The systematic approach to risk assessment requires that a specific process is followed. The process involves a number of steps:

• Establish the Context;
• Risk Identification;
• Risk Assessment;
• Risk Treatment and Control;
• Monitoring and Review.

A basic flowchart is available here. 

It is vital that the people that you involve in the risk assessment process are familiar with the organisation. It is also important to make sure that you consult as widely as you can (within reason) with your stakeholders (e.g. should at least include participants, officials, administrators and staff) and ensure that they receive regular updates and have opportunity for further input throughout the process.

As we noted earlier, wherever possible involve people who have some experience in risk assessment or risk management if at all possible.

It is also important to remember that risk assessment is required under various state and federal legislation that may apply to your organisation or activities. To find out more about various standards, you should consider consulting:

• Workplace Health and Safety Act and Regulations for your State;
• Australian Standard - AS/NZS 4801:2001 - Occupational health and safety management systems;
• Australian Standard - AS/NZS 4360:2004 - Risk Management and associated handbook HB 246-2004 Guidelines for Managing Risk in Sport and Recreation;
• Queensland Government Risk Management Code of Practice 2007.

There are also of course published technical standards in relation to specific equipment and it is important to be aware of any that may be relevant to your organisation and its equipment. This will allow you to formulate applicable risk strategies.

Establish the Context

It has already been pointed out how important the responsibility for risk assessment/risk management in the organisation is. This applies to both the people involved and the resources at their disposal. The right people and the right tools will ensure less and better managed risk!

The identification of the risks that may apply is a very major part of your risk assessment process. Identification of all the possible risks is the aim, although with the time constraints on most volunteers, there may be benefit in starting with the more significant and obvious risks and building on those progressively. If this is the case, it is important to document this and to continue the process rather than failing to carry on after the initial fervour. You need to make sure you use every research means at your disposal to identify the risks.

There are a number of strategies you can use:

• Consultation - You need to get as many people together to brainstorm about the risks applicable to your ‘environment' as possible. Paid staff, volunteers, board members, participants, your insurance broker, individuals with ‘risk assessment' experience, may all provide relevant input.
• Examine the organisations risk history - What is the organisations risk history? Have there been problems in the past? If so, how were they dealt with? If looking at event risk, have there been events previously? Have there been debriefs on previous events and recommendations for the future?
• Examine the organisations systems and processes - What systems are in place; not just ones that might specifically deal with risk, but look at whether a business plan, strategic plan and/or volunteer management plan are in place for example. Are there documented policies and procedures to follow?
• Reports/reviews/documents - Look at what is available on the internet, from other like organisations, from government agencies, in relation to risk analysis/management in similar situations to your own. E.g. an audit report from a sporting association that has become insolvent; a report on an event where there was a major accident.

You need to identify the risks. When doing so, recognise that there will be generally be a source or cause of the risk that puts ‘something' at risk, and from which there is an impact on the organisation. Again, you need to be systematic about the process and work through each situation to identify what might happen at each stage. At this point you are just trying to make as complete a list of the things that could go wrong across the organisation. For example:

This is a very simple example and the risks (depending on the product) are likely to be ‘minor'. However, in order to address these risks as with any others, you also need to ask yourself how and why the risks can occur. So, paying too high a price may have occurred for example because of a) insufficient research, b) buying from a ‘friend' or c) product shortage at the time.

A risk identification form may assist you in identifying and classifying risks. 

Having identified the risks that you may face, the next step is to actually assess them. As part of your research you should have identified a wide and varied number of risks. Some of them may be insignificant, whilst others could potentially result in having to close down your organisation, or even worse, injury or death.

In order to assess the risks you need to implement a process that allows you to evaluate and rate the risks. It is important for you to know whether to categorise the risks as at a low, intermediate or high level, and also to similarly assess both their consequences and likelihood. This risk reference guide may assist you.

Firstly, identify a scale to use to quantify the possibility of the risk occurring and the consequences if it did. We suggest that you allocate a number to each level of likelihood and consequence. For example:

A Risk Reference Guide has been provided which gives qualitative measurements for Likelihood and Consequences.

