Standard Tools for
Risk Management
The basics: a practitioner's guide
First of all....What is Risk?
Quite simply, "risk" is the chance of something bad happening.
​
Other definitions which include the concept of "Positive Risk" (or "Opportunity" in earlier iterations) are generally unhelpful in this context, and require a different mindset and approach.
​
There are different forms of risk, e.g. Safety risk, financial impact, reputation risk, or risks which may affect the outcome of your project, in terms of delay, cost or outcomes.
​
In relation to safety risk, a "hazard" is a potential source of harm, e.g. a naked flame.
A "risk" requires a cause, with a likelihood (or probability) of leading to an adverse event, which may result in undesirable consequences.
In this example, the hazard of a naked flame becomes a cause, where the possibility of coming into contact with it (the event) may result in the consequence of an injury.
​
Taken together, the cause, event and consequence represent a risk.
​
Once identified, the risk needs to be assessed. What are the worst case consequences that may credibly occur, and how likely are they?
​
Consequence may be expressed as a range of outcomes, usually in a range of categories, e.g. financial impact, delay, reputation, injury.​​
The likelihood may be expressed in qualitative terms (e.g. "likely", "possible", "probable", etc) or quantitatively, e.g. "a 65% probability".
It may also be expressed as an expected frequency, e.g. once per day, once per month, once per year, etc.​
Risk Management is an Ongoing Cycle
There are many variations.
For other examples, try: risk management - Google Search and select "images"
​
​
We can use a Risk Matrix to assess risks
It's normally best to start with consequences: what's the worst than can conceivably happen?
Criteria for consequences need to be defined specifically for your business, organisation or project.
Likelihoods can be defined in qualitative terms, frequencies (e.g. once every 100 years) or as probabilities (e.g. 10%).
Examples are included in the template.
Normally, the initial assessment should be done with existing controls in place.
​
Again, there are many examples of the risk matrix. Try googling!
​
In the example shown above, the combination of likelihood and consequence gives you a risk level, or ranking: A, B, C or D.
​
The organisation or project must then have a set response to each level, depending on the type of risk, and the "risk appetite".
For example, in the case of safety-related risk, it might be as follows:
Having identified and assessed our risks, we need to think about controlling them.
For safety risks, the "Hierarchy of Controls" is useful.
Here's an example:
The aim is to eliminate the risk, or, if this is not possible, to reduce the risk to levels which are low, So Far As Is Reasonably Practicable (SFAIRP).
​
References:
1. NSW Work Health and Safety Act, Part 2, Subdivision 2, para. 18
2. Rail Safety National Law, Part 3, Division 1, para. 47.
How can we keep track of the risk management process?
Use a Risk Register
Here's an example:
Note: Filling in the risk register is not "mission accomplished"!
It's just a tool to keep track of what you're doing.
You can buy a copy of this template from this site for AUD $7.50. Click here
