The Risk Management Process
Risk Management is defined in the standard (AS/NZS 4360:2004) as "the systematic application of management policies, procedures and practices to the tasks of establishing the context, identifying, analysing, assessing, treating, monitoring and communicating".
It is an iterative process that, with each cycle, can contribute progressively to organisational improvement by providing management with a greater insight into risks and their impact.
Risk management can be applied to all levels of an organisation, in both the strategic and operational contexts, to specific projects, decisions and recognised risk areas.
Risk is defined as 'the chance of something happening that will have an impact on objectives'. It is therefore important to understand what the objectives of the University, Faculty, work unit or your position are before attempting to analyse the risks.
A simple process
Risk analysis is best done in a group with each member of the group having a good understanding of the tasks and objectives of the area being analysed.
1. Identify the Risks: as a group, list the things that might inhibit your ability to meet your objectives. You can even look at the things that would actually enhance your ability to meet those objectives, e.g. a fund-raising commercial opportunity. These are the risks that you face, e.g. loss of a key team member; prolonged IT network outage; delayed provision of important information by another work unit/individual; failure to seize a commercial opportunity, etc.
2. Identify the Causes: try to identify what might cause these things to occur, e.g. the key team member might be disillusioned with his/her position or might be head-hunted to go elsewhere; the person upon whom you are relying for information might be very busy, going on leave or notoriously slow in supplying such data; the supervisor required to approve the commercial undertaking might be risk averse and need extra convincing before taking the risk, etc.
3. Identify the Controls: identify all the things (Controls) that you have in place that are aimed at reducing the Likelihood of your risks happening in the first place and, if they do happen, what you have in place to reduce their impact (Consequence), e.g. providing a friendly work environment for your team; multi-skilling across the team to reduce the reliance on one person; stressing the need for the required information to be supplied in a timely manner; sending a reminder before the deadline; providing additional information to the supervisor before he/she asks for it, etc.
4. Establish your Likelihood and Consequence Descriptors, remembering that these depend upon the context of your analysis. If your analysis relates to your work unit, any financial loss or loss of a key staff member, for example, will have a greater impact on that work unit than it will have on the University as a whole. The descriptors used for the whole-of-University (strategic) context will therefore generally not be appropriate for the Faculty, other work unit or the individual, e.g. a loss of $300000 might be considered Insignificant to the University, but it could very well be Catastrophic to your work unit.
You will need to establish these parameters in consultation with the Head of the work unit.
5. Establish your Risk Rating Descriptors: what is meant by a Low, Moderate, High or Extreme Risk needs to be decided upon ahead of time. Because these are more generic in terminology, though, you might find that the University's Strategic Risk Rating Descriptors are applicable.
6. Add other Controls: generally speaking, any risk that is rated as High or Extreme should have additional controls applied to it in order to reduce it to an acceptable level. What the appropriate additional controls might be, whether they can be afforded, what priority might be placed on them, etc. is something for the group to determine in consultation with the Head of the work unit who, ideally, should be a member of the group doing the analysis in the first place.
7. Make a Decision: once the above process is complete, if there are still some risks that are rated as High or Extreme, a decision has to be made as to whether the activity will go ahead. There will be occasions when the risks are higher than preferred but there may be nothing more that can be done to mitigate them, i.e. they are out of the control of the work unit but the activity must still be carried out. In such situations, monitoring the circumstances and regular review are essential.
8. Monitor and Review: monitoring all risks and regularly reviewing the unit's risk profile are essential elements of a successful risk management program.
Updated: 27 March 2012