Managing Risk

The new lecturer wanted to learn more about management, as he wanted to be a senior manager and a lecturer. He knew that the higher you go in an organisation, the more management skills you need.


Asking for help


The new lecturer turned to his mentor to deepen his understanding of management. The mentor, now the Head of the department, was eager to nurture capable staff and agreed to assist his mentee, telling him, “Today, we embark on a journey into the realm of risk and its management,” setting the stage for an enlightening conversation. The new lecturer, acknowledging his limited knowledge of the subject, confessed that his lack of understanding of risk was itself a risk. His mentor, with a knowing smile, recognised the underlying concern.


What is risk?


Underlining the significance of risk management in an organisation’s governance, the Head shared a globally accepted definition of risk from the International Risk Management Standard AS/NZS ISO 31000:2018 (the ‘Standard’). Here, ‘risk’ is defined as the ‘effect of uncertainty on objectives’, and ‘risk management’ is a series of coordinated activities to direct and control an organisation with regard to risk. He also presented other easily understood definitions of risk, including ‘The chance of not achieving your objectives’ by Cyril Jankoff and ‘uncertainty that matters’ by David Hillson. The Head, eager to elaborate, chose the latter definition and used rain as a relatable example. He said that it is uncertain whether it will rain or not. If we are running a lecture at the college, it is an uncertainty that does not matter because we are safe from the rain. However, if we had a field trip in the open air, then the uncertainty does matter.


Internal and external risks


The Head cautioned that one must be vigilant in assessing internal and external risks, as both require management. Internal risks get a lot of attention as they are generally easier to recognise and mitigate. They include personnel management issues, such as labour shortages and safety, and technology issues, such as outdated software. External risks are harder to recognise and mitigate but must be considered. They include economic slowdowns, macro infrastructure changes, and political risks from trade wars hurting international sales. He emphasised that failure to consider both types, especially in a way that adequately addresses both, can be detrimental or even fatal to an organisation.


The Seven Generic Steps in the Risk Management Process


He said that according to the Standard, a Risk Management Process is a seven-step process. The steps are:

  • Step 1 - Communication and Consultation
  • Step 2 - Establish the Context
  • Step 3 - Risk Identification
  • Step 4 - Risk Analysis
  • Step 5 - Risk Evaluation
  • Step 6 - Risk Treatment
  • Step 7 - Monitoring and Review


Summary of the seven-step risk management process


The Head said that, in his opinion, the new lecturer should etch the following four steps into his mind, summarising them from the Standard’s seven-step approach. He said that the original Steps 1 and 2 were preliminary to the process and that Steps 4 and 5 could be amalgamated. He said that, after establishing the context and communicating and consulting with others, the seven-step process could be summarised in four points:

  • Identify (Step 3 of the seven steps)
  • Assess, including prioritisation (Steps 4 & 5)
  • Treat (Step 6)
  • Did we get there? (Step 7 Monitor and review).


The Head’s summary of the four steps


First: Identify

He said the starting point in managing risk is identifying the internal and external risks you face, as one can only do something about risks if they are first identified. He listed ways to identify risk, including audits, complaints, history analysis and brainstorming. He said he often used brainstorming and found it a fast and effective way to identify key risks. However, he cautioned that those brainstorming should not all be of one occupation, such as engineers or accountants, but be a mixture so they could feed off each other when brainstorming.


Second: Assess (and prioritise)

After identifying the risks, he said we must assess them to determine how to treat them, and in what order. To assess the risk, we need to do two things: analyse and evaluate the risk. This is where we develop a better, more objective understanding of the risk. This step relates to analysing risks in terms of potential consequences and likelihood. Numbers are given for the consequence and likelihood of each risk, with 1 being the lowest and 5 being the highest. Thus, very high-risk consequences and likelihood will have a score of 5 for each, and when multiplied, the total will be 25. The reader would see this as an Extreme Risk and know that this risk needs to be reduced as soon as possible. He noted that the purpose of risk evaluation is to assist in making decisions, based on the outcomes of risk analysis, about which risks need treatment and the priority for treatment implementation.


Third: Treat (Step 6)

This step focuses on how to best deal with the identified risks. Practical ways to respond to risk include:

  • Accept – here we need to understand the impact and be willing to accept the associated risk
  • Control – here we use preventative or corrective risk management control methods
  • Avoid – here we do not get involved in any activity
  • Transfer – here we give the matter to another. Care is required here because if the risk is shifted to another department, the organisation will still hold it.


Did we get there? (Step 7 Monitor and review).


This final step relates to monitoring and reviewing risks. Did we get to where we wanted to be? For continuous improvement, one needs to regularly monitor the effectiveness of all steps of the risk management process. Further mitigation may still be necessary if earlier attempt(s) did not sufficiently reduce the risk.



The Dean summarised by saying that risk could be described as uncertainty that matters, and thus, risks need to be treated, with priority given to those that matter, that is, those with a high assessment score. He mentioned General George Patton, the famous Allied World War II general, who said that you need to take risks to achieve objectives but be sensible and only take calculated risks. The Dean said that is the way he ran his faculty.



Associate Professor Cyril Jankoff is the Associate Dean, Scholarship at UBSS and a member of the GCA Compliance Directorate