<p><b>4. Treat Risks</b></p><div class="figure-img" data-ke-type="image" data-ke-style="alignCenter" data-ke-mobilestyle="widthOrigin"><img src="https://t1.daumcdn.net/cafeattach/1JO1g/2c1ea77579ec358b3e47a937a10b0057d920891c" class="txc-image" data-img-src="https://t1.daumcdn.net/cafeattach/1JO1g/2c1ea77579ec358b3e47a937a10b0057d920891c" data-orgin-width="969" data-origin-height="52"></div><div class="figure-img" data-ke-type="image" data-ke-style="alignCenter" data-ke-mobilestyle="widthOrigin"><img src="https://t1.daumcdn.net/cafeattach/1JO1g/ee2297db2b3d599e00efcd856fd394cba4050646" class="txc-image" data-img-src="https://t1.daumcdn.net/cafeattach/1JO1g/ee2297db2b3d599e00efcd856fd394cba4050646" data-orgin-width="185" data-origin-height="110"></div><p><b>Risk treatment involves developing a range of options for mitigating the risk, assessing those options, and then preparing and implementing action plans. The highest rated risks should be addressed as a matter of urgency.</b></p><p><b>Selecting the most appropriate risk treatment means balancing the costs of implementing each activity against the benefits derived. In general, the cost of managing the risks needs to be commensurate with the benefits obtained. When making cost versus benefit judgements the wider context should also be taken into account.</b></p><p><b>Depending on the type and nature of the risk, the following options are available:</b></p><ul style="list-style-type: disc;" data-ke-list-type="disc"><li><b>Avoid - deciding not to proceed with the activity that introduced the unacceptable risk, choosing an alternative more acceptable activity that meets business objectives, or choosing an alternative less risky approach or process.</b></li><li><b>Reduce - implementing a strategy that is designed to reduce the likelihood or consequence of the risk to an acceptable level, where elimination is considered to be excessive in terms of time or expense.</b></li><li><b>Share or Transfer - implementing a strategy that shares or transfers the risk to another party or parties, such as outsourcing the management of physical assets, developing contracts with service providers or insuring against the risk. The third-party accepting the risk should be aware of and agree to accept this obligation.</b></li><li><b>Accept - making an informed decision that the risk rating is at an acceptable level or that the cost of the treatment outweighs the benefit. This option may also be relevant in situations where a residual risk remains after other treatment options have been put in place. No further action is taken to treat the risk, however, ongoing monitoring is recommended.</b></li></ul><p><b>A range of treatments may be available for each risk and these options are not necessarily mutually exclusive or appropriate in all circumstances.</b></p><p> </p><p><b>Develop a risk treatment plan</b></p><p><b>Determine the level of treatment plans required for each risk level. For example, for risks rated as ‘high', a treatment plan must be developed. However for risks rated as ‘low' and ‘very low' that have improvement opportunities, development of a treatment plan may be at the discretion of the partner or partners.</b></p><p><b>Effective risk treatment relies on committing to realistic objectives and timelines for implementation.</b></p><p><b>For each risk identified in the risk assessment, detail the following:</b></p><ul style="list-style-type: disc;" data-ke-list-type="disc"><li><p><b>Specify the treatment option selected - avoid, reduce, share/transfer or accept.</b></p></li><li><p><b>Document the treatment plan - outline the approach to be used to treat the risk. Any relationships or interdependencies with other risks should also be highlighted.</b></p></li><li><p><b>Assign an owner - who is accountable for monitoring and reporting on progress of the treatment plan implementation.</b></p></li><li><p><b>Specify a target resolution date - where risk treatments have long lead times, consider the development of interim measures. For example, it is unlikely to be acceptable for a residual risk to be rated ‘high' and to have a risk treatment with a resolution timeframe of two years.</b></p></li></ul><p><b>Determine the level of treatment plans required for each risk level. For example, for risks rated as ‘high', a treatment plan must be developed. However for risks rated as ‘low' and ‘very low' that have improvement opportunities, development of a treatment plan may be at the discretion of the partner or partners.