Establishing Risk Context

Submitted by coleen.yan@edd… on Tue, 08/08/2023 - 15:29

In this section you will learn to:

  • Evaluate organisational processes, procedures and requirements and determine scope for risk management process
  • Review strengths and weaknesses of existing arrangements
  • Document critical success factors, goals and objectives for area included in scope

Supplementary materials relevant to this section:

  • Reading A: Fundamentals of Risk Management
  • Reading B: Scope, Context and Criteria for Risk Management

Before we begin, it is important that you understand what risks are and what types of risk are part of doing business. Finding ways to minimise risk, or to lessen its impact if it is realised, ensures business continuity. Business risks are factors that threaten your business's ability to operate, leading it to lose profits or fail.

When identifying and managing risks, consider:

  • the possible causes and impacts
  • how these risks affect your business objectives
  • how they could be recorded in a risk management plan
  • steps you could take to minimise the risk or the impact.

By considering potential risks and impacts well in advance, procedures can be developed without the added pressure of trying to manage the risk in the moment.

(Business Queensland, 2022)


Understanding potential risks and their impact is achieved through analysis and planning.

Types of business risk include:

  • direct risk — a threat to the business that is within your control
  • indirect risk — a threat to the business that is out of your control
  • internal risk — risks you have the power to prevent or mitigate within the business
  • external risk — risks you have no control over.

Let’s take a look at risks and their potential impact on the business; the overview below sets out each risk, its type and its potential impact on business objectives.

Risk (type of risk) and potential impact on business objectives:

Natural disasters (external; direct or indirect)
  • Unable to trade
  • Premises closed
  • Cost of time for cleaning up and rebuilding
  • Customers cannot get through

Pandemic (external; direct)
  • Suppliers cannot provide stock
  • Staff unable to work
  • Cleaning and restocking time and costs
  • Customer behaviour changes
  • Loss of livestock

Global events (external; direct or indirect)
  • Cannot get stock through normal import/export channels
  • Need to change suppliers or find other markets

Regulatory and government policy changes (external; direct or indirect)
  • New policies and procedures to implement
  • Changes in trading
  • Changes in taxation and financial obligations
  • Changes in environmental allowances (e.g. water allocations, waste management)

Work health and safety (internal; direct)
  • Hazards and injuries to staff
  • Failure to provide a safe workplace

Environment (internal; direct or indirect)
  • Climate change
  • Chemical spills and failing to protect the environment
  • Consumer trends towards desiring sustainability

Utilities disruption (external; direct)
  • Electrical, gas and water disruption to the business premises
  • Access to business premises disrupted, including parking, deliveries and pedestrian traffic

Legal (internal; direct)
  • Contractual problems
  • Failing to meet legislation or regulations, or to obtain licences and permits
  • Disputes

Crime (external or internal; direct)
  • Robbery
  • Shoplifting
  • Fraud causing loss of equipment, stock and cash flow
  • Vandalism causing cost of time to replace and repair

Human resources (internal; direct)
  • Difficulty in finding new staff
  • Bullying and harassment
  • Staff not well trained, leading to mistakes and poor customer service

Market, economic and financial (external or internal; direct or indirect)
  • Difficulty in finding new staff
  • Bullying and harassment
  • Staff not well trained, leading to mistakes and poor customer service

Self-reflection

Think about some of the risks in your personal and work/study life.

  • Have you deliberately taken any risks that have been a success?
  • Have you taken any risks that have caused you to fail?
  • Have you taken any steps to avoid or manage any of the risks you’ve thought about?

Before we begin, it is important to understand what risk management actually is. The following extract from Oliveira et al. (2021) provides an excellent definition of both risk and risk management.

“Risk can be defined as the effect of uncertainty on the objective of organisations. Uncertainty, in turn, is the probability of occurrence of an event and its consequences. Therefore, detecting, understanding and managing risks has directly contributed to the success of organisations by increasing their competitiveness, reducing losses and accidents. Risk management, on the other hand, enables organisations to achieve their objectives through assertive decision making based on information derived from existing data analysis.”

