Sei sulla pagina 1di 69



1. ESTABLISH RISK CONTEXT ........................................................................................... 4

1.1 – Review organisational processes, procedures and requirements for undertaking risk
management in accordance with current risk management standards in accordance with
current risk management standards .................................................................................. 5

1.2 – Determine scope for risk management process ...................................................... 10

1.3 – Identify internal and external stakeholders and their issues .................................... 13

1.4 – Review political, economic, social, legal, technological and policy context .............. 16

1.5 – Review strengths and weaknesses of existing arrangements ................................. 22

1.6 – Document critical success factors, goals or objectives for area included in scope .. 24

1.7 – Obtain support for risk management activities ........................................................ 27

1.8 – Communicate with relevant parties about the risk management process and invite
participation ..................................................................................................................... 29

2. IDENTIFY RISKS ............................................................................................................ 30

2.1 – Invite relevant parties to assist in the identification of risks ..................................... 30

2.2 – Research risks that may apply to scope.................................................................. 32

2.3 – Use tools and techniques to generate a list of risks that apply to the scope, in
consultation with relevant parties ..................................................................................... 36

3. ANALYSE RISKS ............................................................................................................ 39

3.1 – Assess likelihood of risks occurring ........................................................................ 39

3.2 – Assess impact or consequence if risks occur .......................................................... 42

3.3 – Evaluate and prioritise risks for treatment ............................................................... 44

4. SELECT AND IMPLEMENT TREATMENTS ................................................................... 50

4.1 – Determine and select most appropriate options for treating risks ............................ 51

4.2 – Develop an action plan for implementing risk treatment .......................................... 56

4.3 – Communicate risk management processes to relevant parties ............................... 59

4.4 – Ensure all documentation is in order and appropriately stored ................................ 62

4.5 – Implement and monitor action plan ......................................................................... 65

4.6 – Evaluate risk management process ........................................................................ 67

BSBRSK501 Learner Guide Version 4.0, October 2019 Page 2 of 69

REFERENCES ................................................................................................................... 69

BSBRSK501 Learner Guide Version 4.0, October 2019 Page 3 of 69


1.1 Review organisational processes, procedures and requirements for undertaking risk
management in accordance with current risk management standards

1.2 Determine scope for risk management process

1.3 Identify internal and external stakeholders and their issues

1.4 Review political, economic, social, legal, technological and policy context

1.5 Review strengths and weaknesses of existing arrangements

1.6 Document critical success factors, goals or objectives for area included in scope

1.7 Obtain support for risk management activities

1.8 Communicate with relevant parties about the risk management process and invite

BSBRSK501 Learner Guide Version 4.0, October 2019 Page 4 of 69

1.1 – Review organisational processes, procedures and requirements for
undertaking risk management in accordance with current risk management
standards in accordance with current risk management standards

Risk Management Standard

Risk management involves the ability for organisations to obtain a balance between realising
opportunities for gains while minimising losses. Essential to good management practices,
risk management is also an important element in the element of corporate governance.

Risk identification and management is very important for a company

as identifying risks and control measures helps in ensuring a
profitable and effective business. The purpose of risk management
standards is therefore to provide a framework that can assist
companies to implement risk management systems systematically
and effectively.

The AS/NZS ISO 31000: 2009 is the most commonly used risk
management standard and is a set of principles and general
guidelines that can be considered when developing risk management frameworks and

The AS/NZS ISO 31000: 2009 provides organisations with principles and general guidelines
to be considered when developing risk management frameworks and programs. These are
broadly as follows:

1. Creates and protects value: effective risk management ensures that an organisation
can achieve its objectives
2. Integral part of organisational processes: the risk management process needs to be
an integral part of overall organisational processes to ensure that risks are identified
and controlled.
3. Part of decision-making: where risk is a part of decision making, this ensures that
decisions are made in the context of full knowledge of risks.
4. Explicitly addresses uncertainty: identifying risks means that organisations
understand what potential risks there are and can act accordingly.
5. Systematic, structured and timely: it is important for the risk management process to
be systematic, structured and timely.
6. Based on the best available information: using up to date and accurate information is
important to ensure that risks are accurately identified.

BSBRSK501 Learner Guide Version 4.0, October 2019 Page 5 of 69

7. Tailored: the risk management process needs to be specifically focussed on the
internal factors within an organisation, as well as external factors that affect an
8. Takes human and cultural factors into account: it is important that risk management
takes these factors into account to ensure that all possible risks are identified.
9. Transparent and inclusive: the risk management process should include consultation
with all stakeholders and regular communication about risks should occur.
10. Dynamic, iterative and responsive to change: the process needs to be flexible,
potential risks may need to be reconsidered over time.
11. Facilitates continual improvement and enhancement of the organisation: the risk
management process is designed to contribute to continuous improvement over time.

The legislative framework

The legislative framework that you operate in usually stems from the requirements of:

• Acts
• Regulations
• Codes of Practice
• Standards

Work Health and Safety Legislations and Risk Management

The WHS Act and Regulations require persons who have a duty (PCBUs) to ensure health
and safety to ‘manage risks’ by eliminating health and safety risks so far as is reasonably
practicable, and if it is not reasonably practicable to do so, to minimise those risks so far as
is reasonably practicable.

Therefore, risk management is also an essential component of WHS legislation as managing

risks means that the health and safety of all persons is ensured.


Work Health and Safety Act 2011 (NSW) aims at ensuring that WHS is managed effectively
in the workplace by ensuring that employees are protected from WHS risks.

WHS Regulations

Work Health and Safety Regulation 2017 (NSW) provide details on the health and safety
representative election processing, statutory notices and the details about incident

BSBRSK501 Learner Guide Version 4.0, October 2019 Page 6 of 69

Codes of practice

The aim of the WHS Codes of Practice is to provide detailed information on how you can
achieve the standards required under the work health and safety (WHS) laws.


A standard is how specifications and procedures are designed to make sure that methods
and materials are fit for the purpose intended. They are documents that are published to
make sure that the standards are consistent across Australia. These standards can be found
at the SAI Global Limited and can be purchased through the website:

The Risk Management Process contains:

• Hazard Identification
• Risk assessment
• Implementation of Risk Control Measures:
• The hierarchy of controls
o Elimination
o Substitution
o Isolation
o Engineering
o Administrative
• Review the effectiveness of the risk management process in your workplace as part
of your organisations continuously improvement process.

Risk Control Options

• Avoiding the risk: do not take the course of action that involves the risk
• Reducing the risk: take action to reduce the likelihood of the risk occurring or the
severity of the potential consequences
• Transferring the risk: transfer the responsibility for the risk to another party
• Financing the risk: cover the financial consequences of risk
• Retaining the risk: run the risk that the event may occur and bear the consequences.

BSBRSK501 Learner Guide Version 4.0, October 2019 Page 7 of 69

Risks may include those relating to:

Commercial relationships – a formal business relationship between two parties, in which

there is some agreed on material or financial benefit to each party. A commercial
relationship is doing business, where there is an exchange of benefits that have material

Economic circumstances and scenarios – these are the risks caused from an action or
inaction that has an undesirable outcome. The losses in this scenario are usually called risks
which may be monetary or physical. For example; in response to a downturn in demand, an
organisation may retrench their staff so that they can keep operating.

Individual activities – these can include negligence, untrained personnel and those unfamiliar
with the organisation's procedures. Under WHS Law, employees have a legal responsibility
to ensure that they maintain a safe work environment. It is the responsibility of the employer
to ensure that the health, safety and welfare at work of all employees and others who come
on to the workplace.

Human behaviour – this refers to the range of behaviours that are influenced by a person’s
culture, attitudes, emotions, values, ethics, authority, rapport, hypnosis, persuasion, coercion
and/or genetics. Behaviour-based safety focuses on employee behaviour and aims to
minimise the cause of work-related injuries and illnesses.

Management activities and controls – these are usually guided by an organisation’s policies
and procedures and the appropriate job description. The level of risk in a management
position will vary according to their position, the amount of training or education that they
have and their level of experience. If you are in a management position, it is essential that
you make sure that you are aware of all of the risk in your work area.

Natural events – these are the effects of natural hazards such as floods, tornados,
hurricanes, volcanic eruptions, earthquakes and landslides. These types of hazards can lead
to financial, environmental and human loss. To counteract and minimise the risk to an
organisation and its employees, organisations – depending on the kinds of risks relevant to
an area – will put together a Natural Disaster Risk Management Plan that encompasses:

Political circumstances – these are a form of risk that is faced by investors, governments and
corporations. The level of risk can be controlled, as it is understood and managed from the
start. Organisations face political risk by making decisions that are strategic, financial or

BSBRSK501 Learner Guide Version 4.0, October 2019 Page 8 of 69

Technology is a key factor in an organisation’s ongoing success. Technology, when used
correctly, can be the difference between an organisation obtaining a larger share of the
market, thereby having a competitive advantage, or the loss of a larger share of the market.
Many organisations’ competitive advantage comes from their ability to be more responsive to
market demand.

BSBRSK501 Learner Guide Version 4.0, October 2019 Page 9 of 69

1.2 – Determine scope for risk management process

There are many different types of risk that your organisation has to deal with. These include:

• Legal
• Financial
• Safety.

As a member of a team or in your role as leader, supervisor or manager, it is essential that

you understand the risk that your decisions or feedback, with regards to decisions, will
impact on not only on yourself, but also your organisation. Since globalisation in the early
part of the 1990s, the level of risk for many organisations has risen, threatening their overall
continued existence.

Responsibility for the risk rests on the organisation/people that have control of it. This
includes the person who controls the budget, the spending and who is responsible for
ensuring that decisions have been carried out.

It is important that your organisation has in place a systematic and holistic approach to risk
management, to protect your organisation and its assets. Risk is defined under the
standards as “the chance of something happening that will impact on objectives”.
Technically, risk is the probability of a threat agent that exploits vulnerability and the results
in impact on the business.

For example; your employees have been trained in WHS in the workplace. The vulnerability
is that, even though they understand WHS, they do not know when to start applying it. The
trainer emphasised that their duty of care started when they began work, so they did not
report a ditch in the tarmac at the main entrance until they started work. Heavy rainfall had
cracked the tarmac where it had been laid incorrectly. Overuse of the tarmac widened the
crack into a ditch, over time.

They were busy and did not use their common sense. In the time between entering the
workplace and they starting work, a truck hit the ditch and rolled before it exploded, killing
both the driver and his son (who rode with his father that day).

BSBRSK501 Learner Guide Version 4.0, October 2019 Page 10 of 69

Define the scope

One of the most important aspects of any risk management plan is your ability to make sure
that risk is broken down to a basic state and analyse the impact for the organisation if risk
management practices and procedures are not followed.

