Risk Treatment
Risk treatment is the process to modify risk. It involves selecting a treatment option, assessing the appropriateness and effectiveness of the treatment option, preparing treatment plans and implementing them. Accountability for taking risks or for not acting resides with the appropriate person, depending on the level of risk.
Risk Treatment Options
Avoid the Risk
Occasionally, a risk can be avoided by not proceeding with the activity likely to generate it. This should not be the automatic preferred option (unless the risk is evaluated as High/Certain/Severe with no mitigating options).
Risk avoidance can occur inappropriately because of an attitude of risk aversion (failure to accept any risk, or worse, not recognising risks at all). Inappropriate risk avoidance can increase the significance of other risks. Risk aversion results in:
- decisions to avoid or ignore risks regardless of the information available and potential costs incurred in not treating those risks
- failure to treat risk
- leaving critical choices and/or decisions up to other parties
- deferring decisions that the organisation cannot avoid
- selecting an option because it represents a potential lower risk regardless of the benefits of the original activity.
Reduce the Likelihood of Occurrence
Exposure to risk may be limited by reducing or controlling the likelihood of an event occurring.
The following may reduce or control the likelihood of a risk occurring:
- policies and procedures
- audit, compliance, inspections and process controls and programs
- contractual conditions
- formal reviews of requirements, specifications, design, engineering, and operations.
This list is neither exhaustive nor exclusive; there may be other options.
Reduce the Consequences
Preparation to reduce, control or mitigate the consequences of a risk can aid in making a particular risk more acceptable.
The following may reduce or control the consequences of a risk:
- contingency planning
- contractual arrangements/conditions
- design features
- engineering and structural barriers
- fraud control planning
- minimisation of exposure to sources of risk
- separation or relocation of an activity and resources
- reserving resources
- public relations.
This list is neither exhaustive nor exclusive; there may be other options.
Transfer the Risk
Transferring the risk involves another party bearing or sharing some part of the risk. Risk transfer mechanisms include the use of contracts, insurance arrangements and organisational structures such as partnerships and joint ventures.
Transferring risk to other parties or physically transferring the source of risk to another location may reduce the risk to GGiA but may not reduce the overall level of risk to its constituents.
Retained Residual Risks
After risks have been reduced or transferred, residual risks may remain. Plans should be put in place to manage the consequences of these residual risks.
Risks may also be retained by default, for example a low-level risk that is considered acceptable for GGiA to carry or where there is a failure to identify and/or appropriately transfer or otherwise treat a risk.
Implementing Treatment Options
The objective is to mitigate the risk to an acceptable level through the implementation of targeted treatment actions. It is not usually cost-effective or even desirable, however, to implement all possible risk treatments, so it is necessary to select the most appropriate risk treatment or combination of treatments. This requires an evaluation of the benefits and disadvantages of each risk treatment option by considering:
- The cost to implement the treatment
- The benefits to be achieved in implementing the treatment
- If the treatment triggers any other risks
- Resources required to implement and maintain the treatment
- Capacity of the organisation to accept the change associated with the treatment.
Once treatments have been selected the following process is followed:
- Determine the treatment owner and schedule treatment implementation
- Implement each action by the scheduled time
- Review the success of each action implemented
- Communicate the success of each action implemented in mitigating the risk and reducing the risk profile.
For higher priority risks, GGiA is required to develop and implement specific risk management plans, including funding considerations. Lower priority risks may be accepted but continue to be monitored so that they don’t become higher priority risks.
Ideally, the responsibility for treatment of risk should be borne by those best able to control the risk. Responsibilities should be agreed between the parties at the earliest possible time. If after treatment there is residual risk, a decision shall be taken as to whether to retain this risk or repeat the risk treatment process.
Last Modified: 16/08/24 at 2:49 PM