ISO 9001 and Risk Management: Explained

In every human endeavour there is an element of risk: personal, project or financial, or a combination of them all. The task of the responsible individual is to identify the risk and act accordingly. We all do ‘risky’ things almost daily, aware that we are taking a risk. Rather than avoiding risk, we become adept at identifying it and having a strategy for dealing with it if it materialises. This is what risk management is about, and it is a skill that matters in virtually every endeavour.

The popular misconception that risk management is difficult or complicated stems from the bureaucratic methodology of some system-oriented organisations and managers. It is neither complicated nor bureaucratic, and need not be. Risk management is basically a simple proposition, with a complexity dictated by the nature of the situation to which it applies (usually a project) and the parties involved. In its simplest form, risk management deals with:

1. Identifying risk - Looking for anything that threatens the successful completion of the project against the original requirement. Risks can be environmental, organisational, technical, legal, economic or commercial.

2. Counteracting risk - Taking action to remove or reduce the probability of a risk being realised. The response depends on the nature or seriousness of the risk.

3. Acting when the risk event occurs - Invoking whatever contingency measures were devised for the risk that has materialised.

And underpinning all three of these is:

4. Monitoring at all stages - This typically means documenting a risk assessment in a profile that identifies each risk, the probability of its occurrence, and the impact if it does materialise. The risks that score highest on both counts are those that require the greatest attention and monitoring. A good risk manager will devise counter-measures that reduce the probability of these risks, contingency plans that reduce their impact, or both, and so take them off the critical list. The profile is revisited as the project proceeds, since both probability and impact change over time.
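As an added illustration of the risk profile described in step 4 (this is example code written for this page, not code from the article or from Meon Consulting Group), the following Python risk register scores each risk as probability × impact on assumed 1-5 scales, ranks the register so the highest-scoring items surface first, flags those at or above an assumed threshold for a contingency plan, and computes the residual score after a counter-measure lowers the probability, the impact, or both. The sample register entries are constructed for the example.

```python
"""Risk profile scoring: rank risks by probability x impact and show how a
counter-measure changes the residual score.

Added example; not code from the article or from Meon Consulting Group.
The 1-5 scales, the attention threshold and the sample register are
assumptions chosen for illustration.
"""
from dataclasses import dataclass, replace
from typing import Optional

SCALE = range(1, 6)  # assumed scale: 1 (very low) .. 5 (very high) on both axes


@dataclass(frozen=True)
class Risk:
    name: str
    probability: int            # likelihood the risk materialises, 1..5
    impact: int                 # severity against the original requirement, 1..5
    treatment: Optional[str] = None  # counter-measure applied, if any

    def __post_init__(self):
        if self.probability not in SCALE or self.impact not in SCALE:
            raise ValueError(f"{self.name}: probability and impact must be in 1..5")

    @property
    def score(self) -> int:
        return self.probability * self.impact


def rank(risks):
    """Highest score first; ties broken on impact so high-impact items surface."""
    return sorted(risks, key=lambda r: (r.score, r.impact), reverse=True)


def treat(risk, *, probability=None, impact=None, action):
    """Return the residual risk after a counter-measure lowers one or both axes.
    A counter-measure may only lower a score, never raise it."""
    new_p = probability if probability is not None else risk.probability
    new_i = impact if impact is not None else risk.impact
    if new_p > risk.probability or new_i > risk.impact:
        raise ValueError(f"{risk.name}: a treatment cannot increase probability or impact")
    return replace(risk, probability=new_p, impact=new_i, treatment=action)


def needs_attention(risk, threshold=12):
    """Assumed policy: scores at or above the threshold get a contingency plan."""
    return risk.score >= threshold


def report(risks, threshold=12):
    """Return (name, score, flagged) tuples in priority order."""
    return [(r.name, r.score, needs_attention(r, threshold)) for r in rank(risks)]


# Constructed sample register for a software project (not from the article).
REGISTER = [
    Risk("Key supplier library abandoned", probability=2, impact=5),
    Risk("Requirement misunderstood by team", probability=4, impact=4),
    Risk("Build server disk fills up", probability=3, impact=2),
    Risk("Licence audit finds non-compliant component", probability=2, impact=3),
]


if __name__ == "__main__":
    for name, score, flagged in report(REGISTER):
        print(f"{score:>2}  {'*' if flagged else ' '}  {name}")
    # Counteract the top item: a requirements workshop lowers the probability,
    # incremental delivery lowers the impact because errors are caught early.
    top = rank(REGISTER)[0]
    residual = treat(top, probability=2, impact=3,
                     action="requirements workshop + incremental delivery")
    print(f"residual for '{top.name}': {top.score} -> {residual.score}")
```

The register keeps the original entry and the treated entry as separate records, so the profile shows both the inherent score that justified the counter-measure and the residual score that remains to be monitored.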

Operating within a formally organised management system like that defined by ISO 9001 necessitates the application of risk assessment to meet the minimum requirements of the Standard. Auditors working within such systems might not initially notice any explicit reference to risk management, but the requirement to identify potential nonconformities and their causes (clause 8.5.3, Preventive action) covers a broad topic that can only be called “risk management”.

Properly managed risk taking is a widespread trait of any successful, forward-thinking enterprise, since risk is a key aspect of any progression, advancement or improvement. It is the acceptance of disciplined risk management, together with the impulse to push forward from a comfortable position, that creates progress and advancement. Doing what we always do purely because the risks appear negligible or are well known is to be ‘risk averse’, and for a progressive organisation that is not acceptable. Nor is it acceptable to chase new ideas without a clear view of their possible benefit, careful planning, an understanding of the threats to those gains being realised, and a plan for handling them should they appear. We should strive to manage in a way that is neither timid nor reckless. Risk assessment is an essential tool to support this strategy. We ignore it at our peril…

Ed. Bones is a chartered quality professional, an IRCA registered Lead Auditor, and is a senior partner with Meon Consulting Group, providing expert audit and consultant services for ISO9001 & ISO14001 management systems. The company web site provides detailed information, and includes the offer of FREE Advice.

