Analysing Risk
Risk analysis is the process of understanding the nature of a risk and determining its level. It establishes the probable impact of the risk on organisational objectives.
Following risk identification, GGiA applies a two-stage risk analysis process to determine Residual Risk and then Treated Risk. That is, it assesses the consequence of each risk, should it occur, and then determines the likelihood of the risk occurring with those consequences. A rating is then assigned to describe the magnitude of the potential consequence and the likelihood of occurrence of each risk.
- Residual Risk is determined by estimating the consequences of the particular risk should it occur, and the likelihood of the risk occurring, with the selected consequences, in the presence of existing controls; and
- Treated Risk is determined by identifying the additional actions (‘treatments’) that are required to reduce the risk, and then re-estimating the consequence and likelihood of the risk based on these planned treatments (i.e. treated risk is the risk that is ‘left’ after treatments are implemented).
Identifying controls
Once risks have been identified, it is necessary to confirm the range of existing controls that currently operate to manage the risks. A control can be a policy, process, system, people resource, or physical prevention, and it must be measurable and auditable.
It is preferable to focus controls at the risk source, as this will ideally prevent or reduce the likelihood of the risk occurring (e.g., policy, technical guidelines, standards, training, management plans). If it is not cost effective to implement controls ‘at the source’, it is necessary to consider controls that minimise the impact of the risk should it occur. These may be physical (e.g., containment), procedural (e.g., contingency plans, emergency response procedures) or behavioural (e.g., emergency response training).
Many of the controls currently in place to manage risks are built into existing business systems and processes. A control must be in place and operating; if it is not yet in place, it remains a treatment rather than a control.
During the control identification process, it is necessary to identify the Control Owner. The control owner is often not the risk owner, and may not be under the direct influence of the risk owner. It is incumbent on the risk owner to regularly confirm with the control owner that the key controls are still in place and operating. It is equally incumbent on the control owner to notify the risk owner should a control breakdown or failure occur.
Control Effectiveness
To inform the determination of controlled consequence and likelihood, and whether further treatment of a particular risk is necessary, it is necessary to consider how effective the group of controls is in managing the risk. Understanding control effectiveness is important because it can highlight where further work may be needed to reduce the severity of the risk by improving the controls.
Risk Control Effectiveness Table
- Effective (well controlled): Controls are effective. Well documented, communicated and applied consistently. High level of confidence in the effectiveness and reliability of the controls. No improvement required.
- Limited Effectiveness (needs moderate improvement): Controls are moderately effective. Reasonably well documented, communicated and applied. Some confidence in the operating effectiveness and reliability of the controls. Moderate improvement required to mitigate risk. Improvement action required.
- Not effective (needs significant improvement): Controls are not effective. Controls are not (well) documented and communicated, and/or there is low confidence in the operating effectiveness and reliability of the controls. Significant improvement required to risk mitigation. Urgent action required.
Residual Risk Assessment
Once the current controls have been identified, and their effectiveness evaluated, an assessment of consequence and likelihood, using the criteria on the Risk Consequence Table below, is undertaken to determine the Residual Risk.
In determining the appropriate consequence level it is necessary to:
- Identify the specific consequence categories ‘triggered’ by the particular risk: Workplace Health and Safety, Reputation and Trust, Financial, Compliance and Governance, Program and Precinct Delivery, Environment and Cultural Heritage (see Risk Consequence Table)
- Determine the applicable consequence level for each category identified: Extreme, Major, Moderate, Minor, Insignificant, adopting a ‘plausible, worst case scenario’ approach
- Select the highest level as the overall consequence level.
Consequence assessment
Consequence is determined by using the consequence ratings in the Risk Consequence Table below.
When using this table, it is necessary to consider the impact the Risk would have on the purpose and objectives of GGiA, as well as the impact on the objectives of the specific activity or function.
