Principles of Risk Management for schools ISO 31000:2009 Risk Management

By Outback Safety / 1 July 2015

Risk management (RM) is:

  • a systematic process of threat identification, assessment and control
  • which seeks to prevent or minimise the potential consequences to school activities
  • without diminishing the curriculum’s intent.


Principle 1: Risk management creates and protects value.

Risk management contributes to the demonstrable achievement of objectives and improvement of performance in, for example, human health and safety, security, legal and regulatory compliance, public acceptance, environmental protection, product quality, project management, efficiency in operations, governance and reputation.

Principle 2: Risk management is an integral part of all organizational processes.

Risk management is not a stand-alone activity that is separate from the main activities and processes of the organization. Risk management is part of the responsibilities of management and an integral part of all organizational processes, including strategic planning and all project and change management processes.

Principle 3: Risk management is part of decision making.

Risk management helps decision makers make informed choices, prioritize actions and distinguish among alternative courses of action.

Principle 4: Risk management explicitly addresses uncertainty.

Risk management explicitly takes account of uncertainty, the nature of that uncertainty, and how it can be addressed.

Principle 5: Risk management is systematic, structured and timely.

A systematic, timely and structured approach to risk management contributes to efficiency and to consistent, comparable and reliable results.

Principle 6: Risk management is based on the best available information.

The inputs to the process of managing risk are based on information sources such as historical data, experience, stakeholder feedback, observation, forecasts and expert judgement.

However, decision makers should inform themselves of, and should take into account, any limitations of the data or modelling used or the possibility of divergence among experts.

Principle 7: Risk management is tailored.

Risk management is aligned with the school’s external and internal context and risk profile.

Principle 8: Risk management takes human and cultural factors into account.

Risk management recognises the capabilities, perceptions and intentions of external and internal people that can facilitate or hinder achievement of the school’s objectives.

Principle 9: Risk management is transparent and inclusive.

Appropriate and timely involvement of stakeholders and, in particular, decision makers at all levels of the school, ensures that risk management remains relevant and up-to-date. Involvement also allows stakeholders to be properly represented and to have their views taken into account in determining risk criteria.

Principle 10: Risk management is dynamic, iterative and responsive to change.

Risk management continually senses and responds to change. As external and internal events occur, context and knowledge change, monitoring and review of risks take place, new risks emerge, some change, and others disappear.

Principle 11: Risk management facilitates continual improvement of the school.

Schools should develop and implement strategies to improve their risk management maturity alongside all other aspects of their school.

5 Steps to introducing risk management for the Northern Territory based business

By Outback Safety / 21 June 2015

Step 1 – Communicate and Consult

A consultative approach may:

  • help establish the context appropriately;
  • ensure that the interests of stakeholders are understood and considered;
  • help ensure that risks are adequately identified;
  • bring different areas of expertise together for analysing risks;
  • ensure that different views are appropriately considered when defining risk criteria and in evaluating risks;
  • secure endorsement and support for a treatment plan;
  • enhance appropriate change management during the risk management process; and
  • develop an appropriate external and internal communication and consultation plan.

Step 2 – Establish the Context Internal

The risk management process should be aligned with the school’s culture, processes, structure and strategy. Internal context is anything within the organisation that can influence the way in which it will manage risk. It should be established because:

  • risk management takes place in the context of the objectives of the organisation;
  • objectives and criteria of a particular project, process or activity should be considered in the light of objectives of the organisation as a whole; and
  • some organisations fail to recognise opportunities to achieve their strategic, project or business objectives, and this affects ongoing organisational commitment, credibility, trust and value.

It is necessary to understand the internal context. This can include, but is not limited to:

  • governance, organizational structure, roles and accountabilities;
  • policies, objectives, and the strategies that are in place to achieve them;
  • capabilities, understood in terms of resources and knowledge (e.g. capital, time, people, processes, systems and technologies);
  • the relationships with and perceptions and values of internal stakeholders;
  • the organisational culture;
  • information systems, information flows and decision making processes (both formal and informal);
  • standards, guidelines and models adopted by the NT business; and
  • form and extent of contractual relationships.

Step 2 – Establish the Context External

The external context can include, but is not limited to:

  1. the social and cultural, political, legal, regulatory, financial, technological, economic, natural and competitive environment, whether international, national, regional or local;
  2. key drivers and trends having impact on the objectives of the business; and
  3. relationships with, perceptions and values of external stakeholders.

Step 3.1 – Risk Identification

Identify sources of risk, areas of impacts, events (including changes in circumstances) and their causes and their potential consequences. It is important to identify the risks associated with not pursuing an opportunity.

Include risks whether or not their source is under the control of the school, even though the risk source or cause may not be evident. Identification should include examination of the knock-on effects of particular consequences, including cascade and cumulative effects.

Apply risk identification tools and techniques that are suited to the organisation’s objectives and capabilities, and to the risks faced. Relevant and up-to-date information is important in identifying risks.

