In this topic, we look at the key principles and concepts of managing risks in a range of contexts and environments. We look at what is required to manage risk in these contexts and environments, from across an organisation, or for a specific business unit or area, in any kind of industry setting.
The techniques in this module apply to individuals who are working in positions of authority and are approved to implement changes across an organisation, business unit, or program area. They may or may not have responsibility for directly supervising others.
By the end of this topic, you will understand:
- Risk Management concepts
- Principles and frameworks of risk
- Roles and Responsibilities
It is important to note though that risk should not only be considered in a negative light because business is built upon risk. Without any risk whatsoever, there would be no ability to make a profit.
Business risk is the exposure an organisation has to factors that may cause it to fail to achieve its targets and objectives. These objectives usually have either an indirect or direct impact on the organisation's ability to meet its financial goals. Anything that threatens a company's ability to achieve its goals should be considered a business risk.
Tip
Business risk refers to anything that could impact your company's finances. In many cases, these financial risks could destroy your company. While there are many factors that can create a business risk, some include: Fire damage and Flooding.
It is important to note though that risk should not only be considered in a negative light because business is built upon risk. Without any risk whatsoever, there would be no ability to make a profit.
Think
Whenever a business is started, the business owner is taking a risk. They are laying out an initial investment because they believe they have the opportunity to make a profit. Whenever a business grows beyond its first few years of business, the business owner/s have likely taken a large number of risks to get the business to where it is. Same again for businesses going through growth. This is all based on the organisation taking a number of risks that are paying off.
There are many components that come together to create a business risk and not all business risks are equal. There are different types of risks and there are different degrees of risk. That is, some risks are considered low level risks and some risks are rated as high-level risks, either because of the likelihood of it happening, or the consequences it would have on the organisation if it did happen, or a combination of likelihood and consequences.
It is not possible for an organisation to protect itself completely from all risk as unexpected things happen every day in life and in business. Due to this, it is important for organisations to manage their risks by having a comprehensive risk management strategy in place.
Case study: Why Taking Risks is Important?
It is through taking risks that most businesses will grow. Amelia wants to start up a small niche social media marketing agency in Brisbane. She has $50,000 as her starting investment. She takes her first risk by quitting the job where she was earning good money to start her own company. She takes a risk by spending her first $3,000 to set up the company and pay for some accounting and legal advice.
She takes another risk by paying another $10,000 for a basic website and marketing costs. She then gets her first client and this is the first time the risks she has taken start paying off. The client is only paying $3,500 so she hasn’t yet earnt back the money she has spent, however Amelia knows that getting one client can lead to the next and she needs word of mouth referrals and testimonials.
It’s not the first time Amelia will need to take risks in her business as she’ll need to keep taking strategic risks to continue to attract clients and grow her business. To get her first client Amelia has taken a number of strategic risks by weighing up the potential reward against the risk she was taking by laying out her initial investment.
Why Manage Risk?
By managing risks, an organisation can reduce the impact of unexpected events and threats on its business as well as reaping a number of positive rewards. Examples of some of these rewards include:
- Increased likelihood of achieving its objectives and targets.
- Increased organisational efficiency.
- Improved confidence and trust of customers, suppliers, employees and the public as the organisation will have a better ability to meet their needs.
- Compliance with legal and regulatory requirements that may apply to the organisation.
- Framework for identifying opportunities in the marketplace.
- Reduce downtime when unexpected events do occur as the organisation will have a management plan they can refer to and put into action.
Next watch a Ted Talk explaining three simple, fun and effective tools to help you manage risk.
Legal Responsibilities
There are a range of risks all organisations are required by law to manage.
These include risks of:
- Accidents and injuries to ensure a safe workplace in accordance with Workplace Health and Safety legislation
- Customer complaints to ensure customers are treated fairly in line with Australian Consumer Law
- Causing damage to the environment in line with relevant environmental laws.
Make sure when working with risks that you understand what laws and regulations you must adhere to, for example: Let's quickly look at Work Health and Safety. The WHS Act and Regulations require persons who have a duty to ensure health and safety to 'manage risks' by eliminating health and safety risks so far as is reasonably practicable, and if it is not reasonably practicable to do so, to minimise those risks so far as is reasonably practicable.
Tip
For more information about legal responsibilities for Work Health and Safety, check out Safe Work Australia. Safe Work Australia have a resource 'How to manage work health a safety risks' Code of Practice you can check out for more information.
Understanding different types of Business Risk?
Understanding potential risks and their impact, is achieved through analysis and planning.
