

It is not possible to completely remove risk – the aim of risk management is to manage risk to an acceptable level. Using the list of risks identified during the evaluation process, risk treatment involves identifying the range of options for treating the risks, evaluating the options, and preparing and implementing risk treatment plans.

Risk Treatment Options

The options for treating risk include risk avoidance, risk reduction, risk sharing and risk retention or acceptance.

Risk avoidance
Risk avoidance is sometimes adopted when an activity or situation involves a high level of risk which cannot be adequately managed to an acceptable level. The risk is deemed to be too high against the potential benefits associated with the activity. A decision is made not to become involved in, or to withdraw from a risk activity or risk situation.

Risk reduction  
Risk reduction is one of the most common options in treating risk. A decision is made to develop and implement risk treatment strategies to lessen the likelihood of a risk event occurring and/or reduce the negative consequences associated with a risk, should it be realised.

Risk sharing     
Also a common option, risk sharing or risk transfer involves a decision to distribute the potential for loss (and potential for gain) to another party. The most common forms of risk sharing include sub-contracting, outsourcing and insurance. It is important to note that some risks cannot be transferred in their entirety, such as an organisation's duty of care. In addition, transferring risk can result in the nature of the risk changing and/or the creation of new risks.

Risk retention
Risk retention is where a decision is made to accept the potential for loss, as balanced with the potential benefits, without attempting to reduce the level of risk involved.

Developing Risk Treatments

Define risk treatment objectives
The purpose of establishing risk treatment objectives is to ensure that the risk control options developed meet organisational needs, will effectively manage the risk and will be sustainable.
The design of risk treatment strategies is only effective when based on a sound understanding of the source of risk and how each risk could arise. A sound understanding of the causes of each risk event and of the underlying factors that influence the effectiveness of risk treatment measures is the key to developing a successful risk treatment strategy.

Risk treatment objectives address:

  1. Risks that are to be treated.
  2. The causes, sources or events being targeted for risk treatment.
  3. The aim of the risk treatment measures – what each risk control must do, when it must do it, where it is applied and how it controls the risk.
  4. Performance requirements in terms of effectiveness, efficiency, reliability and availability.

Determine performance requirements
The objectives establish what the risk treatment strategy is required to achieve.  It may also be useful and appropriate to include certain performance requirements and how performance will be monitored, measured and reported.

Conduct gap analysis
A gap analysis will include a review of existing risk treatment strategies, specific risk controls and identified vulnerabilities in light of the risk, its sources and potential risk events.

Develop risk treatment options
Identification and development of risk treatment options involves making decisions on the high-level risk management approach (to avoid, reduce, share or retain) and the risk control measures most effective in achieving risk treatment objectives, thereby reducing the level of risk. Legislation and standards can often dictate minimum risk treatment requirements for particular types of risk, such as safety. In such circumstances, a review of existing guides and regulatory requirements will be required.

Evaluate treatment options
A common cause of failure or ineffectiveness of risk treatment strategies is the approach of treating each risk in isolation. The treatment of a risk in one area may significantly increase the exposure to risk in another area. Consideration of the causal factors of risks and the interaction of risks with each other is paramount in evaluating risk treatment strategies. When evaluating risk treatment options, questions should be asked for each option under consideration to investigate conflicts in this regard.

Cost Benefit Analysis
Cost benefit analysis provides an objective process for comparing the costs and benefits of the risk without treatment and the comparable costs and benefits of the risk once treated. It informs the prioritising of feasible risk treatment options. Consideration may be given to the:

  1. Benefits arising from the reduction in likelihood and/or consequences of the risk.
  2. Benefits such as reduced insurance premiums, improved management and staff confidence and enhanced reputation.
  3. Costs of implementing and maintaining the risk control.
  4. Costs arising if the risk were to be realised, including direct costs and indirect costs. Indirect costs are often overlooked and may comprise loss of productivity, business disruption, increase in staff attrition, diversion of management attention, damage to reputation and loss of brand value.

Complete detailed design
Both the practicality and maintainability of risk treatments are considered during the detailed design stage. Involving those who will ultimately be affected by the control (end users) in the design of risk treatment strategies is the most effective way to achieve practical and sustainable risk solutions. This process ensures risk treatment options are ‘fit for purpose’ and acceptable to those who will be ultimately responsible for, or involved in, implementation (end users), and increases the likely effectiveness and sustainability of the risk controls.

Design Review
The purpose of the design review is to verify that the detailed design of the risk treatments is ‘fit for purpose’ prior to implementation. It can be a simple checking process or a formal and structured multi-disciplinary review. The review will verify that the design of the risk treatments:

  1. Satisfies the risk treatment objectives.
  2. Satisfies performance requirements.
  3. Can be implemented within the current environment and with currently available resources.
  4. Provides for maintenance and sustainability.
  5. Does not introduce new risks or create vulnerability in other existing or proposed risk controls.

Communicate and implement
Successful implementation of risk treatment strategies will depend to a large extent on the level of consultation and communication carried out throughout the risk assessment process, in particular the risk treatment design stage. Depending on the level of change imposed by the introduction of the new or modified risk controls, a change management plan and/or communications plan may be required.

Risk Treatment Plans

A Risk Treatment Plan may include the following elements: