Note: BSBRSK501 Manage risk supersedes and is equivalent to BSBRSK501B Manage risk
About BSBRSK501 Manage risk
Application
This unit describes skills and knowledge required to manage risks in a range of contexts across an
organisation or for a specific business unit or area in any industry setting.
It applies to individuals who are working in positions of authority and are approved to implement
change across the organisation, business unit, and program or project area. They may or may not
have responsibility for directly supervising others.
No licensing, legislative or certification requirements apply to this unit at the time of publication.
Unit Sector
2.2 Research risks that may apply to scope
2.3 Use tools and techniques to generate a list of risks that apply to
the scope, in consultation with relevant parties
3. Analyse risks
3.1 Assess likelihood of risks occurring
Foundation Skills
This section describes language, literacy, numeracy and employment skills incorporated in the
performance criteria that are required for competent performance.
Reading (performance criteria 1.1, 1.4, 1.5, 2.2)
• Comprehends a variety of relatively complex texts
• Gathers, interprets and analyses textual information from a range of sources to identify relevant information
Writing (performance criteria 1.6, 1.8, 2.1, 2.3, 4.3)
• Develops textual material and organises content in a manner that effectively documents risk management analysis and assessment priorities and processes
understanding
Interact with others (performance criteria 1.8, 2.1, 2.3, 4.3)
• Establishes and uses appropriate conventions and protocols when communicating with stakeholders about risk management
• Consults and negotiates with stakeholders about risk management processes and outcomes
Get the work done (performance criteria 1.2, 1.3, 1.5, 1.7, 2.1, 2.2, 2.3, 3.1, 3.2, 3.3, 4.1, 4.2, 4.4, 4.5, 4.6)
• Sequences and schedules a range of routine and complex activities, monitors implementation, evaluates processes and manages relevant communication
• Systematically analyses information to decide on appropriate risk management treatments
• Uses digital technologies and systems to access information, document plans and communicate with others
Performance Evidence
• analyse information from a range of sources to identify the scope and context of the risk management process including:
o stakeholder analysis
o political, economic, social, legal, technological and policy context
o current arrangements
o objectives and critical success factors for the area included in scope
o risks that may apply to scope
• consult and communicate with relevant stakeholders to identify and assess risks, determine appropriate risk treatment actions and priorities and explain the risk management processes
• develop and implement an action plan to treat risks
• monitor and evaluate the action plan and risk management process
• maintain documentation.
Note: If a specific volume or frequency is not stated, then evidence must be provided at least once.
Knowledge Evidence
To complete the unit requirements safely and effectively, the individual must:
• outline the purpose and key elements of current risk management standards
• outline the legislative and regulatory context of the organisation in relation to risk management
• outline organisational policies, procedures and processes for risk management.
Risk Management1
A risk management framework will help your organisation to identify its risks and to make plans to
reduce potential negative impacts, and to improve the likelihood of beneficial outcomes.
Good risk management practices will:
• help your organisation identify and manage risks effectively
• reduce uncertainty by anticipating and preparing for possibilities and outcomes
• reduce the chance that something will go wrong and reduce the impact if it does go wrong
• improve the organisation’s performance.
For example, applying good financial risk management practices will reduce the risk of losing money
and improve the financial position of the organisation.
Involving stakeholders in your risk management planning and thinking helps to create a risk
management culture. Everyone in the organisation needs to be aware of their roles and
responsibilities and the processes for managing risks.
Involve employees in the process of developing a risk management framework to help improve their
understanding and preparedness to manage the risks they face every day.
Have a plan for how you will communicate with and engage employees, and how they can
participate and provide feedback.
Risk Management is defined in the standard (AS/NZS 4360:2004) as "the systematic application of
management policies, procedures and practices to the tasks of establishing the context, identifying,
analysing, assessing, treating, monitoring and communicating".
It is an iterative process that, with each cycle, can contribute progressively to organisational
improvement by providing management with a greater insight into risks and their impact.
Risk management can be applied to all levels of an organisation, in both the strategic and
operational contexts, to specific projects, decisions and recognised risk areas.
1 Source: Creative NZ, as at http://www.creativenz.govt.nz/assets/ckeditor/attachments/1022/risk_management_toolkit_-_august_2014.pdf?1409203287, as on 11th August, 2015.
2 Source: Southern Cross University, as at http://scu.edu.au/risk_management/index.php/8/, as on 11th August, 2015.
Risk is defined as 'the chance of something happening that will have an impact on objectives'. It is,
therefore, important to understand what the objectives of the organisation unit or your position
are, prior to attempting to analyse the risks.
Before beginning your risk management project, it is important to take the time to review your
organisation’s risk management policies and procedures. Different organisations create different
levels of expectations for risk management strategies, along with the difference between cost
effectiveness and acceptable risk. You will need to know this information so that you can keep your
risk management project in line with the company’s guidelines, goals and objectives.
You may also find that the company’s procedures provide some ideas of specific areas of risk that
you should include within your risk management assessment.
Typically, companies face the same sort of risks repeatedly, with different products, projects or
locations. If it is your company’s standard procedure to include certain types of risks in their
assessments, you will want to be sure to include them in your review.
Commercial relationships
Economic circumstances and scenarios
Human behaviour
Individual activities
Legislation
Management activities and controls
Natural events
Political circumstances
Technology
Another thing to look for, as you are reviewing the company’s risk management procedures, is any
specific formatting requirements for contingency plans. Areas such as emergency services
(Ambulance, Fire, SES and Police departments) are famous for creating contingency plans for many
different potential emergencies.
They always follow the same format in all of their plans. This allows the reader of the plan to quickly
find the information that they need.
In the case of needing to implement a contingency plan, following that standardized format may
save critical minutes in implementation. Instead of the reader having to seek out the information
they need, understand the format of your document and absorb the information that they need to
complete their part of the plan, all they have to do is open the plan to the appropriate section, and
find the information they are looking for.
If there are other risk management assessments that have been done in parallel parts of the
organisation, such as other business units, other locations or for other projects, you may want to
consider getting your hands on a copy of those risk management assessments and plans. While you
shouldn’t just blanket copy their work into yours, there is no reason to duplicate effort that has
already been expended. Often, the risk management plans created for other company facilities can
be adapted to your needs, with only minor modifications. This provides for a cost savings to the
company.
While it is useful to utilize other people’s work in the preparation of your risk management project,
don’t try and take credit for their work. Should you attempt to do so and be caught, it will reflect
poorly on you. On the other hand, if you are up front about using the risk management plan from
Division X of your company, it will appear to upper management that you are working efficiently, not
wasting the company’s resources.
Finally, your organisation’s procedures should provide you with information about how your final
documentation is to be filed; who should receive copies, where they should be located, and how
they should be distributed are all important factors in finalizing your risk management project.
Every risk management project has limitations. It is impossible for one person to address all possible
risks that exist for a company. This process is usually broken down into sub-projects.
It is important to determine the scope of the risk management project first, because there are
always risk factors which arise that are outside the authority of the person or team
performing the risk analysis.
If you try to be all inclusive in your scope, you’ll never complete the project. Each new risk that
presents itself can open the doors for whole new areas of risks to plan for.
The scope that you create or that is assigned to you by the organisation’s policies will create the limits
for your risk management project. Anything that doesn’t fall within that scope is not your
responsibility. That doesn’t mean that you should totally ignore those risks, but only that you should
note them as risks that will need to be dealt with by other teams or individuals.
3 Source: Our Community, as at https://www.ourcommunity.com.au/insurance/view_help_sheet.do?articleid=339, as on 11th August, 2015.
You should forward the list of risks that are outside your scope of risk management to the person
who is responsible for risk management within your organization; this could be the Health and
Safety Rep.
When determining the scope of your risk management process, you need to think along practical
lines that are in agreement with your organisation’s operational plan. Trying to develop a risk
management program that extends across geographical separation, business units or different
projects can be extremely difficult. Realistically, your scope may apply to:
• A given project – some projects require a risk management analysis as part of the project scope
• Specific business unit (division) or area
• Specific functions such as:
o Financial management
o WHS
o Governance
• External environment – for facilities
• Internal environment – also for facilities
• Or, in the case of a small organisation, it can cover the whole organisation
As you proceed in your risk management process, be sure to keep that scope before you. It might be
a good idea to print it out, somewhat like a slogan, and hang it on the wall in front of your desk. That
scope becomes the rule to which you compare every risk you encounter. If it is within the scope, you
deal with it; if it is outside the scope, you pass it on to others.
Questions you need to ask as part of the process of establishing a risk management context for your
organisation can be broken down into two areas: the organisation context and the strategic context.
This involves looking at your organisation's aims, activities, structure, membership and methods of
operation.
Below we have provided examples of some questions you might want to ask, with some answers
supplied for a fictional junior football club, the Joeys, to give you an idea of where to start.
What are the aims and objectives of your organisation?
