Manage risk BSBRSK501A
Student Workbook
Part of a suite of support materials for the
BSB07 Business Services Training Package
Student Workbook BSBRSK501A Manage risk
1st Edition 2010
Acknowledgment
Innovation and Business Industry Skills Council (IBSA) would like to acknowledge Equip Grow Lead for their assistance with the development of this resource.
Writers: Shane MacDonald, Emily Logan and Peter Baskerville
Industry reviewer: Rod Peters, David Parry and Greg Field
Copyright and Trade Mark Statement
© 2010 Innovation and Business Industry Skills Council Ltd
All rights reserved. Apart from any use permitted under the Copyright Act 1968, no part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical, photocopying, or otherwise, without written permission from the publisher, Innovation and Business Industry Skills Council Ltd (‘IBSA’).
Use of this work for purposes other than those indicated above, requires the prior written permission of IBSA. Requests should be addressed to Products and Services Manager, IBSA, Level 11, 176 Wellington Pde, East Melbourne VIC, 3002 or email [email protected].
‘Innovation and Business Skills Australia’, ‘IBSA’ and the IBSA logo are trade marks of IBSA.
Disclaimer
Care has been taken in the preparation of the material in this document, but, to the extent permitted by law, IBSA and the original developer do not warrant that any licensing or registration requirements specified in this document are either complete or up-to-date for your State or Territory or that the information contained in this document is error-free or fit for any particular purpose. To the extent permitted by law, IBSA and the original developer do not accept any liability for any damage or loss (including loss of profits, loss of revenue, indirect and consequential loss) incurred by any person as a result of relying on the information contained in this document.
The information is provided on the basis that all persons accessing the information contained in this document undertake responsibility for assessing the relevance and accuracy of its content. If this information appears online, no responsibility is taken for any information or services which may appear on any linked websites, or other linked information sources, that are not controlled by IBSA. Use of versions of this document made available online or in other electronic formats is subject to the applicable terms of use.
To the extent permitted by law, all implied terms are excluded from the arrangement under which this document is purchased from IBSA, and, if any term or condition that cannot lawfully be excluded is implied by law into, or deemed to apply to, that arrangement, then the liability of IBSA, and the purchaser’s sole remedy, for a breach of the term or condition is limited, at IBSA’s option, to any one of the following, as applicable:
(a) if the breach relates to goods: (i) repairing; (ii) replacing; or (iii) paying the cost of repairing or replacing, the goods; or
(b) if the breach relates to services: (i) re-supplying; or (ii) paying the cost of re-supplying, the services.
Published by: Innovation and Business Industry Skills Council Ltd Level 11 176 Wellington Pde East Melbourne VIC 3002 Phone: +61 3 9815 7000 Fax: +61 3 9815 7001 e-mail: [email protected] www.ibsa.org.au
First published: June 2010
Print version: 1.0
Release date: June 2010
Printed by: Fineline Printing 130 Browns Road Noble Park VIC 3174
ISBN: 978-1-921749-76-6
Stock code: RSK501ACL
Table of Contents
Introduction
Features of the training program
Structure of the training program
Recommended reading
Section 1 – Introduction to Risk
What skills will you need?
Understand risk and risk management
Establish the context
Understand importance of relevant legislation
Section summary
Further reading
Section checklist
Section 2 – Identifying Risk
What skills will you need?
Review the external environment
Determine strengths and weaknesses
Review and document objectives
Identify risks
Research
Involve others in risk identification
Section summary
Further reading
Section checklist
Section 3 – Analysing and Evaluating Risk
What skills will you need?
Determine likelihood of risk
Assess consequence of risk
Evaluate and prioritise risk
Determine risk treatment options
Develop an action plan for treating risks
Section summary
Further reading
Section checklist
Section 4 – Treating Risk
What skills will you need?
Implement the risk action plan
Monitor the risk action plan
Evaluate the risk management process
Section summary
Further reading
Section checklist
Glossary
Appendices
Appendix 1: Risk action plan template
Appendix 2: MacVille risk management policy
Appendix 3: Scenario – Shoez
Student Workbook Introduction
BSBRSK501A Manage risk © 2010 Innovation & Business Industry Skills Council Ltd Page 1 of 100
Introduction
Features of the training program
The key features of this program are:
Student Workbook (SW) – Self-paced learning activities to help you to understand key concepts and terms. The Student Workbook is broken down into several sections.
Facilitator-led sessions (FLS) – Challenging and interesting learning activities that can be completed in the classroom or by distance learning that will help you consolidate and apply what you have learned in the Student Workbook.
Assessment Tasks – Summative assessments where you can apply your new skills and knowledge to solve authentic workplace tasks and problems.
Structure of the training program
This Training Program introduces you to the concepts of identifying risk and how to then apply the appropriate risk management strategies. You will develop the skills and knowledge in the following topic areas.
1. Introduction to Risk (SW Section 1/FLS Session 1).
2. Identify Risk (SW Section 2/FLS Session 2).
3. Analyse and Evaluate Risk (SW Section 3/FLS Session 3).
4. Treat Risk (SW Section 4/FLS Session 4).
Note: The Student Workbook sections and Session numbers are listed next to the topics above.
Your facilitator may choose to combine or split sessions. For example, in some cases, this Training Program may be delivered in two or three sessions, or in others, as many as eight sessions.
Recommended reading
Some recommended reading for this unit includes:
Australian Capital Territory Insurance Authority, 2004, Australian Government, Guide to Risk Management, viewed May 2010, <http://www.treasury.act.gov.au/actia/Guide.doc>.
Risk Management Institute of Australasia, 2010, Realising Opportunity, viewed May 2010, <http://www.rmia.org.au/>.
Section 1 – Introduction to Risk
Before you can undertake risk management, there are a number of key concepts that you must understand. This chapter will define risk and risk management, and help you establish the context in which risk management takes place.
Scenario: Preparing for risk management
You have recently been successful in securing the job of operations manager for a chain of shoe repair stores with ten outlets. Your previous experience was in sales management and more departmental areas of management but never as the operations manager of a chain of stores.
You note that one of your specific responsibilities is to manage the risks that are likely to happen in this particular organisation. Before attempting to identify the organisation’s risks, you first take time to review the concepts of risks, risk management and the context that risk will be applied to. From your previous roles, you are very aware of the risks of non-compliance with relevant laws, and so you decide to also review the legislative framework in which this organisation operates.
What skills will you need?
In order to work effectively as a risk manager you must be able to:
understand risk and risk management
establish the context for risk management
understand the importance of relevant legislation.
Understand risk and risk management
What is risk?
Risk is inevitable. It is a natural part of our physical, social, financial and competitive environments. It is defined as the chance of something happening that will have an impact on objectives or goals being achieved. It is measured in terms of consequence and likelihood. Organisations must decide on a daily basis whether various risks are or are not worth taking, for example, when making decisions regarding investment or the health and safety of employees. For some, the ability to manage risk better than anyone else becomes a valuable resource that they use for their own advantage.
In business, there is a strong correlation between risk and reward. For example, investing in the share market is riskier than investing in Government Bonds, so as a consequence of the risks involved, share markets traditionally offer the higher returns.
Only an estimated 10% of all risks are actually unforeseeable.
Definition of risk
The concept of risk is incorporated into many different business disciplines, from insurance to engineering to financial investment, and each of them has developed its own definition of risk.
In this workbook, we will take the view that risk is an event or action that, if it occurs, will cause a loss to an organisation’s valuable resources and adversely affect the goals and objectives of that organisation.
Risk is the estimated likelihood of occurrence of an uncertain event, and its impact on organisational objectives should it occur.
Figure 1: What is risk?
As shown in the diagram above, both the probability or likelihood of an event occurring and the consequence or impact of that event have an effect on the objectives of the organisation. The combination of these two factors gives an organisation an indication of the risk it is exposed to should the event occur.
Learning activity: Risk consultants
Many consultants can work with your organisation to identify risk and help in developing and implementing processes to assist in the management of business risk.
PricewaterhouseCoopers is one organisation that actively manages risk. Look at their website at <http://www.pwc.com/gx/en/risk-management/> and explain why PricewaterhouseCoopers believes some risk management systems implemented in companies have made the company more vulnerable.
Valuable resources
Valuable resources that can be affected by risk are not just financial. In today’s business environment, the loss of reputation or brand value can have far greater impact on the organisation’s viability than the loss of some investment funds. Other valuable resources that need to be considered in any loss evaluation caused by risk are detailed below.
• Human – workers, intellectual capital, skills, experience and capabilities, levels of trust, managerial skills, firm-specific practices and procedures, innovation and creativity, technical and scientific skills
• Financial – cash, investments, shares, capacity to raise equity, borrowing capacity
• Physical – plant, equipment, state-of-the-art machinery, equipment and electronics, land, buildings, vehicles, furniture, facilities
• Intellectual property – patents, copyrights, trademarks, trade secrets, software
• Organisational excellence – evaluation and control systems, effective strategic planning processes, outstanding customer service, excellent product development capabilities, innovativeness of products and services, ability to hire, motivate, and retain human capital, innovative production processes, favourable manufacturing locations, innovation capacities, effective strategic planning processes, excellent evaluation and control systems
• Intangible – information, reputation, brand value, goodwill.
Learning activity: Resources
Review the scenario provided in Appendix 3 and make note of any resources mentioned. Rank them in terms of what you consider to be high priority resources that should be protected.
Strategic resources
Many people understand the impact of an unfavourable event on tangible assets, but often overlooked is the impact that adverse events can have on the organisation’s intangible assets. All the resources listed above are valuable, but some resources take on an even more important role in an organisation because they become strategic. They are classified as being strategic because they give the business its competitive advantage. To qualify as strategic they need to be:
• Rare – That is, unique or in very short supply. For example, personnel who are leading experts in their field, and bring knowledge or skills that are not widely available.
• Difficult to imitate – That is, hard to copy due to the expense or time required to acquire. For example, the brand recognition associated with a long-established organisation or product.
• Difficult to substitute – That is, cannot easily be replicated using alternative sources. For example, long term relationships or working partnerships between specific individuals or organisations that generate high levels of creativity and innovation.
Figure 2: Strategic resources
Many of these resources are intangible, and are in many cases the most important ones to risk manage.
Learning activity: Strategic resource
Think about your own work skill sets. Most of what you know or are good at is of value to a workplace environment. Write down the skill sets or owned items that you have that could be called rare, difficult to copy and difficult to substitute. These are your strategic resources.
Risk types
Risk identification is proactive. If you are looking for risks, you will soon find them when discussing activities with team members, observing the workplace environment, reading reports and analysing results. Across the broad spectrum, risks can be categorised in various ways, for example:
Risks can be grouped into two types:
Certain – those risks that will definitely occur at some point in time, for example, employee sick days.
Uncertain – those that may occur at some point in time, for example, an employee being injured in the workplace.
Risk can also be categorised by expected impact:
Speculative risk – where there are potential opportunities.
Pure risk – where there are only negative or unfavourable outcomes for the organisation.
Learning activity: Types of risk
Review the scenario in Appendix 3 under the heading ‘Research findings’ and select three issues. Then identify the type of risk/s that could impact on the organisation as a result of these issues.
Identified issue Risk type
1.
2.
3.
What is Risk Management?
Risk management is an essential part of good management and corporate governance. It is a set of tools and processes that are used to avoid, reduce or control the risks that are likely to adversely affect the valuable and strategic resources of an organisation. Basically it is the process of identifying and categorising potential risk and then defining actions to mitigate these risks.
Risk management processes should enhance decision-making and facilitate continuous improvement in performance of the organisation. Studying and identifying risk should not inhibit action, but instead help you turn risk into a growth and development opportunity through the application of the risk management process.
Risk management refers to the culture, processes and structure that are directed towards the effective management of potential opportunities and adverse effects.