Defining the scope of risk is not easy. All risks need to be recognised and, if required,
quantifiable. The scope should provide details of processes regarding risk and the
deliverables. A major part of this requires that a risk analysis is performed for your work site;
this necessitates that you identify and assess risks that may jeopardise your organisation’s
processes and ongoing success.

As with any other aspect of good organisational management, it is essential that you obtain
and maintain support of organisational members. Obtaining their feedback and ideas allows
them to create ownership for the risk management process. Studies demonstrate that when
people take ownership of a program, there is a higher level of success for that program.

We have now considered the types of risk that may affect an organisation. The scope of the
Risk Management Plan needs to consider what the plan may apply to and the variables that
may impact on the scope.

Before you consider the scope, it is important to have a clear picture of what you are
applying the scope to. For example, you may work in an organisation where the scope, in
the first instance, encompasses the whole organisation. The organisation also has several
projects running at the same time. The procedures used to identify and resolve or report the
risks during the initial development of the Risk Management Plan will usually be utilised for
individual risk analyses completed on each project.

This clearly demonstrates that an organisation, depending on the organisational structure,

must have at least one Risk Management Plan. Other organisations may run several risk
management plans based on the amount of projects that may run internal and/or external to
the organisation.

BSBRSK501 Learner Guide Version 4.0, October 2019 Page 11 of 69

External environment – the external environment includes other players who have an impact
on the decisions you will make. The external environment consists of:

• The economic system

• Competitors
• The social system
• The political/legal system; and
• The environmental system.

Internal environment – there may be times when your partner’s internal processes are in
conflict with your own. When on a customer’s work site, their risk management processes
must take precedence over your organisation’s processes. Internal processes may include
policies, procedures and practices that include identification, assessment, control or
reporting of risk.

This does not mean that you should not ignore your own organisation’s procedures. In most
instances of your organisation’s historical records, you should still follow your organisational
procedures. This is to assist future individuals undertaking a similar project in the preparation
and management of their own project.

Whole organisation – the context of a risk management plan will assist in establishing the
whole risk management plan for the organisation. This means that you need to make sure
that you include:

• The scope of the plan

• The objectives of your stakeholders and who they include
• How the risks will be established and evaluated
• The processes framework
• The identification and analysis of the risk.

The risk context will assist you in defining the purpose and importance of the scope for your
organisation and how risk assessments will take place. The scope will help define:

• What areas should be covered

• What should be covered within a specified time period
• The resources that are needed
• Will you need the expertise of external specialists; if so, who?
• Who the stakeholders are
• How risk shall be evaluated

BSBRSK501 Learner Guide Version 4.0, October 2019 Page 12 of 69

• What records need to be kept and how
• How much analysis you will need to complete the assessment safely
• The environment that the risk assessment operates in and how it will impact on the
way in which the risk assessment is performed
• What needs to be evaluated and why

1.3 – Identify internal and external stakeholders and their issues

The stakeholders shall be either internal or external. Internal stakeholders are people who
support the organisation and who are internal to the organisation, including employees,
investors and management. External stakeholders include people who are impacted by the
organisation including the consumer and the community. It is important to know each
perspective and their objectives so that you can address their needs in the Risk
Management Plan.

Take the time to work out what each party’s interest in risk management is and use it to
determine their objectives.

Internal stakeholders include:


Employees need to be protected from risk. They require information that will assist them in
ensuring that the workplace is safe. Risks and the procedures on controlling and/or
minimising the risk should be made available to them. Employees need to be kept up-to-date
on safety issues and changes to legislation that will impact on their practices. Employers
must communicate changes to employees and provide training when necessary.

Internal Investors:

It can be argued that employees are investors in the organisation, in terms of investing their
knowledge and skills to the organisation to maintain safety. For the sake of this guide, the
investors are the owners of the organisation. They provide capital, to ensure that their duty
of care is maintained by guaranteeing that employees are provided with a safe work


Management needs to ensure that they balance providing support for the employees with
being accountable for working within their budget. Risk management decisions should

BSBRSK501 Learner Guide Version 4.0, October 2019 Page 13 of 69

address the safety of staff and working within their allocated budget. They need to make
economic decisions while ensuring that their team is not placed at risk.

External stakeholders include:


Customers purchase the goods and services that the organisation either produces or sells.
They may be other organisations or individuals. When the customer purchases your product,
it is essential to make sure that the product is safe. Customers need to be confident that they
are not at risk.


In the same instance, suppliers need to make sure that the products that they sell are free of


Creditors need to know that they are going to be protected, by ensuring that all legislative
requirements are met within your organisation; and


That all taxes are paid, and appropriate industry laws are followed and adhered to.

Now that you know what a stakeholder’s interest in your organisation is, you should change
their interests into objectives. Be aware that these objectives will become an important part
of the context of the Risk Management Plan. It is through these objectives that you will be
able to plan your risk management plan.

Your stakeholders’ objectives need to be identified, depending on the nature of their

relationship with you and who they are.

You can identify stakeholder objectives by:

• Consulting with industry experts to clarify information.

• Being familiar with the legislation relating to your industry.
• Using information provided by professional associations to keep up-to-date, with
regards to industry trends.
• Consulting with stakeholders to determine objectives. You could use contracts and
agreements to assist you in identifying these objectives.

BSBRSK501 Learner Guide Version 4.0, October 2019 Page 14 of 69

• Implementing feedback and consultation procedures, to allow you to keep in touch
with your stakeholders requirements.

When developing a risk assessment, take the time to reflect on your plan to ensure that the
event/situation and the existing elements that may have an impact on the level of risk that
the stakeholders are exposed to are clear. Make sure that each stakeholder is aware of the
elements that may impact on their decisions. The success of any planning rests on ensuring
that the information provided is clear and up-to-date. Stakeholders can then make informed
decisions that will, in turn, assist you in developing the policies and procedures for the Risk
Management Plan.

For example, weather conditions of previous years indicate that staff will be exposed to
minimal risk of rock slide on a building site. However, one of the effects of El Nino saw an
increase in rain fall over the summer. Dried dirt has shifted and the chances of a mud slide
over the winter period have increased. Your contractor is concerned that the level of risk has
risen and the equipment left on-site shall be at a higher level of risk also.

Stakeholders would weigh the cost of insurance, putting in placing more safety practices and
the cost of replacement. The priority of this risk would rise as the chances of rain causing a
mud slide rose. By ensuring that the stakeholders have a report on the after effects of El
Nino, stakeholders’ decisions would be more informed and the budget and time allocated to
minimising the risk would be varied according to their responses.

BSBRSK501 Learner Guide Version 4.0, October 2019 Page 15 of 69

1.4 – Review political, economic, social, legal, technological and policy context

The successful management of any organisation or individual project or group of projects

rests on the ability of your organisation to adapt rapidly to the pressures of the external
environment. Once your stakeholder has made a decision on an event, whether they are an
owner or a worker, your responsibility does not cease to exist. In a global market that is
static, you need to have the ability to scan the environment and identify areas that will impact
on your organisation or project.

Time is a highly regarded commodity and you are not able to spend too much of it studying
the market so that information you can present information (if so required) to make a
decision that will change the procedures of the organisation. You need to have a method
that will allow you to understand both the external environment and the interconnections
between its various sectors, and translate the understanding to planning and decision-
making processes.

This activity can be done through environmental scanning. Brown and Weiner (1985, p. ix)
define environmental scanning as “a kind of radar to scan the world systematically and
signal the new, the unexpected, the major and the minor”.

Environmental scanning can be utilised to:

Control the flow of information – if staff are provided with too much information, information
overloading may occur. Employees may become confused trying to work out which
information is relevant and which is not. By controlling the flow of information, you are
ensuring that your team are provided with the appropriate information, so that they will be
able to provide an informed decision.

Keep managers up-to-date – information should be timely and should give managers time to
identify changes in market trends, market conditions and any other variables that will impact
on the final decision.

The way in which information is provided will vary between organisations, according to the
industry of the individual organisation; it will also vary according to the procedures and
requirements of the management team and stakeholders who will have an impact on the
decision-making process. The scanning of the external environment can be completed
internally or externally. Employees may be required to scan the market to identify changes to
trends. External organisations or bodies may be used to monitor the external environment.

BSBRSK501 Learner Guide Version 4.0, October 2019 Page 16 of 69

These external bodies may include stakeholders, professional associations and government

The type of information gathered will vary. However, the streams of information gathered in
the external market will usually include:

• The economic system

• The social system
• The policy context
• The political/legal system
• The technology system.

The economic system

An organisation’s economic system comprises of the allocation, consumption, distribution

and production of resources. The economy tends to go through periods of varying degrees
of growth. Businesses prosper when the economy is booming and living standards are
rising. Conversely, businesses are prone of go under when the economy is in a state of

The economic system is the organisation of the economy to allocate scarce resources. It is
governed by the needs of the individual departments. Resources are allocated according to
their priority of the organisation. For example, if your organisation has been audited, with
regards to its WHS, and the report stipulated that your organisation was not fully complying
with the law, then quick action would be taken to correct the safety of your internal and
external customer. This may mean that the organisation’s budgets would need to be
reviewed and reallocated, due to the reprioritisation of the decision-making process.

This example clearly demonstrates that decisions about resource allocation impact on the
decision-making process. Decisions of an economic nature can be influenced by:

• The decision making structure of the organisation

• Who makes the decisions
• Whether decision making is centralised or decentralised; or both; and
• How resources are allocated.

The economic system can also be influenced by:

BSBRSK501 Learner Guide Version 4.0, October 2019 Page 17 of 69

• The way in which information is obtained and analysed to make a decision. Planning
– whether centralised, decentralised or both – will be influenced by how the
information is coordinated and utilised.
• Ownership and control – Stakeholders, as we have already identified, provide input
to the decision-making process and can, in some instances, be a major contributor in
the final decision. The level of control will vary according to the organisation.
• The incentive structure, which uses recognition and rewards, to encourage human
resources to build their skills and take ownership of their roles and responsibilities,
allowing management to fulfil other roles. This could also be part of the social system
• Economic systems are usually divided through the way in which economic inputs (the
means of production) and the decisions made about the inputs.

The two main economic systems are:

• Capitalism
• Socialism.

The capitalist economic system is concerned with the production of profit maximisation
through investments and competition with other business owners. These systems may be
both regulated and unregulated.

The socialist economic system produces goods and services upon demand and ensures that
sufficient production is carried out for this end. This system is based on capital accumulation
seeking to control or direct the system through state ownership or cooperative control.

