Chapter 5: Risk Management Process
A risk management process is the set of steps an organisation takes to identify, analyse, evaluate and treat risks. These steps should be carried out with stakeholders, in collaboration with the risk management function, and each step in the process should be continuously monitored.
To be effective the risk management process must be:
- an integral part of the agency’s operations,
- embedded in the agency’s culture and practices,
- tailored to the agency’s business processes, including your strategic, business and project planning processes, and
- developed and implemented with input from across the organisation, so that a diverse range of skills, experiences and perspectives contribute to the process.
Risk management is dynamic and ongoing. The risk management process can be triggered by a variety of situations, but it is always a response to new information or changed conditions. Examples include:
- major changes to operating conditions, such as a local or macro-organisational restructure (e.g. Machinery of Government changes), the establishment of new organisational functions, or the introduction or removal of major policies
- the commencement of programs or projects
- as part of business case development
- in response to the release of updated data (e.g. climate change projections or research)
- in response to a major external enquiry
- during business planning and strategic planning cycles
- if legislation affecting the agency has been introduced or amended
The following steps describe the risk management process. These steps align with the process outlined in ISO 31000 and are explained further in the following sections:
- Establishing the context: defining the internal and external parameters to be considered when managing risk and setting the scope of the agency’s risk management process. This includes specifying the level and type of risk that it may or may not take, and defining the criteria used to evaluate the significance of risks.
- Risk identification: finding, recognising and describing risks
- Risk analysis: understanding the nature and level of risks so you can make decisions about whether a risk needs to be treated
- Risk evaluation: deciding what action, if any, to take in relation to a risk
- Risk treatment: identifying, selecting and implementing responses to risks that fall outside the levels the agency is prepared to accept or tolerate
- Communication and consultation: exchanging information about risk management with internal and external stakeholders
- Monitoring and review: continually checking that each component of the risk management process is performing as desired
- Recording and reporting: documenting the risk management process and its outcomes and reporting them appropriately through the agency
The risk identification, analysis and evaluation stages are collectively known as risk assessment.
Establishing the scope and context
Scope and context inform the other elements of the risk management process, including deciding what types of risk will be considered, how they will be measured, and establishing criteria to decide if a risk is acceptable or tolerable. The scope and context should be consistently referred to throughout the risk management framework and process. All risk conversations and decisions should aim to assist the agency in achieving its objectives.
To establish the scope and context of the risk management process an entity should consider both internal and external variables which may impact the risk environment:
- External variables are the environment or setting in which the agency operates. This includes political, economic, social, technological, legal, climate, and environmental settings.
- Internal variables are environments within the agency, such as culture, governance and other structures, processes, and accountabilities.
A risk appetite statement (RAS) specifies the level and type of risk that the agency is prepared to accept in pursuit of its objectives. It is the reference point against which risks are later evaluated as acceptable or tolerable.
Criteria to evaluate identified risks
Defining your risk criteria helps you to ensure that you are consistent in deciding the significance of the risks that the agency is facing and supports effective decision-making. This includes a consistent approach to defining and measuring the consequences and likelihoods of risks, and the agency’s capacity to take risks.
The criteria that are needed to form an understanding of the level of a risk are:
- The consequence, or impact, of the risk
- The probability, or likelihood, of the risk occurring
- How probability and consequence combine to determine the overall risk rating.
Example risk criteria that you can adopt for the agency’s risk management process can be found in Appendix C.
Risk assessment
Risk assessment is a structured approach consisting of three discrete stages: risk identification, risk analysis and risk evaluation.
| Risk assessment stage | Key questions |
|---|---|
| 1. Risk identification | What can happen and why? |
| 2. Risk analysis | What are the consequences? How likely are the risks to occur? Are there any measures currently in place that act to reduce the consequences or the likelihoods of the identified risk? How reliable are these measures? What happens if they fail? |
| 3. Risk evaluation | Is the current level of risk acceptable or tolerable compared with established criteria? If not, what further measures are needed to manage the risk? |
Risk identification
Risk identification involves finding and recognising uncertainties that could impact the agency’s objectives. Both threats and opportunities should be considered, and existing controls identified. Risk identification must be ongoing, adapting as objectives and environments change. Current information is critical.
A variety of tools and techniques can be used to identify risks. You should select the methods best suited to the agency’s objectives, capabilities, risk management maturity, and the nature of risks faced. Possible approaches to risk identification include the following:
- Risk self-assessment: each division of the agency reviews its own activities, objectives and events that can influence achieving its objectives. Risk assessments may be conducted in formalised workshops facilitated by either the risk manager or a professional facilitator.
- Commissioned risk review: a team is established to review the operations and activities of the agency to articulate its objectives and identify potential events that could affect the achievement of the objectives.
Risk analysis
Risk analysis is the process of coming to an understanding about the nature and level of risks so that a decision can be made about whether the risk can be accepted. It should be undertaken with stakeholder consultation. This analysis involves:
- Determining the level of each risk – The agency uses the consequence and likelihood tables alongside the risk matrix it has developed (as discussed in 5.1.1) to determine the level of each risk before existing controls are taken into account. This is often called the ‘inherent risk rating’. Rules should be established for rating risks that have more than one consequence (for example, rating on the most severe consequence). It is also good practice to analyse the level of risk in both the current case and a worst-case scenario in which existing controls fail.
- Analysis of existing controls – Once a risk has been identified, any existing controls must be identified and assessed using the control effectiveness criteria that were established in the scope and context stage. A control that is assessed as ineffective should not be credited when determining the current level of risk.
- Identifying and documenting uncertainties and sensitivities – These should be identified and documented when interpreting and communicating the results of the risk analysis. This information can also be included in the risk register.
Risk analysis can be difficult, especially when events are highly uncertain. Risk analysis can also be influenced by assumptions, the quality of information used, opinions and biases. These should be documented as part of the analysis.
Risk analysis is an input into risk evaluation and decision-making.
Risk evaluation
The evaluation process determines if the risk should be accepted or if additional actions are required to treat the risk and lower the residual risk rating. The residual risk rating is the level of risk that remains after controls have been put in place. This process is used to prioritise risks and to focus the attention of management. Evaluating a risk will lead to one of the following decisions:
- Treat - Reduce the risk using treatment actions and additional controls.
- Accept - Accept the risk and take no further action or add no further controls, but keep the risk under review to ensure the rating remains current. This is typically the outcome where the risk cannot realistically be reduced any further.
- Avoid - No available action can reduce the risk to an acceptable level, so the objective itself must be reviewed and possibly changed or, if necessary and possible, abandoned.
- Share - Share the risk with another party, e.g. by outsourcing or insurance. Sharing can reduce the consequence to the agency, but accountability for the objective remains with the agency.
The proposed risk rating is the anticipated rating once all identified treatment actions have been implemented. This is not the desired rating, but a realistic predicted risk rating once any treatment activities have been completed.
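The rating rules described under the risk criteria, the analysis of existing controls, and the evaluation decisions above can be made concrete as a small risk register. The following is an added worked example, not part of the original guidance or of any agency's tooling. The five-level likelihood and consequence scales, the 5x5 rating matrix, the control-effectiveness credits and the rule for rating a risk that has several consequences (rate on the most severe) are all assumed for illustration; an agency would substitute the criteria it set in the scope and context stage (the example criteria in Appendix C are not reproduced here). The three register entries are constructed sample data. The code computes the inherent rating (no controls credited, which doubles as the "controls fail" worst case), the residual rating (existing controls credited according to their assessed effectiveness) and the proposed rating (planned treatments also credited), then evaluates each risk against a tolerance level and orders the register for management attention.

```python
"""Risk register rating example (added illustration; scales and rules assumed)."""
from dataclasses import dataclass, field

# Assumed five-level scales. Names and numbering are illustrative only.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
CONSEQUENCE = {"insignificant": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}
RATING_ORDER = ["low", "medium", "high", "extreme"]  # ascending severity

# Assumed 5x5 matrix, indexed MATRIX[likelihood - 1][consequence - 1].
MATRIX = [
    ["low", "low", "low", "medium", "medium"],         # rare
    ["low", "low", "medium", "medium", "high"],        # unlikely
    ["low", "medium", "medium", "high", "high"],       # possible
    ["medium", "medium", "high", "high", "extreme"],   # likely
    ["medium", "high", "high", "extreme", "extreme"],  # almost certain
]

# Assumed control-effectiveness criteria: fraction of a control's designed
# reduction that is credited when rating the risk. Ineffective controls earn nothing.
CREDIT = {"effective": 1.0, "partially effective": 0.5, "ineffective": 0.0}


@dataclass
class Control:
    name: str
    reduces: str           # "likelihood" or "consequence"
    by: int                # levels removed if the control were fully effective
    effectiveness: str     # a key of CREDIT, as assessed in the analysis stage
    planned: bool = False  # True for a treatment action not yet implemented


@dataclass
class Risk:
    id: str
    description: str
    likelihood: str
    consequences: dict                       # consequence category -> level name
    controls: list = field(default_factory=list)


def rate(likelihood: int, consequence: int) -> str:
    """Combine likelihood and consequence through the matrix."""
    return MATRIX[likelihood - 1][consequence - 1]


def worst_consequence(risk: Risk) -> int:
    # Assumed multi-consequence rule: the risk is rated on its most severe category.
    return max(CONSEQUENCE[name] for name in risk.consequences.values())


def apply_controls(risk: Risk, include_planned: bool) -> tuple:
    """Return (likelihood, consequence) after crediting controls.

    Existing controls are credited according to their assessed effectiveness;
    planned treatments are credited only when include_planned is True.
    """
    lk, cq = LIKELIHOOD[risk.likelihood], worst_consequence(risk)
    for c in risk.controls:
        if c.planned and not include_planned:
            continue
        credit = int(c.by * CREDIT[c.effectiveness])  # floor of the credited reduction
        if c.reduces == "likelihood":
            lk = max(1, lk - credit)
        else:
            cq = max(1, cq - credit)
    return lk, cq


def ratings(risk: Risk) -> dict:
    """Inherent (no controls; also the 'controls fail' case), residual and proposed ratings."""
    return {
        "inherent": rate(LIKELIHOOD[risk.likelihood], worst_consequence(risk)),
        "residual": rate(*apply_controls(risk, include_planned=False)),
        "proposed": rate(*apply_controls(risk, include_planned=True)),
    }


def evaluate(risk: Risk, tolerance: str) -> str:
    """Compare the risk with the agency's tolerance (a RATING_ORDER level).

    'accept'   residual rating is within tolerance
    'treat'    planned treatments would bring it within tolerance
    'escalate' planned treatments are insufficient; escalate so that
               an avoid/share decision can be taken by the risk owner
    """
    r, limit = ratings(risk), RATING_ORDER.index(tolerance)
    if RATING_ORDER.index(r["residual"]) <= limit:
        return "accept"
    if RATING_ORDER.index(r["proposed"]) <= limit:
        return "treat"
    return "escalate"


def prioritise(risks: list) -> list:
    """Order the register by residual rating, most severe first (stable for ties)."""
    return sorted(risks, key=lambda r: RATING_ORDER.index(ratings(r)["residual"]), reverse=True)


# Constructed sample register (illustrative entries, not real agency data).
REGISTER = [
    Risk("R1", "Internet-facing service exploited via an unpatched vulnerability", "likely",
         {"service delivery": "major", "financial": "moderate"},
         [Control("Patching SLA", "likelihood", 2, "partially effective"),
          Control("Web application firewall", "likelihood", 1, "effective", planned=True)]),
    Risk("R2", "Loss of backups in a data centre outage", "possible",
         {"service delivery": "severe"},
         [Control("Off-site replication", "consequence", 2, "effective")]),
    Risk("R3", "Insider misuse of privileged access", "unlikely",
         {"reputation": "severe"},
         [Control("Privileged session logging", "likelihood", 1, "ineffective"),
          Control("Quarterly privileged access review", "likelihood", 1, "effective", planned=True)]),
]

if __name__ == "__main__":
    tolerance = {"R1": "medium", "R2": "medium", "R3": "low"}
    for risk in prioritise(REGISTER):
        print(risk.id, ratings(risk), "->", evaluate(risk, tolerance[risk.id]))
```

R3 illustrates the escalation path: its only existing control is assessed as ineffective, so the residual rating equals the inherent rating, and even the planned review leaves it above a "low" tolerance, so the register flags it for the risk owner rather than silently marking it as treated.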
Risk treatment
Risk treatment is the process of identifying, selecting and implementing responses to the risks that have a higher risk rating than the agency finds acceptable. Whether a risk rating is ‘acceptable’ will depend on whether it exceeds the target ratings agreed by the agency. The evaluation of existing controls helps to determine whether these controls can be modified, or whether new controls need to be introduced.
Risk treatment is cyclical. If the level of risk remains unacceptable after treatment, additional actions (such as escalating the risk) should be identified before the risk is assessed again.
Treatment options include taking action to:
- change the consequence,
- change the likelihood, or
- both.
Risk treatments should be developed by, or under the direction of, a risk owner. Stakeholders should be consulted during the development and implementation of risk treatments.
If there are no treatment options, or the options do not modify the risk to an acceptable level, the risk should be recorded and kept under review. Regular and careful monitoring is essential to ensuring the effectiveness of any risk treatment.
Example control design and implementation tables can be seen in Appendix D.
Each team in the agency will often only have control over certain aspects of a risk. It is therefore extremely important for leaders to collaborate by articulating the risk context and agreeing on ownership, responsibilities, and actions. These discussions should identify:
- Which senior leader is accountable for delivery of the objectives potentially impacted by the risk? This is usually the best indicator of risk ownership.
- Who is best placed for implementing and managing each control and treatment action, including their design, implementation, and management?
- The shared mechanisms and responses that need to be implemented if the risk materialises.
Monitoring and review
As well as monitoring and reviewing individual risks, it is important to monitor and review your overall risk management process to ensure that:
- it remains relevant as your external and internal context changes
- it is operating effectively
- the criteria you use to evaluate risks are still relevant
- you can capture lessons learnt from your risk management activities, including near misses and actual losses or gains, and
- the expected results of the agency’s risk management process are being achieved.
Monitoring and review can either be carried out formally or informally. It can include:
- management reviews - for example, the use of self-assessments
- independent reviews - for example, by internal or external audit
- continuous informal reviews - for example, discussing the progress of your risk management activities in workgroups or meetings.
The monitoring and review phase can be supported by using a process elements model to check each element of the process. A generic example has been included in Appendix D.
Recording and reporting
Recording and reporting the risk management process and its outcomes provides:
- information for decision making
- a way of communicating risk management activities and outcomes, and
- support for engagement with stakeholders
Reviews may indicate that your risk management process needs refinement. Any changes to the agency’s risk management process or your risk management framework should be formally documented and approved in accordance with your risk management policy.
The responsibility for monitoring and performing reviews of the elements of the risk management process within the agency should be clearly assigned when roles and responsibilities are defined in your risk management framework. You should document the outcomes of your monitoring and review and regularly report these to your AA and the ARC.