Questions and Answers List: Section A
Question: Describe the 'mandate and commitment' stage of a risk management process.
Answer: Management of the organization needs to demonstrate a strong and sustained commitment to risk management by defining risk management policy and objectives, ensuring legal and regulatory compliance, ensuring necessary resources are allocated to risk management, and communicating the benefits of risk management to all stakeholders.

Question: Describe the 'Design of framework for managing risk' stage of a risk management process.
Answer: Before implementation, the organization must design a framework for managing risk. This includes:
• Understanding the organization and its context
• Establishing risk management policy
• Ensuring accountability, authority and appropriate competence for risk management
• Integrating risk management into organizational processes
• Allocating appropriate resources
• Establishing internal and external communication and reporting mechanisms

Question: Describe the 'Implementing risk management' stage of a risk management process.
Answer: The organization must implement the framework for managing risk and the risk management process.

Question: Describe the 'Monitoring and review of the framework' stage of a risk management process.
Answer: To ensure the effectiveness of risk management, the organization should measure risk management performance and progress, review whether the risk management framework, policy and plan are still appropriate, and review the effectiveness of the risk management framework.

Question: Describe the 'Monitoring and review of the framework' stage of a risk management process.
Answer: Based on the results of monitoring and review, decisions should be made on how the risk management framework, policy and plan can be improved.

Question: What does AS ISO 31000:2018 say about managing risk?
Answer:
• Risk treatment options are not necessarily mutually exclusive or appropriate in all circumstances.
• Options for treating risk may involve one or more of the following:
  – avoiding the risk by deciding not to start or continue with the activity that gives rise to the risk;
  – taking or increasing the risk in order to pursue an opportunity;
  – removing the risk source;
  – changing the likelihood;
  – changing the consequences;
  – sharing the risk (e.g. through contracts, buying insurance);
  – retaining the risk by informed decision.

Question: What is the hierarchy of control measures in risk management?
Answer:
• Eliminate or avoid the hazard/issue that is creating the risk
• Control the risk to an acceptable level and manage it
• Transfer the risk to another party who can better manage the risk
• Accept the risk and manage it closely

Question: Describe how risk treatment is determined.
Answer: Risk treatment options should be selected based on the outcome of the risk assessment and the expected cost of implementing and benefiting from these options. The risk tolerance and appetite of an organization will have a strong impact on the risk treatment plans, as some may choose to retain more significant risks than others if the potential positive outcomes are worth the balance. Risks are ranked based on likelihood and consequence (each rated from 1 to 5), and from this the risk priority is determined.

Question: What are the principles of risk management set out in AS/NZS ISO 31000:2009?
Answer:
1. Risk management creates and protects value;
2. Risk management is an integral part of all organizational processes;
3. Risk management is part of decision making;
4. Risk management explicitly addresses uncertainty;
5. Risk management is systematic, structured and timely;
6. Risk management is based on the best available information;
7. Risk management is tailored;
8. Risk management takes human and cultural factors into account;
9. Risk management is transparent and inclusive;
10. Risk management is dynamic, iterative and responsive to change;
11. Risk management facilitates continual improvement of the organization.

Question: Briefly describe the concept of a Risk Register.
Answer: A risk register is a document used as a risk management tool and to fulfil regulatory compliance, acting as a repository for all identified risks together with additional information about each risk. It is commonly laid out as a table.

Question: Why is a risk register an effective tool for risk management?
Answer:
• It can be used to filter risks, track progress and document action plans;
• It is useful for risk owners, auditors, managers and directors;
• It can be tailored to a reader's particular need for detail;
• Each business group within an organisation can have its own risk register, linked upwards to corporate policy-level risks;
• The "top 10" risks can be highlighted in the Register for ongoing management;
• Control measures can be classified as "Proactive" (affect the likelihood of an event occurring) or "Reactive" (affect the level or duration of consequences), and monitoring can be tailored for each risk;
• The Risk Register is supported by a report with workshop notes, analysis files, photos, diagrams and material that validates the summary in the Risk Register.

Question: Briefly describe the external context of a risk analysis process.
Answer: The environment in which the entity operates and seeks to achieve its objectives, including policy, operational, cultural, political, people, environmental, legal, regulatory, financial, technological and economic factors. The external context of a risk analysis can affect the likelihood and consequence of risks and can change throughout the duration of a project, which is why continually undertaking the risk analysis process is important. External context usually refers to factors outside the business's or organisation's control, such as the political state of the country, exchange rates, the labour force, etc.

Question: What are risk criteria?
Answer: Risk criteria are the established reference points against which the significance of risk is evaluated and measured.

Question: Briefly describe the difference between "Business Risk" and "Corporate Risk".
Answer: Business Risk is sometimes limited to just commercial matters, whereas Corporate Risk usually refers to all aspects of establishing and operating a business. Furthermore, corporate risk is the term used when considering Government organisations and "not-for-profit" organisations, where risks that threaten reputation, credibility or public confidence are often given more importance than commercial risks.

Question: Briefly explain the purpose of "Monitoring and Review" in a risk analysis process.
Answer: Monitoring and review helps with the following:
• Ensuring that controls are effective and efficient in both design and operation.
• Obtaining further information to improve risk assessment.
• Analysing and learning lessons from risk events, including near-misses, changes, trends, successes and failures.
• Detecting changes in the external and internal context, including changes to risk criteria and to the risks, which may require revision of risk treatments and priorities.
• Identifying emerging risks.

Question: Briefly describe the internal context of the risk assessment process in an organization.
Answer: The internal context of the risk assessment process in an organization refers to the specific factors and elements within the organization that influence and shape the risk assessment activities. It involves understanding the organization's internal environment, structure, resources and culture, as well as its objectives, strategies and stakeholders.

Question: Briefly describe the concept of a risk management framework.
Answer: A risk management framework (RMF) is a set of practices, processes and technologies that enable an organization to identify, assess, analyse and manage risk within the organization.