The social system

The social system is the use of attitudes, behaviours and ideas influenced by human
relationships. The incentive structure can be influenced by the social system. Using the
example above in the incentive structure, we can see that when employees to take
ownership for their actions, their productivity usually encourage increases which will release
resources (management) to perform other tasks.

The social system is initialised through empowerment. Empowerment is the process of

increasing the capacity of individuals or groups to make choices and transform those
choices into desired outcomes and actions. (PovertyNet, 2011).

BSBRSK501 Learner Guide Version 4.0, October 2019 Page 18 of 69

Organisations can also be influenced externally by including consumer attitudes and
behaviours, which will invariably depend on the age of the consumer, the type of consumer
and whether they are professionals, trade workers or admin staff, etc.

The political/legal system

The political/legal system creates the rules and frameworks within which business operates.
Government policy supports and encourages some business activities, e.g. enterprise, while
discouraging others, e.g. the creation of pollution. A political system is one of politics and
government that is usually compared to a legal or social system. A political system is
composed of a complete set of institutions, interest groups (such as political parties, trade
unions, and lobby groups), the relationships between those institutions and the political
norms and rules that govern their function.

Formerly a colony of Britain, Australia has one of the oldest continuous democracies in the
world that is shaped on pre-federation colonial parliaments, such as “one man, one vote and
women’s suffrage”. The Australian Constitution defines the following responsibilities
including those of the:

The Federal Government

Foreign affairs, trade, defence and immigration

Government of states and territories

For all matters not assigned to the Commonwealth
Government, they adhere to the principles of responsible

The High Court

Arbitrates on disputes between the commonwealth and states.
Many court decisions have expanded the constitutional powers
and responsibilities of the federal Government.

The Australian Constitution sets out the powers of government into three chapters:

BSBRSK501 Learner Guide Version 4.0, October 2019 Page 19 of 69

State parliaments are subject to the federal constitution and their state constitutions. A
federal law overrides a state law. In most instances, the relationships between the states
and commonwealth are formerly responsible. Local government bodies are developed by
legislature at both the state and territory level. This is a brief outline of Australia’s political
system. For a more thorough explanation, refer to:

The legal system in Australia has three sources that you may need to refer to. The sources

• The laws that are made in parliament

• Delegated legislation
• The decisions made by judges in courts, that are published in volumes of law reports.

The legal system can be a complicated process and the task to finding the relevant law may
be difficult, even for a lawyer. The basic legal system in Australia consists of:

• The fundamental belief in the rule of the law, where all people are treated equally
under the law
• That the common law system is formed on the basis of the United Kingdom’s
• That the common laws system encompasses the law of precedence where judge’s
decisions are based on previously settled cases
• Nine legal systems – the eight state and territory systems and one federal system
which incorporates three separate branches of government – legislative, executive
and judicial.

The technological system

Technological systems refer to material objects, such as machines and hardware that are
used by employees, to ensure that they are productive within their industry. The aim of the
technological system is to ensure that the human environment – such as the materials, tools,
techniques and sources of power – are utilised to make life easier and local more productive.

BSBRSK501 Learner Guide Version 4.0, October 2019 Page 20 of 69

For example, to remain competitive, an organisation will usually purchase an upgrade their
technology –such as computers or equipment – if there is evidence that the upgrade will
have a positive impact on their ability to meet their customers’ needs and increase sales.

A technological system may also be described as a network of agents interacting in the

economic/industrial area under a particular institutional infrastructure, and involved in a
generation, diffusion and utilisation of technology. This means that firms, taken individually,
can’t explain economic change. Instead, they must be viewed as a part of a larger system;
various firms interact with each other and institutions matter.

The aim of the study of technological systems is to understand the links between
technological systems and economic growth. This linkage can be observed after your
organisation purchases new technology. If the organisation aims to improve productivity,
then a purchase of equipment to allow the organisation to meet the demand means they will
be able to take a larger share of the market and ultimately improve their profits.

Another way the organisation can improve their productivity and profits is through the
improvement of processes or the quality of their output. For instance, employees may
identify a way to improve productivity, by changing or eliminating steps in the development
process without affecting output. Eliminating steps in the production process will also
improve productivity and more units will be produced to meet customer demand.

The policy context

The policy context is the course of action the business takes in the decision-making process
that influences the way they make decisions and the actions that they take. Let’s refer to the
examples discussed in the technological system. One of the goals of the organisation is to
improve productivity. Imagine that the organisation becomes aware of a new computer
program that would revolutionise their industry by increasing productivity, so that they would
be a market leader.

However, due to the infancy of the technology, the price of the equipment would blow the
organisation's budget. In the same instance, a member of the organisation’s production team
identified a way in which to improve productivity, so that they are on par with the new

Preliminary investigations have identified that the improvement in processes would save the
organisation a lot of money, in that they would increase productivity. The policy context
comes into play here when the processes of the organisation will have an impact on the final
decision made.

BSBRSK501 Learner Guide Version 4.0, October 2019 Page 21 of 69

Consider the two options:

• New equipment equals blowout in the organisation’s budget

• New processes equal cost savings, empowered staff and improve productivity
equivalent to the new technology found in the equipment.

What may be obvious to you may not be so to others. Your organisation's procedures may
be geared to the procurement of new equipment. The stakeholders of the organisation may
not believe that the processes that the employees and to put in place will meet their goals. If
you are manager, your goal would be to change the mind of the stakeholder.

1.5 – Review strengths and weaknesses of existing arrangements

As you are considering the development of the risk management plan, it is important that
you take the time to review the weaknesses and strengths of any existing risk management
arrangements. To use a systematic approach, you should perform a SWOT analysis.

SWOT is an acronym for strengths, weaknesses, opportunities and threats which make up
the four factors of the SWOT matrix. The aim of this tool is to produce a model that can
serve to provide direction in the development, formulation and assessment of risk
management plans. As an important step in the planning process, many organisations tend
to undervalue or omit it from the Risk Management Plan.

The SWOT analysis is straightforward and easy-to-use. The four factors are divided into
external and internal issues. The organisation's risk management objectives can be obtained
by analysing the information gathered in the tool. The SWOT analysis can assist in
identifying any potential obstacles to the success of the risk management plan, as well as
the flaws in the plan.

Risk management requires organisations to avoid, eliminate or, at the very least, minimise
identified threats and weaknesses. The organisation should scrutinise the weaknesses, to
ascertain whether or not it is possible to change them into assets. Identified threats should
be examined to see if there are opportunities to strengthen areas that have been eliminated.

The opportunities and strengths should be analysed to identify whether the threats and
weaknesses have met the organisation’s objectives.

BSBRSK501 Learner Guide Version 4.0, October 2019 Page 22 of 69

SWOT Matrix

➢ What does the organisation do ➢ What risk management areas

well, according to risk
can you improve upon?
➢ What resource areas do you use
➢ What unique resources (i.e. staff
skills) can you draw from? less of than your competitors?
➢ What are the organisation’s ➢ What may your competitors see
strengths? as your weaknesses, with
regards to risk management?

➢ What risk management areas

➢ What trends could have a
can you improve upon?
negative impact on your
➢ What resource areas do you use
less of than your competitors?
➢ What are your competitors
➢ What may your competitors see
as your weaknesses, with
➢ What threats do you
regards to risk management?
weaknesses expose the
organisation to?

Risk management is also central to strategic management and some organisations utilise
the SWOT analysis tool by determining the benefits of each activity that they perform, in
terms of risk management. This is done by focusing risk management processes and
determining the value of each potential value the ultimate strategies will apply to the
organisation. It makes the organisation consider the potential success or failure each
strategy that can be implemented and the impact that the strategy will have on the

Risk management must be a continuous process that considers the past, present and future
activities of the organisation. The risks facing an organisation can result from both external
and internal factors that can impact on the organisation.

Some organisations consider these internal and external drivers and, at times, can overlap
over both areas. These can be further categorised into types of risk such as strategic,
financials, operational, hazard, etc.

BSBRSK501 Learner Guide Version 4.0, October 2019 Page 23 of 69

When analysing the SWOT analysis, care should be taken to ensure that the final decision is
aligned with the organisation's goals. For example; a change within your industry is a
strategic risk. Within that change, your organisation may be called to change their
procedures to ensure that safety standards are maintained. To close any gap wrought by
this change, a risk assessment should be performed to ensure that the employer performs
their duty of care of providing a safe work environment to their employees.

1.6 – Document critical success factors, goals or objectives for area included
in scope

Critical success factors (CSFs) is the term for an element that is necessary for an
organisation or project to achieve its mission. CSFs are those few things that must go well,
to ensure success for an organisation and, therefore, they represent those enterprise areas
that must be given special and continual attention to bring about high performance. CSFs
aim to assist organisations in narrowing their results, and if their results are satisfactory, the
organisation will ensure the successful competitive performance for the organisation
(Rochart, 1979, p.84).

Your organisation's critical success factors need to match the areas that will assist the
organisation to succeed. CSFs need to maintain a high level of performance, so that the
organisation’s current and future needs are met. Grabowski and Roberts (1999) suggest that
the following four factors are designed to ensure the high level of performance that your
organisation needs. These factors include:

• Organisational structuring and design

• Communication
• Organisational culture
• Trust

Galorath (2006) writes that the importance and essence of risk management requires five
activities that are:

1. Top management support

2. An integral part of the entire program management structure and processes

3. The participation of everyone involved

4. Cultural imperative

BSBRSK501 Learner Guide Version 4.0, October 2019 Page 24 of 69

5. A pattern of measurement.

Critical success factors should correlate with the pattern of values, ideas and thoughts
transmitted by the symbols that shape the organisation’s behaviour. For example,
management support demonstrates a support for an initiative. In this instance, risk
management is an important part of the organisation’s culture. If management demonstrates
the appropriate support for the organisation’s risk management culture, then the level of
team members who follow organisational procedures should increase.

The more information that is shared to the team, the greater the chance is that desired
behaviour will become organisation-wide. As more and more of the team start demonstrating
and participating in the risk management process, the clearer the organisation’s culture

The importance of culture within effective risk management is that knowledge transference
requires individuals to come together to interact, exchange ideas and share knowledge with
one another. Moreover, culture creates individuals who are constantly encouraged to
generate new ideas, knowledge and solutions (Muller, 2009).

The relationships developed within an organisation involve the building of the organisation’s
structure. Think about your own organisation. What common vocabulary do the teams
share? How do they differ from other organisations within your industry?

Trust is also another critical success factor. Trust is the “willingness of a party to be
vulnerable to the actions of another party, based on the expectation that the other will
perform a particular action important to the trustor, irrespective of the ability to monitor or
control that other party” (Mayer, Davis and Schoorman, 1995, p.711).

