A- Eliciting risk information - Communication and consultation may occur within the organization or between the organization and its stakeholders. - It is very rare that only one person will hold all the information needed to identify the risks to a business or even to an activity or project. - It is therefore important to identify the range of stakeholders who will assist in making this information complete.
B- Managing stakeholder perceptions for management of risk
Tips for effective communication and consultation • Determine at the outset whether a communication strategy and/or plan is required • Determine the best method or media for communication and consultation • The significance or complexity of the issue or activity in question can be used as a guide as to how much communication and consultation is required: the more complex and significant to the organization, the more detailed and comprehensive the requirement.
Step 2. Establish the context. This step provides a five-step process to assist with establishing the context within which risk will be identified: 1- Establish the internal context 2- Establish the external context 3- Establish the risk management context 4- Develop risk criteria 5- Define the structure for risk analysis
SWOT: A widely used framework for organizing and using data and information gained from situation analysis. Encompasses both internal and external environments. One of the most effective tools in the analysis of environmental data and information.
SWOT description: A SWOT analysis generates information that is helpful in matching an organization’s or a group’s goals, programs, and capacities to the social environment in which they operate. It is an instrument within strategic planning. When combined with a dialogue, it is a participatory process.
SWOT: Factors affecting an organization can usually be classified as: Internal factors: Strengths (S), Weaknesses (W). External factors: Opportunities (O), Threats (T).
SWOT: internal factors. Strengths: Positive tangible and intangible attributes, internal to an organization. They are within the organization’s control. Weaknesses: Factors that are within an organization’s control that detract from its ability to attain the core goal. In which areas might the organization improve?
SWOT: external factors. Opportunities: External attractive factors that represent the reason for an organization to exist and develop. What opportunities exist in the environment which will propel the organization? Identify them by their “time frames”. Threats: External factors, beyond an organization’s control, which could place the organization’s mission or operation at risk. The organization may benefit by having contingency plans to address them should they occur. Classify them by their “seriousness” and “probability of occurrence”.
1- Establish the internal context - As previously discussed, risk is the chance of something happening that will impact on objectives. As such, the objectives and goals of a business, project or activity must first be identified to ensure that all significant risks are understood. This ensures that risk decisions always support the broader goals and objectives of the business. This approach encourages long-term and strategic thinking.
In establishing the internal context, the business owner may also ask themselves the following questions: - Is there an internal culture that needs to be considered? For example, are staff resistant to change? Is there a professional culture that might create unnecessary risks for the business? - What staff groups are present? - What capabilities does the business have in terms of people, systems, processes, equipment and other resources?
2- Establish the external context - This step defines the overall environment in which a business operates and includes an understanding of the clients’ or customers’ perceptions of the business. An analysis of these factors will identify the strengths, weaknesses, opportunities and threats to the business in the external environment.
A business owner may ask the following questions when determining the external context: • What regulations and legislation must the business comply with? • Are there any other requirements the business needs to comply with? • What is the market within which the business operates? Who are the competitors? • Are there any social, cultural or political issues that need to be considered?
Tips for establishing internal and external contexts - Determine the significance of the activity in achieving the organization's goals and objectives - Define the operating environment - Identify internal and external stakeholders and determine their involvement in the risk management process.
3- Establish the risk management context - Before beginning a risk identification exercise, it is important to define the limits, objectives and scope of the activity or issue under examination. - For example, in conducting a risk analysis for a new project, such as the introduction of a new piece of equipment or a new product line, it is important to clearly identify the parameters for this activity to ensure that all significant risks are identified.
Tips for establishing the risk management context • Define the objectives of the activity, task or function • Identify any legislation, regulations, policies, standards and operating procedures that need to be complied with • Decide on the depth of analysis required and allocate resources accordingly • Decide what the output of the process will be, e.g. a risk assessment, job safety analysis or a board presentation. The output will determine the most appropriate structure and type of documentation.
What Is a Stakeholder? Stakeholders are those who have a stake or claim in some aspect of a company’s products, operations, markets, industry and outcomes: customers, investors, employees, suppliers, government agencies, communities. Stakeholders can influence and are influenced by businesses.