Types of risk include:
- Direct Risk — a threat to the business that is within your control
- Indirect Risk — a threat to the business that is out of your control
- Internal Risk — risks you have the power to prevent or mitigate within the business
- External Risk — risks you have no control over.
Let’s take a look at risks and its potential impact to the business, the table below will provide you with a clear overview of this.
| Risk | Type of Risk | Potential impact on business objectives |
|---|---|---|
| Natural disasters | It can be external, direct or indirect |
|
| Pandemic | External Direct |
|
| Global events | External Direct Indirect |
|
| Regulatory and government policy changes | External Direct Indirect |
|
| Work health and safety | Internal Direct |
|
| Environment | Internal Direct Indirect |
|
| Utilities disruption | External Direct |
|
| Legal | Internal Direct |
|
| Crime | External Internal Direct |
|
| Human resources | Internal Direct |
|
| Market, economic and financial | External Internal Direct Indirect |
|
There are many schools of thought on how to categorise the different types of business risk but in today’s modern world, breaking down risks into the following seven categories helps to remember all the different types of risks an organisation can face.
-
Strategic Risk
A strategic risk arises when a business does not operate in accordance with its intended business plan or business model. When this happens, its strategy becomes less effective over time, meaning the business may struggle to meet its goals. A business can have the most thoughtful, well-researched, smart business plan out there and still face strategic risk... this is because of the simple fact that things change. The business environment changes, and strategies that once worked become less effective.
-
Compliance Risk
Compliance risks arise in industries that are highly regulated. A compliance risk may be quite a high risk as there is the risk that the business could be shut down, have restrictions of trade placed on it or be open to legal battles if it is found to be non-compliant with its compliance requirements. Organisations that are highly regulated must have comprehensive measures in place to ensure it complies with the required regulations as well as ensuring it keeps up to date with evolving legislation over time as this creates compliance risk.
-
Operational Risk
An operational risk arises when something in the organisation that is expected to happen or perform, does not and the business loses continuity. This might be due to mistakes, technology breakdowns, employee turnover, poor procedures, poor communication and so on. All of these things create operational risk. Operational risks are also those that present a threat to property, assets and human life. This includes fire, theft, floods, natural disasters, pandemics, and medical emergencies. This type of risk will often lead to expenses in the form of repair, replacement or injury.
-
Financial Risk
Financial risks of an organisation are any risks that will threaten the financial viability, cashflow or liquidity of the organisation. This includes things like clients not paying their invoices on time, change in exchange rates and financial market fluctuations.
-
Reputational Risk
A reputational risk is any blow to a company’s reputation in the public eye. This might happen due to a failed product launch, product quality, word-of-mouth, product recall or negative publicity. In the age of social media, reputational risk in an important one to manage as an organisation’s reputation can be ruined quickly if this risk is not managed adequately.
-
Security and Fraud Risk
As more and more organisations now rely on the internet to store most, if not all, of their customer data, there are much larger risks to companies to the security of their private records.
-
Competition or Comfort Risk
This area of risk is when an organisation that may become so comfortable with their place in the market that they overlook what their competition is doing and lose customers to their competition because their competitors start offering something more attractive to their customers. This risk can come about if companies get used to doing business the way they have always done things and don’t move along with the market needs. This makes room for their competitors to either match what they have always been doing but do it better, or for new entrants to enter the market and offer products and services for cheaper prices.
Example
Kodak used to be the world leader in the photographic film industry. It was the dominant company in photographic film during most of the 20th century and almost everyone knew their tagline: ‘Capture a Kodak moment’. In the 1990s, Kodak struggled to survive financially due to a steady decline in sales of printed photos as everyone started relying on digital photos. Meanwhile the company stuck with their status quo and relied on customers to keep on coming like they always had. Despite Kodak being the first company to develop the first self-contained digital camera, it initially ignored the invention and focused on what they had always done – printed photos. This meant other companies had time to develop their own versions of digital cameras and took over Kodak’s dominance in the photography industry. Kodak later filed for bankruptcy and only much later recovered. Kodak didn’t recognise their Competition / Comfort risks early enough.
Example
Let’s take a look at the implications for Samsung when the Galaxy Note 7 was launched and was later found to be faulty. In 2016, Samsung Galaxy Note 7 phones began overheating, combusting, and exploding. The original devices had issues related to a design flaw in the battery size and third-party manufacturers. Though the company claims that the number of cases only amounted to 0.1% of total volume sold, the incident led to numerous investigations, and even aircraft carriers announcing that the devices couldn’t be powered on while flying. This led to the following risk management incidents:
| Reputation Damage | Financial Damage | Legal Issues |
|---|---|---|
|
|
|
Although Samsung has recovered from the financial and reputational damage this issue caused, the damage was extensive, and recovering from it was an enormous process that took some years.
