
Risk Response Protocols

Determining the Risk Acceptance Criteria: What Risk to Tolerate

[Figure: likelihood x consequence grid showing the risk index values (the product of the two scores), divided into an "Unacceptable risks" region and an "Acceptable risks" region]
Stage 4: Determine Risk Acceptability and Risk Response

Risk index | Risk magnitude | Risk acceptability | Proposed actions
-----------|----------------|--------------------|-----------------
20-25 | Maximum | Unacceptable | Take action to reduce risk with highest priority; accounting officer and executive authority attention
15-19 | High risk | Unacceptable | Take action to reduce risk. Inform senior management
10-14 | Medium | Unacceptable | Take action to reduce risk. Inform senior management
5-9 | Low | Acceptable | No risk reduction control. Monitor, inform management
1-4 | Minimum | Acceptable | No risk reduction control. Monitor, inform management

Risk Significance

If possible, it is useful to put values to the consequence score, for example, a cash loss over $1m might be considered very high if it threatened the existence of the organisation.

Since we need to sort risks, it helps to attach numbers to the risk measure (for example 4 for High).

Consequence and likelihood can be multiplied together to give a single measure of the significance of a risk, or a different combination can be used. For example, take the risk that a lorry may break down. Assuming we have only three old lorries, the consequence could be medium (scoring 3) but the likelihood could be high (scoring 4), giving a significance of 12.

Risks Before and After Internal Controls

Risks are ideally scored before and after taking account of the response which manages the risk.

Inherent (or gross or absolute) risk scores are measured by assessing the consequence and likelihood of a risk occurring before any internal controls are taken into account.

Residual (or net or controlled) risk scores are measured by assessing the consequence and likelihood of a risk occurring after any internal controls are taken into account.

What Risks are we Prepared to Accept?

We have talked about managing all risks to acceptable levels. Now that we have scored risks before and after internal controls, we can begin to define the organisation's risk appetite. One method of deciding which risks to accept is to place them on a grid of likelihood and consequence (see below). This enables the board to define the action it requires management to take for each likelihood/consequence combination.

Grid Showing the Significance of Risk: Key

Y axis: consequence of risk: Insignificant (1), Minor (2), Moderate (3), Major (4), Catastrophic (5)

X axis: likelihood of risk: Rare (1), Unlikely (2), Possible (3), Probable (4), Almost Certain (5)

Unacceptable: Immediate action required to manage the risk.
Issue: Action required to manage the risk.
Supplementary issue: Action is advisable if resources are available.
Acceptable: No action required.

IR = Inherent Risk; RR = Residual Risk. Risk appetite as described by the Board.

It is therefore necessary to understand the organisation's tolerance for each risk. This will help define how much tolerance management has for each risk.

Risk Assessment

Risks with exposure beyond management's tolerance are prime candidates for focused risk management actions. The boundary between the acceptable risks and those which require managing is known as the risk appetite. If inherent risks cannot be managed below this line by treatment, they will have to be terminated, transferred or tolerated.
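The following is an added worked example (not part of the original slides) that carries the scoring method above through in Python: consequence and likelihood scored 1-5 and multiplied into a risk index, the index mapped to the Stage 4 bands from the table, each risk scored before (inherent) and after (residual) internal controls, and both positions placed on the 5x5 grid against the risk appetite. It uses the two-level Unacceptable/Acceptable split of the Stage 4 table for the grid cells, because the page gives no index thresholds for the four-level key (Issue, Supplementary issue). The sample register, the control descriptions and the second risk are constructed assumptions; the lorry scores (3 and 4) are the page's own example.

```python
"""Worked risk-scoring example (added illustration, not from the original slides).
Scores consequence and likelihood 1-5, multiplies them into a risk index (1-25),
maps the index to the Stage 4 bands, scores each risk before (inherent) and after
(residual) controls, and places both on the 5x5 grid. Sample data is constructed."""
from dataclasses import dataclass

# Scale labels as given on the grid key (score: label).
CONSEQUENCE = {1: "Insignificant", 2: "Minor", 3: "Moderate", 4: "Major", 5: "Catastrophic"}
LIKELIHOOD = {1: "Rare", 2: "Unlikely", 3: "Possible", 4: "Probable", 5: "Almost Certain"}

# Stage 4 bands: (lowest index, highest index, magnitude, acceptability, proposed action).
BANDS = [
    (20, 25, "Maximum", "Unacceptable",
     "Take action to reduce risk with highest priority; accounting officer and executive authority attention"),
    (15, 19, "High", "Unacceptable", "Take action to reduce risk; inform senior management"),
    (10, 14, "Medium", "Unacceptable", "Take action to reduce risk; inform senior management"),
    (5, 9, "Low", "Acceptable", "No risk reduction control; monitor, inform management"),
    (1, 4, "Minimum", "Acceptable", "No risk reduction control; monitor, inform management"),
]


def significance(consequence: int, likelihood: int) -> int:
    """Risk index = consequence x likelihood, each scored 1-5 (so the index is 1-25)."""
    for score in (consequence, likelihood):
        if not 1 <= score <= 5:
            raise ValueError(f"score {score} is outside the 1-5 scale")
    return consequence * likelihood


def classify(index: int) -> dict:
    """Map a risk index to its Stage 4 band (magnitude, acceptability, proposed action)."""
    for low, high, magnitude, acceptability, action in BANDS:
        if low <= index <= high:
            return {"magnitude": magnitude, "acceptability": acceptability, "action": action}
    raise ValueError(f"index {index} is outside 1-25")


@dataclass
class Risk:
    name: str
    inherent: tuple   # (consequence, likelihood) before internal controls
    residual: tuple   # (consequence, likelihood) after internal controls
    control: str      # the internal control that produces the residual score (assumed)


def assess(risk: Risk) -> dict:
    """Score a risk before and after controls and decide whether it sits within appetite.
    A residual index that is still Unacceptable lies above the board's risk appetite, so the
    remaining options are further treatment, or terminate / transfer / tolerate."""
    ir, rr = significance(*risk.inherent), significance(*risk.residual)
    residual = classify(rr)
    return {
        "name": risk.name,
        "inherent_index": ir, "inherent": classify(ir),
        "residual_index": rr, "residual": residual,
        "reduction": ir - rr,
        "within_appetite": residual["acceptability"] == "Acceptable",
    }


def render_grid(risks: list) -> list:
    """Return the 5x5 grid as text rows (Catastrophic at the top, Rare at the left).
    Each cell shows the index, U/A for Unacceptable/Acceptable, and any IR/RR markers."""
    marks = {}
    for r in risks:
        marks.setdefault(r.inherent, []).append(f"IR:{r.name}")
        marks.setdefault(r.residual, []).append(f"RR:{r.name}")
    rows = ["consequence \\ likelihood | " + " | ".join(f"{LIKELIHOOD[lk]}({lk})" for lk in range(1, 6))]
    for c in range(5, 0, -1):
        cells = []
        for lk in range(1, 6):
            idx = c * lk
            flag = classify(idx)["acceptability"][0]
            cells.append(f"{idx:2d}{flag} {','.join(marks.get((c, lk), []))}".rstrip())
        rows.append(f"{CONSEQUENCE[c]}({c}) | " + " | ".join(cells))
    return rows


# Constructed sample register. The lorry uses the page's scores (moderate 3, probable 4);
# the controls and the second risk are assumptions for illustration only.
REGISTER = [
    Risk("lorry breakdown", inherent=(3, 4), residual=(3, 2), control="maintenance contract"),
    Risk("data breach", inherent=(5, 4), residual=(5, 2), control="encryption and access review"),
]

if __name__ == "__main__":
    for a in map(assess, REGISTER):
        print(f"{a['name']}: IR {a['inherent_index']} ({a['inherent']['magnitude']}) -> "
              f"RR {a['residual_index']} ({a['residual']['magnitude']}, {a['residual']['acceptability']})")
        print("    ", a["residual"]["action"])
    print("\n".join(render_grid(REGISTER)))
```

Running it shows the lorry dropping from 12 (Medium, Unacceptable) to 6 (Low, Acceptable) once the control is counted, so it needs monitoring only, while the constructed data-breach risk still scores 10 after controls and therefore stays above the appetite line: either further treatment or a terminate/transfer/tolerate decision is needed.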
