Fundamentals of Risk Management
Risk response
Treat risk

When the level of risk exposure (likelihood) associated with a particular hazard is high but the potential loss (impact) associated with it is low, the organization will wish to treat the risk. Risk treatment will often be undertaken with the risk at the inherent and/or current level, so that when the risk has been treated, the new current level or target level may become tolerable. Actions to improve the standard of risk control will always be under constant review in an organization.

On a personal level, wearing a seat belt when driving a car or fitting an intruder alarm in a house are examples of risk reduction actions. Improvements to standards of risk control in relation to physical (insurable) risks are well known. Fitting sprinklers to buildings, providing enhanced building security arrangements and employee security vetting are all examples of risk improvement actions designed to better manage hazard risks.

When identifying suitable risk treatment options, the organization will need to look at the effect of the treatment on the likelihood of the risk materializing as well as looking at the impact of the risk should it materialize. Cost-effective risk treatments will need to be selected and the effect of different control measures can be shown on a risk matrix, as in Figure 16.1.

There is an issue of terminology associated with treat risk. ISO 31000 considers that ‘treat risk’ is the main heading under which various options exist, such as:

● avoiding the risk by deciding not to start or continue with the activity;
● taking or increasing the risk in order to pursue an opportunity;
● removing the risk source;
● changing the likelihood or the consequences;
● sharing the risk with another party or parties;
● retaining the risk by informed decision.

Other risk management standards refer to ‘risk response’ as the main heading and this is the approach taken in this chapter. Using risk response as the main heading then gives rise to the options of tolerate, treat, transfer and terminate.

As with all issues of terminology, it is for the organization to establish its own risk vocabulary, one that is consistent with the external, internal and risk management context. In some cases, terminology will be dictated by the external context. For example, banks and other financial institutions will need to use the terminology of the regulator. On occasions, terminology is dictated by the internal context within the organization. If the terminology that has developed within the organization is inconsistent with the terminology in ISO 31000, it is probably the case that the risk manager would be better advised to use the terminology that already exists within the organization, rather than trying to introduce new terms or new meanings for existing terms.