For trust as a critical success factor to succeed, it is essential that risk management
processes include cooperation and teamwork. Trust is an important prerequisite to “changing
those related alliances, thus mitigating risk, as organisations are unwilling to adopt alliance-
like organisational structures that make them vulnerable to the fluctuation of the
environment” (McAllister, 1995).

To measure the success and/or failure of the organisation’s critical success factors, the
organisation must, according to the WHS Act 2011, maintain records of actions and
dangerous occurrences. By monitoring and reviewing the risk management process, the
organisation will be able to provide evidence that they are continuously maintaining and
reviewing the effectiveness of risk control.

BSBRSK501 Learner Guide Version 4.0, October 2019 Page 25 of 69

Completing documentation and keeping records in a systematic manner allows the
organisation to demonstrate that they are adhering to the WHS Act in their State and/or

These records can also assist management in identifying whether the organisation is
meeting its needs, with regards to the critical success factors.

For example, based on the three critical success factors discussed, measurement of
success can be demonstrated:

• When employees demonstrate that they are following the organisation’s culture by
adhering to the safety procedures in place
• That employees are building relationships by discussing and communicating
decisions and change with each other to identify the best practice
• That trust is being developed and reinforced as staff members become empowered
and take initiative with regards to risk management issues.

This trust is built on management’s ability to support their team and communicate changes,
so that their team members become empowered. In turn, they will be able to make informed

BSBRSK501 Learner Guide Version 4.0, October 2019 Page 26 of 69

1.7 – Obtain support for risk management activities

Management support and commitment is one of the final critical success factors, with
regards to risk management. Management actions are important. They can be constructive
and build staff confidence; they can also be destructive, which can lead to the failure of
organisational initiatives. Destructive management is where management provides no
feedback and, if they provide feedback, it destroys staff morale.

Conversely, constructive feedback and support can lead to the empowerment of

management’s subordinates. The aim of constructive feedback is to provide employees with
information to improve their actions, to create better results. For feedback to be useful, it is
important to make sure that it is actionable. This is an important management interpersonal

To give constructive feedback to team members it is important to make sure that your
feedback is:

Timely – Give feedback as soon as the behaviour is demonstrated.

Supported with positive words – Be positive and make sure that your choice of words
demonstrates a positive work environment. The receiver needs to know that they are making
a positive contribution to the risk management process.

Descriptive and gives facts – Stick to facts. Be clear and specific to ensure that the receiver
know and understands the issue and what their goals are. Make sure that the receiver
knows, for example, how their failure to act will impact on the organisation, staff members
and management. For instance, if you identify a hazard and do not report it, a customer or a
member of your team may be injured – this will have a negative impact for management of
the organisation, in terms of loss of business, reputation, productivity or profits.

Aimed at supporting collaboration so that new ideas for improvement are devised –
Acknowledge all recipients’ efforts, even if they are not appropriate at the time. Failure to
acknowledge their input can lead to the failure of the recipients contributing in the future.

Creating an environment where people are empowered, productive and contribute happily to
risk management is an essential part of the success of a risk management plan.
Empowerment aims to enable an individual to take action and control their work and make
decisions in an autonomous way. It allows employees to feel that they are controlling their
own destiny.

BSBRSK501 Learner Guide Version 4.0, October 2019 Page 27 of 69

To reinforce this environment:

• Demonstrate that you value them – Use positive body language and demonstrate
your appreciation for their contributions.
• Share vision – Help your team members to see the bigger picture by giving them
access to your organisation’s policies, procedures, mission, values and vision
• Share goals and direction – Make sure that the team knows the direction of the group
and their connection to the rest of the organisation, so they obtain a sense of
• Trust people – Trust your team members to make the correct decision to meet these
goals. In turn, when they are given clear expectations, they will learn to trust and
relax you.
• Provide information for decision making – Keep staff abreast with what is happening.
Informed decisions can only be made when team members are provided with up-to-
date information
• Delegate authority – Use opportunities to delegate authority to team members, so
that they can make become empowered and build confidence to operate
• Provide continuous feedback – Give rewards and recognition by acknowledging the
team members’ efforts. Work with the team to develop employee skills and
• Focus on the problem, not the people – What is the cause of the problem? Do not
automatically assume that a person’s actions are at fault. Is there a way in which
processes can be improved?
• Listen and ask questions – Show respect and treat people how you prefer to be
treated. Ask questions and encourage team members to ask questions, to either
reinforce their knowledge or to clarify information
• Reward and recognise empowered behaviour – Recognition and rewards that
acknowledge team member’s contributions will counteract any feeling of inadequacy
that team members may feel.

BSBRSK501 Learner Guide Version 4.0, October 2019 Page 28 of 69

1.8 – Communicate with relevant parties about the risk management process
and invite participation

For everyone to be involved in the Critical Success Factors, it is imperative that they receive
ongoing support and training. This is part of an employer’s duty of care for each State and/or
Territory. Effective risk management plans have communication procedures in place that
give clear expectations for staff. Communication ensures that team members understand
and support not only where the team is now but also where they want to be (Clutterback and
Hirst, 2002).

Communication needs to also be addressed, with regards to any party that has an impact on
the Risk Management Plan. Relevant parties may include:
• All staff
• Internal and external stakeholders
• Senior management
• Specific teams or business units
• Technical experts.

Professionals, both inside and outside the organisation, also need to be informed about what
is happening. Communication does not only need to be verbal. It is essential for
professionals to be supplied with the information required to perform the correct tasks under
the WHS Act as part of their duty of care. Communication could include the update of
procedures or required participation in training.

It is also imperative to ensure that relevant parties are given a chance to clarify information,
so that they can improve the organisation’s channels of communication.

Team members need to use the communication process to understand their roles and
responsibilities in the risk management process. A clear understanding of the
communication process is required so that team members can be given an opportunity to
see how their contributions impact on the organisation.

BSBRSK501 Learner Guide Version 4.0, October 2019 Page 29 of 69


2.1 Invite relevant parties to assist in the identification of risks

2.2 Research risks that may apply to scope

2.3 Use tools and techniques to generate a list of risks that apply to the scope, in
consultation with relevant parties

2.1 – Invite relevant parties to assist in the identification of risks

Another form of good communication is the utilisation of consultation. This is a way in which
management not only provides staff with up-to-date information, but also provides
stakeholders and any relevant parties with the opportunity to assist in the identification of

A part of good management, with regards to risk management, is management’s ability to

work in consultation on the subject of promoting a safe and healthy workplace. Using the
government legislation that encourages the team approach to the consultation process
creates effective communication, which in turn improves productivity and encourages
workers to build a sense of ownership where their contributions are made.

Consultation with employees ensures that the organisation is proactive with regards to risk
management. Employers need to consult with employees during each step of the
consultation process. All types of hazards need to be identified and methods to eliminate or
control the workplace environment hazards and risks need to be created.

The WHS Acts and Regulations of each state and/or territory will contain legislation with
regards to consultation within your relevant State/s and/or Territory/ies. Even though they
will vary in each State and/or Territory, the following overview should be part of the
consultation process including:

• WHS representatives and Committee. Gives employees an opportunity to be

consulted on WHS issues. The feedback they provide will ensure that best practices
are met. The aim of consultation is to ensure that informed decisions are made.
Informed decisions can only be made when all of the people who operate in the risk

BSBRSK501 Learner Guide Version 4.0, October 2019 Page 30 of 69

area are heard. These personnel are able to give the WHS committee and
representative’s different perspectives and feedback about which action to take.
• Workplace Health and Safety Officer are trained to identify risk and to provide expert
advice on hazards and the risks involved and the ways in which to either eliminate or
control the risk. They can also clarify any areas in which the WHS representatives
and committees need assistance.

Other agreed arrangements can include:

• Employees seeking industrial representation with regards to obtaining assistance in

WHS issues. Industrial representation will differ from industry to industry. It usually
includes the engagement of an industry and WHS expert who can assist employees
with regards to WHS issues.
• Regular meetings may be either a preventative measure against unsafe acts by the
education of employees on how to perform their job roles and responsibilities safely.
Staff, WHS committee and representative meetings should be held to ensure that
hazards and risks are eliminated or controlled as soon as possible.
• These meetings should be of a consultative nature where management shows
support for WHS and risk issues and employees are actively encouraged to
participate in the consultative process.
• Brief talks about hazards and risks on a regular basis. These talks may be either
formal or informal. The aim is to provide employees with up-to-date information and
to ask if they have identified any risks and hazards within the workplace. Talks may
include whether they have reported the risk or hazard and if the organisation has
actioned steps to minimise the risk.
• Work groups include groups working together to meet a common goal. This could
include a whole department, an entire section or personnel from each department,
who work together to minimise a problem that requires different perspectives.
• Job task training includes the training of employees to learn the tasks involved in
their job role. Specific attention will usually be aimed at ensuring that employees are
trained in WHS issues attached to the job task.

Note that each form of contact includes employers and employees consulting with each
other. During the consultation process, team members may use a variety of tools and
methods to explore the options that could be available to them.

BSBRSK501 Learner Guide Version 4.0, October 2019 Page 31 of 69

2.2 – Research risks that may apply to scope

Stakeholders can only assist you when they have the information they need, so that they can
make informed decisions or recommendations. At times, this may not be a viable option.
This means that you may need to research the risk to determine whether a risk or hazard
can be eliminated or controlled.

Research is the search for knowledge through a systematic investigation, with an open mind,
to investigate ways to eliminate or control risk within the organisation’s procedures and
legislative requirements. The purpose of research is to discover, interpret and develop
methods and systems with regards to risk in a systematic manner.

Research may include:

Data or statistical information (such as qualitative and/or quantitative research) Quantitative
research relies on the investigation of mathematical information to assist in the decision-
making process. Quantitative analysis is a simple tool used to measure things, so that you
can evaluate an investment to determine which measure to use to control risk.

For example, the repeated flooding of the shop floor in the back room, the WHS
representative gave the WHS Committee three recommendations with regards to either
eliminating or controlling the flooding. These recommendations may include:

o Purchasing a sign and allocating a staff member to maintain the area to minimise the
chance that anyone will slip;

o Purchasing equipment to replace the damaged equipment which is causing the

flooding of the back room; or

o Hiring a pump to siphon the water into the drain behind the factory.

Statistical measurement would be completed to identify which recommendation is more

viable. However, a final decision is usually not made until a complete story is told. This story
can be researched through qualitative research.

In risk management, quantitative analysis on a numerical scale considers the consequences

and likelihood and the level of risk involved in the process. Methods of numerical analysis
may include:

o Consequence analysis

o Influence diagrams

o Simulation and computer modelling

o Probability analysis.

BSBRSK501 Learner Guide Version 4.0, October 2019 Page 32 of 69

More of these shall be considered in more detail below.

Qualitative research is the non-quantifiable methods of evaluating business opportunities

and making decisions. Analysis of qualitative research can give you insight into the company
and can assist in the decision-making process. Using the example above, let us now analyse
options available to you.

You research the policies and procedures. The price of the equipment exceeds the budget
allocated for the department. The cost of a pump is negligible and suitable for the short term.
In today’s high-pressured globalised economy, money is usually scarce and reallocating a
member of your team to maintain the area, to minimise risk, will make your resources

In your search, you find that your organisation prioritises all WHS issues as the highest
priority. Failure to meet your industry’s minimum standards and a record of a member of
your team being injured could have a negative impact on the organisation. As such, it is
important to make sure that your decision ensures that the WHS issue is resolved as soon
as possible.

As reassigning a staff member and pumping the water from the area is a short-term
resolution, you may need to either purchase a new unit or obtain a second opinion to
determine if there are other viable options. When you are trying to make a decision on which
avenue you will take, it is important to make sure that you are going to meet your objectives,
but also that your decision is not going to eat away at your profit. This means that you may
need to research through other avenues, such as those listed below.

Information from other business areas – Business areas are part of your organisation's
operations. This may include product lines, branch offices or subsidiaries. For instance, if
you work at a branch of an organisation and a member of the team identifies a risk or
hazard, by consulting with another branch, you may find that they have already resolved the
problem and so you can act accordingly.

Lessons learned from other projects or activities – Records and documentation are
maintained and kept up-to-date for several reasons. One reason may be to meet your legal
obligations. Another reason may be so that you have access to the historical records of the
organisation. Historical records are documents stored away so that you can use them to
resolve hazards and risk in the workplace.

You may even need to review them so that you can identify what methods have been used
to resolve a hazard or risk in the past. There are times when procedures become obsolete,

BSBRSK501 Learner Guide Version 4.0, October 2019 Page 33 of 69

as technology evolves. However, over time the procedure that became obsolete, may come
back into currency under a completely different set of circumstances.

Historical records of projects and activities can also be used to review the procedures that
may have been rejected in the past, but may prove current due to the changing structure of
the organisation.

Market research – Market research is an organised effort to gather information about

markets or customers. It is a very important component of business strategy. Even though
market research primarily aims to assist your organisation in obtaining a competitive
advantage over your competitors, it also ensures that you can find out what your competitors
are doing. As such, you can use your competitor to benchmark best practice and then set
out to emulate their practices, to minimise the chance of jeopardising the health and safety
of your staff, customers and stakeholders.

Previous experience – Pushing humans as an important resource to the organisation

teaches HR personnel that all humans have different backgrounds that can be utilised to
improve the internal processes of the organisation. When a hazard or risk is raised at your
workplace that you do not have background in, do not automatically assume that, because
you do not know something, members of your team will not know how to resolve the

Instead approach employees to find out if they have been exposed to a risk and/or hazard.
When a team member is familiar with a problem and how it was resolved, you may either
use their knowledge to resolve your organisation’s internal issues, or as a starting point to
resolve the organisation’s internal issues.

Public consultation – Public consultation is a regulatory process by which the public’s input
on matters affecting them is sought. Its main goal is to improvement the efficiency,
transparency and public involvement in large scale projects or laws and policies. Keep
Australia Beautiful (WA) is one such public consultation. Refer to the URL Address: – this will give you information on how public consultation operates in

Review of literature and other information sources – A literature review is a review of the
writing/ literature that is relevant to your industry, which can be used to support, evaluate or
critique a decision that you are trying to make. A literature review is not just a summary of

BSBRSK501 Learner Guide Version 4.0, October 2019 Page 34 of 69

texts, journals and articles; it is a collection of articles used to support your stance and

Other sources of information may include:

Articles that clarify information to assist in proving your stance

Journals, such as industry journals, that may identify and explain how to resolve industry
risks and best practice to resolve hazards and risks inherent in your industry; and

Texts providing industry advice and assistance with ensuring that WHS standards are

Websites, such as professional associations and government legislative and environmental

sites that keep industry up-to-date with changes to legislation, best practice advice and
industry support to ensure that employers have the best information to meet their legal
obligations under the law.

BSBRSK501 Learner Guide Version 4.0, October 2019 Page 35 of 69

2.3 – Use tools and techniques to generate a list of risks that apply to the
scope, in consultation with relevant parties

Once you have completed your research you should also work in consultation with the
stakeholders of the work area. This can include:

• Employees
• Owners
• Suppliers
• Investors
• Contractors
• Industry sources.

Any other relevant party should also be consulted, so that a list of risks can be identified.
These risks should be relevant to the scope of the risk management process. When
gathering information, you may find yourself handling a lot of data. To be systematic in your
approach, you should take advantage of the tools and techniques that are available to you.

These tools and techniques may include:

Brainstorms. These are an excellent tool that can be used to generate creative problem
solving. It is good to use brainstorming to bring together a wide range of personnel so they
can bring their diverse experience and meaning to the task of solving the problems that you
face. Brainstorming also assists in ensuring that you look at a problem from a different

Brainstorming aims to get personnel out of their comfort zone and come up with innovative
and different ideas to resolve problems. Make sure that staff are very clear that no criticism
is allowed during the brainstorming session. Take the time to make sure that all incorrect
ideas are clarified and employees know the limits of the problem.

Group brainstorming is a good tool; however, many studies demonstrate that individuals who
brainstorm on their own have the greater chance of generating more ideas. This is ideal, as
individuals forget their own ideas in light of the ideas others are generating.

BSBRSK501 Learner Guide Version 4.0, October 2019 Page 36 of 69

To run a group brainstorming session effectively, you should:

• Make sure that you provide the relevant parties with a comfortable environment
• That one member of the team is assigned with writing ideas in your organisation’s
preferred format
• Clearly define the problem that you would like to resolve
• Use icebreakers, if people are not comfortable working together
• Give people time to generate ideas so that they can generate as many ideas as
• Do not criticise and try to make sure that everyone contributes new ideas
• Encourage people to have fun during the brainstorming session
• Make sure that are sufficient ideas to work with
• Take regular breaks, if your brainstorming session is going to be a long one.

Checklists. These are informational job aids, aimed at compensating for a human’s lack of
memory or attention. It can help you in performing the steps of a task in order and can be
used as a schedule. Checklists should be utilised to develop formal procedures that can
assist you in looking at the internal risk of activities.

Care should be taken when developing a risk, to ensure that you focus on a checklist that
helps you perform your task. They can be exhaustive. For this reason, you should control
how long they are.

BSBRSK501 Learner Guide Version 4.0, October 2019 Page 37 of 69

Fishbone diagrams. These are also known as Ishikawa diagrams or Cause and Effect
diagrams and look like a skeleton of a fish, as shown below:

Cause and effect diagrams can also be drawn to look like a tree. As with the fishbone, the
trunk of the tree or fish should lead to a final outcome. The large branches should represent
major categories and then the smaller links lead to smaller ideas that fall under that

To build a successful tree or fishbone, you need to:

• Make sure that everyone knows what the problem is

• Be clear
• Pursue each line of causality back to its root cause
• Make sure that the cause of each category is added to the tree
• For control, if the branches become overcrowded, split them
• Reflect and determine which has merit and pursue them.

Flow charts

Flow charts are representative of a process and are used to demonstrate the steps involved
in the process.

Note that each step in the process is divided by arrows that connect the symbols. Flow
charts aim to demonstrate the steps in a process and the visual of the flow chart will allow
you to view problems in the process, so that you can take appropriate corrective action.

Scenario analysis

Scenario analysis involves the assessment of various potential future events and the
development of scenarios that will be likely to pass if specific events took place. Scenario
analysis can be helpful in risk management by reflecting on your analysis of the internal and
external environment and determining the events that may impact on your organisation’s risk
management plan.

Based on the information that you acquire, you will be able to predict possible scenarios that
will impact on your Risk Management Plan. There are five steps to the scenario analysis
process. They are:

BSBRSK501 Learner Guide Version 4.0, October 2019 Page 38 of 69


3.1 Assess likelihood of risks occurring

3.2 Assess impact or consequence if risks occur

3.3 Evaluate and prioritise risks for treatment

Risk Analysis Process

1. Gather information about potential risks: this could be done through a range of both
internal and external sources.
2. Assess the likelihood of the risk occurring using the risk assessment legend.
3. Assess the severity of the potential consequences for the agency of the risk
occurring using the risk assessment legend.
4. Assign a ranking to the risk using the risk assessment legend. The ranking of the risk
will determine its importance in terms of risk management.

3.1 – Assess likelihood of risks occurring

Once a list of risks has been identified, you will need to learn how to analyse the level of risk
so that you can identify how to minimise, control or eliminate the risk. It is the role of your
employer to ensure that a risk assessment is conducted. Risk assessments should also be
conducted when1:

➢ New substances and plant is introduced

➢ New work practices and procedures are introduced

➢ Changes are made to process, equipment and substances.

When you consider the level of risk, you should consider the injury or disease causing the
hazard. As the level of risk rises, so too does the level of the hazards – this means that there
will be more chance that the risk will cause an injury. Part of your Risk Management Plan
needs to address risk assessments. The risk assessment needs to determine the likelihood
and level of injury (severity) or disease that can result from exposure to the hazard. When a
hazard is identified, your employer should make sure that they follow the regulations that
deal with that hazard. There are usually specific regulations that deal with the risk
management of occupational electricity, driver fatigue, falls from heights, confined spaces,

All notes are taken from the Occupational Health and Safety Code of Practice 2008

BSBRSK501 Learner Guide Version 4.0, October 2019 Page 39 of 69

construction and storage and handling of dangerous goods, noise and plant. When you are
unable to find any regulations for a hazard, then a risk assessment should be performed.

Employers need to consider:

➢ How often the hazard has the potential to cause harm

➢ The number of people exposed to the hazard

➢ The length of exposure to the hazard

➢ Amount of materials or exposure points

➢ The position of the employees in relation to the hazards

➢ The skills and experience of the people exposed

➢ The special characteristics of the people exposed

➢ Any elements that could distract personnel in the work environment

➢ Environmental conditions

➢ The work organisation – like rostering, shift arrangements and the pace in
which work should be performed

➢ The introduction of new work processes and procedures

➢ The effectiveness of existing control measures.

When talking about the likelihood, we are describing the probability or frequency of an injury
or illness occurring.