(Oliveira et al., 2021)


Risks can relate to, or arise from, a number of areas such as:

  • Commercial relationships
  • Economic circumstances and scenarios
  • Human behaviour
  • Individual activities
  • Legislation
  • Management activities and controls
  • Natural events
  • Political circumstances

According to the International Organisation for Standardisation (ISO), risk management is a process involving five stages:

  • Establishing the Context
  • Risk Identification
  • Risk Analysis
  • Risk Evaluation
  • Risk Treatment

The AS/NZS ISO 31000:2018 Risk Management – Guidelines details Australian standards on risk management processes. It outlines the general guidelines and principles that businesses should consider when developing risk management frameworks and programs.

Find out more...

AS/NZS ISO 31000:2018 provides guidelines on managing the risks faced by organisations. The application of these guidelines can be customised to any organisation and its context. It also provides a common approach to managing any type of risk and is not industry or sector specific. Feel free to have a read through the following document.

The following image adapted from AS/NZS ISO 31000:2018 Risk Management – Guidelines depicts the risk management process:

Risk management

This module will help you to better understand risk management and develop sound risk management processes within a business.


The first stage of risk management is to establish the context. To do so, we must first review the organisation’s existing arrangements for managing risk. Existing arrangements are the organisational processes, procedures and requirements put in place to manage and control risks (Hopkin 2017). Existing arrangements for undertaking risk management may include:

  • Organisational strategy
  • Goals and objectives
  • Operational plans
  • Projects
  • Organisational policies and procedures
  • Organisational structure
  • Accountability arrangements

The extract below is an example of one type of existing arrangement. The extract is taken from the New South Wales Department of Planning and Environment – Risk Management Policy which addresses the need for risk management as well as the importance of implementation, training and monitoring.

Risk Management Policy

This policy applies across all departmental operations and to all departmental staff, consultants and contractors. It also applies to the operations and staff, consultants and contractors of all department Cluster entities who have staff employed in or through the department.

Risk is the effect of uncertainty on our objectives. The Department of Planning and Environment (department) aims to create a positive organisational culture that promotes risk management as part of effective corporate governance which supports informed and well-judged decision making. Every function has a degree of risk, and the department recognises that identifying risks and managing them is critical to the achievement of our goals.

All department staff are responsible for contributing to an enterprise-wide risk management process by:

  • Understanding that risk management is a hands-on process. It is the recognition of risks, and the coordinated and economical application of resources to reduce the likelihood of them occurring or minimising their impact;
  • Identifying, reporting and/or managing risks in a timely manner;
  • Encouraging and supporting other staff in identifying, reporting and managing risks; and
  • Complying with the department’s policies and procedures designed to address particular types of risk.

This policy outlines the department’s approach to risk management and prescribes a minimum set of risk management standards for all business areas across the department Cluster.

(Department of Planning and Environment, 2022)

When reviewing existing arrangements, like the policy above, we should consider their respective strengths and weaknesses to determine which arrangements are adequate and which need to be updated. The best yardstick against which to review the strengths and weaknesses of existing risk management arrangements is AS/NZS ISO 31000:2018 Risk Management – Guidelines. As previously mentioned, this standard (developed by the International Organisation for Standardisation) is the risk management standard used in Australia, and it proposes the following core principles of risk management:

