3. Evaluate the Risks
The purpose of risk evaluation is to decide, based on the outcome of the risk analysis, which risks require treatment and the priority of that treatment. Depending on the risk rating and the adequacy of the controls currently in place, an evaluation is made whether to:
• accept the risk or
• treat the risk by:
i) Avoiding the risk,
ii) Transferring the risk or
iii) Controlling the risk.
Criteria used to make decisions regarding accepting or treating the risk should be consistent with the defined internal, external and risk management contexts and should take account of the service objectives and goals.
Accepting the risk
A risk is called acceptable if it is not going to be treated. Accepting a risk does not imply that the risk is insignificant. Risks in a service may be accepted for a number of reasons:
• The level of the risk is so low that specific treatment is not appropriate within available resources (based on, for example, a cost-benefit analysis).
• The risk is such that no treatment option is available. For example, the risk that a project might be terminated following a change of government is not within the control of the HSE.
• The opportunities presented outweigh the threats to such a degree that the risk is justified.
Steps 1-3 above conclude the Risk Assessment process. It is, however, essential for the management of assessed risks that a treatment (action) plan is put in place against those risks that have been evaluated as requiring treatment.