BSBRSK501 Manage Risk Task 2

Risk analysis

RISK ANALYSIS AND MANAGEMENT PLAN

1

A) Likelihood :Once risks are identified, the next step is to determine the likelihood that the potential vulnerability can be exploited. Several factors need to be considered when determining this likelihood. First, the auditor needs to consider the source of the threat, the motivation behind the threat, and the capability of the source. Next, auditors need to determine the nature of the vulnerability and, finally, the existence and effectiveness of current controls to deter or mitigate the vulnerability. The likelihood that a potential vulnerability could be exploited can be described as high, medium, or low.

Rare risk means that highly unlikely, but it may occur in exceptional circumstances. It could happen, but probably never will.

Unlikely risk means that not expected, but there's a slight possibility it may occur at some time.

Possible risk means that the event might occur at some time as there is a history of casual occurrence at the University &/or similar institutions.

Likely risk means that there is a strong possibility the event will occur as there is a history of frequent occurrence at the University &/or similar institutions.

Frequent risk means that very likely. The event is expected to occur in most circumstances as there is a history of regular occurrence at the University &/or similar institutions/Organizations。

According to the Case Study, there are:

1. Banking Risk – There is possibility of theft of cash that is left on premises as the banking in Café was not done every day and often $4000 was kept on the premises overnight in the cash register. It is a possible risk.
2. Manager’s Travel Risk – It is an unlikely risk that the manager would involve in an accident in spite of being a competent driver because of the steep narrow climb up the range with trucks blocking the way that is quite difficult in daylight hours.
3. By-law Compliance Risk – It is an unlikely risk that if the employees or the manager use more water, they could get the fines for excessive usage of water and consequently breaching the current by-law will occur.

B) Consequence: Failing to address risk can lead to consequences that span the spectrum from mere inconvenience to grave danger. The general level of consequence is Catastrophic, Major, Minor, and Insignificant.

Catastrophic Risk like multiple injuries, regulatory intervention, net revenue loss or asset damage exceeds $x, damage to reputation at international level and long-term environmental damage.

Major Risk such as single stakeholder, breach of licenses, legislation, regulation or mandated standards; net revenue loss or asset damage between $xxx, damage to reputation at national level and medium-term (1-5yr) environmental damage.

Minor Risk like breach of internal procedures, net revenue loss or asset damage between $x-$xx, adverse news in local media and environmental damage which requiring up to $250,000.

Insignificant Risk like no breach of licenses, standards, guidelines or related audit findings; net revenue loss or asset damage $x, public awareness may exist, but there is little public concern and negligible environmental impact.

According to the Case Study, there are

1. Banking Risk – There is a possibility for theft of cash left on the premises and it is also dangerous to the employees in the Café. So, it is a major risk of not banking money every day.
2. Manage Travel Risk - There is a possibility for the manager to have an accident because of the long drive and also the navigating the steep narrow climb up the range. If there is any accident occurs, the company has to insure the manager as well as to find a substitute for the manager and this will slow down their Café business. So, it is major risk.
3. By-law Compliance Risk – If the company didn’t use the water effectively,they will end up paying the fines up to $50,000 according to the current by-law and it would be a loss for the company as well as a drawback for their organization. So, it is a minor risk.

C) Priorities:

Now that you have determined both the likelihood and consequence of risk, the two are combined to determine the rating. The most effective method of risk analysis is to generate a risk matrix. A risk matrix is shown below, where the identified consequence meets the identified likelihood, a risk rating is given.

The allocation of a risk rating should prompt a decision to be made about the action to be taken, as below.

Extreme – immediate senior management action, e.g. multiple deaths of employees.

High – Action plan needed, allocated responsibilities, e.g. damage to valuable assets.

Medium – Risk requires only monitoring and review, e.g. loss of assets due to staff theft.

Low – Risk accepted – but not ignored, e.g. a paper cut.

Extreme – Banking risk: keeping cash of $4000 on the premises is an extreme risk as there is possibility for theft and dangerous to employees.

High – Manager’s travel risk: because of the long drive. Then the company has to substitute for the manager as well as to do the insurance for the manager in order to support the manager.

Medium – By-law compliance risk: it is important to use the water effectively; other wise the company will end up paying the fines up to $ 50000.

D) Options: The options for treating the risk which is likely to be effective and feasible for the organization are action plan early and internal control procedures.

The following need to be considered when choosing an appropriate treatment for a risk: acceptability to all, administration efficiency, capacity compatibility, continuity of effects, contracts, cost effectiveness, economic and social environment, equity, individual freedom, jurisdictional authority, objectives, regulatory, risk creation and timing.

Develop an action plan for treating risks

Plan Early

Experienced operators know that risk management is a proactive process. It is not the thing you do when a risk emerges because by then it may be too late. Effective risk action plans are those that are part of the operations of the organization. Problems that start small can escalate into large threats, or a risk may appear suddenly that threatens the reputation of the entire organization. Having risk management processes and planning in place when these happen could stop the escalation and minimize the impact from the sudden disaster. The risk action plan outlines how the risk is to be managed and a timeline for this process to take place. It should include: the risk, risk rating, treatment activity or controls, roles and responsibilities for those involved, timeline, and monitoring arrangements.

Internal Control Procedures

Risk Management and Internal Controls

The Company is committed to the identification, monitoring and management of risks associated with its business

activities. Management is ultimately responsible to the Board for the Company’s system of internal controls and risk management. The Company’s risk management policies and procedures cover regulatory, legal, property, treasury, financial reporting and internal controls. A clear organizational structure exists detailing lines of authority and control responsibilities. Each business unit is responsible and accountable for implementing procedures and controls to manage risks within its business. Company management has established within its management and reporting systems a number of risk management controls. These include:

• Formal operating and strategic planning processes for all businesses within the Company;
• Annual budgeting and periodic reporting systems for all businesses which enable the monitoring of progress against financial and operational performance targets and metrics and evaluation of trends;
• Guidelines and limits for approval of capital expenditures and investments;
• Policies and procedures for the management of financial risk and treasury operations; and
• Standards of Business Conduct which are applicable to all employees. Certain risks cannot be mitigated to an acceptable level by internal controls. Such risks are transferred to third parties in the international insurance markets to the extent considered appropriate. An internal audit function operates under a charter which defines the purpose, authority and responsibility of the Corporate Audit Department. The Corporate Audit Department’s mission is to provide an independent, objective assessment of risk and evaluation of the effectiveness of internal operating and financial controls within the Company’s various operating businesses. The areas of emphasis for the conduct of the assessment include the:
• appropriateness, efficiency, and effectiveness of the internal control environment and the susceptibility of that environment, on a sample basis, to frauds, failures in internal controls, or breaches in authority;
• reliability and integrity of financial and other operating controls;
• extent of compliance with Company policies and procedures;
• accuracy and integrity of and security over data and information;
• accountability for the Company’s assets to safeguard against loss;
• adequacy of reviews made by the operating companies to ensure an effective internal controls environment is fostered; and
• economy and efficiency with which resources are employed. The results of each audit and agreed-upon management action plan are reported on a timely basis to the management responsible for implementing changes. The Corporate Audit Department reports to the Company’s Audit Committee and meets with them at least four times a year to review the annual Corporate Audit Plan and the results of its activities. The activities of the Corporate Audit Department are separate and distinct from those of the Company’s independent registered public accounting firm. However, active coordination between the two groups is recognized as essential in order to maximize the Company’s return on investment for audit services.

Risk management plan