Risk Management - Risk Treatment

Interrelated factors from economic fluctuations and information overload, to changing workforce dynamics and rapid technological advancements, all contribute to what is considered today as a volatile, uncertain, complex and ambitious (VUCA) world. In a VUCA environment, organisations must be agile, innovative, and resilient to navigate the challenges and seize opportunities in an ever-evolving landscape. Councils in particular face a myriad of risks that can impact their operations, reputation, and the bottom line. To manoeuvre through these demanding times, effective risk management is essential.

What is risk treatment?

A critical component of risk management is risk treatment, which refers to the process of selecting and implementing measures to mitigate identified risks. Once a risk has been assessed, Council must determine the best strategy to manage it. The goal of risk treatment is to reduce the likelihood of a risk occurring or to minimise its impact if it does occur.

As per the relevant Standard, risk treatment involves an iterative process of:

• Formulating and selecting risk treatment options;
• Planning and implementing risk treatment;
• Assessing the effectiveness of that treatment;
• Deciding whether the remaining risk is acceptable; and
• If not acceptable, implementing additional treatment.

When is risk treatment required?

This is a matter for each Council to consider in their own context. However, generally speaking, risks with a residual rating assessed as being outside of Council’s risk tolerance should require risk treatment to bring the level of risk to an acceptable level.

Selecting the appropriate risk treatment option

Selecting the most appropriate risk treatment option(s) involves balancing the potential benefits derived in relation to the achievement of the objectives against costs, effort or disadvantages of implementation. Risk treatment options are not necessarily mutually exclusive or appropriate in all circumstances.

There are a variety of options for treating risk, including:

• Avoid the risk - Not to proceed with the activity or choosing an alternative approach to achieve the same outcome.? Aim is risk management, not aversion.
• Mitigate the risk - Reduce the likelihood by improving management controls and procedures or reduce the consequence by putting in place strategies to minimise adverse impacts, e.g. contingency planning, Business Continuity Plan, liability cover in contracts, etc.
• Transfer the risk - Shifting responsibility for a risk to another party by contract or insurance. Can be transferred as a whole or shared.
• Retain the risk - Retaining the risk by informed decision, potentially to pursue an opportunity.

?Planning and implementing risk treatment plans

The purpose of a risk treatment plan is to specify how the chosen treatment option(s) will be implemented, so that arrangements are understood by those involved, and progress against the plan can be monitored. The plan should clearly identify the order in which risk treatment should be implemented.

Council’s Risk Treatment Plans may include the following details:

• Analysis of treatment options (avoid, mitigate, transfer and retain) and rationale for chosen option, including consideration of costs and benefits gained/incurred through chosen treatment option
• Those who are accountable for approving the plan and those responsible for implementing the plan
• Proposed actions
• Resource requirements (including any contingencies)
• Performance measures
• Potential or actual constraints
• Target risk rating (in reference to Council’s risk appetite and tolerance)
• Reporting and monitoring requirements
• Timing for implementation and expected completion

Once the risk treatment plan is developed, the next step is implementation. This involves executing the strategies outlined in the plan and ensuring that all stakeholders are aware of their roles and responsibilities. Effective communication is key during this phase to ensure that everyone is aligned and understands the importance of the treatment measures.

Risk treatment requires ongoing monitoring and review. Councils should regularly assess the effectiveness of their risk treatment measures and adjust as necessary. This can involve:

• Regular Audits - Conducting periodic audits to evaluate the effectiveness of risk treatment strategies.
• Feedback Mechanisms - Establishing channels for stakeholders to provide feedback on the risk treatment process.
• Updating the Plan - Revising the risk treatment plan based on new information, changes in the business environment, or lessons learned from incidents.

Conclusion

In conclusion, risk treatment is a vital component of effective risk management. By identifying, analysing, and treating risks, Councils can protect their assets, enhance decision-making, ensure compliance, manage their reputation, and maintain business continuity. Prioritizing risk treatment allows Council to navigate uncertainties and better position themselves for long-term success.

For further support reviewing, developing and enhancing your Council’s risk treatment process, LGMS Member Council’s should contact their Regional Risk Coordinator. The RRC program is a key feature of your membership and our teams’ mission is to assist you with the development, implementation and review of your approach to enterprise risk management.