What is the typical risk analysis process? | 1. Establish the context.
2. Identify risks.
3. Analyse risks.
4. Evaluate risks.
5. Treat risks. |
What is included in "establishing the context"? | The internal context; The external context; The risk management context; Develop criteria; Define the structure
(Many organisations have a risk management policy, identified priority risk categories and corresponding risk management strategies defined in a corporate framework document; AS ISO 31000:2018) |
What is included in "identify risks"? | What can happen? When and where? How and why?
Best suited to a workshop environment. |
What is included in "analyse risks"? | Identify existing controls.
Determine Consequences; Determine Likelihood; Determine level of risk |
What is included in "evaluate risks"? | Compare against criteria; Set priorities |
What is included in "treat risks"? | Identify options; Assess options; Prepare and implement treatment plans; Analyse and evaluate residual risk |
What is a hazard? | An event, situation or state that may give rise to a risk. |
What is a risk? | The chance of something happening that will have an impact on an organisation or person’s ability to achieve business or personal objectives. |
What is a control measure? | An action taken to reduce the frequency and/or the severity of a risk. |
What is the consequence of a risk occurring quantified by? | - commercial terms (loss of $ value, replacement value),
- environmental terms (such as contamination of a wetland),
- social terms (loss of amenity).
Monetising all consequences is useful for combining a total impact. However, some consequences are difficult to monetise (such as loss of an ecological species). |
How are risks ranked? | Using the likelihood and consequence of a risk occurring (each 1-5)
Rated from extreme, high, medium to low. |
What is the hierarchy of control measures in order of effectiveness? | 1. Eliminate or avoid the hazard or issue that is creating the risk
2. Control the risk to an acceptable level & manage
3. Transfer the risk to another party who can better manage the risk
4. Accept the risk and manage it closely |
What does AS ISO 31000:2018 say about dealing with risk? | Risk treatment options are not necessarily mutually exclusive or appropriate in all circumstances.
Options for treating risk may involve one or more of the following:
– avoiding the risk by deciding not to start or continue with the activity that gives rise to the risk;
– taking or increasing the risk in order to pursue an opportunity;
– removing the risk source;
– changing the likelihood;
– changing the consequences;
– sharing the risk (e.g. through contracts, buying insurance);
– retaining the risk by informed decision |
What does ALARP stand for? | as low as reasonably practicable |
What are the four risk ratings? | Active management,
Control critical,
Periodic monitoring,
No major concern |
What is "active management"? | • Unsatisfactory controls in place.
• High likelihood & consequence ratings.
• Must have documented action plan. |
What is "control critical"? | • Good controls in place.
• High likelihood & consequence ratings.
• Careful management to maintain control effectiveness.
• Must have documented action plan. |
What is "periodic monitoring"? | • Satisfactory to poor controls in place.
• Low likelihood & consequence ratings.
• May have documented action plan. |
What does "no major concern" involve as a risk rating? | • Good controls in place.
• Low likelihood & consequence ratings.
• Documented action plan if other benefits accrue. |
What does a risk register involve? | • It can be used to filter risks, track progress, document action plans;
• It is useful for risk owners, auditors, managers, directors;
• It can be tailored to a reader’s particular need for detail;
• Each business group within an organisation can have its own risk register, linked upwards to corporate policy level risks. |
How are control measures classified? | “Proactive” (affect the likelihood of an event occurring), or “Reactive” (affect the level or duration of consequences) |
What resources can you use to undertake the risk analysis process? | • People with particular knowledge & previous relevant experience;
• Corporate policy, guidelines and manuals (context);
• Records of previous events or incidents (such as historical records, insurance reports, legal or governmental enquiries);
• Reports about the planning & implementation of similar projects;
• Outputs from brainstorming workshops using people with a wide range of expertise & experience. |