AS/NZS 4360:2004
Learning activity: Electronic risk management tools
Use the internet to find two electronic tools or software programs that can facilitate and assist in risk management. Describe the tools and compare key functions, and make a recommendation about the type of organisation or project each tool would be most suited for use in.
AS/NZS 4360:2004 – Risk Management
The Australian/New Zealand Standard AS/NZS 4360:2004 – Risk Management provides a guide for managing risk.
The objective of this standard is to provide guidance to enable public, private or community enterprises, groups and individuals to achieve:
a more confident and rigorous basis for decision-making and planning
better identification of opportunities and threats
gaining value from uncertainty and variability
pro-active rather than re-active management
more effective allocation and use of resources
improved incident management and reduction in loss and the cost of risk, including commercial insurance premiums
improved stakeholder confidence and trust
improved compliance with relevant legislation
better corporate governance.¹
¹ Quality Improvement Council, 2010, ‘Introducing Risk Management Standard AS / NZS 4360: 2004’, GPDV, viewed April 2010, <www.gpv.org.au/files/...files/.../riskmanagementstandardsAS_march05.ppt>.
[Figure 3 diagram elements: Establish the context; Identify risks; Analyse and evaluate risk; Treat risk; Communication and consultation; Monitor and review]
Throughout this workbook we will be referring to AS/NZS 4360:2004 – Risk Management Standards and following the processes outlined in it for the management of risk.
The risk management process
For the purpose of this workbook, the risk management process will be shown in the following way.
Figure 3: Risk management process
AS/NZS 4360:2004 views the analysis and evaluation of risk as two separate elements and so outlines seven elements in the risk management process.
Establish the context – Determine the scope of the project, both internally and externally. Establish the criteria by which a risk may be evaluated.
Identify risks – Recognise potential hazards, which may prevent, diminish, or delay the organisational or project objectives.
Analyse risks – Identify the consequence and likelihood of the risk taking place.
Evaluate risks – Compare the potential rewards with the potential adverse outcomes including the likelihood of each. This allows decisions to be made regarding the priority and action required to manage the risk.
Treat risks – The process of selecting which risks are to be managed and taking measures to limit the result of highest priority.
Monitor and review – Critically observe or measure the progress of the risk management process and make changes where beneficial.
Communicate and consult – Ensure stakeholders are aware of information applicable to them and appropriate to the risk level and the stage of risk management.
For the remainder of this chapter, we will look at establishing the context for risk management. The other stages will be addressed in the following chapters.
Establish the context
Scope
When you begin the process of risk management, you must be able to define the scope within which risks must be managed. This requires you to know what needs to be achieved through the risk management activities undertaken.
An organisation is defined by its goals and objectives, therefore the aim of the risk management process must be to ensure that the organisation is able to achieve those goals while balancing costs, benefits and opportunities. This provides the overall context in which risk management takes place. It is also essential that you understand the nature of any decisions that need to be made so that your process can inform and implement those decisions effectively.
In practical terms, the scope of a risk management process can apply to:
the whole organisation
a specific business unit/department
a particular project
a particular business function (e.g. finance, manufacturing).
Risk management can be applied to the internal or external environments of an organisation, or both. The internal environment encompasses the operations and inner workings of the organisation, while the external environment includes the political, economic, social, legal, and technological factors affecting the business. These are explored in more detail in Section 2 of this workbook.
Learning activity: Risk process scope
Review the scenario in Appendix 3 and identify the three criteria defining the scope of the risk management task assigned by Jeff Harding to you as the newly appointed operations manager.
1.
2.
3.
Describe how identifying the scope of a risk project is important to its management.
Stakeholders
Once you have identified the scope of risk analysis and management, you must identify the stakeholders: individuals, a group of people, or an organisation, that can be affected by the risks or implementation of the risk management process.
Identification of stakeholders is an essential step in risk management. It determines who should be involved in the formulation of the risk management plan, and who you should communicate with regarding implementation of risk management strategies and actions.
Identification of stakeholders includes identifying anyone impacted by the risk, and documenting relevant information regarding their interests, involvement, and impact on the effectiveness of the risk management process.
Learning activity: Communicating with stakeholders
Jeff believed that it would be useful to involve the store managers in gathering information about risks associated with their stores and has asked you to prepare an email. Complete an email in the space below making sure that you stay within the scope of the task.
In the book ‘The Handbook of Program Management’², Dr James T Brown gives the following advice for identifying stakeholders.
Follow the money! Whoever is paying is definitely a stakeholder. Also, if a program produces savings or additional costs for an organisation then the organisation is also a stakeholder for that program.
Follow the resources. Every entity that provides resources, whether internal or external, labour or facilities, and equipment, is a stakeholder. Line managers and functional managers providing resources are stakeholders.
Follow the deliverables. Whoever is the recipient of the product or service the organisation is providing is considered a stakeholder.
Follow the signatures. The individual who signs off on completion of the final product or service is a stakeholder.
Examine programs’ stakeholder lists. Include active programs and completed projects.
Review the organisational chart to assess which parts of the organisation may be stakeholders.
Ask team members, customers, and any other confirmed stakeholder to help you identify additional stakeholders.
Look for the ‘Unofficial People of Influence’. These may be people who are trusted by high-level leaders or who wield a lot of power through influence and not position.
Learning activity: Stakeholders
From the scenario provided at the beginning of this section, identify the internal and external stakeholders and the types of input each of them are likely to provide.
Stakeholder Internal/External? Type of input
² Brown, J T, 2007, ‘The Handbook of Program Management’, McGraw-Hill, Australia.
Learning activity: Stakeholders in the risk process
Review the scenario in Appendix 3 and identify three stakeholders, their role and their primary concerns in regard to the risk management process.
Stakeholder Role Risk concerns
Describe briefly the attributes that qualify a person as a stakeholder in the risk management process.
Understand importance of relevant legislation
You cannot afford to ignore the role of legislation in the risk management process. Arguably, the greatest risk for an organisation is to be non-compliant with relevant regulations as this can incur significant penalties. The risk management process must therefore use legislative guidelines as criteria against which risk is assessed. Some key areas of legislation affecting businesses are listed below.
OHS regulations
OHS (occupational health and safety) laws vary throughout Australia according to the state parliament that passed the Act. For example, in Queensland it is the Workplace Health and Safety Act 1995. While states have different names for their Acts covering the workplace, they all prescribe a similar set of requirements for all managers, including supervisors of projects. These are:
to ensure that work is performed in a safe manner and does not have any negative effect on the worker’s health
to ensure sufficient information and education is provided so that the work can be undertaken safely
to ensure workers have a say in the safety of their own workplace by recognising and acting on risks and hazards in the workplace
to implement audit and control measures that verify the effectiveness of OHS activities
to ensure equipment and machinery is maintained in a safe condition.
Learning activity: Legislation, standards and codes of conduct
Use the internet to research duty of care legislation, standards and codes of conduct in Australia (relevant to the business sector), and describe how you think these influence risk management processes for organisations.
Privacy Act 1988
The National Privacy Principles regulate the way information is handled by private sector organisations such as creditors and debt collectors. The principles, as stated by the Office of the Privacy Commissioner³, are as follows.
³ Australian Government, 2001, ‘National Privacy Principles,’ Office of the Privacy Commissioner, viewed April 2010, <http://www.privacy.gov.au/materials/types>.
• Collection – Organisations must ensure that individuals are aware their personal information is being collected, why, who it might be passed on to and that they can ask the organisation what personal information it holds about them.
• Use – Personal information may not be collected unless it is necessary for an organisation’s activities and must only be used for the purpose it was collected. Many direct marketing mailers will now have to offer the recipient the opportunity to elect not to receive further mailings.
• Data quality – Organisations must take steps to ensure personal information they collect is accurate, complete and up-to-date.
• Data security – An organisation must take reasonable steps to protect the personal information it holds from misuse and loss and from unauthorised access, modification or disclosure.
• Openness – An organisation must have a policy document outlining its information handling practices and make this available to anyone who asks.
• Access and correction – Generally, an organisation must give an individual access to personal information it holds about the individual on request.
• Identifiers – Generally, an organisation must not adopt, use or disclose an identifier that has been assigned by a Commonwealth government agency.
• Anonymity – Organisations must give people the option to interact anonymously whenever it is lawful and practicable to do so.
• Transborder data flows – An organisation can only transfer personal information to a recipient in a foreign country in circumstances where the information will have appropriate protection.
• Sensitive information – Sensitive information (such as about someone's health, political opinions or sexual preference), may only be collected with the consent of the individual (unless a public interest exception applies).
There are several key obligations around information collection:
Whenever possible collect information directly from the person.
Only collect information that is necessary.
Collect information by fair means.
Take reasonable steps to let people know that personal information has been collected and what is going to be done with it.
Do not disclose information about the person to a third party that you are collecting information from.
Take care about the type of information contained in messages left on answering machines.
Generally, personal information should only be used and disclosed for the purpose that it was collected.
Learning activity: Application of National Privacy Principles
Considering the privacy laws, identify which National Privacy Principles are being tested in the following circumstances.
A sales person from your organisation asks for information about someone’s partner’s mobile phone.
Your organisation’s website asks for personal details but does not have a displayed privacy statement.
A person approaches you at work and asks about a work colleague who he says owes him money.
Contract law
Contract law is any law or regulation with the objective of enforcing certain promises, namely, their formation, scope and content, avoidance, performance and termination and remedies. This is important in risk management, as contracts hold the potential for risk, and a breach of contract may have repercussions not only with the other party or parties but may also be in breach of legislation.
Australian contract law can be broken into five key sections detailed in the table below.
Formation – A contract is a promise or a set of promises that is legally binding. This requires there to be an agreement between the parties and the intention to create a legal relationship. The parties must demonstrate legal capacity to contract, and compliance with any legal requirements must be ensured.
Scope and content – A contract is generally only able to be enforced by and against the parties to the contract. The content of a contract must allow the parties to determine what the terms of the contract are, and how they should be interpreted where ambiguous.
Avoidance – A valid contract may still be avoided as a result of a number of factors, which usually involve unfair or unconscionable action by one of the parties.
Performance and termination – Most contracts come to a natural end when the parties have performed their respective obligations. A contract may also come to an end by mutual agreement between parties, as a result of the breach of contract by one of the parties, or due to events that might prevent parties from performing their obligations as planned.
Remedies – When the terms of a contract are breached by one party, the other party is entitled to remedies; in particular, damages.
Learning activity: Contracts
What risks might be presented to an organisation when entering into a contract?
Company law
A corporation, or company, is a legal group of individuals who finance a business. The group cannot become a company until it is registered with the Australian Securities and Investments Commission (ASIC). ASIC will issue the new company with a certificate of incorporation and an Australian Company Number (ACN) which is used to identify the entity.
Key features of a company include the following.
Separate legal entity – Under Australian law a company, as a separate entity, is given all the legal rights and liabilities of a natural person, including the ability to sue others and be sued itself.
Continuous life – A company is established with the assumption of a continuous life; this means that while its owners may change, the company will continue to remain in existence unless it is liquidated.
Limited shareholder liability – A company has limited liability for shareholders, meaning that if the company fails, then only the amount of shareholder investment in the company can be claimed against, and not other investments that a shareholder may have.
Separate entity from owner – A company is a separate legal entity from its owners, i.e. the financial affairs of the owners must be separated from those of the company, and unless personal guarantees of the owners have been secured, an entity can only sue the company for damages and not the owners.
There are two types of companies in Australia: proprietary and public. The diagram below shows some major differences between the two types.
Proprietary
Cannot sell shares to public.
Are classified as large or small.
Fewer reporting requirements.
Public
Can sell shares to public.
Generally large companies.
Greater compliance reporting requirements.
Under section 45A of the Corporations Act 2001, a proprietary company is currently classified as ‘large’ if it satisfies at least two of the following criteria.
The consolidated gross operating revenue of the company and any entities it controls is $10 million or more.
