Selecting and Implementing Treatments

Submitted by Katie.Koukouli… on Wed, 05/10/2023 - 17:43

In this section you will learn to:

  • Determine and select from options for treating risks
  • Develop action plan for implementing risk treatment
  • Communicate risk management processes to relevant parties
  • Implement action plan according to organisational policies and procedures
  • Monitor and evaluate risk management process

Supplementary materials relevant to this section:

  • Reading E: Risk Controlling
  • Reading F: Potential Pitfalls and How to Overcome Them

This section of the module focuses on selecting and implementing risk treatments. This involves determining the most appropriate treatment option, developing, implementing and monitoring action plans, documenting and communicating processes and procedures and evaluating the risk management process.


There are many different options for treating risk and different risk resources use different terminology. In this section we will examine risk responses and risk controls as well as examining the role of insurance in risk management.

Risk Response

Risk response is defined as the “development and implementation of measures to modify risk” (Hopkin, 2017). Risk response is a generic term used to describe a range of responses to risk. The risk response used will depend on the relative priority of the risk as determined by its likelihood and impact. Risk responses may involve tolerating, treating, transferring or terminating a risk and are sometimes referred to as the 4Ts of risk response.

  • Tolerating - when a risk is unlikely and has a small impact, it is known as a low priority risk. In most cases the organisation will decide to tolerate low priority risks. Other circumstances where an organisation may tolerate risk are when risks may lead to profit or when the process is essential to the organisation (Hopkin, 2017).
  • Treating - when a risk is likely or almost certain and has a small to moderate impact it is considered a medium priority risk. Most organisations choose to treat these kinds of risks. Seatbelts, airbags, smoke alarms and security systems are all examples of risk treatments (Hopkin, 2017).
  • Transferring - when a risk is unlikely but has a severe or catastrophic impact that risk is considered a medium priority. It is common for organisations to transfer medium priority risks such as these. Risk transfer is sometimes also known as risk sharing to highlight the fact that no risk can be entirely transferred to another party. Methods of transferring risk may include insurance, contractual agreement, partnership or joint ventures (Hopkin, 2017).
  • Terminating - when a risk is both likely to occur and will have a severe or catastrophic impact it is considered a high priority risk. Usually an organisation will try to terminate high priority risks by “stopping the process or activity, substituting an alternative activity or outsourcing the activity that is associated with the risk” (Hopkin, 2017). It sometimes happens that high risks are associated with a fundamental process or procedure; in which case the organisation usually adopts a combination of the risk treatment and risk transfer approach (Hopkin, 2017).

The matrix below (adapted from Hopkin 2017) depicts the primary response to each risk type.

4T's of risk response

Risk control

Once the most appropriate response has been determined, the next step is to apply the correct risk control technique. Risk controls can be classified into preventative, corrective, directive or detective controls. Each of these controls will now be discussed in more detail with examples.

  • Preventative controls, as the name suggests, are designed to prevent, eliminate, substitute or remove a risk before it occurs. Preventative controls align with the terminate risk response discussed earlier as they both aim to remove or reduce the risk before it occurs (Hopkin, 2017). Preventative controls may include guard rails, physical barriers, lifting equipment or harnesses. They may also include passwords, separation of duties and adequate training. Preventative controls can also involve substituting a risk with a lesser risk, for example using safer cleaning products. Preventative controls remove or reduce the possibility of a risk occurring however they sometimes cause a significant cost to the organisation in time, manpower, resources or productivity. Each organisation has to find a balance between the costs of preventative controls and the benefits in terms of risk reduction (Hopkin, 2017).
  • Corrective controls align with the treatment risk response as both approaches seek to reduce the impact if and when a risk occurs. Helmets, airbags, seatbelts, smoke alarms, sprinklers and security alarms are all examples of corrective controls because they seek to reduce the impact of the risk after it has occurred. Some experts include insurance in corrective controls however for the purpose of this unit we shall discuss insurance separately. As with preventative controls there is much debate as to whether the costs of corrective controls outweigh the benefits, however each organisation will need to determine that for themselves, especially given that many corrective controls are legally required (Hopkin, 2017).
  • Directive controls involve directing people to act in a particular way. Directive controls may include information, training, policies and procedures. Instructing employees to wear personal protective equipment, communication, incentives, emergency procedures and other policies and procedures are all examples of directive control. Directive controls are considered to be one of the weakest control measures however they usually form part of a combined approach with the other forms of control (Hopkin, 2017).
  • The last type of risk control is detective control. Detective controls can only be used after a risk has occurred. The purpose of detective controls is to identify the number of times a risk has occurred. These measures can then be used to identify and prevent risks in the future. Detective controls may include stock take, bank reconciliation, medical records, complaints or incident reports (Hopkin, 2017).
Read