One way of getting a clearer picture of all the people involved in your organisation is to draw a
simple diagram, starting with a small circle in the centre in which you list the main participators in
your group's activities, and moving outward.
Going through the process of deciding who goes in which circle will help you get a clearer grasp on
what (and who) is important to your organisation.
Also make a note if you allow anyone else to use your facilities - you could be liable if something
goes wrong.
Other questions
Finally, to establish an internal context for your risk management strategy, ask:
What is your organisation currently doing to manage risk, either formally or informally?
What type of insurances does your organisation have (if any)?
What is the legal structure of your organisation? Is it incorporated?
This step involves looking at the environment in which your group operates. The answers to these
questions may involve some research. Some questions you should look at are:
What relationships does your organisation have and how important are these?
It's important for your organisation to recognise relationships you have established with other
parties that are necessary for you to operate. For the fictional football group the Joeys, these might
include players and parents, the league the team plays in, a peak sporting body and councils that
provide facilities they play on. Some of these will be more important than others.
The circle diagram you have already drawn (see above) will help you to define those relationships.
There are a lot of laws and you're supposed to observe all of them. It goes without saying that you're
not supposed to defraud people, discriminate against or harass them, or breach the general
prohibitions applying to everyone. Critically, there are laws that apply particularly to not-for-profit
organisations.
Depending on where you are and what you do, your organisation may also have to comply with
council by-laws.
External trends
In defining your strategic context you should also consider external trends. Some of these are
outlined below (though you will have others that apply to your particular organisation).
• Litigiousness: There is a greater public awareness of legal rights and an increasing tendency for people to take legal action if they feel they have been unfairly treated. Not-for-profits should no longer assume they will be treated leniently by the community or the courts just because they are doing "good work". You must review your legal obligations.
• Higher standards: Volunteers require a greater level of expertise than in the past and, as a result, are becoming harder to find and harder to hold on to. People are also more time-poor than they used to be. What other factors are affecting your volunteer workforce?
• Duty of care: To establish a context in which to consider risks, your organisation must identify its duty of care, and accept it. If you don't feel you can accept that level of responsibility, your group should review its activities.
Establishing a risk management context for your organisation is the first step in the process of
successfully tackling risk management in your organisation. The second step is communicating risk
management.
• Scope statement - This clearly states the project goal, objectives and deliverables.
• Project constraints - These are any limiting factors that prevent the project from moving in a particular path.
• Assumptions - These are aspects that the project manager builds into the scope document to allow for any uncertainties that may occur.
• Tasks list - You need to specify a list of tasks (and deliverables) to be achieved during the project.
• Estimates - You need to make initial estimates in relation to cost, time and human resource requirements.
• Contract statement - This will include the names of those authorised to initiate contract work, sign contracts and completion acceptances.
Risks can be tracked using a simple risk log. Add each risk you have identified to your risk log and
write down what you will do in the event it occurs and what you will do to prevent it from occurring.
Review your risk log on a regular basis, adding new risks as they occur during the life of the project.
Remember, when risks are ignored they don't go away.
4 GR Health, as at http://www.gru.edu/ie/epmo/documents/steptwoplanprojectpdf.pdf, as on 11th August, 2015.
Identifying internal and external stakeholders and their issues
The term “stakeholders” typically refers to the people who have an interest or share in the project.
In the case of risk management we can include anyone and everyone whose lives and businesses can
be negatively impacted by the risks or actions of the business.
This means that stakeholders can be either internal or external. When thinking about stakeholders,
be sure to consider all of the following:
Anyone who could be affected by your company taking a negative turn can be considered a
stakeholder. Not all stakeholders will have the same concerns about how a particular risk might
affect your company. While it is easy to focus on the financial risks, there are a number of other
issues that may concern stakeholders in the case of a crisis striking your company.
The most important of these is the risk to health. This type of risk can be extremely dangerous, even
to the point of death. While that is rare, the risk does exist.
To a large part, risk management deals with unknowns. Nobody can see every possible risk that
exists, nor does the fact that the risk exists mean that it’s likely to happen. However, we can’t just
assume that it won’t either. The more likely a risk is, and the more severe its impact, the more ready
we need to be to deal with it.
Your stakeholders are all the internal and external people and organisations that are involved in, or
influence your organisation’s operation and achievement of objectives.
Your stakeholders influence your organisation’s risks through the potential impact that any change
in their contribution could have. For example, if the priorities of your main sponsor or funder
change, you may face a financial risk. Being reliant on volunteers may be a risk if fewer people
choose to volunteer.
To inform this stage, look at any analysis you have that identifies your strengths, weaknesses,
threats and opportunities (SWOT).
Add other stakeholders your organisation has to the list below.
Internal stakeholders:
• board members
• management team
• employees
• volunteers.
External stakeholders:
• audience, visitors and patrons
• advertisers, media and sponsors
• funders
• members
• public and community
• clients
• contractors and suppliers
• local government (councils / territorial authorities)
• central government (ministers, crown agencies, SOE, regulators etc)
• similar or competing organisations
• suppliers
• emergency services.
Some relationships, such as with major funders, may be more important than others so consider the
effect on the organisation if there was a significant change in any of the stakeholder contributions.
The greater the influence the more important this factor or stakeholder is likely to be when you are
identifying risks in the next stage.
Ask participants in the group to discuss how your stakeholders affect or influence your organisation’s
operation and achievement of objectives and what is the importance and possible consequence of
the influence. The answers to some questions may involve research.
Use the questions below to identify risk factors in relation to each of your stakeholders. Write down
your conclusions about each stakeholder and its influence on the Stakeholder.
Questions to help you identify risk factors:
• What relationships do you have that are necessary for your organisation to operate
successfully?
• What relationship does the organisation have with those stakeholders, what do they contribute
and how important are these?
• How do those stakeholders affect or influence your organisation’s achievement of its purpose
(or the achievement of an event or project)?
• What changes or trends may affect your stakeholders or your operation?
• What perceptions do your external stakeholders have about your organisation and your
activities?
• What are your contractual relationships and obligations?
• What laws, regulations, rules or standards apply to your organisation?
Many factors external to your company can create risks. While you must accept that these exist, and
that they are outside of your control, that doesn’t mean that you should just ignore them, or hope
that they will never be a problem.
Therefore, as part of your risk management analysis, you need to take into account as many outside
influences as you possibly can. These may include:
Political climate
What effect a downturn in the economy will have on your company or project
New applications for existing technologies that can invalidate existing products
How trends, fads and other changes in society can negatively affect your company
Potential upcoming changes in the political climate
The state of the economy
Proposed legislation, and how it can affect your company
New technologies being introduced into the marketplace
Competition
Market demand levels
Growth rates
Technological change
Stakeholder perceptions
Market share
Private sector involvement
New products and services and
Site acquisition
Discount rate
Economic growth
Energy prices
Exchange rate variation
Inflation
Demand trends
Population growth and
Commodity prices
Client problems
Contractor problems
Delays
Insurance and indemnities and
Joint venture relations
Debt/equity ratios
Financing costs
Taxation impacts
Interest rates
Investment terms
Ownership
Residual risks for government and
Underwriting
Visual intrusion
Parliamentary support
Community support
Government endorsement
Policy change
Sovereign risk and
Taxation
Review strengths and weaknesses of existing arrangements
In most cases there will be an established risk analysis from which you will begin. However, even if
you are creating a totally new analysis, there are probably some contingency plans already in
existence.
It is quite possible that there are already plans in existence for some of the risks that you are going
to be working on. If so, there is no reason not to use them. However, if this plan is not strong enough
you will have to revise it.
Realistically speaking, there’s no such thing as a perfect plan. All plans have strong points and weak
ones. Experience in creating plans can help reduce the number of weak points in a given plan, but
the fact that there are too many variables which are outside of your control precludes creating a
perfect plan.
So, once you have identified the risk, there are two general approaches that you can choose from to
begin the decision making process.
Will you:
• Control the risk? That is, take ownership of it, and directly implement strategies to take the risk and deal with it
• Transfer the risk? That is, remove the risk from the organisation or the process within the organisation
When analysing the best control measures for risk, the SWOT questions become:
The SWOT analysis can comprise five major categories and can be compiled using the following
matrix:
When reviewing existing contingency plans, it is helpful to identify which items are flexible and
which are rigid. A good plan will often have the first elements rigid and consistent, so that the
people who have to react to those plans won’t have to think about which option to take. At the
same time, follow-up parts of the plan will have the flexibility to overcome weaknesses caused by
the difference between the expected emergency used in creating the plan, and the actual crisis that
erupts.
For example, let’s say that there is an emergency plan for dealing with weather or natural disaster
damage to a facility. Since the type of weather damage can vary, we really don’t know all the details
of how the facility may be damaged. However, there are some things which should always be done,
for reasons of safety. These can include shutting off the assembly line, shutting off power and
natural gas to the facility, evacuating personnel and a final sweep through the facility to determine
that everyone has vacated. No matter what sort of disaster strikes the facility, these elements are
always done.
