Student’s Workbook
Identify risk and apply risk management processes BSBRSK401
Email: Satish.shira2013@gmail.com
Unit overview
1.1 IDENTIFY THE CONTEXT FOR RISK MANAGEMENT
Identify risks
Case study
Definitions
Stakeholders
Risk
Risk event
Risk management
1.2 IDENTIFY RISKS USING TOOLS, ENSURING ALL REASONABLE STEPS HAVE BEEN TAKEN TO IDENTIFY ALL RISKS
Risk identification tools
Learning Assessment 1
Table 1: Informal risk identification tools
Table 2: Formal risk identification tools
Types of risk
Internal/external categorisation
Learning Assessment 2
Operational categorisation
Figure 3: Attributes of a SWOT analysis
Table 4: ‘SWOT’ Analysis example for Woolworths
Table 5: Types of risks (Internally)
Table 6: Types of risks (Externally)
Figure 7: Stakeholders Risk Map
Stakeholder risk map
Project stage categorisation
Figure 8: Project lifecycle
Concept
Planning
Management and control
Closeout
Table 9: Project risks
1.3 DOCUMENT IDENTIFIED RISKS IN ACCORDANCE WITH RELEVANT POLICIES, PROCEDURES, LEGISLATION AND STANDARDS
Risk documentation
Summary
Figure 10: Risk register
Learning Assessment 3
2. ANALYSE AND EVALUATE RISKS
2.1 ANALYSE AND DOCUMENT RISKS IN CONSULTATION WITH RELEVANT STAKEHOLDERS
Case study
Causes of risk
Figure 11: Risk Event Example
Figure 12: Cause and effect of fishbone diagram
Learning Assessment 4
Risk impacts
2.2 UNDERTAKE RISK CATEGORISATION AND DETERMINE LEVEL OF RISK
Risk prioritisation
Figure 13: Impact-likelihood matrix
Learning Assessment 5
Learning Assessment 6
2.3 DOCUMENT ANALYSIS PROCESSES AND OUTCOMES
Risk analysis
Table 14: Impact Rating
Table 15: Likelihood Rating
Table 16: Risk rating example with two measures
Table 17: Exposure rating
Table 18: Risk rating example with three measures
Risk analysis documentation
Table 19: Risk plan
The Risk
Summary
3. TREAT RISKS
Introduction
3.1 DETERMINE APPROPRIATE CONTROL MEASURES FOR RISKS AND ASSESS FOR STRENGTHS AND WEAKNESSES
Case study
Risk-handling approaches
Table 20: Treatment strategies
Learning Assessment 7
3.2 IDENTIFY CONTROL MEASURES FOR ALL RISKS
Risk control measures
Table 22: Control measure strengths and weaknesses
3.3 REFER RISKS RELEVANT TO WHOLE OF ORGANISATION OR HAVING AN IMPACT BEYOND OWN WORK RESPONSIBILITIES AND AREA OF OPERATION TO OTHERS AS PER ESTABLISHED POLICIES AND PROCEDURES
Risk monitoring
Learning Assessment 9
Table 23: Risk Monitoring Methods
3.4 CHOOSE AND IMPLEMENT CONTROL MEASURES FOR OWN AREA OF OPERATION AND/OR RESPONSIBILITIES
Control measure selection and implementation
Figure 24: Hierarchy of controls
3.5 PREPARE AND IMPLEMENT TREATMENT PLANS
Treatment planning
Figure 25: Risk treatment plan
Summary
Learning Assessment 10
Figure 26: Risk Register
4. MONITOR AND REVIEW EFFECTIVENESS OF RISK TREATMENT/S
4.1 REGULARLY REVIEW IMPLEMENTED TREATMENT/S AGAINST MEASURES OF SUCCESS
Case study
4.2 USE REVIEW RESULTS TO IMPROVE THE TREATMENT OF RISKS
Risk treatment review
Figure 27: Risk Review checklist
4.3 PROVIDE ASSISTANCE TO AUDITING RISK IN OWN AREA OF OPERATION
Prepare Recommendations
Document the risk audit report
4.4 MONITOR AND REVIEW MANAGEMENT OF RISK IN OWN AREA OF OPERATION
Risk management review
Figure 28: The Risk Management Process
Key questions
Risk identification
Risk treatment
Learning Assessment 11
Summary
Learning Assessment 12
RESOURCE EVALUATION FORM
Learning Program
As you progress through this unit you will develop skills in locating and
understanding an organisation's policies and procedures. You will build up
a sound knowledge of the industry standards within which organisations
must operate. You should also become more aware of the effect that your
own skills in dealing with people have on your success, or otherwise, in the
workplace.
Knowledge of your skills and capabilities will help you make informed
choices about your further study and career options.
Additional Learning Support
To obtain additional support you may:
Search for other resources in the Learning Resource Centres of your
learning institution. You may find books, journals, videos and other
materials which provide extra information for topics in this unit.
Search in your local library. Most libraries keep information about
government departments and other organisations, services and
programs.
Contact information services such as Infolink, Equal Opportunity
Commission, and Commissioner of Workplace Agreements, union
organisations, and public relations and information services provided by
various government departments. Many of these services are listed in
the telephone directory.
Contact your local shire or council office. Many councils have a
community development or welfare officer as well as an information and
referral service.
Contact the relevant facilitator by telephone, mail or facsimile.
Facilitation
Your training organisation will provide you with a flexible learning facilitator.
Your facilitator will play an active role in supporting your learning, will make
regular contact with you and if you have face to face access, should
arrange to see you at least once. After you have enrolled your facilitator
will contact you by telephone or letter as soon as possible to let you know:
How and when to make contact
What you need to do to complete this unit of study
What support will be provided
Here are some of the things your facilitator can do to make your study
easier.
Give you a clear visual timetable of events for the semester or term in
which you are enrolled, including any deadlines for assessments.
Check that you know how to access library facilities and services.
Conduct small ‘interest groups’ for some of the topics.
Use ‘action sheets’ and website updates to remind you about tasks you
need to complete.
Time
It is important to plan your study time. Work out a time that suits you and
plan around it. Most people find that studying in short, concentrated blocks
of time (an hour or two) at regular intervals (daily, every second day, once
a week) is more effective than trying to cram a lot of learning into a whole
day. You need time to “digest” the information in one section before you
move on to the next, and everyone needs regular breaks from study to
avoid overload. Be realistic in allocating time for study. Look at what is
required for the unit and look at your other commitments.
Make up a study timetable and stick to it. Build in “deadlines” and set
yourself goals for completing study tasks. Allow time for reading and
completing assessments. Remember that it is the quality of the time you
spend studying rather than the quantity that is important.
Study Strategies
Different people have different learning 'styles'. Some people learn best by
listening or repeating things out loud. Some learn best by 'doing', some by
reading and making notes. Assess your own learning style, and try to
identify any barriers to learning which might affect you. Are you easily
distracted? Are you afraid you will fail? Are you taking study too seriously?
Not seriously enough? Do you have supportive friends and family? Here
are some ideas for effective study strategies:
Make notes. This often helps you to remember new or unfamiliar
information. Do not worry about spelling or neatness, as long as you can
read your own notes. Keep your notes with the rest of your study materials
and add to them as you go. Use pictures and diagrams if this helps.
Underline key words when you are reading the materials in this learning
guide. (Do not underline things in other people's books.) This also helps
you to remember important points.
Talk to other people (fellow workers, fellow students, friends, family, your
facilitator) about what you are learning. As well as helping you to clarify and
understand new ideas, talking also gives you a chance to find out extra
information and to get fresh ideas and different points of view.
Using this learning guide:
A learning guide is just that, a guide to help you learn. A learning guide is
not a text book. This learning guide will
describe the skills you need to demonstrate to achieve competency for
this unit
provide information and knowledge to help you develop your skills
provide you with structured learning assessments to help you absorb
the knowledge and information and practise your skills
direct you to other sources of additional knowledge and information
about topics for this unit.
Example
Illustrates the concept or competency by providing examples
Learning Assessment
Provides learning assessment activities to reinforce understanding
of the action. This is called formative assessment.
Formative assessment
The goal of formative assessment is to monitor your learning to
provide ongoing feedback that can be used by your trainer to
improve their teaching and so you can improve your learning.
More specifically, formative assessments:
help you identify your strengths and weaknesses and target
areas that need work
help your trainer recognise where you are struggling and
address problems immediately
Chart
Provides images that represent data symbolically. They are used
to present complex information and numerical data in a simple,
compact format.
Intended Outcomes or Objectives
Statements of intended outcomes or objectives are descriptions of
the work that will be done. These are also known as your
Performance Criteria.
Assessment
Strategies with which information will be collected in order to
validate each intended outcome or objective. This is called
summative assessment.
Summative assessment
The goal of summative assessment is to evaluate your learning at
the end of an instructional (learning) unit by comparing it against
some standard or benchmark.
Performance Evidence
Evidence of the ability to apply organisational policies, procedures and
processes to:
identify risks
consult with relevant stakeholders to analyse and evaluate risks
identify and evaluate control measures
develop and implement treatment plans for own area or responsibility
refer risks that are beyond own area of responsibility to others
maintain risk management documentation.
Note: If a specific volume or frequency is not stated, then evidence must be
provided at least once.
Foundation Skills
Skill: Get the work done
Performance Criteria: 1.1, 1.2, 2.1, 2.2, 3.1, 3.2, 3.4, 3.5, 4.1, 4.2, 4.3, 4.4
Description:
Determines job sequence and works logically and systematically to undertake defined tasks
Uses analysis and consultative processes to inform decisions about selection and implementation of risk control measures
Evaluates effectiveness of plans and results to inform improvement decisions
Uses familiar digital technologies and systems to access information, prepare plans and communicate with others
Knowledge Evidence
To complete the unit requirements safely and effectively, the individual
must:
outline techniques for identifying and evaluating risks
outline organisational policies, procedures or processes for risk
management
give examples of areas where risks are commonly identified in an
organisation
outline the purpose and key elements of current risk management
standards
outline the legislative and regulatory context of the organisation in
relation to risk management
describe the organisation's auditing requirements relating to risk
management.
Assessment Conditions
Assessment must be conducted in a safe environment where evidence
gathered demonstrates consistent performance of typical activities
experienced in the regulation, licensing and risk - risk management field of
work and include access to:
relevant legislation, regulations, standards and codes
relevant workplace documentation and resources
case studies and, where possible, real situations
interaction with others.
Assessors must satisfy NVR/AQTF assessor requirements.
1. Identify risks
1.1 Identify the context for risk management
Unit overview
Often a business is taken aback when unpleasant surprises happen late in
a project, when in fact they should have come as no surprise at all. In some
cases these same problems have arisen previously in similar projects. In
other cases someone has suspected that they could occur but has not said
anything. The business has failed to identify potential surprises, otherwise
known as risks. Without knowing what could potentially go wrong, the
business is unable to devise strategies to manage those problems.
Risks are inherent in every business and every project. Effective risk
management attempts to recognise and manage potential problems that
may occur for a business or a project. It identifies as many risk events as
possible, analyses the effects of those risks, minimises their impact, and
determines how to treat those risk events.
Risk management is proactive - that is, you are anticipating a situation and
determining a response or a plan of action. The opposite is reactive
management, where a surprise situation occurs, usually negative, and you
respond. To respond you often need to set aside the work you are doing,
recruit others to your response team, and resolve the problem. This may
take hours, days or months. Many businesses use this kind of 'firefighting'
approach to problem solving, when if they had spent some resources
identifying and planning for risks it would have cost them far less in
downtime and missed opportunities.
Definitions
Different fields of study treat risk and risk management quite differently. They
also use separate terms for risk. For example:
In the occupational health and safety field, risk is usually considered in
terms of hazards to personal safety. These hazards are usually non-
speculative or pure risks. This area is dominated by engineering
approaches to risk management.
In the insurance industry, risk is speculative and considered in terms of
exposure when underwriting.
In the security industry, risk might be termed threat.
In the finance sector, risk typically refers to speculative risks
associated with investments.
In the government and public services, risk is often political.
Other sectors highly sensitive to risk, and heavily reliant on risk
management, are the economy and the environment.
This manual looks at business risk, which has elements of the other fields
of study but is a more generic kind of risk. Business risk uses terms such
as uncertainty, problems and surprises. We will explore the numerous
types of risk that fall under the category of business risk later in this
element.
First, let us look at some key definitions.
Stakeholders
This term is used throughout this manual, so it is best to get a clear
definition up front.
Stakeholders are the people and organisations that have an interest in the
business or project.
They may be employees, suppliers, customers, shareholders, end users,
industry bodies, external agencies engaged in the project, or anyone with
an interest who is likely to be affected by a risk event.
Risk
There are a number of definitions of risk. The following definition has been
chosen because it recognises the positive aspect of risk as well as the
negative. While risk is often a negative occurrence, it can also provide
opportunities that a business can exploit to its advantage.
Risk is the chance of something happening that will have an impact on
objectives.
Risk arises out of uncertainty and has two elements:
the likelihood of something happening
the severity of the consequences resulting from the event.
We will look at these two elements in more detail in the next element.
Risk event
This term will be used throughout this manual.
“A risk event is the occurrence of a particular set of circumstances that
present a risk.”
Risk management
The Australian/New Zealand Risk Management Standard AS/NZS 4360:2004
defines risk management as:
“the culture, processes and structures that are directed towards the
effective management of potential opportunities and adverse effects.”
Again, this definition recognises that risks can produce opportunities as
well as problems.
You will also notice this definition includes the word potential. This implies
that risk management is something that should be in place before a risk
event arises. It is not simply a process of managing problems after they
have occurred.
Risk management is a continuous process. Risks will change during each
stage of a project and risk estimates will need to be refined. Some risks will
disappear and new ones will emerge. Your risk management treatments
will need to be responsive and flexible.
1.2 Identify risks using tools, ensuring all reasonable steps have been
taken to identify all risks
Learning Assessment 1
As part of your learning journey you are to think back to the case study at
the beginning of this element. Gail has realised that she has overlooked
risk management when preparing her project plan. She is a self-confessed
optimistic marketer, so how is she going to determine all the problems that
could arise during the course of her project?
Before we explore some of the tools available for identifying risk, write
down a couple of ways Gail might go about determining potential problems
for her project.
Once you have completed this learning assessment have your assessor or
facilitator check your answer to see if you are on the right track.
ag
The comprehensive identification of all risks is critical to the project's
success. Any risk not identified at this early stage is automatically excluded
from further analysis and therefore from an associated response or minimisation
strategy. So the objective of risk identification is to generate a list of as
many possible risks, or potential problems, as you can. It stands to reason,
then, that getting a wide cross-section of the stakeholders to participate will
lead to a greater number and a greater variety of risks being identified.
It is also important to focus on the risk events without getting caught up in
the consequences of those events. That comes later. At this stage you are
trying to identify what could occur that would result in a risk to the business.
Let us start by thinking about all the informal ways in which you can identify
potential risks. You probably thought of a couple of these in the Learning
Assessment you just completed. Here is a list of the most common informal
risk identification tools.
| Risk identification tool | Description |
| --- | --- |
| Checklists | A series of items that need to be checked or approved before a project can start. For example, airline pilots must work their way through a preflight checklist to ensure that all is in working order before takeoff. |
| Diagrammatic techniques | You can use various types of diagrams (fishbone diagram, process/environment, flowchart and so on) to inspire questions about possible risks. For example, you may draw a fishbone diagram for one particular outcome of a project. This type of diagram shows all the inputs required to get to this outcome. At each of these inputs you can ask questions about what could go wrong. |
| Quantitative modelling or scenario building | If you have lots of information/data about a project and predetermined risk indicators you can model various outcomes by developing scenarios. |
| Computer simulations | Sophisticated software can simulate your exposure to risk should certain circumstances occur. You need to determine the likely circumstances. |
The main difference between these formal and informal risk identification
tools is that the formal tools rely on a large amount of data and information.
This data is usually gathered from lots of past experience with similar
projects, or from extensive testing or piloting of a project. While the formal
tools produce more accurate information enabling you to go forward to the
next stage of risk analysis, you should not allow the lack of good
information/data to keep you from conducting systematic risk identification.
The informal tools can be used by anyone on any type of project and will
certainly produce a plethora of risk possibilities that you would not have
thought of yourself. Even better, if you are information poor, use several of
the informal tools and combine the results.
Types of risk
Now that you have worked out how to identify potential risks to your
business or project, you should look more closely at those risks. Because there
are so many potential risks it is a good idea to group risks into different
types. This will help you when it comes to analysing your risks and
determining appropriate treatments.
There are many different ways to group or type potential risks. Every
textbook on risk management will offer a different approach. Here are some of
the most common methods of categorising risks.
Internal/external categorisation
One broad way to categorise your risks is to determine which are internal
risks (that is, risks within your business or project) and which are external
risks (that is, risks outside of your business). This is a useful way of sorting
risks because it correlates with control.
Internal risks are usually within your control. Internal risks, such as
communication bottlenecks, lack of staff and machinery breakdown, can be
influenced by changes to business operations or forward planning.
External risks, however, are generally out of your control and so are
harder to manage and plan for. For instance, external risks such as
economic downturn and competitor activities are impossible to influence.
You can only acknowledge their possibility and prepare a contingency plan
in case they do happen.
Learning Assessment 2:
As part of your learning journey you are to think about your own project or
business, or use the case study at the beginning of this element as your
base. Write down five internal and five external risks.
Think about the internal risks. Could you stop any from happening? You
can probably already think of solutions or strategies to minimise their effect.
What about the external risks? Do they appear more difficult to solve?
Usually there is not much you can do to prevent them occurring, so it is a
matter of working out how to deal with them if and when they do occur.
Once you have completed this learning assessment have your assessor or
facilitator check your answer to see if you are on the right track.
So, categorising internal and external risks is a very useful but fairly broad
measure when you are dealing with a lot of risks. You might, therefore,
want to further refine your categorisation of risks.
Operational categorisation
One way to further categorise risks under the broad internal and external
headings is by grouping against the type of business or external operation.
If you are familiar with situation analysis or SWOT (Strengths,
Weaknesses, Opportunities and Threats) analysis you will know that
strengths and weaknesses are internal business measures and
opportunities and threats are external. Under each of these headings are a
number of subheadings that you analyse against. Operational
categorisation is very similar.
Figure 3: Attributes of a SWOT analysis
STRENGTHS
Powerful retail brand with great buying power
Reputation for value for money
Wide range of products
WEAKNESSES
With increased growth, it may result in decreased control within some areas such as the quality of product
OPPORTUNITIES
To take over, merge with, or form strategic alliances with other global retailers
Expand globally, eg Europe or China
THREATS
Competition from overseas chain grocery stores, eg Aldi
Local competition with great prices
INTERNAL

| Risk category | Types of risk |
| --- | --- |
| Manufacturing | Inadequate supply of raw materials; Machinery breakdown |
| Marketing and sales | Launch campaign delayed; Failure to secure sales with major customers; Product oversold |
| Finance | Funding changes; Unanticipated cost fluctuations; Cashflow problems |
| Distribution | Lack of storage space on site; New channels requiring redesigned methods |
| Human resources | Lack of appropriately skilled staff; No skills training in place; Communication problems; Key staff leaving |
| Information technology | Software or system problem; Lost information |
| WHS | Accidents or incidents |
| Legal | Patent and copyright issues; Public liability claim |

EXTERNAL

| Risk category | Types of risk |
| --- | --- |
| Economic | Interest rate change; Currency change; Employment rate change |
| Political | Change of political party in power; Regulation or legal changes; Funding change; Change in policy with supplying country |
| Environmental | Natural disasters; Unseasonal weather |
| Technological | New breakthroughs affecting market; E-commerce uptake |
| Competitor | Merger or acquisition; Price fluctuations; New offerings; Marketing/advertising activity; Enters liquidation |
| Customer | Buys from competitors first; Insists on exclusivity |
| Supplier | Fails to deliver raw materials on time; Faulty materials; Price rise |
Table 6: Types of risks (Externally)
Figure 7: Stakeholders Risk Map
[Figure: stakeholder risk map with BUSINESS at the centre, surrounded by the following stakeholder groups and their risks]
FINANCE DEPT: Budget cuts; User pays; External $; New products
SUPPLIERS: Responsiveness; Price; Scheduling; Reliability; Stability; Quality
MANAGEMENT: Change in priority; Loss of Key Staff; Approval; Merger/acquisition
FACTORY: WHS; Fire/disaster; Unions; Downsizing; Equipment; Sabotage
WORK TEAM: Loss of Key Staff; Training; Scheduling; Succession plan; Staffing
CUSTOMERS: Knowledge of offer; Brand loyalty; Price sensitivity
GOVERNMENT: Funding; Tariffs; Competitive tendering
COMPETITORS: Speed to market; Response to offer; New products; Capacity; Costings
Project stage categorisation
The final way of categorising risk we are going to look at here is specific to
project work. The common method used to identify and categorise risk in
project management is against each stage of the project lifecycle. You
determine risks at the stage of scoping or planning a project right through
to risks that could arise on project termination or closure.
The following figure shows a generic project lifecycle.
[Figure: generic project lifecycle plotted against time; stage labels recovered: Concept, Planning, Closeout]
There are four main stages of any project:
Concept
The project brief is determined. An outline of the project is prepared from
which feasibility studies can be undertaken. The project is then either
approved, put on hold or cancelled.
Planning
At this stage all facets of the project are scoped, with deadlines and
budgets assigned.
Management and control
The project is now under way, with control procedures in place to manage
any discrepancies.
Closeout
The project is complete and is reviewed and evaluated to inform future
projects.
Let us now examine some risks that may arise at each stage.
Again, getting all stakeholders to inform this method of risk generation and
categorisation is more likely to lead to more risks being identified, analysed
and planned for.
1.3 Document identified risks in accordance with relevant policies,
procedures, legislation and standards
Risk documentation
This is the final stage of risk identification. It is pointless to go through
elaborate risk identification and categorisation if you do not fully document,
or record, each risk in a manner that can be later analysed and allocated
with a treatment plan.
One way to clearly document each risk is in a risk register. The risk register
is a log or database that is opened at the beginning of a project or activity.
It is an evolving document where all risks are tracked from identification to
closure.
Once risks have been identified they are written into the register and
assigned an ID number or reference. From this risk register each risk can
be analysed and actioned.
We will look at the analysis stage in the next element.
The risk register often forms the basis of more complex documents that
need to be prepared later in the risk management process. Documents
such as a risk profile, risk plans and risk treatment plans all draw
information from the risk register that you begin at this risk identification
stage.
There may be other risk documentation that a particular organisation or
industry requires. For example, there may be legal, contractual or safety
agreements that require associated risks be documented and
communicated in a certain way.
Figure 10 on the next page shows the layout of a risk register.
Summary
Risk identification is a proactive way of solving problems. Rather than waiting
for the problems to happen, you are anticipating what could happen so that
you are better prepared and better resourced.
In this element we defined the main terms you are going to come across
throughout this manual. We first determined the difference between business
risks and other kinds of risks. We defined stakeholders, risk, risk event and
risk management.
Next we looked at the tools used for identifying risk. We distinguished between
informal and formal tools and briefly looked at several types of each,
recognising that the formal tools required more data to be effective.
Once tools for risk identification were in place we looked at the endless risks
that could occur in businesses or particular projects. To properly assess these
risks it is easier if they are grouped. We looked at a number of ways to group
or categorise risks such as internal/external, operational, stakeholder and
project stage.
Finally we looked at the documentation required to record risks. We
determined that a risk register was a good document because it tracked risks from
initial identification right through to the closure of the project or business
activity and kept an account of the risk impact and actions taken.
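| ID | Date raised | Risk | Impact | Risk owner | Overall risk rating | Priority rating | Preventative actions | Action date | Contingency actions | Action date | Date closed |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |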
Figure 10: Risk register
Learning Assessment 3:
Risk
Risk event
Risk management.
Describe two formal and two informal risk identification tools and when you
might use them. Give real life examples.
Explain three ways in which you might group or categorise a large number
of risks generated at a staff brainstorming session. Give real life examples.
Once you have completed this learning assessment have your assessor or
facilitator check your answer to see if you are on the right track.
2. Analyse and evaluate risks
2.1 Analyse and document risks in consultation with relevant stakeholders
Case study
Gail scheduled a meeting and invited at least one person (stakeholder)
from every section of her project. She determined that these stakeholders
needed to represent suppliers, product design, production planning,
manufacturing, marketing, sales, distribution, finance, management,
customers and end users.
Gail thought through the various tools available to identify risks. She didn't
have a lot of data from previous projects, as the Fitzroy Falls Clothing
Company didn't carry out a formal closeout of projects, where audits are
performed and project outcomes inform future projects. So Gail's options to
identify risks were limited to informal methods.
Gail settled on a facilitated brainstorming session with as many of the
stakeholders as could attend. Those that couldn't were to be surveyed
later.
Preparation for the meeting included taking the detailed project lifecycle
that Gail had prepared as part of her project plan, and enlarging this so that
it filled one wall of the meeting room. This lifecycle was broken into various
project stages marked with milestones. Each stakeholder was issued with
sticky notes and pens. The idea was that all the potential risks would be
written on the sticky notes and placed on the corresponding section of the
project lifecycle.
The session was professionally run by a facilitator from a business
consultancy. Even though it ran for over four hours, everyone was still
buzzing when it was complete. Most of the stakeholders offered to provide
further advice if Gail needed it. At the conclusion, Gail sat alone in the
meeting room facing a wall covered in hundreds of sticky notes. She had a
big wad of notes about each identified risk. They had explored the causes
of each risk and the possible impacts.
Gail was overwhelmed. She counted the risks. There were 168. She now
had more potential risks than she had ever dreamed possible. How was
she going to incorporate these into her project plan and still get it to her
boss in time for the product launch? Developing contingency plans for each
of these 168 risks would take weeks and create an enormous document
that she didn't think anyone would ever read, let alone put into practice.
Gail needed a way to find the real risks - those that were likely to happen
and would cause a major problem if they did - and weed out the minor risks
that may never happen, or would only cause a little blip in the project. Gail
needed to get analytical.
Causes of risk
Risk analysis is sometimes called risk assessment. It is a step-by-step
process. The very first step is to determine the causes of the risks you have
identified. Risks are a bit like medical symptoms. They need to be treated,
but to treat them effectively you must determine their cause so that you are
treating the root of the problem rather than the symptom that appears on
the surface.
Let us use an example from the case study featured at the beginning of this
element. One risk event that may have been identified is that the new
Clothing order is late for shipment to its retail customers. There could be a
number of causes of this risk event. It may be that machinery breaks down
and the repairs cause production delays. Or perhaps the yarn is delivered
late from the overseas supplier. Or perhaps a strike occurs in the factory,
shutting it down for two days during the critical stage of production. You can
see that each cause of this risk event would need a different treatment or
risk management plan.
The tools used to determine causes of risks are very similar to those used
in the risk identification stage. Informal tools such as brainstorming,
stakeholder consultation, benchmarking and observation can all help to find
the root causes of each risk event. For this reason you might want to
structure cause identification into your risk identification session. For
instance, if using brainstorming with stakeholders to identify as many risks
as possible, extend the session or schedule another to explore the possible
causes of each identified risk.
Some other tools that can be used to effectively determine the causes of
risks are diagrammatic techniques. The cause and effect diagram, also
called the fishbone diagram, is a way of looking at all the activities that feed
into an outcome. It forces you to consider each area of the business that
could possibly be the root cause of a risk event. The following figure shows
the possible causes of the risk event mentioned earlier.
Learning Assessment 4:
Here are two different risks identified in Gail's brainstorming session. As
part of your learning journey you are to think of three possible causes of
each risk.
Risk 1: The first batch of clothing has an unusually high faulty rate.
Risk 2: Three of the major customers cancel their large indent orders.
Once you have completed this learning assessment have your assessor or
facilitator check your answer to see if you are on the right track.
Can you see that depending on the cause of the risk, a different treatment
or contingency plan would be needed?
Once you have the causes of risk events you may want to go back to your
risk register and flesh out the description of your risks or categorise them
into root cause risks. It is worth the time now to properly list and describe
all risks, as this forms the basis of your analysis. Any risks not
documented, or not properly documented, will cause errors in the risk
analysis scores, which may lead to risks being overlooked, underestimated
or overestimated.
Risk impacts
Once you have reworked your risk register so that all risks are clearly
expressed, including their cause, you should extend the risk description to
include a description of the possible impact of that risk event occurring. The
impact is the consequence that could result if the risk event occurred.
Sometimes there are several consequences from a particular risk event. All
consequences, or impacts, should be documented in the risk register.
Let us use that example again from the case study. The risk event is that
the new Clothing order is late for shipment to customers. The impact of this
risk event could be that certain customers cancel their orders. Or perhaps
you have to discount the stock in order for the customers to take delivery.
Or perhaps instead of shipping to a central retailer warehouse, you need to
individually deliver to each store to eliminate the delay from warehouse to
outlet.
Again, this stage of risk analysis can benefit from the broad input of
stakeholders. You may want to add this stage to your risk identification
brainstorming session.
2.2 Undertake risk categorisation and determine level of risk
Risk prioritisation
By completing a quantitative risk analysis you are essentially ranking, or
prioritising, your risks from most important, or serious, to least important.
You could give each risk a score and rank it in priority order, but it may be
easier to work out cut-off points for action by putting your risks into groups.
You could have any number of groups, but it is common to sort into three
groups - high risk, medium risk and low risk.
Generally you will consider the low risk category as acceptable risks
that can be excluded from further analysis or planning. The high risk
category represents unacceptable risks that take top priority and need
preventative measures in place or treatment plans for their eventuality.
Medium category risks are more difficult to plan for. You need some
sense of awareness about them, but it may not be cost or time effective
to put preventative measures or treatment plans into place for all of
them. It really depends on the resources available to you whether or not
you action them or ignore them.
One way of graphically representing and sorting your data is with an
impact-likelihood matrix. This matrix, along with shading representing
the three risk categories, is shown in the following figure.
[Figure: impact-likelihood matrix. Impact axis: Insignificant (1), Low (2), Medium (3), High (4), Extreme (5). Likelihood axis: 1 to 5.]
Where:
Low Risk = No action required unless risk occurs
Learning Assessment 5
Let us revisit the risk rating example with two measures shown previously.
Use the figures provided to plot the four given risks on the following impact-
likelihood matrix.
[Figure: blank impact-likelihood matrix for plotting. Impact axis: Insignificant (1), Low (2), Medium (3), High (4), Extreme (5). Likelihood axis: 1 to 5.]
Now you can easily see which action group each risk falls into.
We should also look at how we can group risks when using all three risk
measures - impact, likelihood and exposure. Remember that this schema
gave us a score between 1 and 125. You can break these scores down to
the same three categories used earlier.
So:
Below 27 = Low risk. No action required unless risk occurs.
27-74 = Medium risk. Plan for, but limit resources.
75+ = High risk. Action immediately.
Regardless of how many measures you use to analyse your risks and the
range of scores your risks fall into, businesses with an established risk
management process may have predetermined categories with actions
already assigned. For instance, using the three risk measures schema
(1-125) your business may determine that any risk with a score below the
threshold of 30 is simply not addressed. Or your business may have
determined that it only plans for the top five risks and will not allocate risk
treatment plans for any risks below these.
Learning Assessment 6
Explain, with an example, how one risk event may have a number of
causes.
Explain, with an example, how one risk event may have a number of
impacts.
Define the three measures of risk:
impact
likelihood
exposure
Why is it important to categorise and/or prioritise risks?
Why is it a good idea to prepare a risk plan for your most important risks?
Once you have completed this learning assessment have your assessor or
facilitator check your answer to see if you are on the right track.
Table 14: Impact Rating
By assessing each risk against the impact and likelihood scales and
assigning a score, you can then multiply these scores and determine an
overall risk rating for each risk. This will give you a score between 1 and
25.
The table below provides an example from the case study.
Table 16: Risk rating example with two measures
While impact and likelihood are the two most common measures used in
risk analysis, there is another measure that can be added into the equation
to give a more accurate analysis:
exposure - the frequency of occurrences or duration of the risk event.
Interchangeable terms for exposure are frequency and duration.
The reason this measure is not always singled out for consideration is
because it can be considered inherent in the impact and/or likelihood
measures.
Let us consider it as a separate measure here.
Occasional 3 Likely to occur during project. Perhaps likely to
last a significant amount of time.
Using all three measures, the equation for determining overall risk rating
now becomes:
Overall risk rating (R) = impact (I) x likelihood (L) x exposure (E)
This gives each risk an overall risk rating from 1 to 125 points.
The table below extends the earlier example from the case study.
Table 18: Risk rating example with three measures
The kinds of rating systems we have examined here allow you to sort your
risks into categories and priorities for action.
Risk analysis documentation
It is time again to take out your risk register and update it. You can now
allocate an overall risk rating to each risk and a priority rating. This priority
may be assigned individually from priority 1 for the most serious risk right
through to priority 168 for the least important risk (the 168 risks are taken
from the case study). Or you may have grouped your risks into the three
categories - high, medium and low.
You may want to close the lower, or lesser priority, risks. If you have
decided to give them no further attention, then close them in the register so
that no resources are allocated to preventative or contingency measures.
It is really important to now consider who should own each of the risks. The
risk owner is allocated the risk to manage throughout the project. Unless a
risk is owned, it is unlikely treatment plans will be prepared, and should the
risk occur with no plans in place, it will always be considered someone
else's fault. So take the time now to allocate an owner for each of the risks
you are going to plan for. You might also want to consider allocating an
owner for the lower level risks. This could simply be to monitor them and
raise awareness if any are likely to occur, or cause a significant problem.
The risk register only holds summary information about each risk. It is
worthwhile now to produce a more thorough risk document for your top
priority risks. One way you can do this is with a risk plan. A risk plan is used
to identify and describe a major risk to the project or business. It is the
basis of your risk treatment plan. We will look at risk treatment plans in the
next element. The following figure provides a template for a risk plan.
PROJECT DETAILS
RISK DETAILS
RISK TREATMENT
(To be discussed)
APPROVAL
Supporting documentation:
Reference any supporting documentation used to substantiate the risk and its
treatment
The risk register and risk plans are generic risk documentation. There may be other
risk analysis and evaluation documentation required by your particular
organisation or industry. For instance, you may need to submit paperwork
for funds approval to prepare treatment plans for each risk.
Summary
Successful risk identification leads to a great number of risks being
generated. It is not practical or economically viable to treat all of these
risks, so you need to analyse, categorise and prioritise them.
In this element we looked at causes of risk. You cannot plan treatment for
risks without fully understanding what has caused the risk. The tools used
during the risk identification stage are often helpful when determining the
underlying risk causes. We looked particularly at the cause and effect or
fishbone diagram.
Next we explored the impacts of risk events and found that some risk
events can produce a number of impacts. Again, the risk identification tools
are helpful when determining possible impacts.
Risk analysis was undertaken. We assigned numerical scores to various
risk measures. We looked at two-measure and three-measure models
using risk impact, risk likelihood and risk exposure. This analysis gave us
an overall risk rating for each risk event.
These risk ratings were used to group or categorise risks and to prioritise
them for action.
Finally we looked at documenting this risk analysis and evaluation process
and information in the risk register. We also looked at how to prepare risk
plans for the most important risks and how these form the basis of the risk
treatment plans we will need in the next element.
3. Treat risks
3.1 Determine appropriate control measures for risks and
assess for strengths and weaknesses
Introduction
In the previous element you saw how risk identification enables you to
determine the good and bad things you might encounter on a project or
business activity, and then how conducting a risk analysis allows you to sort
those risks into categories of importance. The next stage is to plan for and
treat those risks most likely to have a major impact on the project or
business.
Some types of risks can be completely eliminated by making changes in
the organisation or project. Other risks cannot be eliminated, but their
impact can be significantly reduced through various controls. Further risks
may not be able to be controlled, but planning for their eventuality may
mean that more carefully considered action is taken if the risk arises. Each
of these approaches will produce a better result than going without a risk
management strategy.
You must be mindful that many risks can be identified before a project
starts and so can be planned for and managed proactively with treatment
plans. However, some risks are chance events that could never be
anticipated. For these you must be reactive, treating them if and when they
occur.
Case study
Through an extensive analysis of all 168 identified risks, Gail determined that
there were two main risks that posed a major threat to the launch of her new
line of clothing.
1. The most serious risk was the delays to deliveries caused during
production. Further investigation of this risk found that the delivery delay
risk could be caused by the following:
equipment problems
staff problems
raw material problems
high rate of faulty product.
2. The second most serious risk came from competitor activity. Possible
competitor actions that could affect Gail's sales were determined to be:
copying product designs and positioning
price reduction on competing products
offers to customers to bulk purchase.
3. Gail also found a second level of risk that was less important than these
two, but could pose a problem big enough to warrant some forward
planning.
4. Customer action was causing a drop in projected sales. This risk could be
the result of:
customers cancelling orders
customers' poor financial position placing them on 'stop supply'.
Gail's thorough risk identification and analysis processes had whittled her
168 risks down to these three serious risks. The risks no longer seemed
insurmountable. However, now that Gail had a really good idea about the
most serious and most likely threats to the success of her Clothing launch,
she didn't know quite what to do to make sure that these risks didn't
happen. Was it feasible to take action to eliminate each and every risk?
Was it even possible? What was she going to do about the risks she
couldn't eliminate?
Gail needed some mechanisms to monitor her project and alert her when
risks were beginning to develop. She also needed clear plans telling her
what action to take if and when the risks did develop.
Risk-handling approaches
Before looking at risk controls, monitoring and treatment we need to
understand the different approaches to handling risk. These are often called
treatment strategies.
When you are confronted with a possible risk there are usually a number of
options available. You could actively change the way you work or operate to
prevent the risk from ever occurring, or you could employ tactics to reduce the
risk, or you could choose to just accept the outcome of the risk if and when it
does occur. The following table explores the five main approaches to handling
risk, or treatment strategies.
Risk mitigation/reduction: Actions are taken to reduce the likelihood the risk
will develop or to limit the impact of the risk to more acceptable levels. This
also includes sharing the risk with others or diffusing the risk between
locations.
Learning Assessment 7:
Refer to the case study at the beginning of this element. Gail has identified
three main risks to her product launch. Take each risk and determine
possible handling approaches or treatment strategies that Gail could use to
manage each risk.
Delivery delay
Competitor activity
Customer action
Once you have completed this learning assessment have your assessor or
facilitator check your answer to see if you are on the right track.
Can you see that the internal risks causing the delivery delay have more
treatment options than the external competitor and customer risks? Also, it
may be possible to eliminate the internal risks, while it is rarely possible to
completely eliminate external risks.
3.2 Identify control measures for all risks
Risk control measures
According to the Australian/New Zealand Risk Management Standard
AS/NZS 4360:2004, risk treatment can be defined as:
a process of selection and implementation of measures to modify risk.
We often call these measures controls. Controls are the policies, practices
and processes used to treat, or manage, risks. There are many different
types of controls you can use. Control method selection depends on the
approach, or treatment strategy, you intend to use for each risk.
So let us take each of the treatment strategies we just explored and look at
examples of control measures you could use for each strategy.
Learning Assessment 8:
Taking the treatment strategies you assigned to each risk in assessment 5,
apply possible control measures to each risk. (Hint: You may need to break
the risks down to the root causes given in the case study. Match control
measures with each cause.) (Use tables where needed)
The following table takes each category of control measure and determines
some of the strengths and weaknesses of choosing that type of control.
3.3 Refer risks relevant to whole of organisation or having an impact beyond
own work responsibilities and area of operation to others as per
established policies and procedures
Risk monitoring
At the monitoring and control stage of risk management we leave behind
the speculative activities and move into the action phase. Up until this point
we have identified possible risks, analysed and sorted them and planned
what we could do if they occurred. Now it is time to actually take some
action against these risks.
Risk monitoring involves scanning the risk horizon to see what untoward
risk events are looming. You need active measures in place to report risk
triggers so that your controls can be implemented to ward off, lessen or
recover from the risk.
Risk monitoring should be a routine and ongoing process that is
established at the beginning of a project or business activity, and continues
until that project is complete. Risks are dynamic. They will change their
size, shape and intensity. You need continuous risk monitoring so that you
spot the risk triggers and are alerted to new risks.
Much of risk monitoring is informal. As people are doing their jobs they
notice that things are not right and report this to their supervisor. For
instance, a production line worker at the Fitzroy Falls Clothing Company
may notice that stock on the floor of lime green yarn is really low. She
knows that the lime green based Clothing is scheduled for production the
next morning, so asks her
supervisor whether there is more stock stored elsewhere. Depending on
the stock situation the supervisor can head off this risk by having stored
stock transferred to the factory floor before the morning shift, or reschedule
the lime green Clothing production to a later date when yarn is delivered
from the supplier.
Learning Assessment 9.
Use your current or previous workplace as an example. Think carefully about
how low-level risks might be detected before they happen. Describe two or
three ways in which informal risk monitoring happens.
Informal risk monitoring occurs all the time. Organisations should encourage a
culture where staff are forward thinking and on the lookout for potential risks
as well as opportunities. However, informal risk monitoring usually only
detects imminent risks. Early triggers, or indicators, of risk are best detected
by formal methods of monitoring.
Some of the key formal risk monitoring methods are explained in the table
below.
Risk monitoring method: Issues logs
Explanation: These logs are usually divided into two sections – pending
issues and resolved issues. Issues logs, like progress reports, are updated
regularly. The pending section lists possible sources of problems. The
resolved section itemises previous pending issues that have been closed.
These logs are a simple mechanism for staff to communicate concerns. They
are a way of displaying all the issues and putting pressure on staff to take
action to resolve them. A growing pending list and a short resolved list
indicate poor risk management.
While you may have a number of elaborate risk monitoring mechanisms,
they will not, unfortunately, detect every risk. To ensure that you detect as
many risks as possible you must check you are:
focusing on the right source of information (for example, if the source of
risk is within the machinery, you are better doing regular maintenance
checks than surveying staff on what they think could go wrong)
getting timely information (for example, it is no use finding out about a
possible problem causing machinery to break down, after the machinery
has broken down)
understanding the information (for example, the person reviewing the
risk monitoring data needs to be able to determine which data shows
real risk triggers and which data is simply representing useless
anomalies).
3.4 Choose and implement control measures for own area of operation
and/or responsibilities
Control measure selection and implementation
Now that your risks have come to light through your monitoring mechanisms,
you must take action to handle, or treat, those risks. How do you determine
what sort of action to take, or controls to implement? Some businesses
choose to implement a hierarchy of controls model where control questions
are used to filter risks. This model is built on the treatment strategies or control
measure types discussed earlier in this element. The model you use may look
something like figure 24.
You will notice that some of these filter questions include the term cost
effectively. It is very often possible to reduce or entirely eliminate a risk, but
while possible it is also very expensive in monetary terms, time or resources.
In these instances if the costs outweigh the seriousness of the risk, then it is
not feasible to eliminate or reduce the risk. Instead, you would move through
the model to the next filter question.
As you can see, effective risk management is not free. It may be prudent to
cost, or forecast, in monetary terms, time and resources, each of the controls
you plan to implement. In fact, a costing stage is included in the risk treatment
plan at the end of this element.
The chosen monitoring mechanisms and control filter may highlight some risks
that are relevant to areas of your organisation or business other than just the
project or activity at hand. These risks may be relevant to the whole
organisation, or another section of the organisation. There may be established
policies and procedures to refer these risks. If not, they should not be ignored.
You must ensure that all relevant areas of your organisation or business are
aware of the risks that may impact them.
Once you have determined the most appropriate control measure type for your
risk event you need to select a specific control and implement it. You will have
already listed possible controls in the earlier analysis section of this element. It
is now a matter of matching those controls to particular risks that will give the
most satisfactory outcome.
Figure 24. Hierarchy of controls
We should also mention that while this process of risk monitoring and
control looks very planned, strategic and logical, there will always be a risk
event that will take you by surprise. It may not have been picked up in your
risk identification and so then missed analysis and planning. It may have
slipped under the radar of your risk monitoring, and so surfaces at some
stage of the project 'out of the blue'. If the risk is serious it requires crisis
management.
Managing crises is a special case of risk control. You will be sure to recall
many high-profile scandals and crises in the political arena that were
handled so poorly that they led to the downfall of political leaders.
Businesses, too, are guilty of inaction or inappropriate action in the face of
a crisis. Larger and more crisis-prone organisations often have a crisis
centre ready for action in such circumstances.
For the smaller organisation there is not a great deal of advice other than
the following golden rules:
It is usually better to communicate clearly and honestly.
Act sooner rather than later.
Do your best not to panic. It breeds panic in others.
Consider your longer term needs as well as the short-term situation.
Get advice from professionals.
3.5 Prepare and implement treatment plans
Treatment planning
Now you have gathered all the risk information and made decisions about
measures you will use to monitor and control your risks, it is time to write it
all up. A good structure for this information is a risk treatment plan.
A risk treatment plan is a document defining how risk monitors and controls
are to be implemented to treat particular risks or risk events.
The risk treatment plan builds on the risk plan developed in the previous
element. The treatment plan should extend the risk description by providing
a section on risk treatment. This section should describe the treatment
approach to be taken and the monitoring and control measures to be used.
It should also have a section for estimated cost and expected outcomes of
the treatment.
Figure 25 provides a template for a risk treatment plan.
Now that you have full treatment plans completed for all your major, or
more serious, risks, you should take this opportunity to return to your risk
register (shown again in figure 26) started at the risk identification stage of
the risk management process (element 1). You can now fill in the
monitoring method and control/treatment columns with corresponding
action dates. You may also need to change the risk owner if a different
person is responsible for the implementation of the treatment plan.
You may now be able to close many of the risks. At the completion of your
project or business activity you will want to see all of your risks closed in
the risk register. Each risk must meet one of the following criteria to be
closed:
The risk was successfully prevented from occurring.
The risk did not occur.
The risk occurred and was treated.
Figure 25: Risk treatment plan
PROJECT DETAILS
Project name: Name of the project to which the risk relates
Project manager: Name of the project manager responsible for the project
RISK DETAILS
Risk ID: Unique identifier assigned to this task
Raised By: Name of the person who raised the risk
Date Raised: Date on which this risk was raised
Risk Owner: Name of the person assigned to monitor and manage the risk
Risk Priority: Overall risk rating score and priority rating
Risk description:
Include a brief description of the risk identified and its underlying causes.
Control measure:
Describe the selected measure/s of control to be used to treat the risk
Monitoring measure:
Describe how the risk will be monitored and triggers identified.
Estimated cost:
Provide an estimate of the cost of treatment (monitoring and control) in monetary
terms, time spent and resources required.
Expected outcome:
Describe the expected outcome of implementation of the treatment plan.
APPROVAL
Supporting documentation:
Reference any supporting documentation used to substantiate the risk and its
treatment
Signature: Date: ___ / ____ / _____
Summary
The most important or serious risks need fully detailed risk treatment plans
to implement if and when the risk arises.
The first step in developing a treatment plan is to determine the most
appropriate approach to handling the risk. In this element you looked at five
approaches: risk acceptance, risk elimination, risk transfer, risk mitigation
and risk contingency.
The next step you took was to consider the possible control measures that
could be used for each approach. You evaluated the strengths and
weaknesses of these control measures.
Risk monitoring is necessary to report on risk triggers so that you have
advance warning of a risk event. In this element you examined informal risk
monitoring and reviewed a number of formal risk monitoring methods.
You then looked at how to select the correct control measure for each risk
using a hierarchy of control model. Control implementation issues were
discussed, including costing, referring broader risks, unexpected risks and
crisis management.
Finally you explored the contents of treatment plans and the additions
required to the risk register.
3. Provide a strength and a weakness for each of the control measures
you provided in the previous question.
7. What sections should be fully covered in a risk treatment plan as
opposed to a risk
Once you have completed this learning assessment have your assessor or
facilitator check your answer to see if you are on the right track.
ID Date Risk Risk Impact Overall Priority Preventative actions Action Contingency actions Action Date
Raised Owner risk rating date date closed
rating
Once the risk management cycle of risk identification, risk analysis and risk
treatment is complete, you will want to review your performance. If you are
monitoring the effectiveness of risk treatments for an ongoing project or
business activity, then you will use the results to improve those treatments.
If this is the end of a project, then reviewing the effectiveness of risk
treatments allows you to inform future projects or ventures. This will make risk
management of new projects more efficient and successful.
The person given responsibility for the risk treatment is also usually
responsible for the treatment monitoring and review. This person should
also be responsible for communicating the results of the review to the
wider organisation, concerned stakeholders and other areas that could
benefit from this knowledge.
stage?
If not, could another risk identification tool have worked better?
Did you formally document your risks for later analysis?
Risk analysis
Did you adequately identify the source or cause of your risks?
Did you accurately determine the impact of your risks?
Were your impact, likelihood and exposure ratings accurate?
Were your risk priorities correct?
Did you prepare comprehensive risk plans for your key risks?
Risk treatment
Did you use the correct risk handling approach?
Did your risk monitoring methods alert you to the risks that arose?
Did your risk treatments (control measures) achieve their objectives?
Did you prepare and follow comprehensive risk treatment plans?
Did you complete a review of risk treatment?
The questions that have just been asked are only a fraction of what could
be used in a review of the total risk management process. As part of your
learning journey you are to go back through the three previous elements
now and add some more questions of your own to this list.
It is important to remember that larger and more complex or risk-sensitive
organisations may have a formal method and standardised documents for
reviewing their projects. Usually a component of these reviews evaluates
the risk management process.
Once you have completed this learning assessment have your assessor or
facilitator check your answer to see if you are on the right track.
Summary
This final element focused on reviewing and evaluating risk management
performance.
The first review you looked at was a detailed examination of the success of
risk treatments. You explored the importance of monitoring treatment
performance during a project and evaluating the results at the project's
conclusion. These findings could be used to modify and improve current
and future risk treatments, as well as to inform risk audits.
The final review you considered was an evaluation of the total risk
management process from risk identification, to risk analysis, to risk
treatment. You considered and added some key questions to include in
such a review. You also considered why these reviews are an essential
component of project and risk management.
Once you have completed this learning assessment have your assessor or
facilitator check your answer to see if you are on the right track.
Under Australia’s Copyright Act 1968 (the Act), except for any fair dealing
for the purposes of study, research, criticism or review, no part of this book
may be reproduced, stored in a retrieval system, or transmitted in any form
or by any means without prior written permission from John N. Bailey. All
inquiries should be directed in the first instance to the publisher at the
address below.
Copying for Education Purposes
The Act allows a maximum of one chapter or 10% of this book, whichever
is the greater, to be copied by an education institution for its educational
purposes provided that that educational institution (or the body that
administers it) has given a remuneration notice to John N. Bailey.
Disclaimer
All reasonable efforts have been made to ensure the quality and accuracy
of this publication. John N. Bailey assumes no responsibility for any errors
or omissions and no warranties are made with regard to this publication.
Neither John N. Bailey nor any authorised distributors shall be held
responsible for any direct, incidental or consequential damages resulting
from the use of this publication.