10 Identify risk and apply risk management processes BSBRSK401
About the unit: This unit describes the skills and knowledge required to identify risks and to apply established risk management processes to a defined area of operations that are within the responsibilities and obligations of the role. It applies to individuals with a broad knowledge of risk analysis or project management who contribute well-developed skills in creating solutions to unpredictable problems through analysis and evaluation of information from a variety of sources. They may have responsibility to provide guidance or to delegate aspects of these tasks to others. In this unit, risks applicable within own work responsibilities and area of operation may include projects being undertaken individually or by a team, or operations within a section of the organisation.
Risk is… Risk management is defined in the standard (AS/NZS 4360:2004) as "the systematic application of management policies, procedures and practices to the tasks of establishing the context, identifying, analysing, assessing, treating, monitoring and communicating".
Key words: IDENTIFY – EVALUATE – TREAT – MONITOR – REVIEW
Identify risks
Risk context: Risk is everywhere; some risks are obvious and some are not. Establishing/identifying context defines the basic parameters within which risks must be managed and sets the scope for the rest of the risk management process.
Consider: When you think of where to look for risk, in addition to the above you must also consider the following: Technology (new, changing, old); Political factors; Legislation; Behaviour of consumers and the marketplace (trends, fads); Management: controls, procedures, activities; Natural events (weather: drought, storms, floods); Competitors; Commercial relationships; Terrorism; Staff/people (what happens if the CEO leaves or is injured?).
Types of risk: Commercial and legal relationships; Economic circumstances and scenarios; Financial risk; Human behaviour; Natural events; Political circumstances; Terrorism; Technology and technological issues; Reputational risk; Product liability; Strategic management; Work health and safety.
Tools to identify risk: Inspection; Consultation; Safety and management audits; Testing; Scientific and technical evaluation; Industry currency; Collection and evaluation of material; Expert advice; Seeking government or regulatory information and help; Networking; Benchmarking.
Using tools: Tools are specific. They look at cause and effect in relation to the risk. This can be either from a cause-to-effect perspective, where you identify the outcome of possible causes, or from an effect-to-cause perspective, where you look back from a worst-case scenario to its possible causes.
Document identified risks: Follow and abide by: Policies; Procedures; Legislation; Risk management plan. Use: Legislated forms; Organisational processes; Risk registers.
Analyse and evaluate risks
Key words: Due diligence; Qualitative risk analysis; Quality; Quantitative risk analysis.
Sources of risk: changes in the external environment (natural, political, social, economic); problems or deficiencies in business processes or systems; inadvertent or deliberate errors and mistakes; inadequate information flow or breakdowns in the flow of information that supports the business processes; facilities or equipment that are not suited to the job; lack of training; management actions – or inaction – or dysfunction, for example leadership/management style, communication abilities, etc; inappropriate or unrealistic performance expectations; lack of incentives; insufficient resources; lack of planning.
Analysing risk: By analysing the causes of risk, it should be possible to develop forward-looking risk indicators that will tell you of impending risk events.
Assessing risks: Once you have identified a risk or a number or series of risks, you need to analyse the risks so that you know: how likely it is that the risk/s will occur (its probability); and what the consequences will be if the risk does occur (its impact).
Probability of risk: You can look at the probability, or likelihood, of a risk event actually occurring as being on a continuum from ‘Almost certain’ (level A) to ‘Rare’ (level E), as described in the table below.
Sample Probability Table of Definitions
Level  Descriptor              Description
A      Almost certain 90-100%  Is expected to occur in most circumstances
B      Likely 50-90%           Will probably occur in most instances
C      Possible 25-50%         Might occur at some time
D      Unlikely 10-25%         Could occur at some time
E      Rare 1-10%              May occur only in exceptional circumstances
Impact of risk: Impact itself can be assessed in terms of its effect on time, cost and quality.
Sample Consequences (Impact) Table of Definitions
Level  Descriptor     Example detail description
1      Insignificant  No service impact; low financial loss
2      Minor          Minimal disruption to service capability; medium financial loss
3      Moderate       Interruptions to service delivery; high financial loss
4      Major          Loss of service capability; major financial loss
5      Catastrophic   Loss of business continuity; huge financial loss
Risk analysis: Risk analysis is sometimes called risk assessment. It is a step-by-step process. Risk analysis needs to consider the following: What can go wrong? How likely is it that it can go wrong? What are the consequences if it does go wrong?