The value of the consolidated gross assets at the end of the financial year of the company and any entities it controls is $5 million or more.
The company and any entities it controls have more than 50 employees at the end of the financial year.⁴
If a proprietary company is classified as large, then it is required to submit annual financial and directors’ reports. Small proprietary companies do not have to prepare either of these reports except in the circumstance that ASIC or shareholders with at least 5% of the company request it to.
Learning activity: ASIC
Access the ASIC website at <http://www.asic.gov.au> and review the section on running a company. Under the heading ‘Change of details’, review the checklist provided for company officers and describe three risks for an organisation if compliance is not maintained.
1.
2.
3.
The Australian Securities and Investments Commission (ASIC)
The Australian Securities and Investments Commission (ASIC) is Australia’s corporate, markets and financial services regulator. It is an independent Commonwealth Government Body with most of its work being carried out under the Corporations Act.
4 Australasian Legal Information Institute, 2001, ‘Corporations Act 2001 - Sect 45A,’ Commonwealth Consolidated Acts, viewed April 2010, <http://www.austlii.edu.au/au/legis/cth/consol_act/ca2001172/s45a.html>.
ASIC regulates Australian companies, financial markets, financial services organisations and professionals who deal and advise in investments, superannuation, insurance, deposit taking and credit. ASIC’s main role to consider in relation to this unit is its responsibility for ensuring that company directors and officers carry out their duties honestly, diligently and in the best interest of their company.
Although ASIC administers many acts or parts of acts, as well as relevant regulations made under them, the main two are:
Corporations Act 2001
Australian Securities and Investments Commission Act 2001.
The other acts involve insurance, superannuation and medical indemnity.
The Corporations Act 2001 sets much of the legislative framework for the conduct of companies and their directors in relation to corporate governance. Internal controls need to be implemented and maintained to ensure compliance with the legislation administered by the delegated authority, ASIC.
The Australian Securities and Investments Commission Act 2001 makes provision for ASIC to ensure the performance of the financial system and entities in it, to assist investors and consumers in the financial system with appropriate information, and to administer and enforce the law effectively.
Learning activity: Director’s responsibilities
Search the ASIC website <http://www.asic.gov.au> using the search term ‘director’s responsibilities’. Name two of the director’s responsibilities listed under the heading ‘What does the law expect of you’, and for each describe a process or mechanism that you could put in place to help ensure compliance with this directive.
1.
2.
Company records compliance
Under the Corporations Law, directors are personally responsible for keeping proper company records. These could be grouped into financial records and company housekeeping records.
Up-to-date financial records must be kept so that they can:
accurately record and justify the company’s transactions
illustrate the financial position of the company and its performance.
Companies should maintain current and accurate financial records in order to ensure that:
they are able to prepare accurate financial statements of the company
these financial statements may be properly audited
the company is compliant with tax laws.
Financial statements a company would regularly prepare
Statement of Financial Performance – Shows the company’s revenue and expenses for a set period and the resulting profit or loss.
Statement of Financial Position – Shows the company’s assets and liabilities at a certain point in time.
Statement of Cash Flow – Summarises the company’s influx and efflux of cash for a set period of time.
Financial records may be kept electronically, provided they are capable of being converted into hard copy for anyone entitled to inspect them.
Note: a small proprietary company (as defined by the Corporations Act) generally is not required to lodge formal financial reports to ASIC. On the other hand, large proprietary companies, public companies and non-profit public companies must produce, audit and lodge financial reports to ASIC.
Basic financial records that companies may be required to keep by law
General ledger – Records all transactions and balances (revenue, expenses, assets, liabilities). Otherwise, summarises these balances detailed in other records.
Cash records – For example, deposit books, cheque butts, petty cash records and bank statements.
Debtor and sales records – Outlines the money made or owing to the company, for example, delivery dockets, invoices and statements issued, debtors and their balances.
Creditors and purchase records – Outlines the money spent or owed by the company, for example, purchase orders, invoices and statements received, creditors and their balances.
Wage and superannuation records – Funds paid to employees.
A register of property, plant and equipment – Shows the transactions and balances relating to individual items.
Inventory records – Value of the items that make up the company’s inventory.
Investment records – For example, certificates and notices related to dividends or interest.
Tax returns and calculations – For example, goods and services tax returns and statements, income tax, and fringe benefits.
Deeds, contracts and agreements – Legal documentation.
Learning activity: Financial record keeping
Both tax law and corporations law require that financial records are kept between five and seven years, which can present logistics problems for an organisation if there is a large amount of physical records. Search the ATO website to determine if past records can be kept electronically and, if so, how they recommend that it can be managed.
Workplace legislation, awards and workplace enterprise agreements
Industrial Instruments (Awards) are laws passed by either the Commonwealth or State Parliaments that govern the rate of pay and working conditions of employees under their jurisdiction. Federally, this act was called the Workplace Relations Act 1996, with the states having similar acts such as the Queensland Industrial Relations Act 1999. The Commonwealth and state parliaments have set up commissions to check and approve awards and agreements and to prevent and resolve disputes.
The Fair Work Act 2009
Sweeping changes have been made to workplace legislation in the years 2005 to 2009, beginning with the introduction of the Workplace Relations Amendment (Work Choices) Act 2005, followed by its replacement, the Fair Work Act (Commonwealth) in 2009. This act set out to offer:
a fair and comprehensive safety net of minimum employment conditions
a system that has at its heart bargaining in good faith at the enterprise level
protections from unfair dismissal for all employees
protection for the low-paid
a balance between work and family life
the right to be represented in the workplace.
Below are some key elements of the Fair Work Act. The organisation should be aware of these regulations to ensure its compliance. Compliance will decrease the likelihood of risk to the organisation regarding workplace relations.
Fair Work Australia (FWA)
Oversees workplace relations.
Has the power to vary awards, make orders relating to minimum wage and settle unfair dismissal claims.
Unfair dismissal
Employees may lodge unfair dismissal claims to FWA within seven days if they were employed for six months or longer (twelve months if the business employs fifteen people or fewer).
Safety net
Examples of rights that are minimum standards:
flexible working arrangements after 12 months
12 months unpaid parental leave
contracts, agreements and policies between employers and employees that reflect the National Employment Standards (NES).
Discrimination
Prohibition of discrimination based on: race, colour, sex, sexual preferences, age, physical or mental disability, marital status, religion or pregnancy.
Increased union right of entry
Unions may enter a workplace in which they have a member who works on the premises, to investigate any suspected breaches of legislation.
Enterprise bargaining
FWA will grant approval to enterprise agreements (either single enterprise or multi enterprise) if they consider "that each employee is 'better off overall' under the agreement, compared to an applicable modern award."
Transfer of business
After the transfer of assets, employees (between related companies), outsourcing or insourcing, the work is not to be significantly different after the transfer, compared to that pre‐transfer.
Learning activity: Unfair dismissal
What risks are there for an organisation in regard to unfair dismissal legislation? How can the organisation manage against the occurrence of these risks?
Awards – Industrial Instruments
Under the new Fair Work Act 2009, new National Employment Standards (NES) have been developed to underpin any award conditions and pay rates. In general, the NES sets out the following.
Figure 4: National Employment Standards
Minimum rates of pay, such as hourly rates and annual salaries.
Ordinary hours of work.
Annual leave and leave loading.
Long service leave.
Personal or carer’s leave.
Notice to be given on termination.
Rest periods.
Loadings for overtime, casual work and shift work.
Anti‐discrimination provisions.
Learning activity: Awards
Visit the websites listed below and briefly describe the information that each one provides. How does this information assist organisations in risk management?
<http://www.workplaceauthority.gov.au>
<http://www.wo.gov.au>
For state legislation see the following departmental sites.
New South Wales: <http://www.industrialrelations.nsw.gov.au>
Queensland: <http://www.wageline.qld.gov.au>
South Australia: <http://www.safework.sa.gov.au>
Tasmania: <http://www.wst.tas.gov.au>
Western Australia: <http://www.docep.wa.gov.au>
Australian Capital Territory and the Northern Territory come under federal awards.
Section summary
You should now understand the risk management process and how to establish the context for risk management activity, including the scope within which risks must be managed, the stakeholders involved, and relevant legislation. In the next chapter, we will look at Stage 1 of the risk management process: identifying risks.
Further reading
Leonard N Stern School of Business, 2010, NYU Stern, What is Risk?, viewed May 2010, <http://pages.stern.nyu.edu/~adamodar/pdfiles/valrisk/ch1.pdf>.
AIRMIC, ALARM and IRM, 2002, A Risk Management Standard, viewed May 2010, <http://www.theirm.org/publications/documents/Risk_Management_Standard_030820.pdf>.
Section checklist
Before you proceed to the next section, make sure that you are able to:
understand risk and risk management
establish the context for risk management
understand the importance of relevant legislation.
Section 2 – Identifying Risk
Risk identification is a vital stage of risk management as it develops the basis for the subsequent steps of analysing and controlling risks. Thorough and correct risk identification ensures effective risk management. If a risk is not first identified, how can it be managed? The organisation will be unable to account for such risks and so their consequences may be highly damaging to the organisation’s goals.
In this section, we will look at reviewing the organisation and factors affecting it, in order to identify risks.
Scenario: Identifying risks
Having reviewed risk management processes and the legislative framework in which the organisation operates, you now prepare for the job of identifying the risks for the chain of shoe repair stores.
You quickly realise that risk management, like most forms of management, requires input and feedback from stakeholders who affect and are affected by the risks to the organisation. With their help you will use various techniques to identify the scope of risks that could affect the organisation and set the objectives for your risk management function.
In the process of identifying risks you will assess the internal strengths and weaknesses of the organisation and the opportunities and threats from the external environment which can arise from the social, technological, economic and political spheres in which the organisation operates.
What skills will you need?
In order to work effectively as a risk manager you must be able to:
review the external environment
determine strengths and weaknesses
review and document objectives
identify risks
involve others in risk identification.
Review the external environment
To thoroughly identify risks, we must examine the external environment surrounding an organisation. This includes the political, economic, social, legal, and technological factors affecting the business.
A PEST analysis is an effective tool for investigating external environmental factors. PEST stands for the following.
P Political (or political-legal)
E Economic
S Social
T Technological
It is used when conducting an environmental analysis for strategic planning or as a framework for market research. The analysis gives an overview of big picture factors that the organisation should take into consideration.
This is a useful tool in the risk management process, as it can not only aid in the identification of risks, but may also be used as a factor in the analysis of the risks identified. Examples of factors which may come to light via a PEST analysis are below.
POLITICAL
proposed laws that may affect organisation
taxation policy
merit/demerit goods
employment regulations.
ECONOMIC
interest rates
economic growth
exchange rates
inflation rates.
SOCIAL
population growth
demographics
health consciousness
social trends.
TECHNOLOGICAL
current research and development
rate of technological change
automation
technology incentives.
Learning activity: PEST analysis
Review the scenario in Appendix 3 under the heading ‘Internal and external environment’ and identify one item for each of the following in the PEST analysis.
Political –
Economic –
Technological –
Social –
Describe briefly how a PEST analysis can help identify risks for an organisation.
Learning activity: List of risks
Review the scenario in Appendix 3 under the heading ‘Internal and external environment’ and list three risks and describe which areas of the scope they belong to.
Risk Area
Describe a process you could introduce that could help you obtain information from stakeholders.
Determine strengths and weaknesses
The internal environment of an organisation must be examined to determine if it is exposed to risk through any of its operations or processes. This requires that you assess what the business is doing well, and what areas need improvement.
A SWOT analysis can be used to determine the strengths and weaknesses of an organisation. SWOT stands for the following.
S Strengths
W Weaknesses
O Opportunities
T Threats
Strengths and weaknesses are factors that are able to be controlled by the business. Strengths are the key elements that give an organisation advantage over its competitors. Weaknesses are the limitations faced by the business in achieving its objectives.
