BSBRSK501 Manage risk
Release 1 (Aspire Version 1.2) © Aspire Training & Consulting
Topic 1: Establish the risk context
Establish the risk context
Before conducting or implementing any form of risk management, you must establish your risk context.
Discuss why this is important and how this could be done.
Understand types of risks
Commercial relationships
Economic circumstances
Human behaviour
Individual activities
Legislation
Management activities
Natural events
Political
Technology
Understand categories of risks
Property-centred risks
Personnel-centred risks
Market-centred risks
Operation-centred risks
Legislation-centred risks
Governance-centred risks
The process for managing risks
Communicate and consult.
Establish the context.
Identify the risks.
Analyse the risks.
Address the risk.
Monitor and review the system.
Determine the scope for risk management processes
Identify the scope, such as the stakeholders involved and the time frame.
Ask questions such as:
‘How is the organisation structured?’
‘What is the purpose of the risk management process?’
‘What business projects, units or areas will be examined?’
What else could you ask?
Identify stakeholders and their issues
Internal stakeholders:
Owners
Employees
Managers
Identify stakeholders and their issues cont’d …
External stakeholders:
Suppliers
Society
Government
Creditors
Stakeholders
Customers
Discuss consultation and prioritisation.
Review the context
Context can include:
Political
Legal
Economic
Social
Technological
Policy
How can you go about understanding each context?
Review existing arrangement
Ask:
How do your existing internal mechanisms address the current environment?
How is policy influencing the processes and procedures?
What are the strengths and weaknesses of these mechanisms?
Identify strengths and weaknesses.
Document critical success factors, goals and objectives
Critical success factors include:
scope
stakeholders
resources
goals.
Set SMART goals, and document outcomes and objectives.
Obtain support for risk management activities
Who should you communicate with about the risk management processes?
What should you communicate?
How should you communicate?
Topic 2: Identify risks
Identify risks
What do you need to be able to do to identify risks?
Who is responsible for identifying risks?
Identify parties for consultation
Who should you consult about:
finance
sales and marketing
security
equipment
safety
personal
legal
politics?
Strategies for consultation
Contact participants by formal letter, mail or telephone.
Explain the scope of the risk management.
Describe the expertise they can offer.
Arrange a forum for their contribution such as a one-on-one meeting, interview discussion, a focus group or a public consultation meeting.
Ask participants to bring along or send you relevant documents that justify their points of view.
Research risks
Research methods include:
using and analysing statistics
consulting other business areas
analysing previous activities and experience
conducting market research
consulting the public
conducting a literature review.
Generate a list of potential risks
Prepare a draft list of the risks that stakeholders and your research have identified that apply to your scope.
Tools and techniques for generating a list of potential risks
Brainstorm
Use fishbone diagrams
Use flow charts
Use scenario analysis
A fishbone diagram
A flow chart
Steps in property management would involve:
Screening the potential tenants
Signing them to a lease
Making regular property inspections
Scenario analysis steps
Prepare a basic scenario on a whiteboard; for example, releasing a new product on the market.
Form the basic storyline, develop participants and plot a course of action.
Identify major actions and a ‘safe’ route, where no risks are encountered. For example, releasing a new product may include a product launch, an advertising blitz and free samples.
Tease out potential deviations from the planned ‘safe’ route (unforeseen incidents or contingencies) by brainstorming, and adding these ideas and suggestions along the pathway.
Interpret the scenario once it’s finished to develop a checklist.
Gain approval for the project plan
You have now researched and identified a number of potential risks that apply to your scope.
How can you simplify and manage data for presentation?
Topic 3: Analyse risks
Analyse risks
What does it mean to analyse the risk?
How could this be done?
Assess the likelihood of risks occurring
Likelihood is usually expressed in terms of:
probability (the chance that when a risk exists, a consequence will follow)
frequency of exposure to the risk (how often and for how long the source of the risk exists)
a combination of both.
Analysing the level of risk
To analyse the risks you have identified, you need to work out the likelihood of each one happening (frequency or probability) and the consequences it would have (the impact). Together these give the level of risk, which can be calculated using this formula:
level of risk = consequence x likelihood
Level of risk is often described as low, medium, high or very high.
| Level | Consequence | Description |
| 4 | Severe | Financial losses greater than $50,000 |
| 3 | High | Financial losses between $10,000 and $50,000 |
| 2 | Moderate | Financial losses between $1000 and $10,000 |
| 1 | Low | Financial losses less than $1000 |
Consequences scale example
Note: Ratings vary for different types of businesses.
Types of analysis
Qualitative analysis
Semi-qualitative analysis
Quantitative analysis
Three risk elements that concern project management:
Schedule – will the project be completed within the planned timeframe?
