The Difference between ISO 13000 and AS/NZS 4360:2004
Example scenario: a member of your team is confused about the options under the hierarchy of ontrol.
Use the options below to assist her in understanding the hierarchy of control pyramid. Briefly explain
why you chose the control measure/s you have. Option Control measure Why did you choose this
measure?
Avoiding the risk Changing the consequences Changing the likelihood Retaining the risk P a g e | 108
BSBRSK 501 MANAGE RISK
Sharing the risk with a third party P a g e | 109 BSBRSK 501 MANAGE RISK
Activity 4.1.1–4.1.2
P a g e | 110
BSBRSK 501 MANAGE RISK
4.2 – Develop an action plan for implementing risk treatment The aim of a risk management action plan is to ensure that risk management is embedded in the culture of the organisation and to ensure that the organisation maintains risk management best practice. It outlines how an organisation is going to identify, minimise and/or control the risk, including monitoring and reviewing the risk management process.
The action plan should cover the following areas:
1. Introduction
1.1. Purpose of the Action Plan:
This should include what the risk management plan is for. You may
even write a Risk Management Statement
1.2. Goals of the organisation’s Risk Management:
What are the organisation’s goals? I.e. to ensure that the highest levels of risk are identified and properly management, risk is focused where it is needed. 2. Context and Background
2.1. What Risk Management is:
Define risk management and its importance to the organisation.
2.2. Benefits of the plan:
How does your Risk Management Plan benefit your organisation? E.g. meet your legal obligations
2.3. Organisation's background :
What is the organisation’s background and the areas where risk management has been applied? E.g. may include policy and procedures, the use of specification, equipment checks, tests and quality assurance.
P a g e | 111
BSBRSK 501 MANAGE RISK
3. Risk Management at your organisation 3.1. Overview of the risk process: How risk is handled in the organisation
3.2. Risk Management structure and responsibilities:
How is your risk management plan structured? Who is responsible for individual tasks and in what areas? Who is each party accountable to? Does your organisation, for example, have a Risk Management Steering Committee?
3.3. How the plan is implemented: How is the plan implemented? At what level is it implemented at? How is it documented? What levels of risk are acceptable? How is risk management recorded and documented? What contingency plans does the organisation have in place?
3.4. Timeframe:
The timeframe should consider who obtains copies of the Action and Risk Management Plan? When? Other factors that may be included are: training, timeframes for review and when documentation should be completed and submitted to the Board/Manager, depending on the size of the organisation.
3.5. Monitoring and review:
Most organisations review their plans annually and align it with their planning process. Continuous improvement is a legislative WHS requirement, so organisations must demonstrate that they are working to improve their operations.
P a g e | 112
BSBRSK 501 MANAGE RISK
4. Initial risk identification and risk treatment 4.1. Risk criteria: In this section, you need to prioritise the importance of Risk Management, in terms of how it can impact on the organisation. For example, if too many people are injured in the workplace, the organisation’s reputation will be negatively affected.
What risk management processes are communicated to you?
Do you believe that this information is appropriate or should you receive more or less information?
Why? Why not?
What is the importance of making sure that your documentation is completed and processed correctly
4.5 – Implement and monitor action plan
Once an action plan has been developed, it needs to be implemented as soon as possible. It is important
to make sure that the action plan is reported to workgroups and stakeholders.
When an action plan is implemented, awareness and motivation need to be communicated to your
stakeholders. How would you create this awareness and motivate your team into becoming mpowered
in the implementation of the plan? Why would you do this?
How is risk evaluated in your organisation (or an organisation that you have known or worked for)?
Do you believe that it is evaluated sufficiently? Why? Why not?
Activity 1.1.1 – 1.1.3
|
Estimated Time
|
30 Minutes
|
|
Objective
|
To provide you with an opportunity to review organisational processes, procedures and requirements for undertaking risk management in accordance with current risk management standards.
|
|
Activity
|
What is the difference between the new ISO13000 and AS/NZS 4360:2004?
The main difference between the ISO 13000 and AS/NZS 4360:2004 is that the first one aims to align uniformity between risk management systems whereas the latter one does not care about enforcing uniformity in risk management systems.
Briefly outline the legal framework.
The legal framework requires a project or organization risk management system to follow certain legal guidelines. In many of the risks, certain legal aspects are related and it is important to ensure the legal rules or guidelines are followed while managing the risks.ase study: Christine Finkel worked 13 hours a day, six days a week for three months. She noted that the floor was slippery but decided to help a customer before taking steps to clear the area. By the time that Christine returned to the area, she had forgotten that the floor was wet. Christine fell and broke her leg.
What unsafe behaviour have you identified here?
The identified unsafe behaviour is that Christine preferred to serve the customer rather than prioritizing the safety of herself or the other staffs and customers i.e. she failed to address a risk before continuing her daily duties that resulted in disaster.
What could be the impact of Christine’s situation to the organisation?
Christine’s situation will result in the loss of an important staff of the organization for a considerable amount of time that will affect the daily operations of the organization.
What would you do if you took a job as a supervisor and walked into a similar situation?
