Certificate in Enterprise Risk Management
Risk Assessment Techniques
A comprehensive 10-module program based on ISO 31000:2018 — from foundational risk concepts through qualitative and quantitative analysis to building a risk-aware culture. Full lesson content for study and reference.
Overview
This Certificate in Enterprise Risk Management provides a comprehensive, practitioner-focused education in risk assessment techniques based on ISO 31000:2018 — the international standard for risk management. The program covers the full risk management lifecycle: from establishing context and identifying risks through qualitative and quantitative analysis, risk evaluation, treatment planning, and building a risk-aware organisational culture.
ISO 31000 defines risk as the effect of uncertainty on objectives — effects can be positive (opportunities) or negative (threats). The standard provides principles, a framework, and a process that organisations can adopt and adapt across any industry or sector. This course delivers the knowledge needed to apply these concepts in practice.
📚 Course Modules
Foundations of ERM
The nature of risk, ISO 31000 framework overview, three pillars (principles, framework, process), eight principles, types of risk (strategic, operational, financial, compliance, reputational, project, ESG, emerging), and the risk management lifecycle.
The ISO 31000 Process
Communication and consultation, scope/context/criteria, risk assessment overview, risk treatment, monitoring and review, recording and reporting. Establishing external and internal context, defining risk criteria and appetite.
Risk Identification Techniques
Brainstorming, structured interviews, SWOT and PESTLE analysis, bow-tie analysis, checklists and prompt lists, process mapping, cause-and-effect (Ishikawa) diagrams, and Failure Mode and Effects Analysis (FMEA).
Qualitative Risk Analysis
Likelihood and consequence scales (5-point), risk rating matrices (5×5), heat maps, inherent vs residual risk assessment, control effectiveness evaluation, and worked examples with real-world construction scenarios.
Semi-Quantitative & Quantitative
Weighted scoring systems, Risk Priority Numbers (RPN), expected value calculations, probability distributions (normal, triangular, lognormal, PERT), Monte Carlo simulation, and Value at Risk (VaR).
Risk Evaluation
Setting risk criteria and appetite (appetite, tolerance, threshold, capacity), comparing risk levels against criteria, the ALARP principle (As Low As Reasonably Practicable), prioritisation factors, and communicating evaluation results.
Risk Treatment
The five treatment options (avoid, reduce, share/transfer, accept, exploit), developing treatment plans, cost-benefit analysis of controls, residual risk assessment, and treatment effectiveness monitoring.
Sector Applications
Enterprise/organisational risk (ERM frameworks: ISO 31000, COSO, AS/NZS 4360), project risk management (RAID logs, schedule risk), supply chain and third-party risk, IT/cybersecurity risk (ISO 27001, NIST CSF), and HSE risk (safety cases, environmental).
Risk Registers & Reporting
Designing risk registers (19 fields), Key Risk Indicators (KRIs) with RAG thresholds, escalation pathways, risk reporting hierarchy (frontline to board), board-level reporting, and GRC integration.
Building a Risk-Aware Culture
Leadership and accountability, risk ownership, embedding risk in decision-making (7 decision types), training and communication strategies, continuous improvement, learning from incidents, and ISO 31000 audit considerations.
📘 The ISO 31000:2018 Framework
ISO 31000 is the international standard for risk management — principles-based, non-prescriptive, and applicable to any organisation, industry, or sector.
The Eight Principles
Integrated: embedded in all organisational activities
Structured and comprehensive: consistent, comparable, reliable results
Customised: tailored to context and objectives
Inclusive: involving stakeholders at all levels
Dynamic: responsive to changing context
Best available information: data, judgement, and observation
Human and cultural factors: behaviour shapes risk management
Continual improvement: learning and improving over time
The Risk Management Lifecycle
🔧 Risk Assessment Techniques Covered
📊 Risk Rating Matrix
5×5 likelihood-by-consequence grid producing risk scores from 1–25. Four risk bands (Low 1–4, Medium 5–9, High 10–14, Extreme 15–25). Includes matrix design variations and documented limitations.
🎯 Monte Carlo Simulation
Thousands of iterations sampling from probability distributions. Applied to project schedule and cost risk, financial modelling, insurance, and supply chain quantification. Produces full outcome distributions.
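The schedule-risk use of Monte Carlo described above, as an added example that is not part of the course material: each activity's duration is sampled from a triangular distribution built from a three-point estimate, thousands of iterations are summed, and the result is a distribution of project durations rather than a single date. The activity names and estimates are constructed sample values.

```python
"""Monte Carlo simulation of project schedule risk (added example).

Assumes the technique as described on the page: sample each activity's
duration from a probability distribution (triangular here), repeat for
thousands of iterations, and read percentiles off the outcome distribution.
All activity data below are constructed sample values in days.
"""
import random
import statistics

# Constructed three-point estimates: (minimum, most likely, maximum) in days.
ACTIVITIES = {
    "site preparation": (8, 10, 15),
    "foundations": (15, 20, 35),
    "steel erection": (12, 14, 25),
    "fit-out": (20, 25, 40),
}


def deterministic_total(activities):
    """Sum of most-likely durations: the single-point figure a plan would quote."""
    return sum(mode for _, mode, _ in activities.values())


def simulate(activities, iterations=10_000, seed=42):
    """Return one total project duration per iteration (seeded for repeatability)."""
    rng = random.Random(seed)
    totals = []
    for _ in range(iterations):
        total = 0.0
        for low, mode, high in activities.values():
            # random.triangular takes (low, high, mode) in that order.
            total += rng.triangular(low, high, mode)
        totals.append(total)
    return totals


def percentile(samples, p):
    """p-th percentile (0..100) by nearest rank on the sorted sample."""
    ordered = sorted(samples)
    k = round(p / 100 * len(ordered)) - 1
    return ordered[max(0, min(len(ordered) - 1, k))]


def summarise(totals):
    """Headline statistics a schedule risk report would present."""
    return {
        "mean": statistics.fmean(totals),
        "p50": percentile(totals, 50),
        "p80": percentile(totals, 80),
        "p90": percentile(totals, 90),
        "min": min(totals),
        "max": max(totals),
    }


def probability_within(totals, target_days):
    """Fraction of iterations that finish on or before the target."""
    return sum(1 for t in totals if t <= target_days) / len(totals)


if __name__ == "__main__":
    totals = simulate(ACTIVITIES)
    baseline = deterministic_total(ACTIVITIES)
    print(f"Most-likely-sum estimate: {baseline} days")
    for label, value in summarise(totals).items():
        print(f"{label:>5}: {value:7.1f} days")
    print(f"P(finish within {baseline} days) = {probability_within(totals, baseline):.1%}")
```

The point the simulation makes is that the sum of most-likely durations is not the most likely total: with right-skewed estimates the mean of the simulated totals sits well above it, and the probability of meeting the single-point date is low. Percentiles such as P80 give a defensible contingency figure that the deterministic plan cannot.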
🔀 Bow-Tie Analysis
Visual technique mapping causes (threat tree) and consequences around a central risk event. Preventive barriers on the left, mitigative barriers on the right. Highly intuitive for non-technical stakeholders.
⚙️ FMEA
Failure Mode and Effects Analysis — systematic bottom-up technique. Rates Severity × Occurrence × Detectability (1–10 each) producing Risk Priority Numbers (RPN) from 1–1,000 for failure prioritisation.
🐟 Ishikawa / Fishbone
Cause-and-effect diagrams identifying root causes using the 6M categories: Methods, Machines, Materials, Measurement, Man, and Mother Nature. Structured approach to root cause analysis.
🌐 SWOT & PESTLE
SWOT for strategic-level risk identification (weaknesses and threats). PESTLE (Political, Economic, Social, Technological, Legal, Environmental) for systematic external environment scanning.
🛡️ The Five Risk Treatment Options
1. Avoid the Risk
Decide not to start or continue the activity. Used when risk exceeds capacity to manage or benefits don't justify the exposure.
2. Reduce / Modify
Take action to reduce likelihood, consequence, or both. The most common treatment option. Requires cost-benefit justification.
3. Share / Transfer
Transfer financial consequences to a third party — insurance, subcontracting, hedging. The risk event itself is not transferred, only the impact.
4. Accept / Retain
Consciously retain the risk. Can be active (with contingency plan) or passive. Must be a documented decision, not a failure to act.
5. Exploit (Opportunity)
For positive risks, actively pursue and enhance the upside. Invest more heavily to capture competitive opportunity, accepting associated downside exposure.
📝 Assessment Structure
Assessment 1
Risk Assessment Practical Exercise (40%)
Establish context, conduct structured risk identification (2+ techniques), complete qualitative analysis, evaluate and prioritise, develop treatment plan for top 3 risks. Deliverable: completed risk register + 500-word methodology narrative.
Assessment 2
Case Study Analysis (35%)
Analyse a published case study of a significant risk event. Identify risks, evaluate treatment options, assess management failures, recommend improvements. Deliverable: 1,500–2,000 word written analysis with ISO 31000 references.
Assessment 3
Theory Examination (25%)
90-minute closed-book exam. Section A: 20 multiple-choice (20 marks). Section B: 4 short-answer questions, 150–200 words each (40 marks). Section C: 1 extended scenario response (40 marks).
Course Specifications
Standards
- ✓ ISO 31000:2018
- ✓ COSO ERM 2017
- ✓ ISO 27001 (Cyber)
- ✓ NIST CSF
Techniques
- ✓ Risk Rating Matrix (5×5)
- ✓ Monte Carlo Simulation
- ✓ Bow-Tie Analysis
- ✓ FMEA / RPN Scoring
Sectors
- ✓ Enterprise / Corporate
- ✓ Projects & Construction
- ✓ Supply Chain & Third-Party
- ✓ IT / Cybersecurity / HSE
Assessment
- ✓ Practical Exercise (40%)
- ✓ Case Study Analysis (35%)
- ✓ Theory Examination (25%)
- ✓ 10 Modules · Full Content
Build Your Risk Management Capability
Equip your team with internationally recognised risk assessment skills based on ISO 31000:2018. Contact Enterprise Systems Australia to discuss delivery for your organisation.
Certificate in Enterprise Risk Management — Based on ISO 31000:2018 Risk Management Guidelines
© 2026 Enterprise Systems Australia