More than OH&S Definitions of Risk “Risk is virtually anything that threatens or limits the ability of a community or non-profit organisation to achieve its mission.” OR “Effect of uncertainty on objectives” Reference: AS/NZS/ISO 31000 Risk Management 2009 Definitions continued “It can be unexpected and unpredictable events such as destruction of a building, the wiping of all your computer files, loss of funds through theft or an injury to a member or visitor who trips on a slippery floor and decides to sue. Any of these or a million other things can happen, and if they do they have the potential to damage your organisation, cost you money, or in a worst case scenario, cause your organisation to close.” 5 Key steps in Risk Assessment 1. Establish the context 2. Identify risk/s 3. Analyse Risk (Likelihood and Consequence) 4. Evaluating Risk 5. Monitor and Review The Risk Management Process Establishing a context What relationships does the organisation have and how important are these? What laws, regulations, rules or standards apply to your organisation? What are the aims and objectives of the organisation? Who is involved with the organisation - internally and externally? What are your organisation's capabilities? What are you currently doing for risk management either formally or informally? Have you established some criteria for your organisation that defines what level of risk is acceptable? Identifying Risk Whole of organisation Brain Storm: What is at risk and what will the effect be? What can happen? When, where, why and how might this occur? Who and what might be involved? What and the effects and who is affected? What are we doing about this now? Analysing Risk What is the likelihood of the risk occurring and what is the consequence of that outcome? High probability /Low impact High Probability /High Impact Low probability /Low impact Low Probability /High Impact Likelihood rating A - Frequent - Likely to occur frequently B - Probable - would occur but not frequently C - Occasional - could happen occasionally D - Remote - Rare, not likely but possible E - Improbable - Highly unlikely but still possible Consequence/Severity rating A - Catastrophic - may result in death or loss of bodily functions B - Critical - may cause severe injury, illness C - Marginal - may cause injury or illness resulting in loss of work as an example D - Negligible - may cause minor injury or illness Evaluating Risk It’s about “determining whether the level of risk is acceptable or unacceptable”. It “enables priorities to be established that equate to an appropriate level of risk.” Options include: Treating, accepting, avoiding, reducing and/or transferring the risk Monitor and Review Monitoring = “Continual assessment of what has been implemented” Review = “A periodic assessment of the effectiveness and environment” E – Extreme risk – detailed action plan required H - High risk – needs senior management attention M – Medium risk – specify management responsibility L – Low risk – manage by routine procedures High or Extreme risks must be reported to Senior Management and require detailed treatment plans to reduce the risk to Low or Medium. Probability: Insignificant Minor Moderate Major Catastrophic 1 2 3 4 5 M H H E E Historical: Is expected to occur in >1 in 10 most 5 circumstanc Almost Certain es Will probably 1 in 10 - 100 occur 4 Likely M M H H E 3 Possible L M M H E 2 Unlikely L M M H H 1 Rare L L M M H Likelihood Might occur 1 in 100 – 1,000 1 in 1,000 – 10,000 at some time in the future Could occur but doubtful May occur but only in 1 in 10,000 – exceptional 100,000 circumstanc es Consequence Injuries or ailments not People requiring medical treatment. Reputation Internal Review Minor errors in systems or Business Process & Systems processes requiring corrective action, or minor delay without impact on overall schedule. Financial Minor injury or First Aid Treatment Case. Serious injury causing Life threatening injury or hospitalisation or multiple multiple serious injuries medical treatment cases. causing hospitalisation. Scrutiny required by Scrutiny required by external internal committees or committees or ACT Auditor internal audit to prevent General’s Office, or inquest, escalation. etc. Policy procedural rule occasionally not met or services do not fully meet needs. One or more key accountability requirements not met. Inconvenient but not client welfare threatening. Death or multiple life threatening injuries. Intense public, political and Assembly inquiry or media scrutiny. Eg: front Commission of inquiry or page headlines, TV, etc. adverse national media. Strategies not consistent Critical system failure, bad with Government’s agenda. policy advice or ongoing Trends show service is non-compliance. Business degraded. severely affected. 1% of Budget 2.5% of Budget > 5% of Budget > 10% of Budget >25% of Budget or <$5K or <$50K or <$500K or <$5M or >$5M An example of risk assessment not solely focussed on OHS Identifying and Analysing Risks THE RISK SOURCE IMPACT CURRENT CONTROL STRATEGIES WHAT CAN HAPPEN? HOW CAN THIS HAPPEN FROM EVENT HAPPENING AND THEIR EFFECTIVENESS CURRENT RISK LEVEL (A) –Adequate ACCEPTABILITY (A/U) CURRENT RISK LEVEL CONSEQUENCE (I) – Indadequate LIKELIHOOD RISK REFERENCE (M) – Moderate Risk Treatment Schedule and Action Plan POTENTIAL TREATMENT OPTIONS COSTS & BENEFITS IS THE TREATMENT TO BE TARGET RISK IMPLEMENTED RESPONSIBLE PERSON LEVEL (Y/N) TIMETABLE MONITORING For strategies to implementation measure TARGET LEVEL CONSEQUENCE Treatments LIKELIHOOD RISK REFERENCE effectiveness of Risk