16.  Risk Assessment

(1) Risk assessment is a systematic process to assign values to risks based on likelihood and probability criteria. The Institution must adopt a credible risk rating matrix and related criteria for this purpose.

(2) The purpose of risk assessment is to help the Institution to prioritise the risks in order of importance so that they can be addressed accordingly.

(3) Risk assessment should be performed through a three-stage process:

a) the inherent risk should be assessed to establish the level of exposure in the absence of deliberate management actions to influence the risk;

b) a residual risk assessment should follow to determine the remaining level of risk after the mitigating effects of management actions to influence the risk are factored in; and

c) the residual risk should be evaluated against the Institution's risk appetite to determine if additional management intervention is needed to reduce the risk further.

(4) Risk assessment should be strengthened by supplementing Management's perceptions with the methods referred to in 14(7).

(5) Assessments should be re-performed for the priority risks when significant environmental and/or organisational events occur, but at least once a year, to determine the changes in the level of risks and whether these demand further management action.