Another way to think about risk is whether the risk is internal or external to the organisation. Internal risks are those that are faced from factors within the organisation. With internal risks the company has a good chance of controlling those risks if it puts appropriate controls in place. Internal risks include things related to human elements, technological failures or changes as well as physical risks.
External risks are those that arise from outside the organisation. These factors usually cannot be controlled or forecasted with any degree of certainty. It is often difficult to reduce these risks, however they can be planned for. External risks include things like natural events, economic factors and political events.
| Internal Risk Factors | External Risk Factors |
|---|---|
Human risk factors
|
Economic risk factors
|
Technological risk factors
|
Natural risk factors
|
Physical risk factors
|
Political risk factors
|
Note
Because there are so many risks in running an organisation, it is important that every organisation has processes in place to manage its risks.
There are some key terms and concepts you will need to know when it comes to managing risk. Let’s look at some of the key terms and their meanings.
ALARP
ALARP is an acronym for As Low as Reasonably Predictable and is a fundamental principle of risk management.
In the ALARP schema:
- Intolerable is where risks cannot be tolerated, regardless of the benefits and risk mitigation
- ALARP is the point at which they can be tolerated
- Tolerable is the point that risks can be managed by routine procedures
The principle is that all risks cannot be eliminated, therefore the cost involved in reducing the risk further would be disproportionate to the benefit gained. It’s basically a balancing point – finding the acceptable level of risk to the point that it has become as low as is reasonably practicable.
Note
It is important to note that ALARP needs to have some type of benchmark measurement involved.
Risk Appetite
Risk appetite is the amount of risk or types of risks an organisation is willing to accept to achieve its objectives before actions are taken to reduce or mitigate the risks. Risk appetite can be thought of as the balance between the potential benefits that come from conducting business that comes with a high level of risk, and the threats the risks pose. Some organisations outline their risk appetite in their risk management policy and may describe it at one of the following levels or in other similar terms:
-
Averse
Avoidance of risk is a key organisational objective.
-
Minimal
The organisation has a preference for ultra-safe options that are low risk even though the rewards are limited.
-
Cautious
The organisation has a preference for safe options that have a low degree of risk that may have a limited potential for some reward.
-
Open
The organisation is willing to consider all potential options and choose the one that is more likely to be successful and provide a high level of reward, as well as value for money.
-
Hungry
The organisation is eager to be innovative and choose options that offer high rewards, despite large risks.
Risk Assessment
A risk assessment is a systematic process to identify, analyse and control hazards and risks in an organisation.
Risk Consequences
The impact the risk would have on the organisation if it did occur.
Risk Culture
An organisation's risk culture is a term used to describe the shared values, beliefs, knowledge, attitudes and understanding about risk adopted by an organisation.
Read
You can read more about Risk Culture and download some additional resources by downloading the Institute of Risk Management’s Risk Culture: Resources for Practitioners at the following links.
chromeextension://efaidnbmnnnibpcajpcglclefindmkaj/https://qcgmedia.s3.amazonaws.com/media/uploads/116799/2021/06/20210615_474997_riskcultureresourcesforpractitioners.pdf
Risk Identification
This refers to the process of systematically analysing an organisation to identify what the threats are in each part of an organisation so the risks can be assessed. It is often one of the first parts of any risk management process, along with communication and consultation.
Risk Likelihood
The probability that the event that causes the risk will occur.
Risk Mitigation
Risk mitigation means lessening the negative impact of a risk. There are a number of different types of risk mitigation strategies. They can be used on their own or they can be used in combination with each other, depending on the organisation’s preferences for risk management and its risk appetite.
Risk Acceptance
Risk acceptance is accepting the risks because the opportunity outweighs the threat, or the risk is an acceptable risk for the organisation to take given the risk appetite of the organisation.
Risk Avoidance
This is when the consequences are considered too high to justify the cost of mitigating the threat. A simple example of risk avoidance is in the construction industry. Many construction sites are shut down in bad weather to avoid the risk that someone might get hurt. The cost of mitigating the threat of the weather – which might involve installing weather-proof temporary roofing – is too high.
Risk Control
Risk control is often used in an organisation when mitigating risks. This works by taking into account the risks and then taking actions to reduce the impacts of these risks.