Opportunities and threats exist independent of the organisation, and are often beyond its control. Opportunities are the conditions of the environment in which the business operates which could benefit the organisation if acted upon. Threats are barriers that prevent the business from achieving its objectives.
As shown in the diagram above, an organisation should endeavour to match internal strengths with external opportunities to create the best competitive advantage. Action should be taken to turn internal weaknesses into strengths or minimise their effect on the business, and to convert threats into opportunities or avoid them.
Learning activity: SWOT analysis
Review the scenario in Appendix 3 under the heading ‘Internal and external environment’ and identify one item for each of the following in the SWOT analysis.
Strength –
Weakness –
Opportunity –
Threat –
Describe briefly how a SWOT analysis can help you to identify risks in an organisation.
Review and document objectives
As stated in the introduction, an organisation is defined by its goals and objectives. The greatest risk for an organisation is failure to achieve its strategic objectives; therefore, the risk management process must document the goals of the business and determine risks as those things which will prevent those goals being fulfilled.
The mission statement of an organisation will ordinarily outline the key objectives of the business, and these are generally detailed and implemented throughout the policies and procedures. Reviewing these documents will help define the risk management process. For example, if part of the organisation’s mission statement is to produce a quality product, a potential risk is the inability to find skilled staff, or to source quality resources required for production.
Learning activity: Goals of risk process
Review the scenario in Appendix 3 and identify two goals or objectives for the task you have been assigned by Jeff to complete.
1.
2.
Describe how having goals or objectives assists in carrying out the risk management process.
Identify risks
Risks must be identified in order to be analysed and treated. The Australian Standard categorises risk identification into two categories.
1. What, where and when? This aims at generating a comprehensive list of risks that may impact the objectives.
2. Why and how? Identify the circumstances in which this risk may be realised. What would be the cause of an exposure of resources (For example, failure of ..., lack of ..., loss of..., injury to... etc.)?
The process of identification can be aided by various tools and techniques, which should be selected based on the purpose and context of the risk management activities being undertaken. Some of these tools include:
checklists
brainstorming
fishbone diagrams
flowcharts.
Checklists
Checklists can be used to help in identifying risks by using targeted questions. When trying to identify the risks within a specific context, it is important to interrogate the components as much as possible. Some questions that could be asked include:
Where are the risks likely to come from?
Who is likely to pose a risk?
What situations are likely to increase the possibility of the risk actually occurring?
Just how large are the risks?
In order to ensure this is comprehensive, the following areas within differing contexts, for example legislative risk, environmental risk, and economic risk could be used to address these questions.
Financial risk factors
Premises – e.g. suitability, size, facilities available, location, health and safety risks to workers and others, financial concerns.
Product and services – e.g. organisation’s competitive position (and potential in the future), environmental issues that affect development, waste management, lifestyle trends and demographic changes.
Purchasing – e.g. use of recognised standards, government policy on standard, protection of workers etc.
People elements
People – e.g. organisation of employees, ‘culture’, skills and competence of employees, training and supervision, OH&S (occupational health and safety), visitors to the site, wider public in the vicinity.
Actions or processes
Processes – e.g. techniques used and their associated risks, legislation requirements and skill level of employees.
Performance – e.g. stakeholder interest, health and safety, insurance claims and quality.
Management issues
Policy and strategy – OH&S, environmental and waste management, financial and purchasing control, accident investigation, reporting and rehabilitation.
Planning and organising.
Learning activity: Checklist
Use the categories outlined above, and for the Scenario provided in Appendix 3, develop a checklist of two target questions per category that could be used to identify risks.
Financial risk factors –
People elements –
Actions or processes –
Management issues –
Brainstorming
Brainstorming may be done around the following questions to attempt to identify risk to organisational objectives.
What:
o might happen
o is the impact
o are the existing controls?
How:
o could this arrive?
When:
o in the life of activity
o beyond the life of activity?
Who:
o is involved
o is affected?
Why will there be:
o changes and uncertainties
o causal factors and triggers?
Learning activity: Staff input to risk management
Brainstorm a list of approaches that you can use to encourage staff and stakeholders to provide input and participate in the development of risk management strategies for an organisation, and describe how each of these can be effective.
Fishbone diagrams
Fishbone diagrams are cause-and-effect diagrams. Use of the fishbone diagram encourages a systematic approach to identifying risks that looks beyond the obvious causes of a problem. The starting point for creating the diagram is identification of a problem. This is stated as the effect. The 'bones' show the types of variables that might play a part in the root cause.
Causes are usually grouped into major categories, which typically include the following.
People – anyone involved with the process.
Methods – how the process is performed and the specific requirements for doing it, such as policies, procedures, rules, regulations and laws.
Machines – any equipment, computers, tools etc. required to accomplish the job.
Materials – raw materials, parts, pens, paper, etc. used to produce the final product.
Measurements – data generated from the process that are used to evaluate its quality.
Environment – the conditions, such as location, time, temperature, and culture in which the process operates.
Causes can be generated from brainstorming activities, and then grouped and used as labels on the fishbone. Below is an example fishbone diagram showing the 8 P’s. The 8 P’s are factors affecting the service industry which have the potential to cause or contribute to problems and create risk. The smaller bones connect sub-causes to major causes and show the escalation of risk.
Figure 5: Fishbone diagram
Learning activity: The 8 P’s
Use the internet to find the 8 P’s of the service industry and create a fishbone diagram for them below. Ensure you include at least one variable for each category included on the ‘bones’ of the diagram. (You may find it easier to create the diagram using a separate piece of paper).
Flowcharts
A flowchart is a diagram commonly used to demonstrate the steps in a solution for a problem. They are frequently used to design, analyse, document and manage processes.
Flowcharts use various symbols and shapes to represent different facets of a process, and arrows to show flow of information, communication and control. Some of the symbols include the following.
Circles, ovals or rounded rectangles showing start and end points. The shape will usually contain the word ‘start’ or ‘end’, or a specific phrase that indicates the start or end of a process, such as ‘submit enquiry’.
Rectangles showing processing steps, for example ‘replace identified part’ or ‘save changes.’
Parallelograms showing input/output, for example ‘get feedback from the user.’
Diamonds representing conditional steps or decisions. These would usually contain a 'yes/no' or 'true/false' test.
Learning activity: Flowchart
Create a simple flowchart using the symbols above to show the process for dealing with a lamp that won’t function. You will need to think about reasons the lamp may not be working, and address these, and appropriate responses or actions, in your flowchart.
Learning activity: Risk management tools
Research the internet for tools or templates that you could use in risk management processes in an organisation. Identify three that you think you could use and describe why and how you think these could be helpful. Include a brief description of each tool as well as the web URL.
TOOL –
URL –
WHAT THE TOOL DOES –
HOW THE TOOL COULD BE HELPFUL –
TOOL –
URL –
WHAT THE TOOL DOES –
HOW THE TOOL COULD BE HELPFUL –
TOOL –
URL –
WHAT THE TOOL DOES –
HOW THE TOOL COULD BE HELPFUL –
Research
The process of risk identification is greatly aided by the use of both internal and external research. This may be in the form of:
past records
data and statistical information
relevant published credible literature
the result of public consultation
market research.
To ensure a thorough risk analysis, several of these sources of information could be used. Information can be collected in many ways, some of which are listed below.
Primary data collection techniques
Primary data collection refers to data collected by the user. Data collected is unique to the organisation and is not publicly available unless the researcher chooses to publish it.
Some common methods of primary data collection include interviews, focus groups, surveys and questionnaires, observations, and diaries.
INTERVIEWS
Interviewing can be used to identify the underlying reasons and motivations for people’s attitudes, preferences or behaviour. Interviews can be individual or group-based.
Advantages
Serious approach by respondent resulting in accurate information.
Good response rate.
Completed and immediate.
Possible in-depth questions.
Interviewer in control and can give help if there is a problem.
Can investigate motives and feelings.
Can use recording equipment.
Characteristics of respondent assessed – tone of voice, facial expression, hesitation, etc.
Can use props.
If one interviewer used, uniformity of approach.
Used to pilot other methods.
Disadvantages
Need to set up interviews.
Time consuming.
Geographic limitations.
Can be expensive.
Normally need a set of questions.
Respondent bias – tendency to please or impress, create false personal image, or end interview quickly.
Embarrassment possible if personal questions.
Transcription and analysis can present problems – subjectivity.
If many interviewers, training required.
FOCUS GROUPS
A focus group is an interview conducted by a trained moderator in a non-structured and natural manner with a small group of respondents. The moderator leads the discussion. The main purpose of focus groups is to gain insights by listening to a group of people from the appropriate target market talk about specific issues of interest.
QUESTIONNAIRES
Questionnaires are a popular means of collecting data, but they are difficult to design and often require many rewrites before an acceptable questionnaire is produced.
Advantages
Can be used as a method in its own right or as a basis for interviewing or a telephone survey.
Can be posted, emailed or faxed.
Can cover a large number of people or organisations.
Wide geographic coverage.
Relatively cheap.
No prior arrangements are needed.
Avoids embarrassment on the part of the respondent.
Respondent can consider responses.
Possible anonymity of respondent.
No interviewer bias.
Disadvantages
Design problems.
Questions have to be relatively simple.
Historically low response rate (although inducements may help).
Time delay whilst waiting for responses to be returned.
Require a return deadline.
Several reminders may be required.
Assumes no literacy problems.
No control over who completes it.
Not possible to give assistance if required.
Problems with incomplete questionnaires.
Replies not spontaneous and independent of each other.
Respondent can read all questions beforehand and then decide whether to complete or not. For example, perhaps because it is too long, too complex, uninteresting, or too personal.
OBSERVATIONS
Observation involves recording the behavioural patterns of people, objects and events in a systematic manner.
Observational methods may be:
structured or unstructured
disguised or undisguised
natural or contrived
personal
mechanical
non-participant
participant, with the participant taking a number of different roles.
DIARIES
A diary is a way of gathering information about the way individuals spend their time on professional activities. They are not about records of engagements or personal journals of thought! Diaries can record either quantitative or qualitative data, and in management research can provide information about work patterns and activities.
Advantages
Useful for collecting information from employees.
Different writers compared and contrasted simultaneously.
Allows the researcher freedom to move from one organisation to another.
Researcher not personally involved.
Diaries can be used as a preliminary or basis for intensive interviewing.
Used as an alternative to direct observation or where resources are limited.
Disadvantages
Subjects need to be clear about what they are being asked to do, why and what you plan to do with the data.
Diarists need to be of a certain educational level.
Some structure is necessary to give the diarist focus, for example, a list of headings.
Encouragement and reassurance are needed as completing a diary is time-consuming and can be irritating after a while.
Progress needs checking from time-to-time.
Confidentiality is required as content may be critical.
Analysis problems, so you need to consider how responses will be coded before the subjects start filling in diaries.
Secondary data collection techniques
Secondary data is collected by someone other than the user. It can be sourced from existing survey results, databases, statistical research organisations, published reports, case studies and published texts.
It is important to ensure that data is obtained from trusted sources, to ensure it is valid and reliable. There are questions that you should consider when selecting existing data for use in your audit.
What was the researcher’s objective in collecting the data?
What data was collected and what is it supposed to measure?
When was the data collected?
What methods were used?
How is the data organised?
What information is known about the success of that data collection?
How consistent is the data with data from other sources?
Essential qualities of information
The aim of any data collection activity is always to aid in decision making. The decisions that are made will only be as good as the data collected. It is essential then that data is ‘quality tested’ to ensure it will produce the desired results.
Data should be as follows.
Accurate – Information collected through audit activities should be precise and a true reflection of the relevant events, subjects and issues.
Relevant – Data collected should be directly related to the intent and objectives of the audit or collection process.
Reliable – Data must be verifiable and well supported by background information.
Learning activity: Risk research
Identify at least three different ways that risk in a business environment can be researched, and describe the types of information you are likely to gather from each approach.
