Risk management plan template

This is the first step in a seven stage process of successfully tackling risk management in your organisation. The seven stages follow the Australian Standard for Risk Management (AS/NZS 4360:2004) published by Standards Australia.

The seven stages are:

This document is a guiding risk management plan template to assist you in creating your own risk management plan

Establishing a Context for Risk Management in Your Organisation
Communicating Risk Management to Your Organisation
Identifying Risks in Your Organisation
Analysing Risks in Your Organisation
Evaluating Risks in Your Organisation
Treating Risks in Your Organisation
Monitoring and Reviewing Risks in Your Organisation

Risk Management may sound daunting but, to a large extent, this is just plain common sense. In some organisations there may be varied services that are provided or several locations that we need to ensure are properly managed.

The task requires that you walk before you crawl; by following the process, it minimises the chance that you may miss something.

Remember that insurers are looking at the organisation’s level of risk and anything that we can do to minimise risk may lead to reduced premiums in the longer term.

To be able to recognise a risk it is important to know what a risk is. While some risks may apply to everyone, some will be specific to your organisation. To be able to identify and deal with risks, you need to establish a base from which to work.

This will involve taking into account your organisation’s objectives and capabilities as well as external factors, such as the changing legal environment and shifting social standards.

At the end of this step you should be able to detail your organisation’s objectives, determine who will have an impact or be affected by your risk management process, and set out a number of areas which can be allocated for attention. These can then be used to prioritize the order in which you attack the next task.

So how do you go about establishing a context for risk management This could be the job of a risk management committee or tackled in meetings and brainstorming sessions. If one person has been with the organisation for a long time or has a particularly good grasp of the way that your organisation functions, they may be able to answer the following questions and bring them to a risk management committee for discussion.

If you decide to hold a brainstorming session to identify risks in your organisation as the next step in forming a risk management strategy (which is a good idea, and is detailed on the Identifying Risks in Your Organisation Help Sheet), start by asking some questions about what your organisation does and why (ie put the risk management process in context).

Committee members could then have the task of fleshing out the finer details (such as legislation) and documenting them, but a session like this allows your organisation to clarify its position, ensures everyone is on the same wavelength and will set the scene for the brainstorm to follow.

The key point to gain from this step is to place risk management in the context of effort; a high risk organisation will have to exert more effort that one with a lower risk.

Questions to ask can be broken down into two areas:

1. The Organisational Context

Many people in your organisation should be able to assist with defining the organisational context – your organisation’s aims, activities, structure, employees and method of operation.

This document is a guiding risk management plan template to assist you in creating your own risk management plan

As way of beginning the process, the following questions may be asked;

What are the aims and objectives of your organisation
In addition to returning a profit, what social or community aims does the organisation have

What are your organisation’s core activities
Manufacturing and selling a product may be the main activity but don’t forget research, investment etc.

Who is involved with your organisation – both internally and externally

The list might be quite long and include employees, casual staff, contractors, suppliers, transport companies etc.

One way of getting a clearer picture of all the people involved in your organisation is to draw a simple diagram, starting with a small circle in the centre in which you can list the employees. In a larger circle are other people directly involved, such as sub-contractors.

The next circle contains the names of people or companies that have a significant stake in your activities such as advertising agencies, accountants etc. and so on. The circles gradually getting larger as you come up with people and organisations that are, to some degree, involved in, or affected by your enterprise.

What facilities do you have and/or use
This is an easier task but you should remember to include, car parks, leased storage and remote offices and work sites.

To establish a context for your risk management strategy, the answers to these questions will also help determine how you tackle the process; how is your organisation currently tackling risk management, either formally or informally

2. The Strategic Context

This is the environment in which your organisation operates, and to establish this may involve research.

Some questions you should look at are:

What relationships does your organisation have and how important are these
It is important for your organisation to recognise the relationships that it has established with other organisations and that are necessary for it to operate. For example, franchise agreements or manufacturing a product under licence.

What laws, regulations, rules or standards apply to your organisation

Apart from the normal business legislation, employment awards etc., there may be specific legislation and controls that govern the operation of your business. These may be environmental controls, privacy legislation or legal requirements for working with children or people at risk.

Liability

An organisation is liable when it is found to have breached a duty it owes by acting improperly or not acting. Financial penalties may attach to the liability.

A successful claim alleging negligence has to prove that:

A duty exists – An organisation cannot be found negligent unless it first had a duty to exercise care
The duty is breached – An organisation that does not meet its duty of care may be found negligent
An injury occurs – Negligence will not be found unless someone is hurt or something is damaged (physically, mentally or financially)
The breach of duty causes the injury – In order for an organisation to be found negligent, the injury must be tied directly to the entity’s breach of its own duty of care

If those four elements exist in a particular case, a court may hold your organisation liable for damages. Your failure to provide the requisite level of care required under the circumstances will have exposed your organisation to very serious consequences.

What, then is my duty, and what constitutes negligence Unfortunately, the answer is that it all depends on the circumstances of the matter or activity at hand. The required standard of care varies with the situation, the people involved, the nature of your work and the community in which the incident takes place. Non-profits serving children or other vulnerable populations must exercise a higher level of care than if the agency services adults.

A circus school teaching students to juggle with chain saws will have to meet a higher standard than a meditation class. As a general rule, take a pessimistic view; assume the standard is very tough, then add some. Ask yourself: “What’s the worst that can happen” “Have we got a risk management strategy in place”; “If I could foresee the future, would I be able to sleep tonight”

To establish a context in which to consider risks, your organisation must identify its duty of care, and accept it.

DISCLAIMER

While all care has been taken in the preparation of this material, no responsibility is accepted by the author(s), Cornstalk Software P/L or its staff, for any errors, omissions or inaccuracies. The material provided in this document has been prepared to provide general information only. It is not intended to be relied upon or be a substitute for legal or other professional advice.

No responsibility can be accepted by the author(s) or Cornstalk Software P/L for any known or unknown consequences that may result from reliance on any information provided in this publication.

Communicating risk management to your organisation

Overview

This is the second step in a seven-stage process of successfully tackling risk management in your organisation. Whilst this step is notional the second in the process it is, in fact, an ongoing step. In this regard you need to continually communicate throughout the process with your organisation and others who may be impacted.

