Risk management

2 The importance of assessing all consequences

In Session 3 you saw how one risk can have more than one consequence. It is therefore important that you can understand and assess all of the consequences a risk can have. It is also important to consider how a consequence can evolve.

Risks change over time. It may seem obvious to say so, but over time the risk level faced for some risks may go up, while for other risks it may go down. Sometimes this is due to things within your control (e.g. tangible things you have done to alter the risk level); other times it may be due to a change in the external environment that changes the level of risk faced. Consider the different points at which risks are normally assessed.

Transcript


The journey of a risk. We will run through the journey a risk takes through its life.
Stage 1, target risk level. The target risk level is the level of risk that we would like to achieve.
Stage 2, gross risk. This is the risk level and reflects the worst case. The gross risk level, so sometimes called inherent risk level, assumes any specific and significant controls and mitigating activities do not exist or do not work as intended.
Stage 3, current risk. This is the level of risk we face today. It should take into account existing controls providing they are effective. A common mistake in assessing the current risk level is to include planned mitigation actions. This is incorrect and can lead to the risk being under called. Note that controls should only be taken into account if they are effective. Controls that are planned to be introduced and controls that have been shown to be ineffective should not be included in the assessment of the current risk level.
Stage 4, residual risk. This is the level of risk we will have in the future, once all of our planned treatment actions have been completed. The residual risk will also take into account existing controls and any controls that we plan to introduce. So the residual risk level will normally assume that all controls will be effective. To prevent under calling the residual risk level, only treatment actions that are fully funded and resourced should be taken into account. In certain circumstances, our risk treatment plans, so those that are funded and resourced, may not reduce the risk level enough. And we may still be operating with a higher risk level than planned. In this case, we would also record our target risk level. We would then look to explore what other treatment actions could be undertaken to reduce the risk level further. The risk treatment actions that move us from residual to target may not be funded or resourced.
Let's look at some common scenarios and the implications.
One, gross risk level equals current risk level. We have no controls or the controls we have are ineffective.
Two, current risk level is less than gross risk level. We have a set of effective controls that have reduced the risk level, so down to its current point.
Three, current risk level equals residual risk level. There are no activities planned and funded to reduce the risk level.
Four, residual risk level equals target risk level. Our planned and funded activities to reduce the risk level will get us to the risk level we'd like to achieve.
As we've seen, all risk levels change over time. Risk is dynamic. It changes. And because of this, each of the risk levels mentioned above may change. It may be that incidents have occurred that highlight that our controls are ineffective. So the current risk level increases. Or it may be that treatment actions are effective. So our current risk level reduces. However, the actions may not be as effective as we think. And so the residual risk level increases.
We also need to remember that external factors, often beyond our control, can change any of the risk levels. The only thing to remember is that, unless the risk can no longer happen, it is not closed. And even if the current risk level is at the target point, if the gross risk level is not, then you need to ensure that your controls remain effective. This is why assurance over controls is so important and why models such as Three Lines of Defence, as described in Session 7, are so valuable.

End transcript

When assessing a risk you need to consider the level of risk and how this changes over time. This part of the process is iterative, where assessment of risks and treatment of risks need to be considered together. Risk treatment will be covered in more detail in Session 5.

