Vous êtes sur la page 1sur 99

Business, Accounting and Finance

BSBRSK501 Manage risk

Learner Materials and Assessment Tasks


1|Page
Table of Contents

About BSBRSK501 Manage risk ............................................................................................................. 3


Risk Management................................................................................................................................... 7
Reviewing organisational processes, procedures and requirements for undertaking risk management
................................................................................................................................................................ 7
Identifying internal and external stakeholders and their issues .......................................................... 16
Reviewing political, economic, social, legal, technological and policy context .................................... 18
Review strengths and weaknesses of existing arrangements .............................................................. 21
Obtaining support for risk management activities ............................................................................... 24
Communicate with relevant parties about the risk management process and invite participation .... 26
Activity 1 ............................................................................................................................................... 28
Identifying Risks .................................................................................................................................... 30
Invite relevant parties to assist in the identification of risks ................................................................ 30
Researching risks that may apply to scope ........................................................................................... 32
Process charting .................................................................................................................................... 35
Activity 2 ............................................................................................................................................... 37
Analysing Risk........................................................................................................................................ 38
Assessing impact or consequence if risks occur ................................................................................... 39
Evaluating and prioritise risks for treatment ........................................................................................ 41
Activity 3 ............................................................................................................................................... 44
Selecting and implementing risk treatments ........................................................................................ 44
Developing an action plan for implementing risk treatment ............................................................... 48
Communicating risk management processes to relevant parties ...................................................... 50
Ensuring all documentation is in order and appropriately stored ........................................................ 51
Implementing and monitoring action plan ........................................................................................... 54
Evaluating risk management process ................................................................................................... 55
Activity 4 ............................................................................................................................................... 56

Note: BSBRSK501 Manage risk supersedes and is equivalent to BSBRSK501B Manage risk

Mapping Notes Date

Supersedes and is equivalent to Updated to meet Standards for 25/Mar/2015


BSBRSK501B - Manage risk Training Packages

2|Page
About BSBRSK501 Manage risk
Application

This unit describes skills and knowledge required to manage risks in a range of contexts across an
organisation or for a specific business unit or area in any industry setting.

It applies to individuals who are working in positions of authority and are approved to implement
change across the organisation, business unit, and program or project area. They may or may not
have responsibility for directly supervising others.

No licensing, legislative or certification requirements apply to this unit at the time of publication.

Unit Sector

Regulation, Licensing and Risk – Risk Management

Elements and Performance Criteria


ELEMENT PERFORMANCE CRITERIA
Elements describe the Performance criteria describe the performance needed to
essential outcomes. demonstrate achievement of the element.
1. Establish risk context 1.1 Review organisational processes, procedures and requirements
for undertaking risk management in accordance with current risk
management standards

1.2 Determine scope for risk management process

1.3 Identify internal and external stakeholders and their issues

1.4 Review political, economic, social, legal, technological and policy


context

1.5 Review strengths and weaknesses of existing arrangements

1.6 Document critical success factors, goals or objectives for area


included in scope

1.7 Obtain support for risk management activities

1.8 Communicate with relevant parties about the risk management


process and invite participation
2. Identify risks 2.1 Invite relevant parties to assist in the identification of risks

3|Page
2.2 Research risks that may apply to scope

2.3 Use tools and techniques to generate a list of risks that apply to
the scope, in consultation with relevant parties
3. Analyse risks 3.1 Assess likelihood of risks occurring

3.2 Assess impact or consequence if risks occur

3.3 Evaluate and prioritise risks for treatment


4. Select and implement 4.1 Determine and select most appropriate options for treating risks
treatments
4.2 Develop an action plan for implementing risk treatment

4.3 Communicate risk management processes to relevant parties

4.4 Ensure all documentation is in order and appropriately stored

4.5 Implement and monitor action plan

4.6 Evaluate risk management process

Foundation Skills

This section describes language, literacy, numeracy and employment skills incorporated in the
performance criteria that are required for competent performance.

Skill Performance Description

Criteria
Reading 1.1, 1.4, 1.5, 2.2  Comprehends a variety of relatively
complex texts
 Gathers, interprets and analyses textual
information from a range of sources to identify
relevant information

Writing 1.6, 1.8, 2.1, 2.3, 4.3  Develops textual material and organises
content in a manner that effectively documents
risk management analysis and assessment
priorities and processes

Oral 1.8, 2.1, 2.3, 4.3  Participates in interactions with


Communication stakeholders using questioning and listening to
elicit opinions, and to confirm and clarify

4|Page
understanding

Numeracy 2.2  Uses numerical tools to assess risk and


uses numerical data to review plans

Navigate the 1.1, 2.1, 4.3  Refers to organisational processes,


world of work procedures and requirements when making
decisions about risk management

Interact with 1.8, 2.1, 2.3, 4.3  Establishes and uses appropriate
others conventions and protocols when communicating
with stakeholders about risk management
 Consults and negotiates with
stakeholders about risk management processes
and outcomes

Get the work 1.2, 1.3, 1.5, 1.7, 2.1, 2.2,  Sequences and schedules a range of
done 2.3, 3.1, 3.2, 3.3, 4.1, 4.2, routine and complex activities, monitors
4.4, 4.5, 4.6 implementation, evaluates processes and
manages relevant communication
 Systematically analyses information to
decide on appropriate risk management
treatments
 Uses digital technologies and systems to
access information, document plans and
communicate with others

Unit Mapping Information


Code and title Code and title Comments Equivalence status

current version previous version


BSBRSK501 Manage BSBRSK501B Updated to meet Equivalent unit
risk Manage risk Standards for Training
Packages

5|Page
Performance Evidence

Evidence of the ability to:

 analyse information from a range of sources to identify the scope and context of the risk
management process including:

 stakeholder analysis
 political, economic, social, legal, technological and policy context
 current arrangements
 objectives and critical success factors for the area included in scope
 risks that may apply to scope

 consult and communicate with relevant stakeholders to identify and assess risks, determine
appropriate risk treatment actions and priorities and explain the risk management processes
 develop and implement an action plan to treat risks
 monitor and evaluate the action plan and risk management process
 maintain documentation.

Note: If a specific volume or frequency is not stated, then evidence must be provided at least once.

Knowledge Evidence

To complete the unit requirements safely and effectively, the individual must:

 outline the purpose and key elements of current risk management standards
 outline the legislative and regulatory context of the organisation in relation to risk
management
 outline organisational policies, procedures and processes for risk management.

6|Page
Risk Management1
A risk management framework will help your organisation to identify its risks and to make plans to
reduce potential negative impacts, and to improve the likelihood of beneficial outcomes.
Good risk management practices will:
• help your organisation identify and manage risks effectively
• reduce uncertainty by anticipating and preparing for possibilities and outcomes
• reduce the chance that something will go wrong and reduce the impact if it does go wrong
• improve the organisation’s performance.

For example, applying good financial risk management practices will reduce the risk of losing money
and improve the financial position of the organisation.

Involving stakeholders in your risk management planning and thinking helps to create a risk
management culture. Everyone in the organisation needs to be aware of their roles and
responsibilities and the processes for managing risks.

Involve employees in the process of developing a risk management framework to help improve their
understanding and preparedness to manage the risks they face every day.
Have a plan for how you will communicate with and engage employees, and how they can
participate and provide feedback.

Reviewing organisational processes, procedures and requirements for


undertaking risk management2
The Risk Management Process

Risk Management is defined in the standard (AS/NZS 4360:2004) as "the systematic application of
management policies, procedures and practices to the tasks of establishing the context, identifying,
analysing, assessing, treating, monitoring and communicating".

It is an iterative process that, with each cycle, can contribute progressively to organisational
improvement by providing management with a greater insight into risks and their impact.

Risk management can be applied to all levels of an organisation, in both the strategic and
operational contexts, to specific projects, decisions and recognised risk areas.

1
Source: Creative NZ, as at
http://www.creativenz.govt.nz/assets/ckeditor/attachments/1022/risk_management_toolkit_-
_august_2014.pdf?1409203287, as on 11th August, 2015.
2
Source: Southern Cross University, as at http://scu.edu.au/risk_management/index.php/8/, as on 11th
August, 2015.

7|Page
Risk is defined as 'the chance of something happening that will have an impact on objectives'. It is,
therefore, important to understand what the objectives of the organisation unit or your position,
are, prior to attempting to analyse the risks.

The Risk Management Flow Chart

8|Page
Before beginning your risk management project, it is important to take the time to review your
organisation’s risk management policies and procedures. Different organisations create different
levels of expectations for risk management strategies, along with the difference between cost
effectiveness and acceptable risk. You will need to know this information so that you can keep your
risk management project can stay in line within the company’s guidelines, goals and objectives.

You may also find that the company’s procedures provide some ideas of specific areas of risk that
you should include within your risk management assessment.

Typically, companies face the same sort of risks repeatedly, with different products, projects or
locations. If it is your company’s standard procedure to include certain types of risks in their
assessments, you will want to be sure to include them in your review.

Risks may include those relating to:

 Commercial relationships
 Economic circumstances and scenarios
 Human behaviour
 Individual activities
 Legislation

9|Page
 Management activities and controls
 Natural events
 Political circumstances
 Technology

Another thing to look for, as you are reviewing the company’s risk management procedures is any
specific formatting requirements for contingency plans. Areas such as emergency services
(Ambulance, Fire, SES and Police departments) are famous for creating contingency plans for many
different potential emergencies.

They always follow the same format in all of their plans. This allows the reader of the plan to quickly
find the information that they need.

In the case of needing to implement a contingency plan, following that standardized format may
save critical minutes in implementation. Instead of the reader having to seek out the information
they need, understand the format of your document and absorb the information that they need to
complete their part of the plan, all they have to do is open the plan to the appropriate section, and
find the information they are looking for.

If there are other risk management assessments that have been done in parallel parts of the
organisation, such as other business units, other locations or for other projects, you may want to
consider getting your hands on a copy of those risk management assessments and plans. While you
shouldn’t just blanket copy their work into yours, there is no reason to duplicate effort that has
already been expended. Often, the risk management plans created for other company facilities can
be adapted to your needs, with only minor modifications. This provides for a cost savings to the
company.
While it is useful to utilize other people’s work in the preparation of your risk management project,
don’t try and take credit for their work. Should you attempt to do so and be caught, it will reflect

10 | P a g e
poorly on you. On the other hand, if you are up front about using the risk management plan from
Division X of your company, it will appear to upper management that you are working efficiently, not
wasting the company’s resources.

Finally, your organisation’s procedures should provide you with information about how your final
documentation is to be filed; who should receive copies, where they should be located, and how
they should be distributed are all important factors in finalizing your risk management project.

Determining scope for risk management process3

Every risk management project has limitations. It is impossible for one person to achieve all possible
risks that exist for a company. This process is usually broken down into sub-projects.

It is important to determine the scope of the risk management project first, because there are
always risk factors which arise, that are outside of the person or teams authority who are
performing the risk analysis.

If you try to be all inclusive in your scope, you’ll never complete the project. Each new risk that
presents itself, can open the doors for whole new areas of risks to plan for.

The scope that you create or that is assigned by the organisation policies to you will create the limits
for your risk management project. Anything that doesn’t fall within that scope is not your
responsibility. That doesn’t mean that you should totally ignore those risks, but only that you should
note them as risks that will need to be dealt with by other teams or individuals.

3
Source: Our Community, as at
https://www.ourcommunity.com.au/insurance/view_help_sheet.do?articleid=339, as on 11th August, 2015.

11 | P a g e
You should forward the list of risks that are outside your scope of risk management to the person
who is responsible for risk management within your organization; this could be the Health and
Safety Rep.

When determining the scope of your risk management process, you need to think along practical
lines that are in agreement with your organisations operational plan. Trying to develop a risk
management program that extends across geographical separation, business units or different
projects can be extremely difficult. Realistically, your scope may apply to:

 A given project – some projects require a risk management analysis as part of the project
scope
 Specific business unit (division) or area
 Specific functions such as:
o Financial management
o WHS
o Governance
 External environment – for facilities
 Internal environment – also for facilities
 Or, in the case of a small organisation, it can cover the whole organisation

As you proceed in your risk management process, be sure to keep that scope before you. It might be
a good idea to print it out, somewhat like a slogan, and hang it on the wall in front of your desk. That
scope becomes the rule to which you compare every risk you encounter. If it is within the scope, you
deal with it, if it is outside the scope; you pass it on to others.

Questions you need to ask as part of the process of establishing a risk management context for your
organisation can be broken down into two areas: the organisation context and the strategic context.

1. The organisational context

This involves looking at your organisation's aims, activities, structure, membership and methods of
operation.

Below we have provided examples of some questions you might want to ask, with some answers
supplied for a fictional junior football club, the Joeys, to give you an idea of where to start.

12 | P a g e
What are the aims and objectives of your organisation?

What is your organisation's core activity?

Who is involved with your organisation - both internally and externally?

One way of getting a clearer picture of all the people involved in your organisation is to draw a
simple diagram, starting with a small circle in the centre in which you list the main participators in
your group's activities, and moving outward.

Going through the process of deciding who goes in which circle will help you get a clearer grasp on
what (and who) is important to your organisation.

What facilities do you have and/or use?

Try to include absolutely everything.

Also make a note if you allow anyone else to use your facilities - you could be liable if something
goes wrong.

Other questions

Finally, to establish an internal context for your risk management strategy, ask:

 What is your organisation currently doing to manage risk, either formally or informally?
 What type of insurances does your organisation have (if any)?
 What is the legal structure of your organisation. Is it incorporated?

2. The Strategic Context

This step involves looking at the environment in which your group operates. The answers to these
questions may involve some research. Some questions you should look at are:

What relationships does your organisation have and how important are these?

It's important for your organisation to recognise relationships you have established with other
parties that are necessary for you to operate. For the fictional football group the Joeys, these might
include players and parents, the league the team plays in, a peak sporting body and councils that
provide facilities they play on. Some of these will be more important than others.

Your circle diagram already undertaken (see above) will help you to define those relationships.

What laws, regulations, rules or standards apply to your organisation?