Cost – will the project be completed within the allocated budget?
Performance – will the output from the project satisfy the business and technical goals of the project?
Where possible, these risks should be quantified to enable the project team to develop effective mitigation strategies for the risks, or to include appropriate contingencies in the project estimate.
| Risk rating | Description | Action |
| 12-16 | Severe | Needs immediate corrective action |
| 8-12 | High | Needs corrective action within 1 month |
| 4-8 | Moderate | Needs corrective action within 3 months |
| 1-4 | Low | Does not currently require corrective action |
Risk rating table example
Qualitative analysis
A: Extremely likely (expected)
B: Likely (probable)
C: Possible
D: Unlikely (unexpected)
E: Rare
Rating system for semi-qualitative analysis
Quantitative analysis
Likelihood of illness from a risk
For every 50,000 units of a food product packaged at the site, 2,500 have been found to be incorrectly sealed.
Therefore, there is a five per cent risk of exposure to illness.
Statistical analysis can thereafter determine how many people exposed to the unsealed product actually become ill.
The incorrect seals lead to the potential risk of customers becoming unwell.
Consequence scale
1. Insignificant
2. Minor
3. Moderate
4. Major
5. Catastrophic
Determine likelihood and level of impact
Determine the frequency of exposure to the risk
Risk evaluation and prioritising
To prioritise well, take into account the:
controls already in place
cost consequences of managing risks or leaving them untreated (in terms of resources as well as health and safety)
benefits and opportunities presented by the risks
risks to be borne by stakeholders.
Topic 4: Select and implement treatments
Establish the risk content
This step is extremely important, as a wrongly applied or unsuitable treatment can cost your organisation time and money. Discuss why and how.
Select the most appropriate options for treating risks
Should you:
avoid the risk
change the likelihood
change the consequences?
Analyse the control measures
Ask:
Is the treatment option feasible?
What is the cost of implementing the control measure?
Are there any benefits to be gained by not reducing the risk?
What resources are needed to control the risk?
Does the treatment mean more risks are identified or does it lead to additional benefits?
Is the control measure sustainable or is it a short-term fix?
Are there rare but severe risks that need to be treated regardless of cost?
Select risk treatments
Options may be influenced by:
the priority of the risk
the cost and other resources available
the timeliness required in addressing the risk
legal implications
sustainability of controls
stakeholder sentiment and preferences.
Examples of risk treatment measures
How would you decrease risk of the following situations?
Increased competition
Declining demand for products or services
Expenditure over budget
Inadequate IT system
High staff turnover
Litigation
Develop a risk treatment action plan
What risk areas have been identified?
What are the identified risks?
What are the risk levels?
What actions are required?
Who is taking responsibility?
What are the timelines?
How will you monitor the processes?
Develop the action plan
Research examples of risk treatment action plans.
Document the plan.
Ensure the document is correct and current
Documents must be current and accurate to:
communicate risk management activities with all stakeholders, participants and employees
facilitate ongoing process monitoring and evaluation of the risk management strategy
provide an accountability mechanism that supports the organisation’s corporate plan
provide an audit trail for the follow-up of key actions identified in the action plan.
Retain documents
Documents that may need to be retained include:
Risk assessments
Risk management plans
Insurance cover forms
Incident report forms
Litigation records
Alliances
Contracts and memoranda of understanding
Training records
Storage options
Investigate what storage options are available to you.
Communicate, implement and monitor a risk treatment action plan
Implement the plan
Communicate strategies
Overcome difficulties
Monitor the plan
Evaluate the risk management process
Evaluations can be:
goal-based
process-based
outcomes-based.
Methods for conducting evaluations
Questionnaires, surveys and checklists
Interviews
Documentation reviews
Observation
Focus groups
Case studies
Likelihood Table
The following can be used as a guide for determining likelihood. However, this tool has limitations as likelihood and frequency of events tend to vary between disciplines and functional areas.
| Level | Likelihood | Expected or actual frequency experienced |
| 1 | Rare | May only occur in exceptional circumstances; simple process; no previous incidence of non-compliance |
| 2 | Unlikely | Could occur at some time; less than 25% chance of occurring; non-complex process &/or existence of checks and balances |
| 3 | Possible | Might occur at some time; 25 – 50% chance of occurring; previous audits/reports indicate non-compliance; complex process with extensive checks & balances; impacting factors outside control of organisation |
| 4 | Likely | Will probably occur in most circumstances; 50-75% chance of occurring; complex process with some checks & balances; impacting factors outside control of organisation |
| 5 | Almost certain | Can be expected to occur in most circumstances; more than 75% chance of occurring; complex process with minimal checks & balances; impacting factors outside control of organisation |