Management Alternatives Pty Ltd
ABN 23 050 334 435


2. Risk management process

In the Australian and New Zealand Standard 4360:2004 the risk management process is described with seven phases:

1. Establishing a context for risk management in your organisation
2. Communicating risk management to your organisation
3. Identifying risks in your organisation
4. Analysing risks in your organisation
5. Evaluating risks in your organisation
6. Treating risks in your organisation
7. Monitoring and reviewing risks in your organisation.

1. Establishing a context for risk management in your organisation

This includes:

  • clarifying the vision, mission and goals of your organisation
  • identifying the wider environment within which your organisation operates
  • setting the scope and objectives for the risk management process
  • identifying how risks will be measured
  • identifying what will be involved in the risk assessment process.

2. Communicating risk management to your organisation

Good communication and consultation are essential for risk management. They aim to:

  • improve people's understanding of risks and the risk management processes
  • ensure all relevant stakeholders are heard
  • ensure that everyone is clear on their roles and responsibilities.

3. Identifying risks in your organisation

The aim is to develop a comprehensive list of the sources of risks and their consequences. There is not one right way to do this. Some strategies are:

  • brainstorming at a staff meeting
  • brainstorming with stakeholders with relevant knowledge and experience
  • systematic analysis, eg, flow charting systems and processes
  • development of 'what if' scenarios
  • researching relevant data, such as injury rates, insurance claims, death rates, etc.

4. Analysing risks in your organisation

Some of the key questions in analysing the risks are:

  • What is the likelihood of the risk?
  • What is the consequence?
  • What is the level of risk (combination of likelihood and consequence)?
  • What factors affect the likelihood or consequences?
  • What is the level of uncertainty?
  • What are the limitations to the analysis?

Similar questions can be asked in relation to opportunities (ie risks with positive consequences):

  • What is the likelihood of the opportunity?
  • What is the consequence?
  • What is the level of opportunity/risk (combination of likelihood and consequence)?

5. Evaluating risks in your organisation

Some of the key questions in risk evaluation are:

  • What are acceptable levels of risk?
  • What are intolerable levels of risk?
  • Does the risk need treatment?
  • What are the priorities for treatment of risks?

6. Treating risks in your organisation

To effectively treat risks one needs to understand how risks arise. Some of the ways that risks are treated are:

  • Contingency planning (ie plan in advance for an event that may happen so as to minimise any negative effects should it happen)
  • Sharing the risk, eg, when entering into contracts with other service providers, specifying that they share the risk; use of waivers
  • Transferring the risk, eg, through insurance
  • Avoiding the risk, eg, no longer undertaking the activity
  • Financing the risk, eg, setting funds aside to pay for the consequences
  • Reducing the risk, eg, through changing work practices

In treating risks there will be trade-offs between costs and benefits. One will have to make a judgment that the cost of reducing the risk is worth the benefit of the reduced risk.

Key question: What is acceptable risk?

7. Monitoring and reviewing risks in your organisation

Risk management is an ongoing process:

  • the risk management process needs monitoring
  • the effects of risk treatments need to be monitored and reviewed to ensure they are adequate and effective
  • new risks need to be scanned for.