Anziff Risk Management

Anziff Document

Uploaded by

Nguyen Quoc Huy

GI512-15

Introduction to Management
of Risk
16.01

© Australian and New Zealand Institute of Insurance and Finance 2016


This work is copyright. Apart from any use as permitted under
the Copyright Act 1968, no part may be reproduced by any
process without prior written permission from the Australian
and New Zealand Institute of Insurance and Finance.
Editions: 06.01, 10.02, 13.01
www.anziif.com
Acknowledgements
The Australian and New Zealand Institute of Insurance and Finance
would like to acknowledge the following industry representatives for their
contributions to the module GI512-15.
AS/NZS ISO 31000:2009, Risk Management – Principles and guidelines and
HB 436:2004, Risk Management Guidelines material reproduced under
licence from SAI Global Ltd.
Industry experts
Bob Anderson, 2011 review and ISO 31000 specialist advice
Stuart Bassett, LLB, BComm, FICSM, ASA, AAII, AIRM—contributing
author and case studies
Kevin W Knight AM; CPRM; Hon FRMIA; FIRM (UK); LMRMIA; ANZIIF
(Mem)—2010 review and ISO 31000 specialist advice
Gordon Taylor, ANZIIF Fellow; CIP, Adv Dip FS, Hon Life Member
Shaun Wilkinson, ANZIIF (Fellow), FCII, DipBusStuds(Ins Mgt), FIRM—
principal author, technical advice and New Zealand review
Gordon Young, BA, MSc, ARM, AFRMIA, CPRM—contributing review
Assessors
Ian Deayton
Eddy Lau
Sophia Chiu
Project Management and instructional design
Cathie Thomas, ANZIIF (Allied)
Desktop publishing
Staphenie Yau, ANZIIF (Allied)
Copy editing
Christina Perrett, ANZIIF (Allied)

Disclaimer
This subject matter is provided by ANZIIF for study, on the understanding
that no person should act on the basis of the material contained in this
publication without considering and taking professional advice.
In particular:
• ANZIIF, its directors, authors, or any persons involved in this
publication expressly disclaim any and all contractual, tortious, or
other form of liability to any person in respect of the publication
and any consequences arising from its use, including any
omission made, by any person in reliance upon the whole or any
part of the contents of this publication.
• ANZIIF expressly disclaims any and all liability to any person in
respect of the consequences of anything done or not done by any
person in reliance upon the contents of this subject material.
Competency standards
This module is part of an accredited competency-based course of study under
the Australian Qualifications Framework (AQF).
The AQF Implementation Handbook defines competency as…
…the possession and application of both knowledge and skills to defined
standards, expressed as outcomes, which correspond to relevant
workplace requirements and other vocational needs.
It focuses on what is expected of the person in applying what they have
learned and embodies the ability to transfer and apply skills and
knowledge to new situations and environments.

The module is designed to address the following competencies in the
FNS15 Financial Services Training Package (volume two):

Code        Title
FNSRSK501   Undertake risk identification
FNSRSK502   Assess risks
BSBRSK501   Manage risk
BSBWHS404   Contribute to WHS hazard identification, risk assessment and
            risk control

ANZIIF’s commitment to continuous improvement


ANZIIF is committed to providing a quality learning experience to all students
and makes every attempt to ensure the accuracy, currency and reliability of the
content contained within all learning materials at the time of publication.
Changes over time or other developments can impact upon the accuracy of such
content and, as a result, ANZIIF relies on the assistance of industry experts for
verification. We also appreciate any feedback students can provide to assist us in
improving our materials. To assist us in maintaining our commitment to
continuous improvement, please direct any comments regarding content you
perceive as inaccurate or inappropriate to ANZIIF’s Student Support Team at the
following email address: [email protected].
Contents

Section 1 Risk management—an overview 7


Defining risk 8
Defining risk management 9
Evolution of a discipline 12
ISO 31000:2009—The International Standard for risk management 15
The language of risk 19
Section summary 20

Section 2 Risk management in practice 23


Developing a risk management framework 24
Communication and consultation 34
Establishing the context 39
Section Summary 45

Section 3 Risk assessment 49


Risk identification 50
Risk analysis 69
Risk evaluation 80
Section Summary 90

Section 4 Risk treatment 97


Treatment objectives 98
Risk treatment options 102
Assessing risk treatment options 116
Designing and documenting risk treatment 119
Implementing the risk treatment plan 124
Risk financing 125
Section summary 133

Section 5 Monitoring and review 145


Monitoring 146
Reviewing 150
Event/loss reporting 152
Trend analysis 154
Taking action 157
Section summary 159

Section 6 Risk management and the Insurance program 163


Optimum level of retained loss 164
How insurance companies manage exposures to risk 166
The basis of underwriting 169
The principles of underwriting 173
Overview of risk management and insurance programs 174
Evaluating risk and compliance factors 175
Risk management strategies 178
References and recommended reading 187

Appendices 189
Appendix 1—Example: Risk identification questionnaire 189
Appendix 2—Masterprint’s risk identification information 197
Appendix 3—Masterprint’s risk assessment reference tables 201
Appendix 4—Masterprint’s risk register 203
Appendix 5—Outline of Masterprint’s risk management program 205
Appendix 6—Starex Insurance risk management implementation report 207
Appendix 7—Example: Risk register 211
Appendix 8—Example: Risk treatment schedule 213
Appendix 9—Example: Risk treatment action plan 215
Section 1

Risk management—an overview

Introduction
Risk is inherent in everything that we do, whether it is driving a car,
developing a project, dealing with clients, establishing work priorities,
purchasing new equipment or systems or, indeed, deciding not to take any
action at all. We are continually taking risks and, as a consequence, we
manage the effects of being exposed to risks all the time, often without
realising it.
Over time, the concept of risk management has gradually developed—today it
is an essential part of business; public and private, large and small. Every
organisation is exposed to a wide variety of risks, any of which may create an
upside (a gain) or a downside (a loss) for the organisation. In the course of
everyday business, an organisation takes risks as well as being exposed to risk
by virtue of its existence. It makes sense for an organisation to manage all
those risks in a coordinated and coherent manner according to an overall plan.
This allows an organisation to maximise the upside of the risk exposures
whilst minimising the downside. Risk management is a tool that enables the
organisation to do this in an effective and efficient manner.
Recent developments in the management of risk have been driven mainly by
changing attitudes towards corporate governance and the accountabilities of
directors and officers. It is no longer accepted that insurance coverage
discharges the obligation to manage the risks to which organisations are
exposed. Instead, organisations are now eager to learn how to
effectively manage the risks to which they are exposed, including through the
risk management process, which is outlined in this section and is then the
detailed focus of the remainder of this learning module.
As such, this first section of the module provides an overview of the concepts
of risk and the processes of risk management and how these are applied
within the commercial environment.

Learning outcomes
This section focuses on the knowledge requirements that underpin practical
competencies covered in the subsequent sections. When you have worked
through this section, you should be able to:
• evidence a knowledge of the principles of risk management
• evidence a knowledge of ISO 31000:2009, Risk Management—Principles and
guidelines.

www.anziif.com 7
Introduction to Management of Risk

Defining risk
There are countless definitions of risk to be found in published works and
there are numerous different types of risk. In the past, risk was commonly
seen as the chance of something happening that will have an adverse effect on
an organisation or individual. This limited view of risk has now been
superseded by a much broader definition and understanding. For example,
the International Standard—ISO 31000:2009, Risk Management—Principles and
guidelines defines risk as:
… the effect of uncertainty on objectives

In their book Enlightened Risk Taking, George Head and Melanie Herman
defined risk as:
…the measure of the possibility that the future may be surprisingly
different from what we expect.

Risk is all about uncertainty, or more importantly the effect of uncertainty on
the achievement of objectives. Without risk there is no reward or progress, but
unless risk is managed effectively opportunities will not be maximised and
threats will not be minimised.
All risks have a source—they are generally associated with a particular
decision, situation, event or incident—and they have a likelihood and a
consequence.
You will notice as you read through the learning material and undertake the
questions and activities that the term risk has both a positive and negative
connotation. This is because there is both an upside and downside to the risk
equation. The downside is the potential for damage to reputation, failure of
market or product, reduction in earnings or turnover, property damage or
similar type of loss. The upside is the potential for benefit in terms of
company profile or credibility, increased profit, reduction in costs, increase in
turnover or other similar gain.


Defining risk management


Without risk there is neither reward nor progress.
We take risks in order to derive a benefit or secure an opportunity. To
optimise the outcomes from such an undertaking, we need to maximise any
opportunities that may occur and minimise the downsides of exposure to
risks.
As a discipline, risk management provides a knowledge base and a logical
framework that facilitates the effective handling of events that could produce
a benefit or could cause harm. It is a multi-faceted process by which to
maximise opportunities and minimise threats.

Individuals and everyday risk management


Managing the effects of risk is part of all our activities, whether at home, at
work or at leisure. Whatever we do and however we do it, there is always an
element of risk.
Consider:
• When you last mowed the lawn, did you check for stones on the grass
before starting? Did you wear solid shoes or boots, or go barefoot?
• How much care do you really take when you drive a vehicle? Why do you
service your vehicle?
As individuals, we understand that our activities have consequences that may
affect our families, our friends and broader society. With these consequences
in mind, we aim to effectively manage the risk exposures in our lives.

Risk management in organisations


Business organisations, both large and small, can understand the
consequences of their activities in terms of the risks to which they are
exposed.
An organisation should grasp opportunities to make a profit and at the same
time protect itself from the possibility of financial loss. Because risk taking can
be a source of profit and/or reward for any organisation, the coordinated
management of all risk exposures plays an important part in the ongoing
wellbeing of businesses and organisations as well as for individuals and
society as a whole.


George Head, an American educator and Vice President of the Insurance
Institute of America in the 1980s, described risk management as a specialist area
within the field of general management. Head and Herman (2002) defined risk
management as:
…using an organisation’s resources and activities to counter potential
losses and seize potential gains.

Risk management can help an organisation to avoid crises, or to manage the
resultant impacts much better. Risk management can give a company an
advantage over competitors, through better preparation for adverse events. If
such an event occurs, the company will be able to respond more effectively
than its competitors. By implementing risk and loss control measures and an
appropriate business continuity plan, an organisation can ensure it will
remain capable of meeting its objectives.
When it is effective, risk management can also add value to a company. It can
maximise profit by maximising any possible gains whilst minimising loss and
providing cost-effective solutions to the effects of risk.
Risk management applies equally to non-profit organisations such as
churches and charities as well as government organisations, all of which are
exposed to a diverse array of risks, requiring a similar risk management
framework to that of a commercial organisation. Whereas the objectives of
many organisations are to maximise their profit, not-for-profit organisations
may seek to maximise the effectiveness of the services they provide.
Organisations with a fully implemented risk management program present
far less risk as far as underwriting is concerned:
• they will have identified their risks and implemented risk treatments to
reduce those risks
• their potential loss estimates will be reduced, and business contingency
plans will be in place if required
• their risk of business interruption will be reduced.
This course is designed to provide an understanding of risk management best
practice and to enable you to advise the underwriter on the level of risk
management within an insured’s organisation.


Examples—Poor risk management


Many organisations have suffered considerable losses or actually ceased to
exist because they have failed to identify the risks to which their organisation
was exposed, or they adopted a poor risk management approach.
Here are some of the outcomes of risks faced by international
companies in recent years:
• Perrier was compelled to instigate a worldwide recall of mineral water
bottles when benzene was found in some routine sample tests.
• Union Carbide was required to pay hundreds of millions of dollars in
claims after the gas leak in Bhopal, India.
• ExxonMobil incurred considerable costs when the tanker Exxon Valdez ran
aground and leaked massive amounts of oil.
• Intel faced huge recall expenses as well as Directors’ and Officers’ liability
suits when certain shareholders filed actions alleging it had badly
handled a problem with its Pentium chip. Specifically, a minor problem
became a worldwide crisis when the company poorly communicated the
issue to its customers.
• The world’s largest insurer, AIG, received a $182b bailout from the US
Government. It suddenly collapsed in September 2008 due to bad bets it
made insuring mortgage-backed securities. Fox Business Network
reported: ‘On the subject of risk management, Mr. Greenberg the once head
of AIG was as bold as ever, saying “had I stayed there, what I’m sure
about, the break down in risk management would not have taken place.”’
• The BP oil spill of 20th April 2010 in the Gulf of Mexico had a total
estimated cost of $9.5 billion. “Thus, it comes as no surprise that, as The
Times also reported, no BP official had overall responsibility for safety on
the Deepwater Horizon. This highlights the main lesson of this case: In
hazardous operations—such as the search for energy sources in increasingly
dangerous environments—minimising catastrophic risk demands strong,
accountable safety supervisors and workable, realistic planning for
emergencies”. Dana M. Radcliffe, Senior Lecturer of Business Ethics at
Cornell University’s Johnson Graduate School of Management.


Evolution of a discipline
Risk management has evolved as a discipline that uses numbers and
information from the past to help quantify and predict the future.
It is a useful tool; however, it is not an exact science because, above all, the
future is unknown and remains unpredictable.
The beginnings of risk management lie firmly in game playing, gambling and,
consequently, statistics. The following is an outline of the foundations of risk,
adapted from Peter Bernstein’s book Against the Gods, as they have developed
since the seventeenth century.

Historical foundations of risk management


1654: Theory of probability
The study of risk really began during the Renaissance period. In 1654, a French
nobleman named Chevalier de Méré challenged the mathematician Blaise
Pascal to solve a puzzle related to a game of chance. The puzzle revolved
around how to divide the stakes of an unfinished game of chance between
two players when one of the players was leading the game. The outcome of
this challenge led to the discovery of the theory of probability, allowing people
to make decisions and forecast the future by using numbers. Over the years,
mathematicians and scientists advanced the probability theory, taking it from
a gambling aid to a powerful instrument for analysing data. This theory
remains as the mathematical core of the concept of risk as we know it today.

1700s: Law of large numbers


Over time, other quantitative techniques of risk management emerged. In the
early 1700s, the Swiss scientist and mathematician Jacob Bernoulli formulated
the law of large numbers (i.e. the accuracy of predictions of results from a pool
of homogeneous exposures to risk increases as the number of exposures in the
pool increases). This law is fundamental to insurance underwriting and to
methods of statistical sampling. Indeed, by 1725, mathematicians were
devising tables of life expectancies and the English government was able to
finance itself through the sale of life annuities.

1730: Law of averages

In 1730, Abraham de Moivre developed the structure of the normal
distribution (now commonly known as the bell curve) and also discovered the
concept of standard deviation. These two concepts form the law of averages and
are fundamental to modern techniques for quantifying risk.


1750s: Bayesian probability


Using these theories and laws that had been developed, by the middle of the
18th century, marine insurance emerged as a prosperous business. In the
1750s, an English minister named Thomas Bayes advanced statistics and risk
management further by demonstrating how decision making could be
improved by mathematically combining new information into old
information.

1875: Regression to the mean


In 1875, Francis Galton, a lay mathematician, discovered regression to the mean.
This means that whenever someone makes any decision based on the
expectation that things will return to normal, they are using the idea that
things will actually regress to the mean or the normal.

1916: Administrative theory

In his seminal work, Administration Industrielle et Générale, Henri Fayol
postulated the following functions of administration (which have their modern
equivalent in executive management):
• Technical—production
• Commercial—buying, selling and exchange
• Financial—the search for the optimum use of capital
• Accounting—the recording and analysis of financial transactions
• Managerial—planning, organisation, command, coordination and control
• Security—the protection of property and persons.

1952: Diversification
Harry Markowitz, a graduate student at the University of Chicago,
demonstrated mathematically why it is unwise to ‘put all your eggs in one
basket’ and that diversification is a necessary risk management strategy that
should be employed.

1956: The advent of risk management


The concept of risk management first appeared in an article written by Russell
B. Gallagher for the Harvard Business Review. In the article, he urged corporate
insurance buyers to concentrate on the cost of dealing with the effects of
exposure to risk rather than on getting the most insurance for their money.


A traditional insurance-focused approach


As little as fifty years ago, the term risk management was still little-known and
infrequently used in business organisations. Prior to the implementation of
modern risk management practices, organisations were fairly unscientific in
identifying their risk exposures, offering little more than reactive solutions by
adopting what is now regarded as a traditional insurance-focused approach.
Organisations using this approach basically purchased insurance for those
exposures that were insurable, thereby sharing the organisation’s potential
losses with an insurance company for an agreed price.
However, certain problems with the insurance-focused approach soon became
obvious. It was realised that the proceeds from insurance did not cover all the
costs a company might incur from a loss. In addition, insurance is not able to
provide finance to offset the downside outcomes of all of an organisation’s
exposures to risk. Managers began to see that it was equally as important to
prevent losses from occurring as it was to insure against them.

A contemporary approach
The status of risk management has grown over the years, seeing changes to
the operational risk management structures of organisations as well as the
approaches to the management of risk. In the early days, risk management
was seen as an informal discipline within the management process. Now, with
the continued pressure on the bottom line performance of organisations—large
and small, public and private—the management of risk has become a vital
part of a fully integrated approach to the management of an organisation.
In contrast to the traditional insurance-based approach, the contemporary
approach to risk management takes a proactive, holistic approach to risk
exposures. It seeks to provide solutions by managing the effects of all risk
exposures in the context of the overall management of the organisation.
The management of risk is now widely considered an integral function of
general management. It is about managing exposures to risk through
planning, organising, directing and controlling the resources or activities of
individuals or organisations. This cannot be done without embedding risk
management within the overall management system of an organisation.
Risk management has become very important to the future business survival
of companies. It is an iterative process of continuous improvement that is
embedded into existing practices or business processes.
While some organisations employ independent specialist risk management
consultants, other organisations have a dedicated risk management structure
within their operations. Whatever structure is adopted, the role and
accountabilities of modern risk management operations are always to
maximise any opportunities and reduce any chance of failing to meet
organisational objectives.


ISO 31000:2009—The International Standard for risk management
The International Standards Organisation (ISO) published ISO 31000:2009,
Risk Management – Principles and guidelines on 15th November 2009.
The Standard provides a set of principles, a framework and a process for
effectively managing risks. It provides critical information for establishing,
implementing and maintaining a risk management program, espousing the
adoption of an integrated and holistic approach at both strategic and
operational levels. This is deemed to be ‘an integral part of good management
practice and an essential element of good corporate governance’.
It has been formally adopted as the national Standard of risk management for
Australia and New Zealand. Standards Australia and Standards New Zealand
produced a local edition—AS/NZS ISO 31000:2009, Risk Management—
Principles and guidelines and withdrew its predecessor—the AS/NZS 4360, Risk
Management Standard series. The new Australia/New Zealand Standard is
identical to the international one, except that it contains a preface and an
introduction which address the transition to the current edition.
Note: For simplicity’s sake, further references to the Standard (both local and
international versions) will use the short title ISO 31000:2009.

Activity—ISO 31000:2009
Access the ISO 31000:2009 Standard provided with this module.
Log into the study centre at www.anziif.com/study-centre. Under the resources
listed for this learning module, you will find ISO 31000:2009 Risk
management—Principles and guidelines in your list of Resources.
Note: ANZIIF’s licensing agreement allows you to access a secure online
version to assist you with your studies, but limits your rights to print or
distribute the Standard. For purposes other than personal study, or for access
to a number of other risk management publications, you can purchase the
Standards by contacting Standards Australia’s publisher, SAI Global, at
www.saiglobal.com.


Eleven risk management principles


ISO 31000:2009 stipulates 11 risk management principles that an organisation
should address to effectively manage its risks and achieve its objectives.
According to these principles, the management of risk must:
1 create and protect value by contributing to the achievement of
objectives and improved performance
2 be an integral part of organisational processes, from the setting
of organisational objectives to strategic planning, project
management and operational activities
3 be an integral part of the decision making process, so that
decisions are the right ones and can be managed to a successful
outcome
4 explicitly address uncertainty
5 be systematic, structured and timely
6 be based on the best available information, and acknowledge any
data limitations
7 be based on the organisation’s risk profile and its risk appetite for
given situations
8 recognise the impact of the human, cultural and environmental
paradigms of the organisation on the achievement of objectives
9 address the perceptions of stakeholders, not just company
management
10 be dynamic and responsive to change and take account of new or
emerging risks
11 be continually improving as the organisation matures.

These principles need to be addressed by an organisation’s Board and senior
management when they establish a mandate and commitment to manage risk
within the organisation.

Risk management framework


ISO 31000:2009 advocates a risk management framework designed to provide the
foundations and arrangements that will embed the management of risk
throughout the organisation at all levels. The framework does not prescribe a
management system per se, but rather emphasises the fact that organisations
should weave the risk management components into their existing
management system.
To be effective, a framework must be founded upon a mandate and commitment
by an organisation’s senior management. This undertaking must include a
dedication to the implementation, review and continual improvement of how
risk is managed, ensuring that each step is fully focused on the achievement of
organisational objectives. The framework calls for a clear understanding of the
context in which the organisation operates so as to ensure the risk management
policy clearly states the Board’s commitment to the management of risk.


The framework also sets out how the management of risk is to be woven into
the organisational fabric so as to become an integral part of how things are
managed within the organisation rather than having risk management as an
add on or separate activity divorced from the mainstream line management of
the business.
An organisation’s Board must ensure there is accountability and authority for
the management of risk. ISO 31000:2009 seeks to differentiate between risk
owners who are accountable for managing risk (i.e. those persons with a
corporate and/or legal liability for their decisions or lack of decision) and
those who are responsible for specific tasks (i.e. those persons with an
obligation to carry out an instruction from a higher authority).

Prescribed risk management process


Organisations of all sizes are increasing their focus on the management of
risks. To assist with this, ISO 31000:2009 provides
a consistent approach to the risk management process for businesses. The
process, as outlined in ISO 31000:2009, provides guidance for the development
and implementation of policies and procedures which in turn enable an
organisation to handle the risks to which it is exposed. The policies and
procedures also assist an organisation in maximising any opportunities that
may occur whilst minimising the downsides of exposure to those risks which
could significantly affect the viability of the business.
There are five major steps in the risk management process and each step
comprises a number of activities.
The risk management process, as prescribed by ISO 31000:2009, consists of
five activities:
1 communication and consultation
2 establishing the context
3 risk assessment, including identification, analysis and evaluation
4 treating risks
5 monitoring and review.
These activities are used as the basis for assessing and managing complex risk
management portfolios. As a risk management practitioner, you need to
understand all of the activities and the steps encompassed by each one. It is
this process, graphically represented below in Image 1.1, that will be the
primary focus of the coming sections of this learning module.


Image 1.1 Overview of the risk management process

Each step in the risk management process will be looked at in detail in the
following sections of this module.

Activity 1.1—Risk management publications


SAI Global provides organisations around the world with information
services and solutions for managing risk, achieving compliance and driving
business improvement.
They provide aggregated access services to standards, handbooks, legislative
and property publications; they facilitate good governance and awareness
of compliance, ethics and policy issues; and they provide training and
improvement solutions to help individuals’ and organisations’ risk
management programs succeed.
ISO 31000:2009 Risk management—Principles and guidelines, provided by SAI
Global, is a core reference for professionals involved in the management of risk.
Note: Standards may be purchased by contacting Standards
Australia’s publisher, SAI Global (www.saiglobal.com).

Self-help question 1.1


1 What is the current National Standard of risk management for Australia
and New Zealand?
2 What are the 11 risk management principles?
3 What are the five basic activities to be performed in a risk management
process?
4 What three steps are integral to risk assessment activities?
Answers to self-help questions are provided at the end of each section.


The language of risk


Organisations and individuals may use the terms associated with risk
management in very different and often confusing ways. This is due to the
different spheres of industry or business in which an organisation may
operate, and also because each business has its own particular perspective
on risk and what it means in the context of its operations.
To effectively manage the risks of an organisation, it is critical that the
relevant people have a common understanding of the concepts and language
that is used. This means that the language of risk management needs to be
understood throughout the organisation and by significant external parties.

A shift of emphasis
Traditionally, business and industry have used the word risk to describe the
chance of a loss occurring. This is different from the way in which the term
risk is now being used by risk management specialists and within the various
risk management standards that have been published around the world.
ISO 31000:2009 has clearly shifted the emphasis of the field from the
uncertainty of an event happening to the effect of uncertainty on objectives. The risk
management process aims to clearly assess risk and feed this information into
the management system for resolution.

Risk management and the management of risk


Although we manage risk using a risk management process, there is a semantic
problem with the term risk management in that many people still associate it
with insurance buying: a misunderstanding that is particularly common at
executive management and board level. This confusion is somewhat alleviated by
talking about the management of risk, a phrasing that many people believe
more clearly distinguishes the activity from insurance buying. Once this basis
is established, it is sometimes found that references to the risk management
process have more traction with senior management.

Activity 1.2—Risk management vocabulary resources


ANZIIF has developed a risk management glossary to assist you in
understanding many of the terms that are used in this diploma. It can be
accessed online at www.anziif.com/study-centre
For further information or assistance on navigating ANZIIF’s website, refer to
your enrolment confirmation materials or visit ANZIIF’s online Award Course
Discussion Forum.
More broadly, ISO Guide 73:2009, Risk management—Vocabulary has been
developed to encourage the international adoption of a common language of
risk. It may be purchased by contacting Standards Australia's publisher,
SAI Global (www.saiglobal.com).


Section summary
In this section, we have provided an introduction to the theory of risk.
We looked at the basic definitions of risk and risk management, outlined the
history of their evolution and gave a brief overview of the current state of risk
management as a discipline.
In short, risk is the effect of uncertainty on objectives. Without risk there is no
reward or progress, but unless risk is managed effectively opportunities will
not be maximised and threats will not be minimised. Risk management,
therefore, is the use of an organisation’s resources and activities to counter
potential losses and seize potential gains.
Whereas early risk management techniques focused on the purchasing of
insurance, contemporary methods adopt a proactive, holistic approach to risk
exposures. Modern risk management seeks to provide solutions by managing
the effects of all risk exposures in the context of the overall management of the
organisation.
ISO 31000:2009, Risk Management—Principles and guidelines sets out a set of
principles, a framework and a process for effectively managing risks. It
espouses the adoption of an integrated and holistic approach to the
management of risk at both strategic and operational levels.
The risk management process, as prescribed by ISO 31000:2009, consists of
five activities:
1 communication and consultation with stakeholders
2 establishing the context
3 risk assessment, including three steps
- identification
- analysis
- evaluation
4 risk treatment
5 monitoring and review.
To effectively manage the risks of an organisation, it is critical that the
relevant people have a common understanding of the concepts and language
that is used.


Answers to self-help questions


Self-help question 1.1
1 The current National Standard of risk management for Australia and New
Zealand is AS/NZS ISO 31000:2009, Risk Management—Principles and
guidelines.
2 As defined by ISO 31000:2009, the 11 risk management principles include:
1 create and protect value by contributing to the achievement of
objectives and improved performance
2 be an integral part of organisational processes, from the setting
of organisational objectives to strategic planning, project
management and operational activities
3 be an integral part of the decision making process, so that
decisions are the right ones and can be managed to a successful
outcome
4 explicitly address uncertainty
5 be systematic, structured and timely
6 be based on the best available information, and acknowledge any
data limitations
7 be based on the organisation's risk profile, and risk appetite for
given situations
8 recognise the impact of the human, cultural and environmental
paradigms of the organisation on the achievement of objectives
9 address the perceptions of stakeholders, not just company
management
10 be dynamic and responsive to change and take account of new or
emerging risks
11 be continually improving as the organisation matures.
3 The five basic activities to be performed in a risk management process are:
a communication and consultation
b establishing the context
c risk assessment, including three steps
d treating risks
e monitoring and review.
4 Risk assessment includes identification, analysis and evaluation.

Section 2

Risk management in practice

Introduction
Whereas the first section introduced the theoretical underpinnings of risk
management, this section will begin to identify how that theory is practically
applied in organisations, starting with the establishment of a risk management
framework and forming the foundations of a risk management process.
A risk management framework is the cornerstone of an organisation’s risk
management program. It sketches the infrastructure and boundaries within
which an organisation will construct its risk management approach. It sets out
how an organisation will develop and implement a risk management program
as an integral component of its overall management system, and establishes
what the rules will be.
Important components of the risk management process that will impact on the
success of the risk management program are: (a) communication and
consultation with stakeholders; and (b) establishing the context. These two
components form the basis for all of the subsequent stages of the risk
management process—whether it’s identifying risks, analysing risks, treating
risks or monitoring them. Both the stakeholders and the context for risk
management should be referred to throughout the rest of the process to
ensure that the risk management program remains on track and relevant to
the organisation's objectives.

Learning outcomes
When you have worked through this section, you should be able to:
• contribute to the implementation of basic risk management principles
• define the organisational environment
• evidence an understanding of the nature and scope of the business
• define the boundaries of risk management activities
• identify and evaluate existing risk management processes
• communicate with relevant internal and external stakeholders
• demonstrate an ability to consult with a diversity of people
• identify relevant guidelines
• develop risk evaluation criteria.


Developing a risk management framework
Section 2.3 of ISO 31000:2009 defines a risk management framework as a:
…set of components that provide the foundations and organisational
arrangements for designing, implementing, monitoring, reviewing and
continually improving risk management throughout the organisation.

ISO 31000:2009 does not prescribe a management system but seeks to assist an
organisation in integrating the management of risk into its overall
management system. The risk management program should be firmly
embedded throughout the organisation’s management system. The risk
management framework should include strategic and operational planning,
decision making and processes and practices for dealing with risk exposures.
A well-defined risk management framework establishes the parameters
within which an organisation will manage its risk exposures. It sets the scope
for the entire risk management process and determines how systemic risk
management can be established and maintained within the organisation.
To this effect, an organisation’s risk management program should be firmly
integrated into the overall management plan of the organisation and it should
fully support the organisation’s overall objectives. For an organisation to
successfully manage its risk exposures, it is necessary for the board, senior
management and operational management to support and commit to the risk
management program.
The risk management framework establishes how the organisation will view
exposure to risk as well as the administrative, human and financial resources
necessary to enable those exposures to be managed effectively whilst meeting
the organisation’s objectives.
The framework for the management of risk must be fully integrated into an
organisation’s management system. Successful implementation of a risk
management framework requires developing, establishing and sustaining
systemic risk management throughout an organisation. The steps to achieve
these outcomes should include:
• ensuring the support of senior management
• developing a risk management policy
• reviewing existing risk management processes
• developing a risk management plan
• establishing responsibility, accountability and authority
• customising the risk management process
• resourcing
• establishing procedures for monitoring and reviewing
• documenting.


Ensuring the support of senior management


The risk management framework of an organisation starts with the Board
approving a mandate and commitment for the implementation of a risk
management policy. This sets out the organisation’s commitment and
approach to risk management and how it will integrate with existing
management structures and systems.
To ensure the success of the risk management program, it is critical that there
is active and ongoing support for the management of risk by the
organisation’s directors and senior executives from the outset of the risk
management program.
It is important to develop an organisational risk management philosophy and
awareness of risk and of the impacts of exposure to risk at both a board and
senior management level. It is vital that all levels of management in the
organisation take ownership of all of the risks to which their particular part of
the organisation is accountable.
A senior manager should be identified as the risk management champion to lead
and sponsor risk management initiatives across the organisation.

Developing a risk management policy


An organisation’s risk management policy should be a high-level document
which outlines the organisation’s approach to risk management and sets the
risk management program firmly within the management structures of the
organisation. According to section 4.3.2 of ISO 31000:2009, the risk
management policy should contain:
a the organisation’s rationale for managing risk;
b links between the organisation’s objectives and policies and the risk
management policy;
c accountabilities and responsibilities for managing risk;
d the way in which conflicting interests are dealt with;
e commitment to make the necessary resources available to assist those
accountable and responsible for managing risk;
f the way in which risk management performance will be measured and
reported; and
g commitment to review and improve the risk management policy and
framework periodically and in response to an event or change in
circumstances.
In short, the risk management policy provides a guide for managing risk
within the organisation and it is closely aligned with the overall management
of the organisation.


Key issues that the risk management policy should address include:
• the purpose of the risk management program and its aims—objectives,
philosophy, culture and structure of the organisation should be clearly
reflected in, and totally supported by, the risk management program
• ensuring the risk management program is embedded within the
organisation's management systems
• the scope and parameters of the risk management program—that is, which
risk exposures will be managed within which parts of the organisation
• the organisation's tolerance or appetite for exposure to risks
• ensuring clearly designated responsibility, accountability and authority for
specific areas of the risk management program and the overall risk
management program is established from the outset—this includes
performance measurements and reporting processes and accountabilities
• resources required to implement and maintain the risk management
program—this includes the people, skills, information systems and
financial resources required
• clear documentation and communication of the risk management process
and overall program (including the risk management policy) to all
stakeholders
• regular monitoring and review of the implementation and maintenance of
risk management initiatives.
Implementing risk management is a difficult task, and for it to be successful
it is critical that a well-drafted policy is produced and that the implementation
has the support, commitment and sponsorship of senior management.
When the risk management policy has been crafted, it should be
communicated to all stakeholders to ensure they are all working from the
same ‘game plan’.

Activity 2.1—Risk management policy


If possible, find out whether the organisation you work for has a risk
management policy.
If the organisation has such a policy, read through the policy and determine
whether the document covers the areas outlined above. Think about whether
there are ways in which the policy could be improved to strengthen the
organisation’s approach to the management of risk.


Reviewing existing risk management processes
One of the first steps involved in establishing a risk management framework
for any organisation is to evaluate existing management processes and
systems in order to identify where elements of risk management are already
being practised within the organisation. Undertaking a critical review of
existing risk management allows the organisation to assess:
• how effectively risk management practices are currently being undertaken
by the organisation (or parts of the organisation)
• how well risk management practices have been integrated into existing
management and operational practices
• whether any existing risk management practices need to be amended or
expanded as part of the formal risk management program
• whether there are any constraints (including physical and financial
resources) associated with extending risk management initiatives and/or
introducing a formal risk management program within the organisation
• the legislative, regulatory and compliance requirements that must be
addressed.
It is essential that the elements of risk management that are already in place
are critically reviewed and assessed so that planning starts from a known
base.

Developing a risk management plan


A risk management plan provides a high-level view of risk management within
an organisation, setting out how risk management will be deployed.
A risk management plan should be produced to define exactly how risk
management will be carried out within the organisation. It should always
reflect the organisation’s strategic and operational plans. The aim of the risk
management plan is to entrench risk management within the organisation’s
existing business practices, procedures, systems, policies and the like (at both
strategic and operational levels). This will help make sure that risk
management has the best chance possible of succeeding within the
organisation and that it is capable of being sustained.
A risk management plan generally encompasses:
• the organisation's risk management policy
• the context established for risk management
• the scope and objectives of risk management activities
• the functions of risk management within the organisation
• the person/s responsible for implementing the functions and activities.
Sitting under the risk management plan is a summary of the risk register and
the risk treatment schedule for major risk exposures. These documents are
detailed in the later sections of this module about risk assessment and risk
treatment respectively.


Organisational-level risk management plan


Plans should be developed for managing risks at all appropriate
organisational levels through the application of risk management. This should
include practical strategies that will be taken to encourage the adoption and
embedding of the risk management process into the critical activities, systems
and processes of the organisation. Measures to ensure the risk management
process is sustained and enhanced should also be defined. The process for
managing risk exposures should be embedded into the policy development,
business and strategic planning and change management processes for the
organisation. This will involve recording:
• the strategic, organisational and risk management context
• risk exposures identified for the organisation
• analysis and evaluation of these risk exposures
• treatment strategies
• monitoring and assurance mechanisms, and
• strategies for raising awareness, skills acquisition, training and education.

Manage risk exposures at each level of the organisation
There are significant challenges associated with establishing and
implementing risk management at each level of an organisation, including:
• For the board, the challenge is to set the organisation's strategic objectives,
establish the risk management policy and review the organisation's
performance in managing its risk exposures.
• For executive management, the challenge is primarily one of integration with
existing management practices and systems.
• For operational managers, the challenge is to provide effective leadership of
risk management within the organisation.
• For all stakeholders, the challenge is one of ensuring that risk
management is effectively established and maintained and that continuous
improvement processes are achieved.
Plans should be developed and implemented for each hierarchical level, each
area or department, each function or business process, each program, project,
or team activity. Such plans should be consistent with, and may be part of,
organisational-level plans.
The plans should be developed with consideration for how they will integrate
with the risk management process. The process for managing risk exposures
should be embedded into all critical planning and management activities,
including those involved in the management of changes.
The process followed, the decisions taken, and the actions planned, should be
recorded. The manager/s of each organisational area concerned should ensure
that the plans are relevant and appropriate to their area.


Establishing responsibility, accountability and authority
Although the directors and senior management are ultimately responsible for
managing all of the risks to which the organisation is exposed, all personnel
within the organisation are accountable for managing the risk exposures
within their areas of control.
This can be achieved by specifying those persons who are accountable for:
• the management of particular risk exposures
• implementing specific risk treatment strategies, and
• maintaining risk controls within the organisation.
It is also important to establish performance measures and reporting
processes for the specific areas of the risk management program.
In recent years as a direct result of the greatly increased emphasis on
corporate governance and regulatory compliance in business, the
management of risk has become a key issue for the boards and management
of listed companies. For example, there are now stock exchange requirements
in many countries for management and directors of listed companies to
inform themselves and to report on key risk exposures of the organisation and
how the organisation is effectively managing these exposures.

Compliance and due diligence


At its simplest, due diligence means ‘take care’. Due diligence also describes the
process of analysing and verifying information to ensure that all the information
that is required by law is provided and that the information is correct. It is a
formal process that responsible officers (for example, executive managers of the
organisation) must apply in discharging their duties. In this case, it can also
mean ensuring that a proper and thorough study of the proposed risk
management program has been undertaken.
A due diligence statement is a document whereby responsible officers formally
acknowledge their responsibilities and accountabilities towards ensuring that
an organisation’s risk management policy and associated processes,
procedures, systems and activities are properly implemented and maintained.
A due diligence statement is not always necessary, but in some cases—for
certain types of organisation—it may be needed to fulfil organisational
compliance requirements as set by legislation and regulation.


Customising the risk management process


The principles, framework and process set out by ISO 31000:2009 are designed
to be applicable to any type of organisation, though the standard does not mandate a
one-size-fits-all approach. Rather, it emphasises the fact that the management of
risk must be tailored to the specific needs and structure of a particular organisation.
This module describes a generic process for managing risk exposures that is
used by numerous organisations in a number of different industry sectors. In
the spirit of ISO 31000:2009, the generic process should be customised for the
specific organisation and its policies, procedures and culture. As part of this
process, the organisation should specify performance requirements and the
criteria by which the success of the risk management process can be assessed.
The organisational structure that the risk management process will operate
within needs to be comprehensively understood and integrated into the initial
planning. This should enable the accountable parties to be sure that the
framework will achieve the required outcomes. This involves establishing a
set of steps, tasks and activities, along with suitable measurement metrics, that
will be taken by the organisation to achieve these initiatives.
There are four basic structures that might be used by an organisation for the
management of exposures to risk:
1 external risk management consultants
2 internal insurance departments
3 risk management departments
4 integrated risk management.

External risk management consultants


Small organisations often rely almost solely on a specialist risk management
consultant to provide them with generic risk management program advice to
supplement their own activities. In particular, the consultant would provide a
range of risk management services, calling upon specialist services as
required—for example, fire protection engineers.

Internal insurance departments


Some organisations have an insurance department that principally relies on
commercial insurance programs as a means of sharing the downside effects of
the organisation’s risk exposures. An intermediary or consultant provides
advice about retention levels, recommended financing arrangements such as
insurance coverage and claims administration. In addition, they may
undertake loss control surveys of the organisation’s assets to ensure that
maintenance procedures and protection systems are adequate.

Risk management departments


Some organisations have a risk management department which provides
advice and service to the organisation on the management of risk. These
organisations typically require more specific risk management advice and
may employ specialist staff, such as engineers and auditors.


Integrated risk management


The fourth structure is largely characterised by the maturity of the
organisation's approach to the management of risk. The organisation will
have a significant commitment of Board and top management attention to risk
and its management, as well as sufficient resources to effectively manage risk.
It calls for a serious mandate and commitment from the Board along with
management leadership to ensure it is woven into the organisational fabric
and culture across the organisation. An example of the type of organisation
using this structure would be a major listed company such as a large
manufacturing or petrochemical organisation or a major government
department. External risk management services provided at this level may
include advice on compliance programs, reputational management,
alternative structures for funding losses, actuarial advice, etc.

Activity 2.2—Risk management structures


Think about the ways in which your company structures its risk management
requirements. Which of the four risk management structures is it most closely
aligned to?

Resourcing
To properly establish and maintain a risk management program, adequate
resources need to be committed to the program.
The organisation should identify resource requirements and provide adequate
resources for the risk management program, including training for personnel
who apply the risk management process or who perform a role in supporting,
monitoring and verifying it. This may involve conducting a training needs
analysis to determine exactly what training is required.

Monitoring and reviewing


Not only do individual risk exposures need to be formally monitored and
reviewed by an organisation on an ongoing basis, but each step in the risk
management process itself should also be monitored and reviewed on an
ongoing basis. In addition, overall management of risk within the
organisation should also be regularly monitored and reviewed.
Section 5 of this learning module will detail the requirements for effective
monitoring and review of the risk management process.


Documenting
When establishing, implementing and maintaining a risk management
framework, it is essential that the activities are efficiently recorded to provide:
• evidence that the process has been conducted properly
• a body of knowledge for the organisation to work with
• effective review of decisions and processes
• an accountability and audit mechanism
• access to monitoring and review
• a means of communicating information to stakeholders.
Whatever the documentation requirements, it is important to remember that
keeping efficient documentation is an essential part of good corporate
governance for any organisation.
Apart from the risk management plan itself, some of the other documentation
that may be necessary to establish, implement and maintain a risk
management program includes:
• compliance and due diligence statements
• a risk register containing details of all of the identified risk exposures
• a risk treatment schedule and action plan
• event/loss reports and an incident/near miss database
• a cost of risk analysis
• monitoring, review and audit documents.
There may be other documents required to be generated as part of the risk
management program of an organisation and these are likely to depend on the
type of business conducted by the organisation and the associated legal and
business requirements.

More information—Risk management documentation


Each of the above mentioned items of documentation is covered in more
detail elsewhere in this module:
• Due diligence statements were described earlier in this section as a part of the
establishing responsibility, accountability and authority step for developing a
risk management framework.
• The importance of risk registers will be introduced in Section 3 and then
expanded upon in Section 4 of this learning module.
• Risk treatment schedules and action plans will be primarily addressed in
Section 4.
• Event/loss reports, incident/near miss databases, cost of risk analyses and other
documentation of the monitoring and review process are discussed in
further detail in Section 5.
Additionally, examples of a risk register, a risk treatment schedule and a risk
treatment action plan are included as Appendices 4, 5 and 6 respectively.


Self-help question 2.1


1 What information/outputs will an evaluation of an organisation’s existing
risk management practices provide?
2 Identify at least six issues that should be addressed in an organisation's
risk management policy.
Answers to self-help questions are provided at the end of each section.

Case study—Masterprint’s risk management program


Note: The Masterprint case study forms a basis that will be built upon in case studies
and activities throughout this learning module.
Masterprint is a privately owned medium-size company that prints a range of
quality brochures, sales magazines, leaflets and periodicals.
Mike Trigg has just been appointed as a new independent director for
Masterprint. At his first board meeting, Mike makes enquiries about what
Masterprint is doing to manage the many risks to which it is exposed. One of
the senior managers explains that Masterprint has an extensive insurance
program and therefore considers that the company is effectively managing all
of the risks to which it is currently exposed.
Mike is concerned that an exclusively insurance-based approach is too narrow to
address all the risks to which Masterprint is exposed. He believes that there
should be a more integrated approach to managing risks.
Following a robust discussion by board members, the board approves the
development and implementation of a risk management program within
Masterprint.
Masterprint’s finance manager, Marjorie Crawford, is given the responsibility
of assisting the organisation’s management team to implement risk
management within the organisation.

Self-help question 2.2


1 What should Marjorie Crawford determine before establishing the risk
management context for Masterprint?
2 What should be taken into account when setting the scope and boundaries of
Masterprint’s risk management program?
Answers to self-help questions are provided at the end of each section.


Communication and consultation


The first step in the risk management process is to establish channels of
communication and consultation with both internal and external stakeholders.
The lines of communication that are established in this initial phase should be
maintained and utilised throughout each stage of the risk management
process to ensure that every activity is executed appropriately and effectively
and with a clear understanding of the relevant responsibilities,
accountabilities and authorities.
Consultation and communication with stakeholders is essential for the
successful implementation of risk management and it is an important
consideration for each step of the risk management process. It involves
establishing and maintaining a dialogue with both the internal and external
stakeholders about issues relating to the risk exposures and management.
Communication and consultation should involve dialogue between
stakeholders, with emphasis on establishing a consultative process rather than
a one-way flow of information. Such a collaborative approach allows
stakeholders to contribute to and understand the decision making process and
the reasoning behind risk management activities. This offers stakeholders an
opportunity to endorse the risk treatment plans, thereby encouraging the
ownership of risk exposures. In this sense, communication and consultation
activities are closely linked to the broader risk management framework step of
establishing responsibility, accountability and authority.

Benefits of effective risk management communication

Communication and consultation are important to the success of the risk
management process because they make risk management explicit (rather than
implicit) and highlight its relevance to the operations of an organisation.
A major benefit of good communication and consultation processes is that
they bring together multiple perspectives from both inside and outside the
organisation. In turn, this provides a more well-rounded understanding of the
risk exposures that the organisation faces and facilitates improved decision-
making.
Sharing information about specific risk exposures and the risk management
program in general, adds value to the organisation by creating consistency
and coherence across business units/departments and encouraging the
ownership of risk exposures and risk management activities.
Well-managed communication and consultation ensures that:
• the context can be appropriately defined
• risk exposures are identified effectively
• different perspectives and expert opinions are brought together to analyse
and evaluate risk exposures
• appropriate change management occurs during risk treatment.


Stakeholder identification and analysis


Each stakeholder group needs to be clearly identified and their different
objectives clearly understood. For example, a stakeholder group might be the
suppliers who provide raw materials to a particular department of the
company and their particular objective might be to sell their products to the
company at the highest possible price in order to maximise profits, whereas
the objective of the company department might be to purchase the materials
at the lowest possible price in order to reduce expenses. For the company
department to meet its operational objectives it must recognise the views of
other stakeholders and all stakeholder views and objectives must be balanced
accordingly to ensure goals and objectives are met.
For most organisations there are several internal and external stakeholder
groups which need to be considered as part of managing an organisation’s
risk exposures.
Internal stakeholders typically include:
• the board
• shareholders
• senior management
• operational management
• staff.
External stakeholders may include:
• sub-contractors
• suppliers
• key customer groups
• regulatory bodies
• industry associations
• the community
• special interest groups
• financial institutions providing funding or credit.
Perceptions of risk exposures generally vary according to the different values,
needs, drivers, assumptions, concepts, and concerns of stakeholders as they
relate to risk exposures and/or the issues under consideration. Stakeholders
are likely to make judgements about the acceptability of an exposure to risk
based on their perception of that exposure. Since the views of stakeholders
can have a significant impact on the decisions made, it is important that their
perceptions of risk exposures are identified and recorded and the underlying
reasons for them understood and addressed within the risk management
program.


Risk management communication planning


Once stakeholder groups have been identified, they should be consulted (by
means of a well-planned consultation process) as part of the risk management
process.
Understanding the needs and concerns of stakeholders and communicating
with them regularly and comprehensively is important to the decision makers
in an organisation to effectively manage its risk exposures.
To aid effective communication and consultation within the risk management
program, it is necessary to develop a process for communication and
consultation. The first step is to identify those stakeholders who are affected
by the risk management process; the second step is to develop a
communication and consultation plan with each of the identified groups of
stakeholders. The third step is to agree on the methods of communication that
will be used in developing, implementing and maintaining a risk
management program.
It is important to develop a communication plan for both internal and external
stakeholders at the commencement of the risk management process. This plan
should address issues relating to both the risk exposure itself and the process
required to manage it.

Risk management roles


In order to be confident in its capacity to correctly address the risks that
it faces, an organisation may require management or advice on a variety of
risk exposure issues, such as:
• compliance with statutory requirements
• corporate governance
• process design
• business continuity
• environmental matters
• internal auditing
• ergonomics
• storage
• quality control.
Depending on the complexity of the risk exposures and of the organisation’s
activities, these advice and management tasks may require the knowledge and
skills of a specialist or they could be handled by more generally skilled staff.
It is not unusual for an organisation to ensure that it has sufficient skills in risk
management by:
• boosting internal training of its management to include an understanding
of how to most effectively carry out their responsibilities and
accountabilities and to exercise their authority
• employing or sub-contracting risk management specialists on a needs basis to
work with the company to assist risk owners in the management of the risks
to which it is exposed.

Obviously, these strategies are aimed at honing an organisation’s abilities by
focusing on either:
• internal risk management roles, or
• external risk management specialists.

Internal risk management roles


Employees
The employees of an organisation are in the best position to know and
understand not only the risks to which their organisation is exposed but also
the risks it is taking to survive and prosper. As a consequence, risk
management is the responsibility of all employees of an organisation—from
the board of directors to the office cleaners.
Specific roles within an organisation may have responsibility for providing
advice to line managers on special risk exposures, for example:
• human resource managers are responsible for providing advice on staff
morale, welfare and retention
• a security manager has responsibility for providing advice on personal
safety and loss prevention
• an IT manager is accountable for IT disaster recovery and data back-ups,
etc.

Management and the executive


Every manager should be accountable for ensuring that all of the risks to
which his or her part of the organisation is exposed are managed in
accordance with the organisation’s risk management plan. An organisation may
employ a risk management specialist to co-ordinate or facilitate the plan.
It is the Chief Executive Officer who is the ultimate risk manager of the
organisation as they are the only person in a position with the authority and
resources to make decisions on how risk is to be managed. Sound delegation
of authority will ensure that line managers at the various levels will be made
accountable for the management of risk in their areas of control.
Whatever structure an organisation adopts, the ultimate responsibility for
managing risk remains with the board and management of the organisation to
ensure that every risk has an owner.


External risk management specialists


External risk management specialists are often used by organisations to assist
with the risk management process as well as to undertake cost–benefit
analyses. Risk management specialists also undertake a variety of tasks,
including, but not limited to:
Occupational health and safety activities
- ergonomic review and recommendation
- analysis of public safety
- safety audits
- environmental audits
- work systems management
- safety training
- construction risk review
- hazardous substances review

Property loss control activities
- property loss control programs
- motor vehicle risk analysis
- security system review
- fire protection design and review
- property regulatory review
- construction risk review

Business analysis
- credit analysis and review
- market analysis
- risk exposure analysis

Business continuity (management of disruption related risk)
- business impact analysis
- crisis/emergency response planning
- business continuity planning
- disaster recovery planning

Legal
- compliance programs
- legal opinion
- contract drafting or review

Audit
- fraud prevention
- governance and assurance programs
- effectiveness of risk treatment programs

General risk management activities
- major event management
- self-assessment programs
- corporate reporting standards
- client newsletters
- mentoring programs for the board’s risk committees
- risk manuals and procedures


Activity 2.3—Risk management specialists


Make a list of the different types of risk management specialists used by your
organisation and outline the tasks they undertake. Consider whether your
organisation needs to extend its specialist base and, if so, in what areas.


Self-help question 2.3


Outline three of the major benefits of extensive communication and
consultation in the risk management process.
Answers to self-help questions are provided at the end of each section.

Establishing the context


The strategic, organisational and risk management contexts of an organisation
must be established before risk management can be effectively implemented
within an organisation.
It is essential to the risk management process that the relationship between an
organisation and its environment is clearly defined. This is achieved by
executing the second step in the risk management process, establishing both
the internal and external context for managing risk within the organisation.
Establishing the context is important as it sets the scope and boundaries of the
application of risk management for the organisation and determines the
framework for the entire risk management process structure.
Establishing the context of an organisation has four distinct components
relating to the:
1 external context
2 internal context
3 risk management process context
4 definition of risk criteria.

External context
Establishing the external context involves defining the relationship between
the organisation and the environment in which it operates; for example, the
legislative and regulatory environment and the laws, regulations and codes of
practice that it must adhere to.
The external environment also includes the organisation’s suppliers, customers
and competitors, as well as the political, technological and social environment
that affects the organisation. Much of what occurs outside an organisation is
often relevant to whether its operating units meet their objectives.
When establishing the context, all relevant stakeholders should be consulted
and their objectives should be considered to ensure that the risk management
program adopted by the organisation is as robust as possible.


Internal context
Establishing the internal context involves understanding the organisation itself.
This facet of the context provides the risk practitioner with an understanding
of the inner life of the organisation.
The fundamental areas for consideration when establishing an organisation’s
internal context include:
• organisational goals and objectives—If risk management is to succeed, it must
dovetail with the organisation’s strategic and operational goals and
objectives, and it must be firmly embedded within the day-to-day
management of the organisation so that it helps achieve the organisation’s
goals and objectives.
• organisational structure—The type of structure that the organisation has
(e.g. flat or hierarchical) and the way that the different departments
interact has a significant impact on the way that the risk management
program is established and maintained.
• organisational culture—How does the organisation function on a daily
basis? What are the documented policies and procedures? Is it process or
systems driven, or does it have a more organic way of functioning?
• internal stakeholders—All internal stakeholder groups should be consulted
and their objectives considered.
• internal resources—What are the capabilities of the organisation? What
resources are available for application to the risk management program
and how can they be effectively utilised?

Risk management process context


Once the internal and external context of an organisation is understood, the
context of the risk management process can then be established. The risk
management context includes the parameters of the risk management activities
and the delineation of the parts of the organisation to which they will be applied.
The parameters of the risk management process must be clearly defined,
taking into consideration both the costs and benefits of risk management. For
example, it’s no good introducing a state-of-the-art risk management initiative
if it fails to support the organisation’s goals and objectives, or the organisation
simply cannot afford to implement the initiative.


According to ISO 31000:2009, the context of the risk management process will
vary according to the needs of an organisation. It can involve, but is not
limited to:
• defining the goals and objectives of the risk management activities;
• defining responsibilities for and within the risk management process;
• defining the scope, as well as the depth and breadth of the risk
management activities to be carried out, including specific inclusions and
exclusions;
• defining the activity, process, function, project, product, service or asset in
terms of time and location;
• defining the relationships between a particular project, process or activity
and other projects, processes or activities of the organisation;
• defining the risk assessment methodologies;
• defining the way performance and effectiveness is evaluated in the
management of risk;
• identifying and specifying the decisions that have to be made; and
• identifying, scoping or framing studies needed, their extent and objectives,
and the resources required for such studies.
In practical terms, this means working out the roles and responsibilities of
those in the organisation when it comes to managing each exposure to risk. It
also means working out the relationship between risk management and the
different parts of the organisation.
Establishing the scope of the risk management process is integral to effectively
managing risk.

Organisational versus project-based contexts


The context for managing the exposures to risk of an entire organisation will
be quite different from the context for risk management of a particular project
that an organisation is undertaking.
Establishing the context for risk management of an organisation involves:
• a single organisation which can present diverse risk exposures
• historical review and future strategies
• speaking with the Chief Executive Officer, Chief Financial Officer, operations
management, and so on
• obtaining a mandate and commitment from the Board
• a workplace which remains relatively constant
• a regulatory environment relevant to the particular industry
• taking into account competitors.

Contrastingly, the context for risk management of a construction project, for
example, would differ in that it:
• is likely to involve more than one organisation
• usually has a short duration
• is often distinctly different from the day-to-day activities of an
organisation, thus creating a different risk exposure/profile
• as a physical location, is in a constant state of change
• has a different regulatory environment
• involves speaking with project staff/engineers/financiers and so on.

Classifying risks
The risk management context enables the organisation to establish and
classify the types of risks to which it is exposed, for example:
• strategic risks
• financial risks
• operational risks
• legal and compliance risks.
This risk classification process sketches out the risk exposures that will then
be identified in the risk management process.

Defining risk criteria


The last step in establishing the risk management context is to develop the
criteria against which risks will be evaluated.
Developing risk criteria is all about determining the benchmarks against
which the risk exposures will be evaluated. The risk criteria need to be set to
enable the organisation to effectively identify, analyse, evaluate and treat its
risk exposures.
These risk criteria will reflect the external, internal and risk management
context outlined above. The way that exposures to risk are evaluated might
depend on operational, technical, financial, political, ethical, legal, social and
even personal criteria. It is important to establish the criteria at the outset and
to ensure that the risk criteria match the type and level of risk exposures.
The primary objective of risk management is the management of the effects of
unexpected events. It is not always possible to reduce the impact of risk to
zero and there remains the prospect that, despite an organisation’s best efforts
to manage risk exposures, an impact may still be sustained. Whether any
further action is taken will depend on whether or not the risk is tolerable to
the organisation. A tolerable risk is one where the exposure is such that, if the
risk should occur, the organisation’s objectives could still be achieved. It is
therefore necessary to determine the organisation’s risk tolerance level as a
yardstick for developing its risk criteria.


Tolerable risks
Organisations are generally prepared to tolerate some risk exposures under
certain circumstances if a benefit can be derived from being exposed to the
risk in question. For example, the risks associated with a certain project may
be significant but the financial and reputational returns associated with
undertaking the project may be substantial and therefore the company is
prepared to tolerate these risk exposures and take on the project.
What will be deemed a tolerable level of risk for an organisation depends on a
number of factors such as:
• the financial strength of the organisation
• the attitude of the board and management of the organisation, that is, are they
risk takers or are they risk averse?
• the nature of the risk exposure itself in terms of the organisation’s
activities—that is, if a risk is realised (whatever its size), would it severely
damage the organisation’s ability to meet its objectives, goals and targets?
• the measure/s necessary to handle the risk of loss and its consequences so
as to minimise its effects.

Classifying risks according to tolerance


A common means of addressing how much risk an organisation is prepared to
tolerate is by classifying the risk exposures into three distinct groups:
1 Upper group—those risk exposures which the organisation considers
intolerable, regardless of the benefits associated with the risk exposure.
2 Middle group—those risk exposures where the costs and benefits
need to be carefully analysed to determine the balance between the
opportunities to the organisation and the associated risk exposures/
threats.
3 Lower group—those risk exposures where the likely positive and negative
outcome is negligible.
Obviously, with groupings such as these there are subjective, value
judgements implicit in the criteria which an organisation uses to allocate risk
exposures to a particular grouping. What one organisation regards as an
intolerable (upper group) exposure, another organisation might regard as a
risk exposure that may be tolerable (middle group) given careful cost–benefit
analysis and the organisation’s particular situation.


Case study—Establishing the context for Masterprint


Marjorie Crawford, Masterprint’s finance manager, has been given the
responsibility of introducing a risk management program for the company.
She is excited about the prospect of this initiative and wants to have a meeting
next week with various staff members to commence the project. Marjorie
needs to draw up a list of staff members that will need to be consulted to
establish the context for the risk management program. Prior to the meeting
she also wants to put together a list of information that will be required to
understand the business and establish the context for the project.
Following is some background information about Masterprint.

Details of Masterprint
Capital: $10,000,000
Shareholders: 10
Annual sales: $20,000,000
Staff: 80 staff members
Annual revenue growth: 15%
Location(s): Ridgeworth (inner city factory)
Vehicles: 3 delivery trucks and 14 cars (incl. sales/executive staff vehicles)
Business: Printer of fine quality brochures, sales magazines, leaflets and periodicals


Self-help question 2.4


1 In establishing the context for risk management, what information needs to
be gathered by Masterprint?
2 Which members of Masterprint’s team do you think would need to be
involved in establishing the context for the risk management program?
Answers to self-help questions are provided at the end of each section.


Section Summary
In this section we looked at basic risk management principles and how they
apply to organisational environments. We learned how to communicate with
relevant internal and external stakeholders, demonstrating the ability to
consult with a diverse range of people, for example, being able to work with
operations team members and being able to relate at a higher level to a board.
We looked at identifying relevant guidelines and developing risk evaluation
criteria.
As described in ISO 31000:2009, a risk management framework is a:
…set of components that provide the foundations and organisational
arrangements for designing, implementing, monitoring, reviewing and
continually improving risk management throughout the organisation.

A framework for the management of risk must be fully integrated into an
organisation’s management system. The steps to achieve this include:
• ensuring the support of senior management
• developing a risk management policy
• reviewing current risk management systems (if any exist)
• developing risk management plans
• establishing responsibilities, accountability and authority
• customising the process
• resourcing
• establishing methods for monitoring and reviewing
• documenting risk management activities.
This section also covered the first two steps in the prescribed risk
management process:
• Communication and consultation
• Establishing the context.
Establishing channels of communication and consultation with internal and
external stakeholders requires each stakeholder group to be clearly identified
and their different objectives clearly understood. The lines of communication
that are established in this initial phase should be maintained and utilised
throughout each subsequent stage of the risk management process to ensure
that every activity is executed appropriately and effectively and with a clear
understanding of the relevant responsibilities, accountabilities and authorities.
The second activity in the risk management process involves defining the
strategic, organisational and risk management contexts of an organisation.
Establishing the context of an organisation has four distinct components
relating to the:
1 external context
2 internal context
3 risk management process context
4 definition of risk criteria.


Answers to self-help questions


Self-help question 2.1
1 An evaluation of an organisation’s existing risk management practices will
provide useful information about how well risk management is currently
being utilised by the organisation (or certain parts of the organisation) and
how well risk management practices have already been integrated into
existing management and operational practices. An evaluation will also
show how existing risk management practices may be amended as part of any
risk management initiatives. Another benefit of an evaluation is that it may
highlight whether there are any constraints associated with introducing
particular risk management initiatives.
An evaluation will enable those risk management elements already in
place in the organisation to be critically reviewed and assessed so that a
proper risk management program can be implemented from a known base.
2 Issues which should be addressed in an organisation’s risk management
policy include:
- the purpose and objectives for the risk management program
- links between the organisation’s strategic and operational plans
- the array and scope of risk exposures that the organisation needs to
manage
- the organisation’s risk tolerance level
- the person/s responsible for managing the risk management program
and those responsible for particular risk exposures
- the documentation required as part of the risk management program
- how the risk management program will be monitored and reviewed in
terms of organisational performance and in reference to the risk
management policy.

Self-help question 2.2


1 Before establishing the risk management context, Masterprint should,
among other things:
- obtain the support of the management team
- establish the risk management framework for the organisation
- develop risk management plans
- look at the existing risk management in place besides the company’s
insurance program
- set up a communication process with all relevant stakeholders
- establish how the risk management process will be documented.
2 The organisation’s risk management policy should clearly set the scope
and boundaries of Masterprint’s risk management program, indicating
which risk exposures will be managed within which parts of the
organisation.


Self-help question 2.3


The major benefits of utilising a communication and consultation process as
part of the risk management process are that it:
• aids sharing of information about risk management and risk exposures
• creates consistency and coherence across business units/departments
• assists decision making by looking at risk management from several
different perspectives
• improves understanding of how and why risk management decisions are
made and why certain actions are taken
• encourages ownership of risk management activities in the organisation
• encourages ownership of specific risk exposures
• ensures that appropriate change management occurs during risk treatment.
(Your answer should include at least three of these points.)

Self-help question 2.4


1 Information that needs to be gathered by Masterprint to establish the
context for the risk management program includes:
- details on historical, current and future strategies, operations and
activities
- annual reports, financial and other relevant literature produced by the
organisation
- details on legislation, regulation and competition that affects the
organisation and its activities
- any industry-based literature which focuses on contemporary issues
affecting the printing industry.
2 The members of the Masterprint team that would most likely need to be
involved in establishing the organisation’s context for risk management
include the Chief Executive Officer, the Chief Financial Officer and key
operations management staff. These personnel could provide information
about exactly what the company does and how it operates.

Section 3

Risk assessment

Introduction
After channels of communication and consultation have been opened and
once the context has been established, the next step in the risk management
process is risk assessment. Rather than considering risk assessment to be a
single discrete activity, ISO 31000:2009 encourages dividing it into three
distinct steps:
1 identification
2 analysis
3 evaluation.
The aims of risk assessment are predominantly to understand and measure
the characteristics of an organisation’s risk exposures to inform decision
making and actions. This involves collecting detailed information to inform
the analysis, using a variety of techniques such as quantitative, semi-
quantitative and qualitative analysis and presenting the results in a format
suitable for the subsequent step, risk evaluation.
The primary aim of risk identification is to put together a comprehensive list of
risk sources, events, their causes and their potential consequences. Identified
exposures should then be analysed to determine the likelihood and
consequences of an outcome that is different from that which is expected.
Following analysis, the risk evaluation stage involves determining which risks
can be tolerated and—for those that cannot—leads towards identifying
appropriate risk treatment options to reduce risks to a tolerable level.
International Standard ISO/IEC 31010:2009, Risk management—Risk assessment
techniques (henceforth referred to simply as ISO/IEC 31010) provides
additional guidance on risk assessment techniques that may assist in all three
steps of the risk assessment process.

Learning outcomes
When you have worked through this section, you should be able to:
• identify risk exposures
• clearly describe risk exposures
• identify and apply risk assessment tools
• compare exposures with guidelines
• categorise risk exposures
• analyse specific issues using measurement criteria
• establish consequences of risk exposures
• establish likelihood of risk exposures
• prepare a risk analysis matrix.


Risk identification
The process of identifying risks to be managed is best undertaken by breaking
down the subject of the risk assessment into key parts or topics, as established
in the risk management context.
Before undertaking the risk identification process, it is important to gather
information pertaining to historical incidents and emerging issues affecting
the subject of the risk assessment activity. This may include data specific to
the organisation and general information relevant to the subject under
assessment. This information may be gathered using a range of sources
including, but not limited to internal incident data, results from audits, staff
interviews or group discussions, questionnaires and open source data.
The process adopted for identifying a comprehensive list of risks will be
dictated by time and budget constraints. Where the risk assessment activity
requires consideration of a broad range of risks, a staged approach may be
appropriate. A high level assessment may be undertaken to identify and
assign priorities to focus detailed analysis on areas of the highest priority.
The risk identification process is most effective when key stakeholders are
involved in structured brainstorming workshops. Each key part or topic is
reviewed one by one and the following factors identified:
 What are the sources of risk or threat—the things which have the inherent
potential to harm or facilitate harm?
 What could happen—events or incidents that could occur whereby the
source of risk or threat has an impact on the achievement of objectives?
 Where—the physical locations/assets where the event could occur or where
the direct or indirect consequences may be experienced.
 When—specific times or time periods when the event is likely to occur and
or the consequences realised.
 How—the manner or method in which the risk event or incident could
occur?
 Causes—what are the direct and indirect factors that create the source of
risk or threat?
 Business consequences—what would be the impact on objectives if the risk
was realised?
 Business areas / stakeholders affected—what parts of the organisation and
what stakeholders might be involved or impacted?
 Existing controls—a preliminary review of existing controls (the detailed review is completed during the risk analysis process) to identify:
   what controls currently exist to minimise the likelihood and consequences of each risk
   what vulnerabilities exist that could undermine the effectiveness of those controls.
When each part or key component has been reviewed and a list of all risks
established, consideration is given to whether the list is comprehensive, the
objectives and scope of the risk assessment activity have been adequately
covered and whether the information relied upon is valid and credible.

50 GI512-15 16.01
Risk assessment

Risk identification is all about identifying what can happen to the
organisation, how and why it might happen, and when and where it is
likely to happen.
As defined in Section 2.15 of ISO 31000:2009, risk identification is the:
…process of finding, recognizing and describing risks
NOTE 1: Risk identification involves the identification of risk sources,
events, their causes and their potential consequences.
NOTE 2: Risk identification can involve historical data, theoretical
analysis, informed and expert opinions, and stakeholder's needs.

As an integral step in the risk assessment activities of the risk management
process, risk identification is the systematic identification of all exposures to
risk, whether under control or not. The aim is to produce a descriptive and all-
inclusive list of risks to which the organisation is exposed, summarising the
potential events that might have an impact on the achievement of an
organisation’s objectives.
Only after all of an organisation’s risk exposures have been identified can the
best methods to handle them be determined.

Risk exposures
A risk exposure may be an event or incident, and it will have a cause and a
consequence. The consequences of an exposure to risk may be positive or
negative. Some risk exposures may be insurable, while others will not be.
Identifying an organisation’s risk exposures is an essential part of a risk
management process. When identifying risk exposures, all possible causes
and scenarios should be carefully considered. A systematic plan for managing
the effects of risk exposures cannot be constructed until it is known exactly
what the risk exposures are, how and why they might arise, and their likely
effects.
There are four characteristics of each risk exposure that must be considered in
the identification stage of the risk management process:
1 the source of the risk
2 the impact of the effects of exposure to risk
3 stakeholders affected by the risk
4 current controls in place to treat the risk.


Sources of risk
ISO Guide 73:2009, Risk management—Vocabulary defines a risk source as an:
…element which alone or in combination has the intrinsic potential to
give rise to risk

Exposures to risk may arise from a diverse range of sources, including:
 management activities or decisions
 individual activities and decisions
 human behaviour
 commercial
 legal
 natural events
 technological issues
 political circumstances
 economic circumstances.
Indeed, it is quite likely that some of the risks identified will not be directly
under the control of the organisation, for example risks arising from
economic or political circumstances.
Exposures to risk also arise from the risk-taking that is inherent in the
organisation’s pursuit of success in its chosen business. Even where the effects
of such exposures are insurable, it is essential to understand the full range of
treatment options that can cater for those effects; insurance is only one of
them.
A risk source can be tangible or intangible and may be categorised (or
clustered) in a variety of ways. We might, for example, divide sources into
global and organisational. Organisational risks may be further broken down
into subcategories such as:
 financial/market sources
 political/regulatory sources of risk
 operational sources of risk
 legal/liability sources of risk.


Image 3.1 Sources of risk

Impact of the effects of exposure to risk
Managing a risk exposure’s impact on an organisation and its objectives is the
primary purpose of risk management. Identifying the impacts of a risk
involves:
 identifying which organisational objectives may be affected
 establishing what the likely effects on the objectives might be
 determining where, when, why and how the risks are most likely to occur.
An identified source of risk may have consequences for property, reputation
and image, people, income, legal liability and the environment.
The measure used to record the consequences of a potential exposure to risk
will largely depend on the organisation’s objectives. If, for example, the
organisation’s objective is growth, the consequence may be better measured in
lost market share than in dollar terms.

Risk stakeholders
Having established what might happen and what its occurrence might entail,
it is necessary to work out who would be affected if the risk, incident or event
occurred.
The stakeholders affected by any given risk exposure should be identified.
To this end, the step of stakeholder identification and analysis performed as a part
of the communication and consultation activities should provide a firm basis,
although some risks may not affect all of an organisation’s stakeholders. In
this particular stage it is important to identify the persons, organisations or
any other entities that are exposed to potential benefit or loss by the identified
risk.


Current controls in place to treat the risk
After a risk has been identified and described in terms of its source, potential
impacts and the stakeholders which it may affect, it remains to document
what controls, if any, are already in place to treat the risk.
While this is certainly a key aspect of identifying individual risk exposures,
the detailed coverage of risk treatment methods and evaluations will be
presented in the later sections of this module on risk treatment and monitoring
and review.

Self-help question 3.1
Consider each of the following situations and match them with the type of
risk source that they represent. For each situation, please select what you
believe to be the most appropriate source of risk.

Situation                                                  Source of risk
1 Change in import tariffs                                 A Financial/market
2 Overthrow of government                                  B Data management
3 Damage to plant equipment by a forklift                  C Legal liability
4 Severe Acute Respiratory Syndrome (SARS) epidemic        D Political and regulatory
5 Compliance of computer system with date recognition      E Political fragmentation
6 Unconscious error in processing advice                   F Pandemic
7 Bear run on the stock exchange                           G Currency
8 Change to health and safety laws                         H Physical damage
9 Foreign exchange rate fluctuation                        I State action/policy

Answers to self-help questions are provided at the end of each section.

Activity 3.1—Risk sources in your organisation
Take note of examples of the different sources of risks that your organisation
is exposed to and determine whether they would be categorised as global or
organisational sources of risk.


Risk identification techniques
A number of techniques are commonly used to identify risk exposures and to
determine their potential consequences. The risk identification methods used
by an organisation should be determined by the context that has been
established and by the organisational activities that are to be included in the
risk management process. The quality, relevance and reliability of the
information obtained are pivotal to the entire risk management process.
As Note 2 attached to Section 2.15 of ISO 31000:2009 clarifies, risk
identification may involve:
 historical data
 theoretical analysis
 informed and expert opinions
 stakeholder's needs.
The tools and techniques for risk identification at the disposal of an
organisation may include, but are not limited to:

Risk identification technique                               Information classification
Examining financial statements                              Historical data
Reviewing statistical records                               Historical data
Performing or reviewing site inspections                    Historical data
Reviewing legislative acts and business codes of practice   Historical data
Analysing flowcharts and organisational activities          Historical data
Using scenario analysis                                     Theoretical analysis
Analysing client contracts                                  Theoretical analysis
Utilising systems engineering techniques                    Theoretical analysis
Consulting with management                                  Informed and expert opinions/stakeholder needs
Consulting with experts                                     Informed and expert opinions/stakeholder needs
Using questionnaires/surveys/checklists                     Informed and expert opinions/stakeholder needs
Risk identification workshops                               Informed and expert opinions/stakeholder needs

Several of the above-mentioned risk identification techniques may involve a
team of people. This team should include people closely connected with the
particular activity under review as well as others who are not closely
involved. Some team members who are not closely involved need to be
included in the risk identification process because those who are close to an
activity or operation can sometimes fail to recognise a problem or risk. In
order to ensure that the team adopts a wide perspective in identifying
potential problems, the team should come from various areas of the
organisation; for example, production, security, health and safety, finance or
management.


Historical data
Examining financial statements
Examining the financial statements of an organisation will provide a broad
outline of the possible financial exposures that an organisation may face.
Those financial statements may offer clues as to what the major sources of the
organisation’s income and profit may be or what the likely loss events may be
and the exposures against which the organisation needs protection.
Common financial statements that can assist with risk identification for an
organisation include:
 balance sheets
 profit and loss statements
 cash budgets/cash flow records.
Valuable risk information may also be gleaned from:
 asset register and valuations
 sources and application of funds statement
 operating statements
 revenue and expenditure statements.

Balance sheet
The balance sheet lists an organisation’s assets, liabilities and its net worth—
it provides an overview of a business at a specific date. When reviewing
exposures to risk from a balance sheet, the risk management specialist needs
to ensure that the figures are the latest available. Costing values that are
required for accounting purposes are not necessarily those needed for risk
management.
From the balance sheet, both assets and liabilities provide clues to potential
loss exposures. An asset review needs to identify those assets which may
reduce in value through loss. Similarly, the liability section of the balance
sheet needs to identify future/contingent liabilities.
If accurate replacement values (as opposed to book values) are required to
assess the maximum possible loss potential of a business, the risk specialist
may need to seek additional input from financial staff and/or external
specialists such as valuers.
In addition, the balance sheet and profit and loss statement of an organisation
provide a means of determining both the organisation’s financial strength and
the potential maximum loss that the organisation could withstand.


Profit and loss statements
Profit and loss statements provide the details of revenue, expenses and profits
for a specific accounting period. Profit and loss statements, like the balance
sheet, are related to past performance and past activities. However, they can
still help identify the effects of exposures to risk. It is important to analyse
each income or expense item in an operating statement to determine the
possible upside and downside associated with the exposure. If a major loss
occurs, well-prepared cash budget or cash flow analyses can help the risk
management specialist understand the expected post-loss liquidity levels of
the business. Profit and loss statements are also useful in analysing business
interruption exposures.

Cash budgets/cash flow records
A well-prepared cash budget will provide information on the anticipated
outcomes of an organisation in terms of liquidity. Changes in net working
capital are revealed in cash flow records and indicate changes in operations
during the period of reporting. Each change in the source and application of
funds may reflect a significant change in the organisation’s exposures to risk.

Reviewing statistical records
Organisations gather statistics on numerous activities, procedures and
processes. The statistical records kept by organisations which may be relevant
to the risk identification process include:
 sales/marketing reports
 staffing, employee and attendance records
 production output reports
 incidents/near misses
 outages/strikes
 previous losses (often the claims history)
 customer complaints
 other reports.
All of these records can assist with the identification of exposures to risk and
the likely effects of these exposures.
Using claims histories, past occurrences can be noted, particularly past near
misses or incidents that could happen again. The potential for loss increases if
steps are not taken to reduce or eliminate the specific risk. An organisation’s
past loss history can also be used to project future trends and identify areas of
poor housekeeping or supervision. It is important that both insured and
uninsured losses are considered.


Information about possible exposures to risk can also be gleaned from
numerous other sources, including (but not limited to):
 government records and statistics
 competitors
 industry associations
 external statistics for the particular industry
 insurance company records
 water authority maps
 weather bureau data
 electricity authorities.

Performing or reviewing site inspections
Site inspections allow a first-hand look at exposures, thereby providing the
immediate identification of obvious potential risk exposures. Site inspections
can reveal much about the processes and procedures used by an organisation.
They can also reveal much about the likely risks to which the organisation is
exposed from outside the boundaries of the organisation’s own site; that is,
the area surrounding the actual physical site. It is suggested that a site
inspection should follow the same process regardless of the site. For example,
a process used for fire surveys is to start the inspection by walking around the
boundary of the site looking outwards at the surroundings, before continuing
to walk around the site and gradually working towards the centre. This
entails looking not only at all of the buildings but also at the site’s plant and
processes, as well as other contents associated with the site.
Site inspections also provide an opportunity to clarify observations by
obtaining information from staff members. For example, employees are often
a valuable source of information regarding machinery reliability, maintenance
schedules and spare parts availability as well as exposures to risk.
Site inspections can assist in identifying the occupational health and safety
and housekeeping standards of an organisation and its operating
effectiveness. A site inspection also helps to identify exposures to risk in the
surrounding environment. For example, a factory may be situated in a flood
plain near a river, or on an earthquake fault line, or next to a munitions depot
or fireworks factory.
Following a site inspection, the risk management specialist (or whoever has
conducted the inspection) should debrief site management on their findings
before leaving the site and should then produce a survey report that can be
used to assess the likely effects of the organisation’s exposures to risk. The
survey report is often also used by underwriters to assess risks and determine
the premium, terms and conditions of insurance contracts.
For example, a site inspection of a factory situated in a flood plain near a river
should show the steps the organisation and/or authorities have taken to
minimise flood damage and should investigate the history of flooding.


Reviewing legislative acts and business codes of practice
Legal risk management specialists need to review the relevant legislation of the
country in which they are operating to ensure that the organisation is aware of,
and complies with, the relevant statutes. In Australia, they particularly need to
review the federal and state Occupational (or Work) Health and Safety Acts and
other legislation such as the Dangerous Goods Acts, the Trade Practices Act
(since replaced by the Competition and Consumer Act 2010) and the Workers
Compensation Acts. In New Zealand, risk managers should consider compliance
with the Health and Safety in Employment Act (since replaced by the Health and
Safety at Work Act 2015), the Accident Rehabilitation and Compensation Insurance
Act (now the Accident Compensation Act 2001), the Dangerous Goods Act, the
Fair Trading Act, the Consumer Guarantees Act and other relevant legislation.
An organisation should be aware that, for example, if it does not provide a
safe workplace, there are potential criminal penalties for it as an employer.
Legal risk management specialists, whilst not needing to be lawyers
themselves, nevertheless must understand the ramifications and penalties
related to legislation and codes of practice to ensure that an organisation
complies with all requirements.

Analysing flowcharts and organisational activities
Organisational activities and processes can be illustrated through flowcharts
and diagrams. They can provide an overview of the operations of an
organisation. Flowcharts should include all areas of the organisation for
review. For example, a typical organisational flowchart of a manufacturer
would indicate the path of raw materials from the supplier to their arrival at
the organisation, through the various processes undertaken to becoming a
final product (including key operations and equipment), to storage of the
product, and finally the process for despatch to the customer. Flowcharts
would also include the finance, marketing and maintenance pathways of an
organisation. The larger an organisation, the more likely that flowcharts will
have sectioned areas/departments/processes.
Flowcharts are particularly useful for identifying key operations upon which
an entire production process may depend; that is, bottlenecks. They can
identify the vulnerability of a particular process to possible interruption.
Flowcharts also help identify company and departmental interdependencies,
as well as identifying dependencies on external customers and suppliers of
raw materials and utilities such as power or water.
It is important that flowcharts are considered in conjunction with other risk
identification methods. Flowchart analysis tends to highlight physical risks
and does not take into account the potential losses that may arise from non-
visible activities; for example, design and technology.
A company’s flowcharts can identify organisational interdependencies. These
flowcharts will show key operations and equipment and perhaps provide
additional information on the services which the company and its
dependencies undertake for certain suppliers or customers.
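Once a flowchart has been captured as a graph, the bottleneck and interdependency analysis described above can be done mechanically rather than by eye. The following is an added example and not part of the module: the process flow and utility dependencies are constructed for illustration, and the model is a simple one (product moves only through operable stages; a stage is out of action if it is lost itself or if any utility it needs is lost). A stage or utility is a bottleneck if its loss alone leaves no path from supplier to despatch; stages with a parallel alternative do not appear.

```python
from collections import deque
from typing import Dict, Iterable, List, Set

# Constructed flowchart (assumed, not from the module). PRODUCT_FLOW maps each
# stage to the stages its output feeds; UTILITIES maps each external service to
# the stages that stop if that service is lost.
PRODUCT_FLOW: Dict[str, List[str]] = {
    "Supplier":  ["Receiving"],
    "Receiving": ["Line A", "Line B"],   # two parallel production lines
    "Line A":    ["Packaging"],
    "Line B":    ["Packaging"],
    "Packaging": ["Warehouse"],
    "Warehouse": ["Despatch"],
    "Despatch":  [],
}
UTILITIES: Dict[str, List[str]] = {
    "Mains power": ["Line A", "Line B", "Packaging", "Warehouse"],
    "Town water":  ["Line A"],
}


def reachable(flow: Dict[str, List[str]], start: str,
              blocked: Set[str] = frozenset()) -> Set[str]:
    """Breadth-first walk of the flow from `start`, never entering blocked stages."""
    seen: Set[str] = set()
    queue = deque([start])
    while queue:
        stage = queue.popleft()
        if stage in seen or stage in blocked:
            continue
        seen.add(stage)
        queue.extend(flow.get(stage, []))
    return seen


def output_possible(flow: Dict[str, List[str]], utilities: Dict[str, List[str]],
                    source: str, sink: str, lost: Iterable[str]) -> bool:
    """Can product still get from `source` to `sink` when the stages and
    utilities in `lost` are out of action?"""
    lost = set(lost)
    down = set(lost)
    for utility, dependent_stages in utilities.items():
        if utility in lost:
            down.update(dependent_stages)  # every stage needing it stops
    return sink in reachable(flow, source, down)


def single_points_of_failure(flow: Dict[str, List[str]],
                             utilities: Dict[str, List[str]],
                             source: str, sink: str) -> List[str]:
    """Stages and utilities whose loss alone stops all output: the bottlenecks
    and key dependencies the text describes."""
    candidates = [s for s in flow if s not in (source, sink)] + list(utilities)
    return [c for c in candidates
            if not output_possible(flow, utilities, source, sink, {c})]


def feeds_into(flow: Dict[str, List[str]], stage: str) -> List[str]:
    """Upstream stages whose output a stage depends on (interdependencies)."""
    return sorted(up for up, outs in flow.items() if stage in outs)


if __name__ == "__main__":
    spof = single_points_of_failure(PRODUCT_FLOW, UTILITIES, "Supplier", "Despatch")
    for s in spof:
        print(f"single point of failure: {s}; fed by {feeds_into(PRODUCT_FLOW, s)}")
```

The result for the constructed flow is that Receiving, Packaging, Warehouse and Mains power are each bottlenecks, while neither production line nor the water supply is, because Line B can carry production if Line A (or the water feeding it) is lost. As the text notes, this kind of analysis only sees what the flowchart shows; losses arising from non-visible activities such as design and technology need other methods.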


Theoretical analysis
Using scenario analysis
Essentially, scenarios are stories that describe the possibilities for a given set
of conditions. Scenario analysis is the technique of depicting alternative futures
and analysing how various strategic decisions might lead to different
outcomes.
Scenario analysis was first used in the work on the atom bomb in the 1940s and
has developed since then into a well-established methodology for estimating
the probability or frequency of the occurrence of unexpected or unwanted
events.
Scenario analysis involves the following steps to determine the likelihood of an
event occurring:
1 identify the unexpected or unwanted event
2 describe the circumstances to be investigated
3 identify the critical control points
4 develop an event tree or scenario tree
5 quantify and evaluate the nodes of the event/scenario tree.
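The five steps above, carried through on a constructed event tree. This is an added example and not material from the module: the initiating event (a fire in a plant room), the three control points, their reliabilities, the event frequency and the loss figures are all assumed for illustration. Each control point is challenged in turn; if it holds, the scenario is contained there, and if it fails the next control is challenged, so the tree has one branch per control plus the branch in which every control fails.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class ControlPoint:
    """A critical control point (step 3): a safeguard that either holds or fails
    when the scenario reaches it."""
    name: str
    p_holds: float  # probability the control works when challenged


@dataclass
class EventTree:
    """Event/scenario tree (step 4) for one unwanted initiating event (step 1)."""
    initiating_event: str
    p_initiating: float                 # expected occurrences per year
    controls: List[ControlPoint]        # in the order the scenario challenges them
    loss_by_failures: Dict[int, float]  # loss ($) when k controls fail before containment

    def end_states(self) -> List[Tuple[str, float, float]]:
        """Walk every branch (step 5). Returns (path label, annual probability,
        loss) per branch; the last entry is the branch where all controls fail."""
        states = []
        p_path = self.p_initiating
        for i, cp in enumerate(self.controls):
            prefix = [f"{c.name} fails" for c in self.controls[:i]]
            label = " -> ".join(prefix + [f"{cp.name} holds"])
            states.append((label, p_path * cp.p_holds, self.loss_by_failures[i]))
            p_path *= 1.0 - cp.p_holds  # continue down the failure branch
        label = " -> ".join(f"{c.name} fails" for c in self.controls)
        states.append((label, p_path, self.loss_by_failures[len(self.controls)]))
        return states

    def p_all_controls_fail(self) -> float:
        return self.end_states()[-1][1]

    def annual_expected_loss(self) -> float:
        return sum(p * loss for _, p, loss in self.end_states())

    def with_control(self, name: str, p_holds: float) -> "EventTree":
        """Evaluate a node: the same tree with one control's reliability changed,
        which shows what a proposed improvement to that control is worth."""
        controls = [ControlPoint(c.name, p_holds) if c.name == name else c
                    for c in self.controls]
        return EventTree(self.initiating_event, self.p_initiating, controls,
                         dict(self.loss_by_failures))


# Constructed example (assumed figures, not from the module).
PLANT_ROOM_FIRE = EventTree(
    initiating_event="Fire starts in plant room",
    p_initiating=0.05,  # one fire expected every 20 years
    controls=[
        ControlPoint("Smoke detection", 0.90),
        ControlPoint("Sprinklers", 0.80),
        ControlPoint("Fire brigade response", 0.70),
    ],
    loss_by_failures={0: 5_000, 1: 50_000, 2: 500_000, 3: 5_000_000},
)

if __name__ == "__main__":
    for label, p, loss in PLANT_ROOM_FIRE.end_states():
        print(f"{label:72s} p={p:.4f}/yr  loss=${loss:,.0f}")
    print(f"annual expected loss: ${PLANT_ROOM_FIRE.annual_expected_loss():,.0f}")
    better = PLANT_ROOM_FIRE.with_control("Sprinklers", 0.95)
    print(f"with sprinklers at 95%: ${better.annual_expected_loss():,.0f}")
```

With the assumed figures the branch probabilities sum back to the initiating frequency (a useful check that the tree is complete), the all-controls-fail branch carries most of the expected loss despite being the least likely, and raising sprinkler reliability from 80 to 95 per cent more than halves the annual expected loss, which is the kind of comparison step 5 is meant to support.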

Analysing client contracts
All contracts an organisation makes with customers, suppliers and contractors
should be reviewed to check the proposed activity envisaged by the contract
and the indemnities granted by either party. These indemnities may alter the
normal common law position between the parties to the contract. This could
result in additional exposures being accepted by the organisation. It could also
affect the current insurance policies and therefore place a greater financial
burden on a business overall. Whilst such contracts do have a considerable
benefit, this analysis usually focuses on the downside exposures associated
with the contract.

Utilising systems engineering techniques
Systems engineering is a branch of engineering concerned with the
development of large and complex systems where the system is an assembly
or a combination of interrelated elements or parts that are working together
towards a common objective.
Systems engineering focuses on:
 the real-world goals for services provided by, and constraints on, such
systems
 the precise specification of system structure and behaviour, and the
implementation of these specifications
 the activities required in order to develop an assurance that the
specifications and real-world goals have been met
 the evolution of such systems over time and across system families.
It is also concerned with the processes, methods and tools for the
development of systems in an economic and timely manner.


Informed and expert opinions/stakeholder needs
Communicating and consulting with others is vital when working through the
process of identifying exposures to risk. Potential exposures to risk should be
discussed with as wide a range of people as possible to gain their professional
opinions and to gauge their concerns. Risk identification workshops are a
good way of achieving this objective.

Consulting with management
Managers, particularly those with extensive experience of an activity or long-
term employment with an organisation, are well placed to identify exposures
to risk and their likely effects. The danger is that, because of their professional
background, they may focus on particular exposures to risk, such as
production, while missing others, such as strategic issues. A good example is
power utilities, which usually employ a number of engineers who are good at
identifying generation and distribution risks but may have little experience or
ability in identifying financial risks.
Management interviews can also be conducted at departmental level.
Departmental managers can provide guidance and direction on identifying
exposures to risk (and likely effects) in their particular department because
they are intimately involved in the operations of the department. Depending
on the activity, it may also be prudent to involve key operators and other staff
in this process to ensure that all exposures are identified.
In addition to consulting management, operational staff members often know
the most about problems, hazards and risks associated with particular areas of
operation within an organisation. These people are a valuable source of
information when identifying the risk exposures that an organisation faces
and providing information about the most appropriate risk treatment
measures for these risk exposures.

Consulting with experts
Some experts outside an organisation may be familiar enough with the
organisation (or the type of organisation, or the particular type of activity) to
contribute valuable information to the risk identification process.
External experts and consultants useful in identifying risks may include:
 practitioners in law
 finance experts
 statisticians
 accountants
 auditors
 strategic planning consultants.


Using questionnaires/surveys/checklists
There is a wide range of questionnaires, surveys and checklists available for
risk identification purposes; for example, surveys used to identify asset,
liability, revenue/expense, reputation and image, and occupation health and
safety risk exposures. The aim of all these information gathering documents is
to identify the exposures to risk by listing specific opportunities or hazards to
which the organisation could be exposed and then to seek information about
them from relevant personnel. It is important that surveys, checklists and
questionnaires from a range of personnel are examined to ensure the most
comprehensive identification of possible effects from the exposures to risk.
Many risk management consultants, insurers and brokers produce
standardised questionnaires, checklists and surveys which can often be
adapted for a particular industry and/or organisation. The questionnaires,
surveys and checklists used by insurance companies generally focus on
aspects of exposures on which the basic underwriting decisions will be made.
However, at times these standardised forms may not adequately highlight the
exposures relevant to a particular organisation’s needs, and the forms may
need to be adapted accordingly.
For example, insurance companies use questionnaires, surveys and checklists,
in conjunction with other information, to make an assessment of the
exposures to risk that they are asked to underwrite. Insurers often produce
standardised questionnaire/survey forms for brokers and specialist risk
managers to use covering classes of insurances.
Standardised questionnaires, surveys and checklists have further strengths
and weaknesses. Their strengths are that, when properly drafted, they can be
issued and answered by people with little risk management expertise. They
can also be used for multiple sites. However, their weaknesses are that they
do not encourage people to provide more than a limited set of answers or to
‘think outside the square’. Respondents are often not motivated to consider all
of the possible ramifications or to provide their thoughts and ideas about a
particular risk exposure. However, these weaknesses can sometimes be
overcome by using forms that include a combination of open and closed
questions to obtain both facts and opinions. In general, questionnaires,
surveys and checklists should be used in conjunction with other risk
identification and assessment methods. Standard questionnaires, surveys and
checklists do not normally cater for specialised exposures to risk which
require more defined analysis.
Considerable time and care need to be applied to the design and wording of
surveys, checklists and questionnaires to ensure they capture the required
information about risk exposures.


Activity 3.2—Risk identification questionnaires
Refer to Appendix 1—Example: Risk identification questionnaire for examples of
the types of questions used to determine occupational health and safety risks.
Look at the questionnaires, surveys and checklists used by your organisation
to identify and assess exposures to risk. Discuss with colleagues or your
supervisor whether any of these documents have needed to be modified for
specific circumstances or situations.

Risk identification workshops
Where possible, the use of a slice group provides an excellent means of
drawing on the corporate memory and knowledge of the organisation or
business unit. A slice group brings together senior managers, supervisors and
staff from across the organisation, rather than a vertical slice from a single
department or business unit, which may be swayed by a strong manager.
Risk identification workshops are essentially brainstorming. Brainstorming is
a good starting point for risk identification and involves a group of staff
(5–8 people is generally the optimum size for a group) identifying an
organisation’s exposures to risk. Specific types of staff are often more aware of
particular exposures to risk and so may have a personal interest in solving the
management problems of a particular type of risk exposure; for example,
financial, operational, human resource and legal.
Brainstorming also allows for in-depth interaction between the different team
participants. This technique works best when group participants use their
imaginations and avoid placing an excessive emphasis on detail. A risk
identification workshop attempts to identify and document, under a number
of risk category headings, the likely effects on the organisation of its exposure
to risk. The workshop can focus on a particular element or activity within the
organisation (e.g. a process or operational risks), or a particular department
(e.g. risks faced by the IT department) or it can explore the full range of
exposures facing an organisation—from potentially catastrophic to minor
events. For example, a catastrophic event may be an oil tanker hitting the
factory’s LPG tanks or a scandal which is broadcast by the national media,
whilst a minor event may be a broken window or a staff resignation.
A schedule of key words covering many areas of risk may trigger participants’
recognition of potential exposures to risk, while other tools such as a risk
identification table may help to bring out and clarify the results of
brainstorming.


Activity 3.3—Risk identification techniques
Select a client and imagine that you are reviewing their exposures to risk.
Identify the types of information you would hope to obtain by examining each
of the following:
 information gathered from management interviews
 flowcharts
 annual accounts
 current insurance policies
 site inspection report
 risk questionnaires/checklists/surveys
 loss/claims histories
 contracts and agreements with customers, suppliers, contractors
 organisational charts
 health and safety procedures
 information gathered from a risk identification workshop
 business plans.

Self-help question 3.2
Patrice Kisnorbo works in a remote area across town that is poorly serviced by
public transport. After some time, Patrice decides to purchase a car to
facilitate an easier daily commute.
She purchases a practical vehicle, taking out a loan for 75 per cent of the
purchase price.
Identify any unexpected events that may occur as a result of Patrice’s
ownership and operation of the car.
Answers to self-help questions are provided at the end of each section.


Documenting the risk identification process
The risk identification techniques and process should be carefully
documented so that their purpose, their method of execution and the results
garnered are all well recorded.
The documentation should capture the approach, method or technique used
for risk identification, the scope of the risk identification process, the
participants who took part in the process and the information sources
consulted to gather the relevant information.

Risk register
Perhaps the most important document that should be generated as a result of
the risk identification process is a risk register.
A risk register is a core risk management document that contains detailed
information about each identified risk exposure.
During the risk identification stage, the information recorded in the risk
register will include:
 a detailed description of each risk exposure—what can happen and how it
can happen
 its source/s—the cause of the exposure
 its impact/s—the potential consequences
 the likelihood of a risk actually occurring
 any existing treatment measures in place to mitigate the exposure (and the
adequacy of these controls)


Use Table 3.1 below to gain an understanding of what should be covered in a
risk register.
Table 3.1 Sample risk register with consequence table

RISK REGISTER
Function/activity: …………………………….
Completed by: ……………………………. Date: …………………………….

Register columns:
The risk (what can happen) | Source of risk | Risk rating (consequence code, likelihood code) | Existing controls and adequacy | Risk accepted

Risk rating matrix (likelihood code down the side, consequence code across the top):

Likelihood     | Insignificant | Minor  | Moderate | Major        | Catastrophic
Almost certain | Medium        | High   | High     | Catastrophic | Catastrophic
Likely         | Low           | Medium | High     | High         | Catastrophic
Possible       | Low           | Medium | High     | High         | Catastrophic
Unlikely       | Low           | Low    | Medium   | High         | High
Rare           | Low           | Low    | Medium   | Medium       | High

Once established, a risk register can be referenced and added to throughout
the risk assessment activities (and thus, it will be referred to in the subsequent
subsections) as well as acting as a resource for all future risk management
reviews and projects.
The risk register should be customised by each organisation to reflect their
specific structure and activities. You will note that the example risk register
also contains fields for recording:
 consequence ratings
 likelihood ratings
 level of risk
 risk priority in terms of treatment requirements.
These aspects of a risk register are also important, but the required
information is often not immediately available during the risk identification
step. The fields may be completed in the subsequent steps of risk assessment,
risk analysis and evaluation.


Self-help question 3.3—Identifying Masterprint’s exposures


In developing their risk management program, Masterprint develop a risk
identification information report based on inspections, interviews and collated
key documents. This report includes:
 general risk information
 a flowchart of their operational activities
 a detailed layout plan of the Masterprint premises.
These portions of the Masterprint report are summarised in Appendix 2—
Masterprint risk identification information.
Review the materials in Appendix 2 closely and extract from it a list of as many
possible risk exposures as you can.

Ref. Masterprint’s risk exposure

Answers to self-help questions are provided at the end of each section.


Risk identification table


To help compile the issues and risk exposures identified into a logical order, a
risk identification table such as the one shown below can be used to cross-reference
the categorised sources of risk with the areas of impact.
Table 3.2 Example: Risk identification table

Area of impact (columns): Assets | Revenue | Cost | People | Performance | Timing & schedules | Environment | Intangibles

Types of exposure to risk (rows):
 Property
 Financial
 Liability – personal
 Liability – general
 Health and safety
 Production
 Marketing
 Environmental
 Security
 Political
 Key personnel
Note: The types of exposure to risk and the areas of impact presented in the
table above should not be regarded as either prescriptive or exhaustive. Risk
identification classifications and tables should be customised to suit each
individual organisation.


Risk analysis
Once an organisation’s risk exposures have been identified, the effect and
extent of its potential consequences need to be analysed and quantified.
Risk analysis is the analysis of individual risk exposures in terms of their
likelihood and consequence. Section 2.21 of ISO 31000:2009 defines risk
analysis as a:
…process to comprehend the nature of risk and to determine the level of
risk
NOTE 1: Risk analysis provides the basis for risk evaluation and decisions
about risk treatment
NOTE 2: Risk analysis includes risk estimation.

In effect, risk analysis is about quantifying the exposure. Risk quantification
measures the likelihood of an event and the consequence that could result
from it.
To effectively undertake risk assessment of an organisation, information
gathered on individual exposures to risk in the risk identification process
should be utilised. In addition, the assessment will be enhanced by:
 planned future strategies of the organisation
 historical and operational data
 management attitudes to data collection
 existing control measures for identified risk exposures.
Proper analysis of an organisation’s risk exposures produces a comprehensive
understanding of:
 the likelihood that a benefit or loss will occur from being exposed to the
particular risk
 the consequences of the exposure to risk.
From there, risk exposures are carefully analysed by combining the
information about consequence and likelihood of the risk exposure to
establish a risk rating, whilst at the same time taking into account any existing
controls associated with the risk exposure.
It is essential to measure risk exposures to enable the organisation to
distinguish minor tolerable risk exposures from major exposures, providing
valuable information for the subsequent steps in the risk management
process, risk evaluation and treatment of risk exposures.


Likelihood and consequence


The next step in analysing risks is to determine the likelihood (or frequency) of
each unexpected and/or loss producing event and the likely consequence
(or severity or impact) of such event.
Likelihood means the number of times an event is likely to occur in a given
period of time.
The consequence represents the impact on the business if the event occurs.

Likelihood
When determining the likelihood of an unexpected event, the number of times
it can potentially occur in a year is measured.
The likelihood of an unexpected event can be measured in terms of frequency
of occurrences (that is, occurrence per year—No./Yr). The potential frequency
of an event needs to be determined using a descriptive scale. Examples of
descriptions that may be used for the likelihood of an unexpected event/loss
are:
 almost certain
 likely
 possible
 unlikely
 rare
 very rare
 almost incredible.

Consequence
The effect that such event can have on the organisation is also measured. This
is the loss consequence and it is often measured in financial ($) terms. Where
possible, the following factors are taken into account:
 injury to people
 financial implications, including financial/asset damage or loss
 adverse reputation and image effects
 environmental damage
 disruption of business operations (both short- and long-term).

Measurements of likelihood and consequence


Measurement scales typically use descriptors that are either:
 nominal—descriptors are used to assign data to categories
 ordinal—use of comparative scales (a ranking only; the gaps between points
are not equal)
 interval—using points, limits, quantities on a scale (i.e. quantitative
intervals between units of measurement)
 ratio—similar to interval scale, but with a true zero point, so that ratios
between values are meaningful (e.g. no loss, $10 loss, $100 loss).


Activity 3.4—Estimating likelihood and consequence


Identify one of the major risk exposures that your organisation or a client
organisation is likely to face.
Estimate what you believe would be the chances of an unexpected event
occurring and actually resulting in a loss. Estimate the impact of this event
and loss for the organisation.

Sources of information
The most comprehensive and best available sources of information should be
used when analysing an organisation’s risk exposures so as to provide the
necessary data for evaluating the consequences and likelihood of potential
losses.
The most common method of arriving at measurement, analyses and forecasts
is a review of each identified risk exposure by management, and relevant
specialists, using an agreed set of factors (that is, the criteria determined in the
establishing the context step) and a standard methodology.
The main sources of information for risk analysis may include:
 information obtained from the risk identification process
 industry practice, experience and benchmarks
 industry literature
 market research
 expert industry opinion
 personal knowledge and expertise
 financial, process or systems modelling.

Information from the risk identification process


Data on an organisation’s operations can be obtained from various sources, as
outlined in the section on risk identification techniques (i.e. information from
questionnaires, surveys, checklists, preliminary management interviews etc).
The information entered into the risk register during the risk identification step
should provide a firm basis for analysis, but it will rarely encapsulate all that
is required to comprehensively assess a risk.

Industry practice, experience and benchmarks


A valuable source of information for analysing risks is the practice, experience
and benchmarks of the industry in which the organisation operates. Utilising
industry practice, experience and benchmarks enables comparison of the
exposures to risk of the company in question with other companies in the
industry.


Industry literature
Published articles, books and other printed material regarding the industry in
which the organisation operates is a valuable source of information on
industry practice, experience, techniques and processes.

Market research
Market research may also provide valuable insights into the requirements of
customers, problems associated with suppliers and the public image and
reputation of the organisation in question. Market research may be conducted
by or on behalf of the organisation, or may be accessible from other pre-
existing sources.

Internet search engines

Internet searches can be a valuable source of information for risk identification.
For example, an organisation manufacturing a particular machine may search to
see whether any liability issues have arisen with similar machines.

Expert industry opinion


Experts in the industry in which the organisation operates can often provide
valuable insights into the various problems experienced by the industry and
possible solutions to these problems.

Personal knowledge and expertise


Every person undertaking analysis of exposures to risk and their likely effects
has considerable knowledge and expertise that can often greatly assist in the
risk analysis process.

Financial, process or systems modelling


Finally, financial, process or systems modelling can be used to test a wide
range of scenarios. Using modelling techniques (such as Palisade's @RISK
spreadsheet add-in) on the available financial, process and systems data can
help accelerate the risk analysis process.

Qualitative versus quantitative analysis


Risk analysis techniques may be qualitative, semi-quantitative or quantitative.
To most effectively analyse their risk exposures, an organisation should
ideally use a combination of techniques.
Generally, qualitative analysis is used in the first instance to provide a general
indication of the level of risk and more specific quantitative analysis will take
place if required.
Regardless of the method/s of analysis selected, it is important to recognise
that the past does not always accurately reflect the future in terms of loss
likelihood and consequences. Monitoring the context and the changing
environment is important to ensure that assumptions are well-founded.


Qualitative risk analysis


Qualitative analysis in risk management can be defined as the use of:
words to describe the magnitude of potential consequences and the
likelihood that those consequences will occur.

Qualitative analysis is generally used:
 to identify those exposures to risk which require further analysis
 in situations where the level of risk does not warrant further analysis
 when there is inadequate information available to conduct quantitative
analysis.
Qualitative risk analysis should utilise any factual data and information
where it is available.
Qualitative risk analysis techniques are generally cheap and easily applied
within an organisation. However, such techniques do not provide statistically
valid numerical data and estimates upon which risk exposures can be ranked.
Qualitative analysis uses words, descriptions and scales to describe the
dimensions of the probable consequences and likelihood that a particular
incident/event will occur.
Generally, qualitative risk analysis is used in the first instance to obtain a
general indication of the risk exposures that an organisation faces, enabling
the major risk exposures to be clearly identified. Then, if deemed necessary by
the organisation, more specific quantitative risk analysis can be undertaken.
The descriptive scales used for qualitative analysis are usually adjusted or
altered to reflect the circumstances of the particular organisation and the risk
being considered. The type of scale used to measure the consequence and
likelihood of risk exposures generally depends on the nature and range of
both the consequence and likelihoods being investigated.
The following are examples of qualitative measurements for likelihood and
consequence of loss resulting from exposure to risk. An organisation must
develop tables tailored to its specific needs.
Table 3.3 Example—Qualitative measures of likelihood

Level | Descriptor     | Description
A     | Almost certain | The event will occur on an annual basis
B     | Likely         | The event has occurred several times or more
C     | Possible       | The event might occur once in your career
D     | Unlikely       | The event does occur somewhere from time to time
E     | Rare           | Heard of something like this occurring elsewhere
F     | Very rare      | Have never heard of this happening


Table 3.4 Example—Qualitative measures of consequence

Level | Descriptor   | Example detail description
IV    | Catastrophic | Most objectives cannot be achieved
III   | Major        | Some important objectives cannot be achieved
II    | Moderate     | Some objectives affected
I     | Minor        | Minor effects that are easily remedied

Example—Qualitative likelihood and consequence data


The following is an example of the sort of broad qualitative statistical
information that an insurer may provide about risk likelihood and consequence
regarding instances of fire in particular types of workplaces.
Table 3.5 Example—Qualitative likelihood and consequence
Occupancy Fire likelihood Fire severity

Dairy products Low Medium

Metal assembly Low Medium

Cement plant Medium High

Library Low High

Office Low High

Shopping centre Medium High

Printing Medium Medium

Foam rubber manufacturer High High

Vehicle parking Low Low

Semi-quantitative risk analysis


Qualitative analysis techniques using descriptors and the like have their limits
as they provide relatively imprecise estimates. In addition, descriptors cannot
be easily converted for use in software programs for modelling purposes, as
number values are required to perform calculations.
To facilitate the use of calculations and modelling, numbers can be assigned to
represent the descriptive terms found in qualitative risk analysis methods.
This is described as a semi-quantitative method of analysis, as numbers are
used to express qualitative descriptors.
Semi-quantitative risk analysis uses expanded qualitative scales (that is,
words and descriptors) to produce a more detailed, numerical ranking scale.


Table 3.6 Example—Semi-quantitative measures of likelihood

Level | Descriptor     | Indicative frequency (expected to occur)
A     | Almost certain | Once a year or more frequently
B     | Likely         | Once every three years in your career
C     | Possible       | Once every ten years
D     | Unlikely       | Once every thirty years
E     | Rare           | Once every 100 years
F     | Very rare      | Once every 1,000 years

It should be noted that the numeric ranking employed in semi-quantitative
analysis is not indicative of the high degree of precision that a fully
quantitative model might produce. Despite their limitations, semi-quantitative
methods do provide crude mathematical estimates to assist analyses.

Example—Semi-quantitative analysis in practice


A plane crash and a power failure are two risk exposures with which people
can readily identify. In the diagram below, respondents have been asked to
estimate the likelihood of those risks using a scale based on qualitative
descriptors—anywhere from very rare to certain. The arrows pointing to the
line represent a respondent’s estimation of those likelihoods.
Table 3.7 Example—Semi-quantitative analysis in practice

Numbers have been ascribed to the descriptive terms (and the space between
those terms) to facilitate the development of calculations for the risk
exposures. However, this is not necessarily a precise analysis of the data: on
the scale, an event rated 8 is not twice as likely to occur as one rated 4.
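The point that a score of 8 is not twice a score of 4 can be checked against the indicative frequencies in Table 3.6. The Python example below is added here for illustration and is not part of the ANZIIF module: the 6-to-1 numeric scores, the consequence scores and the three sample exposures with their loss figures are assumptions made for the example. It compares score ratios with frequency ratios, then ranks the same exposures once by the score product a matrix would use and once by indicative frequency times loss per event, and the two orderings differ.

```python
"""Semi-quantitative likelihood levels: ordinal scores versus indicative frequencies.

Added example; the score values, consequence scores and sample exposures are assumptions.
"""

# Indicative frequencies from Table 3.6, expressed as expected events per year.
INDICATIVE_FREQUENCY = {
    "A": 1.0,       # almost certain: once a year or more frequently
    "B": 1 / 3,     # likely: once every three years
    "C": 1 / 10,    # possible: once every ten years
    "D": 1 / 30,    # unlikely: once every thirty years
    "E": 1 / 100,   # rare: once every 100 years
    "F": 1 / 1000,  # very rare: once every 1,000 years
}

# Numeric scores attached to the same descriptors for ranking. The 6..1
# assignment is an assumption made for this example, not a scale from the module.
LIKELIHOOD_SCORE = {"A": 6, "B": 5, "C": 4, "D": 3, "E": 2, "F": 1}


def frequency_ratio(higher, lower):
    """How many times more frequent level `higher` is than level `lower`."""
    return INDICATIVE_FREQUENCY[higher] / INDICATIVE_FREQUENCY[lower]


def score_ratio(higher, lower):
    """The same comparison on the ordinal score, where a ratio has no meaning."""
    return LIKELIHOOD_SCORE[higher] / LIKELIHOOD_SCORE[lower]


def expected_annual_loss(level, loss_per_event):
    """Indicative events per year times loss per event, in dollars per year."""
    return INDICATIVE_FREQUENCY[level] * loss_per_event


def rank_by_score_product(risks):
    """Rank by likelihood score x consequence score, the usual matrix shortcut.

    sorted() is stable, so exposures with equal products keep their input order.
    """
    ordered = sorted(
        risks,
        key=lambda r: LIKELIHOOD_SCORE[r["level"]] * r["consequence_score"],
        reverse=True,
    )
    return [r["name"] for r in ordered]


def rank_by_expected_loss(risks):
    """Rank by indicative frequency x loss per event instead of by score product."""
    ordered = sorted(
        risks,
        key=lambda r: expected_annual_loss(r["level"], r["loss_per_event"]),
        reverse=True,
    )
    return [r["name"] for r in ordered]


# Constructed sample exposures for a small print shop; all figures are assumed.
SAMPLE_RISKS = [
    {"name": "minor injuries", "level": "A", "consequence_score": 2, "loss_per_event": 8_000},
    {"name": "press breakdown", "level": "C", "consequence_score": 4, "loss_per_event": 90_000},
    {"name": "flood", "level": "E", "consequence_score": 5, "loss_per_event": 2_000_000},
]

if __name__ == "__main__":
    print("A vs C: score ratio", score_ratio("A", "C"), "frequency ratio", frequency_ratio("A", "C"))
    print("D vs F: score ratio", score_ratio("D", "F"), "frequency ratio", round(frequency_ratio("D", "F"), 1))
    print("ranked by score product:", rank_by_score_product(SAMPLE_RISKS))
    print("ranked by expected loss:", rank_by_expected_loss(SAMPLE_RISKS))
```

Level A scores 1.5 times level C but is ten times as frequent; level D scores 3 times level F but is about 33 times as frequent. Because the score is ordinal, multiplying it by a consequence score gives a ranking, not a measure, which is why the rare flood drops to the bottom of the score-product list while it tops the expected-loss list.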


Quantitative risk analysis


Quantitative analysis may be described as the use of numerical values for both
consequences and likelihood, drawing on data from a variety of sources.
Risk quantification can be conducted to varying degrees, depending upon the
information and data an organisation has available about their exposures to
risk. For some risk exposures, more precise values for likelihood and
consequences can be determined and used for more detailed analysis. The
likelihood of events sometimes can be calculated through detailed analysis of
past losses providing more accurate probabilities for future events. For
consequences, for example, total values of financial losses or actual duration
of lost time can be identified through analysis and can provide more precise
calculations to determine the level of risk.
Quantitative risk analysis techniques provide numerical data for ranking risk
exposures. However, these techniques require a disciplined and long-term
approach to recording and interpreting data to provide accurate and valid
inputs. The quality of the analysis is dependent on the accuracy and statistical
validity of the data and models used, as well as the skill of the person
undertaking the analysis. It should always be remembered that there are
usually assumptions which underpin the assignment of quantitative amounts,
and these assumptions should be recorded alongside the results.
With the ability to define event likelihoods and consequences in terms of
actual numerical values, an organisation can use relatively straightforward
statistical methods of risk analysis to generate more precise measures.

Example—Quantitative analysis in practice


Returning to the example risk exposures of an aeroplane crash and a power
failure, it might be possible to determine the statistical probability of those
events with reasonable accuracy. The likelihood of a business in a metropolitan
area experiencing a power failure could perhaps be established from information
held by the power company and from the business's own records. Aviation
experts might be able to calculate the probability of an aeroplane crashing into
the metropolitan area.
Using these quantified probability values, you could calculate actual
likelihoods as part of the risk analysis. In the table below, 0 represents the
absolute impossibility of an occurrence in a given time frame, whereas 1
represents its absolute inevitability in that same time frame. The values between
0 and 1 are the probability of the event occurring within that time frame, so they
can be compared and combined arithmetically in a way that ordinal scores cannot.
Table 3.8 Example quantitative analysis in practice
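Table 3.8 itself is not reproduced on this page. As an added illustration, not part of the module, the Python example below shows how a 0-to-1 probability for the power failure exposure can be derived from a business's own records: the annual event rate is taken from a constructed five-year outage history, a Poisson model turns that rate into the probability of at least one (or, going a step beyond the text, at least k) failure in a year, and the same records give a mean loss per event and an expected annual loss. The aircraft crash rate is an assumed figure standing in for the expert estimate the text mentions, and the cost per hour of lost production is also assumed.

```python
"""Quantitative likelihood: from a loss history to an annual probability on the 0..1 scale.

Added example; the outage history, the cost per hour and the aircraft crash rate are
constructed or assumed, not real data.
"""
import math
from datetime import date

# Constructed five-year power-failure history for a hypothetical business:
# (date of outage, hours of production lost).
OBSERVATION_YEARS = 5.0
OUTAGES = [
    (date(2011, 2, 3), 1.5), (date(2011, 7, 19), 4.0), (date(2012, 1, 8), 0.5),
    (date(2012, 11, 23), 2.0), (date(2013, 3, 2), 6.0), (date(2013, 8, 14), 1.0),
    (date(2014, 4, 27), 3.0), (date(2014, 12, 1), 2.5), (date(2015, 6, 9), 1.0),
    (date(2015, 9, 30), 0.5),
]
LOSS_PER_HOUR = 1_500.0  # assumed cost of an hour of lost production, in dollars

# Assumed figure standing in for the "aviation experts" estimate in the text.
AIRCRAFT_CRASH_RATE = 2e-5  # crashes onto this site per year (illustrative only)


def annual_rate(records, years):
    """Events per year observed over the recording period."""
    return len(records) / years


def probability_at_least(k, rate, horizon_years=1.0):
    """P(at least k events in the horizon) for events arriving at `rate` per year.

    Poisson model: the count over the horizon has mean m = rate * horizon, and
    P(N >= k) = 1 - sum_{i<k} e^-m m^i / i!
    """
    m = rate * horizon_years
    below = sum(math.exp(-m) * m**i / math.factorial(i) for i in range(k))
    return 1.0 - below


def probability_within(rate, horizon_years=1.0):
    """P(at least one event in the horizon): the value that sits on the 0..1 scale."""
    return probability_at_least(1, rate, horizon_years)


def mean_loss_per_event(records):
    """Average hours lost per outage, costed at LOSS_PER_HOUR."""
    hours = [h for _, h in records]
    return LOSS_PER_HOUR * sum(hours) / len(hours)


def expected_annual_loss(records, years):
    """Observed rate times mean loss per event, in dollars per year."""
    return annual_rate(records, years) * mean_loss_per_event(records)


if __name__ == "__main__":
    rate = annual_rate(OUTAGES, OBSERVATION_YEARS)
    print(f"power failures observed:    {rate:.2f} per year")
    print(f"P(at least one in a year):  {probability_within(rate):.3f}")
    print(f"P(three or more in a year): {probability_at_least(3, rate):.3f}")
    print(f"expected annual loss:       ${expected_annual_loss(OUTAGES, OBSERVATION_YEARS):,.0f}")
    print(f"P(aircraft crash in a year): {probability_within(AIRCRAFT_CRASH_RATE):.2e}")
```

Note that the rate (two failures a year) and the probability of at least one failure in a year (about 0.86) are different numbers: a rate can exceed 1, a probability cannot, and the text's 0-to-1 scale is the latter. For a very rare event such as the crash the two are numerically almost the same, which is why practitioners often quote rates for rare events and probabilities for frequent ones.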


Common analysis methods


Qualitative and quantitative risk analysis techniques may be carried out
according to any number of established methods.
Some of the common methods are outlined in the following tables.
Note: Many of the techniques outlined in the following tables require
significant training and understanding of systems and/or activities in order to
be effectively utilised as part of the risk analysis process. They are largely
undertaken by experienced risk management specialists.
Table 3.9 Quantitative risk analysis techniques

'What if?' scenarios
Common applications: primarily used for systems review; can be used in all industries.
Features: lists hazards and/or safety issues; identifies possible accident scenarios, contingency planning and compliance verification; unsuitable for complex processes; incapable of identifying organisational interdependencies; very user-friendly; inexpensive.

HAZOP: Hazard and operability studies
Common applications: can be used in all industries; most appropriate in chemical and process-driven industries.
Features: lists process hazards; identifies the consequences of deviations; can assess the adequacy of hazard controls and pinpoint appropriate controls.

FMEA: Failure mode and effect analysis, and FMECA: Failure mode and effect and criticality analysis
Common applications: generally used for reliability analysis of single components and for accident investigation.
Features: lists component failures, causes, consequences and criticality; useful for identifying single-point failures; time-consuming; expensive.

Human error analysis (HEA)
Common applications: generally used for analysis of safety-critical tasks; can be used in all industries; mainly used in the aerospace and nuclear industries.
Features: evaluates human error and associated hazards, their consequences and potential steps for mitigation of 'human error'.

Reliability block diagrams
Common applications: generally used as a reliability prediction tool; suitable for mechanical systems; can be used in all industries; most appropriate in the aviation industry.
Features: uses process and failure data to determine system reliability.

Fault tree analysis (FTA)
Common applications: can be used in all industries; mainly used in the aerospace and nuclear industries; used for accident investigation purposes; used throughout all stages of operations, but particularly relevant in the design stage.
Features: systematic review to identify the events that lead to a hazard (i.e. the event that sits at the top of the 'tree'); identifies and quantifies failures that lead to an unwanted event; achieves best results using modelling and quantification software; good for complex systems where combinations of events and interdependencies exist.

Event tree analysis (ETA)
Common applications: used to model dependencies and escalation of events; can be used in all industries; mainly used in process-driven sectors.
Features: involves systematic mapping of realistic event scenarios; good technique for modelling catastrophic events.

First order reliability methods (FORM)
Common applications: used to predict sensitivities and the likely failure regime; can be used in all industries; mainly used in structural engineering.
Features: very systematic; provides a numerical estimate of the likelihood of failure for variable inputs.

Monte Carlo methods
Common applications: can be used in all industries; mainly used in the finance sector.
Features: used to model the uncertainty of investment decisions; provides a range of outcomes; enhances the estimation of risk; difficult to apply because a mathematical model of the exposure must first be built.
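To make the Monte Carlo row concrete, here is an added Python example, not taken from the module or from any vendor package, that simulates one year of aggregate loss from a single exposure many thousands of times. Event counts per year follow a Poisson distribution with the annual rate as its mean, each event's severity follows a lognormal distribution with an assumed median and spread, and the result is read off as a mean and as percentiles rather than as one number. The rate, median loss, spread and trial count are assumptions for the example; the closed-form mean is included only to check that the simulation is behaving.

```python
"""Monte Carlo estimate of a year's aggregate loss from one exposure.

Added example; the frequency and severity parameters are assumptions.
"""
import math
import random


def poisson_sample(rng, mean):
    """Draw an event count with the given mean (Knuth's method; fine for small means)."""
    limit = math.exp(-mean)
    count, product = 0, rng.random()
    while product > limit:
        count += 1
        product *= rng.random()
    return count


def simulate_annual_losses(rate, median_loss, sigma, trials, seed=1):
    """Simulate `trials` years of aggregate loss.

    Frequency: Poisson(rate) events per year.
    Severity:  lognormal with the given median and log-standard-deviation sigma.
    Returns one aggregate annual loss per simulated year.
    """
    rng = random.Random(seed)  # fixed seed so a run is reproducible
    mu = math.log(median_loss)  # lognormal median = exp(mu)
    results = []
    for _ in range(trials):
        n_events = poisson_sample(rng, rate)
        results.append(sum(rng.lognormvariate(mu, sigma) for _ in range(n_events)))
    return results


def percentile(values, q):
    """q-th percentile (0..100) by the nearest-rank method on the sorted sample."""
    ordered = sorted(values)
    index = max(0, math.ceil(q / 100 * len(ordered)) - 1)
    return ordered[index]


def analytic_mean(rate, median_loss, sigma):
    """Closed-form expected annual loss used to sanity-check the simulation:
    rate x E[severity], where E[lognormal] = median x exp(sigma^2 / 2)."""
    return rate * median_loss * math.exp(sigma**2 / 2)


def summarise(losses):
    """The range of outcomes a decision-maker would be shown, not just the mean."""
    return {
        "mean": sum(losses) / len(losses),
        "p50": percentile(losses, 50),
        "p95": percentile(losses, 95),
        "p99": percentile(losses, 99),
        "share_of_zero_years": sum(1 for x in losses if x == 0) / len(losses),
    }


if __name__ == "__main__":
    # Assumed parameters: two events a year, median loss $3,000, fairly wide spread.
    RATE, MEDIAN, SIGMA, TRIALS = 2.0, 3_000.0, 0.8, 20_000
    summary = summarise(simulate_annual_losses(RATE, MEDIAN, SIGMA, TRIALS, seed=7))
    print(f"analytic mean annual loss: ${analytic_mean(RATE, MEDIAN, SIGMA):,.0f}")
    for key, value in summary.items():
        print(f"{key:>20}: {value:,.3f}" if key.startswith("share") else f"{key:>20}: ${value:,.0f}")
```

The 95th and 99th percentiles are what distinguish this from a single expected-loss figure: they tell the organisation how bad a plausible bad year is, which is the number to compare against its risk tolerance. The share of zero-loss years (about e^-2, or 13.5%, for a rate of two a year) is a useful check that the frequency model is doing what you think.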

Further reading—Risk assessment techniques


The most relevant, comprehensive and best available techniques should be
used when analysing risks. ISO/IEC 31010 provides a starting point for
available techniques.
While a detailed knowledge of that standard is not necessary to successfully
complete this learning module, interested readers may purchase it from
Standards Australia's publisher, SAI Global (www.saiglobal.com).


Risk analysis using software packages


The specific risk analysis methods used by an organisation will depend upon
the activities undertaken by the organisation and the resources available for
the risk management process. Larger organisations generally use the ongoing
application of computer and software-based technologies to analyse risk
exposures at a detailed level.
Exposures to risk can be analysed using a number of software packages
specifically designed to record and analyse incidents and losses, undertake
predictive modelling and analyse risk exposures. These packages are commonly
used by risk management specialists and consultants, large organisations,
banks, finance and insurance companies and large broking organisations.
The software collects and analyses information to highlight specific areas of
concern requiring further evaluation, for example, the statistics may identify
an increased employee accident rate within a section of an organisation, or
statistics may reveal an increased rejection rate from a manufacturing process.
An investigation could then be conducted to determine whether the increased
rate is due to poor training, inadequate supervision, poor use of protective
clothing, malfunctioning machinery or some other factor. From there the
appropriate action can be taken to minimise the effects of the exposure.

Risk surveyor's role in risk analysis


The risk surveyor can play an important role in assisting clients with risk
analysis. The risk surveyor brings experience in:
 lessons from claims, which can be used to highlight risks
 knowledge of similar industries and the risks that they have identified
 knowledge of risks that have been identified in the underwriting
process
 insurance industry research and guidelines.
It must be expected that clients may not have the ability to identify all their
risks. A good example would be the use of expanded polystyrene sandwich
panels in building construction. Some organisations may have used this
material, perhaps specified by an architect, and may not be aware of the fire
risk of this material.
The risk surveyor can be an excellent resource in the identification of risks,
assisting the client and improving the risk from an underwriting
perspective.
We discuss the importance of the risk surveyor's role and risk surveying in
module three of this course.


Documenting the risk analysis process


The risk analysis process should be carefully documented, recording the
following information:
 the risk analysis approach employed by the organisation
 details of the method or technique used for risk analysis
 key assumptions and limitations
 information sources used to gather the relevant information
 the scope of the risk analysis process
 those taking part in the process.
Aside from standalone reports, documentation of the outcomes of risk
analysis may also take the form of additions or appendices to the risk register
developed as a part of the risk identification stage.

Risk evaluation
When the exposures to risk have been identified and analysed, the next step in
the risk management process is to evaluate the exposures.
Section 2.24 of ISO 31000:2009 defines risk evaluation as a:
…process of comparing the results of risk analysis with risk criteria to
determine whether the risk and/or its magnitude is acceptable or
tolerable

Note: Risk evaluation assists in the decision about risk treatment.

According to Section 5.4.3 of ISO/IEC 31010:
Risk analysis provides an input to risk evaluation and to decisions on
whether risks need to be treated, and on the most appropriate risk
treatment strategies and methods. Risk analysis can also provide an
input into making decisions where choices must be made and the options
involve different types and levels of risk.

Risk exposures need to be evaluated so that decisions can be made regarding
whether or not particular risk exposures are acceptable to an organisation—
and action needs to be taken. This involves determining the order in which
the risks will be actively treated by the organisation. It establishes a risk
hierarchy for the organisation.
Arranging risk exposures into a hierarchy—from those that could result in a
catastrophe to those that would only have a minor effect on the organisation—
assists in determining:
 whether risk management activities need to be undertaken in relation to a
particular risk exposure
 if an exposure requires treatment
 in which order the risk exposures should be treated—that is, there are
likely to be particular exposures that are deemed more important or
troublesome and thereby need to be treated first.


To this end, a risk analysis matrix—which records the likelihood and
consequence of all identified risk exposures and organises that information
into a schedule that indicates practical priorities—should be developed as part
of the risk evaluation process, allowing the organisation to assign risk ratings
to each exposure. This, in turn, facilitates sound decision making about which
risks need treatment and in what order of priority they should be treated.
Evaluating risk exposures also assists in:
 determining the existing risk treatment measures the organisation has in
place
 assessing the strengths and weakness of each of the existing risk treatment
measures.
This is particularly important as such measures are likely to influence the
future treatments of the exposures to risk.

Basis of evaluation
The analysis and quantification of a risk exposure's likelihood and
consequences paves the way for each risk to be evaluated. This involves a
partly subjective comparison of the understanding developed of each risk
exposure against the others and against the organisation's risk criteria.
The evaluation of risk exposures is also closely linked to the organisation’s
tolerance for risk. Organisations are generally prepared to bear a certain level
of risk in return for benefits to the business. The organisation’s attitude to and
capacity to accept or tolerate risk should be determined as a part of defining
the risk criteria, as developed in the establishing the context activities of the
risk management process.

Developing a Risk Analysis Consequence Table


Each organisation should develop their own Risk Analysis Consequence Table to
identify their ’appetite for risk’, in other words, what can they afford to lose.
A loss of $50m may not be a problem to the global giant BP but it would be a
catastrophic loss to the small printing company used in our case study.
The Risk Analysis Consequence Table is typically developed by the risk manager
or risk management committee and can be used by all people who are
completing risk registers. The following is a sample risk analysis consequence
table.


Table 3.10 Sample Risk Analysis Consequence Table

MASTER PRINT RISK ANALYSIS CONSEQUENCE TABLE

Rating          | Corporate / market image           | Financial (cost increase / revenue decrease) | People / work environment        | Environment
V Catastrophic  | Serious public or media outcry     | > $10m                                       | Death of multiple employees      | Serious long-term environmental impact
IV Major        | Significant adverse publicity      | $1m to $10m                                  | Death / major injury to employee | Serious medium-term impact
III Moderate    | Ongoing moderate adverse publicity | $500,000 to $1m                              | Loss of key staff                | Moderate short-term impairment
II Minor        | One-off adverse publicity          | < $500,000                                   | Loss of personal property        | Minor impact
I Insignificant | –                                  | < $100,000                                   | Loss of laptop                   | –

The identification and assessment of a particular risk incurring a loss is an
essential first step in determining whether any individual risk is tolerable to
the organisation or whether it requires further treatment in order to reduce
the risk exposure. Care must be taken to ensure all aspects of the particular
risk and all of the associated consequences are taken into account in its
evaluation. In addition, to correctly evaluate the risk exposure, it is also
necessary to take stock of the organisation's own resources as ultimately it is
these resources that cushion the impact of any risk exposure.
Whatever the organisation’s tolerance for risk, the basis upon which risk
exposures are evaluated must be consistent with the risk management
framework the organisation has adopted in the establishing the context activities
of the risk management process.
Effective evaluation of risk exposures is achieved by comparing the risk
analysis data for each risk exposure against the risk criteria which were
determined when the context for the risk management program was
established.


So, risk evaluation is about using the information from the risk identification
and risk analysis stages to make a decision about which risk exposures require
treatment and what the priorities for treatment should be, taking into account
the criteria developed as a part of establishing the context activities of the risk
management process.
The less comprehensive or precise the information that was used to calculate
the likelihood and consequence of a risk exposure, the more subjective the
approach to risk evaluation needs to be. When adopting a subjective
approach, the risk management specialist should indicate the margin of error
as related to an estimation of loss.

Correlation between likelihood and consequence
In broad terms, extreme unexpected events and severe losses tend to occur
less frequently, whereas small unexpected events and losses tend to occur
more frequently, and average-size unexpected events and losses tend to occur
with average frequency. Whilst an exposure to a risk may have an
insignificant consequence and can be dealt with easily in isolation, the high
likelihood of this unexpected event occurring can unnecessarily impact on
organisational objectives.
The correlation between the likelihood and the consequence of a
loss/unexpected event is in most cases inversely proportional. Likelihood and
consequence can be formulated into a probability distribution. As the
following diagram shows, this probability distribution can be used to
interpret the likely annual occurrence of particular types of losses/unexpected
events.
Table 3.11 Example—Usual correlation between the likelihood and consequence of a risk


However, it should be noted that the correlation between consequence and
likelihood is not always inversely proportional. In some cases there can be
some low frequency/low severity risks as well as high frequency/high severity
risks. The calculation of likelihood and consequence of loss as a probability
distribution should only be done if there are a sufficient number of items of
information, otherwise the results will be inconclusive.

Risk matrices and risk ratings


When both measures of likelihood and consequence have been determined,
then a qualitative risk analysis matrix can be developed to prioritise exposures
by assigning a risk rating to each particular risk. The qualitative and
quantitative risk analysis data is used to set priorities for treatment based on
the level of risk to which the organisation is exposed.
The following table is an example of a qualitative risk analysis matrix, the
framework of which is based on the results of analysis that led to categories of
likelihood and consequences.
While the example illustrates the relevant information and structures, it is
important that each organisation develops its own matrix tailored to its
specific needs.
Table 3.12 Example—Risk analysis matrix

Likelihood code \ Consequence code | Insignificant | Minor | Moderate | Major | Catastrophic
Almost certain | Medium | High | High | Catastrophic | Catastrophic
Likely | Low | Medium | High | High | Catastrophic
Possible | Low | Medium | High | High | Catastrophic
Unlikely | Low | Low | Medium | High | High
Rare | Low | Low | Medium | Medium | High

The descriptors low, medium, high and catastrophic are the risk ratings derived
by combining any one risk exposure’s analysed likelihood and consequence.
The risk ratings arrived at by using the risk analysis matrix can be used by an
organisation to define the risk priority.


Depending on its specific circumstances, an organisation may link risk
ratings to various responses, such as the level of management attention
required or the time scale of the response required. For example:
Catastrophic risk: Immediate action required. Senior executive
management/Board accountable.
High risk: Senior executive management attention needed. Management
accountability and responsibility specified.
Medium risk: Manage by specific monitoring or response procedures by
accountable Line Managers.
Low risk: Manage by routine procedures. Unlikely to need specific
application of resources.

Due to the limited information provided in the matrix and its tendency to
oversimplify complex issues, decision making should not be based on the
matrix alone. The matrix should be used in conjunction with other sources of
risk identification and analysis data (as identified earlier in this section).
Nevertheless, a risk analysis matrix and the resultant risk ratings are
extremely useful tools for organising, evaluating and presenting risk
assessment outcomes to lead into the next activity of the risk management
process, risk treatment.

Prioritisation for action


The outcomes of evaluating the risk exposures include decisions about:
• whether a particular exposure requires any treatment
• whether an activity or project should be undertaken (and under what
circumstances)
• priorities for treating individual risk exposures.
Risk evaluation involves the ranking of risk exposures to determine which
ones will be actively treated.
Exposures to risk must be evaluated and prioritised for action based on their
description.
Prioritisation will be affected by practical considerations such as:
• What are the organisation’s corporate objectives?
• What is the public perception of the organisation?
• What are the manager’s priorities?
• What are the stakeholders’ expectations?
• What resources are required to manage the risk exposure?
• What are the budget constraints?
• What are the risk ratings? Typically, an organisation will initially
concentrate on catastrophic and high risks.


Case study—Masterprint’s Risk Register

Marjorie Crawford, the Finance Manager for Masterprint, in conjunction with
the risk management project team, has identified and documented the risks
to which the company is exposed.
Michael Jones, the Facilities Manager for Masterprint, has taken one of those
risks and will complete a Risk Register on that risk. The risk he is
investigating is leakage of oil from oil tanks and the subsequent pollution of
the river. The tanks are close to the river as shown in the diagram below. The
tanks are highlighted in yellow on the Greenway River map.
Image 3.1 Greenway River Map


Steps to complete the Risk Register


Step 1 Completing the Register
Establish a rating from the consequence table. Here Masterprint have come up
with a rating of ‘Major’. The Facilities Manager is concerned that there could
be clean-up costs and that any bad publicity of this sort could have a negative
effect on the Government re-tendering process.

MASTER PRINT RISK ANALYSIS CONSEQUENCE TABLE

Rating | Corporate / Market Image | Financial | People | Work Environment
Catastrophic (V) | Serious public or media outcry | Cost increase/revenue decrease > $10m | Death of multiple employees | Serious long term environmental impact
Major (IV) | Significant adverse publicity | Cost increase/revenue decrease $1m to $10m | Death / major injury to employee | Serious medium term impact
Moderate (III) | Ongoing moderate adverse publicity | Cost increase/revenue decrease $500,000 to $1m | Loss of key staff | Moderate short term impairment
Minor (II) | One-off adverse publicity | Cost increase/revenue decrease <$500,000 | Loss of personal property | Minor impact
Insignificant (I) | | Cost increase/revenue decrease <$100,000 | Loss of laptop |

Step 2 Establish the Likelihood Rating


Masterprint have established a likelihood rating of ‘possible’.

Level Descriptor Indicative frequency (expected to occur)

A Almost certain Once a year or more frequently

B Likely Once every three years in your career

C Possible Once every ten years

D Unlikely Once every thirty years

E Rare Once every hundred years


The Facilities Manager has completed the following Risk Register:

MASTER PRINT RISK REGISTER

Function/activity:
Completed by: John Jones    Date: 8th November 2010
The risk (what can happen): Pollution to river from oil spill. Potential for
high clean-up costs and could put Government contracts at risk
Source of risk: Leak from unbunded oil tank near river
Risk rating: High

Likelihood code \ Consequence code | Insignificant | Minor | Moderate | Major | Catastrophic
Almost certain | Medium | High | High | Catastrophic | Catastrophic
Likely | Low | Medium | High | High | Catastrophic
Possible | Low | Medium | High | High | Catastrophic
Unlikely | Low | Low | Medium | High | High
Rare | Low | Low | Medium | Medium | High

Existing controls and adequacy:
Risk acceptable? ❑ Yes ❑ No

Masterprint have given this risk a ‘high’ rating i.e. Priority #2.
Note: In the case of operational decisions at Masterprint, Senior executive
management attention is needed for risk escalations of high ratings.
Management accountability and responsibility to address the issue needs to
be specified.


Existing risk treatment measures


Finally, risk evaluation also involves determining the effectiveness of existing
risk treatment measures the organisation currently has in place and assessing
the strengths and weaknesses of each of these measures. The importance of
this step lies in the fact that such measures are likely to influence the future
treatments of the organisation’s risk exposures.

Case study—Masterprint’s risk assessment


Marjorie Crawford, the finance manager for Masterprint, has asked the project
team to determine what the likelihood of each of the loss exposures actually
occurring is and what impact (consequence) each of these exposures is likely
to have on Masterprint. To quantify the risk exposures, the project team is
undertaking a risk rating analysis for Masterprint.

Self-help question 3.4—Rating Masterprint’s risk exposures


Complete Masterprint Risk Registers (Appendix 4) for the following risks:
1 There is no sprinkler system in Building No. 1. The building is protected
by fire hose reels and extinguishers only. There are open doorways
between Building 1 and Building 2. A fire in Building 1 could spread to the
building protected by sprinklers and overcome the sprinkler system in
place with a potential for a total loss.
2 Masterprint’s premises are bounded by a river on one side. This could
present a significant risk if the river is susceptible to flooding. Local
Council have reported the Masterprint buildings are located in a 1:100 year
flood area.
3 Theft of three laptops from office.
After you have completed the Risk Registers, list the risks by priority and list
what action should be taken for each of the risks.
Answers to self-help questions are provided at the end of each section.


Section Summary
This section has provided you with knowledge on how to identify and clearly
describe risk exposures.
You will have learned how to identify and apply risk assessment tools and
compare exposures with guidelines, categorise risk exposures, analyse specific
issues using measurement criteria, establish consequences of risk exposures,
establish likelihood of risk exposures and prepare a risk analysis matrix.
This section covers risk assessment as a three-step activity consisting of:
• identification
• analysis
• evaluation.
Risk identification is the identification of individual exposures to risk
that an organisation faces. The risk identification process should include
discovering and documenting various characteristics of risk exposures,
including:
• the source
• the organisational objectives that might be affected
• when, where, why and how the risk is likely to occur
• who might be affected
• existing risk controls in place.
The risk identification process should be carefully documented and should
include a risk register that captures the details of the individual risk.
We review risk analysis and the analysis of individual risk exposures in terms
of their likelihood and consequence. Risk analysis enables an organisation to
distinguish between minor tolerable risk exposures and major ones.
Risk analysis includes determining the likelihood and consequence of each loss-
producing event. It is important to measure risk exposures to enable an
organisation to determine the effectiveness of treatments implemented.
The consequences of risk can be measured in terms of impact. Examples of
descriptors used for the consequence of risk are: negligible, minor, moderate,
major and severe.
And lastly we looked at risk evaluation involving the ranking of risks to
determine which should be actively treated. The measures of likelihood and
consequence are used to create a risk analysis matrix. Using the output of the
matrix, the exposures can be assigned a risk rating, evaluated and prioritised
for action based on their description.


Answers to self-help questions


Self-help question 3.1

Question: 1 2 3 4 5 6 7 8 9
Answer:   I E H F B C A D G

Self-help question 3.2


The unexpected events that may result in owning a car include the following:
Opportunities:
• Independence from the limitations of public transport and freedom to
travel whenever and wherever you please.
• Possible savings in travel time.
Risks:
• Inability to service the loan if you lose your job.
• Mechanical or electrical breakdown of the car.
• Loss or damage of the car from an accident.
• Loss or damage to your property in the vehicle due to theft or involvement
in an accident.
• Loss or damage to property owned by a third party.
• Injury or death of a third party where there is an accident involving the
car.
• Injury or death of you or the passengers in the car if the vehicle is involved
in an accident.
• Possibility of incurring a traffic infringement notice—e.g. speeding fine or
parking fine.

Self-help question 3.3


Risks or problems that Masterprint is likely to be exposed to:
1 Raw materials are largely stored in the one area, leaving Masterprint’s
stocks vulnerable to fire, water damage or the like.
2 Masterprint could be placed in a difficult situation if the Document
Management System used to store master copies of clients’ work was
damaged or destroyed. Clients would not be able to access master copies
of important documents and could take action against Masterprint.
3 Transportation of raw materials from the storage area to the printing plant
is carried out by hydraulic trolley and/or forklift. What happens if the
forklift and/or trolley are damaged or stolen?
4 The printing machine is particularly important because print production
cannot continue if the printer breaks down. There is a significant reliance
on this single piece of machinery.
5 Breakdown of folding machinery could interrupt regular business
operations.


6 The collation and binding operations rely on key pieces of machinery that
may be difficult to replace quickly if damaged or destroyed.
7 Reliance on one particular supplier could endanger production in the short
term.
8 Reliance on one particular distributor could endanger distribution in the
short term.
9 The doorways between Building No. 1 and Building No. 2 are permanently
open. This presents an increased level of risk if there is a fire at the
premises.
10 There is no sprinkler system in Building No. 1. The building is protected
by fire hose reels and extinguishers only.
11 Masterprint’s premises are bounded by a river on one side. This could
present a significant risk if the river is susceptible to flooding.
12 The LPG, oil and diesel storage tanks are unfenced. There is easy access to
the tanks from the scrubland. This presents a significant risk to Masterprint
if any of the tanks are tampered with.
13 The LPG, oil and diesel storage tanks present a risk of fire and/or
explosion.
14 The staff parking their cars on the bitumen at the side of the access
roadway near the main plant operations creates traffic congestion and
could cause an accident damaging Masterprint’s premises and causing
injury to staff and others.
15 The absence of gate keepers and gates being left open after hours leaves
Masterprint vulnerable to theft from the premises.
16 Miscellaneous equipment and parts around the waste skip area and inside
the buildings indicates poor housekeeping standards. This situation could
cause an accident as the skip is adjacent to finished product and flammable
liquid store.
17 The computer backup is stored on-site only. Even though the backup is
stored in a fireproof cupboard, it could be damaged or stolen.
18 The valuation of the buildings is outdated and current insurances are likely
to be inadequate. If a loss occurs, Masterprint could incur considerable
costs because they are underinsured.
19 The staff lunchroom is situated next to the materials storage area and the
recharger facility. This is particularly dangerous because there is evidence
that staff actually smoke cigarettes in the lunch room. This situation poses
a significant fire hazard.
20 There is a fireworks manufacturer situated next to Masterprint’s premises
presenting a significant risk in terms of fire and explosion.
21 If Masterprint is not successful in retaining the contracts with
commonwealth government departments when they are re-tendered, the
company may lose a significant portion of its revenue stream.
22 Reliance on only one operator for specialty machinery such as printers and
binders could mean that deadlines are jeopardised. Clients could take
action against Masterprint for delays in production or delivery.


Self-help question 3.4

Risk Register 1

MASTER PRINT RISK REGISTER

Function/activity: Financial
Completed by: John Jones    Date: 9/11/2010
The risk (what can happen): There is no sprinkler system in Building 1. The
building is protected by fire hose reels and extinguishers only. A fire in
Building 1 could spread to the sprinkler protected Building 2 and overcome
the sprinkler system with a potential for a total loss.
Source of risk: Fire
Risk rating: Likelihood is rated as possible. A total loss would exceed $10m
and the consequence rating would be Catastrophic. The overall risk rating is
Catastrophic.

Likelihood code \ Consequence code | Insignificant | Minor | Moderate | Major | Catastrophic
Almost certain | Medium | High | High | Catastrophic | Catastrophic
Likely | Low | Medium | High | High | Catastrophic
Possible | Low | Medium | High | High | Catastrophic
Unlikely | Low | Low | Medium | High | High
Rare | Low | Low | Medium | Medium | High

Existing controls and adequacy:
Risk acceptable? ❑ Yes ❑ No


Risk Register 2

MASTER PRINT RISK REGISTER

Function/activity: Financial
Completed by: John Jones    Date: 9/11/2010
The risk (what can happen): Adjacent river flooding and causing damage to
stock. Local Council advised property is located in a 1:100 flood zone.
Source of risk: Flood
Risk rating: 1:100 has a likelihood rating of Rare. Estimated loss is $1m
which gives a Consequence rating of Moderate. Overall risk rating is Medium.

Likelihood code \ Consequence code | Insignificant | Minor | Moderate | Major | Catastrophic
Almost certain | Medium | High | High | Catastrophic | Catastrophic
Likely | Low | Medium | High | High | Catastrophic
Possible | Low | Medium | High | High | Catastrophic
Unlikely | Low | Low | Medium | High | High
Rare | Low | Low | Medium | Medium | High

Existing controls and adequacy:
Risk acceptable? ❑ Yes ❑ No


Risk Register 3

MASTER PRINT RISK REGISTER

Function/activity: Office
Completed by: John Jones    Date: 9/11/2010
The risk (what can happen): Theft of three laptops from office
Source of risk: Theft
Risk rating: Value of laptops is $3,000 which gives a Consequence rating of
Insignificant. Likelihood is rated as Possible. This gives an overall risk
rating of Low.

Likelihood code \ Consequence code | Insignificant | Minor | Moderate | Major | Catastrophic
Almost certain | Medium | High | High | Catastrophic | Catastrophic
Likely | Low | Medium | High | High | Catastrophic
Possible | Low | Medium | High | High | Catastrophic
Unlikely | Low | Low | Medium | High | High
Rare | Low | Low | Medium | Medium | High

Existing controls and adequacy:
Risk accepted

Masterprint Risk Priorities

1. Fire in Building 1—Spreading to the sprinkler protected Building 2: CATASTROPHIC
   Immediate action required. Senior executive management/Board accountable.
2. Flooding of premises: MEDIUM
   Manage by specific monitoring or response procedures by accountable line managers.
3. Theft of laptops: LOW
   Manage by routine procedures. Unlikely to need specific application of resources.
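The consequence table, likelihood descriptors, risk analysis matrix and response list from this section, applied to the case-study registers and the three self-help registers above, as an added example that is not part of the module text. Function and variable names are this example's own; the flood (1:100 year) and laptop ($3,000) inputs come from the page, while the dollar figures for the fire and oil-spill entries are assumed values chosen inside the bands the page gives.

```python
"""Masterprint risk rating worked in code (added example, not module text).

Encodes the Financial column of the Master Print consequence table, the
likelihood descriptor table, the risk analysis matrix and the response list
from Section 3, then re-derives the ratings and priorities of the case-study
registers.  All names are this example's own; see the constructed inputs below.
"""
from dataclasses import dataclass

CONSEQUENCES = ["Insignificant", "Minor", "Moderate", "Major", "Catastrophic"]
RATING_ORDER = ["Catastrophic", "High", "Medium", "Low"]  # highest priority first

# Rows: likelihood descriptor; columns: consequence code in CONSEQUENCES order.
RISK_MATRIX = {
    "Almost certain": ["Medium", "High", "High", "Catastrophic", "Catastrophic"],
    "Likely":         ["Low", "Medium", "High", "High", "Catastrophic"],
    "Possible":       ["Low", "Medium", "High", "High", "Catastrophic"],
    "Unlikely":       ["Low", "Low", "Medium", "High", "High"],
    "Rare":           ["Low", "Low", "Medium", "Medium", "High"],
}

# Response linked to each rating, as in the module's example list.
RESPONSES = {
    "Catastrophic": "Immediate action required. Senior executive management/Board accountable.",
    "High": "Senior executive management attention needed; accountability specified.",
    "Medium": "Manage by specific monitoring or response procedures by line managers.",
    "Low": "Manage by routine procedures; unlikely to need specific resources.",
}


def consequence_from_loss(estimated_loss: float) -> str:
    """Financial column of the consequence table, in dollars.

    The table's Moderate band is "$500,000 to $1m" and its Major band
    "$1m to $10m", so the upper bound is treated as inclusive: a $1m loss
    is Moderate, which is how the flood register rates it.
    """
    if estimated_loss < 100_000:
        return "Insignificant"      # < $100,000
    if estimated_loss < 500_000:
        return "Minor"              # < $500,000
    if estimated_loss <= 1_000_000:
        return "Moderate"           # $500,000 to $1m
    if estimated_loss <= 10_000_000:
        return "Major"              # $1m to $10m
    return "Catastrophic"           # > $10m


def likelihood_from_return_period(years: float) -> str:
    """Likelihood descriptor from the indicative frequency table (1 in N years)."""
    for upper_years, descriptor in ((1, "Almost certain"), (3, "Likely"),
                                    (10, "Possible"), (30, "Unlikely")):
        if years <= upper_years:
            return descriptor
    return "Rare"                   # once every hundred years or less often


def risk_rating(likelihood: str, consequence: str) -> str:
    """Look up the qualitative rating in the risk analysis matrix."""
    return RISK_MATRIX[likelihood][CONSEQUENCES.index(consequence)]


@dataclass
class RegisterEntry:
    """One line of a risk register: the inputs the rating is derived from."""
    risk: str
    source: str
    return_period_years: float
    estimated_loss: float

    def evaluate(self) -> dict:
        likelihood = likelihood_from_return_period(self.return_period_years)
        consequence = consequence_from_loss(self.estimated_loss)
        rating = risk_rating(likelihood, consequence)
        return {"risk": self.risk, "source": self.source,
                "likelihood": likelihood, "consequence": consequence,
                "rating": rating, "response": RESPONSES[rating]}


def prioritise(entries: list) -> list:
    """Evaluate every entry and order the results highest rating first."""
    evaluated = [entry.evaluate() for entry in entries]
    return sorted(evaluated, key=lambda row: RATING_ORDER.index(row["rating"]))


# Constructed inputs for the four Masterprint risks discussed in Section 3.
# The flood (1:100 year) and laptop ($3,000) figures are the page's own; the
# fire and oil-spill loss figures are assumed values inside the bands the
# page gives (total loss "exceeds $10m"; oil spill rated Major).
MASTERPRINT_REGISTER = [
    RegisterEntry("Fire in Building 1 spreading to Building 2", "Fire", 10, 12_000_000),
    RegisterEntry("Pollution of river from oil spill", "Leak from unbunded oil tank", 10, 2_000_000),
    RegisterEntry("Adjacent river flooding, damage to stock", "Flood", 100, 1_000_000),
    RegisterEntry("Theft of three laptops from office", "Theft", 10, 3_000),
]

if __name__ == "__main__":
    for rank, row in enumerate(prioritise(MASTERPRINT_REGISTER), start=1):
        print(f"{rank}. {row['risk']}: {row['likelihood']} x {row['consequence']}"
              f" = {row['rating']}\n   {row['response']}")
```

Running the block prints the same ordering as the Masterprint Risk Priorities list, with the oil-spill register slotted in at High between the fire and the flood.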

Section 4

Risk treatment
Introduction
Once an organisation’s risk exposures have been identified, analysed and
evaluated, the next activity in the risk management process is to examine the
methods available to treat and control those exposures.
Risk treatment is an all-embracing term that includes risk acceptance,
avoidance, control, and sharing (including financing). The aim is to either:
• avoid the risk by
- deciding not to pursue the activity that gives rise to the risk
- removing the risk source
• control the risk by
- changing the likelihood
- changing the consequences
• share the risk with another party or parties by way of
- contractual arrangement
- risk financing
• retain the risk by
- accepting the exposure based on an informed decision
- taking or increasing the risk in order to pursue an opportunity.
The cost of treating the risk exposure is measured in terms of a trade-off
between reducing the impact of any event that may be experienced and the
cost of the risk treatment measures used to manage the exposure.
Risk treatment activities involve:
• identifying the objectives of treatment
• selecting and assessing a range of options for treating risk exposures
• preparing risk treatment plans
• implementing the risk treatment plans.
In some instances a combination of treatment options may be used. The
optimum solution for managing a risk exposure’s effects on the organisation
will only be revealed when all alternatives have been considered.

Learning outcomes
When you have worked through this section, you should be able to:
• establish and report on the need for a risk plan with objectives of controls
• identify risk controls
• evaluate effectiveness and extent of controls.


Treatment objectives
For the downside outcomes of exposure to risk, the objectives of establishing
and implementing a risk management treatment process can be broken down
into:
• pre-event objectives
• post-event objectives.
When deciding on the objectives for managing a particular risk exposure, an
organisation needs to decide how to minimise the likelihood of the risk being
realised. These are known as pre-event objectives.
A decision also needs to be made on how the consequences can be minimised
if an unexpected event does occur: these are known as post-event objectives.

Pre-event objectives
Pre-event objectives form a significant part of what an organisation wishes to
achieve by implementing a risk management program. Depending on the
organisational objectives that are trying to be achieved, pre-event objectives
are likely to include:
• cost control
• reducing anxiety
• meeting externally imposed obligations
• meeting social responsibilities.
All of the above require the application of the principles of risk management
in order to achieve the best outcome for the organisation. At times this may
require balancing and resolving conflicting priorities. Let’s look at each of
these pre-event objectives in more detail.

Cost of control
Providing for the costs of controls and preparing for potential financial losses is
an important pre-event objective. The costs of a risk management program
can include:
• costs associated with occupational health and safety programs (human
safety and welfare risks)
• costs associated with physical devices to reduce losses—for example,
sprinklers, security alarms (property/infrastructure risks)
• costs associated with controlling business risks—for example, financial
reviews, market research (operational risks)
• costs associated with different techniques for handling losses—for
example, crisis management and contingencies (administration costs)
• costs of retained losses—that is, realised risks with financial consequences.
A business requires a cost-effective approach to managing risks.


Reducing anxiety
By conducting a full analysis of the risk exposures that an organisation faces,
the risk management process can help reduce anxiety of employees,
shareholders, regulators and other stakeholders. Anxiety is reduced if a
business has knowledge of the identified problems, and it is further reduced
when steps are taken to control, eliminate or share those problems, thereby
ensuring the viability of the business. Anxiety is also reduced because the
implementation of measures to control risk may reduce the pressure on the
organisation’s balance sheet.

Meeting externally imposed obligations


To achieve satisfactory pre-loss objectives, the external environment that can
affect business operations must be considered. This can include government
legislation and regulation as well as obligations to society. All businesses
operate in a political environment that involves legislative authorities,
government agencies and pressure groups. Organisations must therefore
ensure they are acting within the law as well as fulfilling their general and
specific social responsibilities. For example, all organisations are obliged to
meet the safety requirements of relevant occupational health and safety Acts
and Regulations.
A recent example in Australia has been the effects of the increase in workplace
deaths. In Victoria, harsher laws have been introduced resulting in increased
penalties and the potential for imprisonment of company management and
directors if adequate workplace care is not taken. Similar moves have also
been taken in New Zealand for the same reason.

Meeting social responsibilities


A business has a social responsibility to endeavour to continue to provide a
stable workplace and continuity of employment for its workforce. An
organisation should act as a socially responsible citizen in the community in
which it operates. Primarily this can be achieved by providing minimal
disruption to its business activities.
In New Zealand, increased penalties have been applied to health and safety
legislation and it is now illegal to take insurance against fines and penalties.

Case study—Breach of social responsibilities


In recent years in Victoria, Australia, the petrochemical explosions at Coode
Island and at the Longford Gas Plant have breached this social responsibility.
At Coode Island, as a result of an explosion, a toxic cloud spread across parts
of Melbourne and many nearby residents were required to evacuate their
houses until the danger had been controlled.
Similarly the Longford disaster not only resulted in workplace deaths but
considerable disruption to businesses throughout the state.


Post-event objectives
The consideration of post-loss objectives involves adopting a reactive basis—
post-loss objectives are designed to minimise any loss that may occur. It is
important to recognise that, regardless of efforts to reduce risk or to minimise
loss, losses are still likely to occur.
Post-event objectives for an organisation commonly include:
• survival of the business
• re-establishment and stabilisation of profits
• continuing operation of the business
• continued stability and/or growth
• meeting social responsibilities.

Survival of the business


All organisations want to ensure that even if they suffer a loss they will be
able to survive as an ongoing entity. To ensure company survival, the risk
management process needs to make provisions for limiting the extent of any
loss and for resuming operations as soon as possible. This may be referred to
as the management of disruption-related risk.

Continuing operation of the business


Business organisations need to plan to enable continuity of business
operations after a loss. The management of disruption-related risks in an
organisation must not only address the need for continuity of operations but
also ultimately aim to increase the business earnings capacity.
Continuity of operations is a vital post-event objective. The aim is to reach the
operational level that applied prior to a major loss as rapidly as possible.

Case study—Ineffective planning for continuity


The after-effects of the aforementioned Longford gas explosion in Australia
demonstrated how important planning can be to achieve the objective of
continuing operation of the business. This explosion disrupted the gas supply to
much of the state of Victoria. Questions were raised that delays in reinstating
gas supply related to the ineffectiveness of planning based on post-event
objectives.


Re-establishment and stabilisation of profits


The re-establishment of pre-event levels of profit is an essential business
objective. The objective is to not only replace lost profit, but to do so without
increasing costs. Business interruptions, due to unexpected problems or losses
in other areas, cause profits to be lost. Post-loss objectives, then, must include
the mechanisms by which any potential profits that have been lost in this way
can be replaced.

Continued stability and/or growth


Plans need to be put in place to allow for the continued growth of the
business. In determining post-loss objectives, an organisation needs to
thoroughly investigate whether, if a disruption occurs, they have the
alternative means to not only maintain existing productivity but also expand
during any rebuilding phase. For example, alternative supplies of raw
materials, premises and equipment plus keeping existing customers fully
briefed on what the organisation is doing to manage the effects of the loss
should all be identified. Business continuity plans should be available to be
implemented.

Meeting social responsibilities


The requirement for an organisation to meet social responsibilities has already
been described in the previous section on pre-loss objectives; however, an
organisation must endeavour to ensure that any loss suffered by the
community, suppliers, or customers is mitigated where possible. Furthermore,
if possible, the organisation must ensure that the business of suppliers and
customers does not unduly suffer due to losses. An organisation should also
have adequate corporate communication procedures in place as part of its
business continuity plans to ensure that any damage to their reputation and
image is mitigated.

Self-help question 4.1


Best Baby Foods has had a major fire at its main manufacturing plant. The fire,
caused by faulty electrical circuitry, has halted all production at the plant.
What do you think the post-event objectives of Best Baby Foods would be?
Answers to self-help questions are provided at the end of each section.


Risk treatment options


As defined by Section 5.5.1 of ISO 31000:2009:
Risk treatment involves selecting one or more options for modifying
risks, and implementing those options. Once implemented, treatments
provide or modify the controls.

Managing exposures to risk can be either proactive or reactive.


A proactive approach to managing risk exposures relies on:
 good practice
 the creation of complete, meaningful and productive systems
 detailed planning, because the practice and systems must be in place
before a risk exposure event occurs.
For those risks which may have a financial impact on an organisation, a
reactive/traditional approach is sometimes employed, which places an
emphasis on insurance to provide some reimbursement of any loss that may
result from exposure to risk. However, whilst insurance may be the only
option for providing some financing to offset the effects of exposure to risk,
insurance does not help to control or eliminate any exposure to risk or any
negative outcomes of that exposure. This is a short-term solution to the
original problem as the price of insurance will increase as a result of claims
being lodged. In some cases, eventually the option to purchase insurance may
become untenable.
Adopting a proactive approach to managing risk provides a number of
options for organisations when dealing with potential losses. These treatment
options are to:
 avoid the exposure to risk (risk avoidance)
 control the risk exposure (control) by
- reducing its likelihood
- reducing its consequences
 share the exposure to risk or its consequences (risk sharing)
 retain the exposure to risk and its consequences (risk retention).
Risk treatment involves identifying the most appropriate option or
combination of options for treating a particular risk exposure, preparing a risk
treatment plan and implementing this plan.
After consideration has been given to how risk exposures will be treated, the
organisation must also determine how residual negative outcomes of a risk
that could have a financial impact will be financed.
Organisations need to select the most appropriate solution for managing
identified risk exposures through risk treatment and financing. With an
understanding of risk treatment, including financing methods, an
organisation can determine the best options for dealing with the identified
risk exposures.

102 GI512-15 16.01


Risk treatment

Risk avoidance
Risk avoidance is a treatment strategy based on a conscious and informed
decision not to be exposed to a particular risk and its likely effects.
Risk avoidance eliminates any possibility of an event occurring by either
abandoning or not undertaking an activity because the risk exposure is
considered excessive.
Avoidance may be the most appropriate technique for dealing with an
exposure, especially in cases where the costs and potential outcomes
associated with accepting a risk exposure are prohibitive.
For example, a manufacturer could decide that as the potential cost of product
liability claims from a new product will be so high, it cannot economically
produce the product.
The decision to avoid an exposure to risk must, at times, be balanced against
losing an opportunity for organisational or market growth or for market
visibility, such as the risk exposures associated with building a new factory or
merging with another organisation.
In most countries, government legislation and industry practice codes have
made risk avoidance compulsory for some specific dangerous activities. The
risk management process aims to comply with legislation and industry codes
related to risk avoidance.
While avoidance can eliminate the probability of a loss, there are certain
limitations and certain instances where it is not practical:
 avoidance may not be possible
 avoidance may not be feasible
 avoidance may not be desirable
 avoiding one exposure may create another.

Avoidance may not be possible


While everyone seeks to avoid sickness, it cannot be avoided completely;
there is no such thing as a completely safe environment.

Avoidance may not be feasible


While it may be possible to avoid some risk exposures—for example,
ownership of buildings—it is not feasible to avoid all exposures associated
with the occupation of buildings as this would effectively prevent most
organisations from operating.

Avoidance may not be desirable


While it may be feasible to avoid a specific exposure, doing so may cause the
organisation to forgo a great opportunity or a market advantage—for
example, a new product.


Avoiding one exposure may create another


If a firm chooses not to use its own vehicles for delivery of goods, it will avoid
the risk exposures associated with the ownership of delivery vehicles.
However, without their own vehicles to deliver goods, the firm must use
other methods of delivery. Any method chosen will involve a new set of risk
exposures which may be lower or higher than the exposure avoided and
therefore needs to be carefully examined.

Case study—Timeless Tubing


The following case study highlights the cost–benefit analysis that needs to be
undertaken when deciding whether to use a risk avoidance strategy.
Timeless Tubing manufactures tubing for a range of different industries. They
have recently developed a new system of tubing with specific applications in
the offshore oil and gas industry. However, further analysis has raised
concerns about the significant potential consequences of product failure. If the
tubing were to fail, the exposure arising from lawsuits would be so large as to
threaten the existence of the entire company. While Timeless Tubing is
confident that the new tubing system is an excellent product, the company
decides that the risk is too great and that its only alternatives are either to
avoid the risk by ceasing production of the new tubing, or to find an
alternative, safer market outside of the oil and gas industries.

Self-help question 4.2—Masterprint’s risk avoidance


Which (if any) of Masterprint’s identified risk exposures do you believe could
be completely avoided?
Look at the list of identified risk exposures from the answer to Self-help
question 3.3 and refer to Appendix 2—Masterprint’s risk identification information
for background information as needed.
Answers to self-help questions are provided at the end of each section.


Control
Control is about trying to change the nature of the risk exposure itself to
reduce the downside as much as possible and maximise the upside for the
organisation. Not all risks may be appropriately treated by control strategies.
In respect to the upside effects of exposure to risk, the aim of control is to
maximise the possible benefit whilst minimising any adverse effects on the
organisation.
In respect to the downside effects of exposure to risk the aim of control is to
prevent or reduce likelihood of a risk from occurring so that organisational
objectives can be achieved, or to limit the consequence should the event occur;
that is, mitigate the impact on the organisation’s goals.
Controls can be directed at all exposures to risk—hazard, operational, strategic
and financial—and can be achieved by implementing policies, standards,
procedures and physical changes to a workplace (such as the installation of
equipment and fittings). The management of an organisation must be
committed to control strategies for these strategies to succeed.
Controls should involve treatment programs designed to improve the
performance of an organisation and reduce the likelihood and consequences
of exposures. Control involves eliminating or minimising adverse effects by
limiting the likelihood of an event occurring (i.e. reducing the risk) or by
limiting the consequences of the event (i.e. reducing the amount exposed).
In many instances, a control strategy will involve a combination of both types
of measures. Some control measures may simultaneously reduce the likelihood
and consequences of an identified event—for example, a driver education
course could effectively reduce both the number of accidents that occur and
the severity of these accidents.
The extent of the control program will very much depend on organisational
objectives and the context of the risks identified and may also reflect drivers
that are external to the organisation, such as changes in government
legislation and regulation or advances in technology.
All physical control measures need to be considered in terms of their cost
effectiveness when compared with the value of assets they protect and/or the
level of interruption to business and growth. It does not make good business
sense to spend more on a control measure than the maximum probable loss
associated with the particular risk exposure.


Controlling the likelihood of risk


There are a wide variety of techniques that may be used to reduce the
likelihood and effects of a risk exposure.
The following are examples of control measures that are likely to reduce the
likelihood of an event occurring:
 audit or compliance programs
 contract conditions
 formal reviews of requirements, specifications, design, engineering and
operations
 inspection and process controls
 investment and portfolio management
 project management
 preventative maintenance
 quality assurance, management and standards
 research and development, technological development
 structured training and other programs
 supervision
 testing
 organisational arrangements
 technical controls.

Examples—Controlling the likelihood of fire, security and fraud risks
Where there is an identified risk of fire, physical control measures might be
employed such as good housekeeping or implementing a no-smoking policy.
For security type risks, control measures might include physical barriers and
the installation of locks.
For fraud type risk, control measures could include instigating background
checks on staff members and strengthening auditing procedures.


Controlling the consequences of risk


Reducing the consequences of exposure to risk focuses on reducing the
potential impact of any event that may occur.
The following are examples of control measures that are likely to reduce the
consequences of risk:
 business continuity planning
 contractual arrangements
 contract conditions
 design features
 disaster recovery plans
 engineering and structural barriers
 fraud control planning
 minimising exposure to sources of risk
 portfolio planning
 pricing policy and controls
 separation or relocation of an activity and resources
 public relations
 ex gratia payments
 training and education—that is, what to do as well as why it needs to be
done.

Example—Controlling the consequences of fire


An example of a physical control strategy designed to reduce the
consequences of an impact caused by fire could be a sprinkler system installed
in a building to reduce the damage/cost of repair to the building or any
subsequent interruption to normal business activities.
Note: A sprinkler system does nothing to reduce the likelihood of a fire
occurring; such systems reduce the expected amount of loss or the
consequence.


Case study—Milthorne Manufacturing’s risk controls


Milthorne Manufacturing, a company which manufactures a range of rubber
products for the automotive industry (for example, hoses and distributors),
has identified a number of physical risks/hazards associated with production
processes.
After considerable analysis, the risk management team has suggested a
number of strategies for dealing with specific risk exposures in terms of either
preventing an event/loss from occurring or reducing the impact if there is an
occurrence.
The recommended control strategies are:
 limit energy
 use safer substitutes
 prevent build-up
 prevent release.

Limit energy
Use the minimum energy necessary for the task. At the input side of every
operation, seek ways to reduce actual or potential input—for example, small
weights for manual handling and small containers for hazardous material.
When necessary, stop the operation—for example, manufacture of extremely
hazardous substances or operation of vehicles in selected areas. Remove
unneeded objects from overhead surfaces.

Use safer substitutes


Use less hazardous chemicals. Increase the machine maintenance schedule
and use remote or automatic oilers. Use material handling equipment where
possible. Where possible, use carbon dioxide instead of carbon tetrachloride in
fire extinguishers.

Prevent build-up
Use regulators, governors, and limit controls. Where possible, provide signals
and controls such as gas or humidity detectors. Improve housekeeping and
minimise storage to prevent fuel build-up. Control floor loadings, reduce
speed and lengthen steep grades.

Prevent release
Use safety factors in structure design. Protect stores from anticipated shocks—
for example, collisions. Contain energy for conservation—for example,
thermal insulation on pipes, doors and release mechanisms, additional
insulation of electrical equipment and wiring. Provide toe board railings on
walkways above ground level. Use safety chains and life lines. Eliminate
intersections—for example, one-way traffic or overpasses, separate vehicle
and pedestrian traffic. Arrange remote storage of flammables.


Business continuity planning


Business continuity planning—also known as the management of disruption-related
risk—is a critical ingredient of any control program. It is, in effect, a plan for
controlling risk exposures with the sole objective of ensuring an organisation’s
survival in the event of a major disruption to business services. It seeks to
mitigate the downside consequences of exposure to disruption related risk as
effectively as possible.
Business continuity plans specifically address the management of disruptions
that could significantly damage or even destroy the organisation. These plans
provide a framework and resources to tackle any major unexpected event as it
occurs and they also help the organisation manage the subsequent recovery
from an unexpected, catastrophic event.
A business continuity plan should provide a framework in which an
organisation’s management may work in the abnormal conditions created by
an event or incident which causes disruption to normal activities. This
facilitates the management of consequences and leads them back towards
organisational recovery.
Every organisation should prepare plans for preventing and coping with
actual or potentially severe loss situations covering both salvage operations
and plans for carrying on business following the occurrence of a major loss.
Most organisations are likely to have more than one such plan, each
addressing a specific group of similar risk scenarios, such as:
 area type events—such as earthquake and flooding
 site-specific events—such as fire, bombings and explosion
 organisation-specific events—such as product failure, fraud and damage to
reputation.
The documentation of a business continuity plan may include:
 a disaster plan, including
- loss prevention and control measures
- an emergency plan
 a crisis management plan
 contingency plans.
All of these plans should be well documented (with copies held off-site in
secure locations) and should be tested regularly to ensure they remain
relevant to the current state of the organisation.
Using the business continuity plan that is appropriate to the particular type of
incident or event, the management should be able to marshal the
organisation’s skills, knowledge, manpower and other resources to resolve all
of the problems created by the incident or event.


Disaster plan
The disaster plan is essentially preventative or, if these measures fail, it is the
first line of defence. It should cover:
 loss prevention and control measures
 an emergency plan.

Loss prevention and control measures


This element is concerned with identifying and assessing all of the major
hazards on an ongoing basis and implementing risk and loss control measures
prior to the occurrence of any incident. Under normal conditions loss
prevention and control measures should be implemented as soon as the funds
are available.

Emergency plan
This sets out in broad terms the management structures, procedures and
resources that may be used to handle a major emergency whilst it is occurring
and immediately afterwards until it is brought under control. The plan details
measures to counter the immediate effects of the major loss incident such as
saving life and limiting damage to bring the situation under control as quickly
as possible.

Crisis management plan


The crisis management plan is complementary to the disaster plan and
focuses on the communication, command and control organisation. For
example, the plan describes who the decision makers are, where they would
meet, how information would flow up to the decision makers and how
decisions would flow down to operational personnel. The aim of the plan is to
reduce the impact of the emergency by getting the business back into
operation as quickly as possible. In this phase of contingency planning,
regaining the confidence of the public, customers and employees is as
important as repairing the physical damage.
There should also be recovery plans outlining how certain elements of a
business can be brought back to full activity (for example, IT disaster recovery
plans).

Contingency plans
Controlling risks invariably involves reducing the probability that a loss will
occur or the severity of any loss that may occur, or both. Neither reducing the
probability of loss nor its severity is ever likely to totally eliminate loss, nor is
it certain that the control measures will always work as expected. Therefore,
it is prudent for every organisation to have in place contingency plans that not
only reinforce the control measures taken but, more importantly, act as a
further means of limiting the consequences of loss in the event of a major
event occurring.


Further reading—Business continuity planning resources


The Standards Australia handbooks HB 292:2006, A Practitioners Guide to
Business Continuity Management; and HB, 293:2006, An Executive Guide to
Business Continuity Management are excellent resources for professionals
interested in business continuity planning. These handbooks provide
guidance for those who are involved in establishing and maintaining a
business continuity plan for their organisation.
While a detailed knowledge of these standards is not necessary to successfully
complete this learning module, interested readers may choose to purchase
them from Standards Australia’s publisher, SAI Global (www.saiglobal.com).

Risk sharing
Risk sharing involves sharing some part of a risk exposure with another party
or parties. This can be achieved by contracts, insurance and organisational
structures such as joint ventures and partnerships. Risk sharing can be both a
control and financing measure—risk exposures can be disaggregated and
shared with other parties and/or the cost associated with the potential loss can
be shared with another organisation, such as an insurance company, bank or
finance company.
In effect, risk exposures cannot be transferred entirely, perhaps other than by
a sale agreement, and even then some contingent liability may remain. Where
an organisation shares its risk exposure (either wholly or in part) with another
party, the organisation transferring the risk actually acquires a new risk as the
organisation to which they have transferred the risk exposure may not manage
the exposure properly. Ineffective management of risk can mean that there is a
risk to the primary organisation in that their image and reputation may be
damaged as a result of the contractual relationship. So, the nature of the risk
exposure has actually changed rather than been removed.
Risk transfer by contractual arrangement does not always unburden an
organisation from a risk exposure or its associated losses; other aspects have
to be considered, such as:
 the indirect impact of the loss on the reputation of the organisation
 the financial capacity of the other party to pay for the loss
 the impact of legislation—for example, trade practices, occupational health
and safety laws
 protection for a criminal offence—for example, breaching fair trading
laws—cannot be contractually transferred.


Risk sharing by means of insurance will be considered later in this section


under the heading Risk financing. Some of the non-insurance-based ways that
risk exposure or loss can be shared with another party include:
 hold harmless agreements
 construction contract
 leases
 contracts of bailment and carriage
 contracts of sale, supply and service
 bonds
 partnerships and joint ventures.

Hold harmless agreements


A hold harmless agreement is one where one party to a contract agrees to bear
a loss or liability associated with a particular activity, thereby relieving
the other party of responsibility for it. Following are some examples of the
types of contracts where the risk exposure is transferred from one party to
another.

Construction contract
With a construction contract, responsibility for certain risk exposures and
losses associated with the project are usually transferred to one of the parties
involved. In terms of financing any losses, all contractor’s risks and liability
policies are usually effected on behalf of all of the firms involved in the project
either by the principal or by the major contractor.

Leases
Contractual transfers arise from the sale and lease-back of buildings, thereby
transferring responsibility for property risk exposures. Most leases contain
insurance provisions that not only specify which of the parties is to be
responsible for financing any insurable losses that may occur but also the
extent of that financing.

Contracts of bailment and carriage


The kind and amount of risk exposure or loss that may be transferred is
controlled to a certain extent by statutory law, particularly where a common
carrier is involved. However, despite this, the law governing the relative
responsibilities of the parties is usually drafted in such a way as to give
considerable scope for the apportionment of these responsibilities through the
terms of the contract. Usually the bailee and the carrier seek to transfer,
by contract, all of the responsibility for financial loss back onto the owner or
person purchasing the service.


Contracts of sale, supply and service


There are many variations in these types of contract, and there are also many
ways in which the cost of loss may be transferred, varying from hold harmless
agreements to actual transfer of ownership. In the former case only the cost of
loss is transferred whilst with the latter both the cost of loss and ownership of
the risk exposure are transferred.

Bonds
In this situation, one party—called the surety—agrees to guarantee that
another party—called the principal—will undertake some express obligation or
task to a third party—known as the obligee. This type of agreement is often
used with large supply contracts and construction projects. It is also used in
certain circumstances where fees have to be paid on a regular basis to
government organisations, such as duty to customs and wharf charges to port
companies.

Partnerships and joint ventures


Organisational structures such as partnerships and joint ventures offer
businesses the opportunity to transfer or share risk exposures between parties.
The legal and financial responsibilities for any losses that may arise from
exposure to risk by each party in the partnership or joint venture will be dealt
with in the contractual agreement between the parties.

Risk retention
Risk retention is about making an informed, conscious decision to accept the
effects of exposure to a particular risk without modification or control. This is
the most common form of risk treatment where severity is extremely low or
the likelihood of the risk event occurring is considered to be exceptionally
remote.
The decision to accept a risk exposure is usually made after full consideration
of its likelihood and consequences.
Not all risks can be eliminated, even if an attempt is made to adopt all of the
above control measures. There is a point where risk exposures cannot be
eliminated or their effects reduced any further. Plans need to be put in place
to manage the consequences of the retained risk exposures in the event that it
is realised. An organisation may also decide to accept a risk exposure that is
integral to its business operations.
Risk retention can be:
 planned, or
 unplanned.


Planned risk retention


Planned risk retention involves an organisation making a conscious decision
to retain an identified risk exposure and to put in place financial
arrangements to cover any loss that may occur.
If managed, budgeted and financed properly, planned risk retention can
ensure the profitability and survival of an organisation even if a major loss
occurs.
Planned risk retention will be discussed further in the risk financing
component of this section.

Unplanned risk retention


Where an organisation has not identified a risk exposure, it accepts and
retains that exposure without knowing it. The organisation then has to bear
directly the unidentified risk exposure/s and any losses and associated costs.
Unplanned risk retention involves the retention of risk exposures and their
impacts by default; that is, an organisation fails to identify and treat particular
risk exposures and nor does it put in place any financial arrangements to
cover any financial impact that may occur.
Unplanned risk acceptance can affect the stability or even survival of an
organisation if a major risk is realised.

Activity 4.1—Risk treatment options


Think about the above risk treatment options and consider how they apply to
either your organisation or a client organisation. The following reflective
questions may help relate the activities of risk treatment to the organisation:
 Are there some risk exposures that the organisation should avoid or has
made a conscious decision to avoid?
 What methods of risk control does the organisation use to reduce: (a) the
likelihood of occurrence, and (b) the consequences of risk?
 What significant risk exposures does the organisation accept/retain? Why?


Self-help question 4.3


Again referring to the list of Masterprint’s identified risk exposures from the
answer to Self-help question 3.3, determine which (if any) of the exposures can
be controlled in order to reduce the likelihood or consequences of the risk.
Use the following table to outline and categorise the identified risk exposures
and suggest some risk controls.

Ref. No. | Risk | Category (A / P / L / R/E / R&I) | Control

Legend for Category section:


A = asset
P = personnel
L = liability
R/E = revenue/expense
R&I = reputation and image
Answers to self-help questions are provided at the end of each section.


Assessing risk treatment options


Having identified the possible risk treatment strategies as being risk
avoidance, control, risk sharing or risk retention, it remains to choose which of
those options is suitable to each identified risk.
Section 5.5.2 of ISO 31000:2009 states:
Selecting the most appropriate risk treatment option involves balancing
the costs and efforts of implementation against the benefits derived, with
regard to legal, regulatory, and other requirements such as social
responsibility and the protection of the natural environment. Decisions
should also take into account risks which can warrant risk treatment that
is not justifiable on economic grounds, e.g. severe (high negative
consequence) but rare (low likelihood) risks.

Treatment options should be assessed on the basis of:


 the risk evaluation criteria determined when establishing the context for the
risk management program
 the benefits or opportunities created
 the extent of risk reduction achieved
 the cost of implementing the treatment option.
The particular methods of risk treatment employed by an organisation will
largely depend on the nature of the organisation, their particular exposures to
risk and their appetite for risk. What is appropriate for one organisation may
not necessarily be appropriate for another; hence, risk management programs
need to be tailored to the organisation.
When assessing risk treatments, all options should be considered. Risk
treatment options may be applied either individually or in combination.
In practice, it is not often that only one risk treatment option will be employed
to treat a risk exposure and its likely effects. Organisations often combine
treatment options to effectively manage exposure to risk.
When selecting the most appropriate treatment option for a particular risk
exposure it is crucial that a cost-benefit analysis is undertaken. The cost of
implementing the treatment must be weighed against the benefits achieved
from the treatment option. However, where the cost of treating a risk
exposure is high but there are opportunities open to the organisation from
that risk exposure, then the exposure and the treatment option also need to be
carefully assessed against the benefits of the potential opportunities.

Self-help question 4.4


Masterprint is concerned about the increasing number of motor vehicle
accidents their delivery drivers are experiencing. Marjorie Crawford, the
finance manager, wants to consider how their risk management program can
help reduce both the number and magnitude of accidents.
Using a combination of risk treatment options, what preliminary advice
would you give Masterprint to help reduce the likelihood and consequence of
the motor vehicle accidents?
Answers to self-help questions are provided at the end of each section.


Financing treatment
Once an organisation has decided which risk treatment options are optimal to
reduce the effects of exposure to a particular risk, it is then necessary to
acquire information on how much the options for treatment will cost to
implement. Accurately forecasting the potential cost of treatment is required
in order to manage risk exposures by the most efficient and economical
means.
The cost of a treatment will be a contributing factor in whether it is a feasible
method of handling the exposure to risk.

Cost–benefit analysis of treatment options


Part of managing risk involves financing the various risk treatment measures
that the organisation decides to put into place.
Selection of the most appropriate risk treatment methods will usually be
guided by extensive cost–benefit analyses; that is, balancing implementation
costs with the benefits derived from the risk treatment. It does not make sense
to spend more on treating a risk exposure than the loss that would be saved
by that treatment measure.
While in many instances this cost will not be significant when compared with
the potential impact of the corresponding risk if the measures had not been
put in place, in some case the cost can be quite significant in real terms.
Management is unlikely to approve the expenditure for a risk treatment
measure without a detailed cost–benefit analysis having been documented.
Among other things, a cost–benefit analysis may include items such as:

Costs:
 capital costs (for physical resources)
 current costs (resources and/or materials) for back-up and/or redundancy
 prevention and minimisation
 additional supervision to reduce losses
 security systems
 first aid and safety courses and seminars
 cost of disruption of production

Benefits:
 insurance premium reductions (if applicable)
 tax savings, including capital allowance
 Government or other grants
 spin-off benefits in terms of productivity, labour relations etc.

It is also worth remembering that once the high initial cost of a physical
control measure has been incurred, the organisation generally has the
continuing benefit of that measure for little or no extra cost. Conversely,
insurance and other risk financing measures often only provide a benefit for a
limited period of time (usually 12 months) before additional expenditure is
required.

www.anziif.com 117
Introduction to Management of Risk

Direct and indirect costs associated with losses
No matter what type of insurance an organisation chooses to fund its
insurable risks, insurance does not cover the total amount of any loss. Apart
from under-insurance, there are many indirect costs and long-term effects
associated with every accident or event that fall outside the scope of the
insurance contract and are therefore not part of any settlement. An analysis of
the total costs of any incident will reveal:
 the direct cost of the loss or injury, where relevant
 the indirect costs associated with repairing or replacing the loss or
rehabilitating the injured person/s, the administrative processes involved,
pain and suffering, lost production, downtime disruption, wasted labour
cost, and time spent on accident investigation and legal proceedings
 distraction of management in dealing with the loss and its related
problems rather than future operations
 the long-term effects of diverting money and/or resources from other more
productive uses to repair, replace or rehabilitate the results of the incident
—there is also a possibility that the organisation may suffer a loss of
reputation and market share as a result of the incident
 possible damage to the organisation’s reputation due to the incident
 the loss of customers or potential growth as a result of customers having to
find alternative suppliers during the resumption of production/ services.

Case study—Crane Connections


One of Crane Connections’ large tower cranes collapsed on a building site.
Unfortunately the crane was a write-off and the building site on which the
crane was situated suffered extensive damage, as did the plant services room
of an adjacent building. Other buildings in the vicinity also suffered some
damage. Luckily no-one was injured as the crane collapsed when the building
site and most of the surrounding businesses were closed.
In order for work to resume on the building site and in surrounding
buildings, Crane Connections conducted an immediate recovery operation.
They used some of their other cranes to remove the damaged crane from the
site and to remove debris. Police were required to control access to the site
during the recovery operations.
The air conditioning plant of the adjacent building, housed in the plant
services room, was badly damaged and the building was forced to close until
the air conditioning could be repaired. Some of the other surrounding shops
and buildings were also forced to close until debris was removed, repairs
were made and safe access was assured.
A formal accident investigation of the crane’s collapse was required to
determine the cause of the accident and to allocate responsibility.


Self-help question 4.5


What do you think might be some of the direct costs, indirect costs and long-
term effects of the crane collapse outlined in the above case study?
Answers to self-help questions are provided at the end of each section.

Designing and documenting risk treatment
Risk treatment plans are designed to help organisations document how the
selected treatment options will be put into operation. A well-executed
treatment plan should include:
 the proposed actions/activities
 how the treatment will be resourced
 exactly whose responsibility it will be to implement the treatment
 within what timeframe the treatment will be implemented
 the measures for determining whether the treatment was successful
 monitoring and reporting requirements.
It is essential that the treatment plans take into account and are incorporated
into the overall operational and budgetary management of the organisation.
The development of a treatment plan is only one part of a process that the
organisation uses to manage a specific set of risk exposures; it’s about what
the organisation is going to do and when it will be done and it tends to focus
on individual risk exposures.
If an exposure to risk is accepted and control/risk sharing options considered,
then a decision has to be made on how it is going to be managed.
To do this a risk treatment plan needs to be systematically developed in
conjunction with two or three people who are familiar with the processes and
procedures within the organisation. By using this approach, any difficulties
associated with risk treatment can usually be solved prior to implementation.


Documents that may be used to keep a formal record of risk treatment
activities include:
 risk register
 risk treatment schedule
 risk treatment action plan.
Note: An example risk register is provided in Appendix 4 of this learning
module; an example risk treatment schedule is provided in Appendix 5 and an
example risk treatment action plan is provided in Appendix 6.
These documents are indicative examples of the way in which a risk treatment
program can be systematically developed, but will not be practically
applicable to all organisations. If the content of the documents does not suit
the organisation in question, the document should be changed to ensure not
only its suitability for the organisation but also its consistency or
standardisation within the organisation.

Risk register
As introduced and outlined in the previous section, a risk register provides a
record for each identified risk exposure, noting its:
 source
 nature
 existing controls
 consequences and likelihood
 initial risk rating
 vulnerability to external and internal factors
 existing controls
 whether the risk is acceptable or not
 additional risk treatments.


Masterprint Risk Register case study


MASTER PRINT RISK REGISTER

Function/activity: Financial
Completed by: John Jones                     Date: 8th November 2010
The risk (what can happen): Pollution to river from oil spill. Potential for
high clean up costs and could put Government contracts at risk
Source of risk: Leak from unbunded oil tank near river
Risk rating: Catastrophic

Rating matrix (likelihood code down the side, consequence code across):

Likelihood        Insignificant  Minor   Moderate  Major         Catastrophic
Almost certain    Medium         High    High      Catastrophic  Catastrophic
Likely            Low            Medium  High      High          Catastrophic
Possible          Low            Medium  High      High          Catastrophic
Unlikely          Low            Low     Medium    High          High
Rare              Low            Low     Medium    Medium        High

Existing controls and adequacy: The tanks are not bunded, which means the
tank does not have a double skin with the capacity to hold the full contents
of the tank should the inner tank perish and leak, and there is no insurance
coverage for sudden and accidental pollution.

Risk acceptable? ❑ Yes ❑ No

The Risk Register shows that there are no existing controls, the tanks are not
bunded and there is no insurance coverage for sudden and accidental
pollution insurance. This risk is then escalated to Management for
consideration.
Once reviewed, the risk is not accepted by John Jones (the risk owner) and
additional risk treatments need to be established.

Risks that are not accepted


Having not accepted the risk, we need to go back to the risk register and:
 identify additional treatments
 review costs/benefits and decide which additional treatments will be
implemented
 establish a risk rating after treatment.


Review the risk register and recommend additional risk treatments


MASTER PRINT RISK REGISTER

Function/activity: Financial
Completed by: John Jones                     Date: 8th November 2010
The risk (what can happen): Pollution to river from oil spill. Potential for
high clean-up costs and could put Government contracts at risk
Source of risk: Leak from unbunded oil tank near river
Risk rating: Catastrophic

Rating matrix (likelihood code down the side, consequence code across):

Likelihood        Insignificant  Minor   Moderate  Major         Catastrophic
Almost certain    Medium         High    High      Catastrophic  Catastrophic
Likely            Low            Medium  High      High          Catastrophic
Possible          Low            Medium  High      High          Catastrophic
Unlikely          Low            Low     Medium    High          High
Rare              Low            Low     Medium    Medium        High

Existing controls and adequacy: The tanks are not bunded and there is no
insurance coverage for sudden and accidental pollution.

Risk acceptable? ❑ Yes ❑ No

Additional risk treatments         Cost–benefit analysis   Risk rating       A. Accept
                                                           after treatment   R. Reject
Avoid the risk by buying oil in    Wouldn’t be economical  Low               Reject
when needed.
Reduce the consequence by          Cost $ ,000             Low               Accept
bunding the oil tank.

Residual risk acceptable? ❑ Yes ❑ No

After starting with a risk rating of ‘catastrophic’ the bunding of the tank will
prevent any oil leaking into the river. The residual risk is now rated as ‘low’.
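To make the cost–benefit test from earlier in this section and the register’s rate, evaluate and accept/reject steps concrete, here is an added example (not part of the module) that applies the 5 × 5 matrix above to constructed treatment options for the oil tank; the likelihoods, loss figures, costs and the five-year horizon are assumptions, not figures from the case study.

```python
"""Worked Masterprint-style risk register: rate a risk with the module's
5 x 5 matrix, then evaluate treatment options by cost-benefit and residual
rating.  Illustrative code added here; not part of the module.  The matrix
is the one printed in the register; every dollar figure and likelihood
below is a constructed assumption, not data from the case study."""
from dataclasses import dataclass

CONSEQUENCES = ["Insignificant", "Minor", "Moderate", "Major", "Catastrophic"]

# Rating matrix as printed in the Masterprint register (rows = likelihood).
MATRIX = {
    "Almost certain": ["Medium", "High", "High", "Catastrophic", "Catastrophic"],
    "Likely":         ["Low", "Medium", "High", "High", "Catastrophic"],
    "Possible":       ["Low", "Medium", "High", "High", "Catastrophic"],
    "Unlikely":       ["Low", "Low", "Medium", "High", "High"],
    "Rare":           ["Low", "Low", "Medium", "Medium", "High"],
}
RATING_ORDER = ["Low", "Medium", "High", "Catastrophic"]


def rate(likelihood: str, consequence: str) -> str:
    """Look up the risk rating for a likelihood/consequence pair."""
    return MATRIX[likelihood][CONSEQUENCES.index(consequence)]


@dataclass
class Risk:
    description: str
    likelihood: str
    consequence: str
    expected_annual_loss: float   # assumed $ per year before treatment
    appetite: str = "Medium"      # highest residual rating the owner accepts


@dataclass
class Treatment:
    name: str
    option: str                   # avoid / reduce / share / retain
    capital_cost: float           # one-off outlay (physical controls)
    annual_cost: float            # recurring outlay (premiums, inspections)
    annual_benefit: float         # premium reductions, grants, spin-offs
    residual_likelihood: str
    residual_consequence: str
    residual_annual_loss: float   # assumed $ per year after treatment


def evaluate(risk: Risk, t: Treatment, horizon_years: int) -> dict:
    """Apply the two tests the module describes: the treatment must not cost
    more than the loss it saves (cost-benefit over the horizon, so a one-off
    capital cost is spread across the years it keeps working), and the
    residual rating must be within the risk owner's appetite."""
    loss_saved = risk.expected_annual_loss - t.residual_annual_loss
    net_benefit = (horizon_years * (loss_saved + t.annual_benefit - t.annual_cost)
                   - t.capital_cost)
    residual = rate(t.residual_likelihood, t.residual_consequence)
    within_appetite = RATING_ORDER.index(residual) <= RATING_ORDER.index(risk.appetite)
    if net_benefit <= 0:
        decision = "Reject: costs exceed the loss saved"
    elif not within_appetite:
        decision = "Reject: residual rating above appetite"
    else:
        decision = "Accept"
    return {"treatment": t.name, "residual_rating": residual,
            "net_benefit": net_benefit, "decision": decision}


def review_register(risk: Risk, treatments: list, horizon_years: int = 5) -> list:
    """Evaluate every option; accepted ones first, ranked by net benefit,
    ready to be carried into the risk treatment schedule."""
    results = [evaluate(risk, t, horizon_years) for t in treatments]
    return sorted(results, key=lambda r: (r["decision"] != "Accept", -r["net_benefit"]))


# Constructed example modelled on the Masterprint oil tank entry.
OIL_SPILL = Risk("Pollution to river from oil spill", "Possible", "Catastrophic",
                 expected_annual_loss=50_000)
OPTIONS = [
    Treatment("Avoid: buy oil in only when needed", "avoid", 0, 80_000, 0,
              "Rare", "Insignificant", 0),
    Treatment("Reduce: bund the oil tank", "reduce", 20_000, 500, 0,
              "Possible", "Insignificant", 2_000),
    # Insurance funds the clean-up but does not stop the spill, so the
    # residual consequence stays well above the bunded tank's.
    Treatment("Share: sudden and accidental pollution cover", "share", 0, 15_000, 0,
              "Possible", "Moderate", 10_000),
]

if __name__ == "__main__":
    print("Initial rating:", rate(OIL_SPILL.likelihood, OIL_SPILL.consequence))
    for r in review_register(OIL_SPILL, OPTIONS):
        print(f"{r['treatment']}: residual {r['residual_rating']}, "
              f"net benefit ${r['net_benefit']:,.0f} -> {r['decision']}")
```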


Risk treatment schedule


The risk treatment schedule documents the management controls to be
adopted, who is responsible for implementation of the plan, the resources to
be utilised, budget, implementation timeframe and the review process.
A risk treatment schedule details any new actions and controls to be adopted
by the organisation to treat specific risk exposures. The schedule includes the
actions to be taken to treat the risk exposure, the person/s responsible and
accountable for implementing the treatment plan, what resources are required
to put the treatment plan into action, the financial resources required to be
allocated to the risk treatment initiative, and the timeframe for implementing
the treatment plan. The risk treatment schedule also outlines how each control
and treatment will be reviewed (including the method of reporting on
progress/completion of initiatives) and how often it will be reviewed.

Risk treatment plan


The risk treatment plan documents how all the selected treatment options for
any given risk will be implemented, including how they will work together to
treat the identified risk exposures. It provides a summary of the
recommended response and impact and an action plan relating to each
exposure to risk. It will outline a program for reviewing the effectiveness of
the risk treatments.
The plan should:
 clearly identify and prioritise the individual risk treatments that are to be
put into action
 identify who will be responsible and accountable for implementation
 include a schedule for implementation
 provide an outline of the expected outcomes of each risk treatment
 provide a breakdown of the costs and resources involved in implementing
each risk treatment
 identify those risk treatments which can’t be implemented due to financial
limitations and a schedule for implementing these risk treatments
 detail the monitoring and review process used to determine the
effectiveness of the risk treatments.

Residual risk
After the risk treatment options have been determined and the treatment
plans have been established, it is highly likely that some residual risk
exposure will remain. All stakeholders should be made aware of exactly what
this residual risk exposure is, its extent and what risk it constitutes for the
organisation. This can be achieved by carefully documenting the residual risk
exposures and regularly monitoring and reviewing them.


Self-help question 4.6


Using the Masterprint risk registers in the answer to Self-help question 3.4,
complete the risk register showing the new treatments and residual risk
ratings.
Answers to self-help questions are provided at the end of each section.

Activity 4.2—Develop a treatment plan for your organisation


Select either your organisation or one of your company’s clients and think
about how a risk treatment plan for the organisation might be developed.
If possible, use the documents in Appendices 4, 5 and 6 to develop a risk
treatment plan for one of the exposures to risk that you have identified.

Implementing the risk treatment plan


The risk treatment plan should be implemented by those in the best position
to manage the risk exposure. To be successfully implemented, the plan
should:
 be communicated to all appropriate parties before implementation
commences
 clearly specify what risk treatments will be implemented
 document who is responsible and accountable for implementing and
reviewing the effectiveness of the treatments
 explain how the implementation will be monitored (the plan should be
monitored and the progress of the plan critically reviewed against the
actual plan).
The development and implementation of a treatment plan should not be
confused with implementing a risk management program. The implementation
of a risk management program takes a much higher level view; that is, selling
the concept of managing risk to the board, senior management and other
stakeholders, developing objectives, assigning responsibility, identifying the
resource requirements, setting the risk management policy and other
associated policies, selecting personnel and communicating policies.


Risk financing
Risk financing is all about ensuring that there is funding available to offset
any negative financial effects on the organisation in the event that a risk
eventuates.
For some risk exposures, the conventional method of financing is insurance.
Through insurance, or a similar financial instrument, risk financing is
primarily concerned with finding the most efficient means of funding the
financial loss that an event causes. It does not, however, prevent the event
occurring.
The risk financing method used depends largely on the outcome of the
establishing-the-context, risk identification, assessment and treatment steps of
the risk management process. The following diagram outlines the traditional
risk financing options used by organisations to fund loss exposures.
Table 4.1 Options for risk financing

Risk financing deals with ways of funding and managing the downside
consequences of exposure to financial risk. In the long term, any financing
arrangement works effectively as a sharing of the financial impact of events
by spreading the cost over a number of years.
The most common methods of financing risk are conventional insurance and
self-insurance.


Traditional insurance
Traditional insurance is a common method of financing risk, whereby an
organisation buys insurance cover from one or more commercial insurers.
The organisation pays an agreed premium for a specific insurance contract,
for a specific period of time (usually not more than 12 months).
Insurance contracts do not cover all possible losses or even the total cost of
those losses. This may be due to a number of factors such as:
 a restricted scope of cover in the policy wording
 the cost of premiums over time
 under-insurance
 the un-insurability of a particular exposure, such as loss of reputation or a
nuclear catastrophe.
It should be noted that insurance companies reinsure the losses that they
experience from the business that they underwrite to limit the effect of those
losses on their bottom line. However they must also finance the losses that
they experience as the result of being in existence (for example, using or
owning assets and employing people) in much the same way as non-
insurance organisations.
Traditionally, commercial insurance was the method of risk financing most
frequently used by an organisation. Insurance is ideally suited to providing
finance for what would be a catastrophic loss for an organisation. Obviously,
what is considered a catastrophic loss will vary from organisation to
organisation and this should be taken into account when an organisation is
deciding whether or not to utilise insurance and what form the insurances
should take.
However, if the risk management process is successfully applied, insurance is
generally only purchased when:
 there is a remote risk of a very large loss—that is, a catastrophe—and the
premium is appropriate
 there is a risk of a large loss and the premium is reasonable
 the likelihood of loss is unpredictable and there is a need to smooth out the
cost of losses over a number of years thereby spreading the impact on the
organisation’s bottom line over a number of years.
It is generally unlikely that an organisation will wish to purchase insurance
when effectively the organisation would be swapping dollars with its insurers
such as when:
 the likelihood is high but the amounts are small
 the total amount of loss in any one year would not materially affect the
organisation’s bottom line or profit.


Loss stabilisation
A loss stabilisation plan, or finite insurance, is another form of insurance that
organisations can use to finance risk. A loss stabilisation plan, however, is an
adaptation of a first loss insurance contract in which the insurer agrees to pay
the organisation any loss up to a maximum amount per loss. In exchange, the
organisation agrees to pay the insurer a premium equal to the maximum
amount payable divided by the period over which the insured will reimburse
the insurer; for example, if five years, the premium is equal to one fifth. The
organisation may not cancel the agreement until premiums equal the total of
any losses plus the insurer’s expenses and profits have been paid. The insurer
therefore has a guaranteed profit, and if there is any surplus at the end of the
period after an agreed amount of investment income has been taken into
account this is paid back to the organisation.
The loss stabilisation plan is one of a variety of alternative risk sharing/
alternative risk financing plans that are now available to organisations. These
are, however, often quite complex risk financing techniques, taking
considerable time to put in place and they involve a combination of insurance
and banking type financing transactions.

Self-insurance
Every organisation has a certain level of financial resources that, in some
instances, may be more secure than that of many of the underwriters
operating in the market. Therefore the organisation has the capacity to fund,
at least to some extent, its own losses. Just how much an organisation is able
to fund will depend on its financial resources and the risks to which it is
exposed. However, just because an organisation has the ability to finance a
loss, does not always mean that it is willing to do so. An organisation’s
propensity to retain risk is largely dependent on the tolerance to risk of its
board and/or management; that is, the level of loss it is willing to accept, and
its ability to effectively manage losses.
Self-insurance can be either planned or unplanned.

Unplanned self-insurance
Unplanned self-insurance relates to financial exposures not identified during
the risk identification phase. As a result, the business makes no provision to
finance any losses that may occur from those exposures and must use funds
that may have been budgeted for other costs or as surplus, to pay for the loss.
There is an assumption that sufficient funds are available or can be made
available. With small losses this is not likely to be a problem although an
accumulation of such small losses could seriously impact on the organisation’s
cash flow and bottom line. However, if a major loss occurs this could affect
the financial stability of an organisation and in some cases cause the collapse
of the business.


Planned self-insurance
Planned self-insurance relates to financial exposures to risk that an
organisation has identified and which it has decided to carry itself by
financing any losses from its business funds. The organisation sets up a fund
in much the same manner as an insurance company operates. When a loss that
is self-insured occurs, it is paid for from the fund that has been set-up,
whereas if it isn’t self-insured, it is paid out of that organisation’s other funds
that usually have been earmarked for other expenditure.
An organisation is most likely to use self-insurance when:
1 the business has no other basis of handling the downside of exposure to
risk—for example, many high-loss businesses such as wood working and
fibreglass industries find it almost impossible to obtain property insurance
2 self-insurance offers the cheapest or best method to fund the loss—in this
situation, the following elements must be present:
- the number and amount of losses must be predictable over a period of
time
- the organisation must be able to meet the largest single loss that may
occur
- the cost of self-insurance should be no higher than the insurance
premium/s.
By self-insuring, an organisation adopts the same principles as an insurer;
it is using the law of large numbers. But to adopt this approach, the number
and amount of the losses must be predictable over a number of years and the
pool of exposures to risk must be large enough to ensure a reasonable level of
predictability of results.
An organisation must also consider catastrophic losses and their likely effect
on the business. This is in addition to withstanding the aggregate losses; that
is, an accumulation of small losses. With catastrophic losses, an organisation
should only carry losses up to the level that it is able to predict accurately.
Above that level, an insurance or reinsurance placement should be arranged.
Where a business decides to self-insure all or some of its risk exposures,
it must be willing to undertake the administration of the self-insurance
portfolio. There are six commonly used methods of funding self-insurance,
whereby losses are paid from:
1 budgeted operating expenses
2 funded loss reserves
3 unfunded loss reserves
4 cost deferral mechanisms
5 mutual pool
6 licensed captive insurer.
All of these risk financing methods have taxation implications and need to be
carefully structured.


An organisation must decide which method of self-insurance offers the best
means of financing such losses. It is highly likely that the organisation will use
a combination of the following methods to self-insure.

Budgeted operating expenses


The least formal method of funding is to treat the loss as an operating expense
of the business (often as a ‘repairs and maintenance’ item) and reduce the
profits for the period. The ‘operating expense’ form of self-insurance is best
suited to financing losses that are relatively high frequency (i.e. statistically
predictable) and low severity. It is important that the dollar ($) amount of
losses treated in this manner does not distort either budgeted profit levels or
the ‘repairs and maintenance’ budget of the organisation. Care should also be
taken to ensure that the number, or total amount, of losses does not increase
significantly over time.

Funded loss reserves


Funded reserves are used where there is a high frequency of losses but low
impact—for example, minor physical damage to motor vehicles. The funded
reserve approach is more formal than the unfunded reserve method as losses
are covered by an allocation of assets (usually liquid). A budget is normally
set to fund the predictable losses. Only the amount of the funds actually used
to pay losses can be treated as legitimate tax expenses, and it is therefore
important that the level of reserves is set carefully and that payments are
made only for losses that fall within the scope of the funded reserve.

Unfunded loss reserves


A reserve is provided so that losses can be charged to the organisation’s
retained earnings rather than against the trading profit. An unfunded reserve
arises where the provision made for expected losses is not backed by any
assets set aside for such losses; for example, the provision for bad debts.
Unfunded reserves are used when loss frequency is not high and the amounts
involved are small to medium.

Cost deferral mechanisms


Cost deferral mechanisms involve obtaining a loan, line of contingent credit or
equity placement to finance a risk.
It is uncommon for an organisation to obtain a loan to fund a loss and this
method of risk financing is usually more expensive than purchasing
insurance. If a loan is taken out to fund a loss, the loan is normally arranged
on an ad hoc basis or via a line of credit. If an organisation arranges a
contingent line of credit with its bank, it usually pays a small annual fee.
In the event of a loss, the organisation is given a loan by the bank which it has
to pay back over a period of time plus interest, thus working effectively in the
opposite way to the normal insurance contract.
The other option besides ‘debt’ is for a firm to issue more equity in times of
crisis to fund losses. For example, QBE sold additional shares to, in part,
restore its balance sheet following the 11 September 2001 losses.


The advantages of cost deferral are that, like insurance, it effectively smooths
out the cost of the loss by:
 spreading the cost over a number of years
 off-setting the loss by gains elsewhere.
Either a loan or a line of contingent credit may provide an organisation with
the opportunity to spread the cost of a loss across a significant time period in
order to lessen the financial impact on the organisation. The drawbacks are
that the economic climate at the time of loss may make funds difficult to
obtain or the interest rates may be high. In addition, if the loss is significant
and could affect the organisation’s survival, then lenders may not be willing
to provide a loan.

Mutual pool
A mutual pool involves a number of organisations joining together and
pooling resources in order to develop a greatly increased capacity for carrying
loss, such as liability losses. Mutual pools are a recent development and
usually require their participants to carry very high deductibles, some as high
as US$50 million. They operate in a similar manner to excess of loss
reinsurance covering a layer up to a maximum amount of any loss that is in
excess of the deductible.
The mutual pool only underwrites the losses of those organisations which
have contributed capital to the pool and the participants share in the fortunes
of the pool as a whole.

Licensed captive insurer


A licensed captive insurer is often a wholly owned subsidiary of an individual
organisation, which enables the company to finance some of its losses on a
more economical basis. There are, however, various types of captive insurance
companies:
 pure captive—wholly owned by one company and which only
underwrites the risk exposures of its parent company
 open market captive—wholly owned by one company but which
underwrites not only the risk exposures of its parent company but also the
risks of other non-associated organisations
 group captive—jointly owned by a number of companies which
underwrites the risk exposures of the group
 trade captive—jointly owned by members of a trade association which
underwrites the risk exposures of the trade association
 protected cell captive—wholly owned by a captive insurance management
company but which underwrites the risk exposures of a number of
independent companies as if each had its own pure captive.
The captive insurance company is normally not managed by its parent but by
a specialist captive insurance company manager, who provides not only all of
the accounting and company secretarial services for the captive but also
underwriting services including claims management. The parent of the
captive is, however, normally responsible for the strategic management of the
captive.


The captive insurance company is a more complex form of self-insurance that
enables an organisation to make better use and retention of its funds
compared with dealing with the commercial insurance market. A captive
insurer is particularly useful to international organisations as such
organisations often find that local legislation interferes with their global self-
insurance program by insisting that its local insurances be placed with local
insurers. A captive insurer provides the means whereby such covers may be
placed locally and then reinsured back through the captive, thereby
maintaining internal control over the insurance program. In addition, through
the use of a captive insurer, an organisation can have access to broader policy
wordings with broader scope, particularly cover for losses that may not be
able to be insured in the normal insurance market.
If properly structured and financed, the captive insurance company is able to
directly access the reinsurance market in exactly the same way as direct
market insurance companies. Therefore, it is able to arrange more
sophisticated covers with much higher retentions than may be economically
possible by placing the business with the direct insurance market.

Case study—Masterprint’s insurance program


Acme Insurance has the following general information about Masterprint’s
current insurance program.
Masterprint has:
 80 employees
 buildings, plant and equipment with a replacement value of $10 million
 a turnover of $20 million
 14 cars and 3 delivery trucks
 3 directors.
Masterprint has been spending close to $450,000 on insurance per annum.
Current policies include:
 Buildings/plant and equipment/business interruption/machinery
breakdown/transit insurance: $30 million combined limit, a deductible of
$1,000 for each claim, a five-day waiting period for any interruption losses
 Motor vehicle policies—comprehensive cover on all vehicles with a $200+
age excess
 Workers’ compensation (Australia)/accident compensation (New Zealand)
cover with statutory benefits
 Directors and officers cover
 Travel/personal accident insurance for directors
 Fidelity guarantee/crime policy with coverage of $1,000,000, a $100 excess
 Computer/interruption policy—material damage cover for $1 million.
Interruption/rewriting records cover of $5 million.
Due to hardening of the insurance market, it is anticipated that there will be
significant increases in Masterprint’s premiums in the upcoming year.


Premium summary
Policy                           Current premium   Renewal terms
ISR/Business Interruption        $350,000          $600,000
Motor Vehicle                    $22,000           $35,000
Workers’/Accident compensation   $10,000           $12,000
Directors & officers             $25,000           $60,000
Travel/Personal accident         $10,000           $12,000
Fidelity guarantee               $10,000           $10,000
Computer/Interruption            $20,000           $40,000
Total premiums                   $447,000          $769,000

Marjorie Crawford, Masterprint’s financial manager, has informed Acme
Insurance that Masterprint has only increased the company’s budget for
insurances in the upcoming year from $450,000 to $500,000.

Self-help question 4.7


Using the information in the preceding case study:
1 What insurances do you think Masterprint would be required to have by
law—that is, obligatory insurances?
2 Determine what insurances you think Masterprint might be required to
have by contract.
3 Beyond insurances required by law and contract, what strategy could be
employed to finance Masterprint’s losses within the $500,000 allocated
insurance budget?
4 Outline what Masterprint’s revised renewal terms might look like, based
on strategies proposed in question 3.
Answers to self-help questions are provided at the end of each section.

Risk Surveyor’s role in risk treatment


The risk surveyor can play an important role assisting clients in identifying
risk treatments to reduce the likelihood and consequence of risks. The risk
surveyor brings experience in:
 lessons from claims, which can highlight risks. For example, the number of
fires caused by cutting and welding operations has led risk surveyors to
recommend ‘hot work’ permits to their clients
 knowledge of similar industries and the risks that they have treated
 a knowledge of risk treatments that have been developed in the
underwriting process
 insurance industry research and guidelines.

132 GI512-15 16.01


Risk treatment

The risk surveyor can be an excellent resource in identifying risk treatments
that assist the client and reduce the risk from an underwriting perspective.
We look further into the relationship between the client and the risk surveyor
in module three of this course.

Section summary
This section has outlined how to establish and report on the need for a risk
plan with objectives and controls, to identify risk controls, and to regularly
evaluate the effectiveness and extent of the controls in place.
Risk management treatment is centred on deciding which measures will
ensure the achievement of pre-event objectives and post-event objectives.
The four main options for treating losses are:
1 risk retention
2 control by reducing the likelihood and consequence of risk
3 risk sharing
4 risk avoidance.
All risk treatment options should be considered when determining a suitable
treatment option or combination of options that are appropriate to the
exposure to risk. A risk treatment plan documents how all selected risk
treatment options will be implemented and their effects reviewed. The risk
treatment plan:
 identifies and prioritises individual risk treatments to be put into action
 identifies who is responsible for the implementation
 identifies the necessary resources
 includes a schedule for implementation
 outlines the expected outcomes of each risk treatment
 provides a breakdown of cost and resources
 identifies risk treatments which cannot be implemented due to operational
or financial limitations
 details the review process used to determine the effectiveness of risk
treatments.
Risk treatment plans need to be clearly devised, documented and
communicated so that the reasons a treatment is required, and the effects it
is expected to have, are clearly understood. Risk treatment documentation may
include a risk register, a risk treatment schedule and a risk treatment action
plan.
Risk financing is about appropriate funding and management of exposure to
risks. Risks can be financed by both conventional insurance methods and by
alternative methods such as self-insurance through operating expenses,
funded loss reserves, unfunded loss reserves, cost deferral, captive insurers or
mutual funds. Funds to finance the costs of losses come from a wide variety of
sources.


Answers to self-help questions


Self-help question 4.1
The main post-event objectives of Best Baby Foods would be to:
 move manufacturing to other plants if possible
 resume operations at the affected plant as soon as possible
 check electrical circuitry at all processing plants to reduce likelihood of a
similar loss and look at other means of reducing fire risks
 protect the reputation and image of the company through proactive
corporate communications to all stakeholders
 consider how to recuperate lost revenue by other means
 keep customers, suppliers and distributors briefed on the situation, letting
them know why stocks may be depleted and explain what the company is
doing to remedy the situation.

Self-help question 4.2


Some of the physical risk exposures that could perhaps be completely avoided
by Masterprint are those which require changes to how and where
Masterprint operates:
Risk No. 11: Flooding of river next to Masterprint’s premises. Loss could be
avoided if Masterprint moves their operations to another site.
Risks Nos. 12 and 13: Tampering with/explosion of LPG, oil and diesel storage
tanks could only be avoided if the storage tanks were removed and
petrochemicals were obtained when required from an off-site location.
Risk No. 20: Masterprint’s premises situated next to a fireworks manufacturer.
Loss could only be avoided if either Masterprint moves their operations to
another site or the fireworks manufacturer moves to another site.


Self-help question 4.3


Almost all of Masterprint’s identified risk exposures are able to be controlled:

Ref | Risk | Control | Category (A, P, L, R/E, R&I)
1 | Raw materials stored in one area | Have multiple storage points; investigate storage off-site | ✓ ✓
2 | Damage, destruction, theft of Document Management System | Storage of DMS back up off-site; alert clients to security measures taken to protect DMS | ✓ ✓
3 | Theft of, or damage to, hydraulic trolley or forklift | Driver education course for forklift driver/s and trolley operators | ✓ ✓ ✓
4-6 | Breakdown of machinery | Have back-up machinery either on-site, at an alternative site or available with a contractor | ✓ ✓ ✓
7 | Reliance on one supplier | Spread supply acquisition amongst a number of suppliers | ✓ ✓
8 | Reliance on one distributor | Spread distribution services across more than one distributor | ✓ ✓
9 | Doorways between buildings always open | Ensure doorways between buildings are closed after hours | ✓ ✓
10 | No sprinkler system in Building No. 1 | Install sprinkler system | ✓
11 | Flood: premises bounded by a river | Move operations to another site | ✓
12 | Tampering with storage tanks | Install security fencing around tanks | ✓
13 | Explosion of storage tanks | Ensure all WHS/housekeeping standards are met and monitor tanks regularly | ✓ ✓
14 | Parking/traffic congestion outside premises | Enforce policy that cars are only to be parked within designated parking areas | ✓
15 | Theft due to poor security | Employ security to man gates; ensure gates are locked after hours | ✓ ✓ ✓
16 | Equipment and parts left around waste skip and inside buildings | Enforce stringent housekeeping procedures | ✓ ✓
17 | Computer back up stored on-site only | Store computer back up off-site also | ✓
18 | Outdated building valuations | Update valuations and seek appropriate level of cover | ✓
19 | Staff smoking in staff/lunch room | Strict enforcement of no-smoking policy | ✓ ✓
20 | Increased fire risk exposure due to neighbouring fireworks manufacturer | Minimise storage of combustible material between Masterprint and neighbour and install drencher system on exposed wall and roof | ✓ ✓
21 | Revenue: renewal of government department contracts | Public sector expertise, resources, facilities and products should be used in preference to engaging the private sector, subject to value for money considerations. Where the private sector is to be engaged, opportunities to gain government business are encouraged through effective competition. |
22 | Reliance on one operator for specialist machinery | Train/hire other staff to operate machinery | ✓ ✓

Self-help question 4.4


As part of their risk management program, Masterprint could reduce the
likelihood and consequence of motor vehicle accidents by implementing the
following risk treatment options:
 Risk control to reduce likelihood of accidents occurring: Masterprint could
send their delivery drivers on a driver education program. The program
could develop skills to help drivers avoid accidents, and could also
improve vehicle maintenance.
 Risk control to reduce consequences of accidents: the driver education
program can also help the delivery drivers employ skills to help lessen the
impact of accidents on the vehicles. Masterprint could also buy safer
vehicles which include safety devices such as driver and passenger airbags
and strengthened vehicle body.
 Risk transfer/sharing: instead of owning the delivery vehicles, Masterprint
could lease the vehicles and the lessor could assume responsibility for
vehicle damage.
Another strategy would be for Masterprint to purchase additional vehicles to
ensure that standby vehicles are available for use when delivery vehicles are
not operational. If the organisation has a motor vehicle insurance program in
place, an added benefit in reducing vehicle accidents is likely to be insurance
premium savings.
Finally, Masterprint could spend more money on improving the quality of
their fleet to have safer cars and a more regular repair and maintenance cycle.


Self-help question 4.5


The direct costs of the crane collapse include:
 the crane itself, which was a write-off
 the damage to the building site on which the crane was situated
 the extensive damage to the plant services room of the adjacent building
 the damage to other buildings in the vicinity.
The indirect costs of the crane collapse include:
 loss of business/income due to Crane Connections using its other cranes to
remove the damaged crane
 loss of income from the closure of the adjacent building because the air
conditioning plant room was damaged
 loss of income because of the prevention of access to the shops and other
buildings in the surrounding area
 suspension of work on the building site
 time spent investigating the accident and preparing the various reports
 time and cost of the police required to control access to the site during the
recovery operations
 loss of salaries and wages of staff employed at the buildings in the
surrounding area
 loss of customers/business for the organisations in the surrounding shops
and buildings resulting from the accident and the subsequent prevention
of access
 legal costs incurred in allocating responsibility for the collapse and
resultant damage.
The long-term effects of the crane collapse include:
 diversion of money to replace the crane and repair the damage done to the
surrounding buildings and the building site
 diversion of resources in the form of personnel and time necessary to effect
repairs and replace the crane.


Self-help question 4.6


Risk Register 1

MASTER PRINT RISK REGISTER

Function/activity: Financial
Completed by: John Jones   Date: 9/11/2010

The risk (what can happen): There is no sprinkler system in Building No. 1.
The building is protected by fire hose reels and extinguishers only. A fire in
Building No. 1 could destroy the manufacturing equipment and spread to
Building 2, overcoming the sprinkler system, with a potential for a total loss.

Source of risk: Fire

Risk rating: Likelihood is rated as ’possible’. A total loss would exceed $10m
and the consequence rating would be Catastrophic. The overall risk rating is
‘Catastrophic’.

Likelihood code | Consequence code
                | Insignificant | Minor  | Moderate | Major        | Catastrophic
Almost certain  | Medium        | High   | High     | Catastrophic | Catastrophic
Likely          | Low           | Medium | High     | High         | Catastrophic
Possible        | Low           | Medium | High     | High         | Catastrophic
Unlikely        | Low           | Low    | Medium   | High         | High
Rare            | Low           | Low    | Medium   | Medium       | High

Existing controls and adequacy: There is a no-smoking policy in place, but it
is being disregarded. Apart from this ban there are no other existing controls
to reduce the likelihood of a fire. The wall between the two buildings would
not reduce the Consequence rating as doors are kept open. Hose reels and
extinguishers would not reduce the Consequence rating. The consequence could
be reduced by relying on existing insurance cover; however, Masterprint do not
want to rely solely on insurance, especially in the light of the re-tendering
process.

Risk acceptable? ❑ Yes ❑ No

Additional risk treatments | Risk rating after treatment | Cost benefit analysis: accept or reject
Reduce the likelihood of a fire by implementing a Fire Safety Risk Management Program, including smoking controls, hot work permits etc. The reduced Likelihood rating would be Unlikely | High | Accept, but rating still needs to be reduced
Reduce the consequences by installing fire doors, thereby restricting a fire loss to 50%. Consequence rating would be Major | High | Estimated cost $20,000. Reject: rating too high
Reduce the consequence by installing a fire sprinkler system in Building 1. Consequence rating would reduce to Minor | Medium | Estimated cost $100,000. Accept

Residual risk rating: Implementing the Fire Safety Management Control Program
would reduce the Likelihood rating to Unlikely and installing sprinklers
reduces the Consequence rating to Minor, which gives a residual risk rating
of Low.


Self-help question 4.6


Risk Register 2

MASTER PRINT RISK REGISTER

Function/activity: Financial
Completed by: John Jones   Date: 9/11/2010

The risk (what can happen): Adjacent river flooding and causing damage to
stock. Local Council advised property is located in a 1:100 flood zone.

Source of risk: Flood

Risk rating: 1:100 has a likelihood rating of ’rare’. Estimated loss is $1m,
which gives a Consequence rating of ‘Moderate’. Overall risk rating is
‘Medium’.

Likelihood code | Consequence code
                | Insignificant | Minor  | Moderate | Major        | Catastrophic
Almost certain  | Medium        | High   | High     | Catastrophic | Catastrophic
Likely          | Low           | Medium | High     | High         | Catastrophic
Possible        | Low           | Medium | High     | High         | Catastrophic
Unlikely        | Low           | Low    | Medium   | High         | High
Rare            | Low           | Low    | Medium   | Medium       | High

Existing controls and adequacy: There are no existing controls. Flood
insurance is not available.

Risk acceptable? ❑ Yes ❑ No

Additional risk treatments | Risk rating after treatment | Cost benefit analysis: accept or reject
Move to alternative premises | No risk | Rejected: too expensive
Reduce consequence by setting up a self-insurance program | Low | Accepted
Reduce consequence by building a flood barrier | Low | Rejected: cost estimate is $1m
Reduce consequence by developing a flood emergency plan | Low | Accepted

Risk acceptable? ❑ Yes ❑ No

Residual risk rating: Low


Self-help question 4.6


Risk Register 3

MASTER PRINT RISK REGISTER

Function/activity: Office
Completed by: John Jones   Date: 9/11/2010

The risk (what can happen): Theft of three laptops from office

Source of risk: Theft

Risk rating: Value of laptops is $3,000, which gives a consequence rating of
‘Insignificant’. Likelihood is rated as ‘Possible’. This gives an overall
risk rating of ‘Low’.

Likelihood code | Consequence code
                | Insignificant | Minor  | Moderate | Major        | Catastrophic
Almost certain  | Medium        | High   | High     | Catastrophic | Catastrophic
Likely          | Low           | Medium | High     | High         | Catastrophic
Possible        | Low           | Medium | High     | High         | Catastrophic
Unlikely        | Low           | Low    | Medium   | High         | High
Rare            | Low           | Low    | Medium   | Medium       | High

Existing controls and adequacy: Laptops backed up daily to the main server

Risk acceptable? ❑ Yes ❑ No   Notes: No additional risk treatment necessary

Additional risk treatments | Risk rating after treatment | Cost benefit analysis: accept or reject
(no entries)
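The rating logic behind the three registers above, as an added worked example that is not part of the course material: it encodes the 5x5 likelihood/consequence matrix, rates each proposed treatment on its own (the ‘risk rating after treatment’ column), and combines the accepted treatments into a residual rating and a treatment cost. Three things are assumptions rather than course content: the loss bands in LOSS_BANDS (the registers give only $3,000 Insignificant, $1m Moderate and over $10m Catastrophic), the rule that accepted treatments combine by taking the lowest likelihood and lowest consequence any of them achieves, and the Minor consequence code used for the flood treatments, where the register records only the treated rating Low.

```python
"""Risk-rating engine for the 5x5 likelihood/consequence matrix used in the
Masterprint risk registers, with treatment application and residual risk."""
from dataclasses import dataclass, field
from typing import Optional

LIKELIHOOD = ["Rare", "Unlikely", "Possible", "Likely", "Almost certain"]
CONSEQUENCE = ["Insignificant", "Minor", "Moderate", "Major", "Catastrophic"]
RATING_ORDER = ["Low", "Medium", "High", "Catastrophic"]

# Matrix as printed in the registers: one row per likelihood, one column per
# consequence in the order Insignificant .. Catastrophic.
MATRIX = {
    "Almost certain": ["Medium", "High", "High", "Catastrophic", "Catastrophic"],
    "Likely":         ["Low", "Medium", "High", "High", "Catastrophic"],
    "Possible":       ["Low", "Medium", "High", "High", "Catastrophic"],
    "Unlikely":       ["Low", "Low", "Medium", "High", "High"],
    "Rare":           ["Low", "Low", "Medium", "Medium", "High"],
}

# Assumed loss bands (upper bound exclusive). The registers give only three
# data points; the other boundaries are assumptions chosen to agree with them.
LOSS_BANDS = [(10_000, "Insignificant"), (100_000, "Minor"),
              (2_000_000, "Moderate"), (10_000_000, "Major")]


def rate(likelihood: str, consequence: str) -> str:
    """Overall rating for a likelihood/consequence pair."""
    return MATRIX[likelihood][CONSEQUENCE.index(consequence)]


def consequence_for_loss(amount: float) -> str:
    """Consequence code for an estimated loss, using the assumed bands above."""
    for upper, code in LOSS_BANDS:
        if amount < upper:
            return code
    return "Catastrophic"


def meets_target(rating: str, target: str) -> bool:
    """True when a rating is no worse than the target rating."""
    return RATING_ORDER.index(rating) <= RATING_ORDER.index(target)


@dataclass
class Treatment:
    description: str
    new_likelihood: Optional[str] = None    # None: treatment leaves it unchanged
    new_consequence: Optional[str] = None
    cost: int = 0
    accepted: bool = False


@dataclass
class RiskRegister:
    risk: str
    likelihood: str
    consequence: str
    treatments: list = field(default_factory=list)

    def inherent_rating(self) -> str:
        return rate(self.likelihood, self.consequence)

    def rating_after(self, t: Treatment) -> str:
        """Rating if this single treatment were applied on its own."""
        return rate(t.new_likelihood or self.likelihood,
                    t.new_consequence or self.consequence)

    def residual(self) -> tuple:
        """(likelihood, consequence, rating) with all accepted treatments in
        place. Assumption: accepted treatments combine by taking the lowest
        likelihood and lowest consequence that any of them achieves."""
        lik, con = self.likelihood, self.consequence
        for t in self.treatments:
            if not t.accepted:
                continue
            if t.new_likelihood and LIKELIHOOD.index(t.new_likelihood) < LIKELIHOOD.index(lik):
                lik = t.new_likelihood
            if t.new_consequence and CONSEQUENCE.index(t.new_consequence) < CONSEQUENCE.index(con):
                con = t.new_consequence
        return lik, con, rate(lik, con)

    def accepted_cost(self) -> int:
        return sum(t.cost for t in self.treatments if t.accepted)


def building1_fire() -> RiskRegister:
    """Register 1 as written up in the course answer."""
    return RiskRegister(
        "Fire in Building No. 1 (no sprinkler system)",
        "Possible", consequence_for_loss(10_000_001),
        [Treatment("Fire Safety Risk Management Program", new_likelihood="Unlikely", accepted=True),
         Treatment("Install fire doors (loss limited to 50%)", new_consequence="Major", cost=20_000),
         Treatment("Install sprinklers in Building 1", new_consequence="Minor", cost=100_000, accepted=True)])


def river_flood() -> RiskRegister:
    """Register 2. The treated consequence code is assumed to be Minor, since
    the register records only the treated rating Low and Rare x Minor is Low."""
    return RiskRegister(
        "Adjacent river flooding stock (1:100 flood zone)",
        "Rare", consequence_for_loss(1_000_000),
        [Treatment("Self-insurance program", new_consequence="Minor", accepted=True),
         Treatment("Flood barrier", new_consequence="Minor", cost=1_000_000),
         Treatment("Flood emergency plan", new_consequence="Minor", accepted=True)])


if __name__ == "__main__":
    for reg in (building1_fire(), river_flood()):
        print(reg.risk, "inherent:", reg.inherent_rating())
        for t in reg.treatments:
            print("  ", t.description, "->", reg.rating_after(t),
                  "accepted" if t.accepted else "rejected")
        print("   residual:", reg.residual(), "cost:", reg.accepted_cost())
```

Run as a script it prints the inherent rating, the rating each treatment would give on its own, and the residual rating for both registers; the Building No. 1 register comes out Catastrophic, then High/High/Medium for the three treatments, and Low once the fire safety program and sprinklers are combined, matching the register.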


Self-help question 4.7


1 The insurances that Masterprint would be required to have by law are
workers’ compensation insurance and third party motor vehicle insurance
(Australia). These do not apply in New Zealand, where Masterprint is
instead required to meet its accident compensation obligations.
2 The insurances that Masterprint might be required to have by contract
could include property, business interruption and/or machinery
breakdown insurances which financiers require.
3 Strategies that could bring Masterprint’s insurances within the budget are:
- for insurances required by contract, the deductibles could be increased
and the sum insured reduced to first loss cover for $5 million per event
- seek to buy catastrophe protection only for other policies—where a loss
would not result in a catastrophe, insurance would not be purchased—
for example, machinery breakdown, travel and personal accident
insurance
- use money to invest in better risk control—for example, increased
maintenance and protection measures such as installing a fire sprinkler
system in Building No. 1, keeping computer back ups off-site, increased
staff training, director ‘indemnities’ in company’s articles.
Note: The above strategies/recommendations would need to be fully
explained and justified to Masterprint and agreement attained prior to
implementation.
4 Revised renewal terms:
- ISR/Business Interruption—first loss cover only, increase deductible,
delete machinery and transit cover.
- Motor Vehicle—remove cover on damage to Masterprint vehicles—
i.e. third party cover only.
- Workers’ Compensation—insurance remains unchanged. Masterprint
to increase staff occupational health and safety training to reduce
workplace safety incidents.
- Directors & Officers—discuss the necessity for comprehensive cover
with Masterprint. Reduce cover if agreed by Masterprint’s directors and
finance manager.
- Travel/Personal Accident—discuss the necessity for cover with
Masterprint. Terminate cover if agreed by Masterprint’s directors and
finance manager.
- Fidelity Guarantee—Increase policy excess to $1 million and insure for
catastrophe cover of $10 million only.
- Computer/Business Interruption— discuss the necessity for cover with
Masterprint. Terminate cover if agreed by Masterprint’s directors and
finance manager.


If Masterprint’s directors and finance manager agree to the revised renewal
terms and risk management initiatives, the proposed policies can be summarised
as follows:

Policy                         | Current premium | Renewal terms | Revised renewal terms
ISR/Business Interruption      | $350,000        | $600,000      | $250,000
Motor Vehicle                  | $22,000         | $35,000       | $10,000
Workers’ Compensation (Aust.)  | $10,000         | $12,000       | $12,000
Directors & Officers           | $25,000         | $60,000       | $28,000
Travel/Personal Accident       | $10,000         | $12,000       | —
Fidelity Guarantee             | $10,000         | $10,000       | $5,000
Computer/Business Interruption | $20,000         | $40,000       | —
Total premium amount           | $447,000        | $769,000      | $305,000

Using the above example, Masterprint’s revised insurances would only cost
$305,000. Masterprint could invest the remaining $195,000 of the $500,000
insurance budget in a risk management program that would provide tangible
benefits over a number of years.

Section 5

Monitoring and review

Introduction
Monitoring and review are integral to the effectiveness of the risk
management programs over time. Risk exposures are not static and, as
circumstances change, programs need to alter to reflect those changes. As a
consequence, the risk management process needs to be applied in an iterative
and ongoing way within the risk management program for the organisation.
No matter how well-planned and implemented a risk management program
is, the nature of risk exposures is such that they are unpredictable and
unexpected events/losses will undoubtedly occur. Monitoring and reviewing
the risk management process can reveal successes of the program as well as
changes necessary to further improve performance.
It is also possible that an organisation’s commitment to risk management will
vary over time. By utilising the outcomes of the monitoring and review
process, the risk management program can be adjusted to ensure that it
remains viable and relevant, keeping the risk management program up-to-
date and on track.
Risk treatment plans in particular provide an important performance measure
for the risk management program.
The purpose of monitoring and review is to:
 review the effectiveness of the existing risk management program
 identify any changes in the context
 identify any new and emerging risks
 monitor risk exposures which have already been identified
 review data sources used in analysis and revise/update the data
 ensure risk treatment programs are being adhered to.

Learning outcomes
When you have completed this section, you should be able to:
 describe how to monitor and review the application of the risk
management process
 explain how to establish an event/loss reporting system
 outline how to assess event/loss reports
 identify and review loss trends and changes in risk exposures
 outline how to formulate and recommend appropriate risk and loss control
measures
 explain how to monitor and review the performance of the risk
management program and changes which might affect it.


Monitoring
Section 2.28 of ISO 31000:2009 defines monitoring as:
continual checking, supervising, critically observing or determining the
status in order to identify change from the performance level required or
expected
Note: Monitoring can be applied to a risk management framework, risk
management process, risk or control.

Using the above definition, it is apparent that monitoring and review of the
risk management process should be conducted on an ongoing basis
throughout each step of the process and all stakeholders should be consulted
and communicated with. This process includes the supervision of all activities
in the risk management process and looks at each individual exposure to risk
to ensure changing circumstances do not alter the parameters under which
risk strategies and priorities have been formulated.
Monitoring involves the perpetual upkeep and management of risk
information, and should:
 record and show any changes in risk profiles
 identify risk treatment measures and strategies
 track progress and completion of risk control actions
 allow progress against the risk management plan to be measured
 allocate and track accountability for risk exposures, treatment measures
and control actions
 trigger monitoring and assurance activity
 provide a means for the measurement and reporting of risk management
activity and progress generally.
Organisations, and the environment in which they operate, must be constantly
monitored to keep abreast of changes that may affect their risk exposure
profiles and treatment and financing programs. Continual monitoring and
review enables fine tuning and alteration of a risk management program so as
to achieve the best possible outcome for the organisation from the risks to
which it is exposed.
For example, if an organisation starts selling its products to new overseas
markets, then it is likely that the risks to which the company is exposed may
expand and change. There needs to be a monitoring process in place to ensure
that the risk management program deals with such change. As such, it is
necessary to repeat the risk management cycle on a regular basis.
Therefore, it is important to consider the why, what, who, when and how of
monitoring:
 Why do organisations need to monitor?
 Who does the monitoring?
 What should be monitored?
 When should the monitoring be done?
 How should the monitoring be conducted?


Why monitor?
The most common reasons for monitoring are:
1 Meeting performance targets—risk management processes should have
performance targets, and these targets need to be set with the
organisation’s objectives in mind as well as its current exposures to risk
and its claims history.
2 Allocating funds—there are considerable costs associated with risk
exposures and a program to manage those exposures. Monitoring provides
ongoing information to: (a) enable such costs to be properly allocated;
(b) justify the basis of the allocation of these costs; and (c) prove the
benefits attained by establishing a risk management program.
3 Statutory reporting—monitoring can provide statistics and data which
may be required to satisfy statutory obligations—for example, workers’
compensation reporting requirements, environmental legislation and so
on.
4 Identifying new/changed exposures—exposures often change in the course
of business and ‘new’ exposures constantly arise. For example, an
organisation may decide to outsource the operation and maintenance of its
motor vehicle fleet thereby changing the nature and extent of motor
vehicle risk exposures for the organisation or it may decide to go into a
new market thereby changing its market risk exposures. All new and
changed risk exposures need to be promptly identified and reported on.
5 Defending the risk management program—if risk management practices
are questioned, particularly in regard to exercising duty of care,
contractual obligations and legislative responsibilities, monitoring and
review can provide information to defend an organisation’s actions.
6 Performance review—the performance of the risk management process
needs to be constantly monitored and regularly reviewed—for example,
accidents and incidents including near misses.

Who does the monitoring?


Managing risk is the job of every employee in an organisation, with the only
difference being the scope, breadth or accountability assigned to specific
persons. However, those with clear accountability, authority and resources for
managing risk exposures should both monitor and report on key exposures as
outlined above.


What should be monitored?


Generally, the focus of the monitoring process is on people, products and
activities.
Monitoring should relate to each activity in the risk management process. One
of the main areas to monitor is changes to context, that is, changes to things
like:
 organisational objectives
 operating environments
 legislative changes
 business plans
 stakeholders.
New and emerging risks should also be monitored against the context to
ensure that the existing risk assessment remains relevant.
The following are suggested starting points for the types of things that should
be monitored:
 new activities and changes in operating structure
 staff changes/training
 customer/product reports
 work accidents and incidents involving injury to people
 property and business interruption exposures—for example, purchase and
sale of assets, aggregation risks
 machinery breakdowns—for example, a record of the number of times
mechanical breakdowns occur on specified pieces of machinery
 incidents and near misses
 security breach incidents
 motor vehicle costs—the cost of motor vehicle accidents versus the cost of
insurance is often monitored and compared. Motor vehicle insurance has
typically been one of the first risk exposures that an organisation
self-insures.

When should the monitoring be done?


Informal monitoring occurs on a daily basis and formal monitoring programs
are generally dictated by the organisation’s structure, activities and markets.
Risk exposures are continually changing and therefore the risk management
process needs to be applied iteratively and on an ongoing basis. All of the
steps in the risk management process should be monitored and reviewed on a
continuing basis if the optimum results are to be obtained. Organisations, and
the environment in which they operate, must be constantly monitored to keep
abreast of changes that may affect their risk exposure profiles and treatment
and financing programs.


How is monitoring conducted?


A risk management program needs both formal and informal monitoring and
review processes. Formal monitoring requires establishing reporting systems;
for example, monthly or quarterly claims reports associated with insurable
risks. Informal monitoring can include discussions with staff, reading reports,
inspecting the site and making general enquiries.
Following are some examples of formalised monitoring systems for hazard
type risks:
 workers compensation/accident compensation claims
 claims by third parties for faulty products
 property loss reports
 claims by third parties for bodily injury or property damage
 motor vehicle accident reports
 occupational health and safety reporting—for example, accident
investigation reports
 operating licence renewals—for example, dangerous goods storage and
waste discharge.
Recording the cause, time, place and amount of losses as well as other
information that may be used for analysing any unexpected events/losses
should form a fundamental part of any monitoring system.
Most of the above monitoring systems involve an actual event or loss and
some can (and often are) budgeted for by the organisation. They can be
measured, planned for, and the results for a period compared to the previous
time periods.
Examples of informal monitoring systems are:
 log analysis—that is, some businesses typically compile logs in areas such
as security, visitors, breakdowns, phone calls and so on
 staff meetings where incidents are raised and discussed
 customer complaints.
A monitoring process also needs to be established to identify new
developments so that new risk exposures that arise from them can be
reviewed.


Reviewing
In addition to ongoing monitoring procedures, regular formal reviews of risk
management processes and risk exposures should also be conducted to assess
and document:
 the effectiveness of the risk treatment plan, strategies and management
system
 the effectiveness of and adherence to risk treatment measures
 the relevance of the risk management plan to the organisation’s objectives
 factors which may affect the likelihood and consequences of a risk
exposure
 factors which affect the suitability or cost of particular treatment options
 board and management commitment to the risk management process.
Mechanisms need to be developed and implemented to ensure that regular
reviews take place. The board and management of an organisation should
take responsibility for making sure that a formal review of the organisation’s
risk management system, in accordance with the organisation’s risk
management plan, is carried out at regular intervals, such as annually.
The risk management system must remain relevant to the organisation at all
times. As an organisation’s circumstances are changing all the time, the
regular review of previous risk management decisions is vital.
In reviewing each of the activities in the risk management process, it is
essential that:
 the decisions made and the actions taken are checked to ensure that they
are the most logical and effective
 the actions taken (including any measures implemented) are working as
expected and are bringing about the desired result
 remedial action is taken to address those decisions or actions taken
(including any measures implemented) that are not working or not having
the desired effect—this remedial action should correct the situation.
To undertake a review of the management of risk, it is important to record
details of:
 how often individual risk exposures and the risk management program
itself will be reviewed
 the outcomes of the review and any other monitoring procedures
 how review recommendations will be actioned.


Review questions
The review should ask the following questions:
 Are the risk management objectives aligned with the organisational
performance objectives and values?
 Do the risk management initiatives reflect the realities of the environment
in which the organisation in question operates?
 Are the outcomes of risk management able to be effectively measured?
 Do the risk management initiatives generate value for the organisation?
 Does the information provided allow senior management to make
decisions about whether to expand or contract resources and effort in
managing risk exposures?
 Is clear and concise information provided for evaluation by management
and the board?

Cost of risk
Effective risk management delivers cost-effective outcomes. Part of the review
process involves measuring the annual costs saved through the application of
risk management. This can be achieved by using the cost of risk concept.
The cost of risk concept involves an organisation ensuring that budgets and
objectives for risk costs are properly set, and that variations are monitored,
examined and, when required, actioned. The overall progress of applying risk
management should also be regularly assessed. The components of a cost of
risk measure will vary with the types of risk that the organisation is concerned
with and its assessment criteria. Principally, the cost of risk includes any
costs associated with the risk impact (if these can be measured in financial
terms), the costs of treatment programs plus any administrative costs.
For example, the cost of risk can include the following factors:
• uninsured losses, including losses that fall below the deductibles
• internal (risk management) administration costs
• motor fleet management costs
• medical management/first aid
• fire protection
• government charges
• security
• quality assurance
• consultants’ fees
• insurance premiums.

www.anziif.com 151
Introduction to Management of Risk

As mentioned earlier with reference to the cost–benefit analysis when
selecting risk treatment options, it is worthwhile remembering that once the
high initial cost of a physical control measure has been incurred, the
organisation generally has the continuing benefit of these measures for little
or no extra cost. Conversely, insurance and other risk financing measures
often only provide cover for a limited period of time (usually 12 months)
before additional expenditure is required.

Case study—Just Right Couriers


Just Right Couriers have a fleet of 50 delivery vehicles, ranging from light
trucks to station wagons. This year’s insurance premium quote was $50,000.
Last year Just Right Couriers’ claims for vehicle accident repair costs were only
$20,000, so management have decided that they want to self-insure the
company’s motor vehicle fleet.
Monitoring and review of the self-insurance program will involve
determining:
• what types of areas need to be monitored
• what types of reports will be required and the frequency of these reports
• who will be responsible for managing monitoring and review of the self-
insurance program.

Self-help question 5.1


What factors need to be taken into account when monitoring the efficiency
and cost-effectiveness of Just Right’s motor vehicle self-insurance program?
Answers to self-help questions are provided at the end of each section.

Event/loss reporting
Another major part of monitoring and review is the establishment of a
variation reporting program—such as event/loss reporting—to provide detailed
information about the nature of variations from the expected that an
organisation has experienced over a particular period of time.
In loss reporting programs, it is essential that the details of near-miss and
below-the-retention loss events are captured so that these may be analysed and
used to form a complete picture of the success of the risk management program.
Such details enable an organisation to learn from all past incidents and also to
determine whether risk management is having a positive effect on the
organisation by reducing the number and severity of incidents occurring.
An effective event/loss reporting program must be established to allow the
incidence of loss to be monitored and reviewed. The categories of information
required and the format for reporting need to be determined before the
event/loss reporting program is implemented so that information can be easily
analysed at a later date. The program should be comprehensive, reliable,
accurate, electronically accessible and user-friendly.

Event/loss reports provide valuable information about the nature of unexpected
events and associated impacts incurred by an organisation, giving an insight
into both the likelihood and the consequence of the event. An effective
event/loss reporting program informs the organisation about the risk
exposures that have resulted in a negative impact over a particular period.
This information can be used to determine trends and to formulate the future
requirements of the organisation’s risk management program (particularly its
risk treatment plans) as well as any risk financing arrangements.
If the organisation uses a conventional insurance approach to risk
management, then it is also important that the event/loss reporting program
informs the organisation about the uninsured losses that occur during
that same period.
For example, an event/loss report related to an organisation’s insurances
should include items such as:
• details of individual losses, for example:
- date
- location
- circumstances of loss
- policy
- amount
- excess/deductible
• third party recovery action
• current state of each individual loss and, if outstanding, the reasons why.
The organisation should produce loss reports from statistical data sourced
from a variety of areas. The report might include information on the type of
risk exposure and the size or type of that exposure.
With regard to an insurance-related event/loss program, premium to claims
ratios are another area that an organisation may monitor in its event/loss
reporting program. These programs usually focus on a specific type of risk
exposure; for example, motor vehicle accidents and claims. Prior claims over a
number of years should be included in the event/loss report so that the
organisation’s claims history is presented over several years. This makes the
event/loss report a very useful tool when negotiating with insurers.
There is also a wealth of information available about local, national and global
trends in risk exposures and associated events/losses that may impact on an
organisation’s risk management program. For example, an insurer may
provide information on poor loss experience in a particular industry sector or
the hardening of the liability market with respect to non-profit and
community organisations that may require increased deductibles or
premiums to be imposed or may lead to the organisation introducing extra
risk treatment measures.

Mandatory event/loss reporting obligations may also be a necessary part of
operating a business in a particular industry. As such, some organisations
may already have established event/loss reporting systems in place to report
losses or incidents such as electrical breakdowns and workplace injuries.
A comprehensive loss reporting program can pinpoint specific risk exposures
which have resulted in a loss and can provide valuable information about
trends and considerations for lessening and perhaps eliminating the effects of
such risk exposures in the future. Strategic risk management which includes
loss reporting program data can have a significant impact on loss ratios.
Conversely, inaction can also have an effect on loss ratios.

Activity 5.1—Event/loss reporting


If possible, access an event/loss report used by your organisation and consider
the following questions:
• Who is responsible for the loss reporting program in your organisation?
• What is the standard content and circulation of the report?
• How is the loss reporting program maintained so that it is updated as
required?
• How is the loss reporting facility tailored to meet the needs of particular
departments/business units?
• What are the follow-up procedures to ensure action is taken on identified
problem areas?

Trend analysis
As part of the monitoring and review process, a trend analysis of event and/
or loss information is conducted to provide some indication of whether an
organisation’s loss experience is part of a particular trend. This analysis can
provide information on:
• unexpected event trends associated with particular risk exposures
• the changing nature of risk exposures and how the risk management
program (particularly risk financing) might be adapted to deal with these
exposures
• how to fund risks with a potential financial impact
• specific loss information—for example, what days of the week or what
time of the day are motor vehicle accidents likely to occur.


Valid and reliable statistical techniques need to be used to conduct a trend
analysis. The types of statistical data used to identify loss trends may include:
• time series analysis
• event frequency
• seasonal effects/peaks
• value comparison
• trend projections.
A brief overview of these methods of identifying and analysing trends is
provided below. However, if you wish to find out more about the methods, a
good starting point is the Australian Bureau of Statistics website
(www.abs.gov.au) or Statistics New Zealand (www.stats.govt.nz).

Time series analysis


A time series is a collection of observations of data items obtained
through repeated measurements over time; time series analysis is the study of
such a collection.
A time series analysis helps identify patterns and any trends developing over
time. It highlights three particular areas: long-term trends, seasonal
movements/shifts and irregular fluctuations.
Depending on the type of organisation and the activity involved, a time series
could cover anywhere from a number of months to a number of years. Ideally,
for loss statistics, the time series should cover at least five complete years but
preferably 10 years or longer.

Event frequency
This type of trend analysis highlights whether a particular event is occurring
on a regular basis. For example:
• Slippage accidents/incidents may be occurring on a factory floor on a
regular basis due to inappropriate flooring or inadequate definition of
employee/visitor walkways in a wet area.
• A spate of motor vehicle accidents may occur in the organisation’s car
parking facility.

Seasonal effects
Seasonal effects or peaks help identify whether there are certain times when an
incident might occur. For example:
• A chain of clothing stores expects to achieve higher sales than normal
during the weeks before Christmas.
• A fruit packing company might experience a higher incidence of
machinery breakdown claims during the summer fruit picking season.
• Fires at schools may occur more often at holiday times.
A seasonal effect is a systematic and calendar related effect. Understanding
seasonal effects and peaks and troughs allows an organisation to make
seasonal adjustments to budgets, forecasts, activities and the like.


Value comparison
Event/loss values for the same types of risk exposures can be compared to
help understand why one event/loss might cost more than another. This is a
useful analysis in terms of the effective management of unexpected events
and losses; for example, was the loss amount and/or impact reduced in the
second or third instance by employing risk management techniques?
Value comparisons can also be employed to review repairer/supplier costs to
ensure that the amount for a particular repair or provision of goods/services is
reasonable.

Trend projections
Available information from a number of different sources (for example, client,
insurer and industry data) may indicate a trend increasing or decreasing in the
future. Such trends may have an impact on an organisation’s risk
management program, particularly the risk financing component. Consider
the following example of a chart which shows a trend towards increasing
private motor vehicle insurance premium costs.
Table 5.1 Example—Private motor vehicle insurance cost per vehicle
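The trend analysis techniques described above, applied to an event/loss register of the kind the event/loss reporting discussion calls for, as an added example (this is not code from the ANZIIF module or from any particular organisation). The records, field names and dollar amounts are constructed for illustration; the projection uses a least-squares straight line through the yearly totals, which is one simple way of producing the trend projection the text mentions.

```python
"""Added example: a small event/loss register and the trend-analysis
techniques listed in the section, run over constructed sample records.
The register, field names and figures are illustrative assumptions."""
from collections import Counter, defaultdict
from datetime import datetime
from statistics import mean

# Constructed sample loss register (assumed data): one row per event with
# date/time, location, circumstances, policy, gross amount and the
# excess/deductible that applied - the items a loss report should record.
LOSS_REGISTER = [
    ("2021-03-12 08:15", "Depot A", "reversing collision", "motor", 1800, 500),
    ("2021-07-03 17:40", "City", "rear-end collision", "motor", 4200, 500),
    ("2021-12-20 09:05", "Depot A", "reversing collision", "motor", 1500, 500),
    ("2022-01-14 08:30", "Depot A", "reversing collision", "motor", 2100, 500),
    ("2022-06-21 17:55", "Highway", "single vehicle", "motor", 9800, 500),
    ("2022-12-18 18:10", "City", "rear-end collision", "motor", 3900, 500),
    ("2023-02-09 08:20", "Depot A", "reversing collision", "motor", 1700, 500),
    ("2023-08-30 17:35", "City", "rear-end collision", "motor", 4600, 500),
    ("2023-12-22 08:10", "Depot A", "reversing collision", "motor", 1400, 500),
    ("2023-12-27 13:00", "Depot A", "hail damage", "property", 6000, 1000),
]


def parse_register(register=LOSS_REGISTER):
    """Turn the raw rows into dicts with a parsed datetime."""
    rows = []
    for when, location, circumstances, policy, amount, excess in register:
        rows.append({
            "when": datetime.strptime(when, "%Y-%m-%d %H:%M"),
            "location": location, "circumstances": circumstances,
            "policy": policy, "amount": amount, "excess": excess,
        })
    return rows


def event_frequency(rows, key):
    """Event frequency: how often events occur by weekday, hour of day,
    location or circumstances (the 'what time of day' question)."""
    if key == "weekday":
        return Counter(r["when"].strftime("%A") for r in rows)
    if key == "hour":
        return Counter(r["when"].hour for r in rows)
    return Counter(r[key] for r in rows)


def seasonal_peaks(rows):
    """Seasonal effect: events per calendar month, pooled across years."""
    return Counter(r["when"].month for r in rows)


def value_comparison(rows):
    """Value comparison: mean gross loss and mean retained loss (the part
    below the excess) for each type of circumstance."""
    groups = defaultdict(list)
    for r in rows:
        groups[r["circumstances"]].append(r)
    return {
        circ: (mean(r["amount"] for r in group),
               mean(min(r["amount"], r["excess"]) for r in group))
        for circ, group in groups.items()
    }


def yearly_totals(rows):
    """Time series of gross loss per year (the basis for a projection)."""
    totals = defaultdict(int)
    for r in rows:
        totals[r["when"].year] += r["amount"]
    return dict(sorted(totals.items()))


def trend_projection(totals, year):
    """Trend projection: least-squares straight line through the yearly
    totals, evaluated at a future year."""
    xs = list(totals)
    ys = [totals[x] for x in xs]
    mx, my = mean(xs), mean(ys)
    slope = (sum((x - mx) * (y - my) for x, y in zip(xs, ys))
             / sum((x - mx) ** 2 for x in xs))
    return my + slope * (year - mx)


if __name__ == "__main__":
    rows = parse_register()
    print("events by hour:", dict(event_frequency(rows, "hour")))
    print("events by month:", dict(seasonal_peaks(rows)))
    print("mean gross / retained by circumstance:", value_comparison(rows))
    totals = yearly_totals(rows)
    print("yearly totals:", totals, "projected next year:",
          round(trend_projection(totals, max(totals) + 1)))
```

With this register the frequency counts show the reversing collisions clustering at the depot around 8 am, and the December peak is the kind of seasonal effect the text describes; on a real register the same functions would be run over a full claims history rather than ten constructed rows.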


Activity 5.2—Trend analysis techniques


Look at a loss report used by your organisation and consider the techniques
used to analyse any trends. Were there any recommendations made to reduce
the likelihood and consequences of future events/losses? If so, can you
identify whether the incidence and severity of the risk event has been
reduced? If there were no recommendations, can you identify the reasons
why?
Always remember the saying, ‘what you measure is what you get’. That is,
if relevant information is omitted from the analysis, you will end up with an
incomplete and inaccurate analysis and thereby may make incorrect and/or
misinformed remedial decisions. It is invariably too late to add extra analysis
requirements to an analysis system once it has been running for even a few
months. It is therefore important to get the design of such systems correct and
complete before they are implemented.

Taking action
After unexpected event and loss trend information has been assessed, it is
important to review the impact and significance of current and identified
trends so that suitable adjustments can be made.
There are occasions where organisations can put in place additional measures
after an unexpected positive event has occurred. Such measures can be
formulated to increase the likelihood of further occurrences as well as
increasing the benefit of any similar positive event occurring in the future.
There are also occasions where organisations can put in place additional risk
control management activities after a risk has been realised. Risk control
measures can be formulated to reduce further occurrences as well as reducing
the severity of any unexpected negative events and losses that may occur in
the future.
An organisation’s event and loss experiences should be monitored and
communicated at regular intervals so that action can be taken immediately
rather than just at the end of the financial year or at the time when renewal of
insurance covers is renegotiated.
It is important that any changes to an organisation’s risk management
program (particularly risk control measures) that result from loss reporting
and trend analysis are carefully considered, documented and communicated.
With regard to risk financing, the changes to an organisation’s risk
management program may also provide the basis for premium incentives or
penalties with respect to their insurance program.
The ultimate goal of a risk management program is not just to treat and
control an organisation’s risk exposures but rather to attempt to increase
profits while, where possible, preventing losses at the same time.


Self-help question 5.2


Masterprint’s risk management program is now in place. Management have
stressed the importance of regular formal monitoring and review.
1 Using information about Masterprint gathered in previous sections and the
information about event/loss reporting provided above, what information
would a property loss/event report for Masterprint most likely contain?
2 What procedures could Masterprint put in place to ensure regular formal
monitoring and review of: (a) individual risk exposures; and (b) the overall
risk management program?
Answers to self-help questions are provided at the end of each section.


Section summary
The ongoing monitoring of activities, actions, systems, benefits and losses is a
vital part of the success of the application of the risk management program.
People, products and activities are the focus of the monitoring process. A risk
management program needs both formal and informal monitoring and review
processes.
The most common reasons for monitoring the risk management program are
to:
• ensure performance targets are met
• properly allocate funds to the risk management program
• meet statutory reporting requirements
• identify new and/or changed exposures to risk
• defend the risk management program
• review the performance of the risk management program.
Establishing and maintaining unexpected event and loss reporting programs
is an effective way to monitor and review incidences of loss. Reporting
programs provide valuable information on which future decisions about risk
exposures and treatment and financing can be made.
A loss report should include items such as:
• details of individual losses
• third party recovery action
• claims outstanding and reasons why.
Types of statistical data used to identify trends include:
• time series analysis
• event frequency
• seasonal peaks
• value comparison
• trend projections.
Regular formal monitoring and review of a risk management program is
conducted to assess:
• the effectiveness of the risk treatment plan, strategies and management
system
• the effectiveness of control measures
• the relevance of the management plan
• factors which may affect the likelihood and consequences of a risk
• factors which affect the suitability or cost of particular treatment options
• management commitment to the risk management process.


Answers to self-help questions


Self-help question 5.1
The factors that need to be taken into account when monitoring the efficiency
and cost-effectiveness of Just Right’s motor vehicle self-insurance program are
listed as follows.
• Fleet details (year on year):
- description of vehicles
- kilometres travelled
- service regimes
- warranty claims.
• Driver details (year on year):
- description of driver, including licence renewals and authorised
vehicles to drive by category
- driver training courses
- age of driver—for example, incidence of loss under 25
- male/female split.
• Accident details:
- type of vehicle
- time of day
- location—for example, city/country
- weather conditions
- single or multiple vehicle accident
- police accident investigations reports
- third party claims
- total accident costs—for example, vehicle repairs, legal costs, third
party costs
- management time/costs to administer self-insurance program.
• Cost of risk: the total cost of the self-insurance program must be
aggregated and compared with original budgets and what the costs would
have been had commercial insurance been purchased as opposed to self-
insurance.


Self-help question 5.2


1 Masterprint’s property event/loss report might contain some of the
following information:
- if relevant, the specific insurance policies applicable and brief details of
the item/property insured and claims deductible
- date and time of the event and associated loss or damage
- specific location of the event (including loss and/or damage), including
the precise location of any machine/plant item that may be involved
- cause of the event/incident and how the loss and/or damage occurred
- amount of loss and/or damage and whether the item/property was
repaired or replaced
- nominating who is undertaking the repair/replacement, and the
timeframe involved
- details of any third parties to the event and the loss and/or damage
incurred, whether these parties may be responsible for the loss and/or
damage and what recovery action can be taken against these parties
- details of notification of the incident/event to police, if necessary
- any remedial action taken to avoid similar incidents
- other parties involved—for example, a finance company may have a
commercial interest in a plant item
- consequential interruption to the organisation or other parties
- details of external reports—for example, coronial inquiry
- review of contractual liabilities arising from the incident/event
- any government authorities involved in the incident/event and names
and details of these parties.
2 a Individual risk exposure monitoring techniques that Masterprint could
put in place include:
• incident/accident reports
• a copy of the insurance company claims reports
• property/liability surveys
• industry reports/statistics
• monitoring compliance with statutory reporting requirements—
for example, accident reporting requirements under various
occupational health and safety Acts
• technical information.
b The overall risk management program can be monitored by:
• development of a formalised plan—this should include regular
meetings to discuss any changes in the risk profile or the
organisation’s operations and ensuring necessary or recommended
actions are made
• development of a board/management risk management policy
statement
• training of key managers/personnel
• conducting of an organisational risk exposure review
• development of reporting and monitoring systems.

Section 6

Risk management and the insurance program

Introduction
While the business continuity or contingency plan is the safety net for every
organisation’s risk management program, insurance often provides the main
form of loss financing for the program. The development and implementation
of an effective insurance strategy is an integral part of any risk management
program—it is often the main method used by organisations to finance the
possible downside of the organisation’s exposures to risk. While this applies
equally to organisations in the insurance industry, the insurance company
also needs to effectively and efficiently manage both the benefits and the
downsides from underwriting the exposures to risk of its customers. This
needs to be included in its risk management program.

This section touches on how insurance companies manage the risks to which
they are exposed (both operational and underwriting) as well as how they
formulate their own risk management programs.

Learning outcomes
When you have completed this section you should be able to:
• outline how an insurance company manages both the operational and
underwriting risks to which it is exposed
• describe the basis and principles of underwriting that provide the major
source of an insurance company’s income
• explain the relationship between the insurance placement and the client’s
risk management program
• explain how appropriate risk assessment strategies and an insurance
company’s capacity to assess exposures to risk (both its own operational
risk exposures and those that it underwrites) are determined
• describe how an insurer establishes risk acceptance criteria for the
exposures to risk that it underwrites
• explain how an insurer’s risk assessment strategies for the exposures to
risk that it underwrites are implemented
• outline the evaluation and review processes of an insurer’s risk
management strategies for the exposures to risk that it underwrites.


Optimum level of retained loss


The primary objective of risk control is the avoidance of loss. However, too
often it is impossible to avoid all loss and, as a consequence, a secondary
objective of risk control is loss reduction. Here again it is rarely possible to
reduce loss to zero in financial terms. Thus, there remains the prospect that
despite all of the risk control efforts there may be an exposure to the risk of
loss for the insured. Whether any further action is taken will depend on
whether or not the exposure to the risk of loss that remains at that stage is
acceptable to the organisation. In fact, it would also be normal to apply the
same measure to the decision to implement a risk control measure. An
acceptable loss is one where the exposure is such that if a loss should occur,
the organisation’s survival would not be threatened.
What is an acceptable loss for an organisation depends on a number of factors
such as:
• the financial strength of the organisation
• the attitude of the board and management of the organisation—that is,
whether they are risk takers or risk averse
• the nature of the risk exposures in terms of the organisation’s activities—
that is, if a loss occurred, whatever its size, would it severely damage the
organisation’s future trading performance?
• the measures necessary to handle the risk of loss and its consequences so
as to minimise its effects on the organisation.
The correct identification and assessment of the risk of loss is the essential first
step in determining whether a loss is acceptable or it requires further
treatment in order to improve the risk exposure so that any loss from it
becomes acceptable. Care must be taken to ensure all aspects of the risk
exposure and all of its consequences are taken into account in its evaluation.
In addition, to correctly evaluate the exposure it is also necessary to take stock
of the organisation’s own financial resources as ultimately it is these that will
cushion the impact of any loss. One common measure is the organisation’s
optimum loss retention level for which there are a wide range of techniques
that may be used. Listed below are some that are often used by risk managers.


Risk management and the insurance program

a) Annual aggregate limits


• 1 per cent to 5 per cent of working capital.
• 1 per cent to 5 per cent of pre-tax earnings. This is sometimes
expressed as 1 per cent to 3 per cent of current earnings plus 1 per
cent of the average of the previous five years’ pre-tax earnings.
• Up to 10 per cent of earnings per share. This is also sometimes
expressed as 3 per cent to 5 per cent of earnings per share plus 0.1 per
cent to 0.5 per cent of sales.
• 1 per cent to 3 per cent of total assets.
• 1 per cent of net worth plus 1 per cent of the average of the past five years’
pre-tax earnings.
• The basket method, which brings together a range of different elements
and was described by Robert J. Hansman in Risk management, July
1982, covering:
Table 6.1 Basket method

Liquidity elements                    Weighting factor   Result
Working capital                       × 0.03             =
Non dedicated cash                    × 0.25             =
Financial strength
Net worth                             × 0.02             =
Total assets                          × 0.02             =
Gross sales                           × 0.01             =
Earnings
Projected earnings                    × 0.05             =
Historical earnings (last 3 years)    × 0.05             =

Total of results                                         = Mean
Standard deviations of the results                       = Adjustment factors
Risk retention level                                     = Mean less Adjustment
These are only guides to the maximum value of annual loss retention (both
insured and uninsured) and they should, therefore, be modified to take into
account the current circumstances and attitude to loss of the organisation. The
calculated value may also be used as the basis for determining a per event
deductible by dividing it by at least five.


b) Limit any one occurrence


• Up to 0.1 per cent of turnover
• Up to 0.1 per cent of shareholders’ funds.
These are only a rough guide to the maximum level of per event deductible.
They should, therefore, be modified to take into account the current
circumstances and attitude to loss of the organisation.
When assessing whether or not the amount of retained loss is acceptable, any
loss financing that has been placed should be taken into account as an
extension of the organisation’s financial resources. It should not, therefore, be
treated as a measure that reduces the exposure to the risk of loss or that
improves the acceptability of loss.
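The retention guides in (a) and (b) and the basket method in Table 6.1 worked through in code, as an added example that is not part of the module. The financial figures are constructed for a hypothetical organisation; reading the basket method as taking the mean of the weighted results and subtracting one standard deviation of those results as the adjustment is an assumption made for this example, as is averaging the three historical years' earnings before applying the 0.05 weighting.

```python
"""Added example: the rule-of-thumb retention guides and the basket
method from Table 6.1 applied to constructed figures. The figures and
the reading of the table (mean of weighted results less one standard
deviation of those results) are assumptions made for this example."""
from statistics import mean, pstdev

# Constructed balance-sheet and earnings figures for a hypothetical
# organisation (assumed data, in dollars).
FINANCIALS = {
    "working_capital": 2_000_000,
    "non_dedicated_cash": 400_000,
    "net_worth": 5_000_000,
    "total_assets": 8_000_000,
    "gross_sales": 12_000_000,
    "projected_earnings": 1_500_000,
    "historical_earnings": [1_200_000, 1_400_000, 1_300_000],  # last 3 years
    "pre_tax_earnings": 1_500_000,
    "turnover": 12_000_000,
    "shareholders_funds": 5_000_000,
}


def pct(value, p):
    """p per cent of value, computed as value * p / 100 to avoid float noise."""
    return value * p / 100


def annual_aggregate_guides(fin):
    """Three of the (a) guides as (low, high) dollar ranges for the annual
    aggregate retention."""
    return {
        "1-5% of working capital":
            (pct(fin["working_capital"], 1), pct(fin["working_capital"], 5)),
        "1-5% of pre-tax earnings":
            (pct(fin["pre_tax_earnings"], 1), pct(fin["pre_tax_earnings"], 5)),
        "1-3% of total assets":
            (pct(fin["total_assets"], 1), pct(fin["total_assets"], 3)),
    }


def basket_method(fin):
    """Table 6.1: weight each element, take the mean of the results and
    subtract their standard deviation (the adjustment) to arrive at the
    risk retention level. Historical earnings are averaged over the three
    years before weighting (an assumption about how that row is read)."""
    results = [
        pct(fin["working_capital"], 3),            # liquidity elements
        pct(fin["non_dedicated_cash"], 25),
        pct(fin["net_worth"], 2),                  # financial strength
        pct(fin["total_assets"], 2),
        pct(fin["gross_sales"], 1),
        pct(fin["projected_earnings"], 5),         # earnings
        pct(mean(fin["historical_earnings"]), 5),
    ]
    result_mean = mean(results)
    adjustment = pstdev(results)
    return result_mean - adjustment


def per_event_deductible(annual_retention, divisor=5):
    """Per event deductible derived from the annual figure by dividing it
    by at least five, as the text suggests."""
    return annual_retention / divisor


def per_occurrence_guides(fin):
    """The (b) guides: up to 0.1 per cent of turnover or shareholders' funds."""
    return {
        "0.1% of turnover": pct(fin["turnover"], 0.1),
        "0.1% of shareholders' funds": pct(fin["shareholders_funds"], 0.1),
    }


if __name__ == "__main__":
    for name, (low, high) in annual_aggregate_guides(FINANCIALS).items():
        print(f"{name}: {low:,.0f} to {high:,.0f}")
    annual = basket_method(FINANCIALS)
    print(f"basket method annual retention: {annual:,.0f}")
    print(f"per event deductible (annual / 5): {per_event_deductible(annual):,.0f}")
    for name, value in per_occurrence_guides(FINANCIALS).items():
        print(f"{name}: {value:,.0f}")
```

Comparing the basket figure with the simpler guides for the same hypothetical organisation shows why the text calls them guides only: the ranges overlap but do not agree, and the organisation's circumstances and attitude to loss decide where within them the retention is set.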

Insurance companies do not, however, use these types of calculation to
calculate any one occurrence excess that will be applied to the business that is
written, although the annual aggregate calculation may provide a guide in
placing necessary reinsurance protection (stop loss and excess of loss) for the
portfolio that it underwrites.

How insurance companies manage exposures to risk
Organisations in the insurance industry, like those in other industries, are
exposed to a wide variety of risks. To achieve the optimum result, the
organisation should manage those exposures to risk holistically and logically
according to an overall plan. For many types of organisations the majority of
the exposures to risk are operational in nature, occurring because the
organisation exists and is taking risks in order to make a profit or to provide a
service. The insurance company is exposed to operational risks but, in
addition, for an insurance company a significant proportion of its exposures
to risk are financial in nature and are inherent in the business that it
underwrites. Regardless of this, the insurance company should still develop a
risk management program that covers both its operational and underwriting
exposures to risk.
An insurance company utilises risk management by making decisions on the
basis of expected loss levels arising from a balanced pool of business (as
determined by its actuaries and/or underwriters). Its underwriting is based on
the past performance of that pool of business, which dictates the guidelines for its
underwriters. The actuaries present a range of potential outcomes, the central
part of which becomes the expected outcome, based on the average risk
exposure in the portfolio. As risk management is a discipline for dealing with
deviations from the expected (both favourable and unfavourable), the
insurer’s next steps involve developing guidelines/controls for employee
actions, suggestions for customer behaviour (not always enforceable) and the
spreading of unexpected results among its financial partners (i.e.
shareholders, customers and other financial partners, using such techniques as
bank credit, hedges and reinsurance).


An insurance underwriter must measure the probability of results being
experienced that are either better or worse than expected and take action to
enhance the former and reduce the latter. Astute selection of customers and
encouraging customers to adopt controls and preventive measures enhances
the upside of the underwriter’s exposure to risk. Conversely, limits on the
number of customers and the purchase of reinsurance can reduce the
downside of exposure to risk.

Managing operational and underwriting risks


An insurance company is exposed to a range of different risks that not only
include those to which every non-insurance organisation is exposed (i.e. the
operational exposures to risk), but also those of the business that it
underwrites. It manages these two groups of exposures to risk differently.
It manages those risks to which every organisation is exposed (i.e. its
operational risks such as those that occur from the ownership or use of assets
or the employment of people or from entering into legal relationships) by
utilising the risk management process outlined in the earlier sections of this
module in the same way as non-insurance organisations.

The risk exposures of the business that it underwrites are those of the
insurance company’s insureds, and the insurer is consequently unable to
directly manage such exposures to risk other than to provide suitable loss
financing. However, the underwriter may play a significant role in assisting
the client to better manage the risks to which the client is exposed. The
underwriter can do this by using risk exposure survey information, the
proposal form or its equivalent, the insurance company’s risk exposure
knowledge base, and the insurance company’s underwriting guidelines to:
• make suggestions on how the client may implement additional risk and
loss control measures and also suggest possible improvements
• determine whether or not to accept the business
• set the terms and conditions of cover (e.g. deductible, scope of cover,
limitations, or extensions, limits), if the business is acceptable
• if the business is acceptable, determine a suitable rate for the business.


Loss financing techniques


In establishing suitable arrangements to finance any losses from the business
that it underwrites, the insurance company management and/or underwriter
uses a combination of techniques similar to other financial institutions such as
merchant and trading banks, building societies and loan companies. These
techniques include purchasing some form of loss financing such as
reinsurance.
Like a non-underwriting organisation (including intermediaries and other
non-underwriting organisations in the insurance industry), an insurance
company will also implement suitable risk and loss control measures in
respect of the physical and liability (i.e. operational) risks to which it is
exposed. It will do this to maximise any upside of such risk exposures while
minimising any losses to its assets, personnel and legal relationships.
Recognising that it may suffer a loss that is greater than its own financial
resources, an insurance company may, like a non-underwriting organisation,
elect to effect some form of loss financing such as insurance.
Insurance companies need to establish a risk management program as indeed
do other organisations in the insurance industry. In the case of the insurer, the
risk management program must not only cover its operational risk exposures
but also the result from the business that it underwrites. This aspect of an
insurance company’s risk program will be examined later in this section.

168 GI512-15 16.01


Risk management and the insurance program

The basis of underwriting


An insurance company creates a fund from the contributions of many
different insureds out of which the losses of a few of those insured are paid.
The contributions to the fund all relate to risk exposures that have similar
characteristics and therefore form a homogeneous group.
An insurer will underwrite more than one such group if it is to remain
commercially viable. However, for statistical purposes, it is usual for an
insurer to combine groups of homogeneous risk exposures under specific
types of business, such as fire or liability, to create a portfolio that is balanced.
In effect, underwriting involves:
• determining the level of contribution that is to be made to the fund by each
average exposure to risk (i.e. to ensure that the rate is commensurate with
the amount of extra exposure that is added to the insurer’s portfolio of
business by underwriting the particular exposure to risk)
• deciding on whether or not to underwrite a particular exposure to risk
• determining whether to apply the average rate, terms and conditions to the
particular risk exposure or to adjust these rates to take account of the
greater or lower exposure to risk as compared to the average.
Underwriting therefore involves four distinctly different, though related,
functions:
1 Determining the types of risk exposure that will form each balanced or
homogeneous portfolio of business.
2 Designing the scope, terms and conditions of the insurance contract that
will be used for each particular portfolio. In terms of efficiency, an insurer
will try to limit the number of different wordings it uses.
3 Determining the rate to be charged for the average exposure to risk and
any permitted variation to allow for the non-average exposure to risk. This
is rate making.
4 Deciding on the parameters for the acceptance or the declinature of specific
exposures to risk and appropriate terms and conditions.

What is a balanced portfolio?


The characteristics of a balanced portfolio are determined by:
• size of the portfolio
• characteristics or type of risk exposures
• diversity of risk exposures
• control of portfolio
• retention.


Size of the portfolio


When setting benchmarks for the size of the portfolio, it is important to
remember the portfolio must have:
• a large enough number of risk exposures to allow probability theory and
its associated laws to be used to predict the likely incidence and severity of
loss to a known degree of accuracy as well as ensuring an ability to
support associated costs
• the ability to grow, by generating new business (not by premium
increases).

Characteristics of the risks


A well-balanced portfolio will have these characteristics:
• a good mixture of small and large risk exposures
• different types of probable claims, for example greater loss frequency
compared to loss severity
• the probability that a large percentage of the portfolio will renew.

Small risk exposures have high administration costs, but the loss of a few
smaller risk exposures on renewal to another insurer will hardly be noticed.
Large risk exposures have the potential for larger claims, but lower
administration costs. However, the loss of a large risk exposure on renewal to
another insurer may have a significant negative impact upon the premium
pool. A good mix of small and large risk exposures helps balance potential
payouts, improves overall stability and helps ensure profitability.

The mix of potential claims should also be varied. Loss frequency refers to
many small claims; loss severity refers to large, serious claims. Both have
a significant impact on profitability. While new business costs are high, a large
percentage of renewal business allows for a better chance of profit.

Diversity of risk exposures


Risk diversity can be achieved by underwriting a good spread of risk
exposures in terms of location, size and type such as:
• The type of construction—for example with home insurance, too many older
timber homes would unbalance a portfolio. In private motor insurance, too
many under 21-year-old drivers would unbalance a portfolio.
• Location of risk exposures—for example, you do not want the majority of
risks located in a known cyclone, flood, bush fire or high crime area. The
acceptance of a risk exposure needs to be monitored to ensure a good
spread of locations and this can be accomplished by use of area weather
information and/or postal codes.


Control of portfolio
To control portfolios, insurers need to:
• provide clear guidelines and procedures in the form of underwriting
guidelines to staff and management
• update those guidelines and procedures regularly to reflect changes in
products
• conduct ongoing training of underwriters, claims officers, brokers and
management
• be willing to make hard decisions and decline to invite renewal for
substandard business, both for individual risk exposures and blocks of
business from unprofitable brokers or agents
• review portfolio statistics on a regular basis.
All staff need to understand the key components of successful portfolios.
Managers in particular need to continually monitor the statistical data to
ensure benchmarks are being met.
Finally, it is important to react to unprofitable risk exposures immediately,
maybe even prior to renewal. This takes the co-operation of the broker or
agent as well as continual monitoring by and communication between
underwriting and claims departments.

Retention
Retention of a portfolio for a number of years so as to even out the effects of
the costs of placing and maintaining the business on its books creates stability
and a deeper understanding. This type of loyal portfolio is basically re-
underwritten on each renewal by the company’s guidelines and, in most
cases, should return a reasonable profit.


Rate making
The first two functions occur relatively infrequently, with the first setting the
scope of the cover and the details of the losses that will be covered. The rate
making function involves:
• Determining the make-up of each homogeneous group of exposures to risk
to be used when setting the rates for each particular type of contract.
• Deciding what will be considered the normal or average exposure to risk
for each homogeneous group.
• Calculating a rate for providing cover for the average risk of each
homogeneous group for a twelve-month period. When calculating this rate,
the underwriter needs to take into account:
- the loss experience for each homogeneous group—this is normally
calculated using trend results from at least the last five years, although
ten years will produce a more stable result
- the cost of managing claims
- other management and administration costs
- any procurement costs
- the cost of purchasing reinsurance protection (if relevant)
- an allowance for a suitable profit margin.
Together these elements produce the pure underwriting rate.
Note: It is now also normal practice to take a contribution from the interest
earned on the premium and claims reserves into account when setting the
rate.
• Deciding on:
- those features of an exposure to risk that make it better or worse than
the average exposure to risk, and
- what additional rate or reduction must be charged for such features to
ensure that the result from the group over time is as close as possible to
or better than that planned.

Acceptance of business forms the major part of an underwriter’s day-to-day
work. The underwriter assesses the extent to which each exposure to risk
offered varies from the average in terms of:
• the extent of the particular variation from the average
• the period for which cover is required
• how far any extra risk of loss above that of the average exposure to risk
may be counteracted by loss prevention or risk reduction measures
• the rate to be charged and the additional terms and conditions to be
imposed.


Self-help question 6.1


You have been asked by your manager to recalculate the rate that your
company is charging on its homogeneous portfolio of houses. The manager has
provided the following information:
• the total sum insured of the portfolio is $550 million
• the total number of properties in the portfolio is 1,500
• the average total amount of claims incurred over the past ten years is
$1 million
• the amount currently spent on reinsurance for this particular portfolio is
$15,000
• the average cost of managing claims over each of the past ten years is
$10,000
• other management and administration costs are estimated to be $35,000
per year
• procurement costs have averaged out over the past ten years at 18 per cent
• your company plans to make a five per cent profit margin.

Calculate the pure underwriting rate percentage (to two decimal places) to be
charged on the average risk exposure in this portfolio.
An answer to this self-help question is provided at the end of this section.

The principles of underwriting


There are a number of principles that apply to all types of insurance business
that should be kept in mind when assessing risk exposures for the possible
inclusion in a portfolio of business. Using the table of rates for the particular
homogeneous group, an insurance company should:
• Charge a premium that is commensurate with the increase in the total risk
for the portfolio caused by the assumption of the new business.
• Ensure that all claims settlements are within the terms of the contract and,
where applicable, follow the principle of indemnity.
• Underwrite the business using the same basic assumptions and criteria
that were used in compiling the table of rates and the contract for the
group of homogeneous risk exposures.
• Write the gross account as if it were the net account so as to protect the
reinsurance support that has been effected to limit the insurance
company’s loss while at the same time maximising any benefit that may be
gained from underwriting the portfolio of business.


Overview of risk management and insurance programs
Be aware that the insured’s risk management program is developed first and
the insurance placement (if required) is influenced to a large extent by the
results of applying the risk management process to the insured’s exposures to
risk. In addition, the cost, terms and conditions of the insurance placement
may also significantly influence the client’s risk and loss control strategies as
well as the level of self-insurance adopted by the client.
The company policies, procedures, underwriting guidelines and authorities all
form part of an insurer’s own risk management program for managing the
business that it underwrites. These form the parameters within which the
underwriter makes a judgement on whether or not to accept a particular piece
of business and, if so, on what terms and conditions and at what rate. The
parameters are established using:
• the insurer’s financial strength in terms of the reserves on its balance sheet
• loss trends of the types of business that it plans to underwrite
• the terms and conditions of any reinsurance cover that the insurer buys to
protect its bottom line.
Every industry has its own particular mixture of hazards and, as a
consequence, exposures to risk. It is essential that those underwriters
undertaking the survey of the risk exposures of an insured belonging to a
particular industry are aware of the types of hazards and exposures to risk
that may be found in that industry. The insurance company also needs to have
a detailed knowledge of the likely causes of loss in that industry and how
these may be avoided or minimised. This will assist the underwriter in
making a detailed assessment of the information supplied by the insured, the
broker (possibly) and the surveyor.
If the insurance company’s or the insurance industry’s loss experience
changes over time, it is possible that premium levels may need to be
readjusted or additional risk or loss control measures required in order to
bring the results of the portfolio back into line with the planned results. In
addition, the insured’s risk exposures may change over time and, as a
consequence, may vary significantly from the exposures used in making the
original underwriting decision. Therefore, it is possible that some adjustments
may need to be made in terms of premium, terms and conditions of the policy
or in the risk and loss controls being implemented by the client. If the changes
in loss experience or in the client’s risk exposures are extreme, it is possible
that the underwriter may decide not to renew the business.


Activity—Impact of changes to a risk


If possible, access a file on an insured where the exposures to risk have
changed significantly from the original acceptance of the risk. What impact
did these changes have on premium, terms and conditions of the insurance
program?

Self-help question 6.2


After presenting the results of your rate recalculation in self-help question 6.1
to your manager, he asks you to rework the rate using a revised incurred
claims figure of $750,000, which is a reduction resulting from a change in
reinsurance coverage. This will double the cost of reinsurance but will slightly
reduce the cost of claims handling to $9,500 per year. In addition, you are now
to take investment income of $50,000 into account in your calculations.

Use the following calculations to determine the correct answer.


Calculation A
(Claims + RI (reinsurance) + claims management costs + administration costs)
÷ sum insured
Note: Use $5.5m (not $550 million), as you produce a rate per $100 of sum
insured.
Calculation B
It is necessary to adjust the result to allow for procurement costs and a profit
margin. As these figures are a percentage of the final rate that is to be applied,
the approach is different from Calculation A.
Calculation A result ÷ (1 − (procurement costs + profit margin))
= Rate percent to be used.
An answer to this self-help question is provided at the end of this section.
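The two-step calculation above carried through in code for the figures in self-help questions 6.1 and 6.2; this is an added example, not part of the ANZIIF module. The `PortfolioCosts` record and function names are mine, investment income is deducted on the cost side as the module's model answer does, and the rate is expressed per $100 of sum insured (which is why the text divides by $5.5m rather than $550 million).

```python
"""Pure underwriting rate (per $100 of sum insured) from Calculation A and B.

Added example for self-help questions 6.1 and 6.2; not part of the ANZIIF
module. The figures below are the ones given in those two questions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class PortfolioCosts:
    """Annual figures for one homogeneous portfolio (dollar amounts unless noted)."""
    sum_insured: float              # total sum insured of the portfolio
    incurred_claims: float          # average annual claims incurred
    reinsurance: float              # annual reinsurance cost for the portfolio
    claims_management: float        # average annual cost of managing claims
    administration: float           # other management and administration costs
    procurement: float              # procurement costs as a fraction of the final rate
    profit_margin: float            # planned profit margin as a fraction of the final rate
    investment_income: float = 0.0  # interest on premium/claims reserves (question 6.2)


def calculation_a(c: PortfolioCosts) -> float:
    """Net annual cost of carrying the portfolio, per $100 of sum insured.

    Dividing by (sum insured / 100) is the text's "use $5.5m, not $550 million":
    the result is a percentage rate, not a dollar amount.
    """
    net_cost = (c.incurred_claims + c.reinsurance + c.claims_management
                + c.administration - c.investment_income)
    return net_cost / (c.sum_insured / 100)


def calculation_b(cost_rate: float, procurement: float, profit_margin: float) -> float:
    """Gross the cost rate up for items defined as a share of the FINAL rate.

    Procurement and profit are a percentage of what is charged, not of cost,
    so the rate is cost / (1 - share) rather than cost * (1 + share).
    """
    share = procurement + profit_margin
    if not 0 <= share < 1:
        raise ValueError("procurement + profit margin must be a fraction below 1")
    return cost_rate / (1 - share)


def pure_underwriting_rate(c: PortfolioCosts) -> float:
    """Rate per cent to charge on the average risk exposure in the portfolio."""
    return calculation_b(calculation_a(c), c.procurement, c.profit_margin)


def rate_breakdown(c: PortfolioCosts) -> dict:
    """Split the computed rate into cost, procurement and profit components.

    Sanity check on Calculation B: the three parts must add back to the rate,
    with procurement and profit at exactly their planned share of it.
    """
    rate = pure_underwriting_rate(c)
    return {
        "rate_percent": rate,
        "cost_share_percent": calculation_a(c),
        "procurement_percent": rate * c.procurement,
        "profit_percent": rate * c.profit_margin,
    }


# Constructed from the figures given in self-help question 6.1.
SELF_HELP_6_1 = PortfolioCosts(
    sum_insured=550_000_000, incurred_claims=1_000_000, reinsurance=15_000,
    claims_management=10_000, administration=35_000,
    procurement=0.18, profit_margin=0.05,
)

# Self-help question 6.2: lower incurred claims, doubled reinsurance,
# slightly cheaper claims handling, and $50,000 of investment income.
SELF_HELP_6_2 = PortfolioCosts(
    sum_insured=550_000_000, incurred_claims=750_000, reinsurance=30_000,
    claims_management=9_500, administration=35_000,
    procurement=0.18, profit_margin=0.05, investment_income=50_000,
)

if __name__ == "__main__":
    for label, costs in (("6.1", SELF_HELP_6_1), ("6.2", SELF_HELP_6_2)):
        print(f"Self-help {label}: rate = {pure_underwriting_rate(costs):.2f} per cent")
```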

Evaluating risk and compliance factors


Evaluating the risk and compliance factors of an exposure is particularly
important from an underwriter’s point of view. The evaluation will determine
whether the particular exposure to risk is accepted by the insurance company
and, if so, on what terms and at what cost. To evaluate the risk and
compliance factors for each particular exposure to risk, the underwriter will:
• access and analyse relevant data (e.g. data gathered from client, broker and
surveyor)
• evaluate each particular risk exposure against the risk acceptance criteria
within the context of the insurance company’s underwriting guidelines
• investigate and review the risk exposure data and the loss experience at
the commencement of the cover and thereafter at regular intervals
• consider whether the analysed risk exposure complies with relevant
legislation and company policy.


Analysis of client data


The underwriter uses information that is obtained from the client in the form
of a proposal form or, in the case of the larger clients, in the form of an
underwriting submission prepared by an insurance intermediary. The
underwriting submission usually contains information about the client’s:
• exposures to risk
• loss experience over a number of years
• organisation, its operations and its risk management program—in
particular any risk and loss controls that have been implemented as well as
information on the moral hazards associated with the particular client’s
business.
In addition, it is normal for the underwriting submission to be supplemented
by a report from a risk surveyor or loss control engineer on the specific
exposures to risk that the insurer is being asked to underwrite. The risk
surveyor or the loss control engineer may be an employee of the insurance
company, or the placing broker, or very occasionally an independent
specialist to whom the underwriter has sub-contracted survey work. In rare
cases the insured may appoint its own risk surveyor or loss control engineer
as part of its work to better understand and control the losses that may be
expected from its exposures to risk.

Underwriting guidelines
As part of its risk management program, the insurance company will
formulate underwriting requirements for each type of business that it intends
to underwrite. These requirements will detail:
• the types of exposure to risk that it will underwrite provided it has the
necessary reinsurance cover in place and has sufficient details about the
individual exposure to risk
• the standard terms and conditions that will be required for accepting such
risk exposures
• the minimum acceptable level of exposure to moral hazard.
In addition, as outlined above the insurer will have formulated the premium
rate to be charged, based on the average exposure to risk which, in theory,
should take into account:
• the loss statistics for the type of exposure to risk
• the reinsurance premium that has to be paid
• the insurer’s expenses for management
• loss administration expenses
• business procurement expenses
• profit.


Investigating risk exposures


All exposures to risk should be fully investigated (as far as it is economical to
do so) before they are accepted and underwritten. However, it should be
noted that for many portfolios the risk exposures are all basically very similar,
or standard, such as in a portfolio of private cars, houses or their contents,
which means that acceptance and underwriting are routine. It is essential for
profitable underwriting that every accepted non-standard exposure to risk
(physical, legal and moral) is comprehensively investigated and reviewed on
a regular basis by both the insured and, while part of its portfolio, the
insurance company. By doing so, both the insured and the underwriter are
able to ascertain the effectiveness of the risk and loss control measures that
have been implemented and make adjustments as required. In addition, the
underwriter is able to monitor that the assumptions that have been made in
setting the premium rates for the particular type of business are still valid and
that the business continues to fall within the scope of the reinsurance
arrangements that have been effected.

Activity—Assessing risk exposures


If possible, access a recent non-standard insured file that you have handled
and determine the ways in which the exposure to risk was assessed before it
was accepted by your company.
1 Besides the proposal, were there any other risk assessment documents
used to help assess the exposure to risk? (e.g. underwriting submission,
claims history report, surveyor’s reports.)
2 In what particular ways were your company’s underwriting guidelines
applied to the particular exposure to risk? (e.g. premium, terms,
conditions applied to the risk.)
3 Has the exposure to risk been reviewed since the inception of the
insurance program?
4 Has the exposure to risk changed since the inception of the insurance
program?


Risk management strategies


Determining, establishing, implementing and evaluating risk management
strategies is an essential part of any insurance company’s risk management
program.

Determining appropriate risk assessment strategies
Determining appropriate risk assessment strategies (i.e. determining the
insurance company’s capacity to analyse and evaluate risk exposures) is an
essential step in formulating the risk management context for the company.
The risk assessment strategies will help establish:
• the parameters within which the underwriter must work when assessing
any business that is offered to the insurer
• the risk acceptance criteria for each type of business offered to the insurer
• the terms and conditions that must be applied to any business that is
accepted
• the rating structure that must be applied to any business that is accepted.

While these strategies will vary between the different types or classes of
exposures to risk that the insurer has decided to underwrite (e.g. property,
liability, marine) they will all involve the same basic steps:
• consideration of the likely consequences that may occur from underwriting
the selected type of business and how likely those consequences are to
occur
• consideration of what makes a particular risk exposure of the selected type
acceptable in terms of the consequences and likelihood compared to other
exposures to risk.

The selected risk assessment strategies will enable the insurer to ensure that
its underwriters only accept and therefore underwrite business within the risk
acceptance criteria that were originally determined when the insurer decided
to underwrite the selected types of risk exposure.

Establishing risk acceptance criteria


An insurance company establishes risk acceptance criteria—its form of risk
exposure criteria—by:
• setting risk acceptance criteria, and associated authority limitations,
conditions and guidelines
• determining terms and conditions of risk acceptance for low hazard risk
exposures
• determining terms and conditions of risk acceptance for high hazard risk
exposures
• documenting risk acceptance criteria and guidelines, obtaining feedback
and conducting reviews.


In the course of formulating its risk management policy, an insurance
company will have firstly determined the types of business that it will offer to
insure. The insurer will then establish the rates, terms, limitations and
conditions that the underwriters are to use for the standard risk exposure for
each type of business that the company will underwrite as outlined above.
The next step in the process is to determine the criteria that underwriters will
use when deciding whether or not to accept individual exposures to risk for
each particular type of business.
It is recognised by insurers that risk exposures within each type of business
often vary from what is considered to be average or standard. Therefore,
underwriters need to be given guidelines on how these variations are to be
handled and the standard rates, terms or conditions of acceptance varied so as
to bring the likely results from underwriting non-standard exposures to risk
into line with that of the standard exposure to risk. As such, the terms and
conditions of acceptance for both the low and high hazard risk exposures
should be determined before any business is underwritten.
The final stage in the process is to determine the underwriting authority that
is given to each level of underwriter. Ideally, the structure of underwriting
authority within an insurance company is such that the majority of risk
exposures are able to be underwritten at the lowest possible level within the
structure.
An insurance company, like the non-insurance organisation, should document
all aspects of its risk management program and in particular the underwriting
risk acceptance criteria and guidelines. These generally take the form of an
underwriting or rating manual for each type of business that will be
underwritten. The underwriting or rating manual sets out the rates, terms,
limitations and conditions for the standard risk exposure for the class of
business together with the variations in terms and conditions required for the
acceptance of non-standard risk exposures. It is essential that there is ongoing
feedback on the underwriting risk acceptance criteria and guidelines. This
feedback, together with the emerging results from underwriting a particular
portfolio, is used to regularly review the underwriting or rating manual. If
necessary, the manual may need to be adjusted so that it truly reflects any
variation in results from the portfolio results that the insurance company
originally intended and planned for.


Implementing risk assessment strategies


Implementation of the assessment strategies that form part of the risk
management program involves communicating risk assessment strategies and
risk acceptance criteria and guidelines to relevant staff and intermediaries.
The effects of the risk assessment strategies should also be monitored.
It is essential that the underwriting manuals and other supporting material be
circulated throughout the insurance company to all personnel who are
involved in the processing of new and renewal business, including those
involved in surveying exposures to risk and handling claims. This material
may be incorporated in the insurer’s IT systems by which all business is first
underwritten or renewed. Once this material has been distributed it should be
supplemented with regular training of all personnel in the use of the manual
and in particular in the insurer’s risk assessment strategies as well as the risk
acceptance criteria and guidelines. The insurer should also ensure that all
intermediaries who introduce business are kept advised of the broad terms of
the risk assessment strategies and the risk acceptance criteria that the
underwriters are using. In addition, any advertising material that the insurer
uses, including the proposal forms, should reflect these strategies and risk
acceptance criteria.

To ensure that exposures to risk are being underwritten in a manner that is
commensurate with the planned outcomes for the portfolio of business, the
effectiveness of the risk assessment strategies and risk acceptance criteria and
guidelines should be continually monitored and reviewed. This involves
gathering feedback from those personnel who are involved in underwriting as
well as those involved in handling the claims from the business that has been
underwritten.

Activity—Communicating risk assessment strategies


Investigate how risk assessment strategies and risk acceptance criteria and
guidelines are communicated within your organisation.

Besides relevant staff, who else are risk assessment strategies and risk
acceptance criteria and guidelines communicated to? Do persons external to
the organisation (e.g. relevant intermediaries) have access to the risk
assessment strategies and risk acceptance criteria and guidelines?


Case study—Right Engineering Co and Medium Light Engineering Co
Acme Insurance Brokers has approached your company for quotes for
property insurance for two large locally-owned light engineering companies,
Right Engineering Co and Medium Light Engineering Co, which are due for
renewal in eight weeks.
Your organisation currently does not insure either company. Both
submissions asked for the quote to cover earthquake damage in those
locations, where the earthquake exposure is above normal. In addition, Right
Engineering has asked that the quote be made on the basis that a $500,000
deductible be applied to each and every claim while Medium Light
Engineering has asked that the deductible be set at the lowest possible level.
Both companies are similar in size and both have operations in Sydney,
Brisbane, Adelaide and Melbourne, Australia, as well as in Wellington, New
Zealand. Their engineering plants are single-story high, concrete-floored and
constructed of concrete block and steel. They also employ a similar number of
staff and, while Medium Light Engineering is privately owned, Right
Engineering is listed on the Australian stock market.
From the extensive underwriting submission for each company that you
received from Acme Insurance Brokers and the survey carried out by your
company fire surveyor, you note that Right Engineering has implemented an
extensive, well-regarded risk management program under the guidance of a
sub-committee of its board, whereas Medium Light Engineering has done
little other than satisfy the risk control demands of its current insurer. Right
Engineering has installed fully functioning sprinklers in all of its premises
while Medium Light Engineering has only fitted smoke alarms in its premises.
Both have also installed the normal standard fire hydrants and other first aid
appliances, as well as burglar alarms.

The values for the premises are as follows:

Location      Right Engineering    Medium Light Engineering
Sydney        $50 million          $49 million
Brisbane      $30 million          $31 million
Adelaide      $25 million          $24 million
Melbourne     $42 million          $44 million
Wellington    $15 million          $13 million


The pure underwriting rate in your company’s rate book for the average type
of risk in this industry, provided that it is located in the average type location
(i.e. average exposure to wind, flood earthquake, etc), is 0.2 per cent for the
minimum deductible level of $10,000. The rate for earthquake cover is 0.1 per
cent and the loading for above average exposures to the flood and wind perils
is 0.05 per cent. The discount for sprinklers is 20 per cent while the discount
for larger deductibles is 10 per cent for deductibles between $25,000 and
$49,999, 12 per cent for those between $50,000 and $149,999, 15 per cent for
those between $150,000 and $249,999, 20 per cent for those between $250,000
and $499,999 and 25 per cent as a maximum, provided the risk exposures are
above average.

Self-help question 6.3


Prepare a premium quote for both submissions in the above case study and
explain your answer.
An answer to this self-help question is provided at the end of this section.
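The rate-book rules of the case study applied to both submissions in code, as an added example that is not part of the ANZIIF module. The rates, discounts and deductible bands are those stated above; two points the text leaves open are taken as assumptions matching the module's model answer: only Adelaide and Wellington are above-average earthquake locations, the maximum 25 per cent deductible discount applies from $500,000 upward, and the sprinkler discount is not applied to the earthquake rate. The flood/wind loading is included as a flat addition for any location flagged above average (neither submission flags one).

```python
"""Premium quote for the Right Engineering / Medium Light Engineering case study.

Added example; not part of the ANZIIF module. Rate-book figures are those
stated in the case study. Assumptions (matching the model answer): Adelaide
and Wellington are the above-average earthquake locations, the 25 per cent
deductible discount applies from $500,000, and the sprinkler discount is
applied to the property rate only.
"""
from dataclasses import dataclass, field

# Rate-book figures from the case study (all rates are per cent of sum insured).
BASE_PROPERTY_RATE = 0.2   # average risk, average location, $10,000 deductible
EARTHQUAKE_RATE = 0.1      # additional rate where earthquake cover is requested
FLOOD_WIND_LOADING = 0.05  # loading for above-average flood/wind exposure
SPRINKLER_DISCOUNT = 0.20  # 20 per cent off the property rate

# Deductible discount bands as (lower bound of band, discount), highest first.
DEDUCTIBLE_BANDS = [
    (500_000, 0.25),   # maximum discount (assumption: from $500,000 upward)
    (250_000, 0.20),   # $250,000 - $499,999
    (150_000, 0.15),   # $150,000 - $249,999
    (50_000, 0.12),    # $50,000 - $149,999
    (25_000, 0.10),    # $25,000 - $49,999
]

ABOVE_AVERAGE_EARTHQUAKE = {"Adelaide", "Wellington"}  # assumption per model answer


def deductible_discount(deductible: float) -> float:
    """Discount fraction for the chosen deductible; below $25,000 there is none."""
    for lower_bound, discount in DEDUCTIBLE_BANDS:
        if deductible >= lower_bound:
            return discount
    return 0.0


@dataclass
class Submission:
    name: str
    values: dict                 # location -> sum insured in dollars
    deductible: float            # each-and-every-claim deductible
    sprinklered: bool            # fully functioning sprinklers at all premises
    flood_wind_above_average: set = field(default_factory=set)  # locations


def property_rate(s: Submission) -> float:
    """Property rate after the sprinkler discount, then the deductible discount."""
    rate = BASE_PROPERTY_RATE
    if s.sprinklered:
        rate -= rate * SPRINKLER_DISCOUNT
    rate -= rate * deductible_discount(s.deductible)
    return rate


def earthquake_rate(s: Submission) -> float:
    """Earthquake rate with the deductible discount only (no sprinkler credit)."""
    return EARTHQUAKE_RATE - EARTHQUAKE_RATE * deductible_discount(s.deductible)


def quote(s: Submission) -> dict:
    """Premium breakdown for one submission, amounts rounded to cents."""
    total = sum(s.values.values())
    eq_sum = sum(v for loc, v in s.values.items() if loc in ABOVE_AVERAGE_EARTHQUAKE)
    fw_sum = sum(v for loc, v in s.values.items() if loc in s.flood_wind_above_average)
    prop_prem = total * property_rate(s) / 100
    eq_prem = eq_sum * earthquake_rate(s) / 100
    fw_prem = fw_sum * FLOOD_WIND_LOADING / 100
    return {
        "total_sum_insured": total,
        "earthquake_sum_insured": eq_sum,
        "property_rate_percent": round(property_rate(s), 4),
        "earthquake_rate_percent": round(earthquake_rate(s), 4),
        "property_premium": round(prop_prem, 2),
        "earthquake_premium": round(eq_prem, 2),
        "flood_wind_premium": round(fw_prem, 2),
        "total_premium": round(prop_prem + eq_prem + fw_prem, 2),
    }


# Sums insured from the case study table (dollars).
RIGHT = Submission(
    "Right Engineering Co",
    {"Sydney": 50_000_000, "Brisbane": 30_000_000, "Adelaide": 25_000_000,
     "Melbourne": 42_000_000, "Wellington": 15_000_000},
    deductible=500_000, sprinklered=True,
)
MEDIUM = Submission(
    "Medium Light Engineering Co",
    {"Sydney": 49_000_000, "Brisbane": 31_000_000, "Adelaide": 24_000_000,
     "Melbourne": 44_000_000, "Wellington": 13_000_000},
    deductible=10_000, sprinklered=False,  # lowest possible deductible, smoke alarms only
)

if __name__ == "__main__":
    for s in (RIGHT, MEDIUM):
        print(s.name, quote(s))
```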

Evaluating risk management strategies


Evaluation and review of risk management strategies involves evaluating risk
assessment strategies to determine their effectiveness in achieving
underwriting risk management objectives. For example, the achievement of a
particular underwriting profit margin may be an indication that the insurer’s
risk management program is successful.
The insurance company uses the developments in loss experience for
particular types of business (i.e. number of losses, type of loss and total
amount paid out per claim) as an evaluation measure. It compares the actual
outcomes with the intended outcomes that were calculated when formulating
the company’s underwriting risk management program.
Any significant differences which result in a failure to achieve the originally
established risk management objectives are used as the basis for making
adjustments in the strategies in respect of the particular type of business so as
to ensure that the objectives are met in the long-term. It is possible that the
insurance company may amend its risk management objectives if the actual
outcome from a type of business clearly indicates that the outcome cannot be
obtained even with a change in strategy. For example, the company may
decide to stop underwriting that particular type of business. Conversely, if a
type of business is more profitable than had been expected, the company is
likely to try to underwrite more of that type of business so as to maximise its
profits.
It is important that this evaluation process be fully documented and that it is
communicated to all senior staff involved in the underwriting and renewal of
business. This will enable those involved in decision-making processes to
make appropriate changes in the underwriting risk management program.

182 GI512-15 16.01


Risk management and the insurance program

Activity—Review and evaluation


How often are risk management strategies reviewed and evaluated within
your organisation? What does the review/evaluation process involve? Who is
responsible for conducting the review/evaluation?

Self-help question 6.4


List key points to effectively summarise the content of this section.
An answer to this self-help question is provided at the end of this section.

Answers to self-help questions


Self-help question 6.1

(1,000,000 + 15,000 + 10,000 + 35,000) divided by 5,500,000 = 0.1927272
Divide this result (0.1927272) by (1.0 – (0.18 + 0.05)) = 0.25 per cent or
0.250295 per cent.

Self-help question 6.2

(750,000 + 30,000 + 9,500 + 35,000 – 50,000) divided by 5,500,000 = 0.1408181
Divide this result (0.1408181) by (1.0 – (0.18 + 0.05)) = 0.18 per cent or
0.1828806 per cent.

Self-help question 6.3


Adelaide and Wellington are above-average earthquake risks.

Right Engineering quote


Total sum insured = $162,000,000
Total sum insured for earthquake = $40,000,000
Property rate = 0.2 less (0.2 × 0.2) for the sprinklers, less 25 per cent of the
result for the deductible = (0.2 – 0.04) – (0.25 × 0.16) = 0.12 per cent
Earthquake rate = 0.1 less 25 per cent for the deductible = 0.1 – (0.25 × 0.1) =
0.075 per cent
Property premium = $194,400.00
Earthquake premium = $30,000.00


Medium Light Engineering quote:

Total sum insured = $161,000,000
Total sum insured for earthquake = $37,000,000
Property rate = 0.2 per cent
Earthquake rate = 0.1 per cent
Property premium = $322,000.00
Earthquake premium = $37,000.00
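As an added worked example, not part of the ANZIIF module text, the Python below reproduces the arithmetic of the answers to self-help questions 6.1 to 6.3: the loss cost from claims experience, the grossing-up for expenses and profit, and the sprinkler and deductible discounts applied to the quoted rates. The function and parameter names, and the cap check on the deductible discount, are this example's own assumptions.

```python
# Premium rating worked example. Added as an illustration; it is not part of
# the ANZIIF module text, and the function and parameter names are this
# example's own assumptions. Rates are expressed in per cent, as on the page.


def loss_cost_rate(claims, sum_insured):
    """Loss cost as a fraction of sum insured: total claims / total sum insured.

    Recoveries are passed as negative amounts (the 50,000 deducted in the
    answer to self-help question 6.2).
    """
    if sum_insured <= 0:
        raise ValueError("sum insured must be positive")
    return sum(claims) / sum_insured


def gross_rate(loss_cost, expense_ratio, profit_margin):
    """Gross up the loss cost for expenses and profit: loss cost / (1 - (e + p))."""
    loading = 1.0 - (expense_ratio + profit_margin)
    if loading <= 0:
        raise ValueError("expenses plus profit must be below 100 per cent")
    return loss_cost / loading


def adjusted_rate(base_rate_pct, sprinkler_discount=0.0, deductible_discount=0.0,
                  above_average=False, max_deductible_discount=0.25):
    """Apply the sprinkler discount, then the deductible discount, to a base rate.

    The deductible discount is capped at 25 per cent, and the cap is taken to
    be available only where the risk exposures are above average. That gate is
    this example's reading of the case-study guidance, not a rule from the page.
    """
    if not 0.0 <= sprinkler_discount < 1.0:
        raise ValueError("sprinkler discount must be a fraction in [0, 1)")
    if not 0.0 <= deductible_discount <= max_deductible_discount:
        raise ValueError("deductible discount exceeds the permitted maximum")
    if deductible_discount == max_deductible_discount and not above_average:
        raise ValueError("maximum deductible discount needs above-average exposures")
    rate = base_rate_pct - base_rate_pct * sprinkler_discount
    return rate - rate * deductible_discount


def premium(sum_insured, rate_pct):
    """Premium in dollars for a rate quoted in per cent of sum insured."""
    return sum_insured * rate_pct / 100.0


def quote(total_si, earthquake_si, property_rate_pct, earthquake_rate_pct,
          sprinkler_discount=0.0, deductible_discount=0.0, above_average=False):
    """Return (property rate, earthquake rate, property premium, earthquake premium).

    Sprinklers discount the property rate only; the deductible discounts both.
    """
    prop = adjusted_rate(property_rate_pct, sprinkler_discount,
                         deductible_discount, above_average)
    eq = adjusted_rate(earthquake_rate_pct, 0.0, deductible_discount, above_average)
    return prop, eq, premium(total_si, prop), premium(earthquake_si, eq)


if __name__ == "__main__":
    # Self-help question 6.1: four claims against $5,500,000 sum insured,
    # 18 per cent expenses and 5 per cent profit margin.
    lc = loss_cost_rate([1_000_000, 15_000, 10_000, 35_000], 5_500_000)
    print(f"6.1 loss cost {lc:.7f}, gross rate {gross_rate(lc, 0.18, 0.05):.6f}")
    # Self-help question 6.3, Right Engineering: sprinklers, 25 per cent
    # deductible discount, above-average earthquake exposure.
    print(quote(162_000_000, 40_000_000, 0.2, 0.1, 0.2, 0.25, above_average=True))
    # Medium Light Engineering: no discounts.
    print(quote(161_000_000, 37_000_000, 0.2, 0.1))
```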

Self-help question 6.4


The key points to this section you may have identified include:
 Organisations in the insurance industry are exposed to a wide variety of
risks. To achieve optimum results, an organisation should manage
exposures to risk holistically and logically, according to an overall plan.
 A significant proportion of an insurance company’s exposures to risk is
financial in nature and is inherent in the business it underwrites.
 The exposures to risk of the business that an insurance company
underwrites are those of their clients. An insurer is therefore unable to
directly manage such exposures to risk, other than to provide clients with
suitable loss financing. However, the underwriter may assist the client to
better manage the risks they are exposed to by using
- the proposal form or its equivalent
- risk exposure survey information
- the insurance company’s risk exposure knowledge base, and
- the insurance company’s risk management strategies, risk acceptance
guidelines and underwriting guidelines.
 An insurer uses a combination of risk management techniques to finance
any loss that it may suffer from the business that it underwrites. These
techniques include pooling, hedging and loss financing such as
reinsurance.
 An insurance company needs to establish its own risk management
program that covers both operational and financial risk exposures. The
company’s policies, procedures, underwriting guidelines and authorities
all form part of the insurer’s risk management program.
 Underwriting involves four distinctly different, though related, functions:
a determining the types of risk exposure that will form each balanced or
homogeneous portfolio of business
b designing the scope, terms and conditions of the insurance contract that
will be used for the particular type of exposure to risk
c determining the rate to be charged for the average exposure to risk and
any permitted variation to allow for the non-average exposure to risk
d deciding on the parameters for the acceptance or declinature of specific
exposures to risk and appropriate terms and conditions.


 Acceptance of business forms the major part of an underwriter’s day-to-day
work. Using the risk acceptance criteria the underwriter assesses the
extent to which each exposure to risk offered varies from the average
exposure in terms of:
- the extent of the particular variation from the average
- the period for which cover is required
- how any extra risk of loss above the average exposure may be
counteracted by loss prevention or risk reduction measures
- the rate to be charged and the additional terms and conditions to be
imposed.
 The evaluation of the risk and compliance factors helps the underwriter to
determine whether a particular exposure to risk should be accepted by the
insurance company and, if so, on what terms and at what cost.
 As part of its risk management program, an insurance company will
formulate underwriting requirements for each type of business that it
intends to underwrite.
 Determining appropriate risk assessment strategies (i.e. determining the
insurance company’s capacity to analyse and evaluate risk exposures) is an
essential step in formulating the insurance company’s risk management
program.
 When formulating its risk management policy, the insurer will:
- determine the types of business that it will offer to insure
- establish the table of rates, terms, limitations and conditions that
underwriters are to use for the standard exposure to risk for each type
of business underwritten
- determine the risk acceptance criteria that underwriters will use in
deciding whether or not to accept individual exposures to risk for each
particular type of business and how to handle any variations
- Note: the terms and conditions of acceptance for both low and high
hazard risk exposures will be determined before any business is
underwritten
- determine the underwriting authority to be assigned to each level of
underwriter.
 As part of its risk management program, an insurer should adequately
communicate risk assessment strategies and risk acceptance criteria and
guidelines to relevant staff and intermediaries.
 The effects of the risk management strategies should be carefully monitored.
 Evaluation and review of risk management strategies involves evaluating
these strategies to determine their effectiveness in achieving underwriting risk
management objectives.

References and recommended
reading
Standards and handbooks
AS/NZS ISO 31000:2009, Risk management—Principles and guidelines. Standards
Australia/Standards New Zealand: Sydney & Wellington.
HB 221:2004, Business continuity management. Standards Australia/Standards
New Zealand: Sydney & Wellington.
HB 292:2006, A Practitioners Guide to Business Continuity Management.
Standards Australia/Standards New Zealand: Sydney & Wellington.
HB 293:2006, An Executive Guide to Business Continuity Management. Standards
Australia/Standards New Zealand: Sydney & Wellington.
HB 436:2004, Risk Management Guidelines—Companion to AS/NZS 4360: 2004.
Standards Australia/Standards New Zealand: Sydney & Wellington.
ISO/IEC 31010:2009, Risk management—Risk assessment techniques. International
Organization for Standardization: Geneva.

Print material
Bernstein, P.L. (1998) Against the Gods: The remarkable story of risk. John Wiley &
Sons Inc.: New York.
Gallagher, R.B. (1956) Risk management: New phase of cost control. Harvard
Business Review 34(5), 75–86.
Head, G. & Herman, M. (2002) Enlightened Risk Taking: A Strategic Risk
Management Guide for Nonprofits. Nonprofit Risk Management Center:
Washington.
Head, G. & Horn, S. (1985) Essentials of the Risk Management Process. Insurance
Institute of America: Malvern, PA.
McDonald, T. (1993) Risk Management. School of Accounting and Finance,
Deakin University: Victoria.
Williams Jr, C.A., Smith, M.L. & Young, P.C. (1995) Risk Management and
Insurance. McGraw-Hill: New York.


Online materials
www.ema.gov.au—Emergency Management Australia
www.riskmanagement.com.au—A Standards Australia portal providing
information about risk management
www.risksociety.org.nz—The New Zealand Society for Risk Management
www.rmia.org.au—The Risk Management Institution of Australasia
www.sra.org—The Society for Risk Analysis
www.standards.org.au—Standards Australia
www.standards.co.nz—Standards New Zealand
Other material
Kloman, H.F. (1992) ‘Rethinking Risk Management’. Geneva Papers, July 1992.
Kloman, H.F. (1998) Risk Management Reports, March 1998.
Rasche, T. (2001) ‘Risk Analysis Methods—a Brief Review’. Minerals Industry
Safety and Health Centre (MISHC), The University of Queensland, June 2001.
HB 436:2004, Risk Management Guidelines—Companion to AS/NZS 4360:2004.
Standards Australia International Ltd: Sydney. Tables 10.1, 10.2 and 10.4 of
this module are sourced from this handbook.

Appendices

Appendix 1—Example: Risk identification questionnaire
1.1 General details
Employee Numbers: ________________________________________________________

Health & safety individual/s: _________________________________________________

1.2 Management involvement


Yes No

Is health & safety an agenda item at management meetings? ❑ ❑

Is the health and safety policy issued and known? ❑ ❑

Does management review all health and safety problems and solutions? ❑ ❑

Are managers and supervisors held accountable for corrective measures and, if so, how? ❑ ❑

Is safety incorporated into general work practice? ❑ ❑

Is there a health & safety budget? ❑ ❑

Are regular supervisor/employee discussions held? ❑ ❑

1.3 Health and safety rules and procedures


Poor Fair Good Excellent

❑ ❑ ❑ ❑

Are there general and specific health & safety rules? ❑ ❑

Are they written and distributed to employees? ❑ ❑

Are rules enforced? ❑ ❑

Are rules reviewed annually? ❑ ❑

Are safe operating procedures posted at job locations? ❑ ❑


1.4 Pre-placement health assessments


Poor Fair Good Excellent

❑ ❑ ❑ ❑ Yes No

What is the company policy? ❑ ❑

Are all employees medically examined prior to employment? ❑ ❑

Is a specialist medical check carried out if required? ❑ ❑

Are reference checks carried out (e.g. safety record, workers’ compensation etc)? ❑ ❑

1.5 Induction procedures


Poor Fair Good Excellent

❑ ❑ ❑ ❑

Is there a full formal induction regarding safety, general employment conditions etc? ❑ ❑

Are there written handouts? ❑ ❑

Is the job induction carried out by a supervisor? ❑ ❑

Is the employee reviewed regularly, utilising a checklist? ❑ ❑

Is all information kept on an employee’s file? ❑ ❑

Are procedures reviewed annually? ❑ ❑

1.6 Self-inspections
Poor Fair Good Excellent

❑ ❑ ❑ ❑

Is there a formal self-inspection program? ❑ ❑

Are all departments included on the program? ❑ ❑

Are guidelines and a checklist used? ❑ ❑

Do managers and supervisors conduct inspections? ❑ ❑

Is there follow-up action on hazards, and priorities assigned? ❑ ❑

Is the checklist/inspection system reviewed regularly? ❑ ❑

Is there a hazard rectification system? ❑ ❑


1.7 Equipment/process audits

Poor Fair Good Excellent

❑ ❑ ❑ ❑ Yes No

Are new and existing hazardous equipment/processes audited (use of checklists)? ❑ ❑

Is there liaison with statutory bodies? ❑ ❑

Is ventilation considered and periodically checked? ❑ ❑

Is effectiveness of guarding analysed? ❑ ❑

Are operator training requirements assessed? ❑ ❑

Are procedures regularly reviewed? ❑ ❑

1.8 Training
Poor Fair Good Excellent

❑ ❑ ❑ ❑

Are all training needs assessed? ❑ ❑

Is there basic health and safety training for all levels? ❑ ❑

1.9 Safety publicity/promotion


Poor Fair Good Excellent

❑ ❑ ❑ ❑

Are safety signs and posters used? ❑ ❑

Are safety signs and posters maintained/changed regularly? ❑ ❑

Is personal protective equipment used? ❑ ❑

Are safety committee minutes posted and distributed? ❑ ❑

Are films, talks and safety demonstrations held? ❑ ❑

Are targets set and displayed? ❑ ❑


1.10 Statutory requirements


Poor Fair Good Excellent

❑ ❑ ❑ ❑ Yes No

Is there knowledge of all health and safety requirements? ❑ ❑

Are accidents reported and on time? ❑ ❑

Is there liaison with statutory authorities? ❑ ❑

Is there a central chemical hazard file? ❑ ❑

Are chemical data sheets posted at the workplace? ❑ ❑

1.11 Use of specialist resources


Poor Fair Good Excellent

❑ ❑ ❑ ❑

Is use made of internal specialist resources to assist with identification and rectification? ❑ ❑

Is use made of external specialist resources? ❑ ❑

When a problem is identified, are specialists called in? ❑ ❑

Are specialists used to identify problems? ❑ ❑

1.12 Ergonomics
Poor Fair Good Excellent

❑ ❑ ❑ ❑

Is there ergonomic input into: ❑ ❑

- Work tasks ❑ ❑

- Work stations ❑ ❑

- New equipment/machinery ❑ ❑

- Potential problems elsewhere ❑ ❑

- Injuries after they have occurred ❑ ❑


1.13 Effective care


Poor Fair Good Excellent

❑ ❑ ❑ ❑ Yes No

Are there adequately trained personnel? ❑ ❑

Are there adequate numbers? ❑ ❑

Are there adequate facilities and maintenance of the facilities? ❑ ❑

Is there basic first aid for supervisors? ❑ ❑

Is there basic first aid for employees? ❑ ❑

Are there regular first aid drills? ❑ ❑

Is there adequate medical care through nurse and/or doctor? ❑ ❑

1.14 Rehabilitation
Poor Fair Good Excellent

❑ ❑ ❑ ❑

Is it practised? ❑ ❑

Is there a policy and procedures? ❑ ❑

Is there supervisory input? ❑ ❑

Are all activities documented? ❑ ❑

Are there alternative duties available? ❑ ❑

Are specialist services available? ❑ ❑

1.15 Accident investigation


Poor Fair Good Excellent

❑ ❑ ❑ ❑

Is there a form available? ❑ ❑

Are forms fully completed, and by whom? ❑ ❑

What accidents are investigated? ❑ ❑

What follow-up action is taken, and by whom? ❑ ❑

Is there costing of each accident? ❑ ❑

Are investigators trained? ❑ ❑


1.16 Work injury register


Poor Fair Good Excellent

❑ ❑ ❑ ❑ Yes No

Is a register kept? ❑ ❑

Are incidents recorded in a register? ❑ ❑

Is there an analysis of the register? ❑ ❑

What action is taken on problems highlighted, and by whom? ❑ ❑

Is there costing of injuries? ❑ ❑

1.17 Claims control


Poor Fair Good Excellent

❑ ❑ ❑ ❑

Are personnel allocated? ❑ ❑

Are claims reported to an insurance company? ❑ ❑

Is there regular contact with insurers? ❑ ❑

Are claims reports prepared quarterly? ❑ ❑

Does management receive and review reports? ❑ ❑

Does management take action on reports? ❑ ❑

Are cost controls established? ❑ ❑

1.18 Regular management reports


Poor Fair Good Excellent

❑ ❑ ❑ ❑

Does the monthly management report detail: ❑ ❑

- Accident numbers ❑ ❑

- Claim numbers ❑ ❑

- Action taken on accidents ❑ ❑

- Analysis of injuries and action ❑ ❑

- Responsibilities assigned ❑ ❑

- Safety/injury trends and targets ❑ ❑

- Comments on level of safety activities ❑ ❑


Occupational Health & Safety Summary


Poor Fair Good Excellent    Score (overall)

❑ ❑ ❑ ❑    ____

Pre-accident Score

1.1 General (non-measurable) ________________________________ ____

1.2 Management involvement ________________________________ ____

1.3 Health & safety rules and procedures ________________________________ ____

1.4 Pre-placement health assessments ________________________________ ____

1.5 Induction procedures ________________________________ ____

1.6 Self-inspections ________________________________ ____

1.7 Equipment/process audits ________________________________ ____

1.8 Training ________________________________ ____

1.9 Safety publicity/promotion ________________________________ ____

1.10 Statutory requirements ________________________________ ____

1.11 Use of specialist resources ________________________________ ____

1.12 Ergonomics ________________________________ ____

Post-accident
1.13 Effective care ________________________________ ____

1.14 Rehabilitation ________________________________ ____

1.15 Accident investigation ________________________________ ____

1.16 Work injury register ________________________________ ____

1.17 Claims control ________________________________ ____

1.18 Regular management reports ________________________________ ____

Total ____

Appendix 2—Masterprint’s risk
identification information
General risk information report
The site at which Masterprint is situated has two buildings and both are
required for the operations of Masterprint. These buildings abut and openly
communicate.
The southerly of the two buildings (Building No. 1) houses the entire
manufacturing plant and stores raw materials and finished products. It is
estimated that the finished product store occupies approximately 22 per cent
of the total building area. The northerly of the two buildings (Building No. 2),
which is joined internally by two permanently open doorways, is used as the
general store, including receiving and despatch. There is also a lunchroom
area used by employees in this building.
Fire fighting facilities for Building No. 1 are limited to fire hose reels and
extinguishers.
The site is bounded on the western, northern and eastern sides by a chain link
wire fence two metres high, and on the southern side by a wide, slow-flowing
river. The ground slopes away gently to the river and down near the river
edge there are unbunded and unfenced LPG, diesel and oil storage tanks.
Whilst there is adequate car parking space for employees on a gravel car park
at the western side of the main buildings, employees prefer to park their cars
on the bitumen at the side of the access roadway nearer to the main plant
operations. This appears to lead to considerable congestion. There are no gate
keepers at either of the gates and no regulated traffic flow has been observed.
It has also been observed that both gates were still open at 6:00 pm even
though the day operators finished work at 4:30 pm and only about 5% of the
80 employees were still on site.
There was a considerable amount of miscellaneous equipment and parts
around the waste skip area and some inside the building.
The plant manager has advised that raw material and finished product stock
records are kept on a small computer in the office area. Backups are produced
on a weekly basis and stored in a fireproof cupboard adjacent to the safe in the
front office.
According to a note accompanying the accounts, the buildings at the plant
have been valued at historical cost (15 years old). Current replacement values
are approximately 3.5 times higher than the values used for current insurance
cover.
Both buildings are of brick construction on a concrete slab, single storey with
metal decking on steel frame roofs. The store building (Building No. 2) is
protected by automatic fire sprinklers.


Despite prominent ‘no smoking’ signs, there is considerable evidence of
smoking in the lunch area and adjacent to the recharger facility in the
production building.
With Masterprint winning the tenders for printing materials for two
government departments, it is expected that the output from Masterprint will
increase some 60 per cent over the next two years. It is most likely that this
will require an additional printing machine, which will need to be housed in a
separate building.
In addition, the contracts for the government departments will be required
(as a governance requirement) to be formally re-tendered every three years.

Flowchart of Masterprint’s operational activities


Greenaway Site layout

Appendix 3—Masterprint’s risk
assessment reference tables
Masterprint classifications and codes tables
Likelihood descriptors and classification codes

Descriptor Almost certain Likely Possible Unlikely

Code A B C D

Consequence descriptors and classification codes

Descriptor Minor Moderate Major Severe

Code I II III IV

Risk rating descriptors and classification codes

Descriptor Low Medium High Catastrophic

Code L M H C

Masterprint risk analysis matrix

Likelihood code    Consequence code
                   I         II        III        IV
A                  High      High      Very High  Very High
B                  Medium    High      High       Very High
C                  Medium    High      High       High
D                  Low       Medium    Medium     High

Masterprint risk rating definitions

Risk rating    Definition
Catastrophic   Immediate action required. Senior executive management/Board
               accountable.
High           Senior executive management attention needed. Management
               accountability and responsibility specified.
Medium         Manage by specific monitoring or response procedures by accountable
               Line Managers.
Low            Manage by routine procedures. Unlikely to need specific application of
               resources.

Appendix 4—Masterprint’s risk
register
MASTER PRINT RISK REGISTER

Function/ activity

Completed by ……………………………. Date:……………………….

The risk (what can happen)

Source of risk

Risk rating

Likelihood code    Consequence code
                   Insignificant  Minor   Moderate  Major         Catastrophic
Almost certain     High           High    High      Catastrophic  Catastrophic
Likely             Medium         High    High      Catastrophic  Catastrophic
Possible           Low            Medium  High      Catastrophic  Catastrophic
Unlikely           Low            Low     Medium    High          High

Existing controls and adequacy

Risk accepted

Appendix 5—Outline of Masterprint’s
risk management program
Masterprint’s Risk Management Manual contains the following sections:
1 Scope and Policy
2 Corporate Context
3 Structure, responsibility and authority
4 Consequence Table
5 Risk assessment procedure
6 Sample Risk Register.
Masterprint Risk Register Management
 Masterprint uses word processing risk registers.
Masterprint Risk Reporting and Communication
 Masterprint has a Risk Management committee that reports to the CFO
and the CFO reports to the Board.

Appendix 6—Starex Insurance risk
management implementation report

STAREX INSURANCE
RISK MANAGEMENT IMPLEMENTATION REPORT

Client

Date
Reviewed

1.1 RISK MANAGEMENT MANUAL. Score

Does the Client’s Risk Manual cover the following areas:


1. A commitment from the CEO of the Organisation
2. Scope and Policy
3. Corporate Context
4. Structure, responsibility and authority
5. Legal and performance requirements
6. Risk assessment procedure
7. Training
8. Internal communication
9. Document and record control
10. Performance measurement
11. Corrective Action Requests
12. Audits
13. Management review
14. Risk Consequence Table
15. Sample risk registers.

Rating Score
Covers all the areas 25
Some areas are covered 10
No manual 0

1.2 RISK REGISTER MANAGEMENT Score

Rating Score
Recorded in its specialised software 25
Recorded in Spread sheets 15
Recorded in paper based systems 10
Risk registers are not used 0


1.3 RISK REPORTING & COMMUNICATION Score

Do the Client’s reporting procedures meet the following reporting lines:

The Board
Receives regular reports on all significant risks, i.e. risks
with ratings of Extreme and High;

The CEO
- Ensures all staff are aware of the Risk Management
program and reporting procedures
- Receives regular reports on all significant risks, i.e. risks
with ratings of Extreme and High
- Monitors that the Risk Management process is working
effectively
- Ensures there is Risk Management awareness throughout
the organisation
- Includes Risk Management in regular Business Unit
Managers’ meetings;

The Risk Management Committee or Risk Manager
- Regularly reviews all risks with the Business Units
- Ensures all treatments are implemented
- Reports all significant risks to the Board
- Ensures all staff have been given training in the Risk
Management process;

The Business Unit
- Is aware of all risks within the Business Unit and how they
are being managed
- Discusses risks in regular Business Unit meetings
- Includes risk treatment plans in any budgeting
- Includes risk management in all business plans
- Reports all new risks to the Risk Management Committee
or Risk Manager;

Individuals
- Understand their accountability for their own risks
- Understand that management of risks is a key part of the
organisation’s structure
- Report any new risks

Rating Score
Meets 100% specified reporting 25
Estimate score where 100% not met 1–24
No Reporting or communication 0


1.4 STRUCTURE, CULTURE & ADMINISTRATION OF RISK MANAGEMENT Score

Does the Client’s structure, culture and administration of
risk management meet the following:

- The Board has the responsibility for the risk management
program
- The Risk Manager/ Risk Management Committee reports
to the board with a dotted line to the CEO
- The risk management culture is embedded within the
organisation;
- Strong Buy-in from the Board, senior management,
business unit management, and staff;
- Widespread understanding and the involvement of all
business units;
- All staff have received training in risk management.

Rating Score
Meets 100% as above 25
Estimate score where 100% not met 5–24
Nothing done 0

Appendix 7—Example: Risk register

Appendix 8—Example:
Risk treatment schedule

Appendix 9—Example:
Risk treatment action plan
Function/Activity:________________________________________________________

Risk exposure____________________________________ Ref:_________________

Summary—Recommended response and impact

Action plan

1 Proposed actions

2 Resource requirements

3 Responsibilities

4 Timing

5 Reporting and monitoring required

Compiler:______________ Date:_____ Reviewer:_____________ Date:_____
