Risk Management in ISO 9001 is defined as “the effect of uncertainty” on business objectives. Risk is about dealing with uncertainty. Anything that can have an impact on the strategic direction of a business, can be considered as a risk.
If we have no objectives, we are not doing anything. If we have an event without any objectives, we can’t have a risk. “If you aim at nothing, you will hit every time.” Risks are defined top to bottom, and managed, bottom-up.
Importance of Risk Management in ISO 9001
Over the past years, risks have been increasing. Boards of directors, and C-level management, are increasingly seeking to implement risk management processes within their business. Having said that only around half of the businesses have actually defined the risks relating to their business, and 38% have created a process to handle the identification of risks and implementation of actions based on these risks.
There is no single style of risk management or approach to risk management that offers all answers. Various styles can be adopted – and could operate as complementary approaches, within an organization.
Factors influencing Risk Management in ISO 9001
The factors that have an impact on Risk Management in ISO 9001 are defined as internal and external issues.
The internal context relates to what happens within the company. Relates to the organization itself, and factors within the control of the company. The external context relates to the environment in which the company operates. Without evaluating the internal and external risks, we might be considering risks that are not relevant to our business.
- Market forces
- Regulated industry
- Political objections
- Technology standards
- Key drivers
- Trends among supply chain
- Employees availability
- New competitors
- Key suppliers
- Key marketing partners
- Customer concentration
- Strategic plans
- Hierarchy, roles
- Organizational influence
- Level of available expertise
- IT systems
- Formal and informal reporting processes
- Code of ethics/conducts
By handling risk in a structured way, we are able to have an increased control over the risks at hand, and to increase the number of opportunities that are seized. Most notably, proper risk management increases the resilience of a business.
Benefits of ERM include benefits of increased presence and better control of the follow elements of a business. This is called the FIRM risk scorecard.
One of the most commonly used management systems is the ERM (enterprise risk management). Now it is important to not let these risk management tools take over the actual reasoning behind implementing a RMS (risk management system).
Identifying and Prioritising Risks
There are 3 different types of risks identified as Risk Management in ISO 9001
- New risks that have emerged in the external environment
- Existing risks – changed circumstances
- Risks that were not previously faced by the organization, because risks are associated with changed core processes – new risks in new context
The following are some of the methods can be used to identify and prioritise risks.
- Questionnaires and checklists
- Works and brainstorming
- Inspections and audits
- Flow charts and dependency analysis
The two most important elements to consider when identifying Risk Management in ISO 9001 are:
- Probability – how likely is it that the risk is going to materialize. You do this by assigning a probability value based on the likelihood of the risks’ occurrence – from a very minute change of occurring to almost sure that it will happen
- Impact – once you have the probability figures out, you then work towards estimating the cost of the impact of the risk if does materialize. This relates to the effect that this risk would impost on the project – from barely noticeable change to change in project objective – or cost-wise – insignificant cost increase to more than 50% increased cost.
When handling any type of ERM, the values for the probability and impact must be defined through a table – so that defining the probability and impact would have a structured approach, whereby everyone will agree on the exact value that should be used – and not basing these values based on opinions.
By multiplying the probably and impact, we will be able to identify which risks are most worthy of our attention and consideration.
Inherent risk – this is the risk that exists prior to taking any action to mitigate the risks. Residual risk – is the risk level after controls have been implemented.
Conclusions about Risk Management in ISO 9001
In today’s fast-paced world, business owners cannot be static, and wait until a adverse situation actually happens. But rather, they must be proactive and seek to identify issues before they actually take place.
Luke Desira, an ISO 9001 consultant in Malta, has helped over 100 SMEs in Malta to identify and mitigate risks and to seize sizable opportunities. If you’d like more information, please feel free to get in touch now.