BSBOPS504 Student Guide (Ver. 1) PDF


STUDENT GUIDE

BSBOPS504
MANAGE BUSINESS RISK
First published 2020

RTO Works
www.rtoworks.com.au
hello@rtoworks.com.au
0452 157 557

© 2020 RTO Works

This resource is copyright. Apart from any fair dealing for the purposes of private study, research, criticism or review
as permitted under the Copyright Act 1968, no part may be reproduced by any process without written permission as
expressed in the RTO Works License Agreement.

The information contained in this resource is, to the best of the project team’s and publisher’s knowledge true and
correct. Every effort has been made to ensure its accuracy, but the project team and publisher do not accept
responsibility for any loss, injury or damage arising from such information.

While every effort has been made to achieve strict accuracy in this resource, the publisher would welcome
notification of any errors and any suggestions for improvement. Readers are invited to write to us at
hello@rtoworks.com.au.

Business Works is a series of training and assessment resources developed for qualifications within the Business
Services Training Package.

Contents

Overview
Topic 1: Overview of risk management
Topic 2: Establishing risk management in an organisation
Topic 3: Addressing risks in an organisation

Hilton Academy: Level 6, 250 Collins Street, Melbourne, VIC. 3000, Australia.
Email: info@hilton.edu.au | Website: www.hilton.edu.au
BSBOPS504 Manage business risk | 3
RTO: 40735 CRICOS: 03796A ABN: 24 111 139 578
Version 1.0 – Updated on 01 March 2021
Overview

The Student Guide should be used in conjunction with the recommended reading and any further
course notes or activities given by the trainer/assessor.

Application of the unit


This unit describes skills and knowledge required to manage business risks in a range of contexts
across an organisation or for a specific business unit or area in any industry setting.
The unit applies to individuals who are working in positions of authority and who are approved to
implement change across the organisation, business unit, program or project area. They may or
may not have responsibility for directly supervising others.
No licensing, legislative or certification requirements apply to this unit at the time of publication.

Learning goals
Learning goals include:

• You are able to establish the risk context to manage risk in a work area or organisation.
• You are able to identify and analyse risks within a pre-determined scope.
• You are able to select and implement risk treatments and monitor and evaluate the risk
management process.

Topic 1: Overview of risk management

What does “risk management” mean?


Life is full of risk – the chance of something going wrong or not as planned. No outcome is ever
one hundred percent certain. In fact, any attempt you make at anything has the potential to
succeed or fail. In business, risk involves the possibility of financial and/or operational difficulties.

Managing risk in business is about using sound judgement and decision-making skills to reduce
the consequences of risk while still making the most of the opportunities available to you.
It is not about completely eliminating risks, as they are inevitable in business (and life!). It is
about establishing, mitigating and responding to risks and setting up a plan to deal with them.

Activity: Reflect

Think about some of the risks in your personal and work/study life.

• Have you deliberately taken any risks that have been a success?
• Have you taken any risks that have caused you to fail?
• Have you taken any steps to avoid or manage any of the risks you’ve thought about?

What is risk?
Before we continue, make sure you understand what risk is.

A risk in business management can be seen as anything that:

• could prevent the organisation from achieving goals it has set for itself
• could result in a negative outcome for the enterprise.

Examples of goals that may be involved with risk can relate to service delivery standards,
production specification of items, sales and/or revenue budgets, safety targets and attainment of
workplace objectives.
Examples of negative outcomes of a risk eventuating may be financial loss, damage to the
reputation of the company, loss of property, cash or data and breach of legislated obligations.
Risks come in different forms and, in business, there are different types of risks. The risks for your
business or organisation will depend on:

• the size of the business/organisation
• the industry
• the people you work with.

As you manage risks for your organisation, it’s helpful to know what type of risk you are dealing
with. A risk may be direct (specific to a business and its objectives) or indirect (does not directly
impact the business but still affects operations, such as a natural disaster impacting suppliers).

There are four main types of business risk: strategic risk, compliance risk, financial risk and
operational risk.

Take a look at the next table to understand more about these risks.

| Type of risk | Description | Example | Key responsibility |
|---|---|---|---|
| Strategic risk | These risks can occur at any time and are related to the business or organisation’s strategy. | A business sells natural sunscreen in lotion form but over time people’s preference for lotion declines and more people want a spray form of sunscreen. | CEO; Managing director; Board of directors; Owner |
| Compliance risk | These risks involve having to comply with rules set by government or regulatory bodies. | Complying with all regulations due to COVID-19 and having a COVID Safe plan that meets requirements. | Head of safety; Head of operations; Managers/supervisors |
| Financial risk | These risks affect the financial health of a business (cash flow, liquidity, financial position, debt burden etc.). | Customers not paying on time (or paying in instalments). | CFO; Financial controller; Managers/supervisors |
| Operational risk | These risks are associated with a business or organisation’s systems and processes. | Targets not being met because a machine breaks down. | Head of operations; Managers/supervisors |

Table 1: Types of business risk

Activity: Brainstorm

In small groups:

• brainstorm more examples for each type of risk
• explain what their impact might be on an organisation
• say whether the risks are direct or indirect.


Your trainer will facilitate a group discussion to create a complete list of examples.
Take notes and keep them for future reference.

Activity: Reflect

Do you have any personal experience of any of the types of risks listed above?

What are common sources of business risk?


Regardless of the type of business risk you are identifying, there are common sources of risk.
These can either be internal or external sources.

Activity: Research and discuss

Work in a group and answer the questions:

• What is meant by “internal” sources of risk in a business or organisation? Provide examples.
• What is meant by “external” sources of risk in a business or organisation? Provide examples.

Your trainer will facilitate a discussion to summarise your research. Take notes and
keep them for future reference.

The three most common categories of business risk sources are:

• natural causes (e.g., flooding disrupts a delivery service, dust storm causes a truck driver to
have an accident, pandemic results in extended business closure)
• human causes (e.g., strikes result in unfilled customer orders, mistake when manually entering
invoices into the accounting system, spillage in the office kitchen results in someone slipping
and hurting themselves)
• economic causes (e.g., price of raw materials increases making product manufacture more
expensive, labour costs increase with new regulations, rising interest rates affect a business or
organisation’s ability to repay debt).

Activity: Practical

Look at the examples of risk sources and answer the questions that follow.
bushfires, contractual breaches, terrorist attack, computer network failure, online
security, staff conflict, consumer preference changes, power failure, WHS
1. Classify each risk as internal or external.
2. Which category does each risk fall into (natural, human, economic)?
3. Who would be responsible for the risk?
Work in pairs to compare your answers.

Why is risk management important?

Activity: Discuss

Consider the quote:

“Take risks: if you win, you will be happy; if you lose, you will be wise” (unknown
author).

In a group, discuss this quote.

• Do you agree with it?
• How is it right? How is it wrong?

Did you know that the cost of risk management is often less than the costs associated with a risk
eventuating (such as fines, lawsuits, loss, reputational harm and the potential for business
closure)?
Depending on the consequences of the risk, risks should be taken or avoided. When the
consequences of risks we take are negative, we can learn from the outcome and plan for the
future.
Managers are under a legal obligation to:

• demonstrate to the workforce they are effectively managing the business through the risk
management actions they take – giving workers a sense of reassurance and confidence in
management
• discharge a common law “Duty of Care” to take action to avoid allowing foreseeable harm to
impact individuals or the company
• demonstrate responsible corporate governance in the way they run the organisation.

Risk management ensures the ongoing viability of a business by making sure its goals and
objectives can be achieved regardless of the obstacles that get in their way.

Risk management has become even more important over recent years as a result of:

• an increasingly volatile and competitive business environment where there are more
competitors and their capacity to compete has massively increased due to inexpensive and
pervasive digital marketing options
• greater awareness among the business community that risks can be identified and actively
managed rather than simply be allowed to happen
• realisation that unmanaged risks can seriously impact a business if they materialise, and can
even bring about an end to the company – and that managed risks provide the business with
plans to exploit opportunities that arise rather than see them slip by
• changes to a raft of legislation that have placed obligations on senior managers, with those
responsibilities carrying severe penalties of hundreds of thousands of dollars and imprisonment.

What process should I follow to manage risk?

Given the importance of risk management (including the legal obligations), a deliberate and
consistent approach is required to identify, mitigate and respond to risk. In many businesses a risk
management team is put together and charged with heading up the process.
The typical risk management process essentially comprises four steps or stages. The names
given to the four steps/stages can differ but the basics of the model remain the same. The steps
(shown in the next figure) are:

• risk identification
• risk analysis
• risk mitigation (or control)
• monitoring implemented risk control measures.

Identify → Analyse → Control → Monitor

Figure 1: Risk management process

The process is an ongoing one in that regular and scheduled evaluation and reviews of risks and
the associated risk management occur.

What sources of information should I consider for risk management?

Activity: Reflect

In the ICT industry “Garbage in, garbage out” (GIGO) is the concept that flawed or
incorrect input data produces flawed or incorrect output or "garbage".
Reflect on how this concept applies to sourcing reliable information when managing
risk in a variety of contexts in an organisation.

In order to successfully manage risk, a variety of information sources should be consulted
throughout the risk management process.

Relevant information sources are described in the table below.

Learning opportunity | Description

Stakeholders
All people who are involved in identifying, mitigating and responding to risk.
Stakeholders can be seen as any person or body who:
• is able to shed light on or assist with risk identification, risk analysis and/or risk control
• is likely to be impacted by an adverse risk event.
For example: employees, external consultants, suppliers, customers,
business owners, the Board and senior management, insurers, third party
contractors, creditors of the business, financiers, various government
agencies.

Legislation
These are laws that have been made by the state and/or country and must be
followed. Legislation in Australia may be state-based or national (Federal).
Most businesses engage the services of legal practitioners to assist them in
identifying and understanding their legal obligations.
The government agencies or bodies responsible for enforcing the various
pieces of legislation can also provide valuable insight and have lots of
information freely available on their websites.
Failure to conform with these legislated obligations can lead to warnings,
fines or more dire consequences for serious, continued or intentional and
deliberate action (including imprisonment in some cases). It can also involve
negative media publicity when non-compliance becomes public, especially in
terms of the impact of social media.
Where an individual (worker or customer or other) is wronged or injured by
the organisation, they have the right to proceed against the business under
civil law.
This action is commonly taken against the business for negligence where
they have breached their Duty of Care.
Legislative examples include: Fair Work Act, WHS Acts, Corporations Act,
Privacy Act, Environmental legislation, Discrimination legislation.

Regulations and codes of practice
Regulations are directly related to legislation. They are the ongoing
processes of monitoring and enforcing the law (in other words the very act of
enforcement through a regulatory authority).
Codes of practice provide information on a specific issue and help you
achieve legal standards. They are practical guides on how to comply with legal
duties.
Regulatory authorities often provide information on codes of practice.
Examples include WHS codes of practice, Work Health and Safety Regulations
2011.


Industry standards
Standards may be internationally accepted practices, government
requirements or industry regulations.
The AS/NZS ISO 31000:2018 Standard is useful in that it gives terms and
definitions relating to “risk management” and provides information and
step-by-step guidance on topics including:
• principles underlying risk management
• the risk management framework
• the risk management process.
Use of or adherence to this Standard is not mandatory but is considered ‘best
practice’ or the benchmark against which an organisation’s risk management
practices can be judged.

Organisational documentation
These are workplace documents created by management and are relevant to
risk management. Organisational policies and procedures are put in place to
make sure everyone is as safe as possible and to ensure a successful
outcome for the business or organisation.
For example: Strategic plan, operational plan, policies and procedures (e.g.,
document storage, privacy, confidentiality, recruitment, performance
appraisal, work health and safety).

Best practice examples
The concept of “best practice” refers to good practices, procedures or
guidelines that have been proven to achieve successful results.
For example: Literature reviews, case studies, analogy thinking (such as
“Uber of public transport”).

Table 2: Information sources


Activity: Research and discuss

Research legislation relevant to your workplace or industry of interest (such as
mining, manufacturing, transport, building, education or health) that may be
associated with risk management.
You may consider Consumer law, Fair Work Act, Public Service Act, Corporations
Act, Workplace Health and Safety Acts (industry specific), Privacy Acts, Equal
employment opportunity legislation, Discrimination (age, sex, disability) legislation,
Mandatory reporting legislation, Natural justice and procedural fairness.
Take notes and keep them for future reference.
Your trainer will facilitate a group discussion to summarise relevant legislation.

Activity: Research

Work together in small groups to:

• choose an industry or work area you work in or are interested in (e.g. mining,
ICT, finance, education, sales etc.)
• research any regulatory bodies and codes of practice associated with the work
area or industry
• share your findings with the larger group (your trainer will provide guidance on
how to do this e.g. PowerPoint presentation or document sharing etc.).


Activity: Read

Read more about the AS/NZS ISO 31000:2018:
Website: https://infostore.saiglobal.com/preview/332265330632.pdf?sku=1134720_SAIG_AS_AS_2680492

Activity: Discuss

As a group, discuss the purpose and key elements of the standard.
Take notes and keep them for future reference.

Activity: Explore

Explore a few of the policies and procedures that may apply to risk management:
Website 1: https://dlb.sa.edu.au/tsftfmoodle/pluginfile.php/922/mod_imscp/content/1/shared/resources/manual/confidentiality.htm
Website 2: https://www.oaic.gov.au/about-us/our-corporate-information/key-documents/privacy-policy/
Website 3: https://www.rba.gov.au/about-rba/our-policies/risk-management-policy.html
Website 4: https://www.servicesaustralia.gov.au/organisations/about-us/corporate-publications-and-resources/work-health-and-safety-policies
Website 5: https://policy.vu.edu.au/document/view.php?id=3

How can risk management be supported in an organisation?


In order to successfully manage risk, a variety of information sources should be consulted
throughout the risk management process.

As the risk process is being established, time must be taken to ensure there is support for the
process and for the activities that will need to be undertaken.
This support may either need to be actively sought or may be implicitly provided through
statements in, for example, the organisation’s Risk management policy. Obtaining practical support
for risk management activities can include:

• being able to obtain constructive and meaningful input from stakeholders in a timely manner
• having management commit the necessary funds to risk management activities
• being allowed to take whatever time is necessary to engage in the required risk management
activities
• having permission to write or re-write operational procedures etc. as the need to do so arises
to minimise or address risk
• receiving input from management when undertaking any aspect of the process where their
contribution is essential
• gaining ready approval to spend money on any aspect of the process.

While most times businesses and organisations take every step possible to mitigate risk,
sometimes it’s still not enough and consequences occur. At times like this, it’s vital to learn from
mistakes and to identify ways to minimise future risk.
The explosion in Beirut, Lebanon on 4 August 2020 is an example of a terrible tragedy that could
have been prevented with better risk management. After the Beirut explosion, an official of the
Lebanese Higher Defence Council quoted the Lebanon Prime Minister Diab saying:
“…because it isn’t acceptable that a shipment of ammonium nitrate — estimated to be 2,750 tons
— was in a depot for the past six years without precautionary measures being taken.”
(source: https://www.nytimes.com/2020/08/04/world/middleeast/beirut-explosion-blast.html)

Activity: Read

If you’re not familiar with the details of the explosion, read more in the news report
below.
News report: https://www.nytimes.com/2020/08/04/world/middleeast/beirut-explosion-blast.html

Activity: Practical

Consider the article you’ve just read about the Beirut explosion. To complete this
activity, work in small groups.
1. Describe the importance of risk management for the warehouse involved in the
explosion.
2. What type of business risk was involved?
3. Identify any legislative and regulatory requirements that may have applied to the
warehouse safety (answer as if Australian law applies).
4. List the possible organisational policies and procedures related to risk
management that may have existed for the warehouse.
5. Think about the risk process discussed previously in this topic. How did (or did
not) the warehouse follow each step in the process?
Your trainer will facilitate a group discussion to summarise the group’s views and
answers.

Topic 2: Establishing risk management in an organisation

In the previous topic, we looked at the four general steps in a risk management process. This topic
addresses the first two steps in the process (identify and analyse risk).
Before you can identify risks however, you must determine the scope of the risk management
process by:

• understanding the risk context
• establishing goals and objectives for the area included in the scope
• setting up critical success factors.


Figure 2 explains the relationship between the risk management process and the context,
goals/objectives and critical success factors.

Figure 2: Risk management process – topic 2

What does “risk context” mean?


Risk context is the totality of the business environment (both internal and external) in which the
organisation operates.

It can be determined by a combination of:

• undertaking an internal protocols review
• defining the risk management scope
• identifying stakeholders and their related issues
• analysing the external environment of the business
• assessing internal conditions.


These are discussed in more detail in the table below.

Risk context element | Description

Undertaking an internal protocols review
In practice this means becoming familiar with:
• the risk management policy of the organisation
• the personnel with responsibility allocated to them for managing risk
• the risk management standard/s used for guiding the risk management
activities of the business
• the time and funding made available for the process
• template documents available to support the process
• previous risk management activities undertaken by the business and the
outcomes of same
• the risk management process and methodology used by the organisation
• the risk appetite of the business and their orientation to tolerance of risk –
some businesses are quite risk averse while others are prepared to take
certain risks.

Defining the risk management scope
Risk can be present across a range of areas for a business (such as record
keeping, recruitment and WHS) and can be both internal and external to the
organisation.
‘Risk management scope’ refers to the parameters of risk management the
business will address.
It is not practically feasible for a business to manage all risk it faces (this would
be too time consuming, too expensive and make the practical day-to-day
operation of the organisation impossible due to all the restrictions, checks and
precautions to be taken) so a decision must be taken about what risks are ‘in’
and will be managed, and those that are ‘out’ and will not be managed.
Scope can be viewed as:
• the structure and operations of the business (for example, projects they
are engaged in, departments in the organisation, different work sites
and/or the organisation as a whole)
• risks the business will and will not manage (for example, some businesses
will not manage risk for industrial relations or staff retention but will
manage it for WHS and finances).

Identifying stakeholders and their related issues
Stakeholders are identified by understanding the possible risks facing the
organisation. When all internal and external stakeholders have been identified,
action should be taken to:
• determine how they might provide input to the risk management process
(such as identifying possible risks, helping describe their impact and
suggesting ways to prevent or mitigate risks)


• assess the influence they have on risk management decisions based on
their relative and/or strategic importance to the business (for example,
contractors who can easily be replaced may have less weight or influence
than a supplier who is critical to the supply chain of the business)
• describe the possible issues they will/might have if a risk event occurs (for
example, employees will still want to be paid, customers may still need
your products or services and banks will still need to be paid for loans
etc).

Analysing the external environment of the business
Analysis of the external environment will provide information to identify,
analyse, prioritise and monitor risk. The analysis should include:
• the political context, including:
  o the state of political stability or unrest in the country, or state/territory
  o the political will towards (for example) stimulating and supporting
  businesses or taking action to rein in or control them.
• the economic context, such as:
  o the state of the local economy
  o the state of other economies on which the business largely depends
  for customers and revenue
  o interest rates, exchange rates, employment rates and the confidence
  other businesses have in the economy.
• the social context, including:
  o the values, beliefs and attitudes of society in general
  o how they may have changed or be changing.
• the legal context, such as:
  o the type and volume of legislation the business needs to comply with
  o the regulatory framework it has to satisfy
  o the potential for new laws to be introduced or existing ones to be
  amended or rescinded.
• the technological context, including:
  o the way technology is impacting the business
  o the potential it has to help the organisation achieve its aims, save time
  or money, enhance compliance levels, improve the standard or quality of
  goods and services it provides
  o its potential to assist with identifying and controlling risks.


• the policy context (this is allied strongly to the political and economic
contexts) for decisions that:
  o governments make (such as decisions about tax rates, whether or not
  to make grants, loans or subsidies available, imposition of tariffs on certain
  imported goods, and the support given for ‘Buy local’ or ‘Buy Australian’
  campaigns)
  o other businesses make (which might be to move into or out of
  certain markets, whether to expand or down-size, or take an aggressive,
  price-centred focus on acquiring more sales or greater market share).
A tool such as PESTLE analysis can be used for undertaking this
analysis.
(Watch the video: https://www.youtube.com/watch?v=GFVKKTwkANY (03:17)
for more information)

Assessing internal conditions
This involves analysis of situations and arrangements within the organisation
that have the potential to create or impact risk. For example:
• the state or condition of buildings and physical resources owned or used
by the business
• the nature of the consultation and communication mechanisms that exist
in the business between departments, between workers and between
management and the workforce
• the previous effectiveness (success and failures) of its risk management
processes and actions
• the strategies it has in place to retain staff and stop/limit the flow of staff
(knowledge, expertise and intellectual property) from the company to an
opposition business
• the size and quality of the customer database the business has
• the type of organisational culture that exists in the enterprise
• the physical layout of the departments, workspaces and the structure of
the organisational chart for the business
• the amount of funds available to the business and the potential it has to
raise more or borrow money
• the state of any debts it has and its projected ability to repay them
• the number and nature of the strengths and weaknesses the business has
including:
  o the capacity to capitalise on or exploit strengths and turn them into
  opportunities.

o the ability to address and convert weaknesses and threats into
strengths.
o the potential that weaknesses and threats have for causing negative
impacts.
o the plans the enterprise has developed for itself.
(Watch https://www.youtube.com/watch?v=EJ4uVsSqQ9k&feature=emb_logo
for more information on SWOT analysis).

Table 3: Establishing the risk context



Activity: Practical

Think back to the practical activity you did at the end of Topic 1 (Beirut explosion -
https://www.nytimes.com/2020/08/04/world/middleeast/beirut-explosion-blast.html).
Assume the explosion has not yet occurred.
1. Analyse the external environment of the business
2. Analyse the internal environment of the business for strengths and weaknesses.
3. Define the scope for risk management at the warehouse.
Your trainer will facilitate a group discussion to summarise the group’s views and
answers.

How do I determine goals and objectives?


To establish the risk management goals and objectives, first review, identify and record the
strategic and operational goals and objectives of the organisation. These goals and objectives
should be used as the basis to inform and shape risk management. The figure below illustrates the
relationship between strategy, operations and risk management in more detail.

Figure 3: Strategy, operations and risk management

Strategic and operational goals:

 help create the context of the risk to be managed (type, size, timing and topic)

 provide the basis for ensuring all areas within the determined scope have been addressed

 prevent ‘creep’ caused by non-scope risks being included in the risk management process

 give all those involved in the risk management process certainty about the focus of their
activities.

Activity: Reflect

How can the strategic and operational goals and objectives be identified?
Hint: Look back to the section on “Sources of information” in Topic 1.

Once strategic and operational goals and objectives have been established, specific risk
management goals and objectives can be created. Because it is impossible to address all risks in a
business, it is useful to set goals for the risk management plans that are developed.

These goals will:

 identify the types of risk to be addressed

 specify the type of protection appropriate (for example, by stating the amount of loss that
will be allowed, the contingency plan that will be implemented or quantifying the amount of
money that will be made available to offset a negative event that occurs).

In keeping with standard practice, these goals are formulated in accordance with the SMART
acronym. This is further explained below:

S = Specific • They must state clearly what the organisation seeks to achieve.

M = Measurable • The outcomes must be able to be measured so the business can
calculate and quantify its progress towards them.

A = Achievable • The objectives must be realistic such that everyone feels there is
genuine belief the outcomes can be attained.

R = Relevant • The objectives must be realistic such that everyone feels there is
genuine belief the outcomes can be attained.

T = Timely • The objectives need to have a start and finish date attached to them.

Figure 4: SMART goals

How do I establish critical success factors?
Critical success factors (CSF) are the things the business must do correctly or ‘get right’ in order for
the organisation to succeed. CSFs need to be comprehensively documented so that everyone
understands what success requires. Remember that a CSF is NOT the same as success criteria.

Activity: Watch

Watch the video about critical success factors.


Video: https://www.youtube.com/watch?v=0kApm47ClzQ (01:44)
Take notes and keep them for future reference.

Examples of critical success factors include:

 good communication between all parties

 suitable structure and design of the business

 participation of all stakeholders

 an appropriate organisational culture

 trust between everyone

 support from management

 capacity to monitor and measure progress and outcomes achieved

 effective leadership

 provision of necessary resources

 good resources and systems/IT

 clear objectives and working guidelines

 appropriate staff training.

Activity: Practical

Think back to the practical activity you did previously in this topic (Beirut explosion -
https://www.nytimes.com/2020/08/04/world/middleeast/beirut-explosion-blast.html).
Assume the explosion has not yet occurred:
1. List at least two possible strategic and/or operational goals of the warehouse.
2. For each strategic and/or operational goal, write a risk management goal or
objective.
3. What are potential CSFs for managing risk at the warehouse?
Your trainer will facilitate a group discussion to summarise the group’s views and
answers.

What does “identifying risks” involve?


Once you have established the context of risk management and set goals and objectives for the
risk management process, risks should be identified within the pre-defined scope.

All risks should be considered, regardless of how significant or insignificant they may seem.

As for all business processes, consultation with relevant stakeholders is necessary to create a
comprehensive risk management plan. This includes:

 communicating the risk management process to the stakeholders

 involving the stakeholders to identify as many risks within the scope as possible.

How do I communicate with stakeholders?


The method used for communication will depend on:
 the type/role of the stakeholder
 the policies and procedures of the organisation
 geographic location of the stakeholder
 legislative requirements (e.g. written notice may be required).

Examples of appropriate methods are:
 face-to-face discussions
 email exchanges
 team meetings
 telephone calls
 online discussion or chat forum.

Activity: Brainstorm

Look back to the list of stakeholders identified in Topic 1 (go to the “Sources of
information” section). Work together with a partner to brainstorm:

 how each stakeholder may contribute towards identifying risks.

 the best way to communicate with the stakeholder.


Your trainer will facilitate a group discussion to summarise your findings.

When you communicate, use appropriate, professional and friendly language and encourage
everyone to present their views. The figure below highlights a few general principles to consider as
you communicate.

Figure 5: Clear communication principles

Remember to apply active listening and use questioning to check and confirm understanding.

Activity: Watch

Watch the video about questioning.


Video: https://www.youtube.com/watch?v=ImfU12epYcI (03:20)
Take notes and keep them for future reference.

As stakeholders cannot be expected to know when you need their input, invitations need to be
issued to them. These invitations may be issued verbally or via any digital option that is acceptable
to the stakeholder. The invitation may include:

 start time and expected duration

 date

 location

 names of other attendees

 matters to be discussed

 request to bring any relevant material or documentation

 whether refreshments will be provided

 whether the business is offering remuneration for participation.


In some cases there can also be a need to forward documentation for attendees to read prior to the
meeting. Standard practice is to send these by mail or courier in hard copy form rather than
electronically but organisational procedures should be followed in this regard.

How do I identify risks?


A structured and formal approach is needed to help ensure no risks are overlooked.

The approach may involve stakeholders or require research.


Options for identifying risks include:

 meetings featuring the risk management team

 conducting a series of meetings with the stakeholders you have identified and invited

 referencing previous risk management documentation to see what other risk management
teams considered

 distributing questionnaires and/or surveys to stakeholders (as an alternative to holding
meetings)

 referencing what has happened in similar local, national and overseas organisations

 noting the decisions of court cases where significant damages were awarded or serious
penalties issued

 discussing new obligations imposed by legislation with the company’s legal advisor

 reviewing internal risk-related reports

 employing the services of a fee-for-service risk consultant.

Activity: Discuss

As a group, discuss:

 which of the above methods involve stakeholders?

 which methods involve research?

 what sources of information can be used for the methods that involve research?
Take notes and keep them for future reference.

Activity: Read

Are you interested in industry-specific risks? The links below provide helpful insight
for further reading.
https://www.business.qld.gov.au/running-business/employing/employee-rights/personal-safety
https://www.business.qld.gov.au/running-business/whs
https://www.business.qld.gov.au/running-business/protecting-business/risk-management/it-risk-management
https://www.business.qld.gov.au/running-business/protecting-business/risk-management/environment-climate

Are there specific tools or techniques to help identify risks?

Activity: Read

Read the articles that explain tools and techniques to help identify risks.
Article 1: https://www.inconsult.com.au/risk-identification-made-simple/
Article 2: https://www.itmplatform.com/en/blog/a-dozen-techniques-to-identify-risks/
Article 3: https://www.greycampus.com/opencampus/certified-associate-in-project-management/risk-identification-tools-and-techniques-in-capm
Take notes and keep them for future reference.

Activity: Research and discuss

Work together in a small group. Choose ONE tool or technique that can be used to
identify risks in an organisation or work area. Do research to:

 explain the tool in more detail

 provide an example to show how the tool is applied to risk management

 present your work to the larger group.


How can I learn more about the identified risks?


Once risks have been identified, find out as much as you can about each risk.

Risk research is helpful for:

 finding out information on the risks that have been identified

 further developing risk context

 obtaining information that can be used to establish a framework for addressing the risk

 identifying what others have done in regard to the same or similar risks.

Strategies for researching risk can include:

 talking to management from other organisations who can be expected to have similar risks or
who are known to have suffered an adverse event

 talking to anyone who has first-hand experience with the risk being considered

 asking for input from industry peak bodies

 reviewing relevant literature and information sources.

 reviewing previous internal risk analysis reports and risk control/treatment records of risks the
business has previously identified

 obtaining advice from inspectors and officials from government departments/authorities

 reading industry journals, reports and publications

 searching the internet.

Activity: Practical

Think back to the practical activity you did previously in this topic (Beirut explosion -
https://www.nytimes.com/2020/08/04/world/middleeast/beirut-explosion-blast.html).
Assume the explosion has not yet occurred:
1. Identify stakeholders who may be involved in a risk management process.
2. Select one stakeholder and explain how they may provide input.
3. Invite the stakeholder to participate in identifying risks (e.g. email, draft
telephone conversation).
4. Use one tool or technique to identify all the risks for the warehouse.
Now assume the explosion has occurred.
5. Search the internet to find examples of similar explosions in the past.
6. How were these explosions managed?
7. List ways the tragedy in Beirut could have been avoided.
Your trainer will facilitate a group discussion to summarise the group’s views and
answers.

What happens after I’ve identified and researched all possible risks?
Once risks have been researched, a detailed analysis of each risk is required to determine:

 potential outcomes

 the likelihood of the potential outcome occurring

 the impact or consequence if the outcome occurs

 the priority of each risk

 potential risk treatments.

How do I determine the likelihood of a risk occurring?


For all risks the business elects to manage, the likelihood of each risk occurring must be estimated.
This may be done using words or numbers, for example:

Words Numbers

Rare 1

Unlikely 2

Likely 3

Very likely 4

Establishing the likelihood of the risk occurring requires the risk management team to decide
how likely or probable it is that the risk will materialise into an actual negative event.

Making these decisions requires the exercise of personal judgement using as many legitimate
reference points as possible. Keys to making this decision include:

 examining internal historical records about the occurrence and timing of similar scenarios

 referencing industry-wide records relating to the occurrence and timing of similar scenarios

 asking managers in professional networks of contacts how they rate the same or similar
likelihoods and what they base their ratings on

 working with government bodies to determine if they have any guidelines in this regard

 being as realistic and objective as possible (striving to be neither optimistic nor pessimistic)

 seeking qualitative and quantitative input from stakeholders and other professionals and
experts

 realising that for some risks the probability will be more difficult to decide than for
others (some require more detailed analysis or consideration).

Activity: Read

If you’re interested in a more detailed explanation of calculating likelihood, read the
article below:
Article: https://www.dummies.com/careers/project-management/assessing-the-likelihood-of-a-risk-in-your-project/

How do I establish the impact or consequence of a risk eventuating?
The ‘likelihood’ and ‘impact’ are normally worked out at the same time. The same principles
described above for deciding ‘likelihood’ apply again here. An example of descriptive words and
numbers that may be used to describe the impact of the risk are:

Words Numbers

Minor 1

Moderate 2

Significant 3

Catastrophic 4

Activity: Read

If you’re interested in a more detailed explanation of developing consequences, read
the article below:
Article: https://paladinrisk.com.au/risk-tip-3-developing-consequence-matrix/

How do I prioritise risks?


Once the likelihood and impact have been established, a risk rating can be calculated by
multiplying them together.

Risk = impact x likelihood

Take a look at the example and make sure you understand how risk is calculated.

Risk: Dust storm causes a truck driver to have an accident.

Potential outcomes | Likelihood (0 – 4) | Impact rating (0 – 4) | Risk
Truck needs to be repaired | 3 | 2 | 6
Driver injured | 2 | 4 | 8
Other vehicles damaged | 1 | 3 | 3

Once a risk has been analysed, you can choose to address the higher rated risks first (see the risk
matrix below).

A risk matrix is the graphical representation of the risk impact and likelihood for each of the risks
that have been addressed. It:

 allows everyone to quickly and easily see the level of risk presented by each risk.

 provides information to help prioritise the risk for treatment.

 indicates what action may need to be taken in terms of treatment.


A sample risk matrix is shown below:

Figure 6: Risk matrix (adapted from Source: http://www.arriscar.com.au/services/risk-assessment/)

The risk matrix can be used to assist with prioritisation for example in the following way:

Extreme risks are treated immediately – some sort of action to reduce this risk level
needs to take place straight away.

High risks are treated within 24 hours.

Moderate risks are treated within a week.

Low risks are treated within 30 days.

Figure 7: Using a matrix to prioritise risks
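
The rating and prioritisation steps above, worked through in Python as an added example that is not part of the original guide. The scales, the dust-storm scores and the treatment windows come from the guide; the level cut-offs, the tie-break on impact and the "Delivery delayed" entry are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Word scales from the guide's likelihood and impact tables (1-4).
LIKELIHOOD = {"rare": 1, "unlikely": 2, "likely": 3, "very likely": 4}
IMPACT = {"minor": 1, "moderate": 2, "significant": 3, "catastrophic": 4}

# ASSUMPTION: cut-offs mapping a rating (1-16) to a matrix level. The guide's
# matrix figure is not reproduced in the text, so these are illustrative only.
LEVEL_FLOORS = [(12, "Extreme"), (8, "High"), (4, "Moderate"), (1, "Low")]

# Treatment windows as stated in Figure 7.
TREAT_WITHIN = {
    "Extreme": timedelta(0),  # immediately
    "High": timedelta(hours=24),
    "Moderate": timedelta(weeks=1),
    "Low": timedelta(days=30),
}


@dataclass(frozen=True)
class Assessment:
    outcome: str
    likelihood: int
    impact: int
    rating: int
    level: str
    treat_by: datetime


def to_score(value, scale):
    """Accept a scale word ('Likely') or a number; return a validated 1-4 score."""
    if isinstance(value, str):
        key = value.strip().lower()
        if key not in scale:
            raise ValueError(f"unknown scale word: {value!r}")
        return scale[key]
    if isinstance(value, bool) or not isinstance(value, int) or not 1 <= value <= 4:
        raise ValueError(f"score must be a whole number from 1 to 4, got {value!r}")
    return value


def level_for(rating):
    """Map a rating to the first level whose floor it reaches."""
    for floor, level in LEVEL_FLOORS:
        if rating >= floor:
            return level
    raise ValueError(f"rating out of range: {rating}")


def assess(outcome, likelihood, impact, assessed_at):
    """Rate one potential outcome: risk = impact x likelihood."""
    lik = to_score(likelihood, LIKELIHOOD)
    imp = to_score(impact, IMPACT)
    rating = imp * lik
    level = level_for(rating)
    return Assessment(outcome, lik, imp, rating, level,
                      assessed_at + TREAT_WITHIN[level])


def prioritise(entries, assessed_at):
    """Return assessments ordered highest rating first.

    ASSUMPTION: ties on rating are broken by the higher impact, so a less
    likely but severe outcome is listed ahead of a frequent, milder one.
    """
    rated = [assess(o, lik, imp, assessed_at) for o, lik, imp in entries]
    return sorted(rated, key=lambda a: (-a.rating, -a.impact, a.outcome))


# The guide's dust-storm example as (outcome, likelihood, impact), plus one
# constructed entry given in scale words to show a tie on rating.
DUST_STORM = [
    ("Truck needs to be repaired", 3, 2),
    ("Driver injured", 2, 4),
    ("Other vehicles damaged", 1, 3),
    ("Delivery delayed (constructed)", "Very likely", "Moderate"),
]

if __name__ == "__main__":
    start = datetime(2021, 3, 1, 9, 0)  # constructed assessment time
    for a in prioritise(DUST_STORM, start):
        print(f"{a.rating:>2}  {a.level:<8}  "
              f"treat by {a.treat_by:%Y-%m-%d %H:%M}  {a.outcome}")
```

Two outcomes can share a rating while differing sharply in impact, which is why a tie-break rule is worth recording alongside the matrix.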

Other factors that may be considered to prioritise risks are:

 any controls that are already in place

 the potential cost to the business if the risk is allowed to continue un-treated ‘as is’ in the event
that the risk actually occurs

 available resources and cost to address the risk

 legislated obligations

 the amount of risk the business is prepared to accept/carry.

Activity: Practical

Continue working on the practical activity you did previously in this topic (Beirut
explosion - https://www.nytimes.com/2020/08/04/world/middleeast/beirut-explosion-blast.html).
Assume the explosion has not yet occurred.
1. Establish the potential outcomes for two of the risks you identified.
2. Assess the likelihood of each risk occurring.
3. Assess the impact if each risk occurs.
4. Calculate each risk (likelihood x impact).
5. How will you prioritise the two risks?
Your trainer will facilitate a group discussion to summarise the group’s views and
answers.

Topic 3: Addressing risks in an organisation

In the previous topic, we looked at the first two steps in the risk management process. This topic
explores the last two steps: control and monitor (Figure 8).

Figure 8: Risk management process – Topic 3

Which actions can I take to address risks?


Once risks have been prioritised, address each risk according to the priority it was given.

Treatment of risk refers to the way the business will handle the risk.

Depending on the risk and its consequences, different actions can be taken to address it (in other
words mitigate the risk). These actions are usually one of the following:

 avoid the risk (for example, avoid the risk of employees being distracted by not allowing them
access to any social media sites during business hours)

 prevent the risk (for example, prevent data leakages by limiting the number of people who
have access to sensitive information)

 contain the risk (for example, contain the risk of hackers accessing data by installing a
stronger firewall)

 accept the risk (when the risk level is very low, when the treatment cost is much higher than
the cost of the damage or when the benefit of taking the risk far outweighs the potential
damage)

 transfer the risk (for example, seeking legal advice about employee contracts).

Activity: Brainstorm

As a group, brainstorm examples of risks where each of the actions “avoid risk”, “prevent
risk”, “contain risk” and “transfer risk” is applicable.
Can you think of any situations when you should accept a risk?
Your trainer will facilitate a group discussion to create a comprehensive list of
examples. Take notes and keep them for future reference.

Factors to consider when deciding on a risk treatment option include:

 acceptability of proposed decision/s to all

 the risk level and priority of the individual risk

 cost to address the risk

 continuity of effects

 contracts already in place

 cost effectiveness

 the economic and social environment surrounding the risk

 legislated obligations and compliance imperatives

 the possibility of the treatment creating another risk

 timing necessities

 sustainability of the proposed treatment.


Activity: Reflect

Prior to COVID-19, most organisations would not have anticipated and planned for
the impact the pandemic has had.
How do you think COVID-19 has changed or shaped future risk management?

Procedures that a company could use to minimise risk include:

 implementation of policies and procedures to ensure that staff understand and follow
appropriate procedures

 implementation of quality and compliance processes, for example, regular auditing to ensure
that risk management standards are met

 providing staff induction, ongoing training and performance management in relation to risk
management

 ongoing monitoring of risk through a range of measures such as historical data, team
meetings or performance reviews

 development and implementation of continuous improvement processes to ensure that risk
management processes are reviewed and monitored

 implementing quality assurance procedures and systems to ensure that risk management
processes are regularly checked, reviewed and monitored on an ongoing basis.
As you decide how to treat a specific risk, you may be required to consult and negotiate with
stakeholders.

Activity: Reflect

What do you think of when you hear the word “negotiation”?

Activity: Watch

Watch the video showing a negotiation scene.


Website: https://www.youtube.com/watch?v=0CdixDzE7I0 (01:00)

Activity: Discuss

As a group, discuss how the video you’ve just watched is similar AND dissimilar to
workplace negotiation.

Activity: Read

Read the articles on negotiation skills and techniques:
Article 1: https://www.skillsyouneed.com/ips/negotiation.html
Article 2: https://www.pon.harvard.edu/daily/negotiation-skills-daily/top-10-negotiation-skills/
Take notes and keep them for future reference.

What documentation is required?


Once risks have been identified, researched, analysed and prioritised, the risks that apply to the
scope should be documented according to the organisation’s policy and procedure. Keep in mind
that many software applications exist to help manage and document risk.

Activity: Read

Read the example of a sample risk management plan.
Website: https://www.northam.wa.gov.au/documents/708/sample-risk-management-plan

Activity: Practical

Create a list of everything contained in a risk management plan.

Activity: Discuss

As a group, discuss examples of situations where stakeholder consultation is
necessary before risks are documented.
Take notes and keep them for future reference.

How do I implement the chosen risk treatment?


Standard practice is to develop an action plan for every risk that has to be treated.

An action plan will:

 name the risk the plan relates to

 explain the outcome the plan is seeking to achieve

 identify the action that needs to be taken

 prioritise actions or steps/stages within the plan

 allocate responsibility for action to a particular person

 identify the date/time by which action must be taken

 identify the budget and other resources available

 give performance measures that will be used to decide effectiveness of the plan

 specify monitoring protocols for actions identified in the plan

 identify reporting requirements (when reports are to be made, how, to whom and their contents).

Implementation of risk action plans must be prearranged, intentional and scheduled.

Steps in the implementation process include:

 notify those involved/impacted about the plan (provide them with a copy, explain their roles
and responsibilities, highlight timelines to be observed and provide rationale)

 promote the plan/s (sell the benefits and emphasise impact on the business of failing to
implement the plan/s).

 provide the resources (as identified in the plan so those with responsibilities can take the
action necessary)

 actively manage implementation of the plan, including:


o verify that those involved understand what is expected of them and appreciate their roles
and responsibilities
o provide necessary training
o coordinate or facilitate required activities
o hold regular meetings with those involved
o be available for consultation by those with responsibilities under the plan/s
o check on work that has been identified as having been completed
o deal with problems and issues arising as a result of implementation activities
o be prepared to fine-tune original plan/s on the basis of issues arising
o re-order the priority ratings of risks as deemed necessary
o monitor risk management activities.

What does the monitoring and evaluation of risk management
actions involve?

Activity: Brainstorm

Work together in small groups. Make a list of data that may result from an action plan
being implemented and that is relevant for monitoring risk.
Your trainer will facilitate a group discussion to create a comprehensive list of data
that may be used to monitor risk management.

Action plans need to be monitored to:

 capture information that can be used in the evaluation phase

 demonstrate due diligence

 identify new or modified risks

 determine when/if corrective or remedial action needs to be taken relating to planned
activities.

Here are a few tips to remember:

 do it regularly

 be seen doing it

 involve others.

As you monitor the risk management process, evaluate each step to:

 judge its effectiveness

 learn lessons for future risk management

 improve existing risk actions.


Options for evaluating include:

 Process-based evaluation (assessing the effectiveness or success of the processes used).

 Goals-based (judging the success or effectiveness of plans based on how close they came to
achieving their stated goal/s).

 Outcomes-based (looking at all the results and effects of the plan: the positive and the
negative).
The focus of evaluation can include:

 processes followed in the risk management process to see if they are being implemented as
intended, and whether or not they are working

 the scope of risk management that was decided to see if anything has changed necessitating
an increase or decrease in that scope

 the business environment within which the organisation is operating to see if new risks have
emerged or if identified risks have varied significantly

 satisfaction levels of stakeholders with action taken to manage risks

 treatment options applied to see whether they remain viable and legitimate or if they need to
be changed

 incidents that occurred during the period

 resources allocated to the process to determine if they are sufficient/adequate and/or
appropriate.


Activity: Practical

Continue working on the practical activity you did at the end of Topic 2 (Beirut
explosion - https://www.nytimes.com/2020/08/04/world/middleeast/beirut-explosion-blast.html).
Assume the explosion has not yet occurred.
1. Say how you will address (treat) each of your two chosen risks.
2. Choose one risk and develop an action plan for implementing the chosen risk
treatment.
3. Explain how you would communicate risk management actions to relevant
parties.
4. List any data that could be available for future monitoring.
Assume that the explosion has now occurred.
5. How can the risk of a similar tragedy happening again be minimised in the
future?
Your trainer will facilitate a group discussion to summarise the group’s views and
answers.

Activity: Summary

Congratulations! You have now completed all the content required to successfully
apply your knowledge.
Create a mind map to summarise what you’ve learnt.

Activity: Develop

It’s time to put what you’ve learnt into practice.


1. Identify a (real or simulated) business or work area suitable to apply risk
management to (for example, Uber Eats food delivery).
2. Establish a risk context by:
   • providing a real or simulated review of its organisational processes,
     procedures and requirements for undertaking risk management.
   • determining the scope for the risk management process.
   • identifying internal and external stakeholders.
   • reviewing the political, economic, social, legal, technological and policy
     context for the organisation.
   • preparing a real or simulated analysis of strengths and weaknesses of
     existing risk management-related arrangements.
   • documenting critical success factors, goals or objectives for one risk
     management process.
3. Explain how stakeholders will be consulted by:
   • describing the consultation processes that would be used to engage with
     stakeholders.
   • preparing a written invitation to a stakeholder to attend a risk management
     consultation session.
4. Identify risks likely to impact the business, including:
   • an explanation of how risks for this business might be identified.
   • the use of at least one tool or technique to identify risks.
   • evidence of research into at least three identified risks.
5. Analyse the risks by:
   • assessing the likelihood of three of the risks you have identified occurring.
   • assessing the impact or consequence if those three risks occur.
   • prioritising the chosen risks.
6. Suggest at least one viable treatment option for each of the three risks.
7. Prepare an action plan for implementing each of the treatments selected and:
   • give details of how the three plans would be implemented to ensure their
     effectiveness.
   • explain how the action plan would be shared with stakeholders (identify
     who these would be).
   • explain negotiation principles you may use to negotiate details of the action
     plan with stakeholders.
8. Describe the evaluation and monitoring protocols that would apply to the three
action plans.
9. List all the documents the business would generate and maintain as part of their
risk management process.
The information should be presented in the form of a written report.
The information must be professionally presented and in a clear, easy to follow
structure.
Your trainer will provide any submission requirements or details.
