Manage risk BSBRSK501A Student Workbook

Part of a suite of support materials for the

BSB07 Business Services Training Package

Student Workbook BSBRSK501A Manage risk

1st Edition 2010


Acknowledgment

Innovation and Business Industry Skills Council (IBSA) would like to acknowledge Equip Grow Lead for their assistance with the development of this resource.

Writers: Shane MacDonald, Emily Logan and Peter Baskerville

Industry reviewer: Rod Peters, David Parry and Greg Field

Copyright and Trade Mark Statement

© 2010 Innovation and Business Industry Skills Council Ltd

All rights reserved. Apart from any use permitted under the Copyright Act 1968, no part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical, photocopying, or otherwise, without written permission from the publisher, Innovation and Business Industry Skills Council Ltd (‘IBSA’).

Use of this work for purposes other than those indicated above, requires the prior written permission of IBSA. Requests should be addressed to Products and Services Manager, IBSA, Level 11, 176 Wellington Pde, East Melbourne VIC, 3002 or email [email protected].

‘Innovation and Business Skills Australia’, ‘IBSA’ and the IBSA logo are trade marks of IBSA.

Disclaimer

Care has been taken in the preparation of the material in this document, but, to the extent permitted by law, IBSA and the original developer do not warrant that any licensing or registration requirements specified in this document are either complete or up-to-date for your State or Territory or that the information contained in this document is error-free or fit for any particular purpose. To the extent permitted by law, IBSA and the original developer do not accept any liability for any damage or loss (including loss of profits, loss of revenue, indirect and consequential loss) incurred by any person as a result of relying on the information contained in this document.

The information is provided on the basis that all persons accessing the information contained in this document undertake responsibility for assessing the relevance and accuracy of its content. If this information appears online, no responsibility is taken for any information or services which may appear on any linked websites, or other linked information sources, that are not controlled by IBSA. Use of versions of this document made available online or in other electronic formats is subject to the applicable terms of use.

To the extent permitted by law, all implied terms are excluded from the arrangement under which this document is purchased from IBSA, and, if any term or condition that cannot lawfully be excluded is implied by law into, or deemed to apply to, that arrangement, then the liability of IBSA, and the purchaser’s sole remedy, for a breach of the term or condition is limited, at IBSA’s option, to any one of the following, as applicable:

(a) if the breach relates to goods: (i) repairing; (ii) replacing; or (iii) paying the cost of repairing or replacing, the goods; or

(b) if the breach relates to services: (i) re-supplying; or (ii) paying the cost of re-supplying, the services.

Published by: Innovation and Business Industry Skills Council Ltd, Level 11, 176 Wellington Pde, East Melbourne VIC 3002, Phone: +61 3 9815 7000, Fax: +61 3 9815 7001, e-mail: [email protected], www.ibsa.org.au

First published: June 2010

Print version: 1.0

Release date: June 2010

Printed by: Fineline Printing, 130 Browns Road, Noble Park VIC 3174

ISBN: 978-1-921749-76-6

Stock code: RSK501ACL

Table of Contents

Introduction
    Features of the training program
    Structure of the training program
    Recommended reading

Section 1 – Introduction to Risk
    What skills will you need?
    Understand risk and risk management
    Establish the context
    Understand importance of relevant legislation
    Section summary
    Further reading
    Section checklist

Section 2 – Identifying Risk
    What skills will you need?
    Review the external environment
    Determine strengths and weaknesses
    Review and document objectives
    Identify risks
    Research
    Involve others in risk identification
    Section summary
    Further reading
    Section checklist

Section 3 – Analysing and Evaluating Risk
    What skills will you need?
    Determine likelihood of risk
    Assess consequence of risk
    Evaluate and prioritise risk
    Determine risk treatment options
    Develop an action plan for treating risks
    Section summary
    Further reading
    Section checklist

Section 4 – Treating Risk
    What skills will you need?
    Implement the risk action plan
    Monitor the risk action plan
    Evaluate the risk management process
    Section summary
    Further reading
    Section checklist

Glossary

Appendices
    Appendix 1: Risk action plan template
    Appendix 2: MacVille risk management policy
    Appendix 3: Scenario – Shoez

Student Workbook Introduction

BSBRSK501A Manage risk © 2010 Innovation & Business Industry Skills Council Ltd Page 1 of 100

Introduction

Features of the training program

The key features of this program are:

Student Workbook (SW) – Self paced learning activities to help you to understand key concepts and terms. The Student Workbook is broken down into several sections.

Facilitator-led sessions (FLS) – Challenging and interesting learning activities that can be completed in the classroom or by distance learning that will help you consolidate and apply what you have learned in the Student Workbook.

Assessment Tasks – Summative assessments where you can apply your new skills and knowledge to solve authentic workplace tasks and problems.

Structure of the training program

This Training Program introduces you to the concepts of identifying risk and how to then apply the appropriate risk management strategies. You will develop the skills and knowledge in the following topic areas.

1. Introduction to Risk (SW Section 1/FLS Session 1).

2. Identify Risk (SW Section 2/FLS Session 2).

3. Analyse and Evaluate Risk (SW Section 3/FLS Session 3).

4. Treat Risk (SW Section 4/FLS Session 4).

Note: The Student Workbook sections and Session numbers are listed next to the topics above.

Your facilitator may choose to combine or split sessions. For example, in some cases, this Training Program may be delivered in two or three sessions, or in others, as many as eight sessions.

Recommended reading

Some recommended reading for this unit includes:

Australian Capital Territory Insurance Authority, 2004, Australian Government, Guide to Risk Management, viewed May 2010, <http://www.treasury.act.gov.au/actia/Guide.doc>.

Risk Management Institute of Australasia, 2010, Realising Opportunity, viewed May 2010, <http://www.rmia.org.au/>.

Section 1 – Introduction to Risk

Before you can undertake risk management, there are a number of key concepts that you must understand. This chapter will define risk and risk management, and help you establish the context in which risk management takes place.

Scenario: Preparing for risk management

You have recently been successful in securing the job of operations manager for a chain of shoe repair stores with ten outlets. Your previous experience was in sales management and more departmental areas of management but never as the operations manager of a chain of stores.

You note that one of your specific responsibilities is to manage the risks that are likely to happen in this particular organisation. Before attempting to identify the organisation’s risks, you first take time to review the concepts of risks, risk management and the context that risk will be applied to. From your previous roles, you are very aware of the risks of non-compliance with relevant laws, and so you decide to also review the legislative framework in which this organisation operates.

What skills will you need?

In order to work effectively as a risk manager you must be able to:

understand risk and risk management

establish the context for risk management

understand the importance of relevant legislation.

Understand risk and risk management

What is risk?

Risk is inevitable. It is a natural part of our physical, social, financial and competitive environments. It is defined as the chance of something happening that will have an impact on objectives or goals being achieved. It is measured in terms of consequence and likelihood. Organisations must decide on a daily basis whether various risks are or are not worth taking, for example, when making decisions regarding investment or the health and safety of employees. For some, the ability to manage risk better than anyone else becomes a valuable resource that they use for their own advantage.

In business, there is a strong correlation between risk and reward. For example, investing in the share market is riskier than investing in Government Bonds, so as a consequence of the risks involved, share markets traditionally offer the higher returns.

Only an estimated 10% of all risks are actually unforeseeable.


Definition of risk

The concept of risk is incorporated into so many different business disciplines, from insurance to engineering to financial investment, that each of them has developed its own definition of the concept.

In this workbook, we will take the view that risk is an event or action that, if it occurs, will cause a loss to an organisation’s valuable resources and adversely affect the goals and objectives of that organisation.

Risk is the estimated likelihood of occurrence of an uncertain event, and its impact on organisational objectives should it occur.

Figure 1: What is risk? (diagram labels: Probability, Consequence, Organisational objectives)

As shown in the diagram above, both the probability (or likelihood) of an event occurring and the consequence (or impact) of that event have an effect on the objectives of the organisation. The combination of these two factors gives an organisation an indication of the risk it is exposed to should the event occur.

Learning activity: Risk consultants

Many consultants can work with your organisation to identify risk and help in developing and implementing processes to assist in the management of business risk.

PricewaterhouseCoopers is one organisation that actively manages risk. Look at their website at <http://www.pwc.com/gx/en/risk-management/> and explain why PricewaterhouseCoopers believes some risk management systems implemented in companies have made the company more vulnerable.


Valuable resources

Valuable resources that can be affected by risk are not just financial. In today’s business environment, the loss of reputation or brand value can have far greater impact on the organisation’s viability than the loss of some investment funds. Other valuable resources that need to be considered in any loss evaluation caused by risk are detailed below.

• Human: workers, intellectual capital, skills, experience and capabilities, levels of trust, managerial skills, firm-specific practices and procedures, innovation and creativity, technical and scientific skills

• Financial: cash, investments, shares, capacity to raise equity, borrowing capacity

• Physical: plant, equipment, state-of-the-art machinery, equipment and electronics, land, buildings, vehicles, furniture, facilities

• Intellectual property: patents, copyrights, trademarks, trade secrets, software

• Organisational excellence: evaluation and control systems, effective strategic planning processes, outstanding customer service, excellent product development capabilities, innovativeness of products and services, ability to hire, motivate, and retain human capital, innovative production processes, favourable manufacturing locations, innovation capacities, effective strategic planning processes, excellent evaluation and control systems

• Intangible: information, reputation, brand value, goodwill.


Learning activity: Resources

Review the scenario provided in Appendix 3 and make note of any resources mentioned. Rank them in terms of what you consider to be high priority resources that should be protected.

Strategic resources

Many people understand the impact of an unfavourable event on tangible assets, but often overlooked is the impact that adverse events can have on the organisation’s intangible assets. All the resources listed above are valuable, but some resources take on an even more important role in an organisation because they become strategic. They are classified as being strategic because they give the business its competitive advantage. To qualify as strategic they need to be:

• Rare: that is, unique or in very short supply. For example, personnel who are leading experts in their field, and bring knowledge or skills that are not widely available.

• Difficult to imitate: that is, hard to copy due to the expense or time required to acquire. For example, the brand recognition associated with a long-established organisation or product.

• Difficult to substitute: that is, cannot easily be replicated using alternative sources. For example, long-term relationships or working partnerships between specific individuals or organisations that generate high levels of creativity and innovation.


Figure 2: Strategic resources (diagram labels: Rare, Difficult to imitate, Difficult to substitute)

Many of these resources are intangible, and are in many cases the most important ones to risk manage.

Learning activity: Strategic resource

Think about your own work skill sets. Most of what you know or are good at is of value to a workplace environment. Write down the skill sets or owned items that you have that could be called rare, difficult to copy and difficult to substitute. These are your strategic resources.

Risk types

Risk identification is proactive. If you are looking for risks, you will soon find them when discussing activities with team members, observing the workplace environment, reading reports and analysing results. Across the broad spectrum, risks can be categorised in various ways, for example:

Risks can be grouped into two types:

Certain – those risks that will definitely occur at some point in time, for example, employee sick days.

Uncertain – those that may occur at some point in time, for example, an employee being injured in the workplace.


Risk can also be categorised by expected impact:

Speculative risk – where there are potential opportunities.

Pure risk – where there are only negative or unfavourable outcomes for the organisation.

Learning activity: Types of risk

Review the scenario in Appendix 3 under the heading ‘Research findings’ and select three issues. Then identify the type of risk/s that could impact on the organisation as a result of these issues.

Identified issue | Risk type
1. |
2. |
3. |

What is Risk Management?

Risk management is an essential part of good management and corporate governance. It is a set of tools and processes that are used to avoid, reduce or control the risks that are likely to adversely affect the valuable and strategic resources of an organisation. Basically it is the process of identifying and categorising potential risk and then defining actions to mitigate these risks.

Risk management processes should enhance decision-making and facilitate continuous improvement in performance of the organisation. Studying and identifying risk should not inhibit action, but instead help you turn risk into a growth and development opportunity through the application of the risk management process.

Risk management refers to the culture, processes and structure that are directed towards the effective management of potential opportunities and adverse effects.

AS/NZS 4360:2004


Learning activity: Electronic risk management tools

Use the internet to find two electronic tools or software programs that can facilitate and assist in risk management. Describe the tools and compare key functions, and make a recommendation about the type of organisation or project each tool would be most suited for use in.

AS/NZS 4360:2004 – Risk Management

The Australian/New Zealand Standard AS/NZS 4360:2004 – Risk Management provides a guide for managing risk.

The objective of this standard is to provide guidance to enable public, private or community enterprises, groups and individuals to achieve:

a more confident and rigorous basis for decision-making and planning

better identification of opportunities and threats

gaining value from uncertainty and variability

pro-active rather than re-active management

more effective allocation and use of resources

improved incident management and reduction in loss and the cost of risk, including commercial insurance premiums

improved stakeholder confidence and trust

improved compliance with relevant legislation

better corporate governance. [1]

[1] Quality Improvement Council, 2010, ‘Introducing Risk Management Standard AS / NZS 4360: 2004’, GPDV, viewed April 2010, <www.gpv.org.au/files/...files/.../riskmanagementstandardsAS_march05.ppt>.

Throughout this workbook we will be referring to AS/NZS 4360:2004 – Risk Management Standards and following the processes outlined in it for the management of risk.

The risk management process

For the purpose of this workbook, the risk management process will be shown in the following way.

Figure 3: Risk management process (diagram labels: Establish the context, Identify risks, Analyse and evaluate risk, Treat risk, Communication and consultation, Monitor and review)

AS/NZS 4360:2004 views the analysis and evaluation of risk as two separate elements and so outlines seven elements in the risk management process.

Establish the context – Determine the scope of the project, both internally and externally. Establish the criteria by which a risk may be evaluated.

Identify risks – Recognise potential hazards, which may prevent, diminish, or delay the organisational or project objectives.

Analyse risks – Identify the consequence and likelihood of the risk taking place.

Evaluate risks – Compare the potential rewards with the potential adverse outcomes including the likelihood of each. This allows decisions to be made regarding the priority and action required to manage the risk.

Treat risks – The process of selecting which risks are to be managed and taking measures to limit the result of highest priority.

Monitor and review – Critically observe or measure the progress of the risk management process and make changes where beneficial.

Communicate and consult – Ensure stakeholders are aware of information applicable to them and appropriate to the risk level and the stage of risk management.

For the remainder of this chapter, we will look at establishing the context for risk management. The other stages will be addressed in the following chapters.


Establish the context

Scope

When you begin the process of risk management, you must be able to define the scope within which risks must be managed. This requires you to know what needs to be achieved through the risk management activities undertaken.

An organisation is defined by its goals and objectives, therefore the aim of the risk management process must be to ensure that the organisation is able to achieve those goals while balancing costs, benefits and opportunities. This provides the overall context in which risk management takes place. It is also essential that you understand the nature of any decisions that need to be made so that your process can inform and implement those decisions effectively.

In practical terms, the scope of a risk management process can apply to:

the whole organisation

a specific business unit/department

a particular project

a particular business function (e.g. finance, manufacturing).

Risk management can be applied to the internal or external environments of an organisation, or both. The internal environment encompasses the operations and inner workings of the organisation, while the external environment includes the political, economic, social, legal, and technological factors affecting the business. These are explored in more detail in Section 2 of this workbook.

Learning activity: Risk process scope

Review the scenario in Appendix 3 and identify the three criteria defining the scope of the risk management task assigned by Jeff Harding to you as the newly appointed operations manager.

1.

2.

3.


Describe how identifying the scope of a risk project is important to its management.

Stakeholders

Once you have identified the scope of risk analysis and management, you must identify the stakeholders: individuals, a group of people, or an organisation, that can be affected by the risks or implementation of the risk management process.

Identification of stakeholders is an essential step in risk management. It determines who should be involved in the formulation of the risk management plan, and who you should communicate with regarding implementation of risk management strategies and actions.

Identification of stakeholders includes identifying anyone impacted by the risk, and documenting relevant information regarding their interests, involvement, and impact on the effectiveness of the risk management process.

Learning activity: Communicating with stakeholders

Jeff believed that it would be useful to involve the store managers in gathering information about risks associated with their stores and has asked you to prepare an email. Complete an email in the space below making sure that you stay within the scope of the task.


In the book ‘The Handbook of Program Management’ [2], Dr James T Brown gives the following advice for identifying stakeholders.

Follow the money! Whoever is paying is definitely a stakeholder. Also, if a program produces savings or additional costs for an organisation then the organisation is also a stakeholder for that program.

Follow the resources. Every entity that provides resources, whether internal or external, labour or facilities, and equipment, is a stakeholder. Line managers and functional managers providing resources are stakeholders.

Follow the deliverables. Whoever is the recipient of the product or service the organisation is providing is considered a stakeholder.

Follow the signatures. The individual who signs off on completion of the final product or service is a stakeholder.

Examine programs’ stakeholder lists. Include active programs and completed projects.

Review the organisational chart to assess which parts of the organisation may be stakeholders.

Ask team members, customers, and any other confirmed stakeholder to help you identify additional stakeholders.

Look for the ‘Unofficial People of Influence’. These may be people who are trusted by high-level leaders or who wield a lot of power through influence and not position.

Learning activity: Stakeholders

From the scenario provided at the beginning of this section, identify the internal and external stakeholders and the types of input each of them are likely to provide.

Stakeholder | Internal/External? | Type of input

[2] Brown, J T, 2007, ‘The Handbook of Program Management’, McGraw-Hill, Australia.

Learning activity: Stakeholders in the risk process

Review the scenario in Appendix 3 and identify three stakeholders, their role and their primary concerns in regard to the risk management process.

Stakeholder | Role | Risk concerns

Describe briefly the attributes that qualify a person as a stakeholder in the risk management process.

Understand importance of relevant legislation

You cannot afford to ignore the role of legislation in the risk management process. Arguably, the greatest risk for an organisation is to be non-compliant with relevant regulations, as this can incur significant penalties. The risk management process must therefore use legislative guidelines as criteria against which risk is assessed. Some key areas of legislation affecting businesses are listed below.


OHS regulations

OHS (occupational health and safety) laws vary throughout Australia according to the state parliament that passed the Act. For example, in Queensland it is the Workplace Health and Safety Act 1995. While states have different names for their Acts covering the workplace, they all prescribe a similar set of requirements for all managers, including supervisors of projects. These are:

to ensure that work is performed in a safe manner and does not have any negative effect on the worker’s health

to ensure sufficient information and education is provided so that the work can be undertaken safely

to ensure workers have a say in the safety of their own workplace by recognising and acting on risks and hazards in the workplace

to implement audit and control measures that verify the effectiveness of OHS activities

to ensure equipment and machinery is maintained in a safe condition.

Learning activity: Legislation, standards and codes of conduct

Use the internet to research duty of care legislation, standards and codes of conduct in Australia (relevant to the business sector), and describe how you think these influence risk management processes for organisations.

Privacy Act 1988

The National Privacy Principles regulate the way information is handled by private sector organisations such as creditors and debt collectors. The principles, as stated by the Office of the Privacy Commissioner3 are as follows.

3 Australian Government, 2001, ‘National Privacy Principles,’ Office of the Privacy Commissioner, viewed April 2010, <http://www.privacy.gov.au/materials/types>.


Collection – Organisations must ensure that individuals are aware their personal information is being collected, why, who it might be passed on to and that they can ask the organisation what personal information it holds about them.

Use – Personal information may not be collected unless it is necessary for an organisation's activities and must only be used for the purpose it was collected. Many direct marketing mailers will now have to offer the recipient the opportunity to elect not to receive further mailings.

Data quality – Organisations must take steps to ensure personal information they collect is accurate, complete and up-to-date.

Data security – An organisation must take reasonable steps to protect the personal information it holds from misuse and loss and from unauthorised access, modification or disclosure.

Openness – An organisation must have a policy document outlining its information handling practices and make this available to anyone who asks.

Access and correction – Generally, an organisation must give an individual access to personal information it holds about the individual on request.

Identifiers – Generally, an organisation must not adopt, use or disclose an identifier that has been assigned by a Commonwealth government agency.

Anonymity – Organisations must give people the option to interact anonymously whenever it is lawful and practicable to do so.

Transborder data flows – An organisation can only transfer personal information to a recipient in a foreign country in circumstances where the information will have appropriate protection.

Sensitive information – Sensitive information (such as about someone's health, political opinions or sexual preference) may only be collected with the consent of the individual (unless a public interest exception applies).


There are several key obligations around information collection:

Whenever possible, collect information directly from the person.

Only collect information that is necessary.

Collect information by fair means.

Take reasonable steps to let people know that personal information has been collected and what is going to be done with it.

Do not disclose information about the person to a third party that you are collecting information from.

Take care about the type of information contained in messages left on answering machines.

Generally, personal information should only be used and disclosed for the purpose that it was collected.

Learning activity: Application of National Privacy Principles

Considering the privacy laws, identify which National Privacy Principles are being tested in the following circumstances.

A salesperson from your organisation asks for information about someone’s partner’s mobile phone.

Your organisation’s website asks for personal details but does not have a displayed privacy statement.

A person approaches you at work and asks about a work colleague who he says owes him money.

Contract law

Contract law is any law or regulation with the objective of enforcing certain promises, namely, their formation, scope and content, avoidance, performance and termination and remedies. This is important in risk management, as contracts hold the potential for risk, and a breach of contract may not only have repercussions with the other party or parties but may also be a breach of legislation.


Australian contract law can be broken into five key sections detailed in the table below.

Formation – A contract is a promise or a set of promises that is legally binding. This requires there to be an agreement between the parties and the intention to create a legal relationship. The parties must demonstrate legal capacity to contract, and compliance with any legal requirements must be ensured.

Scope and content – A contract is generally only able to be enforced by and against the parties to the contract. The content of a contract must allow the parties to determine what the terms of the contract are, and how they should be interpreted where ambiguous.

Avoidance – A valid contract may still be avoided as a result of a number of factors, which usually involve unfair or unconscionable action by one of the parties.

Performance and termination – Most contracts come to a natural end when the parties have performed their respective obligations. A contract may also come to an end by mutual agreement between parties, as a result of the breach of contract by one of the parties, or due to events that might prevent parties from performing their obligations as planned.

Remedies – When the terms of a contract are breached by one party, the other party is entitled to remedies; in particular, damages.

Learning activity: Contracts

What risks might be presented to an organisation when entering into a contract?


Company law

A corporation, or company, is a legal group of individuals who finance a business. The group cannot become a company until it is registered with the Australian Securities and Investments Commission (ASIC). ASIC will issue the new company with a certificate of incorporation and an Australian Company Number (ACN) which is used to identify the entity.

Key features of a company include the following.

Separate legal entity – Under Australian law a company, as a separate entity, is given all the legal rights and liabilities of a natural person, including the ability to sue others and be sued itself.

Continuous life – A company is established with the assumption of a continuous life. This means that while its owners may change, the company will continue to remain in existence unless it is liquidated.

Limited shareholder liability – A company has limited liability for shareholders, meaning that if the company fails, then only the amount of shareholder investment in the company can be claimed against, and not other investments that a shareholder may have.

Separate entity from owner – A company is a separate legal entity from its owners, i.e. the financial affairs of the owners must be separated from those of the company, and unless personal guarantees of the owners have been secured, an entity can only sue the company for damages and not the owners.

There are two types of companies in Australia: proprietary and public. The diagram below shows some major differences between the two types.

Proprietary

Cannot sell shares to public.

Are classified as large or small.

Less reporting requirements.

Public

Can sell shares to public.

Generally large companies.

Greater compliance reporting requirements.


Under section 45A of the Corporations Act 2001, a proprietary company is currently classified as ‘large’ if it satisfies at least two of the following criteria.

The consolidated gross operating revenue of the company and any entities it controls is $10 million or more.

The value of the consolidated gross assets at the end of the financial year of the company and any entities it controls is $5 million or more.

The company and any entities it controls have more than 50 employees at the end of the financial year. [4]

If a proprietary company is classified as large, then it is required to submit annual financial and directors’ reports. Small proprietary companies do not have to prepare either of these reports except in the circumstance that ASIC or shareholders with at least 5% of the company request it to.

Learning activity: ASIC

Access the ASIC website at <http://www.asic.gov.au> and review the section on running a company. Under the heading ‘Change of details’, review the checklist provided for company officers and describe three risks for an organisation if compliance is not maintained.

1.

2.

3.

The Australian Securities and Investments Commission (ASIC)

The Australian Securities and Investments Commission (ASIC) is Australia’s corporate, markets and financial services regulator. It is an independent Commonwealth Government Body with most of its work being carried out under the Corporations Act.

[4] Australasian Legal Information Institute, 2001, ‘Corporations Act 2001 - Sect 45A,’ Commonwealth Consolidated Acts, viewed April 2010, <http://www.austlii.edu.au/au/legis/cth/consol_act/ca2001172/s45a.html>.


ASIC regulates Australian companies, financial markets, financial services organisations and professionals who deal and advise in investments, superannuation, insurance, deposit taking and credit. ASIC’s main role to consider in relation to this unit is its responsibility for ensuring that company directors and officers carry out their duties honestly, diligently and in the best interest of their company.

Although ASIC administers many acts or parts of acts, as well as relevant regulations made under them, the main two are:

Corporations Act 2001

Australian Securities and Investments Commission Act 2001.

The other acts involve insurance, superannuation and medical indemnity.

The Corporations Act 2001 sets much of the legislative framework for the conduct of companies and their directors in relation to corporate governance. Internal controls need to be implemented and maintained to ensure compliance with the legislation administered by the delegated authority, ASIC.

The Australian Securities and Investments Commission Act 2001 makes provision for ASIC to ensure the performance of the financial system and entities in it, to assist investors and consumers in the financial system with appropriate information, and to administer and enforce the law effectively.

Learning activity: Director’s responsibilities

Search the ASIC website <http://www.asic.gov.au> using the search term ‘director’s responsibilities’. Name two of the director’s responsibilities listed under the heading ‘What does the law expect of you’, and for each describe a process or mechanism that you could put in place to help ensure compliance with this directive.

1.

2.

Company records compliance

Under the Corporations Law, directors are personally responsible for keeping proper company records. These could be grouped into financial records and company housekeeping records.


Up-to-date financial records must be kept so that they can:

accurately record and justify the company’s transactions

illustrate the financial position of the company and its performance.

Companies should maintain current and accurate financial records in order to ensure that:

they are able to prepare accurate financial statements of the company

these financial statements may be properly audited

the company is compliant with tax laws.

Financial statements a company would regularly prepare

Statement of Financial Performance – Shows the company’s revenue and expenses for a set period and the resulting profit or loss.

Statement of Financial Position – Shows the company’s assets and liabilities at a certain point in time.

Statement of Cash Flow – Summarises the company’s influx and efflux of cash for a set period of time.

Financial records may be kept electronically, provided they are capable of being converted into hard copy for anyone entitled to inspect them.

Note: a small proprietary company (as defined by the Corporations Act) generally is not required to lodge formal financial reports with ASIC. On the other hand, large proprietary companies, public companies and non-profit public companies must produce, audit and lodge financial reports with ASIC.

Basic financial records that companies may be required to keep by law

General ledger – Records all transactions and balances (revenue, expenses, assets, liabilities). Otherwise, summarises these balances detailed in other records.

Cash records – For example, deposit books, cheque butts, petty cash records and bank statements.

Debtor and sales records – Outlines the money made or owing to the company, for example, delivery dockets, invoices and statements issued, debtors and their balances.

Creditors and purchase records – Outlines the money spent or owed by the company, for example, purchase orders, invoices and statements received, creditors and their balances.

Wage and superannuation records – Funds paid to employees.

A register of property, plant and equipment – Shows the transactions and balances relating to individual items.

Inventory records – Value of the items that make up the company’s inventory.

Investment records – For example, certificates and notices related to dividends or interest.

Tax returns and calculations – For example, goods and services tax returns and statements, income tax, and fringe benefits.

Deeds, contracts and agreements – Legal documentation.

Learning activity: Financial record keeping

Both tax law and corporations law require that financial records are kept for between five and seven years, which can present logistics problems for an organisation if there is a large amount of physical records. Search the ATO website to determine if past records can be kept electronically and, if so, how the ATO recommends that this be managed.


Workplace legislation, awards and workplace enterprise agreements

Industrial Instruments (Awards) are laws passed by either the Commonwealth or State Parliaments that govern the rate of pay and working conditions of employees under their jurisdiction. Federally, this act was called the Workplace Relations Act 1996, with the states having similar acts such as the Queensland Industrial Relations Act 1999. The Commonwealth and state parliaments have set up commissions to check and approve awards and agreements, and to prevent and resolve disputes.

The Fair Work Act 2009

Sweeping changes have been made to workplace legislation in the years 2005 to 2009, beginning with the introduction of the Workplace Relations Amendment (Work Choices) Act 2005, followed by its replacement, the Fair Work Act (Commonwealth) in 2009. This act set out to offer:

a fair and comprehensive safety net of minimum employment conditions

a system that has at its heart bargaining in good faith at the enterprise level

protections from unfair dismissal for all employees

protection for the low-paid

a balance between work and family life

the right to be represented in the workplace.

Below are some key elements of the Fair Work Act. The organisation should be aware of these regulations to ensure its compliance. Compliance will decrease the likelihood of risk to the organisation regarding workplace relations.

Fair Work Australia (FWA) – Oversees workplace relations. Has the power to vary awards, make orders relating to minimum wage and settle unfair dismissal claims.

Unfair dismissal – Employees may lodge unfair dismissal claims to FWA within seven days if they were employed for six months or longer (twelve months if the business employs fifteen people or less).

Safety net – Examples of rights set as minimum standards: flexible working arrangements after 12 months; 12 months unpaid parental leave; contracts, agreements and policies between employers and employees that reflect the National Employment Standards (NES).

Discrimination – Prohibition of discrimination based on: race, colour, sex, sexual preferences, age, physical or mental disability, marital status, religion or pregnancy.

Increased union right of entry – Unions may enter a workplace in which they have a member who works on the premises, to investigate any suspected breaches of legislation.

Enterprise bargaining – FWA will grant approval to enterprise agreements (either single enterprise or multi enterprise) if they consider "that each employee is 'better off overall' under the agreement, compared to an applicable modern award."

Transfer of business – After the transfer of assets, employees (between related companies), outsourcing or insourcing, the work is not to be significantly different after the transfer, compared to that pre-transfer.

Learning activity: Unfair dismissal

What risks are there for an organisation with regard to unfair dismissal legislation? How can the organisation manage against the occurrence of these risks?


Awards – Industrial Instruments

Under the new Fair Work Act 2009, new National Employment Standards (NES) have been developed to underpin any award conditions and pay rates. In general, the NES sets out the following.

Figure 4: National Employment Standards

Minimum rates of pay, such as hourly rates and annual salaries.

Ordinary hours of work.

Annual leave and leave loading.

Long service leave.

Personal or carer’s leave.

Notice to be given on termination.

Rest periods.

Loadings for overtime, casual work and shift work.

Anti‐discrimination provisions.


Learning activity: Awards

Visit the websites listed below and briefly describe the information that each one provides. How does this information assist organisations in risk management?

<http://www.workplaceauthority.gov.au>

<http://www.wo.gov.au>

For state legislation see the following departmental sites.

New South Wales: <http://www.industrialrelations.nsw.gov.au>

Queensland: <http://www.wageline.qld.gov.au>

South Australia: <http://www.safework.sa.gov.au>

Tasmania: <http://www.wst.tas.gov.au>

Western Australia: <http://www.docep.wa.gov.au>

Australian Capital Territory and the Northern Territory come under federal awards.


Section summary

You should now understand the risk management process and how to establish the context for risk management activity, including the scope within which risks must be managed, the stakeholders involved, and relevant legislation. In the next chapter, we will look at Stage 1 of the risk management process: identifying risks.

Further reading

Leonard N Stern School of Business, 2010, NYU Stern, What is Risk?, viewed May 2010, <http://pages.stern.nyu.edu/~adamodar/pdfiles/valrisk/ch1.pdf>.

AIRMIC, ALARM and IRM, 2002, A Risk Management Standard, viewed May 2010, <http://www.theirm.org/publications/documents/Risk_Management_Standard_030820.pdf>.

Section checklist

Before you proceed to the next section, make sure that you are able to:

understand risk and risk management

establish the context for risk management

understand the importance of relevant legislation.


Section 2 – Identifying Risk

Risk identification is a vital stage of risk management as it develops the basis for the subsequent steps of analysing and controlling risks. Thorough and correct risk identification ensures effective risk management. If a risk is not first identified, how can it be managed? The organisation will be unable to account for such risks and so their consequences may be highly damaging to the organisation’s goals.

In this section, we will look at reviewing the organisation and factors affecting it, in order to identify risks.

Scenario: Identifying risks

Having reviewed risk management processes and the legislative framework in which the organisation operates, you now prepare for the job of identifying the risks for the chain of shoe repair stores.

You quickly realise that risk management, like most forms of management, requires input and feedback from stakeholders who affect and are affected by the risks to the organisation. With their help you will use various techniques to identify the scope of risks that could affect the organisation and set the objectives for your risk management function.

In the process of identifying risks you will assess the internal strengths and weaknesses of the organisation and the opportunities and threats from the external environment which can arise from the social, technological, economic and political spheres in which the organisation operates.

What skills will you need?

In order to work effectively as a risk manager you must be able to:

review the external environment

determine strengths and weaknesses

review and document objectives

identify risks

involve others in risk identification.


Review the external environment

To thoroughly identify risks, we must examine the external environment surrounding an organisation. This includes the political, economic, social, legal, and technological factors affecting the business.

A PEST analysis is an effective tool for investigating external environmental factors. PEST stands for the following.

P Political (or political-legal)

E Economic

S Social

T Technological

It is used when conducting an environmental analysis for strategic planning or as a framework for market research. The analysis gives an overview of big picture factors that the organisation should take into consideration.

This is a useful tool in the risk management process as it can not only aid in the identification of risks, but may also be used as a factor in the analysis of those risks identified. Examples of factors which may come to light via a PEST analysis are below.

POLITICAL

proposed laws that may affect organisation

taxation policy

merit/demerit goods

employment regulations.

ECONOMIC

interest rates

economic growth

exchange rates

inflation rates.

SOCIAL

population growth

demographics

health consciousness

social trends.

TECHNOLOGICAL

current research and development

rate of technological change

automation

technology incentives.


Learning activity: PEST analysis

Review the scenario in Appendix 3 under the heading ‘Internal and external environment’ and identify one item for each of the following in the PEST analysis.

Political –

Economic –

Technological –

Social –

Describe briefly how a PEST analysis can help identify risks for an organisation.


Learning activity: List of risks

Review the scenario in Appendix 3 under the heading ‘Internal and external environment’ and list three risks and describe which areas of the scope they belong to.

Risk Area

Describe a process you could introduce that could help you obtain information from stakeholders.


Determine strengths and weaknesses

The internal environment of an organisation must be examined to determine if it is exposed to risk through any of its operations or processes. This requires that you assess what the business is doing well, and what areas need improvement.

A SWOT analysis can be used to determine the strengths and weaknesses of an organisation. SWOT stands for the following.

S Strengths

W Weaknesses

O Opportunities

T Threats

Strengths and weaknesses are factors that are able to be controlled by the business. Strengths are the key elements that give an organisation advantage over its competitors. Weaknesses are the limitations faced by the business in achieving its objectives.

Opportunities and threats exist independent of the organisation, and are often beyond its control. Opportunities are the conditions of the environment in which the business operates which could benefit the organisation if acted upon. Threats are barriers that prevent the business from achieving its objectives.


As shown in the diagram above, an organisation should endeavour to match internal strengths with external opportunities to create the best competitive advantage. Action should be taken to turn internal weaknesses into strengths or minimise their effect on the business, and to convert threats into opportunities or avoid them.

Learning activity: SWOT analysis

Review the scenario in Appendix 3 under the heading ‘Internal and external environment’ and identify one item for each of the following in the SWOT analysis.

Strength –

Weakness –

Opportunity –

Threat –

Describe briefly how a SWOT analysis can help you to identify risks in an organisation.


Review and document objectives

As stated in the introduction, an organisation is defined by its goals and objectives. The greatest risk for an organisation is failure to achieve its strategic objectives. The risk management process must therefore document the goals of the business and determine risks as those things which will prevent those goals being fulfilled.

The mission statement of an organisation will ordinarily outline the key objectives of the business, and these are generally detailed and implemented throughout the policies and procedures. Reviewing these documents will help define the risk management process. For example, if part of the organisation’s mission statement is to produce a quality product, a potential risk is the inability to find skilled staff, or to source quality resources required for production.

Learning activity: Goals of risk process

Review the scenario in Appendix 3 and identify two goals or objectives for the task you have been assigned by Jeff to complete.

1.

2.

Describe how having goals or objectives assists in carrying out the risk management process.


Identify risks

Risks must be identified in order to be analysed and treated. The Australian Standard categorises risk identification into two categories.

1. What, where and when? This aims at generating a comprehensive list of risks that may impact the objectives.

2. Why and how? Identify the circumstances in which this risk may be realised. What would be the cause of an exposure of resources (For example, failure of ..., lack of ..., loss of..., injury to... etc.)?

The process of identification can be aided by various tools and techniques, which should be selected based on the purpose and context of the risk management activities being undertaken. Some of these tools include:

checklists

brainstorming

fishbone diagrams

flowcharts.

Checklists

Checklists can be used to help in identifying risks by using targeted questions. When trying to identify the risks within a specific context, it is important to interrogate the components as much as possible. Some questions that could be asked include:

Where are the risks likely to come from?

Who is likely to pose a risk?

What situations are likely to increase the possibility of the risk actually occurring?

Just how large are the risks?

In order to ensure this is comprehensive, the following areas within differing contexts, for example legislative risk, environmental risk, and economic risk could be used to address these questions.

Financial risk factors

Premises – e.g. suitability, size, facilities available, location, health and safety risks to workers and others, financial concerns.

Product and services – e.g. organisation’s competitive position (and potential in the future), environmental issues that affect development, waste management, lifestyle trends and demographic changes.

Purchasing – e.g. use of recognised standards, government policy on standard, protection of workers etc.

People elements

People – e.g. organisation of employees, ‘culture’, skills and competence of employees, training and supervision, OH&S (occupational health and safety), visitors to the site, wider public in the vicinity.


Actions or processes

Processes – e.g. techniques used and their associated risks, legislation requirements and skill level of employees.

Performance – e.g. stakeholder interest, health and safety, insurance claims and quality.

Management issues

Policy and strategy – OH&S, environmental and waste management, financial and purchasing control, accident investigation, reporting and rehabilitation.

Planning and organising.

Learning activity: Checklist

Use the categories outlined above, and for the Scenario provided in Appendix 3, develop a checklist of two target questions per category that could be used to identify risks.

Financial risk factors –

People elements –

Actions or processes –

Management issues –


Brainstorming

Brainstorming may be done around the following questions to attempt to identify risk to organisational objectives.

What:

o might happen

o is the impact

o are the existing controls?

How:

o could this arrive?

When:

o in the life of activity

o beyond the life of activity?

Who:

o is involved

o is affected?

Why will there be:

o changes and uncertainties

o causal factors and triggers?

Learning activity: Staff input to risk management

Brainstorm a list of approaches that you can use to encourage staff and stakeholders to provide input and participate in the development of risk management strategies for an organisation, and describe how each of these can be effective.

Fishbone diagrams

Fishbone diagrams are cause-and-effect diagrams. Use of the fishbone diagram encourages a systematic approach to identifying risks that looks beyond the obvious causes of a problem. The starting point for creating the diagram is identification of a problem. This is stated as the effect. The 'bones' show the types of variables that might play a part in the root cause.

Causes are usually grouped into major categories, which typically include the following.

People – anyone involved with the process.

Methods – how the process is performed and the specific requirements for doing it, such as policies, procedures, rules, regulations and laws.

Machines – any equipment, computers, tools etc. required to accomplish the job.

Materials – raw materials, parts, pens, paper, etc. used to produce the final product.

Measurements – data generated from the process that are used to evaluate its quality.

Environment – the conditions, such as location, time, temperature, and culture in which the process operates.

Causes can be generated from brainstorming activities, and then grouped and used as labels on the fishbone. Below is an example fishbone diagram showing the 8 P’s. The 8 P’s are factors affecting the service industry which have the potential to cause or contribute to problems and create risk. The smaller bones connect sub-causes to major causes and show the escalation of risk.

Figure 5: Fishbone diagram

Learning activity: The 8 P’s

Use the internet to find the 8 P’s of the service industry and create a fishbone diagram for them below. Ensure you include at least one variable for each category included on the ‘bones’ of the diagram. (You may find it easier to create the diagram using a separate piece of paper).

Flowcharts

A flowchart is a diagram commonly used to demonstrate the steps in a solution for a problem. They are frequently used to design, analyse, document and manage processes.

Flowcharts use various symbols and shapes to represent different facets of a process, and arrows to show flow of information, communication and control. Some of the symbols include the following.

Circles, ovals or rounded rectangles showing start and end points. The shape will usually contain the word ‘start’ or ‘end’, or a specific phrase that indicates the start or end of a process, such as ‘submit enquiry’.

Rectangles showing processing steps, for example ‘replace identified part’ or ‘save changes.’

Parallelograms showing input/output, for example ‘get feedback from the user.’

Diamonds representing conditional steps or decisions. These would usually contain a 'yes/no' or 'true/false' test.

Learning activity: Flowchart

Create a simple flowchart using the symbols above to show the process for dealing with a lamp that won’t function. You will need to think about reasons the lamp may not be working, and address these, and appropriate responses or actions, in your flowchart.

Learning activity: Risk management tools

Research the internet for tools or templates that you could use in risk management processes in an organisation. Identify three that you think you could use and describe why and how you think these could be helpful. Include a brief description of each tool as well as the web URL.

TOOL –

URL –

WHAT THE TOOL DOES –

HOW THE TOOL COULD BE HELPFUL –

TOOL –

URL –

WHAT THE TOOL DOES –

HOW THE TOOL COULD BE HELPFUL –

TOOL –

URL –

WHAT THE TOOL DOES –

HOW THE TOOL COULD BE HELPFUL –

Research

The process of risk identification is much aided by the use of both internal and external research. This may be in the form of:

past records

data and statistical information

relevant published credible literature

the result of public consultation

market research.

To ensure a thorough risk analysis, several of these sources of information could be used. Information can be collected in many ways, some of which are listed below.

Primary data collection techniques

Primary data collection refers to data collected by the user. Data collected is unique to the organisation and is not publicly available unless the researcher chooses to publish it.

Some common methods of primary data collection include interviews, focus groups, surveys and questionnaires, observations, and diaries.

INTERVIEWS

Interviewing can be used to identify the underlying reasons and motivations for people’s attitudes, preferences or behaviour. They can be individual or group-based.

Advantages

Serious approach by respondent resulting in accurate information.

Good response rate.

Completed and immediate.

Possible in-depth questions.

Interviewer in control and can give help if there is a problem.

Can investigate motives and feelings.

Can use recording equipment.

Characteristics of respondent assessed – tone of voice, facial expression, hesitation, etc.

Can use props.

If one interviewer used, uniformity of approach.

Used to pilot other methods.

Disadvantages

Need to set up interviews.

Time consuming.

Geographic limitations.

Can be expensive.

Normally need a set of questions.

Respondent bias – tendency to please or impress, create false personal image, or end interview quickly.

Embarrassment possible if personal questions.

Transcription and analysis can present problems – subjectivity.

If many interviewers, training required.

FOCUS GROUPS

A focus group is an interview conducted by a trained moderator in a non-structured and natural manner with a small group of respondents. The moderator leads the discussion. The main purpose of focus groups is to gain insights by listening to a group of people from the appropriate target market talk about specific issues of interest.

QUESTIONNAIRES

Questionnaires are a popular means of collecting data, but are difficult to design and often require many rewrites before an acceptable questionnaire is produced.

Advantages

Can be used as a method in its own right or as a basis for interviewing or a telephone survey.

Can be posted, emailed or faxed.

Can cover a large number of people or organisations.

Wide geographic coverage.

Relatively cheap.

No prior arrangements are needed.

Avoids embarrassment on the part of the respondent.

Respondent can consider responses.

Possible anonymity of respondent.

No interviewer bias.

Disadvantages

Design problems.

Questions have to be relatively simple.

Historically low response rate (although inducements may help).

Time delay whilst waiting for responses to be returned.

Require a return deadline.

Several reminders may be required.

Assumes no literacy problems.

No control over who completes it.

Not possible to give assistance if required.

Problems with incomplete questionnaires.

Replies not spontaneous and independent of each other.

Respondent can read all questions beforehand and then decide whether to complete or not. For example, perhaps because it is too long, too complex, uninteresting, or too personal.

OBSERVATIONS

Observation involves recording the behavioural patterns of people, objects and events in a systematic manner.

Observational methods may be:

structured or unstructured

disguised or undisguised

natural or contrived

personal

mechanical

non-participant

participant, with the participant taking a number of different roles.

DIARIES

A diary is a way of gathering information about the way individuals spend their time on professional activities. They are not about records of engagements or personal journals of thought! Diaries can record either quantitative or qualitative data, and in management research can provide information about work patterns and activities.

Advantages

Useful for collecting information from employees.

Different writers compared and contrasted simultaneously.

Allows the researcher freedom to move from one organisation to another.

Researcher not personally involved.

Diaries can be used as a preliminary or basis for intensive interviewing.

Used as an alternative to direct observation or where resources are limited.

Disadvantages

Subjects need to be clear about what they are being asked to do, why and what you plan to do with the data.

Diarists need to be of a certain educational level.

Some structure is necessary to give the diarist focus, for example, a list of headings.

Encouragement and reassurance are needed as completing a diary is time-consuming and can be irritating after a while.

Progress needs checking from time-to-time.

Confidentiality is required as content may be critical.

Analysis problems, so you need to consider how responses will be coded before the subjects start filling in diaries.

Secondary data collection techniques

Secondary data is collected by someone other than the user. It can be sourced from existing survey results, databases, statistical research organisations, published reports, case studies and published texts.

It is important to ensure that data is obtained from trusted sources, to ensure it is valid and reliable. There are questions that you should consider when selecting existing data for use in your audit.

What was the researcher’s objective in collecting the data?

What data was collected and what is it supposed to measure?

When was the data collected?

What methods were used?

How is the data organised?

What information is known about the success of that data collection?

How consistent is the data with data from other sources?

Essential qualities of information

The aim of any data collection activity is always to aid in decision making. The decisions that are made will only be as good as the data collected. It is essential then that data is ‘quality tested’ to ensure it will produce the desired results.

Data should be as follows.

Accurate – Information collected through audit activities should be precise and a true reflection of the relevant events, subjects and issues.

Relevant – Data collected should be directly related to the intent and objectives of the audit or collection process.

Reliable – Data must be verifiable and well supported by background information.

Learning activity: Risk research

Identify at least three different ways that risk in a business environment can be researched, and describe the types of information you are likely to gather from each approach.

Involve others in risk identification

Communication and consultation should take place at every step of the risk management process with both internal and external stakeholders. Therefore a communication plan for both these parties should be developed early in the process.

This plan should address issues relating to the risk itself, the likelihood of the risk, its potential consequences, and measures being taken to manage the risk. Communication is vital in risk management as it ensures that those accountable for implementing risk management, as well as other stakeholders, understand the reasoning behind decisions, and why particular actions are required.

Identification of risks should never be the responsibility of one individual. Consulting a team of people with different areas of expertise means that many viewpoints are represented and the identification process is thorough. Including stakeholders in the process also facilitates a sense of ‘ownership’ for risk management activities.

Some key skills that you will require for involving others and maintaining communication with stakeholders are described in the table below.

Active listening

Keep the purpose in mind – know why you are listening and what you are listening for.

Listen to what’s not said – learn to read gestures and facial expressions, not just listen to words.

Give feedback – acknowledge and respond to what you hear, without interrupting.

Be sensitive – show that you listen to and understand the other person’s point of view, even though you may not agree with it.

Encouraging feedback

Value feedback – recognise that you need feedback to build an accurate picture of what is occurring.

Do not react – show respect for feedback even when it is critical.

Don’t point fingers – use feedback to diagnose and fix problems, without laying blame.

Facilitating discussion

Step back – establish the purpose or goal for the group, and then let the group continue the discussion.

Bring focus – ensure the discussion stays on track by reminding the group of the established purpose.

Be open – don’t voice personal opinions or make judgments about proposed ideas, just listen.

Be fair – make sure everyone has an opportunity to participate, express an opinion or contribute an idea.

Summarise – rephrase key points and bring clarification to any decisions or planned actions when needed.

Effective questioning

Directive questions – seek facts and concrete answers

Non-directive questions – deal with emotions, feelings and attitudes.

Reflective questions – clarifying information being provided, rephrasing, etc. (e.g. ‘Do you mean...’)

Closed questions – allow limited responses, such as ‘Yes’ or ‘No’.

Open questions – allow for unlimited response.

Probing questions – seek further response to a question already asked, often in response to the answer given.

Learning activity: Staff involved

In reference to the scenario provided, who would be most beneficial to involve in the process of risk identification, and why would you include them in gathering input to risk identification?

Section summary

You should now understand how to evaluate the internal and external environments of an organisation, review organisation objectives, identify risk and include stakeholders in the process.

Further reading

The University of New South Wales, 2010, UNSW Risk Consequence Assessment Tool, viewed May 2010, <http://www.fin.unsw.edu.au/files/forms/rmu/UNSW_Risk_Risk_Assessment_Tool.pdf>.

Australian Government, 2010, Risk Analysis, viewed May 2010, <http://www.ga.gov.au/image_cache/GA10820.pdf>.

Section checklist

Before you proceed to the next section, make sure that you are able to:

review the external environment

determine strengths and weaknesses

review and document objectives

research risks

identify risks

involve others in risk identification.

Section 3 – Analysing and Evaluating Risk

It is not enough for an organisation to merely be aware of risks. Once they have been identified, risks must be analysed to determine the probability of occurrence and expected impact. This chapter looks at conducting this analysis, and using it to form an action plan to deal with risks.

Scenario: Preparing a risk action plan as the new operations manager for a shoe repair chain

With the help of stakeholders, and the use of other research methods, you have been able to create a list of all the perceivable risks that could impact on the shoe repair store chain.

You are already aware that compiling a list of risks is only the first part of the risk management story, because the second part, management, requires analysis, assessment, evaluation and prioritisation to determine the best use and allocation of an organisation’s resources.

You will use an approach that looks at each risk on a likelihood and consequence basis to determine the priority levels that each should be given. You will then consider the possible options for treating each risk starting with the highest priority and working to the lowest.

To assist you in this function you will prepare a risk management action plan that quite clearly shows your reasoning for establishing the risk priority levels, and the actions needed to manage the risks.

What skills will you need?

In order to work effectively as a risk manager you must be able to:

determine likelihood of risk

assess consequence of risk

evaluate and prioritise risk

determine risk treatment options

develop an action plan for treating risks.

Risk analysis is about developing an understanding of the risk. It provides an input to decisions on whether risks need to be treated and the most appropriate and cost-effective risk treatment strategies.

AS/NZS 4360:2004

Determine likelihood of risk

The first step in risk analysis is to determine the likelihood of risks. Likelihood refers to the probability that a risk will occur, and is measured in terms of the following scale. Note that the classification of risks must take into account the specific circumstances, for example, the flooding of a warehouse may range from rare if it is located in a region that receives little rain to frequent if it is located somewhere that is often subject to flooding.

Rare – May occur only in exceptional circumstances, e.g. death of an employee at work.

Unlikely – Event is unlikely to occur but is possible, e.g. an employee crashing a company car.

Possible – Event could occur, e.g. rain on the day of an outdoor event.

Likely – Event likely to occur once or more during the life of the project, e.g. first aid injury.

Frequent – Event will occur many times during the life of the project, e.g. a busy street.

Figure 3: Likelihood of risk occurring

Learning activity: Board role for risk management

PricewaterhouseCoopers believes that boards can play a vital role in improving the quality of risk management information provided to them to review and/or act on. A discussion paper published by them at <http://www.pwc.com.au/assurance/risk-controls/publications/information-gap.htm> describes five steps that can help boards get the information they require. Based on the likelihood scale above, describe which risks would be included in the statement ‘Be clear about what matters’, i.e. would you include all items on the scale, or just frequent risks? Identify the cut-off you would apply and explain why.

Learning activity: Risk likelihood

Review the scenario in Appendix 3 under the heading ‘Research findings’ and select the issues you think would occur rarely and those you think are almost certain to occur. Give your reasons.

Likelihood Reasons

Rare

Almost certain

Learning activity: Revised risks

Some organisations assess risk, and apply a control, and then reassess risk immediately (rather than waiting for a review period some time later). How could this provide relevant information for risk management to the organisation? State your reasons.

Research the internet for risk management tools that include two layers of assessment in this way. (Hint: some risk management organisations use the term ‘residual risk’). Briefly describe the tool, and include a copy in your workbook.

Assess consequence of risk

The next step in risk analysis is to assess the potential consequence or impact of the risk on the organisation and its objectives. The general levels of consequence are as follows.

Catastrophic

multiple injuries/death

regulatory intervention

net revenue loss or asset damage exceeds $x

damage to reputation at international level

long-term environmental damage (5 years or longer).

Major

single stakeholder

breach of licenses, legislation, regulation or mandated standards

net revenue loss or asset damage between $xxxx

damage to reputation at national level

medium-term (1-5 yr) environmental damage.

Minor

breach of internal procedures or guidelines

net revenue loss or asset damage between $x – $x

adverse news in local media

environmental damage, requiring up to $250,000.

Insignificant

no breach of licenses, standards, guidelines or related audit findings

net revenue loss or asset damage $x

public awareness may exist, but there is little public concern

negligible environmental impact.

Learning activity: Risk consequence

Review the scenario in Appendix 3 under the heading ‘Research findings’ and select an issue you think would have an insignificant consequence and an issue you think would have catastrophic consequences. Give your reasons.

Consequences Reasons

Insignificant

Catastrophic

Learning activity: One of each

Think about your community or workplace and give an example of each of the following risks.

Rare and catastrophic –

Frequent and insignificant –

Possible and moderate –

Evaluate and prioritise risk

Now that you have determined both the likelihood and consequence of risk, the two are combined to determine the rating. The most effective method of risk analysis is to generate a risk matrix. A risk matrix is shown below; where the identified consequence meets the identified likelihood, a risk rating is given.

| LIKELIHOOD \ CONSEQUENCE | Insignificant | Minor | Moderate | Major | Catastrophic |
| --- | --- | --- | --- | --- | --- |
| Almost certain | HIGH | HIGH | EXTREME | EXTREME | EXTREME |
| Likely | MEDIUM | HIGH | HIGH | EXTREME | EXTREME |
| Moderate | LOW | MEDIUM | HIGH | EXTREME | EXTREME |
| Unlikely | LOW | LOW | MEDIUM | HIGH | EXTREME |
| Rare | LOW | LOW | MEDIUM | HIGH | HIGH |

Learning activity: Risk evaluation

Nearly all organisations and systems use the same or a very similar risk evaluation tool as outlined above. Describe how you think the one illustrated below is different, and when it might be suitable to use.

The allocation of a risk rating should prompt a decision to be made about the action to be taken, as below.

Extreme – IMMEDIATE senior management action, e.g. multiple deaths of employees.

High – Action plan needed, allocated responsibilities, e.g. damage to valuable assets.

Medium – Risk requires only monitoring and review, e.g. loss of assets due to staff theft.

Low – Risk accepted - but not ignored, e.g. a paper cut.

Figure 4: risk rating and associated action

Risks can then be prioritised based on the level of action required.

Learning activity: Risk priorities

Review the scenario in Appendix 3 under the heading ‘Research findings’ and select an issue you think would be rated ‘Extreme’ and an issue you think would be rated ‘Low’. Give your reasons.

Priorities Reasons

Extreme

Low

Types of analysis

Qualitative analysis may be useful as an initial screening to identify if further analysis of risk is required, when the analysis is appropriate for decisions, or when numerical data or resources are inadequate. It uses descriptive scales to describe the potential consequences. So far throughout this section we have been using qualitative risk analysis. The risk matrix above is an example of this method.

Semi-quantitative analysis sets values to the risks in order to produce a more expanded ranking scale than that which is usually achievable from qualitative analysis. These values are not the predicted realistic figures calculated in quantitative analysis. It is important that the limitations of this form are recognised and that it is combined with a formula or explanation.

Quantitative analysis of risks uses numerical values (as opposed to words) to analyse both the consequence and likelihood of risks. The quality of this analysis is dependent on the data from which it was initially sourced. The outcomes may be expressed in terms of monetary, technical, or human impact. Examples of quantitative risk analysis are as follows.

o Risk of financial loss:

o Fatality risk. This calculation gives a value of 0 – 1. The closer the value to one, the greater the risk.

Learning activity: Financial loss

Using the formula above for financial loss, calculate the expected loss for a car wash that loses $500 in wages for every day it rains. The car wash is located in Brisbane where it rains on average 122 days per year, and on days when it is not raining it makes $300.

If the same business with the same loss and profits was moved to Melbourne, with an average of 148 rainy days, explain what could happen to the business.

Learning activity: Extreme action

Name a situation at work or at home you would rate as ‘Extreme’.

List three things you would do in the first few minutes.

1.

2.

3.

Determine risk treatment options

Risk treatments

There are several ways to manage risk. The Australian Standard outlines the following.

Avoid the risk. This may be done by ending the activity that gives rise to the risk. Inappropriate risk avoidance may result in an increased significance of the risk or result in the loss of opportunity.

Reduce the likelihood of the risk, i.e. reduce the likelihood of a negative impact on objectives.

Reduce the consequences, that is, decrease the extent of the damage. An example of this is reducing the inventory or making continuity plans.

Share the risk. This involves other parties bearing a portion of the risk (preferably by mutual consent). This may take place in the form of insurance arrangements, contracts, partnerships or joint ventures, all of which spread the responsibility and burden of the risk with another. This usually comes at a financial expense (e.g. premiums paid for insurance, decrease in positive outcome of risk seen by the individual organisation) and also creates another risk, namely that the parties with whom the risk is shared will not manage it effectively.

Retain the risk. After the altering or sharing of a risk, there exist residual risks which are retained. This also may take place by default as a result of failure to identify or manage a risk.

Hierarchy of control

The hierarchy of control for OHS risk management identifies the preferred option to the least preferred option. If possible, eliminate the risk. The least preferred option is for employees to be provided with personal protection in the management of risk. There are better options between the most preferred and the least preferred.

Can you eliminate the risk? Yes – then eliminate the risk.

For example, repair damaged equipment.

Can you reduce the risk? Yes – then reduce the risk.

For example, hire a bus with seatbelts as opposed to one without.

Can you isolate the risk? Yes – then isolate the risk.

For example, a locked plant room for chemicals.

Can you reduce the risk by control? Yes – then introduce administrative controls.

For example, occupational health and safety induction.

Then provide personal protection according to AS/NZ standard.

For example, gloves, safety goggles, sunscreen.

Figure 5: Hierarchy of risk control – adapted from Cole (2005)

When managing risk, particularly OHS related risk, there are key questions that managers need to be able to answer. These are as follows.

1. Are there legislated activities or practices that must be done or implemented in relation to the specific hazard?

2. Is there a Code of Practice relating to the specific hazard?

3. Are there existing controls? If so:

a. are the controls as high as possible in hierarchy of control priorities

b. do controls protect everyone exposed to harm?

4. What additional controls are required?

The following table is from the Risk Management Code of Practice 2007 (Workplace Health and Safety Queensland) and gives some examples of how control measures can be implemented.

| Control measure | Comment | Examples of use |
| --- | --- | --- |
| Elimination | Control the hazard at the source. This is the most effective control measure and removes the risk by removing the hazard or changing the work processes. | Contract tasks out to specialists who have appropriate facilities. |
| Substitution | Replace the hazard (e.g. plant or substance) with another that has a lower risk. | Use a machine with better guarding or use a less hazardous chemical that does the same job. |
| Isolation | Remove or separate people from the source of the hazard. | Use rubber mats to lift workers off a concrete floor or segregate work processes. |
| Minimise by engineering means | Change the physical characteristics of the plant or workplace to remove or reduce the risk. | Modify a machine so it can be used by remote control. |
| Administrative measures | Use policies, procedures, signs and training to control risk. | Review systems of work so that nobody works alone at night or train workers in safe lifting techniques. |
| Personal protective equipment (PPE) | Provide equipment or clothing designed to protect the worker. | Provide hats and long shirts to protect outdoor workers against the sun. |

Note: If there is a provision within the workplace health and safety regulation for your state about any hazards identified then they must be controlled in the way specified by the regulation. Similarly, if there is a Code of Practice about any of the hazards you have identified then you must do what the code of practice says or adopt and follow another way that gives the same level of protection against the risks. Whilst the law does not demand compliance with codes of conduct, insurance providers do, and non-compliance with these will either result in significantly increased insurance premiums or voiding of the insurance cover.

Learning activity: Risk treatment options

Review the scenario in Appendix 3 under the heading ‘Research findings’ and select an issue and then apply the hierarchy of control to develop options.

Issue:

| Hierarchy of control | Options |
|---|---|
| Can you eliminate the risk? | |
| Can you reduce the risk? For example, by substitution. | |
| Can you isolate the risk? For example, with guards and barriers. | |
| Can you reduce the risk by control? For example, safe operating procedures. | |
| Then provide personal protection according to AS/NZ standard. | |

Learning activity: Risk controls in a shop environment

You have a retail store and you know you cannot always be in front of the till, so there is a risk that cash could be mishandled by store staff. Describe how you could:

reduce the risk

isolate the risk

introduce control of some form.

Reduce –

Isolate –

Control –

Learning activity: Hierarchy of control

In reference to the hierarchy of control, decide which option is the best treatment for each of the risks you have identified in the earlier activity against the scenario.

Assessing risk treatment options

When selecting the most appropriate treatment options for risk, the costs and benefits of each treatment must be carefully considered. It is important to consider all direct and indirect costs associated with each treatment, and both tangible and intangible benefits.

However, the costs and benefits need to be considered in light of the risk rating. The cost of managing a potentially catastrophic risk cannot simply be evaluated in financial terms as the cost of failing to manage the risk could far outweigh the initial cost of actions required to prevent its occurrence.

The following needs to be considered when choosing an appropriate treatment for a risk:

acceptability to all

administration efficiency

capacity compatibility

continuity of effects

contracts

cost effectiveness

economic and social environment

equity

individual freedom

jurisdictional authority

objectives

regulatory

risk creation

timing.

Learning activity: Risk vs. freedom

Examine the list above and describe why you think equity and individual freedom are included in it. It may be best to describe a control that restricts a worker’s freedom in order to reduce risk in the workplace, and then describe why this should also be considered from the individual’s viewpoint.

Learning activity: Common business risks

Research the internet for common risks in the financial services sector and use the table below to list practical ways to manage identified risks.

| Risk | Control |
|---|---|
| | |

Develop an action plan for treating risks

Plan early

Experienced operators know that risk management is a proactive process. It is not the thing you do when a risk emerges because by then it may be too late. Effective risk action plans are those that are part of the operations of the organisation.

Problems that start small can escalate into large threats, or a risk may appear suddenly that threatens the reputation of the entire organisation. Having risk management processes and planning in place when these happen could stop the escalation and minimise the impact from the sudden disaster.

Learning activity: Risk timelines

Sketch a flow chart of a timeline for implementing a new product within an organisation and identify at what points or phases risk assessment would take place.

Risk action plan

The risk action plan outlines how the risk is to be managed and a timeline for this process to take place. It should include:

the risk

risk rating

treatment activity or controls

roles and responsibilities for those involved

timeline

monitoring arrangements.

See Appendix 1 for an example risk action plan template.

Learning activity: Action plans

Volunteering Australia uses a one-page risk action plan, which can be found at <http://www.volunteeringaustralia.org/files/NSJ4PVPMDM/Risk%20Action%20Plan.pdf>.

Review the form, and describe when or how you could use a similar form in an organisation where you are the risk manager. The key issue to describe is whether you think this form is suitable for all risk planning and management processes, including your reasoning.

Internal control procedures

Internal control processes are an effective form of risk treatment for an organisation.

When designing and implementing an internal control procedure, it is important that it fulfils at least one of the following eight criteria.

Completeness – that all records and transactions are included in the reports of business.

Accuracy – the right amounts are recorded in the correct accounts.

Authorisation – the correct levels of authorisation are in place to cover such things as approval, payments, data entry and computer access.

Validity – that the invoice is for work performed or products received and the business has incurred the liability properly.

Existence – of assets and liabilities. Has a purchase been recorded for goods or services that have not yet been received? Do all assets on the books actually exist? Is there correct documentation to support the item?

Handling errors – errors in the system have been identified and processed.

Segregation of duties – to ensure certain functions are kept separate. For example, the person taking cash receipts does not also do the banking.

Presentation and disclosure – timely preparation of financial reports in conformity with generally accepted.

Learning activity: Internal controls

For each of the internal controls listed below, describe or give an example of what could go wrong if the control is not implemented correctly or thoroughly.

Completeness –

Accuracy –

Authorisation –

Physical controls

Physical controls relate to security devices and measures designed to eliminate unauthorised access to physical assets including the organisation’s sensitive documents and records. Preventing access ensures that the assets are not used, removed or destroyed without proper authority.

Examples of physical controls include the following.

Secured storeroom – usually a fire resistant, thick walled room that is lockable.

Having a stores clerk – a person that is responsible for the movement of supplies in and out of the store room, and ensuring that all movements are recorded and stock takes balance.

Placing permanent identification codes on valuable assets – this allows an asset register to be created and stock takes to be done to identify missing assets.

Using safety deposit boxes – very common security device in banks. Can be installed in businesses. Often require two people to open the box.

Password protection on electronic files – this can be set at all levels (logging on, into selected applications and access to selected files within applications). Without the password, you cannot gain access.

Learning activity: Physical controls

As the operations manager, you have been asked to appoint a stores person to monitor the movement of supplies and make sure physical stock takes mirror the balances calculated from the source documentation of supply movement. Explain how having a stores person appointed to the supplies process creates a physical control over the supplies.

Insurance

Insurance involves paying premiums to share certain risks with another organisation. Insurance should only be considered as a risk management option when other treatments have not been successful in reducing a risk to an acceptable level for the organisation. That being said, it is still an important part of many risk action plans.

Generally, there are two types of insurance.

Life insurance – management of the risk of death or disability.

General insurance – covers the sharing of all other risks, e.g. property damage, workers’ compensation, motor vehicle insurance.

Some insurance is required by legislation. For example, organisations that employ staff must have workers' compensation, and those that own motor vehicles must take out compulsory third party motor vehicle insurance. Other insurances are purchased at the discretion of the organisation, according to its determined needs.

When investigating insurance you need to consider three things:

1. Which risks to insure against.

2. Which insurance company to insure with.

3. What level of insurance to obtain against the risk.

Choosing an insurance company

Your organisation can purchase insurance either directly from an insurance company, or alternatively, it may be acquired through an insurance broker. An insurance broker is often able to source insurance products that suit the specific needs of an organisation, and can assist you in getting the best product for the best price.

Always ensure that the broker or company you choose to deal with is known and has a good reputation. If the company or broker you choose is not well known, check with the Australian Prudential Regulation Authority to make sure they are registered.

Choosing a Policy

When evaluating and selecting an insurance product, you should consider the following questions.

What insurance do you need? Does the policy meet your requirements or are you paying for added extras that you don’t need?

Have you read the policy carefully, including the fine print? What is covered by the policy and what is excluded from it?

Do you have to pay an excess on a claim? Under what circumstances?

What is the limit applied to individual claims? Does a limit apply to payouts in a single period?

Is the option of goods replacement instead of cash available in the policy?

Is property insured for the present market value or is an ‘old for new’ replacement provided as part of the policy?

Is the value you have insured the product for sufficient?

Have you provided all the necessary information?

Have you done all that the policy requires in order to maintain coverage?

Learning activity: Risk insurance 1

Research the internet for types of insurance available for business risks (e.g. theft, staff injury, compliance issues, fraud, fire, etc.) and briefly describe the different types of insurance available.

Types of insurance

In order to reduce the risk to your organisation and its stakeholders, there is a range of insurance policies available. The following table outlines some forms of insurance policies and what they cover.

| Insurance type | Policy details |
|---|---|
| Workers’ compensation | Covers against employee injury, employee sickness or employee death regardless of employer’s negligence. This is compulsory for all employers. |
| Motor vehicle comprehensive | Covers your organisation’s vehicles and the damage they cause to others’ property. This policy covers theft, fire and legal cost. |
| Motor vehicle third party | Covers against the damage made by your vehicles to other people’s property. The insured car is only covered against fire or theft. |
| Contents insurance | Protects against damage or destruction by the causes stated in the building insurance policy and by theft. It is important to identify if the policy provides compensation for only the depreciated value of insured items or reinstatement or replacement, in which case the new replacement cost will be paid. |
| Consequential loss | Covers against loss of profits following the occurrence of a specified incident (e.g. fire) until the organisation is able to resume business. This type of policy must be regularly reviewed to ensure the amount of lost profits is up to date and takes into account inflation. The insured period during which payments are to be made should be long enough that it allows for the re-establishment of business. |
| Professional indemnity | Insures against the legal liability arising from professional negligence when an organisation claims to provide reliable advice which proves detrimental to the person receiving it. |

| Insurance type | Policy details |
|---|---|
| Building insurance | Covers against damage to structures owned by the organisation. This may include damage caused by fire, storm, tempest, lightning, explosion, impact by vehicles, animals, aircraft, earthquakes, riots, malicious acts and flood. This usually covers only the depreciated value of the building insured at the time of loss. It does not cover the replacement cost of the building, as this requires reinstatement or replacement insurance. |
| Public liability | Covers the organisation’s responsibility to pay compensation to persons other than employees who suffer injury, suffer damage to property or die. This policy only covers the above incidents when they are due to the organisation’s negligence and take place either on its premises or due to its operations. |
| Manufacturer’s liability | Covers manufacturers against claims arising from defective products which are unfit for the purposes for which they were sold (even to benefit charity). |

Learning activity: Drivers vs. insurance

An organisation has insurance for damage to vehicles, so long as the registered staff drivers are licensed, over 25, and have not been the responsible party in an accident within the last three years. Outline/draft a simple checklist-based form that could be used within the organisation for potential drivers to complete each time they collect company vehicle keys from the administration office.

Learning activity: Credit card risk

Most banks and financial institutions offer some kind of fraud or misuse of credit card insurance for card-holders, with a few provisos. Describe some common requirements (i.e. risk management controls for the financial institution) that are expected of card-holders in order to qualify for the insurance cover. You should come up with at least two simple requirements, but may come up with more, by reviewing the ANZ Security Centre at the URL below.

<http://www.anz.com/auxiliary/security-centre/fraud-security-centre/protect-yourself/online-security-tips/>

Learning activity: Risk insurance 2

Research the internet for Australian insurance providers that would suit the scenario provided. Identify three that you think you could use, and explain why each is suitable.

INSURANCE PROVIDER –

HOW PROVIDER IS SUITABLE –

INSURANCE PROVIDER –

HOW PROVIDER IS SUITABLE –

INSURANCE PROVIDER –

HOW PROVIDER IS SUITABLE –

Workplace adjustment

Sometimes it can be necessary to make adjustments in the workplace to accommodate people with a disability. Adjustments can be undertaken in a number of different ways, some of which are outlined below.

Selection process

discuss potential changes to non-core requirements of position

applicants may ask a friend to attend the interview

provide a signing interpreter for hearing impaired employees if needed.

Work area design

make physical changes to workplace, for example:

o movement or adjustment of furniture

o adjustment of lighting

o lowering benches.

Job design

exchange certain tasks to aid people with disabilities:

o e.g. telephone duties may be exchanged for filing duties for someone with hearing impairment.

Flexible work practices

flexible work hours

regular breaks

working from home.

Workplace access

unobstructed access needs to be provided to all public use areas. This may involve:

o the installation of ramps

o clear markings on steps

o provision of dedicated parking spaces near a wheelchair accessible entrance

o lowered control panels

o accessible emergency phones in elevators.

Providing equipment

a telephone typewriter (TTY)

voice recognition software

speech synthesiser.

Ensure the individual is consulted before purchasing equipment, as even people with similar disabilities may have different needs.

Training and development

Access to training and development opportunities needs to be ensured for people with disabilities. This may be done by:

o conducting courses in accessible areas

o providing a signing interpreter.

Workplace Modifications Scheme

While the majority of employees with a disability won’t require any workplace modifications, for some the barrier preventing them from doing a job is that a workplace doesn’t accommodate them. Some might only need minor adjustments to the workplace that can easily be made at minimal cost. Sometimes what’s needed is an adjustment to the work environment or some special tool or technology that will enable them to perform a job to their full potential.

For employers, the Workplace Modifications Scheme (WMS) aims to make accommodating workers with disability in your workplace easier. It’s a pool of funds available to pay for the cost of any special equipment or adjustments that are needed to accommodate an employee in a job.

Sometimes the help needed by an employee may be as simple as providing them with an alarm wristwatch to remind them of when they need to do certain tasks. Other times more complex solutions are needed to accommodate them, such as building a wheelchair ramp to a workstation or installing special lighting in the workplace.

The amount of funding available for each workplace modification usually isn’t limited, which means that there’s flexibility to provide workplace solutions that really meet the individual needs of both employers and employees.

Funding is available to help employers accommodate both new and existing employees with disability. To be eligible, an employee must be employed for at least eight hours a week in a job that’s reasonably expected to last 13 weeks or more.

Extract from ‘An employer’s guide to employing someone with disability’, <www.workplace.gov.au>.

Learning activity: Risk management and workplace modifications

Research the internet to find an example of a disability within a work environment, and an adjustment that was made to allow for the disability.

Section summary

You should now understand how to analyse and evaluate risk, specifically the concepts of probability and consequence, as well as risk acceptance.

Further reading

The University of New South Wales, 2010, UNSW Risk Consequence Assessment Tool, viewed May 2010, <http://www.fin.unsw.edu.au/files/forms/rmu/UNSW_Risk_Risk_Assessment_Tool.pdf>.

Australian Government, 2010, Risk Analysis, viewed May 2010, <http://www.ga.gov.au/image_cache/GA10820.pdf>.

Work Place, Australian Government, 2010, An employer’s guide to employing someone with disability, viewed May 2010, <www.workplace.gov.au>.

Section checklist

Before you proceed to the next section, make sure that you are able to:

determine likelihood of risk

assess consequence of risk

evaluate and prioritise risk

determine risk treatment options

develop an action plan for treating risks.

Section 4 – Treating Risk

This section looks at the implementation of the risk action plan developed in the previous section.

Scenario: Treating, monitoring and evaluating the risk management process as the new operations manager for the shoe repair chain

From the options developed previously, and in consultation with key stakeholders, you determined the most appropriate risk management strategy and actions for each risk. You then presented your risk management action plan to the CEO who, after consultation and discussion about monitoring the plan, made some adjustments. You were then asked to implement the plan.

Accepting the fact that all good plans need constant monitoring and evaluation, you build control measures into the plan to help signal when actions are delayed, ineffective or not being actioned. You rely on these control measures to inform you when things are not going according to plan. You also instigate internal and external audits to provide an extra dimension to the monitoring and evaluation process.

What skills will you need?

In order to work effectively as a risk manager you must be able to:

implement the risk action plan

monitor the risk action plan

evaluate the risk management process.

Implement the risk action plan

Implementation of the risk action plan requires participation from the organisation, and therefore should involve the following stages.

communicating the plan

documenting procedures

training.

Communicating the plan

A good starting point for implementation of the action plan is the communication of the risk management process and strategies. It is essential that everyone in the organisation understands the importance of risk management, who the key people are and how they can contribute to the process.

Stakeholders make judgments on risk based on their perception. Their viewpoints can significantly affect decisions made, so it is important that their perceptions and opinions are documented and considered.

A communication plan should:

facilitate the exchange of information between stakeholders

be transparent, accurate and understandable

be useful.

Learning activity: Communicating the plan

Having developed your risk management action plan for the case study in Appendix 3, describe an effective way to communicate it to the relevant stakeholders.

Senior Management Support

For the risk management plan to be successful it is important to ensure the support of senior management. This may be accomplished by:

obtaining the active ongoing support of the organisation’s directors and senior management

appointing a senior manager or similar champion to lead the initiative

obtaining the commitment and support of all senior managers.

Learning activity: Gaining staff support

Describe three different ways that you, as a manager responsible for risk management in the workplace, would obtain the support of staff in an organisation for risk management practices.

Communication with internal stakeholders

The organisation should ensure that its internal communication and reporting mechanisms:

include processes to consolidate risk information from a variety of sources within the organisation, taking into account their likelihood and consequence

ensure all relevant parties are informed as to the key components of the risk management framework, including any subsequent modifications

provide adequate internal reporting on the effectiveness and outcomes of the framework

make relevant information derived from the application of the risk management process available to appropriate levels of management in a structured and timely manner

include processes for consultation with internal stakeholders.

Communication with external stakeholders

The organisation should develop a plan as to how it will communicate with its external stakeholders. This should include:

engaging appropriate external stakeholders and ensuring effective exchange of information

making legally required disclosures and other reporting to comply with legal, regulatory and corporate governance requirements

providing feedback on prior communication and consultation

the use of communication and information to build confidence in the organisation

communicating with stakeholders in the event of a crisis or contingency.

Learning activity: Communicating plans

Brainstorm a list of approaches that you can use to communicate risk management processes to staff and stakeholders in an organisation, and describe how each of these can be effective.

Documenting procedures

Your action plan will have identified areas where written procedures need to be developed and documented. To effectively implement the plan, staff, volunteers and management committee members need to work together to develop these procedures. Existing and new procedures should be reviewed to ensure that they are consistent.

Implementation of the risk management process will often require new policies to be developed that include monitoring, evaluation and continuous improvement. Every organisation needs to have a risk management policy framework to document the processes and procedures required. This policy will become a key document in the life of an organisation.

In general, when writing policy, you should keep in mind the size and specific needs of the organisation. Policy should be clear and concise and should not include lengthy processes or procedures that will be difficult to maintain or comply with.

The structure for policy documents will vary from organisation to organisation, but some common elements included are as follows.

Purpose statement – The context of the policy, why it is required.

Scope – The application of the policy (particular location, workgroup, etc.).

Procedure – How the policy is implemented.

Roles and responsibilities – Who is responsible for what in the implementation of the policy.

Legislation – Reference any legislation that the policy specifically complies with.

Learning activity: Risk management policy

Identify a risk management policy or procedure for your training organisation and describe how it assists the management of risk for the organisation.

POLICY –

ASSISTS WITH RISK MANAGEMENT –

A sample risk management policy can be found in Appendix 2.

Naming and securing documents

All documents produced in the workplace should be saved for future use and reference. Commonly used formats should be saved as templates for efficient access and creation of documents in the future.

Documents should be saved in accordance with organisational requirements which may include protocols for naming documents to make their content identifiable, and locations where particular documents should be stored for future access.

Documents can also be saved with security measures implemented such as password protection to prevent unwanted editing.

Ensure you know what the requirements are so that your document can be safely stored and easily located again when required.

Learning activity: Organisational requirements for storage

What benefits are there in establishing protocols for naming documents? What factors should be considered when storing documents, both electronically and in printed format?

Training

It is highly likely your action plan will involve the introduction of new practices, or changes to existing activities, so this will require training. It is a good idea to ensure that this is carried out through the structures and processes that already exist to facilitate training in your organisation.

Learning activity: Risk-reduction training

As the manager of risk for an organisation, you are responsible for ensuring that new organisational activities are assessed for risk, and training is delivered to affected staff to ensure that identified risks are managed as effectively as possible. Describe ways that you could make training available to new staff in the organisation to ensure that all staff have the same awareness of the required safe work practices and risk management processes within the organisation.

Responsibility

It is important that there is responsibility and authority within the organisation when it comes to managing risks, including the implementation and continuation of the risk management process and making sure that risks are competently controlled. This may be done by:

appointing specific people to be accountable for the development, implementation and maintenance of the risk management process

specifying individuals with the role of implementing risk treatment, maintaining risk controls and reporting relevant information

providing appropriate levels of recognition, reward, approval and authority.

Learning activity: Risk management responsibilities

Review the scenario in Appendix 3 under and then study the options outlined below to determine who would best be suited to take responsibility for the task. Briefly describe why you think they are most suited.

Task | Responsibility and why

Prepare a new policy and procedures on leather knife storage.

Taking out insurance to cover money kept overnight on the premises.

Training staff on new cash register procedures.

Fixing the broken tiles and eliminating the trip points.

Issuing chain-mail gloves for use with the leather knife.

Resources

The organisation should make sure that it allocates appropriate resources for risk management. Examples of resources to be considered are as follows.

people, skills, experience and competences

resources specific to stages of the risk management process

information and knowledge

documented process and procedures.

Learning activity: Professional development

Another resource for risk managers in organisations is the use of professional development, training and/or induction activities to assist staff to understand their role and responsibilities in the workplace.

Identify two areas of development that you might outsource professional development training for, and describe why.

Professional development activity –

Reason –

Professional development activity –

Reason –

Monitor the risk action plan

Monitoring and review are integral to the risk management process. Factors that affect the likelihood and consequence of risk may change over time, as may the costs of treatment options, so it is important to repeat the risk management process cycle regularly.

