BSBRSK401

BSBRSK401
Identify risk and apply

risk management
processes
Student’s Workbook
1
Identify risk and apply risk management processes BSBRSK401
Student’s Personal Details
Student Name: SATISH SINGH
Student ID Number: AV-314
Contact number: 0449927875
Email: Satish.shira2013@gmail.com
2
BSBRSK401
BSBRSK401 - Identify risk and apply risk

management processes Id
Contents en
tify
Application of the Unit:....................................................................................................................................7
Pre requisite Units:...........................................................................................................................................7
Co requisite Units:............................................................................................................................................7
Introduction......................................................................................................................................................7
This Learning Guide covers:.............................................................................................................................7 ris
k
Learning Program............................................................................................................................................8
Additional Learning Support............................................................................................................................8
Facilitation.......................................................................................................................................................8
Flexible Learning..............................................................................................................................................9
Space................................................................................................................................................................9
an
Study Resources...............................................................................................................................................9
Time................................................................................................................................................................10
Study Strategies.............................................................................................................................................10
d
Using this learning guide:..............................................................................................................................10
THE ICON KEY.............................................................................................................................................. 11
ap
How to get the most out of your learning guide...........................................................................................12 ply
Additional research, reading and note taking...............................................................................................12
PERFORMANCE EVIDENCE............................................................................................................................ 13 ris
ELEMENTS AND PERFORMANCE CRITERIA.................................................................................................... 14
FOUNDATION SKILLS.................................................................................................................................... 16
k
KNOWLEDGE EVIDENCE............................................................................................................................... 18 m
an
ASSESSMENT CONDITIONS........................................................................................................................... 18
1. IDENTIFY RISKS........................................................................................................................................ 19
1.1
Unit overview.................................................................................................................................................19
IDENTIFY THE CONTEXT FOR RISK MANAGEMENT............................................................................................20 ag
e
Identify risks...................................................................................................................................................20
Case study................................................................................................................................................................. 20
.................................................................................................................................................................................. 21
Definitions................................................................................................................................................................. 21
Stakeholders.............................................................................................................................................................. 21
Risk............................................................................................................................................................................ 21
m
Risk event.................................................................................................................................................................. 22
Risk management......................................................................................................................................................22 en
t
1.2 IDENTIFY RISKS USING TOOLS, ENSURING ALL REASONABLE STEPS HAVE BEEN TAKEN TO IDENTIFY ALL RISKS................23
Risk identification tools.............................................................................................................................................23
Learning Assessment 1...................................................................................................................................23
.......................................................................................................................................................................25
Table 1: Informal risk identification tools......................................................................................................25 pr
oc
Table 2 Formal risk identification tools..........................................................................................................26
Types of risk...................................................................................................................................................27
Internal/external categorisation................................................................................................................................27
Learning Assessment 2:..................................................................................................................................28
Operational categorisation............................................................................................................................30 es
se
Figure 3: Attributes of a SWOT analysis.........................................................................................................30
.......................................................................................................................................................................31
3
s
Table 4: ‘SWOT ‘ Analysis example for Woolworths......................................................................................31
.......................................................................................................................................................................32
Table 5: Types of risks (Internally).................................................................................................................32
Table 6: Types of risks (Externally)................................................................................................................33
Figure 7: Stakeholders Risk Map....................................................................................................................34
.......................................................................................................................................................................34
Stakeholder risk map.....................................................................................................................................34
Project stage categorisation..........................................................................................................................35
Figure 8: Project lifecycle..............................................................................................................................35
Concept..................................................................................................................................................................... 35
Planning.................................................................................................................................................................... 35
Management and control..........................................................................................................................................35
Closeout.................................................................................................................................................................... 36
Table 9: Project risks.....................................................................................................................................36
1.3 DOCUMENT IDENTIFIED RISKS IN ACCORDANCE WITH RELEVANT POLICIES, PROCEDURES, LEGISLATION AND
STANDARDS............................................................................................................................................................37
Risk documentation.......................................................................................................................................37
Summary........................................................................................................................................................37
Figure 10: Risk register...................................................................................................................................38
2. ANALYSE AND EVALUATE RISKS................................................................................................................ 41
2.1 ANALYSE AND DOCUMENT RISKS IN CONSULTATION WITH RELEVANT STAKEHOLDERS.............................................41
Case study......................................................................................................................................................41
Causes of risk.................................................................................................................................................42
Figure 11: Risk Event Example......................................................................................................................43
Figure 12: Cause and effect of fishbone diagram..........................................................................................44
Risk impacts...................................................................................................................................................46
2.2 UNDERTAKE RISK CATEGORISATION AND DETERMINE LEVEL OF RISK....................................................................47
Risk prioritisation...........................................................................................................................................47
Figure 13: Impact-likelihood matrix...............................................................................................................47
2.3 DOCUMENT ANALYSIS PROCESSES AND OUTCOMES.........................................................................................52
Risk analysis...................................................................................................................................................52
Table 14: Impact Rating.................................................................................................................................53
.......................................................................................................................................................................53
Table 15: Likelihood Rating............................................................................................................................53
Table 16: Risk rating example with two measures........................................................................................54
Table 17: Exposure rating..............................................................................................................................54
Table 18: Risk rating example with three measures......................................................................................55
Risk analysis documentation..........................................................................................................................55
Table 19: Risk plan.........................................................................................................................................56
The Risk..................................................................................................................................................................... 57
Summary........................................................................................................................................................57
3. TREAT RISKS............................................................................................................................................. 58
Introduction....................................................................................................................................................58
3.1 DETERMINE APPROPRIATE CONTROL MEASURES FOR RISKS AND ASSESS FOR STRENGTHS AND WEAKNESSES................59
Case study......................................................................................................................................................59
Risk-handling approaches..............................................................................................................................60
Table 20: Treatment strategies......................................................................................................................60
3.2 IDENTIFY CONTROL MEASURES FOR ALL RISKS.................................................................................................62
Risk control measures....................................................................................................................................62
.......................................................................................................................................................................62
4
BSBRSK401
Table 21: Treatment strategy and control measures....................................................................................62

Control measure analysis...............................................................................................................................63
.......................................................................................................................................................................63
3.3
Table 22: Control measure strengths and weaknesses..................................................................................63
REFER RISKS RELEVANT TO WHOLE OF ORGANISATION OR HAVING AN IMPACT BEYOND OWN WORK
Id
RESPONSIBILITIES AND AREA OF OPERATION TO OTHERS AS PER ESTABLISHED POLICIES AND PROCEDURES.............................64
Risk monitoring..............................................................................................................................................64
en
3.4
Table 23: Risk Monitoring Methods...............................................................................................................65
CHOOSE AND IMPLEMENT CONTROL MEASURES FOR OWN AREA OF OPERATION AND/OR RESPONSIBILITIES................66
tify
Control measure selection and implementation............................................................................................66
Figure 24. Heirarchy of controls.....................................................................................................................67 ris
3.5 PREPARE AND IMPLEMENT TREATMENT PLANS...............................................................................................69
Treatment planning.......................................................................................................................................69
Figure 25: Risk treatment plan.......................................................................................................................70
k
Summary........................................................................................................................................................71
Learning Assessment 10:................................................................................................................................71 an
d
.......................................................................................................................................................................74
Figure 26: Risk Register..................................................................................................................................74
ap
4. MONITOR AND REVIEW EFFECTIVENESS OF RISK TREATMENT/S...............................................................75
4.1 REGULARLY REVIEW IMPLEMENTED TREATMENT/S AGAINST MEASURES OF SUCCESS..............................................76
ply
Case study......................................................................................................................................................76
4.2 USE REVIEW RESULTS TO IMPROVE THE TREATMENT OF RISKS...........................................................................77
Risk treatment review....................................................................................................................................77
4.3
Figure 27: Risk Review checklist.....................................................................................................................78
PROVIDE ASSISTANCE TO AUDITING RISK IN OWN AREA OF OPERATION...............................................................79 ris
k
Prepare Recommendations............................................................................................................................79
Document the risk audit report......................................................................................................................79
4.4 MONITOR AND REVIEW MANAGEMENT OF RISK IN OWN AREA OF OPERATION......................................................79
Risk management review...............................................................................................................................79
Figure 28: The Risk Management Process.....................................................................................................80
m
Key questions.................................................................................................................................................80
Risk identification......................................................................................................................................................80
Risk treatment........................................................................................................................................................... 81
an
Learning Assessment 11:................................................................................................................................81
Summary........................................................................................................................................................81 ag
e
Learning Assessment 12:................................................................................................................................82
RESOURCE EVALUATION FORM.................................................................................................................... 83
m
en
t
pr
oc
es
se
5
s
BSBRSK401 - Identify risk and apply

risk management processes
Application of the Unit:
This unit describes the skills and knowledge required to identify risks and to
apply established risk management processes to a defined area of
operations that are within the responsibilities and obligations of the role.
It applies to individuals with a broad knowledge of risk analysis or project
management who contribute well developed skills in creating solutions to
unpredictable problems through analysis and evaluation of information from
a variety of sources. They may have responsibility to provide guidance or
to delegate aspects of these tasks to others.
In this unit, risks applicable within own work responsibilities and area of
operation, may include projects being undertaken individually or by a team,
or operations within a section of the organisation.
No licensing, legislative or certification requirements apply to this unit at the
time of publication.
Pre requisite Units:
Nil
Co requisite Units:
Nil
Introduction
As a worker, a trainee or a future worker you want to enjoy your work and
become known as a valuable team member. This unit of competency will
help you acquire the knowledge and skills to work effectively as an
individual and in groups. It will give you the basis to contribute to the goals
of the organisation which employs you.
It is essential that you begin your training by becoming familiar with the
industry standards to which organisations must conform.
This unit of competency introduces you to some of the key issues and
responsibilities of workers and organisations in this area. The unit also
provides you with opportunities to develop the competencies necessary for
employees to operate as team members.
This Learning Guide covers:
 Identify risks
 Analyse and evaluate risks
 Treat risks
 Monitor and review effectiveness of risk treatment/s
6
BSBRSK401
Learning Program
As you progress through this unit you will develop skills in locating and
understanding an organisations policies and procedures. You will build up
a sound knowledge of the industry standards within which organisations
must operate. You should also become more aware of the effect that your
Id
own skills in dealing with people has on your success, or otherwise, in the
workplace. en
Knowledge of your skills and capabilities will help you make informed
choices about your further study and career options. tify
Additional Learning Support
To obtain additional support you may:
ris
 Search for other resources in the Learning Resource Centres of your k
learning institution. You may find books, journals, videos and other
materials which provide extra information for topics in this unit. an

d
Search in your local library. Most libraries keep information about
government departments and other organisations, services and
programs.
 Contact information services such as Infolink, Equal Opportunity ap
Commission, and Commissioner of Workplace Agreements. Union
organisations, and public relations and information services provided by
various government departments. Many of these services are listed in
ply