Likelihood may refer to:

➢ Probability of a given risk occurring, such as:

o Very likely (exposed to hazard constantly)

o Likely (exposed to hazard occasionally)

o Unlikely (could happen but only rarely)

o Highly unlikely (could happen but probably never will).

BSBRSK501 Learner Guide Version 4.0, October 2019 Page 40 of 69


Risk Matrix


5 Fatality H E E E E

4 Major Injury H H E E E

3 Moderate Injury M M H H E

2 Minor Injury L L M H H

1 Negligible injury L L L M H

Unlikely Possible Likely Very Likely



E Extreme risk – Detailed research and management planning required at senior

High risk – Senior management attention needed

Moderate risk – Management responsibility must be specified

Low risk – Manage by routine procedures

BSBRSK501 Learner Guide Version 4.0, October 2019 Page 41 of 69

3.2 – Assess impact or consequence if risks occur

Consequence is the outcome or impact of an occurrence. In other words, you need to be

able to make a judgement about how much harm workers may be vulnerable to if they are
exposed to the hazard.

Consequences may be rated as:

➢ A fatality

➢ Major or serious injury (serious damage to health that may be irreversible,

requiring medical attention and ongoing treatment). This is likely to involve
significant time off work.

➢ Minor injury (reversible health damage that may need medical attention but
limited ongoing treatment). This means that it is less likely to spend more
than a day off work.

➢ Negligible injuries (might sustain slight injury and may require only primary
first aid) and no time off work.

Moderate Injury Consequence and possible likelihood form part of standard Risk
Management, but you can decide if they meet your requirements.

BSBRSK501 Learner Guide Version 4.0, October 2019 Page 42 of 69

Variations of consequences in states and/or territories may include:
➢ Significance of outcomes if the risk occurs, such as:

➢ Disastrous

➢ Severe

➢ Moderate impact

➢ Minimal impact.

If there is an uncertainty about the level of risk, or a lack of information about the level of
exposure to the risk after a risk assessment, your employer will need to consider:
➢ Whether there is more information available

➢ What specialists are available to consult

➢ Whether surveys, environmental and medical monitoring are needed

➢ The records and data that should be reviewed including employee

complaints, staff turnover, unscheduled absences and sick leave

➢ Whether the organisation's culture and the behaviour of its staff add to the
risk, or are the actual risk factor; and

➢ Assessing the training levels and competency of the team.

BSBRSK501 Learner Guide Version 4.0, October 2019 Page 43 of 69

3.3 – Evaluate and prioritise risks for treatment

Once you have collected your data, you need to make sure that you familiarise yourself with
the risk management system in place, so risks can be managed and controlled. These
systems should be identified and form part of the risk analysis.

The risk analysis is the study of the likelihood and consequences where you should
➢ What is the likelihood of an incident occurring?

➢ If an accident occurs, what would be the magnitude of its consequence?

The level of risk created by an incident is determined by the analysis of combined impact of
likelihood and consequence. To properly identify levels of risk, the best information can be
found in the types of areas that you researched in Section 2 of this Learner Guide and may
have included:

➢ Available records

➢ Results from inspections carried out

➢ Statistical data from various sources

➢ Relevant experience

➢ Research

➢ Specialist and expert judgement

➢ Experiments.

Much of this information can be obtained through the consultative process that you have
developed with stakeholders, using the techniques discussed above.

There are three types of risk analysis. They are qualitative, semi-quantitative and
quantitative. The type of analysis that you do will depend on the data available. In practice,
most organisations will generally use qualitative analysis to obtain an indication of risk levels.
It is only when more specific and precise indicators are required that quantitative analysis is

Qualitative analysis uses scales to analyse the likelihood of an event occurring and its
consequences. These can be used to analyse different risks in different circumstances by
simply varying, adapting and adjusting them to suit.

BSBRSK501 Learner Guide Version 4.0, October 2019 Page 44 of 69

Qualitative analysis would be used in most cases. This type of analysis is used:
➢ As an initial screening exercise, to identify risks that require more detailed

➢ Where the level of risk does not justify the time and effort spent on a more
detailed analysis.

This is a review of the likelihood.

Expression Attributes

Very likely Exposed to hazard constantly

Likely Exposed to hazard occasionally

Unlikely Could happen but only rarely

Highly unlikely Could happen but probably never will

In the same way, consequences arising from an incident occurring may be

qualitatively measured. An example of a consequence measure is:

Expression Attributes

A fatality Death

Major or serious (Serious damage to health that may be irreversible,

injury requiring medical attention and ongoing treatment). This
is likely to involve significant time off work;

Minor injury (Reversible health damage that may need medical

attention but limited ongoing treatment). This means that
it is less likely to spend more than a day off work

Negligible injuries Might sustain slight injury and may require only primary
first aid, and no time off work

BSBRSK501 Learner Guide Version 4.0, October 2019 Page 45 of 69

When the likelihood and consequence are put together, you have an example of the
analysis matrix.

Risk Matrix


5 Fatality H E E E E

4 Major Injury H H E E E

3 Moderate Injury M M H H E

2 Minor Injury L L M H H

1 Negligible injury L L L M H

Unlikely Possible Likely Very Likely



E Extreme risk – Detailed research and management planning required at senior

High risk – Senior management attention needed

Moderate risk – Management responsibility must be specified

Low risk – Manage by routine procedures

BSBRSK501 Learner Guide Version 4.0, October 2019 Page 46 of 69

Risk analyses are usually aimed at the negative consequence of risk. The consequence
measure therefore reflects the losses and undesired outcome that might arise. However, risk
management is increasingly being applied to identify and prioritise opportunities, as the risk
associated with not exploiting an opportunity or embarking on a particular business strategy
can be high. In many instances, the ‘upside risks’ are potentially more serious than the risk
that bad events will occur (i.e. the ‘downside risks’).

When considering the opportunities, the likelihood measure need not change, as it will
describe the chance that a benefit will arise. The consequence measure must, however, be

An example is as follows:

Expression Attributes

Insignificant Small benefit, low financial gain

Minor Minor improvements to image, some financial gain

Moderate Some enhancements to reputation, high financial gain

Major Enhanced reputation, major financial gain

Outstanding Significantly enhance reputation, huge financial gain

BSBRSK501 Learner Guide Version 4.0, October 2019 Page 47 of 69

When risks and opportunities are being considered together, a two directional measure of
consequence may be appropriate.

Negative Consequence Positive Consequence

-H -H -H -M M H H H

-H -H -M -M M M H H

-H -M -M -L L M M H

-M -M -L -L L L M M





Legend (for opportunities):

L = low opportunity, manage by routine procedures

M = moderate opportunity, management responsibility must be specified

H = high opportunity, detailed planning required at senior levels to prepare for and capture

Another way to measure risk includes the hierarchy of control. The hierarchy of control will
be discussed in more detail in Section 4 of this learner guide.

There will be times when you will not have the skills, knowledge and experience to
complete a risk assessment of a work area. When this occurs, then you may need to
consult with an expert. Expert advice may include:
➢ Federal, state and local government regulatory authorities

➢ Private consultants appropriate to the risk being evaluated.

BSBRSK501 Learner Guide Version 4.0, October 2019 Page 48 of 69

Once you have evaluated the level of risk, it is important that you develop a priority rating.
This means that the level and acceptability of risk associated with a given event should be
based only on a recommended timeframe for management of the risk, according to the
assessment and on expert advice. Once risk level has been analysed and evaluated, it is
important to prioritise the risk. Risks should be categorised into low, medium and high risks
that will be create a risk priority rating. This can also be called a risk profile.

BSBRSK501 Learner Guide Version 4.0, October 2019 Page 49 of 69


4.1 Determine and select most appropriate options for treating risks

4.2 Develop an action plan for implementing risk treatment

4.3 Communicate risk management processes to relevant parties

4.4 Ensure all documentation is in order and appropriately stored

4.5 Implement and monitor action plan

4.6 Evaluate risk management process

BSBRSK501 Learner Guide Version 4.0, October 2019 Page 50 of 69

4.1 – Determine and select most appropriate options for treating risks

There are times when the most effective control measure cannot be implemented
immediately. Lack of funds, resources or physical means that employers will need to identify
and prioritise the implementation of a control measure – this will be determined according to
the organisation’s risk profile for the hazard. High-level risks should be implemented before
medium and low-level risks. Remember, a risk profile is how the organisation rates the
hazards, such as whether a risk is low, medium or high level risk.

Your employer has a duty of care to ensure that employees have a safe work environment to
work in.

This means that part of their Risk Management Plan is to eliminate the risk and, if they
are unable to eliminate the risk, they need to minimise it by:
➢ Controlling employees exposure to the risk

➢ Do not make changes just so they create a new hazard; and

➢ Allows employees and contractors to work in a safe and comfortable work


To do this, employers should use the Hierarchy of Control pyramid. The Hierarchy of Control
pyramid aims to assist employers with the appropriate way in which to control risk. It

BSBRSK501 Learner Guide Version 4.0, October 2019 Page 51 of 69

: Hierarchy of Control Pyramid

The following section is adapted from the WHS Code of Practice 2011. Employers need to
start at the top of the hierarchy and work their way down. The hierarchy of control pyramid is
structured in the following way.

Eliminate the hazard

The elimination of hazards is a very effective control measure. Elimination prevents:
➢ Human error

➢ Lack of awareness

➢ Stress

➢ Fatigue

➢ From influencing the selection of control measures

➢ From acting in an uncontrolled manner

➢ Giving priority to operational or production plans.

Elimination includes:
➢ Removing trip hazards

BSBRSK501 Learner Guide Version 4.0, October 2019 Page 52 of 69

➢ Disposing of unwanted chemicals

➢ Removing hazardous plant or substances

➢ Promptly repairing damaged equipment

➢ Increasing the use of e-mail to reduce excessive photocopying and collation.

The best time in which to use elimination is at the design stage of a process, equipment or
plant. This is referred to as a safe design; these practices are applied all at once and have a
positive impact on health and safety in the workplace. When no hazards exist, no risk, injury
or illness exists. When elimination is not appropriate, then your employer should minimise
the risk by substituting or modifying he hazard.

Substitute or modify the hazard

Substitution or modification of a hazard ensures that the hazard is minimised. Substitution or

modification should only be considered when risk to employees has been identified and
when the changes will decrease the level of risk for the person performing the task.

Examples of substitution include:

➢ Substitution of a hazardous chemical with a less hazardous chemical

➢ Substitution of telephone headsets with headsets in a reception area

➢ Substitute of smaller package or container to reduce the risk of manual lifting

injuries like back strain.

