Organisations have an obligation to identify risks and to ensure that the appropriate people in the organisation are made aware of them. Once a risk is identified, preventive measures can be put in place to control it. What are the risks in your organisation?
In determining this, consider:
- global risks that would or could impact your organisation and similar organisations
- risks within and outside your span of control
- risks associated with activities conducted outside your premises
- risks associated with outsourced or contracted services
- risks associated with the use by external organisations of your goods and services
How do you identify risk? There are many methods of risk identification. Whatever the method, ensure that it supports a comprehensive identification of risks, as unidentified risks cannot be planned for or treated. 'Brainstorm' potential risk exposures.
In considering approaches to identifying risks, consider using:
- personal experience or lessons from the past
- results of audits or physical inspections
- records of prior losses (e.g. claims, financial or property losses, data/record loss, lost-time incidents and occupational health and safety reports)
- judgment by consensus, speculation or conjecture, intuition
- results of benchmarking for perceived performance deficiencies
- gap analysis distinguishing between existing practice and business plan objectives
It is critical in the identification of risk that two key elements of each actual or potential exposure are identified, namely:
- the cause of the exposure (e.g. failure of..., lack of..., loss of..., injury to...)
- the effect of the exposure; the effects may include financial impact, impact on staff and other stakeholders, impact on reputation and probity, impact on operational management, and impact on the delivery of programs
The most commonly used method of identification is an effective inspection program. An effective inspection program should detect most emerging risk issues.
Forms of inspection
An inspection program should be flexible. There are no hard and fast rules about this. It should be a combination of routine and non-routine inspection, and includes:
- routine inspection of all risks
- routine inspection of a particular risk or area of risk
- specific inspections resulting from recommendations, complaints, reports or advice from staff, users, stakeholders and others; this includes investigations and/or inspections recommended by the risk management or health and safety committee
- inspections as a result of incidents or accidents
How often should inspections be undertaken?
Routine inspections should be carried out on a regular basis. The frequency depends on the nature of the risks and the circumstances affecting them. It could be monthly or quarterly, and should be more frequent if circumstances warrant it. For example, if there is a high risk of injury through slips and falls, more frequent and diligent inspections are needed to identify the causes of those slips and falls.
All reported risks, even those from a source you consider dubious, should be treated seriously and inspected. Only then can you be confident in discounting them as possible risks.
What are you inspecting?
Make a list of all possible areas of risk, including physical and non-physical risks. There may be records of previous incidents and accidents logged in a database somewhere. Injury and incident reports are also valuable sources of information.
The following example relates to the inspection of physical risks:
- To identify physical risks, obtain plans of the premises if you do not already have them
- Keep the outdoor areas separate from the indoor areas
- For a large facility, divide it into distinct and manageable portions
- Prepare a standard checklist that can be used for the inspection. For example, you may be interested in inspecting the following:
- physical condition of facilities
- lighting
- ventilation
- noise emission
- gas and electrical supply
- safety devices
- storage of goods especially dangerous goods like chemicals
- location and adequacy of first aid facilities
- emergency management procedures
- conformity with current standards and regulations
Everyone involved in the inspection process can then use this checklist to identify the areas of risk they are responsible for.
Who should conduct the inspection?
- Larger organisations will usually already have a risk management and/or health and safety committee
- For smaller occupiers it may be a case of one person being the 'jack of all trades'
- The committee should coordinate the process
- Inspections should be carried out by those responsible for managing the work areas from which the risk emanates
- The committee is then responsible for conducting regular audits to gauge the adequacy of the inspection programs
- Where specialist or expert advice is required, the assistance of relevant experts should be sought
How to conduct an inspection
- Procedures should be developed for all the different types of inspection
- These procedures should be made known to all relevant parties
- The inspection team should have clarified all procedures and developed a checklist before any inspection begins
- Next, develop standard reporting documents that correspond with the checklist, so that the results of inspections and the remedial actions to be taken (both immediate and future) are properly documented
- Documentation is a key issue, as it will assist with any future audit or legal process
- The ability to provide documentary evidence is of paramount importance when defending a claim of negligence
- Any dangerous risks should be treated immediately
Categorising risk types
There are many sources of risk. The major challenge when analysing the risks to an organisation is finding a meaningful way to categorise them.
There is no definitive way to do this. Different people find some methods of categorising the sources of risk more useful or accessible than others. This may be related to experience, to the industry they operate in, or to organisational culture.