Once those steps have been completed, it’s time to move into the flexible phase of the plan. In this
phase, some personnel may be allowed back into the facility, key data may be removed from the
facility, or materials in process may be removed from equipment, to avoid damaging that
equipment.
How we implement these flexible elements of the contingency plan will depend upon the severity of
the crisis, how rapidly the crisis is developing and a number of safety factors. While it may seem
inefficient to force everyone to evacuate the facility, then allow them back in to take care of those
flexible elements, it ensures everyone’s safety. Machines and materials can be replaced; people
can’t.
As part of your review of existing plans, you need to seek out “holes” in the plans, which can put
people, material or critical data at risk. Pay special attention to systems which have been put into
place since the creation of that plan, as those are the most likely places to encounter these holes.
For example, a risk management plan may contain contingency plans for backup of data that is in the
IT computer cloud. However, it might not deal at all with information stored on personal computers.
At the time that the original plan was created, there was no risk of that, because all critical data was
stored in IT; however, changes in operations have created new types of data storage in
departmental servers or individual computers. That creates a “hole” in the plan, which needs to be
“plugged” in the new plan.5
Risk management, like other aspects of project management, will need success criteria. Without
these you won’t know if the project has ended. When putting together a project management plan,
if key points or activities on that plan do not have success criteria, then it will be hard to assess how
easily they can be met, i.e. where the risk areas are.
Once criteria have been identified the project management team will need to agree how they are
measured. If the objectives are not clear, criteria for their completion cannot be set. Even if the
objective and success criteria are clear the measurement may not be easy.
Any difficulty in setting objectives and criteria will result in higher risk as there will be a lack of
confidence in completion. How do we find out the exact nature of the objective, criteria and
measurement techniques? There is no short cut; we have to ask the people that know (for
objectives) and agree criteria and measurement techniques with them.
You can decide which factors are the most critical by determining how great an impact it will have on
your company to not have those things functioning correctly. Some things, like cleaning the offices,
will only create an inconvenience for your staff. Others, like the computer system going down, can
totally shut down your business. Can you imagine the impact of having the computer system of an
e-commerce business go down?
As part of determining the impact of risks, it is important to determine the critical success factors,
goals and objectives. They are the most important factors for your company to have contingency
plans for. The following questions might assist you in this process:
5 http://tae.fortresslearning.com.au/?page_id=4945
How many shareholders are affected by the temporary cessation of this function?
Every risk that you encounter will end up needing to be compared to each of these critical factors.
Any risk factor can affect a number of different factors, each of them to a different extent, with a
different overall impact to the company’s operations.
Promote learning
However, in some smaller organisations the responsibility of risk identification is allocated to one
worker or contracted to an external risk management team. A team approach works better because
the diversity of skills that various staff have will strengthen the risk management process.
The skills mix in an organisation may include:
Financial expertise
OH&S expertise
Emergency services expertise
HR expertise
Legal knowledge
Board or management committee
Industry Expertise
Staff representation
Board or management committee representation (governance)
Staff representation from the ground up
Management
Volunteer representation
Other specialist expertise, depending on the work context for example: appropriate
responses to violent/potentially violent clients, hazardous chemicals, etc.
Whether the process is driven by a risk management team (more common, even in smaller
organisations with few staff) or an individual, the role is as follows:
Identifying risks
Identifying exposures
Documenting risks
Developing an action plan
Putting it into practice
Monitoring
Review
Topics which should be covered during risk management training include:
What is 'Risk'?
Positive Risk taking
Business Risks versus project Risk
The 'Management of Risk' model
The steps in Risk analysis
Numeric versus discrete levels when estimating risks
Evaluating Risks
The steps in Risk management
Risk response and action planning
Risk assessment methods (advanced)
The people side of Risk
Putting it into practice
Another important part of the process of risk management is ensuring that managers and employees
can:
Each of these steps requires skills specific to the task and to the organisation. While recruitment
processes can deliver staff with some of these skills, others will need to be developed during their
employment with you, and will need to be refreshed or increased as part of continuous
improvement.
Communicate with relevant parties about the risk management process and invite participation
As with any business process, identifying the stakeholders and developing pathways of
communication are critical for a successful implementation of risk management. Stakeholders may
have perceptions regarding risk factor impacts or conceptualise the process in a different way than
other relevant parties. Because stakeholders have such a high level of influence, it is important to
seek consultation and keep communication pathways open in order to foster a supportive
environment for risk management activities. Communication and consultation must occur during
each step of the process. Participation from stakeholders and other relevant parties can assist in
broadening the considerations relating to the risk management program.
Stakeholders can be both internal and external to the team, department, company and industry.
Internal stakeholders include those people who are directly involved in or affected by the activities
prescribed for the team, department, or company. They include employees, managers, owners, and
shareholders. External stakeholders involve the people or groups outside the organisation that have
an influence on or are influenced by the procedures and processes involved in the risk management
program. Examples of external stakeholders include customers, vendors, suppliers, consultants,
government agencies, regulatory agencies, industry groups, and educational organisations.
All staff
Internal and external stakeholders
Senior management
Specific teams or business units
Technical experts
Communication and consultation are essential elements of risk management. They are critical at
every step to ensure all the participants understand, are involved in, and contribute to the process.
The effectiveness of your Risk Management process depends upon, amongst other things, involving
the right people at the right time.
Communication is the sharing of information and viewpoints.
Consultation gives stakeholders the opportunity to influence decisions; however, it is not joint
decision making, but rather an effective way to receive useful input and ensure that all relevant
viewpoints are taken into account in identifying and evaluating risks. Communication and
consultation are essential to the overall risk management process as well as each individual step in
that process.
A well-structured approach to communication and consultation can provide the following benefits:
Each step of the Risk Management process relies on communication and consultation to achieve its
purpose. For instance, in setting the context, consultation with internal and external stakeholders is
essential to reach a thorough understanding of the operating environment and to define the
purpose and scope of the exercise.
Activity 1
Think carefully about your workplace, or a workplace you are familiar with. How do they establish
risk context? Briefly describe the steps that they take/could take to do this. (If you do not work in
an organisation, briefly describe the steps that you could take to do this).
Identifying Risks6
Identifying potential risks is best achieved through a brainstorming session. Just like with any other
brainstorming session, the more people you can get involved in the process, the better. By having a
group of people involved, you can generate more ideas.
Stakeholders:
Managers
Supervisors
Health and safety and other employee representatives
OHS committees
Employees and contractors
The community
People who are involved in OHS decision-making or who are affected by decisions.
Risk managers
Health professionals
Injury management advisors
Legal practitioners with experience in OHS
Engineers (such as design, acoustic, mechanical, civil)
Security and emergency response personnel
Workplace trainers and assessors
Maintenance and trade persons
OHS specialists:
Safety professionals
Ergonomists
Occupational hygienists
Audiologists
Safety engineers
Toxicologists
Occupational health professionals
6
Source: Queensland Government, as at https://www.business.qld.gov.au/business/starting/starting-a-business/managing-risk/identifying-risks, as on 11th August, 2015.
When you invite people to participate in identifying possible risks, be sure to invite as broad a range
of people as possible, from as broad a range of departments as possible. Each department will have
its own view of things, some of which can be quite unique. Purchasing and engineering don’t see
things the same way, nor do production and maintenance. However, between all those different
viewpoints, you are more likely to identify potential risks.
Types of risk
There are many different types of risk. The Australian standard (AS/NZS ISO 31000:2009, Risk
management) defines risk as 'the chance of something happening that will have an impact on
objectives'. The types of risk you face will therefore be specific to your business and its objectives,
but will generally relate to the following areas.
Financial risks
These risks include both external risks, such as changes in interest rates or commodity prices, and
internal risks such as cash flow shortages, customers defaulting on payments, depreciation of assets.
These risks cover a range of environmental, human, systems and procedural impacts such as illness
or retirement of key staff, equipment breakdown, natural disasters and software failures.
Legal risks
These risks include contractual breaches and non-compliance with regulations such as changes to
work health and safety standards.
Strategic risks
These risks relate to your business strategies such as changes in customer demand, increased
competition, adopting new technology and pursuing new business opportunities.
These risks relate to non-compliance with state and national privacy laws on recording, storing and
disposing of customer information.
Researching risks that may apply to scope
Every idea that is brought forth in your brainstorming session has some merit. You won’t really know
how much merit each idea has, until you research the likelihood of that problem happening.
These methods will help you identify risks that are relevant to your particular business:
Thoroughly review your business plan and ask as many 'what if?' questions as you can.
Brainstorm with your accountant, financial adviser, staff and other interested parties. Get as
many different perspectives as you can.
Analyse a wide range of possible future events and their outcomes (scenario analysis).
Analyse economic, political, legislative and operating scenarios.
Use flow charts, checklists and inspections to break down and analyse your work procedures
(systems analysis).
When, where, why, and how are risks likely to occur in this business?
Are the risks internal, external or random?
Who might be involved or affected if this occurs?
