Risk is the possibility of events or activities impeding the achievement of an organisation’s strategic and operational objectives. Risk-based thinking is something we all do automatically and often subconsciously. Risk is often thought of only in the negative sense, but risk-based thinking can also help to identify opportunities. This can be considered the positive side of risk.
The concept of risk has always been implicit in ISO 9001, and the 2015 revision makes it explicit in the hope of preventing undesirable outcomes. Risk-based thinking isn’t new; it’s already part of the process approach. Making it explicit turns preventive action into part of the routine.
What to do
Identify what the risks and opportunities are in your organisation; these depend on the circumstances (context) of your organisation. ISO 9001:2015 does not automatically require you to carry out a full, formal risk assessment or to maintain a “risk register”, but the following points may be worth considering:
- analyse and prioritise the risks and opportunities in your organisation; what is acceptable or unacceptable? You may use a SWOT or PEST analysis to assist you.
- plan actions to address the risks – how can I avoid, eliminate or mitigate the risk?
- implement your plans and take action
- check that your actions have been implemented and are effective – do they work?
- learn from experience – continual improvement
If this seems familiar, then you may want to develop a formal risk register.
Components of a Risk Register
There is no standard list of components that should be included in the risk register. Some of the most widely used components are:
- Dates: As the register is a living document, it is important to record the date that risks are identified or modified. Optional dates to include are the target and completion dates.
- Description of the Risk: A phrase that describes the risk.
- Risk Type (business, financial, product, etc): Will the risk impact timeframes, resources or reputation, etc?
- Priority: derived from the likelihood that this risk will occur and the consequence that its occurrence would have on the organisation, finances, product, etc.
- Control measures: Actions to be taken to prevent, reduce, or transfer the risk. This may include production of contingency plans.
- Risk owner: The individual responsible for ensuring that the risk is appropriately addressed and that the planned countermeasures are carried out.
- Status: Indicates whether this is a current risk or whether the risk can no longer arise and impact the organisation (i.e. it is closed).
Why use risk-based thinking?
Successful organisations intuitively take a risk-based approach because it brings benefits that:
- improve governance
- establish a proactive culture of improvement
- assist with compliance
- ensure greater knowledge of risks and improve preparedness
- increase the probability of reaching objectives
- reduce the probability of negative results
- make prevention a habit
- assure consistency of quality of goods and services
- improve customer confidence and satisfaction