Before embarking on the risk management process it is worth reviewing the reasons for doing this. Apart from the obvious answer of wanting to protect the members of your organisation from injury or death, there are valid reasons why we should all look at developing a risk management process. These must be clearly communicated to everyone in your organisation in order that they are aware of the reasons for the process.

Protect your organisation from legal liability

Putting a risk management strategy in place will help protect your organisation from claims that could cost it hundreds of thousands of dollars.

Lower Insurance premiums

If you can provide evidence that you are effectively implementing safe practices and have moved to deal with major risks, insurers will be more likely to provide cover and to do so at a more reasonable cost.

Improved perception of your organisation by employees and partners

Implementing risk management principles enhances your organisation’s capacity to present a professional image and enables it to promote and market itself as an organisation that has strong standards of conduct. It also assists your organisation to structure itself to run effectively and efficiently.

Better information for decision making

The process that is undertaken for identifying, assessing and evaluating risks will highlight requirements that your organisation should review and prioritise. By stepping through the process and continually reviewing these decisions over time you will enhance the capacity for management to make decisions based on facts rather then speculation.

Better asset management and maintenance

Setting up a risk management register will assist you to list the physical assets owned by your organisation. It also encourages staff to report any problem as soon as it becomes a danger. Maintaining equipment of a regular basis is cheaper than waiting until things are falling apart before getting them fixed, and is much more likely to prevent potential injury.

Communication

Good communication is essential for any effective risk management strategy. Managing risks involves everyone in your organisation, from the chairman of the board to the most junior member of staff.

Therefore, it is vital that everybody in your organisation understands what risk management is and why it is important, and that they are involved in developing and implementing a risk management strategy. Use the points outlined in the seven stages to inform everyone why you are undertaking a risk management review.

It is important to involve everybody from the beginning in order that they are not afraid of the process and do not feel that decisions are being imposed from above. At the same time, members of the organisation should understand that senior management have a commitment to effective risk management.

Implementing risk management may be a significant culture shift in your organisation because it will effect the way that it operates at every level; therefore, effective communication is vital throughout the process. Initially, you should inform your organisation about the nature of the risk management process and why you are doing it. As the process unfolds, you should keep the communication lines open at every step, as described below. You should let people know what direction you are heading, what steps you are taking, the progress of risk management treatment and obtain feedback at each stage of the process.

You should also develop systems to ensure good communication between different levels of the organisation, and also amongst people on any particular level. Some mechanisms for this should be formalised to ensure they occur.

There are many possible ways of communicating risk management to members of your organisation, apart from merely keeping the lines open on the subject all the time. To achieve this, you should use as many of the following methods as you consider necessary;

Forming a risk management committee

While good risk management is the job of everybody in your organisation, having a core group of people dedicated to the task is a good idea – just as you would form a committee to tackle other important issues. It is important that strong communication links are established between this group and senior management and the group should report at regular intervals. The size of a committee will depend on the size of your organisation. Committees should also use the other communication methods outlined below.

Meetings

These meetings give people the opportunity to ask questions and provide input into the process. Regular briefings, meetings and workshops may also keep people informed of what stage of the process your organisation is at, what is happening and if it is making satisfactory progress. The meetings are also an ideal opportunity to receive feedback. As part of the continual monitoring and review of the strategy, meetings will continue to play an important role after the risk management strategy is in place.

Brainstorming sessions

Brainstorming is one of the simplest but most effective methods of communicating within your organisation. Essentially it involves everyone in the group, working to produce any answers they can think of to a particular question; these may have many answers. The easiest way to brainstorm is to have someone in front of the meeting who writes everything down on a white board or sheets of butchers’ paper. In these situations, there are no wrong answers – write everything down.

A brainstorming session is an excellent communication tool because it makes everyone feel that they are involved and will draw upon your best resource: your personnel.

Brainstorming sessions are beneficial in identifying risks in your organisation, with everyone contributing their ideas. In the end, it is the people who take an active role in your organisation are in the best position to know what risks they face.

Newsletters and Bulletins

Not everyone may attend every meeting, therefore it is useful to put down on paper, a summary of what is happening in risk management in your organisation and distribute this as a newsletter through e-mail or in the mail and/or by pinning a bulletin on your notice board.

You should include the results of any brainstorming session and decisions made at meetings, so that everyone is kept informed of developments.

At the start of the risk management process it may be a good idea to send out a questionnaire to people in your organisation to discover what risks they perceive exist in your organisation’s activities.

Produce a resource for staff or those associated with your organisation.

A risk management guide is an excellent tool for everyone involved with your organisation, to make them aware of risk management issues. It can be used to define key terms so that everyone is working towards the same end and can also serve as a reference throughout the risk management process, for information and as a reference point to ensure people stay on track.

A guide such as this can also include a component that invites feedback from your personnel.

Where to Start

If your organisation does not have a risk management strategy in place, you should create one; beginning by making sure everybody in your group knows what it is and why you’re doing it. An initial meeting, brainstorming session or special newsletter, which may include a questionnaire, are good places to begin.

After attending this meeting or receiving the newsletter personnel should understand what risk management is about and why it is important.

Two of the common myths about risk management are:

Risk management is not an important issue, or “it doesn’t apply to us”
Risk management is too difficult, complicated or expensive

Risk management is a crucial issue that applies to every organisation, from multi-national corporations self employed practitioners.

Although the risk management process may be intimidating at first, there are two very simple reasons why it isn’t as bad as many people think.

Firstly, your organisation must run an operation that is safe; it is in everybody’s interest. Secondly, much of risk management is common sense; in fact, you are probably doing a lot of it already without even realising it.

Consider these questions:

Do you have smoke alarms or fire extinguishers in your building
Do you have policies covering bullying and harassment
Do you keep dangerous items and materials in a safe place
Do you fix or replace faulty electrical equipment

If you answered “yes” to any of those questions, you are already practicing risk management.

Much of this process is about putting on paper, the things you are doing and then identifying other risks that you may not have thought of; developing a process to deal with them.

In fact, your organisation will see many benefits, from effective risk management, that have nothing to do with avoiding costly lawsuits. Less lost time due to accidents, increased productivity and higher staff morale.

