Step 1 – Communicate and Consult
A consultative approach may:
- help establish the context appropriately;
- ensure that the interests of stakeholders are understood and considered;
- help ensure that risks are adequately identified;
- bring different areas of expertise together for analysing risks;
- ensure that different views are appropriately considered when defining risk criteria and in evaluating risks;
- secure endorsement and support for a treatment plan;
- enhance appropriate change management during the risk management process; and
- develop an appropriate external and internal communication and consultation plan.
Step 2 – Establish the Context Internal
The risk management process should be aligned with the school’s culture, processes, structure and strategy. Internal context is anything within the organisation that can influence the way in which it will manage risk. It should be established because:
- risk management takes place in the context of the objectives of the organisation;
- objectives and criteria of a particular project, process or activity should be considered in the light of objectives of the organisation as a whole; and
- some organisations fail to recognise opportunities to achieve their strategic, project or business objectives, and this affects ongoing organisational commitment, credibility, trust and value.
It is necessary to understand the internal context. This can include, but is not limited to:
- governance, organizational structure, roles and accountabilities;
- policies, objectives, and the strategies that are in place to achieve them;
- capabilities, understood in terms of resources and knowledge (e.g. capital, time, people, processes, systems and technologies);
- the relationships with and perceptions and values of internal stakeholders;
- the organisational culture;
- information systems, information flows and decision making processes (both formal and informal);
- standards, guidelines and models adopted by the NT business; and
- form and extent of contractual relationships.
Step 2 – Establish the Context External
The external context can include, but is not limited to:
- the social and cultural, political, legal, regulatory, financial, technological, economic, natural and competitive environment, whether international, national, regional or local;
- key drivers and trends having impact on the objectives of the business; and
- relationships with, perceptions and values of external stakeholders.
Step 3.1 – Risk Identification
Identify sources of risk, areas of impacts, events (including changes in circumstances) and their causes and their potential consequences. It is important to identify the risks associated with not pursuing an opportunity.
Include risks whether or not their source is under the control of the school, even though the risk source or cause may not be evident. Identification should include examination of the knock-on effects of particular consequences, including cascade and cumulative effects.
Apply risk identification tools and techniques that are suited to the school's objectives and capabilities, and to the risks faced. Relevant and up-to-date information is important in identifying risks.
Step 3.2 – Risk analysis
Risk analysis provides an input to risk evaluation and to decisions on whether risks need to be treated, and on the most appropriate risk treatment strategies and methods. Risk analysis can also provide an input into making decisions where choices must be made and the options involve different types and levels of risk.
Risk analysis involves consideration of the sources of risk, their positive and negative consequences, and the likelihood that those consequences can occur. Factors that affect consequences and likelihood should be identified. Existing controls and their effectiveness and efficiency should also be taken into account.
The way in which consequences and likelihood are expressed and the way in which they are combined to determine a level of risk should reflect the type of risk, the information available and the purpose for which the risk assessment output is to be used.
Step 3.3 – Risk Evaluation
The purpose of risk evaluation is to assist in making decisions, based on the outcomes of risk analysis, about which risks need treatment and the priority for treatment implementation.
Risk evaluation involves comparing the level of risk found during the analysis process with risk criteria established when the context was considered. Based on this comparison, the need for treatment can be considered.
Decisions should take account of the wider context of the risk and include consideration of the tolerance of the risks borne by parties other than the organization that benefits from the risk. Decisions should be made in accordance with legal, regulatory and other requirements.
In some circumstances, the risk evaluation can lead to a decision to undertake further analysis. The risk evaluation can also lead to a decision not to treat the risk in any way other than maintaining existing controls. This decision will be influenced by the organization’s risk attitude and the risk criteria that have been established.
Step 4 – Risk Treatment
Risk treatment involves a cyclical process of:
- assessing a risk treatment;
- deciding whether residual risk levels are tolerable;
- if not tolerable, generating a new risk treatment; and
- assessing the effectiveness of that treatment.
Risk treatment options are not necessarily mutually exclusive or appropriate in all circumstances. The options can include the following:
- avoiding the risk by deciding not to start or continue with the activity that gives rise to the risk;
- taking or increasing the risk in order to pursue an opportunity;
- removing the risk source;
- changing the likelihood;
- changing the consequences;
- sharing the risk with another party or parties (including contracts and risk financing); and
- retaining the risk by informed decision.
The purpose of risk treatment plans is to document how the chosen treatment options will be implemented. The information provided in treatment plans should include:
- the reasons for selection of treatment options, including expected benefits to be gained;
- those who are accountable for approving the plan and those responsible for implementing the plan;
- proposed actions;
- resource requirements including contingencies;
- performance measures and constraints;
- reporting and monitoring requirements; and
- timing and schedule.
Treatment plans should be integrated with the management processes of the business and discussed with appropriate stakeholders.
Residual risk should be documented and subjected to monitoring, review and, where appropriate, further treatment.
Step 5 – Monitor and Review
Both monitoring and review should be a planned part of the risk management process and involve regular checking or surveillance. It can be periodic or ad hoc.
Monitoring and review processes should encompass all aspects of the risk management process for the purposes of:
- ensuring that controls are effective and efficient in both design and operation;
- obtaining further information to improve risk assessment;
- analysing and learning lessons from events (including near-misses), changes, trends, successes and failures;
- detecting changes in the external and internal context, including changes to risk criteria and the risk itself which can require revision of risk treatments and priorities; and
- identifying emerging risks.