AS/NZS 4360:2004
THE AUSTRALIAN & NEW ZEALAND STANDARD ON RISK MANAGEMENT
Kevin W Knight
CHAIRMAN, ISO WORKING GROUP - RISK MANAGEMENT TERMINOLOGY
MEMBER, STANDARDS AUSTRALIA / STANDARDS NEW ZEALAND
JOINT TECHNICAL COMMITTEE OB/7 - RISK MANAGEMENT
PO BOX 226, NUNDAH QLD 4012
E-mail: [email protected]
0505
Taking a risk: it isn’t all bad
• Risk taking is positive, not implicitly negative
• We take risks not to avoid harm, but to achieve benefits and gains
• Taking risks is a normal unavoidable everyday necessity
• Taking controlled, informed risks is a sensible and everyday essential part of life
• The higher the risk the higher the reward
• Without risk there is no progress.
MANAGING RISK
• We all manage risk consciously or unconsciously - but rarely systematically
• Managing risk involves both threats and opportunities
• Managing risk requires rigorous thinking
• Managing risk means forward thinking
• Managing risk requires accountability in decision making
• Managing risk requires communication
• Managing risk requires balanced thinking
• RM provides a framework to facilitate more effective decision making
Corporate Governance
The way in which an organisation is governed and controlled in order to achieve its objectives. The control environment makes an organisation reliable in achieving these objectives within an acceptable degree of risk.
It is the glue which holds the organisation together in pursuit of its objectives while risk management provides the resilience.
Corporate Governance
As I look back on my career as an independent director, I realise that my efforts were mostly futile. Management gave us reams of information about past performance and we dutifully discussed it. We were looking at the wrong information and asking the wrong questions. We should have focussed on the future and questioned the strategy and competence of management to execute it. The board did not wake up until it was too late
Guidance for Directors - Dealing with risk in the boardroom, Canadian Institute of Chartered Accountants, 2000
Risk Management as Defined in AS/NZS 4360:2004
“THE CULTURE, PROCESSES AND STRUCTURES THAT ARE DIRECTED TOWARDS REALISING POTENTIAL OPPORTUNITIES WHILST MANAGING ADVERSE EFFECTS.”
[Figure: the elements Culture, Processes, Structure, Direction and Communication, with Risks and Opportunities, shown with a numbered process cycle, MONITOR & REVIEW and COMMUNICATE / CONSULT. The cycle's step labels are truncated in this transcript: "1. Strategic Ct", "2. Identify Threats", "3. Analyze", "4. Assess", "5. Assess/", "7. Manage the Risk".]
[Figure: AS/NZS 4360:2004 risk management process overview, with COMMUNICATE & CONSULT and MONITOR & REVIEW shown beside the steps below.]
ESTABLISH THE CONTEXT: The External Context; The Internal Context; The Risk Management Context; Develop Criteria & Define the Structure
IDENTIFY RISKS: What can happen, when, where, how & why
ANALYSE RISKS: Identify existing controls; Determine Likelihood; Determine Consequences; Determine Level of Risk
EVALUATE RISKS: Compare with criteria? Set priorities
Treat Risks? NO / YES
TREAT RISKS: Identify options; Assess options; Prepare and Implement treatment options; Analyse & evaluate residual risk
RM is everybody’s business
• RM is not just the responsibility of management
• For RM to be effective it must be implemented by every person in the organisation
• RM must become an integral part of the organisational culture
• The risk makers and risk takers must be the risk managers.
Communication & Consultation in the risk management process
Communicate and consult - at all steps
Step 1 : Establish the Context
• external context
• internal context
• risk management context
• risk criteria (i.e. threshold levels)
• define the structure
Step 2 : Identify Risks
• what can happen, when, where and how
• identify key processes, tasks, activities
• recognise risk areas
• define risks
• categorise risk
Step 3 : Analyse Risks
• identify controls
• determine likelihood
• determine consequence/impact
• determine level of risk
Step 4 : Evaluate Risks
• identify tolerable/unacceptable risks (referring risk rating against risk criteria)
• prioritise risks for treatment
Step 5 : Treat Risks
Accept/Retain
• based on judgement or documented procedures/policy
Avoid
• consider discontinuing or avoiding activity
• consult
• risk treatment preferable to risk aversion
Reduce consequence
• Business Continuity Plans
• contractual arrangements
• public relations
Share
• insurance
• outsourcing
Reduce likelihood
• controls
• process improvement
• training & education
• policies and communication
• audit and compliance
Step 6 : Monitor and Review Risks
• process
• environment
• organisation
• strategy
• stakeholders
COMMUNICATE & CONSULT
• ANY TWO-WAY DIALOGUE BETWEEN STAKEHOLDERS
• DEVELOP COMMUNICATION STRATEGY AT THE CONTEXT STAGE
• ENSURE STAKEHOLDERS' PERCEPTION OF RISK IS ADDRESSED
Risk Management’s Role in Corporate Governance
[Figure: levels labelled ACCOUNTABILITY, SUPERVISION, GOVERNANCE, STRATEGIC MANAGEMENT, MANAGEMENT EXECUTIVE, MANAGEMENT DECISION & CONTROL and OPERATIONAL MANAGEMENT, annotated "Potential greater future role of risk management" and "Traditional and current risk management application".]
STRATEGIC FRAMEWORK FOR MANAGING RISKS
[Figure: diagram with the labels Adding Value, Preserving Value, Taking Risks, Managing Risk, Communication, Consultation, Risk, Business Processes and Business Strategies.]
[Figure: the risk management process overview repeated, with the ESTABLISH THE CONTEXT step expanded: The External Context; The Internal Context; The Risk Management Context; Develop Criteria & Define the Structure.]
ESTABLISH THE CONTEXT
• Objectives and environment
• Relevant Legislation
• Stakeholder identification & analysis
• Government Policy
• Corporate Policy
• Management Structures
• Community Expectations
• Criteria
• Consequence criteria.
[Figure: An Organisation’s Paradigm, shown with the elements Symbols; Power Structures; Organisational Structures; Control Systems; Rituals & Routines; Stories (business experiences).]
Adapted from Johnson & Scholes, 1993, p.61
ORGANISATIONAL RISK CRITERIA
[Figure: Organisation risk personality or propensity. Labels: Risk tolerance range; Aversion; Excessive appetite; Denial; Dislike; Disinclination; Indecision; Irresponsible; Impulsive; Strategic management decision; Corporate culture.]
Board of Directors
• Approves policy
• Approves risk limits
• Approves risk tolerance
• Provides oversight
Risk Management Committee
• Monitor - Coordinate - Teach
• Measure - Benchmark
• Report to Board
• Enforce
Line Managers
• Identify risk
• Propose risk limits
• Control
• Report
Executive Management
• Establishes policy
• Establishes risk limits
• Establishes risk tolerances
• Reports to Board
• Enforces
[Figure: the risk management process overview repeated, with the IDENTIFY RISKS step expanded: What can happen, when, where, how & why.]
Risk Identification
A risk is associated with
• A source
• An event or incident
• A consequence, outcome or impact
• A cause (what & why)
• Controls and their level of effectiveness and application
• When & where could a risk occur.
Identification of Sources of Risk
• personnel/human behaviour
• management activities and controls
• economic circumstances
• natural and unnatural events
• political circumstances
• technology/technical issues
• commercial and legal relationships
• public/professional/product liability
• the activity itself.
Risk Management Methods
HB436:2004 Risk Management Guidelines
A Companion to AS/NZS 4360:2004
Comprehensive identification using a well-structured systematic process is critical, because a risk not identified at this stage may be excluded from further analysis.
More Significantly
A well-structured process leads to quality collection of data, as strongly emphasized by AS/NZS 4360:2004.
[Figure: the risk management process overview repeated, with the ANALYSE RISKS step expanded: Identify existing controls; Determine Likelihood; Determine Consequences; Determine Level of Risk.]
Risk Analysis
• Purpose
– Separate minor risks from major
– Provide data to assist in evaluation and treatment
• Preliminary Analysis
– Excluded Risks where possible should be listed
Where possible confidence limits placed on estimates
Best available information sources used
Examples of Qualitative Analysis
• Checklists and Questionnaires
• SWOT Analysis
• Physical Inspections
• Analysis Based on Records of the Operation
• Flowcharts
• Event trees.
S.W.O.T. ANALYSIS
[Figure: INPUTS, TRANSFORMATION PROCESS, OUTPUTS diagram. Labels: Intrinsic/Extrinsic Rewards; Resources (Skills & Experience); Organisational Environment (Internal/External); Power (Authority, Knowledge, Delegations); Resources (Financial); Stakeholders (External/Internal); Cultural Web; Impacts. Arrows are labelled "Affects", "Influences", "Influences efficiency", "Influences attitudes and approach" and "Influences attitudes, approach and process".]
Source: HD 240:2000
Examples of Quantitative Analysis
• Computer Modelling
• Fault Tree Analysis
• Hazard Indices
• Statistical Analysis.
