Risk: The effect of uncertainty on objectives.1
Notes:
An effect is a deviation from the expected - positive and/or negative.
Risk is often expressed in terms of a combination of the consequences of an event (including changes in circumstances or knowledge) and the associated likelihood of occurrence.
Whether you are conducting an activity or implementing change, there are likely to be potential hazards involved in the planning or execution of the activity. These hazards may be related to safety, security, compliance, financial, reputation, or capability. When a hazard has a probability of realisation (likelihood), and an impact (consequence), then it becomes a risk.
Risk is the chance of something happening that will impact upon objectives.
An integral part of any organisation is to have a Risk Management Process (RMP). RMPs proactively assess and mitigate those hazards as they are identified. In this way, an organisation can reduce the likelihood, or consequence (impact and scale) of any hazard….or, choose to accept the risk of the hazard eventuating, but this must be via a deliberate and considered risk assessment.
One of the most commonly known RMPs are the Federal and State Workplace Health and Safety RMPs that include the legislated WHS Act, Regulations and code of practice. For Defence, the primary resource is the Enterprise Risk Policy and Framework. There are also specific service or group-related RMPs and plans such as the Aviation Safety RMP, Navy Level RMP, Defence WHS RMP, Security Risk Management, Army Military Risk Management Policy, HQJOC Operational Risk Management and the CASG RMP to name but a few.
There are four steps in a RMP:
Identify the risk – determine the hazards that the activity might face.
Assess the risks (analyse and evaluate) – assess the likelihood and consequence of the hazard materialising.
Treat and manage the risk – taking steps to reduce or eliminate the risk as much as possible, or accept the risk.
Review and monitor – track the progress of the RMP and ensure all steps are being followed correctly; ensure the risk mitigation is in place and is effective; review the actions if the risk profile changes.
The Defence Risk Management Process is consistent with ISO31000:2018 Risk Management Guidelines.
Once a risk is identified and assessed, there are five ways a risk can be managed (treated):
Acceptance - when an organisation decides to accept the risks associated with a particular situation. With this kind of risk management, the organisation has recognised that it is not worth the cost and effort to mitigate the events that may occur due to the risk. The organisation may also take or increase the risk in order to pursue an opportunity.
Transference -when an organisation shifts the risks to another party, such as through insurance.
Risk Avoidance - is when an organisation takes steps to prevent or avoid a particular risk from happening. The organisation mitigates such risks by not involving in risky activities or situations. Remove the risk source.
Risk Reduction and Loss Prevention - are when an organisation takes steps or methods to reduce the impact of a particular risk that occurs. It combines risk acceptance as it acknowledges the risk involved while also focusing on how to reduce and contain the loss from spreading.
Risk Sharing - is when an organisation distributes the risk to the whole team. This method removes the burden of problematic events to one department and shares it with others so that those who can help and provide support for that problem can help and control those risks.
If the decision is taken to continue with the activity, then risk reduction activities can be conducted in order to further understand, reduce, mitigate or eliminate the risk. It is important that risk reduction activities are conducted in order to reduce the likelihood or consequence of a hazard. By conducting risk reduction activities, the effects of uncertainty can be reduced to ensure that the objectives of the business/project/product is able to deliver the required capability or activity.
When considering capability, acquisition and sustainment Risk Reduction Activities (RRA), the focus should be on defining and refining a suitable acquisition strategy to improve the chances of delivering the capability objectives of the business/project/product that is:
safe for use;
supportable;
environmentally compliant;
compliant with contractual conditions;
fit for purpose (scope) within the agreed tolerances of:
cost;
schedule; and
quality
Comments