If your business is to demonstrate risk management,
As specified by the law and international standards,
You must demonstrate risk treatment.
Risk treatment involves selecting one or more options for modifying risks, and implementing those options.
Once implemented, treatments provide or modify the controls.
Risk treatment involves a cyclical process of:
assessing a risk treatment;
deciding whether residual risk levels are tolerable;
if not tolerable, generating a new risk treatment;
and assessing the effectiveness of that treatment.
Risk treatment options are not necessarily mutually exclusive or appropriate in all circumstances.
The options can include the following:
avoiding the risk by deciding not to start or continue with the activity that gives rise to the risk;
taking or increasing the risk in order to pursue an opportunity;
removing the risk source; changing the likelihood;
changing the consequences; sharing the risk with another party or parties (including contracts and risk financing);
and retaining the risk by informed decision.
Risk Treatment includes the selection of risk treatment options.
Selecting the most appropriate risk treatment option involves balancing the costs and efforts of implementation against the benefits derived, with regard to legal, regulatory, and other requirements such as social responsibility and the protection of the natural environment.
Decisions should also take into account risks which can warrant risk treatment that is not justifiable on economic grounds, e.g. severe (high negative consequence) but rare (low likelihood) risks.
A number of treatment options can be considered and applied either individually or in combination.
The organization can normally benefit from the adoption of a combination of treatment options.
When selecting risk treatment options, the organization should consider the values and perceptions of stakeholders and the most appropriate ways to communicate with them.
Where risk treatment options can impact on risk elsewhere in the organization or with stakeholders, these should be involved in the decision.
Though equally effective, some risk treatments can be more acceptable to some stakeholders than to others.
The treatment plan should clearly identify the priority order in which individual risk treatments should be implemented.
Risk treatment itself can introduce risks.
A significant risk can be the failure or ineffectiveness of the risk treatment measures.
Monitoring needs to be an integral part of the risk treatment plan to give assurance that the measures remain effective.
Risk treatment can also introduce secondary risks that need to be assessed, treated, monitored and reviewed.
These secondary risks should be incorporated into the same treatment plan as the original risk and not treated as a new risk.
The link between the two risks should be identified and maintained.
Next, the organisation must prepare for the implementation of risk treatment plans
The purpose of risk treatment plans is to document how the chosen treatment options will be implemented.
The information provided in treatment plans should include:
the reasons for selection of treatment options, including expected benefits to be gained;
those who are accountable for approving the plan and those responsible for implementing the plan;
resource requirements including contingencies;
performance measures and constraints;
reporting and monitoring requirements; and timing and schedule.
Treatment plans should be integrated with the management processes of the organization and discussed with appropriate stakeholders.
Decision makers and other stakeholders should be aware of the nature and extent of the residual risk after risk treatment.
The residual risk should be documented and subjected to monitoring, review and, where appropriate, further treatment.
To test this within your business, select 1 traveller and 1 trip.
Now demonstrate all the above, as it applies to that specific traveller and that specific journey.
Now apply it to 10 travellers and 10 business trips.
Is the risk treatment, clear, documented, unique and specific to each traveller and trip?
If not, you don’t have adequate evidence to demonstrate travel risk management, in addition to having an inadequate system of risk treatment.
To learn more about business travel risk management and your obligations,
Next, in this series on travel risk management, we examine monitoring and review, step 7 of 7 required for travel risk management.
Safe work systems and enterprise risk management, inclusive of business mobility and travel.