Professional Documents
Culture Documents
Risk Analysis Template 15
Risk Analysis Template 15
Risk Analysis Template 15
INFRASTRUCTURE
RISK MANAGEMENT PLAN
Version
1. INTRODUCTION........................................................................................................................ 1
1.1 Aim................................................................................................................................. 1
1.2 Objectives......................................................................................................................... 1
1.3 Scope.............................................................................................................................. 1
1.4 Risk Management Model...................................................................................................... 1
1.5 Risk Model Description......................................................................................................... 1
1.5.1 Establish the Context.................................................................................................. 1
1.5.2 Develop risk evaluation criteria......................................................................................2
1.5.3. Risk Identification....................................................................................................... 2
1.5.4 Risk Analysis............................................................................................................. 2
1.5.5 Risk Evaluation.......................................................................................................... 2
1.5.6 Manage the Risks...................................................................................................... 3
1.5.7 Risk Treatment Plans.................................................................................................. 3
1.5.8 Monitoring and Review................................................................................................ 3
2. COMMUNICATION AND CONSULTATION.......................................................................................4
3 ESTABLISHING THE CONTEXT................................................................................................... 5
3.1 The External Context........................................................................................................... 5
3.2 The Internal Context............................................................................................................ 5
3.3 The Risk Management Context.............................................................................................. 5
4. RISK EVALUATION CRITERIA...................................................................................................... 6
5. RISK IDENTIFICATION............................................................................................................... 6
5.1 GENERAL........................................................................................................................ 6
6. RISK ANALYSIS........................................................................................................................ 8
6.1 GENERAL........................................................................................................................ 8
6.2 Likelihood......................................................................................................................... 8
6.3 Consequences................................................................................................................... 8
6.4 Method............................................................................................................................. 8
6.4.1 Likelihood................................................................................................................. 8
6.4.2 Consequences.......................................................................................................... 8
6.4.3 Risk Assessment........................................................................................................ 9
6.4.4 Indicator of Risk Treatment........................................................................................... 9
6.4.5 Analysis of Risk......................................................................................................... 9
7. RISK EVALUATION................................................................................................................... 11
7.1 General.......................................................................................................................... 11
7.2 Risk Evaluation................................................................................................................. 11
7.3 Risks Requiring Further Action............................................................................................. 11
8. RISK TREATMENT PLANS........................................................................................................ 13
8.1 General.......................................................................................................................... 13
8.2 Risk Treatment Process..................................................................................................... 13
8.3 Risk Treatments............................................................................................................... 13
8.4 Risk Treatment Plans......................................................................................................... 13
9. MONITORING AND REVIEW...................................................................................................... 17
10. REFERENCES........................................................................................................................ 17
1
-1-
1. INTRODUCTION
1.1 Aim
1.2 Objectives
1.3 Scope
It is an analysis and problem solving technique designed to Establish Risk Management Context,
provide a logical process for the selection of treatment Determine Risk Evaluation Criteria,
plans and management actions to protect the community Identify Risks,
against unacceptable risks. Analyse Risks
Evaluate Risks,
The process is based on the New Zealand / Australian Treat Risks,
Standard AS/NZS 4360:2004, Risk Management. Monitor and Review
Fig 1.4. Risk Management Process – Detail The context is established in three stages, external,
Source: AS/NZS 4360:2004, Fig 3.1 p 13 internal and risk management
identifying the relationship between the council and its What can happen? The aim is to generate an
environment, identifying the council’s strengths, comprehensive list of events which might affect each
weaknesses, opportunities and threats. The context element of the City.
includes the financial, operational, competitive, political How and why it can happen? It is necessary to
(public perception/image), social, client and legal consider possible causes and scenarios. There are
aspects of the council’s functions; and many ways and event can be initiated. It is important
identifying the stakeholders. that no significant causes are omitted.
Are risks credible? An assessment of credibility of all
This is to determine the crucial elements which might risk is undertaken to ensure that credible risks receive
support or impair its ability to manage the risks associated proper and due consideration.
with its operation.