</b></p><p> </p><p><b>Implement and monitor treatment plans</b></p><p><b>When implementing a treatment plan, consider how the initiatives will be supported:</b></p><ul style="list-style-type: disc;" data-ke-list-type="disc"><li><b>Firm structure - Does there need to be any change to structure or delegations to support the risk treatment plan?</b></li><li><b>Financing - If the budget for control improvement is constrained, should there be a process to prioritise controls with the greatest need or cost benefit?</b></li><li><b>Resource availability - Does the firm have sufficient physical, human or financial resources to implement the risk treatment plan?</b></li><li><b>Communication with stakeholders - Does the firm need to commence briefing sessions to inform stakeholders as to what changes are required and why?</b></li></ul><p><b>For each risk identified in the risk assessment, detail the following:</b></p><ul style="list-style-type: disc;" data-ke-list-type="disc"><li><b>Monitoring mechanisms and review points - Specify the mechanisms by which implementation will be monitored. This may include indicators to determine if the risk is increasing or decreasing. Successful implementation will usually be linked to business planning activities and reviewed regularly.</b></li><li><b>Status of the treatment plan - the status of the treatment plan is either ‘open’ for in progress or ‘closed’ when implementation has been completed. If the status is closed and the risk has been eliminated, it may be removed from the current risk register into a closed items register. Where a risk is not eliminated, it should be retained in the current register and if another treatment plan is required this should be agreed or, if no other action is possible, the treatment agreed could be to accept and monitor the risk.</b></li></ul><p><b>Example</b></p><p><b>The key output from the risk treatment stage in the risk management process is the action plan for treating the risks identified. An example of how this can be documented in a risk register is shown:</b></p><div class="figure-img" data-ke-type="image" data-ke-style="alignCenter" data-ke-mobilestyle="widthOrigin"><img src="https://t1.daumcdn.net/cafeattach/1JO1g/04704766d8486fdead1b430e82ef7ff87be14f28" class="txc-image" data-img-src="https://t1.daumcdn.net/cafeattach/1JO1g/04704766d8486fdead1b430e82ef7ff87be14f28" data-orgin-width="30" data-origin-height="30"></div><p><b>RISK IDENTIFICATION RISK TREATMENTEvent ActionPlanRisk OwnerResolve by</b></p><div class="table-wrap"><table data-ke-type="table" data-ke-align="alignLeft" style="width: 100%;" border="1"><tbody><tr><td><b>Failure to meet compliance obligations</b></td><td> </td><td><b>AVOID</b></td><td><b>Implement formal compliance monitoring process:</b><br><br><b>1. Identification of compliance requirements</b><br><b>2. Identification of system or tool to manage compliance requirements</b><br><b>3. Monthly review of compliance requirements to ensure there have been no material compliance breaches.</b></td><td><b>Practitioner</b></td><td><b>30-Sep-12</b></td></tr><tr><td><b>Loss of Practitioner</b></td><td> </td><td><b>REDUCE</b></td><td><b>Implement succession plan:</b><br><br><b>1. Put in place power of attorney arrangements</b><br><b>2. Document key processes</b><br><b>3. Put in place a key client management system to ensure adequate documentation is maintained for key clients</b><br><b>4. Adequately train a secondary level of management and/or identify a potential candidate for partner.</b></td><td><b>Practitioner</b></td><td><b>31-Oct-12</b></td></tr><tr><td><b>Failure to collect receivables in a timely manner</b></td><td> </td><td><b>REDUCE</b></td><td><b>Implement receivables tracking and debtor follow-up process:</b><br><br><b>1. Identify requirements to track receivables, consider such things as payment terms and conditions</b><br><b>2. Develop process to track aged debtors/receivables and supporting requirements including system reports</b><br><b>3. Consider monitoring requirements including frequency.</b></td><td><b>Office Manager</b></td><td><b>15-Sep-12</b><br><br></td></tr></tbody></table></div><p><b>5. Monitor & Review</b></p><div class="figure-img" data-ke-type="image" data-ke-style="alignCenter" data-ke-mobilestyle="widthOrigin"><img src="https://t1.daumcdn.net/cafeattach/1JO1g/2748251f5181907812ac36689d31564ed813344c" class="txc-image" data-img-src="https://t1.daumcdn.net/cafeattach/1JO1g/2748251f5181907812ac36689d31564ed813344c" data-orgin-width="969" data-origin-height="52"></div><div class="figure-img" data-ke-type="image" data-ke-style="alignCenter" data-ke-mobilestyle="widthOrigin"><img src="https://t1.daumcdn.net/cafeattach/1JO1g/1b27b8b00de8d088b088635a2105c2a24b73793b" class="txc-image" data-img-src="https://t1.daumcdn.net/cafeattach/1JO1g/1b27b8b00de8d088b088635a2105c2a24b73793b" data-orgin-width="197" data-origin-height="110"></div><div