Involve others in risk identification
Communication and consultation should take place at every step of the risk management process with both internal and external stakeholders. Therefore a communication plan for both these parties should be developed early in the process.
This plan should address issues relating to the risk itself, the likelihood of the risk, its potential consequences, and measures being taken to manage the risk. Communication is vital in risk management as it ensures that those accountable for implementing risk management, as well as other stakeholders, understand the reasoning behind decisions, and why particular actions are required.
Identification of risks should never be the responsibility of one individual. Consulting a team of people with different areas of expertise means that many viewpoints are represented and the identification process is thorough. Including stakeholders in the process also facilitates a sense of ‘ownership’ for risk management activities.
Some key skills that you will require for involving others and maintaining communication with stakeholders are described in the table below.
Active listening
Keep the purpose in mind – know why you are listening and what you are listening for.
Listen to what’s not said – learn to read gestures and facial expressions, not just listen to words.
Give feedback – acknowledge and respond to what you hear, without interrupting.
Be sensitive – show that you listen to and understand the other person’s point of view, even though you may not agree with it.
Encouraging feedback
Value feedback – recognise that you need feedback to build an accurate picture of what is occurring.
Do not react – show respect for feedback even when it is critical.
Don’t point fingers – use feedback to diagnose and fix problems, without laying blame.
Facilitating discussion
Step back – establish the purpose or goal for the group, and then let the group continue the discussion.
Bring focus – ensure the discussion stays on track by reminding the group of the established purpose.
Be open – don’t voice personal opinions or make judgments about proposed ideas, just listen.
Be fair – make sure everyone has an opportunity to participate, express an opinion or contribute an idea.
Summarise – rephrase key points and bring clarification to any decisions or planned actions when needed.
Effective questioning
Directive questions – seek facts and concrete answers.
Non-directive questions – deal with emotions, feelings and attitudes.
Reflective questions – clarifying information being provided, rephrasing, etc. (e.g. ‘Do you mean...’)
Closed questions – allow limited responses, such as ‘Yes’ or ‘No’.
Open questions – allow for unlimited response.
Probing questions – seek further response to a question already asked, often in response to the answer given.
Learning activity: Staff involved
In reference to the scenario provided, who would be most beneficial to involve in the process of risk identification, and why would you include them in gathering input to risk identification?
Section summary
You should now understand how to evaluate the internal and external environments of an organisation, review organisation objectives, identify risk and include stakeholders in the process.
Further reading
The University of New South Wales, 2010, UNSW Risk Consequence Assessment Tool, viewed May 2010, <http://www.fin.unsw.edu.au/files/forms/rmu/UNSW_Risk_Risk_Assessment_Tool.pdf>.
Australian Government, 2010, Risk Analysis, viewed May 2010, <http://www.ga.gov.au/image_cache/GA10820.pdf>.
Section checklist
Before you proceed to the next section, make sure that you are able to:
review the external environment
determine strengths and weaknesses
review and document objectives
research risks
identify risks
involve others in risk identification.
Section 3 – Analysing and Evaluating Risk
It is not enough for an organisation to merely be aware of risks. Once they have been identified, risks must be analysed to determine the probability of occurrence and expected impact. This chapter looks at conducting this analysis, and using it to form an action plan to deal with risks.
Scenario: Preparing a risk action plan as the new operations manager for a shoe repair chain
With the help of stakeholders, and the use of other research methods, you have been able to create a list of all the perceivable risks that could impact on the shoe repair store chain.
You are already aware that compiling a list of risks is only the first part of the risk management story. The second part, management, requires analysis, assessment, evaluation and prioritisation to determine the best use and allocation of an organisation’s resources.
You will use an approach that looks at each risk on a likelihood and consequence basis to determine the priority levels that each should be given. You will then consider the possible options for treating each risk starting with the highest priority and working to the lowest.
To assist you in this function you will prepare a risk management action plan that quite clearly shows your reasoning for establishing the risk priority levels, and the actions needed to manage the risks.
What skills will you need?
In order to work effectively as a risk manager you must be able to:
determine likelihood of risk
assess consequence of risk
evaluate and prioritise risk
determine risk treatment options
develop an action plan for treating risks.
Risk analysis is about developing an understanding of the risk. It provides an input to decisions on whether risks need to be treated and the most appropriate and cost-effective risk treatment strategies.
AS/NZS 4360:2004
Determine likelihood of risk
The first step in risk analysis is to determine the likelihood of risks. Likelihood refers to the probability that a risk will occur, and is measured in terms of the following scale. Note that the classification of risks must take into account the specific circumstances. For example, the flooding of a warehouse may range from rare, if it is located in a region that receives little rain, to frequent, if it is located somewhere that is often subject to flooding.
Rare – May occur only in exceptional circumstances, e.g. death of an employee at work.
Unlikely – Event is unlikely to occur but is possible, e.g. an employee crashing a company car.
Possible – Event could occur, e.g. rain on the day of an outdoor event.
Likely – Event likely to occur once or more during the life of the project, e.g. first aid injury.
Frequent – Event will occur many times during the life of the project, e.g. a busy street.
Figure 3: Likelihood of risk occurring
Learning activity: Board role for risk management
PricewaterhouseCoopers believes that boards can play a vital role in improving the quality of risk management information provided to them to review and/or act on. A discussion paper published by them at <http://www.pwc.com.au/assurance/risk-controls/publications/information-gap.htm> describes five steps that can help boards get the information they require. Based on the likelihood scale above, describe which risks would be included in the statement ‘Be clear about what matters’, i.e. would you include all items on the scale, or just frequent risks? Identify the cut-off you would apply and explain why.
Learning activity: Risk likelihood
Review the scenario in Appendix 3 under the heading ‘Research findings’ and select an issue you think would occur rarely and an issue you think is almost certain to occur. Give your reasons.
Likelihood Reasons
Rare
Almost certain
Learning activity: Revised risks
Some organisations assess risk, and apply a control, and then reassess risk immediately (rather than waiting for a review period some time later). How could this provide relevant information for risk management to the organisation? State your reasons.
Research the internet for risk management tools that include two layers of assessment in this way. (Hint: some risk management organisations use the term ‘residual risk’). Briefly describe the tool, and include a copy in your workbook.
Assess consequence of risk
The next step in risk analysis is to assess the potential consequence or impact of the risk on the organisation and its objectives. The general levels of consequence are as follows.
Catastrophic
multiple injuries/death
regulatory intervention
net revenue loss or asset damage exceeds $x
damage to reputation at international level
long-term environmental damage (5 years or longer).
Major
single stakeholder
breach of licenses, legislation, regulation or mandated standards
net revenue loss or asset damage between $xxxx
damage to reputation at national level
medium-term (1-5 yr) environmental damage.
Minor
breach of internal procedures or guidelines
net revenue loss or asset damage between $x – $x
adverse news in local media
environmental damage, requiring up to $250,000.
Insignificant
no breach of licenses, standards, guidelines or related audit findings
net revenue loss or asset damage $x
public awareness may exist, but there is little public concern
negligible environmental impact.
Learning activity: Risk consequence
Review the scenario in Appendix 3 under the heading ‘Research findings’ and select an issue you think would have an insignificant consequence and an issue you think would have catastrophic consequences. Give your reasons.
Consequences Reasons
Insignificant
Catastrophic
Learning activity: One of each
Think about your community or workplace and give an example of each of the following risks.
Rare and catastrophic –
Frequent and insignificant –
Possible and moderate –
Evaluate and prioritise risk
Now that you have determined both the likelihood and consequence of risk, the two are combined to determine the rating. The most effective method of risk analysis is to generate a risk matrix. A risk matrix is shown below; where the identified consequence meets the identified likelihood, a risk rating is given.
CONSEQUENCE (columns): Insignificant | Minor | Moderate | Major | Catastrophic
LIKELIHOOD (rows)
Almost certain: HIGH | HIGH | EXTREME | EXTREME | EXTREME
Likely: MEDIUM | HIGH | HIGH | EXTREME | EXTREME
Moderate: LOW | MEDIUM | HIGH | EXTREME | EXTREME
Unlikely: LOW | LOW | MEDIUM | HIGH | EXTREME
Rare: LOW | LOW | MEDIUM | HIGH | HIGH
Learning activity: Risk evaluation
Nearly all organisations and systems use the same or a very similar risk evaluation tool as outlined above. Describe how you think the one illustrated below is different, and when it might be suitable to use.
The allocation of a risk rating should prompt a decision to be made about the action to be taken, as below.
Extreme – IMMEDIATE senior management action, e.g. multiple deaths of employees.
High – Action plan needed, allocated responsibilities, e.g. damage to valuable assets.
Medium – Risk requires only monitoring and review, e.g. loss of assets due to staff theft.
Low – Risk accepted but not ignored, e.g. a paper cut.
Figure 4: risk rating and associated action
Risks can then be prioritised based on the level of action required.
Learning activity: Risk priorities
Review the scenario in Appendix 3 under the heading ‘Research findings’ and select an issue you think would be rated ‘Extreme’ and an issue you think would be rated ‘Low’. Give your reasons.
Priorities Reasons
Extreme
Low
Types of analysis
Qualitative analysis may be useful as an initial screening to identify whether further analysis of risk is required, when the analysis is appropriate for decisions, or when numerical data or resources are inadequate. It uses descriptive scales to describe the potential consequences. So far throughout this section we have been using qualitative risk analysis. The risk matrix above is an example of this method.
Semi-quantitative analysis assigns values to the risks in order to produce a more expanded ranking scale than that which is usually achievable from qualitative analysis. These values are not the predicted realistic figures calculated in quantitative analysis. It is important that the limitations of this form are recognised and that it is combined with a formula or explanation.
Quantitative analysis of risks uses numerical values (as opposed to words) to analyse both the consequence and likelihood of risks. The quality of this analysis is dependent on the data from which it was initially sourced. The outcomes may be expressed in terms of monetary, technical, or human impact. Examples of quantitative risk analysis are as follows.
o Risk of financial loss:
o Fatality risk. This calculation gives a value of 0 – 1. The closer the value to one, the greater the risk.
Learning activity: Financial loss
Using the formula above for financial loss, calculate the expected loss for a car wash that loses $500 in wages for every day it rains. The car wash is located in Brisbane where it rains on average 122 days per year, and on days when it is not raining it makes $300.
If the same business with the same loss and profits was moved to Melbourne, with an average of 148 rainy days, explain what could happen to the business.
Learning activity: Extreme action
Name a situation at work or at home you would rate as ‘Extreme'.
List three things you would do in the first few minutes.
1.
2.
3.
Determine risk treatment options
Risk treatments
There are several ways to manage risk. The Australian Standard outlines the following.
Avoid the risk. This may be done by ending the activity that gives rise to the risk. Inappropriate risk avoidance may result in an increased significance of the risk or result in the loss of opportunity.
Reduce the likelihood of the risk, i.e. reduce the likelihood of a negative impact on objectives.
Reduce the consequences, that is, decrease the extent of the damage. An example of this is reducing the inventory or making continuity plans.
Share the risk. This involves other parties bearing a portion of the risk (preferably by mutual consent). This may take place in the form of insurance arrangements, contracts, partnerships or joint ventures, all of which spread the responsibility and burden of the risk with another. This usually comes at a financial expense (e.g. premiums paid for insurance, decrease in positive outcome of risk seen by the individual organisation) and also creates another risk, namely that the parties with whom the risk is shared will not manage it effectively.
Retain the risk. After the altering or sharing of a risk, there exist residual risks which are retained. This also may take place by default as a result of failure to identify or manage a risk.
Hierarchy of control
The hierarchy of control for OHS risk management ranks options from the most preferred to the least preferred. If possible, eliminate the risk. The least preferred option is for employees to be provided with personal protection in the management of risk. There are better options between the most preferred and the least preferred.
Can you eliminate the risk? Yes – then eliminate the risk. For example, repair damaged equipment.