Effective communication of risk management involves making sure that everyone involved understands key concepts that form part of this process.

What is risk

Risk is virtually anything that threatens or limits the ability of an organisation to achieve its goals.

It can be unexpected and unpredictable events such as the destruction of a building, the wiping of all your computer files or an injury to a staff member or visitor who slips on a slippery floor and sues the organisation. These and countless others can happen and have the potential to damage your organisation, cost you money or, in a worst-case scenario, cause your organisation to close.

What is risk management

Risk management is a process of thinking systematically about all possible risks, problems or disasters before they happen and setting up procedures to avoid the risk, minimise its effects or cope with its impact.

You cannot predict everything that could happen but, discussing risk management will make even the most unpredictable event easier to deal with.

You may not consider a semi-trailer crashing through the front of your premises as a likely risk for your organisation, but if you have plans to deal with other disasters and people are aware of risk management issues, they will be able to respond to such an event faster and more effectively, and your organisation will benefit.

Risk management begins with three basic questions:

What can go wrong
What will we do to prevent it
What will we do if it happens

Communication does not start and finish with a meeting to explain the risk management strategy. Communication must continue to explain what you are doing, and why you are doing it, at every step of the risk management process.

Treat feedback seriously and remember to ensure that you keep the context of your organisation in mind; do not aim to recreate the world through risk management. Instead, aim to ensure that you have risks identified and a process in place to treat them.

Remember to document your every step because committee members will need to refer back to what has taken place. Also remember to ensure that you keep documentary evidence of the risks you identify and any incidents that occur.

Feedback from group members and people that you come into contact with in the course of your activities should be taken into account in developing and managing your risk management strategy.

DISCLAIMER

No responsibility can be accepted by the author(s) or Cornstalk Software P/L for any known or unknown consequences that may result from reliance on any information provided in this publication

Identifying risks in your organisation

Overview

This is the third step in a seven-stage process of successfully tackling risk management in your organisation.

Identifying risks requires a broad approach – in fact, the broader, the better. This is an ideal opportunity to get everyone in your organisation involved in the risk management process. Perhaps you could begin with a organisation wide brainstorming session to identify any and all risks that could confront your organisation.

This may not be possible with every organisation; establishing a risk management committee or in smaller groups having one person responsible may be a better solution.

Brainstorming

In a meeting room, have someone up the front with a pen and a white board or sheets of butcher’s paper. Their job is simply to write down any risks that the others think of; such as slipping on the polished floorboards to being hit by a stray meteorite. Depending on the size of your organisation, you may want to break up into smaller groups to brainstorm ideas, then present them to the group – you may want to assign groups to different areas of potential risk.

In any case, whilst a scattergun approach may be useful, it is worth breaking down the potential risks into sub-headings to make sure all areas are covered.

Remember that it is important to document all the potential risks that you identify, in each step of the risk management process. The statute of limitations in public liability cases in quite broad; therefore complete documentation is vital.

A risk is anything that can cause harm, ranging from an overfilled urn to the smell of rotting food left in a cupboard in a lunch room. The classic test for identifying risks is to imagine a person entering your premises or working for the organsation; what would you warn them about or keep them away from

Some useful questions to ask when identifying risk include:

What can happen When, where, why and how might this occur
Who and what might be involved
Who will be affected if this happens

It is important to define risks in terms that are useful in figuring out how to treat that risk.

A risk usually comprises three parts:

A source
Something at risk
An effect

For example, just listing “fire” as a risk doesn’t provide enough information to properly evaluate or treat that risk. But if the risk is defined as “there is a risk that a heater in a process will catch fire and cause damage to the machinery” we have somewhere to start.

Every organisation will produce a long list of potential hazards. So, the question is, where do we start There are a number of ways of tackling the task of identifying all the risks in your organisation, but each involves breaking them down so you’re not trying to tackle the whole problem at once.

You might want to go through your premises room by room, or list your activities one by one, identifying areas of potential risk as you go.

Factory

Are benches at a safe height, are the surfaces appropriate for the application
Are there any trailing power cables
Are doors and windows fitted with locks to prevent break-ins
Are there adequate first aid kits available and trained staff to administer first aid

Toilets and Rest Rooms

Is the hot-water system regularly serviced and well maintained
What is the floor like Can it get wet and create the danger of slips or falls

Lunch Room and Meals area

Are there any electrical items that could create a fire hazard
Do you have cooking areas, hot food or boiling water that could cause burns
Do you have food handling measures in place

These are just a few of the questions that may arise – many others will present themselves as you walk through your premises taking a close look at everything and just thinking about what could happen. Remember to also think above and below your premises – the roof, basement, storage areas, car parks etc.

Going from room to room is one way of identifying risks, but it might not be suitable for every organisation. However, it is a good idea to attempt to break down hazards into particular topics.

It is your responsibility to make your organisation a safe environment for anybody who is likely to come into contact with it, including those who do not have permission to enter. A key point is to make sure you inspect your facilities, equipment and premises regularly.

Other ways to help complete a list of potential risks include:

Incident review – examine events that have occurred previously and are recorded or remembered, to help generate an image of the site or function you are examining.
Interviews – talk to locals, council risk managers, other professionals, people who know the area or function, staff, emergency personnel. Talk to people who run organisations similar to yours to find out what risks they have encountered.
Documentation – what maps, procedures, photographs, video, records, articles, signs, notes or reports are already in existence
Guidelines – eg. electrical safety standards, signage guidance manuals
Site visits – physical findings. Use a checklist. What should you look for
Checklists – numerous applications. These are tools that can help you structure your findings in a logical and consistent manner.
Experience – yours, others. Go back to incidents, interviews and brainstorming.
Scenario analysis – set up a scenario or “what if “and see what may be lacking. This could even be a live run through to see how your organisation reacts, emergency exercises, dummy runs, etc Ensure that processes are in place for these scenario’s prior to trialing to avoid any unforeseen circumstances; provide a warning to the organisation in advance that one of these scenarios is planned.

If your organisation is large it may well be that you need to hire a risk management consultant to assist you in your process.