Qualitative vs Quantitative: Quantitative data is information about quantities; that is, information that can be measured and written down with numbers. Some examples of quantitative data are your height, your shoe size, and the length of your fingernails. Qualitative data is information about qualities; information that can't actually be measured. Some examples of qualitative data are the softness of your skin, the grace with which you run, and the color of your eyes.
Qualitative vs Quantitative: Some differences between qualitative and quantitative data: The age of your children (Quantitative); The number of hairs on your head (Quantitative); The number of coins in your pocket (Quantitative); The softness of a fur coat (Qualitative); The color of the ocean (Qualitative).
Risk control plan: To create an effective risk control plan you should consider the following: Causes of the risk; Potential consequences of the risk; The likelihood of the risk occurring.
Risk analysis systems: Most risk analysis systems use two measures. Consequences: the potential severity of the impact of the risk event. Impact could be cost, time, people or quality. Likelihood: the probability of the risk event happening. An overall risk rating is determined by multiplying the consequences by the likelihood. Each risk is considered and scored against both measures.
Consequence rating
Rating          Score  Description
Insignificant   1      Negligible loss. Consequences easily dealt with.
Minor           2      Noticeable impact. Minimal damage.
Moderate        3      Moderate damage. Manageable scale of loss.
Major           4      Large-scale damage. High loss or restriction.
Catastrophic    5      Widespread damage. Business objectives severely compromised. Huge financial loss.
Likelihood rating
Rating          Score  Description
Rare            1      Risk may occur only in exceptional circumstances
Unlikely        2      Risk is less than likely during normal operations
Possible        3      Risk event is as likely as not
Likely          4      Risk event is more likely than not in most circumstances
Almost Certain  5      Risk event is expected to occur in most circumstances
Risk prioritisation
Risk analysis documentation: You must maintain records of your analysis processes and outcomes in order to meet organisational, insurance, quality accreditation and legislative requirements. This could include your: identification and analysis of risks; recommendations for change; actions to control and monitor risk. Use a risk register to allocate an overall risk and priority rating.
Document processes and outcomes: Document management is important. It may be part of due diligence procedures. Due diligence is a formatted or sometimes regulated process of risk assessment and identification. Documents should be easy to understand, use and apply. Documents should be available to all people who need to access them. Documents should be updated to reflect changes.
Treat risks
Key words: Assumption of risk; SWOT analysis.
Determine and assess control systems: Once the risk has been identified, there are two general approaches that you can choose from to begin the decision-making process. Control the risk: that is, take ownership of it, and directly implement strategies to take the risk and deal with it. Transfer the risk: that is, remove the risk from the organisation or the process within the organisation.
SWOT analysis: Conduct a SWOT analysis to determine the best control measure. When analysing the best control measures for risk, the SWOT questions become: What are the strengths of this control measure? What are the weaknesses of this control measure? What are the opportunities provided by using this control measure? What are the threats involved in using this control measure?
Common approaches: Elimination/reduction management; Assumption of risk; Transfer risk; Changing processes; Delaying; Sharing risk; Spread and minimise locations of the risk.
Control
Risk control measures: Avoid the risk; Reduce the likelihood/consequences of the risk; Transfer or share the responsibility of the risk; Retain the risk.
Monitor risks: Risk is not static. Risk must be monitored. Failure to monitor risk can cause significant problems within the organisation. For example, insurance regulatory authorities failed to continue to monitor FAI Insurance and HIH Insurance, causing significant damage when both organisations imploded.
Treatment plans: The activity; Risk events; Evaluation and analysis of the risks; Risk rankings; Selected treatment options; Identification of the relevant personnel; Resource allocation; Measures of performance; Estimated time for completion; Review.
Sample risk treatment plan
Monitor and review effectiveness of treatments
Key words: Risk audit process; Quality.
Review treatments: Establish a constant review process. Risk is a continuing and ever-present factor. As part of your continued risk management program, your constant reviews should ask: Have the chosen risk treatments and solutions been implemented as planned? Is the treatment or solution working? Are there any new or additional issues or problems?
Using review results: You should examine all results (documentary, verbal, process results, increased or changed production values or rates) as part of the risk process. Regular, effective identification, recording and reporting of risk will only continue if there is return communication from those assessing the management process. Risk management as a cultural aspect of an organisation will die unless it is fed by positive, supportive and communicated responses from you as the leader/manager, in conjunction with the senior management or executive management of the organisation.
Assist in audits: Ways to assist in the constant review/audit process: Effective upwards and downwards communication; Support organisational culture; Document risks and feedback; Use established policies, procedures and systems; Communicate with senior leaders/managers.
Great Work! For more detailed information on this topic please see the “Learner Resource” located in the topic’s section of the Moodle.