If I was in the similar situation, I would have emphasized on first addressing the risk before continuing the daily operations at the store. This is because the risk should always be on the top of priority list that should always be identified and addressed as early as possible.
|
|
Estimated Time
|
30 Minutes
|
|
Objective
|
To provide you with an opportunity to determine scope for risk management process.
|
|
Activity
|
Do you believe understanding the different types of risk can assist you in defining the scope?
Understanding different types of risk can definitely assist one to define the scope. This is mainly because the scope of a project generally defines a boundary or limit of a project and with understanding the different risks, the boundary can be set accordingly such that the risks are not encountered or the chances of encountering the risks are minimized.
When writing the scope, what should the writer consider?
When writing the scope, the writer should consider a number of points as follows.
The main requirements that are to be fulfilled in the project
The assumptions that have been made in the course of the project
The exclusions and limitations that are applicable for the project
The available budget for the project
The proposed schedule for the project
Number of human resources available for the project
Various external factors like market condition associated with the project
What needs to be evaluated and why?
Based on your outline in the previous question, use your knowledge of your own organisation, or an organisation that you know, to write a brief scope of risk management. (Note: if you work or have worked in a large organisation, you can use this question to write a scope for a project you work on or have worked on) – In your answer, briefly explain the organisation or project.
For defining the scope of a project or risk management process, it needs to be evaluated whether the organization has sufficient resources to bypass the risk and how much the risk can affect the organization if encountered at any point of time.
As an instance, a case study of Starbucks has been chosen and the selected project is opening a new store in a new country in Asia. Starbucks is an American company that sells coffee and other similar drinks to the customers. Due to the high quality of coffee and the high brand value, the cost of a coffee drink in the company’s stores is generally high. If the company wants to open store in a new country in Asia, there are several risks associated. The scope of risk management for such a case can be defined as follows.
Ø Evaluation of the new market where the company is entering to determine the extent of competition in the same
Ø Evaluation of the maximum price limit of each product that will be accepted by the customers in the new market
Ø Evaluation of feasibility of the business in the selected market
|
|
Estimated Time
|
30 Minutes
|
|
Objective
|
To provide you with an opportunity to identify internal and external stakeholders and their issues.
|
|
Activity
|
List three internal stakeholders that you may find in an organisation.
Three internal stakeholders that can be found in an organization and their roles are as follows.
Project Manager – Management, control, change and supervision of any project
Finance Manager – Management of finances and project funds
Human Resources Manager – Management and recruitment of human resources
List four external stakeholders that may be associated with an organisation.
Four external stakeholders that may be associated with an organization are as follows.
Sponsor – Providing funds for a new venture or project
IT Assistant – Introduction and implementation of new IT related projects
Marketing Manager – Marketing of business of the organization
Procurement Manager – Procurement of the required supplies for a project of the organization
In the chart below, identify three stakeholders, state their objectives towards your organisation, or an example organisation, in terms of risk management (i.e. supplier believes goods loaded onto an unsafe delivery dock). Who is your contact with the supplier and how would you consult with them? What are the recommended feedback and consultation procedures with them?
|
Stakeholder
|
Objective/s
|
Contact
|
Feedback and consultation
|
|
Project Manager
|
Management and control of a project
|
Via email or phone call
|
Any changes in the project, management of a risk encountered during the project and others
|
|
Finance Manager
|
Management of project funds
|
Via email
|
Request for additional funds, allocation of funds to project teams
|
|
IT Assistant
|
Implementation of IT Projects
|
Face to face conversation
|
IT related risks, implementation requirements, project objectives
|
Case study: In recent months, your organisation has grown as demand for the product has increased. In turn, the number of deliveries from one of your suppliers has increased. Your organisation has established a strong relationship with one driver, Nick, and he is the only one able to deliver goods to the organisation due to the volatility of the goods delivered. Do you believe that the driver is put at risk? Why?
The driver is at risk due to the regular transportation of volatile goods that may cause a significant risk to the health of the driver. Since there are no back up drivers, Nick is daily exposed to such volatile goods that will affect his health in the long run.
What could the impact of the increase of deliveries have on the supplier?
With the increase of deliveries, the supplier has to keep up by constantly updating his inventory in order to maintain or increase the rate of the supply.
The supplier contacts you and asks you to change your driver policy as the driver has complained. What is this called? How would you resolve this problem?
This is a negative feedback from the part of the driver who does not feel the driver policy is suitable for him.
In order to resolve this problem, some changes are to be made in the driver policy and new drivers are to be recruited with the alternate shifts.
|
|
Estimated Time
|
30 Minutes
|
|
Objective
|
To provide you with an opportunity to review political, economic, social, legal, technological and policy context.
|
|
Activity
|
Gather into small groups for the following group activity:
Choose an example organisation and make a list of at least one change in the following areas that will impact on the organisation’s risk management processes. What steps would you take to ensure that your work area is safe in regard to risk?
An example organization for analysis is Apple Inc.
The areas are:
Political
Apple Inc. has been developing some features in their devices that may have political implications and some policies of some countries may brand these features as politically inappropriate.
