Transcript
NARRATOR
The journey of a risk. We will run through the journey a risk takes through its life.

Stage 1, target risk level. The target risk level is the level of risk that we would like to achieve.

Stage 2, gross risk. This is the risk level and reflects the worst case. The gross risk level, sometimes called the inherent risk level, assumes any specific and significant controls and mitigating activities do not exist or do not work as intended.

Stage 3, current risk. This is the level of risk we face today. It should take into account existing controls, providing they are effective. A common mistake in assessing the current risk level is to include planned mitigation actions. This is incorrect and can lead to the risk being under-called. Note that controls should only be taken into account if they are effective. Controls that are planned to be introduced and controls that have been shown to be ineffective should not be included in the assessment of the current risk level.
Stage 4, residual risk. This is the level of risk we will have in the future, once all of our planned treatment actions have been completed. The residual risk will also take into account existing controls and any controls that we plan to introduce. So the residual risk level will normally assume that all controls will be effective. To prevent under-calling the residual risk level, only treatment actions that are fully funded and resourced should be taken into account. In certain circumstances, our risk treatment plans, so those that are funded and resourced, may not reduce the risk level enough. And we may still be operating with a higher risk level than planned. In this case, we would also record our target risk level. We would then look to explore what other treatment actions could be undertaken to reduce the risk level further. The risk treatment actions that move us from residual to target may not be funded or resourced.
Let's look at some common scenarios and the implications. One, gross risk level equals current risk level. We have no controls or the controls we have are ineffective. Two, current risk level is less than gross risk level. We have a set of effective controls that have reduced the risk level, so down to its current point. Three, current risk level equals residual risk level. There are no activities planned and funded to reduce the risk level. Four, residual risk level equals target risk level. Our planned and funded activities to reduce the risk level will get us to the risk level we'd like to achieve.
As we've seen, all risk levels change over time. Risk is dynamic. It changes. And because of this, each of the risk levels mentioned above may change. It may be that incidents have occurred that highlight that our controls are ineffective. So the current risk level increases. Or it may be that treatment actions are effective. So our current risk level reduces. However, the actions may not be as effective as we think. And so the residual risk level increases.
We also need to remember that external factors, often beyond our control, can change any of the risk levels. The only thing to remember is that, unless the risk can no longer happen, it is not closed. And even if the current risk level is at the target point, if the gross risk level is not, then you need to ensure that your controls remain effective. This is why assurance over controls is so important and why models such as Three Lines of Defence, as described in Session 7, are so valuable.