Now that the risks to the organisation have been identified, you now need to analyse, evaluate and prioritise each risk so that appropriate controls can be put in place to manage them. This will all need to be documented on the organisation’s Risk Management Plan.
This section will take you through the key components of a Risk Management Plan, as well as how to work through each risk that has been identified to assess the level of risk it presents to the organisation so you can put in place appropriate controls.
By the end of this chapter, you will understand:
- What a Risk Management Plan is
- How to analyse risks and use a risk matrix
- How to evaluate and prioritise risks
- What a Risk Register is and when to use it
- How to treat and control risks
- How to develop a Risk Treatment Schedule
- Strategies for monitoring risk.
Tip
Once you know the level of each risk, the next step is to use the Risk Rating Table to evaluate each risk and assign a Risk Rating.
A Risk Management Plan is a document that puts your risk identification and risk analysis, that we’ll cover in this chapter, all together in one place. There are many ways to lay out and present a Risk Management Plan. Your organisation may already have in place its own Risk Management Plan format, but sometimes as a manager you might need to introduce this to an organisation if there is not a system in place already, so it’s important to know the key components.
A Risk Management Plan should include the following essential components:
- Information about the scope of the risk assessment
- Details of the risks identified
- Risk register
- Risk matrix
- Details of the risk analysis and controls put in place to manage the risks.
Note
What is a Risk Register?
A risk register will be discussed further in the topic, but it forms part of the Risk Management Plan and is a place to record each risk that has been identified, the level of risk it presents to the organisation and the controls that have been put in place to manage the risk.
Example
Visit the following links to find some examples of different Risk Management Plan formats.
From your brainstorming and information gathering techniques used during the risk identification phase from the previous chapter, you will have a list of the risks to the organisation and an understanding of the impacts of each one.
You will now be able to analyse each risk.
There are two types of risk analysis: quantitative and qualitative.
Tip
Quantitative data is numbers-based, countable, or measurable. Qualitative data is interpretation-based, descriptive, and relating to language. Quantitative data tells us how many, how much, or how often in calculations. Qualitative data can help us to understand why, how, or what happened behind certain behaviors.
Quantitative risk analysis relies on data and numbers and is objective. Whereas qualitative risk analysis is subjective and relies on the risk assessor forming an opinion about the level of risk based on the likelihood and consequences of the event occurring.
Qualitative risk analysis can be used to assess risks to budget, financial indicators, completion time, staff time usage, logistics and so on.
Website
'Qualitative risk analysis vs Quantitative Risk Analysis: What is the difference?'
Read more about the Qualitative versus Quantitative Risk.
Using a Risk Matrix
A Risk Matrix is used to analyse each risk to determine the level of risk it represents to the organisation. To analyse each risk, you will need to determine the likelihood of each one occurring – that is, the frequency or probability that it will occur. You will also need to determine the consequences or impact it would have on the organisation, project or activity if it did occur.
Level of Risk = Likelihood x Consequence
See an example of a Risk Matrix below which includes the Risk Likelihood on one axis and the Risk Consequence on the other axis.
| Risk Matrix | |||||
|---|---|---|---|---|---|
| Likelihood | Consequences | ||||
| Negligible
1 |
Minor
2 |
Moderate
3 |
Major
4 |
Catastrophic
5 |
|
| Very Likely
5 |
Low-Medium | Medium | Extreme | Extreme | Extreme |
| Likely
4 |
Low | Medium | High | Extreme | Extreme |
| Possible
3 |
Low | Low-Medium | Medium | High | Extreme |
| Unlikely
2 |
Low | Low | Low-Medium | Medium | Medium |
| Very Unlikely
1 |
Low | Low | Low | Low | Low-Medium |
Determine Likelihood of Risk
As it sounds, this is the likelihood the event may actually take place. Think of this as the chance that the event will occur. The example provided uses a Likelihood Scale of Very Likely to Very Unlikely but your organisation may use a different scale. If you are designing a scale, you need to choose one that is appropriate for the risks that are to be rated.
