david hornby

Generally, risk management is the process of measuring or assessing risk and then developing strategies to manage the risk. In general, the strategies employed include transferring the risk to another party, avoiding the risk, reducing the negative effect of the risk, and accepting some or all of the consequences of a particular risk.

Traditional risk management focuses on risks stemming from physical or legal causes (eg fires, accidents and lawsuits). In ideal risk management, a prioritization process is followed whereby the risks with the greatest loss and the greatest probability of occurring are handled first, and risks with lower probability of occurrence and lower loss are handled later. In practice the process can be very difficult, and balancing between risks with a high probability of occurrence but lower loss vs a risk with high loss but lower probability of occurrence can often be mishandled.

Risk management also faces a difficulty in allocating resources properly. This is the idea of opportunity cost. Resources spent on risk management could be instead spent on more profitable activities. Again, ideal risk management spends the least amount of resources in the process while reducing the negative effects of risks as much as possible.


A definitive generic description of risk management that originated in Australia and New Zealand, now being taken up in many other countries, is set out in the Australian & New Zealand Standard 4360:2004. The core of the process is a series of five steps:

In parallel with the core process, communication & consultation is required to ensure adequate information is provided and conclusions are disseminated. Monitoring and review is an intrinsic part of the process required to ensure that the process is executed in a timely fashion and the identification, analysis, evaluation and treatment are kept up to date.
The standard can be found at www.standards.com.au and simple guidance on its application can be found at


Establishing the context includes planning the remainder of the process and mapping out the scope of the exercise, the identity and objectives of stakeholders, the basis upon which risks will be evaluated and defining a framework for the process, and agenda for identification and analysis.


After establishing the context, the next step in the process of managing risk is to identify potential risks. Risks are about events that, when triggered, will cause problems. Hence, risk identification can start with the source of problems, or with the problem itself.

When either source or problem is known, the events that a source may trigger or the events that can lead to a problem can be investigated.


Partners withdrawing during a building project may endanger funding of the project.

Project ideas may be stolen by employees and used to set up a competing development.

The chosen method of identifying risks may depend on culture, industry practice and compliance. The identification methods are formed by templates or the development of templates for identifying source, problem or event. Common risk identification methods are:


Once risks have been identified, they must then be assessed as to their potential severity of loss and to the probability of occurrence. These quantities can be either simple to measure, in the case of the value of a lost building, or impossible to know for sure in the case of the probability of an unlikely event occurring eg a shopper suing a shopping centre for an accident caused by a slippery floor. Therefore, in the assessment process it is critical to make the best educated guesses possible in order to properly prioritize the implementation of the risk management plan.

The fundamental difficulty in risk assessment is determining the rate of occurrence since statistical information is not available on all kinds of past incidents. Furthermore, evaluating the severity of the consequences (impact) is often quite difficult for immaterial assets.
Asset valuation is another question that needs to be addressed. Thus, best educated opinions and available statistics are the primary sources of information. Nevertheless, risk assessment should produce such information for the management of the organisation that the primary risks are easy to understand and that the risk management decisions may be prioritized. Thus, there have been several theories and attempts to quantify risks. Numerous different risk formulae exist, but perhaps the most widely accepted formula for risk quantification is:
Rate of occurrence multiplied by the impact of the event equals risk
Later research has shown that the financial benefits of risk management are not so much dependent on the formulae used. The most significant factor in risk management seems to be:

In business it is imperative to be able to present the findings of risk assessments in financial terms.


Once risks have been identified and assessed, all techniques to manage the risk fall into one or more of these four major categories:

Ideal use of these strategies may not be possible. Some of them may involve trade offs that are not acceptable to the organization or person making the risk management decisions.


Includes not performing an activity that could carry risk. An example would be not buying a property so as not to take on the liability that comes with it.


Upon investigation of the minutes of a strata title body corporate administering the plan of an investment unit, it is discovered that they have not insured the building as required under the act. Therefore, to avoid the possibility of losing the value of the investment asset through the body corporate being unable to rebuild after, say, a fire, and to avoid any fines or legal consequences of not abiding by the act, the investor has decided not to buy the unit.

Avoidance may seem the answer to all risks, but avoiding risks also means losing out on the potential gain that accepting (retaining) the risk may have allowed.


Old buildings in the inner suburbs of Sydney inevitably have had some “illegal” structures added over the years (such as a laundry attached to the rear of the house). The investor may wish to avoid the risk of buying a building with an illegal addition but in doing so will miss out on a number of profitable opportunities in the inner suburbs of Sydney.

Not entering an investment to avoid the risk of loss also avoids the possibility of earning the profits.