Examples of Likelihood Tables
Likelihood Ex. 1: 1 Rare; 2 Unlikely; 3 Possible; 4 Likely; 5 Almost Certain
Likelihood Ex. 2: 1 Almost Never; 2 Low Potential; 3 Potential; 4 Common
Likelihood Ex. 3: 1 Low Frequency; 2 Moderately Frequent; 3 High Frequency
It is up to each organisation to define the parameters that allow users to assess likelihood
Examples of Consequence Tables
Consequence Ex. 1: 1 Insignificant; 2 Minor; 3 Moderate; 4 Major; 5 Catastrophic
Consequence Ex. 2: 1 Negligible; 2 Medium; 3 Severe; 4 Critical
Consequence Ex. 3: 1 Insignificant; 2 Moderate; 3 Significant
It is up to each organisation to define the severity of impact that allows users to assess consequence
Examples of Risk Rating Tables
Risk Rating Ex. 1: 1 Very Low; 2 Low; 3 Tolerable; 4 High; 5 Very High
Risk Rating Ex. 2: 1 Low; 2 Moderate; 3 Significant; 4 Extreme
Risk Rating Ex. 3: 1 Low; 2 Medium; 3 High
It is up to each organisation to define the terminology for risk rating levels, and how this is set in the risk rating matrix.
Example Of A Risk Rating Matrix
AS/NZS4360 – 2004 emphasises that organisations tailor the criteria that drive assessment and analysis to suit the nature and business environment of their operations.
[Figure: the risk management process overview repeated, with the EVALUATE RISKS step expanded: Compare against criteria? Set priorities.]
Risk Evaluation
Comparing levels of risk found in analysis with previously established criteria
Consider
• Objectives of project and opportunities
• Tolerability of risks to others
• Whether a risk needs treatment
• Deciding whether risk can be accepted
• Whether an activity should be undertaken
• Priorities for treatment
RISK TOLERABILITY
[Figure: chart of FREQUENCY/LIKELIHOOD (RARE, UNLIKELY, MODERATE, LIKELY, ALMOST CERTAIN) against SEVERITY/IMPACT/CONSEQUENCES (0, INSIGNIFICANT, MINOR, MAJOR, CRITICAL, EXTREME), with regions labelled AVOID RISKS, REDUCE LIKELIHOOD, REDUCE CONSEQUENCES and ACCEPTABLE OR TOLERABLE LEVEL OF RISK.]
RISK TOLERABILITY
[Figure: chart of FREQUENCY/LIKELIHOOD (0 NOT POSSIBLE, UNLIKELY, POSSIBLE, LIKELY, ALMOST CERTAIN, 1 CERTAIN) against SEVERITY/IMPACT/CONSEQUENCES (axis marked 0, $1,000, $100,000, $1M, $100M, TOTAL, with the bands MILD, MODERATE, SEVERE, DISASTROUS), with regions labelled AVOID RISKS, REDUCE LIKELIHOOD, REDUCE CONSEQUENCES and TOLERABLE LEVEL OF RISK.]
[Figure: LEVEL OF RISK (risk magnitude) divided into three regions.]
Intolerable Region
• Risk cannot be justified except in extraordinary circumstances
As Low As Reasonably Practicable
• Tolerable only if risk reduction is impracticable or if its cost is greatly disproportionate to the improvement gained
• Tolerable if cost of reduction would exceed the improvements gained
Broadly acceptable region (“de minimis” risk)
• Necessary to maintain assurance that the risk remains at this level
[Figure: the risk management process overview repeated, with the TREAT RISKS step expanded: Identify options; Assess options; Prepare and Implement treatment options; Analyse & evaluate residual risk.]
THE TRADE-OFF BETWEEN LEVEL OF RISK AND COST OF REDUCING RISK (B.F. Hough 1985)
[Figure: LEVEL OF RISK (RISK VALUE) plotted against COST OF REDUCING RISK ($), with bracketed ranges labelled SATISFACTORY, MOST COST EFFECTIVE, ACCEPTED PRACTICE, ABSOLUTE MINIMUM and BEST ACHIEVABLE.]
[Figure: OVERALL LEVEL OF RISK plotted against CUMULATIVE COST OF RISK REDUCTION MEASURES, with COST OF RISK REDUCTION MEASURES and the regions IMPLEMENT, USE JUDGEMENT and UNECONOMIC.]
Risk Treatment
• reduce
– likelihood
– consequences
• business continuity management
• sharing in full or in part (this creates a new risk)
• avoid (but not because of aversion)
• retain residual (but not by default)
REDUCE LIKELIHOOD
Risk prevention
• compliance programmes
• inspection & process controls
• security devices, alarms and processes
• preventive maintenance
• training & education.
REDUCE CONSEQUENCES
Risk reduction
• medical & first aid procedures
• off site data & information storage
• fraud control planning
• fire suppression.
Business Continuity Management
• emergency evacuation plans
• off site data & information storage
• business contingency plans
• business relocation plans
• business resumption plans
• review, reassess and revise plans.