Determine Consequence of Risk
The risk consequence considers the potential impact caused by the event taking place which might be quantitative – based on money lost – or qualitative – based on a descriptive scale – or a mix of both. The Consequence Scale used in the example is Negligible to Severe but again this can be changed to suit the organisation’s specific needs. Likelihood and Consequence Scales can be customised based on the context in which they are used which may be operational performance, injury, financial implications, reputation, or other factors.
Example scales are:
| Likelihood | Consequences |
|---|---|
|
|
Assigning a Risk Rating
Once you know the level of each risk, the next step is to use the Risk Rating Table to evaluate each risk and assign a Risk Rating. Evaluating a risk means deciding how severe the risk is and making a decision about how quickly actions need to be taken to rectify the risk. The Risk Rating is assigned based on the scores of the Risk Matrix. See below for an example of a Risk Rating Scale.
Risk Rating Scale Example
| Risk Rating | Description | Action |
|---|---|---|
| 15-25 | Extreme | Needs immediate corrective action |
| 11-14 | High | Needs corrective action within 1 month |
| 7-10 | Medium | Needs corrective action within 3 months |
| 5-6 | Low-Medium | Determine whether corrective actions are required, consider risk monitoring |
| 1-4 | Low | Does not currently require corrective action |
Prioritising Risks
Once each risk has a risk rating, you now need to know which are the most important risks for the organisation to deal with first, ranking each risk with its importance to the organisation. Your risk ratings help to prioritise them.
When evaluating risks consider:
- The risk rating.
- The amount of control the organisation can have over the risk. }
- The importance to the business or project.
- Potential losses caused by the risk occurring.
This is where your Risk Register that forms part of your Risk Management Plan can start to take shape.
The Risk Register is a record of everything you have recorded throughout the risk identification and analysis so far.
A Risk Register should record:
- The risk identified
- The consequence and likelihood of the risk
- The existing controls in place
- Level of risk
- Risk priority
Example
The example below shows the start of a completed risk register.
| Risk Identification | ||||||
|---|---|---|---|---|---|---|
| Risk Identified | Potential Impact | Consequence | Likelihood | Existing Controls | Level of Risk | Risk Priority |
| Fire or flood | Potential for injury, risk to buildings, assets, shutdown operations | Extreme (5) | Possible (3) |
|
Extreme (15) | 1 |
| Loss of power for more than one day | Shutdown operations, inability to service customers | Moderate (3) | Possible (3) |
|
Medium (9) | 3 |
| Loss of water for more than one day | Staff unable to attend offices, loss of wages | Moderate (3) | Possible (3) |
|
Medium (9) | 3 |
| Invoices not paid for more than 60 days | Unpaid invoices, profit and loss margins affected, cashflow affected | Significant (4) | Possible (3) |
|
High (12) | 2 |
| Brand fatigue | Lack of engagement by customers, failure to attract new customers | Significant (4) | Possible (3) |
|
High (12) | 2 |
| Not able to meet supplier payments and pay obligations when they become due | Poor cashflow | Severe (5) | Unlikely 2 (3) |
|
Medium (10) | 3 |
| Staff not providing the right information to customers | Low customer satisfaction | Significant (4) | Likely (4) |
|
Extreme (15) | 1 |
| Low customer satisfaction due to poor quality of product | Loss of business, fail to attract repeat business | Significant (4) | Unlikely (2) |
|
Medium (8) | 3 |
| Machinery failure or breakdown | Unable to continue work for the entire department, loss of wages and productivity | Moderate (3) | Likely (4) |
|
Extreme (5) | 2 |
Next watch a video explaining what is a risk register and what information you need to put into it.
Once risks have been identified and analysed, they need to be controlled or treated. This process involves working through the options to treat the unacceptable risks. These risks will range in severity, some will require immediate treatment and others can be treated later or monitored.
It is unlikely that an organisation will have all of the necessary resources to eliminate all identified risks, so you should use the organisation’s established framework when prioritising risks and choosing treatment options.
