Ross Woods, rev. 2011, '21
In the wider sense of the term, a risk is any kind of potential or actual problem that you might need to do something about. In fact, even if you can't do anything about a risk, you still need to list it. Risks are either strategic, affecting long-term plans and goals of the whole organization, or operational, affecting day-to-day activities.
Put another way, risk management is asking "What could go wrong?" and then eliminating or minimizing harm.
Risk management has various benefits. It provides a structured basis for strategic planning and improves the quality of decision making, encouraging pro-active rather than reactive management. Consequently it enhances the effectiveness and efficiency of operations and safeguards assets in people, finance and property. It can prevent litigation and insurance claims.
Risks include:
In a college, examples of risk include:
Other areas where risks are often analyzed include the following:
At its simplest, risk management is about systematically identifying potential problems and doing something about them. Risk management is a systematic process of:
It is normally related to a strategy, plan, or program of some kind. It usually enables the organization to minimize losses. Risk management in planning also helps to maximize opportunities by comparing the risks in different scenarios.
The risk management standard AS/NZS 4360:1999 is a generic framework for managing risk. It differs from older approaches by the additional element of context. It comprises the following elements:
This e-book meets this standard.
What is expected of you?
If you can describe your operating environment, you stand a better chance of identifying more risks. You might really only understand it later on in the process, in which case you might want to go through the cycle again.
You can use a variety of methods to help you identify risks. If it's a real risk that really affects what you do, you need to put it in writing. It doesn't necessarily matter if risks never materialize, because you still need to identify important risks and put contingency plans in place. Moreover, fairly improbable scenarios might be so devastating that you still need to have counter-measures.
A problem in identifying risk is that you probably want to write the kinds of things that admin want to hear. You discount your real difficulties. For example, you might identify a chance that you could be sued for something. It's a theoretical possibility that admin will want to know about. So you feel good about reporting it, and so you should.
But at the same time, you are losing sleep over a difficult problem. You can't see a way through and there's nobody around who can give you the kind of specialized advice you need. You feel it's your responsibility and don't want to identify it as a risk. The great temptation is to hide it from admin and handle it informally or ignore it. But it's probably urgent that you report the problem so that something gets done ASAP. The moral of the story is: the real problems are the problem.
So, the point is, report a problem if it affects you. Next, how to investigate risks.
The following documents may reveal different kinds of risks:
Include brainstorming with people who know your organization and its business.
Look through your systems and look for the weakest points.
Speak with an insurance broker. They are (or should be) experts in risk, because that's what they sell insurance for. An insurance broker is better than a one-company salesperson, because he/she is familiar with a wide range of products for different risk scenarios.
Just check your search words to get better quality hits.
Meet with a wide range of stakeholders and put their comments in writing. It is often important to include both people from inside your organization and people from outside it. Include the insurance company or an insurance broker with industry-specific experience.
You may want to run formal meetings and keep minutes.
Interviews and formal meetings also help get people on-side by showing that you are listening to them and that you are really trying to do a good job and prevent possible problems.
Hint: Unless you're looking at only WHS risks, beware the word "risk" because many people think only of WHS. It is often better to ask "What might go wrong?"
A site inspection can reveal many potential problems. (That's why you should never hire an event venue without inspecting it yourself.)
Draw a chart of all that is supposed to happen and look for inconsistencies.
Reference: How Eventive! 2005
The way you define serious risk will of course depend on the kind of risk being assessed. (The trend, perhaps not a healthy one, is to define most non-WHS risk in dollar values.)
What's the difference between acceptable and unacceptable risk for your organization?
Assessing risk means determining how serious it is. The way to do it is in terms of:
This fits on a graph like this:
| Probability of occurrence (rows) / How much harm (columns) | Very little harm | Medium harm | Very serious harm |
|---|---|---|---|
| Very probable | | | |
| Medium | | | |
| Very improbable | | | |
This gives a risk rating. The example below is simple because it has only three levels of harm and probability:
In a diagram it looks like this:

| Probability of occurrence (rows) / How much harm (columns) | Very little harm | Medium harm | Very serious harm |
|---|---|---|---|
| Very probable | Medium risk | High risk | Very high risk |
| Medium | Low risk | Medium risk | High risk |
| Very improbable | Very low risk | Low risk | Medium risk |
However, most risk diagrams have five levels of probability and five levels of harm, so the diagram looks like this:
| Probability (rows) / Harm (columns) | Very little harm (1) | Little harm (2) | Medium harm (3) | Serious harm (4) | Very serious harm (5) |
|---|---|---|---|---|---|
| Very high probability (5) | Medium risk | Medium to high risk | High risk | High/Very high risk | Very high risk (25) |
| High probability (4) | Low to medium risk | Medium risk | Medium to high risk | High risk | High/Very high |
| Medium probability (3) | Low risk | Low to medium risk | Medium risk | Medium to high risk | High risk |
| Low probability (2) | Low/very low risk | Low risk | Low to medium risk | Medium risk | Medium to high risk |
| Very low probability (1) | Very low risk (1) | Low/very low risk | Low risk | Low to medium risk | Medium risk |
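
The five-by-five diagram can be applied mechanically to a risk register. The sketch below is an added example, not part of the original e-book; the sample entries are constructed, and the acceptable-score threshold and the handling of a zero probability as "No risk" are assumptions.

```python
# Band names are copied from the five-by-five diagram. Each band lies on a
# diagonal where probability + harm is constant; the score shown in the
# corner cells (1 and 25) is probability x harm.
BANDS = {
    2: "Very low risk", 3: "Low/very low risk", 4: "Low risk",
    5: "Low to medium risk", 6: "Medium risk", 7: "Medium to high risk",
    8: "High risk", 9: "High/Very high risk", 10: "Very high risk",
}


def rate(probability, harm):
    """Return (score, band) for levels on the diagram's 1-5 scales."""
    if harm not in range(1, 6):
        raise ValueError("harm must be 1-5")
    if probability == 0:
        # Assumption: an event that cannot happen scores 0 and needs no action.
        return 0, "No risk"
    if probability not in range(1, 6):
        raise ValueError("probability must be 0-5")
    return probability * harm, BANDS[probability + harm]


def build_register(entries, acceptable_score):
    """Score every entry and list the most serious first.

    acceptable_score is a hypothetical threshold set by the organization;
    any score above it is flagged as needing a control.
    """
    rows = []
    for name, probability, harm in entries:
        score, band = rate(probability, harm)
        rows.append({"risk": name, "score": score, "band": band,
                     "needs_control": score > acceptable_score})
    return sorted(rows, key=lambda r: r["score"], reverse=True)


# Constructed sample entries: (description, probability, harm)
SAMPLE = [
    ("Enrolment forms not handed in", 4, 4),
    ("Outdoor event rained out", 3, 2),
    ("Office flooded", 1, 5),
    ("Event that cannot happen", 0, 5),
]

if __name__ == "__main__":
    for row in build_register(SAMPLE, acceptable_score=6):
        flag = "CONTROL" if row["needs_control"] else "accept"
        print(f'{row["score"]:>2}  {row["band"]:<20} {flag:<8} {row["risk"]}')
```

In the sample, the flooded office (1 x 5) scores 5 but sits in the Medium band, while the rained-out event (3 x 2) scores 6 in the Low to medium band, so ranking by score and ranking by band can disagree.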
These examples are all taken from WHS:
Amount of harm: | Very serious (Serious falls, especially elderly people) | Score: 3 |
Probability: | Very probable | Score: 5 |
Risk level: | Medium risk | Final score: 15 |
What to do: Mop up as much as possible. Put caution signs out until floor is dry.
Amount of harm: | Serious | Score: 4 |
Probability: | Low | Score: 2 |
Risk level: | High risk | Final score: 8 |
What to do: Regularly rotate workers between jobs.
Amount of harm: | Very serious (planetary destruction) | Score: 5 |
Probability: | Zero | Score: 0 |
Risk level: | No risk | Final score: 0 |
What to do: Nothing.
Amount of harm: | Medium (injuries) | Score: 3 |
Probability: | High probability | Score: 5 |
Risk level: | Medium to high risk | Final score: 15 |
What to do: Put non-slip edges on stairs.
Controlling risk is normally called "manage the risk."
You will be asked to manage risks, that is, take whatever steps are necessary to solve the problem and prevent negative consequences. Ask whether your risk control will solve the problem. In many cases, this means identifying how much risk is acceptable. Be sure that a controlled risk is not unacceptably high.
You must record your risk management. We recommend using a form or database designed for the purpose.
Did the risk management solve the problem? What further steps need to be taken? You will need to periodically update records. (Out of date records are no help to anyone.)
The rationale certainly follows a step by step process, but I'm not sure that it's really that simple. You can't simply assume that you will finish a step and then move on to the next one. You may need to go back and revise.
It's more like:
A. Go through steps 1 - 7.
B. Check the whole document is well-researched and consistent. You may need to revise some of those steps depending on the other steps.
C. Make your risk management an ongoing process of research, planning, implementation, and review.
Our steps are as follows:
Steps 1 and 2 are "Define your task" and "Identify your context." What if you find risks later on that are borderline, nearly outside your scope? You may need to redefine your scope. Depending on what you find later on, you may need to come back and have a better look at your context.
Step 3. Identify and record your risks. But you might find more risks later on, too.
Step 4. "Define serious risk." You will need to check it later on and perhaps revise your definition.
Step 5. "Define the difference between acceptable and unacceptable risk for your organization." You will need to check it later on and perhaps revise your definition.
Step 6. "Assess your risks." Keep your assessment under review because you might need to re-assess when you learn more about it.
Step 7. "Control the risk."
Step 8. "Monitor the risk and check the outcome." In other words, keep steps 1-8 under review. You might need to update them as you learn more about them.
Look at a variety of different scenarios and consider which ones are probable, especially with combinations of things that could go wrong. In other words, envisage a range of scenarios, evaluate their probability, and evaluate the ramifications of each.
Scenario Analysis is a way of exploring what might happen in unpredictable circumstances. It is one of the best approaches for analyzing risks in possible disasters and emergencies, because you need to identify risks even if they never materialize, think through the issues, and make detailed plans before anything might happen.
If you can do a better job of considering possible outcomes and exploring the implications of each, you can make more informed plans, so making good decisions under pressure will be easier.
The steps in Scenario Analysis are:
Quality standards mention many kinds of requirements for managing programs:
Quite clearly, four of these are all the same thing, that is, quality management, marked *.
That leaves us with three:
Moderation is simply managing risks relating to inconsistency in assessment and it often involves review and improvement. So it's really the same thing too.
So that leaves us with two:
These are also actually the same thing, which means that you only need to carry out and document the process once. However, the terminology is a little different. Risk managers use the terms "Identify and record the risk, Determine the seriousness of the risk, Manage the risk, Check the outcome." In contrast, quality managers use the terms "Review the program and identify improvement needs, Select priority needs for improvement, Implement changes, Check the outcome."
Somebody noticed that some paperwork wasn't getting through. Staff members either didn't fill in the forms correctly or didn't hand them in at all. Admin people got frustrated, brought it up in a staff meeting and called it a risk. They put it in the staff meeting minutes. (Step one: Identify and record the risk.)
They identified the possible consequences of the problem. Several students would be deemed to have dropped out and become ineligible for graduation. This was serious. It had already happened and could easily have happened again. In fact, it probably would have if things hadn't been changed. (Step two: figure out how serious it was by looking at the extent of harm and comparing it with the likelihood of occurrence.)
The staff meeting proposed to fix the problem. (Step three: Manage the risk) They found that teaching staff were confused and frustrated by the many forms.
First, the admin staff agreed to see whether the number of forms could be reduced and the forms made clearer and more user friendly. The admin staff also agreed to revise the forms and make the process more efficient and less confusing. They'd also consider whether electronic submission would meet their needs.
Second, they suggested a professional development session. They planned to get all staff together for a session to go through the procedure and paperwork, explaining its purposes, what information the admin people needed and why, how it worked, and what was required in terms of paperwork. They also planned to go through the new forms, asking for comments and suggestions, and revising them.
Third, they revised the induction folder for new staff, so that incoming staff understood the requirements.
They put this into practice and found that it worked. The teaching staff actually made a few more minor changes. And admin still needed to remind a few people from time to time.
At the next full staff meeting, they agreed that the steps taken basically worked very well. The program is now better. Admin and teaching staff are both generally pleased, and there are no students asking admin about discrepancies in their end of semester results letters. (Step four: monitor the risk and check the outcome.)
Cited from Paul Bullen "Management Alternatives for human services" (www.mapl.com.au/risk/risk3.htm)
Below are examples of risks in community organizations and possible responses to those risks. The list of risks is not comprehensive.
| Area of Risk | Examples | Response | Type of response |
|---|---|---|---|
| Governance | The governing body might not meet its responsibilities | Training and orientation; Director's insurance | Reduce risk through changed practice; Transfer risk |
| Strategic directions | The organisation may lose its way in a constantly changing environment | Strategic planning | Reduce risk through changed work practice |
| Professional risks | Staff may not be professionally competent | Recruitment and selection procedures; Orientation program; Supervision | Reduce risk through changed work practice |
| | Clients may receive an inappropriate service causing harm | Professional indemnity insurance | Transfer risk |
| | Clients' homes might be the site of potential violence | Don't do home visits where there is a risk of violence | Avoid risk through not providing service |
| | Staff may not understand what they need to do in a given set of circumstances | Organisational manual | Reduce risk through changed work practice |
| Physical risks | Office equipment may be unsafe | Occupational health and safety committee and processes | Reduce risk through changed work practice |
| | Staff or clients may be involved in a car accident | Insurance | Transfer risk |
| Legal | Legal requirements may not be met | Register of all relevant legislation; Compliance plan | Avoid risk through compliance |
| Financial risks | Finances may be insufficient to meet operational expenses | Financial planning | Reduce risk through changed work practices |
| | Fraud | Financial systems; Audit | Reduce risk through changed work practices |
| | Fraud | Insurance | Transfer risk |
| Property | Fire | Provision of fire extinguishers; Marked exits; Insurance | Reduce risk through changed work practices; Transfer risk |
| | Earthquake | Insurance | Transfer risk |
| Environmental | Tree damage to buildings from fallen trees or branches | Tree maintenance plan | Reduce risk through changed work practices |
| | Tree damage during storm | Insurance | Transfer risk |
| | Earthquake | Insurance | Transfer risk |
| | The community B-B-Q will be rained out | Halls on stand-by | Contingency planning |
Template for a basic risk register for general risks (.docx file)
General Building Safety Review Form for a general WHS inspection in an office environment (.docx file)
General business risks (.docx file)