What is the Orange Book?

A deconstruction of the UK Governments guide about the concepts of Risk Management – Commonly known as the Orange Book

The full version is available here

Initially identify risks, then review them frequently

Risks are assigned to owners who manage them

Risks are identified to the point where specific actions can be identified to treat the risk

A Risk assessment is more Art than Science

Process to identify likelihood and impact for specific risks

Risks must be considered both as the likelihood and the impact

Tolerance levels

Inherent risk

Risk profile

Highest priority risks should be regularly monitored

Risk Appetite

Cost, not just financial costs Vs risk reduction

Contingency plan for unavoidable risks

Addressing Risks – See this page for a Risk Assessment Flow Chart

Tolerate – Live with it

Treat – Do something to reduce it

Transfer – Pass the Risk onto someone else

Terminate – Stop doing it

Preventative Controls – Majority of actions, aimed to limit the possibility of Risk realization

Corrective Controls – What to do if Risk is realized

Directive Controls – Rules put in place to stop Risk from being realized. Hot oven? Wear oven gloves.

Detective Controls – “After the event” actions. Proportional to the Risk

Reviewing Risks

Monitor to see if Risk level has changed

Check that Risk strategy is still effective

Does the Risk still exist?

Communication is the key to identifying Risk changes or new Risks

No Man is an Island

External Risks – Can’t reduce them, Contingency plan required

Laws and regulations have an effect

Economy both local and international has an effect

Terms