Can you reduce the risk? Yes – then reduce the risk. For example, hire a bus with seatbelts as opposed to one without.
Can you isolate the risk? Yes – then isolate the risk. For example, a locked plant room for chemicals.
Can you reduce the risk by control? Yes – then introduce administrative controls. For example, occupational health and safety induction.
Then provide personal protection according to AS/NZ standard. For example, gloves, safety goggles, sunscreen.
Figure 5: Hierarchy of risk control – adapted from Cole (2005)
When managing risk, particularly OHS related risk, there are key questions that managers need to be able to answer. These are as follows.
1. Are there legislated activities or practices that must be done or implemented in relation to the specific hazard?
2. Is there a Code of Practice relating to the specific hazard?
3. Are there existing controls? If so:
a. are the controls as high as possible in the hierarchy of control priorities?
b. do controls protect everyone exposed to harm?
4. What additional controls are required?
The following table is from the Risk Management Code of Practice 2007 (Workplace Health and Safety Queensland) and gives some examples of how control measures can be implemented.
Control measure: Elimination
Comment: Control the hazard at the source. This is the most effective control measure and removes the risk by removing the hazard or changing the work processes.
Examples of use: Contract tasks out to specialists who have appropriate facilities.
Control measure: Substitution
Comment: Replace the hazard (e.g. plant or substance) with another that has a lower risk.
Examples of use: Use a machine with better guarding or use a less hazardous chemical that does the same job.
Control measure: Isolation
Comment: Remove or separate people from the source of the hazard.
Examples of use: Use rubber mats to lift workers off a concrete floor or segregating work processes.
Control measure: Minimise by engineering means
Comment: Change the physical characteristics of the plant or workplace to remove or reduce the risk.
Examples of use: Modify a machine so it can be used by remote control.
Control measure: Administrative measures
Comment: Use policies, procedures, signs and training to control risk.
Examples of use: Review systems of work so that nobody works alone at night or train workers in safe lifting techniques.
Control measure: Personal protective equipment (PPE)
Comment: Provide equipment or clothing designed to protect the worker.
Examples of use: Provide hats and long shirts to protect outdoor workers against the sun.
Note: If there is a provision within the workplace health and safety regulation for your state about any hazards identified then they must be controlled in the way specified by the regulation. Similarly, if there is a Code of Practice about any of the hazards you have identified then you must do what the code of practice says or adopt and follow another way that gives the same level of protection against the risks. Whilst the law does not demand compliance with codes of conduct, insurance providers do, and non-compliance with these will result in either significantly increased insurance premiums or voiding of the insurance cover.
Learning activity: Risk treatment options
Review the scenario in Appendix 3 under the heading ‘Research findings’ and select an issue and then apply the hierarchy of control to develop options.
Issue ........................................................................................................................
Hierarchy of control Options
Can you eliminate the risk?
Can you reduce the risk? For example, by substitution.
Can you isolate the risk? For example, with guards and barriers.
Can you reduce the risk by control? For example, safe operating procedures.
Then provide personal protection according to AS/NZ standard.
Learning activity: Risk controls in a shop-environment
You have a retail store and you know you cannot always be in front of the till, so there is a risk that cash could be mishandled by store staff. Describe how you could:
reduce the risk
isolate the risk
introduce control of some form.
Reduce –
Isolate –
Control –
Learning activity: Hierarchy of control
In reference to the hierarchy of control, decide which option is the best treatment for each of the risks you have identified in the earlier activity against the scenario.
Assessing risk treatment options
When selecting the most appropriate treatment options for risk, the costs and benefits of each treatment must be carefully considered. It is important to consider all direct and indirect costs associated with each treatment, and both tangible and intangible benefits.
However, the costs and benefits need to be considered in light of the risk rating. The cost of managing a potentially catastrophic risk cannot simply be evaluated in financial terms as the cost of failing to manage the risk could far outweigh the initial cost of actions required to prevent its occurrence.
The following needs to be considered when choosing an appropriate treatment for a risk:
acceptability to all
administration efficiency
capacity compatibility
continuity of effects
contracts
cost effectiveness
economic and social environment
equity
individual freedom
jurisdictional authority
objectives
regulatory
risk creation
timing.
Learning activity: Risk vs. freedom
Examine the list above and describe why you think equity and individual freedom are included in it. It may be best to describe a control that restricts a worker’s freedom in order to reduce risk in the workplace, and then describe why this should also be considered from the individual’s viewpoint.
Learning activity: Common business risks
Research the internet for common risks in the financial services sector and use the table below to list practical ways to manage identified risks.
Risk Control
Develop an action plan for treating risks
Plan early
Experienced operators know that risk management is a proactive process. It is not the thing you do when a risk emerges because by then it may be too late. Effective risk action plans are those that are part of the operations of the organisation.
Problems that start small can escalate into large threats, or a risk may appear suddenly that threatens the reputation of the entire organisation. Having risk management processes and planning in place when these happen could stop the escalation and minimise the impact from the sudden disaster.
Learning activity: Risk timelines
Sketch a flow chart of a timeline for implementing a new product within an organisation and identify at what points or phases risk assessment would take place.
Risk action plan
The risk action plan outlines how the risk is to be managed and a timeline for this process to take place. It should include:
the risk
risk rating
treatment activity or controls
roles and responsibilities for those involved
timeline
monitoring arrangements.
See Appendix 1 for an example risk action plan template.
Learning activity: Action plans
Volunteering Australia uses a one-page risk action plan, which can be found at <http://www.volunteeringaustralia.org/files/NSJ4PVPMDM/Risk%20Action%20Plan.pdf>.
Review the form, and describe when or how you could use a similar form in an organisation where you are the risk manager. The key issue to describe is whether you think this form is suitable for all risk planning and management processes, including your reasoning.
Internal control procedures
Internal control processes are an effective form of risk treatment for an organisation.
When designing and implementing an internal control procedure, it is important that it fulfils at least one of the following eight criteria.
Completeness – that all records and transactions are included in the reports of business.
Accuracy – the right amounts are recorded in the correct accounts.
Authorisation – the correct levels of authorisation are in place to cover such things as approval, payments, data entry and computer access.
Validity – that the invoice is for work performed or products received and the business has incurred the liability properly.
Existence – of assets and liabilities. Has a purchase been recorded for goods or services that have not yet been received? Do all assets on the books actually exist? Is there correct documentation to support the item?
Handling errors – errors in the system have been identified and processed.
Segregation of duties – to ensure certain functions are kept separate. For example, the person taking cash receipts does not also do the banking.
Presentation and disclosure – timely preparation of financial reports in conformity with generally accepted.
Learning activity: Internal controls
For each of the internal controls listed below, describe or give an example of what could go wrong if the control is not implemented correctly or thoroughly.
Completeness –
Accuracy –
Authorisation –
Physical controls
Physical controls relate to security devices and measures designed to eliminate unauthorised access to physical assets including the organisation’s sensitive documents and records. Preventing access ensures that the assets are not used, removed or destroyed without proper authority.
Examples of physical controls include the following.
Secured storeroom – usually a fire resistant, thick walled room that is lockable.
Having a stores clerk – a person that is responsible for the movement of supplies in and out of the store room, and ensuring that all movements are recorded and stock takes balance.
Placing permanent identification codes on valuable assets – this allows an asset register to be created and stock takes to be done to identify missing assets.
Using safety deposit boxes – very common security device in banks. Can be installed in businesses. Often require two people to open the box.
Password protection on electronic files – this can be set at all levels (logging on, into selected applications and access to selected files within applications). Without the password, you cannot gain access.
Learning activity: Physical controls
As the operations manager, you have been asked to appoint a stores person to monitor the movement of supplies and make sure physical stock takes mirror the balances calculated from the source documentation of supply movement. Explain how having a stores person appointed to the supplies process creates a physical control over the supplies.
Insurance
Insurance involves paying premiums to share certain risks with another organisation. Insurance should only be considered as a risk management option when other treatments have not been successful in reducing a risk to an acceptable level for the organisation. That being said, it is still an important part of many risk action plans.
Generally, there are two types of insurance.
Life insurance – management of the risk of death or disability.
General insurance – covers the sharing of all other risks, e.g. property damage, workers’ compensation, motor vehicle insurance.
Some insurance is required by legislation. For example, organisations that employ staff must have workers' compensation, those that own motor vehicles must take out compulsory third party motor vehicle insurance. Other insurances are purchased at the discretion of the organisation, according to its determined needs.
When investigating insurance you need to consider three things:
1. Which risks to insure against.
2. Which insurance company to insure with.
3. What level of insurance to obtain against the risk.
Choosing an insurance company
Your organisation can purchase insurance either directly from an insurance company, or alternatively, it may be acquired through an insurance broker. An insurance broker is often able to source insurance products that suit the specific needs of an organisation, and can assist you in getting the best product for the best price.
Always ensure that the broker or company you choose to deal with is known and has a good reputation. If the company or broker you choose is not well known, check the Australian Prudential Regulatory Authority to make sure they are registered.
Choosing a Policy
When evaluating and selecting an insurance product, you should consider the following questions.
What insurance do you need? Does the policy meet your requirements or are you paying for added extras that you don’t need?
Have you read the policy carefully, including the fine print? What is covered for and what is excluded from the policy?
Do you have to pay an excess on a claim? Under what circumstances?
What is the limit applied to individual claims? Does a limit apply to payouts in a single period?
Is the option of goods replacement instead of cash available in the policy?
Is property insured for the present market value or is an ‘old for new’ replacement provided as part of the policy?
Is the value you have insured the product for sufficient?
Have you provided all the necessary information?
Have you done all that the policy requires in order to maintain coverage?
Learning activity: Risk insurance 1
Research the internet for types of insurance available for business risks (e.g. theft, staff injury, compliance issues, fraud, fire, etc.) and briefly describe the different types of insurance available.
Types of insurance
In order to reduce the risk to your organisation and its stakeholders, there is a range of insurance policies available. The table following outlines some forms of insurance policies and what they cover.
Insurance Type Policy details
Workers’ compensation
Covers against:
employee injury
employee sickness or
employee death regardless of employer’s negligence.
This is compulsory for all employers.
Motor vehicle comprehensive
Covers your organisation’s vehicles and the damage they cause to others’ property. This policy covers:
theft
fire
legal cost.
Motor vehicle third party
Covers the damage caused by your vehicles to other people’s property. The insured car is only covered against fire or theft.
Contents insurance
Protects against damage or destruction by:
the causes stated in the building insurance policy
theft.
It is important to identify if the policy provides compensation for only the depreciated value of insured items or reinstatement or replacement, in which case the new replacement cost will be paid.
Consequential loss
Covers against loss of profits following the occurrence of a specified incident (e.g. fire) until the organisation is able to resume business.
This type of policy must be regularly reviewed to ensure the amount of lost profits is up to date and takes into account inflation. The insured period during which payments are to be made should be long enough to allow for the re-establishment of business.
Professional indemnity
Insures against the legal liability arising from professional negligence when an organisation claims to provide reliable advice which proves detrimental to the person receiving it.
Building insurance
Covers against damage to structures owned by the organisation. This may include damage caused by:
fire
storm
tempest
lightning
explosion
impact by vehicles
animals
aircraft
earthquakes
riots
malicious acts
flood.
This usually covers only the depreciated value of the building insured at the time of loss. It does not cover the cost of replacement of the building, as this requires reinstatement or replacement insurance.
Public liability
Covers the organisation’s responsibility to pay compensation to persons other than employees who:
suffer injury
damage to property
die.
This policy only covers the above incidents when they are due to the organisation’s negligence and take place either on its premises or due to its operations.
Manufacturer’s liability
Covers manufacturers against claims arising from defective products, which are unfit for the purposes for which they were sold (even to benefit charity).
Learning activity: Drivers vs. insurance
An organisation has insurance for damage to vehicles, so long as the registered staff drivers are licensed, over 25, and have not been the responsible party in an accident within the last three years. Outline/draft a simple checklist-based form that could be used within the organisation for potential drivers to complete each time they collect company vehicle keys from the administration office.