Legal Risk Price Risk Environmental Risk Financial Risk 5 D’s Risk- Death- Disability- Disagreement- Divorce- Disaster Family Goals Relationship/Public Relations Risk & Objectives Human Resources Risk Production Risk 11 Overall Categories of Risk
[Process diagram labels: Establish the context; Identify risks; Analyse risks; Evaluate risks; Treat risks; Risk assessment; Monitor and review; Communicate and consult] Today's Topic: Identify risks. Topic 1 - Invite relevant parties to assist in the identification of risks. Topic 2 - Research risks that may apply to scope. Topic 3 - Use tools and techniques to generate a list of risks that apply to the scope, in consultation with relevant parties. Reference: AS/NZS 4360
Topic 1 Invite relevant parties to assist in the identification of risks
Who can assist in identifying risk? Business stakeholders: Government, Employees, Business Owners, Community, Consumers.
Who Are Business Stakeholders? Primary and Secondary Stakeholders
Primary stakeholders are those stakeholders that have a direct stake in the organization and its success
Secondary stakeholders are those that have a public or special interest stake in the organization
Class Activity: Choose an organisation of your choice. Identify major stakeholders who can assist the management in identifying the risk.
Class Activity: Who are the stakeholders of the organization?
Step 3. Identify the risks. Risk cannot be managed unless it is first identified. Once the context of the business has been defined, the next step is to utilize the information to identify as many risks as possible.
The aim of risk identification is to identify possible risks that may affect, either negatively or positively, the objectives of the business and the activity under analysis. Answering the following questions identifies the risk:
Topic 2 Research risks that may apply to scope
There are two main ways to identify risk: 1- Identifying retrospective risks. Retrospective risks are those that have previously occurred, such as incidents or accidents. Retrospective risk identification is often the most common way to identify risk, and the easiest. It’s easier to believe something if it has happened before. It is also easier to quantify its impact and to see the damage it has caused.
There are many sources of information about retrospective risk. These include: • Hazard or incident logs or registers • Audit reports • Customer complaints • Accreditation documents and reports • Past staff or client surveys • Newspapers or professional media, such as journals or websites.
2- Identifying prospective risks. Prospective risks are often harder to identify. These are things that have not yet happened, but might happen some time in the future. Identification should include all risks, whether or not they are currently being managed. The rationale here is to record all significant risks and monitor or review the effectiveness of their control.
Topic 3 Use tools and techniques to generate a list of risks that apply to the scope, in consultation with relevant parties
Methods for identifying prospective risks include: • Observation • Brainstorming with staff or external stakeholders (generating ideas requires creativity) • Researching the economic, political, legislative and operating environment - PEST Analysis • Conducting interviews with relevant people and/or organizations • Undertaking surveys of staff or clients to identify anticipated issues or problems • Flow charting a process - Fish bone diagram • Reviewing system design or preparing system analysis techniques.
Observation as a Data Collection Tool to Identify Risk. Observation as a tool means either: conducting a real-time assessment (“on the spot”) OR drawing on your experiences (using recent memories of a situation or workplace).
The Two Tests Reliability and Validity Reliability: how dependably or consistently an observation measures a characteristic. Validity: depends on the purpose of the analysis. Does your observation give an accurate and complete picture?
Maximizing Observation AAD – Appropriate, Adequate and Documented Use Appropriate samples of performance. Is your sample Adequate? Is there enough content to make a reasoned assessment? Document the assessment.
Brainstorming Brainstorming is a lateral thinking process. Brainstorming encourages open and random thinking and communications
Brainstorming Brainstorming emphasizes right-brain activity. Rules for brainstorming: Put judgment and evaluation aside temporarily. Turn imagination loose, and start offering the results. Think of as many ideas as you can. Seek combination and improvement. Record all ideas in full view. Evaluate at a later session.
Conduct Interviews with Experts to Identify Risks
Conduct Interviews with Experts: Talk with people in the industry who understand the value chain, the markets and the customers.
Data Collection Tool 2: Interviewing. Main types of interview for data collection: the informal conversational interview; the interview guide approach; the standardized open-ended interview; the fixed-response interview.
Surveys: A survey is the first step of market research. A survey collects information from a specific group of people or data on a specific subject. Forms of survey include: face to face (personal interview); telephone; mail; focus group and group interview.
Cause & Effect/Fishbone/Ishikawa Diagram to Identify Risks
Also known as a fishbone diagram (looks like a fish spine) & as the Ishikawa diagram (Japanese designer of this tool)
Used to identify the potential causes for an effect (problem) in the process
Identifies and organizes potential areas for improvement activities
Fishbone Diagram (cause and effect) [Figure labels: Factors and/or categories of factors; Cause; Effect; Largest Influence; 2nd Largest Influence; 3rd Largest; Least Influence]
Tips for effective risk identification: Select a risk identification methodology appropriate to the type of risk and the nature of the activity. Involve the right people in risk identification activities. Take a life cycle approach to risk identification and determine how risks change and evolve throughout this cycle.
