
IDENTIFY RISK AND APPLY RISK MANAGEMENT PROCESSES

Tony Rizk Smart Academy

22 April 2009

Session 1: Identify risks

Risk in an organisational setting


Risk is unavoidable and a natural part of virtually every human situation. It is present in our daily lives, when we are awake or asleep, and in both public and private sector organisations. Risk management is about being pre-emptive, rather than reactive. Any manager should actively seek to identify and determine how to prevent risk from happening. This may mean modifying current processes, practices, thinking or systems to maximise our chances of success while minimising the factors that may promote failure, injury or loss.

Risk and its management


Risk can be defined as the combination of the probability of an event and its consequences (ISO/IEC Guide 73:2002 Risk Management). Risk management is the process of identifying potential negative events and the development of plans to mitigate or minimise the likelihood of the negative event occurring and/or the consequences resulting if that event did occur.

Risk factors
Risks may include such factors as:
- Occupational health and safety (including disease)
- Environmental
- Product failure
- Financial or economic loss/failure
- Damage to property/equipment
- Industrial disputes
- Professional incompetence
- Natural disasters
- Security failure
- Equipment/system failure
- Breaches of privacy

Risks may need to be managed to:
- Avoid creating more risk
- Sort negative from positive risks
- Decrease unexpected and unwanted events
- Develop an operational and organisational profile of existing risks
- Decrease possible vulnerabilities
- Increase preparedness for unexpected and unwanted events
- More efficiently prioritise the treatment of risks
- Avoid waste, errors or defects that may result from untreated risks
- Protect people and customers from harm
- Control risks
- Build risk management into its culture

Risk and levels within the organisation

Risk management can occur at all levels of management and operations. This includes:
- Strategic level: spans across functions, products and services, and customers.
- Operational level: within a function, operational area, or specific markets, customers, processes, products and services.
- Team/task level: within a team, occupational, professional or specific job role.

Risk management process

The risk management process is "the systematic application of management policies, procedures and practices to the tasks of communicating, establishing the context, identifying, analysing, evaluating, treating, monitoring and reviewing risk" (AS/NZS 4360:2004, page 5).

Risk Management Process

Establish goals and context

At this first stage, establish the external and internal risk management context in which the overall risk management process will take place. Establish categories and criteria against which risk will be evaluated and which shape later risk analysis activities. The alignment of criteria against goals and objectives (organisation, operational or project) will set the scope for the risk management process and guide how actions at all stages of the process can later be evaluated. It is at this stage that a study of the environment should occur. This will confirm whether the risks being addressed result from factors that are external and/or internal to the organisation.

Identify risk
This stage is the first of the three steps associated with risk assessment. At this stage, identify where, when, why and how events could prevent, degrade, delay or enhance the achievement of the objectives. It is important to specifically classify (identify and code) risks and confirm the source and impact of each risk so that treatment strategies can later be shaped correctly.

Analyse risks
This stage is the second of the three steps associated with risk assessment. At this stage, identify and evaluate existing controls. Determine the consequences and likelihood and therefore the overall rating for the level of risk. This analysis should cover the range of potential consequences and how they could occur.

Evaluate risks
This stage is the fourth stage in the risk management process and the final step in risk assessment. At this stage, determine whether the risks are acceptable or unacceptable. Compare estimated levels of risk against the pre-established risk categories and criteria, and consider the balance between potential benefits and costs. The level of risk will need to be considered so as to determine who has the authority to treat the risk. Given that person's authority, the evaluation stage will inform the treatments required and their priorities.

Determine the treatments for the risks

Develop and implement specific and cost-effective options and action plans for treating a risk. This includes considering how to monitor and review any treatments.

Monitor and report on the effectiveness of risk treatments

It is necessary to monitor the effectiveness of all steps in the risk management process. This is important for both innovation and continuous improvement. Risks and the effectiveness of treatment measures need to be monitored to ensure that changing circumstances or contextual matters (e.g. goals, operating environment, etc.) don't alter priorities or a treatment plan.

1. Identify the context for risk management

Goals and objectives

While the structure of a team or an operational area may vary, generally the variance is due to their purpose. However, the purpose of the team will be established in the organisation's vision and its goals and objectives. Some key questions a manager will need to answer before they start to identify risks include:
- What goals and responsibilities has the team been allocated?
- How will success be measured?
- What exists now and what are we supposed to be doing?
- What impact does this team have on the business and stakeholders?
- What deliverables are required and when?

Risk categories and criteria

The risk categories can vary from organisation to organisation. Typically they will establish clear boundaries between different operational aspects where a risk may impact. They may relate to:
- People
- Processes
- Compliance
- Financial
- Safety
- Customer satisfaction, etc.

The criteria should be the direct translation of the categories and provide a tangible basis against which the manager can evaluate an identified risk to determine if it requires treatment or control. Criteria should also help to measure and monitor how risk management will impact goals or stakeholder requirements.

Example risk categories and criteria

Consult and communicate with stakeholders

Risk communication and responses

Defining a stakeholder
Core or primary stakeholders are those who are directly involved in the process of delivering the outcomes being sought or will be positively or negatively affected by the outcomes being sought. Non-core or secondary stakeholders are those who are indirectly involved in the process of achieving the outcomes or may be indirectly affected by the outcomes being sought.

Stakeholder analysis
Managers studying stakeholders should complete the following:
- Identify stakeholders
- Sort and prioritise stakeholder interests
- Visualise stakeholder relationships to the team/business unit
- Identify each person's or group's power and influence

Identify risks

Key questions for identifying risks

This goes beyond thinking there may be a risk to actually answering the following questions:
- What can happen?
- Where can it happen?
- How and why could it happen?
(AS/NZS 4360:2004: page 13)

Components for risk identification

The various components for the identification of a risk:
- Source: that which can potentially harm or assist in causing damage to a person, property, business etc.
- Event or incident: something that occurs which leads to the source of risk being able to inflict harm or have an adverse effect.
- Consequence: the impact or outcome due to the event taking place and inflicting on the person, property, business etc.
- Cause: the why of the risk, for example: was design to blame, human error, incorrect procedure, lack of training, a new competitor, insufficient knowledge.
- Controls: controls are what you put in place to manage the risk in an effective way, whether they are policies, systems, machinery or technology.
- When and where: simply put, when the risk could occur and also where the risk could occur. For example, in an aged care facility, slips are most likely to occur in the kitchen after the floor has been mopped.

Identification of prospective risks

The most effective means of identifying prospective risks can include:
- Brainstorming sessions
- Five Why analysis
- Five W analysis
- Task analysis
- SWOT (strengths, weaknesses, opportunities and threats) analysis
- PEST (political, economic, societal and technological) analysis
- Research, such as conducting interviews with relevant people and/or organisations, or forecasting environmental and market constraints
- A range of standard problem solving and decision making tools and techniques (e.g. cause and effect diagram)

SWOT analysis

PEST analysis

Documenting risk identification

According to the AS/NZS 4360:2004 standard, risk identification needs four core pieces of information:
- Risk reference
- Risk classification (type)
- Source of risk
- Impact of risk

The Risk Management Plan

The risk management plan has five main parts:
- RMP1 Contextual information
- RMP2 Risk Register
- RMP3 Risk Assessment
- RMP4 Risk Treatment Plan
- RMP5 Risk Action Plan

Sorting stakeholders
The two dimensions represent the extent to which the stakeholder has:
- Power to influence outcomes and the capacity to impose their will on the image or outcomes the organisation seeks.
- Interest, whether real or believed: a legitimate need (business or personal) to be involved.

Stakeholder commitment

Session 2: Analyse and evaluate risks

Risk analysis
It is at the risk analysis stage of the risk management process that each risk is rated, taking into account factors that will operate to control the risk. In consultation with stakeholders (internal and external), the analysis of risk has to determine the answer to three questions:
- How serious are the consequences if the risk occurs?
- What is the likelihood of the risk occurring?
- What is the level of risk?

Determine consequences

Level  Descriptor     Example detail description
1      Insignificant  No operational impact
2      Minor          Minimal disruption to operational capability
3      Moderate       Interruptions to operations
4      Major          Loss of operational capability
5      Catastrophic   Loss of operational continuity

Determine likelihood
Likelihood = probability x exposure

Level  Descriptor       Example detail description
1      Highly unlikely  May occur only in exceptional circumstances
2      Unlikely         Could occur at some time
3      Possible         Might occur at some time
4      Likely           Will probably occur in most instances
5      Very likely      Is expected to occur in most circumstances

Estimating the level of risk

Risk = consequence x likelihood

Risk assessment matrix

Control
Control of risk relates to the treatments or plans put in place to reduce the likelihood and/or the consequence of a risk happening. Existing controls may already be in place and involve stakeholders.

Evaluate Risk

Determine priorities
Having completed the initial risk analysis, it is now possible to determine how each risk should be prioritised. This involves two main actions:
- Set priorities. This can be done by comparing the analysis of each risk against the original criteria set for the risk management exercise. The criteria confirm how each risk is impacting goals and the operational context.
- Determine if the risk is acceptable or unacceptable. This follows on from setting priorities, but here we clearly indicate if the risk is acceptable or not. This will involve making a decision based on the evaluation of the risk level and the benefits derived from managing the risk versus doing nothing.

Sort risks

Acceptability   Risk level
Acceptable      Low and possibly Moderate
Not acceptable  High and Extreme

Risk acceptability and need for treatment
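The following is an added worked example, not part of the original slides, that turns the analysis and evaluation steps above into a small risk register scorer: it records the four core identification fields (reference, classification, source, impact), applies Risk = consequence x likelihood to the 1-5 levels from the two tables, and sorts each risk into acceptable or not acceptable as the "Sort risks" table does. The numeric bands that map the 1-25 product onto Low/Moderate/High/Extreme are an assumption, since the slides' risk assessment matrix is not reproduced here; the sample register entries are constructed.

```python
"""Risk register scoring helper (added example; not from the original slides).

Applies the slides' rule Risk = consequence x likelihood to 1-5 levels, maps the
product to a rating and decides acceptability per the "Sort risks" table.
The RATING_BANDS are an ASSUMPTION standing in for the organisation's matrix.
"""
from dataclasses import dataclass, field

# Consequence and likelihood descriptors as given in the slides' tables.
CONSEQUENCE = {1: "Insignificant", 2: "Minor", 3: "Moderate", 4: "Major", 5: "Catastrophic"}
LIKELIHOOD = {1: "Highly unlikely", 2: "Unlikely", 3: "Possible", 4: "Likely", 5: "Very likely"}

# ASSUMED bands for the 1..25 product (inclusive); replace with your own matrix.
RATING_BANDS = ((1, 4, "Low"), (5, 9, "Moderate"), (10, 16, "High"), (17, 25, "Extreme"))


@dataclass
class Risk:
    """One register entry: the four core identification fields named in the
    slides (reference, classification, source, impact) plus the analysis inputs."""
    reference: str
    classification: str
    source: str
    impact: str
    consequence: int  # 1..5 level from the consequence table
    likelihood: int   # 1..5 level from the likelihood table
    existing_controls: list = field(default_factory=list)

    def __post_init__(self):
        # Reject levels outside the tables rather than silently scoring them.
        if self.consequence not in CONSEQUENCE:
            raise ValueError(f"consequence level must be 1-5, got {self.consequence}")
        if self.likelihood not in LIKELIHOOD:
            raise ValueError(f"likelihood level must be 1-5, got {self.likelihood}")


def risk_score(consequence: int, likelihood: int) -> int:
    """Risk = consequence x likelihood (the slides' formula)."""
    return consequence * likelihood


def risk_rating(score: int) -> str:
    """Map a 1..25 score to Low/Moderate/High/Extreme using the assumed bands."""
    for low, high, name in RATING_BANDS:
        if low <= score <= high:
            return name
    raise ValueError(f"score {score} is outside 1-25")


def is_acceptable(rating: str, moderate_acceptable: bool = True) -> bool:
    """Sort risks: Low (and possibly Moderate) acceptable; High and Extreme not.
    Whether Moderate is accepted is the organisation's decision, hence the flag."""
    if rating == "Low":
        return True
    if rating == "Moderate":
        return moderate_acceptable
    return False


def prioritise(register: list) -> list:
    """Order for treatment: highest score first, larger consequence on ties,
    then reference so the ordering is reproducible."""
    return sorted(register, key=lambda r: (-risk_score(r.consequence, r.likelihood),
                                           -r.consequence, r.reference))


def evaluate(register: list, moderate_acceptable: bool = True) -> list:
    """Return (reference, score, rating, acceptable) rows in priority order."""
    rows = []
    for r in prioritise(register):
        score = risk_score(r.consequence, r.likelihood)
        rating = risk_rating(score)
        rows.append((r.reference, score, rating, is_acceptable(rating, moderate_acceptable)))
    return rows


# Constructed sample register (hypothetical entries; classifications are taken
# from the slides' list of risk factors).
SAMPLE_REGISTER = [
    Risk("R-01", "Security failure", "File share reachable without authentication",
         "Loss of operational capability", consequence=4, likelihood=3,
         existing_controls=["Network firewall"]),
    Risk("R-02", "Breaches of privacy", "Customer records sent by unencrypted e-mail",
         "Interruptions to operations", consequence=3, likelihood=2,
         existing_controls=["Staff privacy training"]),
    Risk("R-03", "Equipment/system failure", "Single power supply in dispatch server",
         "Minimal disruption to operational capability", consequence=2, likelihood=2),
    Risk("R-04", "Natural disasters", "Flooding of the ground-floor plant room",
         "Loss of operational continuity", consequence=5, likelihood=1),
]

if __name__ == "__main__":
    for ref, score, rating, ok in evaluate(SAMPLE_REGISTER):
        print(f"{ref}  score={score:2d}  rating={rating:8s}  "
              f"{'acceptable' if ok else 'NOT acceptable: treat'}")
```

Running the script lists the constructed register in treatment priority order, with the High-rated security failure first and the two Moderate entries flagged acceptable only while `moderate_acceptable` is left at its default.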

Session 3: Treat risks

Treat risks
Risk treatment involves identifying and selecting from a range of options, then implementing what needs to be done to treat a risk. A risk treatment plan should be established that will not only establish what needs to be done and by when, but how this approach will complement existing controls and other risk treatments.

Risk treatment flowchart

Risk treatment options

Treatment options typically include:
- Avoiding the risk
- Reducing the likelihood of the risk
- Changing the consequences of the risk
- Transferring the risk
- Retaining the risk

Inclusions in a risk treatment plan

The purpose of a treatment plan is to document and report how the chosen options will be implemented. According to AS/NZS 4360:2004 the treatment plans should include:
1. proposed actions;
2. resource requirements;
3. responsibilities;
4. timing;
5. performance measures; and
6. reporting and monitoring requirements
(AS/NZS 4360:2004: page 22)

Control measures
There are two kinds of risk control strategies:
- Pre-planned: preventative strategies adopted prior to risk occurrence. For instance, a major catering operation for an airline identified that staff were being exposed to safety hazards handling hot food as it was transported from the oven to be packaged into the onboard hot food catering trolleys.
- Situational: highly contextual, responsive strategies based on feedback on day-to-day activities. For example, a furnace operation used situational control strategies to reduce risk.

Session 4: Monitor and review effectiveness of risk treatments

Monitoring risks
Monitoring and review occurs at two levels within the risk management process. Firstly, it occurs at the level where the implementation of a risk treatment is monitored and reviewed. This is to ensure risk management is both sustainable and effective. The second level of monitoring and review needs to occur on a continuous basis to support improvement to all five stages within the risk management process.

Risk treatment flowchart Monitoring and review

Use review results to improve risk treatment

Standard risk management planning templates or treatment forms will usually include the headings:
- Risk
- Level of risk
- Treatment
- Treatment objectives
- Action plan (milestones, dates, and responsible person)
- Status (progress)
- Dates

To facilitate monitoring, risk management plans will usually include:
- Who has responsibility for approval, implementation and monitoring of the plan
- What resources are to be utilised
- Resource requirements (i.e. budget allocation, full-time equivalent work hours, personnel, etc.)
- Details of when to do reviews and the status of progress for each review

Examples of risk objectives for a given category of risk

Risk category                   Example of risk objective
Operations                      Less than 2% of all orders received in a calendar month will be rejected
Financial impact                Costs must remain within 1% of the allocated budget
Brand protection                All licensees attend formal legal briefing on their obligations and legal ramifications of any breaches to copyright
Timing                          Customer deliveries within the nation must occur within 36 hours of the order being received
Compliance                      All engineers will report maintenance actions according to the CSA3224 regulatory requirements
Staff management                The person allocated the responsibility as shot firer must be assessed and deemed competent every 12 months in the 4 core role competencies
Environment, Health and Safety  Dispatch operations seek to ensure nil injuries occur that require treatment in the next 6 months

Auditing risk
The use of an independent risk auditor can promote:
- Objective review that adopted treatments resulted in what was intended
- Consistency of reviews over time
- Observations based on past practices and experiences elsewhere
- Measurement of progress across multiple risk management plans and treatments within the organisation
- Use of independent benchmarks
- Consolidated data collection and storage
- Translation into action by senior managers
- Recommendations for improvement to the risk management process
- Compliance reports that external regulators may accept
- Review of policies, procedures and processes not within the control of any one manager
- Integration of risk management across multiple organisations (e.g. in a supply chain)

Six step approach to monitor and review risk management

Step One: Establish the Risk Management Plan actions and monitoring requirements
Step Two: Measurement of risk control and status
Step Three: Analyse historical data
Step Four: Align risk management to strategic outcomes
Step Five: Gain commitment of employees
Step Six: Monitor and report progress