Once you've identified risks, you'll need to analyse their likelihood and consequences and then come
up with options for managing them.
Using tools and techniques to generate a list of risks that apply to the scope,
in consultation with relevant parties
Inspections: walking through and conducting inspections of each task, location, team, group or
process within an organisation. This can be done by individual managers or team leaders and
supervisors. It can also be done by senior or executive management.
Consultation: a process that allows evidence on unreported incidents to be gathered, for example,
injuries, machine breakdown. Again these meetings can be held on a local or team or group or senior
management level. The results of a number of these meetings can then be incorporated in further
meetings with managers at different levels.
Safety or management audits: these can be conducted by individual managers or team leaders and
focus on their own or associated areas, or can be conducted by members of the organisation who
specialise in this area.
Testing: of plant and equipment in an operational context, or of staff in a service area. This also can
be accomplished as part of the local group or team approach or can be part of a wider organisation-
wide approach.
Collection and evaluation of material: from suppliers, manufacturers, designers, and from safety
organisations, unions, interest groups and employer organisations.
Expert advice: engaging professional consultants and advisors, lawyers, engineers, safety experts,
process experts.
Networking: with other members of the market, or users of similar machines or processes.
Benchmarking: a process of seeking out and identifying the best practices of the organisation’s
competitors, where those best practices represent a higher quality level or performance. The
process means that the organisation, having identified the best practice in the industry, then uses
that ‘benchmark’ as the quality standard to be obtained within its industry.
Of course the selection of individual tools and methods to identify risk is largely dependent on the
type of organisation, process and market. The type of tools you use should also be chosen by taking
into consideration the nature of the workforce or membership of the organisation. So take care to
ensure that the tool or method selected is appropriate to the people using and reviewing the
methods.
Brainstorming: the brainstorming process can take various forms, but one of the most effective is in
meetings of staff in an environment where there is freedom to experiment with ideas and to express
opinions. Brainstorming is usually a process of energetic interaction with the goal of forming and
discussing ideas and concepts in a round-table or group dynamic. It allows examination of existing
and emerging risk by using the ideas and experience of fellow workers, managers, experts, other
stakeholders and the users of the process or service.
Brainstorming is a vibrant tool which is designed to open up the creative imaginations of the
participants and to encourage open debate concerning a wide variety of possible alternatives to the
existing or proposed systems and procedures and services.
Audits and physical inspections: regulatory-based risk management procedures often include
regular audits and inspections, for example Occupational Health and Safety, activities of brokers and
traders on the Australian Stock Exchange register and the regulation of Registered Training
Organisations.
Many organisations have their own internal audit and inspection processes, including:
Process charting
The fishbone diagram provides a good example of a process chart, sometimes called a cause and
effect diagram. Each line or ‘fishbone’ represents an area that may have caused a problem.
Scenario analysis
This is a process of examining options and competing scenarios based on an assessment of future
events. The focus is on the future and may take into account past and present events as elements of
the examination. One topical example which has emerged in the 20th and 21st Century is the
planning of security responses to possible terrorist threats.
System or process flow charts – especially useful in recognising and identifying potential problem
areas within the process flow.
7
Source: Frontline Care Solutions, as at http://www.google.com.au/url?sa=t&rct=j&q=&esrc=s&source=web&cd=3&ved=0CC0QFjAC&url=http%3A%2F%2Fwww.frontlinecaresolutions.com%2FLiteratureRetrieve.aspx%3FID%3D79124&ei=1t0QVNyjJcnkuQTXlIKQCA&usg=AFQjCNEbqowMjuyZ1sWuyetgB4l7OFmMcQ&sig2=WHkkQk3u5k6MfynEdjfitA&bvm=bv.74894050,d.c2E, as on 11th August, 2015.
Influence diagrams – demonstrate the influence that different aspects of a process have on each
other.
All the above are examples of tools that can be used to evaluate or identify risks in the workplace.
Activity 2
When identifying risks, there are three things you need to ensure you do. List them in the table
below, then give a brief description of what they involve.
Task Brief Description
Analysing Risk
The next step of the risk assessment is to determine or estimate both the likelihood of a risk arising
and its potential consequences. All available data sources should be used to understand the risks.
These may include: historical records, procurement experience, industry practice, relevant published
literature, test marketing and market research, experiments and prototypes, and expert and
technical judgement and independent evaluation.
An estimate of the likelihood of each risk arising. This might be done initially on a simple
scale from 'rare' to 'almost certain', or numerical assessments of probability might be made
An estimate of the consequences of each risk. This might be done initially on a simple scale
from 'negligible' to 'severe', or quantitative measurements of impacts might be used8
Analysis of risk levels can be conducted on the inherent risks (assuming no controls are in place) or
on residual risk (that remaining after considering existing control strategies). The former ‘zero-
based’ approach would be appropriate at the outset of an activity or when considering a possibility
of revising controls. The latter would be appropriate when monitoring management action or
reviewing implementation.
The purpose of analysing risk is to provide information to enable the evaluation of risks, using
predefined likelihood and consequence criteria. Risk analysis uses judgments and assumptions,
which may involve uncertainty and be based on incomplete information. Therefore, the best
available information sources and techniques should be used. Wherever possible the confidence
placed on estimates of levels of risk should be included.
8
Source: AUSAid, Australian Government, as at http://portals.wi.wur.nl/files/docs/ppme/ausguidelines-risk_management.pdf, as on 11th August, 2015.
Assessing impact or consequence if risks occur
Cost
Quality
Time
o This includes the time taken to:
Identify, record and report the risk
Analyse and assess the risk
Address the risk
Either reduce its impact or remove it completely as a potential risk
Risk proximity is about:
Our first step in assessing a risk is to determine the likelihood of the risk occurring, meaning what
are the chances. See below for a scale to gauge how likely the risk is:
Just as we did with the likelihood of a risk occurring, the impact or consequences of the risk need to
be rated. In this case, we are dealing with the amount of disruption to normal business operations
that the event can cause.
The following table shows that the impact of risk is generally ranked from ‘minimal’ (level 1) to
‘severe’ (level 5). You can see from the detail descriptions that these levels focus on the degree to
which the business is affected with regard to its financial and service capability.
4  Significant  Loss of service capability; major financial loss
5  Severe       Loss of business continuity; huge financial loss
Analysing the risk will help you decide the impact of the risk on your company and will enable you to
control for this when required.
Another Example:
Note: The scales above use 4 different levels; however, you can use as many levels as you need. Also
use descriptors that suit your purpose (e.g. you might measure consequences in terms of human
health, rather than dollar value).
Once you have established the likelihood and consequences of a particular risk, you then need to
create a risk rating table for evaluating the risk. Evaluating a risk means making a decision about its
severity and ways to manage it.
Use the following formula to calculate risk rating: Likelihood x Consequences = Risk rating
For example, you may decide the likelihood of a fire is 'unlikely' (a score of 2) but the consequences
are 'severe' (a score of 4). Using the tables above, a fire therefore has a risk rating of 8 (i.e. 2 x 4 = 8).
Once you have identified, analysed and evaluated your risks, you need to rank them in order of
priority. You can then decide what methods you will use to treat unacceptable risks.
So, by using these two scales, any potential risk can be rated with a risk score. For example, if we live
in an area which commonly has severe thunderstorms, which disrupt electrical service to our
distribution facility for 2 to 3 hours, we might assign a likelihood score of 5 and an impact score of 3.
That would give us a risk score of 15. Considering that the maximum score we can get with this
system is 25, that’s a fairly high risk score.
The criteria for ranking and recording:
Take into consideration whether the risk falls within established or accepted guidelines
Differentiate between risks that have high impact/consequence/likelihood and those having
low impact/consequence/likelihood
Assign value to identified risks using available tools
Assess consequences and likelihoods
A risk that has been analysed as having a ‘catastrophic impact’ (loss of business continuity; huge
financial loss) is ranked as an ‘extreme’ level risk if the probability is ‘likely’ but ‘high’ if the
probability is ‘rare’. Immediate action is required, involving senior management, to manage the risk.
Generally intolerable level of risk
B.F. Hough (1985) developed the following diagram to show the relationship between cost and risk.
This type of reference can contribute to the evaluation and prioritisation process by representing
different factors relating to risk.
Each risk decision and its implementation will have to be based upon what is the most logical and
cost effective for your company. At times, the cost of implementing a change may be so great, that it
is impractical to accomplish. In those cases, mitigation of the impact may consist of buying insurance
against that event occurring, thus transferring some of the risk to an insurance company.
Activity 3
Complete the risk analysis table below by indicating true or false for each statement
Analysis of risk levels can only be conducted on the inherent risks (assuming
no controls are in place) and not on residual risk (that remaining after
considering existing control strategies).
Analysing the risk will help you decide the impact of the risk on your
company and will enable you to control for this when required.
A simplified risk analysis can be conducted using probability theory:
Risk treatment involves working through options to treat unacceptable risks to your business.