1.5.4 Risk Analysis
The second stage is the internal context
Risk is analysed by combining estimates of likelihood and
The purpose of this stage is to develop an understanding consequences in the context of existing control measures.
of the council and its capabilities, as well as its goals and The objective of a risk analysis is to separate the minor
objectives and the strategies that are in place to achieve acceptable risks from the major risks and to provide data to
them. assist in assessment and treatment of risk.
The final stage of context development is the risk The level of risk is determined by considering two aspects
management context. This stage includes setting the against existing controls:
goals, objectives, strategies, scope and parameters of the
services to which the risk management process is being how likely it is that things may happen (likelihood ,
applied, should be established. The process should be frequency of probability); and
undertaken with the need to balance costs, benefits and the possible consequences (impact or magnitude of
opportunities. The resources required and records to be the effect) if they do occur.
kept should also be required.
The risk analysis process is to:
Setting the scope and boundaries of an application of the
risk management process involves: identify the existing management controls, technical
systems and procedures to control risk;
(a) Defining the project or activity and establishing its evaluate the likelihood of events occurring and their
goals and objectives; consequences in the context of these existing controls;
(b) Defining the extent of the project in time and location; combine the evaluation of likelihood and consequences
(c) Identifying any studies needed and their scope, to produce a level of risk.
objectives and resources required;
(d) Defining the extent and comprehensiveness of the 1.5.5 Risk Evaluation
risk management activities to be carried out.
Risk evaluation involves comparing the level of risk found
1.5.2 Develop risk evaluation criteria during the analysis process with previously established risk
evaluation criteria and deciding whether the risks can be
The purpose of this stage is to develop the criteria against accepted.
which risk is to be evaluated. This may depend on
operational, technical, financial, legal, social, humanitarian, Options should be evaluated on the basis of the extent of
or other criteria. This may depend on the council’s goals, risk reduction and the extent of benefits or opportunities
objectives, and the interests of stakeholders. created, taking into account the criteria developed in
Section 3.
1.5.3. Risk Identification
In general, the adverse impact of risks should be made as
Risk identification seeks to identify the risks to be low as reasonably practicable irrespective of any absolute
managed. A well structured systematic process is crucial, criteria. A combination of options may give the optimum
because a potential risk not identified at this stage is risk reduction outcome.
excluded from further analysis. All risks should be
identified, whether or not they are under the control of the If the risks fall into the acceptable or low categories, they
council. may be accepted with minimal further treatment.
Acceptable or low risks should be monitored and
The risks are identified in three stages: periodically reviewed to ensure they remain acceptable.
If the risks do not fall into the acceptable or low category, bears the consequences if the event occurs. Risks
they should be managed using one of the options below. should be allocated to the party which can exercise the
most effective control over those risks.
The output of risk evaluation is a prioritised list of risks for Accept and retain the risks within the organisation
further action. where they cannot be avoided, reduced or reduced or
transferred, or where the cost to avoid or transfer the
1.5.6 Manage the Risks risk is not justified, usually because the risk is
acceptable or low. Risks can be retained by default, ie.
Risks need to be managed appropriately to the significance Where there is a failure to identify and/or appropriately
of the risk and importance of the affected item/asset to the transfer or otherwise manage risks
council’s service delivery. As a general guide:
The cost of managing risks needs to be commensurate
low levels of risk can be accepted and additional action with the benefits obtained, the significance of the event and
may not be needed; these risks should be monitored, the risks involved.
major or significant levels of risk should be managed
with actions to reduce or eliminate the risk, 1.5.7 Risk Treatment Plans
high levels of risk require close management and the
preparation of a formal plan to manage the risks. Plans should document how the chosen options are to be
implemented. The plan should identify responsibilities,
Options for managing risk are shown below. The optimum schedules, the expected outcomes of treatment, budgeting,
solution may involve a combination of options. performance measures and the review process to be set in
place.