There are a lot of laws and you're supposed to observe all of them. It goes without saying that you're
not supposed to defraud people, discriminate against or harass them, or breach the general
prohibitions applying to everyone. Critically, there are laws that apply particularly to not-for-profit
organisations.

13 | P a g e
Depending on where you are and what you do, your organisation may also have to comply with
council by-laws.

External trends

In defining your strategic context you should also consider external trends. Some of these are
outlined below (though you will have others that apply to your particular organisation).

 Litigiousness: There is a greater public awareness of legal rights and an increasing tendency
for people to take legal action if they feel they have been unfairly treated. Not-for-profits
should no longer assume they will be treated leniently by the community or the courts just
because they are doing "good work". You must review your legal obligations.
 Higher standards: Volunteers require a greater level of expertise than in the past and, as a
result, are becoming harder to find and harder to hold on to. People are also more time-
poor than they used to be. What other factors are affecting your volunteer workforce?
 Duty of care: To establish a context in which to consider risks, your organisation must
identify its duty of care, and accept it. If you don't feel you can accept that level of
responsibility, your group should review its activities.

Establishing a risk management context for your organisation is the first step in the process of
successfully tackling risk management in your organisation. The second step is communicating risk
management.

The scope document and its components


A scope document shows the extent, of a project. Below is an example:

The scope document includes the following key sections:

14 | P a g e
 Scope statement - This clearly states the project goal, objectives and deliverables.
 Project constraints - These are any limiting factors that prevent the project from moving in a
particular path.
 Assumptions - These are aspects that the project manager builds into the scope document
to allow for any uncertainties that may occur.
 Tasks list - You need to specify a list of tasks (and deliverables) to be achieved during the
project.
 Estimates - You need to make initial estimates in relation to cost, time and human resource
requirements.
 Contract statement - This will include the names of those authorised to initiate contract
work, sign contracts and completion acceptances.

Risk associated with project management4


Risk management is an important part of project management. Although often overlooked, it is
important to identify as many risks to your project as possible and be prepared if something bad
happens.

Here are some examples of common project risks:

 Time and cost estimates too optimistic


 Customer review and feedback cycle too slow
 Unexpected budget cuts
 Unclear roles and responsibilities
 Stakeholder input is not sought or their needs are not properly understood
 Stakeholders changing requirements after the project has started
 Stakeholders adding new requirements after the project has started
 Poor communication resulting in misunderstandings, quality problems and rework
 Lack of resource commitment

Risks can be tracked using a simple risk log. Add each risk you have identified to your risk log and
write down what you will do in the event it occurs and what you will do to prevent it from occurring.
Review your risk log on a regular basis adding new risks as they occur during the life of the project.
Remember, when risks are ignored they don't go away.

4
GR Health, as at http://www.gru.edu/ie/epmo/documents/steptwoplanprojectpdf.pdf, as on 11th August,
2015.

15 | P a g e
Identifying internal and external stakeholders and their issues

The term “stakeholders” typically, refers to the people who have an interest or share in the project.
In the case of risk management we can include anyone and everyone whose lives and businesses can
be negatively impacted by the risks or actions of the business.

This means that stakeholders can be either internal or external. When thinking about stakeholders,
be sure to consider all of the following:

 All company staff and employees


 Owners, stockholders and investors
 Customers and customers of your customers
 Suppliers and other companies (especially small suppliers) who depend upon your business
for their business
 Your community at large (loss of jobs can have a negative impact on the community)
 Beneficiaries of your company’s profits (this can include non-profit organisations that your
company supports)

Anyone who could be affected by your company taking a negative turn can be considered a
stakeholder. Not all stakeholders will have the same concerns about how a particular risk might
affect your company. While it is easy to focus on the financial risks, there are a number of other
issues that may be issues to stakeholders in the case of a crisis striking your company.

The most important of these is the risk to health. This type of risk can be extremely dangerous, even
to the point of death. While that is rare, the risk does exist.

To a large part, risk management deals with unknowns. Nobody can see every possible risk that
exists, nor does the fact that the risk exists mean that it’s likely to happen. However, we can’t just
assume that it won’t either. The more likely a risk is, and the more severe its impact, the more ready
we need to be to deal with it.

Your stakeholders are all the internal and external people and organisations that are involved in, or
influence your organisation’s operation and achievement of objectives.
Your stakeholders influence your organisation’s risks through the potential impact that any change
in their contribution could have. For example, if the priorities of your main sponsor or funder
change, you may face a financial risk. Being reliant on volunteers may be a risk if fewer people
choose to volunteer.

Look at any analysis identifying your strengths, weaknesses, threats and opportunities (SWOT) that
you have to inform this stage.

16 | P a g e
Add other stakeholders your organisation has to the list below.
Internal stakeholders:
• board members
• management team
• employees
• volunteers.

External stakeholders:
• audience, visitors and patrons
• advertisers, media and sponsors
• funders
• members
• public and community
• clients
• contractors and suppliers
• local government (councils / territorial authorities)
• central government (ministers, crown agencies, SOE, regulators etc)
• similar or competing organisations
• suppliers
• emergency services.

Some relationships, such as with major funders, may be more important than others so consider the
effect on the organisation if there was a significant change in any of the stakeholder contributions.
The greater the influence the more important this factor or stakeholder is likely to be when you are
identifying risks in the next stage.
Ask participants in the group to discuss how your stakeholders affect or influence your organisation’s
operation and achievement of objectives and what is the importance and possible consequence of
the influence. The answers to some questions may involve research.

Use the questions below to identify risk factors in relation to each of your stakeholders. Write down
your conclusions about each stakeholder and its influence on the Stakeholder.
Questions to help you identify risk factors:
• What relationships do you have that are necessary for your organisation to operate
successfully?
• What relationship does the organisation have with those stakeholders, what do they contribute
and how important are these?
• How do those stakeholders effect or influence your organisation’s achievement of its purpose
(or the achievement of an event or project)?
• What changes or trends may affect your stakeholders or your operation?

17 | P a g e
• What perceptions do your external stakeholders have about your organisation and your
activities?
• What are your contractual relationships and obligations?
• What laws, regulations, rules or standards apply to your organisation?

Reviewing political, economic, social, legal, technological and policy context

Many factors external to your company can create risks. While you must accept that these exist, and
that they are outside of your control; that doesn’t mean that you should just ignore them, or hope
that they will never be a problem.

Therefore, as part of your risk management analysis, you need to take into account as many outside
influences as you possibly can. These may include:

 Political climate
 What effect a downturn in the economy will have to your company or project
 New applications for existing technologies that can invalidate existing products
 How trends, fads and other changes in society can negatively affect your company
 Potential upcoming changes in the political climate
 The state of the economy
 Proposed legislation, and how it can affect your company
 New technologies being introduced into the marketplace

Specific risk areas

Commercial and strategic risks arising from:

 Competition
 Market demand levels
 Growth rates
 Technological change
 Stakeholder perceptions
 Market share
 Private sector involvement
 New products and services and
 Site acquisition

Economic risks arising from:

 Discount rate
 Economic growth
 Energy prices
 Exchange rate variation
 Inflation

18 | P a g e
 Demand trends
 Population growth and
 Commodity prices

Contractual risks arising from:

 Client problems
 Contractor problems
 Delays
 Insurance and indemnities and
 Joint venture relations

Financial arising from:

 Debt/equity ratios
 Financing costs
 Taxation impacts
 Interest rates
 Investment terms
 Ownership
 Residual risks for government and
 Underwriting

Poverty arising from:


 Weak governance
 Remoteness
 Low incomes
 Gender inequalities
 Social and ethnic inequalities
 Low education
 Poor infrastructure
 Weak institutions
 Inadequate policy framework and
 Human rights infringements

Environmental arising from:


 Amenity values
 Approval processes
 Community consultation
 Site availability/zoning
 Endangered species
 Conservation/heritage
 Degradation or contamination
 Environmental emergencies and

19 | P a g e
 Visual intrusion

Political risks arising from:

 Parliamentary support
 Community support
 Government endorsement
 Policy change
 Sovereign risk and
 Taxation

Social arising from:

 Community expectations and


 Pressure groups
 Activity initiation
 Analysis and briefing
 Functional specifications
 Performance objectives
 Innovation
 Evaluation program and
 Stake holder roles and responsibilities

Procurement planning arising from:


 Industry capability
 Technology and obsolescence
 Private sector involvement
 Regulations and standards
 Utility and authority approvals
 Completion deadlines and
 Cost estimation

Procurement and contractual Arising from:


 Contract selection
 Client commitment
 Consultant/contractor performance
 Tendering
 Negligence of parties

20 | P a g e
Review strengths and weaknesses of existing arrangements

In most cases there will be an established risk analysis from which you will begin. However, even if
you are creating a totally new analysis, there are probably some contingency plans already in
existence.

It is quite possible that there are already plans in existence for some of the risks that you are going
to be working on. If so, there is no reason not to use them. However, if this plan is not strong enough
you will have to revise it.

Realistically speaking, there’s no such thing as a perfect plan. All plans have strong points and weak
ones. Experience in creating plans can help reduce the number of weak points in a given plan, but
the fact that there are too many variables which are outside of your control precludes creating a
perfect plan.

So, once you have identified the risk, there are two general approaches that you can choose from to
begin the decision making process.

Will you:

 Control the risk? That is, take ownership of it, and directly implement strategies to take the
risk and deal with it
 Transfer the risk? That is, remove the risk from the organisation or the process within the
organisation

Conducting a SWOT Analysis


Conducting a SWOT Analysis to determine the best control measures for risk is a common approach.
Organisations use this tool to identify their internal strengths and weaknesses and external or
environmental threats and opportunities. The analysis allows an organisation to answer the
question: ‘where are we now?’

When analysing the best control measures for risk, the SWOT questions become:

 What are the strengths of this control measure?


 What are the weaknesses of this control measure?
 What are the opportunities provided by using this control measure?
 What are the threats involved in using this control measure?

21 | P a g e
The SWOT analysis can comprise five major categories and can be compiled using the following
matrix:

When reviewing existing contingency plans, it is helpful to identify which items are flexible and
which are rigid. A good plan will often have the first elements rigid and consistent, so that the
people who have to react to those plans won’t have to think about which option to take. At the
same time, follow-up parts of the plan will have the flexibility to overcome weaknesses caused by
the difference between the expected emergency used in creating the plan, and the actual crisis that
erupts.

For example, let’s say that there is an emergency plan for dealing with weather or natural disaster
damage to a facility. Since the type of weather damage can vary, we really don’t know all the details
of how the facility may be damaged. However, there are some things which should always be done,
for reasons of safety. These can include shutting off the assembly line, shutting off power and
natural gas to the facility, evacuating personnel and a final sweep through the facility to determine
that everyone has vacated. No matter what sort of disaster strikes the facility, these elements are
always done.

Once those steps have been completed, it’s time to move into the flexible phase of the plan. In this
phase, some personnel may be allowed back into the facility, key data may be removed from the
facility, or materials in process may be removed from equipment, to avoid damaging that
equipment.

How we implement these flexible elements of the contingency plan will depend upon the severity of
the crisis, how rapidly the crisis is developing and a number of safety factors. While it may seem
inefficient to force everyone to evacuate the facility, then allow them back in to take care of those
flexible elements, it insures everyone’s safety. Machines and materials can be replaced, people
can’t.
As part of your review of existing plans, you need to seek out “holes” in the plans, which can put
people, material or critical data at risk. Pay special attention to systems which have been put into
place since the creation of that plan, as those are the most likely places to encounter these holes.

22 | P a g e
For example, a risk management plan may contain contingency plans for backup of data that is in the
IT computer cloud. However, it might not deal at all with information stored on personal computers.
At the time that the original plan was created, there was no risk of that, because all critical data was
stored in IT; however, changes in operations have created new types of data storage in
departmental servers or individual computers. That creates a “hole” in the plan, which needs to be
“plugged” in the new plan.5

Documenting critical success factors, goals or objectives for area included in


scope

Risk management, like other aspects of project management, will need success criteria. Without
these you won’t know if the project has ended. When putting together a project management plan,
if key points or activities on that plan do not have success criteria, then it will be hard to assess how
easily they can be met i.e. where the risk areas are.

Once criteria have been identified the project management team will need to agree how they are
measured. If the objectives are not clear, criteria for its completion cannot be set. Even if the
objective and success criteria are clear the measurement may not be easy.

Any difficulty in setting objectives and criteria will result in higher risk as there will be a lack of
confidence in completion. How do we find out the exact nature of the objective, criteria and
measurement techniques? There is no short cut, we have to ask the people that know (for
objectives) and agree criteria and measurement techniques with them.

You can decide which factors are the most critical by determining how great an impact it will have on
your company to not have those things functioning correctly. Some things, like cleaning the offices,
will only create an inconvenience for your staff. Others, like the computer system going down, can
totally shut down your business. Can you imagine the impact of having the computer system of an e-
commerce business go down?

As part of determining the impact of risks, it is important to determine the critical success factors,
goals and objectives. They are the most important factors for your company to have contingency
plans for. The following questions might assist you in this process:

 Where does my company’s income come from?


 What affects my company’s reputation in the marketplace?
 What functions are critical to insure that my company can continue operations? Are there
some that we can do without for a day, or a week?
 Which company goals are essential to insure continued operations? How would a delay in
the completion of those goals affect the company?

5
http://tae.fortresslearning.com.au/?page_id=4945

23 | P a g e
 How many shareholders are affected by the temporary cessation of this function?

Every risk that you encounter will end up needing to be compared to each of these critical factors.
Any risk factor can affect a number of different factors, each of them to a different extent, with a
different overall impact to the company’s operations.

