Under the Australian Risk Management Standard (AS/NZS ISO 31000:2018), risk is defined as the “effect of uncertainty on objectives” and is measured in terms of the likelihood of that risk occurring and the consequences if it did.
The Standard assumes that:
Definition of Risk
Uncertain – not able to be relied on, not known, definite or understood.
Uncertainty in terms of risk means we need to initially consider anything that is not definite, in relation to our business objective. Further analysis then occurs to determine whether we need to, or can, do anything about it. Well-managed risk management processes that are embedded in our day-to-day functions provide many benefits to organisations and can underpin the effective achievement of objectives.
Hazard: a source of danger, a possibility of incurring loss or misfortune, probability or threat of a damage, injury, liability, loss, or other negative occurrence, caused by external or internal vulnerabilities.
No amount of planning can overcome risk, or the inability to control chance events. In the context of procurement, risk is an uncertain event or condition that, if it occurs, has a positive or negative effect on procurement objectives. A risk has a cause and, if it occurs, a consequence. Risk refers to any factor (or threat) that may adversely affect the successful completion of the procurement in terms of delivery of its outputs or adverse effects on resourcing, time, cost and quality. These factors/threats include risks to the business environment that may prevent the outcomes/benefits from being realised fully.
Risk planning is the process of defining potential risks and the ways in which the team will both mitigate their occurrence and respond if they actually occur. The result of this work is called a risk management plan: the comprehensive manner in which the team will identify and plan for how to deal with risk. The objectives of risk management are to increase the probability and impact of positive events and decrease the probability and impact of negative events in the procurement.
Most organisations have a pre-defined approach to risk management. The policies can define the activities to initiate, plan, and respond to risk. The team must map the risk management activities to these policies to conform to an organisation’s requirements. In addition, there may also be predefined roles and responsibilities within an organisation. These roles could impact on risk management planning, the decisions relevant to the risks, and the involvement of the participants. These roles and responsibilities and the policies associated with working with these individuals should be identified and considered early in the activities process to save time and frustration. The last component for the team to understand within the context of their organisation is the limit of power and autonomy they have on the activity.