Unacceptable risks range in severity; some require immediate treatment, others can be monitored
and treated later.
Before you decide which risks to treat, you need to gather information about the:
method of treatment
people responsible for treatment
costs involved
benefits of treatment
likelihood of success
ways to measure and assess treatments.
Once you decide how to treat identified risks you will need to develop, and regularly review, your
risk management plan.
You may decide not to proceed with the activity likely to generate the risk, where practical.
Alternatively, you may think of another way to reach the same outcome.
reducing the likelihood of the risk occurring - for example, through quality control processes,
managing debtors, auditing, compliance with legislation, staff training, regular maintenance
or a change in procedures
reducing the impact if the risk occurs - for example, through emergency procedures, off-site
data backup, minimising exposure to sources of risk or public relations.
You may be able to shift some or all of the responsibility for the risk to another party through
insurance, outsourcing, joint ventures or partnerships.
You may accept a risk if it cannot be avoided, reduced or transferred. However, you will need to
have plans for managing and funding the consequences of the risk if it occurs.
Risk treatment involves identifying the range of options for treating risk, assessing those options,
preparing risk treatment plans and implementing them. It is probable that a combination of options
will be required to treat complex risks. Once a risk is well understood and it is clear that some
treatment will be required, detailed analysis of treatment options may be required. There will
usually be several options, each entailing different costs and benefits and each offering a different
level of risk mitigation.
Key outcomes steps
The control or management of risk can be different on an organisational or industry basis. However
there are seven commonly used approaches:
APPROACH / DESCRIPTION
1. Elimination / reduction management
In this approach the risk is either reduced to its lowest possible level to enable it to be managed,
or it is eliminated.
This latter course may involve divesting a manufacturing process, a particular service within a
general service industry, or simply deleting a process and replacing it with a newer, safer or
alternative system.
A variation in this approach is not to eliminate the risk if that is too difficult or too late, but to
reduce or eliminate its effect.
2. Assumption of risk
Insurance companies assume risk as part of their operations. Here the expression ‘assume risk’ means
to knowingly accept the risk as part of the agreement with the person/company that pays the premium.
Organisations unused to risk may assume or accept its effect because to fail to do so might
negatively affect the organisation’s operations.
Once again the decision to assume a risk must be taken bearing in mind the competing issues of cost,
proximity and extent of the risk.
3. Transfer risk
Insurance is a means of transferring the risk, through the payment of insurance premiums, to an
insurance company.
It is important to understand that this is generally a way of managing financially based risk. The
insurance company can only really assume a financial risk. It is not able to assume risk that relates
to culture, personnel or manufacturing, for example.
So if the risk of the factory burning down is identified, then the financial risk can be transferred
to the insurance company, but the actual risk of losing specific or specialist machinery cannot.
Often organisations only transfer part of the financial risk, having assessed the insurance premium
cost as too high to transfer it all.
To offer a personal example, this may be compared with a householder insuring the contents of the
house against fire, but not paying extra for the loss of specialist jewellery or stereo equipment. It
then falls on the householder to fund the replacement of such items.
4. Changing processes
Risk can be avoided by changing processes, or refraining from an activity. This is often an ongoing
process of change from risk identification.
Organisations with a positive risk identification and management culture are ready and willing to
change or remove processes that demonstrate a greater degree of risk or risk potential.
Changing a process to avoid an activity also requires a positive risk management culture as this can
be confronting and expensive, particularly if the process needs to be replaced.
The change or replacement of a process in order to manage a risk must also be undertaken using risk
management procedures. In other words, the new process must not create or support the same or similar
risk it was designed to eliminate.
5. Delaying
An organisation may defer a risk, by delaying it until such time as it is able to assume the risk or
deal with it in a better and more positive way.
An organisation may believe that research or development it is undertaking will make it more able to
deal with the risk at a later time.
6. Sharing risk
Organisations may seek to share risk with other organisations by way of joint ventures or cooperative
options.
A good example of this is seen in the construction and maintenance of motorways in capital cities
where government and private industry come together to share the expense.
Similarly in recent times wine and beer companies have combined with manufacturing industries
associated with wine and beer production, when entering new markets such as China.
7. Spread and minimise locations of the risk
An organisation may attempt to spread and minimise locations of the risk, e.g. a company may spread
its outlets and workforce to a number of areas in order to spread or reduce the risk of an incorrect
decision in relation to geographic marketing. For example, a retailer may have outlets in a number of
locations in a town to ensure the product is available to as many potential customers as possible.
The purpose of evaluating risks is to prioritise the need for treatment plan development. Once that
is completed, it is time to determine the best treatment plan option for that particular risk. There
are a number of different options which you can apply to any risk:
Regardless of the final decision ensure that all relevant parties have signed off on it. Although you
may be in charge of developing the risk management plan, this is a group project, with group
decisions.
A risk management plan details your strategy for treating risks. It details information about:
identified risks
the level of risks
your planned strategy
the time frame for implementing your strategy
the resources required
the individuals responsible for ensuring the strategy is implemented.
Your final plan should include appropriate objectives, a budget and milestones on the way to
achieving those objectives.
The business environment is constantly changing. The type of risks you face will change as your
business develops and grows. Regularly reviewing your risk management plan is therefore essential
for identifying new risks and monitoring the effectiveness of your risk treatment strategies.
The action plan formalises the risk management process. The specific format of the risk
management action plan will vary from one organisation to another, but the following is an example
of a relatively straightforward methodology.
Risk
Date identified
Level of risk
Reason for risk rating
Risk priority / risk ranking
Action (what is to be done)
What resources are required
Who is responsible for the action
Timeline - when should the action be completed
Strategy for informing relevant stakeholders, i.e. staff volunteers, board, corporate
sponsors, etc.
Review date
A risk control action plan is essential for the effective and systematic introduction of risk control
actions. Remember to compare the levels of the risk control hierarchy with the time frame when
determining target dates.
Communicating risk management processes to relevant parties
Risk management communication is the sharing of information about risk and risk management
between the decision makers and others. Parties can communicate at any stage of the risk
management process. When all parties in a project communicate their expectations and perceptions
early and often, the “disconnects” between opposing parties can be readily established.
Steps can then be taken to resolve those differences and align everyone’s expectations and
perceptions. To be effective, communication must flow both up and down the chain of command so
that all parties are informed.
Good planning will lead to good communication. All parties should agree on acceptable means and
lines of communication early in the process. Develop tools to aid the communication process such as
correspondence logs, telephone conversation logs, and e-mail protocol. Communication must be
handled in a professional and courteous manner.
When dealing with a contentious issue, it is not a good practice to send a letter or e-mail
immediately after composing it. Take time and then re-read the communication before sending it.
Communicating only the facts of the case and avoiding emotional outbursts or statements of opinion
can help to avoid problems or making problems worse. 9
Communication must be a two-way street. If individuals are to be able to participate in OHS activity
in a meaningful way they need access to information in a format they can understand, and they
need to be able to communicate back to OHS representatives, supervisors, OHS advisers and others
easily. 10
Diversity of workers
Employees may come from different cultural, age and educational backgrounds with different views
about personal responsibility and authority; they will have different previous experiences,
knowledge and skills and may have different learning styles. They may have external pressures and
stresses in their lives or pre-existing physical injuries. All these factors need to be taken into
consideration in designing and developing participative arrangements.
9
Source: Civil Engineer, as at http://civilengineerblog.com/foundation-risk-management/, as on 11th August, 2015.
10
Safetyline Institute, as at http://institute.safetyline.wa.gov.au/pluginfile.php/1642/mod_label/intro/BSBOHS503B.pdf, as on 11th August, 2015.
Your risk management plan must be distributed to all appropriate personnel; especially those who
have a part in implementing the plan.
Distribution of your risk management plan to key personnel is best accomplished through a meeting
where you briefly explain the plan. I say briefly, because we all have the tendency to become
long-winded when we are talking about our own pet project. You need to ensure that the information
you share verbally in that meeting is the key information, nothing more. Everything else will be
provided in the written plans that you distribute in the meeting.
Not only do you need to distribute the risk management plan to relevant parties, you’ll need to
ensure that copies are created and stored in your company’s information management system. In
many companies, this is a computerised system for the storage of all pertinent company
information. Since part of your risk factors include the possibility of something happening to the
company’s computer systems, you should also ensure that hard copies are created and stored.
It is essential that all copies of the risk management plan are created equal. Nothing can cause more
confusion than to have two different versions of a contingency plan floating around, when it is time
to implement that plan. Instead of the plan becoming a tool to ensure that everyone knows what to
do, it becomes a point of argument, impeding corrective action.
To ensure that all copies are created equal, you want to limit people’s ability to copy it. That can be a
little tricky, considering the ready access to copy machines in most companies. The one thing that
can work in your favour is that most people don’t like standing in front of a copy machine, waiting
for it. So, by placing notices in the plan, instructing people where they can get their own copy, you
reduce the likelihood of them copying somebody else’s.