SHARING RISK
Contractual transfer of legal responsibility
• sub contracting of hazardous processes
• exclusion clauses
• outsourcing
• partnerships & joint ventures
Insurance
AVOID
Reduce probability of loss to zero
• cease activity
• closure of facility
• sell business.
RETAIN RESIDUAL RISKS
Losses funded from general operating expenses
• vital to record all incidents
• ensure retention is not due to failure to identify.
Treatment Options
Consider
• Opportunities created by risk
• Cost of implementation vs benefits
• Extent of risk reduction vs benefits
• Criteria of acceptability
• Rare but severe risks
• Risk perception and communication.
In general
Costs of managing risk commensurate with benefits
Adverse impacts As Low As Reasonably Achievable
Treatment Plans
Document how options implemented
Responsibilities
Schedules
Expected outcomes
Budgeting
Performance measures
Review processes
AS/NZS 4360:2004
Extending The Process
• The role of assurance activity, not just as a risk control, but as part of ‘Monitor and Review’ should be developed.
• This should go further than just audit.
Other interested stakeholders can also benefit from the risk process, such as quality assurance, safety & environment management. The latest update is facilitating linkages between different stakeholders.
MONITOR & REVIEW
• RM is a journey not a destination
• What may be of minor significance today may be the disaster of tomorrow
• Review is an integral part of the risk management process
AS/NZS 4360:2004
Role Of Assurance Activity
Recording the Risk Management Process
• demonstrates process conducted properly
• provides a record of risks
• provides decision makers with plan for approval and implementation
• provides accountability tool
• facilitates monitoring and review
• provides an audit trail
• enables sharing and communication of information.
Establishing Effective Risk Management
• Board & Management commitment
• Risk management planning
• Culture change
• Accountability & authority
• Customise to organisational paradigm
• Ensure adequate resources
• Board monitoring and review of risk management effectiveness
POLICY DEVELOPMENT
• NO MORE THAN ONE PAGE
• MUST BE SIMPLE, ACHIEVABLE, UNDERSTANDABLE & AUDITABLE
• THE RISK MAKERS AND THE RISK TAKERS MUST BE THE RISK MANAGERS
• SERVES AS A PLATFORM FOR ORGANISATIONAL GUIDELINES
RISK MANAGEMENT FRAMEWORK
Risk Management Processes
The framework will be implemented by each business unit in accordance with the policy by:
• Maintaining documented business risk profiles using analytical techniques to identify, evaluate, and manage risks in compliance with AS/NZS 4360:2004
• Communication of risk management issues, where appropriate, to all relevant stakeholders
“The culture, processes and structures that are directed towards realising potential opportunities whilst managing adverse effects.”
RISK MANAGEMENT FRAMEWORK
Risk Management Structure & Responsibility
The Board approves the corporate risk management policy and framework.
The Board Risk Management Committee reviews the effectiveness of the policy.
All managers and staff are accountable for managing risk.
The Risk Management “Champion” is responsible for facilitating the risk management program and reporting to the Board Risk Management Committee.
“The culture, processes and structures that are directed towards realising potential opportunities whilst managing adverse effects.”
“STRATEGIC MANAGEMENT OF RISK”
“Managing risk is a way of confidently taking the right risks and then managing the outcomes for success”
Risk Management and the Strategic Planning Cycle
[Figure: cycle of four stages.]
Planning
• Future State/ End Vision
• SWOT, Opportunities and Risks
• Strategy & Tactics
Execution/Integration
• Manage Tactics
• Manage Tasks
• Manage Risks
Monitor Performance
• Performance
• Capability
• External Environment
Review & Change
• Strategic Learning
• Strategic Alignment
• Strategic Intelligence
The Operational Risk Management Cycle
[Figure: annual cycle marked Jan, May and Sep, with the activities: Review performance; Conduct risk profiling; Strategic planning; Determine risk treatment actions; Budget and business planning; Implement and monitor treatment actions.]
RISK MANAGEMENT BENEFITS
• Fewer surprises
• Exploitation of opportunities
• Improved planning, performance and effectiveness
• Economy and efficiency
• Improved stakeholder relationships
• Improved information for decision making
• Enhanced reputation
• Director protection
• Accountability, assurance and governance
• Personal wellbeing.
RISK MANAGEMENT OUTCOMES
RM leads to
• more informed decision making
• business continuity planning
• minimising disruptions
• better utilisation of resources
• strengthening of the culture of continuous improvement
• best practice
• a quality organisation
YOU DO NOT HAVE TO DO IT!!
SURVIVAL IS NOT COMPULSORY
The greatest risk of all
is to take no risk at all!
In pursuit of performance
A race
A journey ………. Building Value
The Journey Continues
AS/NZS 4360:2004 and its accompanying Handbook provide generic guidance on how to embed risk management, and introduce the concept of “positive” risk to help you on the way.