  • Creates value - Good risk management contributes to the achievement of an agency’s objectives through the continuous review of its processes and systems.
  • Integral part of organisational processes - Risk management needs to be integrated with an agency’s governance framework and become a part of its planning processes, at both the operational and strategic level.
  • Part of decision making - The process of risk management assists decision makers to make informed choices, identify priorities and select the most appropriate action.
  • Explicitly addresses uncertainty - By identifying potential risks, agencies can implement controls and treatments to maximise the chance of gain while minimising the chance of loss.
  • Systematic, structured and timely - The process of risk management should be consistent across an agency to ensure efficiency, consistency and the reliability of results.
  • Based on the best available information - To effectively manage risk it is important to understand and consider all available information relevant to an activity and to be aware that there may be limitations on that information. It is then important to understand how all this information informs the risk management process.
  • Tailored - An agency’s risk management framework needs to include its risk profile, as well as take into consideration its internal and external operating environment.
  • Takes human and cultural factors into account - Risk management needs to recognise the contribution that people and culture make to achieving an agency’s objectives.
  • Transparent and inclusive - Engaging stakeholders, both internal and external, throughout the risk management process recognises that communication and consultation are key to identifying, analysing and monitoring risk.
  • Dynamic, iterative and responsive to change - The process of managing risk needs to be flexible. The challenging environment we operate in requires agencies to consider the context for managing risk as well as continuing to identify new risks that emerge and make allowances for those risks that no longer exist.
  • Facilitates continual improvement and enhancement of the organisation - Agencies with a mature risk management culture are those that have invested resources over time and are able to demonstrate the continual achievement of their objectives.

(AS/NZS ISO 31000:2018)

Reflect

Think about the extract from the Department of Planning and Environment (NSW) risk management policy on the previous page and try to identify the strengths and weaknesses of the policy based on the ISO’s core principles of risk management.

Read

Reading A: Fundamentals of Risk Management

Reading A explores in detail the foundation and importance of risk management. It looks at an overview of the different types of risks and a process-oriented description of risk management.


The next step in establishing the risk context is to determine the scope of the risk management process. In other words, what will be included in risk management and what won’t. The scope of risk management may include:

  • A given project
  • A specific business unit or area
  • A specific function
  • The external environment
  • The internal environment
  • The whole organisation

Risk management can be applied to any of the above; however, for the purposes of this unit we will be using the term organisation throughout.

Reflect

Read over the extract from the Department of Planning and Environment (NSW) risk management policy on the previous page and try to determine the scope of risk management. In other words, what areas of the university does the risk management policy apply to?

Determine Goals and Critical Success Factors


Once the scope of risk management has been identified, you will then need to determine the goals and critical success factors of the area included in the scope. Goals are the things that an organisation would like to achieve. Many organisations use the SMART acronym for setting goals. SMART goals are specific, measurable, achievable, realistic and timed.

Critical success factors are the things inside or outside an organisation that must be present for it to achieve its goals. Critical success factors are sometimes also referred to as dependencies since the organisation depends on those factors to achieve its goals (Hopkin 2017). Critical success factors may include:

  • Legislation
  • Government regulation
  • Incentives
  • Market size
  • Labour supply
  • Wage levels
  • Inflation
  • New technology
  • Demographics
  • Safe work practices
  • Executive commitment
  • Operational efficiency
  • Sufficient resources
  • Performance measurement
  • Training
  • Quality control
  • Communication
  • Consultation
  • Benchmarking

Reflect

Think of one of your personal goals – it could be to save money, lose weight, quit smoking or any other goal. Now list the critical success factors that must be present in order for you to achieve that goal.

Identify Stakeholders


Stakeholders are any persons or groups who have a legitimate or perceived interest in an organisation. Stakeholders should be identified early because they are vital to the risk management process. You will need to consult and communicate with various stakeholders about the risk management process to gain their participation and support. Stakeholders can be internal or external and may include:

  • Employees
  • Unions
  • Functional teams
  • Business units
  • Management
  • Owners
  • Shareholders
  • Investors
  • Banks
  • Insurance providers
  • Technical experts
  • Local, state or federal government
  • Enforcement agencies
  • Environmental groups
  • Clients/customers
  • Suppliers
  • Neighbours
  • The community

Once all stakeholders have been identified, the next step is to determine what information they need and the best way to provide it. To determine what information to provide to a stakeholder, you first need to consider their expectations of the organisation. For example, employees expect to receive the highest wages possible, whereas shareholders expect an organisation to make as much profit as possible.

