

Gro

up

:L

ead

er:

Are

a/S

ou

rce

of

Ris

k:

Strategic Planning Group

Ris

k #

IDE

NT

IFIE

D R

ISK

IMP

LE

ME

NT

AT

ION

PL

AN

Wh

en ID

’d(d

ate)

Rat

ing

(H/S

)

Act

ion

Off

icer

Co

mp

lete

db

yD

on

e(d

ate)

Co

mm

ents

Act

ion

# 1 2 3 4

MIT

IGA

TIO

N S

TR

AT

EG

Y

RIS

K M

ITIG

AT

ION

AC

TIO

N P

LA

N


Risk Management

How To Do A Risk Assessment


Risk Management

RISK MANAGEMENT — ASSESSMENT FORMS

Name of Unit: _____________________ Manager: ______________________________Date Assessment Completed:_____________

Assessment Team:

Risk Management Areas and Sources of Risk

The Forms

The graphic above shows the Risk Management Areas and Sources of Risk page. This

is where your recording starts.

• Write the Name of the Group

• Write the Leader’s name

• Write the date the assessment is completed

• Write the members of the assessment team

• Write the risk Area in the top empty box

• Write the Sources of risk (from that risk Area) in the lower boxes. (This is a sample.

Your combination of boxes will vary from subject to subject.)

How to Document the Risk Process

RISK MANAGEMENT — ASSESSMENT FORM — Areas and Sources of Risk

Area of Risk

Sources of Risk

Name of Group:_____________________ Leader:_____________________ Date Assessment Completed: _______

Assessment Team:


Risk Management

An Example

1 Id

enti

fied

Ris

k(s)

5 S

trat

egie

s

AR

EA

: P

rop

erty

an

d F

acili

ties

, Co

mm

un

ity

Hal

l

S

OU

RC

E:

Fir

e, B

ush

fire

, Sm

oke

DA

TE

: 8

Ap

ril 2

002

WO

RK

AR

EA

: P

rop

erty

an

d A

sset

s

LE

AD

ER

: R

ob

ert

Sm

ith

2 O

utc

om

es3

Co

ntr

ols

in P

lace

Rat

ing

4 R

atin

g

LC

RA

/U

#1B

4H

U (

bef

ore

)#2

C3

SU

#3A

4H

U

#1C

2M

A (

afte

r)

#1

Lac

k o

f fi

re s

pri

nkl

ers

in H

all a

nd

pre

sen

ce o

f h

igh

ly c

om

bu

stib

le m

ater

ials

sto

red

in e

qu

ipm

ent

roo

m.

#2

Bu

sh f

ire

dan

ger

no

rth

en

d o

f H

all f

rom

hea

vy c

on

cen

trat

ion

of

dry

un

der

gro

wth

.

#3

Sig

nif

ican

t sm

oke

fro

m a

nn

ual

bu

sh f

ires

nea

r H

all.

#1

Sig

nif

ican

t p

rop

erty

dam

age

po

ten

tial

an

d lo

ss o

feq

uip

men

t; lo

ss o

f lif

e

#2

Po

ten

tial

loss

of

pro

per

ty;

Tem

po

rary

lost

of

ven

ue

fro

mle

sser

dam

age

#3

Hea

lth

co

nce

rns;

Lo

st a

ctiv

ity

tim

e

Ris

k #1

- C

on

du

ct u

rgen

t re

view

of

the

Hal

l an

d d

evel

op

bu

sin

ess

case

, in

clu

din

g c

ost

, fo

rin

stal

lati

on

of

req

uir

ed s

pri

nkl

er s

yste

m. T

emp

ora

ry m

itig

atio

n o

f so

me

asp

ects

of

this

ris

k b

yre

loca

tin

g s

om

e o

f th

e co

mb

ust

ible

mat

eria

ls t

o a

pri

vate

co

ntr

acto

r’s

bu

sin

ess

wh

ich

has

spri

nkl

er s

yste

m in

pla

ce. M

on

ito

r th

is r

isk

and

ad

just

its

rati

ng

aft

er in

stal

lati

on

of

spri

nkl

ersy

stem

is c

om

ple

te a

nd

tes

ted

Ris

k #2

- O

rgan

ise

a w

ork

ing

par

ty f

or

the

lon

g w

eeke

nd

to

cle

ar b

ush

at

no

rth

en

d o

f H

all,

mak

ing

sure

bu

sh c

lear

ed b

y su

mm

er f

ire

seas

on

late

r th

is y

ear.