Step 3.2 – Risk analysis

Risk analysis provides an input to risk evaluation and to decisions on whether risks need to be treated, and on the most appropriate risk treatment strategies and methods. Risk analysis can also provide an input into making decisions where choices must be made and the options involve different types and levels of risk.

Risk analysis considers the sources of risk, their positive and negative consequences, and the likelihood that those consequences can occur. Factors that affect consequences and likelihood should be identified. Existing controls and their effectiveness and efficiency should also be taken into account.

The way in which consequences and likelihood are expressed and the way in which they are combined to determine a level of risk should reflect the type of risk, the information available and the purpose for which the risk assessment output is to be used.

Step 3.3 – Risk Evaluation

The purpose of risk evaluation is to assist in making decisions, based on the outcomes of risk analysis, about which risks need treatment and the priority for treatment implementation.

Risk evaluation involves comparing the level of risk found during the analysis process with risk criteria established when the context was considered. Based on this comparison, the need for treatment can be considered.

Decisions should take account of the wider context of the risk and include consideration of the tolerance of the risks borne by parties other than the organization that benefits from the risk. Decisions should be made in accordance with legal, regulatory and other requirements.

In some circumstances, the risk evaluation can lead to a decision to undertake further analysis. The risk evaluation can also lead to a decision not to treat the risk in any way other than maintaining existing controls. This decision will be influenced by the organization’s risk attitude and the risk criteria that have been established.

Step 4 – Risk Treatment

Risk treatment involves a cyclical process of:

  • assessing a risk treatment;
  • deciding whether residual risk levels are tolerable;
  • if not tolerable, generating a new risk treatment; and
  • assessing the effectiveness of that treatment.

Risk treatment options are not necessarily mutually exclusive or appropriate in all circumstances. The options can include the following:

  1. avoiding the risk by deciding not to start or continue with the activity that gives rise to the risk;
  2. taking or increasing the risk in order to pursue an opportunity;
  3. removing the risk source;
  4. changing the likelihood;
  5. changing the consequences;
  6. sharing the risk with another party or parties (including contracts and risk financing); and
  7. retaining the risk by informed decision.

The purpose of risk treatment plans is to document how the chosen treatment options will be implemented. The information provided in treatment plans should include:

  • the reasons for selection of treatment options, including expected benefits to be gained;
  • those who are accountable for approving the plan and those responsible for implementing the plan;
  • proposed actions;
  • resource requirements including contingencies;
  • performance measures and constraints;
  • reporting and monitoring requirements; and
  • timing and schedule.

Treatment plans should be integrated with the management processes of the business and discussed with appropriate stakeholders.

Residual risk should be documented and subjected to monitoring, review and, where appropriate, further treatment.

Step 5 – Monitor and Review

Both monitoring and review should be a planned part of the risk management process and involve regular checking or surveillance. It can be periodic or ad hoc.

Monitoring and review processes should encompass all aspects of the risk management process for the purposes of:

  1. ensuring that controls are effective and efficient in both design and operation;
  2. obtaining further information to improve risk assessment;
  3. analysing and learning lessons from events (including near-misses), changes, trends, successes and failures;
  4. detecting changes in the external and internal context, including changes to risk criteria and the risk itself which can require revision of risk treatments and priorities; and
  5. identifying emerging risks.

Why bother with operational risk management in the Northern Territory?

By Outback Safety / 15 June 2015

We are in the Territory, we do not need risk management? We love the danger, right? Here are some reasons and quotes why you might change your mind and help convince others:

  • Increase risk awareness – What could affect the achievement of objectives? What could change? What could go wrong? What could go right?
  • Increase understanding of risk – sensitivities. What makes my risks increase/decrease/disappear?
  • Promote a “healthy” risk culture – It’s safe to talk about risk. Open and transparent.
  • Develop a common and consistent approach to risk across the organisation. Not intuition-based.
  • Allows intelligent “informed” risk-taking.
  • Focuses efforts – helps prioritize. Top 10 list. Or top 3. Or…
  • Is proactive, not reactive – Prepare for risks before they happen. Identify risks and develop appropriate risk mitigating strategies.
  • Improve outcomes – achievement of objectives (corporate, school-based, etc.)
  • Really comes down to simple good management
  • Enables accountability, transparency and responsibility
  • And may even mean survival

The only alternative to risk management is crisis management — and crisis management is much more expensive, time consuming and embarrassing.

JAMES LAM, Enterprise Risk Management, Wiley Finance 2003

Without good risk management practices, government cannot manage its resources effectively. Risk management means more than preparing for the worst; it also means taking advantage of opportunities to improve services or lower costs.

Sheila Fraser, Auditor General of Canada

Risk comes from not knowing what you’re doing.

Warren Buffett, Berkshire Hathaway Chairman & CEO

Insanity: doing the same thing over and over again and expecting different results.

Albert Einstein
