Establishing A Context For Risk Management
Establishing a context
This is the first step in a seven stage process of successfully tackling risk management in your organisation. The seven stages follow the Australian Standard for Risk Management (AS/NZS 4360:2004) published by Standards Australia.
The seven stages are:
- Establishing a Context for Risk Management in Your Organisation
- Communicating Risk Management to Your Organisation
- Identifying Risks in Your Organisation
- Analysing Risks in Your Organisation
- Evaluating Risks in Your Organisation
- Treating Risks in Your Organisation
- Monitoring and Reviewing Risks in Your Organisation
Risk Management may sound daunting but, to a large extent, this is just plain common sense. In some organisations there may be varied services that are provided or several locations that we need to ensure are properly managed.
The task requires that you walk before you crawl; by following the process, it minimises the chance that you may miss something.
Remember that insurers are looking at the organisation’s level of risk and anything that we can do to minimise risk may lead to reduced premiums in the longer term.
To be able to recognise a risk it is important to know what a risk is. While some risks may apply to everyone, some will be specific to your organisation. To be able to identify and deal with risks, you need to establish a base from which to work.
This will involve taking into account your organisation’s objectives and capabilities as well as external factors, such as the changing legal environment and shifting social standards.
At the end of this step you should be able to detail your organisation’s objectives, determine who will have an impact or be affected by your risk management process, and set out a number of areas which can be allocated for attention. These can then be used to prioritize the order in which you attack the next task.
So how do you go about establishing a context for risk management This could be the job of a risk management committee or tackled in meetings and brainstorming sessions. If one person has been with the organisation for a long time or has a particularly good grasp of the way that your organisation functions, they may be able to answer the following questions and bring them to a risk management committee for discussion.
If you decide to hold a brainstorming session to identify risks in your organisation as the next step in forming a risk management strategy (which is a good idea, and is detailed on the Identifying Risks in Your Organisation Help Sheet), start by asking some questions about what your organisation does and why (ie put the risk management process in context).
Committee members could then have the task of fleshing out the finer details (such as legislation) and documenting them, but a session like this allows your organisation to clarify its position, ensures everyone is on the same wavelength and will set the scene for the brainstorm to follow.
The key point to gain from this step is to place risk management in the context of effort; a high risk organisation will have to exert more effort that one with a lower risk.
Questions to ask can be broken down into two areas:
1. The Organisational Context
Many people in your organisation should be able to assist with defining the organisational context – your organisation’s aims, activities, structure, employees and method of operation.
As way of beginning the process, the following questions may be asked;
What are the aims and objectives of your organisation
In addition to returning a profit, what social or community aims does the organisation have
What are your organisation’s core activities
Manufacturing and selling a product may be the main activity but don’t forget research, investment etc.
Who is involved with your organisation – both internally and externally
The list might be quite long and include employees, casual staff, contractors, suppliers, transport companies etc.
One way of getting a clearer picture of all the people involved in your organisation is to draw a simple diagram, starting with a small circle in the centre in which you can list the employees. In a larger circle are other people directly involved, such as sub-contractors.
The next circle contains the names of people or companies that have a significant stake in your activities such as advertising agencies, accountants etc. and so on. The circles gradually getting larger as you come up with people and organisations that are, to some degree, involved in, or affected by your enterprise.
What facilities do you have and/or use
This is an easier task but you should remember to include, car parks, leased storage and remote offices and work sites.
To establish a context for your risk management strategy, the answers to these questions will also help determine how you tackle the process; how is your organisation currently tackling risk management, either formally or informally
2. The Strategic Context
This is the environment in which your organisation operates, and to establish this may involve research.
Some questions you should look at are:
What relationships does your organisation have and how important are these
It is important for your organisation to recognise the relationships that it has established with other organisations and that are necessary for it to operate. For example, franchise agreements or manufacturing a product under licence.
What laws, regulations, rules or standards apply to your organisation
Apart from the normal business legislation, employment awards etc., there may be specific legislation and controls that govern the operation of your business. These may be environmental controls, privacy legislation or legal requirements for working with children or people at risk.
An organisation is liable when it is found to have breached a duty it owes by acting improperly or not acting. Financial penalties may attach to the liability.
A successful claim alleging negligence has to prove that:
- A duty exists – An organisation cannot be found negligent unless it first had a duty to exercise care
- The duty is breached – An organisation that does not meet its duty of care may be found negligent
- An injury occurs – Negligence will not be found unless someone is hurt or something is damaged (physically, mentally or financially)
- The breach of duty causes the injury – In order for an organisation to be found negligent, the injury must be tied directly to the entity’s breach of its own duty of care
If those four elements exist in a particular case, a court may hold your organisation liable for damages. Your failure to provide the requisite level of care required under the circumstances will have exposed your organisation to very serious consequences.
What, then is my duty, and what constitutes negligence Unfortunately, the answer is that it all depends on the circumstances of the matter or activity at hand. The required standard of care varies with the situation, the people involved, the nature of your work and the community in which the incident takes place. Non-profits serving children or other vulnerable populations must exercise a higher level of care than if the agency services adults.
A circus school teaching students to juggle with chain saws will have to meet a higher standard than a meditation class. As a general rule, take a pessimistic view; assume the standard is very tough, then add some. Ask yourself: “What’s the worst that can happen” “Have we got a risk management strategy in place”; “If I could foresee the future, would I be able to sleep tonight”
To establish a context in which to consider risks, your organisation must identify its duty of care, and accept it.
While all care has been taken in the preparation of this material, no responsibility is accepted by the author(s), Cornstalk Software P/L or its staff, for any errors, omissions or inaccuracies. The material provided in this document has been prepared to provide general information only. It is not intended to be relied upon or be a substitute for legal or other professional advice.
No responsibility can be accepted by the author(s) or Cornstalk Software P/L for any known or unknown consequences that may result from reliance on any information provided in this publication.
- Analysing Risks In Your Organisation
- Communicating Risk Management To Your Organisation
- Evaluating Risks In Your Organisation
- Identifying Risks In Your Organisation
- Monitoring and Reviewing Risks In Your Organisation
- How to use bottlenecks in your business to help you write effective standard operating procedures (SOP)
- SOP Software to help you manage your standard operating procedures (SOP)
* Please read our disclaimer before downloading any of our documents