class="figure-img" data-ke-type="image" data-ke-style="alignCenter" data-ke-mobilestyle="widthOrigin"><img src="https://t1.daumcdn.net/cafeattach/1JO1g/955f93dc3d68fea62418199b6d731c458ad222b6" class="txc-image" data-img-src="https://t1.daumcdn.net/cafeattach/1JO1g/955f93dc3d68fea62418199b6d731c458ad222b6" data-orgin-width="969" data-origin-height="68"></div><p><b>Monitoring and review should be a planned part of the risk management process and involve regular checking or surveillance. The results should be recorded and reported externally and internally, as appropriate. The results should also be an input to the review and continuous improvement of the firm's risk management framework.</b></p><p><b>Responsibilities for monitoring and review should be clearly defined. The firm's monitoring and review processes should encompass all aspects of the risk management process for the purposes of:</b></p><ul style="list-style-type: disc;" data-ke-list-type="disc"><li><b>Ensuring that controls are effective and efficient in both design and operation</b></li><li><b>Obtaining further information to improve risk assessment</b></li><li><b>Analysing and learning lessons from risk events, including near-misses, changes, trends, successes and failures</b></li><li><b>Detecting changes in the external and internal context, including changes to risk criteria and to the risks, which may require revision of risk treatments and priorities</b></li><li><b>Identifying emerging risks.</b></li></ul><p><b>Monitor & Review</b></p><p><b>Regularly review risks identified in the firm’s risk register. Document any actions or events that change the status of a risk, for example:</b></p><ul style="list-style-type: disc;" data-ke-list-type="disc"><li><b>Changes to a risk eval‎uation as a result of improvements in controls</b></li><li><b>A control breach and near miss should be logged at the time of the event</b></li><li><b>A new risk that has been identified.</b></li></ul><p><b>Partners should review the risk register on a regular basis, such as at a monthly partners’ meeting, to determine if any remedial action needs to be taken immediately.</b></p><p> </p><p><b>Continuous Improvement</b></p><p><b>The effectiveness of the risk management framework implemented needs to be periodically reviewed to ensure continuous improvement of risk management in the firm.</b></p><p><b>The purpose of the framework is to embed a risk aware culture within the firm. This can be eval‎uated in light of breaches and near misses, the effectiveness of communication, and assessing what lessons have been learned and remedial actions taken.</b></p><p><b>The framework is only effective if the context remains relevant to the firm, as this sets the scope for risk management. Ensure the practice objectives and the internal and external context for risk management are current and accurate.</b></p><p><b>The assessment criteria used in the risk framework also need to be reviewed to ensure they remain relevant to the size and complexity of the practice.</b></p><p> </p><p><b>Example</b></p><p><b>The key output from the monitor and review stage of the risk management process is ongoing. An example of how this can be documented in a risk register is shown:</b></p><div class="figure-img" data-ke-type="image" data-ke-style="alignCenter" data-ke-mobilestyle="widthOrigin"><img src="https://t1.daumcdn.net/cafeattach/1JO1g/8f37c75efb1a81a7af79f07a40f082e5f0c5c88b" class="txc-image" data-img-src="https://t1.daumcdn.net/cafeattach/1JO1g/8f37c75efb1a81a7af79f07a40f082e5f0c5c88b" data-orgin-width="30" data-origin-height="30"></div><p><b>RISK IDENTIFICATION RISK MONITORING & REVIEWEvent MethodProgress and Compliance ReportingStatus</b></p><div class="table-wrap"><table data-ke-type="table" data-ke-align="alignLeft" style="width: 100%;" border="1"><tbody><tr><td><b>Failure to meet compliance obligations</b></td><td> </td><td><b>Monthly review at Practitioner/Partner meeting</b></td><td><b>1. Compliance review incomplete</b><br><b>2. Research delayed on potential system/tool</b></td><td><b>OPEN</b></td></tr><tr><td><b>Loss of Practitioner</b></td><td> </td><td><b>Quarterly review of succession plan</b></td><td><b>1. Power of attorney in place</b><br><b>2. Documentation of key processes in progress</b></td><td><b>OPEN</b></td></tr><tr><td><b>Failure to collect receivables in a timely manner</b></td><td> </td><td><b>Report fortnightly on receivables</b></td><td><b>1. Receivables tracking under review</b></td><td><b>OPEN</b></td></tr></tbody></table></div>
<!-- -->