Obtaining support for risk management activities


Creating a supportive work environment
A supportive work environment is a key component of continuous learning. Valuing learning from
experience, sharing best practices and lessons learned, and embracing innovation and responsible
risk-taking characterise an organisation with a supportive work environment. An organisation with a
supportive work environment would be expected to:

Promote learning

 By fostering an environment that motivates people to learn


 By valuing knowledge, new ideas and new relationships as vital aspects of the creativity that
leads to innovation; and
 By including and emphasising learning in strategic plans

Learn from experience

 By valuing experimentation, where opportunities are assessed for benefits and


consequences
 By sharing learning on past successes and failures; and
 By using "lessons learned" and "best practices" in planning exercises

Demonstrate management leadership

 By selecting leaders who are coaches, teachers and good stewards


 By demonstrating commitment and support to employees through the provision of
opportunities, resources, and tools; and
 By making time, allotting resources and measuring success through periodic reviews (e.g.,
learning audits)

Individual or Team approach


Safety culture is described as the attitudes, values, norms and beliefs which a particular group of
people share with respect to risk and safety. All workers are the key to a successful safety culture.
Risk Management will only work if all team members are committed to the process. The first step in
the process of risk identification is to form a risk management team, as per direction of the
governing group.

However in some smaller organisation the responsibility of risk identification is allocated to one
worker or contracted to an external risk management team. A team approach works better because
the diversity of skills that various staff have will strengthen the risk management process.

24 | P a g e
The skills mix in an organisation may include:

 Financial expertise
 OH&S expertise
 Emergency services expertise
 HR expertise
 Legal knowledge
 Board or management committee
 Industry Expertise
 Staff representation
 Board or management committee representation (governance)
 Staff representation from the ground up
 Management
 Volunteer representation
 Other specialist expertise, depending on the work context for example: appropriate
responses to violent/potentially violent clients, hazardous chemicals, etc.

Whether the process is driven by a risk management team, more common –even in smaller
organisations with few staff; or an individual, the role is as follows:

 Identifying risks
 Identifying exposures
 Documenting risks
 Developing an action plan
 Putting it into practice
 Monitoring
 Review

The importance of training

Risk management training is important in the workplace in order for employees:

 To understand the overall Management of Risk Process


 To be able to apply a variety of techniques to determine and quantify potential risks
 To be able to develop alternative solutions and use a variety of techniques to determine
which one(s) to implement
 To understand the importance of planning and implementing identified actions

25 | P a g e
Topics which should be covered during risk management training include:

 What is 'Risk'?
 Positive Risk taking
 Business Risks versus project Risk
 The 'Management of Risk' model
 The steps in Risk analysis
 Numeric versus discrete levels when estimating risks
 Evaluating Risks
 The steps in Risk management
 Risk response and action planning
 Risk assessment methods (advanced)
 The people side of Risk
 Putting it into practice

Another important part of the process of risk management is ensuring that managers and employees
can:

 Recognise a hazard when they encounter one


 Assess the risk that each hazard poses
 Develop controls appropriate to the risk
 Implement those controls; for example, carry out safe work procedures accurately

Each of these steps requires skills specific to the task and to the organisation. While recruitment
processes can deliver staff with some of these skills, others will need to be developed during their
employment with you, and will need to be refreshed or increased as part of continuous
improvement.

Communicate with relevant parties about the risk management process and
invite participation

As with any business process, identifying the stakeholders and developing pathways of
communication are critical for a successful implementation of risk management. Stakeholders may
have perceptions regarding risk factor impacts or conceptualise the process in a different way than
other relevant parties. Because stakeholders have such a high level of influence, it is important to
seek consultation and keep communication pathways open in order to foster a supportive
environment for risk management activities. Communication and consultation must occur during

26 | P a g e
each step of the process. Participation from stakeholders and other relevant parties can assist in
broadening the considerations relating to the risk management program.

Stakeholders can be both internal and external to the team, department, company and industry.
Internal stakeholders include those people who are directly involved in or affected by the activities
prescribed for the team, department, or company. They include employees, managers, owners, and
shareholders. External stakeholders involve the people or groups outside the organisation that have
an influence on or are influenced by the procedures and processes involved in the risk management
program. Examples of external stakeholders include customers, vendors, suppliers, consultants,
government agencies, regulatory agencies, industry groups, and educational organisations.

Relevant parties may include:

 All staff
 Internal and external stakeholders
 Senior management
 Specific teams or business units
 Technical experts

Communication processes involve the dissemination of information through training and


educational seminars, newsletters, emails, meetings, presentations, etc. The way to communicate
information is to make sure you:

 Accept and involve the public/other consumers as legitimate partners


 Plan carefully and evaluate your efforts with a focus on your strengths, weaknesses,
opportunities, and threats
 Listen to the public’s specific concerns
 Be honest, frank, and open
 Coordinate and collaborate with other credible sources.
 Meet the needs of the media
 Speak clearly and with compassion

Communication and consultation are essential elements of risk management. They are critical at
every step to ensure all the participants understand, are involved in, and contribute to the process.
The effectiveness of your Risk Management process depends upon, amongst other things, involving
the right people at the right time.

27 | P a g e
Communication is the sharing of information and viewpoints

Effective communication has the following attributes:

 It is multi-directional. Information, ideas and perspectives are shared across functional


areas, and senior management are receptive to the views of their subordinates
 It involves information and opinions. Other people’s perspectives are understood and
acknowledged. Factual information is gathered from all relevant sources. No individual or
department has a monopoly on “the facts”
 It is interactive. Listening is as important as talking. Good communication involves the
sharing of information, opinions and experiences
 It is respectful. It focuses on ideas and information, not personalities
 Communication is most effective in an environment where people are valued and their
viewpoints are respected
 It engages the participants, promoting their understanding and ownership of the outcomes

Consultation is a process that uses communication to make effective decisions. Importantly,


consultation is not an outcome or an end in itself; it is a means by which outcomes are achieved.

Consultation gives stakeholders the opportunity to influence decisions, however, it is not joint
decision making, but rather an effective way to receive useful input and ensure that all relevant
viewpoints are taken into account in identifying and evaluating risks. Communication and
consultation are essential to the overall risk management process as well as each individual step in
that process.

A well-structured approach to communication and consultation can provide the following benefits:

 Organisational coherence and a positive culture for risk management implementation


 Trust and understanding, resulting in better internal and external relationships
 The risk management process becomes tangible: people know what it is and how it works
 Integration of multiple perspectives
 Risk management embedded as an ongoing part of management and organisational practice

Each step of the Risk Management process relies on communication and consultation to achieve its
purpose. For instance, in setting the context, consultation with internal and external stakeholders is
essential to reach a thorough understanding of the operating environment and to define the
purpose and scope of the exercise.

28 | P a g e
Activity 1

Think carefully about your workplace, or a workplace you are familiar with. How do they establish
risk context? Briefly describe the steps that they take/could take to do this. (If you do not work in
an organisation, briefly describe the steps that you could take to do this).

29 | P a g e
Identifying Risks6

Invite relevant parties to assist in the identification of risks

Identifying potential risks is best achieved through a brainstorming session. Just like with any other
brainstorming session, the more people you can get involved in the process, the better. By having a
group of people involved, you can generate more ideas.

People who may be involved to assist in the identification of risks are:

Stakeholders:

 Managers
 Supervisors
 Health and safety and other employee representatives
 OHS committees
 Employees and contractors
 The community

Key personnel are:

 People who are involved in OHS decision-making or who are affected by decisions.

OHS technical advisors:

 Risk managers
 Health professionals
 Injury management advisors
 Legal practitioners with experience in OHS
 Engineers (such as design, acoustic, mechanical, civil)
 Security and emergency response personnel
 Workplace trainers and assessors
 Maintenance and trade persons

OHS specialists:

 Safety professionals
 Ergonomists
 Occupational hygienists

6
Source: Queensland Government, as at https://www.business.qld.gov.au/business/starting/starting-a-
business/managing-risk/identifying-risks, as on 11th August, 2015.

30 | P a g e
 Audiologists
 Safety engineers
 Toxicologists
 Occupational health professionals

When you invite people to participate in identifying possible risks, be sure to invite as broad a range
of people as possible, from as broad a range of departments as possible. Each department will have
its own view of things, some of which can be quite unique. Purchasing and engineering don’t see
things the same way, nor do production and maintenance. However, between all those different
viewpoints, you are more likely to identify potential risks.

Types of risk

There are many different types of risk. The Australian standard (AS/NZS ISO 31000:2009, Risk
management) defines risk as 'the chance of something happening that will have an impact on
objectives'. The types of risk you face will therefore be specific to your business and its objectives,
but will generally relate to the following areas.

Financial risks

These risks include both external risks, such as changes in interest rates or commodity prices, and
internal risks such as cash flow shortages, customers defaulting on payments, depreciation of assets.

Operational and environmental risks

These risks cover a range of environmental, human, systems and procedural impacts such as illness
or retirement of key staff, equipment breakdown, natural disasters and software failures.

Legal risks

These risks include contractual breaches and non-compliance with regulations such as changes to
work health and safety standards.

Strategic risks

These risks relate to your business strategies such as changes in customer demand, increased
competition, adopting new technology and pursuing new business opportunities.

Privacy and information risks

These risks relate to non-compliance with state and national privacy laws on recording, storing and
disposing of customer information.

31 | P a g e
Researching risks that may apply to scope

Every idea that is brought forth in your brainstorming session has some merit. You won’t really know
how much merit each idea has, until you research the likelihood of that problem happening.

For the ideas that were brought forth in your brainstorming


session, you’ll need to research. That research may include:

 Data or statistical information


 Information from other business areas
 Lessons learned from other projects or activities
 Market research
 Public consultation
 Review of literature and other information sources

It is only through accurate research that you will be able to truly


quantify the severity and likelihood of any risk factor. Trying to do so, without taking the time to
research, is only a guessing game. This doesn’t serve the interests of your company. Wrong guesses
can be extremely expensive.

These methods will help you identify risks that are relevant to your particular business:

 Thoroughly review your business plan and ask as many 'what if?' questions as you can.
 Brainstorm with your accountant, financial adviser, staff and other interested parties. Get as
many different perspectives as you can.
 Analyse a wide range of possible future events and their outcomes (scenario analysis).
Analyse economic, political, legislative and operating scenarios.
 Use flow charts, checklists and inspections to break down and analyse your work procedures
(systems analysis).

For any method, always ask these questions:

 When, where, why, and how are risks likely to occur in this business?
 Are the risks internal, external or random?
 Who might be involved or affected if this occurs?

Once you've identified risks, you'll need to analyse their likelihood and consequences and then come
up with options for managing them.

32 | P a g e
Using tools and techniques to generate a list of risks that apply to the scope,
in consultation with relevant parties

Risk identification Techniques


The terms ‘hazard’ and ‘risk’ tend to be used interchangeably, but risk represents more than a
hazard. Risk takes into account scale, consequences, frequency, duration, extent, probability of
occurrence, and time range. There are some general tools that can be used to identify risk. These
can be incorporated within established risk management processes in any organisation and include:

Inspections: walking through and conducting inspections of each task, location, team, group or
process within an organisation. This can be done by individual managers or team leaders and
supervisors. It can also be done by senior or executive management.

Consultation: a process that allows evidence on unreported incidents to be gathered, for example,
injuries, machine breakdown. Again these meetings can be held on a local or team or group or senior
management level. The results of a number of these meetings can then be incorporated in further
meetings with managers at different levels.

Safety or management audits: these can be conducted by individual managers or team leaders and
focus on their own or associated areas, or can be conducted by members of the organisation who
specialise in this area.

Testing: of plant and equipment in an operational context, or of staff in a service area. This also can
be accomplished as part of the local group or team approach or can be part of a wider organisation-
wide approach.

Scientific or technical evaluation or expert instruction in up-to-date methods (service industry):


these are usually provided by third parties or consultants and often form part of the training process
of the organisation.

Collection and evaluation of material: from suppliers, manufacturers, designers, and from safety
organisations, unions, interest groups and employer organisations.

33 | P a g e
Expert advice: engaging professional consultants and advisors, lawyers, engineers, safety experts,
process experts.

Seeking government or regulatory information and help: from government departments,


investigatory and regulatory bodies, royal commissions, commissions of inquiry, coronial inquests,
industrial commission hearings, statistical bodies and ‘think tanks’.

Networking: with other members of the market, or users of similar machines or processes.

Benchmarking: is a process of seeking out and identifying the best practices of the organisation’s
competitors, where those best practices represent a higher quality level or performance. The
process means that the organisation, having identified the best practice in the industry then uses
that ‘benchmark’ as the quality standard to be obtained within its industry.

Of course the selection of individual tools and methods to identify risk is largely dependent on the
type of organisation, process and market. The type of tools you use should also be chosen by taking
into consideration the nature of the workforce or membership of the organisation. So take care to
ensure that the tool or method selected is appropriate to the people using and reviewing the
methods.

Brainstorming; the brainstorming process can take various forms, but one of the most effective is in
meetings of staff in an environment where there is freedom to experiment with ideas and to express
opinions. Brainstorming is usually a process of energetic interaction with the goal of forming and
discussing ideas and concepts in a round-table or group dynamic. It allows examination of existing
and emerging risk by using the ideas and experience of fellow workers, managers, experts, other
stakeholders and the users of the process or service.

Brainstorming is a vibrant tool which is designed to open up the creative imaginations of the
participants and to encourage open debate concerning a wide variety of possible alternatives to the
existing or proposed systems and procedures and services.

Audits and physical inspections; Regulatory based risk management procedures often include
regular audits and inspections, for example Occupational Health and Safety, activities of brokers and
traders on the Australian Stock Exchange register and the regulation of Registered Training
Organisations.

Many organisations have their own internal audit and inspection processes, including:

 Direct observation of activities by appropriate personnel


 Judgments based on experience –personal, local, or international
 Surveys, questionnaires, interviews
 System modelling and analysis 7

7
Source: Frontline Care Solutions, as at
http://www.google.com.au/url?sa=t&rct=j&q=&esrc=s&source=web&cd=3&ved=0CC0QFjAC&url=http%3A%2
F%2Fwww.frontlinecaresolutions.com%2FLiteratureRetrieve.aspx%3FID%3D79124&ei=1t0QVNyjJcnkuQTXlIKQ

34 | P a g e
Process charting
The fishbone diagram provides a good example of a process chart, sometimes called a cause and
effect diagram. Each line or ‘fishbone’ represents an area that may have caused a problem.

Scenario analysis
This is a process of examining options and competing scenarios based on an assessment of future
events. The focus is on the future and may take into account past and present events as elements of
the examination. One topical example which has emerged in the 20th and 21st Century is the
planning of security responses to possible terrorist threats.