Reflect

In either your work or personal life, try to think of five people (or groups) who have a legitimate or perceived interest in what you do. Then try to determine what their expectations of you might be.

Any risk management activity requires the support and participation of senior management and other key stakeholders; without that support, any risk management effort is bound to fail. The following extract from Hopkin (2017) provides some excellent guidelines for communicating with stakeholders to gain support and invite participation.

  • Know the stakeholders, by identifying both external and internal stakeholders and finding out their interests and concerns
  • Simplify the language and presentation, although not the content if complex issues need to be communicated
  • Be objective in the information provided and differentiate between opinions and facts
  • Communicate clearly and honestly, taking account of the level of understanding of the audience
  • Deal with uncertainty and discuss situations where not all information is available and indicate what can be done to overcome these problems
  • Be cautious when putting risks in perspective, although comparing an unfamiliar risk with a familiar one can be helpful
  • Develop key messages that are clear, concise and to the point, with no more than three messages communicated at any one time
  • Be prepared to answer questions and agree to provide further information if it is not currently available

(Hopkin 2017)

Read

Reading B: Scope, Context and Criteria for Risk Management

Reading B explains how to present proposals for investing in risk management to senior managers as normal business decisions, based on robust estimates of the return on investment.


So far, we have dealt mostly with the internal context of risk management, but it is equally important to be aware of the external context. The external context of risk management includes the political, economic, social, legal and technological environments. Each of these areas will now be discussed in more detail.


Political context

The political context refers to the risks that could arise due to changes in policy or government. Political factors that could influence organisational risk management activities may include taxation, government funding, infrastructure or trade policy.

Economic context

The economic context refers to the risks that could arise due to changes to the global economy or the local market. Economic conditions which could impact on risk management activities may include economic growth and decline, consumer spending, interest rates, inflation or unemployment.

Social context

The social context refers to the risks that could arise due to societal changes. The social context of risk management may include demographics, population growth, an ageing population or social trends such as health consciousness.

Technological context

The technological context refers to the risks which could arise due to technological advancements. Technological factors which could influence risk management activities may include automation, research and development, and technological obsolescence.

Legal context

The legal context refers to the risks which could arise due to legislation or changes to legislation. Legislation that could affect risk management may include:

  • The Model Work Health and Safety Act 2022, which outlines the duties of care held by persons conducting a business or undertaking, officers, workers and other people in the workplace.
  • The Corporations Act 2001, administered by the Australian Securities and Investments Commission, which deals with the different types of companies, registering a company, meetings, shares and other company matters.
  • The Environment Protection and Biodiversity Conservation Act 1999, which was put in place to protect significant flora, fauna, ecologies and heritage. Each state also has its own environmental protection laws (Department of the Environment, n.d.).
  • The Freedom of Information Act 1982, which gives everyone the right to access government documents in order to promote accuracy, transparency and participation in the democratic process (Office of the Australian Information Commissioner, 2022).
  • The Fair Work Act 2009, which governs the employee–employer relationship in Australia. The Act sets out employees’ minimum entitlements in the 10 National Employment Standards. Employees can also be covered by an award, an agreement or a contract (Fair Work Ombudsman, 2023).
  • The Privacy Act 1988, which contains 13 Australian Privacy Principles. The Privacy Principles deal with the collection, management, use, disclosure, maintenance, security, access and anonymity of personal information (Office of the Australian Information Commissioner, 2022).

Reflect

Research legislation relevant to your workplace or industry of interest (such as allied health or other relevant health care industries).

This section of the module has focused on establishing the context for risk management. You have learned about the importance of reviewing existing arrangements for risk management, determining the scope of risk management and identifying the stakeholders of risk management. You also learned about the need to review the external environment including the political, economic, social, technological and legal context of risk.