the telephone directory.
Contact your local shire or council office. Many councils have a
ris
community development or welfare officer as well as an information and
referral service.
k
 Contact the relevant facilitator by telephone, mail or facsimile. m
Facilitation
Your training organisation will provide you with a flexible learning facilitator. an
ag
Your facilitator will play an active role in supporting your learning, will make
regular contact with you and if you have face to face access, should
arrange to see you at least once. After you have enrolled your facilitator
will contact you by telephone or letter as soon as possible to let you know: e
 How and when to make contact
 What you need to do to complete this unit of study m
 What support will be provided
Here are some of the things your facilitator can do to make your study
en
easier. t
 Give you a clear visual timetable of events for the semester or term in
which you are enrolled, including any deadlines for assessments. pr

oc
Check that you know how to access library facilities and services.
 Conduct small ‘interest groups’ for some of the topics.
 Use ‘action sheets’ and website updates to remind you about tasks you
need to complete.
es
se
7
s
 Set up a ‘chat line”. If you have access to telephone conferencing or

video conferencing, your facilitator can use these for specific topics or
discussion sessions.
 Circulate a newsletter to keep you informed of events, topics and
resources of interest to you.
 Keep in touch with you by telephone or email during your studies.
Flexible Learning
Studying to become a competent worker and learning about current issues
in this area, is an interesting and exciting thing to do. You will establish
relationships with other Students, fellow workers and clients. You will also
learn about your own ideas, attitudes and values. You will also have fun –
most of the time.
At other times, study can seem overwhelming and impossibly demanding,
particularly when you have an assignment to do and you aren’t sure how to
tackle it…..and your family and friends want you to spend time with
them……and a movie you want to watch is on television….and….
Sometimes being a Student can be hard.
Here are some ideas to help you through the hard times. To study
effectively, you need space, resources and time.
Space
Try to set up a place at home or at work where:
 You can keep your study materials
 You can be reasonably quiet and free from interruptions, and
 You can be reasonably comfortable, with good lighting, seating and a
flat surface for writing.
If it is impossible for you to set up a study space, perhaps you could use
your local library. You will not be able to store your study materials there,
but you will have quiet, a desk and chair, and easy access to the other
facilities.
Study Resources
The most basic resources you will need are:
 a chair
 a desk or table
 a reading lamp or good light
 a folder or file to keep your notes and study materials together
 materials to record information (pen and paper or notebooks, or a
computer and printer)
 reference materials, including a dictionary
Do not forget that other people can be valuable study resources. Your
fellow workers, work supervisor, other Students, your flexible learning
facilitator, your local librarian, and workers in this area can also help you.
8
BSBRSK401
Time
It is important to plan your study time. Work out a time that suits you and
plan around it. Most people find that studying in short, concentrated blocks
of time (an hour or two) at regular intervals (daily, every second day, once
a week) is more effective than trying to cram a lot of learning into a whole
Id
day. You need time to “digest” the information in one section before you
move on to the next, and everyone needs regular breaks from study to en
avoid overload. Be realistic in allocating time for study. Look at what is
required for the unit and look at your other commitments. tify
Make up a study timetable and stick to it. Build in “deadlines” and set
yourself goals for completing study tasks. Allow time for reading and
completing assessments. Remember that it is the quality of the time you
ris
spend studying rather than the quantity that is important. k
Study Strategies
Different people have different learning 'styles'. Some people learn best by an
listening or repeating things out loud. Some learn best by 'doing', some by
reading and making notes. Assess your own learning style, and try to
identify any barriers to learning which might affect you. Are you easily
d
distracted? Are you afraid you will fail? Are you taking study too seriously?
Not seriously enough? Do you have supportive friends and family? Here
ap
are some ideas for effective study strategies:
Make notes. This often helps you to remember new or unfamiliar
ply
information. Do not worry about spelling or neatness, as long as you can
read your own notes. Keep your notes with the rest of your study materials ris
and add to them as you go. Use pictures and diagrams if this helps.
Underline key words when you are reading the materials in this learning k
guide. (Do not underline things in other people's books.) This also helps
you to remember important points. m
Talk to other people (fellow workers, fellow Students, friends, family, your
facilitator) about what you are learning. As well as helping you to clarify and an
understand new ideas, talking also gives you a chance to find out extra
information and to get fresh ideas and different points of view ag
Using this learning guide:
A learning guide is just that, a guide to help you learn. A learning guide is e
m
not a text book. This learning guide will
 describe the skills you need to demonstrate to achieve competency for

this unit
provide information and knowledge to help you develop your skills
en
 provide you with structured learning assessments to help you absorb
the knowledge and information and practice your skills
t
 direct you to other sources of additional knowledge and information pr
about topics for this unit.
oc
es
se
9
s
The Icon Key

Key Points
Explains the actions taken by a competent person.
Example
Illustrates the concept or competency by providing examples
Learning Assessment
Provides learning assessment activities to reinforce understanding
of the action. This is called formative assessment
Formative assessment
The goal of formative assessment is to monitor your learning to
provide ongoing feedback that can be used by your trainer to
improve their teaching and so you can improve your learning.
More specifically, formative assessments:
 help you identify your strengths and weaknesses and target
areas that need work
 help your trainer recognise where you are struggling and
address problems immediately
Chart
Provides images that represent data symbolically. They are used
to present complex information and numerical data in a simple,
compact format.
Intended Outcomes or Objectives
Statements of intended outcomes or objectives are descriptions of
the work that will be done. These are also known as your
Performance Criteria
Assessment
Strategies with which information will be collected in order to
validate each intended outcome or objective. This is called
summative assessment.
Summative assessment
The goal of summative assessment is to evaluate your learning at
the end of an instructional (learning) unit by comparing it against
some standard or benchmark.
10
BSBRSK401
How to get the most out of your learning guide

1. Read through the information in the learning guide carefully. Make sure
you understand the material.
Some sections are quite long and cover complex ideas and information. If
you come across anything you do not understand:
Id
 talk to your facilitator en

tify
research the area using the books and materials listed under
Resources
 discuss the issue with other people (your workplace supervisor, fellow
workers, fellow Students) ris
 try to relate the information presented in this learning guide to your own
experience and to what you already know. k
Ask yourself questions as you go: For example “Have I seen this
happening anywhere?” “Could this apply to me?” “What if….?” This will an
help you to make sense of new material and to build on your existing
knowledge. d
2. Talk to people about your study.
Talking is a great way to reinforce what you are learning.
ap
3. Make notes. ply
4. Work through the assessments.
Even if you are tempted to skip some assessments, do them anyway. ris
They are there for a reason, and even if you already have the knowledge or
skills relating to a particular assessment, doing them will help to reinforce
what you already know. If you do not understand an assessment, think
k
carefully about the way the questions or instructions are phrased. Read
the section again to see if you can make sense of it. If you are still
m
confused, contact your facilitator or discuss the assessment with other
Students, fellow workers or with your workplace supervisor. an
Additional research, reading and note taking.
If you are using the additional references and resources suggested in the
ag
learning guide to take your knowledge a step further, there are a few
simple things to keep in mind to make this kind of research easier.
e
Always make a note of the author’s name, the title of the book or article,
the edition, when it was published, where it was published, and the name
m
of the publisher. If you are taking notes about specific ideas or information,
you will need to put the page number as well. This is called the reference en
information. You will need this for some assessment tasks and it will help
you to find the book again if needed. t
Keep your notes short and to the point. Relate your notes to the material in
your learning guide. Put things into your own words. This will give you a
better understanding of the material.
pr
Start off with a question you want answered when you are exploring oc
additional resource materials. This will structure your reading and save
you time. es
se
11
s
Performance Evidence
Evidence of the ability to apply organisational policies, procedures and
processes to:
 identify risks
 consult with relevant stakeholders to analyse and evaluate risks
 identify and evaluate control measures
 develop and implement treatment plans for own area or responsibility
 refer risks that are beyond own area of responsibility to others
 maintain risk management documentation.
Note: If a specific volume or frequency is not stated, then evidence must be
provided at least once.
12
BSBRSK401
Elements and Performance Criteria

BSBRSK401 - Identify risk and apply risk management processes Id
Element
en
1. Identify risks
tify
1.1 Identify the context for risk management
ris
Identify risks using tools, ensuring all reasonable steps have been
1.2 taken to identify all risks k
1.3
Document identified risks in accordance with relevant policies,
procedures, legislation and standards
an
2. Analyse and evaluate risks d
2.1
Analyse and document risks in consultation with relevant ap
stakeholders
2.2 Undertake risk categorisation and determine level of risk

ply
2.3 Document analysis processes and outcomes
ris
3. Treat risks
k
3.1
Determine appropriate control measures for risks and assess for m
strengths and weaknesses
an
3.2 Identify control measures for all risks
Refer risks relevant to whole of organisation or having an impact

ag
3.3 beyond own work responsibilities and area of operation to others as
per established policies and procedures
e
3.4
Choose and implement control measures for own area of operation m
and/or responsibilities
3.5 Prepare and implement treatment plans

en
t
pr
oc
es
se
13
s
4. Monitor and review effectiveness of risk treatment/s
Regularly review implemented treatment/s against measures of

4.1 success
4.2 Use review results to improve the treatment of risks
4.3 Provide assistance to auditing risk in own area of operation
4.4 Monitor and review management of risk in own area of operation
14
BSBRSK401
Foundation Skills
Id
Skill Performance Criteria Description
Reading 1.2  Comprehends documents

en
and texts of varying
complexity to extract and tify
analyse relevant information
ris
Writing 1.3, 2.1, 2.3, 3.5  Uses specific, industry
related
logical
terminology and
organisational
k
structure in workplace
documents that identify and an
d
analyse risk and report
management process
outcomes
Oral 2.1  Participates effectively in

ap
communication interactions
stakeholders by
with
using ply
ris
questioning and listening to
elicit opinions and clarify
understanding
Numeracy 1.2, 4.1  Uses numerical tools to

k
assess risk and uses
numerical data to review m
plans
Navigate the 1.1, 1.3, 3.3  Complies with organisational

an
world of work and legislative requirements ag
 Takes responsibility for
identification
management of risk within
and e
own work context and refers
matters to others as required m
Interact with 2.1  Selects appropriate en
others communication protocols
and conventions when
conferring with others to
t
establish risk management
requirements pr
oc
es
se
15
s
Skill Performance Criteria Description
Get the work done 1.1, 1.2, 2.1, 2.2, 3.1,  Determines job sequence
3.2, 3.4, 3.5, 4.1, 4.2, and works logically and
4.3, 4.4 systematically to
undertake defined tasks
 Uses analysis and
consultative processes to
inform decisions about
selection and
implementation of risk
control measures
 Evaluates effectiveness of
plans and results to inform
improvement decisions
 Uses familiar digital
technologies and systems
to access information,
prepare plans and
communicate with others
16
BSBRSK401
Knowledge Evidence
To complete the unit requirements safely and effectively, the individual
Id
must:
 outline techniques for identifying and evaluating risks
en
 outline organisational policies, procedures or processes for risk
management
tify
 give examples of areas where risks are commonly identified in an
organisation
ris
 outline the purpose and key elements of current risk management k
standards
 outline the legislative and regulatory context of the organisation in an

relation to risk management
describe the organisation's auditing requirements relating to risk
d
management.
ap
Assessment Conditions ply
Assessment must be conducted in a safe environment where evidence ris
gathered demonstrates consistent performance of typical activities
experienced in the regulation, licensing and risk - risk management field of
work and include access to:
k
 relevant legislation, regulations, standards and codes m


relevant workplace documentation and resources
case studies and, where possible, real situations
an
 interaction with others. ag
Assessors must satisfy NVR/AQTF assessor requirements.
e
m
en
t
pr
oc
es
se
17
s
1. Identify risks
Identify risks using tools, ensuring all reasonable steps