Learning activity: Credit card risk
Most banks and financial institutions offer some kind of fraud or misuse of credit card insurance for card-holders, with a few provisos. Describe some common requirements (i.e. risk management controls for the financial institution) that are expected of card-holders in order to qualify for the insurance cover. You should come up with at least two simple requirements, but may come up with more, by reviewing the ANZ Security Centre at the URL below.
<http://www.anz.com/auxiliary/security-centre/fraud-security-centre/protect-yourself/online-security-tips/>
Learning activity: Risk insurance 2
Research the internet for Australian insurance providers that would suit the scenario provided. Identify three that you think you could use, and explain why each is suitable.
INSURANCE PROVIDER –
HOW PROVIDER IS SUITABLE –
INSURANCE PROVIDER –
HOW PROVIDER IS SUITABLE –
INSURANCE PROVIDER –
HOW PROVIDER IS SUITABLE –
Workplace adjustment
Sometimes it can be necessary to make adjustments in the workplace to accommodate people with a disability. Adjustments can be undertaken in a number of different ways, some of which are outlined below.
Selection process
discuss potential changes to non-core requirements of position
applicants may ask a friend to attend the interview
provide a signing interpreter for hearing impaired employees if needed.
Work area design
make physical changes to workplace, for example:
o movement or adjustment of furniture
o adjustment of lighting
o lowering benches.
Job design
exchange certain tasks to aid people with disabilities:
o e.g. telephone duties may be exchanged for filing duties for someone with hearing impairment.
Flexible work practices
flexible work hours
regular breaks
working from home.
Workplace access
unobstructed access needs to be provided to all public use areas. This may involve:
o the installation of ramps
o clear markings on steps
o provision of dedicated parking spaces near a wheelchair accessible entrance
o lowered control panels
o accessible emergency phones in elevators.
Providing equipment
a telephone typewriter (TTY)
voice recognition software
speech synthesiser.
Ensure the individual is consulted before purchasing equipment as even people with similar disabilities may have different needs.
Training and development
Access to training and development opportunities needs to be ensured for people with disabilities. This may be done by:
o conducting courses in accessible areas
o providing a signing interpreter.
Workplace Modifications Scheme
While the majority of employees with a disability won’t require any workplace modifications, for some the barrier preventing them from doing a job is that a workplace doesn’t accommodate them. Some might only need minor adjustments to the workplace that can easily be made at minimal cost. Sometimes what’s needed is an adjustment to the work environment or some special tool or technology that will enable them to perform a job to their full potential.
For employers, the Workplace Modifications Scheme (WMS) aims to make accommodating workers with disability in your workplace easier. It’s a pool of funds available to pay for the cost of any special equipment or adjustments that are needed to accommodate an employee in a job.
Sometimes the help needed by an employee may be as simple as providing them with an alarm wristwatch to remind them of when they need to do certain tasks. Other times more complex solutions are needed to accommodate them, such as building a wheelchair ramp to a workstation or installing special lighting in the workplace.
The amount of funding available for each workplace modification usually isn’t limited, which means that there’s flexibility to provide workplace solutions that really meet the individual needs of both employers and employees.
Funding is available to help employers accommodate both new and existing employees with disability. To be eligible, an employee must be employed for at least eight hours a week in a job that’s reasonably expected to last 13 weeks or more.
Extract from ‘An employer’s guide to employing someone with disability’, <www.workplace.gov.au>.
Learning activity: Risk management and workplace modifications
Research the internet to find an example of a disability within a work environment, and an adjustment that was made to allow for the disability.
Section summary
You should now understand how to analyse and evaluate risk, specifically the concepts of probability and consequence, as well as risk acceptance.
Further reading
The University of New South Wales, 2010, UNSW Risk Consequence Assessment Tool, viewed May 2010, <http://www.fin.unsw.edu.au/files/forms/rmu/UNSW_Risk_Risk_Assessment_Tool.pdf>.
Australian Government, 2010, Risk Analysis, viewed May 2010, <http://www.ga.gov.au/image_cache/GA10820.pdf>.
Work Place, Australian Government, 2010, An employer’s guide to employing someone with disability, viewed May 2010, <www.workplace.gov.au>.
Section checklist
Before you proceed to the next section, make sure that you are able to:
determine likelihood of risk
assess consequence of risk
evaluate and prioritise risk
determine risk treatment options
develop an action plan for treating risks.
Student Workbook Section 4 – Treating Risk
BSBRSK501A Manage risk © 2010 Innovation & Business Industry Skills Council Ltd Page 79 of 100
Section 4 – Treating Risk
This section looks at the implementation of the risk action plan developed in the previous section.
Scenario: Treating, monitoring and evaluating the risk management process as the new operations manager for the shoe repair chain
From the options developed previously, and in consultation with key stakeholders, you determined the most appropriate risk management strategy and actions for each risk. You then presented your risk management action plan to the CEO who, after consultation and discussion about monitoring the plan, made some adjustments. You were then asked to implement the plan.
Accepting the fact that all good plans need constant monitoring and evaluation, you build control measures into the plan to help signal when actions are delayed, ineffective or not being actioned. You rely on these control measures to inform you when things are not going according to plan. You also instigate internal and external audits to provide an extra dimension to the monitoring and evaluation process.
What skills will you need?
In order to work effectively as a risk manager you must be able to:
implement the risk action plan
monitor the risk action plan
evaluate the risk management process.
Implement the risk action plan
Implementation of the risk action plan requires participation from the organisation, and therefore should involve the following stages:
communicating the plan
documenting procedures
training.
Communicating the plan
A good starting point for implementation of the action plan is the communication of the risk management process and strategies. It is essential that everyone in the organisation understands the importance of risk management, who the key people are and how they can contribute to the process.
Stakeholders make judgments on risk based on their perception. Their viewpoints can significantly affect decisions made, so it is important that their perceptions and opinions are documented and considered.
A communication plan should:
facilitate the exchange of information between stakeholders
be transparent, accurate and understandable
be useful.
Learning activity: Communicating the plan
Having developed your risk management action plan for the case study in Appendix 3, describe an effective way to communicate it to the relevant stakeholders.
Senior Management Support
For the risk management plan to be successful it is important to ensure the support of senior management. This may be accomplished by:
obtaining the active ongoing support of the organisation’s directors and senior management
appointing a senior manager or similar champion to lead the initiative
obtaining the commitment and support of all senior managers.
Learning activity: Gaining staff support
Describe three different ways that the support of staff in an organisation for risk management practices can be obtained, that you would use as a manager responsible for risk management in the workplace.
Communication with internal stakeholders
The organisation should ensure that its internal communication and reporting mechanisms:
include processes to consolidate risk information from a variety of sources within the organisation, taking into account their likelihood and consequence
ensure all relevant parties are informed as to the key components of the risk management framework, including any subsequent modifications
provide adequate internal reporting on the effectiveness and outcomes of the framework
make relevant information derived from the application of the risk management process available to appropriate levels of management in a structured and timely manner
include processes for consultation with internal stakeholders.
Communication with external stakeholders
The organisation should develop a plan as to how it will communicate with its external stakeholders. This should include:
engaging appropriate external stakeholders and ensuring effective exchange of information
making legally required disclosures and other reporting to comply with legal, regulatory and corporate governance requirements
providing feedback on prior communication and consultation
the use of communication and information to build confidence in the organisation
communicating with stakeholders in the event of a crisis or contingency.
Learning activity: Communicating plans
Brainstorm a list of approaches that you can use to communicate risk management processes to staff and stakeholders in an organisation, and describe how each of these can be effective.
Documenting procedures
Your action plan will have identified areas where written procedures need to be developed and documented. To effectively implement the plan, staff, volunteers and management committee members need to work together to develop these procedures. Existing and new procedures should be reviewed to ensure that they are consistent.
Implementation of the risk management process will often require new policies to be developed that include monitoring, evaluation and continuous improvement. Every organisation needs to have a risk management policy framework to document the processes and procedures required. This policy will become a key document in the life of an organisation.
In general, when writing policy, you should keep in mind the size and specific needs of the organisation. Policy should be clear and concise and should not include lengthy processes or procedures that will be difficult to maintain or comply with.
The structure for policy documents will vary from organisation to organisation, but some common elements included are as follows.
• Purpose statement – The context of the policy, why it is required.
• Scope – The application of the policy (particular location, workgroup, etc.).
• Procedure – How the policy is implemented.
• Roles and responsibilities – Who is responsible for what in the implementation of the policy.
• Legislation – Reference any legislation that the policy specifically complies with.
Learning activity: Risk management policy
Identify a risk management policy or procedure for your training organisation and describe how it assists the management of risk for the organisation.
POLICY –
ASSISTS WITH RISK MANAGEMENT –
A sample risk management policy can be found in Appendix 2.
Naming and securing documents
All documents produced in the workplace should be saved for future use and reference. Commonly used formats should be saved as templates for efficient access and creation of documents in the future.
Documents should be saved in accordance with organisational requirements which may include protocols for naming documents to make their content identifiable, and locations where particular documents should be stored for future access.
Documents can also be saved with security measures implemented such as password protection to prevent unwanted editing.
Ensure you know what the requirements are so that your document can be safely stored and easily located again when required.
Learning activity: Organisational requirements for storage
What benefits are there in establishing protocols for naming documents? What factors should be considered when storing documents, both electronically and in printed format?
Training
It is highly likely your action plan will involve the introduction of new practices, or changes to existing activities, so this will require training. It is a good idea to ensure that this is carried out through the structures and processes that already exist to facilitate training in your organisation.
Learning activity: Risk-reduction training
As the manager of risk for an organisation, you are responsible for ensuring that new organisational activities are assessed for risk, and training is delivered to affected staff to ensure that identified risks are managed as effectively as possible. Describe ways that you could make training available to new staff in the organisation to ensure that all staff have the same awareness of the required safe work practices and risk management processes within the organisation.
Responsibility
It is important that there is responsibility and authority within the organisation when it comes to managing risks, including the implementation and continuation of the risk management process and making sure that risks are competently controlled. This may be done by:
appointing specific people who are to be accountable for the development, implementation and maintenance of the risk management process
specifying individuals with the role of implementing risk treatment, maintaining risk controls and reporting relevant information
providing appropriate levels of recognition, reward, approval and authority.
Learning activity: Risk management responsibilities
Review the scenario in Appendix 3 and then study the options outlined below to determine who would best be suited to take responsibility for the task. Briefly describe why you think they are most suited.
Task Responsibility and why.
Prepare a new policy and procedures on leather knife storage.
Taking out insurance to cover money kept overnight on the premises.
Training staff on new cash register procedures.
Fixing the broken tiles and eliminating the trip points.
Issuing chain-mail gloves for use with the leather knife.
Resources
The organisation should make sure that it allocates appropriate resources for risk management. Examples of resources to be considered are as follows.
people, skills, experience and competences
resources specific to stages of the risk management process
information and knowledge
documented process and procedures.
Learning activity: Professional development
Another resource for risk managers in organisations is the use of professional development, training and/or induction activities to assist staff to understand their role and responsibilities in the workplace.
Identify two areas of development that you might outsource professional development training for, and describe why.
Professional development activity –
Reason –
Professional development activity –
Reason –
Monitor the risk action plan
Monitoring and review are integral to the risk management process. Factors that affect the likelihood and consequence of risk may change over time, as may the costs of treatment options, so it is important to repeat the risk management process cycle regularly.
Monitoring activities can include risk reviews, team meetings and progress reports, which should be conducted regularly. Regular monitoring ensures that mistakes made and lessons learned throughout the implementation of the risk management process are incorporated into ongoing activities.
The progress of the risk treatment plans should be incorporated into the continuous improvement system of the organisation as a key indicator of performance. Continuous improvement refers to the ongoing efforts of an organisation to improve processes.
