Risk Management in ISO 9001
Organizations today work in highly volatile market conditions and deal with a number of risks. Changing trends, new technologies, the surge of social media, concerns over the environment, globalization and many other factors have changed the way markets operate today. Apart from these external factors, internal team structures and dynamics and our own competencies and capabilities play an important role in determining a company's ability to deal with changing conditions. Understanding all these factors, external and internal (referred to as the "Context" in ISO 9001), and strategically planning measures to handle them are critical to the success of any company today.
A company's Context gives rise to many of the risks companies face today. Consider how a single complaint about your company on social media can damage a potential client's impression and ruin prospects.
Your competition offering higher salaries may lead to high attrition in your own company.
Government plans to change regulations may impact the way you operate and escalate your cost.
Are you ready to deal with these situations?
Companies need to plan effective responses to these risks, because responses that are weak, unplanned or ill-timed can have a dramatic effect on the future of any business.
Efficient Risk Management is important to ensure companies are ready for adverse situations and can deal with them. ISO 9001 requires that a company establish a sound approach for handling risks and be ready for unforeseen situations.
What is Risk as Defined in ISO 9001?
ISO defines risk as the ‘effect of uncertainty on the expected result’. ISO also defines opportunities, which are the “Positive Side of Risk”. The context of an organization may also present a number of opportunities, and these should be addressed adequately too. For example, an advance in technology may make your current methods of operation obsolete, so you run the risk of going out of business, but it also presents an opportunity to venture into newer areas of business. ISO 9001 not only focuses on risks but also emphasizes capturing opportunities and enlarging them.
How to Identify Risks and Opportunities?
Based on its context and the requirements of interested parties, a company shall determine the risks it faces. This can be done with a simple SWOT Analysis.
As per Wikipedia, SWOT analysis (or SWOT matrix) is a strategic planning technique used to help a person or organization identify strengths, weaknesses, opportunities, and threats related to business competition or project planning.
The Strengths and Weaknesses are internal (Internal Factors) to the organization.
Opportunities and Threats are external (External Factors) to the organization.
Here’s a sample SWOT analysis done by a new food joint:
The SWOT matrix points to a number of risks and opportunities. The opportunity of business growth in the under-25 age group can easily be enhanced by introducing food items that this age group likes. This will also address the risk of lower sales that the business may face because of its weakness: “Lack of variety in food items”. ISO 9001 requires that you identify these risks and opportunities and address them appropriately and in a timely manner.
How to Address Risks?
Once risks are identified, it is very important for an organization to address them to reduce the probability of their occurrence and/or reduce their impact. This could be as simple as identifying actions to mitigate the risks and ensuring timely closure of those actions. However, depending on the complexity and size of the organization, a more detailed risk evaluation may be carried out. An organization may define a detailed risk methodology to handle risks. This methodology may involve evaluating each risk, giving it a rating, comparing the rating against an acceptance limit and then deciding on an adequate response to the risk.
Risk Evaluation Methodology
Several risk matrices can be used to derive risk levels. A simple method is to evaluate a few factors of the risk and combine them into a rating. Below are some of the factors that could be rated:
- Risk Impact / Severity: The typical severity of the outcome of a risk, rated based on its impact. The impact may be rated high, medium or low, or as a number on a scale (say 1 to 10).
- Risk Probability / Likelihood: The probability that the risk occurs. This may be rated high, medium or low, as a percentage likelihood of occurrence, or simply as a number.
- Risk Rating: May be calculated by simply multiplying Probability and Impact.
Risk Rating = Probability x Impact
- Risk Acceptance Level: An organization may establish a Risk Acceptance Level, that is, an acceptable limit of risk.
This risk rating may be used to establish priority in addressing identified risks and deciding on an adequate level of response to the risk.
How to control risk?
Once the risk rating and acceptance level are decided, the next step is to understand whether each identified risk falls within the acceptable limit or not. If the risk rating lies below the acceptable limit, the controls already in place and applied to the risk are working well, and the organization may not need any additional controls. If the risk is not adequately controlled (i.e. the Risk Rating is beyond the acceptable limit), new control procedures or actions may need to be defined. Actions need to be taken on the risk to:
- Reduce the probability of the risk occurrence (called Mitigation) and /or
- Reduce the impact of the risk (called Contingency)
Wherever possible, both the above actions should be taken to control risk.
Review and Monitor Risks
Risks need to be monitored and tracked on a regular basis. Monitoring risks helps in understanding the effectiveness of the actions planned. Once the control measures are implemented, you need to check whether the risk is within the acceptable level or not.
This will require revisiting the risk rating to find out if the controls applied were able to reduce the risk probability or impact. This should be done on a fixed frequency or on events like changes in process, staff, or equipment.
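As an added illustration (not part of the original article), the rating, acceptance-level check, mitigation/contingency and review steps above as a small risk register in Python. The 1-to-5 scales, the acceptance level of 10 and the register entries are constructed assumptions:

```python
from dataclasses import dataclass, field

# Constructed 1-5 scales for probability and impact, so Risk Rating = P x I is 1..25.
ACCEPTANCE_LEVEL = 10  # hypothetical limit set by management


@dataclass
class Risk:
    name: str
    probability: int  # 1..5 likelihood of occurrence
    impact: int       # 1..5 severity of the outcome
    history: list = field(default_factory=list)  # ratings before each control

    def rating(self) -> int:
        return self.probability * self.impact  # Risk Rating = Probability x Impact

    def is_acceptable(self, level: int = ACCEPTANCE_LEVEL) -> bool:
        return self.rating() <= level

    def mitigate(self, new_probability: int) -> None:
        # Mitigation: an action that lowers the probability of occurrence
        self.history.append(self.rating())
        self.probability = max(1, min(5, new_probability))

    def add_contingency(self, new_impact: int) -> None:
        # Contingency: an action that lowers the impact if the risk occurs
        self.history.append(self.rating())
        self.impact = max(1, min(5, new_impact))

def prioritize(risks: list) -> list:
    # Highest rating first, to decide which risks to address first
    return sorted(risks, key=lambda r: r.rating(), reverse=True)

def needing_controls(risks: list, level: int = ACCEPTANCE_LEVEL) -> list:
    # Risks above the acceptance level, for which new controls must be defined
    return [r for r in risks if not r.is_acceptable(level)]

def review(risk: Risk, level: int = ACCEPTANCE_LEVEL) -> dict:
    # Periodic review: did the controls bring the rating within the limit?
    before = risk.history[0] if risk.history else risk.rating()
    return {"name": risk.name, "before": before, "after": risk.rating(),
            "acceptable": risk.is_acceptable(level)}

# Constructed register using risks the article mentions
REGISTER = [
    Risk("Negative social media complaint", probability=4, impact=4),
    Risk("Attrition from competitor salaries", probability=3, impact=3),
    Risk("Regulation change raises costs", probability=2, impact=5),
    Risk("Lack of variety lowers sales", probability=4, impact=3),
]
```

A rating exactly at the acceptance level counts as acceptable here; whether the limit is inclusive is a choice the organization's methodology should state explicitly.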
Each business operation of an organization involves risks and opportunities. The key to the success of any organization is to handle these risks and opportunities well in advance. This ensures fewer surprises, better planning and quicker decision making.
This, in turn, leads to higher performance and improved customer satisfaction.
Effective Risk Management is vital for the success of any organization and should be done by all levels of management and for all operations.
– Avital Koren is the Director of ISO Global