Identifying Risk

Engaging Stakeholders

Communication and consultation with internal stakeholders and external stakeholders, State Commissioners and SGGO CEOs, where applicable, should occur during all stages of the risk management process. A well planned and effective consultative approach:

  • Helps establish the context appropriately.
  • Enables the interests of stakeholders are understood and considered.
  • Helps confirm that risks are adequately identified.
  • Brings different areas of expertise together for analysing risks.
  • Allows for different views to be considered appropriately when selecting risk measurement criteria and when evaluating risks.
  • Secures endorsement and support for treatment plans.
  • Enables all parties to be aligned and reduces the opportunity for ambiguity or uncertainty.
  • Enables appropriate change management during the risk management process; and
  • Develops an appropriate external and internal communication and consultation plan.

As GGiA continues to build a strong risk culture, the expectation will be that all Adults in Guiding will feel confident to speak up and to escalate their risk concerns openly, honestly, and quickly, and to contribute to practical solutions.

Establishing the Risk Assessment Context

Prior to undertaking a risk assessment, establishing the context is a critical first step. This involves identifying and articulating what the business wants to achieve and looking at the external and internal factors that may impact operations and objectives.

To establish the context, the following points should be considered:

  1. Defining the scope including:
    • relevant organisational strategies and objectives to be considered
    • the level of risk assessment to be undertaken (i.e., national or state); or
    • who should participate in the risk assessment (largely driven by the level of assessment being undertaken and internal and external stakeholders)?
  2. Systematically reviewing any changes (new or likely) because of the external (e.g., regulatory, political, community, stakeholders), and internal (organisational restructure, changes in policy, IT) operating environment, and how these impact, or potentially will impact, the relevant objectives. This is a fundamental activity as it enables a more considered and comprehensive risk identification activity.

The results of the above analysis will assist in determining the level at which further consultation during the remaining steps of the assessment is required (i.e., SGGO level, Region, District, Unit, Event, Corporate, etc.). For example, if the context of a particular assessment proves to be wholly at the SGGO level, it remains important for the organisation that individuals at all levels be aware of the risks associated with the activity or function and their potential implications.

Risk Categories

The major risk categories identified by GGiA are:

  • Child Safe Child Friendly
  • Our People
  • Financial
  • Strategic
  • Guiding
  • Operations
  • Information Security and Technology
  • Governance and Regulatory

See the Risk Appetite for Major Risk Categories Table in the Risk Appetite section for more information.

GGiA management will provide regular reports to the Board or relevant risk committee on emerging risks so that any new major risks can be identified.

Risk Identification

Risk identification is the process of finding, recognising and describing risks.

The aim of the risk identification process is to generate a comprehensive list of risks that describe the possible events and/or changes in circumstances that could prevent or delay the achievement of GGiA objectives, outcomes, and priorities, at all levels within the organisation.
This is the identification of what, why and how events arise as the basis for further analysis. Most of GGiA’s activities and initiatives will be comparatively straightforward, comprising no more than Girl Guiding activities or business processes. In these circumstances, the process of identifying and analysing Risk is directly comparable with that already well-practised by all levels of Adults in Guiding and management.

Risk during simple activities, such as Unit meetings, can be identified by asking:

  1. What is the activity we are about to do?
  2. How can it harm those involved?
  3. What action can I take which reduces or removes the risk?

For more complex activities (including State Office managed risk) we can identify risks by asking:

  1. When, where, why and how are the risks likely to occur, and who might be involved?
  2. What is the source of each risk?
  3. What are the consequences of the risk?
  4. What existing controls exist and are the controls adequate to mitigate the risk given the likelihood and impact?
  5. Who are the major stakeholders involved in the risk process, i.e., governance or operational risk?

In many cases a single risk may be apparent. Where the activity is more unusual and/or complex, the nature and level of any associated risks may not be so obvious. In these cases, a more structured approach to identifying and assessing the potential for risk may be required.

It’s important during risk identification not to only focus on the ‘front of mind’ risks but extend consideration to potential risks that are less obvious to ensure the activity is comprehensive. Determining any recent or likely changes in the external and internal operating environment will also contribute significantly to the risk identification activity. A well-structured, systematic process for risk identification has been developed because risks not identified at this stage are excluded from further analysis and treatment.

Risk identification is to be an ongoing and continual process. The purpose of thinking about risk is to prevent harm arising in the future and to enable the identification and taking of opportunities in an informed way – considering both the positive as well as the potential negative impacts.

While GGiA formally schedules regular risk reviews (see Risk Communication and Consultation Table), it also encourages all Adults in Guiding to communicate any emerging risks at any time – consistent with GGiA’s positive risk culture.

Risks will be identified and described under three key components:

  1. Risks are the likelihood a hazard will cause harm i.e., the chance of something happening that will have an impact on GGiA or its objectives.
  2. Causes are events or set of circumstances that give rise to uncertainty (risk). i.e., factors such as activities, practices, processes, compliance requirements, liabilities, influences, or obligations contribute to the Risk.
  3. Impacts is the combined effect on an organisation of the Likelihood and Consequences of a Risk occurring.

In generating the description of these three components, it is necessary firstly to identify what might happen (the risk), and then consider the possible causes that lead to the risk, and finally identify the impacts that are likely to arise if the risk was to occur. A risk may have one or more causes and, if it occurs, one or more impacts.

There is real benefit in identifying and describing risk into these three individual components including:

  1. Having a clear and concise understanding of the actual risk.
  2. Being able to readily focus, and prioritise, mitigation strategies.
  3. Ideally the aim is to avoid the risk or at least reduce it, and this is best achieved by focusing on the cause of the risk.
  4. If this can’t be achieved (e.g., cost-benefit), the next best option is to focus on controlling the risk itself.
  5. The least preferred option is to manage/reduce the impacts if the risk should occur.

Each risk needs to have a Risk Owner assigned who is accountable for the management of the particular risk, including the timely implementation of risk treatment plans

Once risks are identified it is necessary to link risks to Risk Categories (as this will allow the risk identification process to focus on the appropriate risks). The Risk Register allows for the recording of Risk Categories impacted by individual risks.

All risks, causes, and impacts need to be recorded into the appropriate Risk Register (GGA or an SGGO’s). Once a risk has been identified and recorded, it needs to be communicated to the SGGO and GGA Boards, as appropriate.

Last Modified: 16/08/24 at 2:49 PM