Identify risk and apply risk management processes

BSBRSK401 Identify risk and apply risk management processes
Version 1 September 2015
© TAFE Western

Identify risks

Introduction

Risk management is defined in the standard (AS/NZS 4360:2004) as “the systematic application of management policies, procedures and practices to the tasks of establishing the context, identifying, analysing, assessing, treating, monitoring and communicating”. In this unit, you will explore how to identify risks and how to apply established risk management processes.

Life is full of risks, some small and some large. Everything we do, from crossing the street to buying a home, carries a degree of risk. In business it is vital that risk is understood and incorporated into strategy, as even the smallest risks can have catastrophic consequences for a business. Managing risk is not about trying to stop all risks from happening; it is about understanding the risks that are out there and having strategies in place that identify, evaluate, monitor and plan for them.

Key words are: IDENTIFY – EVALUATE – TREAT – MONITOR – REVIEW

The International Organisation for Standardisation (ISO) defines risk as the combination of the probability of an event and its consequences. ISO 31000:2009 defines the principles that sit within and govern a good risk management program. It must be noted that the ISO is not a regulatory agency, so its principles and generic guidelines on risk management should be used as a basis for forming your organisation’s own guidelines, producing a risk management framework that best suits the objectives of the organisation.
Risk management:
• Creates and protects value
• Is an integral part of all organisational processes
• Is part of decision making
• Is systematic, structured and timely
• Explicitly addresses uncertainty
• Is based on the best available information
• Is tailored
• Takes into account human and cultural factors
• Is transparent and inclusive
• Is dynamic, reactive and responsive to change
• Facilitates continual improvement of the organisation

One of the problems with the term risk management is that we tend to see it only in the negative, but a risk is actually an event in conjunction with the perceived likelihood of its occurrence. It is about the relationships between events, projects, work or incidents. As a leader or manager dealing with risk, there are three important things to remember:
• Risk refers to a future event.
• Risk normally arises from an organisation’s market, the economy that influences it, and its environmental context (culture, politics and place). Risk assessment involves the identification, and then the assessment, of that risk.
• The risk assessment process should be conducted in the context of the risk and of the organisation, market, economy or country which is subject to the risk.

Once you have identified the risk, it is important to then identify the strategic, organisational and risk management context in which the assessment and treatment will occur. The term ‘strategic context’ means the organisation’s current and future planning, its goals and objectives. ‘Organisational context’ means the type of organisation and the way it is managed, including its management structure, the way it organises what it does and what it produces. Risk must also be assessed against the relevant criteria or particular standards in relation to that risk.
Activity

Access Appendix A – AS/NZS ISO 31000:2009 Risk Management – Principles and guidelines. You will need to read this standard and use it for part of your assessment.

Identify the context for risk management

Establishing the context defines the basic parameters within which risks must be managed and sets the scope for the rest of the risk management process. The context may include:
• Any related projects or organisations
• Any resources, including physical assets, which are vital to operations
• Key operational elements and services of the organisation
• An organisation or project, how it is organised and its capabilities, or
• Your own role and responsibilities in relation to an overall project or organisation design
• Future changes that will impact on the organisation
• The organisation’s processes, policies and procedures

As we have said, risk is everywhere; some risks are obvious and some are not. The risks that your business will face will change and will depend on many different factors. A risk should be seen as anything that can affect the company’s ability to function at its current capacity and deliver profit. When you think of where to look for risk, in addition to the above you must also consider the following:

• Technology (new, changing, old)
Think of the implementation of a new program in your workplace. People need to learn how to use the program, so it may involve training and a period of time to allow people to get used to using the system to complete work tasks. This may affect productivity and costs; how much or how little depends on how well the risks were assessed and planned for. Also think about records security, the threat of IT hacking or fraud, virus attacks and the risk of not keeping up to date with technology.
Pixi Fotos Australia is an example of a company that became obsolete by failing to address the change in its marketplace due to technological advances.

• Political factors
Many organisations depend on government funding, grants and contracts. Changes in government or government policy often result in changes to money flow, which is a massive risk to many organisations. See the changes to the homelessness sector, which went from 150 providers to 40 providers due to funding changes and government policy. Similarly, if your organisation has government bodies as clients, suppliers or stakeholders then you need to monitor areas with potential impact on your operations.

• Legislation
Changes in legislation and regulations can have a huge impact on an organisation. Think about the changes in superannuation. As the rate of compulsory superannuation rises, so too does the amount of money that organisations have to allocate to wages and salaries. Think about the introduction of the GST in Australia. Small businesses reported that GST compliance had a massive impact on their direct costs of up to 3% of their reported annual turnover. The introduction also meant that businesses had to implement significant ongoing record keeping and accounting costs so that small businesses could meet their GST obligations.

• Behaviour of consumers and the marketplace (trends, fads)

• Management: controls, procedures, activities
Controls, procedures and workplace activities are in place in organisations so that tasks are carried out according to benchmarks, in line with compliance requirements, for safety reasons and for efficiency. Imagine that a workplace policy has changed but the procedures and processes attached to the policy are not updated to reflect these changes. This may result in an increase in workplace accidents, inefficiencies in production and/or lost time.
It may even result in an organisation operating in a non-compliant way.

• Reputational risk
Reputational risk is a threat or danger to the good name or standing of an organisation. It can occur in a number of ways:
o as a direct result of the organisation’s actions
o indirectly due to the actions of an employee or employees
o poor handling of confidential information
o failure to disclose information
o through other parties, such as joint venture partners or suppliers.
In addition to having good governance practices and transparency, companies also need to be socially responsible and environmentally conscious to avoid reputational risk. Think of recent examples of natural disasters where insurers were slow to assist policy holders or refused to cover policy holders.

• Product liability
Your business is responsible for the goods it sells or the services it provides to customers/consumers. If you sell a defective product you are responsible for replacing or repairing the product under the Australian Competition and Consumer Act 2010. If you sell a defective product that injures people or has the potential to injure people, you may have to recall the product or make reparations of a punitive nature. For example, your business manufactures cars and it has been found that a fault in the brakes has led to a death. Your business is being sued by the victim’s family and, as a risk mitigation strategy to reduce the instances of this happening again, your company recalls all cars of a particular model built within a certain period. Imagine the financial impact this would have on your business.

• Natural events (weather: drought, storms, floods)
Natural events caused by weather and geography can constitute risks. They may be dramatic, such as earthquake, erosion, landslide or water encroachment, or they may be more common, such as rain, hail and snow storms.
They are often predicted by third parties, for example meteorological organisations. The risk can be addressed through such things as maintenance of buildings, structural elements of buildings, safety clothing, instructions on what to do in the event of fire or earthquake, provision of facilities in the event of rain and snow, and avoidance procedures. Think about the impact on holiday makers, travel insurers and airlines caused by the recent volcano eruptions in Bali.

• Competitors

• Commercial relationships and partnerships
A commercial relationship is an agreement between organisations that is mutually beneficial to all parties. Risk arises where:
o part or parts of the agreement are subject to competing forces
o there is error
o there is misunderstanding or no understanding
o performance issues of the contract itself are subject to variance or scrutiny.
Clear risk arises where an organisation commits to a contract and then finds itself unable to carry out some of the terms and conditions, thus risking financial or reputational damage. Risk in commercial and legal relationships exists where employees commit the organisation to an agreement by error, or without knowing that their discussions with a supplier or customer, oral or written, actually constitute a valid agreement or contract.

• Terrorism
The recent spate of terrorist attacks in Australia has identified that many organisations do not have appropriate risk measures in place to adequately address this issue. For example, during the Lindt Café siege many businesses went into lockdown but did not have this on their risk register. This meant that there were no policies or procedures in place to follow, i.e. no procedures to alert staff to stay at home.

• Staff/people (what happens if the CEO leaves or is injured?)
• Health and safety
Under the Work Health and Safety Act 2011 (WHS Act), persons conducting a business or undertaking (PCBU) have a primary duty to manage risks to health and safety by eliminating them as much as is reasonably practicable. This responsibility extends to employers, the self-employed, principal contractors, those who manage or control a workplace, as well as designers, manufacturers, importers and suppliers of plant, substances or structures that are used for work. It applies to all types of work and all workplaces that are covered by the WHS Act. Efficiently managing work health and safety risks within a workplace means having a systematic approach, which involves five key elements.

The list can go on and on, and you must be careful to analyse each risk carefully and base it on fact. The bottom line is that you are trying to make a management plan that will enable your business to function if something happens.

Step 1

The first step in establishing the context identifies the organisational objectives and the external and internal environment in which the objectives operate. This step defines the external relationships in which the organisation operates, as well as the relationship between the organisation and its external environment. Examples may include:
• The business, social, regulatory, cultural, competitive, financial and political environment
• The organisation’s strengths, weaknesses, opportunities and threats
• External stakeholders, and
• Key business drivers

This step also includes an understanding of the organisation itself. Key areas include:
• Culture
• Internal stakeholders
• Structure
• Capabilities in terms of resources such as people, systems, processes, capital, and
• Goals and objectives and the strategies that are in place to achieve them.
• Stakeholders are the people and organisations that have an interest in, or are affected by, the business or project.

Step 2

The second step identifies the scope of the risk management. Setting the scope of the project is important, as it is impossible for one person or team to identify all possible risks that exist for a company. From each project or division a master set of risks can be developed that is the overarching set of principles or guidelines for the organisation. As a leader or manager you will usually find that the process of risk management will be divided and assigned according to project, division, business unit, geography, or a specific product or service. In developing your scope you need to be very clear about what falls within your authority or what has been assigned to you and your team. That means there may be some risks that you and your team identify that are outside your scope; these should not be discarded but forwarded on to whoever is responsible for that risk management in your organisation.

In setting the scope it is important to remember that risk management affects all aspects of an organisation and/or a project: your budget, schedule, the level of quality, stakeholder communications and engagement, and the project or organisational outcomes. Risks are not always negative; they can also be positive: opportunities. Risk management is about having a culture and behaviours that foster risk management as a top priority for you, your team and the organisation. It is important that you are constantly aware of your environment and what might happen. Then agree on strategies for all identified risks, to minimise negative risks and maximise the opportunities of positive risks.
In setting your scope you may wish to consider factors such as:
• The project itself
• Business unit or division
• Financial considerations
• WHS
• Governance
• Internal and external factors
• Operational
• Competitive environment
• Political (social, public perceptions/image)
• Cultural
• Legal

Once you have set and agreed on your scope, it needs to be communicated to the whole team. It is important that the scope is kept visible to the team so that you can refer back to it when new risks surface. If a risk falls within the scope then you need to deal with it; if it falls outside your scope, refer it on.

Identify internal and external stakeholders and their issues

When we talk about stakeholders in terms of risk management you need to consider a broader definition of the term stakeholder, to include anyone and everyone that can be impacted by the risks that you are identifying and analysing. This will include internal and external stakeholders such as:
• All company employees
• Owners
• Customers and others further down the chain
• Suppliers
• Directors, stockholders and investors
• Community

Every stakeholder will be impacted differently by the risks that you identify. If a company closes for a short period of time due to a fire, there will be a chain of stakeholders that will be affected, such as:
• Employees: if they cannot work for a period, how will they pay their personal bills?
• Suppliers: no access to products to on-sell, therefore a decline in sales and profits
• Customers: products not available in the market, so they might choose to purchase a competitor’s product
• Community: the impact of closure can affect the community at large in terms of money not circulating into the community, or the company no longer being able to donate to a charity

The chain of events can be severe if proper risk management is not put in place, and can have a very wide impact not just internally within the organisation but on the broader community and economy at large. The more likely the risk, the more severe the impact, and therefore robust contingency plans must be ready.

Review strengths and weaknesses of existing arrangements

In most cases when you are looking at risk, you will start by looking at what your organisation has already developed or has on record in terms of a risk analysis and contingency plan. You may be able to use what has been developed for your project, but before you use any documentation you will need to review the contents and assess the strengths and weaknesses of the document. There is no such thing as a perfect plan, as the internal and external environment is constantly changing and all plans will have weak spots. A fresh set of eyes will often be able to identify any weak spots. Then plans can be made to update the plan and make it more robust. You will also be able to take the strengths of the current plan and include them in your plan, for consistency in organisational procedure. It will also save you time and resources, as much risk will be common across the organisation and contingency plans can be generic or easily modified.

Once you have established the scope you can look at the criteria against which risk is to be evaluated. It is important that appropriate criteria be determined at the outset.
Decisions concerning whether risk treatment is required may be based on operational, technical, financial, legal, social, environmental, humanitarian or other criteria. Criteria may be affected by the perception of stakeholders and by legal or regulatory requirements.

Examples of risk in context

The following are examples of risk in context and the criteria against which to assess the risk.

Example 1
Where the risk is an injury risk arising from the operation of a machine, the criteria are the relevant Work Health and Safety provisions of the legislation related to the industry. They may also include the safe operation procedures of the manufacturer or the organisation that owns the machine.

Example 2
A business is experiencing falling profits. In an effort to raise those profits it adopts an aggressive marketing strategy. The risk of adopting or not adopting this strategy is assessed against financial criteria.

By looking at the context and the criteria for assessing risk, you are then able to select the appropriate tools to treat the risk.

Different types of risk

Commercial and legal relationships

The identification of risks arising from legal relationships is usually dealt with and communicated through the organisation by those involved in legal issues within the organisation, for example the company secretary. Legal risk might also include, for example, adverse comments made by a staff member that could result in defamation proceedings being taken against the organisation.

A commercial relationship is an agreement between organisations where an exchange of money, financial credit or debit, or exchange of something of value occurs to support the agreement. One or more of the parties to the agreement should be commercial entities or organisations.
Commercial relationships may be informal or formal. There is risk associated with either form. Informal relationships are those which are not supported by any form of written agreement between the parties. They are often agreements reached by mutual acceptance that a particular situation exists. A formal agreement is reached by negotiation, the result of which is a formal contract or exchange of letters. Such agreements in a commercial sense are often reached using standard form documents, e.g. leases, agreements regarding payment, etc.

Risk arises where:
• part or parts of the agreement are subject to competing forces
• there is error
• there is misunderstanding or no understanding
• performance issues of the contract itself are subject to variance or scrutiny.

Performance issues include, for example, the requirement to perform elements of a contract in particular ways, such as:
• having employees security cleared by a supplier before entering the premises
• having certain quarantine and health requirements completed by the organisation’s employees prior to contact with a supplier or customer.

Clear risk arises where an organisation commits to a contract and then finds itself in difficulty in the performance of some or all of its terms and conditions, thus risking financial or reputational damage. Risk in commercial and legal relationships exists where employees commit the organisation to an agreement by error, or without knowing that their discussions with a supplier or customer, oral or written, actually constitute a valid agreement or contract. The creation of a commercial relationship is often evidenced by a contract or by the exchange of documents. If there is no consultation with the organisation’s legal representatives, then a risk has been created.

Economic circumstances and scenarios

When changes directly impact on an organisation, sound financial management and financial and economic awareness are needed.
A good example is the regular review of interest rates by the Reserve Bank: organisations sensitive to the effects of changes in interest rates need to monitor trends and possible changes very closely. If your organisation is affected by changes in interest rates, then you need to be able to address and anticipate possible risks by methods such as ‘scenario planning’, which involves estimating and predicting the effect of variations in interest rates on your operations.

Similarly, organisations with high staff turnover and high staff numbers need to be constantly aware of the unemployment figures that are published regularly by the government. For instance, many organisations that employ travellers in part-time positions are aware of the annual trends of the inflow of travellers and students. Organisations thinking of opening new plants or branch offices need to be aware of the employment or unemployment characteristics of the geographic and socio-economic area they intend to open in.

Economic upturns or downturns can directly affect some industries more than others. It is believed that one of the first industries to be adversely affected by a downturn in economic activity is the taxi and hire car industry. A person who owns either a single or multiple taxis should be aware of the risk issues affecting his or her business arising from an economic downturn. The home building industry is another industry that is immediately affected by either downturns or upturns in economic activity in Australia, and companies in this industry must be aware of the risks associated with changes in activity.

Financial risk

Ratio analysis is a good risk assessment and management tool used in financial operations.
Ratios (which express the relationship between two quantities) are used throughout the financial operations of large companies and companies open to constant scrutiny, for example companies listed on the stock exchange. They are also used in organisations of all sizes to monitor profit levels against variables. For example, you can use the operating expense ratio to monitor the expenses of running an organisation. It is easy for small to medium sized organisations to focus on expenses associated with the purchase and production of stock, but you should not ignore the expenses associated with actually running or administering the company. Organisations that find themselves expanding often fail to notice that the cost of administration is growing at a greater rate than the revenue; this in turn depletes the organisation’s resources.

The operating expense ratio divides the operating expenses (i.e. rent, office expenses, vehicle costs) by the sales total and is viewed as a percentage figure. So if the result is 34%, it means that 34% of the sales revenue needs to be allocated to operating expenses, which are separate from those related to the buying and making of stock for sale.

The profit and loss statement of a company can be interpreted by the use of ratios such as the current ratio, which relates to the liquidity of the organisation. The current ratio looks at the short-term ability of the business to pay its debts, e.g. 2:1. The formula for the current ratio is current assets divided by current liabilities. The liquidity ratio looks at the immediate liquidity of the organisation. It is arrived at by dividing the current assets less stock (known as inventory) by the current liabilities less overdraft. Many of these ratios can be further interpreted by looking at the industry benchmark, or by comparison with previous quarters’ or years’ results.
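The three ratios above, carried through quarter by quarter with the benchmark comparison and the "administration growing faster than revenue" warning the text describes, as an added worked example that is not part of the TAFE Western unit material. The quarterly figures are constructed for illustration, and the 25% operating expense benchmark and the 1.5 / 1.0 minimums are assumed thresholds, not industry figures.

```python
"""Financial ratio checks for the Financial risk section (added example).

The figures and benchmark thresholds in this file are constructed
assumptions for illustration; substitute your own accounts and the
benchmark published for your industry.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Quarter:
    """One quarter's figures as they would be taken from the accounts."""
    label: str
    sales: float               # total sales revenue for the quarter
    operating_expenses: float  # rent, office expenses, vehicle costs, etc.
    current_assets: float
    inventory: float           # stock, already included in current_assets
    current_liabilities: float
    overdraft: float           # already included in current_liabilities


def operating_expense_ratio(q: Quarter) -> float:
    """Operating expenses divided by sales, as a percentage (34.0 means 34%)."""
    return round(q.operating_expenses / q.sales * 100, 1)


def current_ratio(q: Quarter) -> float:
    """Current assets divided by current liabilities (2.0 means 2:1)."""
    return round(q.current_assets / q.current_liabilities, 2)


def liquidity_ratio(q: Quarter) -> float:
    """(Current assets less stock) divided by (current liabilities less overdraft)."""
    net_liabilities = q.current_liabilities - q.overdraft
    if net_liabilities <= 0:
        raise ValueError(f"{q.label}: liabilities net of overdraft must be positive")
    return round((q.current_assets - q.inventory) / net_liabilities, 2)


def admin_outgrowing_revenue(quarters):
    """Return labels of quarters where operating expenses grew faster than sales.

    This is the warning sign the text gives for expanding organisations:
    the cost of administration rising at a greater rate than revenue.
    """
    flagged = []
    for prev, cur in zip(quarters, quarters[1:]):
        sales_growth = cur.sales / prev.sales - 1
        expense_growth = cur.operating_expenses / prev.operating_expenses - 1
        if expense_growth > sales_growth:
            flagged.append(cur.label)
    return flagged


def assess(quarters, benchmark_oer=25.0, min_current=1.5, min_liquidity=1.0):
    """Compare each quarter's ratios with the assumed benchmarks; return warnings."""
    warnings = []
    for q in quarters:
        oer = operating_expense_ratio(q)
        if oer > benchmark_oer:
            warnings.append(f"{q.label}: operating expense ratio {oer}% "
                            f"above benchmark {benchmark_oer}%")
        cr = current_ratio(q)
        if cr < min_current:
            warnings.append(f"{q.label}: current ratio {cr} below {min_current}")
        lr = liquidity_ratio(q)
        if lr < min_liquidity:
            warnings.append(f"{q.label}: liquidity ratio {lr} below {min_liquidity}")
    for label in admin_outgrowing_revenue(quarters):
        warnings.append(f"{label}: operating expenses grew faster than sales")
    return warnings


# Constructed sample figures for an expanding business (not real data).
SAMPLE_QUARTERS = [
    Quarter("Q1", sales=200_000, operating_expenses=44_000, current_assets=150_000,
            inventory=60_000, current_liabilities=75_000, overdraft=15_000),
    Quarter("Q2", sales=220_000, operating_expenses=55_000, current_assets=160_000,
            inventory=70_000, current_liabilities=90_000, overdraft=20_000),
    Quarter("Q3", sales=240_000, operating_expenses=81_600, current_assets=165_000,
            inventory=95_000, current_liabilities=125_000, overdraft=40_000),
]

if __name__ == "__main__":
    # Q3 reaches the 34% operating expense ratio used as the text's example.
    for line in assess(SAMPLE_QUARTERS):
        print(line)
```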
Human behaviour

Human behaviour is a risk in any organisation, but the risk increases in service organisations where the performance of individual employees and stakeholders directly impacts on the organisation’s success. In addition, the results of decisions taken on changes to cultural, organisational or procedural processes are often seen in changes in behaviour. These changes may be directly observable, such as strikes, delays, or meetings of employees obviously demonstrating a negative reaction to the change or proposed change. As a leader/manager or team leader, you must report negative reactions or negative views on issues where the organisation is changing or not changing. There is also risk of indirect reaction to the change, for example increased stress, increased sick leave taken, or workers compensation claims made. If we take this into the human resource context, labour turnover and absenteeism are indicators of covert conflict which impact on productivity. Risk also arises from the profile of the labour force and the HR strategy related to remuneration and performance management.

Natural events

Natural events caused by weather and geography can constitute risks. They may be dramatic, such as earthquake, erosion, landslide or water encroachment, or they may be more common, such as rain, hail and snow storms. They are often predicted by third parties, for example meteorological organisations. The risk can be addressed through such things as maintenance of buildings, structural elements of buildings, safety clothing, instructions on what to do in the event of fire or earthquake, provision of facilities in the event of rain and snow, and avoidance procedures. Think about the impact on holiday makers, travel insurers and airlines caused by the recent volcano eruptions in Bali.
Political circumstances

Changes in political environments at local, state and federal level constitute potential risk issues. It is important that organisations whose operations depend on government support or regulation monitor changes and developments at the crucial political level. For example, building companies need to monitor changes in local government regulation and independent council decision making processes. Similarly, if your organisation has government bodies as clients, suppliers or stakeholders then you need to monitor areas with potential impact on your operations. If your organisation habitually seeks or is provided with government funding, then you need to constantly assess the risks associated with changes to the funding packages, including their applicability and base makeup. Changes can occur not just with a change of government but with a change of policy. Such changes are published in specialist government publications which are often not known to the organisations that benefit from the funding.

Terrorism

The recent spate of terrorist attacks in Australia has identified that many organisations do not have appropriate risk measures in place to adequately address this issue. For example, during the Lindt Café siege many businesses went into lockdown but did not have this on their risk register. This meant that there were no policies or procedures in place to follow, i.e. no procedures to alert staff to stay at home.

Technology and technological issues

The introduction of new technology often directly affects the competitive position of both users and non-users of that technology. Often governments or semi-government bodies insist on changes based on new technology; this often means that further technological advances are needed to ensure compliance with the new standards.
You need to assess the risk involved in any new technology against your scenario impact statements. Testing your product against future scenarios and predicting changing results is a significant area of risk identification. Where the risk arises from the use of substances, statements of risk by suppliers or manufacturers should be recorded, and suppliers/manufacturers should provide demonstrations or information on the potential risks in the storage, use or application of their product, plus how to properly perform these functions to avoid risk.

Reputational risk

Reputational risk is a threat or danger to the good name or standing of an organisation. It can occur in a number of ways:
• as a direct result of the organisation’s actions
• indirectly due to the actions of an employee or employees
• poor handling of confidential information
• failure to disclose information
• through other parties, such as joint venture partners or suppliers.

In addition to having good governance practices and transparency, companies also need to be socially responsible and environmentally conscious to avoid reputational risk. Think of recent examples of natural disasters where insurers were slow to assist policy holders or refused to cover policy holders.

Product liability

Your business is responsible for the goods it sells or the services it provides to customers/consumers. If you sell a defective product you are responsible for replacing or repairing the product under the Australian Competition and Consumer Act 2010. If you sell a defective product that injures people or has the potential to injure people, you may have to recall the product or make reparations of a punitive nature. For example, your business manufactures cars and it has been found that a fault in the brakes has led to a death.
Your business is being sued by the victim’s family and, as a risk mitigation strategy to reduce the instances of this happening again, your company recalls all cars of a particular model built within a certain period. Imagine the financial impact this would have on your business.

Strategic management

Strategic risks are those risks that most impact on the organisation’s ability to implement and carry out its strategies and achieve its objectives. These are the risk exposures that can ultimately affect the value, or the viability, of the organisation. “Strategic risk management” can then be defined as “the process of identifying, assessing and managing the risk in the organisation’s business strategy—including taking swift action when risk is actually realised.”

Health and safety

Under the Work Health and Safety Act 2011 (WHS Act), persons conducting a business or undertaking (PCBU) have a primary duty to manage risks to health and safety by eliminating them as much as is reasonably practicable. This responsibility extends to employers, the self-employed, principal contractors, those who manage or control a workplace, as well as designers, manufacturers, importers and suppliers of plant, substances or structures that are used for work. It applies to all types of work and all workplaces that are covered by the WHS Act. Efficiently managing work health and safety risks within a workplace means having a systematic approach, which involves five key elements.

Governance

In regard to work health and safety, governance is the organisational framework, procedures, policies and processes a body employs at a strategic level to manage the performance of its work health and safety duties, functions and operations.
As part of its governance role, a PCBU will develop organisational work health and safety policies, define key WHS roles and responsibilities, address consultation obligations and define arrangements for working with Comcare. Workplace safety culture also falls within this category.

Prevention

Prevention is always better than a cure! At the heart of an effective preventative system is compliance with work health and safety obligations and stopping hazards entering the workplace. Information should be provided on developing hazard-specific policies and procedures, health and safety in design, safety data analysis, WHS audit, WHS training and education, WHS within procurement, WHS inspection, testing and health monitoring, and internal hazard reporting arrangements.

Response

If a safety incident takes place, an organisation must take steps to remove the hazard that caused it and implement changes to stop it from happening again. Information on incident investigation, incident notification requirements, and emergency preparedness and response, including first aid policies and procedures, should be found within an organisation’s response documentation.

Managing hazards

An effective risk and hazard management methodology allows an organisation to identify hazards that pose a risk to its workers and resolve them before they cause injury or illness. It should outline the process for identifying hazards within the workplace. Risk, remedy and resources are provided for specific hazards identified within the WHS Act, Regulations and codes of practice.

Recovery

Where a worker has been injured, the employer has responsibilities under both the Safety, Rehabilitation and Compensation Act 1988 (SRC Act) and the WHS Act.
These responsibilities are usually addressed under a rehabilitation management system, which will usually include an organisational structure, responsibilities, practices, procedures, processes and resources for managing workplace injury or illness.

Identify risks using tools, ensuring all reasonable steps have been taken to identify all risks

Organisations and the markets they operate in are all different, and so are the risks they face. Each organisation has its own systems and methodology, and even organisations operating in the same market usually have distinctive approaches to the same systems. A market, whether it is the steel market, women’s shoes or the tourist market, comprises a number of competing factors.

It’s important to remember that the type of tools used to identify risk will depend largely on the type of organisation you work in. The tools you use will depend on what your organisation and your section does, and how you do it. The tools used for identifying risk in production-based industries differ from those in service-based industries.

Risk focus in production-based industries

Production-based industries usually emphasise procedural and systematic risk assessment. The focus is on the systems and procedures set up within the organisation. When you are assessing actual or potential risk, it is important to understand that each component of each procedure and each step in each system is capable of examination as a risk assessment.

Risk focus in service-based industries

Service-based industries look more to culture and performance as areas of potential risk that need to be managed. An organisation’s culture includes the values and attitudes it promotes internally and externally. This culture can be what identifies the organisation within its market. It is a perception that is shared by a number of members of the organisation, by customers and often, if the organisation is well known, by members of the general public.

Examples of some organisational cultures include:
• a culture of fun and achievement – some discount airlines and radio stations with a youth focus
• a culture of adventure or danger – some recreational sports, such as skydiving or bungee jumping
• a culture that is conservative and secure – most banks and insurance companies.

So, the organisation’s culture is about how it is perceived, and this may be an individual or group perception.

Performance in service companies refers to personal performance. Service companies do not produce actual objects which can be put onto shelves and sold at a future time. They produce services which must be used or experienced as they are being given; for example, a hairdressing salon provides the service of cutting hair. The experience for the client is immediate, and that service can only be performed by that person. As you work in the areas of risk, its identification and management, you will see that identifying the type of organisation will affect the selection of tools.

General risk identification tools

Each organisation, and the situations and areas within it, is unique. Different tools may be effective for some areas of operation but less effective for others. It is important to appreciate that more than one tool may be required to identify risks. There are, however, some general tools that can be used to identify risk. These can be incorporated within established risk management processes in any organisation and include:
• Inspections: walking through and conducting inspections of each task, location, team, group or process within an organisation. This can be done by individual managers or team leaders and supervisors. It can also be done by senior or executive management.
• Consultation: a process that allows evidence on unreported incidents to be gathered, for example injuries or machine breakdowns.
Again, these meetings can be held at a local, team, group or senior management level. The results of a number of these meetings can then be incorporated in further meetings with managers at different levels.
• Safety or management audits: these can be conducted by individual managers or team leaders and focus on their own or associated areas, or can be conducted by members of the organisation who specialise in this area.
• Testing: of plant and equipment in an operational context, or of staff in a service area. This can also be accomplished as part of the local group or team approach, or can be part of a wider organisation-wide approach.
• Scientific or technical evaluation, or expert instruction in up-to-date methods (service industry): these are usually provided by third parties or consultants and often form part of the training process of the organisation.
• Collection and evaluation of material: from suppliers, manufacturers and designers, and from safety organisations, unions, interest groups and employer organisations.
• Expert advice: engaging professional consultants and advisors, lawyers, engineers, safety experts and process experts.
• Seeking government or regulatory information and help: from government departments, investigatory and regulatory bodies, royal commissions, commissions of inquiry, coronial inquests, industrial commission hearings, statistical bodies and ‘think tanks’.
• Networking: with other members of the market, or users of similar machines or processes.
• Benchmarking: a process of seeking out and identifying the best practices of the organisation’s competitors, where those best practices represent a higher quality level or performance. The organisation, having identified the best practice in the industry, then uses that ‘benchmark’ as the quality standard to be obtained within its industry.

As mentioned above, the selection of individual tools and methods to identify risk is largely dependent on the type of organisation, process and market. The type of tools you use should also be chosen by taking into consideration the nature of the workforce or membership of the organisation. So take care to ensure that the tool or method selected is appropriate to the people using and reviewing the methods.

Using tools to identify risks

Some tools are quite specific in their application to risk management. Many risk management tools aim to identify cause and effect in relation to risk. This can be either from:
• a cause-to-effect perspective, where you identify the outcome of possible causes, or
• an effect-to-cause perspective, where you look back from a worst case scenario to its possible causes.

Once you have identified the potential risks using such tools, you can then make control decisions such as: can the risk be managed, is it worth the effort, what is the best management approach, and so on.

Selected examples of tools

Brainstorming

The brainstorming process can take various forms, but one of the most effective is in meetings of staff in an environment where there is freedom to experiment with ideas and to express opinions. Brainstorming is usually a process of energetic interaction with the goal of forming and discussing ideas and concepts in a round-table or group dynamic. It allows examination of existing and emerging risk by using the ideas and experience of fellow workers, leaders/managers, experts, other stakeholders and the users of the process or service. Brainstorming is a vibrant tool which is designed to open up the creative imaginations of the participants and to encourage open debate concerning a wide variety of possible alternatives to the existing or proposed systems, procedures and services.

Record and document analysis

Any organisation that is effectively managed has systems and procedures to record day-to-day operations and provide assessments of performance for its employees. So the creation and retention of records becomes part of the risk identification process. For example, production records exist in most manufacturing organisations, and variances and changes in performance levels often identify a risk. Similarly, most companies have a sign-in book at reception, and examination of that register can be part of a risk assessment relating to lengths of appointments by staff, speed of processing customers in a reception room, or absence of visits by regular customers.

Many reports and records are more complicated, and contain records that are important for a number of areas of risk assessment and management. Examples include:
• Financial reports
• Regulatory based reports, eg accident reports
• Production reports
• Sick leave reports
• Attendance and time records
• Quality production figure reports
• Complaint level reports
• Sales figures
• Warranty claim records
• Check and procedure lists.

Records such as these can assist you in monitoring the consistency of operations and production processes or, if you are working in a service-based industry, in presentation and effective communication. There are also other records that can help you in assessing risk, such as operation manuals, quality procedure sheets, policy and operational instructions, mission statements and basic instruction sheets. One method to identify risk is to take an instruction sheet and determine what happens if you remove a step or process.

Audits and physical inspections

Regulatory based risk management procedures often include regular audits and inspections, for example Work Health and Safety, the activities of brokers and traders on the Australian Stock Exchange register, and the regulation of Registered Training Organisations. Many organisations have their own internal audit and inspection processes, including:
• direct observation of activities by appropriate personnel
• judgments based on experience – personal, local or international
• surveys, questionnaires, interviews
• system modelling and analysis
• process charting.

The fishbone diagram shown in figure 1 provides a good example of a process chart, sometimes called a cause and effect diagram. Each line or ‘fishbone’ represents an area that may have caused a problem. In this example they are ‘organisational practices’, ‘equipment’, ‘systems’ and ‘environment’. Other examples might include human factors, procedures, hardware or management.

Figure 1: Fishbone diagram

Scenario analysis

This is a process of examining options and competing scenarios based on an assessment of future events. The focus is on the future and may take into account past and present events as elements of the examination. One topical example is the planning of security responses to possible terrorist threats.

Benchmarking similar organisations and activities

Benchmarking is, as you have seen above, a process of identifying the industry best practice and setting that as the standard for the particular organisation. The process involves significant industry knowledge and an ability to examine competitors’ processes in order to identify why that market is dominant or produces the leading product or service.

Sample Risk Data Collection Record

Below is a sample Risk Data Collection Record for a fictional manufacturing business identifying how the shift work environment affects the health and safety of employees. The sample includes a full list of the kinds of data that may be collected; however, because of the nature of this fictional business and the issue it is investigating, only some of these methods have been used.

Data Collection Method | Identified Risks | Possible Risk Consequences
Stakeholder consultation, eg staff, customers, suppliers | N/A |
Organisational records, eg attendance, accidents & incidents | Increased absenteeism and accidents at beginning of shift rotation | Labour shortage; increased labour costs; increased insurance costs; human suffering
Expert input, eg professionals | Studies show increased anxiety and personal problems at end of night shift rotation | Long-term consequences, eg depression, family stress
Scenario analysis, eg asking ‘what if?’ questions | N/A |
Brainstorming | N/A |
Flow chart analysis | N/A |
System testing | N/A |
Surveys | Indicated tendency to take ‘long weekends’ during shift rotations that clashed with family commitments | Labour shortages; increased labour costs; production delays
Fishbone diagrams | N/A |
SWOT analysis | N/A |
Observation | Took staff a couple of days at beginning of rotation to realign to new roster; increased lateness and reports of minor illness, eg headaches | Long term health costs; increase in absenteeism and accidents (see above)
Audit | N/A |
Other | N/A |

Practical example

Promotion’s Plus is a brand new company specialising in marketing and promotions. The leader/manager recognises that the reputation of Promotion’s Plus lies in their ability to successfully market and promote events. As a specialist risk manager, Anita has been engaged to advise on some possible tools to identify potential risks for event management.

Anita divides her tasks into a number of steps:
• Select a specific tool to identify risk
• Identify the central core process or activity, and then identify the major and minor component parts of the process.

Anita decides to use a fault tree as a tool to identify risk. A fault tree is a visual representation that will allow her to trace and manage the development of risks through their cause and effect. Anita’s next step is to identify the central core process or activity, and then identify the major and minor component parts of the process. Anita realises that this association will help her to:
• structure her approach to identify and link risks, and
• distinguish what risks can be controlled and what risks cannot.

Anita considers a worst case scenario that attendance would be poor at one of the events that is being promoted. She works through the various areas of the event to identify possible causes of non-attendance. Anita produces the following:

Poor Attendance at a Promotional Event

Cause | Event/Content | Operations | Venue
Bad publicity | Inappropriate event | No parking/transport | Venue comfort and size
Targeted promotion fails | Wrong combination of events | Venue too commercial | Tickets too expensive or not expensive enough
Incorrect timing of press releases | Event too commercial | Tickets difficult to obtain | Other events at the same time for that target audience
Wrong staff talking to the media | Incompetent event manager | Too many other similar events running at the same time | Insufficient food outlets for quick service at intermission

Anita knows that this fault tree could be expanded to other areas. Also, each of the boxes could be further expanded. She contacts her supervisor to discuss her work so far.

Document identified risks in accordance with relevant policies, procedures, legislation and standards

All documents that are produced in your organisation need to be saved securely for future use and reference. There needs to be a strict process for the safe and secure storage of all documentation. It is no good needing to access your risk documents only to find they cannot be located. It is also important that templates and systems are easily accessible within the organisation so that consistency of record keeping is maintained; this will also save organisational time, money and resources, as new formats do not have to be developed. Some documents will need password access to prevent unwanted editing, and these measures need to be clearly documented and in place. A log should be created so that everyone in the organisation knows who has access to risk documents. Since part of your risk strategy will have a component of IT threat, it will be important that documents are stored both electronically and physically. It will also be important to keep records according to legal and legislative requirements.

Documentation of this step should include detail of:
• the approach or method used
• the scope covered by the identification
• the participants in the risk identification and the information sources consulted; and
• a risk register.

Documenting risks to meet legislation requirements

Much of the legislation that controls and regulates commercial and other activity also contains specific information dealing with the requirements for the recording of identified risks. The WHS legislation and regulations of each state and territory are an example of such specific information.

Documentary support

The legislation sets out the documentary support that must be set up by organisations to deal with these issues.
They include reporting systems designed to apply to any variety of organisations, and to sections and divisions within organisations. The legislation also sets out prescribed forms which must be completed, and designates those people (by reference to their position within the organisation) whose responsibility it is to oversee and implement the documentation process.

A further example of a statutory based risk system is that found in the Australian Stock Exchange (ASX) regulations concerning stockbrokers and other traders on the futures exchanges. The state and federal governments also regulate risk in areas such as construction, education and transport, including air, land and sea transport. These regulations cover both government managed and private transport companies.

There are a number of examples of risk registers, and many statutory authorities that require strict reporting from organisations in relation to risk provide pro forma examples. The following is a non-statutory pro forma of a risk register.

Sample risk register

Unique ID: This may be simply a title, but some kind of alphanumeric coding is likely to be useful when you are dealing with a large number of risks.

Description: Presented in a structured format:
• Condition – ‘There is a risk that’
• Cause – ‘Caused by’
• Consequence – ‘Resulting in’

Probability: What is the likelihood of the risk occurring? It would be helpful to record the justification behind this analysis.

Impact: What will the impact be if the risk occurs? It would be helpful to record the justification behind this analysis.

Timescale: What is the ‘risk window’ when this risk may occur, and when do you start to lose options as to how you respond?

Cost: What will the risk cost if it does occur? Note: you can’t assess this unless you know what your response action will be.

Owner: There should be a person nominated to ‘own’ the risk, which means monitoring the situation and ensuring that necessary management actions are carried out. In a project situation this should be somebody within the project team, and in all cases it should be somebody who will be impacted by the risk and who has a vested interest in addressing it.

Management approach: What are the agreed response actions? These may be broken into preventative actions to mitigate the risk, and the response action if the risk actually occurs. This is sometimes known as an ‘impact plan’.

Residual risk: This is the expected level of risk once all the mitigating actions are complete.

Early warning signs: What ‘trigger’ might alert you to the fact that the risk is about to occur? In some cases you may only choose to spend money on a response action once the trigger occurs.

Risk Register Example

Function/Activity:
Compiled by: Date:
Date of risk review:
Reviewed by: Date:

Reference | The Risk: What can happen? (event) | How can it happen? | What can happen? (consequences) | Identify existing controls | Effectiveness and implementation of existing controls | Analysis: Likelihood | Analysis: Consequences | Analysis: Level of risk | Risk priority | Treat risk Y/N | Further action

Activity

1. What procedures can you identify in your workplace that are used solely as risk identification tools, or can serve as tools for the identification of risk in addition to their usual operation?
2. What are the greatest risks to your section, team, division or organisation? This may be a continuous risk, or possible individual risks. What steps are taken to identify those risks?
3. What documents are required by your organisation to be completed as part of its risk identification and management process?
What documents which are currently required to be completed, but which relate to general processes, could be used to form part of a risk identification and management process?

Analyse and evaluate risks

Overview

In this content guide, you will find out about:
• the process of risk analysis and some tools and models to conduct this
• the frequency and likelihood of the risks as part of the analysis and evaluation
• the prioritisation and ranking of the risks and their effect.

Key terms

Due diligence: In risk management this is a formatted, or sometimes regulated, process of risk assessment and identification. Where an organisation conducts a process of due diligence, it follows a set or agreed procedure to examine processes, documents or systems to determine a set of agreed standards. In environmental management, all reasonable steps are taken to prevent pollution and protect the environment, to promote action to prevent or minimise potential environmental damage, and to ensure that all precautionary and control measures are in place and are regularly checked and maintained to minimise the risk of an environmental incident.

Qualitative risk analysis: This involves looking at the extent of the risk and its potential or current impact on the product or process, or both. It may involve an assessment of the impact of the risk on the general culture of the organisation.

Quality: In customer service, quality is when a product or service meets or exceeds the customer’s expectations. Risk assessment often deals with the effect of the risk event on the quality of the product or service of the organisation. The quality may be the quality of the product or service, or may be the impact on the culture or individual employees, which is viewed or assessed from a quality viewpoint. Quality itself means an inherent or distinguishing characteristic or property.

Quantitative risk analysis: Something that is able to be quantified can be expressed as a measurement, quantity or amount. Quantitative risk analysis takes a numerical approach to assessing project risks.

Analysing causes of risk

A risk assessment and evaluation process must identify the ‘drivers’ of the risk, in other words the causes as opposed to the symptoms of risk. Managing the symptoms might be beneficial in some cases, but unless the causes are identified and dealt with, the risk cannot be eliminated or effectively managed. Risk assessment focuses on what can happen, while risk sourcing focuses on why, how and where the risk occurs. Sources of risk might include:
• changes in the external environment (natural, political, social, economic)
• problems or deficiencies in business processes or systems
• inadvertent or deliberate errors and mistakes
• inadequate information flow, or breakdowns in the flow of information that supports the business processes
• facilities or equipment that are not suited to the job
• lack of training
• management actions – or inaction – or dysfunction, for example leadership/management style, communication abilities, etc.
• inappropriate or unrealistic performance expectations
• lack of incentives
• insufficient resources
• lack of planning.

By analysing the causes of risk, it should be possible to develop forward-looking risk indicators that will tell you of impending risk events. Just as seismologists use equipment to warn them of earthquakes that may be risks to nearby populations, so you can use various indicators to warn of risks in your area of responsibility. For instance, by monitoring customer feedback you can get early warning signals of problems such as product faults that might prove a financial risk to the organisation. Below you will see an example of an event tree analysis.
This can be used to identify causes of risk. The one below identifies potential causes of failure of an emergency lighting scheme.

Event tree analysis: by following a chain of events from left to right, this diagram shows that the main areas where risk could occur are mains power failure, generator power failure and battery failure.

Assessing risks

Once you have identified a risk, or a number or series of risks, you need to analyse the risks so that you know:
• how likely it is that the risk/s will occur – its probability
• what the consequences will be if the risk does occur – its impact.

Probability of risk

You can look at the probability, or likelihood, of a risk event actually occurring as being on a continuum from ‘Almost certain’ (level A) to ‘Rare’ (level E), as described in the table below.

Sample Probability Table of Definitions

Level | Descriptor | Probability | Description
A | Almost certain | 90-100% | Is expected to occur in most circumstances
B | Likely | 50-90% | Will probably occur in most instances
C | Possible | 25-50% | Might occur at some time
D | Unlikely | 10-25% | Could occur at some time
E | Rare | 1-10% | May occur only in exceptional circumstances

Impact of risk

Qualitative risk analysis involves looking at the extent of the risk and its potential or current impact on the product or process, or both. It may involve an assessment of the impact of the risk on the general culture of the organisation. In this case, culture refers to how the members of the organisation perceive the organisation: it is a perception shared by a number of members of the organisation. Impact itself can be assessed in terms of its effect on:
• time
• cost
• quality.

Time

This includes the time taken to:
• identify, record and report the risk
• analyse and assess the risk
• address the risk
• either reduce its impact or remove it completely as a potential risk.
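The event tree for the emergency lighting scheme described above can be worked through numerically. The following is an added example, not a diagram or code from this unit: it walks the chain of events from left to right (mains failure, then the generator, then the battery), ending a branch as soon as a backup works, and adds up the probability of the paths on which every backup fails. The initiating-event probability, the chance that each backup works, and the barrier names are constructed values; the unit names only the three failure areas. The same function handles any ordered chain of backup controls, not just these three.

```python
"""Event tree analysis for a chain of backup controls.

Added worked example (not from the TAFE Western BSBRSK401 unit). The unit names
the three failure areas of its emergency lighting example: mains power,
generator and battery. The probabilities below are constructed for illustration.
"""
from typing import List, Tuple

Path = List[Tuple[str, bool]]   # sequence of (barrier name, barrier worked?)
Leaf = Tuple[Path, bool, float]  # (path, lighting kept on?, path probability)


def enumerate_paths(p_initiating: float, barriers: List[Tuple[str, float]]) -> List[Leaf]:
    """Walk the event tree left to right, branching at each backup barrier.

    As in the unit's diagram, a branch ends as soon as one barrier works
    (the lights stay on); the lights are lost only when every barrier in
    turn has failed. Each leaf carries the probability of reaching it.
    """
    if not 0.0 <= p_initiating <= 1.0:
        raise ValueError("initiating event probability must lie in [0, 1]")
    for name, p_works in barriers:
        if not 0.0 <= p_works <= 1.0:
            raise ValueError(f"probability for {name!r} must lie in [0, 1]")
    leaves: List[Leaf] = []

    def walk(index: int, path: Path, prob: float) -> None:
        if index == len(barriers):
            # Every barrier failed along this path: lighting is lost.
            leaves.append((path, False, prob))
            return
        name, p_works = barriers[index]
        # Left branch: this barrier works, sequence ends with lighting kept.
        leaves.append((path + [(name, True)], True, prob * p_works))
        # Right branch: this barrier fails, the next backup is called on.
        walk(index + 1, path + [(name, False)], prob * (1.0 - p_works))

    walk(0, [], p_initiating)
    return leaves


def lighting_loss_probability(p_initiating: float, barriers: List[Tuple[str, float]]) -> float:
    """Total probability of the leaves on which lighting is lost."""
    return sum(prob for _, kept, prob in enumerate_paths(p_initiating, barriers) if not kept)


# Constructed figures (assumptions, not from the unit): chance of a mains
# failure in the period under review, and chance each backup works on demand.
P_MAINS_FAILURE = 0.2
BARRIERS = [("generator starts", 0.9), ("battery pack supplies lighting", 0.95)]

if __name__ == "__main__":
    for path, kept, prob in enumerate_paths(P_MAINS_FAILURE, BARRIERS):
        steps = " -> ".join(f"{name}:{'ok' if worked else 'fail'}" for name, worked in path)
        print(f"{steps:<60} lights {'on ' if kept else 'off'} p={prob:.4f}")
    print(f"probability lighting is lost: {lighting_loss_probability(P_MAINS_FAILURE, BARRIERS):.4f}")
```

With the constructed figures the three leaves have probabilities 0.18 (generator works), 0.019 (generator fails, battery works) and 0.001 (both fail), and they sum back to the 0.2 of the initiating event, which is a quick check that no branch has been dropped. The leaf with every barrier failed is the path the unit's diagram highlights as the area where risk could occur.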

Cost

Although you may have assessed something as a risk, the cost of identification, recording, analysis and addressing it may operate against making a proper response to it. Once identified, some risks will also be identified as having a potentially significant cost to the organisation if they are allowed to continue unchecked.

Quality

Risk assessment also includes an analysis of the impact of the risk on quality. In this case, quality may be the quality of the product or service, the impact on the culture or employees of the organisation, or the issue of risk proximity. Risk proximity is about:
• when and where the risk will occur
• its role in the process or system
• its damage, or potential damage, reach.

The following table shows that the impact of risk is generally ranked from ‘Insignificant’ (level 1) to ‘Catastrophic’ (level 5). You can see from the detail descriptions that these levels focus on the degree to which the business is affected in regard to its financial and service capability.

Sample Consequences (Impact) Table of Definitions

Level | Descriptor | Example detail description
1 | Insignificant | No service impact; low financial loss
2 | Minor | Minimal disruption to service capability; medium financial loss
3 | Moderate | Interruptions to service delivery; high financial loss
4 | Major | Loss of service capability; major financial loss
5 | Catastrophic | Loss of business continuity; huge financial loss

As with most areas of our lives, immediate risks often have more impact than risk that has become part of the working life or system of the organisation. In the workplace, an immediate risk is often easier to deal with than a future risk, because future risks need planning. To manage future risk, you need to be able to mobilise a team to plan against these future issues.

For example, before the Sydney 2000 Olympics, many businesses that considered they would be affected in some way during the Olympics period (for example by heavy traffic, road closures or increased/decreased patronage) conducted risk analyses around 1998. This gave them the time and opportunity to plan to manage the risks effectively. Some organisations believe that risks that are not going to occur in the current financial year should not be considered until the year in which they will occur. On the other hand, there may be a risk that has an imminent effect, or has already had its effect. Or the effect may be latent.

Evaluating risk and setting priorities

This section looks at qualitative and quantitative risk analysis and the ranking or priority listing of the risk(s).

Risk analysis

Risk analysis is sometimes called risk assessment. It is a step-by-step process. Risk analysis needs to consider the following:
• What can go wrong?
• How likely is it that it can go wrong?
• What are the consequences if it does go wrong?

The first step is to determine the causes of the risks you have identified. The tools used to determine causes of risk are very similar to those used in the risk identification stage. Informal tools such as brainstorming, stakeholder consultation, benchmarking and observation all help to find the root causes of each risk event. Other tools that can be used to effectively determine the causes of risks are diagrammatic techniques.

Your analysis may be qualitative, quantitative or a combination of both. Qualitative analysis uses words to describe the magnitude of potential consequences and the likelihood that those consequences will occur. These scales can be adapted or adjusted to suit the circumstances, and different descriptions may be used for different risks.
Quantitative analysis uses numerical values for both consequences and likelihood, using data from a variety of sources. The quality of the analysis depends on the accuracy and completeness of the numerical values and the validity of the models used.

[Figure: Qualitative and Quantitative Risk Analysis]

Once you have identified and analysed the risks, it is important to rank them so that you can prioritise the focus of resources and attention. It is also important that this ranking is carried out in an objective way and is not influenced by emotion or self-interest. There is some evidence that people tend to focus on risks that have recently occurred rather than those that arose some time before and may be repeated.

Qualitative risk analysis is commonly used because it is easy. The skills needed for quantitative analyses are a little more specialised. However, a structured approach will allow analyses to take into account both qualitative and quantitative approaches.

While it is important to canvass a range of people within the organisation, you and other leaders/managers must be cautious when taking into account people’s personal perspectives. Self-interested and self-promoting motives are not uncommon during the process. For example, ‘Angela’s priority is network security as she has always advocated new network security purchases’. A technique that is sometimes used to keep the focus on the problem is the Delphi Technique. Here opinions and views are collated anonymously and then cross-checked with a range or panel of experts. In this method the data is examined and forms the examinable material. Personalities are not considered.
Risk control plan

To create an effective risk control plan you should consider the following:
• Causes of the risk
• Potential consequences of the risk
• The likelihood of the risk occurring

Once you have considered these factors during your analysis, you are in a position to categorise and prioritise the risk.

Risk consequences

The consequence is the impact that could result if the risk event occurs. Sometimes there are several consequences from a particular risk event. Consequences should be documented in the Risk Register.

Risk analysis systems

Most risk analysis systems use two measures:
• Consequences – the potential severity of the impact of the risk event. Impact could be on cost, time, people or quality.
• Likelihood – the probability of the risk event happening.

An overall risk rating is determined by multiplying the consequence score by the likelihood score. Each risk is considered and scored against both measures. The following tables describe how this may work:

Consequence Rating

Rating         Score  Description
Insignificant  1      Negligible loss. Consequences easily dealt with
Minor          2      Noticeable impact. Minimal damage
Moderate       3      Moderate damage. Manageable scale of loss
Major          4      Large-scale damage. High loss or restriction
Catastrophic   5      Widespread damage. Business objectives severely compromised. Huge financial loss.
Likelihood Rating

Rating          Score  Description
Rare            1      Risk may occur only in exceptional circumstances
Unlikely        2      Risk is less than likely during normal operations
Possible        3      Risk event is as likely as not
Likely          4      Risk event is more likely than not in most circumstances
Almost Certain  5      Risk event is expected to occur in most circumstances

By assessing each risk against the consequences and likelihood scales and assigning a score, you can then multiply these scores to determine an overall risk rating for each risk. This will give you a risk rating between 1 and 25. The higher the score, the more important it is to address the risk and take action to manage it. The consequences and likelihood of a risk can be very subjective. It is best to engage a group of informed stakeholders in the process of determining consequences and likelihood to achieve a balanced outcome.

Risk prioritisation

One way of graphically representing and sorting your data is with a consequences-likelihood matrix. This matrix, along with shading representing the three risk categories, is shown in the following figure.

[Figure: consequences-likelihood matrix. Vertical axis, Consequences: Insignificant 1, Low 2, Medium 3, High 4, Significant 5. Horizontal axis, Likelihood: Rare 1, Unlikely 2, Possible 3, Likely 4, Very Likely 5. Cells are shaded into the three risk categories; the shading is not reproduced here.]

Where the shading indicates:
• Low risk. No action required unless risk occurs.
• Medium risk. Plan for, but limit resources.
• High risk. Action immediately.

Risk analysis documentation

You must maintain records of your analysis processes and outcomes in order to meet organisational, insurance, quality accreditation and legislative requirements. This could include your:
• identification and analysis of risks
• recommendations for change
• actions to control and monitor risk.

Using a risk register you can now allocate an overall risk rating to each risk and a priority rating (priority 1 for the most serious risk). Alternatively you can group the risks as high, medium and low.
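The scoring and prioritisation procedure described above (consequence score multiplied by likelihood score, a rating from 1 to 25, then priority 1 for the most serious risk) can be carried out in a small program. The following is an added example, not code from the TAFE Western guide. The descriptors and scores come from the two rating tables above and the action wording from the matrix legend; the numeric cut-offs between the Low, Medium and High bands, the tie-break rule when two risks share a rating, and the sample register entries for an accounting-system rollout are all assumptions made for the example.

```python
"""Risk register scoring and prioritisation (added example, not from the
guide). Implements the two-measure system described above: each risk is
scored on the 1-5 consequence and likelihood scales, the scores are
multiplied to give a 1-25 rating, and the register is numbered so that
priority 1 is the most serious risk. The Low/Medium/High cut-offs are an
assumption: the guide shows the bands only as shading on the matrix."""
from dataclasses import dataclass

# Scales as defined in the consequence and likelihood rating tables above.
CONSEQUENCE = {"Insignificant": 1, "Minor": 2, "Moderate": 3, "Major": 4, "Catastrophic": 5}
LIKELIHOOD = {"Rare": 1, "Unlikely": 2, "Possible": 3, "Likely": 4, "Almost Certain": 5}

# Action wording from the matrix legend; which rating falls in which band is assumed.
ACTION = {
    "Low": "No action required unless risk occurs",
    "Medium": "Plan for, but limit resources",
    "High": "Action immediately",
}


@dataclass
class Risk:
    description: str
    consequence: str   # descriptor from CONSEQUENCE
    likelihood: str    # descriptor from LIKELIHOOD
    owner: str         # person who 'owns' the risk throughout the project
    rating: int = 0    # filled in by prioritise()
    category: str = ""
    priority: int = 0


def rating(consequence: str, likelihood: str) -> int:
    """Overall risk rating = consequence score x likelihood score (1..25)."""
    if consequence not in CONSEQUENCE or likelihood not in LIKELIHOOD:
        raise ValueError(f"unknown descriptor: {consequence!r} / {likelihood!r}")
    return CONSEQUENCE[consequence] * LIKELIHOOD[likelihood]


def categorise(score: int, low_max: int = 4, medium_max: int = 12) -> str:
    """Map a 1-25 rating to Low/Medium/High. The cut-offs are assumptions."""
    if not 1 <= score <= 25:
        raise ValueError(f"rating out of range: {score}")
    if score <= low_max:
        return "Low"
    if score <= medium_max:
        return "Medium"
    return "High"


def prioritise(risks: list[Risk]) -> list[Risk]:
    """Score every risk, then number them so priority 1 is the most serious.
    Ties on rating are broken by the higher consequence score, then by
    description, so the order is deterministic (the tie rule is an assumption)."""
    for r in risks:
        r.rating = rating(r.consequence, r.likelihood)
        r.category = categorise(r.rating)
    ordered = sorted(risks, key=lambda r: (-r.rating, -CONSEQUENCE[r.consequence], r.description))
    for n, r in enumerate(ordered, start=1):
        r.priority = n
    return ordered


def register_lines(risks: list[Risk]) -> list[str]:
    """One text line per risk, in priority order, for the risk register."""
    return [
        f"P{r.priority} [{r.category:6}] {r.rating:2} {r.description} "
        f"({r.consequence} x {r.likelihood}) owner: {r.owner}; {ACTION[r.category]}"
        for r in prioritise(risks)
    ]


# Constructed sample register for a new accounting system rollout (the activity
# used in the guide's monitoring form); the scores are illustrative only.
SAMPLE_REGISTER = [
    Risk("Untrained staff cannot operate new system", "Major", "Likely", "Accounts Supervisor"),
    Risk("Staff resistance to change", "Moderate", "Possible", "Accounts Supervisor"),
    Risk("Installation interrupts work schedules", "Minor", "Unlikely", "System supplier"),
    Risk("Data lost during cutover", "Catastrophic", "Rare", "IT Officer"),
]

if __name__ == "__main__":
    for line in register_lines(SAMPLE_REGISTER):
        print(line)
```

Running it on the sample register gives priority 1 to the untrained-staff risk (4 x 4 = 16, High), priority 2 to staff resistance (3 x 3 = 9, Medium), priority 3 to data loss (5 x 1 = 5, Medium) and priority 4 to the installation interruption (2 x 2 = 4, Low). Note that a catastrophic but rare event and a minor but unlikely one land next to each other; that is exactly the point in the text about stakeholder input being needed, because the multiplication alone cannot tell you whether a rating of 5 deserves the same attention as a rating of 4.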
At this stage, consider who should ‘own’ each of the risks. This is the person allocated the risk to manage throughout the project.

The categorisation and prioritisation of risk is a vital process in risk management. Categorise, rank and set priorities for risk in order of importance. Cost factors and planning priorities may later influence the way your organisation or department acts on your risk control priorities.

Risk Analysis Template

Over the page you will find a sample risk analysis form completed for a fictional workplace. It describes:
• the risk – what can happen and how
• current controls and how suitable they are
• likelihood and impact of the risk after the controls have been applied
• the level of risk
• its treatment
• the person responsible
• where to find the risk action plan.

Sample risk analysis template. Tables on previous pages provide sample definitions.

Date of risk review: 20 May 2015
Compiled by: Garry O’Brien
Function/Activity: Rehabilitation Service

Risk #1
Risk (what can happen & how): Staff resist change because they are unsure of its implications for their work duties
Current controls & suitability: Little or no communication about the proposal to staff: Ineffective
After control (impact/likelihood): Consequence: medium; Likelihood: likely
Level of risk: High
Treatment: Develop and deliver communication about the proposal and benefits to all, including staff. Include them in planning
Person responsible: Head Nurse
Risk action plan number: RAP #1

Risk #2
Risk (what can happen & how): Staff cannot complete new duties because they are untrained
Current controls & suitability: Buddy system of on-job training: Ineffective
After control (impact/likelihood): Consequence: significant; Likelihood: likely
Level of risk: High
Treatment: Design and delivery of relevant training program as soon as proposal is approved
Person responsible: Board (proposal decision); Director of Nursing (training program)
Risk action plan number: RAP #2

Risk #3
Risk (what can happen & how): New equipment not used or maintained properly
Current controls & suitability: Current equipment training & maintenance schedule: Ineffective
After control (impact/likelihood): Consequence: significant; Likelihood: likely
Level of risk: High
Treatment: Source manuals from suppliers; review and prepare training and maintenance instructions
Person responsible: Head Nurse
Risk action plan number: RAP #3

Risk #4
Risk (what can happen & how): Patient care (rehab.) not monitored properly
Current controls & suitability: Patient care monitoring software: Effective
After control (impact/likelihood): Consequence: possible; Likelihood: low
Level of risk: Medium
Treatment: Current software to be upgraded to include rehab patient care monitoring
Person responsible: IT Officer
Risk action plan number: RAP #4

Practical example

Kristen is the supervisor of the local medical practice. She wanted to determine the risk of cross contamination. Kristen divides her tasks into a number of steps:
• She calls a meeting of stakeholders to determine the risks
• Using the collective knowledge of the stakeholders, the consequences, likelihood and frequency of each risk are determined
• Kristen then determines the overall risk rating and is able to prioritise the risks
• Finally, the risk analysis is documented.

1. Kristen schedules a meeting and invites at least one person (stakeholder) from every section in the practice. She determines that these stakeholders need to represent suppliers, doctors, nurses and patients.
2. Kristen thought through the various tools available to identify risks. She opted to use informal methods and settled on a facilitated brainstorming session with as many of the stakeholders as could attend. She was hoping to utilise their collective knowledge, experience and the research they had conducted.
3. Each stakeholder was issued with sticky notes and pens.
   The idea was that all the potential risks would be written on the sticky notes and placed on the wall for discussion. The session was professionally run by a facilitator from a business consultancy.
4. When Kristen counted the risks, she identified eight major risks. Using the broad input of the stakeholders, the impacts were determined for each risk. Once again using the expertise of the stakeholders, the likelihood of each risk was determined. Finally, everyone agreed on the frequency of each risk.
5. Once this was complete, the impact ratings were multiplied by the likelihood ratings and the frequency to come up with an overall risk rating. This figure was used to prioritise the risks. Even though the session ran for two hours, everyone was happy with the results.
6. The table below documents how the medical practice ranked and prioritised the risks of cross contamination. Column four shows the medical practice’s evaluation of the seriousness of the risk.

Risk Ratings

Risk                               Likelihood  Consequences  Frequency  Order of Severity
Instrument incorrectly sterilised  3           1             2          1
Needle mishandling                 3           1             1          2
Poor personal hygiene              1           2             3          2
Inadequate staff training          2           2             2          2
Failure to use gloves, masks       1           2             3          3
Barriers to infection inadequate   3           1             2          4
Soiled linen                       3           3             3          5
Inadequate ventilation             4           2             4          6

Key
Likelihood: 1 Very Likely; 2 Likely; 3 Unlikely; 4 Very Unlikely
Consequences: 1 Significant; 2 High; 3 Low; 4 Insignificant
Frequency: 4 is continuous; 3 is frequent; 2 is occasional; 1 is rare

Documenting analysis processes and outcomes

Document management is a vital ingredient in any risk management process. For example, where the risk is addressed by regulatory authorities, an organisation which is subject to those regulations must retain the supporting documents to show it has met or exceeded the risk guidelines.
In some situations this forms part of their due diligence procedures. Due diligence is a formalised, and sometimes regulated, process of risk assessment and identification. Where an organisation conducts a process of due diligence it follows a set or agreed procedure to examine processes, documents or systems against a set of agreed standards.

You should document the results of the analysis process, including changes and recommendations. These documents should be easy to understand by all those whose role includes their use. It is very important that all documentation communicates clearly. Often people who are very literate will write documents that are difficult to understand. Make sure you use plain English and that your message is understood by all who read it. Keep in mind that language difficulties also affect the success of the documents used and must always be taken into account.

The person writing the document must be clear about:
• the reason the document is being created
• what it should contain
• its purpose – what it will be used for and who will be reading it.

There is always a role for training in relation to the completion of the documents, and that training should take these issues into account. Focusing on the documentation may also highlight the need for amendments to be made to operational and training manuals, schedules, checklists and instructional documents to ensure they communicate clearly.

Activity

1. Consider a number of risks that exist in your workplace. Complete the table below by sourcing the risks and identifying their possible causes.

Risk                            Possible cause
Increasing customer complaints
Workplace accidents
Theft
High employee attrition rates
Other?
Other?

2. Identify a risk in your organisation that is dealt with on a continuing basis. What are the factors that determine:
• When the risk is dealt with?
• Who deals with it?
• The level and success of the management of the risk?
• What are the cost factors involved in the identification and then the management of each of these risks?
3. How does your organisation and your particular team or section prioritise and rank risk? Can you suggest any variations or changes to this established process?
4. How would you use documents to support analysis of processes and outcomes?

Treat risks

Overview

This content guide addresses the issues surrounding the treatment of risks. The first important step is to determine the strategies you will use to control and assess both the ongoing and the short-term nature of the risk. You will find out about the differing strategies in risk management. As risk is a continuous issue in active organisations, you will find out about various models and devices to monitor risk. These allow you to continue the examination and identification of risk. Finally you will find out about the preparation and implementation of treatment plans.

Key Terms

Assumption of risk
This means knowingly accepting the risk as part of the organisation’s general business or operation. It usually refers to an insurance company ‘assuming risk’ of a financial nature on payment of an insurance premium. For example, when an organisation pays its fire insurance premium over a factory, the insurance company assumes or takes the risk of the financial cost of rebuilding the structure if it burns down.

SWOT Analysis
Organisations use this tool to identify their internal strengths and weaknesses and external or environmental threats and opportunities. The analysis allows an organisation to answer the question ‘where are we now?’

Determining and assessing strengths and weaknesses of control systems

It is important to remember that many organisations view risk in different ways.
Some have risk as part of their culture; for example, airlines address risk in a number of areas as part of their most basic operations. Here risk control and management is a dominant factor in the organisation, and it attracts and expends much of the organisation’s resources. Other organisations that are involved in less obviously risky processes may view risk identification and management as of low importance. However, it is often easy to find risk issues that, although they do not directly impact on the organisation, create processing or production slowdowns or problems. Sometimes this is accepted and nothing is done about implementing an active, positive system to address and change it. In fact, such situations are as much a part of a risk management process as those in more obviously high-risk operations, such as an airline.

Once you have identified the risk, there are two general approaches that you can choose from to begin the decision-making process. Will you:
• Control the risk? That is, take ownership of it, and directly implement strategies to take the risk and deal with it.
• Transfer the risk? That is, remove the risk from the organisation or the process within the organisation. Removal may include outsourcing, having a specialist supplier conduct the process, or having a specialist supplier or contractor take ownership of it within the parent organisation.

Alternatively the solution may be to change a process or system in such a way as to remove the risk. This change may be imposed on the organisation by regulatory authorities, for example in the case of the risk associated with dangerous materials or machines. Or it may simply be a better financial decision.

SWOT analysis

Conducting a SWOT analysis to determine the best control measures for risk is a common approach.
Organisations use this tool to identify their internal strengths and weaknesses and external or environmental threats and opportunities. The analysis allows an organisation to answer the question: ‘where are we now?’ When analysing the best control measures for risk, the SWOT questions become:
• What are the strengths of this control measure?
• What are the weaknesses of this control measure?
• What are the opportunities provided by using this control measure?
• What are the threats involved in using this control measure?

Common approaches to risk control

The control or management of risk can differ on an organisational or industry basis. However, there are seven commonly used approaches:

1. Elimination / reduction management
In this approach the risk is either reduced to its lowest possible level to enable it to be managed, or it is eliminated. This latter course may involve divesting a manufacturing process or a particular service within a general service industry, or simply deleting a process and replacing it with a newer, safer or alternative system. A variation on this approach is not to eliminate the risk, if that is too difficult or too late, but to reduce or eliminate its effect.

2. Assumption of risk
Insurance companies assume risk as part of their operations. Here the expression ‘assume risk’ means to knowingly accept the risk as part of the agreement with the person/company that pays the premium. Organisations unused to risk may assume or accept its effect because to fail to do so might negatively affect the organisation’s operations. Once again the decision to assume a risk must be taken bearing in mind the competing issues of cost, proximity and extent of the risk.

3. Transfer risk
Insurance is a means of transferring the risk, through the payment of insurance premiums, to an insurance company. It is important to understand that this is generally a way of managing financially based risk. The insurance company can only really assume a financial risk. It is not able to assume risk that relates to culture, personnel or manufacturing, for example. So if the risk of the factory burning down is identified, then the financial risk can be transferred to the insurance company, but the actual risk of losing specific or specialist machinery cannot. Often organisations only transfer part of the financial risk, having assessed the insurance premium cost as too high to transfer it all. To offer a personal example, this may be compared with a householder insuring the contents of the house against fire, but not paying extra for the loss of specialist jewellery or stereo equipment. It then falls on the householder to fund the replacement of such items.

4. Changing processes
Risk can be avoided by changing processes, or refraining from an activity. This is often an ongoing process of change following risk identification. Organisations with a positive risk identification and management culture are ready and willing to change or remove processes that demonstrate a greater degree of risk or risk potential. Changing a process to avoid an activity also requires a positive risk management culture, as this can be confronting and expensive, particularly if the process needs to be replaced. The change or replacement of a process in order to manage a risk must also be undertaken using risk management procedures. In other words, the new process must not create or support the same or a similar risk to the one it was designed to eliminate.

5. Delaying
An organisation may defer a risk by delaying it until such time as it is able to assume the risk or deal with it in a better and more positive way. An organisation may believe that research or development it is undertaking will make it more able to deal with the risk at a later time.

6. Sharing risk
Organisations may seek to share risk with other organisations by way of joint ventures or cooperative options. A good example of this is seen in the construction and maintenance of motorways in capital cities, where government and private industry come together to share the expense. Similarly, in recent times wine and beer companies have combined with manufacturing industries associated with wine and beer production when entering new markets such as China.

7. Spread and minimise locations of the risk
An organisation may attempt to spread and minimise the locations of the risk, eg a company may spread its outlets and workforce across a number of areas in order to spread or reduce the risk of an incorrect decision in relation to geographic marketing. For example, a retailer may have outlets in a number of locations in a town to ensure the product is available to as many potential customers as possible.

Control

Control is a significant option for risk treatment. In Australia much of the OHS or associated legislation creates an obligation on companies and organisations to control risks and hazards effectively. The hierarchy of control is the process for managing risk, and its starting point is the elimination of risk. If it is not possible to eliminate the risk, then the obligation is to reduce it. This then flows down to taking steps for personal protection, which is the least favoured option.

[Figure: An example of a hierarchy of control for managing risk]

Risk control measures

Controls are the policies, practices and processes used to treat, or manage, risk. There are many different types of controls you can use. Control method selection depends on the approach, or treatment strategy, you intend to use for each risk.
Treatment Strategy                                  Possible Control Measures
Avoid the risk                                      Restructure; Training; Staffing; Security; Delay activity
Reduce the likelihood/consequences of the risk      Expand business; Contract business; Joint venture; Modify objectives; Maintenance agreement; Quality control; Standards; Legislative requirements; Diversification; Hedging
Transfer or share the responsibility of the risk    Insurances/warranties; Subcontractors; Contracts
Retain the risk                                     Monitoring; Progress reporting

Monitoring risks on a continuous basis

Any risk management program must reflect the potential instability of risk. You can never assume that risk will remain constant, so your management program must include an inbuilt ability to monitor the changing nature of risk. Remember also that some risks will change as a result of managing the risk.

Risk can appear in any process or system at any time. Accordingly it is essential that the issue of ‘risk’ is prominent, and that continuous monitoring becomes part of the process of the organisation. In other words, it is necessary to instil in the processes of the organisation an awareness of the need to identify and manage risk. Many organisations have a culture that is positive and supportive towards risk and its management at all levels. The identification of risk should form part of the general training at all levels of an organisation. In this way, members of the organisation and all stakeholders understand that the organisation fully supports and encourages the identification of risk in all areas.

As an operational issue, processes designed to monitor risk can be included in many, if not all, of the general procedures and systems. One of your work responsibilities as a leader/manager, team leader or supervisor is to advise on how best to incorporate risk monitoring into systems and how best to document and report it, as a continually renewing process.
There are many examples of how the failure to monitor risk has created significant problems. For example, insurance regulatory authorities failed to continue to monitor FAI Insurance and HIH Insurance, causing significant damage when both organisations imploded.

A risk monitoring form might include the headings:
• Activity
• Risk
• Rank
• Treatment
• Reassessment
• Date.

Risk monitoring form

Below is a sample of what a risk monitoring form might look like and how it might be completed. In this case, the activity around which the risks are identified is the implementation of a new accounting system.

A sample risk monitoring form

Activity: Implementation of new accounting system
Risk: Untrained staff
Rank: High
Treatment: Design and deliver training program
Reassessed by: Accounts Supervisor
Date: 10 June

Activity: As above
Risk: Staff resistance to change
Rank: Unlikely
Treatment: Determine reasons for resistance; ensure all operators understand benefits to selves and others; have ‘out with the old, in with the new’ party
Reassessed by: Accounts Supervisor
Date: 27 May

Activity: As above
Risk: Time constraints in installing new system; interruptions to work schedules
Rank: Moderate
Treatment: Install new system outside normal working hours
Reassessed by: Accounts Supervisor
Date: 20 May

Identifying control measures for all risks

Once you have identified and assessed/evaluated a risk, it is then either permanently avoided, eliminated, or brought under control. ‘Control’ here refers to a process which reduces substantially, or to nil, the effect of the risk if and when it arises. Where the risk has not been eliminated it is necessary for you to use a control mechanism to measure the absence of the risk, or to ensure that monitoring shows the ineffectual nature of the risk if and when it arises. This can be as simple as viewing sales reports, breakdown reports, or production figures.
In other words, documents and records relating to the process can be used to control the risk.

Appropriate referral of risks

Risk is an issue that can affect many different areas of an organisation, so it is important that you communicate the existence and qualities of a risk to other areas of the organisation. Leaders and managers can take a positive role in risk advocacy. You can identify and monitor risk within your own area and, in consultation with other leaders/managers, particularly those in your immediate area of operation, become involved in and provide advice on the wider effects or potential effects of the risk. General meetings of leaders/managers, either weekly or monthly, provide the opportunity to raise issues associated with a wider risk management potential. A culture of positive risk management can be created and supported by discussions of risk and its management that begin ‘on the shop floor’ but take an ever-widening focus to embrace the organisation as a whole. Naturally, this requires the support of senior management, but any leader/manager who has been trained in risk management can be a trainer for those who have not, and can do so either informally or formally.

Preparing and implementing treatment plans

When an organisation plans to implement a risk treatment it creates a risk treatment plan. This should include:
1. The activity, ie the service or production activity that contains the risk or that is the dominant area to be affected by the risk. The plan should be created and written in terms that are easy to understand, not only in their description but in the reasoning behind them. It is important that risk in all its management forms is communicated effectively; this means that your communication must be clear and it must be understood by the person or persons to whom it is to be communicated.
2. The risk events should be chronicled and set out in full.
3. Evaluation and analysis of the risks as set out in this section should be set out in the plan. Again this should be done in a way that is easily understood, both in its descriptive parts and in those areas dealing with the effects and future plans.
4. Risk rankings should be agreed upon, and a system that allows re-assessment of the rankings must be put in place. Again, the ranking process must be designed to be understood by all those who are affected by it or whose work includes compiling, adding to or interpreting the ranking and ranking system.
5. The selected treatment options should be set out clearly and without overly technical language, unless they are to be read only by technical groups.
6. Identification of the relevant personnel for managing the risk options.
7. Resource allocation, ie the resources required and where they will come from.
8. Measures of performance, ie how the treatment plan will be monitored and evaluated.
9. Estimated time for completion should be established.
10. Review dates should be established.

Sample risk treatment plan

Risk: (eg loss of contract due to….)    Ranking:    Treatment option:    Date:
Objective: (set out objective in summary)

Steps    Who responsible    When    Resources    Cost
Total cost:

Risk treatment action plan

You can use this tool to identify and record appropriate risk treatment measures, and the actions, responsible persons and time frames for implementation. This action plan picks up from the risk monitoring document above, in which the activity that was the focus of the risk was the implementation of a new accounting system.
Sample risk treatment action plan

Date of risk review:
Compiled by:
Function/Activity:

Risk #1 from Register: Lack of operator expertise
Treatment: Design and delivery of relevant training program
Risk level after treatment: Reduce likelihood but not impact: risk level reduced to high
Person responsible for treatment: HR Consultant
Implement by date: 3 weeks
Indicators to monitor: Staff competence and confidence in operating new system
Person responsible for monitoring: Accounts Supervisor

Risk #2 from Register: Resistance to change by some operators
Treatment: Determine reasons for resistance; ensure all operators understand benefits of new system to themselves & other stakeholders; have ‘out with the old, in with the new’ party
Risk level after treatment: Reduce likelihood and impact: risk level reduced to unlikely
Person responsible for treatment: Accounts Supervisor
Implement by date: 2 weeks
Indicators to monitor: Attitude of staff to new system; willingness to adopt changes
Person responsible for monitoring: Team leaders

Risk #3 from Register: Time constraints in installing the new system and possible interruptions to daily work schedules
Treatment: Install new system outside of normal working hours
Risk level after treatment: Reduce likelihood and impact: risk level reduced to moderate
Person responsible for treatment: System supplier
Implement by date: 2 days (weekend)
Indicators to monitor: Installation time; customer complaints about delays
Person responsible for monitoring: Accounts Supervisor

Keys to risk treatment action plan:

Example Consequences (Impact) Table of Definitions – this is different to the one on previous pages

Level  Descriptor     Example detail description
1      Insignificant  No service impact; low financial loss
2      Minor          Minimal disruption to service capability; medium financial loss
3      Moderate       Interruptions to service delivery; high financial loss
4      Major          Loss of service capability; major financial loss
5      Catastrophic   Loss of business continuity; huge financial loss.
Example Likelihood (Probability) Table of Definitions

Level  Descriptor      Description
A      Almost certain  Is expected to occur in most circumstances
B      Likely          Will probably occur in most instances
C      Possible        Might occur at some time
D      Unlikely        Could occur at some time
E      Rare            May occur only in exceptional circumstances

Example Level of Risk Matrix – this is different to the one on previous pages

                              CONSEQUENCE
LIKELIHOOD      Insignificant  Minor  Moderate  Major  Catastrophic
Almost certain  H              H      E         E      E
Likely          M              H      H         E      E
Possible        L              M      H         E      E
Unlikely        L              L      M         H      E
Rare            L              L      M         H      H

Example of Risk Table of Definitions – this is different to the one on previous pages

E  extreme risk; immediate action required
H  high risk; senior management attention needed
M  moderate risk; management attention must be specified
L  low risk; manage by routine procedures

Acceptability    Risk level
Acceptable       Low and Moderate
Not acceptable   High and Extreme

Practical example

Some types of risks can be completely eliminated by making changes in the organisation or project. Other risks cannot be eliminated, but their impact or consequences can be significantly reduced through various controls. Many risks, however, can be identified before a project starts and so can be planned for and managed proactively with treatment plans.

Kareena is the Product Manager for a new line of swimwear. Through an extensive analysis of risks, Kareena determined that there were two main risks that posed a major threat to the launch of her new line of swimwear. The most serious risk was delays to deliveries caused during production. Further investigation of this risk found that the delivery delay could be caused by the following:
• Equipment problems
• Staff problems
• Raw material problems
• High rate of faulty product

The second most serious risk came from competitor activity.
Possible competitor actions that could affect Kareena’s sales were determined to be:
• Copying product designs and positioning
• Offers to customers to bulk purchase

Kareena needed some mechanisms to monitor her project and alert her when risks were beginning to develop. She also needed clear plans telling her what action to take if and when the risks did develop.

Kareena divides her tasks into a number of steps:
1. Firstly, she gathers her team together to consider possible treatment strategies for the risk of delivery delays.
2. Next, the team considers possible treatment strategies for competitor activity.
3. Finally, the treatment strategies are documented.

Kareena has identified two main risks to her product launch. She decides to take each risk and determine possible handling approaches or treatment strategies that she could use to manage each risk.

Delivery delay

Treatment strategies for this risk revolve around contingency planning. In the event of:
• equipment problems, Kareena has researched companies where she could hire industrial equipment for the short term
• staffing problems, Kareena has contacted the local employment agency and discovered she would be able to contact suitably qualified staff if required
• problems obtaining raw materials, Kareena has sourced an alternative supplier in the event that raw materials are not available
• a high rate of product faults, Kareena allocated more production time and a higher cost structure for the swimwear that had more complicated designs.

Competitor activity

Treatment strategies for this risk also revolve around contingency planning.
In the event of:
• copying of product designs, Kareena introduced new security measures to ensure that there were no design label leaks to competitors
• offers to customers to buy in bulk, Kareena offered all customers incentives to buy the new range in large quantities with follow-up orders. This reduced the chance that they would succumb to counter offers from competitors.

Finally, Kareena utilises a template for a risk treatment plan to document the process. Following is a basic example for delivery delays.

Project Details
Project Name: Lingerie Production
Project Manager: Kareena

Risk Details
Risk ID: LG001
Raised by: Production Team
Treatment Responsibility: Kareena
Risk Rating: High
Risk Description: Delivery delay caused by:
• Equipment problems
• Staff problems
• Raw material problems
• High rate of faulty product

Risk Treatment
Treatment Approach: Contingency
Control Measure: Contingency Plan
Monitoring Measure: any equipment problems, staff problems, high fault rates, delivery delays
Estimated Cost: Minimal
Expected Outcome: Reduced or no delivery delays

Approval
Signature:
Date:

Activity

1. Conduct a SWOT analysis of your organisation’s risk control measures:
• What are the strengths of our control measures?
• What are the weaknesses of our control measures?
• What are the opportunities provided by using these control measures?
• What are the threats involved in using these control measures?
2. Identify systems in your organisation that monitor, record and report risk, or that can be used to do this. How might you incorporate into these systems and procedures a process that monitors, records and reports risk? Suggest improvements designed to increase the quality of the monitoring process.
3. What reports and reporting procedures do you use as a leader or manager that could also be used as a control measure for risk identification?
4. How do you and your fellow leaders and managers deal with referral of risks? Can this system be improved, and what would you suggest to improve it?
5. Does your organisation have a risk plan? If so, how would you describe it in relation to its terms or make-up? If you cannot recognise such a plan, what sort of plan, in summary form, would you implement?

Monitor and review effectiveness of treatment/s

Overview

This section discusses the need to constantly review any risk management program, to ensure that the chosen solution is working and that there are no new risks arising. You will also find out about the importance of using the results of current risk management techniques to constantly improve the overall risk management culture of the organisation. You will look at the process of monitoring and reviewing risk and find out about a sample system that you may use in your area.

Key Terms

Risk audit process
A formulated and/or proven method to examine processes or systems, or particular areas of an organisation’s operations, to identify the existence of risk or potential risk.

Quality
In customer service, quality is when a product or service meets or exceeds the customer’s expectations. Risk assessment often deals with the effect of the risk event on the quality of the product or service of the organisation. The quality may be the quality of the product or service, or may be the impact on the culture or individual employees, which is viewed or assessed from a quality viewpoint. Quality itself means an inherent or distinguishing characteristic or property.

Reviewing treatments against measures of success

Once a risk management system has been put in place, and risks have been identified, analysed and evaluated, you must establish a constant review process. Risks are a continuing, ever-present factor in any business or organisation.
In many areas they are a daily factor in the operation of the organisation. Consider, for example, the kinds of risks faced on a daily basis by airline companies, construction businesses, restaurants, financial institutions, and service businesses such as legal and accounting firms, where advice is constantly given and decisions are made. This is just the start of the list!

As part of your continued risk management program, your constant reviews should ask:
• Have the chosen risk treatments and solutions been implemented as planned:
o control measures are in place
o the measures are being used, i.e. read, examined and analysed
o the measures are being used correctly?
• Is the treatment or solution working:
o the changes made to address the risk have had the planned/envisaged outcome
o the risk has been eliminated or adequately reduced
o any changes to the processes, influences or factors surrounding the area in which the risk arose have been identified and analysed for their impact on the risk and its effects?
• Are there any new or additional issues or problems:
o new risks, or the potential for new risks, in the area have been examined
o control measures are monitored for their potential to worsen the risk?

There are a number of methods that can be used to assess and evaluate this process, and they include:
• examination of risk management process documents
• interviewing workers in the area, leaders/managers and stakeholders.

As with any process within an organisation, there should be milestones of success built into the processes which allow those affected to see that success is being reached on a regular basis. This allows for a growth in support for monitoring and for positive risk management as it progresses. This in turn adds to the quality of the risk management in general. In addition, failure to achieve milestones is often a positive and easy way to identify problems in the process itself, and allows a focus on the process at that milestone to examine the potential risk.

Using review results to improve the treatment of risks

You should examine all results (documentary, verbal, process results, increased or changed production values or rates) as part of the risk process. This is of particular importance for the assessment of future risk and the treatment of current and future risks.

This is linked with the flow of communication within an organisation, or within a section or team in an organisation. Regular, effective identification, recording and reporting of risk will only continue if there is return communication from those assessing the management process. If your group or team regularly identifies, monitors and reports risk, but there is no reaction or positive feedback from the group, person or management structure to whom it is reported, then the impetus for continued quality risk management will decrease.

Risk management as a cultural aspect of an organisation will die unless it is fed by positive, supportive and communicated responses from you as the team leader, in conjunction with the senior management or executive management of the organisation. Keep in mind that, as risk management is usually a skill or way of thinking that needs to be taught in addition to a worker’s technical skills, it also needs to be supported actively by those higher in the organisation. If the organisation is supporting risk management as part of its overall culture, then the support must flow throughout the organisation, embracing all levels of it. The next step is that this support is communicated throughout the organisation in a way that is relevant to all those for whom it must be part of their everyday work life. It must be made relevant to them and made a positive aspect of their work, not an added administrative or procedural burden.
Assisting the constant audit process

If you are required to implement risk management procedures, or you do so as a way of increasing and monitoring performance in your area, then you will be able to provide a number of ways of assisting in the constant audit process. These include:
• team meetings
• performance standards
• mentoring and coaching facilities
• personal goal and performance setting.

As stated above, risk management needs to be supported by communication and the organisational culture. There should also be logistical or operational support to ensure that the processes themselves can be completed. You must ensure that there is a process of auditing of risk in your area of operation, and that this audit process does not decrease the overall effectiveness of the workplace or the production output or service quality.

The difficulty of inserting a risk audit process into a section or team, or even throughout an organisation, without impacting the production or service quality is high. Audit processes can be time-consuming and inherently disruptive, particularly while the group, team or individual is becoming familiar with the process or requirements. In many organisations the requirement of an effective audit function is imposed on leaders/managers who are not in a position to increase staff numbers or vary their work procedures to incorporate an audit function. They often need to find ways to incorporate risk audit functions within the accepted systems and procedures. This can be accomplished by widening the process to include associated or aligned areas of operation within the organisation. The result is a more effective audit process.

It is important for you as a leader/manager to be able to discuss these issues with more senior leaders/managers and members of your organisation’s Human Resources department, who may be able to advise on systems, procedures or staff changes to support audit processes. Once an audit process is in place, this audit system itself needs to be subject to risk management to ensure it remains a viable process for the identification and management of risk. Remember that the audit process must change when there are any procedural, system or staff changes in the area that is being audited.

Monitoring and reviewing risk in your area of operation

As stated earlier, organisations need to have in place a risk assessment process which is continuous, reviewed regularly, tested regularly, and monitored. Such a process is dependent on a number of variables and is often industry or organisation linked. However, organisations need to be systematic in their risk planning, identification, management and control. To that extent all organisations should have a culture of risk assessment and management.

A monitoring and reviewing system

Here is an example of a system for monitoring and reviewing risk.

Step One: Plan and implement risk management monitoring program
• Analysis of tasks and activities for risk requirements
• Selection and training of staff who are given various levels of responsibility in relation to risk identification, analysis and management
• Measurable performance standards are implemented.
Step Two: Measurement of performance
• By using activity reports, monitoring of processes, trends and results continues
• Conduct continuous comparison between organisational risk policy and actual activities within the organisation
• Conduct organised audits of all activities within the organisation
• Implement a system supporting continuous restructuring to reflect management of identified risks and organisational compliance issues.

Step Three: Analyse historical data
• Review reports and establish trends
• Examine history of prior risks to establish cause and effect
• Analyse processes and procedures to identify need for changes
• Support, identify and implement innovation and improvement.

Step Four: Gain commitment to improvements
• Ensure improvements and innovations fall within mission statements, policies and quality systems
• Gain commitment from senior management for change and innovation as a process.

Step Five: Gain commitment of staff
• Support change as a continuous cultural process; ensure that support is given to all staff to identify and implement innovation and change
• Involve staff in all areas of operation
• Involve staff in communication at all levels relating to risk, change and innovation.

Step Six: External audit
• Ensure all legislative and regulatory issues are complied with
• Gain support of external stakeholders
• Review all external audit findings and communicate to staff as much of your findings as possible
• Identify and implement changes proposed.

All organisations should ensure that risk identification, assessment, analysis and the change arising from these processes fall within the culture of the organisation. This requires commitment from the most senior levels of management in the organisation, and it requires communication throughout all ranks of the organisation. Leadership and coaching are two of the most commonly used processes to engage an organisation in cultural change to embrace the issues of risk identification and management and the issues arising from the change that flows from these procedures.

Risk Monitoring and Review tool

Here is a sample Risk Management Monitoring and Review tool, in this case for a risk of discrimination in this fictional workplace’s recruitment system. You can use this tool to:
• review a particular risk recorded in the risk register
• review the relevant risk action plans.

A sample Risk Monitoring and Review tool

Risk Review Date: 10 June 2015

Risk Register Reviewed

| Risk | Date | By Whom (Name & Signature) | Follow-up Actions | Comments |
|---|---|---|---|---|
| Discrimination in recruitment system | 10 June | Shauna Kumar | External audit of legislative compliance | Completed |

Risk Action Plans

| Risk Action Plan # | Date | By Whom (Name & Signature) | Follow-up Actions | Comments |
|---|---|---|---|---|
| RAP #4 | 10 June | Shauna Kumar | Monitor legislative compliance and client satisfaction by reviewing existing personnel records; communicate results of monitoring to senior management and secure their commitment to required changes to the selection criteria; develop and deliver an anti-discrimination training program for recruiters | All follow-up actions complete by 10 August. Need to continue monitoring. |

Practical example

Once the risk management process of risk identification, risk analysis and risk treatment is complete, it is necessary to review performance. If risk treatments are being monitored for effectiveness, then the results will be used to improve the risk treatments. At the end of the project, reviewing the risk treatments will make new projects more efficient and successful.

Kareena is the Product Manager for a new line of swimwear.
Six months after the launch of the new product line, Kareena reviews all that has occurred. Sales were strong, and the range was showing a profit. Two of the new lines experienced a high rate of faults, but Kareena had anticipated that these more complex designs could pose a problem and allocated more time and a higher cost structure. Kareena could thank her risk management plan for that contingency plan. Kareena’s project plan had included a very thorough section on risk management. In addition, new security measures had to be put in place to ensure that there were no design leaks to competitors.

Kareena knew that to really evaluate the success of her project, she needed to monitor and review the risk treatments and also review the performance of the whole risk management process. Kareena divides her tasks into a number of steps:
1. Review the treatment strategies for the risk of delivery delays.
2. Review the risk management process.
3. Document, distribute and file the findings to inform and improve future projects.

Kareena gathers her team together to review the treatment strategies for the risk of delivery delays. She utilises a SMART review, focusing on targets that are:
• Specific
• Measurable
• Achievable
• Relevant
• Time Referenced

The outcomes are shown in Figure 1 over the page. Next, the team reviews the risk management process as a whole. The outcomes are shown in Figure 2 over the page.

On completion of these reviews Kareena will ensure the documented reports are distributed to relevant people within the organisation so lessons learned can be incorporated across all parts of the business. She will then ensure all documents are securely filed.

If Kareena and her team had found the risk treatment strategies had been inappropriate or ineffective, she and her team would have undertaken a more detailed review of all aspects and every stage of their risk management processes to identify where and why the strategies hadn’t achieved their objectives, e.g. was the problem poor initial risk identification, classification, inappropriate treatments identified, poor implementation, or a combination of various factors?

Figure 1: Risk Treatment Review Progress Report

| Risk Treatment | SMART Goal(s) | Progress | Date Reviewed | Name | Recommendations |
|---|---|---|---|---|---|
| Equipment | 98% uptime on all equipment each day | Not Required | Daily | Kareena | Monitor equipment failure on a daily basis |
| Staffing | 99% staff at work each day | Not Required | Weekly | Kareena | Review staffing levels weekly |
| Raw materials | 100% raw materials available at all times | Not Required | Daily | Kareena | Consider lead time for raw materials and check with manufacturer weekly |
| Product fault | 2% fault rate on all products | Implemented | Daily | Kareena | Complete QA on random samples daily |
| Security measures | 100% security on all product lines | Implemented | Weekly | Kareena | High risk from competitors |
| Bulk-buy Incentives | 98% retention rate of all customers | Not Required | Prior to Launch | Kareena | Ensure no opportunities for competitors |

Figure 2: Risk Management Review Report

| Number | Procedure to be Reviewed | Comments | Review Date | Review Team | Review Action | Sign as Complete |
|---|---|---|---|---|---|---|
| 1 | Identify Risks | No further risks were identified | Project Completion | Quality Assurance | Nil | QAT |
| 2 | Evaluate Risks | Number of competitors in the market has increased. One supplier of raw materials has ceased trading | Project Completion | Quality Assurance | Monitor competitors; utilise new supplier | QAT |
| 3 | Treat Risks | Implement bulk buy incentives as standard practice | Project Completion | Quality Assurance | Implement | QAT |

Activity

1. Identify the ways your organisation reviews its risk management system. How effective do you think it is? In view of the matters dealt with in this content guide, how would you suggest improvements?
2. How does your organisation communicate to its employees the issues, e.g. results and problems, related to the management of risk?
3. Does your organisation have an audit process that analyses risk in its operation in a formal or systematic way?
4. How would you either improve your organisation’s monitor and review system, or implement such a system in your organisation? What particular challenges would you face in either process?

You have reached the end of this learner guide