Checking any guidelines that may have already been produced that relate to your organisation and its activities. For example, builders may need to consider the presence of asbestos and methods of removal when demolishing a building.

Users of laser equipment may need specialised eye protection; depending on the type of laser in operation.

A case example

Remember to keep your focus broad. In a 2001 court case in South Australia, a woman in her sixties was shopping in a supermarket when she slipped on a grape, or grapes, and fell to her knees, injuring her right knee permanently.

The supermarket argued that it had in place a system of inspection and cleaning, and that mats were on the floor to prevent people slipping. But the court found in favour of the woman because the cleaning was found to be poorly supervised and was not carried out as it had been claimed, and awarded her damages of almost $30,000.

Claims of well above this figure have been recorded. Although in this case the fall occurred at a supermarket, this type of event can and does happen in any business. You might not have grapes on the floor, but the same scenario could be written with slippery tiles, a badly-placed doormat or equipment left lying around for people to trip over or an uneven pathway.

This is also a lesson to carry out procedures you come up with for fixing hazards that you identify.

Another, similar, case illustrates the need to keep in mind when identifying potential hazards that risks might vary at different times of the day or year – the footpath might not be slippery now, but may well be on a wet winter night.

In Canberra, Australia a woman aged in her 50’s was awarded more than $86,000 after slipping outside the entrance to a supermarket (again, it could just as easily be your organisation’s premises) and sustaining injuries that eventually required a hip replacement.

The judge found non-slip mats were in place but were worn and no longer serving their purpose, and the situation was worsened by wet leaves and slippery cotton blown on the wind from a nearby cottonwood tree, a phenomenon well known in Canberra at that time of year. It is important to document all the risks that you identify, and a good way of doing this is on a risk register.

The aim of the register is to pro-actively, but without a major imposition on time and effort, begin to raise the profile of what risks exist within your organisation.

Leave spaces blank and ask employees and associates to add items that they feel could be a problem (e.g. the fraying electrical cord to the jug or urn, the slippery tiles at the entrance, the jagged wire on the fence). This is the first step along a detailed process.

The other columns on the risk register will allow you to document and monitor the process of analysing, evaluating and acting on these risks.

Circulate the risk register to all personnel. The list of potential risks will be longer for some organisations than others. For instance, the risks associated with a construction company would outweigh those for a solicitors office. Potential areas of risk might also include noise levels, regular or occasional maintenance work, harm from repetitive tasks or staring at computer screens.

DISCLAIMER

No responsibility can be accepted by the author(s) or Cornstalk Software P/L for any known or unknown consequences that may result from reliance on any information provided in this publication

Analysing risks in your organisation

Analysing risks

This is the fourth step in a seven-stage process of successfully tackling risk management in your organisation. The first step in the process is communication and consultation and this needs to occur regularly if you are to continue to keep risk management at the front of everyone’s mind. In this regard you need to continually communicate throughout the process with your organisation and others who may be impacted.

Before you can do anything about the risks that face your organisation – and you should now have a long list of them – the risks must be analysed to determine their potential to cause harm This will give you a basis for determining which risks are the most serious, which are treatable and which can be accepted.

If you haven’t followed the process as outlined above you may want to revisit these steps to ensure that you are not missing the whole context. This will give you a framework to assess your risk management priorities.

Otherwise, you could try to tackle the risk posed by a falling piece of space junk before replacing the heater that is throwing sparks into the wastepaper bin in the warehouse.

Depending on the size of your organisation, the job of analysing risks is probably best performed by your committee or a person responsible for risk management. It may be worthwhile getting the person or committee responsible to outline their reasons behind the analysis to a wider audience.

The analysis should also be open to review and the results circulated to staff as part of the communication and consultation process.

Analysis is based can best be undertaken on two simple criteria:

Likelihood – how likely is it the risk will occur
Severity (or Consequence) – How bad is it if the risk if it is realised

How seriously you take each risk is based on a combination of these factors. For instance, an outbreak of the Ebola Virus in your organisation would be disastrous if it happened, but isn’t all that likely. On the other hand, the consequences of banging your head on a low door frame aren’t so bad but may be much more likely to occur.

Whether the frequency and severity of potential losses is classed as high or low will depend on the size of your organisation and the activities that you are involved in. A foundry may have a serious injury every three months and may not regard this as frequent, but this same number would be unacceptable for a retail store.

Frequency

Estimating frequency is reasonably straightforward for risks that occur on a regular basis, but is more complicated for losses that occur rarely or may never have happened at all. But even with regular risks, you should consider any changes in your organisation or the environment in which it operates that could impact on how often the risk will arise.

For instance, looking at how often accidents have occurred in the past will help a scaffold erection company estimate how often they will happen in the future. However, bear in mind that the growth of the business and the techniques used might suggest that the incidence will increase or decease as the contributing factors change.

Look at situations from more than one point of view; who could be affected by your activities Ensure that you discuss, consult and check with your staff throughout this process.

For less frequent risks, you may be able to draw on specialist advice from federal, state or local government agencies, insurers, a similar organisation to yours, or someone with a connection to your organisation who has expertise in a particular field, such as a fire fighter, risk consultant etc.

You may also want to check with your local Occupational Health and Safety Authority who may have advice.

Questions that may assist you when estimating frequency include:

How often do people encounter the risk
Has it ever happened before – in your organisation or another one How often
Has this hazard caused any near-misses
Is there any level of training required to perform the risky activity If so, have people done it How complex is the training
Has the industry group experienced any similar problems

Severity or Consequences

Several factors need to be taken into account when assessing the severity of a potential risk and, again, many will be specific to your organisation and the work you do. For example, fire damage to a part of a building would be a bad thing for any company, but how bad it is will depend on how often you used that particular facility, whether other facilities are available to continue your activities and if it is adequately covered by insurance.

The public relations impact of a risk should also be considered, if people are falling off buildings or electrocuting themselves it is not the best advertisement for your organisation. An organisation with a poor safety record is regarded as a poor employer.

You should also look at the number of people likely to be affected by a risk. A large number of people getting cuts and bruises during a manufacturing process may be worse than one person breaking their arm.