Reading E: Risk Controlling

With measurement and control of the most important financial and performance risks, the groundwork is laid for merging the risks together into a company-wide overall concept. Reading E looks at the various preliminary considerations that are necessary with regard to the organisation of risk management in a company.


“Risk transfer is one of the main risk responses available in relation to hazard risks. This transfer normally takes place by way of insurance, and it is often described as risk financing. The fundamental principle of insurance is that the insurance company is contracted to pay a certain sum of money in the event of defined circumstances arising or defined events occurring.”

(Hopkin, 2017)

There are three main categories of business insurance – mandatory insurance, balance sheet protection and employee benefit. There are several types of insurance which fall into these three categories.

Categories of business insurance
  • Mandatory insurance - mandatory, compulsory or legally required insurance is designed to compensate third parties for damage caused by the organisation. Mandatory insurance includes employer liability (also known as workers compensation), public liability, product liability, and professional indemnity.
  • Balance sheet protection - balance sheet or profit and loss protection is designed to compensate the organisation for lost profits caused by adverse events. Balance sheet protection may include business premises, business interruption, asset protection, motor vehicle, terrorism, and personnel insurance.
  • Employee benefit - employee benefit or protection of employee assets includes life insurance, health insurance and directors/officers liability. Benefits may include “life cover, critical illness cover, income protection, private medical costs, permanent health cover, personal accident and travel injury/losses” (Hopkin, 2017) as well as legal and compensation costs to directors or officers.

Insurance provides a number of benefits to the organisation such as indemnity against loss, reduced uncertainty, financial benefits, and access to additional services. However, there are some downsides to insurance that organisations should consider before making a final decision. Oftentimes it can be difficult to put a precise figure on or prove how much damage has been caused. Settlement of insurance claims can also take months or even years to complete after the initial claim. Finally, disagreements can arise between the insurer and the organisation over the terms and conditions of the policy and the extent of cover purchased (Hopkin, 2017).

When purchasing business insurance, it can be difficult to decide how much or what type of insurance to purchase. The table below, adapted from Hopkin (2017), lists common features of an organisation and the type of insurance used to protect them.

| Feature of the Organisation | Type of Insurance |
| --- | --- |
| Business has employees | Employers’ liability |
| Employees travel outside the country | Business travel |
| Members of the public could be affected | Public liability |
| Business supplies products or components | Product liability/recall |
| Business provides professional advice | Professional indemnity |
| Theft or dishonesty by employees could occur | Fidelity guarantee |
| Business occupies business premises | Premises insurance |
| Premises has machinery or other stock | Contents cover |
| Business depends on machinery or computers | Engineering insurance |
| Business could be disrupted by fire, flood, etc | Business interruption |
| Business is involved in transporting goods | Goods in transit |
| Business has motor vehicles on public roads | Motor vehicle |
| Business provides life benefits to employees | Life and health |
| Certain staff are key to operation of business | Key person |
| Business would suffer in event of a bad debt | Trade credit |
| Business has directors and/or officers | D&O liability |

Reflect

Consider your current employer, an organisation you have worked for in the past, or any well-known organisation you can think of.

Using the list above try to identify all the features of that organisation and the kinds of insurance they would require.

Read

Reading F: Potential Pitfalls and How to Overcome Them

Reading F deals with the practical problems and challenges that people face when making risk management work. Every pitfall described in this reading has come from a real, current risk practitioner – someone who has shared with the other their concerns and frustrations about making risk management work.