1.2 have been taken to identify all risks
Document identified risks in accordance with relevant

1.3 policies, procedures, legislation and standards
Unit overview
Often a business is taken aback when unpleasant surprises happen late in
a project, when in fact they should have come as no surprise at all. In some
cases these same problems have arisen previously in similar projects. In
other cases someone has suspected that they could occur but has not said
anything. The business has failed to identify potential surprises, otherwise
known as risks. Without knowing what could potentially go wrong, the
business is unable to devise strategies to manage those problems.
Risks are inherent in every business and every project. Effective risk
management attempts to recognise and manage potential problems that
may occur for a business or a project. It identifies as many risk events as
possible, analyses the effects of those risks, minimises their impact, and
determines how to treat those risk events.
Risk management is proactive - that is, you are anticipating a situation and
determining a response or a plan of action. The opposite is reactive
management, where a surprise situation occurs, usually negative, and you
respond. To respond you often need to set aside the work you are doing,
recruit others to your response team, and resolve the problem. This may
take hours, days or months. Many businesses use this kind of 'firefighting'
approach to problem solving, when if they had spent some resources
identifying and planning for risks it would have cost them far less in
downtime and missed opportunities.
18
BSBRSK401

Identify risks
Risk identification can be challenging because it requires thinking that may
be seen as detrimental to a project. Good risk identification requires 'nega- Id
tive thinking' because you are looking for potential problems. This can be
seen as at odds with the 'can-do' attitude often expected in business today. en
On completion of this element you will be able to:
 define risk
tify
 name risk identification tools ris
 describe various types or categories of risk
 document risks in accordance with relevant policies, procedures and k
legislation.
an
Case study d
Gail had just completed the last bit of formatting on her project plan. It was ap
her very first plan since her promotion to Product Manager of a new line of
socks at the Fitzroy Falls Clothing Company. Gail was really pleased with
her efforts and thought that her very well researched and thorough
ply
document would be sure to impress her boss and ensure a timely start to
her project. She thought ahead to how fantastic it was going to be once the
ris
project got under way and she was finally in charge of a product line with
suppliers and customers, budgets and schedules. k
Neil, the Director of Logistics, popped his head into Gail's office. He was
like the old grandfather figure at the Fitzroy Falls Clothing Company. Neil m
was a wealth of experience and knowledge. He had been around forever
and took a keen interest in the work of the newer members of staff. an
ag
'How's that plan going, Gail?' asks Neil.
'I think I've nailed it, Neil. It took longer than I expected but I've covered
everything. I've recruited a great production team headed by Nathan and
secured some excellent prices from suppliers. The packaging concepts e
look great. The initial Clothing designs are fantastic and some have been
tested overseas and done really well. The marketing team tells me there's
a big market for this product. I think my forecasts look strong for sales and
m
profit. I really can't wait to get the boss's approval and get started.'
'Sounds great, Gail,' says Neil. 'But tell me what happens if Nathan gets
en
pulled from your production line - you know they're always stealing him for
the next great product development idea? Also, what happens if Jacobs & t
Co goes on 'stop supply' again at the critical buying time? Will that throw
your forecasts out or can you make it up with your other customers?' pr
The colour drained from Gail's face. She hadn't considered these things.
After all, she was a marketer and not trained to look at things oc
pessimistically.
es
se
19
s
Definitions
Different fields of study treat risk and risk management quite differently. They
also use separate terms for risk. For example:
 In the occupational health and safety field, risk is usually considered in
terms of hazards to personal safety. These hazards are usually non-
speculative or pure risks. This area is dominated by engineering
approaches to risk management.
 In the insurance industry, risk is speculative and considered in terms of
exposure when underwriting.
 In the security industry, risk might be termed threat.
 In the finance sector, risk typically refers to speculative risks
associated with investments.
 In the government and public services, risk is often political.
Other sectors highly sensitive to risk, and heavily reliant on risk
management, are the economy and the environment.
This manual looks at business risk, which has elements of the other fields
of study but is a more generic kind of risk. Business risk uses terms such
as uncertainty, problems and surprises. We will explore the numerous
types of risk that fall under the category of business risk later in this
element.
First, let us look at some key definitions.
Stakeholders
This term is used throughout this manual, so it is best to get a clear
definition up front.
Stakeholders are the people and organisations that have an interest in the
business or project.
They may be employees, suppliers, customers, shareholders, end users,
industry bodies, external agencies engaged in the project, or anyone with
an interest who is likely to be affected by a risk event.
Risk
There are a number of definitions of risk. The following definition has been
chosen because it recognises the positive aspect of risk as well as the
negative. While risk is often a negative occurrence, it can also provide
opportunities that a business can exploit to its advantage.
Risk is the chance of something happening that will have an impact on
objectives.
Risk arises out of uncertainty and has two elements:
 the likelihood of something happening
 the severity of the consequences resulting from the event.
We will look at these two elements in more detail in the next element.
20
BSBRSK401
Risk event
This term will be used throughout this manual.
“A risk event is the occurrence of a particular set of circumstances that
present a risk.” Id
Risk management en
The Australian/New Zealand Risk Management Standard AS/NZS 4360:
2004 defines risk management as: tify
“the culture, processes and structures that are directed towards the
effective management of potential opportunities and adverse effects.” ris
Again, this definition recognises that risks can produce opportunities as
k
well problems. an
You will also notice this definition includes the word potential. This implies
that risk management is something that should be in place before a risk
event arises. It is not simply a process of managing problems after they
d
have occurred.
Risk management is a continuous process. Risks will change during each
ap
stage of a project and risk estimates will need to be refined. Some risks will
disappear and new ones will emerge. Your risk management treatments
ply
will need to be responsive and flexible.
ris
k
m
an
ag
e
m
en
t
pr
oc
es
se
21
s
1.2 Identify risks using tools, ensuring all reasonable steps have been
taken to identify all risks
Risk identification tools

How do we work out what
the potential risks of a
project or business
situation might be? Like
most business analysis
there are formal and
informal methods or tools
that can be used
Learning Assessment 1
As part of your learning journey you are to think back to the case study at
the beginning of this element. Gail has realised that she has overlooked
risk management when preparing her project plan. She is a self-confessed
optimistic marketer, so how is she going to determine all the problems that
could arise during the course of her project?
22
BSBRSK401
Before we explore some of the tools available for identifying risk, write
down a couple of ways Gail might go about determining potential problems
for her project.
Id
en
tify
ris
k
an
d
ap
ply
ris
k
m
Once you have completed this learning assessment have your assessor or an
facilitator check your answer to see if you are on the right track.
ag
The comprehensive identification of all risks is critical to the project's
e
success. Any risk not identified at this early stage is automatically excluded
from further analysis and therefore an associated response or minimisation
m
strategy. So the objective of risk identification is to generate a list of as
many possible risks, or potential problems, as you can. It stands to reason, en
then, that getting a wide cross-section of the stakeholders to participate will
lead to a greater number and a greater variety of risks being identified. t
It is also important to focus on the risk events without getting caught up in
the consequences of those events. That comes later. At this stage you are
trying to identify what could occur that would result in a risk to the business.
pr
Let us start by thinking about all the informal ways in which you can identify oc
potential risks. You probably thought of a couple of these in the Learning
Assessment you just completed. Here is a list of the most common informal
risk identification tools.
es
se
23
s
Table 1: Informal risk identification tools

Some established 'formal' tools for identifying risks are as follows:
Risk identification Description

tool
 Brainstorming Gather a range of stakeholders (internal representatives

from each key functional area of the project, suppliers,
customers, end users, industry experts and so on) to
meet under the direction of a facilitator to generate as
many potential risks as possible. You can brainstorm
against each stage of the product/project lifecycle, or
against each type of risk category.
 Stakeholder Using interviews, surveys or questionnaires you can

consultation consult each stakeholder group to get their input about
possible risks.
 Benchmarking Review what happens in other like businesses working

on similar projects. Determine the risks that arose for
them.
 Document Published reports (secondary data) can provide

review information to identify possible risks. Sources could
include the Australian Bureau of Statistics, government,
local council, industry/professional groups, newspapers
and journals. The Internet now makes so much of this
data readily accessible.
 Reviewing This includes reviewing information from the current

project project (plans, analysis and designs) as well as
information reviewing information from past projects (plans, progress
reports, communication between stakeholders, final
report or audit) that can provide some insight into the
current project.
 Observation If your project involves a physical process (such as

