Excerpt from the Diploma of Risk Management distance education course
The Diploma of Risk Management and Business Continuity via distance education
Gain a qualification and an industry certification undertaking a course fully accredited by the Australian Skills Quality Authority (ASQA) and endorsed by the Risk Management Institution of Australasia.
Paladin Risk Management Services has taken an innovative approach to learning by offering a distance education option for the Diploma of Risk Management and Business Continuity.
This comprehensive course enables you to become accredited through the provision of education materials including an education kit and an accompanying chapterised DVD.
Below is an excerpt from the distance education chapter on the identification of risks.
The identification of risks
The next part we are going to go through is the identification of risks. The risk identification part of the process, allows us to identify the risks that we need to manage. Those that we don’t identify are obviously those that we don’t need to manage. The comprehensive identification is therefore really important using a well-structured systematic process. And identification needs to include the risks whether or not they are under the control of the organisation.
Now as we alluded to in session one, it is about events. It is not about causes, it is not about consequences, it is about events. If you cannot conduct a post event analysis on a particular event or a particular risk that you have in your risk register then there is no way it should be in your risk register. We are dealing with events. Through post event analysis, this assists us in understanding whether the risk that we have in our risk register is appropriate.
It is focussed on identifying what can happen, where and when? How it can happen? What will the consequences be if the risk does occur? What controls do we currently have in place and how effective are they? I must tell you right now that we must talk about controls and I will give you the pre-soap box warning for that. We need to also understand and remember it is about risks and not issues. These are things that there is a chance that it might happen, but there is also a change that it might not happen. An issue, as we talked about in session one, is something that has already occurred. The incident has already taken place.
So, the first thing that I want to talk about is risk sources. If we are in a large organisation and we say what are the risks to that organisation? If we try and do that, in one hit, it’s like trying to eat an elephant. What we want to try and do is break it down, so that we can identify and have smaller bite size chunks, that we can identify risk against. Now, risk sources are defined in the ISO 31000 as “element which alone or in combination has the intrinsic potential to give rise to risk”. The 4360 standard which is obviously been superseded highlighted that identifying sources of risk and areas of impact provides a framework for risk identification and analysis, focuses risk identification activities and contributes to more effective management of risk”.
So how do we do that? How do we identify those sources of risk? We do this through the risk breakdown structure. So, within complex organisations, the identification of risk becomes problematic without a well-developed Risk Breakdown structure (RBS) which breaks it down into those bite size chunks. It provides a means for the organisation to structure the risks being addressed or tracked and it can be considered as a hierarchically organised depiction of the identification risks arranged by activity or source of risk. It also has the ability to allow us to look at the cumulative effect of risk across the organisation. And more importantly, it allows us to identify the total risk exposure to the organisation.
Now, what does it look like? You will find it very difficult to see that in your notes, however, I have included a larger copy of this in the templates. So that is what it might look like for the organisational breakdown. This is one we might like to see as a project and in session three when I go through the project risk management there is a copy of that also in the templates. We will go through that in session three. But as you can see we have this hierarchical structure, so in this case, we are able to break it down into those constituent elements within the organisation and then we ask the fundamental question against each of those boxes, what can go wrong/or what has gone wrong in the past in terms of events? If you ask those questions as opposed to what are the risks? You will find that people will be very forthcoming in terms of identifying those events that either have happened or potentially could happen.
You have been watching an excerpt from the Diploma of Risk Management and Business Continuity Distance Education Course.