Benchmarking similar organisations and activities


Benchmarking is as you have seen above, a process of identifying the industry best practice, and
setting that as the standard for the particular organisation. The process involves significant industry
knowledge and an ability to examine competitors’ processes in order to identify why that market is
dominant or produces the leading product or service.

System or process flow charts –especially useful in recognising and identifying potential areas of
problem within the process flow.

CA&usg=AFQjCNEbqowMjuyZ1sWuyetgB4l7OFmMcQ&sig2=WHkkQk3u5k6MfynEdjfitA&bvm=bv.74894050,d.
c2E, as on 11th August, 2015.

35 | P a g e
36 | P a g e
Influence diagrams –demonstrate the influence that different aspects of a process have on each

other.

All the above are examples of tools that can be used to evaluate or identify risks in the workplace.

Activity 2

When identifying risks, there are three things you need to ensure you do. List them in the table
below, then give a brief description of what they involve.
Task Brief Description

37 | P a g e
Analysing Risk

Assessing likelihood of risks occurring

The next step of the risk assessment is to determine or estimate both the likelihood of a risk arising
and its potential consequences. All available data sources should be used to understand the risks.
These may include: historical records, procurement experience, industry practice, relevant published
literature, test marketing and market research, experiments and prototypes, and expert and
technical judgement and independent evaluation.

The risk analysis involves:

 An estimate of the likelihood of each risk arising. This might be done initially on a simple
scale from 'rare' to 'almost certain', or numerical assessments of probability might be made
 An estimate of the consequences of each risk. This might be done initially on a simple scale
from 'negligible' to 'severe', or quantitative measurements of impacts might be used8

Analysis of risk levels can be conducted on the inherent risks (assuming no controls are in place) or
on residual risk (that remaining after considering existing control strategies). The former ‘zero-
based’ approach would be appropriate at the outset of an activity or when considering a possibility
of revising controls. The latter would be appropriate when monitoring management action or
reviewing implementation.

The purpose of analysing risk is to provide information to enable the evaluation of risks, using
predefined likelihood and consequence criteria. Risk analysis uses judgments and assumptions,
which may involve uncertainty and be based on incomplete information. Therefore, the best
available information sources and techniques should be used. Wherever possible the confidence
placed on estimates of levels of risk should be included.

8
Source: AUSAid, Australian Government, as at http://portals.wi.wur.nl/files/docs/ppme/ausguidelines-
risk_management.pdf, as on 11th August, 2015.

38 | P a g e
Assessing impact or consequence if risks occur

Impact itself can be assessed in terms of its effect on:

 Cost
 Quality
 Time
o This includes the time taken to:
 Identify, record and report the risk
 Analyse and assess the risk
 Address the risk
 Either reduce its impact or remove it completely as a potential risk
Risk proximity is about:

 When and where the risk will occur


 Its role in the process or system
 Its damage or potential damage reaches

Our first step in assessing a risk is to determine the likelihood of the risk occurring, meaning what
are the chances. See below for a scale to gauge how likely the risk is:

1. Not likely - 10%


2. Low likelihood - 30%
3. Likely - 50%
4. Highly likely - 70%
5. Near certainty - 90%

Just as we did with the likelihood of a risk occurring, the impact or consequences of the risk needs to
be rated. In this case, we are dealing with the amount of disruption to normal business operations
that the event can cause.

The following table shows that the impact of risk is generally ranked from ‘minimal’ (level 1) to
‘severe’ (level 5). You can see from the detail descriptions that these levels focus on the degree to
which the business is affected in regards to its financial and service capability.

LEVEL DESCRIPTOR EXAMPLE DETAIL DESCRIPTION


1 Minimal No service impact; low financial
loss
2 Minor Minimal disruption to service
capability; medium financial
loss
3 Moderate Interruptions to service
delivery; high financial loss

39 | P a g e
4 Significant Loss of service capability; major
financial loss
5 Severe Loss of business continuity;
huge financial loss

Analysing the risk will help you decide the impact of the risk on your company and will enable you to
control for this when required.

Another Example:

Likelihood scale example


Level Likelihood Description
4 Very likely Happens more than once a year in this industry
3 Likely Happens about once a year in this industry
2 Unlikely Happens every 10 years or more in this industry
1 Very unlikely Has only happened once in this industry
Consequences scale example
Level Consequence Description
4 Severe Financial losses greater than $50,000
3 High Financial losses between $10,000 and $50,000
2 Moderate Financial losses between $1000 and $10,000
1 Low Financial losses less than $1000

40 | P a g e
Note: The scales above use 4 different levels; however, you can use as many levels as you need. Also
use descriptors that suit your purpose (e.g. you might measure consequences in terms of human
health, rather than dollar value).

Once you have established the likelihood and consequences of a particular risk, you then need to
create a risk rating table for evaluating the risk. Evaluating a risk means making a decision about its
severity and ways to manage it.

Use the following formula to calculate risk rating: Likelihood x Consequences = Risk rating

For example, you may decide the likelihood of a fire is 'unlikely' (a score of 2) but the consequences
are 'severe' (a score of 4). Using the tables above, a fire therefore has a risk rating of 8 (i.e. 2 x 4 = 8).

Risk rating table example


Risk rating Description Action
12-16 Severe Needs immediate corrective action
8-12 High Needs corrective action within 1 month
4-8 Moderate Needs corrective action within 3 months
1-4 Low Does not currently require corrective action

Your risk evaluation should consider:

 the importance of the activity to your business


 the amount of control you have over the risk
 potential losses to your business
 any benefits or opportunities presented by the risk.

Once you have identified, analysed and evaluated your risks, you need to rank them in order of
priority. You can then decide what methods you will use to treat unacceptable risks.

Evaluating and prioritise risks for treatment

A simplified risk analysis can be conducted using probability theory:

Likelihood X consequence = Risk Score

So, by using these two scales, any potential risk can be rated with a risk score. For example, if we live
in an area which commonly has severe thunderstorms, which disrupt electrical service to our
distribution facility for 2 to 3 hours, we might assign a likelihood score of 5 and an impact score of 3.
That would give us a risk score of 15, considering the maximum score we can get with this system is
25, that’s a fairly high risk score.

41 | P a g e
The criteria for ranking and recording:

 Take into consideration whether the risk falls within established or accepted guidelines
 Differentiate between risks that have high impact/consequence/likelihood and those having
low impact/consequence/likelihood
 Assign value to identified risks using available tools
 Assess consequences and likelihoods

A risk that has been analysed as having a ‘catastrophic impact’(loss of business continuity; huge
financial loss) is ranked as an ‘extreme ‘level risk if the probability is ‘likely ‘but ‘high ‘if the
probability is ‘rare’. Immediate action is required, involving senior management, to manage the risk.

Sample Level of Risk Matrix

EXAMPLE OF RISK TABLE OF DEFINITIONS

E Extreme risk; immediate action required

H High risk; senior management attention needed

M Moderate risk; management attention must be specified

L Low risk; manage by routine procedures

Acceptability Risk level

Acceptable Low and Moderate

Not acceptable High and Extreme

Risk Criteria include:

 Scope of the risk policy


 Internal and external contexts
 Internal and external stakeholders
 Corporate objectives, policies, values and visions
 Standards and laws
 Resource availability
 Social, economic, environmental, and political factors

Another type of scale describes risk in terms of acceptable levels:

 Broadly acceptable level of risk


 Best achievable level of risk
 As low as reasonably practicable (ALARP)

42 | P a g e
 Generally intolerable level of risk

B.F. Hough (1985) developed the following diagram to show the relationship between cost and risk.
This type of reference can contribute to the evaluation and prioritisation process by representing
different factors relating to risk.

Each risk decision and its implementation will have to be based upon what is the most logical and
cost effective for your company. At times, the cost of implementing a change may be so great, that it
is impractical to accomplish. In those cases, mitigation of the impact may consist of buying insurance
against that event occurring, thus transferring some of the risk to an insurance company.

43 | P a g e
Activity 3

Complete the risk analysis table below by indicating true or false for each statement

Please Tick () True False

All available data sources should be used to understand the risks.

Analysis of risk levels can only be conducted on the inherent risks (assuming
no controls are in place) and not on residual risk (that remaining after
considering existing control strategies).
Analysing the risk will help you decide the impact of the risk on your
company and will enable you to control for this when required.
A simplified risk analysis can be conducted using probability theory:

Likelihood + consequence = Risk Score


A risk that has been analysed as having a ‘catastrophic impact’(loss of
business continuity; huge financial loss) is ranked as an ‘extreme ‘level risk if
the probability is ‘likely ‘but ‘high ‘if the probability is ‘rare’.
Each risk decision and its implementation will have to be based upon what is
the most logical and cost effective for your company.

Selecting and implementing risk treatments

Risk treatment involves working through options to treat unacceptable risks to your business.
Unacceptable risks range in severity; some require immediate treatment, others can be monitored
and treated later.

Before you decide which risks to treat, you need to gather information about the:

 method of treatment
 people responsible for treatment
 costs involved
 benefits of treatment
 likelihood of success
 ways to measure and assess treatments.

44 | P a g e
Once you decide how to treat identified risks you will need to develop, and regularly review, your
risk management plan.

The following are different options for treating risk.

Avoid the risk

You may decide not to proceed with the activity likely to generate the risk, where practical.
Alternatively, you may think of another way to reach the same outcome.

Reduce the risk

You can control a risk by:

 reducing the likelihood of the risk occurring - for example, through quality control processes,
managing debtors, auditing, compliance with legislation, staff training, regular maintenance
or a change in procedures
 reducing the impact if the risk occurs - for example, through emergency procedures, off-site
data backup, minimising exposure to sources of risk or public relations.

Transfer the risk

You may be able to shift some or all of the responsibility for the risk to another party through
insurance, outsourcing, joint ventures or partnerships.

Accept the risk

You may accept a risk if it cannot be avoided, reduced or transferred. However, you will need to
have plans for managing and funding the consequences of the risk if it occurs.

Determining and selecting most appropriate options for treating risks

Risk treatment involves identifying the range of options for treating risk, assessing those options,
preparing risk treatment plans and implementing them. It is probable that a combination of options
will be required to treat complex risks. Once a risk is well understood and it is clear that some
treatment will be required, detailed analysis of treatment options may be required. There will
usually be several options, each entailing different costs and benefits and each offering a different
level of risk mitigation.

45 | P a g e
Key outcomes steps

Identify treatment options


The most suitable risk treatment options for the organisation are identified.

The options are summarised below.

The control or management of risk can be different on an organisational or industry basis. However
there are seven commonly used approaches:

APPROACH DESCRIPTION
1. Elimination / reduction  In this approach the risk is either reduced to its lowest
management possible level to enable it to be managed, or it is
eliminated
 This latter course may involve divesting a
manufacturing process, a particular service within a
general service industry, or simply deleting a process
and replacing it with a newer, safer or alternative
system
 A variation in this approach is not to eliminate the risk if
that is too difficult or too late, but to reduce or
eliminate its effect
2. Assumption of risk  Insurance companies assume risk as part of their
operations. Here the expression ‘assume risk’ means to
knowingly accept the risk as part of the agreement with
the person/company that pays the premium.
Organisations unused to risk may assume or accept its
effect because to fail to do so might negatively affect
the organisation’s operations
 Once again the decision to assume a risk must be taken
bearing in mind the competing issues of cost, proximity
and extent of the risk
3. Transfer risk  Insurance is a means of transferring the risk, through
the payment of insurance premiums, to an insurance
company
 It is important to understand that this is generally a way
of managing financially based risk. The insurance
company can only really assume a financial risk. It is not
able to assume risk that relates to culture, personnel or
manufacturing for example
 So if the risk of the factory burning down is identified,
then the financial risk can be transferred to the
insurance company, but the actual risk of losing specific
or specialist machinery cannot
 Often organisations only transfer part of the financial
risk having assessed the insurance premium cost as too
high to transfer it all

46 | P a g e
 To offer a personal example, this may be compared
with a householder insuring the contents of the house
against fire, but not paying extra for the loss of
specialist jewellery or stereo equipment. It then falls on
the householder to fund the replacement of such items
4. Changing processes  Risk can be avoided by changing processes, or refraining
from an activity. This is often an ongoing process of
change from risk identification
 Organisations with a positive risk identification and
management culture are ready and willing to change or
remove processes that demonstrate a greater degree of
risk or risk potential
 Changing a process to avoid an activity also requires a
positive risk management culture as this can be
confronting and expensive, particularly if the process
needs to be replaced
 The change or replacement of a process in order to
manage a risk must also be undertaken using risk
management procedures. In other words, the new
process must not create or support the same or similar
risk it was designed to eliminate
5. Delaying  An organisation may defer a risk, by delaying it until
such time as it is able to assume the risk or deal with it
in a better and more positive way
 An organisation may believe that research or
development
 It’s undertaking will make it more able to deal with the
risk at a later time
6. Sharing risk  Organisations may seek to share risk with other
organisations by way of joint ventures or cooperative
options
 A good example of this is seen in the construction and
maintenance of motorways in capital cities where
government and private industry come together to
share the expense
 Similarly in recent times wine and beer companies have
combined with manufacturing industries associated
with wine and beer production, when entering new
markets such as China
7. Spread and minimise  An organisation may attempt to spread and
locations of the risk minimise locations of the risk, e.g. a company may
spread its outlets and workforce to a number of
areas in order to spread or reduce the risk of an
incorrect decision in relation to geographic
marketing. For example, a retailer may have outlets
in a number of locations in a town to ensure the
product is available to as many potential customers
as possible

47 | P a g e
The purpose of evaluating risks is to prioritise the need for treatment plan development. Once that
is completed, it is time to determine the best treatment plan option for that particular risk. There
are a number of different options which you can apply to any risk:

 Accept the risk


 Avoid the risk
 Reduce the risk
 Develop a contingency plan
 Mitigate the impact
o Change the consequences
o Change the likelihood
 Transfer or Share the risk with a third party

Regardless of the final decision ensure that all relevant parties have signed off on it. Although you
may be in charge of developing the risk management plan, this is a group project, with group
decisions.

