Strateg-Eyes
The Role of Training in Risk Management
Effective risk management is an integral part of the success of any organisation. This article examines the significant role that training can play in developing and maintaining effective risk management strategies in your organisation.
When it comes to developing and implementing effective risk management strategies, organisations can sometimes overlook the significant impact that investing in quality training can have on that process, particularly when there are competing organisational and financial pressures.
However, courts and tribunals are increasingly examining the extent and effectiveness of training provided by employers in determining liability in employment-related claims, particularly in areas such as equal employment opportunity and work health and safety. As such, overlooking this crucial investment in training cannot continue if risk management processes are to be truly effective.
To appreciate the role of training in risk management, it is important to understand what “risk” and the risk management cycle are, and how training plays a role in every step of that risk management cycle. Each of these issues is discussed further below.
Also discussed below are the matters that need to be considered when an organisation is developing the most appropriate training framework from a risk management perspective.
“Risk” and the risk management cycle
Risk is defined as “the possibility of suffering harm or loss” and risk management is the process of identifying situations which have the potential to cause harm or loss to people or property, and taking steps to prevent, or at least reduce the potential of, the harm or loss occurring.
There are a myriad of risks to people or property in an employment context, which can ultimately lead to negative legal, financial or reputational outcomes for an organisation and, in turn, liability for the organisation and individuals within that organisation.
In a workplace context, systematically and proactively identifying risks and taking steps to address those risks in accordance with what is known as the “risk management cycle” are the best protection that an organisation can afford itself.
The risk management cycle consists of well-defined steps that, when taken in sequence, lead to informed decisions about how best to avoid or minimise the impact of these risks. Broadly speaking, the risk management cycle has five stages:
- identifying risks;
- assessing and analysing those risks;
- planning and implementing a risk management plan;
- monitoring and evaluating the risk management plan; and
- reviewing and adapting the risk management plan based on the monitoring and evaluation.
It is important to note that while the risk management cycle has clearly defined stages, risk management is, and is intended to be, a continuous process. The reality is that an organisation will likely be at a different stage of the risk management process for all actual and potential risks it has identified. The organisation is therefore best placed by acknowledging and embracing continuous risk management as this will ensure risks are identified and addressed at the earliest opportunity and in the most cost-effective manner, and that there is continuous improvement in the management of that risk and in risk management within the organisation more generally.
Turning now to look briefly at each of these stages in a workplace context, and how training performs a significant role in each of those stages:
Identifying risks
The first stage of the risk management cycle is identifying actual or potential risks in the workplace. Catalysts for a process of risk identification typically include introduction of new equipment or processes, changes in legislation or regulation, change in premises, incident response, or as the outcome of regular auditing. Depending on the context, the risk identification process may be undertaken internally or externally, or a combination of both.
However, the organisation also needs to build a culture of identifying and reporting risks irrespective of when and how they become known, and at all levels of the business, with the key message being that risk management is the role of everyone in the organisation, not just management. This message should be accompanied by training in risk identification and protocols for what employees should do if they identify a risk (for example, reporting requirements and/or shutting down machinery).
Assessing and analysing risks
Once a risk has been identified, the next step is to assess and analyse the extent of that risk for the organisation. This includes who the risk affects, how the risk manifests, and why it manifests in the way that it does. It is also important that any assessment of the risk undertaken is done by someone who is adequately trained or qualified to do so, to ensure that the risk is properly characterised and managed. Properly understanding the risk and what it may mean for the organisation will facilitate and streamline the planning and implementation of an appropriate plan to manage that risk.
Planning and implementing a risk management plan
The next stage, the planning and implementation of a risk management plan, can be a delicate balancing act, with organisations required to measure the extent of the risk to the organisation against the cost of addressing that specific risk. Ultimately, some level of risk may in fact be acceptable to the organisation on a cost/benefit analysis. This is a reality accepted in a legal context, with the standard typically applied being that organisations take “all reasonable steps” to eliminate or minimise risk in the workplace – the courts do not expect or demand perfection.
From a training perspective, the risk management plan may include a variety of measures including the implementation or updating of a policy or procedure, and related training. Policies and procedures are one of the most significant risk management tools that an organisation can utilise as part of its training regime, as they set the standards expected by the organisation, standardise the approach taken by the organisation to the management of identified risks, and provide an objective reference point for employees and management.
However, it is important that any training conducted for the purpose of managing workplace risk is also effectively implemented, or there can be serious consequences for the organisation. The most recent example of the impact on an organisation of training being deemed ineffective is the decision of the Full Federal Court in Richardson v Oracle Corporation Australia Pty Ltd.[1]
In that matter, the Federal Court at first instance held that the employer was vicariously liable for the sexual harassment of one of its former employees by another employee, despite, amongst other measures, having a Code of Conduct in place and providing refresher training every two years, because that training did not state that sexual harassment was against the law and did not refer to the relevant legal standard (being, in this case, the relevant legislation). The Court ordered that the employer pay the harassed employee $18,000 in general damages.
On appeal, the Full Federal Court increased the damages payable by the employer to its former employee to $130,000 and, in doing so, appeared to herald a new approach to the calculation of damages in sexual harassment matters.
Monitoring and evaluating the risk management plan
After a risk management plan is implemented, the organisation should then continue to monitor and evaluate the plan to ensure that it is and remains appropriate. Two key decisions need to be made by the business at this stage of the process, namely:
- what approach it intends to take in monitoring and evaluating the plan (for example, structured, ad hoc or continuous monitoring and evaluation (or a combination)); and
- what standards it will apply in evaluating the plan (that is, determining what “success” is in the context of managing a particular risk).
Reviewing and adapting the risk management plan
The final stage in the risk management cycle is reviewing and adapting the risk management plan based on the outcome of the monitoring and evaluation.
These outcomes may require a wholesale review of the risk management plan, or amendments to specific aspects of that plan, to rectify any deficiencies or introduce improvements.
If there are any changes to the risk management plan, the relevant personnel will need to be trained in respect of the amendments to that plan, including, but not limited to, any changes to policies and procedures that apply to their employment.
What does your organisation need to consider in developing its training framework?
There is no “one size fits all” approach to training in a risk management context. The circumstances of your organisation at the relevant time will largely dictate the training framework that is implemented.
However, there are critical matters that every organisation needs to consider in reviewing or developing its training framework in support of its risk management strategy. These include:
- What are the immediate areas of risk for the organisation, including areas in which it is obliged to provide training under relevant legislation or regulations?
- Does the organisation have a heightened vulnerability in one or more risk areas that need to be addressed and, if so, what training is required to address those risk areas?
- What is the organisation’s current training framework (including policies and procedures) and what, if any, of that framework is directed to managing the immediate areas of risk? Are there any gaps?
- Are the organisation’s policies and procedures up to date? Do those policies and procedures need to be reviewed in light of any recent legal or other developments (including organisational or technological developments)?
- What resources does the organisation have available for training? How are those resources going to be most effectively utilised?
- What does the training need to cover in terms of content? Is it necessary to develop and roll out different training for different levels within the organisational structure?
- How is the training to be delivered? Is there internal capability for developing and delivering the training, or would an external provider be preferable?
- When should the training occur (for example, at induction or on promotion) and how often? Is refresher training required, and, if so, how often and in what form?
- What steps are being taken by or on behalf of the organisation to record accurately, and retain records of, the training that is provided?
[1] Richardson v Oracle Corporation Australia Pty Ltd [2014] FCAFC 82 (15 July 2014)