Treating Risks
Here are the options often used for risk treatment, however it will depend on the organisation’s risk management framework and associated policies and procedures.
Avoid the Risk
This means deciding to avoid the activity that creates the risk all together and choose an alternative route to achieve the same or similar outcome.
Factors to consider:
- What will happen if we do not proceed with the activity due to the risks involved?
- Is the cost higher than the benefits?
Reduce the Risk
Reduce the likelihood of the risk occurring or reduce the consequences of the occurrence.
The risk could be reduced by:
- Preventative maintenance.
- Quality control processes.
- Changes to systems and processes.
- Staff training procedures.
- Regular maintenance.
Transfer the Risk
Sharing or transferring the risk to another party may be another option for risk management. This might be through insurance, outsourcing, or partnerships.
Accept the Risk
You may decide to accept the risk if it can’t be avoided, reduced or transferred.
Hierarchy of Control
Hierarchy of controls is a system used to remove or reduce risks. Each step in the pyramid can be considered however the control measures at the top of the pyramid are the most effective and should be considered first before moving down the pyramid.
Elimination
Elimination involves physically removing risk - such as moving a piece of equipment to ground level to work on there, rather than the worker climbing up to work on it at height, or not going through with a business activity because it is too risky, therefore eliminating the risk.
Substitution
Substitution means removing a risk by replacing it with something that is either less likely to occur or less severe in consequences. An example of this might be to replace a piece of noisy machinery for a less noisy option or a toxic chemical with a less toxic chemical.
Isolation
Risk isolation is completed by placing a barrier between the risk and the organisation or the employee. A key difference between this step and risk elimination is that the risk is still present, however there is a barrier that shields the person from the hazard. An example of this would be to place dangerous equipment in another room or area from the rest of the employees.
Engineering Controls
This step involves designing additional safety measures and features to workplace equipment to reduce the risks. An example of this would be to install safety guards to prevent the risk of a hand or finger being cut off.
Administrative Controls
These measures involve policies, procedures and processes introduced to reduce the likelihood of a risk occurring. This might involve training, specific procedures targeted at reducing risks, signs and labels that create an awareness of hazards and so on.
Personal Protective Equipment
The final step on the hierarchy of control is the use of personal protective equipment. This includes wearing gloves, masks and protective clothing that can reduce the risk of injury.
Website
Read the article on The Top 50 Business Risk and How to Manage Them, for more ideas about common risks in a business.
A Risk Treatment Schedule is the section in your Risk Management Plan where you work through each risk and identify the potential treatment options. From your risk analysis, you will know what risk controls are currently in place, if there are any, and now you need to work out what additional measures (controls) you can put in place to help reduce or mitigate the risk.
Remember this is another important phase where consultation with your stakeholders is crucial. Gathering feedback on your Risk Register so far, and your possible treatment options will be vital to ensure you have all the available information to work with.
Once you know the possible treatment options, work with your stakeholders to work out what the preferred options are to move forward with. This may be based on the treatments that are most likely to succeed in reducing or mitigating the risk, or it might be due to budgetary constraints or other factors.
The Risk Treatment Schedule should record:
- The possible treatments for each risk
- The chosen treatments
- The Risk Rating before treatment
- The Risk Rating after treatment
- Who is responsible for putting the controls in place
- When the controls will be put in place
- How the risk will be monitored.
Example
Below is an example showing the number of completed entries on a Risk Treatment Schedule and Plan.
| Risk Treatment Schedule & Plan | |||||||
|---|---|---|---|---|---|---|---|
| Risk | Possible Treatments | Selected Treatments | Risk Rating Before Treatment | Risk Rating After Treatment | Responsibility | Timeframe | Plan for Monitoring |
| Fire or flood |
|
|
Extreme (10) | Extreme (10) | Henry Thomas | January 2022 |
|
| Loss of power for more than one day |
|
|
Medium (9) | Low (3) | Henry Thomas | April 2022 |
|
| Loss of water for more than one day |
|
|
Medium (9) | Low (3) | Henry Thomas | April 2022 |
|
| Invoices not paid for more than 60 days |
|
|
High (12) | Low-Medium (6) | Wi Zhang | March 2022 |
|
| Staff not providing the right information to customers |
|
|
Extreme (10) | Unlikely (8) | Henry Thomas | February 2022 |
|
Action plans are the final step of putting in place your risk controls and they help to ensure everything in the treatment plan is actually put into place effectively.
