African Think Tank
Risk Management Framework & Manual
October 2007
Table of Contents
2. Overview of ATT Risk Management Process
2.5 Communication & Consultation
3. Maintaining and Reporting on Risk Assessments
4. Risk Management Worksheet Templates
4.1 Risk Assessment Worksheet Template
4.2 Risk Treatment Worksheet Template
4.3 Risk Rating Matrix Template
List of Figures
Figure 1: Risk Management Key Elements
Figure 2: ATT Risk Assessment Matrix
Figure 3: ATT Risk Management Framework
Figure 4: Risk Management Process Flow Chart
Risk: The chance of something happening that will have an impact on objectives. Risk is often specified in terms of an event or circumstance and the consequences that may flow from it. Risk is measured in terms of a combination of the consequences of an event and their likelihood. Risk may have a positive or negative impact.
Residual risk: Risk remaining after implementation of risk treatment.
Risk analysis: The systematic process to understand the nature of and to deduce the level of risk. Risk analysis provides the basis for risk evaluation and decisions about risk treatment.
Risk assessment: The overall process of risk identification, risk analysis and risk evaluation.
Risk avoidance: A decision not to become involved in, or to withdraw from, a risk situation.
Risk criteria: Terms of reference by which the significance of risk is assessed. Risk criteria can include associated cost and benefits, legal and statutory requirements, socioeconomic and environmental aspects, the concerns of stakeholders, priorities and other inputs to the assessment.
Risk evaluation: Process of comparing the level of risk against risk criteria. Risk evaluation assists in decisions about risk treatment.
Risk identification: The process of determining what, where, when, why and how something could happen.
Risk management: The culture, processes and structures that are directed towards realizing potential opportunities whilst managing adverse effects.
Risk management process: The systematic application of management policies, procedures and practices to the tasks of: communicating; establishing the context; identifying; analysing; evaluating; treating; monitoring; and reviewing risk.
Risk management framework: The set of elements of an organization’s management system concerned with managing risk. Management system elements can include strategic planning, decision making, and other strategies, processes and practices for dealing with risk. The culture of an organization is reflected in its risk management system.
Risk reduction: Actions taken to lessen the likelihood, negative consequences, or both, associated with a risk.
Risk retention: Acceptance of the burden of loss, or benefit of gain, from a particular risk. Risk retention includes the acceptance of risks that have not been identified. The level of risk retained may depend on risk criteria.
Risk sharing: Sharing with another party the burden of loss, or benefit of gain from a particular risk. Legal or statutory requirements can limit, prohibit or mandate the sharing of some risks. Risk sharing can be carried out through insurance or other agreements. Risk sharing can create new risks or modify an existing risk.
Risk treatment: Process of selection and implementation of measures to modify risk. The term ‘risk treatment’ is sometimes used for the measures themselves. Risk treatment measures can include avoiding, modifying, sharing or retaining risk.
The African Think Tank, as a newly developing organisation, has established a risk management process utilising this Framework as developed by their contracted consultant. This Framework will be used in coming months to undertake a full risk management analysis of its current and planned future operations. This will include an analysis of how it will undertake the Department of Immigration Project should it be successful. This analysis will be presented to the ATT Board for approval. It has been developed with the future in mind, in terms of an anticipated expansion of the organisation and an increase in the range of services offered.
Delivering an effective approach to risk management is viewed by ATT as an important component of quality improvement which assists in creating and maintaining safe work environments and practices so that all staff are confident and empowered to achieve quality outcomes for consumers and the organisation. The Australia/New Zealand Standard (2004) identifies risk management as:
“…managing to achieve an appropriate balance between realising opportunities for gains while minimising losses. It is an integral part of good management practice and an essential element of good corporate governance.”
ATT acknowledges that effective risk management is embedded into an organisation’s daily life and culture and is reflected in philosophical statements, practices and business processes.
The ATT Risk Management Framework and Manual is for use by all those involved with ATT – Board, contracted staff, volunteers. It describes the Risk Management framework used at ATT including the risk management process and key elements.
2. Overview of ATT Risk Management Process
Based on the Australia/New Zealand Risk Management Standard (2004) the risk management process at ATT consists of the following five key elements:
- Establishing the Context.
- Identifying Risk.
- Analysing Risk.
- Evaluating Risk.
- Treating Risk.
Underpinning these elements are two further processes: communication and consultation; and monitoring and review. These ensure that all stakeholders are involved in the process of identifying, describing, analysing and evaluating risks and that the risk management system is consistently monitored and reviewed in line with quality improvement practices. Figure 1 (below) illustrates the risk management process:
Figure 1: Risk Management Key Elements



The risk register will be reviewed and the manual updated on a regular basis.
Risks are identified using a range of methods including (but not necessarily limited to) the following:
- Annual program planning and review
- Staff training
- Risk identification process
- Annual review of risks
- Research
- Complaints/feedback
- Client and staff surveys
- Document & site audits (internal and external)
- Hazard checking and incident reporting
The key questions that are asked in the process of identifying risks include:
- What, when, where, why and how are the risks likely to occur and who might be involved?