The worst risks are those that result in death or severe harm to individuals or threaten your organisation’s ability to work profitably or, in a worst-case scenario, cause it to close down altogether. So how do you work out the severity and likelihood of risks

There are two main methods:

Quantitative analysis applies a numerical value to the level of risk. This method usually depends on reliable data and is best used when specific figures are available, such as accident or injury statistics. This method can be extremely accurate but is best suited to large organisations where there is enough evidence to provide useful analysis. Smaller organisations should avoid this like the plague.

Qualitative analysis is the easiest, and most commonly used, method of analysing risks, especially for smaller organisations. It applies a descriptive word to the level of risk and is based on knowledge, experience and anecdotal evidence. This method does have limitations, including a risk of subjectivity, but is useful in indicating which risks may be disregarded, those that require further attention, and management priorities.

Analysing a lot of the risks will involve estimation; even detailed police statistics will not tell you how likely it is that your company’s truck will be run off the highway during a road rage incident. But don’t be afraid to guess; it is better than waiting until you know for sure because then it could be too late.

A simple method of analysis is to draw up a simple grid:

High probability

Low impact

High Probability

High Impact

Low probability

Low impact

Low Probability

High Impact

Assign each of the risks to one of the four categories – the ones that you give highest priorities are the ones in the top right corner. A more detailed approach can be followed by scoring or rating on a scale. An example is provided below:

Likelihood rating

A – Frequent – Likely to occur frequently
B – Probable – Would occur but not frequently
C – Occasional – Could happen occasionally
D – Remote – Rare; not likely, but possible
E – Improbable – Highly unlikely but still possible

Severity/Consequence rating

A – Catastrophic – May result in death or loss of bodily functions
B – Critical – May cause severe injury, illness
C – Marginal – May cause injury or illness resulting in, for example, missing work
D – Negligible – May cause minor injury or illness

A rating table can then be developed that will assist in evaluating your risks in the next step. The table will look something like this:

	Frequent	Probable	Occasional	Remote	Improbable
Catastrophic	High	High	High	High	High
Critical	High	High	High	Medium	Low
Marginal	High	Medium	Medium	Low	Low
Negligible	Medium	Low	Low	Low	Low

Placing each risk into its category will give you a good starting point from which to approach the management of risks in some order.

Some examples of risk analysis might include:

Risk	Frequency	Severity
Packer receiving cuts to hands from staples in packing cartons.	Frequent	Marginal
Packer injured when struck by a forklift truck.	Occasional	Critical
Warehouse being broken into resulting in loss of computer equipment and files.	Remote	Critical
CEO and senior management being involved in fatal air crash on way to conference.	Improbable	Catastrophic
Slip on tiles in laboratory	Occasional	Critical

Remember that the frequency and severity of particular hazards will be different for different organisations. The idea is not to detail all the potential losses that may result if a risk does occur, but simply to assign a level of estimated risk that will provide a basis for managing those risks.

The frequency and severity you assign to each risk can be entered on your risk register, which might now look like this (you may want to give each of the levels of likelihood and frequency a letter-based rating. e.g: Frequent = A, Probable = B, Occasional = C, etc. These can be combined to give a risk rating. For example, Frequent and Catastrophic = A, Frequent and Critical = B, etc)

What have you Identified as a Potential hazard For your Organisation	Likelihood	Severity	Risk Rating
Lights in car park not working	B	C	H

Analysing risks in your organisation is the fourth step in a seven-stage process of successfully tackling risk management in your organisation. The next stage is to evaluate your risks.

DISCLAIMER

No responsibility can be accepted by the author(s) or Cornstalk Software P/L for any known or unknown consequences that may result from reliance on any information provided in this publication

Evaluating risks in your organisation

Evaluating risks

This is the fifth step in a seven-stage process of successfully tackling risk management in your organisation. The first step in the process is communication and consultation and this needs to occur regularly if you are to continue to keep risk management at the front of everyone’s mind.

In this regard you need to continually communicate throughout the process with your organisation and others who may be impacted.

By now you should have undertaken a detailed identification of risks that your organisation faces and you then would have analysed these risks (or hazards). Now we look at how we evaluate these.

By working together your organisation can review the results of your analysis and objectively assess each of the risks in turn. Again, this is probably a job for your risk management committee but it is important to keep everyone involved in the process.

The evaluation of risk will enable priorities to be established that equate to an appropriate level of risk. This will allow you to decide what is an appropriate action for treating each risk. A major decision you will have to make before looking at how to treat risks is whether a risk is acceptable or unacceptable. This decision will depend on the activities of your organisation and should be made according to set criteria that you are confident to stand by.

These criteria should be documented so that they can be reviewed and monitored over time and to ensure that there is a record for future committees to follow and understand.

Criteria

Criteria for acceptable and unacceptable risks can be listed under frequency and severity/consequences.

For example, in terms of severity, your organisation may deem the following consequences unacceptable:

Injuries resulting in hospitalization
Financial losses of more than $500 for one incident
Any bad publicity
Any legal action against the organisation
A broken window from a fallen tree limb

In terms of frequency, these may be unacceptable:

Frequent minor injuries
Events that frequently interrupt your organisation’s activities
Frequent small financial losses

Although these criteria will reduce some of the indecision, ultimately the decision on whether a risk is acceptable or unacceptable rests with those responsible for the evaluation. It is subjective and that is why we suggest that you may want to take this step with more than one person looking at it.

The answers will depend on knowledge and experience and you should also ensure the integrity and credibility of your decisions.

When weighing up whether a risk is acceptable or not, consider how you defined your organisation, the aims and activities when you established a context for risk management. For example, most people would consider frequent minor injuries in a metal fabrication shop as acceptable and unavoidable.

But if this is occurring through poor work practices or training then this should be attended to.

Many companies will be based around activities that involve some inherent level of risk, for example, heavy manufacturing, mining and construction. Only you can decide what is an acceptable level of risk for your organisation, but remember that a judge may have an entirely different perspective so bear this in mind.

Do not discount something because it has never happened.

If you decide a risk is unacceptable, you will have to decide how to treat it. If the risk is minor or the cost of avoiding it is beyond your capacity to pay you may need to consider accepting the risk if it is core to your organisation’s existence.