Developing an action plan for implementing risk treatment

A risk management plan details your strategy for treating risks. It details information about:

 identified risks
 the level of risks
 your planned strategy
 the time frame for implementing your strategy
 the resources required
 the individuals responsible for ensuring the strategy is implemented.

Your final plan should include appropriate objectives, a budget and milestones on the way to
achieving those objectives.

Reviewing your risk management plan

The business environment is constantly changing. The type of risks you face will change as your
business develops and grows. Regularly reviewing your risk management plan is therefore essential
for identifying new risks and monitoring the effectiveness of your risk treatment strategies.

The action plan formalises the risk management process. The specific format of the risk
management action plan will vary from one organisation to another, but the following is an example
of a relatively straightforward methodology.

 Risk
 Date identified
 Level of risk
 Reason for risk rating

48 | P a g e
 Risk priority /risk ranking
 Action (what is to be done)
 What resources are required
 Who is responsible for the action
 Timeline-when should the action be completed
 Strategy for informing relevant stakeholders- i.e. staff volunteers, board, corporate
sponsors, etc.
 Review date

A risk control action plan is essential for the effective and systematic introduction of risk control
actions. Remember to compare the levels of the risk control hierarchy with the time frame when
determining target dates.

Sample risk treatment action plan

49 | P a g e
Communicating risk management processes to relevant parties
Risk management communication is the sharing of information about risk and risk management
between the decision makers and others. Parties can communicate at any stage of the risk
management process. When all parties in a project communicate their expectations and perceptions
early and often, the “disconnects” between opposing parties can be readily established.

Steps can then be taken to resolve those differences and align everyone’s expectations and
perceptions. To be effective, communication must flow both up and down the chain of command so
that all parties are informed.

Good planning will lead to good communication. All parties should agree on acceptable means and
lines of communication early in the process. Develop tools to aid the communication process such as
correspondence logs, telephone conversation logs, and e-mail protocol. Communication must be
handled in a professional and courteous manner.

When dealing with a contentious issue, it is not a good practice to send a letter or e- mail
immediately after composing it. Take time and then re-read the communication before sending it.
Communicating only the facts of the case and avoiding emotional outbursts or statements of opinion
can help to avoid problems or making problems worse. 9

Communication factors such as language and literacy


Effective communication is obviously critical to genuine participation. The specific needs of
individuals in the workplace need to be taken into account. Individuals will have different levels of
literacy and either may not speak much English or may not have English as their first language. For
example, induction and instruction in policies and procedures need to reflect the language and
literacy levels of each person, and things like safety and emergency warning signs, which are for the
whole workplace, need to be based on easily understandable pictures, rather than complex
language.

Communication must be a two-way street. If individuals are to be able to participate in OHS activity
in a meaningful way they need access to information in a format they can understand, and they
need to be able to communicate back to OHS representatives, supervisors, OHS advisers and others
easily. 10

Diversity of workers
Employees may come from different cultural, age and educational backgrounds with different views
about personal responsibility and authority; they will have different previous experiences,
knowledge and skills and may have different learning styles. They may have external pressures and

9
Source: Civil Engineer, as at http://civilengineerblog.com/foundation-risk-management/, as on 11th August,
2015.
10
Safetyline Institute, as at
http://institute.safetyline.wa.gov.au/pluginfile.php/1642/mod_label/intro/BSBOHS503B.pdf, as on 11th
August, 2015.

50 | P a g e
stresses in their lives or pre-existing physical injuries. All these factors need to be taken into
consideration in designing and developing participative arrangements.

Your risk management plan must be distributed to all appropriate personnel; especially those who
have a part in implementing the plan.

Distribution of your risk management plan to key personnel is best accomplished through a meeting
where you briefly explain the plan. I say briefly, because we all have the tendency to become long
winded when we are talking about our own pet project. You need to ensure that the information
you share verbally in that meeting is the key information, nothing more. Everything else will be
provided in the written plans that you distribute in the meeting.

Ensuring all documentation is in order and appropriately stored

Not only do you need to distribute the risk management plan to relevant parties, you’ll need to
ensure that copies are created and stored in your company’s information management system. In
many companies, this is a computerised system for the storage of all pertinent company
information. Since part of your risk factors include the possibility of something happening to the
company’s computer systems, you should also ensure that hard copies are created and stored.

It is essential that all copies of the risk management plan are created equal. Nothing can cause more
confusion than to have two different versions of a contingency plan floating around, when it is time
to implement that plan. Instead of the plan becoming a tool to ensure that everyone knows what to
do, it becomes a point of argument, impeding corrective action.

To ensure that all copies are created equal, you want to limit people’s ability to copy it. That can be a
little tricky, considering the ready access to copy machines in most companies. The one thing that
can work in your favour is that most people don’t like standing in front of a copy machine, waiting
for it. So, by placing notices in the plan, instructing people where they can get their own copy, you
reduce the likelihood of them copying somebody else’s.

Now that you have everyone coming to the same place to receive their copies of the risk
management plan, your next step is to ensure that you keep an accurate log of who has those
copies. This log should contain a minimum of:

 Person’s name
 Title
 Department
 Phone number or extension
 Office location

This list will then become your distribution list for any changes. While not everyone will be quick to
put the updates into their binder, those who have secretaries will be sure to have accurate binders,
with all the latest updates. In other words, the people who have the greatest responsibility and

51 | P a g e
authority in your company will have the updated copies; not because they do the updating, but
because secretaries are really good at making sure that gets done.

Document management is a vital ingredient in any risk management process. For example, where
the risk is addressed by regulatory authorities, then an organisation which is subject to those
regulations must retain the supporting documents to show it has met or exceeded the risk
guidelines. In some situations this forms part of their due diligence procedures. Due diligence is a
formatted or sometimes regulated process of risk assessment and identification. Where an
organisation conducts a process of due diligence it follows a set or agreed procedure to examine
processes, documents or systems, to determine a set of agreed standards.

You should document the results of the analysis process, including changes and recommendations.
These documents should be easy to understand by all those whose role includes their use. It is very
important that all documentation communicates clearly. Often people who are very literate will
write documents that are difficult to understand.

Make sure you use plain English and that your message is understood by all who read it. Keep in
mind that language difficulty also impact on the success of the documents used and must always be
taken into account.

The person writing the document must be clear about:

 The reason the document is being created


 What is should contain
 Its purpose –what it will be used for and who will be reading it

There is always a role for training in relation to the completion of the documents, and that training
should take these issues into account. Focusing on the documentation may also highlight the need
for amendments to be made to operational and training manuals, schedules, checklists and
instructional documents to ensure they communicate clearly.

Storage of OHS information


In storing information, it is important to remember that information is being stored so that it can be
used. It is important not to create ‘data cemeteries’. So when deciding how to store information
keep in mind:

 Why is the information being stored?


 Who will want to use it?
 When and how often will they want to access the information?
 What protections (privacy, confidentiality) are required for the information?
 What ‘links‘, or other factors, need to be considered for the data to be meaningful?
 What technology is available?
 What are the skills of the people in using the technology?
 This will then lead to the following questions:
 What is the best medium (electronic; hard copy) for storage?
 What is the best format for organising the information?

52 | P a g e
 What skills and technology will be required to access the information?

Most organisations will have some records, such as incident and injury reports, workplace
inspections and/or newsletters, in hard copy.

 Hard copy formats tend to be used where:


 The original record is in handwriting
 The original requires a signature; and
 The material is ‘for information’ and is usually circulated or left in an open location for
people to read (i.e. newsletter)

Even in the smallest community services organisation is likely to have electronic storage for any
information or records that meet one or more of the following criteria.

The record or document has to be:

 Communicated to somebody else


 Retained for legal reasons
 Collated to identify a trend; and
 Used for planning

There are many software options for storing electronic OHS information. These options may range
from simple spreadsheets to highly interactive purpose-designed software packages that may
incorporate functions such as incident reporting, injury management, chemical and risk registers,
asset and maintenance registers and training records.

Having determined the format for storing OHS information (i.e. the nature of software) the next
question is whether it should be on a single computer or networked hardware for an intranet-type
system.

It is beyond the scope of this unit to compare the relative features of the various systems, but some
factors to consider are:

 Who needs to access the information?


 Do they have access to the hardware?
 Do they have the skills to access the system?
 What level of technological support is required/available?

53 | P a g e
Implementing and monitoring action plan

Part of your role will be to implement and monitor the action plan throughout its life.

Invariably, your risk management plan will require a number of actions to be taken in order to
implement it. I’ve already mentioned the need to take the initiative to insure that those items are
completed. You can’t count on others, even other managers doing it, because they are all busy with
other work.

It would be advisable to create a master list of action items that need to be done to implement your
risk management plan. Depending upon how many risk factors you have discovered, and the types
of options you have selected for dealing with these risks, you may have a rather extensive list of
items on your to do list.

Hopefully, there will be some overlap in different action items, where the same action item may deal
with several different risks. Take insurance for example; you may have identified several different
risks (fire, hurricane, earthquake) for which the option decided upon was to share the risk with a
third party, an insurance company. In reality, that’s only one action item, although it deals with
three separate risks. You can take that one action item to the appropriate party, and track the
progress of it as one line item on your master list.

While there are parts of the risk management plan which require your direct involvement to
implement, especially if the appropriate manager doesn’t have the time or resources to implement
them, there are other parts which will be implemented by other. You will still want to track these
areas, to insure that they are actually completed and not derailed mid-stream.

Once the action items have been implemented, you also need to check and monitor, to ensure that
they will function as expected. There are always a certain number of plans that don’t work out the
way we expect. Don’t be so rigid that you can’t recognise a failure when you see it. Should that
happen, be willing to admit your fault and try something else. People will respect you for admitting
your fault.

54 | P a g e
Evaluating risk management process

Risk management is a continual process. Reaching a point of completion in a risk management


project, only means that it’s time to go back and review everything over again.

It is critical to constantly monitor and review the processes and outcomes. Monitoring and reviewing
risk management processes helps to include risk management as a valuable part of the company.
The risk management process in not static but is taken in the context of the internal and external
environments. As these environments change, the variables affecting risk also change.

Evaluating the process of risk management can be assigned to individuals within departments or to
dedicated staff depending upon the nature of the organisation and the resources available.
Consultants may be brought in at critical times to evaluate processes and institute changes based on
risk contexts or environmental, social and political changes.

In addition to planned and scheduled monitoring and review sessions to examine new risk, review of
the management plan must be ongoing in order to stay relevant. As policies, procedures, and visions
of a corporation change, risk changes. As external contexts change, risks change. Suitability and cost
factors for treatment options change. Treatment options or contingency plans may lose relevancy
throughout the process. External variables such as legislative actions may develop which creates a
different context under which to analyse and evaluate risk.

Examination of successes and failures in relation to anticipated outcomes is a necessary component


of the risk management process. It increases the probability that future risks can be evaluated with
higher levels of accuracy and greater success. An inability to achieve outcomes does not indicate
failure, but provides an opportunity to gain valuable knowledge regarding process change.
Duplication of ineffective processes leading to a repetition of unachieved outcomes indicates a
failure to learn. That can be tragic when corporations, and the people that depend on them, are at
risk.

One of the key components to the risk management process is keeping an accurate record of
documentation relating to the communications, justifications, analyses and relevant information
pertaining to risk. Remember how we began the risk assessment process? With research relating to:

 Data or statistical information


 Information from other business areas
 Lessons learned from other projects or activities
 Market research
 Previous experience
 Public consultation
 Review of literature and other information sources

55 | P a g e
Monitoring is not only a practical requirement but a legal obligation, as the common law duty of care
and WHS legislation requires that the employer “provide and maintain a working environment that
is safe”.

All organisations should ensure that risk identification, assessment analysis, evaluation techniques
and the change arising from these processes fall within the culture of the organisation. This requires
commitment from the most senior levels of management in the organisation, and it requires
communication throughout all ranks of the organisation.

Leadership and coaching are two of the most commonly used processes to engage an organisation in
cultural change to embrace the issues of risk identification and management and the issues arising
from the change that flows from these procedures.

Activity 4

When selecting and implementing treatments, there are six things you need to ensure you do. List
them in the table below, then give a brief description of what they involve.

Task Brief Description

56 | P a g e
Life is full of risks. Everything we do, from buying a car, to crossing the street carries some degree of
risk. Therefore, it shouldn’t surprise us that our business activities have risk associated with them as
well. While some of those business activities carry very little risk, others come loaded with risk at
every turn. Some risks have a great potential for impact, while the impact of others can hardly be
seen.

57 | P a g e
While the risks in our personal life can cause problems for us and our families, even the smallest
business risks carry a much broader potential for causing damage. Employees, customers and even
people who seem unrelated to our business can end up being hurt by the risks associated with
business.

We had a perfect example of this with the earthquake and tsunami that hit Japan in March of 2011.
Millions of lives were affected by what happened; first by the earthquake, then the tsunami, and
then by the damage to the nuclear power plant. Not only workers in the plant were affected, but
millions of customers, everyone who lived within 20 miles of that nuclear plant, even people as far
away as the western part of the United States were affected by what happened in that event.

Even without the destruction and eventual meltdown of the nuclear power plant, the tsunami itself
wreaked havoc on the northeastern part of the Japanese home island of Honshu. Over five million
families lost their homes, with over 15,000 lives lost.

"In many cases, there is nothing we can do to stop these disasters from happening. Risk
management isn’t about that, it’s about understanding the potential risks and managing how a
company deals with that risk"

If you have any questions about this resource please ask your trainer. They will be only too happy to
assist you when required.

58 | P a g e
Business, Accounting and Finance
BSBRSK501 MANAGE RISK
This unit describes skills and knowledge required to manage risks in
BSBRSK501 Manage risk a range of contexts across an organisation or for a specific business
unit or area in any industry setting.

It applies to individuals who are working in positions of authority and


are approved to implement change across the organisation, business
unit, program or project area.

They may or may not have responsibility for directly supervising


others.

