Finalising Your Risk Management Plan

Submitted by coleen.yan@edd… on Wed, 08/24/2022 - 15:21

Now that the risks to the organisation have been identified, you need to analyse, evaluate and prioritise each one so that appropriate controls can be put in place to manage them. All of this needs to be documented in the organisation’s Risk Management Plan.

This section takes you through the key components of a Risk Management Plan, and shows how to work through each identified risk to assess the level of risk it presents to the organisation so that you can put appropriate controls in place.

By the end of this chapter, you will understand:

  • What a Risk Management Plan is
  • How to analyse risks and use a risk matrix
  • How to evaluate and prioritise risks
  • What a Risk Register is and when to use it
  • How to treat and control risks
  • How to develop a Risk Treatment Schedule
  • Strategies for monitoring risk.


A Risk Management Plan is a document that brings your risk identification and risk analysis, which we cover in this chapter, together in one place. There are many ways to lay out and present a Risk Management Plan. Your organisation may already have its own Risk Management Plan format, but as a manager you may sometimes need to introduce one where no system is in place, so it is important to know the key components.

A Risk Management Plan should include the following essential components:

  • Information about the scope of the risk assessment
  • Details of the risks identified
  • Risk register
  • Risk matrix
  • Details of the risk analysis and controls put in place to manage the risks.
Note

What is a Risk Register?

A risk register is discussed in more detail later in this topic. It forms part of the Risk Management Plan and is the place to record each risk that has been identified, the level of risk it presents to the organisation and the controls that have been put in place to manage it.

Example

Visit the following links to find some examples of different Risk Management Plan formats.


The brainstorming and information gathering techniques used during the risk identification phase in the previous chapter will have given you a list of the risks to the organisation and an understanding of the impact of each one.

You can now analyse each risk.

There are two types of risk analysis: quantitative and qualitative.

Figure: Types of risk analysis
Tip

Quantitative data is numbers-based, countable, or measurable. Qualitative data is interpretation-based, descriptive, and relating to language. Quantitative data tells us how many, how much, or how often in calculations. Qualitative data can help us to understand why, how, or what happened behind certain behaviors.

Quantitative risk analysis relies on data and numbers and is objective, whereas qualitative risk analysis is subjective and relies on the risk assessor forming an opinion about the level of risk based on the likelihood and consequences of the event occurring.

Qualitative risk analysis can be used to assess risks to budget, financial indicators, completion time, staff time usage, logistics and so on.

Website

'Qualitative risk analysis vs Quantitative Risk Analysis: What is the difference?'

Read more about the Qualitative versus Quantitative Risk.

Using a Risk Matrix

A Risk Matrix is used to analyse each risk to determine the level of risk it represents to the organisation. To analyse each risk, you will need to determine the likelihood of each one occurring – that is, the frequency or probability that it will occur. You will also need to determine the consequences or impact it would have on the organisation, project or activity if it did occur.

Level of Risk = Likelihood x Consequence

See an example of a Risk Matrix below which includes the Risk Likelihood on one axis and the Risk Consequence on the other axis.

Risk Matrix (Likelihood down the side, Consequences across the top)

Likelihood         | Negligible (1) | Minor (2)  | Moderate (3) | Major (4) | Catastrophic (5)
Very Likely (5)    | Low-Medium     | Medium     | Extreme      | Extreme   | Extreme
Likely (4)         | Low            | Medium     | High         | Extreme   | Extreme
Possible (3)       | Low            | Low-Medium | Medium       | High      | Extreme
Unlikely (2)       | Low            | Low        | Low-Medium   | Medium    | Medium
Very Unlikely (1)  | Low            | Low        | Low          | Low       | Low-Medium

Determine Likelihood of Risk

As the name suggests, this is the likelihood that the event will actually take place: the chance that it will occur. The example uses a Likelihood Scale from Very Likely to Very Unlikely, but your organisation may use a different scale. If you are designing a scale, choose one that is appropriate for the risks to be rated.

Determine Consequence of Risk

The risk consequence is the potential impact of the event taking place. It may be quantitative (based on money lost), qualitative (based on a descriptive scale) or a mix of both. The Consequence Scale used in the example runs from Negligible to Severe, but again this can be changed to suit the organisation’s specific needs. Likelihood and Consequence Scales can be customised to the context in which they are used, which may be operational performance, injury, financial implications, reputation or other factors.

Example scales are:

Likelihood
  • Very unlikely - may only occur in exceptional situations.
  • Unlikely - could occur at some time.
  • Possible - may occur at some time.
  • Likely - will probably occur in most situations.
  • Very likely - is expected to occur in most situations.

Consequences
  • Negligible - operational performance would not be affected.
  • Minor - slight inconvenience to, or difficulty in, operational performance.
  • Moderate - operational performance would be compromised.
  • Significant - effects would be felt across the entire organisation.
  • Severe - operational performance is compromised to the fullest extent and extremely detrimental to the organisation.


Assigning a Risk Rating

Once you know the level of each risk, the next step is to use the Risk Rating Table to evaluate each risk and assign a Risk Rating. Evaluating a risk means deciding how severe it is and how quickly action needs to be taken to address it. The Risk Rating is assigned from the score in the Risk Matrix. Below is an example of a Risk Rating Scale.

Risk Rating Scale Example

Risk Rating   Description   Action
15-25         Extreme       Needs immediate corrective action
11-14         High          Needs corrective action within 1 month
7-10          Medium        Needs corrective action within 3 months
5-6           Low-Medium    Determine whether corrective actions are required; consider risk monitoring
1-4           Low           Does not currently require corrective action

Prioritising Risks

Once each risk has a risk rating, you need to decide which risks the organisation should deal with first, ranking each one by its importance to the organisation. The risk ratings help you prioritise them.

When evaluating risks consider:

  • The risk rating.
  • The amount of control the organisation can have over the risk.
  • The importance to the business or project.
  • Potential losses caused by the risk occurring.
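The rule Level of Risk = Likelihood x Consequence, the Risk Rating Scale and the prioritisation step described above can be implemented directly. The Python below is an added example, not part of the course material: it encodes the page's likelihood and consequence scores and rating bands, regenerates the 5x5 Risk Matrix from them (so you can check that the matrix and the rating table agree), and ranks a small constructed register. The priority rule (risks in the same rating band share a priority number, as in the page's example register), the consequence aliases Significant/Major and Severe/Catastrophic, and the sample register entries are my assumptions.

```python
# Added example (not part of the original course material): compute
# Level of Risk = Likelihood x Consequence, assign a Risk Rating from the
# page's Risk Rating Scale, regenerate the 5x5 Risk Matrix from that rule,
# and prioritise a constructed Risk Register.
from dataclasses import dataclass, field

# Likelihood scores as used on the page's Risk Matrix.
LIKELIHOOD = {"Very Unlikely": 1, "Unlikely": 2, "Possible": 3, "Likely": 4, "Very Likely": 5}

# The page's matrix labels the top two consequence levels Major/Catastrophic and its
# example scale labels them Significant/Severe; both spellings map to the same score
# (assumption: they are the same level).
CONSEQUENCE = {"Negligible": 1, "Minor": 2, "Moderate": 3,
               "Significant": 4, "Major": 4, "Severe": 5, "Catastrophic": 5}
MATRIX_COLUMNS = ["Negligible", "Minor", "Moderate", "Major", "Catastrophic"]

# Risk Rating Scale from the page: (lowest score, highest score, rating, action).
RATING_SCALE = [
    (15, 25, "Extreme", "Needs immediate corrective action"),
    (11, 14, "High", "Needs corrective action within 1 month"),
    (7, 10, "Medium", "Needs corrective action within 3 months"),
    (5, 6, "Low-Medium", "Determine whether corrective actions are required, consider risk monitoring"),
    (1, 4, "Low", "Does not currently require corrective action"),
]
# 0 = Extreme ... 4 = Low; used to order risks by band when prioritising.
RATING_ORDER = {rating: i for i, (_, _, rating, _) in enumerate(RATING_SCALE)}


def level_of_risk(likelihood: str, consequence: str) -> int:
    """Level of Risk = Likelihood x Consequence, using the page's scores."""
    return LIKELIHOOD[likelihood] * CONSEQUENCE[consequence]


def risk_rating(score: int) -> str:
    """Map a 1-25 score onto its rating band; reject anything outside the scale."""
    for lo, hi, rating, _ in RATING_SCALE:
        if lo <= score <= hi:
            return rating
    raise ValueError(f"score {score} is outside the 1-25 rating scale")


def required_action(score: int) -> str:
    """The action column of the Risk Rating Scale for a given score."""
    for lo, hi, _, action in RATING_SCALE:
        if lo <= score <= hi:
            return action
    raise ValueError(f"score {score} is outside the 1-25 rating scale")


def build_matrix() -> dict:
    """Regenerate the Risk Matrix: rows are likelihood (most likely first), columns consequence."""
    rows = sorted(LIKELIHOOD, key=LIKELIHOOD.get, reverse=True)
    return {lik: {con: risk_rating(level_of_risk(lik, con)) for con in MATRIX_COLUMNS}
            for lik in rows}


@dataclass
class RegisterEntry:
    """One row of a Risk Register; level and rating are derived, never typed in by hand."""
    risk: str
    consequence: str
    likelihood: str
    existing_controls: list = field(default_factory=list)

    def score(self) -> int:
        return level_of_risk(self.likelihood, self.consequence)

    def rating(self) -> str:
        return risk_rating(self.score())


def prioritise(register: list) -> list:
    """Return (priority, entry) pairs, highest risk first.

    Priority is a dense rank of the rating band (assumption modelled on the page's
    register, where every Medium risk carries priority 3); within a band, higher
    scores come first and the sort is stable so register order breaks ties.
    """
    ranked = sorted(register, key=lambda e: (RATING_ORDER[e.rating()], -e.score()))
    result, priority, last_rating = [], 0, None
    for entry in ranked:
        if entry.rating() != last_rating:
            priority += 1
            last_rating = entry.rating()
        result.append((priority, entry))
    return result


# Constructed sample register using risks named in the page's example (scores are recomputed).
SAMPLE_REGISTER = [
    RegisterEntry("Fire or flood", "Severe", "Possible", ["Insurance", "Evacuation procedures"]),
    RegisterEntry("Loss of power for more than one day", "Moderate", "Possible",
                  ["Backup generator", "Insurance"]),
    RegisterEntry("Invoices not paid for more than 60 days", "Significant", "Possible",
                  ["Bookkeeper follow-ups as required"]),
    RegisterEntry("Machinery failure or breakdown", "Moderate", "Likely",
                  ["Insurance", "Backup supplies held in stock"]),
]

if __name__ == "__main__":
    print(f"{'Likelihood':<16}" + "".join(f"{c:<17}" for c in MATRIX_COLUMNS))
    for lik, row in build_matrix().items():
        print(f"{lik:<16}" + "".join(f"{row[c]:<17}" for c in MATRIX_COLUMNS))
    print()
    for priority, entry in prioritise(SAMPLE_REGISTER):
        print(f"{priority}  {entry.rating():<10} ({entry.score():>2})  {entry.risk}")
```

Deriving the level and rating from the scores, rather than copying them into the register by hand, catches transcription slips when a register is updated, and a score outside 1-25 raises an error instead of silently landing in a band.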

This is where the Risk Register that forms part of your Risk Management Plan starts to take shape.

The Risk Register is a record of everything you have captured so far during risk identification and analysis.

A Risk Register should record:

  • The risk identified
  • The consequence and likelihood of the risk
  • The existing controls in place
  • Level of risk
  • Risk priority

Example

The example below shows the start of a completed risk register.

Risk Register (example)

Risk identified: Fire or flood
  Potential impact: Potential for injury, risk to buildings, assets, shutdown operations
  Consequence: Extreme (5)    Likelihood: Possible (3)
  Existing controls:
    • Insurance
    • Evacuation plan out of date
    • Evacuation procedures
  Level of risk: Extreme (15)    Risk priority: 1

Risk identified: Loss of power for more than one day
  Potential impact: Shutdown operations, inability to service customers
  Consequence: Moderate (3)    Likelihood: Possible (3)
  Existing controls:
    • Backup generator
    • Insurance
  Level of risk: Medium (9)    Risk priority: 3

Risk identified: Loss of water for more than one day
  Potential impact: Staff unable to attend offices, loss of wages
  Consequence: Moderate (3)    Likelihood: Possible (3)
  Existing controls:
    • Insurance
  Level of risk: Medium (9)    Risk priority: 3

Risk identified: Invoices not paid for more than 60 days
  Potential impact: Unpaid invoices, profit and loss margins affected, cashflow affected
  Consequence: Significant (4)    Likelihood: Possible (3)
  Existing controls:
    • Statements sent out on an ad hoc basis only. Overdue invoices not always actively followed up.
    • Bookkeeper follows up as required but not systematically.
  Level of risk: High (12)    Risk priority: 2

Risk identified: Brand fatigue
  Potential impact: Lack of engagement by customers, failure to attract new customers
  Consequence: Significant (4)    Likelihood: Possible (3)
  Existing controls:
    • Marketing department approvals not centralised. Sometimes the same image is used.
  Level of risk: High (12)    Risk priority: 2

Risk identified: Not able to meet supplier payments and pay obligations when they become due
  Potential impact: Poor cashflow
  Consequence: Severe (5)    Likelihood: Unlikely (2)
  Existing controls:
    • Management have regular meetings to manage cash flow.
    • Back-up funds.
  Level of risk: Medium (10)    Risk priority: 3

Risk identified: Staff not providing the right information to customers
  Potential impact: Low customer satisfaction
  Consequence: Significant (4)    Likelihood: Likely (4)
  Existing controls:
    • Training at induction.
    • Customer service training and support as required.
    • Some resources available but not centralised.
  Level of risk: Extreme (15)    Risk priority: 1

Risk identified: Low customer satisfaction due to poor quality of product
  Potential impact: Loss of business, failure to attract repeat business
  Consequence: Significant (4)    Likelihood: Unlikely (2)
  Existing controls:
    • Quality assurance procedures
    • Customer service feedback regularly monitored
    • Escalated when scores are less than 5
  Level of risk: Medium (8)    Risk priority: 3

Risk identified: Machinery failure or breakdown
  Potential impact: Unable to continue work for the entire department, loss of wages and productivity
  Consequence: Moderate (3)    Likelihood: Likely (4)
  Existing controls:
    • Insurance
    • Backup supplies held in stock
  Level of risk: Extreme (5)    Risk priority: 2

Next, watch a video explaining what a risk register is and what information you need to put into it.


Once risks have been identified and analysed, they need to be controlled or treated. This involves working through the options for treating the unacceptable risks. These risks will range in severity: some will require immediate treatment, while others can be treated later or monitored.

It is unlikely that an organisation will have all of the necessary resources to eliminate all identified risks, so you should use the organisation’s established framework when prioritising risks and choosing treatment options.

Treating Risks

The options commonly used for risk treatment are listed below; which of them are available will depend on the organisation’s risk management framework and associated policies and procedures.

Avoid the Risk

This means deciding to avoid the activity that creates the risk altogether and choosing an alternative route to achieve the same or a similar outcome.

Factors to consider:

  1. What will happen if we do not proceed with the activity due to the risks involved?
  2. Is the cost higher than the benefits?
Reduce the Risk

Reduce the likelihood of the risk occurring or reduce the consequences of the occurrence.

The risk could be reduced by:

  1. Preventative maintenance.
  2. Quality control processes.
  3. Changes to systems and processes.
  4. Staff training procedures.
  5. Regular maintenance.
Transfer the Risk

Sharing or transferring the risk to another party may be another option for risk management. This might be through insurance, outsourcing, or partnerships.

Accept the Risk

You may decide to accept the risk if it can’t be avoided, reduced or transferred.

Hierarchy of Control

Figure: Hierarchy of control pyramid

The hierarchy of controls is a system used to remove or reduce risks. Each step in the pyramid can be considered, but the control measures at the top of the pyramid are the most effective and should be considered first before moving down.

Elimination

Elimination involves physically removing the risk, such as bringing a piece of equipment down to ground level to work on it rather than having a worker climb up to work on it at height, or not going ahead with a business activity because it is too risky.

Substitution

Substitution means removing a risk by replacing its source with something that is either less likely to cause harm or less severe in its consequences, for example replacing a noisy piece of machinery with a quieter one, or a toxic chemical with a less toxic one.

Isolation

Risk isolation is achieved by placing a barrier between the risk and the organisation or the employee. The key difference from elimination is that the risk is still present, but a barrier shields the person from the hazard. An example would be placing dangerous equipment in a separate room or area away from the rest of the employees.

Engineering Controls

This step involves designing additional safety measures and features into workplace equipment to reduce the risks, for example installing safety guards to prevent a hand or finger being cut off.

Administrative Controls

These measures involve policies, procedures and processes introduced to reduce the likelihood of a risk occurring, such as training, procedures targeted at specific risks, and signs and labels that raise awareness of hazards.

Personal Protective Equipment

The final step on the hierarchy of control is the use of personal protective equipment. This includes wearing gloves, masks and protective clothing that can reduce the risk of injury.

Website

Read the article on The Top 50 Business Risk and How to Manage Them, for more ideas about common risks in a business.


A Risk Treatment Schedule is the section of your Risk Management Plan in which you work through each risk and identify the potential treatment options. From your risk analysis you will know what risk controls, if any, are currently in place; now you need to work out what additional measures (controls) you can put in place to reduce or mitigate the risk.

Figure: Risk management plan and risk treatment schedule

Remember, this is another important phase where consultation with your stakeholders is crucial. Gathering feedback on your Risk Register so far and on your possible treatment options ensures you have all the available information to work with.

Once you know the possible treatment options, agree with your stakeholders which ones to move forward with. This may be based on the treatments most likely to succeed in reducing or mitigating the risk, or on budgetary constraints or other factors.

The Risk Treatment Schedule should record:

  • The possible treatments for each risk
  • The chosen treatments
  • The Risk Rating before treatment
  • The Risk Rating after treatment
  • Who is responsible for putting the controls in place
  • When the controls will be put in place
  • How the risk will be monitored.
Example

Below is an example showing a number of completed entries in a Risk Treatment Schedule and Plan.

Risk Treatment Schedule & Plan (example)

Risk: Fire or flood
  Possible treatments:
    • Ensure insurance covers fire and flood (1)
    • Ensure data is backed up (2)
    • Emergency plans are in place (3)
    • All staff are trained on evacuation plans (4)
  Selected treatments:
    • Ensure insurance covers fire and flood (1)
    • Ensure data is backed up (2)
    • Emergency plans are in place (3)
    • All staff are trained on evacuation plans (4)
  Risk rating before treatment: Extreme (10)    Risk rating after treatment: Extreme (10)
  Responsibility: Henry Thomas    Timeframe: January 2022
  Plan for monitoring:
    • Ensure insurance cover is in place each year to cover fire and flood.
    • Emergency plans must be checked annually.
    • Health and safety policies and procedures must be reviewed annually.
    • Staff induction records must include sign-off for evacuation.

Risk: Loss of power for more than one day
  Possible treatments:
    • Buy generator (1)
    • Set up so staff are quickly able to mobilise to WFH (2)
    • Set up phones to VOIP (3)
  Selected treatments:
    • Set up so staff are quickly able to mobilise to WFH (1)
    • Set up phones to VOIP (2)
  Risk rating before treatment: Medium (9)    Risk rating after treatment: Low (3)
  Responsibility: Henry Thomas    Timeframe: April 2022
  Plan for monitoring:
    • Ensure VOIP phones work for all staff.
    • Ensure staff have a working home office space.
    • Complete home office safety checks for all staff.

Risk: Loss of water for more than one day
  Possible treatments:
    • Set up so staff are quickly able to mobilise to WFH (1)
    • Set up phones to VOIP (2)
  Selected treatments:
    • Set up so staff are quickly able to mobilise to WFH (1)
    • Set up phones to VOIP (2)
  Risk rating before treatment: Medium (9)    Risk rating after treatment: Low (3)
  Responsibility: Henry Thomas    Timeframe: April 2022
  Plan for monitoring:
    • Ensure VOIP phones work for all staff.
    • Ensure staff have a working home office space.
    • Complete home office safety checks for all staff.

Risk: Invoices not paid for more than 60 days
  Possible treatments:
    • Statements sent every 14 days (1)
    • Warnings and reminders sent after 20 days (2)
    • Phone call from bookkeeper at 30 days (3)
    • Debt collectors used at 40 days (4)
    • Phone call from bookkeeper at 40 days (5)
    • Debt collectors used at 60 days (6)
  Selected treatments:
    • Statements sent every 14 days (1)
    • Warnings and reminders sent after 20 days (2)
    • Phone call from bookkeeper at 30 days (3)
    • Debt collectors used at 60 days (6)
  Risk rating before treatment: High (12)    Risk rating after treatment: Low-Medium (6)
  Responsibility: Wi Zhang    Timeframe: March 2022
  Plan for monitoring:
    • Check statements are being sent via Xero each quarter.
    • Check aged receivables reports at EOM.

Risk: Staff not providing the right information to customers
  Possible treatments:
    • Performance management (1)
    • Additional resources for staff (2)
    • Monthly training sessions for client services staff (3)
    • Modify induction program for client services staff (4)
    • Monitor phone calls (5)
  Selected treatments:
    • Additional resources for staff (2)
    • Monthly training sessions for client services staff (3)
    • Modify induction program for client services staff (4)
  Risk rating before treatment: Extreme (10)    Risk rating after treatment: Unlikely (8)
  Responsibility: Henry Thomas    Timeframe: February 2022
  Plan for monitoring:
    • Monitor feedback from customers every 3 months to ensure satisfaction about information.

Action plans are the final step in putting your risk controls in place; they help ensure that everything in the treatment plan is actually implemented effectively.

Action plans answer the following key questions:

  1. What needs doing?
  2. Who is going to do it?
  3. How is it going to be done?
  4. By what date will it be done?
  5. What is the budget?

A Risk Action Plan may look like the following, although again your organisation may have its own way of recording the actions that need to be taken.

Note

Remember to communicate with relevant stakeholders about the Risk Treatment Schedule and Action Plans so they know their role in helping implement the controls.

Risk Action Plan
Date 10 November 2021
Risk Staff not providing the right information to customers
Recommended Treatment and Impact
  • Additional resources for staff
  • Monthly training sessions for client services staff
  • Modify induction program for client services staff
Actions Required
  • Develop a slideshow with a summary of product and service information for client services staff so that all information is in one place
  • Update induction materials to ensure that client services staff spend at least two full days learning product and service information
  • Update induction checklist
  • Schedule 1 hour training session with client services and business development team every month to ensure sales and client services team are on same page
  • Develop feedback tool to monitor feedback from customers
Resources Required
  • 40 hours to update client services information and update induction materials
  • 1 hour per month for the client services and BD team
Responsibilities
  • Henry Thomas to coordinate actions
  • Glenda Williams to refine induction materials and checklist in conjunction with Henry Thomas
  • Henry Thomas to organise monthly training
Timeframe
  • All actions due by February 2022
Reporting/Monitoring
  • Monitor feedback from customers every three months to ensure satisfaction about information.
Completed? Henry Thomas, 5th February 2021


Having identified all the risks, worked out the controls and put them in place through the planned actions, you have not reached the end of the risk management process. Businesses change every day and the operating environment can change quickly, so risks need to be monitored.

Monitoring risk means tracking all the identified risks and ensuring that the risk mitigation actions – your controls – are still working. Part of having a framework for risk management means having a structure for how often you will review your risks, what to monitor and how changes will be reported.

Figure: Monitoring risks

How and When to Monitor Risk

Many organisations have a process for conducting a formal risk assessment on a regular schedule. Often this is annual, although higher-risk environments may need it more often, and risk assessments for particular processes or activities may be carried out monthly, weekly or even daily.

Risk Triggers

However, we cannot always leave monitoring our risks to the annual risk assessment. We also need to think about triggers that might cause a risk to occur, and about indicators within the business that signal a risk event has occurred or is occurring.

For example, suppose you have identified the risk that customer service staff regularly give customers incorrect information, but have no way of monitoring whether this is actually starting to happen. By the time no one is calling the business any more, or you are receiving hundreds of negative reviews on social media, it is too late. You need ways of monitoring this risk much earlier so that additional controls can be put in place if the current ones are not working.

Changes to Risk

As the example above shows, we cannot leave changes in the risk environment to an annual risk assessment either. Risk identification, control implementation and monitoring therefore need to be seen as an ongoing part of business activities, and managers and staff need to be trained to identify risks and to recognise when things have changed. If controls that have been put in place are not working, they need to be addressed as soon as this is identified, not left for the annual review.

Reporting New Risks

Just as with changes to risks, new risks can enter the business environment at any time. This might be because of a new business activity being undertaken, a new competitor in the market, something that was missed in the original risk assessment or a change in the external environment. New risks should be identified and addressed at the time and strategies put in place to control the risk.

Evaluation of Risk Management Processes

Evaluating risk management processes is different from evaluating risks. An evaluation of the risk management process is not done frequently; it is undertaken periodically as an audit.

Questions to be asked when making an evaluation of risk management processes include:

  1. Have objectives been met?
  2. Have risks decreased?
  3. Are processes sufficient?
  4. Has implementation gone according to plan?
  5. Are stakeholders happy?
  6. Have risk management costs decreased?
  7. Are measurements accurate?

Once an evaluation has been completed, improvements can be made to the current process.

Q1. Explain whether you always need to use the same Risk Matrix or not, and why?

Q2. At what stage of the risk analysis process is a Risk Matrix used?

Q3. What is meant by controlling and treating a risk?

Q4. Briefly summarise how the hierarchy of control can be used to help you manage risks.

Q5. In your own words, explain the difference between qualitative and quantitative risk analysis.

Q6. Describe three strategies you could use to monitor risks in an organisation.
