Manage risk (BSBRSK501)

Manage risk BSBRSK501 Student Workbook 1st Edition


Manage risk BSBRSK501

Student Workbook

1st Edition


Student Workbook BSBRSK501 Manage risk

1st Edition 2015

Part of a suite of support materials for the

BSB Business Services Training Package


Copyright and Trade Mark Statement

© 2015 Innovation and Business Industry Skills Council Ltd

All rights reserved. Apart from any use permitted under the Copyright Act 1968, no part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical, photocopying, or otherwise, without written permission from the publisher, Innovation and Business Industry Skills Council Ltd (‘IBSA’).

Use of this work for purposes other than those indicated above, requires the prior written permission of IBSA. Requests should be addressed to Product Development Manager, IBSA, Level 11, 176 Wellington Pde, East Melbourne VIC 3002 or email [email protected].

‘Innovation and Business Skills Australia’, ‘IBSA’ and the IBSA logo are trade marks of IBSA.

Disclaimer

Care has been taken in the preparation of the material in this document, but, to the extent permitted by law, IBSA and the original developer do not warrant that any licensing or registration requirements specified in this document are either complete or up-to-date for your State or Territory or that the information contained in this document is error-free or fit for any particular purpose. To the extent permitted by law, IBSA and the original developer do not accept any liability for any damage or loss (including loss of profits, loss of revenue, indirect and consequential loss) incurred by any person as a result of relying on the information contained in this document.

The information is provided on the basis that all persons accessing the information contained in this document undertake responsibility for assessing the relevance and accuracy of its content. If this information appears online, no responsibility is taken for any information or services which may appear on any linked websites, or other linked information sources, that are not controlled by IBSA. Use of versions of this document made available online or in other electronic formats is subject to the applicable terms of use.

To the extent permitted by law, all implied terms are excluded from the arrangement under which this document is purchased from IBSA, and, if any term or condition that cannot lawfully be excluded is implied by law into, or deemed to apply to, that arrangement, then the liability of IBSA, and the purchaser’s sole remedy, for a breach of the term or condition is limited, at IBSA’s option, to any one of the following, as applicable:

(a) if the breach relates to goods: (i) repairing; (ii) replacing; or (iii) paying the cost of repairing or replacing, the goods; or

(b) if the breach relates to services: (i) re-supplying; or (ii) paying the cost of re-supplying, the services.

Published by: Innovation and Business Industry Skills Council Ltd Level 11 176 Wellington Pde East Melbourne VIC 3002 Phone: +61 3 9815 7000 Fax: +61 3 9815 7001 email: [email protected] www.ibsa.org.au

1st edition published: April 2015

1st edition version: 1

Release date: April 2015

ISBN: 978-1-925123-76-0

Stock code: BSBRSK5011D


Table of Contents

Introduction

Features of the training program

Structure of the training program

Recommended reading

Section 1 – Introduction to Risk

What skills will you need?

Understand risk and risk management

Establish the context

Understand importance of relevant legislation

Section summary

Further reading

Section checklist

Section 2 – Identify Risk

What skills will you need?

Review the external environment

Determine strengths and weaknesses

Review and document objectives

Identify risks

Research

Involve others in risk identification

Section summary

Further reading

Section checklist

Section 3 – Analyse and Evaluate Risk

What skills will you need?

Analyse risk

Evaluate risk

Types of analysis

Determine risk treatment options

Develop an action plan for treating risks

Section summary

Further reading

Section checklist

BSBRSK501 Manage risk 1st edition version: 1 © 2015 Innovation and Business Industry Skills Council Ltd


Section 4 – Treat Risk

What skills will you need?

Implement the risk action plan

Monitor the risk action plan

Evaluate the risk management process

Section summary

Further reading

Section checklist

Glossary

Appendices

Appendix 1: Risk action plan template

Appendix 2: MacVille’s risk management policy

Appendix 3: MacVille’s risk management strategy

Appendix 4: Scenario – Shoez


Introduction

Features of the training program

The key features of this program are:

● Student Workbook – Self-paced learning activities to help you to understand key concepts and terms. The Student Workbook is broken down into several sections.

● Facilitator-led sessions – Challenging and interesting learning activities that can be completed in the classroom or by distance learning that will help you consolidate and apply what you have learned in the Student Workbook.

● Assessment Tasks – Summative assessments where you can apply your new skills and knowledge to solve authentic workplace tasks and problems.

Structure of the training program

This training program introduces you to the concepts of identifying risk and how to then apply the appropriate risk management strategies. You will develop the skills and knowledge in the following topic areas.

1. Introduction to risk.

2. Identifying risk.

3. Analysing and evaluating risk.

4. Treating risk.

Your facilitator may choose to combine or split sessions. For example, in some cases, this training program may be delivered in two or three sessions, or in others, as many as eight sessions.

Recommended reading

Some recommended reading for this unit includes:

● Anderson, E., 2014, Business risk management: models and analysis, John Wiley & Sons, Chichester, UK.

● Queensland Government, 2014, ‘Preparing a risk management plan and business impact analysis’, Business and industry portal, viewed January 2015, <http://www.business.qld.gov.au/business/running/risk-management/risk-management-plan-business-impact-analysis>.

● Standards Australia, 2009, AS/NZS ISO 31000:2009 risk management – principles and guidelines, SAI global, Sydney.

● Worksafe ACT, 2012, Risk management of public events, available online, Worksafe ACT, viewed January 2015, <http://www.worksafe.act.gov.au/publication/view/1138>.


Please note that any URLs contained in the recommended reading, learning content and learning activities of this publication were checked for currency during the production process. Note, however, that IBSA cannot vouch for the ongoing currency of URLs.

Every endeavour has been made to provide a full reference for all web links. Where URLs are not current we recommend using the reference information provided to search for the source in your chosen search engine.


Section 1 – Introduction to Risk

Before you can undertake risk management, there are a number of key concepts that you must understand. This chapter will define risk and risk management, and help you to establish the context in which risk management takes place.

Scenario: Preparing for risk management

You are the new Operations Manager for a chain of shoe repair stores with ten outlets. Your previous experience was in sales management; specifically, departmental areas of management. You have never had this kind of role before.

You note that one of your specific responsibilities is to manage the risks that are likely to pose a threat to this particular organisation. Before attempting to identify the organisation’s risks, you first take time to review the concepts of risks, risk management and the organisational context.

From your previous roles, you are very aware of the risks of non-compliance with relevant laws, and so you decide to also review the legislative environment in which this organisation operates.

What skills will you need?

In order to work effectively as a risk manager you must be able to:

● explain risk and risk management

● establish the context for risk management

● explain the importance of relevant legislation.

Understand risk and risk management

What is risk?

Risk is a natural part of our physical, social, financial and competitive environments. It is defined as the chance of something happening that will have an impact on the achievement of objectives or goals in an organisation. Organisations must frequently decide whether various risks are or are not worth taking. For example, risk is considered when making decisions regarding investment or the health and safety of employees. For some organisations, the ability to manage risk better than competitors is a valuable resource that they use to their advantage.

In business, there is a strong correlation between risk and reward. For example, investing in the share market is riskier than investing in government bonds. As a consequence of the risks involved, share markets traditionally offer higher returns than government bonds.


The concept of risk is incorporated into all types of industries – from insurance to engineering to financial investment. Therefore, definitions of risk may vary. Risk is often defined as a combination of the consequence of an event and the likelihood it may occur. Risk may also be defined, as in the relevant risk management standard for this unit, AS/NZS ISO 31000:2009 risk management – principles and guidelines, as simply the ‘effect of uncertainty on objectives’.1

In this workbook, we will combine the above definitions and take the broad view that risk is an event or action that will cause a loss to an organisation’s valuable resources and adversely affect the goals and objectives of that organisation if the event or action occurs.

Risk is the estimated likelihood of occurrence of an uncertain event, and its impact on organisational objectives should it occur.

As shown in the diagram above, both the likelihood (probability) of an event occurring and the consequence or impact of that event have an effect on the objectives of the organisation. The combination of these two factors gives an organisation an indication of the risk it will be exposed to if the event should occur.

Learning activity: Risk consultants

Many consultants can work with your organisation to identify risk and help in developing and implementing processes to assist in the management of business risk.

PricewaterhouseCoopers is one organisation that actively manages risk. Look at their resource:

● PricewaterhouseCoopers, 2008, Being smart about the risks you take, available online, PWC, viewed January 2015, <http://www.pwc.com/gx/en/consulting-services/pdfs/get_up_to_speed2.pdf>.

1 Standards Australia, 2009, AS/NZS ISO 31000:2009 risk management – principles and guidelines, SAI global, Sydney.

[Diagram: Likelihood and Consequence, both acting on Organisational objectives]


Why do PricewaterhouseCoopers believe some risk management systems implemented in companies have made the companies more vulnerable?

Valuable resources

Financial risk is not the only type of threat to organisations. In today’s business environment, the loss of reputation or brand value can have far greater impact on the organisation’s viability than the loss of some investment funds.

Learning activity: The business of lard

It was once the case that lard – animal fat – was used in place of butter and olive oil in cooking. The use of lard decreased after a book was written that described the unsavoury process of producing lard.

Read more details on the Planet Money blog entry:

● R. Smith, 2012, ‘Who killed lard?’, Planet money, viewed January 2015, <http://www.npr.org/blogs/money/2012/02/03/146356117/who-killed-lard>.

This story illustrates how the loss of a product or an organisation’s good reputation can represent a serious threat to business. What other factors contributed to the decreased use of lard in cooking?


Other valuable resources that need to be considered in any loss evaluation caused by risk are detailed below.

● Human – workers, intellectual capital, skills, experience and capabilities, levels of trust, managerial skills, organisation-specific practices and procedures, innovation and creativity, technical and scientific skills

● Financial – cash, investments, shares, capacity to raise equity, borrowing capacity

● Physical – plant, equipment, state-of-the-art machinery, equipment and electronics, land, buildings, vehicles, furniture, facilities

● Intellectual property – patents, copyrights, trademarks, trade secrets, software

● Organisational excellence – evaluation and control systems, effective strategic planning processes, outstanding customer service, excellent product development capabilities, innovativeness of products and services, ability to hire, motivate, and retain human capital, innovative production processes, favourable manufacturing locations, innovation capacities, effective strategic planning processes, excellent evaluation and control systems

● Intangible – information, reputation, brand value, goodwill.


Learning activity: Resources

Review the scenario provided in Appendix 3 and make note of any resources mentioned. Rank them in terms of what you consider to be high priority resources that should be protected.

Strategic resources

Many people understand the impact of an unfavourable event on tangible assets, but often overlook the impact that adverse events can have on the organisation’s intangible assets. All the resources listed above are valuable, but some resources take on an even more important role in an organisation because they become strategic. They are classified as being strategic because they give the business its competitive advantage. To qualify as strategic they need to be:

● Rare – That is, unique or in very short supply. For example, personnel who are leading experts in their field, and bring knowledge or skills that are not widely available.

● Difficult to imitate – That is, hard to copy due to the expense or time required to acquire. For example, the brand recognition associated with a long-established organisation or product.

● Difficult to substitute – That is, cannot easily be replicated using alternative sources. For example, long-term relationships or working partnerships between specific individuals or organisations that generate high levels of creativity and innovation.


Many of these resources are intangible, and are in many cases the most important ones to risk manage.

Learning activity: Strategic resource

Think about your own work skill sets. Most of what you know or are good at is of value to a workplace environment. Write down the skill sets or owned items that you have that could be called rare, difficult to copy and difficult to substitute. These are your strategic resources.

Risk types

Risk identification is proactive. If you’re looking for risks, you will soon find them when discussing activities with team members, observing the workplace environment, reading reports and analysing results. Over the broad spectrum, risks can be categorised in various ways, for example:

Risks can be grouped into two types:

● Certain – those risks that will definitely occur at some point in time, for example, employee sick days.

● Uncertain – those that may occur at some point in time, for example, an employee being injured in the workplace.


Risk can also be categorised by expected impact:

● Speculative risk – where there are potential opportunities.

● Pure risk – where there are only negative or unfavourable outcomes for the organisation.

Learning activity: Types of risk

Review the scenario in Appendix 4 under the heading ‘Research findings’ and select three issues. Then identify the type of risk/s that these scenarios represent.

Identified issue Risk type

1.

2.

3.

What is risk management?

Risk management is an essential part of good management and corporate governance. It is a set of tools and processes that are used to avoid, reduce or control the risks that are likely to adversely affect the valuable and strategic resources of an organisation. Basically, it is the process of identifying and categorising potential risk and then defining actions to mitigate these risks.

Risk management processes should enhance decision-making and facilitate continuous improvement in performance of the organisation. Studying and identifying risk should not inhibit action, but instead help you turn risk into a growth and development opportunity through the application of the risk management process.


Learning activity: Electronic risk management tools

Use the internet to find two electronic tools or software programs that can facilitate and assist in risk management. Describe the tools and compare key functions, and make a recommendation about the type of organisation or project each tool would be most suited for use in.

AS/NZS ISO 31000:2009 Risk management – Principles and guidelines

The Australian/New Zealand Standard AS/NZS ISO 31000:2009 risk management – principles and guidelines provides a guide for managing risk. In the past, many different tools, standards and methodologies for risk management have existed across industries and countries. The purpose of this standard is to provide a conventional method of using risk management processes that can be applied internationally and across all industries.

The objective of this standard is to provide guidance to enable organisations to:

● increase the likelihood of achieving objectives

● encourage proactive management

● be aware of the need to identify and treat risk throughout the organisation

● improve the identification of opportunities and threats

● achieve compatible risk management practices between organisations and nations

● comply with relevant legal and regulatory requirements and international norms

● improve financial reporting


● improve governance

● improve stakeholder confidence and trust

● establish a reliable basis for decision-making and planning

● improve controls

● effectively allocate and use resources for risk treatment

● improve operational effectiveness and efficiency

● enhance health and safety performance as well as environmental protection

● improve loss prevention and incident management

● minimise losses

● improve organisational learning

● improve organisational resilience.2

This Student Workbook will outline an approach to risk management that is consistent with AS/NZS ISO 31000:2009 risk management – principles and guidelines standards and will closely follow the processes outlined in it for the management of risk.

Risk management principles

In order for risk management to be effective, according to AS/NZS ISO 31000:2009, organisations should ensure that risk management:

● creates and protects value

● is an integral part of all organisational processes

● is a part of decision-making

● explicitly addresses uncertainty

● is systematic, structured and timely

● is based on the best available information

● is tailored

● takes human and cultural factors into account

● is transparent and inclusive

● is dynamic, iterative and responsive to change

● facilitates continual improvement of the organisation.3

2 Standards Australia, 2009, AS/NZS ISO 31000:2009 risk management – principles and guidelines, SAI global, Sydney.

3 Standards Australia, 2009, AS/NZS ISO 31000:2009 risk management – principles and guidelines, SAI global, Sydney.


Learning activity: Risk management principles

Consider your organisation or an organisation you are familiar with.

Describe how risk management practices in the organisation adhere or do not adhere to the principles listed above.

How could practices be improved?


The risk management process

For the purpose of this workbook, the risk management process will be shown in the following way.

AS/NZS ISO 31000:2009 views the analysis and evaluation of risk as two separate elements and so outlines seven elements in the risk management process.

● Establish the context – Determine the criteria by which a risk may be evaluated. Note that criteria are characterised by internal and external factors as well as organisational objectives.

● Identify risks – Recognise potential hazards, which may prevent, diminish, or delay the organisational or project objectives.

● Analyse risks – Identify the consequence and likelihood of the risk taking place.

● Evaluate risks – Compare the potential rewards with the potential adverse outcomes including the likelihood of each. This allows decisions to be made regarding the priority and action required to manage the risk.

● Treat risks – The process of selecting which risks are to be managed and taking measures to limit the impact of those of highest priority.

● Monitor and review – Critically observe or measure the progress of the risk management process and make changes where beneficial.

● Communicate and consult – Ensure stakeholders are aware of information applicable to them and appropriate to the risk level and the stage of risk management.

For the remainder of this chapter, we will look at establishing the context for risk management. The other stages will be addressed in the following chapters.

[Diagram: the risk management process, showing Establish the context, Identify risks, Analyse and evaluate risk, and Treat risk, together with Communication and consultation and Monitor and review]


Establish the context

Scope

When you begin the process of risk management, you must be able to define the scope within which risks must be managed. This requires you to know what needs to be achieved through the risk management activities undertaken.

An organisation is defined by its goals and objectives; therefore, the aim of the risk management process must be to ensure that the organisation is able to achieve those goals while balancing costs, benefits and opportunities. This provides the overall context in which risk management takes place. It is also essential that you understand the nature of any decisions that need to be made so that your process can inform and implement those decisions effectively.

In practical terms, the scope of a risk management process can apply to:

● the whole organisation

● a specific business unit/department

● a particular project

● a particular business function (e.g. finance, manufacturing).

Risk management can be applied to the internal or external environments of an organisation, or both. The internal environment encompasses the operations and inner workings of the organisation, while the external environment includes the political, economic, social, legal, and technological factors affecting the business. These are explored in more detail in Section 2 of this workbook.

Learning activity: Risk process scope

Review the Shoez scenario in Appendix 4 and identify the three criteria defining the scope of the risk management task assigned by Jeff Harding to you as the newly appointed operations manager.

1.

2.

3.


Describe how identifying the scope of a risk project is important to its management.

Policies and procedures

No matter the scope of risk management, be it project-related or organisation-wide, you must follow organisational policies and procedures. Organisational documents provide essential support for managing risk in the context of an organisation.

Organisational policies inform employees of the overall aims of the organisation, such as reducing risk, achieving legal compliance, or adhering to a standard or code of practice. Procedures support policy by providing employees with specific guidance on how to actually implement policy and perform particular functions. Procedures can take several forms: they may be sets of principles, instructions, numbered lists, flowcharts, etc. Procedures for particular areas, such as financial procedures, may appear together in manuals.

Policies and procedures should be consistent with strategic directions, mission, vision, and organisational values. Policies and procedures for risk management should also be integrated with, or share common purpose with, other organisational policies and procedures dealing with other specific aspects of business operations. For example, financial management or work health and safety (WHS)4 policies and procedures may reference risk management policy or take an approach to risk management applicable to their specific areas that is consistent with the risk management policy and procedures.

Examples of risk management policies and procedures are provided in the appendices of this Student Workbook.

4 Previously referred to as ‘occupational health and safety (OHS)’


Risk management strategy

Given the particular risks that exist for an organisation with regard to its strategic directions and legal and ethical obligations, organisations should have in place a risk management strategy. The risk management strategy ensures that the risk management policy is implemented in a way that is most likely to achieve stated goals at the least cost to the organisation. Effective risk management strategies demonstrate, support or contain:

● a strategic focus

● forward thinking and active approaches to management

● balance between the cost of managing risk and the anticipated benefits

● contingency planning in the event that critical threats are realised.

A risk management strategy should also include a management framework for the effective management of risk within an organisation. According to AS/NZS ISO 31000:2009, such a management ‘framework ensures that information about risk … is adequately reported and used as a basis for decision-making and accountability at all relevant organisational levels’.5

An example of a risk management strategy, including a management framework, is provided in Appendix 3 of this Student Workbook.

Learning activity: Examine risk management documentation

Consider your organisation or an organisation you are familiar with.

Examine organisational documentation:

● strategic directions, mission, vision, statements of organisational values

● risk management policies and procedures

● risk management strategy.

Do the organisation’s risk management policies and procedures consistently reflect organisational values, mission, and vision and support strategic goals? How?

5 Standards Australia, 2009, AS/NZS ISO 31000:2009 risk management – principles and guidelines, SAI global, Sydney.


How do the organisation’s risk management policies and procedures provide practical guidance to employees to reduce and control risk that is applicable to the particular work environment and organisational aims?

How does the organisation’s risk management strategy address the identification and control of risk?


Stakeholders

To undertake effective risk management, you must identify the stakeholders – individuals, a group of people, or an organisation – that can be affected by the risks or implementation of the risk management process.

Identification of stakeholders is an essential step in risk management. It determines who should be involved in the formulation of the risk management plan, and who you should communicate with regarding implementation of risk management strategies and actions.

Identification of stakeholders includes identifying anyone impacted by the risk, and documenting relevant information regarding their interests, involvement, and impact on the effectiveness of the risk management process.

In the book ‘The Handbook of Program Management6’ Dr James T Brown gives the following advice for identifying stakeholders.

● Follow the money. Whoever is paying is definitely a stakeholder. Also, if a program produces savings or additional costs for an organisation then the organisation is also a stakeholder for that program.

● Follow the resources. Every entity that provides resources, whether internal or external, labour or facilities, and equipment, is a stakeholder. Line managers and functional managers providing resources are stakeholders.

● Follow the deliverables. Whoever is the recipient of the product or service the organisation is providing is considered a stakeholder.

● Follow the signatures. The individual who signs off on completion of the final product or service is a stakeholder.

● Examine programs’ stakeholder lists. Include active programs and completed projects.

● Review the organisational chart to assess which parts of the organisation may be stakeholders.

● Ask team members, customers, and any other confirmed stakeholder to help you identify additional stakeholders.

● Look for the ‘unofficial people of influence’. These may be people who are trusted by high-level leaders or who wield a lot of power through influence and not position.

Once you have identified your stakeholders, you will need to communicate your plans to them. This may be to obtain support or approval for your activities, or just to keep them apprised.

6 Brown, J.T., 2007, The Handbook of Program Management, McGraw-Hill, Australia.


In order to undertake an effective and constructive consultation process, you should first develop a plan for how you will go about this. This stakeholder communication plan should include reference to:

● who the stakeholders are

● who has responsibility for what when implementing the plan

● timeframes for implementation

● methods of communication

● opportunities for consultation with stakeholders.

Probably the best way to gain support for your risk management activities (and increase the chance of success) is to consult. Stakeholders who are unaware of the reasons behind your activities or feel excluded from consultation will be unlikely to support activities. They may not see how risk management activities relate to organisational success as a whole or to success in their area of operations. Importantly, such stakeholders may uniquely possess the power or knowledge to implement policy effectively.

Without a consultative process, you run the risk of proceeding with risk management activities without adequate information. You may also run the risk of not complying with relevant legislation. For example, as discussed in the following topic, WHS Acts and Regulations mandate consultation with workers who are affected by health and safety risk management processes in their workplace.

Learning activity: Stakeholders

From the scenario provided at the beginning of this section, ‘preparing for risk management’, identify the internal and external stakeholders and the types of input each of them are likely to provide.

Stakeholder | Internal/External? | Type of input


Learning activity: Stakeholders in the risk process

Review the scenario in Appendix 4 and identify three stakeholders, their role and their primary concerns in regard to the risk management process.

Stakeholder | Role | Risk concerns

Describe briefly the attributes that qualify a person as a stakeholder in the risk management process.


Describe how you would take a consultative approach to risk management to obtain support and (where relevant) achieve legal compliance.

Learning activity: Communicating with stakeholders

Jeff Harding, CEO of Shoez (See scenario in Appendix 4), believed that it would be useful to involve the store managers in gathering information about risks associated with their stores and has asked you to prepare an email. Complete an email in the space below making sure that you stay within the scope of the task.


Understand importance of relevant legislation

You cannot afford to ignore the role of legislation in the risk management process. Arguably, the greatest risk for an organisation is to be non-compliant with relevant Acts or Regulations as this can incur significant penalties. The risk management process must therefore use legislative guidelines as criteria against which risk is assessed. Some key areas of legislation affecting businesses are listed below.

WHS legislation

Under WHS law, everyone has a responsibility to help provide a safe work environment. Persons conducting a business or undertaking (PCBUs) must provide a safe place of work. Workers must act responsibly to perform work tasks safely and avoid harm to self and others.

PCBUs (employers) are required to:

● ensure that work is performed in a safe manner and does not have any negative effect on workers’ health

● ensure sufficient information and education is provided so that the work can be undertaken safely

● ensure workers have a say in the safety of their own workplace by recognising and acting on risks and hazards in the workplace

● implement audit and control measures that verify the effectiveness of WHS activities

● ensure equipment and machinery is maintained in a safe condition.

As a manager or supervisor with some responsibility for the health and safety of others in the workplace, you should be aware of recent changes to the legislative environment. These changes may affect your organisation’s approach to work health and safety.

The Commonwealth and state and territory governments have committed to harmonise health and safety legislation by enacting laws that reflect the model Work Health and Safety Act developed by Safe Work Australia. In 2011, the Work Health and Safety (WHS) Act, based on the model WHS Act, was enacted by the Commonwealth. Many other jurisdictions have since followed suit with their own mirror legislation.

One of the main benefits of harmonised legislation is that it provides for a nationally consistent legal framework of work health and safety standards and obligations. Businesses and undertakings, especially those operating across state borders, will be able to apply one set of workplace standards nationally and enjoy more certainty in understanding their health and safety obligations in different state jurisdictions.

In jurisdictions that have not yet enacted mirror legislation, pre-existing legislative frameworks and terms remain in effect. For more information about the model Work Health and Safety Act, and the progress of implementation, visit the Safe Work Australia website.


Learning activity: WHS legislation, standards and codes of conduct

Consider your organisation or an organisation you are familiar with or wish to research.

Use the internet to research WHS legislation, standards and codes of conduct in Australia (relevant to your business sector), and describe how you think these influence risk management processes for your organisation.

Privacy Act 1988

The Privacy Act 1988 regulates the handling of personal information about individuals. This includes the collection, use, storage and disclosure of personal information, and access to and correction of that information. The Privacy Act includes 13 Australian Privacy Principles (APPs) that apply to the handling of personal information by most Australian Government agencies and some private sector organisations. The principles, as stated by the Office of the Australian Information Commissioner, are as follows.7

1. Open and transparent management of personal information

Ensures that APP entities manage personal information in an open and transparent way. This includes having a clearly expressed and up to date APP privacy policy.

2. Anonymity and pseudonymity

Requires APP entities to give individuals the option of not identifying themselves, or of using a pseudonym. Limited exceptions apply.

3. Collection of solicited information

Outlines when an APP entity can collect personal information that is solicited. It applies higher standards to the collection of ‘sensitive’ information.

7 Australian Government, 2014, ‘APP quick reference tool’, Office of the Australian Information Commissioner, viewed January 2015, <http://www.oaic.gov.au/privacy/privacy-resources/privacy-guides/app-quick-reference-tool>.


4. Dealing with unsolicited personal information

Outlines how APP entities must deal with unsolicited personal information.

5. Notification of the collection of personal information

Outlines when and in what circumstances an APP entity that collects personal information must notify an individual of certain matters.

6. Use or disclosure of personal information

Outlines the circumstances in which an APP entity may use or disclose personal information that it holds.

7. Direct marketing

An organisation may only use or disclose personal information for direct marketing purposes if certain conditions are met.

8. Cross-border disclosure of personal information

Outlines the steps an APP entity must take to protect personal information before it is disclosed overseas.

9. Adoption, use or disclosure of government related identifiers

Outlines the limited circumstances when an organisation may adopt a government related identifier of an individual as its own identifier, or use or disclose a government related identifier of an individual.

10. Quality of personal information

An APP entity must take reasonable steps to ensure the personal information it collects is accurate, up to date and complete. An entity must also take reasonable steps to ensure the personal information it uses or discloses is accurate, up to date, complete and relevant, having regard to the purpose of the use or disclosure.

11. Security of personal information

An APP entity must take reasonable steps to protect personal information it holds from misuse, interference and loss, and from unauthorised access, modification or disclosure. An entity has obligations to destroy or de-identify personal information in certain circumstances.


12. Access to personal information

Outlines an APP entity’s obligations when an individual requests to be given access to personal information held about them by the entity. This includes a requirement to provide access unless a specific exception applies.

13. Correction of personal information

Outlines an APP entity’s obligations in relation to correcting the personal information it holds about individuals.

There are several key obligations around information collection:

● Whenever possible collect information directly from the person.

● Only collect information that is necessary.

● Collect information by fair means.

● Take reasonable steps to let people know that personal information has been collected and what is going to be done with it.

● Do not disclose information about the person to a third party that you are collecting information from.

● Take care about the type of information contained in messages left on answering machines.

Generally, personal information should only be used and disclosed for the purpose that it was collected.

Learning activity: Application of Australian Privacy Principles

Considering the privacy laws, identify which of the Australian Privacy Principles should be applied in the following circumstances.

A sales person from your organisation asks for the number for an employee’s partner’s mobile phone.


Your organisation’s website asks for personal details but does not have a displayed privacy statement.

A customer approaches you at work and asks for personal contact details of a work colleague who he says owes him money.

Contract law

Contract law is any law or Regulation with the objective of enforcing certain promises that relate to contracts. A contract is an agreement between two parties – either individuals or entities – that is intended to be legally binding. Contract law governs the formation; scope and content; avoidance; performance and termination; and remedies of contracts. This is important in risk management, as contracts hold the potential for risk, and a breach of contract may not only have repercussions with the other party or parties but may also be in breach of legislation.

Australian contract law can be broken into five key sections detailed in the table below.

Formation: A contract is a promise or a set of promises that is legally binding. This requires there to be an agreement between the parties and the intention to create a legal relationship. The parties must demonstrate legal capacity to contract, and compliance with any legal requirements must be ensured.

Scope and content: A contract is generally only able to be enforced by and against the parties to the contract. The content of a contract must allow the parties to determine what the terms of the contract are, and how they should be interpreted where ambiguous.

Avoidance: A valid contract may still be avoided as a result of a number of factors, which usually involve unfair or unconscionable action by one of the parties.

Performance and termination: Most contracts come to a natural end when the parties have performed their respective obligations. A contract may also come to an end by mutual agreement between parties, as a result of the breach of contract by one of the parties, or due to events that might prevent parties from performing their obligations as planned.

Remedies: When the terms of a contract are breached by one party, the other party is entitled to remedies; in particular, damages.

Learning activity: Contracts

What risks might be presented to an organisation when entering into a contract?


Company law

A corporation, or company, is a legal group of individuals who finance a business. The group cannot become a company until it is registered with the Australian Securities and Investments Commission (ASIC). ASIC will issue the new company with a certificate of incorporation and an Australian Company Number (ACN) which is used to identify the entity.

Key features of a company include the following.

● Under Australian law a company, as a separate entity, is given all the legal rights and liabilities of a natural person, including the ability to sue others and be sued itself.

● A company is established with the assumption of a continuous life; this means that while its owners may change, the company will continue to remain in existence unless it is liquidated.

● A company has limited liability for shareholders, meaning that if the company fails, then only the amount of shareholder investment in the company can be claimed against, and not other investments that a shareholder may have.

● A company is a separate legal entity from its owners, i.e. the financial affairs of the owners must be separated from those of the company, and unless personal guarantees of the owners have been secured, an entity can only sue the company for damages and not the owners.

There are two types of companies in Australia: proprietary and public. The diagram below shows some major differences between the two types.

Proprietary:

● Cannot sell shares to public.

● Are classified as large or small.

● Less reporting requirements.

Public:

● Can sell shares to public.

● Generally large companies.

● Greater compliance reporting requirements.

Features shown in the diagram: separate legal entity; continuous life; limited shareholder liability; separate entity from owner.


Under section 45A of the Corporations Act 2001, a proprietary company is currently classified as ‘large’ if it satisfies at least two of the following criteria:

● the consolidated gross operating revenue of the company and any entities it controls is $10 million or more

● the value of the consolidated gross assets at the end of the financial year of the company and any entities it controls is $5 million or more

● the company and any entities it controls have more than 50 employees at the end of the financial year.8

If a proprietary company is classified as large, then it is required to submit annual financial and directors’ reports. Small proprietary companies do not have to prepare either of these reports except in the circumstance that ASIC or shareholders with at least 5% of the company request it to.

Learning activity: ASIC

Access the ASIC website at <http://www.asic.gov.au> and review the section on running a company (in the dropdown list under the ‘for companies’ tab). Under the heading ‘Change of details’, review the checklist provided for company officers and describe three risks for an organisation if compliance is not maintained.

1.

2.

3.

The Australian Securities and Investments Commission (ASIC)

ASIC is Australia’s corporate, markets and financial services regulator. It is an independent Commonwealth Government Body with most of its work being carried out under the Corporations Act.

8 Corporations Act 2001, Sect. 45A ‘Proprietary companies’, p. 90.


ASIC regulates Australian companies, financial markets, financial services organisations and professionals who deal and advise in investments, superannuation, insurance, deposit taking and credit. ASIC’s main role to consider in relation to this unit is its responsibility for ensuring that company directors and officers carry out their duties honestly, diligently and in the best interest of their company.

Although ASIC administers many Acts or parts of Acts, as well as relevant Regulations made under them, the main two are the:

● Corporations Act 2001

● Australian Securities and Investments Commission Act 2001.

The other Acts involve insurance, superannuation and medical indemnity.

The Corporations Act sets much of the legislative framework for the conduct of companies and their directors in relation to corporate governance. Internal controls need to be implemented and maintained to ensure compliance with the legislation administered by the delegated authority, ASIC.

The Australian Securities and Investments Commission Act makes provision for ASIC to ensure the performance of the financial system and entities in it, to assist investors and consumers in the financial system with appropriate information, and to administer and enforce the law effectively.

Learning activity: Director’s responsibilities

Search the ASIC website <http://www.asic.gov.au> using the search term ‘your company and the law’. Name two directors’ responsibilities listed under the heading ‘What does the law expect of you personally?’, and for each describe a process or mechanism that you could put in place to help ensure compliance with this directive.

1.

2.

Company records compliance

Under the Corporations Law, directors are personally responsible for keeping proper company records. These could be grouped into financial records and company housekeeping records.


Up-to-date financial records must be kept so that they can:

● accurately record and justify the company’s transactions

● illustrate the financial position of the company and its performance.

Companies should maintain current and accurate financial records in order to ensure that:

● the company is able to prepare accurate financial statements

● these financial statements may be properly audited

● the company is compliant with tax laws.

Financial statements a company would regularly prepare:

Statement of Financial Performance: Shows the company’s revenue and expenses for a set period and the resulting profit or loss.

Statement of Financial Position: Shows the company’s assets and liabilities at a certain point in time.

Statement of Cash Flow: Summarises the company’s influx and efflux of cash for a set period of time.

Financial records may be kept electronically, provided they are capable of being converted into hard copy for anyone entitled to inspect them.

Note: a small proprietary company (as defined by the Corporations Act) generally is not required to lodge formal financial reports with ASIC. On the other hand, large proprietary companies, public companies and non-profit public companies must produce, audit and lodge financial reports with ASIC.

Basic financial records that companies may be required to keep by law:

General ledger: Records all transactions and balances (revenue, expenses, assets, liabilities). Otherwise, summarises these balances detailed in other records.

Cash records: For example, deposit books, cheque butts, petty cash records and bank statements.

Debtor and sales records: Outlines the money made or owing to the company, for example, delivery dockets, invoices and statements issued, debtors and their balances.

Creditors and purchase records: Outlines the money spent or owed by the company, for example, purchase orders, invoices and statements received, creditors and their balances.

Wage and superannuation records: Funds paid to employees.

A register of property, plant and equipment: Shows the transactions and balances relating to individual items.

Inventory records: Value of the items that make up the company’s inventory.

Investment records: For example, certificates and notices related to dividends or interest.

Tax returns and calculations: For example, goods and services tax returns and statements, income tax, and fringe benefits.

Deeds, contracts and agreements: Legal documentation.

Learning activity: Financial record-keeping

Both tax law and corporation law require that financial records are kept between five and seven years, which can present logistics problems for an organisation if there is a large volume of physical records. Search the ATO website to determine whether past records can be kept electronically and, if so, how the ATO recommends that this be managed.


The Fair Work Act 2009

Sweeping changes have been made to workplace legislation in the years 2005 to 2009, beginning with the introduction of the Workplace Relations Amendment (Work Choices) Act 2005, followed by its replacement, the Fair Work Act 2009. The Fair Work Act sets out to offer:

● a fair and comprehensive safety net of minimum employment conditions

● a system that has, at its heart, bargaining in good faith at the enterprise level

● protections from unfair dismissal for all employees

● protection for the low paid

● a balance between work and family life

● the right to be represented in the workplace.

Below are some key elements of the Fair Work Act. The organisation should be aware of these regulations to ensure its compliance. Compliance will decrease the likelihood of risk to the organisation regarding workplace relations.

Fair Work Australia (FWA): Oversees workplace relations. Has the power to vary awards, make orders relating to minimum wage and settle unfair dismissal claims.

Unfair dismissal: Employees may lodge unfair dismissal claims to FWA within seven days if they were employed for six months or longer (twelve months if the business employs fifteen people or fewer).

Safety net: Minimum standards protect workers’ rights through, for example:

● flexible working arrangements after 12 months

● 12 months unpaid parental leave

● contracts, agreements and policies between employers and employees that reflect the National Employment Standards (NES).

Discrimination: Prohibition of discrimination based on: race, colour, sex, sexual preferences, age, physical or mental disability, marital status, religion or pregnancy.

Increased union right of entry: Unions may enter a workplace in which they have a member who works on the premises, to investigate any suspected breaches of legislation.

Enterprise bargaining: FWA will grant approval to enterprise agreements (either single enterprise or multi enterprise) if it considers ‘that each employee is 'better off overall' under the agreement, compared to an applicable modern award.’

Transfer of business: After the transfer of assets, employees (between related companies), outsourcing or insourcing, the work is not to be significantly different after the transfer, compared to that pre-transfer.

The Fair Work system

The Fair Work system, created under the Fair Work Act, covers the majority of Australian workplaces. At present, with the exception of Western Australia, all states and territories have referred their industrial relations powers to the federal government and are therefore covered under this system.

The system is administered and enforced by three statutory authorities:

● Fair Work Australia

● Fair Work Ombudsman

● Fair Work Federal Divisions of the Federal Court and the Federal Magistrates Court.


Learning activity: Unfair dismissal

What risks are there for an organisation in regard to unfair dismissal legislation? How can the organisation manage against the occurrence of these risks?

Awards – industrial instruments

Under the Fair Work Act, new National Employment Standards (NES) have been developed to underpin any award conditions and pay rates. In general, the NES sets out the following.

● Minimum rates of pay, such as hourly rates and annual salaries.

● Ordinary hours of work.

● Annual leave and leave loading.

● Long service leave.

● Personal or carer’s leave.

● Notice to be given on termination.

● Rest periods.

● Loadings for overtime, casual work and shift work.

● Anti-discrimination provisions.

Learning activity: Awards

Go to the Fair Work Ombudsman website and research the Fair Work system. Then answer the following questions.

To continuously ensure your organisation’s compliance, where on the site would you find out about:

● awards

● leave entitlements

● relevant legislation or changes to legislation?


Imagine you worked in the retail industry and wanted to ensure your organisation’s pay rates were consistent with legal requirements. Locate and download the applicable modern award.

What other useful information is available on the Fair Work Ombudsman website?


Section summary

You should now understand the risk management process and how to establish the context for risk management activity, including the scope within which risks must be managed, the stakeholders involved, and relevant legislation. In the next chapter, we will look at Stage 1 of the risk management process: identifying risks.

Further reading

● AIRMIC, ALARM and IRM, 2002, A risk management standard, available online, viewed January 2015, <http://www.oat.ethz.ch/education/Autumn_term_09/Material_on_Psychological_Aspects/AIRMIC_Risk-Management-Standard_1_.pdf>.

● Australian Government, 2014, ‘Privacy fact sheet 17: Australian Privacy Principles’, Office of the Australian Information Commissioner, viewed January 2015, <http://www.oaic.gov.au/privacy/privacy-resources/privacy-fact-sheets/other/privacy-fact-sheet-17-australian-privacy-principles>.

● Damodaran, A., 2008, ‘Chapter 1 – what is risk?’, Strategic risk taking: a framework for risk management, Prentice Hall, New Jersey.

Section checklist

Before you proceed to the next section, make sure that you are able to:

explain risk and risk management

establish the context for risk management

explain the importance of relevant legislation.


Section 2 – Identify Risk

Risk identification is a vital stage of risk management as it develops the basis for the steps of analysing and controlling risks. Thorough and correct risk identification ensures effective risk management. If a risk is not first identified, how can it be managed? The organisation will be unable to account for such risks and so their consequences may be highly damaging to the organisation’s goals.

In this section, we will look at reviewing the organisation and factors affecting it, in order to identify risks.

Scenario: Identifying risks

Having reviewed risk management processes and the legislative environment in which the organisation operates, you now prepare for the job of identifying the risks for the chain of shoe repair stores.

You quickly realise that risk management, like most forms of management, requires input and feedback from stakeholders who affect and are affected by the risks to the organisation. With their help you will use various techniques to identify the scope of risks that could affect the organisation and set the objectives for your risk management function.

In the process of identifying risks, you will assess the internal strengths and weaknesses of the organisation and the opportunities and threats from the external environment which can arise from the social, technological, economic and political spheres in which the organisation operates.

What skills will you need?

In order to work effectively as a risk manager you must be able to:

review the external environment

determine strengths and weaknesses

review and document objectives

identify risks

involve others in risk identification.


Review the external environment

To thoroughly identify risks, we must examine the external environment surrounding an organisation. This includes the political, economic, social, legal, and technological factors affecting the business.

A PEST analysis is an effective tool for investigating external environmental factors. PEST stands for the following.

● P – Political*

● E – Economic

● S – Social

● T – Technological

* Includes changes in legislation

It is used when conducting an environmental analysis for strategic planning or as a framework for market research. The analysis gives an overview of big picture factors that the organisation should take into consideration.

This is a useful tool in the risk management process as it can aid not only in the identification of risks, but may also be used as a factor in the analysis of those risks identified. Examples of factors which may come to light via a PEST analysis are below.

Political

● proposed laws that may affect organisation

● taxation policy

● merit/demerit goods

● employment regulations.

Economic

● interest rates

● economic growth

● exchange rates

● inflation rates.

Social

● population growth

● demographics

● health consciousness

● social trends.

Technological

● current research and development

● rate of technological change

● automation

● technology incentives.

Learning activity: PEST analysis

Review the scenario in Appendix 4 under the heading ‘internal and external environment’ and identify one item for each of the following in the PEST analysis.

Political


Economic

Technological

Social

Describe briefly how a PEST analysis can help identify risks for an organisation.


Learning activity: List of risks

Review the scenario in Appendix 4 under the heading ‘internal and external environment’ and list three risks and describe which areas of the scope they belong to.

Risk Area

Describe a process you could introduce that could help you obtain information from stakeholders.


Determine strengths and weaknesses

The internal environment of an organisation must be examined to determine if it is exposed to risk through any of its operations or processes. This requires that you assess what the business is doing well, and what areas need improvement.

A SWOT analysis can be used to determine the strengths and weaknesses of an organisation. SWOT stands for the following.

● S – Strengths

● W – Weaknesses

● O – Opportunities

● T – Threats

Strengths and weaknesses are factors that are able to be controlled by the business. Strengths are the key elements that give an organisation advantage over its competitors. Weaknesses are the limitations faced by the business in achieving its objectives.

Opportunities and threats exist independent of the organisation, and are often beyond its control. Opportunities are the conditions of the environment in which the business operates which could benefit the organisation if acted upon. Threats are barriers that prevent the business from achieving its objectives.


As shown in the diagram above, an organisation should endeavour to match internal strengths with external opportunities to create the best competitive advantage. Action should be taken to turn internal weaknesses into strengths or minimise their effect on the business, and to convert threats into opportunities or avoid them.

Learning activity: SWOT analysis

Review the scenario in Appendix 4 under the heading ‘internal and external environment’ and identify one item for each of the following in the SWOT analysis.

Strength

Weakness

Opportunity

Threat

Describe briefly how a SWOT analysis can help you to identify risks in an organisation.


Review and document objectives

As stated in the introduction, an organisation is defined by its goals and objectives. The greatest risk for an organisation is failure to achieve its strategic objectives; therefore the risk management process must document the goals of the business and determine risks as those things which will prevent those goals being fulfilled.

The mission statement of an organisation will ordinarily outline the key objectives of the business. Product quality may be seen as critical. For example, if part of the organisation’s mission statement is to produce a quality product, a potential risk is the inability to find skilled staff, or to source quality resources required for production. Critical success factors are the achievement of (or inability to achieve) goals, objectives and targets associated with fulfilling each resourcing requirement and ensuring the success of the organisation’s mission.

Whatever the scope of each individual risk management activity you undertake, goals for the activity should relate in some way to, or support, organisational mission-critical goals. For example, if quality is critical to the mission of the organisation, each manager responsible for a particular aspect of production will determine quality goals for their area and identify and control risks to the achievement of these goals.

Learning activity: Goals of risk process

Review the scenario in Appendix 4 and identify two goals or objectives for the task you have been assigned by Jeff to complete.

1.

2.

Describe how having goals or objectives assists in carrying out the risk management process.


How do the goals relate to the organisation’s strategic directions?

Why is it important to ensure that risk management is integrated with all organisational aims and objectives?

Identify risks

Risks must be identified in order to be analysed and treated. The Australian Standard divides risk identification into two categories.

1. What, where and when? This aims at generating a comprehensive list of risks that may impact the objectives.

2. Why and how? Identify the circumstances in which this risk may be realised. What would be the cause of an exposure of resources (for example, failure of ..., lack of ..., loss of ..., injury to ..., etc.)?

The process of identification can be aided by various tools and techniques, which should be selected based on the purpose and context of the risk management activities being undertaken. Some of these tools include:

● checklists

● brainstorming

● fishbone diagrams

● flowcharts.

Checklists

Checklists can be used to help in identifying risks by using targeted questions. When trying to identify the risks within a specific context, it is important to interrogate the components as much as possible. Some questions that could be asked include:

● Where are the risks likely to come from?

● Who is likely to pose a risk?

● What situations are likely to increase the possibility of the risk actually occurring?

● Just how large are the risks?


To ensure the checklist is comprehensive, these questions can be asked of each of the following areas within differing contexts (for example, legislative risk, environmental risk and economic risk).

Financial risk factors

● Premises – e.g. suitability, size, facilities available, location, health and safety risks to workers and others, financial concerns.

● Product and services – e.g. organisation’s competitive position (and potential in the future), environmental issues that affect development, waste management, lifestyle trends and demographic changes.

● Purchasing – e.g. use of recognised standards, government policy on standards, protection of workers etc.

People elements

● People – e.g. organisation of employees, ‘culture’, skills and competence of employees, training and supervision, WHS (work health and safety), visitors to the site, wider public in the vicinity.

Actions or processes

● Processes – e.g. techniques used and their associated risks, legislation requirements and skill level of employees.

● Performance – e.g. stakeholder interest, health and safety, insurance claims and quality.

Management issues

● Policy and strategy – WHS, environmental and waste management, financial and purchasing control, accident investigation, reporting and rehabilitation.

● Planning and organising.

Learning activity: Checklist

Use the categories outlined above, and for the Scenario provided in Appendix 4, develop a checklist of two target questions per category that could be used to identify risks.

Financial risk factors


People elements

Actions or processes

Management issues

Brainstorming

Brainstorming is a tried-and-true way to come up with ideas in a group. The method is simple. The problem is stated, and the recorder stands in front of a room with a flip chart or a whiteboard. People in the group say whatever ideas pop into their minds. The recorder writes down all of the comments made. Brainstorming – a rapid noting of alternatives, no matter how silly – is an excellent discovery process.

There are some important things to remember about brainstorming:

1. Quantity is wanted

The whole point of brainstorming is that you don’t stop the flow of ideas to separate good and bad ones. Obviously, your chances of finding good ones go up if you have a really long list of ideas to choose from. In a ten-minute brainstorm you should generate at least 10 to 20 ideas.


2. Free-wheeling is necessary

You can’t generate a good number of ideas if you restrict them in any way. Don’t worry about saying something ‘silly’. Silly ideas may not be so silly, or may inspire you or someone else to say something less silly. So say anything that pops into your head; say variations on what other people have said; just say things!

3. Defer judgement

Don’t judge or shoot down other people’s ideas. Saying things like ‘yes, but we’ve tried that and it didn’t work’ goes against the principles of brainstorming. The purpose of brainstorming is to get all of the ideas out on the table and then start sifting through them.

4. Tag on

If you start slowing down, take a previous idea and change it a little. For example, if you have already said ‘Pay people to pick up litter,’ you can add to it to make ‘Give free balloons to people to pick up litter’ or ‘Punish people for not picking up litter’ or ‘Have volunteers hand out certificates to people they see picking up litter’. As you can see, there are many variations to any idea.

Brainstorming in the context of risk management may be targeted using the following questions to attempt to identify risk to organisational objectives.

● What:

o might happen

o is the impact

o are the existing controls?

● Who:

o is involved

o is affected?

● How:

o could this arise?

● When:

o in the life of activity

o beyond the life of activity?

● Why will there be:

o changes and uncertainties

o causal factors and triggers?

Affinity diagrams

An affinity diagram is a special type of brainstorming process that is used for organising large groups of information into meaningful categories. It helps to clarify and make sense of a large or complex problem.

1. Define the problem or issue to be explored.

2. Brainstorm for ideas, but instead of everyone shouting out ideas, everyone silently writes down their ideas on ‘Post-it’ notes.

3. When the brainstorm is complete, mix up all the notes and stick them on a wall.


4. Arrange the notes or cards into related groups as follows:

a. take two notes that are related in some way and put them together

b. find other notes that belong to this group and put them with the first two

c. build other groups of notes in the same way until all of the notes have been grouped (about 10 groups maximum).

5. Now you can decide what to call each grouping. Header notes are created and placed at the top of each grouping. The header note should clearly define the common thread that ties all of the notes in the group together (usually a three-to-five-word description).

6. You may now find that some notes do not belong to a group. If so, continue sorting until everyone is satisfied with the final picture.

See the example below of a documented affinity diagram.

Solution to maintaining successful process

Customer requirement

● Understand requirement

● Consult customer

● Interpret customer needs

● Provide operational output

● Identify customer

Provide Training

● Know quality improvement tools

● Investigate efforts

Communications

● Access to information

● Employee involvement

● Break down barriers

Controls

● Establish measurement systems

● Develop corrective action system

● Determine process capability

● Define process

● Project improvement

Management

● Establish reward system

● Provide job security

● Staff support

● Clear program goals

● Create steering committee.


Learning activity: Staff input to risk management

Brainstorm a list of approaches that you can use to encourage staff and stakeholders to provide input and participate in the development of risk management strategies for an organisation, and describe how each of these can be effective.


Fishbone diagrams

Fishbone diagrams are cause-and-effect diagrams. Use of the fishbone diagram encourages a systematic approach to identifying risks that looks beyond the obvious causes of a problem. The starting point for creating the diagram is identification of a problem. This is stated as the effect. The ‘bones’ show the types of variables that might play a part in the root cause.

Causes are usually grouped into major categories, which typically include the following.

● People – anyone involved with the process.

● Methods – how the process is performed and the specific requirements for doing it, such as policies, procedures, rules, regulations and laws.

● Machines – any equipment, computers, tools, etc. required to accomplish the job.

● Materials – raw materials, parts, pens, paper, etc. used to produce the final product.

● Measurements – data generated from the process that are used to evaluate its quality.

● Environment – the conditions, such as location, time, temperature, and culture in which the process operates.

Causes can be generated from brainstorming activities, and then grouped and used as labels on the fishbone. Below is an example fishbone diagram showing factors affecting the service industry which have the potential to cause or contribute to problems and create risk. The smaller bones connect sub-causes to major causes and show the escalation of risk.


Learning activity: The 8 P’s

Use the internet to find the 8 P’s of the service industry and create a fishbone diagram for them below. Ensure you include at least one variable for each category included on the ‘bones’ of the diagram. (You may find it easier to create the diagram using a separate piece of paper).


Flowcharts

A flowchart is a diagram commonly used to demonstrate the steps in a solution for a problem. They are frequently used to design, analyse, document and manage processes.

Flowcharts use various symbols and shapes to represent different facets of a process, and arrows to show flow of information, communication and control. Some of the symbols include the following.

● Circles, ovals or rounded rectangles showing start and end points. The shape will usually contain the word ‘start’ or ‘end’, or a specific phrase that indicates the start or end of a process, such as ‘submit enquiry’.

● Rectangles showing processing steps, for example ‘replace identified part’ or ‘save changes.’

● Parallelograms showing input/output, for example ‘get feedback from the user.’

● Diamonds representing conditional steps or decisions. These would usually contain a ‘yes/no’ or ‘true/false’ test.


Learning activity: Flowchart

Create a simple flowchart using the symbols above to show the process for dealing with a lamp that won’t function. You will need to think about reasons the lamp may not be working, and address these, and appropriate responses or actions, in your flowchart.


Learning activity: Risk management tools

Research online tools or templates that you could use in risk management processes in an organisation. Identify three that you think you could use and describe why and how you think these could be helpful. Include a brief description of each tool as well as the web URL.

Tool URL

What the tool does

How the tool could be helpful

Tool URL

What the tool does

How the tool could be helpful


Tool URL

What the tool does

How the tool could be helpful

Research

The process of risk identification is greatly aided by the use of both internal and external research. This may be in the form of:

● past records

● data and statistical information

● relevant published credible literature

● results of public consultation

● market research.

To ensure a thorough risk analysis, several of these sources of information could be used. Information can be collected in many ways, some of which are listed below.

Primary data collection techniques

Primary data collection refers to data collected by the user. Data collected is unique to the organisation and is not publicly available unless the researcher chooses to publish it.

Some common methods of primary data collection include interviews, focus groups, surveys and questionnaires, observations, and diaries.


Interviews

Interviewing can be used to identify the underlying reasons and motivations for people’s attitudes, preferences or behaviour. Interviews can be individual or group-based.

Advantages

● Serious approach by respondent resulting in accurate information.

● Good response rate.

● Completed and immediate.

● Possible in-depth questions.

● Interviewer in control and can give help if there is a problem.

● Can investigate motives and feelings.

● Can use recording equipment.

● Characteristics of respondent assessed – tone of voice, facial expression, hesitation, etc.

● Can use props.

● If one interviewer used, uniformity of approach.

● Used to pilot other methods.

Disadvantages

● Need to set up interviews.

● Time consuming.

● Geographic limitations.

● Can be expensive.

● Normally need a set of questions.

● Respondent bias – tendency to please or impress, create false personal image, or end interview quickly.

● Embarrassment possible if personal questions.

● Transcription and analysis can present problems – subjectivity.

● If many interviewers, training required.

Focus groups

A focus group is an interview conducted by a trained moderator in a non-structured and natural manner with a small group of respondents. The moderator leads the discussion. The main purpose of focus groups is to gain insights by listening to a group of people from the appropriate target market talk about specific issues of interest.

Observations

Observation involves recording the behavioural patterns of people, objects and events in a systematic manner.

Observational methods may be:

● structured or unstructured

● disguised or undisguised

● natural or contrived

● personal

● mechanical

● non-participant

● participant, with the participant taking a number of different roles.


Questionnaires

Questionnaires are a popular means of collecting data, but are difficult to design and often require many rewrites before an acceptable questionnaire is produced.

Advantages

● Can be used as a method in its own right or as a basis for interviewing or a telephone survey.

● Can be posted, emailed or faxed.

● Can cover a large number of people or organisations.

● Wide geographic coverage.

● Relatively cheap.

● No prior arrangements are needed.

● Avoids embarrassment on the part of the respondent.

● Respondent can consider responses.

● Possible anonymity of respondent.

● No interviewer bias.

Disadvantages

● Design problems.

● Questions have to be relatively simple.

● Historically low response rate (although inducements may help).

● Time delay whilst waiting for responses to be returned.

● Require a return deadline.

● Several reminders may be required.

● Assumes no literacy problems.

● No control over who completes it.

● Not possible to give assistance if required.

● Problems with incomplete questionnaires.

● Replies not spontaneous and independent of each other.

● Respondent can read all questions beforehand and then decide whether to complete or not. For example, perhaps because it is too long, too complex, uninteresting, or too personal.

Diaries

A diary is a way of gathering information about the way individuals spend their time on professional activities. They are not about records of engagements or personal journals of thought! Diaries can record either quantitative or qualitative data, and in management research can provide information about work patterns and activities.


Advantages

● Useful for collecting information from employees.

● Different writers compared and contrasted simultaneously.

● Allows the researcher freedom to move from one organisation to another.

● Researcher not personally involved.

● Diaries can be used as a preliminary or basis for intensive interviewing.

● Used as an alternative to direct observation or where resources are limited.

Disadvantages

● Subjects need to be clear about what they are being asked to do, why and what you plan to do with the data.

● Diarists need to be of a certain educational level.

● Some structure is necessary to give the diarist focus, for example, a list of headings.

● Encouragement and reassurance are needed as completing a diary is time-consuming and can be irritating after a while.

● Progress needs checking from time-to-time.

● Confidentiality is required as content may be critical.

● Analysis problems, so you need to consider how responses will be coded before the subjects start filling in diaries.

Secondary data collection techniques

Secondary data is collected by someone other than the user. It can be sourced from existing survey results, databases, statistical research organisations, published reports, case studies and published texts.

It is important to ensure that data is obtained from trusted sources, to ensure it is valid and reliable. There are questions that you should consider when selecting existing data for use in your audit.

● What was the researcher’s objective in collecting the data?

● What data was collected and what is it supposed to measure?

● When was the data collected?

● What methods were used?

● How is the data organised?

● What information is known about the success of that data collection? How consistent is the data with data from other sources?

Quality of information

The aim of any data collection activity is always to aid in decision-making. The decisions that are made will only be as good as the data collected. It is essential then that data is ‘quality tested’ to ensure it will produce the desired results.


Data should be:

● Accurate – Information collected through audit activities should be precise and a true reflection of the relevant events, subjects and issues.

● Relevant – Data collected should be directly related to the intent and objectives of the audit or collection process.

● Reliable – Data must be verifiable and well supported by background information.

Learning activity: Risk research

Identify at least three different ways that risk in a business environment can be researched, and describe the types of information you are likely to gather from each approach.


Involve others in risk identification

Communication and consultation should take place at every step of the risk management process with both internal and external stakeholders. Therefore, a communication plan for both these parties should be developed early in the process.

This plan should address issues relating to the risk itself, the likelihood of the risk, its potential consequences, and measures being taken to manage the risk. Communication is vital in risk management as it ensures that those accountable for implementing risk management, as well as other stakeholders, understand the reasoning behind decisions, and why particular actions are required.

Identification of risks should never be the responsibility of one individual. Consulting a team of people with different areas of expertise means that many viewpoints are represented and the identification process is thorough. Including stakeholders in the process also facilitates a sense of ‘ownership’ for risk management activities.

Some key skills that you will require for involving others and maintaining communication with stakeholders are described in the table below.

Active listening

● Keep the purpose in mind – know why you are listening and what you are listening for.

● Listen to what’s not said – learn to read gestures and facial expressions, not just listen to words.

● Give feedback – acknowledge and respond to what you hear, without interrupting.

● Be sensitive – show that you listen to and understand the other person’s point of view, even though you may not agree with it.

Encouraging feedback

● Value feedback – recognise that you need feedback to build an accurate picture of what is occurring.

● Do not react – show respect for feedback even when it is critical.

● Don’t point fingers – use feedback to diagnose and fix problems, without laying blame.

Facilitating discussion

● Step back – establish the purpose or goal for the group, and then let the group continue the discussion.

● Bring focus – ensure the discussion stays on track by reminding the group of the established purpose.

● Be open – don’t voice personal opinions or make judgements about proposed ideas, just listen.

● Be fair – make sure everyone has an opportunity to participate, express an opinion or contribute an idea.

● Summarise – rephrase key points and bring clarification to any decisions or planned actions when needed.

Effective questioning

● Directive questions – seek facts and concrete answers.

● Non-directive questions – deal with emotions, feelings and attitudes.

● Reflective questions – clarifying information being provided, rephrasing, etc. (e.g. ‘Do you mean ...’)

● Closed questions – allow limited responses, such as ‘Yes’ or ‘No’.

● Open questions – allow for unlimited response.

● Probing questions – seek further response to a question already asked, often in response to the answer given.

Learning activity: Staff involved

In reference to the scenario provided at the beginning of this section of the workbook, who would be most beneficial to involve in the process of risk identification, and why would you include them in gathering input to risk identification?

Section summary

You should now understand how to evaluate the internal and external environments of an organisation, review organisation objectives, identify risk and include stakeholders in the process.

Further reading

● Australian Government, 2010, ‘Chapter 3 – risk analysis’, Natural hazards in Australia: identifying risk analysis requirements, available online, Geoscience Australia, viewed January 2015, <http://www.ga.gov.au/image_cache/GA10820.pdf>.

Section checklist

Before you proceed to the next section, make sure that you are able to:

review the external environment

determine strengths and weaknesses

review and document objectives

research risks

identify risks

involve others in risk identification.

Section 3 – Analyse and Evaluate Risk

It is not enough for an organisation to merely be aware of risks. Once they have been identified, risks must be analysed to determine the probability of occurrence and expected impact. This chapter looks at conducting this analysis, and using it to form an action plan to deal with risks.

Scenario: Preparing a risk action plan

With the help of stakeholders, and the use of other research methods, you have been able to create a list of possible risks that could impact on the shoe repair store chain.

Compiling a list of risks is only the first part of the risk management story. Risk management requires analysis, assessment, evaluation and prioritisation to determine the best use and allocation of an organisation’s resources.

You will use an approach that looks at each risk on a likelihood and consequence basis to determine the priority levels that each should be given. You will then consider the possible options for treating each risk starting with the highest priority and working to the lowest.

To assist you to carry out risk analysis and evaluation, you will prepare a risk management action plan that clearly shows your reasoning for establishing the risk priority levels, and the actions needed to manage the risks.

What skills will you need?

In order to work effectively as a risk manager you must be able to:

determine likelihood of risk

assess consequence of risk

evaluate and prioritise risk

determine risk treatment options

develop an action plan for treating risks.

Analyse risk

Risk analysis is a simple process used to rate the level of risk posed by a hazard. Risk analysis assists in defining the level of control required for the risk, which then leads to reducing the risk as far as practicable. The method used to rate the level of risk combines the likelihood of it happening and the consequence if it does.

Likelihood (frequency)

The first step in risk analysis is to determine the likelihood of risks. Likelihood refers to the probability that a risk will occur, and is measured in terms of the following scale:

Frequency | Description | Detail
1 | Rare | The event may occur only in exceptional circumstances.
2 | Unlikely | The event could occur at some time.
3 | Moderate | The event should occur at some time.
4 | Likely | The event will probably occur in most circumstances.
5 | Almost certain | The event is expected to occur in most circumstances.

Note that the classification of risks must take into account the specific circumstances. For example, the flooding of a warehouse may range from rare, if it is located in a region that receives little rain, to frequent, if it is located somewhere that is often subject to flooding.

Learning activity: Board role for risk management

PricewaterhouseCoopers believes that boards can play a vital role in improving the quality of risk management information provided to them to review and/or act on. A discussion paper published by them describes five steps that can help boards get the information they require.

● PricewaterhouseCoopers, 2006, Bridging the risk and control information gap, available online, PWC, viewed January 2015, <http://www.pwc.com.au/assurance/assets/bridgingrisk06.pdf>.

Based on the likelihood scale above, describe which risks would be included in the statement ‘Be clear about what matters’, i.e. would you include all items on the scale, or just frequent risks? Identify the cut-off you would apply and explain why.

Learning activity: Risk likelihood

Review the scenario in Appendix 4 under the heading ‘Research findings’ and select the issue you think would occur rarely and the issue you think is almost certain to occur. Give your reasons in the space provided below.

Likelihood Reasons

Rare

Almost certain

Learning activity: Revised risks

Some organisations assess risk, and apply a control, and then reassess risk immediately (rather than waiting for a review period some time later). How could this provide relevant information for risk management to the organisation? State your reasons.

Research the internet for risk management tools that include two layers of assessment in this way. (Hint: some risk management organisations use the term ‘residual risk’). Briefly describe the tool, and include a copy in your workbook.

Consequence (severity)

Risk is defined as a situation that has the potential to cause damage; so the assessment of risk looks at how bad the realisation of the risk would be.

Again, a chart has been developed to guide the measure of a risk’s severity. Please note this is a guide only; measures of risk vary between organisations.

Severity | Description | Detail | Potential cost
1 | Insignificant | No breach of licenses, standards, guidelines or related audit findings, no damage, no pollution, no adverse impact. | Nil
2 | Minor | Breach of internal procedures or guidelines; public awareness may exist, but there is little public concern; negligible environmental impact. | Less than $1,000
3 | Moderate | Breach of internal procedures or guidelines; adverse news in local media; environmental damage. | Less than $5,000
4 | Major | Single stakeholder; breach of licenses, legislation, regulation or mandated standards; damage to reputation at national level; medium-term (1–5 years) environmental damage. | Less than $50,000
5 | Catastrophic | Multiple injuries or death; regulatory intervention; damage to reputation at international level; long-term environmental damage (5 years or longer). | More than $50,000

Learning activity: Risk consequence

Review the scenario in Appendix 4 under the heading ‘Research findings’ and select an issue you think would have an insignificant consequence and an issue you think would have catastrophic consequences. Give your reasons.

Consequences Reasons

Insignificant

Catastrophic

Learning activity: One of each

Think about your community or workplace and give an example of each of the following risks.

Rare and catastrophic

Frequent and insignificant

Possible and moderate

Evaluate risk

Now that you have determined both the likelihood and consequence of risk, the two are combined to determine the rating, that is, the level of risk. The most effective method of risk analysis is to generate a risk matrix. A risk matrix is shown below; where the identified consequence meets the identified likelihood, a risk rating is given.

The risk assessment matrix can be used to place the risk into a low, medium or high risk category. Generally, as the risk score increases the level of required control increases and may even become mandatory.

Consequence \ Likelihood | 1 | 2 | 3 | 4 | 5
1 | 1 | 2 | 3 | 4 | 5
2 | 2 | 4 | 6 | 8 | 10
3 | 3 | 6 | 9 | 12 | 15
4 | 4 | 8 | 12 | 16 | 20
5 | 5 | 10 | 15 | 20 | 25

Likelihood x Consequence =

1–3 | Low risk
4–6 | Medium risk
5 | Potential high risk
8 | High risk threshold
9–25 | High risk

Within this risk matrix, the risk calculation score of 8 is considered the median. This means that this score is the threshold at which medium risk turns to high risk.

The allocation of a risk rating should prompt a decision to be made about the priority and action to be taken, as below.

High risk or high risk threshold | IMMEDIATE senior management action, e.g. multiple deaths of employees.
Medium risk | Risk requires only monitoring and review, e.g. loss of assets due to staff theft.
Potential high risk | Action plan needed, allocated responsibilities, e.g. damage to valuable assets.
Low risk | Risk accepted – but not ignored, e.g. a paper cut.
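
The matrix, legend and priority table above, applied to a small risk register as an added Python example (not part of the workbook). The function and class names, the register entries and their likelihood and consequence values are constructed for illustration; treating a score of 5 as ‘Potential high risk’ rather than ‘Medium risk’ is an assumption, because the legend lists 5 under both.

```python
from __future__ import annotations

from dataclasses import dataclass

# Bands in priority order, with the action the workbook's priority table gives.
BANDS = ["High risk", "High risk threshold", "Potential high risk",
         "Medium risk", "Low risk"]
ACTIONS = {
    "High risk": "IMMEDIATE senior management action",
    "High risk threshold": "IMMEDIATE senior management action",
    "Potential high risk": "Action plan needed, allocated responsibilities",
    "Medium risk": "Risk requires only monitoring and review",
    "Low risk": "Risk accepted, but not ignored",
}


@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: int   # 1 (Rare) .. 5 (Almost certain)
    consequence: int  # 1 (Insignificant) .. 5 (Catastrophic)


def rate(likelihood: int, consequence: int) -> tuple[int, str]:
    """Return (score, band) for one cell of the 5x5 matrix."""
    for label, value in (("likelihood", likelihood), ("consequence", consequence)):
        if isinstance(value, bool) or not isinstance(value, int) or not 1 <= value <= 5:
            raise ValueError(f"{label} must be an integer from 1 to 5, got {value!r}")
    score = likelihood * consequence
    if score == 5:
        # Assumption: the specific legend entry for 5 wins over the 4-6 range.
        # A score of 5 only arises from 1x5 or 5x1, e.g. rare but catastrophic.
        band = "Potential high risk"
    elif score <= 3:
        band = "Low risk"
    elif score <= 6:
        band = "Medium risk"
    elif score == 8:
        band = "High risk threshold"
    else:
        # 9-25. A score of 7 cannot be produced by two factors in 1..5.
        band = "High risk"
    return score, band


def prioritise(register: list[Risk]) -> list[tuple[str, int, str, str]]:
    """Rate every risk and order the register by band priority, then score."""
    rows = []
    for risk in register:
        score, band = rate(risk.likelihood, risk.consequence)
        rows.append((risk.name, score, band, ACTIONS[band]))
    # Sort on the band, not the raw score: 5 (potential high) outranks 6 (medium).
    return sorted(rows, key=lambda row: (BANDS.index(row[2]), -row[1], row[0]))


def matrix_band_counts() -> dict[str, int]:
    """Count how many of the 25 matrix cells fall into each band."""
    counts = {band: 0 for band in BANDS}
    for consequence in range(1, 6):
        for likelihood in range(1, 6):
            counts[rate(likelihood, consequence)[1]] += 1
    return counts


# Constructed register: names echo the workbook's examples, values are made up.
SAMPLE_REGISTER = [
    Risk("Paper cut", likelihood=3, consequence=1),
    Risk("Loss of assets due to staff theft", likelihood=2, consequence=3),
    Risk("Damage to valuable assets", likelihood=1, consequence=5),
    Risk("Warehouse flooding", likelihood=2, consequence=4),
    Risk("Multiple deaths of employees", likelihood=2, consequence=5),
]

if __name__ == "__main__":
    for name, score, band, action in prioritise(SAMPLE_REGISTER):
        print(f"{score:>2}  {band:<20} {name}: {action}")
    print(matrix_band_counts())
```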

Learning activity: Risk evaluation

Nearly all organisations and systems use the same or a very similar risk evaluation tool as outlined above. Describe how you think the one illustrated below is different, and when it might be suitable to use.

Learning activity: Risk priorities

Review the scenario in Appendix 4 under the heading ‘research findings’ and select an issue you think would be rated ‘Extreme’ and an issue you think would be rated ‘low’. Give your reasons.

Priorities Reasons

Extreme

Low

Types of analysis

● Qualitative analysis may be useful as an initial screening to identify if further analysis of risk is required, when the analysis is appropriate for decisions, or when numerical data or resources are inadequate. It uses descriptive scales to describe the potential consequences. So far throughout this section we have been using qualitative risk analysis. The risk matrix above is an example of this method.

● Semi-quantitative analysis sets values to the risks in order to produce a more expanded ranking scale than that which is usually achievable from qualitative analysis. These values are not the predicted realistic figures calculated in quantitative analysis. It is important that the limitations of this form are recognised and it is combined with a formula or explanation.

● Quantitative analysis of risks uses numerical values (as opposed to words) to analyse both the consequence and likelihood of risks. The quality of this analysis is dependent on the data from which it was initially sourced. The outcomes may be expressed in terms of monetary, technical, or human impact. Examples of quantitative risk analysis are as follows.

Risk of financial loss:

Financial Loss x Annual Frequency of Loss = Expected Loss

Fatality risk: This calculation gives a value between 0 and 1. The closer the value to one, the greater the risk.

Number of Deaths per Annum from Activity ÷ Exposed Population = Fatality Risk

Learning activity: Financial loss

Using the formula above for financial loss, calculate the expected loss for a car wash that loses $500 in wages for every day it rains. The car wash is located in Brisbane where it rains on average 122 days per year, and on days when it is not raining it makes $300.

If the same business with the same loss and profits was moved to Melbourne, with an average of 148 rainy days, explain what could happen to the business.

Learning activity: Extreme action

Name a situation at work or at home you would rate as ‘Extreme’.

List three things you would do in the first few minutes.

Determine risk treatment options

Risk treatments

There are several ways to manage risk. The Australian Standard outlines the following.

● Avoid the risk. This may be done by ending the activity that gives rise to the risk. Inappropriate risk avoidance may result in an increased significance of the risk or result in the loss of opportunity.

● Reduce the likelihood of the risk, i.e. reduce the likelihood of a negative impact on objectives.

● Reduce the consequences, that is, decrease the extent of the damage. An example of this is reducing the inventory or making continuity plans.

● Share the risk. This involves other parties bearing a portion of the risk (preferably by mutual consent). This may take place in the form of insurance arrangements, contracts, partnerships or joint ventures, all of which spread the responsibility and burden of the risk with another. This usually comes at a financial expense (e.g. premiums paid for insurance, decrease in positive outcome of risk seen by the individual organisation) and also creates another risk, namely that the parties with whom the risk is shared will not manage it effectively.

● Retain the risk. After the altering or sharing of a risk, residual risks are retained. This also may take place by default as a result of failure to identify or manage a risk.

Hierarchy of control

The hierarchy of hazard control measures is the fundamental tool used to effectively determine hazard control options. The hierarchy is as follows:

1. Elimination | The elimination of the hazard or elimination of the associated risk.
2. Substitution | Use a less hazardous substitute.
3. Engineering control | Provide a barrier (guard) around the hazard to reduce the associated risks.
4. Administrative control | Provide procedures or instructions to control the use or exposure to the hazard and thus reduce the risk.
5. Personal Protective Equipment (PPE) | Provide a hazard specific personal barrier by way of protective equipment to reduce the risk of injury to an individual.

By applying the hierarchy of control you maximise the likelihood of success. Eliminating a potential risk or engineering a solution would always be preferable to an administrative solution – such as training, putting up warning signs or providing protective equipment – as they don't rely on people following procedures.

When managing risk, particularly health and safety related risk, there are key questions that managers need to be able to answer. These are as follows.

1. Are there legislated activities or practices that must be done or implemented in relation to the specific hazard?

2. Is there a code of practice relating to the specific hazard?

3. Are there existing controls? If so:

a. are the controls as high as possible in the hierarchy of control priorities?

b. do controls protect everyone exposed to harm?

4. What additional controls are required?

The following table is from the Risk Management Code of Practice 2007 (Workplace Health and Safety Queensland) and gives some examples of how control measures can be implemented.

Control measure | Comment | Examples of use
Elimination | Control the hazard at the source. This is the most effective control measure and removes the risk by removing the hazard or changing the work processes. | Contract tasks out to specialists who have appropriate facilities.
Substitution | Replace the hazard (e.g. plant or substance) with another that has a lower risk. | Use a machine with better guarding or use a less hazardous chemical that does the same job.
Isolation | Remove or separate people from the source of the hazard. | Use rubber mats to lift workers off a concrete floor or segregate work processes.
Minimise by engineering means | Change the physical characteristics of the plant or workplace to remove or reduce the risk. | Modify a machine so it can be used by remote control.
Administrative measures | Use policies, procedures, signs and training to control risk. | Review systems of work so that nobody works alone at night or train workers in safe lifting techniques.
Personal protective equipment (PPE) | Provide equipment or clothing designed to protect the worker. | Provide hats and long shirts to protect outdoor workers against the sun.

Note: If there is a provision within the workplace health and safety regulation for your state about any hazards identified then they must be controlled in the way specified by the regulation. Similarly, if there is a Code of Practice about any of the hazards you have identified then you must do what the code of practice says or adopt and follow another way that gives the same level of protection against the risks – whilst the law does not demand compliance with codes of conduct, insurance providers do, and non-compliance with these will either result in significantly increased insurance premiums or voiding of the insurance cover.

Learning activity: Risk treatment options

Review the scenario in Appendix 4 under the heading ‘research findings’ and select an issue and then apply the hierarchy of control to develop options.

Issue:

Hierarchy of control Options

Can you eliminate the risk?

Can you reduce the risk? For example, by substitution.

Can you isolate the risk? For example, with guards and barriers.

Can you reduce the risk by administrative control? For example, safe operating procedures.

Then provide personal protection according to AS/NZ standard.

Learning activity: Risk controls in a shop-environment

You have a retail store and you know you cannot always be in front of the till, so there is a risk that cash could be mishandled by store staff. Describe how you could:

● reduce the risk

● isolate the risk

● introduce control of some form.

Reduce

Isolate

Control

Learning activity: Hierarchy of control

In reference to the hierarchy of control, decide which option is the best treatment for each of the risks you have identified in the earlier activity in relation to the scenario provided in Appendix 4.

Assessing risk treatment options

When selecting the most appropriate treatment options for risk, the costs and benefits of each treatment must be carefully considered. It is important to consider all direct and indirect costs associated with each treatment, and both tangible and intangible benefits.

However, the costs and benefits need to be considered in light of the risk rating. The cost of managing a potentially catastrophic risk cannot simply be evaluated in financial terms as the cost of failing to manage the risk could far outweigh the initial cost of actions required to prevent its occurrence.

The following needs to be considered when choosing an appropriate treatment for a risk:

● acceptability to all

● administration efficiency

● capacity compatibility

● continuity of effects

● contracts

● cost effectiveness

● economic and social environment

● equity

● individual freedom

● jurisdictional authority

● objectives

● regulatory

● risk creation

● timing.

Learning activity: Risk vs. freedom

Examine the list above and describe why you think equity and individual freedom are included in the above list. It may be best to describe a control that restricts a worker’s freedom in order to reduce risk in the workplace, and then describe why this should also be considered from the individual’s viewpoint.

Learning activity: Common business risks

Research common risks in the financial services sector online and use the table below to list practical ways to manage identified risks.

Risk Control

Develop an action plan for treating risks

Plan early

Experienced operators know that risk management is a proactive process. It is not the thing you do when a risk emerges because by then it may be too late. Effective risk action plans are those that are part of the operations of the organisation.

Problems that start small can escalate into large threats, or a risk may appear suddenly that threatens the reputation of the entire organisation. Having risk management processes and planning in place when these happen could stop the escalation and minimise the impact from the sudden disaster.

Learning activity: Risk timelines

Sketch a flow chart of a timeline for implementing a new product within an organisation and identify at what points or phases, risk assessment would take place.

Risk action plan

The risk action plan outlines how the risk is to be managed and a timeline for this process to take place. It should include:

● the risk

● risk rating

● treatment activity or controls

● roles and responsibilities for those involved

● timeline

● monitoring arrangements.

See Appendix 1 for an example risk action plan template.

Learning activity: Action plans

Volunteering Australia uses a one page risk action plan, which can be found on page 48 of their risk management tool:

● Volunteering Australia, 2003, Running the risk? Risk management tool for volunteer involving organisations, available online, Volunteering Australia, viewed January 2015, <http://volunteeringaustralia.org/wp-content/files_mf/1377053059VAManagersrunningtherisk.pdf>.

Review the form, and describe when or how you could use a similar form in an organisation where you are the risk manager. The key issue to describe is whether you think this form is suitable for all risk planning and management processes, including your reasoning.

Internal control procedures

Internal control processes are an effective form of risk treatment for an organisation.

When designing and implementing an internal control procedure it is important that these fulfil at least one of the following eight criteria.

● Completeness – that all records and transactions are included in the reports of business.

● Accuracy – the right amounts are recorded in the correct accounts.

● Authorisation – the correct levels of authorisation are in place to cover such things as approval, payments, data entry and computer access.

● Validity – that the invoice is for work performed or products received and the business has incurred the liability properly.

● Existence – of assets and liabilities. Has a purchase been recorded for goods or services that have not yet been received? Do all assets on the books actually exist? Is there correct documentation to support the item?

● Handling errors – errors in the system have been identified and processed.

● Segregation of duties – to ensure certain functions are kept separate. For example, the person taking cash receipts does not also do the banking.

● Presentation and disclosure – timely preparation of financial reports in conformity with generally accepted practice.

Learning activity: Internal controls

For each of the internal controls listed below, describe or give an example of what could go wrong if the control is not implemented correctly or thoroughly.

Completeness

Accuracy

Authorisation

Physical controls

Physical controls relate to security devices and measures designed to eliminate unauthorised access to physical assets including the organisation’s sensitive documents and records. Preventing access ensures that the assets are not used, removed or destroyed without proper authority.

Examples of physical controls include the following.

● Secured storeroom – usually a fire resistant, thick walled room that is lockable.

● Having a stores clerk – a person that is responsible for the movement of supplies in and out of the store room, and ensuring that all movements are recorded and stock inventories balance.

● Placing permanent identification codes on valuable assets – this allows an asset register to be created and stock inventories to be done to identify missing assets.

● Using safety deposit boxes – very common security device in banks. Can be installed in businesses. Often require two people to open the box.

● Password protection on electronic files – this can be set at all levels (logging on, into selected applications and access to selected files within applications). Without the password, you cannot gain access.

Learning activity: Physical controls

As the operations manager, you have been asked to appoint a stores person to monitor the movement of supplies and make sure physical stock inventories mirror the balances calculated from the source documentation of supply movement. Explain how having a stores person appointed to the supplies process creates a physical control over the supplies.

Insurance

Insurance involves paying premiums to share certain risks with another organisation. Insurance should only be considered as a risk management option when other treatments have not been successful in reducing a risk to an acceptable level for the organisation. That being said, it is still an important part of many risk action plans.

Generally, there are two types of insurance.

● Life insurance – management of the risk of death or disability.

● General insurance – covers the sharing of all other risks, e.g. property damage, workers’ compensation, motor vehicle insurance.

Some insurance is required by legislation. For example, organisations that employ staff must have workers' compensation, and those that own motor vehicles must take out compulsory third party motor vehicle insurance. Other insurances are purchased at the discretion of the organisation, according to its determined needs.

When investigating insurance you need to consider three things:

1. Which risks to insure against.

2. Which insurance company to insure with.

3. What level of insurance to obtain against the risk.

Choosing an insurance company

Your organisation can purchase insurance either directly from an insurance company, or alternatively, it may be acquired through an insurance broker. An insurance broker is often able to source insurance products that suit the specific needs of an organisation, and can assist you in getting the best product for the best price.

Always ensure that the broker or company you choose to deal with is known and has a good reputation. If the company or broker you choose is not well known, check the Australian Prudential Regulation Authority to make sure they are registered.

Choosing a policy

When evaluating and selecting an insurance product, you should consider the following questions.

Are you paying for added extras that you don’t need?

Have you read the policy carefully, including the fine print? What is covered by and what is excluded from the policy?

Do you have to pay an excess on a claim? Under what circumstances?

What is the limit applied to individual claims? Does a limit apply to payouts in a single period?

Is the option of goods replacement instead of cash available in the policy?

Is property insured for the present market value or is an ‘old for new’ replacement provided as part of the policy?

Is the value you have insured the product for sufficient?

Have you provided all the necessary information?

Have you done all that the policy requires in order to maintain coverage?


Learning activity: Risk insurance 1

Research types of insurance available for business risks online (e.g. theft, staff injury, compliance issues, fraud, fire, etc.) and briefly describe the different types of insurance available.


Types of insurance

In order to reduce the risk to your organisation and its stakeholders, there is a range of insurance policies available. The following table outlines some forms of insurance policies and what they cover.

Insurance type Policy details

Workers’ compensation

Covers against:

● employee injury

● employee sickness or

● employee death regardless of employer’s negligence.

This is compulsory for all employers.

Motor vehicle comprehensive

Covers damage to your organisation’s vehicles and the damage they cause to others’ property. This policy covers:

● theft

● fire

● legal cost.

Motor vehicle third party

Covers the damage caused by your vehicles to other people’s property. The insured car is only covered against fire or theft.

Contents insurance

Protects against damage or destruction by:

● the causes stated in the building insurance policy

● theft.

It is important to identify if the policy provides compensation for only the depreciated value of insured items or reinstatement or replacement, in which case the new replacement cost will be paid.

Consequential loss

Covers loss of profits following the occurrence of a specified incident (e.g. fire) until the organisation is able to resume business.

This type of policy must be regularly reviewed to ensure the amount of lost profits is up-to-date and takes into account inflation. The insured period during which payments are to be made should be long enough that it allows for the re-establishment of business.

Professional indemnity

Insures against the legal liability arising from professional negligence when an organisation claims to provide reliable advice which proves detrimental to the person receiving it.


Building insurance

Covers against damage to structures owned by the organisation. This may include damage caused by:

● fire

● storm

● tempest

● lightning

● explosion

● impact by vehicles

● animals

● aircraft

● earthquakes

● riots

● malicious acts

● flood.

This usually covers only the depreciated value of the building insured at the time of loss. It does not cover the replacement cost of the building, as this requires reinstatement or replacement insurance.

Public liability

Covers the organisation’s responsibility to pay compensation to persons other than employees who:

● suffer injury

● damage to property

● die.

This policy only covers the above incidents when they are due to the organisation’s negligence and take place either on its premises or due to its operations.

Manufacturer’s liability

Covers manufacturers against claims arising from defective products which are unfit for the purposes for which they were sold (even to benefit charity).


Learning activity: Drivers vs. insurance

An organisation has insurance for damage to vehicles, so long as the registered staff drivers are licensed, over 25, and have not been the responsible party in an accident within the last three years. Draft a simple checklist-based form that could be used within the organisation for potential drivers to complete each time they collect company vehicle keys from the administration office.


Learning activity: Credit card risk

Most banks and financial institutions offer some kind of fraud or misuse of credit card insurance for card-holders, with a few provisos. Describe some common requirements (i.e. risk management controls for the financial institution) that are expected of card-holders in order to qualify for the insurance cover. You should come up with at least two simple requirements, but may come up with more, by reviewing the ANZ ‘online security tips’ at the URL below.

● ANZ, 2015, ‘Online security tips’, ANZ, viewed January 2015, <http://www.anz.com/auxiliary/security-centre/fraud-security-centre/protect-yourself/online-security-tips/>.


Learning activity: Risk insurance 2

Research Australian insurance providers online that would suit the scenario provided. Identify three that you think you could use, and explain why each is suitable.

Insurance provider

How provider is suitable

Insurance provider

How provider is suitable

Insurance provider

How provider is suitable


Workplace adjustment

Sometimes it can be necessary to make adjustments in the workplace to accommodate people with a disability. Adjustments can be undertaken in a number of different ways, some of which are outlined below.

Selection process

● Discuss potential changes to non-core requirements of position.

● Applicants may ask a friend to attend the interview.

● Provide a signing interpreter for hearing impaired persons if needed.

Work area design

● Make physical changes to workplace, for example:

○ movement or adjustment of furniture

○ adjustment of lighting

○ lowering benches.

Job design

● Exchange certain tasks to aid people with disabilities, for example:

○ telephone duties may be exchanged for filing duties for someone with hearing impairment.

Flexible work practices

● For example:

○ flexible work hours

○ regular breaks

○ working from home.

Training and development

● Access to training and development opportunities needs to be ensured for people with disabilities. This may be done by:

○ conducting courses in accessible areas

○ providing a signing interpreter.

Workplace access

● Unobstructed access needs to be provided to all public use areas. This may involve:

○ the installation of ramps

○ clear markings on steps

○ provision of dedicated parking spaces near a wheelchair accessible entrance

○ lowered control panels

○ accessible emergency phones in elevators.


Providing equipment

● Such as:

○ a telephone typewriter (TTY)

○ voice recognition software

○ speech synthesiser.

Ensure the individual is consulted before purchasing equipment as even people with similar disabilities may have different needs.

Employment Assistance Fund

While the majority of employees with a disability won’t require any workplace modifications, for some the barrier preventing them from doing a job is that a workplace doesn’t accommodate them. Some might only need minor adjustments to the workplace that can easily be made at minimal cost. Sometimes what’s needed is an adjustment to the work environment or some special tool or technology that will enable them to perform a job to their full potential.

For employers, the Employment Assistance Fund aims to make accommodating workers with disability in your workplace easier. It’s a pool of funds available to pay for the cost of any special equipment or adjustments that are needed to accommodate an employee in a job.

Sometimes the help needed by an employee may be as simple as providing them with an alarm wristwatch to remind them of when they need to do certain tasks. Other times more complex solutions are needed to accommodate them, such as building a wheelchair ramp to a workstation or installing special lighting in the workplace.

The amount of funding available for each workplace modification usually isn’t limited, which means that there’s flexibility to provide workplace solutions that really meet the individual needs of both employers and employees.

Funding is available to help employers accommodate both new and existing employees with disability. To be eligible, an employee must be employed for at least eight hours a week in a job that’s reasonably expected to last 13 weeks or more.

For more information, see ‘An employer’s guide to employing someone with disability’, available at <http://jobaccess.gov.au/publications_list>.

Learning activity: Risk management and workplace modifications

Conduct online research to find an example of a disability within a work environment, and an adjustment that was made to allow for the disability.


Section summary

You should now understand how to analyse and evaluate risk; specifically, the concepts of probability and consequence, as well as risk acceptance.

Further reading

● Australian Government, 2010, ‘Chapter 3 – risk analysis’, Natural hazards in Australia: identifying risk analysis requirements, available online, Geoscience Australia, viewed January 2015, <http://www.ga.gov.au/image_cache/GA10820.pdf>.

● JobAccess, 2014, An employer’s guide to employing someone with disability, available in the publications list, JobAccess, viewed January 2015, <http://jobaccess.gov.au/publications_list>.

● University of New South Wales, 2014, HS329 risk management procedure, viewed January 2015, <https://www.ohs.unsw.edu.au/hs_procedures_forms/procedures/HS329_Risk_Management_Procedure.pdf>.

Section checklist

Before you proceed to the next section, make sure that you are able to:

determine likelihood of risk

assess consequence of risk

evaluate and prioritise risk

determine risk treatment options

develop an action plan for treating risks.


Section 4 – Treat Risk

This section looks at the implementation of the risk action plan developed in the previous section.

Scenario: Treating, monitoring and evaluating the risk management process

From the options developed previously, and in consultation with key stakeholders, you determined the most appropriate risk management strategy and actions for each risk. You then presented your risk management action plan to the CEO who, after consultation and discussion about monitoring the plan, made some adjustments. You were then asked to implement the plan.

Knowing that all good plans need constant monitoring and evaluation, you build control measures into the plan to help signal when actions are delayed, ineffective or not being actioned. You rely on these control measures to inform you when things are not going according to plan. You also instigate internal and external audits to provide an extra dimension to the monitoring and evaluation process.

What skills will you need?

In order to work effectively as a risk manager you must be able to:

implement the risk action plan

monitor the risk action plan

evaluate the risk management process.

Implement the risk action plan

Implementation of the risk action plan requires participation from the organisation, and therefore should involve the following stages.

● communicating the plan

● documenting procedures

● training.

Communicating the plan

A good starting point for implementation of the action plan is the communication of the risk management process and strategies. It is essential that everyone in the organisation understands the importance of risk management, who the key people are and how they can contribute to the process.


Stakeholders make judgements on risk based on their perception. Their viewpoints can significantly affect decisions made, so it is important that their perceptions and opinions are documented and considered.

A communication plan should:

● facilitate the exchange of information between stakeholders

● be transparent, accurate and understandable

● be useful.

Learning activity: Communicating the plan

Having developed your risk management action plan for the case study in Appendix 4, describe an effective way to communicate it to the relevant stakeholders.


Senior management support

For the risk management plan to be successful, it is important to ensure the support of senior management. This may be accomplished by:

● obtaining the ongoing support of the organisation’s directors and senior management

● appointing a senior manager or similar champion to lead the initiative

● obtaining the commitment and support of all senior managers.

Learning activity: Gaining staff support

As a manager responsible for risk management in the workplace, describe three different ways that you would obtain the support of staff in an organisation for risk management practices.


Communication with internal stakeholders

The organisation should ensure that its internal communication and reporting mechanisms:

● include processes to consolidate risk information from a variety of sources within the organisation, taking into account their likelihood and consequence

● inform all relevant parties as to the key components of the risk management framework, including any subsequent modifications

● provide adequate internal reporting on the effectiveness and outcomes of the framework

● make relevant information derived from the application of the risk management process available to appropriate levels of management in a structured and timely manner

● include processes for consultation with internal stakeholders.

Communication with external stakeholders

The organisation should develop a plan as to how it will communicate with its external stakeholders. This should include:

● engaging appropriate external stakeholders and ensuring effective exchange of information

● making legally required disclosures and other reporting to comply with legal, regulatory and corporate governance requirements

● providing feedback on prior communication and consultation

● the use of communication and information to build confidence in the organisation

● communicating with stakeholders in the event of a crisis or contingency.

Learning activity: Communicating plans

Brainstorm a list of approaches that you can use to communicate risk management processes to staff and stakeholders in an organisation, and describe how each of these can be effective.


Documenting procedures

Your action plan will have identified areas where written procedures need to be developed and documented. To effectively implement the plan, staff, volunteers and management committee members need to work together to develop these procedures. Existing and new procedures should be reviewed to ensure that they are consistent.

Implementation of the risk management process will often require new policies to be developed that include monitoring, evaluation and continuous improvement. Every organisation needs to have a risk management policy framework to document the processes and procedures required. This policy will become a key document in the life of an organisation.

In general, when writing policy, you should keep in mind the size and specific needs of the organisation. Policy should be clear and concise and should not include lengthy processes or procedures that will be difficult to maintain or comply with.

The structure for policy documents will vary from organisation to organisation, but some common elements included are as follows.

● Purpose statement – the context of the policy, why it is required.

● Scope – the application of the policy (particular location, workgroup, etc.).

● Procedure – how the policy is implemented.

● Roles and responsibilities – who is responsible for what in the implementation of the policy.

● Legislation – reference any legislation that the policy specifically complies with.


Learning activity: Risk management policy

Identify a risk management policy or procedure for your training organisation and describe how it assists the management of risk for the organisation.

Policy

How it assists with risk management

A sample risk management policy can be found in Appendix 2.

Naming and securing documents

All documents produced in the workplace should be saved for future use and reference. Commonly used formats should be saved as templates for efficient access and creation of documents in the future.

Documents should be saved in accordance with organisational requirements, which may include protocols for naming documents to make their content identifiable, and locations where particular documents should be stored for future access.

Documents can also be saved with security measures, such as password protection, to prevent unwanted editing.

Ensure you know what the requirements are so that your document can be safely stored and easily located again when required.


Learning activity: Organisational requirements for storage

What benefits are there in establishing protocols for naming documents? What factors should be considered when storing documents, both electronically and in printed format?

Training

It is highly likely your action plan will involve the introduction of new practices, or changes to existing activities, so this will require training. It is a good idea to ensure that this is carried out through the structures and processes that already exist to facilitate training in your organisation.

Learning activity: Risk reduction training

As the manager of risk for an organisation, you are responsible for ensuring that new organisational activities are assessed for risk, and training is delivered to affected staff to ensure that identified risks are managed as effectively as possible. Describe ways that you could make training available to new staff in the organisation to ensure that all staff have the same awareness of the required safe work practices and risk management processes within the organisation.


Responsibility

It is important that there is responsibility and authority within the organisation when it comes to managing risks, including the implementation and continuation of the risk management process and making sure that risks are competently controlled. This may be done by:

● appointing specific people who are to be accountable for the development, implementation and maintenance of the risk management process

● specifying individuals with the role of implementing risk treatment, maintaining risk controls and reporting relevant information

● providing appropriate levels of recognition, reward, approval and authority.

Learning activity: Risk management responsibilities

Review the scenario in Appendix 4 under and then study the options outlined below to determine who would best be suited to take responsibility for the task. Briefly describe why you think they are most suited.

Task Responsibility and why.

Prepare a new policy and procedures on storage of sharp knives that are used to cut leather.

Taking out insurance to cover money kept overnight on the premises.

Training staff on new cash register procedures.

Fixing the broken tiles and eliminating the trip points.

Issuing chain-mail gloves for use with the leather knife.


Resources

The organisation should make sure that it allocates appropriate resources for risk management. Examples of resources to be considered are as follows.

● people, skills, experience and competences

● resources specific to stages of the risk management process

● information and knowledge

● documented process and procedures.

Learning activity: Professional development

Another resource for risk managers in organisations is the use of professional development, training and/or induction activities to assist staff to understand their role and responsibilities in the workplace.

Identify two areas of development that you might outsource professional development training for, and describe why.

Professional development activity

Reason

Professional development activity

Reason


Monitor the risk action plan

Monitoring and review are integral to the risk management process. Factors that affect the likelihood and consequence of risk may change over time, as may the costs of treatment options, so it is important to repeat the risk management process cycle regularly.

Monitoring activities can include risk reviews, team meetings and progress reports, which should be conducted regularly. Regular monitoring ensures that mistakes made and lessons learned throughout the implementation of the risk management process are incorporated into ongoing activities.

The progress of the risk treatment plans should be incorporated into the continuous improvement system of the organisation as a key indicator of performance. Continuous improvement refers to the ongoing efforts of an organisation to improve processes.

Once your risk management process is in place, there are four elements to maintaining the effectiveness of your risk management practices.

Identify one person responsible for risk management

‘If it’s everybody’s responsibility, then it’s nobody’s responsibility’

It is essential that one person be given responsibility for risk management within your organisation. This person is usually known as the ‘risk manager’. In smaller organisations, the risk manager will also have many other responsibilities, while very large organisations may have someone whose only responsibility is risk management.

Learning activity: Monitoring risk

Clarence Valley Council has a risk management action plan which outlines that managers and supervisors are required to record and review risk. Read pages 5 to 8 and describe how they are to involve others in this process.

● Clarence Valley Council, 2012, Risk management plan, available online, Clarence Valley Council, viewed January 2015, <http://www.clarence.nsw.gov.au/page.asp?f=RES-TRV-45-30-11>.


If you were a manager in this organisation, outline procedural steps you could set up and follow to help you fulfil your role in reviewing and reporting risk.

Keep procedures up-to-date

Circumstances change and therefore so should your risk management plan. Experience gained from implementing risk management procedures can be used to further refine those procedures.

Learning activity: Risk management documentation

Describe the typical documentation required in risk management, and explain how it can be stored or saved for an organisation.


Reassess risks

It is likely that the risks identified in the risk management process will change over time, making it important to review the changes.

To keep your risk action plan up-to-date, review it on a regular basis. At a minimum, this should be done once a year.

You also need to evaluate changes within your organisation and its environment. This may include new legislation relevant to your organisation, taking on new roles, acquisition of new equipment, or creation of new positions.

Learning activity: Risk management review

Clarence Valley Council has a risk management action plan which outlines a review structure for a list of risk areas identified. View pages 5 and 6 of the document, which can be found at <http://www.clarence.nsw.gov.au/page.asp?f=RES-TRV-45-30-11>. Based on the plan, estimate the review period you would put in place for each of the items listed below, and state your reasoning.


Risk area Review period Reason

Assets and infrastructure – footpaths

Assets and infrastructure – street furniture

Legislative compliance

New projects and special events

Report on risk management

The risk management process should include reporting as its final step, to ensure it is current. Reporting on risk should include:

● identification of any new risks

● the effectiveness of the existing risk management process

● the occurrence of risks during the reporting period.

Risk reports should be filed and used in regular reviews of risks and procedures.


Risk reporting can occur in different formats and at different points in the risk management cycle. The table below provides details of different reports that can be produced by organisations to assist the risk management process.

Risk profile

This report offers a quick reference point to determine an organisation’s overall risk exposure. It can be used to track risks and the factors that can cause risks to change, as well as the effectiveness of treatment activities. This report should include:

● description of risk

● risk rating (current and previous where applicable)

● changes that have occurred and reasons for them

● improvements or changes to treatment actions required.

Risk treatment report

This report provides information about the status of a prescribed risk treatment action or activity and its effectiveness. It should include:

● description of risk

● risk rating

● description of treatment action or activity

● assigned timelines/completion dates

● person/s responsible

● current status.

Emerging risk report

This report is used to highlight anticipated risks or add new risks to the risk register, which assists in keeping the risk register current in between formal risk review processes. It should include:

● description of risk

● risk rating

● causes of risk

● expected impact or consequence

● treatment action plan.


Learning activity: Risk management reporting

Consider that you are in a role as a manager of risk management processes. In the course of your work you identify a risk to the organisation and eliminate the risk entirely. Describe what benefits there are to your organisation in reporting the risk, even though it has now been eliminated.


Learning activity: Organisational risk management

Research organisational risk management policy and procedure documents online (Australian university and government organisations usually have policy documents online). Describe who is responsible for the enactment of the risk control strategies in place in the document, and how you think it is monitored. Include a copy of the policy document in your workbook.

Person/position responsible

Monitoring process


Learning activity: Risk management monitoring approaches

Research three different approaches that can be taken to monitoring risk management strategies and describe the positives and negatives of each for the business environment.

Monitoring approach | Positives | Negatives

Evaluate the risk management process

So, what are measures of success in a well-managed risk process? Here are some things to look for:

● a decline in residual risk values

● progress towards a specific project objective

● the extent of implementation of risk treatments

● decline in total cost of risk

● senior management are understanding and supportive.

The various risk reports mentioned earlier, if produced well, should provide great insight into the success of the risk management process. Your evaluation should include a review of these reports, and take note of any repeated issues, inadequate treatment actions or significant variances in expected impact of risk as opposed to the actual impact.


Learning activity: Success

Name some performance metrics that you think would identify a successful implementation and monitoring of the risk management process.

Section summary

You should now understand how to implement and monitor a risk action plan, and evaluate the risk management process.

Further reading

● Australian Government, 2010, ‘Risk management – a tool for small-to-medium sized businesses’, Australian Transaction Reports and Analysis Centre, viewed January 2015, <http://www.austrac.gov.au/risk_management.html>.

Section checklist

Before you proceed to the next section, make sure that you are able to:

implement the risk action plan

monitor the risk action plan

evaluate the risk management process.


Glossary

Term – Definition

Consequence – The outcome or impact of an event.

Control – A process, policy, device, practice or other action that acts to minimise negative risk.

Event – Occurrence of a particular set of circumstances.

Hazard – Source of potential harm.

Likelihood – The extent to which an event is likely to occur.

Loss – Any negative consequence or effect.

Monitor – Check, supervise or measure the progress of an activity, action or system on a regular basis.

Risk – The chance of something happening that will have an impact on objectives.

Risk analysis – Systematic process to understand the nature of and determine the level of risk.

Risk assessment – The overall process of risk identification, risk analysis and risk evaluation.

Risk evaluation – The process of comparing the level of risk against risk criteria.

Risk identification – The process of determining what, where, when, why and how something could happen.

Risk management – The culture, process and structures that are directed towards realising potential opportunities whilst managing adverse effects.

Risk management process – The systematic application of management policies, procedures and practices to the tasks of communicating, establishing the context, identifying, analysing, evaluating, treating, monitoring and reviewing risk.

Risk reduction – Actions taken to lessen the likelihood and/or negative consequences associated with a risk.

Risk retention – Acceptance of the burden or loss, or benefit of gain, from a particular risk.

Risk sharing – Sharing with another party the burden or loss, or benefit of gain, from a particular risk.


Stakeholders – Those people and organisations who may affect, be affected by or perceive themselves to be affected by a decision, activity or risk.

Treatment – The process of selection and implementation of measures to modify risk.


Appendices

Appendix 1: Risk action plan template

Risk | Assess Risk (L, M, H, E) | Controls | Monitoring | Timelines | Responsible


Appendix 2: MacVille’s risk management policy

Introduction

MacVille recognises that risk management is an essential component of good management practice and is committed to ensuring the implementation of risk management processes that focus on the proactive management of risks across the organisation.

This risk management policy forms part of MacVille's internal controls and corporate governance arrangements. The risk management policy is designed to:

● identify, evaluate, control and manage risks

● ensure potential threats and opportunities are identified and managed

● inform directors, senior management and staff members about their roles, responsibilities and reporting procedures with regards to risk management

● ensure risk management is an integral part of planning at all levels of the organisation.

Policy

MacVille is committed to achieving its vision, business objectives and quality objectives by the proactive management of risk at all levels of the organisation.

MacVille will identify, evaluate, control and manage risk throughout the organisation in accordance with the ‘MacVille Risk Management Framework’. See risk management strategy for framework details.

Responsibility and Authority

Directors, management and employees of MacVille have responsibility for implementing aspects of this policy.

Role of the Directors

The directors have a governance responsibility in the management of risk. This includes:

● determining what types of risk are acceptable and which are not

● setting the standards and expectations of staff with respect to conduct

● approving major decisions affecting MacVille’s risk profile or exposure

● monitoring the management of significant risks to reduce the likelihood of potential organisational risks and threats or failure

● being satisfied that risks are being actively managed, with the appropriate controls in place and working effectively

● annual review of MacVille’s approach to risk management and approval of changes or improvements to key elements of its processes and procedures.


Role of the Senior Management Team and Store Managers

Key roles of the senior management team are to:

● implement policies on risk management and internal control where this is deemed appropriate

● identify and evaluate areas of significant risks potentially faced by MacVille for consideration by the directors

● identify areas where risk management is not adequately addressed and advise the directors accordingly

● review and update the risk management strategy

● undertake an annual review of the effectiveness of systems of internal control and provide an annual report to the directors, including a summary review and respective recommendations.

Role of Cafe Employees

Key roles of the employees are to:

● familiarise themselves with the content of the risk management policy and clarify any aspects necessary with a senior team member

● consider any risks they feel could impact on them meeting their objectives and either manage the risk if it is in their control to do so, or inform a management team member of their concerns.

Advise senior management, in the first instance, or the board, if concerned about any fraud or unethical behaviour.

MacVille Risk Management Framework

This framework encompasses a number of elements that together facilitate an effective and efficient operation, enabling MacVille to respond to a variety of operational, financial, commercial and strategic risks. These elements include the following.

Policies and procedures – A series of policies underpin the internal control process. These policies are endorsed by the directors and are implemented and communicated by the senior management team to all staff. These policies include:

● Human Resources Policies

○ Staff Travel Policy

○ Harassment Policy

○ WHS Policy

○ Return to Work Policy

○ Work/Life Balance Policy

○ Equity/Discrimination/Diversity Policy

○ Parental Leave Policy

○ Organisational Culture Policy


● Financial Policies

○ Bad Debt Policy

○ Cash Reserving Policy

○ Revenue/Expenditure Recognition Policy

○ Finance, Audit and Risk Management (FARM) Committee Terms of Reference including delegations

● Corporate Governance Policies

○ Board Protocol

○ Sitting Fees Policy

○ Directors Remuneration Policy

Monthly reporting – Decisions to rectify problems are made at regular meetings of the Senior Management Team. Comprehensive reporting at board and sub-committee meetings is designed to monitor key risks and their controls.

Business planning and budgeting – The business planning and budgeting process is used to set objectives, agree on action plans, and allocate resources. Progress towards meeting business plan objectives is monitored regularly by the senior management team and by directors at board meetings.

Risk Management review – The Finance, Audit and Risk Management (FARM) Committee are required to report at board meetings on internal controls. The Finance and Audit Committee pay particular attention to risk management. It is the CEO’s responsibility to brief the directors periodically and as appropriate on the development of policies and procedures to ensure effective and efficient operations, risk management strategies and implementation. In addition, the FARM committee oversees internal audit, external audit and management as required in its review of internal controls. The committee is therefore well placed to provide advice to the board on the effectiveness of the internal control system, including MacVille’s strategy for the management of risk.

Procedure: Development of a Risk Management Profile

The following outlines the process for developing a risk management profile.

1. Establish the context

Define and identify the environment, characteristics and stakeholders, their goals and objectives, and the scope of the specific risk management process.

Develop criteria against which risks are evaluated and identify the structure for risk management.

2. Identify and describe risks

Risks are best identified through a collaborative approach involving a cross section of stakeholders.

All conceivable risks must be considered. Ensure any certainties are identified as problems and addressed in the risk management profile.


3. Conduct current risk analysis

An analysis of the risks is conducted to determine their causes, and estimate their probability and consequences. This analysis provides the basis for working on the ‘right’ risks.

4. Conduct risk evaluation

Risks are considered and prioritised according to their potential impact, and each risk is assessed to determine its level of acceptability.

5. Develop and implement proposed risk treatments

a. Risk treatments are developed to cost-effectively reduce, contain and control risk.

b. Formal risk management reporting mechanisms are defined and documented.

c. Categorise the risk likelihood.

6. Monitor, report, update and manage risks

As risks change constantly, the risk profile is continuously monitored, reviewed and updated by management. New risks may be identified as more information becomes available and existing risks may be eliminated through the effectiveness of the risk treatments/actions. Record risks identified through regular audit on the risk audit log. Record risk management activities on the risk management register.

MacVille’s Risk Areas

The following are four broad areas where potential for risk to MacVille has been identified. Under each area, examples of possible risks are detailed.

Operational/Organisational

● Legal and regulatory compliance

● Technology

● Insurance

● Resources: human, physical

● Logistics

● Marketing

● Product quality

● Communications

● Infrastructure, plant and equipment

● Customer interaction

● Market needs


Financial

● Accountability

● Fraud or theft

● Capital investment

● Interest rates

● Loss of income, funding/finance

Governance

● Conduct of board

● Conflict of interest

Project Management

● Procedures and tools for project management

● Stakeholders – strength of relationships/conflict of interest

● Human resources

● Financial resources


Appendix 3: MacVille’s risk management strategy

Introduction

MacVille recognises that risk management is an essential component of good management practice and is committed to the proactive management of risks across the organisation. The strategy is designed to:

● identify, evaluate, control and manage risks

● ensure potential threats and opportunities are identified and managed

● inform directors, senior management and staff members about their roles, responsibilities and reporting procedures with regards to risk management

● ensure risk management is an integral part of planning at all levels of the organisation.

Guiding Principles

● MacVille is committed to achieving its vision, business objectives and quality objectives by the proactive management of risk at all levels of the organisation, acknowledging that embracing innovative ideas and practices carries with it risks, but that these are identifiable and measurable and therefore capable of being subject to realistic risk mitigation processes.

Responsibility and Authority

● The directors have responsibility for ensuring that risk management is in place.

● The Finance, Audit and Risk Management (FARM) Committee has the responsibility of reviewing the risk action plan on a six-monthly basis.

● The CEO and the senior management team have responsibility for managing risk and advising the board on appropriate controls.

● The CEO and the senior management team support and implement policies approved by the directors.

● Key risk indicators will be identified, closely monitored and action taken where necessary, by the staff and directors.

MacVille Risk Management Framework

This framework encompasses a number of elements that together facilitate an effective and efficient operation, enabling MacVille to respond to a variety of operational, financial, commercial and strategic risks. These elements include:

● Policies and procedures: A series of policies underpin the internal control process.

● Reporting: Decisions to rectify problems are made at regular meetings of the Senior Management Team.


● Business planning and budgeting: The business planning and budgeting process is used to set objectives, agree on action plans and allocate resources. Progress towards meeting business plan objectives is monitored regularly by the Senior Management Team and by Directors at Board meetings. Contingency planning is undertaken as required.

● Risk Management review: The Finance, Audit and Risk Management (FARM) committee is required to report at Board meetings on internal controls.

● CEO: The CEO has responsibility to brief the Directors periodically and as appropriate on the development of policies and procedures to ensure effective and efficient operations, risk management strategies and implementation.

● External audit: The final audit of financial statements is controlled by an external chartered accountant who provides feedback to the Board through the FARM Committee.

Definitions

Risks are identified on a scale of likelihood of occurring in the next 12 months and are assigned an impact or consequence of high, medium or low, where:

● high includes either a significant shortfall of around 40% in achieving budget or a significant reduction in ability to function

● medium includes either a shortfall of budget of between 10% and 20% or some reduction in function

● low indicates minor reductions in achieving budget or minimal reduction in performance.


Appendix 4: Scenario – Shoez

Review

Shoez, a shoe repair chain, operates ten stores in the CBD and suburbs of Brisbane, Queensland. The CEO, Jeff Harding, has appointed you as the operations manager. You are no stranger to management, though mostly at departmental level for international organisations, with some time spent in sales and marketing management. One role specifically required in your job description is to manage the risks that could impact on the Shoez operations.

A meeting with Jeff in the first week confirmed his requirement of you to review, analyse, plan and monitor the risks of the Shoez organisation. Jeff wants you to report directly to him on the risk management process but also encouraged you to speak with the stores’ liaison person, Jenny Clerk, and the accountant, Sue Lee. Jeff thought it may also be beneficial to contact his accountants, Brown and Davis, and of course the store managers, although they were only really concerned about achieving their sales budgets and getting their commissions.

Shoez business plan FY 2011/12

Mission

To achieve the highest quality standards in shoe repair and customer service.

Vision

To establish, within five years, the reputation of Shoez as the leader in shoe repair and customer value in the Brisbane area.

Values

● Customer-focus.

● Actively encourage excellence, innovation and continuous improvement.

● Work collaboratively and consultatively with integrity, professionalism and teamwork.

● Recognise the diversity and expertise of Shoez employees.

Strategic directions

The strategic context in which Shoez will achieve its mission and vision is through:

● engaging with customers

● developing and improving products and quality

● creating a high-performing organisation.


Jenny was constantly reminding the store employees about the WHS issues relating to other staff and customers. Sue did the payrolls and was constantly pushing the managers to provide the appropriately authorised paperwork. Jeff said that the accountants were keen to see safeguards instigated for cash control.

Jeff wanted you to undertake this task so that you could get significant insight into the Shoez operations and develop and implement a plan to reduce the risk exposure of the organisation. He also said that he needed an ongoing risk monitoring process implemented as well.

According to Jeff, the areas that had been underperforming and were primary areas of risk concern were human resources management, financial operations and WHS. These are the areas he wanted you to focus on in your management.

Internal and external environment

After discussing Shoez with the key stakeholders and doing some external research you identify the following significant issues.

● Jeff spoke about a new law that was being introduced by the Commonwealth Government that will impact on the way that he has been paying his staff with some of their pay earned on commission.

● Jeff showed a report from a survey where people rated their shoes as the second most important dress item for the successful business person and that business people were choosing the high quality shoes that they would repair rather than replace.

● Brown and Davis spoke about the latest point-of-sale cash registers that would improve stock and cash control in the Shoez stores.

● You noticed that the location of the Shoez stores was always in the prominent and highly trafficked parts of the shopping centres.

● Sue said that she was not able to get all the staff records for pays and employee details from the store managers and this made processing difficult and meant that they were not compliant.

● Brown and Davis explained that the old cash registers did not have the features that could help eliminate fraud.

● Jenny spoke about the flooring where the staff worked and customers were sometimes required to access. The ceramic tiles were broken and covered up with a thin mat, but still presented a trip point to customers and staff alike.

● Brown and Davis had spoken about a large chain in New South Wales that were planning to expand into Brisbane in the next 12 months.

● Jeff said that while ten stores was a good number, there are another 20 good locations in Brisbane that want Shoez as part of the shopping centre assortment.

● You noticed that the stores were looking old and the decor has been out-of-date for over five years.

● Brown and Davis explained that the growth in the older age portions of the Brisbane population was a positive indicator for the Shoez business.


Research findings

Store manager reports, together with your interviews with the other key stakeholders, identify the following risks.

● Broken floor tiles creating a trip point for staff and customers.

● Wet floors on rainy days making it slippery for staff and customers.

● The store has extremely sharp knives used to cut the leather.

● Banking not always done every day leaving cash on the premises.

● The staff member balancing the cash registers also prepared the bank deposit book and banked the cash.

● Some stores had sizable banking amounts that were banked by the junior staff member.

● Staff records were kept in the individual stores in the bottom drawer of an unlocked filing cabinet.

● One question on the staff records asked for a full medical history of the employee.

● Timesheets sent to head office were not always authorised.
