What to read first: Assumptions
|New to this||Version 3.0 Beta|
It is quite likely that you have been given some guidelines already, and that those guidelines include:
- A template for a risk register, with a row for each risk and columns for per-risk details. Possibly it’s a form in an online system.
- A rating scale or matrix for risk consequences or impacts, distinguishing about five levels of impact.
- A rating scale for risk likelihoods, probability, or frequencies.
- A look-up matrix that takes a risk’s likelihood level and its consequence level and gives a combined ‘level of risk’ (or risk severity). This matrix may be brightly coloured.
- A separate template for registering risk treatments.
The how-to steps in this guide will differ from guidelines you have been given within your organisation.
The articles in this guide include models showing how the recommended method can be represented on a whiteboard or on a page. That way you won’t have to invent your own formats and steps while you are busy enough running your actual business and managing its risks. In important areas, the models provided here will look comfortably like typical corporate prescriptions. The models in Clear Lines on Audit and Risk can even be matched in a corporate database, if it has enough flexibility.
The important differences from organisational guidelines may not be about one template or scale being better than another.
This guide does not assert that its models are the best.
This guide asserts that real confidence in your unit’s outcomes is important, while going through the motions of ‘risk management’ is not. That change of perspective may lead to fundamental differences.
Another source of difference might be an organisational focus on Enterprise Risk Management, which could compete with your own management of risk.
The guide gives tips about managing those differences.
Please share any experiences with alternative models based on similar principles, and with linking this guide to on-line corporate ‘risk management’ systems. You can use the Leave a Reply box at the bottom of this page.
The blog method is consistent with the Australian Commonwealth Risk Management Policy, the international standard ISO 31000, and with the Australian ISO handbook on applying the international standard (HB 436). Specific templates, scales, and matrices do not appear in any of those sources. ISO 31000 starts out with some key principles for effective risk management (Section 3), and these principles are the central focus of the process recommended by Clear Lines on Audit and Risk.