Office of the Vice-Chancellor
Risk Management 'Getting Started Guide'

The Risk Management & Audit Office, in consultation with the broader ANU community, has prepared a risk management assessment tool to assist ANU staff in undertaking a qualitative risk assessment. It is predicated on the basis that the analyst is applying the Australian & NZ Risk Management Standard 4360:2004, but needs practical guidance on documenting the analysis. Note that further helpful information is contained in the Risk Management Guidelines – Companion to AS/NZS 4360:2004, also available through ANU’s online library.

The Example Risk Tool - Qualitative Assessment is based on a Microsoft Excel workbook so that, once tolerance levels have been established, risk rankings are automatically applied. However, the principles can be applied irrespective of the medium used to document the analysis (e.g. Microsoft Word, whiteboard, paper). Note the workbook should never be used as a substitute for a written risk report. It is designed only to aid the analysis and evaluation of risks.

Step 1: Review the consequence levels appropriate to the context of the risk analysis. In particular, note the financial criteria and change as required.

Step 2: Review the likelihood criteria. Change these as required. Utilise probability percentages to calculate the likelihood of single events and frequency when analysing multiple events. The workbook allows you to choose from either type when you undertake the risk assessment.

Step 3: Based on the likelihood and consequence criteria you have developed, you now want to define your risk classes and your risk tolerance level specific to your context. Where:-
Articulate your tolerance levels based on the associated likelihood and consequence criteria that you have specified, so that you are clear in your mind (and for use in your report) as to what risks are considered acceptable and what you consider unacceptable. Examples are provided in the draft worksheet.

NOTE: some tolerance levels (e.g. with respect to OHS) are prescribed by legislation. If you are unsure, seek expert advice.

Step 4: Now that you have identified on what basis you are going to prioritise risks and identify those that you consider unacceptable, define what action should be taken and who within the ANU should be notified of them. Consider relevant delegations!

Step 5: You need to be able to take existing or proposed controls into account when assessing risks. Controls will impact on the likelihood of an event occurring or the consequence if it occurs. You may wish to assess controls individually or as a suite of controls. There are many tools that help you analyse the effect controls have on identified risks. The workbook provides a simple example where a suite of controls relevant to a particular risk is ranked based on its effectiveness. This is referred to as Risk Control Effectiveness (RCE). Determine if this is suitable for your context. Do you need a more sophisticated approach?

NOTE - Steps 1 to 5 simply document the criteria on which identified risks will be prioritised. Commonly these steps are skipped, resulting in analysis based on tolerance levels that have no relevance to a particular context.

Step 6: To aid the risk analyst, the next worksheet in the workbook poses three focusing questions to assist the analyst (and/or team) in identifying relevant risks:
The term “challenges” is used rather than “risks”, to align the identification discussions more easily with our everyday conversations. This approach may be useful; however, more sophisticated risk identification techniques, such as those listed below, should be applied depending on the context.

Different risk identification techniques[1]:
Step 8: The columns leading up to Step 8 then allow the analyst, preferably through a facilitated multidisciplinary workshop (relevant to the context), to assess the inherent values of likelihood and consequence by excluding any impact of organisational controls. That is, controls which the ANU directs should be excluded. Simply stated, this is an assessment of risk as it is initially faced by the ANU before it has attempted any mitigation.

Step 9: The columns leading up to Step 8 then allow the analyst to identify relevant controls, focusing on whether these are the right controls (i.e. how appropriate are they?) and how well they are working (how effective are they?). Based on an assessment of this suite of controls (refer step 5), the risk ranking can be revised and is considered as the residual risk faced by the ANU.

Step 10: For those risks outside of the nominated risk tolerance levels (refer step 4), further treatments should be considered. To validate any proposed recommendations, the envisaged controls should be assessed and the estimated residual risk evaluated. This is what the final columns in the worksheet document. Clearly, if the risk level remains unchanged then the proposed mitigations should be reviewed.
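The ranking logic described in Steps 1 to 10, as an added example that is not the ANU workbook or ANU's own code: it ranks each risk inherently, re-ranks it after the control suite's RCE is applied, and checks the residual class against the tolerance level. The scales, score cut-offs, tolerance level, notification roles, the rule that RCE lowers a rating by a fixed number of levels, and the register entries are all constructed assumptions.

```python
# Constructed scales and cut-offs for illustration; not values from the ANU workbook.
CONSEQUENCE = ["Insignificant", "Minor", "Moderate", "Major", "Severe"]    # Step 1
LIKELIHOOD = ["Rare", "Unlikely", "Possible", "Likely", "Almost certain"]  # Step 2
CLASSES = [(4, "Low"), (9, "Medium"), (16, "High"), (25, "Extreme")]       # Step 3: score ceilings
ORDER = [name for _, name in CLASSES]
TOLERANCE = "Medium"                                                       # Step 3: highest acceptable class
NOTIFY = {"Low": "local manager", "Medium": "area head",                   # Step 4 (hypothetical roles)
          "High": "senior executive", "Extreme": "governing body"}
RCE_STEPS = {"Ineffective": 0, "Partially effective": 1, "Effective": 2}   # Step 5: levels removed (assumed)


def rank(likelihood, consequence):
    """Map a likelihood/consequence pair to a risk class via a 5x5 score."""
    score = (LIKELIHOOD.index(likelihood) + 1) * (CONSEQUENCE.index(consequence) + 1)
    return next(name for ceiling, name in CLASSES if score <= ceiling)


def apply_controls(likelihood, consequence, rce, acts_on):
    """Lower the dimension the control suite acts on by the RCE step count."""
    scale = LIKELIHOOD if acts_on == "likelihood" else CONSEQUENCE
    current = likelihood if acts_on == "likelihood" else consequence
    lowered = scale[max(0, scale.index(current) - RCE_STEPS[rce])]
    return (lowered, consequence) if acts_on == "likelihood" else (likelihood, lowered)


def assess(risk):
    """Steps 8-10: inherent rank, residual rank, then check against tolerance."""
    inherent = rank(risk["likelihood"], risk["consequence"])
    residual = rank(*apply_controls(risk["likelihood"], risk["consequence"],
                                    risk["rce"], risk["acts_on"]))
    outside = ORDER.index(residual) > ORDER.index(TOLERANCE)
    return {"name": risk["name"], "inherent": inherent, "residual": residual,
            "needs_treatment": outside, "notify": NOTIFY[residual],
            "controls_changed_rank": inherent != residual}


# Constructed register entries.
REGISTER = [
    {"name": "Loss of research data", "likelihood": "Likely", "consequence": "Major",
     "rce": "Effective", "acts_on": "likelihood"},
    {"name": "Staff account compromise", "likelihood": "Possible", "consequence": "Severe",
     "rce": "Ineffective", "acts_on": "consequence"},
]

if __name__ == "__main__":
    for entry in REGISTER:
        print(assess(entry))
```

The second entry stays at its inherent class because its controls are rated ineffective, which is the Step 10 signal that the mitigations need review.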