manufacturing) you could observe the process and note
any possible sources of risk.
24
BSBRSK401
Table 2 Formal risk identification tools
Id
Risk identification Description
en
tool
tify
 Checklists A series of items that need to be checked or approved
before a project can start. For example, airline pilots must ris
work their way through a preflight checklist to ensure that
all is in working order before takeoff. k
 Diagrammatic
techniques
You can use various types of diagrams (fishbone diagram,
process/environment, flowchart and so on) to inspire an
d
questions about possible risks. For example, you may
draw a fishbone diagram for one particular outcome of a
project.
This type of diagram shows all the inputs required to get ap
to this outcome. At each of these inputs you can ask
questions about what could go wrong. ply
 Quantitative
modelling or
If you have lots of information/data about a project and
predetermined risk indicators you can model various ris
scenario building outcomes by developing scenarios.
k
 Computer Sophisticated software can simulate your exposure to risk
simulations should certain circumstances occur. You need to
determine the likely circumstances.
m
an
The main difference between these formal and informal risk identification
tools is that the formal tools rely on a large amount of data and information.
ag
This data is usually gathered from lots of past experience with similar
projects, or from extensive testing or piloting of a project. While the formal
e
tools produce more accurate information enabling you to go forward to the
next stage of risk analysis, you should not allow the lack of good m
information/data to keep you from conducting systematic risk identification.
The informal tools can be used by anyone on any type of project and will
certainly produce a plethora of risk possibilities that you would not have
en
thought of yourself. Even better, if you are information poor, use several of
the informal tools and combine the results.
t
pr
oc
es
se
25
s
Types of risk
Now that you have worked out how to identify potential risks to your busi-
ness or project, you should look more closely at those risks. Because there
are so many potential risks it is a good idea to group risks into different
types. This will help you when it comes to analysing your risks and
determining appropriate treatments.
There are many different ways to group or type potential risks. Every text
book on risk management will offer a different approach. Here are some of
the most common methods of categorising risks.
Internal/external categorisation
One broad way to categorise your risks is to determine which are internal
risks (that is, risks within your business or project) and which are external
risks (that is, risks outside of your business). This is a useful way of sorting
risks because it correlates with control.
Internal risks are usually within your control. Internal risks, such as
communication bottlenecks, lack of staff and machinery breakdown, can be
influenced by changes to business operations or forward planning.
External risks however, are generally out of your control and so are
harder to manage and plan for. For instance, external risks such as
economic downturn and competitor activities are impossible to influence.
You can only acknowledge their possibility and prepare a contingency plan
in case they do happen.
26
BSBRSK401
Learning Assessment 2:
As part of your learning journey you are to think about your own project or
business, or use the case study at the beginning of this element as your Id
base. Write down five internal and five external risks.
en
tify
ris
k
an
d
ap
ply
ris
k
m
an
ag
e
Think about the internal risks. Could you stop any from happening? You
can probably already think of solutions or strategies to minimise their effect.
m
en
t
pr
oc
es
se
27
s
What about the external risks? Do they appear more difficult to solve?
Usually there is not much you can do to prevent them occurring, so it is a
matter of working out how to deal with them if and when they do occur.
Once you have completed this learning assessment have your assessor or
So, categorising internal and external risks is a very useful but fairly broad
measure when you are dealing with a lot of risks. You might, therefore,
want to further refine your categorisation of risks.
28
BSBRSK401
Operational categorisation
One way to further categorise risks under the broad internal and external
headings is by grouping against the type of business or external operation.
If you are familiar with situation analysis or SWOT (Strengths,
Weaknesses, Opportunities and Threats) analysis you will know that
Id
strengths and weaknesses are internal business measures and
opportunities and threats are external. Under each of these headings are a en
number of subheadings that you analyse against. Operational
categorisation is very similar. tify
ris
Figure 3: Attributes of a SWOT analysis
k
an
d
ap
ply
ris
k
m
an
ag
e
m
en
t
pr
oc
es
se
29
s
Table 4: ‘SWOT ‘ Analysis example for Woolworths
 STRENGT WEAKNESSES
HS  With increased
 Powerful retail growth, it may
brand with great result in decreased
buying power control within
some areas such
 Reputation for as the quality of
value for money product
 Wide range of
products
 OPPORTUNI THREATS
TIES
 Competition from
 To take over, overseas chain
merge with, or grocery stores, eg
form strategic Aldi
alliances with
other global  Local competition
retailers with great prices
 Expand globally,
eg Europe or
China
30
BSBRSK401
Table 5: Types of risks (Internally)
Id
INTERNAL
en
Risk category  Types of risk tify
Manufacturing  Inadequate supply of raw materials ris
EXTERNAL
 Machinery breakdown
k
Marketing and sales  Launch campaign delayed
Risk category  Types of risk
 Failure to secure sales with major customers an
Economic  Product
Interest rate change
oversold
 Currency change
d
Finance  Funding changes
 Employment rate change
 Unanticipated cost fluctuations
ap
Political  Cashflow
Changeproblems
of political party in power ply
 Regulation or legal changes
Distribution  Lack of storage space on site
 Funding change
ris
 New channels requiring redesigned methods
Human resources
 Change in policy with supplying country
 Lack of appropriately skilled staff
k
Environmental  Natural disasters
 No skills training in place
 Unseasonal weather
m
Technological
 Communication problems
 Key
New
staffbreakthroughs
leaving affecting market
an
Information 
 E-commerce uptake
Software or system problem
ag
technology
Competitor  lostMerger or acquisition
information
 Price fluctuations
e
WHS  Accidents or incidents
 New offerings m
Legal  Patent

and copyright issues
Marketing/advertising
Public liability claim
activity
en
 Enters liquidation
t
Customer
 Buys from competitors first
 Insists on exclusivity pr
Supplier 

Fails to deliver raw materials on time
Faulty materials
oc
 Price rise es
se
31
s
Table 6: Types of risks (Externally)
32
Figure 7: Stakeholders Risk Map
FINANCE DEPT
SUPPLIERS Budget cuts MANAGEMENT
Responsiveness User pays Change in
Price External $ priority
Scheduling New products Loss of Key Staff
Reliability Approval
Stability Merger/
Quality acquisition
FACTORY
WORK TEAM
WHS
Loss of Key Staff
Fire/disaster
Unions BUSINESS Training
Downsizing
Scheduling
Succession plan
Equipment
Sabotage
Staffing
CUSTOMERS COMPETITORS
Knowledge of GOVERNMENT Speed to market
offer Funding Response to offer
Brand loyalty Tariffs New products
Price sensitivity Competitive Capacity
tendering Costings
Stakeholder risk map

A method of categorising risk similar to the one just described is a
stakeholder risk map. This type of risk grouping does not separate internal
and external risks, but simply looks at all stakeholders to the business or
project. Each stakeholder or stakeholder group is identified as a source of
risk and then possible risks are assigned to each.
A stakeholder risk map, as the name would suggest, is often represented in
diagrammatic form. The preceding figure is an example.
One excellent opportunity to prepare a stakeholder risk map is during a
brainstorming session with representatives from each stakeholder group.
33
Project stage categorisation
The final way of categorising risk we are going to look at here is specific to
project work. The common method used to identify and categorise risk in
project management is against each stage of the project lifecycle. You
determine risks at the stage of scoping or planning a project right through
to risks that could arise on project termination or closure.
The following figure shows a generic project lifecycle.
Figure 8: Project lifecycle
Managing and Control

Level of Activity
Closeout
Concept
Planning
Time
There are four main stages of any project:
Concept
The project brief is determined. An outline of the project is prepared from
which feasibility studies can be undertaken. The project is then either
approved, put on hold or cancelled.
Planning
At this stage all facets of the project are scoped, with deadlines and
budgets assigned.
Management and control
The project is now under way, with control procedures in place to manage
any discrepancies.
34
Closeout
The project is complete and is reviewed and evaluated to inform future
projects.
Let us now examine some risks that may arise at each stage.
Table 9: Project risks
Project stage Concept Planning Management Closeout

and control
Types of  Managemen  Raw  Manufacturin  Inadequate

risks t support materials g delays reporting to
supply inform other
 Funding  Machinery
projects
source  Estimation breakdown
errors
 Staff losses
Again, getting all stakeholders to inform this method of risk generation and
categorisation is more likely to lead to more risks being identified, analysed
and planned for.
35
1.3 Document identified risks in accordance with relevant policies,
procedures, legislation and standards
Risk documentation
This is the final stage of risk identification. It is pointless to go through
elaborate risk identification and categorisation if you do not fully document,
or record, each risk in a manner that can be later analysed and allocated
with a treatment plan.
One way to clearly document each risk is in a risk register. The risk register
is a log or database that is opened at the beginning of a project or activity.
It is an evolving document where all risks are tracked from identification to
closure.
Once Identify risks using tools, ensuring all reasonable steps have been
taken to identify all risks they are written in and assigned an ID number or
reference. From this risk register each risk can be analysed and actioned.
We will look at the analysis stage in the next element.
The risk register often forms the basis of more complex documents that
need to be prepared later in the risk management process. Documents
such as a risk profile, risk plans and risk treatment plans all draw
information from the risk register that you begin at this risk identification
stage.
There may be other risk documentation that a particular organisation or
industry requires. For example, there may be legal, contractual or safety
agreements that require associated risks be documented and
communicated in a certain way.
Figure 10 on the next page shows the layout of a risk register.
Summary
Risk identification is a proactive way of solving problems. Rather than waiting
for the problems to happen, you are anticipating what could happen so that
you are better prepared and better resourced.
In this element we defined the main terms you are going to come across
throughout this manual. We first determined the difference between business
risks and other kinds of risks. We defined stakeholders, risk, risk event and
risk management.
Next we looked at the tools used for identifying risk. We distinguished between
informal and formal tools and briefly looked at several types of each,
recognising that the formal tools required more data to be effective.
Once tools for risk identification were in place we looked at the endless risks
that could occur in businesses or particular projects. To properly assess these
risks it is easier if they are grouped. We looked at a number of ways to group
or categorise risks such as internal/external, operational, stakeholder and
project stage.
Finally we looked at the documentation required to record risks. We deter-
mined that a risk register was a good document because it tracked risks from
initial identification right through to the closure of the project or business
activity and kept an account of the risk impact and actions taken.
36
Date Risk Overall Priority Action Action Date
ID Risk Impact Preventative actions Contingency actions
Raised Owner risk rating rating date date closed
Figure 10: Risk register
37
Define the following terms:

 Stakeholders
 Risk
 Risk event
 Risk management.
Why is it so important to identify as many risks as possible at the outset of

a project or activity?
38
Describe two formal and two informal risk identification tools and when you
might use them. Give real life examples.
Explain three ways in which you might group or categorise a large number
of risks generated at a staff brainstorming session. Give real life examples
Why is a formal method of documenting risk a good business practice?

Give real life examples in your answer.
39
2. Analyse and evaluate risks
Analyse and document risks in consultation with
2.1 relevant stakeholders
Undertake risk categorisation and determine level of

2.2 risk
In the previous element we looked at identifying, categorising and docu-

menting risks. In this element we will look at analysing and evaluating
those risks.
Not all risks are equally significant. Good risk identification can lead to hun-
dreds, perhaps even thousands, of risks coming to light. It is rarely prudent
to formulate treatment plans for all identified risks. You need a way to
separate the risks that are really significant and deserve attention, from
those that are trivial and can be ignored. This is where risk analysis and
evaluation comes in.
On completion of this element you will be able to:
 determine causes of risk;
 estimate the impact of certain risks;
 estimate the likelihood of certain risks occurring;
 categorise and prioritise the risk events from your calculations;
 document the risk analysis process and outcomes.
2.1 Analyse and document risks in consultation with relevant

