
Risk Management

Managing and assessing risks is something we all do every day, mostly without even thinking about it. When the complexity increases beyond our everyday experiences, such as risks faced by a business or a big project, a more formal approach is needed. However, it really isn’t difficult.

A generic risk management process is set out in ISO 31000 and can be applied to any kind of risk by any kind of organisation. The project management standards from PMI (including the PMBOK Guide) describe a similar process for managing project risk.

Different kinds of risks need different assessments in terms of the questions to ask or the exact technique you use, but the overall risk management process is the same. Essentially, the steps are as follows:

  • Establish the context – what activities are we talking about? What are you trying to do?
    • E.g., using a piece of machinery, making/building something, collecting measurements, importing or exporting goods, staff, data analysis and reporting.
  • Identify risks – what might affect the outcome?
    • E.g., a weather event, change to regulations, injury, staffing shortages, lack of required skills, loss of a key supplier, chemical exposure, theft, fraud, computer failure, human error.
  • Analyse the risks – to prioritise them.
    • What are the consequences if the risk actually occurs? How likely is it to occur?
    • E.g., minor injury, loss of life, schedule delays, change to reputation, financial losses/gains, business growth/closure…
  • Evaluate – can we live with this risk?
    • Is it a minor inconvenience? A major problem? A fantastic opportunity?
    • What’s our risk appetite? Risk averse? Risk seeking? Neutral?
    • How could we change the consequences or change the likelihood?
    • Weigh up the cost/benefit balance for different options.
    • For hazards, see the hierarchy of controls.
  • Control/treat – actually implement what you decided should be done to control the risk!
    • Changes to work practices.
    • Extra monitoring to watch out for triggers.
  • Review – is it working?
    • Can we do better?
    • Has anything changed?
    • Does this risk still apply?

Looking at past incidents will help you become aware of the different kinds of risks and hazards to look for.

Some organisations have developed specific forms for particular hazards they deal with, to make it easier to remember to ask all the relevant questions.

The resources below include many example risk assessment forms that follow the generic process.

More resources on Risk Management:

Austrade looks at Export risks including political, legal, corruption, financing, quarantine risks.

The Queensland Government Business and industry portal has some guidance for businesses on risk management.

Workplace Health and Safety QLD has several Codes of Practice looking at risk management.

For examples of what can go wrong and motivation on making your workplace safer, browse through the court summaries resulting from past safety incidents.

Safe Work Australia has several model Codes of Practice, including one on How to Manage Health and Safety Risks. There are also help sheets on each risk management step written from a community organisation’s point of view, but there’s good information in there for businesses too.

For some examples of hazard-specific risk assessment forms, take a look at the “Hazard-specific risk assessment forms” section of the safety management system at The University of Melbourne.