Ris

k #3

- R

etai

n t

he

risk

an

d c

lose

th

e H

all i

f sm

oke

can

no

t b

e cl

eare

d b

y th

e fa

n s

yste

m.

Bu

sh F

ire

Bri

gad

e w

ell t

rain

ed, a

vaila

ble

ME

Sec

uri

ty s

yste

ms

for

earl

y w

arn

ing

in p

lace

ME

Ove

rhea

d f

ans

in p

lace

in H

all

IE


Risk Management

Running a Risk Assessment Session

The most successful general risk assessments will come from bringing together a group

of people with a shared understanding of the topics you are going to discuss. If you

have documented data or evidence, use it. If you do not have documented evidence,

use the power of the team. Discuss, argue, and arrive at a consensus.

If you have not requested a facilitator to assist you, have one of your own people act as

the facilitator. Brainstorm the general risks on a whiteboard following the forms in this

manual. As you complete your discussions have one of the team act as a scribe and

transfer the information from the whiteboard to the forms.

Do not hurry the process as you will gain from the detailed discussion and considered

opinions from around the team. We are estimating that small groups may complete the

assessments in one 4-hour session. Others might take two or three sessions. We

believe you will find the time well spent with a number of rewards for your efforts: a

more professional approach to the risks you take, an improved and shared

understanding among the participants of the work you do, the risks you face, and a

sense of achievement in having contributed to the good governance of the organisation.

Documenting the Risk Assessment Session

There should be a minute taker appointed for each session. This person will record the

wording of the risk and the details of the assessment of the risk on the forms provided

as mentioned above, as well as discussion on controls in place, treatment strategies for

unacceptable risks, future review dates for acceptable risks and any other relevant

data. The minutes should be validated by participants as soon as is practicable after the

session, and the minutes should be filed in a Risk Management folder.


Risk Management

Identifying Risks

Step by Step

This is where you begin your risk identification.

• Write in the Area of Impact

• Write in the Source of the Risk

• Write in the Date of the risk assessment

• Write in the Identified Risks with enough detail to make it clear what you are

assessing as a risk

• If there are more than ten identified risks, use photocopies of the form page to list

the rest

A R E A :

1 Identified Risk(s)

2 Outcomes

4 R ating 5 Strategies

3 C ontrols in Place Value (t ick one)

S O U R C E : D AT E :

1__ __ __ __2__ __ __ __3__ __ __ __4__ __ __ __5__ __ __ __6__ __ __ __7__ __ __ __8__ __ __ __9__ __ __ __10_ __ __ __

H E

H E

H E

H E

H E

H E

H E

M E

M E

M E

M E

M E

M E

M E

IE

IE

IE

IE

IE

IE

IE

Identifying the Risks

Identifying Outcomes

Step by Step

Identifying the Outcomes

• Write in the Outcome(s) for each risk in detail

• If you have more than ten identified risks, photocopy as many copies of the form

needed to write the outcomes for the risks.

A R E A :


2 Outcomes




1__ __ __ __2__ __ __ __3__ __ __ __4__ __ __ __5__ __ __ __6__ __ __ __7__ __ __ __8__ __ __ __9__ __ __ __10_ __ __ __

H E

H E

H E

H E

H E

H E

H E

M E

M E

M E

M E

M E

M E

M E

IE

IE

IE

IE

IE

IE

IE


Risk Management

Identifying and Assessing the Controls

• On the next section of the form, write the Control in place for each risk

• Tick the Value of the control as the group assess it (Is the control highly effective at

minimising the risk, moderately effective or ineffective? HE, ME or IE? see

definitions on page 20)

Identifying Controls and then Values

Step by Step A R E A :