The Risk Management Process


Typically, companies face the same sort of risks repeatedly, with
Risk Management is defined in the standard (AS/NZS 4360:2004) as "the
different products, projects or locations. If it is your company’s
systematic application of management policies, procedures and
practices to the tasks of establishing the context, identifying, analysing, standard procedure to include certain types of risks in their
assessing, treating, monitoring and communicating". assessments, you will want to be sure to include them in your review.

It is an iterative process that, with each cycle, can contribute


progressively to organisational improvement by providing management Risks may include those relating to:
with a greater insight into risks and their impact.
• Commercial relationships
Risk management can be applied to all levels of an organisation, in both • Economic circumstances and scenarios
the strategic and operational contexts, to specific projects, decisions and • Human behaviour
recognised risk areas. • Individual activities
Risk is defined as 'the chance of something happening that will have an • Legislation
impact on objectives'. • Management activities and controls
• Natural events
It is, therefore, important to understand what the objectives of the • Political circumstances
organisation unit or your position, are, prior to attempting to analyse the • Technology
risks.

In the case of needing to implement a contingency plan, following that


standardized format may save critical minutes in implementation. Every risk management project has limitations. It is impossible for
one person to achieve all possible risks that exist for a company.
Instead of the reader having to seek out the information they need,
This process is usually broken down into sub-projects.
understand the format of your document and absorb the information
that they need to complete their part of the plan, all they have to do is
open the plan to the appropriate section, and find the information they
are looking for.

It is important to determine the scope of the risk management


project first, because there are always risk factors which arise, that
are outside of the person or teams authority who are performing the
risk analysis.
Risk management is an important part of project management. Although often Stakeholders
overlooked, it is important to identify as many risks to your project as possible
The term “stakeholders” typically, refers to the people who have an interest or
and be prepared if something bad happens.
share in the project.
Here are some examples of common project risks:
In the case of risk management we can include anyone and everyone whose
 Time and cost estimates too optimistic lives and businesses can be negatively impacted by the risks or actions of the
 Customer review and feedback cycle too slow business.

 Unexpected budget cuts


Your stakeholders are all the internal and external people and organisations
 Unclear roles and responsibilities
that are involved in, or influence your organisation’s operation and achievement
 Stakeholder input is not sought or their needs are not properly understood of objectives.
 Stakeholders changing requirements after the project has started
Your stakeholders influence your organisation’s risks through the potential
 Stakeholders adding new requirements after the project has started impact that any change in their contribution could have.
 Poor communication resulting in misunderstandings, quality problems and For example, if the priorities of your main sponsor or funder change, you may
rework face a financial risk.
 Lack of resource commitment
Being reliant on volunteers may be a risk if fewer people choose to volunteer.

Many factors external to your company can create risks. While you must accept
Conducting a SWOT Analysis to determine the best control measures for risk is a
that these exist, and that they are outside of your control; that doesn’t mean that
common approach. Organisations use this tool to identify their internal strengths
you should just ignore them, or hope that they will never be a problem.
and weaknesses and external or environmental threats and opportunities. The
Therefore, as part of your risk management analysis, you need to take into analysis allows an organisation to answer the question:‘where are we now?’
account as many outside influences as you possibly can. These may include:
 Political climate
When analysing the best control measures for risk, the SWOT questions become:
 What effect a downturn in the economy will have to your company or project
 What are the strengths of this control measure?
 New applications for existing technologies that can invalidate existing
products  What are the weaknesses of this control measure?

 How trends, fads and other changes in society can negatively affect your  What are the opportunities provided by using this control measure?
company  What are the threats involved in using this control measure?
 Potential upcoming changes in the political climate
 The state of the economy
 Proposed legislation, and how it can affect your company
 New technologies being introduced into the marketplace

Documenting critical success factors, goals or As part of determining the impact of risks, it is important to determine
the critical success factors, goals and objectives. They are the most
objectives for area included in scope
important factors for your company to have contingency plans for. The
Risk management, like other aspects of project management, will need
success criteria. following questions might assist you in this process:

Without these you won’t know if the project has ended. When putting  Where does my company’s income come from?
together a project management plan, if key points or activities on that plan  What affects my company’s reputation in the
do not have success criteria, then it will be hard to assess how easily they marketplace?
can be met i.e. where the risk areas are.  What functions are critical to insure that my
company can continue operations? Are there
Once criteria have been identified the project management team will need
some that we can do without for a day, or a
to agree how they are measured. week?
If the objectives are not clear, criteria for its completion cannot be set. Even  Which company goals are essential to insure
if the objective and success criteria are clear the measurement may not be continued operations? How would a delay in the
easy. completion of those goals affect the company?

Any difficulty in setting objectives and criteria will result in higher risk as  How many shareholders are affected by the
there will be a lack of confidence in completion. temporary cessation of this function?
The importance of training;
Obtaining support for risk management activities
Risk management training is important in the workplace in order for employees:
Creating a supportive work environment
Topics which should be covered during risk management training include:
A supportive work environment is a key component of continuous
 What is 'Risk'? The steps in Risk analysis
learning. 

 Positive Risk taking  Numeric versus discrete levels


Valuing learning from experience, sharing best practices and lessons
 Business Risks versus project Risk when estimating risks
learned, and embracing innovation and responsible risk-taking
characterise an organisation with a supportive work environment.  The 'Management of Risk' model  Evaluating Risks
 The steps in Risk management
An organisation with a supportive work environment would be
expected to:  Risk response and action planning
 Risk assessment methods
• Promote learning (advanced)
• Learn from experience  The people side of Risk
• Demonstrate management leadership  Putting it into practice

Communicate with relevant parties about the risk


Communication is the sharing of information and viewpoints
management process and invite participation
Effective communication has the following attributes:
As with any business process, identifying the stakeholders and developing pathways of
communication are critical for a successful implementation of risk management.  It is multi-directional. Information, ideas and perspectives are shared across
functional areas, and senior management are receptive to the views of their
Stakeholders may have perceptions regarding risk factor impacts or conceptualise the subordinates
process in a different way than other relevant parties.
 It involves information and opinions. Other people’s perspectives are
Because stakeholders have such a high level of influence, it is important to seek understood and acknowledged. Factual information is gathered from all
consultation and keep communication pathways open in order to foster a supportive relevant sources. No individual or department has a monopoly on “the facts”
environment for risk management activities.
 It is interactive. Listening is as important as talking. Good communication
Communication and consultation must occur during each step of the process. involves the sharing of information, opinions and experiences
Participation from stakeholders and other relevant parties can assist in broadening the  It is respectful. It focuses on ideas and information, not personalities
considerations relating to the risk management program.
 Communication is most effective in an environment where people are valued
Relevant parties may include: and their viewpoints are respected
• All staff
• Internal and external stakeholders  It engages the participants, promoting
• Senior management their understanding and ownership of the outcomes
• Specific teams or business units and Technical experts

Researching risks that may apply to scope

Every idea that is brought forth in your brainstorming session has


some merit. You won’t really know how much merit each idea has, until
ACTIVITY 1 you research the likelihood of that problem happening.
For the ideas that were brought forth in your brainstorming session,
you’ll need to research.
Think carefully about your workplace, or a workplace you are That research may include:
familiar with.  Data or statistical information

How do they establish risk context?  Information from other business areas
 Lessons learned from other projects or activities
Briefly describe the steps that they take/could take to do this. (If
 Market research
you do not work in an organisation, briefly describe the steps that
you could take to do this).  Public consultation
 Review of literature and other information sources
Risk identification Techniques
Invite relevant parties to assist in the identification of
risks
The terms ‘hazard’ and ‘risk’ tend to be used interchangeably, but risk represents
more than a hazard. Risk takes into account scale, consequences, frequency,
Identifying potential risks is best achieved through a brainstorming session. Just
duration, extent, probability of occurrence, and time range. There are some
like with any other brainstorming session, the more people you can get involved
general tools that can be used to identify risk. These can be incorporated within
in the process, the better.
established risk management processes in any organisation and include:
• Inspections
By having a group of people involved, you can generate more ideas.
• Consultation
• Safety or management audits
People who may be involved to assist in the identification of risks are: • Testing
• Scientific or technical evaluation or expert instruction in up-to-date methods
• Stakeholders
(service industry)
• Key personnel; People who are involved in OHS decision-making or who are • Collection and evaluation of material
affected by decisions. • Expert advice
• OHS technical advisors • Seeking government or regulatory information and help
• Networking
• OHS specialists
• Benchmarking

Many organisations have their own internal audit and inspection


Scenario analysis
processes, including:
This is a process of examining options and competing scenarios based on an
 Direct observation of activities by appropriate personnel assessment of future events.
 Judgments based on experience –personal, local, or international The focus is on the future and may take into account past and present events as
 Surveys, questionnaires, interviews elements of the examination.
 System modelling and analysis One topical example which has emerged in the 20th and 21st Century is the
planning of security responses to possible terrorist threats.
Process charting
The fishbone diagram provides a good example of a process chart, sometimes Benchmarking similar organisations and activities
called a cause and effect diagram. Each line or ‘fishbone’ represents an area that Benchmarking is as you have seen above, a process of identifying the industry best
may have caused a problem. practice, and setting that as the standard for the particular organisation.
The process involves significant industry knowledge and an ability to examine
competitors’ processes in order to identify why that market is dominant or
produces the leading product or service.

Assessing likelihood of risks occurring


The next step of the risk assessment is to determine or estimate both the
likelihood of a risk arising and its potential consequences.
ACTIVITY 2 All available data sources should be used to understand the risks. These may
include: historical records, procurement experience, industry practice, relevant
published literature, test marketing and market research, experiments and
When identifying risks, there are three things you need to prototypes, and expert and technical judgement and independent evaluation.
ensure you do.

List them in the table provided in your workbook, then give a The risk analysis involves:
brief description of what they involve.  An estimate of the likelihood of each risk arising. This might be done
initially on a simple scale from 'rare' to 'almost certain', or numerical
assessments of probability might be made
 An estimate of the consequences of each risk. This might be done initially
on a simple scale from 'negligible' to 'severe', or quantitative measurements
of impacts might be used
Assessing impact or consequence if risks occur
Our first step in assessing a risk is to determine the likelihood of the risk
occurring, meaning what are the chances. See below for a scale to gauge
Impact itself can be assessed in terms of its effect on:
how likely the risk is:

 Cost 1. Not likely - 10% LEVEL DESCRIPT EXAMPLE DETAIL DESCRIPTION


OR
 Quality 2. Low likelihood - 30% 1 Minimal No service impact; low financial loss
 Time 2 Minor Minimal disruption to service capability;
 This includes the time taken to: 3. Likely - 50% medium financial loss
3 Moderate Interruptions to service delivery; high
 Identify, record and report the risk 4. Highly likely - 70% financial loss
 Analyse and assess the risk 4 Significant Loss of service capability; major financial
 Address the risk 5. Near certainty - 90% loss
 Either reduce its impact or remove it completely as a potential risk 5 Severe Loss of business continuity; huge
financial loss
Just as we did with the likelihood of a risk occurring, the impact or
Risk proximity is about:
consequences of the risk needs to be rated.
 When and where the risk will occur
 Its role in the process or system In this case, we are dealing with the amount of disruption to normal
 Its damage or potential damage reaches business operations that the event can cause.

Evaluating and prioritise risks for treatment


A simplified risk analysis can be conducted using probability
theory:
ACTIVITY 3
Likelihood X consequence = Risk Score
Complete the risk analysis table in your workbook by
So, by using these two scales, any potential risk can be rated with a indicating true or false for each statement
risk score. For example, if we live in an area which commonly has
severe thunderstorms, which disrupt electrical service to our
distribution facility for 2 to 3 hours, we might assign a likelihood
score of 5 and an impact score of 3.

That would give us a risk score of 15, considering the maximum


score we can get with this system is 25, that’s a fairly high risk score.

The following are different options for treating risk.


Selecting and implementing risk treatments
Avoid the risk
Risk treatment involves working through options to treat You may decide not to proceed with the activity likely to generate the risk, where
unacceptable risks to your business. practical. Alternatively, you may think of another way to reach the same outcome.
Reduce the risk
Unacceptable risks range in severity; some require immediate
You can control a risk by:
treatment, others can be monitored and treated later.  reducing the likelihood of the risk occurring - for example, through quality control
processes, managing debtors, auditing, compliance with legislation, staff training,
Before you decide which risks to treat, you need to gather regular maintenance or a change in procedures
information about the:
 method of treatment  reducing the impact if the risk occurs - for example, through emergency
procedures, off-site data backup, minimising exposure to sources of risk or public
 people responsible for treatment relations.

 costs involved Transfer the risk


 benefits of treatment You may be able to shift some or all of the responsibility for the risk to another party
through insurance, outsourcing, joint ventures or partnerships.
 likelihood of success Accept the risk
You may accept a risk if it cannot be avoided, reduced or transferred. However, you will
 ways to measure and assess treatments.
need to have plans for managing and funding the consequences of the risk if it occurs.
Developing an action plan for implementing risk Communicating risk management processes to relevant
treatment parties
A risk management plan details your strategy for treating risks. It
Risk management communication is the sharing of information about
details information about:
 identified risks risk and risk management between the decision makers and others.

 the level of risks Parties can communicate at any stage of the risk management process.

 your planned strategy When all parties in a project communicate their expectations and
perceptions early and often, the “disconnects” between opposing
 the time frame for implementing your strategy parties can be readily established.
 the resources required
 the individuals responsible for ensuring the strategy is Steps can then be taken to resolve those differences and align
implemented. everyone’s expectations and perceptions.

 Your final plan should include appropriate objectives, a budget and To be effective, communication must flow both up and down the chain of
milestones on the way to achieving those objectives. command so that all parties are informed.

