According to Loosemore et al. (2006, p.199) the creation of a formal risk management system involves three main steps:
- Creating and communicating a risk management policy
- Creating and implementing a risk management system
- Building a risk management ethic into corporate culture.
Effective risk management is explained further in AS ISO 31000 (2018, pp.3-4) as:
- Integrated – Risk management is an integral part of all organisational activities
- Structured and Comprehensive – A structured and comprehensive approach to risk management contributes to consistent and comparable results.
- Customised – The risk management system and procedure are customised and proportionate to the organisation’s external and internal context related to its objectives
- Inclusive – Appropriate and timely involvement of stakeholders enables their knowledge, views and perceptions to be considered. This results in improved awareness and informed risk management.
- Dynamic – Risks can emerge, change or disappear as an organisation’s external and internal context changes. Risk management anticipates, detects, acknowledges and responds to those changes and events in an appropriate and timely manner.
- Best available information – The inputs to risk management are based on historical and current information, as well as on future expectations. Risk management explicitly considers any limitations and uncertainties associated with such information and expectations. Information should be timely, clear and available to relevant stakeholders.
- Human and Cultural Factors – Human behaviour and culture significantly influence all aspects of risk management at each level and stage.
- Continuous Improvement – Risk management is continuously improved through learning and experience.
The following risk management procedure has been developed in accordance with AS ISO 31000:2018 Risk management guidelines. It has been established to create and implement a risk management system for a project management consulting company. The intent of the procedure is to build risk management into the ethics of the company’s corporate culture.
Purpose and Scope
The purpose of this risk management procedure is to define the systematic process for ensuring that opportunities are maximised and risks are appropriately managed to minimise adversity. In particular, the means for recording risks, assigning risks and escalating risks are defined.
This procedure is applicable to all staff and to all aspects of the company. It may be applied at any stage in a life cycle and it should be applied on a periodic basis throughout that life cycle.
All risk management shall follow the process defined in this procedure.
This procedure applies to all activities undertaken by company employees.
This risk management procedure is to be read in conjunction with the company’s:
- Risk Management Policy
- Risk Criteria Guide
- Delegations of Authority
This risk management procedure is to be implemented on:
- Initiation of a new project
- Commencement of a new cycle for a continuous business system
- Requirement for periodic reviews and monitoring of risks.
Adherence to this procedure and use of the following risk management and decision-making outcomes demonstrates conformance to the company’s Risk Management Policy:
- Risks are identified and characterised
- The probabilities and consequences of risks are quantified
- Risks are evaluated to provide a basis for decision-making
- Alternative courses of action to treat each risk are defined
- A preferred course of action is selected
- Risks that are unacceptable are acted upon
- The resolution, decision rationale and assumptions will be captured and reported
- Risk status is available and communicated.
Risk Management Process
The risk management process adapted from AS ISO 31000 (2018, p.4) is shown in Figure 1. The process has six activities that contain tasks. The activities will be performed iteratively until the risk is avoided or the residual risk is accepted. The six activities are detailed in the following pages.
Figure 1 – Risk Management Process
Communication and Consultation
Assign actions regarding the management of risks to the entities responsible for relevant business functions. These include investigating treatment options and implementing risk controls.
Escalate action requests regarding risks that:
- Have exceeded the agreed timeframe for action
- Require risk acceptance approval at a higher level of authority.
Communicate with stakeholders so that:
- Contexts are appropriately defined
- Risks are identified and analysed effectively
- Individual differences are catered for in terms of risk perception
- Risk treatments can be optimised.
Facilitate peer to peer sharing of information so that risks are managed effectively.
Establish Scope, Context and Criteria
Define the Internal Context
Consider factors such as:
- Organisational policies
- Strategic, business and project objectives
- The life cycle stage within which risk management is conducted.
Define the External Context
Consider factors such as:
- Business environment including competitors
- Regulatory environment
- Political environment
- Social and cultural considerations
- Environmental considerations.
Identify the stakeholders associated with both the internal and external contexts.
Establish Risk Management Context
Define the scope and boundaries for application of the risk management process. This includes defining the terms of the application regarding:
- The target project or activity
- The nature of the decisions that will have to be made
- Time frames
- Depth and breadth
- Abnormal, normal and emergency operation conditions.
Assign responsibilities for risk management and identify interdependencies with other projects, activities and organisations. Select the terms of reference for estimating the significance of a risk as defined in the company’s Risk Criteria Guide. If the circumstances warrant the use of other risk criteria, define these using the same structure.
Identify and characterise risks in terms of the perception of the stakeholder(s) who identified them. This is performed by:
- Listing sources of risk
- Listing possible events associated with the sources
- Stating the risk perception in a subjective form for each so that the risk for the stakeholder can be easily communicated to others and retained for the purposes of comparison.
- The objectives of analysis are to separate the minor acceptable risks from the major risks and to provide data to assist in the evaluation and treatment of risks. Risk analysis involves consideration of the sources of risk, their consequences and the likelihood that those consequences may occur. Risk is analysed by combining estimates of consequences and likelihood in the context of existing control measures.
- Review the Risk Criteria Guide (extended as required for the context) as the basis for determining the consequence of the risk according to the definition that best fits the situation. Select the consequence by mapping the most appropriate risk criterion description into the consequence. Where multiple risk criteria are applicable, choose the highest consequence.
- Select the likelihood that best fits the chosen level of consequence by mapping the most appropriate description into the likelihood.