The insurance market in Australia is generally divided into life insurance and non-life insurance products. The non-life insurance market in Australia is made up of a relatively small number of corporations, each with their own portfolio of insurance brands. The largest, Insurance Australia Group, owns brands such as NRMA, SGIC, SGIO, RACV, The Buzz and Swann. The second largest corporation, Suncorp Insurance Group, is made up of the brands AAMI, GIO, Suncorp, Vero, APIA and Shannons. Together these two corporations make up almost half of the non-life insurance market. The next three largest Australian insurers are QBE, RACQ and the Commonwealth Bank-owned CommInsure. Of the foreign groups operating in the Australian insurance market, the five largest are Allianz, Zurich, Chartis, ACE and Chubb (Business Monitor International 2014).

We will now return to the case study in which Wendy, the production manager of a small manufacturing business, selects the most appropriate risk response and risk control technique for the various risks in her department.

Case Study

Stella Shoes

The operations manager of Stella Shoes, Wendy Olsen, recently identified and analysed a number of risks in her department. Next, she used the matrix in this section to select a generic risk response and control technique based on the relative priority of each risk. Her final decision was based on a number of other factors such as the importance of the process to the organisation, the costs and benefits of each control, and legal requirements for risk control. Her results for the highest priority risks can be seen in the table below.

| Risk | Priority | Response | Control |
| --- | --- | --- | --- |
| Burns | High | Treat/Transfer | Smoke alarms and extinguishers; Policies and procedures; Incident reports; Insurance |
| Broken bones | High | Treat/Transfer | Personal protective equipment; Policies and procedures; Lifting equipment; Incident reports; Guardrails; Insurance |
| Lacerations | High | Treat/Transfer | Personal protective equipment; Policies and procedures; Physical barriers; Guard rails; Insurance |
| Fire | High | Treat/Transfer | Smoke alarms and extinguishers; Policies and procedures; Incident reports; Insurance |

Another kind of risk treatment is an adjustment made to accommodate employees with disabilities. Occasionally it may be necessary to make certain adjustments in the workplace to accommodate workers with a disability. Adjustments may need to be made to the selection process, work environment, job design, equipment technology, or training. Adjustments may include but are not limited to:

  • Raising or lowering benches
  • Rearranging furniture
  • Installing ramps
  • Allowing a support person to attend interviews
  • Providing a sign language interpreter
  • Providing voice to text software
  • Flexible working arrangements
  • Adjusting role descriptions

Each person’s needs are different, and employees should be consulted before any adjustments are made to the workplace. The Australian Government provides financial assistance to organisations that employ people with a disability in the form of the Employment Assistance Fund. The fund helps organisations pay for a variety of workplace modifications, additional equipment, and services (Australian Government, 2022).


An action plan is a document that outlines the specific steps which need to be taken in order to implement risk treatments. A risk management action plan should include:

  • What actions are required
  • Who is responsible for each action
  • When each action should be completed
  • How progress will be monitored

An action plan should be developed for each risk that falls above the level of tolerance for the organisation. The length and complexity of the action plan will depend on the relative priority of the risk being addressed. Action plans should be developed in consultation with relevant stakeholders such as managers and supervisors, relevant employees and risk management specialists.

When developing an action plan, it may be worthwhile to first develop a standard template and glossary of terms. As you may have already noticed there is much debate and confusion in the field of risk management over terminology and many common terms can have two or more different interpretations. Developing a standard format and terminology for risk action plans makes them easier to develop, monitor, evaluate, and implement.

We will again return to the case study to see how Wendy develops an action plan for implementing risk treatment.