Remember, however, a decision to accept a risk must be an informed and reasoned one because if something does go wrong and somebody gets hurt, you may well be asked why the risk was deemed acceptable. If you choose to accept a risk, do not forget about it. Be mindful of the consequences and do not ignore them in the hope it will never happen.

Monitor the risk and reassess it regularly; you may decide in the future that a risk you once thought was acceptable can no longer be accepted.

Documentation

Remember that this is an ongoing process and decisions that you make should be documented. Keep a record not just of what decisions were made, but why they were made. These reasons should be included in minutes for your meetings. This will ensure that future management or committees can understand what happened and what you were thinking at the time the decision was taken. They can also be used in defence of a claim taken out against your organisation.

Examples of records used to defend claims are:

Meeting minutes – any decision made at a meeting should be minuted to provide a record of what was decided and why. Significant decisions should be supported in some way by a record of the process used to arrive at the decision made. This may include decisions made at meetings through a consultative process. These should also be minuted.
File notes – conversations in person or on the phone where an action is agreed, advice is sought and/or provided, or information is provided, should be recorded. This can be done in a hard copy or electronic register. It provides traceability should a complaint be made or an incident occur
Incident records – notes taken or forms completed when a person reports an incident or injury. Organisations need to be consistent in the type of information they gather when recording an incident, and in investigating the surrounding circumstances. It is essential to have a specific form for this kind of record.
Training records – attendance by staff at any training should be recorded. These records may be requested by a court at some stage to make an assessment of the competency of the people concerned.

Keeping records such as these helps prove that decisions you have made have been reached systematically and that the rationale for a decision is sound.

DISCLAIMER

No responsibility can be accepted by the author(s) or Cornstalk Software P/L for any known or unknown consequences that may result from reliance on any information provided in this publication

Risk Management Checklist

Illustrate the market, pricing, product, and management risks as well as how you plan to overcome these risks.

Human Resource Related Risks

Risks	Plan to manage/minimise/overcome them by
Staff member lodges harassment/bully claim against another staff member	[e.g. …]
Union takes all staff out on strike	[e.g. …]
Staff member fails to work within guidelines	[e.g. …]
Fraudulent behaviour of one of senior partners or management	[e.g. …]
Employee lodges unfair dismissal action	[e.g. …]
add more as needed

Market Related Risks

Risks	Plan to manage/minimise/overcome them by
Interest rates rise causing downturn in market conditions	[e.g. …]
Oversupply of xxx causes prices to drop	[e.g. …]
New competitor offering prices under our cost	[e.g. …]
add more as needed

Production Related Risks

Risks	Plan to manage/minimise/overcome them by
Critical machinery breaks down	[e.g. …]
Raw materials delayed	[e.g. …]
Power supply problems	[e.g. …]
add more as needed

Financial Related Risks

Risks	Plan to manage/minimise/overcome them by
Partner leaves exposing heavier debt burden on remaining owners	[e.g. …]
Bad debts increasing	[e.g. …]
Cost of goods increase dramatically	[e.g. …]
add more as needed

Natural Disaster Related Risks

Risks	Plan to manage/minimise/overcome them by
Flooding of business	[e.g. …]
Fire	[e.g. …]
add more as needed

Management Related Risks

Risks	Plan to manage/minimise/overcome them by
Death of owner/partner	[e.g. …]
Fraudulent behaviour of one of senior partners or management	[e.g. …]
add more as needed

Treating risks in your organisation

Treating risks

This is the sixth step in a seven stage process for successfully tackling risk management in your organisation. The first step in the process is communication and consultation and this needs to occur regularly if you are to continue to keep risk management at the front of everyone’s mind.

In this regard you need to continually communicate throughout the process with your organisation and others who may be impacted.

Treating risks involves making a decision about what will be done about the risks faced by your organisation, now that you have identified, analysed and evaluated them; in other words, you know what they are and how they could impact on your organisation.

You should now have a list of priorities; treat the highest risks first.

Treatment should be appropriate to the level of identified risk and generally any cost of treatment should be commensurate with the potential benefits. If you have decided a risk is unacceptable, there are several options for treating it.

Deciding which is most appropriate could be the job of your risk management committee or a designated risk manager.

These are important decisions and weighing them all up will take a while.

An accident is the product of a chain of factors. Consider someone slipping on a wet floor; the accident is the slip. The outcome is the injury. The severity of the injury will be determined by a host of factors, including the age, size, fitness and clothing of the person involved, where and how they land and what they land on, and how long it takes to get medical attention.

Factors contributing to the accident include:

the area must be accessible
the person must be walking over that area at that time
the floor must be wet in the area at that time

It isn’t hard to see that if just one of these factors was removed, the accident may not have happened. You need to think about what actions you can take to avoid these factors in each risk you have identified. For example:

If the person wasn’t there, the accident wouldn’t have happened

Put up a warning sign, rope off areas that are wet
If the floor did not become slippery when it was wet, the accident would not have happened

Choose floor and cleaning products that prevent the surface becoming slippery

The task of actually treating the risks will involve everyone; perhaps you could stage a clean-up day at your premises when dangerous items are moved or replaced and everybody tackles jobs to make the place as safe as possible.

Following this, it will probably be necessary to assign specific tasks to individuals. Ask one of your regular drivers if they can get a road worthy check on the delivery truck, or another person to contact your state government about food handling regulations.

Remember to have a system in place to monitor what everybody is doing, perhaps by holding regular meetings when they can report their progress. It could be the job of your risk management committee to assign tasks and keep informed of the progress of each one, and then report back to your committee.

Good communication is essential because some actions will take longer than others and different tasks will involve different people. For example, Finance Manager will have to approve any spending to buy a new heater or fix the tiles on the roof of the office.

So how do you decide the best way to treat a particular risk

Consider these factors:

The balance between risk and benefit
You may be able to avoid the risk of truck accidents, for example, by using sub-contract carriers but this may substantially reduce the level of customer service offered by your organisation. Advanced driver training using a simulator and a skid pan may reduce the risks to acceptable levels.

The balance between risk and cost or convenience
You may be able to reduce the risk of falling down stairs by moving to a new building, but that could divert all your funds away from more important work. Putting up handrails, warning signs and non-slip strips may lessen the risk.