- Risk is automatically calculated as the product of probability and consequence. Where a standardised risk analysis is performed, the summation of the individual risks can be used as the basis of quantitative comparison for different risk management contexts.
- Risks are prioritised for treatment based on pre-defined rankings. Refer to the Risk Criteria Guide for further details. The resulting priorities may be viewed in a variety of ways depending on the role of the user. Project teams will consider priorities within their own project context and company Directors will consider high priority risks on a strategic company basis.
- Risk grouping is important as it can provide the basis for holistic treatment and a potentially more effective solution as opposed to the risks in the group being treated on an individual basis. Grouping can lead to lateral solution approaches that may not have been obvious.
- In evaluating risks, consider how specific stakeholders, as individuals or organisations, are affected by a risk. This is important in determining the treatment options and communication requirements for the risk. Consider also how interested parties, being individuals or organisations having some interest in the success of the company, are affected by the risk.
- Each risk has an owner as the first point of contact in relation to decisions relating to that risk. The owner may or may not be able to make the final decision in relation to the risk, depending on the authority levels for risk retention and risk financing. Refer to the Delegations of Authority. Company Directors and Project Managers may be the nominal owners of risks for the purpose of treatment.
- Risks may have existing controls, particularly if the source and event have been included in a previous risk assessment. However, the adequacy and appropriateness of those controls to deal with the circumstances of a particular risk may be affected by both internal and external factors and may change over time.
- Define any existing controls and provide details of their adequacy. This evaluation may result in re-assessment of the risk, particularly if new information becomes available from stakeholders.
- Risks are ranked as an indicator of the order in which treatment should be performed.
Identify possible options for treating each risk. These may be neither mutually exclusive nor appropriate in all circumstances. In addition to a descriptive perspective, determine the cost of implementing each option so that a quantitative basis for comparison is available.
Avoidance is a simple option. It means that a decision is taken to avoid engaging with, or action is taken to withdraw from, the source of the risk, thus guaranteeing that any event in relation to that source cannot affect the company. It is important that risk avoidance does not result in inappropriate risk aversion, particularly where opportunities are involved. In the latter case, it may be appropriate to proceed but with stringent risk controls.
Options for optimisation include:
- Capitalising on opportunities with calculated risk controls to maximise the benefit.
- Minimising the negative effects of risks. This can be further characterised in terms of:
  - risk reduction, i.e. reducing the probability and/or consequences
  - risk mitigation, i.e. reducing the consequences only.
- Identify and characterise suitable options. These may require investment to treat the risk and may also include behavioural and cultural changes.
Transfer involves sharing a risk with an external organisation such as an insurer or business partner. The transfer may be partial or full; however, sharing itself introduces new risks, including failure of the other organisation. In other words, no risk is fully transferable in a practical sense.
Retention of a risk in full means that nothing is done to change the risk situation and the risk as it stands is accepted. The estimated cost of retention compared with the estimated cost of financing action to address the risk provides the basis for the fundamental decision-making that is required.
Trade-off Treatment Options
- Decide which options are in the best interests of the company in accordance with the Delegations of Authority. Multiple options may be applicable, e.g. both risk transfer (such as insurance) and risk optimisation (such as changed behaviour) may be appropriate.
- Details of the decision maker and the decision rationale are key records that must be retained for future reference.
Plan and Establish Risk Controls
Determine the source of risk financing where this is needed to implement the selected treatment option(s). This may involve the preparation of a business case to facilitate comparisons against other initiatives.
Apply Risk Mitigation
Implement selected risk controls in accordance with the decisions taken in the treatment options trade-off. Estimate the residual risk assuming successful implementation of the risk treatment and risk controls. If necessary, obtain approval for any residual risk that exceeds the tolerable risk level.
Monitoring and Review – Treatment and Process Effectiveness
Monitor the implementation of treatment including the risk controls. Where appropriate, actions should be taken to ensure the solution is permanent, e.g. through documented policies and procedures.
It may be appropriate to re-evaluate the risk controls after a suitable period of time. In some circumstances they can be relaxed and in others it will be necessary to adopt a more stringent approach. The latter can involve more frequent monitoring.
The monitoring of risks may result in new risks being identified. In this case the entire process recommences.
Monitor the effectiveness of the risk management process and forward any recommendations or observations to a company Director to be handled in accordance with the improvement process.
Recording and Reporting
Maintain a record and document the risk management process to ensure auditability and transparency, with the aim of improving communication and consultation with key stakeholders.
Reporting tools include:
- Risk register
- Risk management workshop minutes
- Quarterly company performance reports.
- Loosemore, M, Raftery, J, Reilly, C & Higgon, D 2006, Risk Management in Projects, 2nd edn, Taylor & Francis, Oxon.
- Standards Australia 2018, Risk management – Guidelines (AS ISO 31000:2018), SAI Global Limited.
- file:///C:/Users/bartona2/Downloads/Risk_Management_System-Risk_Assessment_Frameworks_and_Techniques.pdf Accessed 12 September 2019
- https://bia.ca/risk-management-the-what-why-and-how/ Accessed 12 September 2019
- https://www.northam.wa.gov.au/assets/documents/document-centre/environmental-health/events/sample_risk_management_plan.pdf Accessed 12 September 2019
- https://myecosystem.aecom.com/ppf/pnp/Policies/Risk_Management_Procedure_R3AN_500_PR1.pdf Accessed 14 September 2019
- https://myecosystem.aecom.com/ppf/pnp/Policies/Risk_Management_Policy_R3AN_500_PL1.pdf Accessed 14 September 2019