Risk reduction involves methods that reduce the severity of the loss. Examples include sprinklers designed to put out a fire to reduce the risk of loss by fire. This method may cause a greater loss by water damage and therefore may not be suitable. Halon fire suppression systems may mitigate that risk, but the cost may be prohibitive as a strategy.


Involves accepting the loss when it occurs. True self insurance falls in this category. Risk retention is a viable strategy for small risks where the cost of insuring against the risk would be greater over time than the total losses sustained. All risks that are not avoided or transferred are retained by default. This includes risks that are so large or catastrophic that they either cannot be insured against or the premiums would be infeasible. War is an example, since most property and risks are not insured against war, so the loss attributed to war is retained by the insured. Also, any amount of potential loss (risk) over the amount insured is retained risk. This may also be acceptable if the chance of a very large loss is small or if the cost to insure for greater coverage amounts is so great it would hinder the goals of the organization too much.

Risk transfer causes another party to accept the risk. For an investment property, insurance is risk transfer using contracts. Other times it may involve contract language that transfers a risk to another party without the payment of an insurance premium. For example, a tenant may accept the risk as part of the lease agreement. The rent review clause of a typical lease manages the risk of the rent falling below a market rent.

Some ways of managing risk fall into multiple categories. Risk retention pools are technically retaining the risk for the group, but spreading it over the whole group involves transfer among individual members of the group. This is different from traditional insurance, in that no premium is exchanged between members of the group up front, but instead losses are assessed to all members of the group.


Decide on the combination of methods to be used for each risk. Each risk management decision should be recorded and approved by the investor. This is most likely to be carried out by the property manager. For example, the extent of the extensions over and above the basic fire policy, such as meltdown (as opposed to fire), flood or plate glass extensions, should be the decision of the investor. If the investment property is sited in a well behaved society the investor may prefer to carry the plate glass insurance themselves.
The risk management plan should propose applicable and effective security controls for managing the risks. For example, a yearly update of the building cover by having a replacement cost valuation carried out by the valuer. A good risk management plan should contain a schedule for control implementation and responsible persons for those actions. In the case of updating the cost of replacement, the employment of the valuer can be carried out by the property manager at a certain date each year. However, the property manager would need instructions in writing to do this. The risk management concept is old but is still not very effectively measured.


Implementation is the following of all the above planned methods to mitigate or eliminate the effect of the risks. For example, purchase insurance policies for the risks that have been decided to be transferred to an insurer, avoid all risks that can be avoided without sacrificing the investment strategy, reduce others, and retain the rest.


Initial risk management plans will never be perfect. Practice, experience, and actual loss results, will necessitate changes in the plan and contribute information to allow possible different decisions to be made in dealing with the risks being faced.
Risk analysis results and management plans should be updated periodically. There are two primary reasons for this:


If risks are improperly assessed and prioritized, time can be wasted in dealing with risk of losses that are not likely to occur. For example, insuring against war. Spending too much time assessing and managing unlikely risks can divert resources that could be used more profitably. Unlikely events do occur, but if the risk is unlikely enough to occur, it may be better to simply retain the risk, and deal with the result if the loss does in fact occur.

Prioritizing the risk management process itself too highly could potentially keep an organization from ever completing an investment project or even getting started. Delay while assessing risk will cost the investor through loss of interest and rising building costs.
It is also important to keep in mind the distinction between risk and uncertainty.


In investment project management, a risk is more narrowly defined as a possible event or circumstance that can have negative influences on a project. Its influence can be on the schedule, the resources, the scope and/or the quality.

In project management when a risk escalates, it becomes a liability. A liability is a negative event or circumstance that is hindering the project.
Some of the processes for assessing risk include the following (the parentheses contain some of the jargon used to refer to them).

In addition, every probable risk can have a preformulated plan to deal with it and to deal with its possible consequences (to ensure contingency if the risk becomes a liability).


In project management, risk management includes the following activities:


Risk management is simply a practice of systematically selecting cost effective approaches for minimising the effect of threat realisation to the investor. All risks can never be fully avoided or mitigated simply because of financial and practical limitations of the real world. Therefore all investors have to accept some level of residual risks which still may realise despite their efforts.

Whereas risk management tends to be preemptive, Business Continuity Planning (BCP) was invented to deal with the consequences of realised residual risks.

The necessity to have BCP in place is because even very unlikely events will occur if a necessarily long time is available. Risk management and BCP are often mistakenly seen as rivals or overlapping practices. In fact these processes are so tightly tied together that such separation seems artificial. For example, the risk management process creates important inputs for the BCP (assets, impact assessments, cost estimates etc). Risk management also proposes applicable controls for the observed risks. Therefore, risk management covers several areas that are vital for the BCP process. However, the BCP process goes beyond risk management's pre-emptive approach and moves on from the assumption that the disaster will realise at some point.