Secondly, for each risk draw up a risk assessment table using the above scale. Using the number you have allocated to each level of likelihood and consequence multiplied together, you can then come up with an overall rating for the risk you're looking at. For example:

Again, this is one option. You may prefer to use descriptors rather than numbers. For example, a risk that is Highly Unlikely and Insignificant may be rated as Very Low and one that is Highly Likely and Catastrophic may be rated as Extreme.

Thirdly, allocate a management descriptor for the ratings you have identified. You can do this whether you use numbers or descriptors. Remember that your risk rating is based on the two issues of likelihood and consequence. In your risk ratings you need to judge how to deal with risks that are highly likely although insignificant, as well as risks that are highly unlikely but catastrophic. For example, you need to make a decision on the relative risks of a highly likely but insignificant event compared with a highly unlikely but catastrophic event. Therefore the following overall rating might be applicable:

Ideally you should also provide examples of an acceptable, monitorable, risk etc, so that there is an ongoing consistency in ratings as those responsible for their management change over time.

You will need to look at some of the ratings that might be on the border. For example, something that has a rating of 5 which is identified as a requiring monitoring you may decide actually needs control. Make sure that you are happy with the assessment and the suggested controls as this is just a tool and common sense may require some fine tuning.

The sports organisation risk assessment for a Sporting organisation provided is a guide to the sorts of things you should consider and how to assess them.

Having developed a list of all the possible risks to your organisation and determined whether or not anything needs to be done from your risk assessment tables, you now have a number of choices in relation to the risks that you have identified:

• Acknowledge the risk, but consider that there is no action necessary - It's very minor and has minimal impact;
• Reduce the likelihood of the risk occurring - You may be unable to prevent it completely, but you can reduce the possible frequency (e.g. Ensure that the playing field is properly maintained to reduce the risk of injury from a poor playing surface);
• Reduce the consequences of the risk occurring - You may be able to reduce the consequences of the risk - for example, you cannot prevent the possibility of someone hurting themselves, but you can make sure medical assistance is on hand if required;
• Remove the risk completely - No longer provide the service/activity associated with the risk e.g. No longer allow teams to train at a particular venue which is poorly maintained;
• Transfer the risk - You can do this by taking out insurance so that the risk is in effect someone else's responsibility;
• Turn the risk to your advantage - Turning the risk of having other agencies deliver your coaching courses around by charging a registration certificate issuing fee to each graduate.

As part of the risk treatment and control process you also need to be asking yourself a couple of key questions.

1. Have I developed the best treatment strategy - Make sure you consult again to ensure that you have identified the best possible treatment.
2. What if anything are you doing now to control the risk - If you already have a strategy in place do you need to change it? For example you may already have medical assistance on hand to reduce the severity of injuries, but maybe the person you are using is a volunteer without up to date skills and they have not been as effective as they should be in dealing with injuries.
3. How are other people dealing with the same/similar risk? - You are unlikely to be the only one dealing with this type of risk. Can you learn from someone else's strategy?
4. If you change the strategy/implement a new strategy, what resources do you need? - Do you need an ambulance on hand for possible injuries rather than someone with First Aid training?
5. What is the cost/benefit analysis result? It is unnecessary to decide to have an ambulance on site for each event you run if your event has a zero or extremely minimal chance of an injury requiring that level of medical aid. 

As important as identifying, assessing and addressing the risks is, it is not the end of the story. The ongoing management of the risks that you have identified and the regular re-assessment of them and potential new ones is what completes the process. If you do not continue to assess existing risks and scan for new ones you leave yourself open as much as if you never undertook the process in the first place.

You need to collate the results of the risk assessment process that you have followed and the results and treatments implemented. This information is the core of your Risk Management Plan. The plan itself should also include:

• Specific policy statements - For example, the organisation's policy in relation to supervising children is that no less than two adults will be responsible for supervision and both must have a current working with children card.
• Costing's and risk assessments for the new and existing strategies that you are implementing;
• Identification of who is responsible for implementing the various strategies;
• Templates for reporting/identifying/assessing risks;
• Identification of review timetable for the Risk Management plan - Even though the process is ongoing it is possible for things to be missed, particularly if nothing goes wrong. The plan should be reviewed at least annually;
• Preparation of action plans where further action is required.