- What is the source and potential consequence of each risk?
- What are the external and internal obligations of the organisation?
- Is there a need for further research into the risk and/or is there scope for benchmarking with peer organisations?
- What is the reliability of the information?
Risk analysis helps all staff to develop an appropriate and informed understanding of the risks that they face in their daily work practice and how these risks should be managed. The analysis of risk provides input to decisions on whether risks need to be treated and the most appropriate and cost-effective risk treatment strategies. Risk analysis involves consideration of the sources of risk, their positive and negative consequences and the likelihood that those consequences may occur. Factors that affect consequences and likelihood are also identified.
Risk is analysed by combining consequences and their likelihood. In some cases similar risks are combined or low-impact risks are excluded from the detailed list. However all excluded risks are listed separately to demonstrate the completeness of the risk analysis. The risk assessment matrix illustrated in figure 3 (below) outlines how identified risks are analysed and rated.
Figure 2: ATT Risk Assessment Matrix
| Likelihood \ Consequence | Insignificant (1) | Minor (2) | Moderate (3) | Major (4) | Catastrophic (5) |
|---|---|---|---|---|---|
| Rare (1) | Low | Low | Low | Medium | Medium |
| Unlikely (2) | Low | Low | Medium | Medium | High |
| Possible (3) | Low | Medium | Medium | High | High |
| Likely (4) | Low | Medium | High | High | Extreme |
| Almost certain (5) | Medium | High | High | Extreme | Extreme |
Conducting the risk analysis involves the use of the ATT Risk Assessment Worksheet which identifies the key questions to be answered within each step of the process for evaluating all identified risks:
| Issue / Identified Risk | Risk analysis – Describe likelihood | Assess Adequacy of Existing Controls | Risk analysis – Describe consequences | Risk rating (L/M/H/E) | Risk Evaluation (accept / treat / eliminate) |
|---|---|---|---|---|---|
| Name of the actual risk: What can happen? How can it happen? | Assess Likelihood: Rare=1; Unlikely=2; Possible=3; Likely=4; Almost Certain=5 | Identify Existing Controls & Assess Adequacy: Totally Inadequate=1; Mostly Inadequate=2; Marginally adequate=3; Adequate to deal with risk=4 | Describe likely consequences: Insignificant=1; Minor=2; Moderate=3; Major=4; Catastrophic=5 | Assess overall risk rating: Low=1; Medium=2; High=3; Extreme=4 | Identify options: Accept the risk & manage the consequences=1; Treat the risk & document outcomes=2; Eliminate the risk/stop the activity=3 |
After completing the Risk Assessment Worksheet and allocating an appropriate rating to each identified risk (using the risk assessment matrix), a choice is then made to either:
- Accept the risk and manage the consequences;
- Treat the risk and use the Clinical Risk Treatment pro-forma to document actions arising; or
- Eliminate the risk and stop the activity.
Decisions take account of the wider context of the risk and include consideration of the tolerability of the risks borne by parties other than the organization itself. In some circumstances, the risk evaluation may lead to a decision to undertake further analysis.
Risk treatment involves identifying the range of options for treating risks, assessing these options and the preparation and implementation of treatment plans. The ATT Risk Treatment Worksheet is used to determine these outcomes including the actions and progress taken to treat risks, designated personnel who are responsible for the action/s, completion and review dates.
| Issue / Identified Risk | Risk Treatment | Action / progress | Person responsible | Date Completed | Review date |
|---|---|---|---|---|---|
| Name of the actual risk | Based on the outcomes of the Risk Evaluation, decide to accept, treat or eliminate the risk | What will be done to treat or eliminate the risk? | Whose responsibility is it to undertake this action? | When was the agreed action completed? | When will the outcomes be reviewed? |
Treating risks with positive outcomes
Treatment options for risks having positive outcomes (opportunities) which are not necessarily mutually exclusive or appropriate in all circumstances include:
- Actively seeking an opportunity by deciding to start or continue with an activity likely to create or maintain it (where this is practicable). Inappropriate pursuit of opportunities without consideration of potential negative outcomes may compromise other opportunities as well as resulting in unnecessary loss.
- Changing the likelihood of the opportunity, to enhance the likelihood of beneficial outcomes.
- Changing the consequences, to increase the extent of the gains.
- Sharing the opportunity involves another party or parties bearing or sharing some part of the positive outcomes of the risk, usually by providing additional capabilities or resources that increase the likelihood of the opportunity arising or the extent of the gains if it does. Mechanisms include the use of contracts and organizational structures such as partnerships and joint venture arrangements. Sharing the positive outcomes usually involves sharing some of the costs involved in acquiring them. Sharing arrangements often introduce new risks, in that the other party or parties may not deliver the desired capabilities or resources effectively.
