Risk Management

Risk Management

The steps involved in managing risk

A. Establish Goals and Context

As outlined in the Risk Management process, the risk assessment is undertaken within the context of your goals. The identification / validation of your goals is therefore a critical first step in the risk management process.

Effective risk management requires a thorough understanding of the context in which your Department or Agency operates. The analysis of this operating environment enables you to define the parameters within which the risks to your outputs need to be managed.

The context sets the scope for the risk management process. The context includes strategic, organisational and risk management considerations. According to the Standard, strategic context defines the relationship between the organisations and its environment. Factors that influence the relationship include financial, operational, competitive, political (public perceptions / image), social, client, cultural and legal. The definition of the relationships is usually communicated through frameworks such as the SWOT (Organisational strengths, weaknesses, opportunities and threats) and PEST (Political, Economic, Societal, and Technological).

The organisational context provides an understanding of the organisation, its capability and goals, objectives and strategies. According to the Standard, organisational context is important because:

a) risk management occurs within the context of endeavouring to achieve the goals and objectives,

b) failure to achieve the objectives is one set of risks that need to be managed, and

c) the goals and strategies assist to define whether a risk is acceptable or unacceptable.

The risk management context defines that part of the organisation (goals, objectives, or project) to which the risk management process is to be applied.

B. Identify risks

Identify the risks most likely to impact on your outputs, together with their sources and impacts. It is important to be rigorous in the identification of sources and impacts as the risk treatment strategies will be directed to sources (preventive) and impacts (reactive).

C. Analyse risks

Identify the controls (currently in place) that deal with the identified risks and assess their effectiveness . Based on this assessment, analyse the risks in terms of likelihood and consequence. Refer to the Risk Matrix to assist you in determining the level of likelihood and consequence, and the current risk level (a combination of likelihood and consequence).

D. Evaluate risks

This stage of the risk assessment process determines whether the risks are acceptable or unacceptable. This decision is made by the person with the appropriate authority. A risk that is determined as acceptable should be monitored and periodically reviewed to ensure it remains acceptable. A risk deemed unacceptable should be treated (see below). In all cases the reasons for the assessment should be documented to provide a record of the thinking that led to the decisions. Such documentation will provide a useful context for future risk assessment.

E. Determine the treatments for the risks

Treatment strategies