Words have meaning..... especially in risk management

G. J. Marling, T. Horberry and J. Harris
Minerals Industry Safety and Health Centre (MISHC), Sustainable Minerals Institute (SMI)
The University of Queensland (UQ), Brisbane St Lucia, QLD 4072, AUSTRALIA
E-mail: g.marling@uq.edu.au

Abstract: There is a fundamental problem with the definitions and interpretation of the elements of risk management: different definitions arise in a number of well-recognised standards and other guiding documents. The primary issue is that the definitions and descriptors are at odds with each other and are difficult to understand and interpret. In the past, this has led to companies developing their own interpretations of the elements in their risk/safety management systems, thus exacerbating the problem. A draft set of plain English interpretations (PEIs) was developed and the Delphi technique was used with 26 risk-experts to improve and validate these PEIs. These were further validated by 24 operators/workers. The implications of these new PEIs are that they could be considered by the ISO Working Group on the Risk Management Standard and similar committees for future standards and guidance documents, adopted by companies for their risk/safety management systems, and form part of an on-going PhD study.

Keywords: definitions, interpretations, ISO standards, risk management, Delphi technique, plain English.

Introduction

Statutory Obligation to Manage Risk

In Queensland, there are statutory obligations imposed on certain persons to manage occupational hazards by undertaking risk management activities. This paper describes the establishment of that obligation and introduces the importance of consulting standards, supporting handbooks and codes of practice on the subject of risk management. The Work Health and Safety Act 2011, Queensland (WHS Act), imposes an obligation on various personnel in the workplace to manage risk.
In terms of managing occupational health and safety (OHS) risk, compliance with the WHS Act and the Work Health and Safety Regulations 2011 (WHS Regulations) may be achieved by following either: the prescriptive parts of the WHS Regulations; the requirements of the various codes of practice; or another method, such as a technical or an industry standard, so long as it provides an equivalent or higher standard of work health and safety than the WHS Regulations or code of practice. So risk is not just another four-letter word; it is an overriding concern in the process of making decisions, i.e. determining a course of action (Wall, 2009). However, we argue here that this process may be hampered by the numerous definitions of risk management terminology given in the various guidance material. These reference sources are discussed in more detail under Reference Sources for the Risk Management Process below.

Risk Management Terminology

Concerns regarding risk management terminology have been widely debated since the 1980s (Kaplan and Garrick, 1981). Further to this, it has been stated that ‘An effective decision making process, whether conducted by individuals or societies, requires agreement on basic terms. Without such conceptual clarity, miscommunication and confusion are likely’ (Fischhoff et al., 1984, p 136). Zink and Leberman (2001, p 56) discuss a ‘gulf between the definitions of risk and risk management’; however, their concern is more about the gap between the perceptions of risk and risk management than about definitions. Haimes (2009, p 1647) contends that ‘the Risk Definition Committee of the Society for Risk Analysis (SRA) printed 13 definitions of risk on the program jacket of its first meeting in 1981. The definitions of risk continue to multiply as “risk” becomes a household term’.
A shared risk language ensures that everyone uses a common way of speaking about risk that cuts through management layers and breaks down functional silos, saving time on resolving communication issues and problems associated with being ‘lost in translation’ (Espersen, 2007). Wright (2012) discusses the problem of blurring of certain risk concepts in English and the fact that in many languages other than English there is only one word for a number of these terms. But whilst there has been concern about risk management terminology, as far as we are aware no one has actually tried to systematically determine the problematic nature of the terminology and how to overcome these issues. The aim of this study was to use well-recognised risk-expertise to develop a set of PEIs for the seven elements of the risk management process, i.e. establishing the context, risk identification, risk analysis, risk evaluation, risk treatment, communication and consultation, and monitoring and reviewing.

Reference Sources for the Risk Management Process

In Queensland and the rest of Australia, there are many well-recognised reference sources for the risk management process. These include Australian and international standards, codes of practice, industry guidance documents and a plethora of academic articles and books on risk management. Arguably, at the time of this study, the top three reference sources for risk management are: ‘ISO Guide 73:2009 Risk management – Vocabulary’, ‘AS/NZS ISO 31000:2009 Risk management – Principles and guidelines’ and ‘HB 89:2012 Risk management – Guidelines on risk assessment techniques’. All three of these are in broad alignment in their definitions of the key risk management terms; however, the words used in the definitions themselves are often open to interpretation.
There are also many other current reference sources that have ambiguous and conflicting definitions of the key risk management terminology, both within themselves and compared to the three previously listed reference sources. This could lead to confusion when applying the principles of risk management. This problem is further compounded by entities writing their own safety/risk management systems and putting their own interpretation on the definitions of key risk management process terms. It is little wonder, therefore, that confusion may exist when it comes to having to interpret and explain what the key risk management process terms exactly mean.

A code of practice provides practical guidance for people who have work health and safety duties about how to achieve the standards required under the Act, and about effective ways to identify and manage risks (http://www.deir.qld.gov.au/workplace/law/legislation/codes/index.htm). In Queensland, there are currently 39 codes of practice for managing OHS-related risks; however, the one that deals with the risk management process itself is ‘How to Manage Work Health and Safety Risks Code of Practice 2011’. There are a further 12 codes of practice associated with managing OHS risks in draft form that have been released by Safe Work Australia for public comment prior to publication and potential adoption by the states. The purpose of the How to Manage Work Health and Safety Risks Code of Practice 2011 is to provide ‘practical guidance for persons who have duties under the WHS Act and Regulations to manage risks to health and safety’ (How to Manage Work Health and Safety Risks Code of Practice 2011, p 4).

A standard is a ‘documented agreement containing technical specifications or other precise criteria to be used consistently as rules, guidelines, or definitions of characteristics to ensure that materials, products, processes and services are fit for their purpose’ (http://www.iso.org/iso/support/faqs/faqs_standards.htm).
Standards attempt to overcome technical barriers in commerce due to differing technical regulations across national and state boundaries. Technical barriers result from disparate and large user-based groups coming together to undertake some well-established process that between them is mutually incompatible. Establishing national or international standards is one way of preventing or overcoming this problem. International standards are documents developed by international standards organisations and are available for consideration and use worldwide. Where an international standard has been adopted by a nation it may carry both the international and national prefix. An example of this is the standard for risk management AS/NZS ISO 31000:2009 – Risk Management – Principles and Guidelines, referred to as ISO 31000:2009 in this paper. Standards in themselves are usually documents that give high-level guidance on a process. As a result they can often be open to interpretation, and so guides and/or handbooks often support them to give further context through a more detailed explanation or examples/case studies. International and national standards are not mandatory to follow unless they are ‘called up’ in statutes or by regulatory bodies; even then, processes can be varied from the standard as long as a risk assessment proves that the adopted/adapted process yields a higher level of management and control than the standard would give.

The discussion below is limited to standards and books that are relevant to OHS risks. There are many other risk domains, e.g., but not limited to, environmental, technology and finance, that could call up other standards and handbooks, but these have been excluded. More recently, and after data collection for this study, ‘HB 436:2013 Risk management guidelines – Companion to AS/NZS ISO 31000:2009’ has been released to support ISO 31000:2009, whereas previously it was ‘HB 436:2004 Risk management guidelines – Companion to AS/NZS 4360:2004’.
This handbook supersedes the 2004 version that supported AS/NZS 4360:2004. Initial examination of the updated handbook reveals that whilst it contains text to guide how to conduct each of the elements of the risk management process, its contents do not overcome any of the above-mentioned problems in terms of interpretation and understanding.

PROBLEM DEFINITION

Two initial studies were conducted to better identify practitioners’ views on current risk management terminology and how this may be affecting their practice.

Site Visits

A series of site visits was undertaken at four high-risk operations: an open cut coal mine, an underground gold mine and two rail construction projects. An examination of safety/risk management systems was undertaken to explore whether there was a problem with the quality of the outcomes from risk management forums at both a formal and an informal level. Follow-up interviews and discussion with site personnel highlighted a common theme of confusion amongst risk managers and practitioners when trying to apply the definitions of the steps of risk management. Suggestions were made that a published set of ‘plain English operational interpretations’ to accompany the definitions contained in standards may help to alleviate this confusion.
Part 1 – Review of Safety / Risk Management Systems

A review of the safety / risk management systems was undertaken at each of the four operational sites. After systematic review of the outcomes, the following conclusions were tentatively drawn and then validated through informal interviews with site personnel:

in all cases, safety and risk systems documentation had grown to the point that there had been many amendments, resulting in the loss of context and in ambiguities in terms of the methodologies and the accountabilities and responsibilities for managing risk;
there were conflicting terminology and definitions for the risk management processes;
much of the audit trail documentation (registers and records) for risk-related activities was completed in an ad-hoc manner, e.g. sometimes perfect, sometimes missing key information and sometimes missing details of who conducted or was involved in the risk management process;
a review of occurrence reports identified that in many cases, where required, the appropriate risk management technique was not applied before commencing the activity or was incorrectly carried out; and
there was very little evidence of monitoring and reviewing activities being undertaken.

Part 2 – Informal Interviews

Interviews (n = 27) at the four operational sites provided evidence to support the conclusion that risk management definitions were either too scant and/or too technical to clearly define the process in layman’s terms.
A representative set of comments to support this was as follows:

Project Managers and Risk/Safety Specialists

“A clearer set of definitions of the risk management steps would possibly help establish what we should be doing”; “I am frustrated because our procedure for risk management is very clear, but nobody wants to follow it as there are parts of the process that they do not understand and may not be necessary”; “I am confused by our complex documented risk management process, some terms seem misleading for example ‘risk treatment’, when you read the intent of this step it appears there are a number of other options besides just ‘treating’ the risk”; “I think a set of concise explanations of the phrases would help”.

Operational Staff

“The safety management documentation seems to be written for office people to understand and not for us workers to make happen”; “I am baffled why we have two approaches to managing risk, a simple ‘Stepback’ in the field and a complex ‘talkfest’ in the office”; “I read the explanations of what I should be doing for safety and risk management, but they do not make sense to me”.

Global Survey

As part of an ancillary study, a global survey (n = 289) was undertaken of people working in high-risk industries. A secondary result of this survey was that respondents appeared confused by the ambiguity of risk management terms in the reference sources and in their company’s safety/risk management systems. Furthermore, it became apparent that a clear and concise set of PEIs may help overcome this confusion. When questioned about their company’s and their own expectations for people to be efficient and effective in the seven steps of the risk management process, a number of respondents indicated that they did not understand the definitions of the seven elements of risk management (from ISO 31000:2009).
A representative set of comments to support this was as follows: “Our management systems are too complex and big to use”; “I am confused by the risk management terminology and their explanations”; and “There needs to be a uniform process and terminology across the organization”.

The outcomes of these studies suggest that people at all levels of an organisation find the current risk management terminology, i.e. definitions and guidelines, confusing and therefore difficult to apply. Prompted by these results, we set about developing a set of PEIs for the seven elements of the risk management process that could better inform people applying risk-based decision making on what they should be focussing on within each element.

METHOD

Initially the research team developed a draft set of PEIs to supplement the definitions for each of the risk management elements. These were developed by comparing all of the definitions and words of guidance from 9 standards, 1 guide and 16 handbooks; some are current, some are in revision and some are yet to be revised for harmonisation with ISO 31000:2009. The draft PEIs were then sent to risk-experts (n = 26), including risk practitioners/facilitators, lawyers and academics with a collective experience in risk management of over 700 years, noting that all had been practising risk management in their vocations for at least 25 years. The risk-experts were asked to comment on and offer suggested improvements that did not change the intent of the definition, but gave better and more concise guidance on how the element would be successfully achieved. Consensus between the risk-experts’ opinions was then reached using the Delphi technique. The resultant PEIs were then sent again to the same risk-experts for comment, and changes made according to the Delphi technique.
Once the PEIs were developed through consensus with the risk-experts, they were sent to a group of frontline operators/workers (n = 24) to validate that the PEIs were clear to people working at the ‘sharp end’ or operational level of business, where the OHS risks are taken.

Delphi Technique Background

The Delphi technique is based on the principle that opinions from a structured group of individuals are more accurate than those from unstructured groups (Linstone & Turoff, 1975; Rowe & Wright, 2001). The Delphi technique is also known as collective intelligence (Hiltz & Turoff, 1978). It is a form of brainstorming where experts can give their opinion individually and anonymously. They also get access to the opinions of the other experts as the process progresses through two or more rounds (Standards Australia Limited, 2012). After each round, the experts are provided with an anonymous summary of the other experts’ opinions from the previous round as well as the reasons they provided for their decisions. Experts are encouraged to revise their earlier opinions in light of the replies of other experts. The theory is that during this process the range of the opinions will decrease and the group will converge towards a consensus opinion (Rowe & Wright, 1999). The process of individuals working anonymously to form a consensus may help to reduce the various biases that result in regular, face-to-face group meetings, such as ‘group think’, ‘the halo effect’ and the ‘bandwagon effect’.

Application of Delphi Technique Method

A group of 26 risk-experts agreed to partake in a study using the Delphi process to develop PEIs of the seven risk management elements. The risk-experts came from three domains: industry-recognised facilitators/practitioners (18), lawyers (3) and academics (5). The risk-experts were given the definitions provided in the industry-accepted standards as well as the draft set of PEIs developed by the researcher.
The risk-experts were asked to review the draft set of PEIs and respond as to whether or not they agreed with them, and if not to provide an alternative PEI. Twenty-three of the risk-experts provided responses to the first round. Three of them did not offer any alternative PEIs but provided important information about the broader context of this process, such as highlighting the importance of first defining what we mean by risk. Analysis of the first round of responses included review of those who indicated they did not agree and gave an alternative PEI, and of those who answered that they did agree and also gave some notations for consideration. First, irrelevant information was discarded. Where changes were implemented, more weight was given to those who answered that they did not agree and supplied comments than to those who agreed but also added comments. The analysis involved an iterative process of looking at each respondent’s suggestion and determining whether their alternative wording added value to the initial PEI. Common and conflicting viewpoints were identified as part of this process. As the ranked list was worked through, whenever a change was made to the progressive amendment of the initial PEI a check was made to ensure that it did not adversely impact on the context of the higher-ranked alternatives. When each of the seven elements of the risk management process was completed and a new PEI established, it was checked to make sure it did not adversely impact on the context of the other six elements of the risk management process. The new alternative PEIs were then sent to the 20 risk-experts who had responded either agreeing or disagreeing with the initial PEIs. A similar procedure was followed to amend the PEIs in light of their responses and come to a consensus. Once a satisfactory level of consensus was achieved with the risk-experts, the PEIs were then put through a Delphi process with operators/workers.
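The round-by-round tally described above, with the 80% consensus rule the Method adopts from Standards Australia Limited (2012), can be written out as a small procedure. The Python below is an added example and is not code from the paper or its authors. The expert identifiers, the two-element subset and every answer are constructed for illustration, and the rule that an expert stays on the panel only if they gave a determinable agree/disagree answer on every element is an assumption about how the six excluded experts were identified.

```python
"""Tally of Delphi rounds for plain English interpretations (PEIs).

Added example, not the paper's own code. Expert identifiers, the element
subset and all answers below are constructed for illustration.
"""
from typing import Dict, List, Optional, Tuple

# 80% rule adopted in the Method from Standards Australia Limited (2012).
CONSENSUS_THRESHOLD = 0.80

# An answer is "agree" or "disagree"; None models an expert who returned
# comments only, so that agreement could not be determined.
Answer = Optional[str]
RoundData = Dict[str, Dict[str, Answer]]  # expert -> element -> answer

DETERMINABLE = ("agree", "disagree")


def consensus(round_data: RoundData, element: str) -> float:
    """Share of determinable answers on `element` that agree.

    Experts with no determinable answer are left out of the denominator,
    as the paper did with the three experts whose comments could not be scored.
    """
    answers = [expert.get(element) for expert in round_data.values()]
    counted = [a for a in answers if a in DETERMINABLE]
    if not counted:
        return 0.0
    return counted.count("agree") / len(counted)


def scores(round_data: RoundData, elements: List[str]) -> Dict[str, float]:
    """Consensus for every element in one round."""
    return {e: consensus(round_data, e) for e in elements}


def next_panel(round_data: RoundData, elements: List[str],
               invited: List[str]) -> List[str]:
    """Experts retained for the next round.

    Assumption: an expert stays on the panel only if they gave a determinable
    answer on every element; non-responders and comment-only responders drop out.
    """
    return [x for x in invited
            if all(round_data.get(x, {}).get(e) in DETERMINABLE for e in elements)]


def needs_another_round(score_by_element: Dict[str, float],
                        threshold: float = CONSENSUS_THRESHOLD) -> bool:
    """The whole set of PEIs goes out again if any element is under threshold,
    even when some elements already reached it in this round."""
    return any(s < threshold for s in score_by_element.values())


def deltas(prev: Dict[str, float], curr: Dict[str, float]) -> Dict[str, int]:
    """Change in consensus between rounds, in percentage points (as in Table 1)."""
    return {e: round((curr[e] - prev[e]) * 100) for e in curr}


def order_suggestions(round_data: RoundData, element: str,
                      suggestions: Dict[str, str]) -> List[Tuple[str, str]]:
    """Rank suggested rewordings as the paper did: a disagreement with an
    alternative PEI is weighted above an agreement that merely adds a note."""
    def weight(expert: str) -> int:
        return 0 if round_data[expert].get(element) == "disagree" else 1
    return [(x, suggestions[x]) for x in sorted(suggestions, key=weight)]


# Constructed data: two of the seven elements, seven invited experts.
ELEMENTS = ["Establishing the context", "Risk identification"]
INVITED = ["E1", "E2", "E3", "E4", "E5", "E6", "E7"]

ROUND_ONE: RoundData = {
    "E1": {"Establishing the context": "agree", "Risk identification": "agree"},
    "E2": {"Establishing the context": "disagree", "Risk identification": "agree"},
    "E3": {"Establishing the context": "agree", "Risk identification": "disagree"},
    "E4": {"Establishing the context": "disagree", "Risk identification": "agree"},
    "E5": {"Establishing the context": "agree", "Risk identification": "agree"},
    "E6": {"Establishing the context": None, "Risk identification": None},  # comments only
    # E7 did not respond at all.
}
ROUND_ONE_SUGGESTIONS = {  # alternative wordings offered for the first element
    "E1": "Add 'with respect to the specific objective you are trying to achieve'.",
    "E2": "Replace 'involves' with 'is the process of'.",
    "E4": "Add legal and regulatory frameworks to the list of elements.",
}

ROUND_TWO: RoundData = {
    "E1": {"Establishing the context": "agree", "Risk identification": "agree"},
    "E2": {"Establishing the context": "agree", "Risk identification": "agree"},
    "E3": {"Establishing the context": "agree", "Risk identification": "agree"},
    "E4": {"Establishing the context": "disagree", "Risk identification": "agree"},
    "E5": {"Establishing the context": "agree", "Risk identification": "agree"},
}


if __name__ == "__main__":
    r1 = scores(ROUND_ONE, ELEMENTS)
    print("Round 1:", r1, "another round:", needs_another_round(r1))
    print("Panel for round 2:", next_panel(ROUND_ONE, ELEMENTS, INVITED))
    for expert, text in order_suggestions(ROUND_ONE, "Establishing the context",
                                          ROUND_ONE_SUGGESTIONS):
        print(f"  {expert}: {text}")
    r2 = scores(ROUND_TWO, ELEMENTS)
    print("Round 2:", r2, "another round:", needs_another_round(r2))
    print("Delta (pp):", deltas(r1, r2))
```

On the constructed data the first element reaches 60% in round one and 80% in round two, the second element reaches 80% in round one but is redistributed anyway because the set is judged as a whole, and the two experts who gave no determinable answer are dropped before round two.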
For this research a combination of the Pareto principle and the law of diminishing returns was used, following Standards Australia Limited (2012), i.e. 80% consensus was considered sufficient. Note that some elements got 80% consensus on the first round, but were distributed again for the respondents to consider the set of elements as a whole.

Results

Draft PEIs were formulated for each of the seven elements of the risk management process, as defined in ISO 31000:2009, as follows:
Establishing the context
Risk identification
Risk analysis
Risk evaluation
Risk treatment
Communication and consultation
Monitoring and reviewing.

Taking ‘establishing the context’ as an example to work through in detail, this element of the risk management process is defined in ISO 31000:2009 as follows: ‘Defining the external and internal parameters to be taken into account when managing risk, and setting the scope and risk criteria for the risk management policy.’

The initial draft wording (round one) for a PEI of ‘establishing the context’ was sent out to the group of 26 risk-experts as follows: ‘Establishing the context’ in the risk management process involves evaluating the external and internal environment in which your organisation operates. This includes political, economical, cultural and operational elements of your organisation. From this broad-based perspective an overarching strategic approach to risk can be mapped for your organisation, including establishing the criteria against which risk will be evaluated and defining the structure of the analysis.

The initial draft wording for a PEI of ‘establishing the context’ resulted in 60% support for the wording; Table 1, at the end of this section, shows the level of consensus in each round and the difference between rounds. Twenty-three participants responded; however, three responded with comments that were helpful in broad context but from which it was not possible to determine whether they agreed or disagreed.
A further three participants did not respond at all. As a result, these six were removed from the subsequent panel. Following feedback from the 23 risk-experts on the initial draft wording (round one) for a PEI of ‘establishing the context’, the PEI was amended and sent out to the reduced group of 20 risk-experts as a second round, as follows:

‘Establishing the context’ in the risk management process is the process of evaluating the external and internal environment in which your organisation operates with respect to the specific objective you are trying to achieve. This includes legal and regulatory frameworks, political, economical, cultural, commercial, technological and operational elements of your organisation. From this broad-based perspective, an overarching strategic approach to risk can be mapped for your organisation, including establishing the benchmark criteria against which risk will be evaluated and defining the structure of the analysis. This results in a starting plan and scope for the next six steps of the process that can be applied at a strategic, tactical and operational level, as appropriate.

Round two of the wording for a PEI of ‘establishing the context’ resulted in 95% support from the risk-experts (refer Table 1), above the 80% threshold, and as such did not require a further round for validation with the risk-experts. Following feedback from the 20 risk-experts on the round two wording, the PEI was amended as follows (round three wording):

‘Establishing the context’ in the risk management process is the process of evaluating the external and internal environment in which your organisation operates with respect to the specific objective you are trying to achieve. This includes legal and regulatory frameworks, political, economical, cultural, commercial (including financial), technological and operational elements of your organisation. From this broad-based perspective, a strategic approach to risk can be mapped for your organisation, including establishing the benchmark criteria against which risk will be evaluated and defining the structure of the analysis. This results in a starting plan and scope for the other six parts of the process that can be applied at a strategic, tactical and operational level, as appropriate.

The round three wording for a PEI of ‘establishing the context’ was forwarded to 24 operators/workers for validation and resulted in 83% support for the wording (refer Table 1). Whilst this is lower than the 95% from the risk-experts, the Delphi technique relies on the law of diminishing returns and greater than 80% agreement is considered enough not to require a further round. A number of comments were received from the operators/workers that were considered worthy of some very minor word changes, as follows:

‘Establishing the context’ is the process of evaluating the external and internal environment in which your organisation operates with respect to the specific objective you are trying to achieve. This includes legal and regulatory frameworks, political, economical, cultural, commercial (including financial), technological and operational elements of your organisation. From this broad-based perspective, a strategic approach to risk can be mapped for your organisation, including establishing the criteria against which risk will be evaluated and defining the analysis structure. This results in a starting plan and scope for the other six parts of the process that can be applied at a strategic, tactical and operational level, as appropriate.

The PEI above has only very minor amendments compared to the round three wording and as such did not warrant a further Delphi technique round with the operators/workers.
The results for the six other elements are summarised in Table 2 in Appendix A. That table contains only the definition from ISO 31000:2009, the initial PEI and the final PEI following review by the risk-experts and operators/workers.

Table 1 below depicts the progression of consensus on the PEIs in the two rounds of risk-expert feedback and the one round from operators/workers. It shows a consensus score for each round and the difference between rounds.

Table 1 – Progressive Consensus Scores and Differences Between Rounds One, Two and Three

Element                             Round 1   Round 2   ∆ Rounds 1 and 2   Round 3   ∆ Rounds 2 and 3
1 Establish the context               60%       95%          35%             83%          -12%
2 Risk identification                 60%       80%          20%             88%            8%
3 Risk analysis                       75%       85%          10%             92%            7%
4 Risk evaluation                     85%      100%          15%             80%          -20%
5 Risk treatment                      65%       95%          30%             80%          -15%
6 Communication and consultation      95%      100%           5%             92%           -8%
7 Monitor and review                  65%       90%          25%             92%            2%

Note that while there was a decrease in consensus between rounds two and three for elements 1 and 4-6, the consensus in round three is higher than in round one for all elements of the risk management process with the exception of elements 4 and 6.

Discussion and Conclusions

The work here has shown that there are considerable differences in the definitions the various risk management standards and codes of practice use to explain the elements of risk management, and that such differences can cause confusion in industry when trying to apply them. The research found that it was possible to successfully develop a set of PEIs for the seven risk management elements and iteratively validate them using the Delphi technique with risk-experts and operators/workers. It took a two-round Delphi session for the risk-experts to come to consensus and a single-round Delphi session for the operators/workers to agree that the revised PEIs would assist them in understanding the key elements of the risk management process.
Furthermore, these PEIs are understood and agreed by operational personnel. The implications of this work are that it could be considered by the ISO working committee for risk management for future improvement of the risk management standards and handbook, or adopted by companies for implementation into their current safety/risk management systems.

ACKNOWLEDGMENTS

This work was conducted as part of the principal author’s PhD studies, with the other authors being the supervisors for this research work. Although there were no funding sources for the work, the authors would like to acknowledge the survey participants and their colleagues in MISHC for proofreading and administrative support.

REFERENCES

Codes of practice, accessed 23 March 2014, <http://www.deir.qld.gov.au/workplace/law/legislation/codes/index.htm>
Espersen, D. (2007) The Language of Risk, The Internal Auditor, Vol 64, No 3.
Fischhoff, B., Watson, S. R. and Hope, C. (1984) Defining Risk, Policy Sciences 17, 123-139, Elsevier Science Publishers B.V., Amsterdam.
Haimes, Y. Y. (2009) On the Complex Definition of Risk: A Systems-Based Approach, Risk Analysis, Vol 29, No 12.
Hiltz, S. R. and Turoff, M. (1978) The Network Nation: Human Communication via Computer, Addison-Wesley, ISBN 978-0-262-08219-8.
International standard, accessed 23 March 2014, <http://en.wikipedia.org/wiki/International_standard>
Kaplan, S. and Garrick, B. J. (1981) On The Quantitative Definition of Risk, Risk Analysis, Vol 1, No 1.
Knight, K. W. (2012) Presentation to the Queensland Chapter of RMIA, Brisbane, 22 October 2012.
Linstone, H. A. and Turoff, M. (1975) The Delphi Method: Techniques and Applications, Addison-Wesley, Reading, Mass.
Queensland Government (2011) How to Manage Work Health and Safety Risks Code of Practice 2011.
Rowe, G. and Wright, G. (1999) The Delphi technique as a forecasting tool: issues and analysis, International Journal of Forecasting, Vol 15, Issue 4.
Rowe, G. and Wright, G. (2001) Expert Opinions in Forecasting: Role of the Delphi Technique. In: Armstrong, J. S. (Ed.), Principles of Forecasting: A Handbook for Researchers and Practitioners, Kluwer Academic Publishers, Boston.
Standards Australia Limited (2012) HB 89:2012 Risk Management – Guidelines on Risk Assessment Techniques, SAI Global Limited, Sydney NSW, Australia.
Standards, accessed 23 March 2014, <http://www.iso.org/iso/support/faqs/faqs_standards.htm>
Wall, K. D. (2009) Thinking about Risk: Definition, Assessment, and Management, The Armed Forces Comptroller, Vol 54, No 3, 8-13.
Work Health and Safety Act 2011, Queensland.
Zink, R. and Leberman, S. (2001) Redefining Risk and Risk Management: A New Zealand Case Study, The Journal of Experiential Education, Vol 24, No 1.

Appendix A: Progressive Development of PEIs for Elements 2-7

Table 2 – Progressive Development of Plain English Definitions for Elements 2-7 of the Risk Management Process. For each element the table gives the definition from ISO 31000:2009, the initial draft PEI, and the finalised PEI following feedback from risk-experts and operators/workers.

Risk identification
Definition from ISO 31000:2009: Process of finding, recognizing and describing risks.
Initial draft PEI: ‘Risk identification’ in the risk management process involves identifying and describing the types of risks that could affect your organisation. It involves a thorough examination of the activities of your organisation and the potential unwanted events that could occur. The result of this process is a comprehensive list of well-defined risks unique to your organisation and the environment in which it operates.
Finalised PEI: ‘Risk identification’ is the process of identifying the opportunities or hazards (sources of harm) and describing the types of credible risks that could affect your organisation. It involves a thorough examination of your organisation’s activities and the potential events that could occur and those that have occurred in similar circumstances. These events can be planned or unplanned. This results in a comprehensive list of well-defined risks, albeit there may be some uncertainties and ambiguities, unique to your organisation and its operational environment.

Risk analysis
Definition from ISO 31000:2009: Process to comprehend the nature of risk and to determine the level of risk.
Initial draft PEI: ‘Risk analysis’ in the risk management process involves determining the relative effect individual risks are likely to exert on your organisation/role. Risks are analysed in terms of their likelihood (rare to almost certain) and consequence (minor to catastrophic) for your organisation. This provides data that can then be used to prioritise risk.
Finalised PEI: ‘Risk analysis’ is the process of determining the relative effect individual risks are likely to exert on your organisation/role. Risks to your organisation are analysed in terms of the likelihood of the event(s) occurring (e.g. ranging from rare to almost certain) and the consequence(s) if the event occurs (e.g. ranging from minor to catastrophic). Events can be planned or unplanned. This results in data that can then be used to prioritise risk for management action as part of ‘risk evaluation’.

Risk evaluation
Definition from ISO 31000:2009: Process of comparing the results of risk analysis with risk criteria to determine whether the risk and/or its magnitude is acceptable or tolerable.
Initial draft PEI: ‘Risk evaluation’ in the risk management process involves comparing estimated levels of risk against the pre-established criteria. It then considers the balance between potential benefits and adverse outcomes to determine if the risk is acceptable/tolerable. This enables decisions to be made about the extent and nature of the treatments required and about priorities.
Finalised PEI: ‘Risk evaluation’ is the process of comparing estimated levels of risk against the criteria defined earlier when establishing the context. It then considers the balance between potential benefits and adverse outcomes, to determine if the risk is acceptable or tolerable based on the quality of the controls in place. This results in decisions being made about the current and potential future risk mitigation strategies and their priorities according to ‘as low as reasonably practicable’ principles.

Risk treatment
Definition from ISO 31000:2009: Process to modify risk, which can involve: taking an increased risk in order to pursue an opportunity; removing the risk source; changing the likelihood; changing the consequence; sharing the risk with another party or parties, including contracts and risk financing; and retaining the risk by informed decision.
Initial draft PEI: ‘Risk treatment’ in the risk management process is essentially the process of determining ‘risk mitigation strategies’ to modify risk, and involves consideration of four key strategies: terminating the risk, i.e. avoiding the risk by deciding not to start or not to continue the activity that gives rise to the risk; tolerating the risk, i.e. taking on increased risk in order to pursue an activity or retaining the risk by informed decision; treating the risk, i.e. removing the risk source, changing the likelihood and/or consequence; or transferring the risk, i.e. sharing the risk with another party or parties including contracts and/or risk financing.
Finalised PEI: ‘Risk treatment’ is the process of determining further risk mitigation strategies, with consideration of the hierarchy of controls, to: eliminate or reduce risks that are unacceptable or intolerable; or accept risks or opportunities; or increase risks provided they remain acceptable or tolerable. For each risk identified, this results in consideration of four key decisions: terminating the risk, i.e. avoiding the risk by deciding not to start or continue the activity, or removing the risk source, that gives rise to the risk; tolerating the risk, i.e. accepting the risk or taking on increased risk, by informed decision, in order to pursue an activity/opportunity; treating the risk, i.e. changing the likelihood and/or consequence associated with the risk; or transferring the risk, i.e. passing on or sharing the risk with other parties including contracts and/or insurance.

Communication and consultation
Definition from ISO 31000:2009: Continual and iterative processes that an organisation conducts to provide, share or obtain information and to engage in dialogue with stakeholders regarding the management of risk.
Initial draft PEI: Communicate and consult with person(s) or organisation(s) that can affect, be affected by, or perceive themselves to be affected by a decision or activity, as appropriate, about each stage of the risk management process and the outcomes of managing and controlling the risk. A key part of this process is to give / receive feedback to feed into steps 1-5 above.
Finalised PEI: ‘Communication and consultation’ is the process of sharing or obtaining information and engaging in dialogue with persons or organisations that can affect, be affected by, or perceive themselves to be affected by, a decision or activity. It happens at each stage of the risk management process with a particular focus on the outcomes of managing and controlling the risk. It should also include consideration of lessons learned from within and external to the business. This results in giving or receiving feedback for consideration in the other elements of the risk management process.

Monitoring and reviewing
Definition from ISO 31000:2009: Monitoring (continual checking, supervising, critically observing or determining the status in order to identify change from the performance level required or expected) and reviewing (activity undertaken to determine the suitability, adequacy and effectiveness of the subject matter to achieve established objectives).
Initial draft PEI: Monitoring is the continual checking to determine the performance of the mitigation strategies in place. Reviewing is the activity undertaken to determine the suitability, adequacy and effectiveness of the subject matter to achieve established objectives. A key part of this process is to give / receive feedback to feed into steps 1-5 above.
‘Monitoring’ is the process of checking, supervising and critically observing planned controls. These activities are undertaken at appropriate frequencies, depending on the nature and scope of the particular risk. This results in establishing that planned controls are in place and remain in place and whether the operating environment, and thus risk, has changed. ‘Reviewing’ is the process of determining the suitability, adequacy and effectiveness of the implemented controls to achieve established objectives that were defined earlier in ‘establishing the context’. This results in establishing a cycle of continuous improvement including considering new and/or more appropriate controls. Note bold lettering in column 2 above indicates that these terms are further defined in ISO 3100:2009 RISK Conference 2014 Brisbane, Australia, 28-30 May 2014