The property investor is investing for one clear reason: to make a profit. Poorly managed risks will have tangible and sometimes dramatic effects on that profit, for example if the building is not adequately insured and burns down. Therefore, sound risk management is important to ensure that your investment strategy can overcome any problems and the investment can continue to grow.

Threats to a small investor or project can come from a variety of sources. Typically risks are categorized into four areas:


An effective risk management strategy must be systematic and robust. It also must be straight-forward, and simple to implement. There are three stages:

Operational risks are minimized by clear check and balance procedures and management oversight within the company. Strategic risks can be minimized by better documentation, such as a good lease with modern plain English clauses.


Jack and Jill, two retirees, have been looking around for a suitable investment for their retirement nest egg of about $800 000. Nearby is an old service station that has been disused for 3 years. They make enquiries with the local council and find out that the site is suitable for the construction of 8*2 bedroom strata units. The council is only too pleased to have the site developed as it is an eyesore next to the local shopping centre.

Jack and Jill make enquiries with the oil company that owns the service station and find that they are only too glad to get rid of it as there are too many service stations in the area. They are so pleased to sell that it is on the market for only $600 000.

You have been employed to advise them on their proposed investment.


When old service stations are mentioned, immediately the “alarm bells ring”. Old service stations will be subject to severe oil contamination and this will have to be completely remedied before the units can be built.

Your enquiries with council show that yes, indeed, the site is contaminated and they will need an environmental engineer's report that the site has been decontaminated before approval will be given for a residential use. Jack and Jill's investment is looking much riskier now than when they first made enquiries.


As mentioned, the oil company is keen to sell the disused site, so you begin negotiations with the company. You discover that it will take 12-18 months for the site to be decontaminated. Under these circumstances you successfully negotiate with the company that they carry out the decontamination process and obtain clearance to develop from the council. This way the risk of decontamination has been passed from Jack and Jill to the oil company. It also happens that they are experts in decontamination and can carry out the process more thoroughly and more quickly than local contractors.


The risk can be mitigated by advising Jack and Jill to take up an option to purchase rather than buying outright. This will require the payment only of an option fee, with the balance payable on completion, which is subject to council's approval to build. Their risk can be further reduced by having a time limit on the option, or by having the oil company pay penalties or compensation for every month the decontamination process is behind schedule. A period of indemnity against any claim caused by the contamination has also been negotiated with the oil company.

You can also negotiate with the oil company for a discount in the purchase price as compensation for the extra costs incurred by the delay.


The oil company has decontaminated the site and during the 18-month delay the investors have employed an architect to design the new 8*2 bedroom strata units. To reduce risk they have employed Council's pre planning enquiry and negotiation process. This is a free service and reduces the risk of the proposed development being rejected, particularly on technical grounds. The architect is also there so that they know exactly what sort of development the council favours, to mitigate the risk of delay.

Risk is further reduced by having a fixed process contract with the architect to obtain all council's approvals and supervise the building. Risk is further reduced by entering into a fixed price contract with the builder with penalties for any time overruns. The contract should have as long an indemnity period as possible (i.e. the period during which the builder will fix any faults). Further, it is checked with the builder that they are licensed, qualified and have made all insurance payments to the Board so that the investors can claim compensation if the builder does not complete, for example through bankruptcy.

You advise the investors that immediately upon completion (with council's and the architect's certificates of completion) they take control of the building and insure it against loss through fire, storm and tempest. Since there is no plant and equipment, plate glass or the likelihood of water damage, these extensions are not taken up and the investors take the risks themselves.

You have advised the investors that the highest and best use of the site is to keep ownership and lease the units out. This is because of the property's location near a viable and popular shopping centre. Risk is reduced by the fallback or exit position, which is selling the units off to owner occupiers. This safety option has been achieved by having the units strataed even though the investors' intentions were to lease the properties. Further, the fallback position has been strengthened by the fact that council would look favorably on a change of use of the lower units from residential to home office.

Risk is reduced by employing a reputable and experienced property manager. A professional property manager will have access to a database of “bad tenants” and expertise in vetting prospective tenants. This will reduce the risk of the tenants not paying or causing damage. To further reduce risk the valuer/agent advises the investors to take out landlord's insurance, which will indemnify the investors against loss of rent and damage caused by the tenants.

If a professional and thorough property manager has been employed then there should be little risk to income arising from the building during the investment period. The property manager has agreed not only to send the investors their monthly statements but also to notify them immediately if any major problem arises during the investment period.

As the investment matures the property will be subject to appreciation in an expanding economy. This means that the investors' equity will increase over time. This will allow the investors to negotiate for a new loan at a lower interest rate.