2 Outcomes




1__ __ __ __2__ __ __ __3__ __ __ __4__ __ __ __5__ __ __ __6__ __ __ __7__ __ __ __8__ __ __ __9__ __ __ __10_ __ __ __

H E

H E

H E

H E

H E

H E

H E

M E

M E

M E

M E

M E

M E

M E

IE

IE

IE

IE

IE

IE

IE

A R E A :


2 Outcomes




1__ __ __ __2__ __ __ __3__ __ __ __4__ __ __ __5__ __ __ __6__ __ __ __7__ __ __ __8__ __ __ __9__ __ __ __10_ __ __ __

H E

H E

H E

H E

H E

H E

H E

M E

M E

M E

M E

M E

M E

M E

IE

IE

IE

IE

IE

IE

IE

Assigning the Risk Rating

If the risk falls in the acceptable categories (Moderate or Low), document the

assessment meeting, and file the risk to be reviewed at a future date.

Unacceptable risks must be treated by developing options and strategies and

incorporated within the Risk Control Statement to lower the level of risk.

• Using the matrix, assess the likelihood and consequence of the risk occurring

• Write those values (ie the Rating) from the matrix onto the form

• Under L write the letter corresponding to the likelihood (C = Possible)

• Under C write the number corresponding to the consequence (4 = Major)

• Under R write the letter in the square on the matrix where the likelihood and

consequence meet (for example, C + 4 = H)

• Under U/A write either U for unacceptable risk (white squares on the matrix) or A

for acceptable risk (black squares)

Rating the Risk

Step by Step


Risk Management

Developing Strategies for Risk Mitigation

Step by Step

Mitigation Strategies

• On page 2 of the form set, write the Mitigation Strategies for dealing with the

unacceptable risks only

A R E A :


2 Outcomes




1__ __ __ __2__ __ __ __3__ __ __ __4__ __ __ __5__ __ __ __6__ __ __ __7__ __ __ __8__ __ __ __9__ __ __ __10_ __ __ __

H E

H E

H E

H E

H E

H E

H E

M E

M E

M E

M E

M E

M E

M E

IE

IE

IE

IE

IE

IE

IE


Risk Management

Implementing the Risk Mitigation Action Plan

Step by Step

Risk Mitigation Action Plan

This page is for recording unacceptable risks only

• On this form write the Group, the Leader’s name and Area or Source of the risk

• Write the Risk Number and Description (from page 2 of the form set)

• Write the Date the risk was identified at When Id’d (date) (from page 2 of the form

set) and the letter corresponding to the Risk Rating (H for high or S for significant)

• Write the Mitigation Strategy in the form of a full description

• Write the steps under Action

• Write the name of the person who will do the action under Action Officer

• Write the date you want the action completed under Completed by

• Write the actual date the action was completed under Done (date)

• Write any useful comments in the last column

Group:__________________ Leader:______________________

Area / Source of Risk: _________________________________

Risk # IDENTIFIED RISK

IMPLEMENTATION PLAN

When ID’d(date)

Rating(H/S)

ActionOfficer

Completedby

Done(date)

CommentsAction#

1

2

3

4

MITIGATION STRATEGY


Risk Management

Ris

k #

IDE

NT

IFIE

D R

ISK

IMP

LE

ME

NT

AT

ION

Wh

en ID

’d(d

ate)

Rat

ing

(H/S

)

Act

ion

Off

icer

Co

mp

lete

db

yD

on

e(d

ate)

Co

mm

ents

Act

ion

# 1 2 3 4

MIT

IGA

TIO

N S

TR

AT

EG

Y

#1P

ote

nti

al f

or

a fi

re in

th

e H

all a

nd

lack

of

spri

nkl

ers,

as

wel

l as

pre

sen

ce o

f h

igh

ly c

om

bu

stib

lem

ater

ials

sto

red

th

ere

may

res

ult

in s

ign

ific

ant

fire

dam

age

and

loss

of

ven

ue.

