
BSBRSK501

Manage risk Learner Guide


Table of Contents

Unit of Competency
  Application
  Performance Criteria
  Foundation Skills
  Assessment Requirements
1. Establish risk context
  1.1 – Review organisational processes, procedures and requirements for undertaking risk management in accordance with current risk management standards
    Reviewing your workplace processes to manage risk
    Organisational policy and procedures
    Risk management in your working processes
    Activity 1A
  1.2 – Determine scope for risk management process
    Determining the nature and scope of workplace hazards
    Sources of risk and hazard information
    Legislative and regulatory context
    Risk management for work health and safety (WHS)
    Other legislation that may be applicable
    Activity 1B
  1.3 – Identify internal and external stakeholders and their issues
    Your stakeholders
    Identifying relevant stakeholder issues
    Activity 1C
  1.4 – Review political, economic, social, legal, technological and policy context
    Context of risk
    Organisation influences
    Activity 1D
  1.5 – Review strengths and weaknesses of existing arrangements
    Strengths and weaknesses of your business operations
    Look at your existing risk management
    Activity 1E
  1.6 – Document critical success factors, goals or objectives for area included in scope
    Report on risk management
    Critical success factors
    Activity 1F
  1.7 – Obtain support for risk management activities
  1.8 – Communicate with relevant parties about the risk management process and invite participation
    Seek organisational support
    External stakeholder support
    Work with your stakeholders
    A process of communication
    Activity 1G
2. Identify risks
  2.1 – Invite relevant parties to assist in the identification of risks
    Identifying risks with the help of others
    Interacting with stakeholders
    Communication conventions
    Activity 2A
  2.2 – Research risks that may apply to scope
    Researching risks
    Tools for performing research
    Activity 2B
  2.3 – Use tools and techniques to generate a list of risks that apply to the scope, in consultation with relevant parties
    Tools to identify risks
    Risk management strategies
    Activity 2C
3. Analyse risks
  3.1 – Assess likelihood of risks occurring
  3.2 – Assess impact or consequence if risks occur
    Assess and analyse your risk factors
    Risk categorisation
    Risk matrix
    The level of risks
    Activity 3A
  3.3 – Evaluate and prioritise risks for treatment
    Prioritise the risks
    Hierarchy of risk controls
    Contingency planning
    Activity 3B
4. Select and implement treatments
  4.1 – Determine and select most appropriate options for treating risks
    Strategies for controlling risk
    Sequence risk control activities
    Treatment options
    Porter’s Five Forces
    Activity 4A
  4.2 – Develop an action plan for implementing risk treatment
    Measures you can take
    Developing a plan to treat the risks
    Activity 4B
  4.3 – Communicate risk management processes to relevant parties
    Communicate your risk management processes
    Verbal communication
    Non-verbal communications
    Activity 4C
  4.4 – Ensure all documentation is in order and appropriately stored
    Documentation
    Documenting the results of risk assessments
    Activity 4D
  4.5 – Implement and monitor action plan
    Implementing treatment plans
    Operational risks
    Implementing a risk control plan
    Activity 4E
  4.6 – Evaluate risk management process
    Monitoring risk
    Evaluating implemented risk controls
    Activity 4F
Summative Assessments
References


Unit of Competency

Application

This unit describes skills and knowledge required to manage risks in a range of contexts across an organisation or for a specific business unit or area in any industry setting. It applies to individuals who are working in positions of authority and are approved to implement change across the organisation, business unit, program or project area. They may or may not have responsibility for directly supervising others. No licensing, legislative or certification requirements apply to this unit at the time of publication.

Unit Sector

Regulation, Licensing and Risk – Risk Management


Performance Criteria

Element: Elements describe the essential outcomes.

Performance Criteria: Performance criteria describe the performance needed to demonstrate achievement of the element.

1. Establish risk context

1.1 Review organisational processes, procedures and requirements for undertaking risk management in accordance with current risk management standards
1.2 Determine scope for risk management process
1.3 Identify internal and external stakeholders and their issues
1.4 Review political, economic, social, legal, technological and policy context
1.5 Review strengths and weaknesses of existing arrangements
1.6 Document critical success factors, goals or objectives for area included in scope
1.7 Obtain support for risk management activities
1.8 Communicate with relevant parties about the risk management process and invite participation

2. Identify risks

2.1 Invite relevant parties to assist in the identification of risks
2.2 Research risks that may apply to scope
2.3 Use tools and techniques to generate a list of risks that apply to the scope, in consultation with relevant parties

3. Analyse risks

3.1 Assess likelihood of risks occurring
3.2 Assess impact or consequence if risks occur
3.3 Evaluate and prioritise risks for treatment

4. Select and implement treatments

4.1 Determine and select most appropriate options for treating risks
4.2 Develop an action plan for implementing risk treatment
4.3 Communicate risk management processes to relevant parties
4.4 Ensure all documentation is in order and appropriately stored
4.5 Implement and monitor action plan
4.6 Evaluate risk management process


Foundation Skills

This section describes language, literacy, numeracy and employment skills incorporated in the performance criteria that are required for competent performance.

Skill (Performance Criteria): Description

Reading (1.1, 1.4, 1.5, 2.2)
➢ Comprehends a variety of relatively complex texts
➢ Gathers, interprets and analyses textual information from a range of sources to identify relevant information

Writing (1.6, 1.8, 2.1, 2.3, 4.3)
➢ Develops textual material and organises content in a manner that effectively documents risk management analysis and assessment priorities and processes

Oral communication (1.8, 2.1, 2.3, 4.3)
➢ Participates in interactions with stakeholders using questioning and listening to elicit opinions, and to confirm and clarify understanding

Numeracy (2.2)
➢ Uses numerical tools to assess risk and uses numerical data to review plans

Navigate the world of work (1.1, 2.1, 4.3)
➢ Refers to organisational processes, procedures and requirements when making decisions about risk management

Interact with others (1.8, 2.1, 2.3, 4.3)
➢ Establishes and uses appropriate conventions and protocols when communicating with stakeholders about risk management
➢ Consults and negotiates with stakeholders about risk management processes and outcomes

Get the work done (1.2, 1.3, 1.5, 1.7, 2.1, 2.2, 2.3, 3.1, 3.2, 3.3, 4.1, 4.2, 4.4, 4.5, 4.6)
➢ Sequences and schedules a range of routine and complex activities, monitors implementation, evaluates processes and manages relevant communication
➢ Systematically analyses information to decide on appropriate risk management treatments
➢ Uses digital technologies and systems to access information, document plans and communicate with others


Assessment Requirements

Performance Evidence

Evidence of the ability to:

➢ Analyse information from a range of sources to identify the scope and context of the risk management process including:
o stakeholder analysis
o political, economic, social, legal, technological and policy context
o current arrangements
o objectives and critical success factors for the area included in scope
o risks that may apply to scope
➢ Consult and communicate with relevant stakeholders to identify and assess risks, determine appropriate risk treatment actions and priorities and explain the risk management processes
➢ Develop and implement an action plan to treat risks
➢ Monitor and evaluate the action plan and risk management process
➢ Maintain documentation

Note: If a specific volume or frequency is not stated, then evidence must be provided at least once.

Knowledge Evidence

To complete the unit requirements safely and effectively, the individual must:

➢ Outline the purpose and key elements of current risk management standards
➢ Outline the legislative and regulatory context of the organisation in relation to risk management
➢ Outline organisational policies, procedures and processes for risk management

Assessment Conditions

Assessment must be conducted in a safe environment where evidence gathered demonstrates consistent performance of typical activities experienced in the regulation, licensing and risk - risk management field of work and include access to:

➢ Relevant legislation, regulations, standards and codes
➢ Relevant workplace documentation and resources
➢ Case studies and, where possible, real situations
➢ Interaction with others

Assessors must satisfy NVR/AQTF assessor requirements.

Links

Companion volumes available from the IBSA website: http://www.ibsa.org.au/companion_volumes - https://vetnet.education.gov.au/Pages/TrainingDocs.aspx?q=11ef6853-ceed-4ba7-9d87-4da407e23c10


1. Establish risk context

1.1. Review organisational processes, procedures and requirements for undertaking risk management in accordance with current risk management standards

1.2. Determine scope for risk management process

1.3. Identify internal and external stakeholders and their issues

1.4. Review political, economic, social, legal, technological and policy context

1.5. Review strengths and weaknesses of existing arrangements

1.6. Document critical success factors, goals or objectives for area included in scope

1.7. Obtain support for risk management activities

1.8. Communicate with relevant parties about the risk management process and invite participation


1.1 – Review organisational processes, procedures and requirements for undertaking risk management in accordance with current risk management standards

By the end of this chapter, the learner should be able to:

➢ Assess the different situations of workplace risk

➢ Understand the importance of workplace policy for managing risk

➢ Look at working processes when seeking to manage risk.

Reviewing your workplace processes to manage risk

When seeking to manage risk in the workplace, you will first need to understand the current situation of risk and how this is being addressed throughout the workplace. This will include all aspects of the business and can affect both your internal and external stakeholders.

Risk management in business is also known as:

➢ Enterprise risk management (ERM)

➢ Business risk management (BRM).

Risk can apply to both your organisation’s business activities and to the immediate environmental factors within the workplace.

Managing risk includes looking at the following areas:

➢ Work health and safety

➢ Operations

➢ Finances

➢ Environmental and sustainability factors

➢ Reporting

➢ Compliance

➢ Governance.

For example, within your business activities you will need to check whether organisational processes support business needs and whether money is being wasted unnecessarily within organisational spending. In aspects of work health and safety, risks need to be eliminated or minimised to safe levels (e.g. if chemicals are used, how these should be stored and used).

You should assess the current level of risk management in place and determine if this is meeting all the needs of your organisation’s business.


Organisational policy and procedures

Organisational policy provides a description of the legal and ethical requirements that must be followed in business; it can also include the values, philosophy and codes of conduct that the organisation believes in and uses. Each policy statement will need to have an accompanying procedure to fulfil the policy requirements. This provides all employees with structured processes and actions.

As such, you will need to review organisational policy and procedures to check that they meet organisational requirements to manage workplace risks.

You should also check your specific policy on managing risk; this may also be identified in work health and safety/occupational health and safety policy.

Risk management policies and procedures

Policy to manage risks should cover your business and work needs; all situations and scenarios should be considered so that risk management can be applied across all areas.

Risk management policy and procedures include:

➢ Identification of risks and hazards

➢ Assessment of risks and hazards (categorising risks for the likelihood of occurrence and the consequence of this)

➢ Risk measures and controls

➢ A process of monitoring and reviewing risk controls.

Risk management in your working processes

You should pay attention to how effectively your organisation’s business activities are being carried out. Check your current standards and how other managers and employees conduct business, with a view to ensuring adequate controls are in place to counteract the potential risks within your organisation’s work.

For example, risks in work activities may include:

➢ How money is handled, e.g. are budgets being maintained?

➢ How resources are used, e.g. is equipment/machinery being looked after (is your organisation using sustainable practices)?

➢ How your business relationships are conducted, e.g. are working relationships successful and well-established?

➢ How customers/clients are managed, e.g. do you provide good customer service practices/are you retaining or attracting new business?


Activity 1A


1.2 – Determine scope for risk management process

By the end of this chapter, the learner should be able to:

➢ Understand the necessity to determine the scope for risk management

➢ Assess legislative and regulatory requirements for your areas of risk

➢ Know the value of standards in business.

Determining the nature and scope of workplace hazards

Determining the nature and scope of workplace hazards is vital if you are to successfully minimise the number (and the impact) of hazards at work. Taking the time to assess each area of risk and the possible hazards will not only enable you to more effectively prevent unwanted incidents, but also to develop a contingency plan for whenever incidents do occur.

To determine the nature and scope of workplace hazards, ask yourself questions such as:

➢ Which area of business needs to be addressed?

➢ What types of hazards exist there?

➢ What are the individual hazards and where do they originate from?

➢ How many times, on average, do specific incidents occur as a result of the hazard each month or year?

➢ When, and in what circumstances, do these incidents tend to occur?

➢ Who is most likely to be affected?

➢ What kind of a risk to individuals does the hazard pose?

o For example, risk of injury or loss of reputation or business.

Your key elements for risk management

Determine your priorities and key needs for managing risk. For example, if you work within the financial industry, you will need to look at the key financial risk areas when conducting business. If you work within hospitality your key areas may include health and hygiene in handling food, security of employees and customers, and sustainable work practices. Each business industry will have its own priorities alongside the core areas of risk such as work health and safety.

Sources of risk and hazard information

In order to identify hazards and assess and control risks, it helps to have a strong understanding of the various work issues that apply – or could apply. This means identifying and consulting a range of sources of information and data on hazards and risks.


Sources of information and data on hazards and risks include:

➢ Colleagues, managers/supervisors and employees

➢ Organisational policies and procedures

➢ Codes of conduct

➢ Work health and safety (WHS) legislation

➢ Industry regulations

➢ Federal and state government regulations

➢ Incident and hazard logbooks

➢ In-house statistics and data

➢ Anecdotal evidence

➢ Training days, workshops, seminars, conferences and other events

➢ Newspapers, magazines, journals.

Once you have identified a wide range of sources of information and data on hazards, you then need to obtain this information and analyse it to determine the nature and scope of workplace hazards, the range of harms they may cause and how these harms are caused.

Legislative and regulatory context

Risk management in work activities will also come under relevant business industry legislation and regulation, depending on your particular industry of business.

For instance, your organisation may need to obtain specific licences or permits for conducting business activities; if working in the transport industry, for example, licences to ship certain goods may be required. Ensuring your organisation is fully compliant in business will prevent unnecessary risks in carrying out your business activities.

Risk management for work health and safety (WHS)

The specifics and features of your WHS policies will vary according to the nature and scope of work your organisation does. But there are certain issues which should always be covered, regardless of your industry.


WHS policies and procedures should cover:

➢ The organisation’s commitment to establishing a safe and healthy workplace

➢ The full range of hazards and risks associated with each job and workplace location

➢ An awareness of relevant industry guidelines, regulations and relevant legislation

➢ The procedures to be followed for each specific area of work

➢ The WHS responsibilities of each employee (according to their position)

➢ The importance of communication and cooperation between all employees

➢ The organisation’s commitment to regular reviews of policies and procedures.

For example, a workplace policy could be to ‘minimise work health and safety hazards’, while the procedures that underpin this policy could include ‘clearing up all spills immediately,’ and ‘washing hands after exposure to chemicals’.

WHS policies and procedures play a huge role in protecting the health and safety of employees. They serve to remind employees of safe behaviour and help minimise hazards and reduce risks.

Work Health and Safety (WHS)/Occupational Health and Safety (OHS) legislation

Under relevant state/territory (and harmonised Commonwealth) work health and safety laws, all persons in the workplace will have a duty to comply with health and safety requirements.

A worker under Section 28 of the WHS Act must:

➢ Take reasonable care of their health and safety

➢ Take reasonable care of the health and safety of the people around them

➢ Comply with their employer’s instructions.

An employer under Section 19 of the WHS Act is required to provide:

➢ Processes to ensure that the health and safety of persons is not put at risk by maintaining:

o a safe work environment

o maintenance of all equipment, personal protective equipment (PPE) and chemicals as required by law

o up-to-date information, training and instruction to ensure that all persons are protected from risk.

Persons conducting a business or undertaking (PCBUs)

PCBUs have a legal duty to ensure that health and safety are maintained at their workplace and should ensure that duties to carry out the safety of the workforce are performed. A PCBU is the legal individual(s) or organisation that operates the business.


A PCBU can be someone that:

➢ Employs workers to carry out work for them

➢ Directs work that is performed by workers

➢ May put others at risk from their business or undertaking

➢ Manages, or is in charge of, the workplace and facilities.

Other legislation that may be applicable

You may need to consider the following areas of legislation and industry standards, within your working practices, for managing the different kinds of risk.

Considerations may include:

➢ Consumer and competition laws for fair trading practices

➢ Product liability regulations

➢ Food safety standards

➢ Work health and safety legislation.

Anti-discrimination

Anti-discrimination legislation protects against discriminatory behaviour in and out of the workplace; following it prevents non-compliance in your dealings with employees and customers/clients.

Anti-discrimination legislation includes:

➢ Age Discrimination Act 2004

➢ Australian Human Rights Commission Act 1986

➢ Disability Discrimination Act 1992

➢ Racial Discrimination Act 1975

➢ Sex Discrimination Act 1984.

You must follow these laws in all aspects of your work. You cannot discriminate against individuals based on characteristics like age, gender, disability and race and you must afford everyone equal opportunities. Full details about these Acts can be found at https://www.humanrights.gov.au/our-work/legal/legislation (access date: 27.09.2016).

Privacy of information

The main aspect of confidentiality requirements is the Privacy Act. This is an Australian law that came into force in 1988 and governs how organisations handle personal information about people, whether staff, clients or customers, etc.

The Privacy Act comprises 13 privacy principles, which are:

➢ Open and transparent management of personal information

➢ Anonymity and pseudonymity

➢ Collection of solicited personal information

➢ Dealing with unsolicited personal information

➢ Notification of the collection of personal information

➢ Use or disclosure of personal information

➢ Direct marketing

➢ Cross-border disclosure of personal information

➢ Adoption, use or disclosure of government related identifiers

➢ Quality of personal information

➢ Security of personal information

➢ Access to personal information

➢ Correction of personal information.

Further information on the privacy principles and the Privacy Act can be found at the Office of the Australian Information Commissioner (OAIC) website: https://www.oaic.gov.au/individuals/privacy-fact-sheets/general/privacy-fact-sheet-17-australian-privacy-principles and https://www.oaic.gov.au/privacy-law/privacy-act/ (access date: 27.09.2016).

Environmental issues

Minimising negative impact on the environment and running a sustainable business operation can help manage risks within your organisation. Guidance and compliance requirements exist for elements such as importing/exporting goods, managing hazardous waste and maintaining our culture and heritage. Environmental legislation will also let you know whether your particular business activities require a licence or permit.

Environmental legislation includes:

➢ Environment Protection and Biodiversity Conservation (EPBC) Act (Federal)

➢ Environmental Protection Act 1997 (Australian Capital Territory)

➢ Protection of the Environment Operations Act 1997 (New South Wales)

➢ Environmental Assessment Act 1982 (Northern Territory)

➢ Environmental Protection Act 1994 (Queensland)

➢ Environment Protection Act 1993 (South Australia)

➢ Environmental Management and Pollution Control Act 1994 (Tasmania)

➢ Environment Protection Act 1970 (Victoria)

➢ Environment Protection Act 1986 (Western Australia).

Further information on environmental compliance in business can be found at the following Government website: https://www.business.gov.au/Info/Run/Environmental-management/Environmental-legislation (access date: 27.09.2016).

ISO 14000 is the international standard for environmental management for businesses. This is a family of standards that covers a range of environmental concerns.

ISO 14000 standards include:

➢ Environmental performance evaluation

➢ Labelling and declarations

➢ Life-cycle assessment

➢ Water and carbon footprints.

International risk management standards

ISO 31000 is the international standard for risk management and helps organisations in their risk

analysis and assessment.

This applies to business activities such as:

➢ Planning

➢ Management operations

➢ Communications.

By following ISO 31000, organisations can look to improve their business operations and governance, and increase stakeholder confidence through minimising losses. It also focuses on health and safety in the workplace and provides tools to help in decision-making for pro-active management. Organisations can look to improve their compliance with relevant legislation and become better equipped to identify the potential threats and also the opportunities.

Further information on ISO 31000 can be found at the ISO website:

http://www.iso.org/iso/home/standards/iso31000.htm (access date: 27.09.2016).

Activity 1B

1.3 – Identify internal and external stakeholders and their issues

By the end of this chapter, the learner should be able to:

➢ Recognise stakeholder groups

➢ Understand different stakeholder issues.

Your stakeholders

Stakeholders are any individuals, groups or organisations that have an interest in an organisation’s business. This interest stems from the fact that decisions made within that business will have a direct impact upon them. The level of impact will depend upon their association with that business.

Stakeholders relevant to your risk management include:

➢ Your organisation’s employees

➢ Organisational management

➢ The business owner/person conducting a business or undertaking (PCBU)

➢ Contractors

➢ Volunteers

➢ Customers/clients

➢ Service providers and suppliers

➢ Unions

➢ Regulatory associations and peak bodies

➢ Health and safety representatives (HSRs) or a health and safety committee (HSC).

Identifying relevant stakeholder issues

Each type of stakeholder will have their own perspective on risks and these should be incorporated into

your overall risk management. To truly understand their concerns, you should consult with your

stakeholders. This may be in the form of an official workplace consultation on health and safety

practices or a work review, or you may hold separate discussions and consultations with specific

stakeholder groups to gain opinions and understanding.

If consulting with your customers or clients, you may want to provide a questionnaire or feedback form

to obtain their comments. The form of communication or consultation should be appropriate to the

stakeholder group; this can be formal or informal in approach.

Consultations with stakeholders should be performed in line with legal requirements and as a courtesy to those who have an interest in your business. They allow you to inform stakeholders of any potential major changes to your business and enable you to record their thoughts and feedback. This provides evidence of other viewpoints, which should be documented clearly and thoroughly.

Stakeholder risk concerns may include:

➢ Unregulated working hours, causing worker fatigue

➢ Poor customer service levels and feedback

➢ Work area ergonomics

➢ Supplier delivery issues

➢ Changes to business legislation

➢ Financial stability/available equity.

Meeting with stakeholders may require detailed reporting and minute-taking so that a record can be made of the meeting and its outcomes. This may be needed to provide information to your stakeholders when communicating any changes to the business.

Activity 1C

1.4 – Review political, economic, social, legal, technological and policy context

By the end of this chapter, the learner should be able to:

➢ Determine different contexts for risk

➢ Look at organisational and societal contexts.

Context of risk

Looking at the context of risk will help you to recognise the types of risk and the likelihood of their occurrence. This can be particular to your organisation, such as risk for a specific project or for new workplace premises, or it can be related to broader issues.

Determining context means identifying the circumstances that are applicable to the situation of risk, i.e. the factors that surround and influence it.

Risk context includes:

➢ Political – this can relate to the politics of the organisation and how business is conducted, or this could include the current political climate within your state/territory, or Australia as a whole. Internal organisational politics will be concerned with how the business is structured and how it is run, e.g. the preferences in work approaches, management styles and philosophy. Australian or world politics may have an influence on your business, e.g. current political agendas, trade laws and business funding.

➢ Economic – this is about the business climate and how well your organisation or business industry is faring in the current economic market. Influences on the economy include politics, how customers/clients decide to spend their money, and world events such as conflicts and acts of terrorism. A shift in the economy can cause a boost or decline in your profits or demand for business.

➢ Social – this can refer to the collective within your organisation (how employees are working, their working relationships and morale); it can also include the wider community or your customer/client-base. Your employees’ attitudes and practices can influence work activities positively or negatively; being aware of the social setting can help you to deter situations of risk or decide on control measures. The social attitudes of your community can have a bearing on how well your business performs, e.g. if your organisation is well thought of, or whether you work positively with the community.

➢ Legal – this concerns the legal and regulatory needs that your organisation must follow and the risks that can be incurred as a result of non-compliance. Risks associated with legal business can be easily identified and rectified. This context should provide you with a clear means to resolve a situation of risk.

➢ Technological – this is about how your organisation uses and responds to technology. Risks can include out-dated equipment, old technologies or even a lack of embracing current technologies in the workplace. With continual technological advances, it is not always easy to evolve working practices as fast as technology moves. Organisations investing in new machinery or equipment will need to ensure its longevity within organisational work plans.

➢ Policy-based – a look at the internal structure and workings of the organisation and whether policy truly captures the potential areas of risk. Identifying issues with organisational policy (and/or procedures) will require a review of current policy. Policy influences may also be felt through Government/local government business activities and associated trade or industry regulatory bodies/associations.

➢ Health and safety – this will concern the organisation’s practices to support the health and well-being of employees and visitors to the workplace. This can include safe premises, safe working methods and systems, ergonomic work areas, safe equipment and machinery and emergency procedures.

It is important to review the context of your risk to make sure you assess and tackle the underlying

influences and causes.

Organisation influences

The way that your organisation functions will influence how circumstances

and contexts impact on business. Knowing how your organisation performs

its day-to-day requirements will help to better assess how other factors will

affect it.

For example, if a change in legislation puts one of your business activities at risk in terms of health and safety, the speed of response from within your organisation may be fast, with little or no impact felt. Alternatively, your organisation may need to review its practices or budgets to find compliant methods to maintain health and safety, which could take time. The structure and governance of your organisation can determine how issues of risk are felt within work practices and how they are ultimately dealt with.

Activity 1D

1.5 – Review strengths and weaknesses of existing arrangements

By the end of this chapter, the learner should be able to:

➢ Assess strengths and weaknesses in organisational operations

➢ Perform a S.W.O.T. analysis

➢ Determine current risk measures in place.

Strengths and weaknesses of your business operations

As part of your risk management, you will need to assess the capabilities of your organisation and

whether you have the resources and the level of experience required. Make an open assessment and

look at the strengths and weaknesses of your current business arrangements.

Strengths may include:

➢ Experienced personnel with excellent training

➢ Good resources available

➢ Thorough analysis of risk management

➢ Backing from your insurance agents/financial managers.

Weaknesses may include:

➢ Lack of overall project management

➢ Unassigned roles of responsibility with risk management

➢ Poor resources available

➢ Limited budget.

S.W.O.T. analysis

A strengths, weaknesses, opportunities and threats (S.W.O.T.) analysis can be used to evaluate

measures in place for addressing potential risks. Strengths and weaknesses usually refer to the internal

factors within your organisation – these are the elements that need to be assessed and controlled

before looking at the possible opportunities or threats.

Opportunities and threats are the factors that you will come up against; to optimise your opportunities and to eliminate/minimise the threats, you need to plan your tasks accordingly. These are mostly external factors that influence a situation, although this can be anything external to the management of the business (e.g. employee opportunities or threats).

This can be a useful tool to keep you on track and to help you readjust any strategies or to redirect your

objectives along the way.

Example S.W.O.T. analysis table:

Strengths

➢ Budgets approved for new resources

➢ Employee skillsets varied

➢ Loyal customer-base

Weaknesses

➢ Time will be needed to gain all the resources

➢ Costs may increase

➢ Training to use new technologies will be needed

Opportunities

➢ Better equipment and tools to carry out work

➢ New resources for new business

➢ Possible expansion of organisation

Threats

➢ Consumer market close to saturation

➢ Longevity of outcome unsure

➢ Delays in meeting deadlines

Gather all the information that you need to start making decisions on the next steps. Without all the information at hand, making decisions will be difficult and could prove to be incorrect for your organisation’s needs. Never assume anything; find the information that you need and make sure it is from trusted and approved sources.

The following highlights some of the steps you may need to take when looking to make decisions:

➢ Identify the issues and determine initial risks

➢ Analyse the situation to understand what information you have, what you will need and how you can get this

➢ Use a S.W.O.T. analysis to determine if further investigations are plausible

➢ Identify all scenarios and options available (brainstorm with colleagues and anyone else who can help)

➢ Select the best option and develop a risk analysis and contingency plan

➢ Implement the decision and document the steps taken to get to this point.

P.E.S.T. analysis

Alongside a S.W.O.T. analysis, you may find it useful to do a P.E.S.T. analysis. This is a political, economic, social and technological analysis and can be used to target specific areas and influences on the business. This is best done prior to a S.W.O.T. analysis as it can help you to target your S.W.O.T. analysis on specifics.

A P.E.S.T. analysis should have a clear focus on the position for the analysis. For example, it can be the

organisation looking at its market/customers, an opportunity to make an investment or when making an

acquisition. P.E.S.T. looks at the bigger decision-making activities, while S.W.O.T. addresses the factors

that impact at a working level.

P.E.S.T. analysis questions can include:

➢ Political – are state/territory or national elections taking place and could this impact your direction?

➢ Economic – is the country’s economy at a stable point for making your decision?

➢ Social – is a generational shift going to impact on your outcomes?

➢ Technological – will changes in technology have a bearing on current actions?

Look at your existing risk management

Your current controls may be as effective as you require them to be, but you should always check your controls on a regular basis to ensure they are, and remain, appropriate for managing your organisation’s business needs.

Questions to ask regarding your existing risk controls can include:

➢ What measures are in place to minimise this risk?

➢ What is the reasoning behind establishing these measures?

➢ How effective are these measures?

➢ Which individuals are protected by these measures?

➢ Which individuals are not protected by these measures?

➢ Can we do more to minimise the risk?

Activity 1E

1.6 – Document critical success factors, goals or objectives for area included in scope

By the end of this chapter, the learner should be able to:

➢ Know the necessity for documenting requirements

➢ Understand the relevancy of a critical success factor.

Report on risk management

Ensure you document all your findings and investigations into risk management needs. Records need to

be kept and maintained for different reasons.

Records are kept for:

➢ Documenting work activities

➢ Evidence of research, investigations and outcomes

➢ Logging progress and completion of work

➢ Gaining statistics for assessing and analysing information

➢ Legal reporting requirements.

For your risk area, gather the documentation you have gained and assess the information for its worth

and relevancy in determining the critical success factors. The critical success factors will enable you to

focus on achieving your organisational goals and objectives. This will maintain your focus when

assessing the matter further and looking to implement suitable controls.

Critical success factors

The term critical success factor (CSF) in business describes a requirement that is recognised as being essential for achieving success. Critical success factors are closely aligned to organisational objectives and goals. These are the actions that enable goals to be reached. For example, acquiring new computer technology in order to manage a new customer database (CRM – customer relationship management software) is a CSF. This action can assist an organisation to attain its goal to improve its business relationships.

As mentioned above, goals and objectives are the elements

that need to be achieved for the organisation to consider

itself successful.

Activity 1F

1.7 – Obtain support for risk management activities

1.8 – Communicate with relevant parties about the risk management process and invite participation

By the end of this chapter, the learner should be able to:

➢ Recognise the value in obtaining support for risk management activities

➢ Assess communication methods for inviting participation

➢ Formulate a risk management process.

Seek organisational support

Support for carrying out your risk management activities will

primarily come from your internal stakeholders. Managers and

supervisors will need to be involved in your actions to perform

risk management; they will help implement the recognised

measures and controls at a higher level. They can provide

guidance and encouragement to work teams and employees in

every-day work tasks.

Employees can also help support risk management by complying

with, and carrying out, the identified measures and controls.

To gain support from management and employees, you will also need to give support. This will be in the form of providing clear and thorough information and viable work practices and methods for risk management at work. You may also need to ensure employees have the correct knowledge and skills training to enable them to manage workplace risks in line with risk management plans.

External stakeholder support

You may also need to gain the support of some of your external stakeholders; this may include your

suppliers, contractors and volunteers. These will be the people who work closely with you; for example,

you may need to request a different work process with your suppliers, in order to minimise workplace

risk, which may include using new documentation or forms for placing and receiving orders.

Contractors and volunteers that work within (or for) your organisation will also need to be informed on

new risk-related practices and be provided with additional instruction or training to carry these out.

Work with your stakeholders

Gaining support from relevant stakeholders will require you to take the lead and be clear on the type of

support that is needed. You should take a direct approach, provide all relevant information and assist in

the set-up of any requirements. This may include producing workplace guidance documentation.

Risk management activities may include:

➢ Carrying out regular workplace safety checks

➢ Logging information

➢ New working practices and procedures

➢ Communication processes.

Showing your support will be of value in achieving stakeholder participation. You need to treat others with respect and courtesy; do not presume all stakeholders will necessarily see the immediate benefits of your risk management activities. Take time to explain changes and provide a means to engage in open communications to assist in any transitions and to gain stakeholder understanding.

You can:

➢ Place value on your workplace practices

➢ Provide training and instruction on procedural changes

➢ Share information on the organisation’s objectives and risk management needs

➢ Trust stakeholders, and delegate roles and responsibilities to manage risks.

A process of communication

To include the relevant parties in the risk management process you will need to let them know that

their input is welcomed or required. Communications will need to take place to provide this information

and to invite participation.

Communications may take the form of:

➢ Consultations

➢ Workplace meetings

➢ Individual and group discussions

➢ Telephone conversations

➢ Written information and letters

➢ Electronic communications, such as email

➢ Website/intranet communications.

Participation may be compulsory (e.g. organisational employees) or on request (e.g. a supplier’s input into improving ordering processes). Ensure that you receive confirmation of participation so that you know stakeholders are in receipt of the communication. This will also allow you to confirm understanding of the situation and of the level of involvement.

Risk management process

The process to manage risks will include a step-by-step procedure; this will show a logical application to

recognise and control risks. Situations of risk will differ but a process to manage these will operate in

the same way; this serves to provide a straightforward application.

A risk management process will include:

➢ Identifying risks involved

➢ Analysing risks and assessing their impact

➢ Evaluating how these will affect the organisation

➢ Rating the risks to determine the control measures

➢ Treating the risks to either eliminate or control them to safe levels

➢ Monitoring and reviewing risk management activities on a regular basis.

Activity 1G

2. Identify risks

2.1. Invite relevant parties to assist in the identification of risks

2.2. Research risks that may apply to scope

2.3. Use tools and techniques to generate a list of risks that apply to the scope, in consultation with relevant parties

2.1 – Invite relevant parties to assist in the identification of risks

By the end of this chapter, the learner should be able to:

➢ Look at identifying risks with stakeholder assistance

➢ Interact positively with stakeholders

➢ Understand communication conventions and protocols.

Identifying risks with the help of others

Your invitation to the relevant stakeholders, asking for their participation in identifying risks, will help raise concerns and highlight areas not yet recognised. By including those parties that have a vested interest in your organisation and workplace activities, you are more likely to raise and recognise all associated risks.

Stakeholders can help identify risks in the following ways:

➢ Through reviewing workplace procedures

➢ When discussing work opportunities and business ventures or projects

➢ When performing risk assessments within the workplace

➢ When documenting incidents and near misses

➢ When completing and checking workplace records

➢ Through asking questions and making observations.

Work health and safety

In matters of work health and safety, all employees need to be consulted and allowed to contribute to risk identification and to making safety changes. As these directly impact on workers, they will need to provide their comments and feedback when management are seeking to make health and safety risk assessments and improvements. This may also include the presence of a health and safety representative (HSR), a health and safety committee (HSC) and/or a work health and safety officer or personnel.

Interacting with stakeholders

Your interactions and workplace communications can also be used to determine appropriate risk treatment actions and the order in which risks should be treated. (More on risk treatment actions can be found in section 4.1 of this unit.)

Techniques to use in your interactions include:

➢ Questioning – closed questions require short and direct answers (e.g. ‘yes’ or ‘no’); these are good for confirming details and understanding. Open questions require longer, informative replies (e.g. when asked a question such as ‘what happened when you followed the current procedure?’); these are useful for discussing subject matter in detail and for problem-solving.

➢ Listening – active listening is repeating or paraphrasing back what has been spoken to clarify understanding. Reflective listening involves the same as active listening, but includes confirming the feelings or emotions of the speaker to gain insight into how they feel.

➢ Open communications – this form of communication is about being honest and fully open to discussions in order to share and explore information in an unbiased manner and without repercussions. It can be used to fully understand viewpoints and to assess areas of risk and the impacts.

Discussions should provide different opinions and the opportunity to fully investigate how stakeholders

work with risks. Highlighting occurrences and potential areas of risk will ensure you take the correct

measures to control and manage these.

Communication conventions

Conventions and protocols for carrying out your organisational

communications will need to follow accepted workplace practices. These

establish the groundwork for following good practice with all business

communication requirements, and will help to build successful working

relationships.

Communications may be:

➢ Formal

➢ Informal.

These conventions and protocols will be based on equitable practices which serve to promote

professional communications. Informal communications will be relaxed and less-guarded; these are the

communications that you have with colleagues and other employees, the people you know best.

Formal communications will tend to be those that you have with clients/customers and other external

stakeholders; these must represent the ideas and decisions of your organisation. You will need to take

care over confidentiality of information and appropriate use of language and words.

All communications should be conducted politely and with respect to other people’s viewpoints and

experiences.

Conventions and protocols may include:

➢ Following organisational communication procedures

➢ How you greet and speak to stakeholders

➢ Use of body language and gestures

➢ Documenting and reporting communications

➢ The process to invite stakeholders to meetings and engage in discussions

➢ Following-up on communications within a certain timeframe

➢ Responding to communications within organisational communication timeframes.

Activity 2A

2.2 – Research risks that may apply to scope

By the end of this chapter, the learner should be able to:

➢ Determine research methods

➢ Organise and present research appropriately.

Researching risks

Researching is a process that involves gathering information from as many different sources as possible.

For example, information may come from books and papers, word-of-mouth, proven facts and statistics,

and work reports. Using a variety of sources can help you to gain more information and viewpoints.

Sources of information must be:

➢ Reliable

➢ Reputable

➢ Verifiable

➢ Valid.

Set yourself a period of time to perform your research and to

identify the different areas and types of information that can assist

in your risk management. This will help you to keep working to

targets and any required deadlines.

Research should be done responsibly:

➢ Seeking permission to obtain information when needed

➢ Following organisational and communication protocols and procedures when obtaining information

➢ Conducting courteous and professional communications

➢ Ensuring information is handled correctly, such as:

o maintaining confidentiality and data privacy

o storing information appropriately (e.g. securely/under lock and key if confidential)

o never disclosing private information to those who do not have permission to access this

o keeping records and information logs.

Researching also involves assessing and analysing the information. You will need to determine what you

are looking for, such as past accounts, incident statistics, and confirmation of events. Assessing for each

need will help you to understand the information as it applies to your risk management needs.

Tools for performing research

When information is gathered, you will need to collate this in a presentable manner to allow you to see

and use data appropriately.

Written information may need to be scanned and stored digitally, or paper copies placed into relevant

files or folders. Data from database runs or computer logs may need to be taken and put into another

format, for example, Microsoft Excel spreadsheets, Word, PowerPoint, in another software program or

printed onto paper.

This will allow you or others to present data in the most effective way in order to assess information

and to show important features.

Information can be shown in:

➢ Tables

➢ Graphs

➢ Text

➢ Diagrams

➢ Illustrations, such as maps, charts and graphics.

Information may need to be presented within an organisational report or as individual research papers/results. Organise your research into an appropriate form and ensure this is compiled and shown truthfully and without undue bias, as this may affect your own or others’ interpretations.

Numerical tools

Using software that allows you to look at and analyse figures can greatly assist in your numerical

analysis. This helps to order data and information quickly and easily, preventing the possibility of human

error. You can perform equations, section or separate data fields and create new pages with specific

information.

Software that configures numbers and enables calculations includes:

➢ Microsoft Excel

➢ MATLAB

➢ Intuit QuickBooks

➢ Apple Numbers.

Activity 2B

2.3 – Use tools and techniques to generate a list of risks that apply to the scope, in consultation with relevant parties

By the end of this chapter, the learner should be able to:

➢ Work with others in risk management identification

➢ Understand and use tools and techniques to list risks

➢ Be aware of risk management strategies.

Tools to identify risks

Documentation is essential in assisting you in the process of identifying risk. It will help you to assess the

impact and likelihood of risk occurring. Seeing information on paper is a valuable way to make it real.

Make sure you use staff resources to help you identify risk; you could bring together a team of

experienced people to work on identifying and assessing the risk, or even bring in a consultant with

expertise in risk management.

Consult with all available and relevant persons who can help you identify and list the possible risks as

applicable to the scope.

Relevant persons may include:

➢ Department managers

➢ Health and safety representative

➢ Contractors and employees.

Use checklists and testing procedures, and prioritise risks by developing a system of scale to evaluate

high and low risks, such as a numerical scoring system. Checklists can be used to help identify the risk

factors; prioritising will let you know which are the most important or urgent to deal with.

To recap, risks may include:

➢ Commercial and legal relationships

➢ Economic circumstances and scenarios

➢ Human behaviour

➢ Individual activities

➢ Management activities and controls

➢ Natural events

➢ Political circumstances

➢ Positive risk

➢ Use of technology

➢ Hazards in the workplace such as:

o physical hazards

o biological hazards

o ergonomic hazards

o psychological hazards.

An example of information in a risk checklist:

Risk checklist for Project X – new client business

| Risk factors | Risk |
|---|---|
| Project set-up | Low risk – acquiring work space, work team, and resources |
| Staff resources | No risk – recruited two personnel to manage project, assigned two workers to project |
| Technology resources | Low risk – ICT dept. booked to set up computer system/technologies |
| Team skills | Medium risk – two workers require additional skills and knowledge |

You and any designated others can use a range of techniques and tools to assess risks. Consultations

and discussions can also help bring together knowledge and experience; working together will allow you

to investigate risks and negotiate priorities.

Techniques, tools and processes for determining risks include:

➢ Qualitative analysis

o this involves plotting risks on a graph or matrix

o the likelihood of a risk occurring can be ranked horizontally, while the impact of

the risk can be ranked vertically

➢ Quantitative analysis

o this involves assigning numbers to risks according to whether they are highly

likely or highly unlikely to occur

➢ Speaking with colleagues, managers and supervisors

➢ Assessing in-house statistics and data relating to incidents, hazards and risks

➢ Examining equipment, materials and substances

➢ Conducting a ‘Hazard and Operability (HAZOP)’ study

o a systematic approach to examining each separate part of a work practice,

identifying along the way all the associated risks

➢ Conducting a ‘Failure Modes and Effects Analysis (F.M.E.A.)’

o an F.M.E.A. is a ‘bottom-up’ method for assessing the ways in which the basic

elements of a system, process or piece of equipment can fail, leading to health

and safety risks

➢ The ‘Structured What-If Technique’ (S.W.I.F.T.)

o S.W.I.F.T. involves a team of experts brainstorming ‘what if?’ scenarios

o e.g. ‘What if there is a power cut?’ ‘What if there is a flood?’

Risk management strategies

Risk management is a two-stage process; identify the risk and control the risk. Develop a strategy (or

strategies) that will encompass these needs. Ensure all persons involved in identifying risk are thorough

in their process and detail all the risk factors.

There are different approaches to manage risk and these include:

➢ Risk assumption – this strategy lets the other party know that there is an element of

risk involved, for example, building a new hotel that is scheduled to be open for

business by a certain date. If the hotelier is aware that this may not be completed in

time, he/she cannot expect to take issue if this is delayed.

➢ Risk avoidance – this strategy looks to avoid the risk by not taking the course of action

that could cause any negative impact to occur, for example, not using an unknown

manufacturer to make your products.

➢ Risk retention – this strategy accepts the potential risk because the successful outcome

far outweighs the negatives.

➢ Risk transfer – this strategy shares the risk by

either using another party to take on some of

the risk – for example, using a supplier to

source difficult to find parts – or by using an

insurance policy to cover the risk.

Activity 2C

3. Analyse risks

3.1. Assess likelihood of risks occurring

3.2. Assess impact or consequence if risks occur

3.3. Evaluate and prioritise risks for treatment

3.1 – Assess likelihood of risks occurring

3.2 – Assess impact or consequence if risks occur

By the end of this chapter, the learner should be able to:

➢ Understand different analysis techniques for assessing risk

➢ Use a risk categorisation to determine the likelihood of risks

➢ See the value of a risk matrix to show the level of risk.

Assess and analyse your risk factors

Look at the information you have gained and form an understanding of the risks that are involved. This

process is helped by using different analysis techniques; this provides you with additional focus on

target or high risk areas.

Analysing information is about forming a true understanding and can include:

➢ Statistical analysis – looking at data, facts and figures in information to provide

evidence of past situations; this is helpful for looking at straightforward data but will

not highlight any variables or influences that may have affected the outcomes

➢ Critical analysis – the term used for determining the worth of information in analysis;

this is usually from the analyst’s point of view and can be helpful when applying

personal experience and knowledge to a situation

➢ Predictive analysis – this can be used when looking at data and figures to look ahead at

predicting future occurrences, although not an accurate type of analysis, if using a

strong predictive model it can help you to make better decisions

➢ Causal analysis – this is looking at the cause (or root cause) to determine why

something has, or is, repeatedly happening so that this can be changed or eliminated to

prevent future occurrences; causes can operate in cycles and may be systemic within

the organisation

➢ Consequence analysis – this is about identifying the consequences of taking actions or

in making decisions, it can help you to look further along at organisational activities to

ensure you are aware of and factor in any other actions that may occur as a result

➢ Probability analysis – focuses on the possible

occurrences that may happen by looking at

historical data and information (past trends) and

applying that to the current situation.

Correlations

Understanding correlations in data is useful as it helps determine the bigger picture. By identifying and

looking at the connections between information you can seek to understand the relationships that exist.

It also helps to tie together different information that may come from different sources.

Things that you may want to focus on in your analysis include:

➢ Stakeholder types and/or activities

➢ Organisational policy and procedures

➢ Organisational culture

➢ Economic and political influences

➢ Legislation and regulation

➢ Technology needs

➢ Current risk management arrangements

➢ The objectives and critical success factors identified in the scope

➢ The risks that may apply to the scope.

Risk categorisation

To help you with categorising the particular risk that may affect you, you should be aware that this

categorisation must be relevant to you and your organisation. You may start with a set categorisation

chart, but invariably to make this work accurately, you should tailor this to suit your needs every

time you come to need a risk categorisation, adding as many levels as needed.

Construct a system of scale to help you determine how likely a threat or opportunity will be. You could

use the categorisation, as below, or choose a numerical system instead, for example 1-5 (1 being low

risk and 5 being high risk). By using a category for the likelihood of the risk against a category of the

consequences of the risk, you can build a clearer picture of each one.

Risk categorisation may include:

➢ Likelihood of risks:

o almost certain

o likely

o possible

o unlikely

o rare

➢ Consequences of risks:

o insignificant

o minor

o moderate

o major

o catastrophic.

Either a worded or a numerical categorisation will achieve a rating system that you can use with each risk

to determine its impact. Fine-tune the categories as much as you need to, so you can accurately assign

the risk level and look at preventing any negative consequences.

Risk matrix

A risk matrix categorisation provides an overview of the potential risks to show areas of concern and

any priorities that need to be worked on. This is a useful way to assess any probabilities of risk and to

determine the level of impact they may have.

As in the example below, this template risk matrix shows the scale for risks – just add the risk in the

appropriate box for assessment.

In order for a risk matrix to be successfully used, you should design a specific matrix for your particular

needs and carefully monitor individual risks through the project. If not used correctly the matrix will not

give you a clear indication of risk.

Example risk matrix template:

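Impact of risk (rows) against likelihood of risk happening (columns):

| Impact of risk | Rare | Unlikely | Possible | Likely | Most likely |
|---|---|---|---|---|---|
| Extreme | LM | M | MH | H | H |
| High | L | LM | M | MH | H |
| Moderate | L | LM | M | MH | MH |
| Low | L | LM | LM | M | MH |
| Very low | L | L | LM | M | M |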

Key:

L – low risk

LM – low/medium risk

M – medium risk

MH – medium/high risk

H – high risk.

The level of risks

Once you have identified the level of risk for each factor, you can look at the importance of how this

may affect your organisation and plan the best course of action. The potential impacts on your business

need to be seen.

Level of risk may include:

➢ Low, treated with routine procedures

➢ Moderate, with specific responsibility allocated

for the risk, and monitoring and response

procedures implemented

➢ High, requiring action, as it has potential to be

damaging to the organisation or project

➢ Extreme, requiring immediate action, as it has

potential to be devastating to the organisation

or project.

Activity 3A

3.3 – Evaluate and prioritise risks for treatment

By the end of this chapter, the learner should be able to:

➢ Know the importance of prioritising risks

➢ Understand the hierarchy of risk controls

➢ See the value in making contingency plans.

Prioritise the risks

In order to manage and control risks, you need to evaluate their importance and impact. As seen in

section 3.1/3.2 of this unit, categorising risk and using a risk matrix can help determine which risks are

more important to manage first.

Once risks have been prioritised, you will then need to determine the best control methods to eliminate

or manage those risks at a safe level.

Hierarchy of risk controls

A hierarchy of risk controls exists in business to help organisations prioritise and manage their risks. It

can apply to all areas of risk management but is primarily concerned with work health and safety risks.

The list of hierarchy controls below is presented in order of effectiveness for controlling risk. Elimination

is the most successful solution to controlling a risk, and personal protective equipment (PPE) is the

option that is used last. Using a combination of risk controls may also be necessary and can increase

safety when controlling situations of risk.

1. Elimination – reorganise systems to remove the risk from the process

2. Substitution – change/swap to a lower risk option

3. Isolation – keep the risk away from others by making the area secure or off-limits

4. Engineering controls – use of appropriate mechanisms to prevent

hazard, such as increased ventilation

5. Administration controls – assess procedures

and revise working practices to eliminate the

risk, e.g. shortening work hours on a task or

rotating staff on a task

6. Personal protective equipment (PPE) –

provide safe and suitable equipment and

clothing to protect from the hazard, e.g. safety

goggles or use of gloves.

Contingency planning

When evaluating risks in working procedures and systems, it is good

practice to address and formulate contingency plans; these can be used in

the unlikely event that an undesired situation actually happens.

Contingency planning allows for you and others to think and plan

alternative measures and actions to ensure work is continued and is

carried out safely.

This means that you and others can make well-thought and logical

decisions in a non-reactionary environment. You and your organisation are

able to take control of an unwanted situation without experiencing

unnecessary difficulties or duress.

Working with a contingency plan is similar to identifying risk:

➢ Contingency planning is not just about the major risk or events that may occur, it also

includes those that may happen on a smaller scale

➢ It should be regarded as important to make contingency planning a standard part of

your everyday business operations

➢ Contingency planning is not a procedure or policy but more a systematic approach to

identifying what can go wrong in a variety of situations

➢ Contingency planning does not allow for thinking it will sort itself out or that if left

alone everything will turn out okay.

As in risk management activities, contingency planning will include options to identify the likelihood and consequence of actions occurring or ignoring those actions:

➢ Likelihood – this represents the chance that something will happen

➢ Consequence – this represents the impact that a particular factor may have and is

measured in degrees of severity, or impact on your work plans

➢ Contingency – this is the planning you undertake to address the consequence.

Activity 3B

4. Select and implement treatments

4.1. Determine and select most appropriate options for treating risks

4.2. Develop an action plan for implementing risk treatment

4.3. Communicate risk management processes to relevant parties

4.4. Ensure all documentation is in order and appropriately stored

4.5. Implement and monitor action plan

4.6. Evaluate risk management process

4.1 – Determine and select most appropriate options for treating risks

By the end of this chapter, the learner should be able to:

➢ Use a strategy for treating and controlling risks

➢ Know the importance of sequencing and scheduling work activities

➢ Apply the hierarchy of risk controls.

Strategies for controlling risk

To resolve issues of risk, a strategy of control will be needed. It will

depend upon the type of risk involved as to which strategy will work best.

Strategies to control risk include:

➢ Stop the risk – take away the process/element that is

causing the risk

➢ Treat the risk – stop the action causing risk and change

this action to include controls for risk elimination

➢ Transfer the risk – shift the element of risk elsewhere

➢ Tolerate the risk – on occasions where risk is

unavoidable and needs to be allowed for, make this as

safe a process as possible.

Decide upon the strategy and work to remove the risk. If you need to consult with others, make sure

this is done and the outcome is agreed. Time may also be required to make effective plans and to gather

all necessary resources and means to implement risk treatments.

Factors that may impact on risk treatments include:

➢ Expenditure and budgets, the cost to implement treatment and control measures

➢ Organisational and management needs and priorities

➢ Resource requirements, e.g. human or technical

➢ Time factors, e.g. when needing to implement policy or legislative changes.

Sequence risk control activities

Plan out the sequence and schedules for risk treatments; this will help create order within complex

tasks, and documents the identified activities. Use the available technologies at your place of work to

help you, for example, workplace computer systems to log and communicate information automatically

to employees or relevant others.

Sequencing may include:

➢ Planning work activities

➢ Deciding the order for carrying out tasks

➢ Assigning roles and responsibilities

➢ Identifying the appropriate risk controls

➢ Organising and implementing risk controls

➢ Monitoring and reviewing risk controls and work activities.

Treatment options

Treating risks will depend on the chosen hierarchy of control, or controls. You may decide to try one

control with a view to reviewing this at a further date. Using more than one control may be required, for

example, isolating chemicals under lock and key in a building away from workers may also require

administrative controls to record details of who uses the key and when.

Risk treatment examples using the hierarchy of risk controls:

➢ Elimination – repairing damaged machinery so it is safe to operate

➢ Substitution – installing an improved security system in the workplace to prevent

visitors entering areas that are prohibited

➢ Isolation – locating hazardous chemicals away from work areas

➢ Engineering controls – changing a system of work to enable workers to work without

risk to health and safety

➢ Administration controls – recording work activities and documenting tasks

➢ Personal protective equipment (PPE) – wearing ear muffs to protect from loud

machinery noises.

Porter’s Five Forces

The Porter’s Five Forces model allows you to look at where power lies in a business situation and how it

may affect your organisation. This helps you to assess your risk position in the market and the potential

to make profits by looking at the factors that can be changed to put the balance in your favour.

1. Supplier power – this depends upon your reliance upon using suppliers and how many

suppliers can offer you what you need. The fewer options you have, the more

dependent you are upon the supplier and their costs may increase.

2. Buyer power – this depends upon your buyers, whether or not they are willing to pay

what you charge for your products/services. If there are other opportunities for your

buyers to choose different organisations, the weaker your position will be and your

prices could be driven down.

3. Competitive rivalry – this depends upon how many competitors you have and how

comparable their products/services are. The less others offer the same as you, the

better your position will be.

4. Threat of substitution – if your products/services can be substituted for alternative

products/services by other organisations, this will weaken your strength in the market.

5. Threat of new entry – if the market is easy to enter and competitors can easily

establish themselves, this will weaken your organisation’s growth and profits. If the

industry you are in has many obstacles to entry this will protect the market.

[Diagram: Porter’s Five Forces – competitive rivalry, supplier power, buyer power, threat of substitution, threat of new entry]

Activity 4A

4.2 – Develop an action plan for implementing risk treatment

By the end of this chapter, the learner should be able to:

➢ Understand the need to make efficient plans to treat risks

➢ Know about risk action and treatment plans

➢ Know the use of a risk register.

Measures you can take

Risk measures and controls can vary tremendously, but all will originate from the hierarchy of controls

to provide the correct intention.

To control risk measures, you could:

➢ Look to using technology, e.g. you could use risk management software to monitor risk,

or perform evaluations and compile your results into spreadsheets for reviewing

➢ Confer regularly with those that see your progress, e.g. with your accountant/accounts

department or project managers

➢ Prioritise goals, focus on tasks and complete these before taking the next step

forwards.

Developing a plan to treat the risks

When determining the actions to treat the risks, you will need to have a thorough risk management

plan that details what the risks are, the identified risk treatments, who is responsible for carrying out

the treatments and the timeframes applicable to these.

Documentation that can help your plans:

➢ Risk action plan – to detail the risk(s) associated with an area, project, etc.

➢ Risk treatment plan – to describe the chosen control(s) for the risk(s)

➢ Risk register – to assign responsibilities for monitoring and managing the risks during

risk treatment.

A risk plan will highlight the concerns that you have, but will need to present a feasible course of action.

The correct approval procedures will need to be taken and it must fall within budget to work.

To develop a risk control plan, you should consider:

➢ Hazard identification measures

➢ Risk assessment methods

➢ All identified hazards and their associated risks

➢ How likely it is that hazards and risks will cause

harm to employees and the organisation

➢ Which risk control measures are affordable,

workable and effective

➢ Risk triggers

➢ Short term and long term goals for reducing potential hazards and risks

o ideally, your ultimate aim is to eliminate all incidents and accidents that arise

from hazards

o you should identify short term and long term goals so that you can introduce risk

control measures gradually and monitor your progress over a set period of time

➢ Which employees should take responsibility for the risk control plan

➢ Methods of documentation

o you can document your risk control plan on paper or electronically.

An example risk action plan could look like this:

Description of identified situation of risk: (For example) an event to promote a hotel complex to increase customer bookings and organisational reputation

Potential impact of risk:

Positive risk will result in customer bookings

Negative risk will result in poor customer interest

Comments on the risk:

All staff involved will need to positively promote the hotel and facilities and provide information upon request, including tariffs and offers, to ensure success

Recommendations:

➢ Plan and organise promotional activities and materials

➢ Train staff to participate in the event

Proposed action:

➢ Advertise the event

➢ Produce hotel brochure, leaflets on current packages and deals, free gifts for customers

➢ Run staff training over a two-day period

Staff involved and responsibilities assigned:

Department managers to oversee the event and assist in customer activities

Hospitality team to run event and presentations, and to talk with customers

ICT personnel to assist in set-up of presentation/demonstration technologies

Resources needed:

Conference suite/reception space, presentation and display equipment, promotional literature and gifts, staff to host

Timelines:

6 weeks until event day

Deadlines:

1 week to start promotion of event

3 weeks to perform staff training

4 weeks to produce promotional materials

Required reports:

Work progress update

Budget report

Project report

Frequency of reports:

Twice a week

1 week prior to event

1 week after event

Authorised by: A. Nother Date: 10/10/2016

Implementation comments: (To be confirmed)

An example risk treatment plan:

| Risk | Hierarchy of control(s) | Treatment options | Likelihood of risk occurring | Monitoring options | Person(s) responsible |
|---|---|---|---|---|---|
| Customers do not attend event | Administration | Ensure event is advertised and invites are sent | Medium | Ensure advertisements are in the correct place, check invite response numbers | H. Ospitality |
| Customers do not see the value in the promotion | Engineering, Administration | Ensure customers are aware of the reasons and benefits | Low | Check and ask for feedback and invite responses to event | H. Ospitality |
| Staff do not interact well with customers | Elimination | Provide skills training and instruction to staff | Low | Attend training sessions and discuss event with staff | Department managers |
| Presentation does not work correctly | Elimination, Substitution | Set equipment up day before event and test, provide back-up equipment | Low to medium | Check with ICT on evening before event and on the day | ICT department |

An example of a risk register:

Risk register for hotel event on 12/12/2016

| Risk | Person/dept. responsible | Date of action | Impact of risk | Likelihood of risk | Date action complete | Follow-up actions | Risk status |
|---|---|---|---|---|---|---|---|
| Customer invites not sent in time | Hospitality | To be sent 17/10/2016 | Low attendees | Medium | 17/10/2016 | Check replies | None |
| Video equipment does not work | ICT | 11/12/2016 and 12/12/2016 | No display, lack of technical capability | Low to medium | 12/12/2016 | None | None |

Activity 4B

4.3 – Communicate risk management processes to relevant parties

By the end of this chapter, the learner should be able to:

➢ Understand different communication methods

➢ Use communication methods to suit business needs.

Communicate your risk management processes

Your communications should be clear and provide all the necessary details that apply to the situation. If

information is not given correctly, individuals with duties and responsibilities may lack direction or not

know when actions need to be carried out or completed.

Ensure your communications are appropriate to the parties involved and provide them with the facts

and information that they need. How and when you communicate will depend on the situation of risk. If

you are responsible for ensuring information is disseminated to other stakeholders, ensure you provide

a clear process for others to follow and access to the correct and most up-to-date information.

Communications can be:

➢ Verbal, such as:

o speaking directly with others, e.g. one-to-one or within a group setting

o telephone and video conference communications

➢ Non-verbal, such as:

o writing:

▪ emails

▪ letters, reports and other

documentation

▪ using databases and other

software programs

o how you present yourself to others

o use of body language and gestures

o using visual presentations to

communicate information.

Verbal communication

Verbal communications should be professional, courteous and respectful at all times. It is essential to

know how to relay information and how to conduct discussions; these will need to be tailored to suit

the audience, e.g. formal for managerial discussions and informational for team meetings. Your use of

language and terminology should be appropriate and enable understanding.

You could inform others of risks at:

➢ Conferences and meetings

➢ Presentations

➢ Training and inductions

➢ Performance reviews

➢ Mentoring or coaching sessions.

It is important to understand social and cultural differences in communication and ensure your

approach and responses are appropriate. Take time to understand the communication needs of your

audience.

Verbal communications include:

➢ Addressing people in a suitable manner

➢ Articulating clearly and impartially

➢ Listening to others – use of active and reflective listening

➢ Asking questions to confirm and clarify meaning (open and closed questioning)

➢ Allowing others to speak, ask questions and contribute

➢ Acknowledging the contribution of others

➢ Performing negotiations to arrive at mutually acceptable outcomes (principled

negotiations)

➢ Facilitating an environment of open discussions and employee participation.

Non-verbal communications

You should use non-verbal communication techniques with care and appreciation of the audience.

Meanings may differ between cultures and social groups; these can cause offence to some individuals,

however harmless a gesture may appear to be. Non-verbal communication can signify status, attitudes

and emotions which can be easy to misunderstand.

Aspects of non-verbal communication that may differ between cultures may include:

➢ Eye contact

➢ Body language

➢ Mannerisms

➢ Gestures

➢ Facial expressions

➢ Posture

➢ Personal space

➢ Touch.

When writing and compiling information, templates and plans,

ensure these are presented neatly and to organisational standards.

Using plain English will help aid understanding and will ensure you

do not overcomplicate texts. Make these simple to use and follow

for all relevant stakeholders.

Activity 4C

4.4 – Ensure all documentation is in order and appropriately stored

By the end of this chapter, the learner should be able to:

➢ Know the value and importance of documenting risks

➢ Understand the need for templates and forms for employee use

➢ Store records and information in the workplace.

Documentation

Your organisation will need to keep records for legal

requirements and for any future analysis needs. All incidents of

risk need to be documented so that future occurrences of risk

can be avoided and your organisational systems can be

improved to better handle such situations.

Templates and copies of forms should be made available to staff

for their use and clear procedures should be explained so that all

employees follow the correct documentation processes. You

may have forms for risk assessment, incidents/accidents, risk

monitoring, risk matrix, risk register, etc.

Documenting the results of risk assessments

Documenting the results of risk assessments is a vital means of preventing and minimising the impact of

hazards on individuals and structures in the workplace.

By recording the results, as well as the process, of risk assessments, you will be better prepared to

safeguard the safety and wellbeing of all staff members, work property and organisational activities.

When documenting the results of risk assessments, you should include:

➢ Details of the hazard itself

o e.g. faulty electrical wiring

o including the location/origination of the hazard

➢ Why the risk assessment had to be carried out

➢ The time and date the risk assessment was conducted

➢ Who conducted the risk assessment

➢ A quantitative and qualitative evaluation of how likely an injury or illness will occur as a

result of the hazard

➢ A brief explanation of the reasons – or potential reasons – for the hazard’s existence

➢ The measures taken to minimise the risk posed by the hazard

o e.g. power to the electric wiring was switched off

➢ What else needs to be done in order to minimise the risk posed by the hazard

➢ How similar hazards may be prevented in the future.

You may document the results of risk assessments either on paper or electronically; what is important is

that you document the results according to organisational procedure and file and store records in such

a way that relevant stakeholders can access particular documents.

Most organisations have special procedures in place for recording and documenting the results of risk

assessments; be sure to familiarise yourself with any procedures in place and follow them accordingly.

Activity 4D

4.5 – Implement and monitor action plan

By the end of this chapter, the learner should be able to:

➢ Address implementing plans

➢ Know the importance of providing information to others

➢ Understand the need to monitor plans as risks may change.

Implementing treatment plans

A risk treatment plan is part of the risk management process and should be included in your action plan

to eliminate the negative risks and to look at promoting the opportunities, or positive risks. The

person(s) responsible for the treatment plan(s), if different to you/the project manager, will need to

confer with the appropriate person(s) to ensure that work is completed as and when expected.

Make sure that plans are complete and provide thorough guidance to deal with the hazards and risks involved. When implementing plans and/or conferring with colleagues and employees on roles and duties, make sure you discuss the requirements in full. Provide channels of open communication so that questions can be asked and queries sorted; you should also give guidance and direction as and when it is needed throughout work activities.

Treatment plans should include:

➢ An overview of your risk management needs

➢ Planning your response to dealing with situations of risk, which will either be:

o avoiding the risk

o lessening the risk

o transferring the risk

o accepting the risk

➢ Documentation of the plan which may include:

o an outline of the approach being used to deal with the risk

o the responsibilities assigned

o if the risks will be internal or external

o information on stakeholder involvement with the risk

o any approval/organisational processes involved.

When looking at the treatment plan, make sure you factor in suitable timings to deal with your solutions to risk. These will need to be appropriate to the purpose, for example, for a high rated risk it would not be appropriate to have a long time period of 18 months to resolve the issue.

You may also need to consider:

➢ Maintaining budgets in consideration to any treatment plans

➢ Availability of any additional resources

➢ Communicating any treatment plans to other parties, such as company directors, staff, stakeholders, clients or industry bodies and monitoring activities.

Operational risks

There are many ways that a business could incur risks in the workplace. Always be on the lookout for potential situations of hazard. Along with health and safety aspects, other business operational risks may occur. Your plans may have taken these into consideration, or you may meet further hazards and risks along the way.

These include:

➢ Economic shifts

➢ Financial crisis

➢ Import/export problems

➢ Capital finance

➢ Product failure

➢ Information systems

➢ Cash-flow difficulties

➢ Issues with investors/borrowed capital.

Implementing a risk control plan

To implement a risk control plan effectively:

➢ Explain to colleagues the importance of risk control plans

➢ Train relevant colleagues in the execution of the plan:

o you may choose to do this via training days, workshops, seminars, etc.

o you may also have to run ‘refresher’ courses

➢ Encourage all employees to look out for hazards and to report anything they think could be a problem, no matter how trivial

➢ Ensure employees stick to the plan

➢ Remain observant throughout and monitor work activities.

Activity 4E

4.6 – Evaluate risk management process

By the end of this chapter, the learner should be able to:

➢ Monitor and evaluate risks

➢ Integrate risk management into working practices.

Monitoring risk

Make sure that you monitor risks on a continual basis. Changes can occur as work progresses and your initial risk management strategy or processes may need adjusting over time. It also helps to monitor any occurrences of residual risk and to identify ways of managing this.

It is prudent to make risk management a part of your regular work with colleagues and/or your team and make time to discuss this at staff and team meetings. Look to integrate risk management processes within your area of operation and encourage a working environment that seeks to maximise the opportunities and diminish the risks.

Record your findings in a format that highlights any issues in a concise manner and makes it easy to focus on the points required.

You could monitor your information in the format shown below:

| Risk | Monitoring options | Suggested improvements | Who is involved |
| --- | --- | --- | --- |
| E.g. Keeping work premises secure | Security guard at reception and security guard on patrol of premises | Using a pass entry system at reception and at the entrance to each work area; two security guards on patrol of premises | Security and facilities |

Your responsibility

Managers should be responsible for providing correct and accurate information to all staff on areas of risk and this should be checked to ensure it is supplied from a trusted source. Confidentiality of information should also be respected; never pass on information that is subject to privacy status. Always check on confidentiality clearance before disclosing information.

All information on your risk management processes and results should be current and regularly monitored and reviewed for changes. Your reviews will help you to establish good practices and also to determine what works well and what doesn’t work well in future work.

Risk management needs to be at an effective level to prevent any sudden and unexpected changes within your work area and also within your organisation. To achieve the successful results you would like, make risk management a priority.

Evaluating implemented risk controls

As with every business process, it is important to continually review and monitor the risk controls you have implemented to reduce the potential harmful impact of hazards. This way, you can continually review, tweak and improve the risk management process, which will lead to more efficient and effective processes and thereby help to safeguard the safety and wellbeing of all staff members and the work of the organisation.

You should evaluate implemented risk controls:

➢ At the outset of new projects

➢ Whenever there is a change in working practice or business

➢ Whenever there is a change or addition to the types of equipment, systems and processes you use

➢ Whenever you move to new premises, or when new work areas are opened.

To evaluate implemented risk controls, you should:

➢ Consider the advantages and disadvantages of using each measure

➢ Consider which measures are the most effective

➢ Consider which measures you can afford

➢ Consider which measures are realistically workable

➢ Consider whether your organisation has the employees with the required skills and experience to use a particular measure

➢ Evaluate how likely it is that an injury/illness or negative impact will occur as a result of a particular hazard, despite the risk control measures being in place

➢ Consider whether new changes to the workplace or working practice necessitate new risk control measures

➢ Remain observant throughout all shifts.

Remember, it is simply good practice to regularly evaluate your risk controls. Set specific times to do so and be sure to conduct all evaluations thoroughly, informing management at all times of the process and results of each assessment.

Activity 4F

Summative Assessments

At the end of your Learner Workbook, you will find the Summative Assessments.

This includes:

➢ Skills assessment

➢ Knowledge assessment

➢ Performance assessment.

This holistically assesses your understanding and application of the skills, knowledge and performance requirements for this unit. Once this is completed, you will have finished this unit and be ready to move onto the next one – well done!

References

These suggested references are for further reading and do not necessarily represent the contents of this unit.

Websites

The Australian Human Rights Commission: https://www.humanrights.gov.au/our-work/legal/legislation

The Office of the Australian Information Commissioner (OAIC) website (the Privacy Act): https://www.oaic.gov.au/individuals/privacy-fact-sheets/general/privacy-fact-sheet-17-australian-privacy-principles and https://www.oaic.gov.au/privacy-law/privacy-act/

For information on Environmental legislation for business:

https://www.business.gov.au/Info/Run/Environmental-management/Environmental-legislation

For information on ISO 31000, visit the ISO website:

http://www.iso.org/iso/home/standards/iso31000.htm

Risk Management Institute of Australasia: http://www.rmia.org.au/

Publications

Safe Work Australia publication ‘Model code of practice – How to manage work health and safety risks’:

http://www.safeworkaustralia.gov.au/sites/swa/about/publications/pages/manage-whs-risks-cop

All references accessed on and correct as of 27.09.2016, unless otherwise stated.