Evaluating risks

It is important to determine how serious the risks facing a business are. The business owner must determine the level of risk that a business is willing to accept. Risk evaluation involves comparing the level of risk found in the analysis process with previously established risk criteria. From there, it must be decided whether these risks require treatment. The result of a risk evaluation is a prioritised list of risks that require further action. This step is about deciding whether risks are acceptable or need treatment.

Low or tolerable risks may be accepted. ‘Accepted’ means the business chooses to accept that the risk exists, either because the risk is low and the cost of treating it would be uneconomic, or because there is no reasonable treatment that can be implemented.

A risk may be accepted if:

  • the cost of treatment exceeds the benefit, so that acceptance is the only option (applies particularly to low risks)
  • the level of the risk is so low that specific treatment is not called for
  • the opportunities presented outweigh the threat to such a degree that taking the risk is justified
  • there is no treatment for the risk – for example, the risk that the business may suffer storm damage.

If the risk is medium or high and therefore not acceptable, the risk must be mitigated or treated. Specific actions to treat the risk should be outlined in the risk management plan.