Risk Consequence Table
Risk Category | Insignificant | Minor | Moderate | Major | Severe |
Child Safe Child Friendly | An adult member without a girl-facing role does not complete the CSCF for Adults in Guiding in the required timeframe and is not making decisions in accordance with the CSCF Framework | An Adult in Guiding with a child-facing role does not complete CSCF training in the designated timeframe (noting there will always be another adult present in accordance with the Supervision ratio) and does not respond to feedback, a concern or a complaint in accordance with policy | A Leader or Manager does not complete the CSCF for Leaders and Managers training and as a result is not aware of the responsibilities for reporting harm, abuse and neglect | Failure of an SGGO to have a system in place to monitor compliance with the CSCF Framework, resulting in GGiA not being able to demonstrate compliance with the National Principles for Child Safe Organisations | Deliberate non-compliance with the CSCF Framework, or repeated non-compliance with the CSCF Framework such that GGiA cannot demonstrate compliance with the National Principles for Child Safe Organisations |
Our People | Minor injury requiring first aid only; or minor complaint from a volunteer; or recruitment of volunteer and staff roles outside of normal recruitment cycles that does not impact on the day-to-day operations | Fractured bone, sprain etc. requiring medical intervention; or recruitment of a key volunteer leadership role or recruitment for executive leadership not completed by the required time, but underway; or appropriate training for Adults in Guiding not delivered | Injury requiring admission into hospital; or mid-tier volunteer or employee roles open, impacting key decision making and outcomes in the organisation | Serious injury to personnel; or executive leadership role unfilled for more than 3 months | No members; or death of a participant at a Guiding activity; or insufficient employees to support operational outputs; or data breach of personal identifiable data |
Finance | A lost nominal petty cash receipt (e.g., for milk supplies). | Delayed parent membership fees to Units. | Cancellation of a national event with a loss causing a negative overall financial impact below the ‘major’ level. | Significant fraud, loss of a third of GGA’s or state membership, or a loss with a negative overall financial impact below the ‘Catastrophic’ level. | Girl Guiding entity insolvency or bankruptcy. |
Strategy | Projects are temporarily delayed due to reassignment of resourcing. | Strategic project reporting is complete but lacks stakeholder feedback. | Strategic Projects are delayed by more than 4 months, once commenced. | No stakeholder engagement during implementation of strategic goals. | Non-delivery of GGA Board approved strategic initiatives. |
Guiding | Program / activity interrupted for 1 week. | Program / activity interrupted for 2-4 weeks. | Program / activity involving 2 or more Units is actually or potentially interrupted for more than 4 weeks. | Program / activity involving 2 or more Regions is actually or potentially interrupted for more than 4 weeks and no alternative is available. | Program / activity that, if interrupted, has the potential to threaten GGiA viability. |
Operations | Key employees unavailable to be contacted in a timely manner. | Temporary impact or interruption which may cause slight delay. | Short term impact to business operations, loss of data or personnel, short term impact | Significant impact to the business operations, loss of capacity and capability over a medium timeline. | Non-compliance against the Corporations Act resulting in penalties, fines or action by the ACNC |
Information Security and Technology | Adult in Guiding device failure requiring replacement | Office Wi-Fi is impacted for more than 24 hours. | GGA, SGGO and/or national information (i.e., 1300) phone lines are offline for more than 24 hours. | Data breach of non-personal identifiable data. | Data breach of personal identifiable data, or a ransomware attack, or total loss of Girl Guiding data. |
Governance and Regulatory | Adverse community sentiment/media article, or insignificant breach of governing rule with small breach consequence | Informal complaint from parent/member which may result in adverse media over several days; minor breach of governing rules with minor breach consequence | Formal complaint (e.g., written) or material breach of legislation leading to a more significant review being undertaken; failure to follow Supervision ratios in Guide Lines. | A breach of legislation; failure to follow ASIC rules. | Sustained reputational or legal damage with potential to lead to the collapse / closure of a GGiA entity; loss of GGA capacity to operate and WAGGGS removal of licence to operate as a recognised Girl Guide/Girl Scout organisation, and very serious damage to the reputation. |
Risk Likelihood
Risk likelihood can be assessed from various sources including:
- past records and statistical analysis
- relevant experiences, specialist, and expert judgements
- testing of equipment
- research literature
Risk Likelihood Table
LIKELIHOOD | DESCRIPTION | Expected Frequency (as a guide only) |
Almost Certain | The event is expected to happen in most circumstances. | More than once a year |
Likely | The event will probably happen in most circumstances. | Once a year |
Possible | The event should happen at some time. | Once every 3 years |
Unlikely | The event will probably not happen (or could happen at some time). | Once every 10 years |
Rare | The event may only happen in exceptional circumstances. | Less than once in 10 years |
Risk Impact Rating
By combining the estimated likelihood and consequence of an event, the level of risk remaining from that event is determined by assigning a Risk Impact Rating from the Risk Analysis Matrix table below.
Risk Analysis Matrix Table
Likelihood | Insignificant | Minor | Moderate | Major | Severe |
Almost Certain | Medium | Medium | High | Extreme | Extreme |
Likely | Low | Medium | High | High | Extreme |
Possible | Low | Medium | Medium | High | High |
Unlikely | Low | Low | Medium | Medium | High |
Rare | Low | Low | Low | Medium | Medium |
Last Modified: 16/08/24 at 2:49 PM