Risk Transfer
This is where the risks are transferred between parties.
Risk Monitoring
As it sounds, risk monitoring is where the risk is monitored throughout a certain period or project with triggers for further actions to be taken if there are warning signs of the threat.
An example of risk monitoring is in project management where a risk to a project might be that either the project timeframes are not met, or the budget is not adhered to. By monitoring the project risk factors that would lead to these events occurring throughout the project, a project manager can act early if project milestone dates are not met or if there is an increase in costs in one part of the project, that might be able to be saved in other parts of the project later on.
Risk Profile
A risk profile is an evaluation of an organisation's exposure to and willingness to take threats.
The Australian/ New Zealand Standard on Risk Management ISO 3100:2009 Risk management – Principles and guidelines sets out the best practice approach, guiding principles and guidelines on managing risk. The Standards recommend that all organisations have a process for managing risk into an organisation’s overall management, its strategy and planning, policies, values and culture.
The Standards include in a broad sense:
Terms and Definitions
Principles:
Risk Management principles that all organisations should be guided by when managing risk.
Framework:
What's included in a risk management framework and guidance on how to establish, maintain and monitor a risk management framework.
Risk Management Process:
What the risk management process includes and details about what's involved at each step of the process.
Note
What is an Australian International Standard?
Standards are voluntary and there is no requirement for organisations to comply with standards. They are developed to ensure a safe, consistent and reliable approach. They can be considered a ‘best practice’ or common practice approach.
Organisations can be audited and accredited as compliant against these standards if they wish but can also use them to self-assess and ensure their risk management approach is best practice.
These Standards are not freely available to view. You can access a copy from SAI Global or Standards Australia.
Now that you have a good understanding of the core concepts of risk, lets dive a little deeper and look at how risk can be managed through guiding risk management principles. The Australian/ New Zealand Standard on Risk Management ISO 3100:2009 Risk management –Principles and guidelines state that for risk management to be effective, an organisation should be guided by the following risk management principles:
| Principle | Description |
|---|---|
| Risk management creates and protects value | It contributes to the achievement of objectives and performance across the organisation. |
| Risk management is an integral part of all organisational processes | It should not be considered a stand alone process from the main activities of an organisation. Risk management should be considered an important responsibility of management and all organisational processes. |
| Risk management is part of decision making | It helps decision makers make informed decisions and prioritise actions. |
| Risk management explicitly addresses uncertainty | It takes account of uncertainty, the nature of it and how it can be addressed. |
| Risk management is systematic, structured and timely | This ensures efficiency and consistent, comparable and reliable results. |
| Risk management is based on the best available information | It must be based on information such as historical data, experience, stakeholder feedback, observation, forecasts, and expert judgement. |
| Risk management is tailored | It should be aligned to the specific needs of the organisation's internal and external risk profile and operational context. |
| Risk management takes human and cultural factors into account | It must recognise the capabilities, perceptions, intentions of people that can facilitate or hinder achievement of the organisation's objectives. |
| Risk management is transparent and inclusive | Appropriate and timely involvement of stakeholders and decision makers at all levels of the organisation ensures that risk management is relevant and up to date. This involvement allows stakeholders to be appropriately represented. |
| Risk management is dynamic, iterative and responsive to change | It continually adapts and responds to change. As internal and external events occur, context and knowledge change, monitoring and review of risks take place or new risks arise, risk management approaches are adapted. |
| Risk management facilitates continual improvement of the organisation | Organisations should develop and implement strategies to improve their risk management approaches alongside other aspects of their organisation. |
Source: Adapted from the Australian/New Zealand Standard ISO 3100:2009 Risk management - Principles and guidelines.
Note
In short, risk management needs to be fully integrated into business strategy and company culture, highly adaptable and implemented in an organised way.
Risk Management Framework
The Risk Management Standards state that the success of risk management depends on the effectiveness of the risk management framework. Before implementing risk management processes, an organisation must design a framework for managing risk. This includes:
- Understanding the organisation and its context
- Establishing risk management policy
- Ensuring accountability, authority and appropriate competence for risk management
- Integrating risk management into processes
- Allocating appropriate resources
- Establishing internal and external communication and reporting mechanisms.
A risk management framework can be thought of as the program the organisation puts together to manage its risks. It is the policies, procedures and processes it adopts to manage its risks.
Example
Take a look at the City of Greater Geraldton’s Risk Management Framework from 2018 at the following link, referring particularly to page 2.
https://www.cgg.wa.gov.au/council-meetings/ordinary-council-meeting/25-september-2018/134/documents/24-ccs361a-attachment-2018-risk-management-framework-(v4).pdf
Note
A risk management framework includes the policies, procedures, approaches and processes adopted by an organisation to manage risk.