Once your risk management process is in place, there are four elements to maintaining the effectiveness of your risk management practices.
Identify one person responsible for risk management.
‘If it's everybody's responsibility, then it's nobody's responsibility’
It is essential that one person be given responsibility for risk management within your organisation. This person is usually known as the ‘risk manager’. In smaller organisations, the risk manager will also have many other responsibilities, while very large organisations may have someone whose only responsibility is risk management.
Learning activity: Monitoring risk
Mosman Municipal Council has a risk management action plan which outlines that managers and supervisors are required to record and review risk. Go to <http://www.mosman.nsw.gov.au/file_download/149/risk-management-action.pdf>, read pages 4 and 5 and describe how they are to involve others in this process.
If you were a manager in this organisation, outline procedural steps you could set up and follow to help you fulfil your role in reviewing and reporting risk.
Keep procedures up to date
Circumstances change and therefore so should your risk management plan. Experience gained from implementing risk management procedures can be used to further refine those procedures.
Learning activity: Risk management documentation
Describe the typical documentation required in risk management, and explain how it can be stored or saved for an organisation.
Re-assess risks
It is likely that the risks identified in the risk management process will change over time, making it important to review the changes. To keep your risk action plan up to date, do the following.
Review it on a regular basis. This should be done at least once a year.
Evaluate changes within your organisation and its environment. This may include new legislation relevant to your organisation, taking on new roles, acquisition of new equipment, or creation of new positions.
Learning activity: Risk management review
Mosman Municipal Council has a risk management action plan which outlines a review structure for a list of risk areas identified. View pages 5 and 6 of the document, which can be found at <http://www.mosman.nsw.gov.au/file_download/149/risk-management-action.pdf>. Based on the plan, estimate the review period you would put in place for each of the items listed below, and state your reasoning.
| Risk area | Review period | Reason |
| --- | --- | --- |
| Assets & infrastructure – footpaths | | |
| Assets & infrastructure – street furniture | | |
| Legislative compliance | | |
| New projects and special events | | |
Report on risk management
The risk management process should include reporting as its final step, to ensure it is current. Reporting on risk should include:
identification of any new risks
the effectiveness of the existing risk management process
the occurrence of risks during the reporting period.
Risk reports should be filed and used in regular reviews of risks and procedures.
Risk reporting can occur in different formats and at different points in the risk management cycle. The table below provides details of different reports that can be produced by organisations to assist the risk management process.
Risk profile
This report offers a quick reference point to determine an organisation’s overall risk exposure. It can be used to track risks and the factors that can cause risks to change, as well as the effectiveness of treatment activities. This report should include:
description of risk
risk rating (current and previous where applicable)
changes that have occurred and reasons for them
improvements or changes to treatment actions required.
Risk treatment report
This report provides information about the status of a prescribed risk treatment action or activity and its effectiveness. It should include:
description of risk
risk rating
description of treatment action or activity
assigned timelines/completion dates
person/s responsible
current status.
Emerging risk report
This report is used to highlight anticipated risks or add new risks to the risk register, which assists in keeping the risk register current in between formal risk review processes. It should include:
description of risk
risk rating
causes of risk
expected impact or consequence
treatment action plan.
Learning activity: Risk management reporting
Imagine you are in the role of manager of risk management processes. In the course of your work you identify a risk to the organisation and eliminate the risk entirely. Describe what benefits there are to your organisation in reporting the risk, even though it has now been eliminated.
Learning activity: Organisational risk management
Search the internet (Australian university and government organisations usually have policy documents online) for an organisational risk management policy and procedure document. Describe who is responsible for the enactment of the risk control strategies in place in the document, and how you think it is monitored. Include a copy of the policy document in your workbook.
PERSON/POSITION RESPONSIBLE –
MONITORING PROCESS –
Learning activity: Risk management monitoring approaches
Research three different approaches that can be taken to monitoring risk management strategies and describe the positives and negatives of each for the business environment.
| Monitoring approach | Positives | Negatives |
| --- | --- | --- |
Evaluate the risk management process
So, what are the measures of success in a well-managed risk process? Here are some things to look for:
A decline in residual risk values.
Progress towards a specific project objective.
The extent of implementation of risk treatments.
Decline in total cost of risk.
Senior management are understanding and supportive.
The various risk reports mentioned earlier, if produced well, should provide great insight into the success of the risk management process. Your evaluation should include a review of these reports, and take note of any repeated issues, inadequate treatment actions or significant variances in expected impact of risk as opposed to the actual impact.
Learning activity: Success
Name some metrics that you think would identify a successful implementation and monitoring of the risk management process.
Section summary
You should now understand how to implement and monitor a risk action plan, and evaluate the risk management process.
Further reading
NT WorkSafe, 2010, Northern Territory Government, Risk Management Plans, viewed May 2010, <http://www.worksafe.nt.gov.au/corporate/bulletins/pdf/06-10/09.01.11.pdf>.
Turbit, N., 2010, Project Perfect, Risk Management Basics, viewed May 2010, <http://www.projectperfect.com.au/info_risk_mgmt.php>.
Section checklist
Before you proceed to the next section, make sure that you are able to:
implement the risk action plan
monitor the risk action plan
evaluate the risk management process.
Glossary
| Term | Definition |
| --- | --- |
| Consequence | The outcome or impact of an event. |
| Control | A process, policy, device, practice or other action that acts to minimise negative risk. |
| Event | Occurrence of a particular set of circumstances. |
| Hazard | Source of potential harm. |
| Likelihood | The extent to which an event is likely to occur. |
| Loss | Any negative consequence or effect. |
| Monitor | Check, supervise or measure the progress of an activity, action or system on a regular basis. |
| Risk | The chance of something happening that will have an impact on objectives. |
| Risk analysis | Systematic process to understand the nature of and determine the level of risk. |
| Risk assessment | The overall process of risk identification, risk analysis and risk evaluation. |
| Risk evaluation | The process of comparing the level of risk against risk criteria. |
| Risk identification | The process of determining what, where, when, why and how something could happen. |
| Risk management | The culture, process and structures that are directed towards realising potential opportunities whilst managing adverse effects. |
| Risk management process | The systematic application of management policies, procedures and practices to the tasks of communicating, establishing the context, identifying, analysing, evaluating, treating, monitoring and reviewing risk. |
| Risk reduction | Actions taken to lessen the likelihood and/or negative consequences associated with a risk. |
| Risk retention | Acceptance of the burden or loss, or benefit of gain, from a particular risk. |
| Risk sharing | Sharing with another party the burden or loss, or benefit of gain, from a particular risk. |
| Stakeholders | Those people and organisations who may affect, be affected by or perceive themselves to be affected by a decision, activity or risk. |
| Treatment | The process of selection and implementation of measures to modify risk. |
Appendices
Appendix 1: Risk action plan template
| Risk | Assess Risk (L, M, H, E) | Controls | Monitoring | Timelines | Responsible |
| --- | --- | --- | --- | --- | --- |
Appendix 2: MacVille risk management policy
Purpose
Risk is inherent in all business activities. The aim of this policy is not to eliminate risk, but rather to manage the risks involved in all MacVille activities to maximise opportunities and minimise adversity.
Effective risk management requires:
a strategic focus
forward thinking and active approaches to management
balance between the cost of managing risk and the anticipated benefits
contingency planning in the event that mission critical threats are realised.
Policy
MacVille will maintain procedures to provide a systematic view of the risks faced in the course of our business activities.
Establish a context: The strategic, organisational and risk management context against which the rest of the risk management process in MacVille will take place. Criteria against which risk will be evaluated should be established and the structure of the risk analysis defined.
Identify Risks: Identification of what, why and how events arise as the basis for further analysis.
Analyse Risks: The determination of existing controls and the analysis of risks in terms of the consequence and likelihood in the context of those controls. The analysis should consider the range of potential consequences and how likely those consequences are to occur. Consequence and likelihood are combined to produce a priority rating for the risk.
Treat Risks: For higher priority risks, MacVille is required to develop and implement specific risk management plans including funding considerations. Lower priority risks may be accepted and monitored.
Monitor and Review: Oversight and review of the risk management system and any changes that might affect it. Monitoring and reviewing occurs concurrently throughout the risk management process.
Communication and Consultation: Appropriate communication and consultation with internal and external stakeholders should occur at each stage of the risk management process as well as on the process as a whole.
[Figure: risk management process diagram. Labels: Establish the context; Identify risks; Analyse and evaluate risk; Treat risk; Communication and consultation; Monitor and review.]
Appendix 3: Scenario – Shoez
Review
Shoez, a shoe repair chain, operates 10 stores in the CBD and suburbs of Brisbane, Queensland. The CEO, Jeff Harding, has appointed you as the operations manager. You are no stranger to management, although mostly at departmental level for international organisations, with some time spent in sales and marketing management. One role specifically required in your job description is to manage the risks that could impact on the Shoez operations.
A meeting with Jeff in the first week confirmed his requirement of you to review, analyse, plan and monitor the risks of the Shoez organisation. Jeff wants you to report directly to him on the risk management process but also encouraged you to speak with the stores liaison person Jenny Clerk and the accountant Sue Lee. Jeff thought it may also be beneficial to contact his accountants Brown and Davis and of course the store managers, although they were only really concerned about achieving their sales budgets and getting their commissions.
Jenny was constantly reminding the store employees about the OHS issues relating to other staff and customers. Sue did the payroll and was constantly pushing the managers to provide the appropriately authorised paperwork. Jeff said that the accountants were keen to see safeguards instigated for cash control.
Jeff wanted you to undertake this task so that you could get significant insight into the Shoez operations and develop and implement a plan to reduce the risk exposure of the organisation. He also said that he needed an ongoing risk monitoring process instigated as well.
According to Jeff, the areas that had been underperforming and were primary areas of risk concern were human resources management, financial operations and OHS. These are the areas he wanted you to focus on in your management.
Internal and external environment
After discussing Shoez with the key stakeholders and doing some external research you identify the following significant issues.
Jeff spoke about a new law that was being introduced by the Federal Government that will impact on the way that he has been paying his staff with some of their pay earned on commission.
Jeff showed a report from a survey where people rated their shoes as the second most important dress item for the successful business person and that business people were choosing high-quality shoes that they would repair rather than replace.
Brown and Davis spoke about the latest Point of Sale cash registers that would improve stock and cash control in the Shoez stores.
You noticed that the location of the Shoez stores was always in the prominent and highly trafficked parts of the shopping centres.
Sue said that she was not able to get all the staff records for pays and employee details from the store managers and this made processing difficult and meant that they were not compliant.
Brown and Davis explained that the old cash registers did not have the features that could help eliminate fraud.
Jenny spoke about the flooring in the areas where staff worked and which customers were sometimes required to access. The ceramic tiles were broken and covered up with a thin mat, but still presented a trip point to customers and staff alike.
Brown and Davis had spoken about a large chain in New South Wales that was planning to expand into Brisbane in the next 12 months.
Jeff said that while 10 stores was a good number, there are another 20 good locations in Brisbane that want Shoez as part of the shopping centre assortment.
You noticed that the stores were looking old and the decor had been out of fashion for over five years.
Brown and Davis explained that the growth in the older age portions of the Brisbane population was a positive indicator for the Shoez business.
Research findings
Store manager reports, together with your interviews with the other key stakeholders, identify the following risks.
Broken floor tiles creating a trip point for staff and customers.
Wet floors on rainy days making it slippery for staff and customers.
The store has extremely sharp knives used to cut the leather.
Banking not always done every day leaving cash on the premises.
The staff member balancing the cash registers also prepared the bank deposit book and banked the cash.
Some stores had sizable banking amounts that were banked by the junior staff member.
Staff records were kept in the individual stores in the bottom drawer of an unlocked filing cabinet.
One question on the staff records asked for a full medical history of the employee.
Timesheets sent to head office were not always authorised.