The Risk Management Process
Risk Management is "the systematic application of management policies, procedures and practices to the tasks of establishing the context, identifying, analysing, assessing, treating, monitoring and communicating" (AS/NZS ISO 31000:2009).
It is an iterative process that, with each cycle, can contribute progressively to organisational improvement by providing management with a greater insight into risks and their impact.
Risk management should be applied to all levels of the University, in both the strategic and operational contexts, to specific projects, decisions and recognised risk areas. Risk is 'the chance of something happening that will have an impact on objectives'. It is, therefore, important to understand the objectives of the University, work unit, project or your position, prior to attempting to analyse the risks.
A simple process
Risk analysis is often best done in a group with each member of the group having a good understanding of the objectives being considered.
- Identify the Risks: What might inhibit the ability to meet objectives? E.g. loss of a key team member; prolonged IT network outage; delayed provision of important information by another work unit/individual; failure to seize a commercial opportunity, etc. Consider also things that might enhance the ability to meet objectives e.g. a fund-raising commercial opportunity.
- Identify the Causes: What might cause these things to occur e.g. the key team member might be disillusioned with their position, might be head hunted to go elsewhere; the person upon whom you are relying for information might be very busy, going on leave or notoriously slow in supplying such data; the supervisor required to approve the commercial undertaking might be risk averse and need extra convincing before taking the risk, etc.
- Identify the Controls: Identify all the things (Controls) that you have in place that are aimed at reducing the Likelihood of your risks from happening in the first place and, if they do happen, what you have in place to reduce their impact (Consequence). Examples include: providing a friendly work environment for your team; multi-skilling across the team to reduce the reliance on one person; stressing the need for the required information to be supplied in a timely manner; sending a reminder before the deadline; and provide additional information to the supervisor before he/she asks for it, etc.
- Establish your Likelihood and Consequence Descriptors: The likelihood descriptors are fairly generic however the consequence descriptors may depend upon the context of your analysis. I.e. if your analysis relates to your work unit, any financial loss or loss of a key staff member (for example) will have a greater impact on that work unit than it will have on the University as a whole so those descriptors used for the whole-of-University (strategic) context will generally not be appropriate for the Faculty, other work unit or the individual. The idea is analogous to how a loss of $300,000 would have less impact on the University than it would for an individual work unit. You will need to establish these parameters in consultation with the head of the work unit.
- Establish your Risk Rating Descriptors: I.e. what is meant by a Low, Moderate, High or Extreme Risk needs to be decided upon from the outset.
- Add Other Controls: Generally, any risk rated High or Extreme should have additional controls applied to it to reduce the rating to an acceptable level. What the additional controls might be, whether they are affordable, what priority might be placed on them etc is something for the group to determine in consultation with the Head of the work unit.
- Make a Decision: Once the above process is complete, if there are still some risks that are rated as High or Extreme, a decision has to be made as to whether the activity will go ahead. Sometimes risks are higher than preferred but there may be nothing more that can be done to mitigate the risk i.e. they are out of the control of the work unit but the activity must still be carried out. In such situations, monitoring and regular review is essential.
- Monitor and Review: Monitoring of all risks and regular review of the risk profile is a key part of effective risk management.