Avoid the risk by deciding not to proceed with the
activity that would incur the risk, or choose an The successful implementation of the risk treatment plan
alternative course of action that achieves the same requires an effective management system which specifies
outcome, the methods chosen, assigns responsibilities and individual
Reduce the level of risk by reducing the likelihood of accountabilities for actions and monitors them against
occurrence or the consequences, or both; specified criteria.
the likelihood may be reduced through
management controls, organisational or other 1.5.8 Monitoring and Review
arrangements which reduce the frequency of, or
opportunity for errors, such as alternative Monitoring and review is an essential and integral step in
procedures, quality assurance, testing, training, the process of managing risk. It is necessary to monitor
supervision, review, documented policy and risks, the effectiveness of any plans, strategies and
procedures, research and development. management systems that have been established to
the consequences may be reduced by ensuring that control implementation of risk management actions.
management or other controls, or physical barriers,
are in place to minimise any adverse Risks need to be monitored periodically to ensure changing
consequences, such as contingency planning, circumstances do not alter the risk priorities.
contract conditions or other arrangements.
Transfer the risk by shifting the responsibility to
another party (such as an insurer), who ultimately
2
HB 436:2004, Sec 3.1, p 20
This step aims to understand the background of the [ Type stakeholder ] [ Click & type their objective ]
organisation and its risks, scoping the risk management
activities being undertaken and developing a structure for [ Type stakeholder ] [ Click & type their objective ]
the risk management tasks to follow.
This section defines the relationship between the The purpose of this section is to gain an understanding of
organisation and its external environment. the council organisation.
[ Click here & type brief history of the area ] Council’s vision for the council area is:-
[ Click here & type commentry on population and trends ] “[ Click here & type council vision statement ].
[ Click here & type commentary on topography ] [ Click here & type commentary on culture ]
[ Click here & type commentary on climate ] [ Click here & type commentary on internal stakeholders ]
[ Click here & type commentary on transport links ] [ Click here & type commentary on services structure ]
[ Click here & type commentary on industry base ] [ Click & type commentary on capabilities, resources, etc. ]
[ Click here & type commentary on service centre ] [ Click & type comment on goals/objectives & strategies ]
[ Click here & type commentary on government services ] 3.3 The Risk Management Context
The council’s strengths, weaknesses, opportunities and Council has implemented many management practices
threats in the provision of services to the community are and procedures to identify and manage risks associated
shown below. with providing services from infrastructure assets. These
include:
[ Click here & type comment on organisation's strengths ]
operating a reactive maintenance service for all assets
[ Click & type comment on weaknesses ] and services;
operating a planned maintenance system for key
[ Click & type comment on opportunities ] assets;
monitoring condition and remaining service life of
[ Click here & type comment on threats ] assets nearing the end of their service life;
renewing and upgrading assets to maintain service
Stakeholders involved with council in providing services delivery; and
from infrastructure to the community and their objectives acquiring or constructing new assets to provide new
are shown in Table 2.1. and improved services.
Table 2.1. Stakeholders and their Objectives [ Click here & type comment on service delivery practices ]
Stakeholder Objective [ Click here & type comment on service delivery practices ]
[ Type stakeholder ] [ Click & type their objective ] Council has assigned responsibilities for managing risks
associated with assets and service delivery to the following
[ Type stakeholder ] [ Click & type their objective ] departments.
[ Type stakeholder ] [ Click & type their objective ] [ Click here & type department and responsibility ]
[ Type stakeholder ] [ Click & type their objective ] [ Click here & type department and responsibility ]
INSERT ROWS WITH DATA FROM WORKSHEET ‘RISK IDENTIFICATION’ OF ‘RISK REGISTER’ SPREADSHEET
6. RISK ANALYSIS The qualitative descriptors for each assessment are shown
below.