Action plans answer the following questions:
- What needs doing?
- Who is going to do it?
- How is it going to be done?
- By what date will it be done?
- What is the budget?
A Risk Action Plan may look similar to the following, but again your organisation may have its own way of recording the actions that need to be taken in relation to this.
Note
Remember to communicate with relevant stakeholders about the Risk Treatment Schedule and Action Plans so they know their role in helping implement the controls.
| Risk Action Plan | |
|---|---|
| Date | 10 November 2021 |
| Risk | Staff not providing the right information to customers |
| Recommended Treatment and Impact |
|
| Actions Required |
|
| Resources Required |
|
| Responsibilities |
|
| Timeframe |
|
| Reporting/Monitoring |
|
| Completed? | Henry Thomas 5th February 2021 |
Despite having identified all the risks; worked out the controls; and, put controls in place through the planned actions - the risk management process does not end here. We all know that businesses change every day, the operating environment can quickly change, and therefore risks need to be monitored.
Monitoring risk means tracking all the identified risks and ensuring that the risk mitigation actions – your controls – are still working. Part of having a framework for risk management means having a structure for how often you will review your risks, what to monitor and how changes will be reported.
How and When to Monitor Risk
Many organisations will have a process in place to conduct a formal risk management process on a regular schedule. Often this is on an annual basis, sometimes it may need to be more often for more high-risk environments. Sometimes a risk assessment for processes or certain activities are carried out on a monthly, weekly or even daily occurrence.
Risk Triggers
However, we can’t always leave monitoring our risks to the annual risk assessment process. We also need to think about triggers that might cause the risk to occur, and any indicators within a business that signals that the risk event has occurred or is occurring.
For example, if you have identified that a risk would be that your customers are regularly told incorrect information by customer service staff, and there is no way to monitor if this risk actually starts to take place, it will be too late to find out when no one is calling the business anymore, or you start getting hundreds of negative reviews on your social media platforms. You will need some ways of monitoring this risk much earlier to find out if this is happening so additional controls can be put in place if the current controls are not working.
Changes to Risk
As identified in the above example, we can’t leave changes in the risk environment to an annual risk assessment either. Therefore it is important that risk identification, control implementation and monitoring is seen as an ongoing part of business activities and that managers and staff are trained on identifying risks and identifying if things have changed. If controls that have been put in place are not working, then they need to be addressed at the time this is identified, and not left for the annual review.
Reporting New Risks
Just as with changes to risks, new risks can enter the business environment at any time. This might be because of a new business activity being undertaken, a new competitor in the market, something that was missed in the original risk assessment or a change in the external environment. New risks should be identified and addressed at the time and strategies put in place to control the risk.
Evaluation of Risk Management Processes
Evaluating processes in risk management is different from evaluating risks. An evaluation or risk management process is not done frequently. However, periodically evaluating risk management will need to be undertaken as an audit.
Questions to be asked when making an evaluation of risk management processes include:
- Have objectives been met?
- Have risks decreased?
- Are processes sufficient?
- Has implementation gone according to plan?
- Are stakeholders happy?
- Have risk management costs decreased?
- Are measurements accurate?
Once an evaluation has been completed, improvements can be made to the current process.
Q1. Explain whether you always need to use the same Risk Matrix or not, and why?
Q2. At what stage of the risk analysis process is a Risk Matrix used?
Q3. What is meant by controlling and treating a risk?
Q4. Briefly summarise how the hierarchy of control can be used to help you manage risks.
Q5. In your own words, explain the difference between qualitative and quantitative risk analysis.
Q6. Describe three strategies you could use to monitor risks in an organisation.