Now that you have everyone coming to the same place to receive their copies of the risk
management plan, your next step is to ensure that you keep an accurate log of who has those
copies. This log should contain a minimum of:
Person’s name
Title
Department
Phone number or extension
Office location
This list will then become your distribution list for any changes. While not everyone will be quick to
put the updates into their binder, those who have secretaries will be sure to have accurate binders,
with all the latest updates. In other words, the people who have the greatest responsibility and
authority in your company will have the updated copies; not because they do the updating, but
because secretaries are really good at making sure that gets done.
Document management is a vital ingredient in any risk management process. For example, where
the risk is addressed by regulatory authorities, then an organisation which is subject to those
regulations must retain the supporting documents to show it has met or exceeded the risk
guidelines. In some situations this forms part of their due diligence procedures. Due diligence is a
formatted or sometimes regulated process of risk assessment and identification. Where an
organisation conducts a process of due diligence it follows a set or agreed procedure to examine
processes, documents or systems, to determine a set of agreed standards.
You should document the results of the analysis process, including changes and recommendations.
These documents should be easy to understand by all those whose role includes their use. It is very
important that all documentation communicates clearly. Often people who are very literate will
write documents that are difficult to understand.
Make sure you use plain English and that your message is understood by all who read it. Keep in
mind that language difficulties also impact on the success of the documents used and must always be
taken into account.
There is always a role for training in relation to the completion of the documents, and that training
should take these issues into account. Focusing on the documentation may also highlight the need
for amendments to be made to operational and training manuals, schedules, checklists and
instructional documents to ensure they communicate clearly.
What skills and technology will be required to access the information?
Most organisations will have some records, such as incident and injury reports, workplace
inspections and/or newsletters, in hard copy.
Even the smallest community services organisation is likely to have electronic storage for any
information or records that meet one or more of the following criteria.
There are many software options for storing electronic OHS information. These options may range
from simple spreadsheets to highly interactive purpose-designed software packages that may
incorporate functions such as incident reporting, injury management, chemical and risk registers,
asset and maintenance registers and training records.
Having determined the format for storing OHS information (i.e. the nature of software) the next
question is whether it should be on a single computer or networked hardware for an intranet-type
system.
It is beyond the scope of this unit to compare the relative features of the various systems, but some
factors to consider are:
Implementing and monitoring action plan
Part of your role will be to implement and monitor the action plan throughout its life.
Invariably, your risk management plan will require a number of actions to be taken in order to
implement it. I’ve already mentioned the need to take the initiative to ensure that those items are
completed. You can’t count on others, even other managers, doing it, because they are all busy with
other work.
It would be advisable to create a master list of action items that need to be done to implement your
risk management plan. Depending upon how many risk factors you have discovered, and the types
of options you have selected for dealing with these risks, you may have a rather extensive list of
items on your to do list.
Hopefully, there will be some overlap in different action items, where the same action item may deal
with several different risks. Take insurance for example; you may have identified several different
risks (fire, hurricane, earthquake) for which the option decided upon was to share the risk with a
third party, an insurance company. In reality, that’s only one action item, although it deals with
three separate risks. You can take that one action item to the appropriate party, and track the
progress of it as one line item on your master list.
While there are parts of the risk management plan which require your direct involvement to
implement, especially if the appropriate manager doesn’t have the time or resources to implement
them, there are other parts which will be implemented by others. You will still want to track these
areas, to ensure that they are actually completed and not derailed mid-stream.
Once the action items have been implemented, you also need to check and monitor, to ensure that
they will function as expected. There are always a certain number of plans that don’t work out the
way we expect. Don’t be so rigid that you can’t recognise a failure when you see it. Should that
happen, be willing to admit your fault and try something else. People will respect you for admitting
your fault.
Evaluating risk management process
It is critical to constantly monitor and review the processes and outcomes. Monitoring and reviewing
risk management processes helps to include risk management as a valuable part of the company.
The risk management process is not static but is taken in the context of the internal and external
environments. As these environments change, the variables affecting risk also change.
Evaluating the process of risk management can be assigned to individuals within departments or to
dedicated staff depending upon the nature of the organisation and the resources available.
Consultants may be brought in at critical times to evaluate processes and institute changes based on
risk contexts or environmental, social and political changes.
In addition to planned and scheduled monitoring and review sessions to examine new risk, review of
the management plan must be ongoing in order to stay relevant. As policies, procedures, and visions
of a corporation change, risk changes. As external contexts change, risks change. Suitability and cost
factors for treatment options change. Treatment options or contingency plans may lose relevancy
throughout the process. External variables such as legislative actions may develop, creating a
different context under which to analyse and evaluate risk.
One of the key components to the risk management process is keeping an accurate record of
documentation relating to the communications, justifications, analyses and relevant information
pertaining to risk. Remember how we began the risk assessment process? With research relating to:
Monitoring is not only a practical requirement but a legal obligation, as the common law duty of care
and WHS legislation require that the employer “provide and maintain a working environment that
is safe”.
All organisations should ensure that risk identification, assessment analysis, evaluation techniques
and the change arising from these processes fall within the culture of the organisation. This requires
commitment from the most senior levels of management in the organisation, and it requires
communication throughout all ranks of the organisation.
Leadership and coaching are two of the most commonly used processes to engage an organisation in
cultural change to embrace the issues of risk identification and management and the issues arising
from the change that flows from these procedures.
Activity 4
When selecting and implementing treatments, there are six things you need to ensure you do. List
them in the table below, then give a brief description of what they involve.
Life is full of risks. Everything we do, from buying a car, to crossing the street carries some degree of
risk. Therefore, it shouldn’t surprise us that our business activities have risk associated with them as
well. While some of those business activities carry very little risk, others come loaded with risk at
every turn. Some risks have a great potential for impact, while the impact of others can hardly be
seen.
While the risks in our personal life can cause problems for us and our families, even the smallest
business risks carry a much broader potential for causing damage. Employees, customers and even
people who seem unrelated to our business can end up being hurt by the risks associated with
business.
We had a perfect example of this with the earthquake and tsunami that hit Japan in March of 2011.
Millions of lives were affected by what happened; first by the earthquake, then the tsunami, and
then by the damage to the nuclear power plant. Not only workers in the plant were affected, but
millions of customers, everyone who lived within 20 miles of that nuclear plant, even people as far
away as the western part of the United States were affected by what happened in that event.
Even without the destruction and eventual meltdown of the nuclear power plant, the tsunami itself
wreaked havoc on the northeastern part of the Japanese home island of Honshu. Over five million
families lost their homes, with over 15,000 lives lost.
"In many cases, there is nothing we can do to stop these disasters from happening. Risk
management isn’t about that, it’s about understanding the potential risks and managing how a
company deals with that risk"
If you have any questions about this resource please ask your trainer. They will be only too happy to
assist you when required.
Business, Accounting and Finance
BSBRSK501 MANAGE RISK
BSBRSK501 Manage risk
This unit describes skills and knowledge required to manage risks in a range of contexts across an
organisation or for a specific business unit or area in any industry setting.
Many factors external to your company can create risks. While you must accept that these exist, and
that they are outside of your control, that doesn’t mean that you should just ignore them, or hope
that they will never be a problem.
Therefore, as part of your risk management analysis, you need to take into account as many outside
influences as you possibly can. These may include:
Political climate
What effect a downturn in the economy will have on your company or project
New applications for existing technologies that can invalidate existing products
How trends, fads and other changes in society can negatively affect your company
Potential upcoming changes in the political climate
The state of the economy
Proposed legislation, and how it can affect your company
New technologies being introduced into the marketplace
Conducting a SWOT Analysis to determine the best control measures for risk is a common approach.
Organisations use this tool to identify their internal strengths and weaknesses and external or
environmental threats and opportunities. The analysis allows an organisation to answer the
question: ‘where are we now?’
When analysing the best control measures for risk, the SWOT questions become:
What are the strengths of this control measure?
What are the weaknesses of this control measure?
What are the opportunities provided by using this control measure?
What are the threats involved in using this control measure?
Documenting critical success factors, goals or objectives for area included in scope
Risk management, like other aspects of project management, will need success criteria.
Without these you won’t know if the project has ended. When putting together a project
management plan, if key points or activities on that plan do not have success criteria, then it will be
hard to assess how easily they can be met, i.e. where the risk areas are.
Once criteria have been identified the project management team will need to agree how they are
measured.
If the objectives are not clear, criteria for their completion cannot be set. Even if the objective and
success criteria are clear, the measurement may not be easy.
Any difficulty in setting objectives and criteria will result in higher risk as there will be a lack of
confidence in completion.
As part of determining the impact of risks, it is important to determine the critical success factors,
goals and objectives. They are the most important factors for your company to have contingency
plans for. The following questions might assist you in this process:
Where does my company’s income come from?
What affects my company’s reputation in the marketplace?
What functions are critical to ensure that my company can continue operations? Are there some
that we can do without for a day, or a week?