Evaluating risk management process


Ensuring all documentation is in order and
appropriately stored
Risk management is a continual process. Reaching a point of completion in a
Not only do you need to distribute the risk management plan to relevant risk management project, only means that it’s time to go back and review
parties, you’ll need to ensure that copies are created and stored in your everything over again.
company’s information management system. In many companies, this is
It is critical to constantly monitor and review the processes and outcomes.
a computerised system for the storage of all pertinent company
Monitoring and reviewing risk management processes helps to include risk
information. Since part of your risk factors include the possibility of
management as a valuable part of the company. The risk management
something happening to the company’s computer systems, you should
process in not static but is taken in the context of the internal and external
also ensure that hard copies are created and stored.
environments. As these environments change, the variables affecting risk
It is essential that all copies of the risk management
plan are created equal. Nothing can cause more also change.
confusion than to have two different versions of a Evaluating the process of risk management can be assigned to individuals
contingency plan floating around, when it is time to within departments or to dedicated staff depending upon the nature of the
implement that plan. Instead of the plan becoming a organisation and the resources available. Consultants may be brought in at
tool to ensure that everyone knows what to do, it critical times to evaluate processes and institute changes based on risk
becomes a point of argument, impeding corrective contexts or environmental, social and political changes.
action.

Life is full of risks. Everything we do, from buying a car, to crossing the street
carries some degree of risk. Therefore, it shouldn’t surprise us that our
business activities have risk associated with them as well. While some of
those business activities carry very little risk, others come loaded with risk at
ACTIVITY 4 every turn. Some risks have a great potential for impact, while the impact of
others can hardly be seen.
While the risks in our personal life can cause problems for us and our
families, even the smallest business risks carry a much broader potential for
When selecting and implementing treatments, there are six causing damage. Employees, customers and even people who seem
things you need to ensure you do.
unrelated to our business can end up being hurt by the risks associated with
business.
List them in the table in your workbook, then give a brief
description of what they involve. "In many cases, there is nothing we can do to stop these disasters from
happening. Risk management isn’t about that, it’s about understanding
the potential risks and managing how a company deals with that risk“
If you have any questions about this resource please ask your trainer. They
will be only too happy to assist you when required.
Any Questions?
Student Assessment Information
The process you will be following is known as competency-based assessment. This means
that evidence of your current skills and knowledge will be measured against national and
international standards of best practice, not against the learning you have undertaken either
recently or in the past. (How well can you do the job?)

Some of the assessment will be concerned with how you apply the skills and knowledge in
your workplace, and some in the training room.

The assessment tasks utilized in this training have been designed to enable you to demonstrate
the required skills and knowledge and produce the critical evidence required so you can
successfully demonstrate competency at the required standard.

What happens if your result is ‘Not Yet Competent’ for one or more assessment tasks?

The assessment process is designed to answer the question “has the participant satisfactorily
demonstrated competence yet?” If the answer is “Not yet”, then we work with you to see how we
can get there.
In the case that one or more of your assessments has been marked ‘NYC’, your Trainer will provide
you with the necessary feedback and guidance, in order for you to resubmit/redo your assessment
task(s).
What if you disagree on the assessment outcome?

You can appeal against a decision made in regards to an assessment of your competency. An appeal
should only be made if you have been assessed as ‘Not Yet Competent’ against specific competency
standards and you feel you have sufficient grounds to believe that you are entitled to be assessed as
competent.
You must be able to adequately demonstrate that you have the skills and experience to be able to
meet the requirements of the unit you are appealing against the assessment of.
You can request a form to make an appeal and submit it to your Trainer, the Course Coordinator, or
an Administration Officer. The RTO will examine the appeal and you will be advised of the outcome
within 14 days. Any additional information you wish to provide may be attached to the form.
What if I believe I am already competent before training?

If you believe you already have the knowledge and skills to be able to demonstrate competence in
this unit, speak with your Trainer, as you may be able to apply for Recognition of Prior Learning
(RPL).
Credit Transfer
Credit transfer is recognition for study you have already completed. To receive Credit Transfer, you
must be enrolled in the relevant program. Credit Transfer can be granted if you provide the RTO with
certified copies of your qualifications, a Statement of Attainment or a Statement of Results along
with Credit Transfer Application Form. (For further information please visit Credit Transfer Policy)

59 | P a g e
LEARNING OUTCOMES
The following critical aspects must be assessed as part of this unit:

1. Interact with customers, collect the necessary information and match customers' needs to
company products or service
2. Sell products and services including matching customers' requirements to company products and
services and finalise and record the sale

LEARNING ACTIVITIES

Class will involve a range of lecture based training, activities, written task, case study and
questioning.

STUDENT FEEDBACK

We welcome your feedback as one way to keep improving this unit. Later this semester, you will be
encouraged to give unit feedback through completing the Quality of Teaching and Learning Survey

LEARNING RESOURCES
Other Learning Resources available to students include:

 Candidate Resource & Assessment: BSBRSK501 Manage Risk.


 Presentation handout
 PPT Presentation

TEXTBOOKS

You do not have to purchase the following textbooks but you may like to refer to them:

Unit Code(s) Unit Title Reference Book/ Trainer & Learner Resource

BSBRSK501 Manage Risk.  7BCole, Kris. 2010 Management Theory and


Practice
 Judith Dwyer,2006 The Business
Communication Handbook 7th edition
 Joan V Gallos, Business Leadership 2nd

60 | P a g e
edition
 John Newstrom & Edward Scannell, The big
book of team building games
 Trainer and Learner Resources

Additional Reference Texts  Cole, Kris. 2010 Management Theory and


Practice, 4th Edition. Pearson
 Dwyer, Judith, 2009 the Business
Communication Handbook 8th Edition.
Pearson
 Hubbard, Rice & Beamish. Strategic
rd
Management 2008 3 Edition. Pearson (on
order)
 John Viljoen and Susan Dann, Strategic
Management
 Monger, Brian Marketing in Black and
White 2007 Pearson
 Judith Dwyer,The Business Communication
Handbook 7th edition. 2006 Pearson
 Joan V Gallos, Business Leadership 2nd
edition. 2008 John Wiley & Sons, Inc
 John Newstrom & Edward Scannell, The big
book of team building games. McGraw-Hill
 Michael Dulworth, the Connect Effect. 2008
BK Publishers, Inc

ASSESSMENT DETAILS

Assessment Summary
The assessment for this unit consists of the following items.

Knowledge Assessment

Task 1: Complete a risk management plan

Task 2: Organisational Risk Management

61 | P a g e
Formative Activities
In addition to the three assessment tasks, students will be required to complete activities as outlined
by their trainer/assessor – these will be taken from class resources, Enhance Your Future Learner
Guides.

Referencing Style
Students should use the referencing style outlined by the Trainer when preparing assignments. More
information can be sought from your Course Trainer.

Guidelines for Submission


1. An Assignment Cover Sheet (or cover page) must accompany all assignments at front to
confirm it is your own assessment/ work.

2. All assignments must be within the specified timeframe (please refer to Due Date).

Assignment Marking
Students should allow 14 days’ turnaround for written assignments.

Plagiarism Monitoring
Students should use the referencing style outlined by when preparing assignments. More
information can be sought from your Trainer.

Marking Guide
C Competent: for students who have achieved all of the learning outcomes specified for that
unit/module to the specified standard.

NYC Not Yet Competent: for students who are required to re-enrol in a unit/ module in their
endeavour to achieve competence

S Satisfactory: has achieved all the work requirements

NS Not Satisfactory: has not achieved all the work requirements

Every student at Danford College can expect to have “timely fair and constructive assessment of
work.” Assessment tasks must be marked in such a way that the result reflects how well a student

62 | P a g e
achieved the learning outcomes and in accordance with the assessment criteria. In addition to the
final result, returned assignments must be accompanied by feedback that clearly explains how the
marking result/s was derived (summative), as well as how the student can improve (formative).

Refer to observation checklist below and/or consult your trainer/assessor for marking criteria for
this unit.

STUDENTS’ RIGHTS AND RESPONSIBILITIES


It is the responsibility of every student to be aware of all relevant legislation, policies and procedures
relating to their rights and responsibilities as a student. These include:
 The Student Code of Conduct
 The College’s policy and statements on plagiarism
 Copyright principles and responsibilities
 The College’s policies on appropriate use of software and computer facilities
 Students’ responsibility to attend, update personal details and enrolment
 Course Progress Policy and Attendance
 Deadlines, appeals, and grievance resolution
 Student feedback
 Other policies and procedures.
 Electronic communication with students

International Students Please also refer to ESOS framework for further details
https://internationaleducation.gov.au/Regulatory-Information/Education-Services-for-Overseas-
Students-ESOS-Legislative-Framework/ESOS-Act

ADDITIONAL INFORMATION

Contacts:
If you have a query relating to administrative matters such as obtaining assessment results, please
contact your Course co-ordinator.

Deferrals/Suspensions/Cancellations
Danford College will only allow deferrals/student requested suspensions under exceptional
compassionate circumstances. Once a student has commenced studies, students are not allowed to
take leave unless there are compelling and compassionate reasons. Please refer to the College’s
Deferment, Suspension and Cancellation Policy available in the Student Handbook and at Student
Administration. This policy has been explained to you at Orientation.

63 | P a g e
Course Progress Policy
You are expected to attend all classes and complete your units of study satisfactorily, within your
term. Your Course Trainer will make a report to the Course co-ordinator if there are any concerns
about your progress. The Course Progress Policy is available to you in the Student Handbook and at
Student Administration or on college website www.danford.edu.au.
Assessment Conditions

Assessment must be conducted in a safe environment where evidence gathered demonstrates


consistent performance of typical activities experienced in the regulation, licensing and risk - risk
management field of work and include access to:
 Relevant legislation, regulations, standards and codes
 Relevant workplace documentation and resources
 Case studies and, where possible, real situations
 Interaction with others

Assessors must satisfy SRTO2015/AQF assessor requirements.

64 | P a g e
Lesson/Session Plan
For face-to-face classroom based delivery on as per timetable.
Delivery Day Delivery Topics Activities to be undertaken

1 Introduction and overview of Work through corresponding sections


BSBRSK501 Manage risk of Learner Materials and Assessment
Overview of organisational risk Tasks
Reviewing organisational processes, PowerPoint Presentation Slides 1 - 7
procedures and requirements for
undertaking risk management (Page
4)

2 Determining scope for risk Work through corresponding sections


management process(Page 12) of Learner Materials and Assessment
Tasks
Commence Knowledge Assessment
(Written Tasks)

3 Identifying internal and external Work through corresponding sections


stakeholders and their issues of Learner Materials and Assessment
Reviewing political, economic, social, Tasks
legal, technological and policy Commence Task 1 - Complete a risk
context(Page 17) management plan
PowerPoint Presentation Slides 8 - 9
4 Review strengths and weaknesses of Work through corresponding sections
existing arrangements (Page 21) of Learner Materials and Assessment
Tasks
PowerPoint Presentation Slides 10
5 Documenting critical success factors, Work through corresponding sections
goals or objectives for area included of Learner Materials and Assessment
in scope (Page 24) Tasks
Obtaining support for risk PowerPoint Presentation Slides 11 -
management activities(Page 25) 14
6 Communicate with relevant parties Work through corresponding sections
about the risk management process of Learner Materials and Assessment
and invite participation (Page 28) Tasks
Continue with Knowledge
Assessment (Written Tasks)
PowerPoint Presentation Slides 15 -
17
7 Identifying Risks (Page 32) Work through corresponding sections
Invite relevant parties to assist in the of Learner Materials and Assessment
identification of risks(Page 32) Tasks
Activity 1 (Page 31)
PowerPoint Presentation Slide 18

65 | P a g e
Delivery Day Delivery Topics Activities to be undertaken

8 Researching risks that may apply to Work through corresponding sections


scope (Page 34) of Learner Materials and Assessment
Using tools and techniques to Tasks
generate a list of risks that apply to Commence Task 2 - Organisational
the scope, in consultation with Risk Management
relevant parties (Page 35) PowerPoint Presentation Slides 19 -
23
9 Benchmarking similar organisations Work through corresponding sections
and activities(Page 37) of Learner Materials and Assessment
Tasks
Activity 2 (Page 39)
Continue with Task 2 - Organisational
Risk Management
PowerPoint Presentation Slides 19 -
23
10 Analysing Risk (Page 40) Work through corresponding sections
Assessing impact or consequence if of Learner Materials and Assessment
risks occur(Page 41) Tasks
PowerPoint Presentation Slides 24 -
26
11 Evaluating and prioritise risks for Work through corresponding sections
treatment (Page 43) of Learner Materials and Assessment
Selecting and implementing risk Tasks
treatments(Page 46) Activity 3 (Page 46)
PowerPoint Presentation Slides 27 -
30
12 Determining and selecting most Work through corresponding sections
appropriate options for treating risks of Learner Materials and Assessment
(Page 47) Tasks
Developing an action plan for PowerPoint Presentation Slides 31
implementing risk treatment (Page
48)
13 Communicating risk management Work through corresponding sections
processes to relevant parties (Page of Learner Materials and Assessment
52) Tasks
Ensuring all documentation is in order PowerPoint Presentation Slides 32 -
and appropriately stored(Page 53) 33

14 Implementing and monitoring action Work through corresponding sections


plan (Page 56) of Learner Materials and Assessment
Evaluating risk management Tasks
process(Page 56) Activity 4 (Page 58)
Complete Knowledge Assessment
(Written Tasks)
PowerPoint Presentation Slides 34 –
37

66 | P a g e
Delivery Day Delivery Topics Activities to be undertaken

15 Completion of Assessment Tasks Complete Task 1 - Complete a risk


management plan
Complete Task 2 - Organisational Risk
Management

67 | P a g e
Knowledge Assessment - Questions and Answers

1. What are the questions involved in completing a SWOT analysis?

2. Who are the technical experts that should be involved in identification of risks?

68 | P a g e
3. Who is responsible for implementing the risk action plan in your organisation or an
organisation you are familiar with, and why?

69 | P a g e
4. What is the 6 step process for monitoring and reviewing risk?

70 | P a g e
5. What does the term ‘stakeholders’ typically refer to?

6. There are some general tools that can be used to identify risk, name and briefly describe four
of them?

71 | P a g e
7. What are the general headings needs in a risk management action plan?

72 | P a g e
8. What should you keep in mind when storing OHS information?

9. What is the basic process used to establish the context of a risk?

73 | P a g e
10. What is the process used to identify a risk?

11. What steps should you take to analyse a risk?

74 | P a g e
12. How should you select and implement treatments for a risk?

