Risk Management

The truth about Risk

A common misconception about risk management is that it is all about the chance of something happening.  People often only give weight to the probability of a risk event and not the consequences… “That hasn’t happened in the past! What are the chances of that happening now?”

Only when the worst-case scenario happens do some people react.  They treat the symptoms of poor risk management, and are forced into an expensive clean-up operation to address them. Occupational health and safety is a case in point.  For example, the risk of coming into contact with exposed electrical wiring (the risk event) may be minimal, but should someone inadvertently do this, it could lead to serious injury or death (consequences no one wants to happen).  Damages payouts to affected workers and their families can be financially crippling.  In this example, proactively addressing electrical maintenance with a qualified electrician is not only much cheaper but could prevent unnecessary heartbreak.

Analysing risk events: likelihood and consequence

When you analyse risk, you must look at the likelihood and the consequence of a risk event happening.

What risks does your business face?  If you are a small business, is it key man risk, with risk events including extended illness/death of your business principal? If you are in manufacturing, is it the risk of product recall from faulty merchandise, with risk events including use of sub-standard componentry, or perhaps quality checking errors?

When considering the consequences of risk events, it is helpful to look at the impact on assets (financial and/or physical such as buildings), people (employees and/or the public), reputation and the environment.

The same consequence can mean different things for different businesses.  For example, the loss of $50K can be catastrophic for a small business (and therefore classified as high), but barely cause a ripple in a large one (and consequently be classified as low).

Now look at the likelihood of a risk event.  How often does this risk event occur? If it occurs four times a year, that works out to be a likelihood of approximately 1% on any given day (reasonably low).  Don’t forget we are talking about the risk event itself, not the consequence.  For instance, a pallet may fall off a high shelf in a warehouse at least twice a week, but so far it hasn’t squashed anyone.  That still means that the likelihood of the event is 40% on any given working day (which is fairly high).

For each identified risk event for your business, likelihood and consequence are then plotted on a matrix to identify how critical a risk event is: whether it is a risk that is considered high, medium or low.  This then helps determine what mitigating strategies are appropriate. Refer to the example 3×3 matrix diagram below.

[Figure: example 3×3 risk matrix]

When you have a risk treatment plan, you need to evaluate it overall.  What is your residual risk after you have put in place strategies to address identified risk events?  Is this residual risk acceptable?  If not, cycle back through your risk management system until it is.

A risk management system contributes to good governance

A successful risk management system is also fundamental to the governance of a business and is fed into all aspects of its management.  It starts at the board level, with an agreed risk appetite and criteria to manage risk, and is then integrated into such things as policies and objectives, standards and guidelines, plans, procedures, and audit programs. Refer to the following risk management diagram.


A proactive risk management system adds immeasurable value to your business. It not only helps you avoid catastrophe, such as the death of employees or environmental degradation, it also helps you achieve your business goals.

For more information about how Change Factory can assist with setting up a risk management system in your organisation, contact us today.