Economic
Apple products are generally extremely expensive and hence, the acceptability of the products is low in certain countries.
Social
The device features are attractive to gather social interest around the world.
Legal
Apple Inc needs to abide by legal guidelines regarding development, research, branding and marketing of its own products.
Technological
Apple utilizes latest technology to develop the latest features that are included in the devices like smartphones and macbooks.
The policy context
Apple needs to revise its policy that considers all the above points and manage the business processes accordingly.
|
|
Estimated Time
|
30 Minutes
|
|
Objective
|
To provide you with an opportunity to review strengths and weaknesses of existing arrangements.
|
|
Activity
|
Complete a SWOT analysis of an organisation that you know well.
The chosen organization is Apply Inc.
|
Market competition
Availability of cheaper alternatives
|
|
Growing popularity
Growing markets in different countries
|
|
High price
Devices get outdated quickly
|
|
High brand value
Latest technology
First of its kind features
|
Is the organisation internally or externally driven? Why?
The organization is internally driven as it has its own research and funding structure with the development of one of its kind features.
|
|
Estimated Time
|
45 Minutes
|
|
Objective
|
To provide you with an opportunity to document critical success factors, goals or objectives for area included in scope; obtain support for risk management activities; and communicate with relevant parties about the risk management process and invite participation.
|
|
Activity
|
Use the following critical success factors and document how you would ensure that your organisation’s (or example organisation’s) performance improves. The CSFs are:
Trust
The employees must trust each other and the management must have trust on its employees.
Organisational culture
There should be an appropriate organizational culture that promotes trust and team work rather than conflicting roles.
Management support
Management must support the employees at all times for ensuring success in any operation.
Communication
There should be a well defined communication system so that the stakeholders and employees can freely interact with each other.
How can you know if you have handled the CSFs correctly?
If the CSFs are handled correctly, the overall performance of the organization will increase with the increase in happiness and morale of all the employees.
For one of the CSFs ask the relevant personnel (or trainer, if not working for an organisation) for support in managing associated risks and briefly document this.
For the management support, there is a risk that the management may not have complete faith in the employees. This is required to address in order to establish a suitable organizational culture.
Discuss the associated risks for the CSF, as mentioned in the last question, with those involved, or with two other persons from your training group, and note the outcome of this.
Some risks and their outcomes are as follows.
Conflicts – Personal fights between employees affecting organizational performance
Lack of Faith from Management – Low morale and performance of the employees
Misunderstanding due to lack of communication – Information not reaching the right persons
|
|
Estimated Time
|
40 Minutes
|
|
Objective
|
To provide you with an opportunity to identify risks.
|
|
Activity
|
Identify a risk in your work area or example work area (this can be a possible risk if there are no risks requiring improvement).
What is the risk?
A risk may be cyber security risk as the work involves constant usage of the internet.
Provide details of the problem.
With continuous internet usage, the system is prone to be affected to external attacks and security issues.
Who would you discuss this problem with?
This problem should be discussed with the IT Assistant.
What type of research would you do to measure the level of risk?
To measure the level of the risk, detailed analytic and technical research is necessary.
What documentation could you use?
The relevant IT implementation documentations can be used.
What literature would you research?
Literature related to cyber security risks can be researched.
Invite other members of your team/training group to also help identify any risks and note down the outcome of this.
Consultation is an important part of the risk analysis; in what ways can you gather information from stakeholders in this instance?
For gathering information, a team meeting can be called where all the stakeholders will have to participate and discuss the risks identified by them during planning and evaluation.
|
|
Estimated Time
|
45 Minutes
|
|
Objective
|
To provide you with an opportunity to analyse risks.
|
|
Activity
|
Using the research from Activity 2.1.1-2.3.1, complete the following:
Likelihood
Ø Probability of a given risk occurring, such as:
o Almost Certain (exposed to hazard constantly)
o Likely (exposed to hazard occasionally)
o Unlikely (could happen but only rarely)
o Highly unlikely (could happen but probably never will).
Moderate Injury consequences & possible likelihood form part of standard Risk Management but you can decide if they meet your requirements.
Consequences may be rated as:
a) A fatality
b) Major or serious injury (serious damage to health that may be irreversible, requiring medical attention and ongoing treatment). This is likely to involve significant time off work;
c) Minor injury (reversible health damage that may need medical attention but limited ongoing treatment). This means that it is less likely to spend more than a day off work.
d) Negligible injuries (might sustain slight injury and may require only primary first aid) and no time off work
Assess the risk
What is the likelihood of this problem arising again?
The likelihood of this problem arising again is high.
What are the possible consequences of this risk?
The possible consequence is that secure information and data from the workstation and the server connected to it may be stolen or damaged.
Evaluate and priorities risks for treatment?
Risk priority is an order in which the risks are arranged as per their chances of occurrence and the consequences of the risk.
What risk priority would you consider?
The chosen risk should be considered in the highest priority.
What opportunities do you think there are in your case? How can these opportunities be used?
In the chosen case, there is opportunity to learn more about cyber security risks such that there can be better preparations in the near future.
|