75 | P a g e
Task 1 – Complete a risk management plan

Create a risk management plan that's tailored for your business, a business you are familiar with or a
simulated business provided by your Assessor. To complete these tasks, you must:

1. Identify risks

What are your risks and how likely are they to occur? Some will cause major disruption while others
will be a minor irritation. You must make an educated assessment of both the likelihood and
potential severity of each risk to prioritise your planning efforts.

2. Minimise or eliminate risks

Once risks have been identified you need to either eliminate or minimise those risks. You should
provide specific strategies for minimising risk for each of the six subgroups.

3. Identify who has to do what should a disaster occur

One of the simplest and most powerful tools for a speedy recovery from a disaster is a clear picture
of, and clear directions about, who has to do what should your disaster plan have to be enacted.

Sample of response checklist

4. Determine and plan your recovery contingencies

Recovery contingencies should be determined by the type, style and size of your business and by the
extent of the damage.

5. Communicate the plan to all the people it refers to


This stage of planning is all about ensuring that all people within your business sphere (staff,
suppliers, contractors, service providers) are made aware of the strategies you have put in place to
either mitigate or recover from a disaster situation. Make decisions about whether the physical
communication will be done by phone, email, text or other means. Once these decisions are made,
procedural statements can be created and relevant people can be informed. The next part is to train
staff and ensure everyone practices what has been done so if a disaster occurs the process can take
over and guide the staff.

During day to day operations, any number of risks can pop up in a business so it is important to
know how to identify any potential risks before they escalate. This will help you develop realistic and
effective strategies for dealing with risks if they occur.

76 | P a g e
Prepare a risk management plan

A risk management plan can help minimise the impact of cash flow issues, damage to brand and
other risks. It will also help create a culture of sensible risk awareness and management in your
business. Use the template given by your trainer to prepare the risk management plan.

77 | P a g e
Task 2 – Organisational Risk Management
Part A

Identify an organisation and its processes, procedures and requirements for undertaking risk
management.
For an organisation where you are the manager of a department, identify the following:
 Name of the organisation, a description of the type of activities it conducts. .
 The organisation’s objectives/goals. (One or two sentences.)
 The organisation’s requirements and processes for managing corporate and operational risks.

This should identify:


o A list of the organisational documentation or plans that must incorporate a risk management
plan.
o A list of the structure (or headings) that must be included in the risk management plan.

You are required to provide your assessor with the following document:
 A document with the title

“Organisational Risk Management Processes” containing the above information.

Part B
As a manager, when developing a risk management plan for a project, you need to identify a
project’s goals or objectives and its scope and critical success factors for risk management.
 Describe a project designed to promote the goals/objectives of the organisation that you
identified in Part A.

This may be a major project requiring strategic change management such as:
O Technological innovation
O New products or services
O Opening new markets
O Organisational restructure

Alternatively, it may be an internal operational project such as:


O Office refurbishment
O Relocation of premises
O Re-tooling of assembly plant
O Marketing activities
O Training activities

 Explain the scope of the project in terms of “deliverables” (what it is designed to achieve).
 Relate the deliverables to the goals/objectives of the organisation and explain how the project
promotes them.
 Identify the Critical Success Factors (CSF) - factors that must be present in order for the project to
be successful and promote the organisation’s goals.

78 | P a g e
You are required to provide your assessor with the following document:
 A document with the title “Scope and Critical Success Factors” containing the above information.

Part C

As a manager, when developing a risk management plan, you need to identify the key issues for
stakeholders and the methods of communicating and obtaining support for the risk management
activities.
 Refer to each of the Critical Success Factors (CSF) that you identified for the project in Part B. For
each CSF:
O Identify the project stakeholders that are involved in the CSF.
Stakeholders should be considered as any individual, group or entity that the project will affect,
and may include:
 Clients or customers
 Suppliers and contractors
 Internal project team members
 Other personnel or departments within the organisation.
 The project sponsor or management of the organisation
 A project funding body
O Explain the relationship between each group of the stakeholders and the identified CSF.
O Discuss (one paragraph) the methods that you can use to communicate with relevant parties and
obtain their support for your risk management activities.

Explain the kinds of support that you would invite them to give.

Relevant parties may include:


 All staff
 Internal and external stakeholders
 Senior management
 Specific teams or business units
 Technical experts

You are required to provide your assessor with the following document:
 A document with the title “Stakeholder Key Issues and Support” containing the above
information.

Part D
In your role as manager, when developing a risk management plan, you need to establish the
context of the risk management plan in relation to external factors.
Refer to the project that you identified in Part A and the context of the risk management plan that
you have developed in Part B and C.
Identify external factors that could have an impact upon the success or
otherwise of the project.

Your report should have 4 headings and one paragraph under each heading.

79 | P a g e
If you consider that these factors will have no impact upon the project, explain your reasons.
O Political factors
O Economic factors
O Social factors
O Technological factors

You are required to provide your assessor with the following document:
 A document with the title “External Factors ” containing the above information.

Part E
As a manager of an organisational project, you need to review the strengths and weaknesses of the
existing arrangements, within the context of the identified project.
 Complete a SWOT analysis in relation to your project.
O Refer to the documents you designed in the previous tasks.
O Identify the internal strengths of the team and the organisation as it relates to your project.
O Identify any internal weaknesses of the team and the organisation as it relates to your project.
O Identify any external opportunities that exist for the organisation in relation to your project.
O Identify any external threats that exist for the organisation in relation to your project.
You are required to provide your assessor with the following document:
 A document with the title “SWOT analysis” containing the above information

The overall project task:


Compile all the above documents together. They will be assessed separately and then assessed for
overall readability, which includes use of appropriate grammar and punctuation in sentences and
paragraphs.

80 | P a g e
BSB51915 Diploma of Leadership and Management
College Copy

Unit Code and Title: BSBRSK501 Manage risk

Assessment task Due Dates

Assessment 1 Due Date:

Assessment 2 Due Date:

Assessment 3 Due Date:

I Student ID acknowledge receiving the

Student Assessment Information Pack, which contains:

o Assessment Due Date Sheet


o Time table /Training Plan
o Lesson Plan
o Student Assessment Information Guide
o Assessment Cover Sheets
o Feedback form
o Student Resource
o Internet Access for online Business Environment Simulation with Login Key or access to college
simulated business documents on internal intranet.

Student Signature:

Date :

81 | P a g e
BSB51915 Diploma of Leadership and Management
Student Copy

Unit Code and Title: BSBRSK501 Manage risk

Assessment task Due Dates

Assessment 1 Due Date:

Assessment 2 Due Date:

Assessment 3 Due Date:

I Student ID acknowledge receiving the

Student Assessment Information Pack, which contains:

o Assessment Due Date Sheet


o Time table / Training Plan
o Lesson Plan
o Student Assessment Information Guide
o Assessment Cover Sheets
o Feedback form
o Student Resource
o Internet Access for online Business Environment Simulation with Login Key or access to college
simulated business documents on internal intranet.

Student Signature:

Date :

82 | P a g e
ASSESSMENT SUMMARY / COVER SHEET
This form is to be completed by the assessor and used a final record of student competency.
All student submissions including any associated checklists (outlined below) are to be attached to
this cover sheet before placing on the students file. Student results are not to be entered onto the Student
Database unless all relevant paperwork is completed and attached to this form.
Student Name:

Student ID No:

Final Completion Date:

Unit Code: BSBRSK501

Unit Title: Manage risk

Unit
Assessors Name:
Outcome
C NYC
Result: S = Satisfactory, NYS = Not Yet Satisfactory, NA = Not Assessed
 Knowledge Assessment - Questions and Answers S | NYS | NA
 Task 1 – Complete a risk management plan
S | NYS | NA
 Task 2 – Organisational Risk Management
S | NYS | NA

Is the Learner ready for assessment? Yes No


Has the assessment process been explained? Yes No
Does the Learner understand which evidence is to be collected and
Yes No
how?
Have the Learner’s rights and the appeal system been fully
Yes No
explained?
Have you discussed any special needs to be considered during
Yes No
assessment?
I agree to undertake assessment in the knowledge that information gathered will only be used for
professional development purposes and can only be accessed by my manager and the RTO:
Learner Signature:
Date:
I have received, discussed and accepted my result as mentioned above for
this unit assessment and I am aware about my rights to appeal.
Assessor Signature:
Date:
I declare that I have conducted a fair, valid, reliable and flexible
assessment with this student, and I have provided appropriate feedback.

83 | P a g e
ASSESSMENT COVER SHEET

Unit BSBRSK501 Manage risk

Course BSB51915 Diploma of Leadership and Management

Student Name: Student ID:

Group: Date

Title of Assignment: Knowledge Assessment - Questions and Answers

Assessor Name:

This cover sheet must be attached to your assignment.

Declaration:
1. I am aware that penalties exist for plagiarism and unauthorized collusion with other
students.
2. I am aware of the requirements set by my educator with regards to the presentation of
documents and assignments.
3. I have retained a copy of my assignment.

Student Signature:___________________________

Date:________________________________________

84 | P a g e
QUESTION & ANSWER CHECKLIST

S NYS
Learner’s name:

Assessor’s name:

Question Correct ()


1
2
3
4
5
6
7
8
9
10
11
12

Feedback To Learner:

Assessor’s Signature: Date:

85 | P a g e
ASSESSMENT COVER SHEET

Unit BSBRSK501 Manage risk

Course BSB51915 Diploma of Leadership and Management

Student Name: Student ID:

Group: Date

Title of Assignment: Task 1

Assessor Name:

This cover sheet must be attached to your assignment.

Declaration:
1. I am aware that penalties exist for plagiarism and unauthorized collusion with other
students.
2. I am aware of the requirements set by my educator with regards to the presentation of
documents and assignments.
3. I have retained a copy of my assignment.

Student Signature:___________________________

Date:________________________________________

86 | P a g e
TASK 1 CHECKLIST

S NYS
Learner’s name:

Assessor’s name:

Observation Criteria S NS
Reviewed organisational processes, procedures and requirements for undertaking
risk management in accordance with current risk management standards
Determined scope for risk management process
Identified internal and external stakeholders and their issues
Reviewed political, economic, social, legal, technological and policy context
Reviewed strengths and weaknesses of existing arrangements
Documented critical success factors, goals or objectives for area included in scope
Obtained support for risk management activities
Communicated with relevant parties about the risk management process and
invite participation
Invited relevant parties to assist in the identification of risks
Researched risks that may apply to scope
Use tools and techniques to generate a list of risks that apply to the scope, in
consultation with relevant parties
Assessed likelihood of risks occurring
Assessed impact or consequence if risks occur
Evaluated and prioritise risks for treatment
Determined and selected most appropriate options for treating risks
Developed an action plan for implementing risk treatment
Communicated risk management processes to relevant parties
Ensured all documentation is in order and appropriately stored
Implemented and monitored action plan
Evaluated risk management process
Feedback To Learner:

Assessor’s Signature: Date:

87 | P a g e
ASSESSMENT COVER SHEET

Unit BSBRSK501 Manage risk

Course BSB51915 Diploma of Leadership and Management

Student Name: Student ID:

Group: Date

Title of Assignment: Task 2

Assessor Name:

This cover sheet must be attached to your assignment.

Declaration:
1. I am aware that penalties exist for plagiarism and unauthorized collusion with other
students.
2. I am aware of the requirements set by my educator with regards to the presentation of
documents and assignments.
3. I have retained a copy of my assignment.

Student Signature:___________________________

Date:________________________________________

88 | P a g e
TASK 2 CHECKLIST

S NYS
Learner’s name:

Assessor’s name:

Observation Criteria S NS
Identified an organisation and described the type of activities it conducts
Identified the organisation’s objective s/goals in one or two sentences
Reviewed organisational processes, procedures and requirements for
undertaking risk management in accordance with current risk
management standards
Determined scope for risk management process
Described a project that promotes the goals/objectives of the organisation
identified
Explained the scope of the project in terms of “deliverables”
Identified internal and external stakeholders and their issues
Explained how the project promotes the goals/objectives of the
organisation
Reviewed political, economic, social, legal, technological and policy context
Identified the CSFs that are critical to the success of the project.
Reviewed strengths and weaknesses of existing arrangements
Documented critical success factors, goals or objectives for area included
in scope
Obtained support for risk management activities
Communicated with relevant parties about the risk management process
and invite participation
Invited relevant parties to assist in the identification of risks
Researched risks that may apply to scope
Used tools and techniques to generate a list of risks that apply to the
scope, in consultation with relevant parties
Assessed likelihood of risks occurring
Assessed impact or consequence if risks occur
Evaluated and prioritise risks for treatment
Determined and selected most appropriate options for treating risks
Developed an action plan for implementing risk treatment
Communicated risk management processes to relevant parties
Ensured all documentation is in order and appropriately stored

89 | P a g e
Implemented and monitored action plan
Evaluated risk management process
Reports display appropriate readability by using appropriate grammar and
punctuation in sentences and paragraphs.

Feedback To Learner:

Assessor’s Signature: Date:

90 | P a g e
Student Feedback Form
Unit BSBRSK501 Manage risk
Student Name: Date
Assessor Name:
Please provide us some feedback on your assessment process. Information provided on this form is
used for evaluation of our assessment systems and processes.
This information is confidential and is not released to any external parties without your written
consent. There is no need to sign your name as your feedback is confidential.
Strongly Strongly
Agree
Disagree Agree
I received information about the assessment
1 2 3 4 5
requirements prior to undertaking the tasks

The assessment instructions were clear and easy to


1 3 4 5
understand 2

I understood the purpose of the assessment 1 2 3 4 5

The assessment meet your expectation 1 2 3 4 5


My Assessor was organised and well prepared 1 2 3 4 5

The assessment was Fair, Valid, Flexible and Reliable 1 2 3 4 5

My Assessor's conduct was professional 1 2 3 4 5


The assessment was an accurate reflection of the unit
1 2 3 4 5
requirements
I was comfortable with the outcome of the assessment 1 2 3 4 5

I received feedback about assessments I completed 1 2 3 4 5

Great
The pace of this unit was: Too Slow Too Fast
Pace
Comments:

91 | P a g e

Vous aimerez peut-être aussi