Case Study

Stella Shoes

The operations manager of Stella Shoes, Wendy Olsen, recently determined and selected the most appropriate option for treating a number of risks in her department. Next, she developed an action plan for each identified risk. Her action plan for burn risks can be seen in the table below.

| Action | Responsibility | Completion | Monitoring |
| --- | --- | --- | --- |
| Employers liability | W. Olsen | Immediately | Review policy |
| Update liability | W. Olsen | Annually | Review policy |
| Policies & procedures | W. Olsen | Within 2 weeks | Review annually |
| Staff training | W. Olsen | Within 1 month | Update annually |
| Install Alarms | W. Olsen | Within 2 weeks | Inspect regularly |
| Install extinguishers | W. Olsen | Within 2 weeks | Inspect regularly |
| Incident reports | W. Olsen | When needed | Review annually |

Developing Actions to Mitigate Risks

Once you have identified, assessed and prioritised the risks facing your coaching business, you will then need to develop actions to mitigate those risks. These actions are called risk controls and can be classified into four different categories known as preventative, corrective, directive, and detective controls:

  • Preventative controls. Preventative controls, as the name suggests, are designed to prevent, eliminate, substitute or remove a risk before it occurs. Common preventative controls that you should be familiar with and have come across in your own life include guard rails, physical barriers, lifting equipment or harnesses. They may also include passwords, separation of duties and adequate training. Preventative controls can also involve substituting a risk with a lesser risk, for example using safer cleaning products. Preventative controls remove or reduce the possibility of a risk occurring however they sometimes cause a significant cost to the organisation in time, manpower, resources or productivity. Each business has to find a balance between the costs of preventative controls and the benefits in terms of risk reduction.
  • Corrective controls. Corrective controls seek to reduce the impact if and when a risk occurs. Helmets, airbags, seatbelts, smoke alarms, sprinklers and security alarms are all examples of corrective controls because they seek to reduce the impact of the risk after it has occurred. Some experts include insurance in corrective controls however for the purpose of this unit we shall discuss insurance separately. As with preventative controls there is much debate as to whether the costs of corrective controls outweigh the benefits, however each business will need to determine that for themselves, especially given that many corrective controls are legally required.
  • Directive controls. Directive controls involve directing people to act in a particular way. Directive controls may include information, training, policies and procedures. Instructing employees to wear personal protective equipment, communication, incentives, emergency procedures and other policies and procedures are all examples of directive control. Directive controls are considered to be one of the weakest control measures; however, they usually form part of a combined approach with the other forms of control.
  • Detective controls. The last type of risk control is detective control. Detective controls can only be used after a risk has occurred. The purpose of detective controls is to identify the number of times a risk has occurred. These measures can then be used to identify and prevent risks in the future. Detective controls may include stock take, bank reconciliation, complaints procedures or incident reports.

On top of the control measures, you might also need to work out the following to help treat the risk:

  • A timeframe for each control measure
  • The individuals responsible for specific parts of each control measure
  • Resources required to implement the control measure such as financial resources, human resources, and external help, if necessary
  • Future action such as regular checks and updating of risks, if necessary

In addition, not all risks need to be treated as soon as possible, and some do not require treatment at all. As the business owner, you have to understand that risk management is not only about identifying and treating risks; you also have to learn which risks you can accept and when to accept them. As mentioned, some specific risks may bring potential opportunities or benefits to your business. Other reasons that might prompt you to accept a risk include the cost of treatment being much higher than the potential consequences of the risk, and the benefit of taking the risk far outweighing the possible damage (Business Australia, n.d.).

Risk management processes are often more keenly associated with big businesses than small businesses. At this stage in your business planning, you may find some of these risk management concepts and procedures confusing, or not see how they relate to a small business such as the one you plan on running. However, it is important to remember that small businesses should also engage in risk management. If you are finding the above process confusing, remember that it essentially boils down to using your knowledge and common sense to identify likely risks that your business may face and coming up with sensible solutions for managing these risks.


Once risk management processes have been developed, they need to be communicated to all relevant stakeholders. Risk management communication is important because it provides assurance to stakeholders, enhances organisational decision making, facilitates risk management training, and can be used to improve the risk management process. When developing risk management communications, risk professionals should consider:

  • Who will receive risk information?
  • What information will they receive?
  • How will it be communicated?