Step 4. Analyze the risks. During the risk identification step, a business owner may have identified many risks and it is often not possible to try to address all those identified. The risk analysis step will assist in determining which risks have a greater consequence or impact than others.
Types of Risk: Business Related. Financial – includes cash flow, budgetary requirements, tax obligations, creditor and debtor management, remuneration and other general account management concerns. Equipment – extends to equipment used to conduct the business and includes everyday use, maintenance, depreciation, theft, safety and upgrades. Organisational – relates to the internal requirements of a business, extending to the cultural, structural and human resources of the business. Security – includes the business premises, assets and people. Also extends to security of company information, intellectual property, and technology. Legal & regulatory compliance – includes legislation, regulations, standards, codes of practice and contractual requirements. Also extends to compliance with additional ‘rules’ such as policies, procedures or expectations, which may be set by contracts, customers or the social environment.
Types of Risk: Business Related. Reputation – entails the threat to the reputation of the business due to the conduct of the entity as a whole, the viability of products/services, or the conduct of employees or others associated with the business. Operational – covers the planning, daily operational activities, resources (including people) and support required within a business that results in the successful development and delivery of products/services. Contractual – meeting obligations required in a contract including delivery, product/service quality, guarantees/warranties, insurance and other statutory requirements, non-performance. Service delivery – relates to the delivery of services, including the quality of service provided, or the manner in which a product is delivered. Includes customer interaction and after-sales service.
Types of Risk: Business Related. Commercial – includes risks associated with market placement, business growth, product development, diversification and commercial success. Also to the commercial viability of products/services, extending through establishment, retention, growth of a customer base and return. Project – includes the management of equipment, finances, resources, technology, timeframes and people involved in the management of projects. Extends to internal operational projects, business development and external projects such as those undertaken for clients. Safety – including everyone associated with the business: individual, workplace and public safety. Also applies to the safety of products/services delivered by the business. Workplace safety - Every business has a duty of care underpinned by State and Federal legislation. This means that all reasonable steps must be taken to protect the health and safety of everyone at the workplace. Occupational health and safety is integrated with the overall risk management strategy to ensure that risks and hazards are always identified and reported. Measures must also be taken to reduce exposure to the risks as far as possible.
Types of Risk: Business Related. Stakeholder management – includes identifying, establishing and maintaining the right relationships with both internal and external stakeholders. Client-customer relationship – potential loss of clients due to internal and external factors. Strategic – includes the planning, scoping, resourcing and growth of the business. Technology – includes the implementation, management, maintenance and upgrades associated with technology. Extends to recognising critical IT infrastructure and loss of a particular service/function for an extended period of time. It further takes into account the need and cost benefit associated with technology as part of a business development strategy.
Classification of Risk. Reference: http://www.madrid.org/cs/StaticFiles/Emprendedores/Analisis_Riesgos/pages/pdf/metodologia/3IdentificaciondelosRiesgos_en.pdf
Class Exercise: Trainer will give you a scenario. Using the templates: Identify Risks; Assess Risks.
Measuring Likelihood. Almost Certain: Risk is occurring now, or is extremely likely to happen within current circumstances. Likely: Balance of probability will occur. Possible: May occur but against short term probabilities. Unlikely: Could occur but not anticipated. Rare: Occurrence requires exceptional circumstance and/or over a long period of time.
Risk Rating Consequence Insignificant (1) Minor (2) Moderate (3) Major (4) Catastrophic (5) Likelihood Almost Certain (A) Significant High Extreme Extreme Significant Likely (B) Medium Significant Significant High Extreme Possible (C) Low Medium Significant High High Unlikely (D) Low Low Medium Significant High Rare (E) Low Low Medium Significant Significant
Increasing risk Intolerable Level of risk e.g. ‘HIGH’ Tolerable Evaluation
The need for action (scale from Intolerable to Tolerable): Treat immediately; Treat in the near future; Treat in the longer term; Monitor.
Risk Treatment Risk Treatment for Business Risk Treatment for OHS
Four Rules of Risk Management. Integrate risk management into planning. It’s easier to integrate risk management early in the life cycle of any operation (training).
