Evaluating risks in your organisation

    THE TAKEAWAY: In evaluating the risks you have identified, you need to make a subjective evaluation of what - for your group - constitutes an acceptable risk.

This is the fifth step in a seven-stage process of successfully tackling risk management in your organisation (go to the Insurance and Risk Management Help Centre for information about the other steps).

By now you should have undertaken a detailed identification of risks that your organisation faces (remember this could be a very small list if your organisation is small and passive), and analysed these risks (or hazards) to determine frequency and severity. Now it's time to evaluate your risks.

By working together your organisation can review the results of your analysis and objectively assess each of the risks in turn. This is probably a job for your risk management committee but it is important to keep everyone involved in the process.

The evaluation of risk will enable priorities to be established that equate to an appropriate level of risk. This will allow you to decide what is an appropriate action for treating each risk.

A major decision you will have to make before looking at how to treat risks is whether a risk is acceptable or unacceptable. This decision will depend on the aims and activities of your organisation and should be made according to set criteria that you are confident to stand by.

These criteria should be documented so that they can be reviewed and monitored over time and to ensure that there is a record for future committees to follow and understand.


Criteria for acceptable and unacceptable risks can be listed under 'frequency' and 'severity/consequences'.

For example, in terms of severity, your organisation may deem the following consequences unacceptable:

  1. Injuries resulting in hospitalisation
  2. Financial losses of more than $500 for one incident
  3. Any bad publicity
  4. Any legal action against the organisation
  5. A broken window from a fallen tree limb.

In terms of frequency, these may be unacceptable:

  1. Frequent minor injuries
  2. Events that frequently interrupt your group's activities
  3. Frequent small financial losses.

Although these criteria will reduce some of the indecision, ultimately the decision on whether a risk is acceptable or unacceptable rests with those responsible for the evaluation. The process is inherently subjective, which is why we suggest that you may want to involve more than one person in this step. The answers will depend on the knowledge and experience of the people involved.

When weighing up whether a risk is acceptable or not, consider how you defined your organisation - what were your aims and activities when you established a context for risk management? For example, many people would consider frequent minor injuries in a contact sport as "part of the game" but if this is occurring through poor coaching or training techniques then this should be attended to.

Many groups - most sporting clubs, rock-climbing groups, cycling clubs, protest groups, history buffs who organise full-scale re-enactments of American Civil War battles - will be based around activities that involve some inherent level of risk. Only you can decide what is an acceptable level of risk for your group. Remember, though, that a judge may have an entirely different perspective. Don't just discount something because it has never happened.

If you decide a risk is unacceptable, you will have to decide how to treat it. If the risk is minor, or the cost of avoiding it is beyond your capacity to pay, you may need to consider accepting the risk if it is core to your group's existence.

But remember, a decision to accept a risk must be an informed and reasoned one, because if something does go wrong and somebody gets hurt, you may well be asked why the risk was deemed acceptable.

If you choose to accept a risk, don't just forget about it. Be mindful of the consequences and don't just ignore them in the hope it will never happen. Monitor the risk and reassess it regularly - you may decide in the future that a risk you once thought was acceptable can no longer be accepted.


Remember that this is an ongoing process and decisions you make should be documented.

Keep a record not just of what decisions were made, but why they were made. These reasons should be included in minutes for your meetings. This ensures that future committees can understand what happened and what you were thinking at the time the decision was taken. They can also be used in defence of a claim taken out against your organisation.

Examples of records used to defend claims are:

  • Meeting minutes - any decision made at a meeting should be minuted to provide a record of what was decided and why. Significant decisions should be supported in some way by a record of the process used to arrive at the decision made. This may include decisions made at meetings through a consultative process. These should also be minuted.
  • File notes - conversations in person or on the phone where an action is agreed, advice is sought and/or provided, or information is provided, should be recorded. This can be done in a hard copy or electronic register. It provides traceability should a complaint be made or an incident occur.
  • Incident records - notes taken or forms completed when a person reports an incident or injury are essential. Organisations need to be consistent in the type of information they gather when recording an incident, and in investigating the surrounding circumstances. It is a good idea to have a specific form for this kind of record.
  • Training records - attendance by staff or volunteers at any training should be recorded. These records may be requested by a court at some stage to make an assessment of the competency of the people concerned.

Keeping records such as these helps prove that decisions you have made have been reached systematically and that the rationale for a decision is sound.

Evaluating risks in your organisation is the fifth step in a seven-stage process of successfully tackling risk management in your organisation. The sixth step is treating risk.