Risk management is recognised as an integral part of good management practice. It is an iterative process consisting of steps which, when undertaken in sequence, enable continuous improvement in decision-making. Risk management is the term applied to a logical and systematic method of establishing the context, identifying, analysing, evaluating, treating, monitoring and communicating risks associated with any activity in a way that will enable organisations to minimise loss and maximise opportunities.
Risk may be treated variously by avoidance, by transfer, by acting upon causes, and by managing consequences. Any or all of these strategies may be appropriate in particular circumstances:
A number of approaches are used to determine the relative importance of risk scenarios and how to decide the allocation of resources for treatment. Quantitative methods are helpful when statistical information is available for certain events, such as the failure of devices or systems. Often this is collected from industry-wide sources, enabling a degree of confidence when developing probability distributions. On the other hand, qualitative analysis can be used in assessing whether one situation is of greater risk than another.
Risk assessment is an important step when organisations are considering the actions and resources to be committed to risk reduction strategies. Without it, organisations cannot be confident that resources are being sensibly applied as part of their risk management obligations.
The main elements of a risk management process are shown in the figure at right. It starts with the organisation identifying its potential risk situations, then follows a path through describing, assessing, evaluating and treating risks. National standard AS/NZS 4360 Risk Management* provides more guidance.
This approach helps organisations identify their risk situations and rank their importance prior to making decisions. It collects qualitative judgements of event consequence and event likelihood and calculates risk scores for ranking. It allows information to be kept in summarised form as a risk register, thus retaining knowledge from previous iterations so that further improvements can be made at any time. It recognises that new insights will be gained through a rational analysis of system performance and business operations.
A way of describing the scope, nature and boundaries of the activity to which the risk management process is being applied, eg “OH&S,” “Financial“.
Tangible and intangible things of value to the organisation, relevant to the risk context.
A source of potential harm or a situation with potential to cause loss.
A value applied to a risk scenario, indicating the severity of the damage caused by the actualisation of the scenario.
A value applied to a risk scenario, indicating the likelihood of the actualisation of the scenario.
A descriptor or numerical value indicating the level of risk associated with a risk scenario of a particular Consequence Likelihood ranking combination. Any combination of Consequence ranking and Likelihood ranking values will produce a risk score.
The acceptable level of risk, as determined by the user, based on the risk score. Any risk scenario with a score greater than this value is deemed to be unacceptable and will require some action to reduce the level of risk.
A list of identified risk scenarios together with their risk scores.
Advitech Pty Limited has been providing risk management services to industry for over twenty years. For further information on risk management, contact Larry Platt on 02 4961 6544.