stakeholders
Case study
Gail scheduled a meeting and invited at least one person (stakeholder)
from every section of her project. She determined that these stakeholders
needed to represent suppliers, product design, production planning,
manufacturing, marketing, sales, distribution, finance, management,
customers and end users.
Gail thought through the various tools available to identify risks. She didn't
have a lot of data from previous projects, as the Fitzroy Falls Clothing
Company didn't carry out a formal closeout of projects, where audits are
performed and project outcomes inform future projects. So Gail's options to
identify risks were limited to informal methods.
40
Gail settled on a facilitated brainstorming session with as many of the
stakeholders who could attend. Those that couldn't were to be surveyed
later.
Preparation for the meeting included taking the detailed project lifecycle
that Gail had prepared as part of her project plan, and enlarging this so that
it filled one wall of the meeting room. This lifecycle was broken into various
project stages marked with milestones. Each stakeholder was issued with
sticky notes and pens. The idea was that all the potential risks would be
written on the sticky notes and placed on the corresponding section of the
project lifecycle.
The session was professionally run by a facilitator from a business
consultancy. Even though it ran for over four hours, everyone was still
buzzing when it was complete. Most of the stakeholders offered to provide
further advice if Gail needed it. At the conclusion, Gail sat alone in the
meeting room facing a wall covered in hundreds of sticky notes. She had a
big wad of notes about each identified risk. They had explored the causes
of each risk and the possible impacts.
Gail was overwhelmed. She counted the risks. There were 168. She now
had more potential risks than she had ever dreamed possible. How was
she going to incorporate these into her project plan and still get it to her
boss in time for the product launch? Developing contingency plans for each
of these 168 risks would take weeks and create an enormous document
that she didn't think anyone would ever read, let alone put into practice.
Gail needed a way to find the real risks - those that were likely to happen
and would cause a major problem if they did - and weed out the minor risks
that may never happen, or would only cause a little blip in the project. Gail
needed to get analytical.
Causes of risk
Risk analysis is sometimes called risk assessment. It is a step-by-step
process. The very first step is to determine the causes of the risks you have
identified. Risks are a bit like medical symptoms. They need to be treated,
but to treat them effectively you must determine their cause so that you are
treating the root of the problem rather than the symptom that appears on
the surface.
Let us use an example from the case study featured at the beginning of this
element. One risk event that may have been identified is that the new
Clothing order is late for shipment to its retail customers. There could be a
number of causes of this risk event. It may be that machinery breaks down
and the repairs cause production delays. Or perhaps the yarn is delivered
late from the overseas supplier. Or perhaps a strike occurs in the factory,
shutting it down for two days during the critical stage of production. You can
see that each cause of this risk event would need a different treatment or
risk management plan.
41
The tools used to determine causes of risks are very similar to those used
in the risk identification stage. Informal tools such as brainstorming,
stakeholder consultation, benchmarking and observation can all help to find
the root causes of each risk event. For this reason you might want to
structure cause identification into your risk identification session. For
instance, if using brainstorming with stakeholders to identify as many risks
as possible extend the session or schedule another to explore the possible
causes of each identified risk.
Figure 11: Risk Event Example
42
Some other tools that can be used to effectively determine the causes of
risks are diagrammatic techniques. The cause and effect diagram, also
called the fishbone diagram, is a way looking at all the activities that feed
into an outcome. It forces you to consider each area of the business that
could possibly be the root cause of a risk event. The following figure shows
the possible causes of the risk event mentioned earlier.
Figure 12: Cause and effect of fishbone diagram
43
Here are two different risks identified in Gail's brainstorming session. As
part of your learning journey you are to think of three possible causes of
each risk.
Risk 1: The first batch of clothing has an unusually high faulty rate.
Risk 2: Three of the major customers cancel their large indent orders.
44
Can you see that depending on the cause of the risk, a different treatment
or contingency plan would be needed?
Once you have the causes of risk events you may want to go back to your
risk register and flesh out the description of your risks or categorise them
into root cause risks. It is worth the time now to properly list and describe
all risks, as this forms the basis of your analysis. Any risks not
documented, or not properly documented, will cause errors in the risk
analysis scores, which may lead to risks being overlooked, underestimated
or overestimated.
Risk impacts
Once you have reworked your risk register so that all risks are clearly
expressed, including their cause, you should extend the risk description to
include a description of the possible impact of that risk event occurring. The
impact is the consequence that could result if the risk event occurred.
Sometimes there are several consequences from a particular risk event. All
consequences, or impacts, should be documented in the risk register.
Let us use that example again from the case study. The risk event is that
the new Clothing order is late for shipment to customers. The impact of this
risk event could be that certain customers cancel their orders. Or perhaps
you have to discount the stock in order for the customers to take delivery.
Or perhaps instead of shipping to a central retailer warehouse, you need to
individually deliver to each store to eliminate the delay from warehouse to
outlet.
Again, this stage of risk analysis can benefit from the broad input of stake-
holders. You may want to add this stage to your risk identification brain-
storming session.
45
2.2 Undertake risk categorisation and determine level of risk
Risk prioritisation
By completing a quantitative risk analysis you are essentially ranking, or
prioritising, your risks from most important, or serious, to least important.
You could give each risk a score and rank it in priority order, but it may be
easier to work out cut-off points for action by putting your risks into groups.
You could have any number of groups, but it is common to sort into three
groups - high risk, medium risk and low risk.
 Generally you will consider the low risk category as acceptable risks
that can be excluded from further analysis or planning. The high risk
category represents unacceptable risks that take top priority and need
preventative measures in place or treatment plans for their eventuality.
Medium category risks are more difficult to plan for. You need some
sense of awareness about them, but it may not be cost or time effective
to put preventative measures or treatment plans into place for all of
them. It really depends on the resources available to you whether or not
you action them or ignore them.
 One way of graphically representing and sorting your data is with an
impact-likelihood matrix. This matrix, along with shading representing
the three risk categories, is shown in the following figure.
Figure 13: Impact-likelihood matrix
  Extr      
eme 5
  High      
4
 Im  Medi      
pact um 3
  Low      
2
  Insig      
nificant 1
   1 2 3 4 5
    Likelihood
Where:
46
= Low Risk. No action required unless risk occurs
= Medium Risk. Plan for but limit resources
= High Risk. Action Immediately
Let us revisit the risk rating example with two measures shown previously.
Use the figures provided to plot the four given risks on the following impact-
likelihood matrix.
 Extreme      
5
 High      
4
 I Medium      
mpact 3
 Low      
2
 Insignificant      
1
   1  2  3  4  5
   Likelihood
Now you can easily see which action group each risk falls into.
We should also look at how we can group risks when using all three risk
measures - impact, likelihood and exposure. Remember that this schema
gave us a score between 1 and 125. You can break these scores down to
the same three categories used earlier.
So:
Below 27 = Low risk. No action required unless risk occurs.
27-74 = Medium risk. Plan for, but limit resources.
75+ = High risk. Action immediately.
Regardless of how many measures you use to analyse your risks and the
range of scores your risks fall into, businesses with an established risk
47
management process may have predetermined categories with actions
already assigned. For instance, using the three risk measures schema (1-
125) your business may determine that any risk with a score below the
threshold of 30 is simply not addressed. Or your business may have
determined that it only plans for the top five risks and will not allocate risk
treatment plans for any risks below these.
48
Explain, with an example, how one risk event may have a number of
causes.
Why is it important to determine the underlying causes of risk events?
Explain, with an example, how one risk event may have a number of
impacts.
49
Define the three measures of risk:
 impact
 likelihood
 exposure
Describe how these measures can be used to calculate an overall risk

rating.
50
Why is it important to categorise and/or prioritise risks?
Describe two ways of categorising or prioritising risks.
Why is it a good idea to prepare a risk plan for your most important risks?
51

Risk analysis
It is time to explore the measures used to analyse risk more closely. There
are many highly technical quantitative methods of analysing risks, but
without immense data and modelling software these are difficult to
implement. There are also qualitative methods of analysing risks where
simply 'low' and 'high' are assigned against risk events.
Often these judgments are inaccurate and unreliable because they rely
only on the knowledge and experience of the estimator. Different
estimators would almost certainly evaluate risks in different ways. There is
also optimism bias to consider. This reflects the human tendency toward
optimism. In our case study Gail overcame her optimism bias by getting as
many other opinions as possible.
We will now examine a risk analysis method that is essentially qualitative,
and very easy to use if you have a lot of data. However, it does use
numerical scores against various components of risk - making it a more
reliable and accurate risk analysis tool. Just like in the risk identification
stage, accuracy and reliability will be enhanced, and optimism bias will be
reduced if more than one estimator is used.
Common to most risk management texts and theories you will find two
measures used in risk analysis:
 impact - the potential severity of the consequences of the risk event.
Impacts could be cost, time, people, quality or danger. Interchangeable
terms for impact are consequences, effect and severity.
 likelihood - the probability of the risk event happening. Interchangeable
terms for likelihood are probability and sometimes frequency.
An overall risk rating is determined by multiplying impact by likelihood. So
the equation is:
Overall risk rating (R) = impact (I) x likelihood (L). Each risk is considered
and scored against both measures. The following tables describe how this
works.
52
Table 14: Impact Rating
Rating Score Description
Insignificant 1 Negligible loss. Consequences easily dealt with.
Low 2 Noticeable impact. Minimal damage.
Medium 3 Moderate damage. Manageable scale of loss.
High 4 Large-scale damage. Significant loss or restriction.
Extreme 5 Widespread damage. Business objectives severely

compromised. Huge financial loss.
Table 15: Likelihood Rating
Very unlikely 1 Only in exceptional circumstances. Not likely in

short to medium term.
Unlikely 2 Slight possibility in short to medium term.
Possible 3 Reasonable to consider that it could occur.
Very likely 4 Will probably occur.
Inevitable 5 Is expected to occur in most circumstances.
By assessing each risk against the impact and likelihood scales and
assigning a score, you can then multiply these scores and determine an
overall risk rating for each risk. This will give you a score between 1 and
25.
The table below provides an example from the case study.
53
Table 16: Risk rating example with two measures
Risk Impac Likelihood Overall

t rating risk
rating rating
Major customers cancel indent 4 1 4

orders
Production delays first delivery 4 3 12
High faulty rate in first delivery 3 2 6
Competitors reduce price of 2 3 6

competing style
While impact and likelihood are the two most common measures used in
risk analysis, there is another measure that can be added into the equation
to give a more accurate analysis:
 exposure - the frequency of occurrences or duration of the risk event.
Interchangeable terms for exposure are frequency and duration.
The reason this measure is not always singled out for consideration is
because it can be considered inherent in the impact and/or likelihood
measures.
Let us consider it as a separate measure here.
Table 17: Exposure rating
Rare/never 1 Rarely or never happens.
Infrequent 2 Does not occur often or for very long.
54
Occasional 3 Likely to occur during project. Perhaps likely to
last a significant amount of time.
Frequent 4 Will occur at least once, probably more often. May

endure.
Constant 5 Will occur regularly and will endure.
Using all three measures, the equation for determining overall risk rating
now becomes:
Overall risk rating (R) = impact (I) x likelihood (L) x exposure (E) This gives
each risk an overall risk rating from 1 to 125 points.
The table below extends the earlier example from the case study.
Table 18: Risk rating example with three measures
Risk Impact Likelihood Exposur Overall

rating rating e rating risk
rating
Major customers cancel

4 1 2 8
indent orders
Production delays first

4 3 3 36
delivery
High faulty rate in first

3 2 3 18
delivery
Competitors reduce price

2 3 4 24
of competing style
The kinds of rating systems we have examined here allow you to sort your
risks into categories and priorities for action.
Risk analysis documentation
It is time again to take out your risk register and update it. You can now
allocate an overall risk rating to each risk and a priority rating. This priority
may be assigned individually from priority 1 for the most serious risk right
through to priority 168 for the least important risk (the 168 risks are taken
from the case study). Or you may have grouped your risks into the three
categories - high, medium and low.
55
You may want to close the lower, or lesser priority, risks. If you have
decided to give them no further attention, then close them in the register so
that no resources are allocated to preventative or contingency measures.
It is really important to now consider who should own each of the risks. The
risk owner is allocated the risk to manage throughout the project. Unless a
risk is owned, it is unlikely treatment plans will be prepared and should the
risk occur and no plans are in place it will always be considered someone
else's fault. So take the time now to allocate an owner for each of the risks
you are going to plan for. You might also want to consider allocating an
owner for the lower level risks. This could simply be to monitor them and
raise awareness if any are likely to occur, or cause a significant problem.
56
The risk register only holds summary information about each risk. It is
worthwhile now to produce a more thorough risk document for your top
priority risks. One way you can do this is with a risk plan. A risk plan is used
to identify and describe a major risk to the project or business. It is the
basis of your risk treatment plan. We will look at risk treatment plans in the
next element. The following figure provides a template for a risk plan.
Table 19: Risk plan
PROJECT DETAILS
Project Name of the project to which the risk relates

name:
Project Name of the project manager responsible for the project
manager:
RISK DETAILS
Risk ID Unique identifier assigned to this task

Raised Name of the person who raised the risk
By;
Date Date on which this risk was raised
Raised:
Risk Name of the person assigned to monitor and manage the risk
Owner:
Risk Overall risk rating score and priority rating
Priority:
Risk description:
Include a brief description of the risk identified and its underlying causes.
Risk Score Risk Score Risk Score

Impact Likelihood Exposure
Describe the impact of Describe the likelihood of Describe the frequency

the risk of the project the risk eventuating of occurrences or
duration of the risk event
57
RISK TREATMENT
(To be discussed)
APPROVAL
Supporting documentation:
Reference any supporting documentation used to substantiate the risk and its
treatment
Signature: Date: ___ / ____ / _____
The Risk
The Risk
Register and risk plans are generic risk documentation. There may be other
risk analysis and evaluation documentation required by your particular
organisation or industry. For instance, you may need to submit paperwork
for funds approval to prepare treatment plans for each risk.
Summary
Successful risk identification leads to a great number of risks being
generated. It is not practical or economically viable to treat all of these
risks, so you need to analyse, categorise and prioritise them.
In this element we looked at causes of risk. You cannot plan treatment for
risks without fully understanding what has caused the risk. The tools used
during the risk identification stage are often helpful when determining the
underlying risk causes. We looked particularly at the cause and effect or
fishbone diagram.
Next we explored the impacts of risk events and found that some risk
events can produce a number of impacts. Again, the risk identification tools
are helpful when determining possible impacts.
Risk analysis was undertaken. We assigned numerical scores to various
risk measures. We looked at two-measure and three-measure models
using risk impact, risk likelihood and risk exposure. This analysis gave us
an overall risk rating for each risk event.
These risk ratings were used to group or categorise risks and to prioritise
them for action.
Finally we looked at documenting this risk analysis and evaluation process
and information in the risk register. We also looked at how to prepare risk
58
plans for the most important risks and how these form the basis of the risk
treatment plans we will need in the next element.
3. Treat risks
3.1 Determine appropriate control measures for risks and
assess for strengths and weaknesses
Refer risks relevant to whole of organisation or having

an impact beyond own work responsibilities and area
3.3 of operation to others as per established policies and
procedures
Choose and implement control measures for own area

3.4 of operation and/or responsibilities
Introduction
In the previous element you saw how risk identification enables you to
determine the good and bad things you might encounter on a project or
business activity. Then how conducting a risk analysis allows you to sort
those risks into categories of importance. The next stage is to plan for and
treat those risks most likely to have a major impact on the project or
business.
Some types of risks can be completely eliminated by making changes in
the organisation or project. Other risks cannot be eliminated, but their
impact can be significantly reduced through various controls. Further risks
may not be able to be controlled, but planning for their eventuality may
mean that more carefully considered action is taken if the risk arises. Each
of these approaches will produce a better result than going without a risk
management strategy.
You must be mindful that many risks can be identified before a project
starts and so can be planned for and managed proactively with treatment
plans. However, some risks are chance events that could never be
anticipated. For these you must be reactive, treating them if and when they
occur.
59
3.1 Determine appropriate control measures for risks and assess for
strengths and weaknesses
Case study
Through an extensive analysis of all 168 identified risks, Gail determined that
there were two main risks that posed a major threat to the launch of her new
line of clothing.
1. The most serious risk were the delays to deliveries caused during
production. Further investigation of this risk found that the delivery delay
risk could be caused by the following:
 equipment problems
 staff problems
 raw material problems
 high rate of faulty product.
2. The second most serious risk came from competitor activity. Possible com-
petitor actions that could affect Gail's sales were determined to be:
 copying product designs and positioning
 price reduction on competing products
 offers to customers to bulk purchase.
3. Gail also found a second level of risk that was less important than these
two, but could pose a problem big enough to warrant some forward
planning
4. Customer action was causing a drop in projected sales. This risk could be
the result of:
 customers cancelling orders
 customers' poor financial position placing them on 'stop supply'.
Gail's thorough risk identification and analysis processes had whittled her
168 risks down to these three serious risks. The risks no longer seemed
insurmountable. However, now that Gail had a really good idea about the
most serious and most likely threats to the success of her Clothing launch,
she didn't know quite what to do to make sure that these risks didn't
happen. Was it feasible to take action to eliminate each and every risk?
Was it even possible? What was she going to do about the risks she
couldn't eliminate?
Gail needed some mechanisms to monitor her project and alert her when
risks were beginning to develop. She also needed clear plans telling her
what action to take if and when the risks did develop.
60
Risk-handling approaches
Before looking at risk controls, monitoring and treatment we need to under-
stand the different approaches to handling risk. These are often called
treatment strategies.
When you are confronted with a possible risk there are usually a number of
options available. You could actively change the way you work or operate to
prevent the risk from ever occurring, or you could employ tactics to reduce the
risk, or you could choose to just accept the outcome of the risk if and when it
does occur. The following table explores the five main approaches to handling
risk, or treatment strategies.
Table 20: Treatment strategies
Treatment strategy Explanation
Risk acceptance The risk is accepted because it is not serious or is

unlikely to occur. The organisation can afford to deal
with the anticipated consequences.
Risk elimination/ Countermeasures used to stop the threat or problem

avoidance/prevention from arising, or to prevent it from having any impact.
Risk transfer The risk, and its consequences, is transferred to a

third party.
Risk Actions are taken to reduce the likelihood the risk will
mitigation/reduction develop or to limit the impact of the risk to more
acceptable levels. This also includes sharing the risk
with others or diffusing the risk between locations.
Risk contingency This risk can only be managed by switching to an

alternative or contingency course of action once the
risk occurs.
We will examine matching risks to different strategies later in this element.
61
Refer to the case study at the beginning of this element. Gail has identified
three main risks to her product launch. Take each risk and determine
possible handling approaches or treatment strategies that Gail could use to
manage each risk.
Delivery delay
Competitor activity
Customer action
Can you see that the internal risks causing the delivery delay have more
treatment options than the external competitor and customer risks? Also, it
may be possible to eliminate the internal risks, while it is rarely possible to
completely eliminate external risks.
62
Risk control measures
According to the Australian/New Zealand Risk Management Standard
AS/NZA 4360:2004, risk treatment can be defined as:
a process of selection and implementation of measures to modify risk.
We often call these measures controls. Controls are the policies, practices
and processes used to treat, or manage, risks. There are many different
types of controls you can use. Control method selection depends on the
approach, or treatment strategy, you intend to use for each risk.
So let us take each of the treatment strategies we just explored and look at
examples of control measures you could use for each strategy.
Table 21: Treatment strategy and control measures
Treatment strategy Possible control measures
Risk acceptance Monitoring mechanisms

Progress reporting
Allowances built into estimates
Risk Operational restructure

elimination/avoidance/prevention Security
Training
Staffing
Delay the activity
Risk transfer insurance policies

Subcontractors
Contracts
Warranties
Risk mitigation/reduction Joint venture

Expand business
Contract business
Modify objectives
Maintenance agreement
Quality control
Standards
Legislative compliance
Diversification
Hedging
Risk contingency Contingency plan

Public relations strategy
Backup
63
Taking the treatment strategies you assigned to each risk in assessment 5,
apply possible control measures to each risk. (Hint: You may need to break
the risks down to the root causes given in the case study. Match control
measures with each cause.) (Use tables where needed)
Control measure analysis

Each of the categories of control measures we have just looked at has its
upside (strength) and its downside (weakness). When, later in this element,
we implement a control measure for each of our main risks we will want to
know the benefits and the costs of using that particular measure.
The following table takes each category of control measure and determines
some of the strengths and weaknesses of choosing that type of control.
Table 22: Control measure strengths and weaknesses
Control measure type Strengths Weaknesses
Risk acceptance (e.g.  No cost in dollars,  Impact may be more

monitoring and time or resources serious than
reporting) anticipated
Risk elimination (e.g.  Permanent business  Expense - dollars,

restructure, staff improvement time, resources
training)
 Difficult to
implement
Risk transfer (e.g.  Third party  Transfer success as

insurance, completely well as risk
subcontractor) responsible for risk
 Dollar expense
and its treatment
Risk mitigation/reduction  Permanent business  Expense - dollars,

(e.g. quality control, joint improvement time, resources
venture, process
improvements)
Risk contingency (e.g.  Proactive strategy  Wasted time and

alternative plan, backup) offers a more effort to plan for a risk
considered approach that never occurs
to risk management
64
3.3 Refer risks relevant to whole of organisation or having an impact beyond
own work responsibilities and area of operation to others as per
established policies and procedures
Risk monitoring
At the monitoring and control stage of risk management we leave behind
the speculative activities and move into the action phase. Up until this point
we have identified possible risks, analysed and sorted them and planned
what we could do if they occurred. Now it is time to actually take some
action against these risks.
Risk monitoring involves scanning the risk horizon to see what untoward
risk events are looming. You need active measures in place to report risk
triggers so that your controls can be implemented to ward off, lessen or
recover from the risk.
Risk monitoring should be a routine and ongoing process that is
established at the beginning of a project or business activity, and continues
until that project is complete. Risks are dynamic. They will change their
size, shape and intensity. You need continuous risk monitoring so that you
spot the risk triggers and are alerted to new risks.
Much of risk monitoring is informal. As people are doing their jobs they
notice that things are not right and report this to their supervisor. For
instance, a production line worker at the Fitzroy Falls Clothing Company
may notice that stock on the floor of lime green yarn is really low. She
knows that the lime green based.
Clothing is scheduled for production the next morning, so asks her
supervisor whether there is more stock stored elsewhere. Depending on
the stock situation the supervisor can head off this risk by having stored
stock transferred to the factory floor before the morning shift, or reschedule
the lime green Clothing production to a later date when yarn is delivered
from the supplier.
Learning Assessment 9.
Use your current or previous workplace as an example. Think carefully about
how low-level risks might be detected before they happen. Describe two or
three ways in which informal risk monitoring happens.
65
Informal risk monitoring occurs all the time. Organisations should encourage a
culture where staff are forward thinking and on the lookout for potential risks
as well as opportunities. However, informal risk monitoring usually only
detects imminent risks. Early triggers, or indicators, of risk are best detected
by formal methods of monitoring.
Some of the key formal risk monitoring methods are explained in the table
below.
Table 23: Risk Monitoring Methods
Risk Explanation
monitoring
method
Status/progress Updated weekly, fortnightly or monthly, these reports

reports are the most commonly used mechanism to assess
progress and detect discrepancies in a project. These
reports focus on variances from the plan. These
variances flag risks. Managers must determine what
these variances are likely to do and implement
appropriate controls.
Issues logs These logs are usually divided into two sections –
pending issues and resolved issues. Issues logs, like
progress reports, are updated regularly. The pending
section lists possible sources of problems. The resolved
section itemises previous pending issues that have been
closed. These logs are a simple mechanism for staff to
communicate concerns. They are a way of displaying all
the issues and putting pressure on staff to take action to
resolve them. A growing pending list and a short
resolved list indicate poor risk management.
Evaluations These are exercises in periodic stocktaking. Evaluations

are used to see whether the fundamental objectives of a
project or activity are being achieved. Each type of
evaluation has a list of criteria to evaluate against.
Examples are technical evaluations, audits,
compliance/accreditation evaluation, management by
objectives (MBO) reviews and performance appraisals.
Risk audits These specialist audits are conscious, systematic

attempts to examine the organisation's risk
management processes and procedures. They are high-
level evaluations usually conducted by external risk
specialists. These would only normally occur in large
organisations, or highly risk sensitive industries.
66
While you may have a number of elaborate risk monitoring mechanisms,
they will not, unfortunately, detect every risk. To ensure that you detect as
many risks as possible you must check you are:
 focusing on the right source of information (for example, if the source of
risk is within the machinery, you are better doing regular maintenance
checks than surveying staff on what they think could go wrong)
 getting timely information (for example, it is no use finding out about a
possible problem causing machinery to break down, after the machin-
ery has broken down)
 understanding the information (for example, the person reviewing the
risk monitoring data needs to be able to determine which data shows
real risk triggers and which data is simply representing useless
anomalies).
3.4 Choose and implement control measures for own area of operation
and/or responsibilities
Control measure selection and implementation
Now that your risks have come to light through your monitoring mechanisms,
you must take action to handle, or treat, those risks. How do you determine
what sort of action to take, or controls to implement? Some businesses
choose to implement a hierarchy of controls model where control questions
are used to filter risks. This model is built on the treatment strategies or control
measure types discussed earlier in this element. The model you use may look
something like figure 24.
You will notice that some of these filter questions include the term cost
effectively. It is very often possible to reduce or entirely eliminate a risk, but
while possible it is also very expensive in monetary terms, time or resources.
In these instances if the costs outweigh the seriousness of the risk, then it is
not feasible to eliminate or reduce the risk. Instead, you would move through
the model to the next filter question.
As you can see, effective risk management is not free. It may be prudent to
cost, or forecast, in monetary terms, time and resources, each of the controls
you plan to implement. In fact, a costing stage is included in the risk treatment
plan at the end of this element.
The chosen monitoring mechanisms and control filter may highlight some risks
that are relevant to areas of your organisation or business other than just the
project or activity at hand. These risks may be relevant to the whole organi-
sation, or another section of the organisation. There may be established
policies and procedures to refer these risks. If not, they should not be ignored.
You must ensure that all relevant areas of your organisation or business are
aware of the risks that may impact them.
Once you have determined the most appropriate control measure type for your
risk event you need to select a specific control and implement it. You will have
already listed possible controls in the earlier analysis section of this element. It
is now a matter of matching those controls to particular risks that will give the
most satisfactory outcome.
67
Figure 24. Heirarchy of controls
68
We should also mention that while this process of risk monitoring and
control looks very planned, strategic and logical, there will always be a risk
event that will take you by surprise. It may not have been picked up in your
risk identification and so then missed analysis and planning. It may have
slipped under the radar of your risk monitoring, and so surfaces at some
stage of the project 'out of the blue'. If the risk is serious it requires crisis
management.
Managing crises is a special case of risk control. You will be sure to recall
many high-profile scandals and crises in the political arena that were
handled so poorly that they led to the downfall of political leaders.
Businesses, too, are guilty of inaction or inappropriate action in the face of
a crisis. Larger and more crisis-prone organisations often have a crisis
centre ready for action in such circumstances.
For the smaller organisation there is not a great deal of advice other than
the following golden rules:
 It is usually better to communicate clearly and honestly.
 Act sooner rather than later.
 Do your best not to panic. It breeds panic in others.
 Consider your longer term needs as well as the short-term situation.
 Get advice from professionals.
69
Treatment planning
Now you have gathered all the risk information and made decisions about
measures you will use to monitor and control your risks, it is time to write it
all up. A good structure for this information is a risk treatment plan.
A risk treatment plan is a document defining how risk monitors and controls
are to be implemented to treat particular risks or risk events.
The risk treatment plan builds on the risk plan developed in the previous
element. The treatment plan should extend the risk description by providing
a section on risk treatment. This section should describe the treatment
approach to be taken and the monitoring and control measures to be used.
It should also have a section for estimated cost and expected outcomes of
the treatment.
Figure 25 provides a template for a risk treatment plan.
Now that you have full treatment plans completed for all your major, or
more serious, risks. You should take this opportunity to return to your risk
register (shown again in figure 26) started at the risk identification stage of
the risk management process (element 1). You can now fill in the
monitoring method and control/treatment columns with corresponding
action dates. You may also need to change the risk owner if a different
person is responsible for the implementation of the treatment plan.
You may now be able to close many of the risks. At the completion of your
project or business activity you will want to see all of your risks closed in
the risk register. Each risk must meet one of the following criteria to be
closed:
 The risk was successfully prevented from occurring.
 The risk did not occur.
 The risk occurred and was treated.
70
Figure 25: Risk treatment plan
PROJECT DETAILS
Project name: Name of the project to which the risk relates
Project Name of the project manager responsible for the project
manager:
RISK DETAILS
Risk ID Unique identifier assigned to this task
Raised By; Name of the person who raised the risk
Date Raised: Date on which this risk was raised
Risk Owner: Name of the person assigned to monitor and manage the risk
Risk Priority: Overall risk rating score and priority rating
Risk description:
Include a brief description of the risk identified and its underlying causes.
Risk Impact score Risk Likelihood score Risk Exposure score

Describe the impact of Describe the likelihood of Describe the frequency
the risk of the project the risk eventuating of occurences or duration
of the risk event
RISK TREATMENT
Treatment approach:
Describe the risk handling approach for example, acceptance, elimination, transfer,
mitigation or contingency
Control measure:
Describe the selected measure/s of control to be used to treat the risk
Monitoring measure:
Describe how the risk will be monitored and triggers idnetified
Estimated cost:
Provide an estimate of the cost of treatment (monitoring and control) in monetary
terms, time spent and resources required.
Expected outcome:
Describe the expected outcome of implementation of the treatment plan.
APPROVAL
Supporting documentation:
Reference any supporting documentation used to substantiate the risk and its
treatment
Signature: Date: ___ / ____ / _____
71
Summary
The most important or serious risks need fully detailed risk treatment plans
to implement if and when the risk arises.
The first step in developing a treatment plan is to determine the most
appropriate approach to handling the risk. In this element you looked at five
approaches: risk acceptance, risk elimination, risk transfer, risk mitigation
and risk contingency.
The next step you took was to consider the possible control measures that
could be used for each approach. You evaluated the strengths and
weaknesses of these control measures.
Risk monitoring is necessary to report on risk triggers so that you have
advance warning of a risk event. In this element you examined informal risk
monitoring and reviewed a number of formal risk monitoring methods.
You then looked at how to select the correct control measure for each risk
using a hierarchy of control model. Control implementation issues were dis-
cussed, including costing, referring broader risks, unexpected risks and
crisis management.
Finally you explored the contents of treatment plans and the additions
required to the risk register.

As part of your learning journey you are to:
1. Explain the five approaches to handling risk (treatment strategies).
2. Provide an example of a possible control measure for each of the five

treatment strategies.
72
3. Provide a strength and a weakness for each of the control measures
you provided in the previous question.
4. Give an example of informal risk monitoring in the workplace.
5. Why is it important to have formal risk monitoring in place?
6. Why is it important to consider the cost of particular risk controls?

Could these costs alter your control selection?
73
7. What sections should be fully covered in a risk treatment plan as
opposed to a risk
74
BSBRSK401
Figure 26: Risk Register
ID Date Risk Risk Impact Overall Priority Preventative actions Action Contingency actions Action Date
Raised Owner risk rating date date closed
rating
Ide
ntif
y
ris
k
an
d
ap
ply
ris
k
ma
Document Name:
Document No:
495432569.docx
© John Bailey 2010, 2012, 2015

Release No: 1
Created Date:
Last Modified Date:
Page Sequence:
18 Oct. 20
18-Oct-20
Page 75 of 84
na
ge
4. Monitor and review effectiveness

of risk treatment/s
4.1 Regularly review implemented treatment/s against
measures of success
Use review results to improve the treatment of

4.2 risks
Provide assistance to auditing risk in own area of

4.3 operation
Monitor and review management of risk in own area

4.4 of operation
Once the risk management cycle of risk identification, risk analysis and risk
treatment is complete, you will want to review your performance. If you are
monitoring the effectiveness of risk treatments for an ongoing project or
business activity, then you will use the results to improve those treatments.
If this is the end of a project, then reviewing the effectiveness of risk treat-
ments allows you to inform future projects or ventures. This will make risk
management of new projects more efficient and successful.
76
BSBRSK401
4.1 Regularly review implemented treatment/s against measures of

success
Case study Id
Gail's project plan, including a very thorough section on risk management,
en
was approved and her new line of clothing was launched. Six months on
from the launch date Gail reflected on all that had happened. As the design tify
and marketing teams had predicted, sales were strong. The range was
also now showing a profit after a bit of a bumpy start. The project was
declared a success. Gail could thank her risk management plan for much
ris
of that success.
As predicted, Gail lost Nathan, the head of her production team, to a new
k
project. She had a contingency plan in place and a staff member had been
trained to take over at short notice. Production hardly missed a beat. Two
an
of the Clothing designs experienced a high rate of faults. Gail had
anticipated that these more complex designs could pose a problem during d
a pilot production run she had instigated to try to eliminate this risk.
Planning for this risk saw these two designs allocated more production
time and a higher cost structure. These risks could have potentially caused
ap
a significant delivery delay, but through careful risk management they did
not. ply
New security measures meant that there were no design leaks to
competitors. All customers were offered incentives to buy the new range in
ris
large quantities with follow-up orders. This reduced the chance that they
would succumb to counteroffers from competitors. These new control k
measures worked.
Finally there was one major customer who experienced a period of m
financial difficulty and Fitzroy Falls put them on 'stop supply'. Gail worried
that she would be unable to shift this stock to other customers, but with a
bit of effort, and discounting, Gail sold all the stock. It helped that the
an
clothing were so popular that they were literally walking off the shelves.
ag
Gail had become a true convert to formal risk management. She also knew
that implementing the final treatment was not the end of the process. To
really evaluate the success of a project you must monitor and review your
e
risk treatments and you must also review your performance over the whole
risk management process. Gail was determined to do this review m
en
thoroughly. She wanted a strong basis for the risk management of future
projects. After all, she had just been promoted and offered the
management of an even bigger product launch!
t
pr
oc
es
77
se
s
4.2 Use review results to improve the treatment of risks
Risk treatment review

It is vital to continuously monitor the effectiveness of your risk treatments
as well as monitoring the risks themselves. It is also important to review, or
evaluate, the success of completed treatments.
Consider the following:
 Some risk treatments lose their effectiveness through the life of a pro-
ject, and so they need adjustments or new treatments to be overlaid.
 Treatments you had expected to resolve risks may not have worked at
all, or not as effectively as you would have hoped. Again, adjustments
or new treatments are needed.
 Emergency, or reactive, treatments used for unexpected risks may
have been very effective, or perhaps not effective at all. These need to
be documented to inform the treatment of similar risks in the future.
 The expense of the treatment was greater than the potential loss
caused by the risk. This needs to be documented so it does not occur
again.
 Treatments may create secondary risks, which require analysis,
planning and further treatment implementation.
It is important to monitor your risk treatments for the lifecycle of the project
so that, if they are not working as effectively as expected, you can modify
them or replace them with new treatments.
It is important to review your risk treatments once they are complete so
that you can determine whether to use that particular treatment against
that type of risk in the future. It is also important to include a cost
evaluation in your review.
How do you review risk treatments? One way is to establish measures of
success for each treatment plan and compare the outcome against those
measures. Examples of possible measures of success are:
 The treatment eliminated the risk.
 The treatment substantially reduced the risk.
 The cost of treatment was less than the potential loss caused by the
risk.
A simple way to complete a review of the effectiveness of risk treatments is
to use a checklist. Sometimes this checklist informs, or feeds into, a wider
organisational risk audit. As an employee responsible for a project or
particular business activity you will be expected to provide input into the
auditing of the organisation. Risk, and its treatment, is a major feature of
any audit reporting.
78
BSBRSK401
The following figure shows an example of a possible checklist for reviewing

treatment effectiveness. Where you cannot 'check' a particular component,
you need to provide an explanation. This explanation informs this project and
new projects. Id
Figure 27: Risk Review checklist
en
Risk review checklist tify
Yes
ris
k
The chosen monitoring method was implemented as planned.
☐ No, explain
☐ The chosen monitoring method pre-warned of an impending risk. an

☐
No, explain
d
The chosen risk treatment was implemented as planned.
No, explain ap
☐ The chosen control measure eliminated the risk. ply
☐
No, explain
The chosen control measure reduced the risk.

ris
No, explain k
☐ There were no unplanned risk treatments required. m
No, explain
☐ No new risks resulted from risk treatments.

an
No, explain ag
☐ The actual cost of treatment matched the estimated cost.
No, explain
e
☐ The actual cost of treatment was less than the loss from the risk.
m
No, explain en
☐ The expected outcome of the treatment was achieved.
No, explain
t
pr
oc
es
79
se
s
The person given responsibility for the risk treatment is also usually
responsible for the treatment monitoring and review. This person should
also be responsible for communicating the results of the review to the
wider organisation, concerned stakeholders and other areas that could
benefit from this knowledge.
4.3 Provide assistance to auditing risk in own area of operation

Prepare Recommendations
After collecting the information, get with a few of your key team members
to recommend how the risk management plan, risk identification, risk
analysis, and risk response processes could be enhanced or improved.
Determine what went well-because you’ll want to repeat those elements on
future projects-and determine what could be done better next time. Make
certain you include specific recommendations on how to improve the
processes next time. For example, perhaps not enough time waas spent
during project status review meetings to talk about risk status, so the
recommendation should state that the project meeting agandas should
include time to review risk status.
Document the risk audit report
In keeping with all good project management processes, document the risk
audit process and the questions, answers, and recommendations, and file
this with your lessons learned documentation on the project.
4.4 Monitor and review management of risk in own area of operation

Risk management review
Continuous monitoring and review are vital components of an effective risk
management process. The primary purpose of monitoring and review is to
determine whether risks still exist, whether new risks have arisen, whether
the likelihood or impact of risks have changed and to reassess the risk
priorities within the internal and external context of the agency.
The review process can only be completed with a review of the entire risk
management process. This kind of thorough evaluation must be made
after a project or business activity is fully complete. Its purpose is to
evaluate the success of the risk management measures so that successes
can be repeated in future projects, and failures can inform future projects
to ensure that they are not repeated.
80
BSBRSK401
Let us revisit the risk management processes we have explored
Figure 28: The Risk Management Process

Id
en
Risk Identification
tify
ris
Risk
Analysis k
an
Risk
Treatment
d
ap
ply
ris
k
You can complete a review of your risk management by asking some key
questions at each stage of the process. Some examples of key questions
follow.
m
Key questions an
ag
Risk identification
 Were all the risks that occurred during the project identified at this

stage?
If not, could another risk identification tool have worked better?
e
 Did you formally document your risks for later analysis? Risk analysis m


Did you adequately identify the source or cause of your risks?
Did you accurately determine the impact of your risks?
en
 Were your impact, likelihood and exposure ratings accurate? t
 Were your risk priorities correct?
 Did you prepare comprehensive risk plans for your key risks?
pr
oc
es
81
se
s
Risk treatment
 Did you use the correct risk handling approach?
 Did your risk monitoring methods alert you to the risks that arose?
 Did your risk treatments (control measures) achieve their objectives?
 Did you prepare and follow comprehensive risk treatment plans?
 Did you complete a review of risk treatment?
The questions that have just been asked are only a fraction of what could
be used in a review of the total risk management process. As part of your
learning journey you are to go back through the three previous elements
now and add some more questions of your own to this list.
It is important to remember that larger and more complex or risk-sensitive
organisations may have a formal method and standardised documents for
reviewing their projects. Usually a component of these reviews evaluates
the risk management process.
Summary
This final element focused on reviewing and evaluating risk management
performance.
The first review you looked at was a detailed examination of the success of
risk treatments. You explored the importance of monitoring treatment
performance during a project and evaluating the results at the project's
conclusion. These findings could be used to modify and improve current
and future risk treatments, as well to inform risk audits.
The final review you considered was an evaluation of the total risk
management process from risk identification, to risk analysis, to risk
treatment. You considered and added some key questions to include in
such a review. You also considered why these reviews are an essential
component of project and risk management.
82
BSBRSK401
1. Why is it important to monitor risk treatments while a project is

ongoing?
Id
en
tify
ris
2. Why is it important to evaluate risk treatments once a project is
k
complete?
an
d
ap
ply
ris
k
m
3. Name four possible measures of success for risk treatments. an
ag
e
m
4. Why is it important to evaluate the total risk management process?
en
t
pr
oc
es
83
se
s
BSBRSK401 - Identify risk and apply risk management processes

Student’s Workbook
Editor: Olivia Twilley
Author: [Author]
Copyright
Text copyright © 2014, 2015 by John N. Bailey

Illustration, layout and design copyright © 2014, 2015 by John N. Bailey.
Under Australia’s Copyright Act 1968 (the Act), except for any fair dealing
for the purposes of study, research, criticism or review, no part of this book
may be reproduced, stored in a retrieval system, or transmitted in any form
or by any means without prior written permission from John N. Bailey. All
inquiries should be directed in the first instance to the publisher at the
address below.
Copying for Education Purposes
The Act allows a maximum of one chapter or 10% of this book, whichever
is the greater, to be copied by an education institution for its educational
purposes provided that that educational institution (or the body that
administers it) has given a remuneration notice to John N. Bailey.
Disclaimer
All reasonable efforts have been made to ensure the quality and accuracy
of this publication. John N. Bailey assumes no responsibility for any errors
or omissions and no warranties are made with regard to this publication.
Neither John N. Bailey nor any authorised distributors shall be held
responsible for any direct, incidental or consequential damages resulting
from the use of this publication.
Published in Australia by:

John N. Bailey
PO Box 6214
Yatala, QLD, 4207
Australia
84

BSBRSK401 - Student Workbook Safety Management

Hochgeladen von

Dokumentinformationen

Originaltitel

Copyright

Verfügbare Formate

Dieses Dokument teilen

Dokument teilen oder einbetten

Freigabeoptionen

Stufen Sie dieses Dokument als nützlich ein?

Sind diese Inhalte unangemessen?

Copyright:

Verfügbare Formate

BSBRSK401 - Student Workbook Safety Management

Hochgeladen von

Copyright:

Verfügbare Formate

Identify risk and apply

Student’s Personal Details

Student Name: SATISH SINGH

Student ID Number: AV-314

Contact number: 0449927875

BSBRSK401 - Identify risk and apply risk

Table 21: Treatment strategy and control measures....................................................................................62

BSBRSK401 - Identify risk and apply

 Set up a ‘chat line”. If you have access to telephone conferencing or

The Icon Key

How to get the most out of your learning guide

Elements and Performance Criteria

2.2 Undertake risk categorisation and determine level of risk

Refer risks relevant to whole of organisation or having an impact

3.5 Prepare and implement treatment plans

4. Monitor and review effectiveness of risk treatment/s

Regularly review implemented treatment/s against measures of

4.2 Use review results to improve the treatment of risks

4.3 Provide assistance to auditing risk in own area of operation

4.4 Monitor and review management of risk in own area of operation

Reading 1.2  Comprehends documents

Oral 2.1  Participates effectively in

Numeracy 1.2, 4.1  Uses numerical tools to

Navigate the 1.1, 1.3, 3.3  Complies with organisational

Skill Performance Criteria Description

Identify risks using tools, ensuring all reasonable steps

Document identified risks in accordance with relevant

1.1 Identify the context for risk management

Risk identification tools

Table 1: Informal risk identification tools

Risk identification Description

 Brainstorming Gather a range of stakeholders (internal representatives

 Stakeholder Using interviews, surveys or questionnaires you can

 Benchmarking Review what happens in other like businesses working

 Document Published reports (secondary data) can provide

 Reviewing This includes reviewing information from the current

 Observation If your project involves a physical process (such as

Table 2 Formal risk identification tools

Table 4: ‘SWOT ‘ Analysis example for Woolworths

Table 5: Types of risks (Internally)

Stakeholder risk map

Figure 8: Project lifecycle

Managing and Control

Table 9: Project risks

Project stage Concept Planning Management Closeout

Types of  Managemen  Raw  Manufacturin  Inadequate

Define the following terms:

Why is it so important to identify as many risks as possible at the outset of

Why is a formal method of documenting risk a good business practice?

Undertake risk categorisation and determine level of

2.3 Document analysis processes and outcomes

In the previous element we looked at identifying, categorising and docu-

2.1 Analyse and document risks in consultation with relevant

Figure 11: Risk Event Example

Figure 12: Cause and effect of fishbone diagram

Figure 13: Impact-likelihood matrix

= Medium Risk. Plan for but limit resources

= High Risk. Action Immediately

Why is it important to determine the underlying causes of risk events?

Describe how these measures can be used to calculate an overall risk

Describe two ways of categorising or prioritising risks.

2.3 Document analysis processes and outcomes

Signature: Date: _ / / ___