Which company goals are essential to ensure continued operations? How would a delay in the
completion of those goals affect the company?
How many shareholders are affected by the temporary cessation of this function?
Obtaining support for risk management activities
Creating a supportive work environment
A supportive work environment is a key component of continuous learning.
The importance of training
Risk management training is important in the workplace in order for employees:
Topics which should be covered during risk management training include:
What is 'Risk'?
The steps in Risk analysis
How do they establish risk context?
Briefly describe the steps that they take/could take to do this. (If you do not work in an
organisation, briefly describe the steps that you could take to do this).
Information from other business areas
Lessons learned from other projects or activities
Market research
Public consultation
Review of literature and other information sources
Risk identification Techniques
The terms ‘hazard’ and ‘risk’ tend to be used interchangeably, but risk represents more than a
hazard. Risk takes into account scale, consequences, frequency, duration, extent, probability of
occurrence, and time range. There are some general tools that can be used to identify risk. These
can be incorporated within established risk management processes in any organisation and include:
• Inspections
• Consultation
• Safety or management audits
• Testing
• Scientific or technical evaluation or expert instruction in up-to-date methods (service industry)
• Collection and evaluation of material
• Expert advice
• Seeking government or regulatory information and help
• Networking
• Benchmarking
Invite relevant parties to assist in the identification of risks
Identifying potential risks is best achieved through a brainstorming session. Just like with any other
brainstorming session, the more people you can get involved in the process, the better.
By having a group of people involved, you can generate more ideas.
People who may be involved to assist in the identification of risks are:
• Stakeholders
• Key personnel; People who are involved in OHS decision-making or who are affected by decisions.
• OHS technical advisors
• OHS specialists
List them in the table provided in your workbook, then give a brief description of what they involve.
The risk analysis involves:
An estimate of the likelihood of each risk arising. This might be done initially on a simple scale from
'rare' to 'almost certain', or numerical assessments of probability might be made
An estimate of the consequences of each risk. This might be done initially on a simple scale from
'negligible' to 'severe', or quantitative measurements of impacts might be used
Our first step in assessing a risk is to determine the likelihood of the risk occurring, meaning what
are the chances. See below for a scale to gauge how likely the risk is:
Assessing impact or consequence if risks occur
Impact itself can be assessed in terms of its effect on:
Parties can communicate at any stage of the risk management process. When all parties in a project
communicate their expectations and perceptions early and often, the “disconnects” between
opposing parties can be readily established.
Steps can then be taken to resolve those differences and align everyone’s expectations and
perceptions.
To be effective, communication must flow both up and down the chain of command so that all
parties are informed.
the level of risks
your planned strategy
the time frame for implementing your strategy
the resources required
the individuals responsible for ensuring the strategy is implemented.
Your final plan should include appropriate objectives, a budget and milestones on the way to
achieving those objectives.
Student Assessment Information
The process you will be following is known as competency-based assessment. This means
that evidence of your current skills and knowledge will be measured against national and
international standards of best practice, not against the learning you have undertaken either
recently or in the past. (How well can you do the job?)
Some of the assessment will be concerned with how you apply the skills and knowledge in
your workplace, and some in the training room.
The assessment tasks utilized in this training have been designed to enable you to demonstrate
the required skills and knowledge and produce the critical evidence required so you can
successfully demonstrate competency at the required standard.
What happens if your result is ‘Not Yet Competent’ for one or more assessment tasks?
The assessment process is designed to answer the question “has the participant satisfactorily
demonstrated competence yet?” If the answer is “Not yet”, then we work with you to see how we
can get there.
In the case that one or more of your assessments has been marked ‘NYC’, your Trainer will provide
you with the necessary feedback and guidance, in order for you to resubmit/redo your assessment
task(s).
What if you disagree on the assessment outcome?
You can appeal against a decision made in regards to an assessment of your competency. An appeal
should only be made if you have been assessed as ‘Not Yet Competent’ against specific competency
standards and you feel you have sufficient grounds to believe that you are entitled to be assessed as
competent.
You must be able to adequately demonstrate that you have the skills and experience to be able to
meet the requirements of the unit you are appealing against the assessment of.
You can request a form to make an appeal and submit it to your Trainer, the Course Coordinator, or
an Administration Officer. The RTO will examine the appeal and you will be advised of the outcome
within 14 days. Any additional information you wish to provide may be attached to the form.
What if I believe I am already competent before training?
If you believe you already have the knowledge and skills to be able to demonstrate competence in
this unit, speak with your Trainer, as you may be able to apply for Recognition of Prior Learning
(RPL).
Credit Transfer
Credit transfer is recognition for study you have already completed. To receive Credit Transfer, you
must be enrolled in the relevant program. Credit Transfer can be granted if you provide the RTO with
certified copies of your qualifications, a Statement of Attainment or a Statement of Results along
with a Credit Transfer Application Form. (For further information please refer to the Credit Transfer Policy.)
LEARNING OUTCOMES
The following critical aspects must be assessed as part of this unit:
1. Interact with customers, collect the necessary information and match customers' needs to
company products or service
2. Sell products and services including matching customers' requirements to company products and
services and finalise and record the sale
LEARNING ACTIVITIES
Class will involve a range of lecture-based training, activities, written tasks, case studies and
questioning.
STUDENT FEEDBACK
We welcome your feedback as one way to keep improving this unit. Later this semester, you will be
encouraged to give unit feedback by completing the Quality of Teaching and Learning Survey.
LEARNING RESOURCES
Other Learning Resources available to students include:
TEXTBOOKS
You do not have to purchase the following textbooks but you may like to refer to them:
Unit Code(s) Unit Title Reference Book/ Trainer & Learner Resource
edition
John Newstrom & Edward Scannell, The big
book of team building games
Trainer and Learner Resources
ASSESSMENT DETAILS
Assessment Summary
The assessment for this unit consists of the following items.
Knowledge Assessment
Formative Activities
In addition to the three assessment tasks, students will be required to complete activities as outlined
by their trainer/assessor – these will be taken from class resources, Enhance Your Future Learner
Guides.
Referencing Style
Students should use the referencing style outlined by the Trainer when preparing assignments. More
information can be sought from your Course Trainer.
2. All assignments must be within the specified timeframe (please refer to Due Date).
Assignment Marking
Students should allow 14 days’ turnaround for written assignments.
Plagiarism Monitoring
Students should use the referencing style outlined by when preparing assignments. More
information can be sought from your Trainer.
Marking Guide
C Competent: for students who have achieved all of the learning outcomes specified for that
unit/module to the specified standard.
NYC Not Yet Competent: for students who are required to re-enrol in a unit/ module in their
endeavour to achieve competence
Every student at Danford College can expect to have “timely fair and constructive assessment of
work.” Assessment tasks must be marked in such a way that the result reflects how well a student
achieved the learning outcomes and in accordance with the assessment criteria. In addition to the
final result, returned assignments must be accompanied by feedback that clearly explains how the
marking result/s was derived (summative), as well as how the student can improve (formative).
Refer to observation checklist below and/or consult your trainer/assessor for marking criteria for
this unit.
International Students: Please also refer to the ESOS framework for further details:
https://internationaleducation.gov.au/Regulatory-Information/Education-Services-for-Overseas-Students-ESOS-Legislative-Framework/ESOS-Act
ADDITIONAL INFORMATION
Contacts:
If you have a query relating to administrative matters such as obtaining assessment results, please
contact your Course co-ordinator.
Deferrals/Suspensions/Cancellations
Danford College will only allow deferrals/student requested suspensions under exceptional
compassionate circumstances. Once a student has commenced studies, students are not allowed to
take leave unless there are compelling and compassionate reasons. Please refer to the College’s
Deferment, Suspension and Cancellation Policy available in the Student Handbook and at Student
Administration. This policy has been explained to you at Orientation.
Course Progress Policy
You are expected to attend all classes and complete your units of study satisfactorily, within your
term. Your Course Trainer will make a report to the Course co-ordinator if there are any concerns
about your progress. The Course Progress Policy is available to you in the Student Handbook and at
Student Administration or on the college website www.danford.edu.au.
Assessment Conditions
Lesson/Session Plan
For face-to-face classroom based delivery on as per timetable.
Delivery Day Delivery Topics Activities to be undertaken
Knowledge Assessment - Questions and Answers
2. Who are the technical experts that should be involved in identification of risks?
3. Who is responsible for implementing the risk action plan in your organisation or an
organisation you are familiar with, and why?
4. What is the 6 step process for monitoring and reviewing risk?
5. What does the term ‘stakeholders’ typically refer to?
6. There are some general tools that can be used to identify risk. Name and briefly describe four
of them.
7. What are the general headings needed in a risk management action plan?
8. What should you keep in mind when storing OHS information?
10. What is the process used to identify a risk?
12. How should you select and implement treatments for a risk?
Task 1 – Complete a risk management plan
Create a risk management plan that's tailored for your business, a business you are familiar with or a
simulated business provided by your Assessor. To complete these tasks, you must:
1. Identify risks
What are your risks and how likely are they to occur? Some will cause major disruption while others
will be a minor irritation. You must make an educated assessment of both the likelihood and
potential severity of each risk to prioritise your planning efforts.