Remember that your liability if something goes wrong is going to be affected by whether or not people think that you’ve done all you reasonably could to avoid it.

Courts do however take into account what is reasonable and practicable for an organisation to implement. Not putting up a sign to warn people of a slippery surface because it costs $10 is a lot different from having to resurface an entire premises at a cost of $20,000.

The context of the organisation would be taken into account. As with all of the steps in risk management it is important to document these decisions.

Options for treating risk include:

Avoiding the Risk
The best thing you can do is to eliminate the risk completely. Fix what you can fix. This could mean removing trip hazards on the floor in the corridor, disposing of dangerous items or changing the way your organisation operates so a potential risk is avoided altogether.

Reducing the Risk
Look at alternative solutions that reduce risk. Initially focus on “industrial” solutions that do not require people to change their behaviour, such as improved lighting, safety barriers and resurfacing. Solutions such as rules, policies or training can then be looked at to reduce risk. Other options such as protective equipment can also assist.

Risk reduction strategies can reduce the frequency or severity of the losses resulting from a risk, usually by changing operations to reduce the likelihood of a risk, reducing the resulting damage if the risk does occur, or both.

There is a logical order to follow when looking for ways to reduce risk.

Often a combination of these will be needed.

1. Substitution
Replace something that is hazardous with something less hazardous. Change the bald tyres on your delivery truck, replace that 40-year-old heater, get a new doormat with non slip backing.

2. Engineering
Apply an engineering solution to minimise risk. For example, fit flashing lights in areas where forklift trucks operate, put up warning signs, improve lighting in the car park, put carpet on a slippery floor.

3. Isolation
Isolate the risk so it applies to less people, less often. Store any dangerous substances where only people who need them, and know how to use them safely, will have access, or use an enclosed spray booth for spray painting.

4. Administrative
Apply administrative measures that can reduce risk, such as implementing safe work procedures, policies or rules, rotating staff or training new staff.

5. Personal protective equipment
As a last resort, provide a personal barrier to the risk, such as gloves, helmets, goggles, respirators etc.

General precautions

Your organisation can take a number of general safety precautions and contingency measures to reduce the risk of an accident, or minimise the losses if something goes wrong.

These include:

Carrying out inspections at the end of each day to ensure all electrical appliances are turned off, doors and windows are locked and everything is where it should be.
Making a list of key contact numbers in case of emergency – keep it handy Keeping a list of contact numbers for staff members or clients in case of emergency
Keeping vital information stored on computer on “back-up disks” off the premises
Cleaning out gutters, down pipes and drains each summer
Familiarizing your staff with the location of the mains service isolation switches and valves for electricity, gas and water

Screening

The best way of reducing, and hopefully avoiding, the risk of harm to your clients and your organisation that may be caused by staff is to ensure you have staff who aren’t going to do the wrong thing.

This can be achieved by screening. Screening is a sensible process that is designed to find out if a prospective employee is suited to your organisation.

Effective screening is required by law in some industries and occupations and will also protect your existing staff, as well as members of the public that you come into contact with. Most people do not object to screening (even police checks) and it is better to find out now than wait until something goes wrong before discovering a staff member could have been seen to be a potential danger.

Screening involves five steps:

The position description
Advertisement
Application form (check references)
Interview
Police records check – if appropriate

Transferring the Risk

If you’re not able to remove or substantially reduce the risk;some activities such as high rise steel erection are inherently risky, you may be able to shift the burden of the risk on to someone else’s shoulders.

You may be able to hire subcontractors or share the job with another organisation.

Waivers

Another way of transferring risk is to ask people to sign a waiver before they undertake activities with your organisation. However, it is important to realise that waivers are not an excuse or protection for people or organisations that act in a negligent manner. And a waiver does not relieve your organisation from its duty of care to whoever signs it.

A waiver is valid only if all the possible foreseeable risks have been fully explained and that everything has been reasonably done to eliminate, minimise or control the risk. A waiver works only to cover inherent risks and does not cover negligence or excuse an organisation’s failure to act when it could or should have. This area is a legal minefield in itself and waivers tend not to hold much credence in courts.

However, it does make people think twice about suing if they have signed something saying that they were aware that they are participating in an activity and have been made aware of all the possible risks that activity could possibly entail.

Similarly, disclaimers – statements about what you’re accepting responsibility or not accepting responsibility for – also do not excuse you from your duty of care. Putting up a sign saying that you are not liable for people slipping on the rug is not a protection if you have acknowledged that the rug is dangerous, have had numerous complaints and still not done anything to remove the danger.

It is worth noting that the topic of waivers is currently under review and legislation in relation to waivers is being amended in some states.

You may wish to check with your local legal advisor to ensure that you are kept informed.

Insurance

Insurance is the most common method of risk transfer. Unfortunately, a risk management program cannot create 100 per cent protection from risk – it is a tool to reduce and manage risks, not eliminate them. It is essential that your organisation has relevant insurance policies to protect people working in or on behalf of that organisation.

Insurance policies you should include:

Property insurance (to cover damage to your premises and property from fire, storm, accidental damage or theft)
Public liability insurance (to protect your organisation against negligence claims made by a third party resulting from bodily injury or property damage arising out of the operation of your organisation’s business)
Directors and officers liability insurance (to protect individuals from claims resulting from acts of negligence)

Managing Risk

While your risk management program aims to reduce the chance of accidents happening, there will be times when things go wrong. It is important that you have procedures in place to deal with emergencies if they arise.

Ask these questions:

Do you have a first-aid kit Is it maintained Do people know where it is and how to use it
Are staff trained in first-aid and emergency procedures
Do you have an evacuation plan Do people know what it is Do you practice it
Do you have contact numbers for emergency services handy

You may not be able to prepare for every eventuality, but you will be able to deal with unforeseen emergencies much easier if procedures are already in place. For example, if you’ve planned for a flood and you get a fire, at least you will have an evacuation plan in place.

Remember, the extent of your liability is determined by whether you have done all you reasonably could in the circumstances.

Documenting this Step

As with all steps in the risk management process, it is important you keep records of what decisions you have made about treating risks, what actions need to be performed, by who, and what deadlines or criteria you have set for making sure they get done properly and on time. This can be done using a risk register.

