Once the risks have been analysed, evaluating and prioritising them is fairly straightforward. The results of the analysis are evaluated, and this evaluation sorts the risks into categories of low, medium and high risk. The resulting list sets an order of priority so that an occupier can make decisions about how best to treat these risks.
Risk profile is a commonly used term in risk management although it is not a term that is defined in the Australian standard. A risk profile, or risk prioritisation/evaluation, is a representation or outline of how risk varies across an organisation at different levels. Risk profiling is the process involved in identifying, assessing and prioritising all of the categories of risks that face an organisation. An organisation's risk profile can be visually depicted in the form of a chart or a graph.
Management and staff would be in the best position to determine and evaluate the risk profile of an organisation, operation, program, project or individual. Before implementing a risk management strategy, it is a useful exercise to spend a moment determining what you believe your risk profile to be.
The profile that you have established at this stage of the process will be under constant review throughout the risk management process. At the completion of the first risk management cycle, you should be able to compare your findings with the initial risk profile that you created.
Risk profiling can be conducted at different levels within the organisation. Typically, in a larger organisation, risk profiling would be conducted at strategic, operational (divisional, unit) and project levels. The same categories of risk apply at each of these levels. At the strategic level, the risks that are captured would be the high-level risks that the organisation as a whole is exposed to. At this level you are concerned with establishing a top-level risk profile that will form part of the organisation's risk management framework. This then becomes the framework for the rest of the organisation.
At the operational and project levels, the risk profile would be narrower, focusing on the lower-level risks that affect a particular division, unit or project.
When developing the risk profile, it is important to adopt a methodology that is capable of identifying both tangible and intangible risks. Risks that occur within and between organisational silos should also be identified. In addition, it is important to consider the impact of outside factors on the organisation, operation or project. These factors may include supply chain, outsourced functions, contractual arrangements and so on.
Low or acceptable risks are risks that require minimal or no treatment. There is no need to devote too much time to these risks but it is important to periodically review them to ensure that they remain low or acceptable risks. Medium or high risks will have to be treated. Unacceptable risks should be given the highest priority.