Part of any risk management framework must include a risk management process. There are a number of crucial parts of any risk management process, regardless of the framework that they sit within. These crucial parts are:
- Communication and consultation
- Establishing the context
- Identifying the risks
- Analysing the risks
- Evaluating the risks
- Treating the risks
- Monitoring and reviewing
Take a look at the following diagram to see how these parts of the risk management process interrelate and how not all parts of the process are linear.
Step 1: Communication and Consultation
A key part of any risk management process is communication and consultation with stakeholders. Your risk management plan will be far more useful if you get comprehensive feedback from a wide range and type of stakeholders. Your various stakeholder groups will have varying views and different areas of expertise that will offer great value in putting together your risk management plan. Stakeholders can include:
- Staff, including contractors and sub-contractors
- Clients, customers, and suppliers
- Government organisations you may deal with
- Local community organisations
- Business investors and financiers
- Company accountant and lawyers
- Insurance
Step 2: Establishing the Context
The context for the risk management process may also be referred to the risk management scope. Before a risk assessment can be carried out, the context in which the assessment is to be carried out must be established which means understanding the internal and external environment in which the risk assessment is to be conducted. This will be explored further in the next topic.
Step 3 Identifying the Risk
This phase of the risk assessment process involves using tools and techniques to conduct comprehensive analyses to identify the sources of risks within the business and the events that may lead to the risk occurring, the cause of each risk and their potential consequence.
Step 4: Analysing the Risk
This step includes assessing the consequences of each risk, the likelihood the incident will occur and the level of risk it presents to the business. This information informs the process of evaluation, which is the next step.
Step 5: Evaluating the Risks
In this step, the risks are rated to determine which are the most critical risks, and a priority list is created. To do this, the information gathered during the previous step of analysis is evaluated against a Risk Rating Scale. This step is part of the planning phase of risk management, as is the next step.
Step 6: Treating the Risks
Now that the risks are known, a treatment plan can now be put in place to treat and control the risks according to the priority list. It may not be necessary to actively treat all risks now, but they should be documented and, as soon as the priority list allows, be sufficiently planned for and properly managed.
Step 7: Monitoring and Reviewing&
This final step is about having a systematic process for monitoring and reviewing the risk assessment process to ensure that risks and their controls are monitored to ensure they are effective. This is done for as long as the risk exists.
Take a look at this video of Chris Davenport, a mountain climber. He integrates all parts of the risk assessment process into his climbs. How does his approach to mountain climbing exemplify the risk management process? What would his risk management plan look like?
Every person involved in a business is responsible for following the organisation’s risk management policies and procedures and for remaining aware of the risks they and the organisation might be exposed to and the risks to which they, themselves, might expose the organisation to. This includes:
- Directors
- Employees
- Contractors
- Senior Managers
While all employees are responsible, the board of directors and senior managers play a special role.
Board of Directors
Risk management is part of the overall duty of care and responsibility the organisation’s board of directors and senior managers owe to the organisation and its stakeholders and is part of the organisation’s larger corporate governance structure. The ultimate responsibility for identifying and managing risk and establishing a healthy risk culture lies with the board, which establishes the organisation’s risk appetite and risk management policies and monitors the effectiveness of the various programs and measures that flow from the policies.
Senior Managers
Board risk management and board audit committees oversee the organisation’s risk management procedures on behalf of the board. Their role is to satisfy themselves with the adequacy and appropriateness of the organisation’s entire risk management framework. The board risk management and audit committee monitors the organisation’s risk culture, considering the extent to which risk management is built into the organisation’s normal decision-making, planning, and reporting procedures and identifies areas where it is weak or unhealthy and how it could be improved. It ensures that all key strategic organisational objectives are mapped for risk and that early warning indicators are in place where appropriate.
Employees and Contractors
Every employee and contractor is responsible for following the organisation’s risk management policies and procedures and for remaining aware of the risks they and the organisation might be exposed to and the risks to which they, themselves, might expose the organisation.
Q1a. What are the seven categories of organisational risk?
Q1b. Choose three of these categories and provide an example for each one.
Q2. What are the five types of risk mitigation strategies? Provide an example of each.
Q3. What are the essential components of a risk management framework in an organisation?
Q4. Describe how the ISO risk standards are designed to be used in an organisation.
Q5. What phases of the risk identification process happen throughout the process of a risk assessment?