Once risks have been identified you need to either eliminate or minimise those risks. You should
provide specific strategies for minimising risk for each of the six subgroups.
One of the simplest and most powerful tools for a speedy recovery from a disaster is a clear picture
of, and clear directions about, who has to do what should your disaster plan have to be enacted.
Recovery contingencies should be determined by the type, style and size of your business and by the
extent of the damage.
During day to day operations, any number of risks can pop up in a business so it is important to
know how to identify any potential risks before they escalate. This will help you develop realistic and
effective strategies for dealing with risks if they occur.
Prepare a risk management plan
A risk management plan can help minimise the impact of cash flow issues, damage to brand and
other risks. It will also help create a culture of sensible risk awareness and management in your
business. Use the template given by your trainer to prepare the risk management plan.
Task 2 – Organisational Risk Management
Part A
Identify an organisation and its processes, procedures and requirements for undertaking risk
management.
For an organisation where you are the manager of a department, identify the following:
Name of the organisation, a description of the type of activities it conducts.
The organisation’s objectives/goals. (One or two sentences.)
The organisation’s requirements and processes for managing corporate and operational risks.
You are required to provide your assessor with the following document:
A document with the title
Part B
As a manager, when developing a risk management plan for a project, you need to identify a
project’s goals or objectives and its scope and critical success factors for risk management.
Describe a project designed to promote the goals/objectives of the organisation that you
identified in Part A.
This may be a major project requiring strategic change management such as:
O Technological innovation
O New products or services
O Opening new markets
O Organisational restructure
Explain the scope of the project in terms of “deliverables” (what it is designed to achieve).
Relate the deliverables to the goals/objectives of the organisation and explain how the project
promotes them.
Identify the Critical Success Factors (CSF) - factors that must be present in order for the project to
be successful and promote the organisation’s goals.
You are required to provide your assessor with the following document:
A document with the title “Scope and Critical Success Factors” containing the above information.
Part C
As a manager, when developing a risk management plan, you need to identify the key issues for
stakeholders and the methods of communicating and obtaining support for the risk management
activities.
Refer to each of the Critical Success Factors (CSF) that you identified for the project in Part B. For
each CSF:
O Identify the project stakeholders that are involved in the CSF.
Stakeholders should be considered as any individual, group or entity that the project will affect,
and may include:
Clients or customers
Suppliers and contractors
Internal project team members
Other personnel or departments within the organisation.
The project sponsor or management of the organisation
A project funding body
O Explain the relationship between each group of the stakeholders and the identified CSF.
O Discuss (one paragraph) the methods that you can use to communicate with relevant parties and
obtain their support for your risk management activities.
Explain the kinds of support that you would invite them to give.
You are required to provide your assessor with the following document:
A document with the title “Stakeholder Key Issues and Support” containing the above
information.
Part D
In your role as manager, when developing a risk management plan, you need to establish the
context of the risk management plan in relation to external factors.
Refer to the project that you identified in Part A and the context of the risk management plan that
you have developed in Part B and C.
Identify external factors that could have an impact upon the success or
otherwise of the project.
Your report should have 4 headings and one paragraph under each heading.
If you consider that these factors will have no impact upon the project, explain your reasons.
O Political factors
O Economic factors
O Social factors
O Technological factors
You are required to provide your assessor with the following document:
A document with the title “External Factors” containing the above information.
Part E
As a manager of an organisational project, you need to review the strengths and weaknesses of the
existing arrangements, within the context of the identified project.
Complete a SWOT analysis in relation to your project.
O Refer to the documents you designed in the previous tasks.
O Identify the internal strengths of the team and the organisation as it relates to your project.
O Identify any internal weaknesses of the team and the organisation as it relates to your project.
O Identify any external opportunities that exist for the organisation in relation to your project.
O Identify any external threats that exist for the organisation in relation to your project.
You are required to provide your assessor with the following document:
A document with the title “SWOT analysis” containing the above information
BSB51915 Diploma of Leadership and Management
College Copy
Student Signature:
Date :
BSB51915 Diploma of Leadership and Management
Student Copy
Student Signature:
Date :
ASSESSMENT SUMMARY / COVER SHEET
This form is to be completed by the assessor and used as a final record of student competency.
All student submissions including any associated checklists (outlined below) are to be attached to
this cover sheet before placing on the student’s file. Student results are not to be entered onto the Student
Database unless all relevant paperwork is completed and attached to this form.
Student Name:
Student ID No:
Unit
Assessors Name:
Outcome
C NYC
Result: S = Satisfactory, NYS = Not Yet Satisfactory, NA = Not Assessed
Knowledge Assessment - Questions and Answers S | NYS | NA
Task 1 – Complete a risk management plan
S | NYS | NA
Task 2 – Organisational Risk Management
S | NYS | NA
ASSESSMENT COVER SHEET
Group: Date
Assessor Name:
Declaration:
1. I am aware that penalties exist for plagiarism and unauthorized collusion with other
students.
2. I am aware of the requirements set by my educator with regards to the presentation of
documents and assignments.
3. I have retained a copy of my assignment.
Student Signature:___________________________
Date:________________________________________
QUESTION & ANSWER CHECKLIST
S NYS
Learner’s name:
Assessor’s name:
Feedback To Learner:
TASK 1 CHECKLIST
S NYS
Learner’s name:
Assessor’s name:
Observation Criteria S NS
Reviewed organisational processes, procedures and requirements for undertaking
risk management in accordance with current risk management standards
Determined scope for risk management process
Identified internal and external stakeholders and their issues
Reviewed political, economic, social, legal, technological and policy context
Reviewed strengths and weaknesses of existing arrangements
Documented critical success factors, goals or objectives for area included in scope
Obtained support for risk management activities
Communicated with relevant parties about the risk management process and
invited participation
Invited relevant parties to assist in the identification of risks
Researched risks that may apply to scope
Used tools and techniques to generate a list of risks that apply to the scope, in
consultation with relevant parties
Assessed likelihood of risks occurring
Assessed impact or consequence if risks occur
Evaluated and prioritised risks for treatment
Determined and selected most appropriate options for treating risks
Developed an action plan for implementing risk treatment
Communicated risk management processes to relevant parties
Ensured all documentation is in order and appropriately stored
Implemented and monitored action plan
Evaluated risk management process
Feedback To Learner:
87 | P a g e
ASSESSMENT COVER SHEET
Group: Date
Assessor Name:
Declaration:
1. I am aware that penalties exist for plagiarism and unauthorized collusion with other
students.
2. I am aware of the requirements set by my educator with regards to the presentation of
documents and assignments.
3. I have retained a copy of my assignment.
Student Signature:___________________________
Date:________________________________________
TASK 2 CHECKLIST
S NYS
Learner’s name:
Assessor’s name:
Observation Criteria S NS
Identified an organisation and described the type of activities it conducts
Identified the organisation’s objectives/goals in one or two sentences
Reviewed organisational processes, procedures and requirements for
undertaking risk management in accordance with current risk
management standards
Determined scope for risk management process
Described a project that promotes the goals/objectives of the organisation
identified
Explained the scope of the project in terms of “deliverables”
Identified internal and external stakeholders and their issues
Explained how the project promotes the goals/objectives of the
organisation
Reviewed political, economic, social, legal, technological and policy context
Identified the CSFs that are critical to the success of the project.
Reviewed strengths and weaknesses of existing arrangements
Documented critical success factors, goals or objectives for area included
in scope
Obtained support for risk management activities
Communicated with relevant parties about the risk management process
and invited participation
Invited relevant parties to assist in the identification of risks
Researched risks that may apply to scope
Used tools and techniques to generate a list of risks that apply to the
scope, in consultation with relevant parties
Assessed likelihood of risks occurring
Assessed impact or consequence if risks occur
Evaluated and prioritised risks for treatment
Determined and selected most appropriate options for treating risks
Developed an action plan for implementing risk treatment
Communicated risk management processes to relevant parties
Ensured all documentation is in order and appropriately stored
Implemented and monitored action plan
Evaluated risk management process
Reports display appropriate readability by using appropriate grammar and
punctuation in sentences and paragraphs.
Feedback To Learner:
Student Feedback Form
Unit BSBRSK501 Manage risk
Student Name: Date
Assessor Name:
Please provide us some feedback on your assessment process. Information provided on this form is
used for evaluation of our assessment systems and processes.
This information is confidential and is not released to any external parties without your written
consent. There is no need to sign your name as your feedback is confidential.
Rating scale: Strongly Disagree / Agree / Strongly Agree
I received information about the assessment requirements prior to undertaking the tasks: 1 2 3 4 5
The pace of this unit was: Too Slow / Great Pace / Too Fast
Comments: