STRATEGIC PLANNING GROUP
Reference Manual
RISK MANAGEMENT FOR COMMUNITY GROUPS
2© Strategic Planning Group 2002 Risk Management for Community Groups — GM V1
Risk Management
This workbook was prepared by Strategic Planning Group as an in-house document for the use of the organisation. This workbook is not to be distributed or reproduced outside of this organisation without written permission from the publishers as it contains some proprietary planning methodology copyrighted to Strategic Planning Group Pty Ltd, PO Box 371, Miranda NSW 1490, Australia. Phone (612) 9524-0077. Email: [email protected]. James Crown, Managing Director.
Contents
Managing Risk as a Way of Life
Risk Management Standard AS/NZS 4360
Benefits of Risk Management
Some Definitions
Holistic Risk Management
The Risk Management Process
Quantifying and Qualifying Risks
Controls in Place
Determining Likelihood and Consequence
Analysing Likelihood/Consequence for Risk Rating
Identify Risk Mitigation Strategy Options
Action Plans — Implementing the Strategy
Risk Management Forms
How to Do a Risk Assessment
Managing Risk as a Way of Life
Our objective should be that our organisation embraces risk management as a way of
life, a way of protecting and improving the way we plan and carry out our activities.
We should follow the Australia and New Zealand Risk Management Standard
AS/NZS 4360. This risk management standard is easy to understand and is suitable for
almost any type of organisation or activity. It provides a robust methodology for risk
identification, discussion and an appropriate treatment to reduce the risk.
[Figure: the risk management process]
ESTABLISH THE CONTEXT: The Strategic Context; The Organisational Context; The Risk Management Context; Develop Assessment Criteria
IDENTIFY RISKS: What can happen? How can it happen? Decide the structure
ANALYSE RISKS: Determine existing Controls; Determine Likelihood; Determine Consequence; Establish Level of Risk
ASSESS RISKS: Compare against Criteria; Set Priorities
TREAT RISK: Identify Treatment Strategies; Evaluate Treatment Options; Prepare Implementation Plans; Implement Plans
Monitor and Review
Risk Management Standard AS/NZS 4360
This risk management process takes you through some simple steps. . .
Risk Management is not difficult but it does require rigour and discipline in applying the
method. The sequence involves:
1 Preparation and understanding of the context in which the risk assessment is being
carried out (what are we trying to accomplish? What areas of concern will we be
looking at?)
2 Identification of potential risks and outcomes (What could happen and what would
be the result if it did happen?)
3 Identification and valuing of controls in place which have a mitigating effect on the
risk (What’s in place now that reduces either the likelihood of the risk occurring or
the consequence if the risk does occur?)
4 Analysis of the risk in terms of its likelihood to occur and consequence if it does occur
thus producing a risk that is either acceptable or unacceptable. (Determined by using
the Risk Likelihood/Consequence Matrix.)
5 Development and implementation of an appropriate strategy and action plan to
reduce the unacceptable risks. (What action can we take to reduce either the
Likelihood or Consequence of the risk?)
6 Appropriate monitoring and reporting of both the treatment strategy and overall
effectiveness of the risk management process.
Risk management is only a tool. How well it works for us is determined by how much
effort we put in and how diligent we are in following the processes.
There are two other basic principles we should remember about Risk Management.
• 1 — Manage risk where risk occurs — across the whole organisation, all of its
activities, indoors, outdoors, projects, programs, age groups, administration, assets
and equipment, publicity, fundraising, financial management.
• 2 — Establish some priorities — what do we see as the most important types of
risks when confronted with a number of Unacceptable Risks. There will often be
more risks than you can manage. Some risks are more important than others.
For example, our risk prioritisation might cover these areas:
• Priority Level 1
  • Injury to Fatality outcomes
  • Damage to Image, Reputation, Credibility
• Priority Level 2
  • Damage to Private Property
  • Damage to Organisational Assets
  • Damage to the Environment
Benefits of Risk Management
• Effective activities
• A reduction in the need for crisis management
• A universal application — can be used by any organisation
• Proactive (we are looking for problems and opportunities in advance)
• Cost Effective (easy and inexpensive to do, reduces costs associated with
problems)
• Compliance (following whatever rules may be in place)
Some Definitions
What is RISK?
Risk is the chance of something happening that will have an impact upon objectives.
Risk is measured in terms of likelihood and consequences.
(AS/NZS 4360 - Risk Management Standard)
RISK MANAGEMENT PROCESS
Risk Management Process is the systematic application of management policies,
procedures and practices to the tasks of identifying, analysing, evaluating,
treating and monitoring risk.
(AS/NZS 4360 - Risk Management Standard)
Holistic Risk Management
Another thing to have in place in our minds is that we are talking here about holistic risk
management. Holistic — the whole organisation. We can look at that in a number of
ways.
The Risk Management Process
This step is an important activity in the AS/NZS 4360 risk management standard but
for the organisation it should not be difficult. It requires the team to recognise what its
aims and goals are. What are your objectives? What does your organisation exist for?
What are your services or deliverables? Who are your members, customers or clients?
This shared understanding is important because it provides you with the boundaries or
context for your risk assessments.
• Establish the Context
• Identify Risks
• Analyse and Evaluate Risks
• Develop Risk Treatment Strategies
• Monitor & Review
[Figure: AREAS & SOURCES OF RISK]
Areas shown: Financial; Operational; Legal; Hazard
Sources shown: Unstable People; Unsafe Practices; Regulations; State & Federal Action; Duty of care; Contracts; Accidents; Natural Disasters; Fundraising; Cash Flow Issues; Accounting & Taxation; Fraudulent Acts; Debt management; Data; Assets; Personnel/Key People; Consequential; Special Events
Here’s how to put it all together . . .
Have a simple system for defining Areas and Sources of Risk.
Start with the Area of Risk that you want to work with. In this example it is the big topic
of Financial Management. But that Area is too big for effective assessment. So, break
it down. Look at the sub-topic of Funding. That sub-topic can be broken down into
more manageable topics — Funding is Late, Funding is Terminated. Notice how,
under Funding is Late, we are down to a level — Cash Flow Issues — where the real
risks are easier to see, analyse and manage.
There is value in dealing with groups of similar risks, rather than one risk at a time.
There is also value, in resources and funding, in looking for strategies that will mitigate
more than one risk at a time. So handle groups of similar risks at the same time. It
becomes very efficient and cost effective.
A SIMPLE, PRACTICAL METHOD
Three steps to work through
1 An exercise on a whiteboard/butcher paper
2 Some forms to fill in
3 Some ACTION to take place
[Figure: worked example, Financial Management]
AREA: FINANCIAL MANAGEMENT
SOURCES (boxes shown): FUNDING; MEMBERSHIP FEES; FUND-RAISING; FUNDING IS LATE; FUNDING IS TERMINATED; CASH FLOW ISSUES; MAJOR PROJECTS; PAYROLL
RISKS
1 Not enough money to meet our needs
2 Not enough money to buy supplies
3 Program delays
4
OUTCOMES
• Unable to supply some of our services
• Damage to our reputation if we can’t supply some services
Secondary Outcomes
• Financial • Social • Legal • Political
CONTROLS IN PLACE
• Budget done (ME)
• Bank Overdraft (IE)
• Competent Leaders (HE)
• Financial Reports (ME)
RATING
1 B 4 H U
2 C 3 S U
3 B 4 H U
A Second Example
[Figure: TRAINING PROJECT, areas and sources of risk]
Boxes shown: Assessment; Administration & Management; Delivery; Location & Mode of Delivery; Course (support) Material & Design; Learning Outcomes; Endorsed Training Package
Modes of delivery shown: Online (Distance); Face to Face; Distance (off-campus); Mixed Mode (bit of each); Workplace (on the job)
Locations shown: Site Learning; Home; Community Centre; Telecentre; Classroom (Institutional); Industry Training Room; Library

[Figure: worked example, Training Project]
AREA: TRAINING PROJECT
SOURCES (boxes shown): DELIVERY; ADMINISTRATION & MANAGEMENT; ASSESSMENT; LOCATION & DELIVERY MODE; COURSE SUPPORT MATERIAL & DESIGN; LEARNING OUTCOMES
RISKS
1 Failure to use materials relevant to and supportive of the training package or accredited course.
2 Failure to employ competent, qualified staff to design, produce and evaluate support materials.
OUTCOMES
• Clients do not achieve package competencies
• RTO reputation damaged
• Qualifications not recognised
• Trainees not employable
Secondary Outcomes
• Financial • Social • Legal • Political
CONTROLS IN PLACE
• Quality system to ensure relevance
• Library of related materials for adaptation
• Policy for version controls
• Qualified, competent staff
RATING
1 C4HU
2 D4SU
3
Quantifying and Qualifying Risks
I believe that if risk is defined as the chance of something happening that will have an
impact on objectives, measured in terms of likelihood and consequences, (Risk
Management Standard AS/NZS 4360), then we have to have four things in place:
• A clear understanding of our Organisation’s Goals (which we have from planning)
• A clear understanding of the likelihood of something happening
• A clear understanding of the consequences of something happening
• Some form of matrix allowing us to combine likelihood and consequence and arrive
at a risk rating which allows us to separate Unacceptable from Acceptable Risk
(We will examine the Matrix in detail later.)
And that brings me to another fundamental concept:
Fundamental: Unacceptable risk is truly ‘unacceptable’ and must be mitigated or
reduced, even if that mitigation is to merely monitor and be ready to react as necessary.
To ignore unacceptable risk is to court severe danger nowadays.
Now the hard part — Qualitative or Quantitative?
That’s only a hard question until you think about it for a moment or two. Sure, we would
all like quantitative measures upon which to rest our risk assessment questions. But we
don’t have that information very often, and we’re not likely to get the budgets and
resources necessary to get quantitative data upon which we can have a high level of
confidence. If we wait for that we will never get our risk management programs off the
ground. That’s a reality. That’s a practicality. Now let’s get on with what we do have.
IDENTIFY THE RISKS
• What can happen?
• What is the real effect?
IDENTIFY THE OUTCOMES
• Risk occurs — so what?
• What is the real effect?
Controls in Place
What is a Risk Control?
A control measure is something already in place — it already exists and is not merely on
someone’s wish list. It may be an existing management policy and procedure, or some
technical system, or some training program which reduces the risk — usually through
impacting on likelihood or consequence. For example:
• a training program
• a work procedure (work practice)
• a policy
• contract management planning guidelines
Control Values
Code  Description
HE    The control is highly effective because it reduces the likelihood of the risk occurring and/or it reduces the consequences if the risk does occur.
ME    The control is moderately effective because it only partially reduces the likelihood of the risk occurring and/or partially reduces the consequences if the risk does occur. The control needs to be reviewed, abolished, amended, or replaced to make it a highly effective control.
IE    The control is ineffective because it does not reduce the likelihood of the risk occurring and/or it does not reduce the consequences if the risk does occur. The control needs to be reviewed, abolished, amended, or replaced to make it a highly effective control.
Determining Likelihood and Consequence
A difficult, but important, task when building the consequence and likelihood matrix is
to determine what constitutes an Almost Certain and what constitutes a Rare; what is
a consequence rated Significant and what rates a Catastrophic.
The answers may come from a number of sources, some subjective and qualitative,
some objective and quantitative. With rising costs and diminishing budgets, it is not
always within an organisation’s ability to carry out scientific and technical
measurements and studies. There is a growing body of evidence that suggests that a
group of experienced people, armed with some history, some local knowledge – their
own or by adding some selected stakeholders – working in good faith and within their
training, skills, and knowledge can deliver a credible analysis.
Analysing Likelihood/Consequence for Risk Rating
Risk analysis is concerned with determining the likelihood of events, the magnitude of
their consequences and the mitigating factors that would reduce the nature, frequency
or deleterious effects of the consequences.
By this point you have a well defined risk with a definable outcome. You also know
and have considered the value of existing controls on that risk. Combining that
information you are ready to analyse the risk from the two key perspectives of
likelihood and consequence.
In assessing likelihood and consequences, (with your assessment of the value of the
existing controls in mind) ask the question:
• How likely is this risk to occur?
• If this risk does occur, what will be the consequences?
• What is the overall risk level?
• Is the risk Acceptable or Unacceptable?
LIKELIHOOD + CONSEQUENCE
- CONTROLS IN PLACE
= VULNERABILITY
The matrix is easy to use, and the formula is simple.
Likelihood and Consequence Matrix
[Figure: the risk sentence "B 4 H U"]
B = Likelihood (Likely)
4 = Consequence (Major)
H = Rating (High)
U = Acceptable / Unacceptable (Unacceptable)
They mean different things in different contexts and thus must be measured in terms
of different values. A Major consequence may be a high dollar value, or it may mean
High Profile Adverse Media coverage without any dollars attached. What is
unacceptable to your organisation, and whether it is directly related to dollars and
cents, is not always the question — particularly in operational risk.
Let’s keep a simple risk sentence as our basic method of communicating risk. The
sentence should look like this wherever we go in the organisation.
Unacceptable Risks
H = a High Risk, Attention, Time and Resources required
S = a Significant Risk, Attention required
Acceptable Risks
M = a Moderate Risk, Monitor
L = a Low Risk, Standard Operating Procedures to handle

                    Consequences
Likelihood          1 Insignificant  2 Minor  3 Moderate  4 Major  5 Catastrophic
A Almost Certain    S                S        H           H        H
B Likely            M                S        S           H        H
C Possible          L                M        S           H        H
D Unlikely          L                L        M           S        H
E Rare              L                L        M           S        S
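The risk sentence and matrix above, worked through as an added example that is not part of the workbook: a Python checker that parses sentences such as "B 4 H U", recomputes the rating from the matrix, and flags entries whose recorded rating or Acceptable/Unacceptable status disagrees with it. The function names and the two inconsistent sentences are constructed for illustration; the matrix values are read from the workbook's grid and the other sentences are the ones shown in its examples.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Matrix as read from the workbook's grid (an assumption of this example):
# key = likelihood A-E, string index = consequence 1 (Insignificant) .. 5 (Catastrophic).
MATRIX = {"A": "SSHHH", "B": "MSSHH", "C": "LMSHH", "D": "LLMSH", "E": "LLMSS"}
UNACCEPTABLE = {"H", "S"}  # workbook legend: H and S unacceptable, M and L acceptable
RANK = {"L": 0, "M": 1, "S": 2, "H": 3}

# Accepts the spellings used in the workbook: "1 B 4 H U", "C4HU", "#1B4HU (before)".
SENTENCE = re.compile(
    r"^\s*#?\s*(?P<num>\d+)?\s*(?P<l>[A-E])\s*(?P<c>[1-5])\s*"
    r"(?P<r>[HSML])\s*(?P<au>[AU])\s*(?:\((?P<note>[^)]*)\))?\s*$",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Sentence:
    risk_no: Optional[int]
    likelihood: str
    consequence: int
    rating: str
    status: str
    note: str


def expected(likelihood: str, consequence: int) -> Tuple[str, str]:
    """Rating and A/U status the matrix gives for a likelihood/consequence pair."""
    rating = MATRIX[likelihood][consequence - 1]
    return rating, ("U" if rating in UNACCEPTABLE else "A")


def parse_sentence(text: str) -> Sentence:
    m = SENTENCE.match(text)
    if m is None:
        raise ValueError(f"not a risk sentence: {text!r}")
    return Sentence(
        risk_no=int(m["num"]) if m["num"] else None,
        likelihood=m["l"].upper(),
        consequence=int(m["c"]),
        rating=m["r"].upper(),
        status=m["au"].upper(),
        note=(m["note"] or "").strip(),
    )


def check(text: str) -> List[str]:
    """Return the problems found in one sentence; an empty list means it is consistent."""
    try:
        s = parse_sentence(text)
    except ValueError as exc:
        return [str(exc)]
    want_rating, want_status = expected(s.likelihood, s.consequence)
    problems = []
    if s.rating != want_rating:
        problems.append(f"rating {s.rating} recorded, matrix gives {want_rating} "
                        f"for {s.likelihood}{s.consequence}")
    if s.status != want_status:
        problems.append(f"status {s.status} recorded, matrix rating {want_rating} "
                        f"means {want_status}")
    return problems


def audit(register: List[str]) -> Dict[str, List[str]]:
    """Map each inconsistent sentence in a register to its problems."""
    return {s: p for s in register if (p := check(s))}


def treatment_effect(before: str, after: str) -> str:
    """Compare one risk's sentence before and after treatment."""
    for s in (before, after):
        if problems := check(s):
            raise ValueError(f"{s!r}: {'; '.join(problems)}")
    b, a = parse_sentence(before), parse_sentence(after)
    if RANK[a.rating] > RANK[b.rating]:
        return "worse"
    if RANK[a.rating] == RANK[b.rating]:
        return "unchanged"
    return "now acceptable" if a.status == "A" else "reduced, still unacceptable"


# Sentences from the workbook's examples, plus two constructed inconsistent ones.
REGISTER = ["1 B 4 H U", "2 C 3 S U", "C4HU", "D4SU", "#3A4HU",
            "E 5 H U",   # constructed: matrix gives S for E5
            "D 3 M U"]   # constructed: an M rating is Acceptable

if __name__ == "__main__":
    for sentence, problems in audit(REGISTER).items():
        print(sentence, "->", "; ".join(problems))
    print(treatment_effect("#1B4HU (before)", "#1C2MA (after)"))
```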
Likelihood and Consequences
LIKELIHOOD
Level  Descriptor      Description
A      Almost Certain  The event is expected to occur in most circumstances.
B      Likely          The event will probably occur in most circumstances.
C      Possible        The event should occur at some time.
D      Unlikely        The event could occur at some time.
E      Rare            The event may occur only in exceptional circumstances.

CONSEQUENCE
Level  Descriptor: Description
1  Insignificant: Minimal financial loss, no impact on overall program or functional outcomes (eg Confined to very small number of products, services or members), no adverse external criticism or publicity, no impact on staff.
2  Minor: Small financial loss, small impact on overall program or functional outcomes (eg Confined to a substantial minority of products, services to members), criticism by directly affected managers or customers, minimal impact on staff, members or overall morale.
3  Moderate: Medium financial loss, substantial impact on overall program or functional outcomes (eg Many products and services affected), some external criticism directed at executive, Board (eg by members and key stakeholders, low key media). Impact on staff noticeable, degree of change in morale.
4  Major: High financial loss, products and services curtailed due to failure to deliver, serious external criticism (eg key stakeholders, high profile media). Substantial impact on overall staff, members and morale with performance affected. Measurable increase in stress related issues.
5  Catastrophic: Abolition of the organisation, dismissal of executive, significant irreparable impact on members’ prospects through mismanagement. Impact on staff, members and morale severe.

PRIORITY CRITERIA
• Injury to Fatality
• Damage to Organisation’s Assets
• Damage to Private Property
• Damage to Environment
• Damage to Reputation/Credibility
Identify Risk Mitigation Strategy Options
Risk mitigation or treatment options that may be considered include:
• Risk avoidance
An informed decision is made to eliminate risk or to opt for another level of risk.
Examples include cancelling a project or seeking alternative methods of service
delivery.
• Risk transfer
The responsibility or burden for loss is shifted to another party through legislative or
contractual arrangements, insurance or other means. For example, an organisation
may transfer the risk of providing some specific service to a contractor.
• Risk reduction
Appropriate techniques and management principles are selectively applied to
reduce (mitigate) either the likelihood or consequences (or both) of identified risks.
For example, including a back-up diesel generator for a key function to reduce the
likelihood of being out of action during a power outage, or moving an activity from
one location to another because the second location is safer.
Evaluating Risk Mitigation Strategies
Risk treatment options should be evaluated on the basis of the extent of risk reduction
achieved and the benefits or opportunities created. The evaluation should take into
account the organisation’s risk acceptance criteria as well as how risk is perceived by
affected parties or stakeholders. Selection of the most appropriate option involves
balancing the cost of implementing each against the benefits derived from each. A
number of options may be applied, individually or in combination.
Where large reductions in risk can be obtained with relatively lower expenditure, such
options should be implemented. However, careful consideration should be given to rare
(but severe) risks which may justify risk reduction measures not justifiable against
economic criteria alone.
Strategies are detailed statements of process which outline how the Goal is to be
achieved. A Goal can have one or many Strategies. A question which might be asked
when developing Strategies is:
How are you going to achieve the Goal?
[Figure: RISK MITIGATION STRATEGY DEVELOPMENT]
Stages: GOAL; STRATEGIES; PREFERRED STRATEGY; ACTION PLAN
DEFINED RISK
GOAL: “To reduce this risk …”
STRATEGIES: Courses of Action; Benefits; Risks; Timetable; Responsible Officer; Performance Issues
ACTION PLAN: 1 Major Steps; 2 Action Officer; 3 Timetable; 4 Costs; 5 Other Issues
LIST 1: Left over issues to resolve
LIST 2: Good ideas not explored

STRATEGY SOURCES
• Communication (Internal/External)
• Training
• Documentation
• Resourcing
• Systems
• Planning (Additional)
Because Risk Management is something that has to be done relatively quickly — so as
not to hold up the project or activity — simple sources of effective strategies should be
found.
In these six words, you can usually find something that can help lower the level of risk.
Not always, but most of the time.
For example:
For communications: Can I open up the line of communications in some way? Will
that help people understand the risk and thus be better positioned to manage that risk?
For training: Can I develop a short training activity which will help mitigate the risk?
For documentation: Can I provide a checklist, or a step-by-step process document
that will help overcome the likelihood of the risk occurring?
There are other words that could be on this list, but these are the main ones which
provoke our thinking.
Action Plans — Implementing the Strategy
What we will actually do to carry out the strategy.
It must be precisely defined, include timetables, and so forth.
That is, the WHAT, WHO, WHEN.
The Action Planning Rule (what level of detail?)
Something Executable (But not Trivial)
Something Measurable (In Time and/or in Cost)
[Form: Risk Mitigation Plan]
Header fields: Group; Leader; Area/Source of Risk
Columns: Risk #; IDENTIFIED RISK; When ID’d (date); Rating (H/S); MITIGATION STRATEGY; IMPLEMENTATION PLAN (Action # 1 to 4; Action Officer; Completed by; Done (date); Comments)
Risk Management Forms
[Form: RISK MANAGEMENT — ASSESSMENT FORM — Areas and Sources of Risk]
Fields: Name of Group; Leader; Date Assessment Completed; Assessment Team; Area of Risk; Sources of Risk

[Form: risk assessment worksheet]
Header fields: AREA; SOURCE; DATE
① Identified Risk(s)
② Outcomes
③ Controls in Place, each with Rating (tick one): HE / ME / IE
④ Rating: L, C, R, A/U for risks 1 to 10
⑤ Strategies
[Form: RISK MITIGATION ACTION PLAN (Strategic Planning Group)]
Header fields: Group; Leader; Area/Source of Risk
Columns: Risk #; IDENTIFIED RISK; When ID’d (date); Rating (H/S); MITIGATION STRATEGY; IMPLEMENTATION PLAN (Action # 1 2 3 4; Action Officer; Completed by; Done (date); Comments)
How To Do A Risk Assessment
RISK MANAGEMENT — ASSESSMENT FORMS
Name of Unit: _____________________ Manager: ______________________________ Date Assessment Completed: _____________
Assessment Team:
Risk Management Areas and Sources of Risk
The Forms
The graphic above shows the Risk Management Areas and Sources of Risk page. This
is where your recording starts.
• Write the Name of the Group
• Write the Leader’s name
• Write the date the assessment is completed
• Write the members of the assessment team
• Write the risk Area in the top empty box
• Write the Sources of risk (from that risk Area) in the lower boxes. (This is a sample.
Your combination of boxes will vary from subject to subject.)
How to Document the Risk Process
RISK MANAGEMENT — ASSESSMENT FORM — Areas and Sources of Risk
Area of Risk
Sources of Risk
Name of Group:_____________________ Leader:_____________________ Date Assessment Completed: _______
Assessment Team:
An Example
WORK AREA: Property and Assets
LEADER: Robert Smith
AREA: Property and Facilities, Community Hall
SOURCE: Fire, Bushfire, Smoke
DATE: 8 April 2002

1 Identified Risk(s)
#1 Lack of fire sprinklers in Hall and presence of highly combustible materials stored in equipment room.
#2 Bush fire danger north end of Hall from heavy concentration of dry undergrowth.
#3 Significant smoke from annual bush fires near Hall.

2 Outcomes
#1 Significant property damage potential and loss of equipment; loss of life
#2 Potential loss of property; Temporary loss of venue from lesser damage
#3 Health concerns; Lost activity time

3 Controls in Place, Rating
Bush Fire Brigade well trained, available: ME
Security systems for early warning in place: ME
Overhead fans in place in Hall: IE

4 Rating
Risk  L  C  R  A/U
#1    B  4  H  U (before)
#2    C  3  S  U
#3    A  4  H  U
#1    C  2  M  A (after)

5 Strategies
Risk #1 - Conduct urgent review of the Hall and develop business case, including cost, for installation of required sprinkler system. Temporary mitigation of some aspects of this risk by relocating some of the combustible materials to a private contractor’s business which has sprinkler system in place. Monitor this risk and adjust its rating after installation of sprinkler system is complete and tested.
Risk #2 - Organise a working party for the long weekend to clear bush at north end of Hall, making sure bush cleared by summer fire season later this year.
Risk #3 - Retain the risk and close the Hall if smoke cannot be cleared by the fan system.
Running a Risk Assessment Session
The most successful general risk assessments will come from bringing together a group
of people with a shared understanding of the topics you are going to discuss. If you
have documented data or evidence, use it. If you do not have documented evidence,
use the power of the team. Discuss, argue, and arrive at a consensus.
If you have not requested a facilitator to assist you, have one of your own people act as
the facilitator. Brainstorm the general risks on a whiteboard following the forms in this
manual. As you complete your discussions have one of the team act as a scribe and
transfer the information from the whiteboard to the forms.
Do not hurry the process as you will gain from the detailed discussion and considered
opinions from around the team. We are estimating that small groups may complete the
assessments in one 4-hour session. Others might take two or three sessions. We
believe you will find the time well spent with a number of rewards for your efforts: a
more professional approach to the risks you take, an improved and shared
understanding among the participants of the work you do, the risks you face, and a
sense of achievement in having contributed to the good governance of the organisation.
Documenting the Risk Assessment Session
There should be a minute taker appointed for each session. This person will record the
wording of the risk and the details of the assessment of the risk on the forms provided
as mentioned above, as well as discussion on controls in place, treatment strategies for
unacceptable risks, future review dates for acceptable risks and any other relevant
data. The minutes should be validated by participants as soon as is practicable after the
session, and the minutes should be filed in a Risk Management folder.
Identifying Risks
Step by Step
This is where you begin your risk identification.
• Write in the Area of Impact
• Write in the Source of the Risk
• Write in the Date of the risk assessment
• Write in the Identified Risks with enough detail to make it clear what you are
assessing as a risk
• If there are more than ten identified risks, use photocopies of the form page to list
the rest
AREA: ____ SOURCE: ____ DATE: ____
Form columns: 1 Identified Risk(s); 2 Outcomes; 3 Controls in Place, with Value (tick one): HE, ME, IE; 4 Rating; 5 Strategies. Rows numbered 1 to 10.
Identifying the Risks
Identifying Outcomes
Step by Step
Identifying the Outcomes
• Write in the Outcome(s) for each risk in detail
• If you have more than ten identified risks, photocopy as many copies of the form
needed to write the outcomes for the risks.
Identifying and Assessing the Controls
• On the next section of the form, write the Control in place for each risk
• Tick the Value of the control as the group assesses it (Is the control highly effective at
minimising the risk, moderately effective or ineffective: HE, ME or IE? See
definitions on page 20)
Identifying Controls and then Values
Step by Step
Assigning the Risk Rating
If the risk falls in the acceptable categories (Moderate or Low), document the
assessment meeting, and file the risk to be reviewed at a future date.
Unacceptable risks must be treated by developing options and strategies and
incorporating them within the Risk Control Statement to lower the level of risk.
• Using the matrix, assess the likelihood and consequence of the risk occurring
• Write those values (ie the Rating) from the matrix onto the form
• Under L write the letter corresponding to the likelihood (C = Possible)
• Under C write the number corresponding to the consequence (4 = Major)
• Under R write the letter in the square on the matrix where the likelihood and
consequence meet (for example, C + 4 = H)
• Under U/A write either U for unacceptable risk (white squares on the matrix) or A
for acceptable risk (black squares)
Rating the Risk
Step by Step
Developing Strategies for Risk Mitigation
Step by Step
Mitigation Strategies
• On page 2 of the form set, write the Mitigation Strategies for dealing with the
unacceptable risks only
Implementing the Risk Mitigation Action Plan
Step by Step
Risk Mitigation Action Plan
This page is for recording unacceptable risks only
• On this form write the Group, the Leader’s name and Area or Source of the risk
• Write the Risk Number and Description (from page 2 of the form set)
• Write the Date the risk was identified at When Id’d (date) (from page 2 of the form
set) and the letter corresponding to the Risk Rating (H for high or S for significant)
• Write the Mitigation Strategy in the form of a full description
• Write the steps under Action
• Write the name of the person who will do the action under Action Officer
• Write the date you want the action completed under Completed by
• Write the actual date the action was completed under Done (date)
• Write any useful comments in the last column
Group:__________________ Leader:______________________
Area / Source of Risk: _________________________________
Risk #    IDENTIFIED RISK    When ID’d (date)    Rating (H/S)
MITIGATION STRATEGY
IMPLEMENTATION PLAN
Action #    Action Officer    Completed by    Done (date)    Comments
1
2
3
4
WORK AREA: Property and Facilities, Community Hall
Leader: Robert Smith
Date: 8 April 2002
AREA/SOURCE: Property and Assets — Fire/Bushfire/Smoke

Risk #: #1
IDENTIFIED RISK: Potential for a fire in the Hall and lack of sprinklers, as well as presence of highly combustible materials stored there may result in significant fire damage and loss of venue.
When ID’d (date): 8 April 2002
Rating (H/S): B - 4 - H - U

MITIGATION STRATEGY
Risk #1 - Conduct an urgent review of the Hall and develop business case, including cost, for introduction of required sprinkler system. Meanwhile, temporary mitigation of some aspects of this risk by relocating some of the combustible materials to a contractor’s business which has sprinkler system in place.

IMPLEMENTATION
Action # 1: Develop plan for review of the Hall and movement of combustible materials from location.
Action Officer: RS. Completed by: 15 April 2002.
Comments: Consult with DC (Cleaning Contractor), FR (Hall Manager) and TR (Community Liaison Officer).

Action # 2: Develop specs and gain quotes for required sprinkler system.
Action Officer: JF. Completed by: 20 April 2002.
Comments: See local providers for assistance with quotes.

Action # 3: Remove (temporarily) as much combustible material as possible.
Action Officer: KL. Completed by: 15 April 2002.
Comments: Work with FR (Hall Mgr) and team to carry out this task.

Action # 4: Develop business case to sell local Council on sprinkler installation, based on risks.
Action Officer: JF. Completed by: 25 April 2002.
Comments: Aim for presentation at Council Management Meeting on 25 April. Include cost-benefit analysis as well as HR issues and safety.

Action # 5: On approval of case, issue a contract for installation.
Action Officer: RS. Completed by: 10 May 2002.
Comments: Use similar contract forms to other contracted services.

Action # 6: Supervise installation and when complete, revise risk register.
Action Officer: JF. Completed by: 30 Jun 2002.
Comments: JF to supervise contractors. KL will do JF’s duties during this time.

Action # 7: Arrange return of combustibles to the Hall.
Action Officer: KL. Completed by: 10 Jul 2002.
Comments: Work with FR (Hall Mgr) on team to carry out this task.
Our Mission
Our mission is to strive for excellence in partnering our clients. We achieve this through our focus on leadership, corporate and business planning, operational and strategic risk management, policy and procedure documentation, and associated activities.
James Crown
Managing Director
Strategic Planning Group (NSW) Pty Ltd
#15 Southpoint Tower, 19 Central Road, Miranda NSW 2228
PO Box 371 Miranda NSW 1490 Australia
Phone: (612) 9524 0077
Email: [email protected]
Visit our website www.stratplan.com.au