5. Risk management
'Risk management' is a term used to describe a formal and structured process of identifying and managing risk. Generally speaking, it involves assessing, and then actively managing, an organisation's potential exposure to loss, damage or litigation.
Buying insurance is one part, but not the only part, of a risk management programme. By paying the premium, the insured transfers some of its risk to a third party insurer. In many cases, effective practical strategies for reducing risk, such as safety protocols and security devices, can work together with insurance to reduce risk exposure. Indeed, some risk management strategies may result in reduced insurance costs by reducing the likelihood of claims.
The Government of Western Australia has published a booklet called Can you risk it? which encourages active risk management for the following reasons (among others):
- to help with strategic planning;
- to reduce unexpected and costly surprises;
- to more effectively and efficiently allocate resources;
- to achieve better results from projects and programmes;
- to assist in clearly defining insurance needs;
- to obtain better information for decision-making;
- to comply with regulatory requirements;
- to assist in preparation for auditing;
- to lessen risk, which will encourage more people to participate in your activity;
- to balance opportunity and risk; and
- to assist in obtaining insurance cover.
Can you risk it? is an introduction to risk management for community organisations. It provides a step-by-step guide on how to assess risks and will be useful for all types of incorporated associations. The publication may be obtained from the:
5.1 Basic risk management steps
There are a number of basic steps involved in the process of managing an incorporated association's risks. It is essentially a process of identifying each risk, evaluating each risk, deciding what actions need to be taken to address or reduce each risk and constantly monitoring and reviewing the process.
- Identify each risk. This requires a thorough analysis of the association's operations, activities and business. The aim is to identify what goes on in the association, what risks it is exposed to, what kinds of events occur that may present risks, and so on.
- Assess risks and consequences. Assessment requires balancing the likelihood of a risk occurring against the potential consequences. The association needs to decide which risks it will act upon and which risks it will ignore. For example, an association may choose to avoid a risk by not continuing with a particular activity, or determine that the risk is so unlikely to occur that it does not require any action.
- Treat risks. The association then needs to decide how it will deal with and manage each relevant risk. This involves considering any existing risk control measures (eg insurance, security alarm), deciding whether the existing measures are adequate, considering any additional measures that may be required and so on. This is also an exercise in balancing cost with consequences.
- Monitor and review the process on a regular basis. It is important to regularly review if there has been any change in the association's risk position and, if necessary, repeat and review the process set out above.
The Insurance Commission of Western Australia has produced a useful spreadsheet called 'Community RiskBase' that can be used to capture an organisation's risks and control measures. The spreadsheet is available on the Commission's website.
In addition, "ourcommunity.com.au" provides an online gateway for organisations and includes various examples of risk management checklists. Those checklists and other resources may be accessed at ourcommunity.com.au - Community Insurance Centre.
5.2 Potential areas of risk
It is almost impossible to produce an exhaustive list of all potential risks that may apply to an incorporated association, as there are so many variables. However, common examples of categories of risk include:
- individual and public health and safety;
- security considerations (eg premises, records, computers);
- financial and administrative risks;
- reporting and legal requirements;
- professional liability;
- general liability;
- potential for error or accident;
- potential for damage; and
- potential for litigation.