Isolate the hazard

The aim of isolation is to separate the employees from the hazard. This can be performed by
putting up signs and barricades or placing the hazard in a separate room; thereby removing
the hazard from the main work area.

Examples of isolation include:

➢ Use of a fume cupboard to isolate and store chemicals

➢ Use of remote handling equipment for hazardous substances and


BSBRSK501 Learner Guide Version 4.0, October 2019 Page 53 of 69

Use engineering controls to control the hazard at its source

Engineering controls is the next control option to minimise risk within the hierarchy of
controls. Engineering controls includes engineering modifications to plant or to a system of
work needing to be changed.

Engineering controls include:

➢ Modification to plan

➢ Installation of guarding on machinery

➢ Use of a ventilation system to remove chemical fumes or dust.

Use Administrative controls

Administrative controls include changing procedures and practices to minimise risk.

Administrative controls should be used to back up and supplement other controls that have
been put in place. These control measures may be needed when your employer waits for the
evaluation and implementation of other control measures.

Examples of administration controls include:

➢ Regular maintenance of equipment and plant

➢ Written procedures for all equipment and work procedures

➢ A training, education and supervision program for employees/contractors,

which includes preventative maintenance and housekeeping procedures.

Use personal protective equipment (PPE)

The final control measure under the hierarchy of control pyramid is the use of personal
protective equipment (PPE). PPE should only be used when the higher control measures are
not appropriate or adequate. They can be used as a final barrier between the hazard and the
employee. The use of PPE may require your employer to make sure that you change your
behaviour, as it does not control the hazard. The PPE must be appropriate for the type of
work the employer/employee is doing.

Employers should train employees and contractors in the correct use and maintenance of
PPE. Supervision would also be needed, to make sure that staff are compliant in the use of
the Personal Protective Equipment.

BSBRSK501 Learner Guide Version 4.0, October 2019 Page 54 of 69

Determining risk control measures for hazardous manual tasks

• Postures, movements, forces and vibration relating to the hazardous manual task;
• the duration and frequency of the hazardous manual task;
• workplace environmental conditions that may affect the hazardous manual task or
the worker performing it;
• the design of the work area; the layout of the workplace;
• the systems of work used; and
• the nature, size, weight or number of persons, animals or things involved in carrying
out the hazardous manual task.

Risk Minimisation Process

• Implementation of policies and procedures to ensure that staff understand and follow
appropriate procedures.
• Implementation of quality and compliance processes, for example, regular auditing to
ensure that risk management standards are met.
• Providing staff induction, ongoing training and performance management in relation
to risk management
• Ongoing monitoring of risk through a range of measures such as historical data, team
meetings or performance reviews.
• Development and implementation of continuous improvement processes to ensure
that risk management processes are reviewed and monitored.
• Implementing quality assurance procedures and systems to ensure that risk
management processes are regularly checked, reviewed and monitored on an
ongoing basis.

BSBRSK501 Learner Guide Version 4.0, October 2019 Page 55 of 69

4.2 – Develop an action plan for implementing risk treatment

The aim of a risk management action plan is to ensure that risk management is embedded in
the culture of the organisation and to ensure that the organisation maintains risk
management best practice. It outlines how an organisation is going to identify, minimise
and/or control the risk, including monitoring and reviewing the risk management process.

The action plan should cover the following areas:

1. Introduction

1.1. Purpose of the Action Plan:

This should include what the risk management plan is for. You may even write
a Risk Management Statement

1.2. Goals of the organisation’s Risk Management:

What are the organisation’s goals? I.e. to ensure that the highest levels of risk
are identified and properly management, risk is focused where it is needed.

2. Context and Background

2.1. What Risk Management is:

Define risk management and its importance to the organisation.

2.2. Benefits of the plan:

How does your Risk Management Plan benefit your organisation? E.g. meet
your legal obligations

2.3. Organisation's background :

What is the organisation’s background and the areas where risk management
has been applied? E.g. may include policy and procedures, the use of
specification, equipment checks, tests and quality assurance.

BSBRSK501 Learner Guide Version 4.0, October 2019 Page 56 of 69

3. Risk Management at your organisation

3.1. Overview of the risk process:

How risk is handled in the organisation

3.2. Risk Management structure and responsibilities:

How is your risk management plan structured? Who is responsible for

individual tasks and in what areas? Who is each party accountable to? Does
your organisation, for example, have a Risk Management Steering Committee?

3.3. How the plan is implemented:

How is the plan implemented? At what level is it implemented at? How is it

documented? What levels of risk are acceptable? How is risk management
recorded and documented? What contingency plans does the organisation
have in place?

3.4. Timeframe:

The timeframe should consider who obtains copies of the Action and Risk
Management Plan? When? Other factors that may be included are: training,
timeframes for review and when documentation should be completed and
submitted to the Board/Manager, depending on the size of the organisation.

3.5. Monitoring and review:

Most organisations review their plans annually and align it with their planning
process. Continuous improvement is a legislative WHS requirement, so
organisations must demonstrate that they are working to improve their

BSBRSK501 Learner Guide Version 4.0, October 2019 Page 57 of 69

4. Initial risk identification and risk treatment

4.1. Risk criteria:

In this section, you need to prioritise the importance of Risk Management, in

terms of how it can impact on the organisation. For example, if too many people
are injured in the workplace, the organisation’s reputation will be negatively

4.2. Summary of the organisation’s risks:

This section should include the risk exposures present within the organisation, as
demonstrated by the above graph. The meaning of the graph includes:

o Residual risk – the remaining level of risks after risk measures have been

o Under action – A plan is in place for the action to be done, including who is doing
the plan, the resources needed, the costs and timing targets.

o Controlled – Refers to the level of risks that have been controlled and maintained at
an acceptable level.

o Based on the findings, the scope would probably need to be reviewed, so the
progress is maintained within the Risk Management Plan

4.3. Detail Assessment of the organisation's risks

A detailed report of the organisation’s Risk Management Plan should be shown

on a bar chart, with individual appraisals of the risks. These should be
demonstrated in the organisation’s risk register.

BSBRSK501 Learner Guide Version 4.0, October 2019 Page 58 of 69

4.3 – Communicate risk management processes to relevant parties

Once you have completed your risk management action plan, you need to communicate the
plan to the appropriate parties. The information communicated should align with the needs of
the recipient.

For example, a line worker would only need the information to perform their duties and tasks
correctly. Line supervisors would need sufficient information to make sure that their team
has the knowledge to perform their tasks correctly. This would also include making sure that
their team had access to documentation and procedures, so that the empowered team
member would be able to make informed and up-to-date decisions, with regards to their jobs
and their work area.

The information that will be communicated will vary between organisations and may include
the following internal reporting and communication:

Who to communicate What may be communicated?


Team ➢ Their accountability for individual tasks

Members/Contractors ➢ Understand how they can enable continuous improvement risk
management response
➢ Understand that risk management and risk awareness are a key part
of the organisation’s culture
➢ Report systematically and promptly to senior management any
failures or new risks

Leading ➢ Level of authority

hands/supervisors ➢ Risk assessments
➢ Risk register
➢ Communicate risks to management
➢ Ensure policies and procedures are available
➢ Ensure team members are meeting obligations
➢ Consult with external sources and stakeholders

Management ➢ Authorise risk management practices within their scope of authority

➢ Consultant with external consultants
➢ Individual plan implementation
➢ Report to the Risk Management Committee and/or senior
➢ Understand that risks management is an ongoing part of the
organisation’s culture
➢ Performance indicators that allow them to monitor their business and
financial activity progress towards objectives and identify
developments that require intervention

BSBRSK501 Learner Guide Version 4.0, October 2019 Page 59 of 69

➢ Training (allocation and confirmation of)

Risk Management ➢ Coordinating the regular formal updating of Business Unit and
Committee corporate Risk Registers and Risk Treatment Action Plans and
compiling a master set;
➢ Maintaining corporate risk and risk control information;
➢ Ensuring that all relevant risk areas are considered, including those
emanating from the services of external providers and contractors;
➢ Analysis and reporting to the organisation’s executive;
➢ Ensuring appropriate linkages to the organisation’s business and
corporate planning processes and, where necessary, to budget

Board of Directors ➢ Corporate Strategy and planning and aligning strategies to

organisational risk management plan
➢ Review of Risk Treatment Action Plans
➢ Know the significant risks to the organisation
➢ That awareness runs throughout the whole organisation
➢ Manage communications with the stakeholders as required
➢ Publish the risk management policy
➢ How the organisation will manage a crisis

Information must be made available to all stakeholders, so that all members of the team are
protected from risk. The more current the information is, the better position stakeholders will
be in to provide informed decisions.

When providing information to team members, it is important to make sure that they do not
access information that exceeds their level of authority. Breach of privacy of personnel and
stakeholders can bring with it hefty fines and, in some cases, fines. If you are in a position
where you are not aware of the level of authority that a stakeholder has, consult your
organisation's policies and procedures or consult with management. If necessary, consult
with your client to obtain permission for external parties to help in managing risk.

Information should be communicated to stakeholders to:

➢ Ensure that they are aware of a problem and what impact it may have on
their activities

➢ Ensure that they have sufficient information to consider alternatives and the
feasibility of suggestions.

When you communicate information, make sure that it is in a format that is easy to access
and understand. For example, if you are required to provide personnel with a lot of facts and
figures, then the information will be easier to read if it is in a graph to demonstrate a change

BSBRSK501 Learner Guide Version 4.0, October 2019 Page 60 of 69

in trends, a variation in the level of risk staff are exposed to or other variables. This
information can be used to demonstrate when a hazard becomes a risk.

The way in which information is communicated will vary according to the policies and
procedures of the organisation. Emails are an excellent way to keep a record of staff that
have received their emails and allow the organisation to maintain a trail to demonstrate their
continuous improvement process.

As a part of the consultative process, it is important that you discuss the hazard with relevant
stakeholders, with regards to the evaluation of the Risk Management Plan. This means that
you should communicate with:

➢ Workers, supervisors and health and safety representatives – What staff

should you consult with? Do you have a reporting structure that you need to
follow, with regards to the site? Does your client have safety representatives
that need to be consulted with, if you make changes to the way in which a
task is performed? If you answered yes to any of these questions, then it is
important to consult with appropriate personnel and communicate any
changes that you may implement.

➢ Stakeholders who may be exposed to the control measure – Employees

of your organisation may not be the only party that is exposed to risk. Other
stakeholders should also be included. However, you may also consider
members of the public. If there is any chance that a member of the public is
exposed to risk, then it is important to take steps to ensure that they are
aware of the risk.