Standards Australia has developed a simple and effective tool (a database) to support AS/NZS 4360:1999 Risk Management. Based on the framework of the standard, the database helps you identify, prioritise and capture treatment options for your organisation's risks. It is an automated tool that culminates in the production of reports to support your risk planning process, and can be downloaded from the Standards Australia website.
Here are some selected examples of sources of risk, or risk categories, to show how terminology can differ without losing the conceptual understanding of how broad enterprise-wide risk management can be.
The Australian standard AS/NZS 4360:1999 Risk Management identifies eight generic sources of risk:
- Commercial and legal relationships
- Economic circumstances
- Human behaviour
- Natural events
- Political circumstances
- Technology and technical issues
- Management activities and controls
- Individual activities
In addition, Standards Australia has provided a list of 13 categories, some of which may be sub-sets of the generic eight above, to give a more detailed example of the risks that may apply to enterprise-wide risk in an organisation. These are:

| No. | Category | Example |
|---|---|---|
| 1 | Diseases | Affecting humans, animals and plants |
| 2 | Economic | Currency fluctuations, interest rates, share market |
| 3 | Environmental | Noise, contamination, pollution |
| 4 | Financial | Contractual risks, misappropriation of funds, fraud, fines |
| 5 | Human | Riots, strikes, sabotage, error |
| 6 | Natural hazards | Climatic conditions, earthquakes, bushfires, vermin, volcanic activity |
| 7 | Occupational health and safety | Inadequate safety measures, poor safety management |
| 8 | Product liability | Design error, substandard quality control, inadequate testing |
| 9 | Professional liability | Wrong advice, negligence, design error |
| 10 | Property damage | Fire, water damage, earthquakes, contamination, human error |
| 11 | Public liability | Public access, egress and safety |
| 12 | Security | Cash arrangements, vandalism, theft, misappropriation of information, illegal entry |
| 13 | Technological | Innovation, obsolescence, explosions and dependability |
The Department of Natural Resources & Environment, Victoria, uses the following 10 categories:
- Asset management
- Change management
- Compliance
- Environment
- Financial
- General management
- Liability
- Personnel
- Service and product delivery
- Technology
Arthur Andersen uses three broad categories, environment risk, process risk and information for decision making risk, with the following sub-categories:
Environment risk:
- competitor
- catastrophic loss
- sensitivity
- sovereign / political
- shareholder relations
- legal
- regulatory
- industry
- capital availability
- financial markets
Process risk:
- operations risk
- empowerment risk
- information processing/technology risk
- integrity risk
- financial risk
Information for decision making risk:
- operational
- financial
- strategic
There are many other models in the marketplace. A simple approach is to divide the sources of risk along one of the following lines and then identify the sub-categories that pertain to your organisation:
- Financial or non-financial
- Insurable or non-insurable risk
- Inherent or external risk
- Systematic or non-systematic risk
- Operational or non-operational risk
Each organisation may adopt different categories to suit its needs. However, a good check is to compare your organisation's list against the Australian standard to ensure the full range of potential risks is addressed.
The table below illustrates how an organisation's individual or specific risk types can be matched or aligned against the categories in the Australian standard. To illustrate, CPA Australia has taken the Department of Natural Resources and Environment (DNRE) risk types and adapted them to the Australian standard.

| DNRE risk type | Australian standard risk categories and sub-sets |
|---|---|
| Asset management | Management or maintenance of physical assets, buildings or equipment, including: resource planning; construction activity; fire detection and prevention; security |
| Change management | Processes or consequences of organisational change, including change in response to: external factors such as the political and social environment; internal firm-driven factors |
| Compliance | Non-compliance with legislation and regulation or with internal policies or procedures, including: directors' and officers' liability; professional advice |
| Environment | Management and integrity of the built or natural environment |
| Financial | Financial management or transactions, including: treasury and finance; purchasing and contract management; project management; investments; foreign exchange |
| General management | Operation of normal management policies or procedures, including: ethics and probity issues; reputation and image issues; contingency, disaster and emergency planning |
| Liability | Provision of services, products or information that could result in legal action against the organisation or its officers, including: fraud prevention, detection and management; public risk |
| Personnel | Safety, occupational health or well-being of staff |
| Service and product delivery | Failure in the provision of services or products, including: design and product liability; operations and maintenance systems |
| Technology | Security, function or management of technological systems and processes, including information systems and computer networks |
Categorising the sources of risk is one of the first steps to successfully completing a risk management exercise. The important thing is that whatever method is used, it should match the risk situation of your organisation and be agreed by the organisation to be meaningful and manageable.
Note: CPA Australia recommends that whatever categories are adopted, they should be measured and checked against the AS/NZS 4360:1999 categories for completeness.