8 A

pri

l 200

2B

- 4

- H

- U

Ris

k #1

- C

on

du

ct a

n u

rgen

t r

evie

w o

f th

e H

all a

nd

dev

elo

p b

usi

nes

s ca

se, i

ncl

ud

ing

co

st,

for

intr

od

uct

ion

of

req

uir

ed s

pri

nkl

ersy

stem

. Mea

nw

hile

, tem

po

rary

mit

igat

ion

of

som

e as

pec

ts o

f th

is r

isk

by

relo

cati

ng

so

me

of

the

com

bu

stib

le m

ater

ials

to

a c

on

trac

tor’

sb

usi

nes

s w

hic

h h

as s

pri

nkl

er s

yste

m in

pla

ce.

Dev

elo

p p

lan

fo

r re

view

of

the

Hal

l an

dm

ove

men

t o

f co

mb

ust

ible

mat

eria

ls f

rom

loca

tio

n.

RS

15 A

pri

l20

02

Co

nsu

lt w

ith

DC

(C

lean

ing

Co

ntr

acto

r), F

R (

Hal

l Man

ager

) an

dT

R (

Co

mm

un

ity

Lia

iso

n O

ffic

er).

Dev

elo

p s

pec

s an

d g

ain

qu

ote

s fo

r re

qu

ired

spri

nkl

er s

yste

m.

JF20

Ap

ril

2002

See

loca

l pro

vid

ers

for

assi

stan

cew

ith

qu

ote

s.

Rem

ove

(te

mp

ora

rily

) as

mu

ch c

om

bu

stib

lem

ater

ial a

s p

oss

ible

.K

L15

Ap

ril

2002

Wo

rk w

ith

FR

(H

all M

gr)

an

d t

eam

to

carr

y o

ut

this

tas

k.

Dev

elo

p b

usi

nes

s ca

se t

o s

ell l

oca

l Co

un

cil

on

sp

rin

kler

inst

alla

tio

n, b

ased

on

ris

ks.

JF25

Ap

ril

2002

Aim

fo

r p

rese

nta

tio

n a

t C

ou

nci

lM

anag

emen

t M

eeti

ng

on

25

Ap

ril.

Incl

ud

e co

st-b

enef

it a

nal

ysis

as

wel

las

HR

issu

es a

nd

saf

ety.

5O

n a

pp

rova

l of

case

, iss

ue

a co

nta

ct f

or

inst

alla

tio

n.

RS

10 M

ay20

02U

se s

imila

r co

ntr

act

form

s to

oth

erco

ntr

acte

d s

ervi

ces.

6 7

JF KL

30 J

un

2002

10 J

ul

2002

Su

per

vise

inst

alla

tio

n a

nd

wh

en c

om

ple

te,

revi

se r

isk

reg

iste

r.

Arr

ang

e re

turn

of

com

bu

stib

les

to t

he

Hal

l.

JF t

o s

up

ervi

se c

on

trac

tors

. KL

will

do

JF

’s d

uti

es d

uri

ng

th

is t

ime.

Wo

rk w

ith

FR

(H

all M

gr)

on

tea

m t

oca

rry

ou

t th

is t

ask.

WO

RK

AR

EA

: P

rop

erty

an

d F

acili

ties

, Co

mm

un

ity

Hal

lL

ead

er:

Ro

ber

t S

mit

h

Dat

e: 8

Ap

ril 2

002

AR

EA

/SO

UR

CE

: P

rop

erty

an

d A

sset

s —

Fir

e/B

ush

fire

/Sm

oke

✯✯ ✯✯✯

Our Mission

Our mission is to strive for excellence in partneringour clients. We achieve this through our focus on

leadership, corporate and business planning,operational and strategic risk management,

policy and procedure documentation,and associated activities.

James CrownManaging Director

Strategic Planning Group (NSW) Pty Ltd#15 Southpoint Tower, 19 Central Road, Miranda NSW 2228

PO Box 371 Miranda NSW 1490 AustraliaPhone: (612) 9524 0077

Email: [email protected]

Visit our website www.stratplan.com.au

STRATEGIC PLANNING GROUP

LEADERSHIPORGANISING

EVALUATING COMMUNICATING

PLANNING

CONTROLLING

Documents

Risk Management Presentation Notes - Office for · PDF fileSTRATEGIC PLANNING GROUP ESTABLISH THE CONTEXT The Strategic Context The Organisational Context The Risk Management Context