DISCLAIMER

It is not intended to be relied upon or be a substitute for legal or other professional advice.

No responsibility can be accepted by the author(s) or Cornstalk Software P/L for any known or unknown consequences that may result from reliance on any information provided in this publication

Monitoring and reviewing risks in your organisation

Monitoring and reviewing risks

This is the seventh step in a seven stage process of successfully tackling risk management in your organisation.

The first step in the process is communication and consultation and this needs to occur regularly if you are to continue to keep risk management at the front of everyone’s mind.

In this regard you need to continually communicate throughout the process with your organisation and others who may be impacted.

It is highly recommended that your organisation establish a process to monitor and review your risk management strategy. This is vital because risk is not static. Your risk management strategy should be a fluid document that is regularly updated to take account of changes in your organisation. New risks will emerge and existing risks will disappear.

Risks that you have already acknowledged may become more or less frequent, severe or relevant to your organisation.

These changes will result from changes in your organisation and from changes in the outside world that you have no control over.

There are a number of useful ways to ensure effective monitoring and reviewing of your risk management strategy.

They include:

Set time lines for reviewing different aspects of your organisation’s activities. The regularity of the review will depend on the activity in question. For example, smoke detectors may only need to be checked once a year but lifting slings for the forklift may need to be inspected at the start of each shift.
Write down when things need to be checked and tick them off when they are. This can be done on your risk register.

For example:

When should this problem be fixed	Who and when fixed the problem
Prior to next meeting – July 12, 2009	June 10, 2009, by maintenance officer

You may also want to make a note of when that area should be reviewed again.

Keep records

It is important that you investigate and record any accidents or near-misses to help you avoid similar incidents happening again. Investigate the incident – what went wrong Why What could have prevented it

Document the details of the incident and the answers to those questions for future reference. And act on the information.

Records can also be called upon in court if an action is brought against your organisation. Records you should keep include:

Minutes of meetings – noting important decisions and the reasons for them
File notes – a record of important conversations in person or on the phone
Training records – documenting any training undertaken by staff or associates
Incident records -notes taken or forms completed in the event of any injury or incident. You should be consistent in the type of information you gather in relation to an incident and any investigation of the surrounding circumstances. It is essential to have a specific form for this kind of record

Your records should also include regular reviews of the effectiveness of the risk management strategy itself.

Ask questions such as:

How effective is your risk management strategy
Are measures working the way they are supposed to
How accurate is the risk assessment process Are all risks being identified
Have risk treatment methods made your organisation safer
Are safety procedures being followed
Are safety records accurate and up-to-date

The process of monitoring and reviewing your risk management strategy may result in documented administrative procedures such as policies, guidelines, codes of practice and rules.

Documentation of safe practices and regular maintenance inspections can be used in court proceedings as evidence that reasonable care was being taken.

Produce a resource for staff/members/volunteers

If you produced a risk management guide at the start of the process it could include sections that invite feedback from your staff on whether the risk management strategy is working.

Often it will be people “on the ground” who can see what works and what doesn’t, and who will be the first to notice any changes in the nature of risks faced by your organisation – new risks arising, existing risks disappearing or changing.

Adopt and follow procedures

“Good procedures, regularly followed” should be the risk management mantra for all organisations. Several policies and procedures can be invaluable to management as it strives to fulfil its legal duties and risk management responsibilities.

These include the use of position descriptions for all staff members and an annual self-evaluation process, and the adoption of conflict of interest policies, attendance policies, and management minute procedures.

You should also have a process in place for dealing with complaints, suggestions and other feedback from your staff and the general public.

It is important that the monitoring and reviewing of your risk management strategy is open and inclusive so that everyone connected with your organisation feels a part of the continual process of risk management, in its development, implementation and evaluation.

This goes hand in hand with effective communication, which you should be working on through every step of the risk management process.

A final question on risk management:

What happens if we have an incident that could lead to a claim

Your first responsibility is to whoever has been injured or distressed. Provide assistance and support and seek medical advice and treatment where required. Do so immediately and where there is some concern expressed by the injured person, express your concern and ensure that where there is any doubt, medical opinion is sought.
This is to protect both the injured person and your organisation. Where there is a need to phone relative do so as soon as practical.
Stick to the facts in any conversation and avoid discussion on possible liability or blame.
If an incident does occur, record the incident. In doing so stick to the facts of what happened. Do not attempt to allocate blame on any person or piece of equipment and avoid making personal comments or opinions. Ensure that all staff are all aware of a recording process and who should be advised in the event of an incident.
Notify your insurer of all potential and actual claims as soon as possible.

Finally

Always make sure that your insurer is notified of any activities that you may wish to undertake outside of your normal operations as it may not be covered or may require an additional premium.

Monitoring and reviewing risks in your organisation is the seventh step in a seven stage process of successfully tackling risk management in your organisation.

Although it is the seventh stage, that doesn’t mean it is the last one. Your risk management strategy should be an evolving, dynamic thing and you will revisit all of the seven steps to some degree, at some stage – some more regularly than others.

For example

Communicating risk management to your organisation is a continual process while you have probably done the bulk of the work in identifying risks in your organisation and just need to ensure your list of risks is accurate and up-do-date.

This, of course, can be achieved through a successful process of monitoring and reviewing your risk management strategy.

DISCLAIMER

It is not intended to be relied upon or be a substitute for legal or other professional advice.

No responsibility can be accepted by the author(s) or Cornstalk Software P/L for any known or unknown consequences that may result from reliance on any information provided in this publication

Risk management summary

Summarise the key elements of your plan in this section.

You may want to use this to now develop a Strategic Plan for the next 5 years and an Operational Plan for the next twelve months.

These plans are very straightforward and involve you working through each element of your plan and developing some key milestones. From this point, you will then need to put a rough time line on your milestones for the next 5 years worth of business.

In your operations planning, you will then take the milestones you seek to achieve in the next twelve months and develop from them Actions, Dates Due, responsibility and maybe even costing’s.

DISCLAIMER

It is not intended to be relied upon or be a substitute for legal or other professional advice.

No responsibility can be accepted by the author(s) or Cornstalk Software P/L for any known or unknown consequences that may result from reliance on any information provided in this publication