Four Rules of Risk Management. Accept no unnecessary risks. The key word is “unnecessary”. An unnecessary risk is a risk that does not contribute meaningfully to the mission. Leaders who take unnecessary risks are gambling.
Four Rules of Risk Management. Make risk decisions at the proper level. The “proper level” is the level where the decision maker has the maturity and experience to make a good decision. Normally, this would be the leader responsible for the mission. Decisions should be made at the lowest possible level as long as the decision maker has the experience and maturity to make a good decision.
Four Rules of Risk Management. Accept risks if the benefit outweighs the cost. Army leaders are in the risk-taking business. There is always risk, and where there is risk, sooner or later there will be an accident; risk management minimizes these accidents.
Levels of Risk Management. Hasty Risk Management. A quick, often mental, consideration of the risk management process during an operational assessment.
Levels of Risk Management. Deliberate Risk Management. Application of the safety risk management process using worksheets and the core elements of the process, e.g. operations analysis, preliminary hazard assessment (PHA), risk control options, training realism assessment (TRA), implementation procedures, and sustained monitoring.
Levels of Risk Management. In-depth Risk Management. Working group application of more detailed qualitative and quantitative techniques, especially in the hazard identification, hazard assessment, and risk control options phases.
Hazard Probability of a Risk. A risk assessment matrix is an effective tool that can be used to determine how risky an identified hazard is. Standard terms associated with risk assessment matrices include: Probability. How likely an event is to occur. Effect. Consequences if the event occurs.
Key Definitions. Safety Risk Management - the application of systematic thinking to the problem of making a job safer (enhancing protection) and more effective. Hazard - a condition with the potential of causing injury to personnel, damage to equipment or structures, loss of material, or reduction of ability to perform a prescribed function.
Risk - an expression of possible loss over a specific period of time or number of operational cycles. Risk Assessment - the process of detecting hazards and systematically assessing their overall risk. It involves the first two steps of the Risk Management process.
Risk Management - a process whereby management decisions are made and actions implemented to reduce the effects of identified hazards. Gambling - Making non-systematic risk decisions.
Assessment of quality of risk management Management information Attitude of management Governance structure Corporate culture People Approach to decision making Risk management processes Quality of implementation ILLUSTRATIVE
Risk Response Planning. After identifying and quantifying risks, you must decide how to respond to them. Four main response strategies for negative risks: risk avoidance; risk acceptance; risk transference; risk mitigation.
The basic process steps are: Establish the context; Identify the risks; Analyze the risks; Evaluate the risks; Treat the risks.
Establish the context: Environment - business, social, regulatory, cultural, competitive, financial and political situation. SWOT - organisation's strengths, weaknesses, opportunities and threats. Stakeholders - objectives and expectations of individuals, groups and organisations with a significant interest in the business.
Identify the risks: To identify risk, you need to consider two key questions: Brainstorm ideas and group under appropriate risk headings. Consider the effects on people (staff, students and other people), information, physical assets and finances, reputation. Write the final list onto the table (risk assessment summary).
Identify the risks: Risk Category (Check your Handouts)
Analyze the risks: Ask simple questions. What might happen? How might it happen? Will it be serious if it happens? How likely is it to happen? And finally, what is the risk?
Analyze the risks: Probability. The likeliness that an event will occur. Almost Certain (Frequent) - occurs often. Likely - Occurs several times. Occasional) - occurs sporadically. Possible (Seldom) – Unlikely, but could occur. Unlikely – Probably won’t occur.
Analyze the risks: Consequences (Severity). Severity is the expected result of an event (degree of injury, property damage or other mission impairing factors). Critical; Major; Moderate; Minor.
Potential risk treatments. Once risks have been identified and assessed, all techniques to manage the risk fall into one or more of these four major categories: Avoidance (eliminate, withdraw from or not become involved); Reduction (optimize - mitigate); Sharing (transfer - outsource or insure); Retention (accept and budget).
Step 3: Control of Risk. THE HIERARCHY OF CONTROL: ELIMINATE (E): Stop the process immediately. SUBSTITUTE (S): Use another product; outsource the process. ENGINEER (En): Isolate the hazard (Is); install guarding around the hazard (G). ADMINISTRATE (A): Document safe work procedures (SWP); provide training (T); perform inspections (I). PERSONAL PROTECTIVE EQUIPMENT (PPE): The final frontier!!!
Hierarchy of Controls: Eliminate if possible, otherwise a combination of these in this order of preference: Substitute; Isolate risk; Engineer out; Information, instruction & training; Provide personal protective equipment.