➢ Consult and monitor incident reports – Communicate your findings, as

your relevant stakeholders may have important information that they can add
to improving the Risk Management Plan. Incident reports can also assist in
identifying the impact changes to procedures which can be sourced from an
increase or variation of incidence in a work area. If stakeholders are aware of
these incidents, then they will be able to take steps to control the risk.

➢ Review safety committee meeting meetings where possible – The review

process needs to integrate key performance indicators of the organisation.
The risk management plan needs to link personal performance and drivers,
to make sure that they are measurable to the organisation. For example, by
changing the way a procedure is performed, you will save the organisation
money with a decrease in injuries. This ensures that public liability insurance
does not increase and that work health and safety legislation is not breached,
avoiding fines.

BSBRSK501 Learner Guide Version 4.0, October 2019 Page 61 of 69

4.4 – Ensure all documentation is in order and appropriately stored

Your organisation has a legal obligation to maintain records of all hazards that have been
identified by staff within a work area. Most State/Territory legislation requires that a
workplace keeps certain records for a specified period of time. It is important to make sure
that you know how long these records should be kept in your State/Territory.

The organisation's documentation will include external reporting, where the

organisation will:
➢ To their external stakeholders on a regular basis setting out the
organisation's risk management policies and the effectiveness of its
objectives. Many stakeholders now look to the organisation to provide non-
financial information, such as its community affairs, human rights,
employment practices, health and safety and the environment. This is usually
a part of good governance, where the organisation protects the interests of
their stakeholders

➢ To government bodies if an incident arises from a hazard, such as to the

worker’s compensation body of each State/Territory.

Other records, such as health and safety in the workplace, should be kept as part of the risk
management process. It is important to make sure that your team and any other personnel
within your organisation are aware of the organisation's record-keeping requirements, where
the records can be found and how to access to them. Record keeping is a good work
practice and should increase the efficiency of the workplace.

Documents are recorded to ensure that the State/Territory WHS Act is complied with.
Risk is recorded to:
➢ Ensure that the risk management process follows the correct legislative

➢ Provide management and decision makers with a plan that ensures that risk
exposures are addressed in a logical manner

➢ Provide an audit trail in the case that processes are followed up

➢ Share and communicate risk management activities to employees and other


➢ Provide accountability that supports the organisation's strategic and risk

management plans

➢ Facilitate continuous monitoring and review of risk management.

BSBRSK501 Learner Guide Version 4.0, October 2019 Page 62 of 69

Management will usually write individual work area reports on the progress of risk
management programs for the risk management or workplace health and safety
committee. These reports will, in most instances, include:
➢ Compliance and due diligence statement

➢ First Aid/medical post records

➢ Hazardous substances registers

➢ Health surveillance and workplace environmental monitoring records

➢ Maintenance and testing reports

➢ Manufacturers’ and suppliers’ information, including SDS and dangerous

goods storage lists

➢ Mentoring and auditing documents

➢ WHS audits and inspection reports

➢ Records of instruction and training

➢ Risk management policy statement

➢ Risk register

➢ Risk treatment and action plan

➢ Safety bulletins or notices

➢ Workers’ compensation and injury management records

These documents leave a trail. This trail provides evidence that the organisation is
complying with their legal obligations. The aim of this evidence is to ensure that your
employer can:
➢ Demonstrate that the risk assessment process is conducted properly

➢ Provide management and other decision makers with a plan that addresses
the key exposures for the organisation in a logical and prioritised way

➢ Provide an accountability mechanism aimed at supporting the corporate plan

➢ Facilitate continuous monitoring and review of risk management

➢ Provide an audit trail for the follow-up of key actions related to the exposures
being addressed

➢ Share and communicate risk management activities among all staff

members, most particularly with staff.

BSBRSK501 Learner Guide Version 4.0, October 2019 Page 63 of 69

Documentations are important to an organisation. They not only leave an audit trail, they
provide a historical account of risk management processes for the organisation, which can
be used to improve its risk management policies and procedures.

Files need to be secured, to ensure that unauthorised personnel cannot access them. To
ensure that the organisation’s confidentiality and the privacy of the team members and
external specialists are maintained, files are usually kept under lock and key, in a secured
location. This may be a storage facility separate from the organisation or a secured room
designated for the files.

BSBRSK501 Learner Guide Version 4.0, October 2019 Page 64 of 69

4.5 – Implement and monitor action plan

Once an action plan has been developed, it needs to be implemented as soon as possible. It
is important to make sure that the action plan is reported to workgroups and stakeholders.

The information that you need communicate in every step of the process includes:
➢ Decisions made, with regards to resolving a hazard

➢ How a change in a procedure is implemented and why the change is


➢ How the benefits of the change will benefit all parties. Research has shown
that if stakeholders understand how a specific change impacts on them, they
will be more than inclined to take ownership of the change

➢ The benefits of working safely

➢ The consequences if they fail to follow the control measures.

For your action plan to succeed, you need to make sure that you gain the support and
cooperation of key personnel at all levels. This means that you need to make sure that you
communicate your action plan to key personnel and that you create awareness of the plan.

To implement an action plan, you should:

1. Create a communication plan that requires you to identify all of the key
personnel and determine what information they need, and adapt the way that
you communicate with them to meet their needs

2. Raise awareness by assigning key personnel with authority over different

sections of the action plan. If necessary, provide them with training and
support while they learn their roles and responsibilities. By allocating key
personnel with charge of an area, they will become involved in the action
plan and will feel like they are making a difference in how the organisation
works, meaning they will take more ownership in the success of the action

Another way to further awareness is to obtain the support of management.

Not all managers will be involved with the action plan. They may not even be
aware of the plan. What you need to do is increase their awareness, so that
employees will become empowered. One way you can improve awareness is
through communicating the action plan with methods applicable to the
audience, such as in formal meetings, to keep the managers up-to-date on
progress and changes to the action plan.

BSBRSK501 Learner Guide Version 4.0, October 2019 Page 65 of 69

3. Build capacity. Systems and training should be used to build the skills and
knowledge to build the success of the action plan by building organisational
capacity. Research demonstrates that the level of employee participation will
increase as their knowledge and confidence rises.

Training should be used to help employees understand the importance of

their performance and its connection to the information gathered, so that
informed decisions can be made. Training provides the chance to gather
feedback and evaluations, especially as training creates an awareness of the
organisation’s systems.

Training may include how to operate equipment, following organisational

procedures for reporting, monitoring and data collection, and specialised
training in using and maintaining equipment so that they operate at an
efficient level.

4. Motivate. Motivation is also another important tool for developing staff

participation in the implementation of the action plan. This can be done by
empowering your team.

Stakeholders can be empowered by:

o Offering incentives to create interest and foster employee ownership

o Recognising individual and group efforts

o Offering bonuses and rewards for goals that have been met

o Using environmental messages that they relate to

o Letting stakeholders know the cost if they do not follow procedures;


o Linking the performance of the stakeholder to the organisation's goals.

5. Track and Monitor. Tracking should be used to demonstrate that the

organisation is monitoring the success and/or failure of the action plan.
Tracking should be centralised and aimed at measuring progress, with
regards to meeting the organisation’s deadlines, goals and milestones.

Once a problem in the action plan is identified, corrective action should be

taken and a reassessment completed, to ensure that the corrective action
has done what it was supposed to do.

This means that you should perform regular updates to make sure that the
corrective action is appropriate, conduct periodic reviews to make sure that
risk management and ensure action plan goals are being met and that the
corrective action is still appropriate.

BSBRSK501 Learner Guide Version 4.0, October 2019 Page 66 of 69

4.6 – Evaluate risk management process

Risk management is an ongoing process. Risks will change as the environment changes.
For example, you introduce a new piece of equipment to a work site. New risks will arise
when the equipment makes a job easier or changes the way in which other tasks are
perform. Risk will arise by the introduction of the equipment.

Good risk management places emphasis on monitoring and reviewing all current
organisational plans, strategies, systems and controls. Monitoring ensures that, as risks
change, new control measures are introduced.

Ongoing review of the risk management process is required, to ensure that the plan remains
relevant to the workplace. Factors that may impact upon risk assessments and control
measures can also change over time. This means that the risk management process should
be repeated regularly, to ensure that the risk management process remains effective.

There are many methods that can be used to monitor and review procedures and
these should be considered part of your management plan. You can complete:
➢ Self-assessments

➢ Physical inspections

➢ Checking and monitoring success of actions

➢ Audit and reassessment of risks to achieving objectives

➢ Key dates, time frames and deadlines should be set for communicating,
monitoring, reporting and review.

BSBRSK501 Learner Guide Version 4.0, October 2019 Page 67 of 69

When you monitor the effectiveness of control measures, it is helpful to ask the following

Have the chosen control measures been implemented as

Yes No

Are the chosen control measures in place?

Are the measures being used?

Are the measures being used correctly?

Are the chosen control measures working? Yes No

Have any of the changes made to manage exposure to the assessed

risks achieved what was intended?
Has exposure to the assessed risks been eliminated or adequately
Are there any new problems? Yes No

Have the implemented control measures introduced any new

Have the implemented control measures resulted in the worsening
of any existing problems?

You should be able to answer the following questions:

➢ Has the risk management process added value for your company?

➢ Are the outcomes of the program measurable?

➢ Would you make a decision to contract or expand the risk program based on
this information?

BSBRSK501 Learner Guide Version 4.0, October 2019 Page 68 of 69


Brown, A., & Weiner, E. (1985). Supermanaging: How to harness change for personal and
organisational success. New York: Mentor

Clutterback, D. and Hirst, S (2002). “Leadership communication: A status report”, Journal of

Communication Management, Vol 6(4), pp.351-354.

Grabowski, M and Roberts, K. (1999), “Risk mitigation in virtual organisations”

Organisational Science. Vol 10(6). PP.704-722.

Mayer, R.C., Davis, J.H., & Schoorman, F.D. (1995). “An integrative model of organisational
Trust”, Academy of Management Review. Vol. 20 (3), pp. 709 – 734

McAllister, D. J. (1995), “Affect and cognition-based trust as foundations for interpersonal

cooperation in organisations,” Academy of Management Journal, Vol. 38(1), pp.24-59

Muller, R. (2009), Critical Success Factors for effective risk management procedures in
financial industries: A study from the perspectives of the financial institutions in Thailand.
Umea University. Master Thesis

Rochart, J.F. (1979). “Chief executives define their own data needs”, Harvard Business
Review, Vol 57 (2), pp.81-93.

SafeWork NSW
URL Address:
Access Date: 30.10.2019

BSBRSK501 Learner Guide Version 4.0, October 2019 Page 69 of 69