4. Treat Risks

Risk Management Framework

Risk treatment involves developing a range of options for mitigating the risk, assessing those options, and then preparing and implementing action plans. The highest rated risks should be addressed as a matter of urgency.

Selecting the most appropriate risk treatment means balancing the costs of implementing each activity against the benefits derived. In general, the cost of managing the risks needs to be commensurate with the benefits obtained. When making cost versus benefit judgements the wider context should also be taken into account.

Depending on the type and nature of the risk, the following options are available:

  • Avoid - deciding not to proceed with the activity that introduced the unacceptable risk, choosing an alternative more acceptable activity that meets business objectives, or choosing an alternative less risky approach or process.
  • Reduce - implementing a strategy that is designed to reduce the likelihood or consequence of the risk to an acceptable level, where elimination is considered to be excessive in terms of time or expense.
  • Share or Transfer - implementing a strategy that shares or transfers the risk to another party or parties, such as outsourcing the management of physical assets, developing contracts with service providers or insuring against the risk. The third party accepting the risk should be aware of and agree to accept this obligation.
  • Accept - making an informed decision that the risk rating is at an acceptable level or that the cost of the treatment outweighs the benefit. This option may also be relevant in situations where a residual risk remains after other treatment options have been put in place. No further action is taken to treat the risk; however, ongoing monitoring is recommended.

A range of treatments may be available for each risk and these options are not necessarily mutually exclusive or appropriate in all circumstances. Selection of the most appropriate risk treatment approach should be developed in consultation with relevant stakeholders and process owners.

Develop a risk treatment plan

Determine the level of treatment plans required for each risk level. For example, for risks rated as 'high', a treatment plan must be developed. However, for risks rated as 'low' and 'very low' that have improvement opportunities, development of a treatment plan may be at the discretion of the partner or partners.

Effective risk treatment relies on attaining commitment from key practice stakeholders and developing realistic objectives and timelines for implementation.

For each risk identified in the risk assessment, detail the following:

  1. Specify the treatment option agreed - avoid, reduce, share/transfer or accept.

  2. Document the treatment plan - outline the approach to be used to treat the risk. Any relationships or interdependencies with other risks should also be highlighted.

  3. Assign an appropriate owner - who is accountable for monitoring and reporting on progress of the treatment plan implementation. Where the treatment plan owner and the risk owner are different, the risk owner has ultimate accountability for ensuring the agreed treatment plan is implemented.

  4. Specify a target resolution date - where risk treatments have long lead times, consider the development of interim measures. For example, it is unlikely to be acceptable for a residual risk to be rated 'high' and to have a risk treatment with a resolution timeframe of two years.

Management may wish to define expectations of the detail of treatment plans required for each risk level. For example, for risks rated as 'high', a treatment plan must be developed. However, for risks rated as 'low' and 'very low' that have improvement opportunities, development of a treatment plan may be at the discretion of the risk owner.

Forecast risk analysis

Forecast risk analysis involves the assessment of risk after existing controls and treatment plans for new or reinforced controls are taken into account. Changes from residual to forecast ratings will depend on whether these controls are designed to address the likelihood of the risk, the consequence of the risk, or both.

For each risk identified in the risk assessment, detail the following:

  • Assess forecast likelihood - What is the probability of the risk event occurring within the control environment? This should be determined after a review of the proposed changes to the design of the control and/or its operating effectiveness.
  • Assess forecast consequence - What is the extent of the most probable impact of the risk event if it were to occur within the control environment? Assume that the future controls will be operating at their intended future strength; do not use the maximum consequence that would result if the controls were to fail.
  • Determine overall forecast risk ranking - Apply the risk rating to determine the overall ranking.

For each risk, there should be only one overall forecast risk rating based on consideration of the future effectiveness of the single control, or the multiple controls, in place to address the risk.

Implement and monitor treatment plans

The treatment plan owner is responsible for coordinating activities that ensure risk treatments are implemented. The owner may not be directly responsible for implementing the risk treatment plans; however, they are responsible for ensuring that plans are completed within the expected timeframe.

When implementing a treatment plan, consider how the initiatives will be supported:

  • Firm structure - Does there need to be any change to structure or delegations to support the risk treatment plan?
  • Financing - If the budget for control improvement is constrained, should there be a process to prioritise controls with the greatest need or cost benefit?
  • Resource availability - Does the firm have sufficient physical, human or financial resources to implement the risk treatment plan?
  • Communication with stakeholders - Does the firm need to commence briefing sessions to inform stakeholders as to what changes are required and why?

For each risk identified in the risk assessment, detail the following:

  • Monitoring mechanisms and review points - The treatment plan owner should specify the mechanisms by which implementation will be monitored. This may include indicators to determine if the risk is increasing or decreasing. Successful implementation will usually be linked to business planning activities and will be reviewed regularly at meetings.
  • Status of the treatment plan - The status of the treatment plan is either 'open' while implementation is in progress or 'closed' when implementation has been completed. If the status is closed and the risk has been eliminated, it may be removed from the current risk register into a closed items register. Where a risk is not eliminated, it should be retained in the current register; if another treatment plan is required this should be agreed or, if no other action is possible, the treatment agreed could be to accept and monitor the risk.


The key output from the risk treatment stage in the risk management process is the action plan for treating the risks identified. An example of how this can be documented in a risk register is shown below (columns: Event, Action Plan, Risk Owner, Resolve by):

Event: Failure to meet compliance obligations
Action Plan: AVOID - Implement formal compliance monitoring process:
  1. Identification of compliance requirements
  2. Identification of system or tool to manage compliance requirements
  3. Monthly review of compliance requirements to ensure there have been no material compliance breaches.
Risk Owner: Practitioner
Resolve by: 30-Sep-12

Event: Loss of Practitioner
Action Plan: REDUCE - Implement succession plan:
  1. Put in place power of attorney arrangements
  2. Document key processes
  3. Put in place a key client management system to ensure adequate documentation is maintained for key clients
  4. Adequately train a secondary level of management and/or identify a potential candidate for partner.
Risk Owner: Practitioner
Resolve by: 31-Oct-12

Event: Failure to collect receivables in a timely manner
Action Plan: REDUCE - Implement receivables tracking and debtor follow-up process:
  1. Identify requirements to track receivables, considering such things as payment terms and conditions
  2. Develop a process to track aged debtors/receivables and supporting requirements, including system reports
  3. Consider monitoring requirements, including frequency.
Risk Owner: Office Manager
Resolve by: 15-Sep-12

Risk treatment plans may involve the redesign of existing controls, introduction of new controls or monitoring of existing controls. Low impact risks may require periodic monitoring while major risks are likely to require more intense management focus.

AS/NZS ISO 31000:2009