Most stakeholders will receive some form of risk information. The type and amount of information they receive will vary depending on the stakeholder and their expectations. Some risk communication is mandatory – for example some industries or organisations may be required to undergo external auditing, submit performance reports to regulators, or keep detailed records.

There is a wide range of risk management information which may need to be developed and communicated to relevant stakeholders. Risk management information may include:

  • Risk management strategy
  • Risk management policies and procedures
  • Risk register
  • Action plans
  • Investigations
  • Performance reports
  • Incident reports
  • Business continuity plans
  • Risk management training
  • Risk management committees

The final consideration when preparing risk management communications is the method of communication. The method of communication will vary depending on the organisation; however, all risk management communication should be easily accessible and understandable by the relevant stakeholders. Risk management information intended for internal stakeholders can be uploaded to the staff intranet or emailed. If certain employees don’t regularly use a computer, risk management information should also be printed out and distributed or displayed in common areas around the workplace. Information for consumption by the general public or the media can be uploaded to the organisation’s website. Extra precautions however will need to be taken with confidential or classified information. As well as being easy to access, risk management information should also be easy to understand. Risk management information should be written in plain English avoiding jargon wherever possible. If certain stakeholders do not speak English, risk management information should be provided in other languages.

Ensure documentation is in order

All organisations should try to keep accurate and up to date records of risk management activities. Once risk management documentation is created it should be continuously reviewed and updated. Risk management documentation improves the decision-making process, provides information for managers, and provides confirmation for auditors that the risk management process is being carried out to an acceptable standard. One method of ensuring that documentation is up to date is by implementing document management procedures. Document management has several benefits including:

  • Increased efficiency
  • Information is easy to locate
  • Information can be easily shared
  • Less replication of documents
  • Less double handling
  • Consistency across documents and departments
  • Adherence to correct archival timeframes
  • Improved legal admissibility
  • Supports risk identification, analysis and treatment

Document management systems are used to collect, retain, and supply risk management information for the organisation. Document management systems can be paper based filing systems, documents held on a computer, or more comprehensive integrated systems such as a database of risk information, files or databases accessed via the organisation’s intranet or an integrated risk management information system (RMIS). Whichever method is used, the document management system should be integrated with the other systems of the organisation.


Each risk and its corresponding action plan should be assigned to a specific person who will take responsibility for ensuring that the action plan is successfully implemented. Action plans are made up of a number of individual tasks required to implement the chosen risk treatment. At any time, those tasks may be either not started, behind schedule, on schedule, ahead of schedule, or completed. It is the risk professional’s responsibility to monitor the progress of any action plans they develop or are responsible for in order to ensure they are implemented successfully.

It is a common mistake for risk professionals to assume that an action plan has been implemented once one or two of the steps have been started. In reality all the steps in an action plan need to be completed for an action plan to be fully implemented.

Evaluate Risk Management

It is important to remember that risk management is an ongoing process, as you can see from the diagram below. As such, the risk management process should be continuously evaluated.

Evaluate risk management

Evaluating risk management can lead to improved risk management processes by monitoring and evaluating risk management processes, identifying risks and their treatments, and promoting improved risk management processes throughout the organisation.

In the extract below, DeLoach (2022) suggests some important questions to consider when evaluating risk management:

  • What are the company’s top risks, how severe is their impact and how likely are they to occur?
  • How often does the company refresh its assessment of the top risks?
  • Who owns the top risks and is accountable for results, and to whom do they report?
  • Are there any organisational “blind spots” warranting attention?
  • Does the company understand the key assumptions underlying its strategy and align its competitive intelligence process to monitor external factors for changes that could alter those assumptions?
  • Does the company articulate its risk appetite and define risk tolerances?
  • Does the company’s risk reporting provide management and the board information they need about the top risks and how they are managed?
  • Is the company prepared to respond to extreme events?
  • Does the board have the requisite skill sets to provide effective risk oversight?

(DeLoach, 2022)

This section of the module has focused on selecting and implementing risk treatments. In this section you have learned how to determine the most appropriate risk treatment, develop and implement an action plan, and communicate risk management processes and procedures. You also learned about the importance of risk management documentation and evaluating risk management.
