How is risk managed?
Risk management is recognised as an integral component of good management and governance. It is an iterative process consisting of steps, which, when undertaken in sequence, enable continual improvement in decision making.
Risk management is the term applied to a logical and systematic method of establishing the context, identifying, analysing, evaluating, treating, monitoring and communicating risks associated with any activity, function or process in a way that will enable organisations to minimise losses and maximize opportunities.
Risk management is as much about identifying opportunities as avoiding or mitigating losses.
The main elements of the risk management process are listed below.
- Establish the context
- Establish the context in which the rest of the process will take place
- Criteria against which risk will be evaluated should be established and the structure of the analysis defined
- Identify risks
- Identify what, why and how things can arise as the basis for further analysis
- Analyse risks
- Determine the existing controls and analyse risks in terms of consequence and likelihood in the context of those controls
- The analysis should consider the range of potential consequences and how likely those consequences are to occur
- Evaluate risks
- Compare estimated levels of risk against the pre-established criteria so risks can be ranked and management priorities identified
- Treat risks
- Low-priority risks should be monitored and reviewed
- For higher consequence risks, develop and implement a specific management plan or procedure that includes consideration of all aspects required to mitigate the risk to an acceptable level
- Monitor and review
- Monitor and review the performance of the risk management system and changes that might affect it
- Communicate and consult
- Communicate and consult with internal and external stakeholders as appropriate at each stage of the risk management process as well as the process as a whole
How can risk management be improved?
To ensure changing circumstances do not alter risk profiles, it is necessary to monitor:
- the effectiveness of control measures, including
- the risk treatment plan
- the management system set up to control implementation.
Few risks remain static. Factors that affect the likelihood and consequences of an outcome can change, as may the factors that affect the suitability or cost of the various treatment options. Ongoing review is essential to ensure the risk management treatment plan remains relevant.
Communicate the plan and consult those affected
Communication and consultation are important considerations at each step of the risk management process.
It is important to develop a communication plan for both internal and external stakeholders at the earliest stage of the process. This plan should address issues relating to both the risk itself and the process to manage it.
Effective internal and external communication is important to ensure that those responsible for implementing risk management, and those with a vested interest, understand the basis on which decisions are made and why particular actions are required. Seeking their input will facilitate the process.
Below is the list of documents and links that you may find useful.
Safe Work Australia has produced How to manage work health and safety risks - Model Code of Practice.
AS/NZS ISO 31000 Risk management - Principles and guidelines is available from Standards Australia.
The International Council on Mining & Metals has produced a good practice guide to Health and safety critical control management.