6.1 GENERAL
6.4.1 Likelihood
Credible risks which have been identified during the risk
identification stage are now to be analysed by the risk
management team. This process takes into account the Likliehood Descriptor Probability of
‘likelihood’ and the ‘consequences’ of the event. The occurrence
objective of the analysis is to separate the minor
acceptable risks from the major risks and to provide data to Rare May occur only in More than 20
assist in the assessment and management of risks. exceptional years
circumstances
The risk analysis process is applied to all credible risks to Unlikely Could occur at some Within 10-20
determine levels of risk. The process acts as a filter by time years
applying a reasoned and consistent process, minor risks Possible Might occur at some Within 3-5 years
can be eliminated from further consideration and dealt with time
within standard operating procedures. Likely Will probably occur in Within 2 years
most circumstances
The remaining risks will therefore be of such significance Almost Expected to occur in Within 1 year
as to require evaluation against the risk evaluation criteria certain most circumstances
determined in Section 4 and risk treatment options
developed.
6.4.2 Consequences
6.2 Likelihood
Risk Rating
Consequences
Likelihood Insignificant Minor Moderate Major Catastrophic
Rare L L M M H
Unlikely L L M M H
Possible L M H H H
Likely M M H H VH
Almost Certain M H H VH VH
Ref: HB 436:2004, Risk Management Guidelines, Table. 6.6 p 55.
Using the example from Section 6.4.3, an event with a The credible risks and levels of risk are shown in Table
‘High Risk’ rating will require ‘Prioritised action’. This may 6.4.5.
include actions such as reducing the likliehood of the event
occurring by physical methods (limiting usage to within the
asset’s capacity, increasing monitoring and maintenance
practices, etc), reducing consequences (limiting speed of
use, preparing response plans, etc) and/or sharing the risk
with others (insuring the organisation against the risk).
INSERT ROWS WITH DATA FROM WORKSHEET ‘RISK ANALYSIS’ OF ‘RISK REGISTER’ SPREADSHEET
7. RISK EVALUATION
7.1 General
INSERT ROWS WITH DATA FROM WORKSHEET ‘RISK EVALUATION’ OF ‘RISK REGISTER’ SPREADSHEET
8. RISK TREATMENT PLANS
8.3 Risk Treatments
8.1 General
The risk treatments identified for non-acceptable risks
The treatment of risk involves identifying the range of shown in Table 7.2 are detailed in Table 8.3.
options for treating risk, evaluating those options, preparing
risk treatment plans and implementing those plans. 8.4 Risk Treatment Plans
This includes reviewing existing guides for treating that From each of the risk treatments identified in Table 8.3, risk
particular risk, such as Australian and State legislation and treatment plans were developed.
regulations, Australian Standards and Best Practise
Guides. The risk treatment plans identify for each non-acceptable
risk:-
Developing risk treatment options starts with understanding
how risks arise, understanding the immediate causes and 1. Proposed action
the underlying factors that influence whether the proposed 2. Responsibility
treatment will be effective. 3. Resource requirement/budget
4. Timing
One treatment option is to remove the risk completely by 5. Reporting and monitoring required
discontinuing the provision of the service.
The risk treatment plan is shown in Table 8.4.
Other options include risk reduction by reducing the
likliehood and/or the consequences of the risk.
INSERT ROWS WITH DATA FROM WORKSHEET ‘RISK TREATMENT’ OF ‘RISK REGISTER’ SPREADSHEET
Table 8.4 Risk Treatment Plan
INSERT ROWS WITH DATA FROM WORKSHEET ‘TREATMENT PLAN’ OF ‘RISK REGISTER’ SPREADSHEET
9. MONITORING AND REVIEW
10. REFERENCES
The plan will be monitored and reviewed as
follows. AS/NZS 4360:2004, Australian/New Zealand Standard,
Risk Management, Standards Australia, Sydney.
Activity Review Process
HB 436:2004, Risk Management Guidelines, Companion to
AS/NZS 4360:2004, Standards Australia,
Review of new risks and Annual review by team with Sydney.
changes to existing risks stakeholders and report to
council
International Infrastructure Management Manual, 2006,
Institute of Public Works Engineering Australia,
Review of Risk 3 yearly review and re-write Sydney, 2006 www.ipwea.org.au
Management Plan by team and report to
council INSERT OTHER APPLICABLE REFERENCES IN
ALPHABETICAL ORDER
Performance review of Risk Action plan tasks
Treatment Plan incorporated in council staff
performance criteria with 6
monthly performance
review.