Monitoring activities can include risk reviews, team meetings and progress reports, which should be conducted regularly. Regular monitoring ensures that mistakes made and lessons learned throughout the implementation of the risk management process are incorporated into ongoing activities.

The progress of the risk treatment plans should be incorporated into the continuous improvement system of the organisation as a key indicator of performance. Continuous improvement refers to the ongoing efforts of an organisation to improve processes.

Once your risk management process is in place, there are four elements to maintaining the effectiveness of your risk management practices.

Identify one person responsible for risk management.

‘If it's everybody's responsibility, then it's nobody's responsibility’

It is essential that one person be given responsibility for risk management within your organisation. This person is usually known as the ‘risk manager’. In smaller organisations, the risk manager will also have many other responsibilities, while very large organisations may have someone whose only responsibility is risk management.

Learning activity: Monitoring risk

Mosman Municipal Council has a risk management action plan which outlines that managers and supervisors are required to record and review risk. Go to <http://www.mosman.nsw.gov.au/file_download/149/risk-management-action.pdf>, read pages 4 and 5 and describe how they are to involve others in this process.

If you were a manager in this organisation, outline procedural steps you could set up and follow to help you fulfil your role in reviewing and reporting risk.

Keep procedures up to date

Circumstances change and therefore so should your risk management plan. Experience gained from implementing risk management procedures can be used to further refine those procedures.

Learning activity: Risk management documentation

Describe the typical documentation required in risk management, and explain how it can be stored or saved for an organisation.

Re-assess risks

It is likely that the risks identified in the risk management process will change over time, making it important to review the changes. To keep your risk action plan up to date, do the following.

Review it on a regular basis. At a minimum, this should be done once a year.

Evaluate changes within your organisation and its environment. This may include new legislation relevant to your organisation, taking on new roles, acquisition of new equipment, or creation of new positions.

Learning activity: Risk management review

Mosman Municipal Council has a risk management action plan which outlines a review structure for a list of risk areas identified. View pages 5 and 6 of the document, which can be found at <http://www.mosman.nsw.gov.au/file_download/149/risk-management-action.pdf>. Based on the plan, estimate the review period you would put in place for each of the items listed below, and state your reasoning.

Risk area | Review period | Reason

Assets & infrastructure – footpaths

Assets & infrastructure – street furniture

Legislative compliance

New projects and special events

Report on risk management

The risk management process should include reporting as its final step, to ensure it is current. Reporting on risk should include:

identification of any new risks

the effectiveness of the existing risk management process

the occurrence of risks during the reporting period.

Risk reports should be filed and used in regular reviews of risks and procedures.

Risk reporting can occur in different formats and at different points in the risk management cycle. The table below provides details of different reports that can be produced by organisations to assist the risk management process.

Risk profile This report offers a quick reference point to determine an organisation’s overall risk exposure. It can be used to track risks and the factors that can cause risks to change, as well as the effectiveness of treatment activities. This report should include:

description of risk

risk rating (current and previous where applicable)

changes that have occurred and reasons for them

improvements or changes to treatment actions required.

Risk treatment report This report provides information about the status of a prescribed risk treatment action or activity and its effectiveness. It should include:

description of risk

risk rating

description of treatment action or activity

assigned timelines/completion dates

person/s responsible

current status.

Emerging risk report This report is used to highlight anticipated risks or add new risks to the risk register, which assists in keeping the risk register current in between formal risk review processes. It should include:

description of risk

risk rating

causes of risk

expected impact or consequence

treatment action plan.

Learning activity: Risk management reporting

Imagine you are in a role as a manager of risk management processes. In the course of your work you identify a risk to the organisation and eliminate the risk entirely. Describe what benefits there are to your organisation in reporting the risk, even though it has now been eliminated.

Learning activity: Organisational risk management

Research the internet (Australian university and government organisations usually have policy documents online) for an organisational risk management policy and procedure document. Describe who is responsible for the enactment of the risk control strategies in place in the document, and how you think it is monitored. Include a copy of the policy document in your workbook.

PERSON/POSITION RESPONSIBLE –

MONITORING PROCESS –

Learning activity: Risk management monitoring approaches

Research three different approaches that can be taken to monitoring risk management strategies and describe the positives and negatives of each for the business environment.

Monitoring approach | Positives | Negatives

Evaluate the risk management process

So, what are measures of success in a well-managed risk process? Here are some things to look for:

A decline in residual risk values.

Progress towards a specific project objective.

The extent of implementation of risk treatments.

Decline in total cost of risk.

Senior management are understanding and supportive.

The various risk reports mentioned earlier, if produced well, should provide great insight into the success of the risk management process. Your evaluation should include a review of these reports, and take note of any repeated issues, inadequate treatment actions or significant variances in expected impact of risk as opposed to the actual impact.

Learning activity: Success

Name some metrics that you think would identify a successful implementation and monitoring of the risk management process.

Section summary

You should now understand how to implement and monitor a risk action plan, and evaluate the risk management process.

Further reading

NT WorkSafe, 2010, Northern Territory Government, Risk Management Plans, viewed May 2010, <http://www.worksafe.nt.gov.au/corporate/bulletins/pdf/06-10/09.01.11.pdf>.

Turbit, N., 2010, Project Perfect, Risk Management Basics, viewed May 2010, <http://www.projectperfect.com.au/info_risk_mgmt.php>.

Section checklist

Before you proceed to the next section, make sure that you are able to:

implement the risk action plan

monitor the risk action plan

evaluate the risk management process.

Glossary

Term Definition

Consequence The outcome or impact of an event.

Control A process, policy, device, practice or other action that acts to minimise negative risk.

Event Occurrence of a particular set of circumstances.

Hazard Source of potential harm.

Likelihood The extent to which an event is likely to occur.

Loss Any negative consequence or effect.

Monitor Check, supervise or measure the progress of an activity, action or system on a regular basis.

Risk The chance of something happening that will have an impact on objectives.

Risk analysis Systematic process to understand the nature of and determine the level of risk.

Risk assessment The overall process of risk identification, risk analysis and risk evaluation.

Risk evaluation The process of comparing the level of risk against risk criteria.

Risk identification The process of determining what, where, when, why and how something could happen.

Risk management The culture, process and structures that are directed towards realising potential opportunities whilst managing adverse effects.

Risk management process The systematic application of management policies, procedures and practices to the tasks of communicating, establishing the context, identifying, analysing, evaluating, treating, monitoring and reviewing risk.

Risk reduction Actions taken to lessen the likelihood and/or negative consequences associated with a risk.

Risk retention Acceptance of the burden or loss, or benefit of gain, from a particular risk.

Risk sharing Sharing with another party the burden or loss, or benefit of gain, from a particular risk.

Stakeholders Those people and organisations who may affect, be affected by or perceive themselves to be affected by a decision, activity or risk.

Treatment The process of selection and implementation of measures to modify risk.

Appendices

Appendix 1: Risk action plan template

Risk | Assess Risk (L, M, H, E) | Controls | Monitoring | Timelines | Responsible

Appendix 2: MacVille risk management policy

Purpose

Risk is inherent in all business activities. The aim of this policy is not to eliminate risk, rather to manage the risks involved in all MacVille activities to maximise opportunities and minimise adversity.

Effective risk management requires:

a strategic focus

forward thinking and active approaches to management

balance between the cost of managing risk and the anticipated benefits

contingency planning in the event that mission critical threats are realised.

Policy

MacVille will maintain procedures to provide a systematic view of the risks faced in the course of our business activities.

Establish a context: The strategic, organisational and risk management context against which the rest of the risk management process in MacVille will take place. Criteria against which risk will be evaluated should be established and the structure of the risk analysis defined.

Identify Risks: Identification of what, why and how events arise as the basis for further analysis.

Analyse Risks: The determination of existing controls and the analysis of risks in terms of the consequence and likelihood in the context of those controls. The analysis should consider the range of potential consequences and how likely those consequences are to occur. Consequence and likelihood are combined to produce a priority rating for the risk.

Treat Risks: For higher priority risks, MacVille is required to develop and implement specific risk management plans including funding considerations. Lower priority risks may be accepted and monitored.

Monitor and Review: Oversight and review of the risk management system and any changes that might affect it. Monitoring and reviewing occurs concurrently throughout the risk management process.

Communication and Consultation: Appropriate communication and consultation with internal and external stakeholders should occur at each stage of the risk management process as well as on the process as a whole.

[Figure: risk management process, with the labels: Establish the context; Identify risks; Analyse and evaluate risk; Treat risk; Communication and consultation; Monitor and review.]

Appendix 3: Scenario – Shoez

Review

Shoez, a shoe repair chain, operates 10 stores in the CBD and suburbs of Brisbane, Queensland. The CEO Jeff Harding has appointed you as the operations manager. You are no stranger to management but mostly at departmental level for international organisations, with some time spent in sales and marketing management. One role specifically required in your job description is to manage the risks that could impact on the Shoez operations.

A meeting with Jeff in the first week confirmed his requirement of you to review, analyse, plan and monitor the risks of the Shoez organisation. Jeff wants you to report directly to him on the risk management process but also encouraged you to speak with the stores liaison person Jenny Clerk and the accountant Sue Lee. Jeff thought it may also be beneficial to contact his accountant Brown and Davis and of course the store managers, although they were only really concerned about achieving their sales budgets and getting their commissions.

Jenny was constantly reminding the store employees about the OHS issues relating to other staff and customers. Sue did the payrolls and was constantly pushing the managers to provide the appropriately authorised paperwork. Jeff said that the accountants were keen to see safeguards instigated for cash control.

Jeff wanted you to undertake this task so that you could get significant insight into the Shoez operations and develop and implement a plan to reduce the risk exposure of the organisation. He also said that he needed an ongoing risk monitoring process instigated as well.

According to Jeff, the areas that had been underperforming and were primary areas of risk concern were human resources management, financial operations and OHS. These are the areas he wanted you to focus on in your management.

Internal and external environment

After discussing Shoez with the key stakeholders and doing some external research you identify the following significant issues.

Jeff spoke about a new law that was being introduced by the Federal Government that will impact on the way that he has been paying his staff with some of their pay earned on commission.

Jeff showed a report from a survey where people rated their shoes as the second most important dress item for the successful business person and that business people were choosing high-quality shoes that they would repair rather than replace.

Brown and Davis spoke about the latest Point of Sale cash registers that would improve stock and cash control in the Shoez stores.

You noticed that the location of the Shoez stores was always in the prominent and highly trafficked parts of the shopping centres.

Sue said that she was not able to get all the staff records for pays and employee details from the store managers and this made processing difficult and meant that they were not compliant.

Brown and Davis explained that the old cash registers did not have the features that could help eliminate fraud.

Jenny spoke about the flooring where the staff worked and customers were sometimes required to access. The ceramic tiles were broken and covered up with a thin mat, but still presented a trip point to customers and staff alike.

Brown and Davis had spoken about a large chain in New South Wales that was planning to expand into Brisbane in the next 12 months.

Jeff said that while 10 stores was a good number, there are another 20 good locations in Brisbane that want Shoez as part of the shopping centre assortment.

You noticed that the stores were looking old and the decor had been out of fashion for over five years.

Brown and Davis explained that the growth in the older age portions of the Brisbane population was a positive indicator for the Shoez business.

Research findings

Store manager reports, together with your interviews with the other key stakeholders, identify the following risks.

Broken floor tiles creating a trip point for staff and customers.

Wet floors on rainy days making it slippery for staff and customers.

The store has extremely sharp knives used to cut the leather.

Banking not always done every day leaving cash on the premises.

The staff member balancing the cash registers also prepared the bank deposit book and banked the cash.

Some stores had sizable banking amounts that were banked by the junior staff member.

Staff records were kept in the individual stores in the bottom drawer of an unlocked filing cabinet.

One question on the staff records asked for a full medical history of the employee.

Timesheets sent to head office were not always authorised.