1. Analysing Risk

Once all risks have been identified, each risk is analysed in terms of consequence and likelihood.

  • The consequence is defined as the outcome of an event expressed qualitatively or quantitatively, being a loss, injury, disadvantage or gain. There may be a range of possible outcomes associated with an event.
  • The likelihood is used as a qualitative description of probability or frequency[1].

The consequence and likelihood can then be combined to produce a risk rating.

The consequence of a risk occurring can range from negligible (1) to catastrophic (5). The likelihood of an occurrence is determined for each individual risk and can range from almost certain (A) to negligible (E).

The initial risk rating is called the inherent risk rating. The inherent risk is the rating before consideration of any existing risk treatments or mitigating controls that may reduce the adverse consequences of the risk or the likelihood of it occurring.

While a risk may be identified as inherently extreme or high, there may be risk treatments or mitigating controls in place that will reduce the likelihood of that risk occurring, or the adverse consequences if it does occur. The risk grading after consideration of all mitigating controls is known as the assessed risk rating.

An audit can be conducted after the risk assessment to determine the effectiveness of these key controls. If certain mitigating controls / strategies are found not to be working effectively, new strategies may need to be developed or existing controls may need to be more strongly enforced.

[1] Risk Management Standard AS/NZS 4360:1999, p 2

2. Evaluate Risks

Once the inherent and assessed risk ratings have been determined for each risk, the major risks can be separated from those considered of lower priority.

Lower priority risks are generally those with a low or negligible assessed risk rating. These can be reported to management to promote awareness of all risks faced by the organisation; however, they may not require urgent management attention or the implementation of action plans.

Major risks (i.e. those with extreme or high assessed risk ratings) should be brought to management attention immediately and an effective strategy and action plan developed to treat these risks.

WynRisk is perfect for this scenario