- Retaining the residual opportunity so that after opportunities have been changed or shared, any residual opportunities are retained without any specific immediate action being required.
Treating risks with negative outcomes
Treatment options for risks having negative outcomes are similar in concept to those for treating risks with positive outcomes, although the interpretation and implications are clearly different. Options include:
- Avoiding the risk by deciding not to start or continue with the activity that gives rise to the risk (where this is practicable). Risk avoidance can occur inappropriately if individuals or organizations are unnecessarily risk-averse. Inappropriate risk avoidance may increase the significance of other risks or may lead to the loss of opportunities for gain.
- Changing the likelihood of the risk, to reduce the likelihood of the negative outcomes.
- Changing the consequences, to reduce the extent of the losses. This includes pre-event measures such as reduction in inventory or protective devices and post-event responses such as continuity plans.
- Sharing the risk involves another party or parties bearing or sharing some part of the risk, preferably by mutual consent. Mechanisms include the use of contracts, insurance arrangements and organizational structures such as partnerships and joint ventures to spread responsibility and liability. Generally there is some financial cost or benefit associated with sharing part of the risk with another organization, such as the premium paid for insurance. Where risks are shared in whole or in part, the organization transferring the risk has acquired a new risk, in that the organization to which the risk has been transferred may not manage the risk effectively.
- Retaining the risk so that after risks have been changed or shared the residual risks are retained. Risks can also be retained by default, e.g. when there is a failure to identify or appropriately share or otherwise treat risks.
2.5 Communication & Consultation
Communication and consultation are important components throughout each step of the risk management process. This involves an ongoing consultation process with all those involved at ATT, who in turn implement the risk management process in their program/service area. This approach aims to ensure that those responsible for implementing risk management, as well as those with a vested interest, understand the basis on which decisions are made, why particular actions are required and participate in the decision making process.
A consultative team approach is used to ensure that all possible risks are identified effectively and clearly. This also assists the analysis process by bringing different areas of expertise together so that a range of professional perspectives are considered in decision making. Risks that have been identified as ‘common’ and which cross over a range of operational areas are considered in the context of the whole organisation. While many of these also have common treatment options, some need the development of additional actions to address specific risks that relate to particular program and/or service areas.
Factors that affect the likelihood and consequences of risks, as well as treatment options that affect the suitability or cost of the required actions, are reviewed regularly and in the context of broader organisational and program planning activities. Progress against all identified risks and their associated treatment plans is a required component of each Risk Treatment Worksheet. The Board oversees the implementation and maintenance of the risk management process, actions and outcomes in each program/service area. The ATT Risk Management Framework and Manual documents this process and the Risk Register provides all necessary details of risk in each operational area and the subsequent outcomes of actions and treatment plans.
Figure 3: ATT Risk Management Framework



3. Maintaining and Reporting on Risk Assessments
The 2007 Risk Register will mark the first in-depth summary of risk management presented to the Board of ATT.
Figure 4: Risk Management Process Flow Chart
4. Risk Management Worksheet Templates
4.1 Risk Assessment Worksheet Template
| Issue / Identified Risk | Risk analysis – Describe likelihood | Assess Adequacy of Existing Controls | Risk analysis – Describe consequences | Risk rating (L/M/H/E) | Risk Evaluation (accept / treat / eliminate) |
|---|---|---|---|---|---|
| Name of the actual risk: What can happen? How can it happen? | Assess Likelihood: Rare=1; Unlikely=2; Possible=3; Likely=4; Almost Certain=5 | Identify Existing Controls & Assess Adequacy: Totally Inadequate=1; Mostly Inadequate=2; Marginally adequate=3; Adequate to deal with risk=4 | Describe likely consequences: Insignificant=1; Minor=2; Moderate=3; Major=4; Catastrophic=5 | Assess overall risk rating: Low=1; Medium=2; High=3; Extreme=4 | Identify options: Accept the risk & manage the consequences=1; Treat the risk & document outcomes=2; Eliminate the risk/stop the activity=3 |
4.2 Risk Treatment Worksheet Template
| Issue / Identified Risk | Risk Treatment | Action / progress | Person responsible | Date Completed | Review date |
|---|---|---|---|---|---|
| Name of the actual risk | Based on the outcomes of the Risk Evaluation, decide to accept, treat or eliminate the risk | What will be done to treat or eliminate the risk? | Whose responsibility is it to undertake this action? | When was the agreed action completed? | When will the outcomes be reviewed? |
4.3 Risk Rating Matrix Template
| Likelihood \ Consequence | Insignificant (1) | Minor (2) | Moderate (3) | Major (4) | Catastrophic (5) |
|---|---|---|---|---|---|
| Rare (1) | Low | Low | Low | Medium | Medium |
| Unlikely (2) | Low | Low | Medium | Medium | High |
| Possible (3) | Low | Medium | Medium | High | High |
| Likely (4) | Low | Medium | High | High | Extreme |
| Almost certain (5) | Medium | High | High | Extreme | Extreme |