
Risk 101: Understanding the Basics of Risk Management

Apr 3

Risk management is essential to running a successful business. Whether protecting employees, maintaining profitability, preserving your company’s reputation, or meeting regulatory requirements, managing risk effectively is critical.


What is Risk?

In simple terms, risk is the possibility that something unwanted or harmful might happen. It is the combination of two factors:

  • Likelihood (How likely it is to happen)

  • Consequence (How severe the outcome would be if it did happen)


In ISO 31000:2018 (Risk management – Guidelines), risk is defined as:

“The effect of uncertainty on objectives.”

This definition is intentionally broad and applies to both positive and negative outcomes. It emphasises that risk is not solely about threats or negative consequences but also includes opportunities. The key aspects of this definition are:

  • Effect: Refers to a deviation from the expected—this can be positive, negative, or both.

  • Uncertainty: Relates to the lack of knowledge or understanding about an event, situation, or outcome.

  • Objectives: These are the desired goals or outcomes that an organisation aims to achieve.


The ISO 31000 standard recognises that risk can impact different aspects of an organisation, including health, safety, environment, finances, reputation, and compliance. The approach it recommends involves managing risk by understanding the context, identifying potential risks, assessing their likelihood and consequences, implementing controls, and monitoring and reviewing the effectiveness of those controls.


Risk is everywhere in business—whether it’s related to safety, health, environment, finances, productivity, reputation, or compliance. Every business process or activity carries some degree of risk.


Purpose of Risk Management

The purpose of risk management is to systematically identify, assess, and control risks to reduce their impact to acceptable levels. It ensures organisations can:

  1. Protect employees and assets.

  2. Achieve business objectives.

  3. Maintain compliance with legal and regulatory requirements.

  4. Safeguard reputation and financial stability.


Scope of Risk Management

Risk management applies to all aspects of a business. This includes:

  • Safety and Health – Preventing workplace injuries and illnesses.

  • Environment – Minimising harm to the environment.

  • Financial – Protecting against monetary loss or fraud.

  • Productivity – Ensuring efficient processes and avoiding downtime.

  • Reputation – Safeguarding the company’s public image.

  • Regulatory Compliance – Meeting legal and industry standards.


International Standards for Risk Management

The ISO 31000 standard is a globally recognised framework for risk management. It provides guidelines and principles to help organisations develop a structured approach to managing risks. It outlines how to create, implement, monitor, and continuously improve risk management processes across all areas of an organisation.


The Risk Management Process

A comprehensive risk management process involves the following steps:

  1. Establishing Context – Understanding the environment, stakeholders, and goals.

  2. Risk Identification – Recognising potential hazards or risks.

  3. Risk Assessment – Evaluating the likelihood and consequences of each risk.

  4. Risk Control – Implementing measures to reduce or eliminate risks.

  5. Monitoring and Review – Continuously improving the process.


Hierarchy of Control

When controlling risks, it’s essential to use the Hierarchy of Control, a systematic approach ranked from most effective to least effective:

  1. Elimination – Remove the hazard completely.

  2. Substitution – Replace the hazard with something less harmful.

  3. Isolation – Separate people from the hazard.

  4. Engineering Controls – Modify equipment or processes to reduce risk.

  5. Administrative Controls – Implement policies, procedures, or training to reduce risk.

  6. Personal Protective Equipment (PPE) – Wear gear to minimise risk (e.g., gloves, helmets).

  7. Behaviours – While not included in the typical hierarchy of control, behaviours and culture significantly impact the success of controlling risk.


Understanding Higher and Lower Order Controls

It is important to note that Elimination, Substitution, Isolation and Engineering controls (higher order controls) reduce risk by removing or controlling the hazard at the source, or by putting barriers between people and hazards. Administrative, PPE and Behavioural controls instead rely on people to "do a thing" or "wear a thing". These are lower order controls and are less effective because they depend on consistent human performance, which can be affected by fatigue, distraction, skill level and other human factors. For higher consequence activities, lower order controls are not effective on their own and should be supplemented by higher order controls.


Enhancing Administrative Controls with Engineering Solutions

Although administrative controls are considered lower-order controls, they can be enhanced with engineering solutions to make them more reliable and effective. This approach creates a multi-layered control that strengthens the overall risk management strategy. For example, where training or competency would otherwise be the only control, an interlock system can be added so that only those with up-to-date training and competency can operate the equipment. Another example: administrative controls such as inspections can be scheduled in your maintenance management system so that a work order is produced, lowering the risk of the inspection being missed.


So Far as Reasonably Practicable

So Far as Reasonably Practicable (SFAIRP) is a common safety principle used worldwide. It means that you must do everything you can to eliminate or reduce risks unless the effort, time, or cost of doing so is far greater than the benefit gained.


In simpler terms, it’s about taking reasonable steps to keep people safe, without expecting you to do things that are unrealistic or hugely expensive for very little safety improvement.


To reduce risk so far as reasonably practicable, a full understanding of the risk is required: what can go wrong, how bad the consequences are, how quickly the risk can escalate from failure of controls to causing harm (risk velocity), and what measures are in place to a) prevent the risk from eventuating and b) minimise harm through robust response processes if the risk does eventuate.


Understanding Hazards, Likelihood, Consequence, and Risk Matrix

Risk assessment involves breaking down risks into key components:

  • Hazard: Anything with the potential to cause harm. Example: Wet floor in a supermarket.

  • Likelihood: The chance of the hazard causing harm. Example: A wet floor in a busy area is more likely to cause a slip.

  • Consequence: The severity of harm if the hazard causes an incident. Example: A slip could result in minor bruising or a severe injury.

  • Risk Matrix: A tool that helps assess risk by combining likelihood and consequence to determine risk level (e.g., Low, Medium, High, Critical).


Risk Appetite

Risk appetite refers to the amount of risk an organisation is willing to accept to achieve its objectives. It’s about understanding what level of risk is considered acceptable, what requires more attention, and what is entirely unacceptable. This is usually embedded into the risk matrix through levels of risk calculation.
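As an added illustration (not from the article), the script below scores a small constructed risk register with a 5x5 risk matrix, applies a risk-appetite ceiling to the resulting bands, and flags the situation described under higher and lower order controls: a higher consequence activity relying only on lower order controls. The scale values, bands, ceiling and register entries are all assumptions chosen for the example.

```python
# Added example: risk matrix scoring with an appetite ceiling and a
# hierarchy-of-control check. All scales and register entries are constructed.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost_certain": 5}
CONSEQUENCE = {"insignificant": 1, "minor": 2, "moderate": 3, "major": 4, "catastrophic": 5}

# Risk bands over the product likelihood x consequence (1..25). The band
# thresholds are where risk appetite is embedded in the matrix.
RISK_BANDS = [(1, 4, "Low"), (5, 9, "Medium"), (10, 16, "High"), (17, 25, "Critical")]
APPETITE_CEILING = "Medium"  # highest band accepted without escalation (assumed)

# Hierarchy of control split into higher and lower order, as in the article.
HIGHER_ORDER = {"elimination", "substitution", "isolation", "engineering"}
LOWER_ORDER = {"administrative", "ppe", "behavioural"}


def risk_level(likelihood: str, consequence: str) -> tuple:
    """Combine likelihood and consequence into a score and a matrix band."""
    score = LIKELIHOOD[likelihood] * CONSEQUENCE[consequence]
    for low, high, band in RISK_BANDS:
        if low <= score <= high:
            return score, band
    raise ValueError(f"score {score} is outside the matrix")


def assess(entry: dict) -> dict:
    """Score one register entry and flag appetite and control-hierarchy problems."""
    score, band = risk_level(entry["likelihood"], entry["consequence"])
    bands = [b for _, _, b in RISK_BANDS]
    outside_appetite = bands.index(band) > bands.index(APPETITE_CEILING)
    controls = {c.lower() for c in entry["controls"]}
    # Major or catastrophic consequence with only lower order controls in place.
    high_consequence = CONSEQUENCE[entry["consequence"]] >= 4
    lower_order_only = bool(controls) and controls <= LOWER_ORDER
    return {"hazard": entry["hazard"], "score": score, "level": band,
            "outside_appetite": outside_appetite,
            "needs_higher_order_control": high_consequence and lower_order_only}


# Constructed register: the article's wet-floor hazard plus a higher consequence one.
REGISTER = [
    {"hazard": "Wet floor in busy supermarket aisle", "likelihood": "likely",
     "consequence": "minor", "controls": ["administrative", "ppe"]},
    {"hazard": "Unguarded conveyor drive", "likelihood": "possible",
     "consequence": "major", "controls": ["administrative", "behavioural"]},
]

if __name__ == "__main__":
    for item in REGISTER:
        print(assess(item))
```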


Basic Risk Assessments

Most organisations use basic forms of risk assessment to manage everyday tasks and identify hazards associated with routine activities. These assessments are generally straightforward and suitable for low to moderate-risk activities.

  • Job Safety Analysis (JSA) / Job Hazard Analysis (JHA): A structured approach to breaking down tasks to identify hazards and controls for each step.

  • Safe Work Method Statement (SWMS): Similar to a JSA / JHA, a SWMS is used to outline high-risk work activities, potential hazards and controls to minimise risk. Commonly used in the construction industry.

Complex Risk Assessments

While basic risk assessments work for many situations, some industries require more detailed and structured approaches, such as:

  • HAZOP (Hazard and Operability Study): A systematic approach to identifying and evaluating hazards in complex processes.

  • Bowtie Analysis: Visual representation of how risks are controlled through preventive and mitigating measures. Controls are aligned with specific threats or causes rather than attempting to control the event or consequence.

  • Fault Tree Analysis: A method to identify possible failure points in a system.

  • Layers of Protection Analysis (LOPA): A semi-quantitative assessment method used to evaluate the effectiveness of multiple safety controls in place to prevent a hazardous event. It helps determine if enough independent protective layers are present to reduce risk to an acceptable level.

  • Quantitative Risk Assessment (QRA): A QRA involves using numerical data and statistical methods to estimate the probability and consequences of hazardous events.
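To show the LOPA arithmetic the list above describes, here is an added worked example (not from the article): the initiating event frequency is multiplied by the probability of failure on demand (PFD) of each independent protection layer, the result is compared with a tolerable target frequency, and any shortfall is expressed as the additional risk reduction factor still needed. The scenario, frequencies, PFDs and target are constructed values.

```python
# Added LOPA example with constructed figures. Frequencies are events per year.
INITIATING_EVENT_FREQ = 1.0    # e.g. a control loop failure once a year (assumed)
TARGET_MITIGATED_FREQ = 1e-5   # tolerable frequency set by risk appetite (assumed)

# (layer name, PFD, independent of the initiating event and of other layers?)
# A layer that shares equipment with the initiator is not independent and
# receives no credit, which is the core rule of LOPA.
LAYERS = [
    ("basic process control system", 0.1, False),
    ("operator response to alarm", 0.1, True),
    ("safety instrumented function", 0.01, True),
]


def mitigated_frequency(initiating_freq, layers):
    """Multiply the initiating frequency by the PFD of every credited IPL."""
    freq = initiating_freq
    credited = []
    for name, pfd, independent in layers:
        if independent:
            freq *= pfd
            credited.append(name)
    return freq, credited


def lopa_gap(initiating_freq, layers, target):
    """Return (mitigated frequency, credited IPLs, extra risk reduction factor).
    A factor of 1.0 means the existing IPLs already meet the target."""
    freq, credited = mitigated_frequency(initiating_freq, layers)
    factor_needed = max(1.0, freq / target)
    return freq, credited, factor_needed


if __name__ == "__main__":
    freq, credited, factor = lopa_gap(INITIATING_EVENT_FREQ, LAYERS, TARGET_MITIGATED_FREQ)
    print(f"credited IPLs: {credited}")
    print(f"mitigated frequency {freq:.1e}/yr vs target {TARGET_MITIGATED_FREQ:.1e}/yr")
    print(f"additional risk reduction factor needed: {factor:.0f}")
```

Adding a further independent layer (for example a relief valve with its own PFD) to LAYERS and re-running shows how the gap closes.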


Understanding the Foundations of Good Risk Management

Effective risk management starts with a thorough understanding of core risk management concepts and a comprehensive assessment of the risk. This means:

  • Knowing what can go wrong (hazards and risks).

  • Understanding how bad the consequences could be (severity).

  • Considering how quickly the risk could escalate (risk velocity).

  • Applying suitable controls to prevent or mitigate harm.


By applying standards like ISO 31000 and using well-established tools such as the risk matrix and the Hierarchy of Control, organisations can better identify, assess, and control risks.


The key to good risk management is using a systematic and structured approach that covers all aspects of risk, including health, safety, environment, productivity, financial stability, and reputation. Implementing effective risk management processes helps create a safer and more resilient operation, capable of anticipating, preventing, and responding to risks before they cause harm.


If you'd like to learn more, here are some of our upcoming courses in risk management or view our training calendar here.

If you would like to discuss your risk management strategy, please contact SRA Global.

