4. Treat Risks

Risk Management Framework

Risk treatment involves developing a range of options for mitigating the risk, assessing those options, and then preparing and implementing action plans. The highest rated risks should be addressed as a matter of urgency.

Selecting the most appropriate risk treatment means balancing the costs of implementing each activity against the benefits derived. In general, the cost of managing the risks needs to be commensurate with the benefits obtained. When making cost versus benefit judgements the wider context should also be taken into account.

Depending on the type and nature of the risk, the following options are available:

  • Avoid - deciding not to proceed with the activity that introduced the unacceptable risk, choosing an alternative, more acceptable activity that meets business objectives, or choosing an alternative, less risky approach or process.
  • Reduce - implementing a strategy that is designed to reduce the likelihood or consequence of the risk to an acceptable level, where elimination is considered to be excessive in terms of time or expense.
  • Share or Transfer - implementing a strategy that shares or transfers the risk to another party or parties, such as outsourcing the management of physical assets, developing contracts with service providers or insuring against the risk. The third party accepting the risk should be aware of, and agree to accept, this obligation.
  • Accept - making an informed decision that the risk rating is at an acceptable level or that the cost of the treatment outweighs the benefit. This option may also be relevant in situations where a residual risk remains after other treatment options have been put in place. No further action is taken to treat the risk; however, ongoing monitoring is recommended.

A range of treatments may be available for each risk and these options are not necessarily mutually exclusive or appropriate in all circumstances.

Develop a risk treatment plan

Determine the level of treatment plans required for each risk level. For example, for risks rated as ‘high’, a treatment plan must be developed. However, for risks rated as ‘low’ and ‘very low’ that have improvement opportunities, development of a treatment plan may be at the discretion of the partner or partners.

Effective risk treatment relies on committing to realistic objectives and timelines for implementation.

For each risk identified in the risk assessment, detail the following:

  1. Specify the treatment option selected - avoid, reduce, share/transfer or accept.

  2. Document the treatment plan - outline the approach to be used to treat the risk. Any relationships or interdependencies with other risks should also be highlighted.

  3. Assign an owner - who is accountable for monitoring and reporting on progress of the treatment plan implementation.

  4. Specify a target resolution date - where risk treatments have long lead times, consider the development of interim measures. For example, it is unlikely to be acceptable for a residual risk to be rated ‘high’ and to have a risk treatment with a resolution timeframe of two years.

Implement and monitor treatment plans

When implementing a treatment plan, consider how the initiatives will be supported:

  • Firm structure - Does there need to be any change to structure or delegations to support the risk treatment plan?
  • Financing - If the budget for control improvement is constrained, should there be a process to prioritise controls with the greatest need or cost benefit?
  • Resource availability - Does the firm have sufficient physical, human or financial resources to implement the risk treatment plan?
  • Communication with stakeholders - Does the firm need to commence briefing sessions to inform stakeholders as to what changes are required and why?

For each treatment plan, also document the following:

  • Monitoring mechanisms and review points - Specify the mechanisms by which implementation will be monitored. This may include indicators to determine if the risk is increasing or decreasing. Successful implementation will usually be linked to business planning activities and reviewed regularly.
  • Status of the treatment plan - the status of the treatment plan is either ‘open’ (in progress) or ‘closed’ (implementation completed). If the status is closed and the risk has been eliminated, the risk may be moved from the current risk register into a closed items register. Where a risk is not eliminated, it should be retained in the current register. If another treatment plan is required, this should be agreed; if no other action is possible, the agreed treatment may be to accept and monitor the risk.

Example

The key output from the risk treatment stage in the risk management process is the action plan for treating the risks identified. An example of how this can be documented in a risk register is shown:

Risk register example (Event falls under Risk Identification; Action Plan, Risk Owner and Resolve by fall under Risk Treatment):

Event: Failure to meet compliance obligations
Action Plan (AVOID): Implement formal compliance monitoring process:
  1. Identification of compliance requirements
  2. Identification of system or tool to manage compliance requirements
  3. Monthly review of compliance requirements to ensure there have been no material compliance breaches.
Risk Owner: Practitioner
Resolve by: 30-Sep-12

Event: Loss of Practitioner
Action Plan (REDUCE): Implement succession plan:
  1. Put in place power of attorney arrangements
  2. Document key processes
  3. Put in place a key client management system to ensure adequate documentation is maintained for key clients
  4. Adequately train a secondary level of management and/or identify a potential candidate for partner.
Risk Owner: Practitioner
Resolve by: 31-Oct-12

Event: Failure to collect receivables in a timely manner
Action Plan (REDUCE): Implement receivables tracking and debtor follow-up process:
  1. Identify requirements to track receivables, considering such things as payment terms and conditions
  2. Develop a process to track aged debtors/receivables and supporting requirements, including system reports
  3. Consider monitoring requirements, including frequency.
Risk Owner: Office Manager
Resolve by: 15-Sep-12

Risk treatment plans may involve the redesign of existing controls, introduction of new controls or monitoring of existing controls. Low impact risks may require periodic monitoring while major risks are likely to require more intense management focus.

AS/NZS ISO 31000:2009