Risk Assessment

All of us manage risk in our everyday lives. It comes so naturally that most of us don’t have to stop and think about the actions we take to reduce risk.

You wear a helmet when biking. You cross the street at the light. You use your seatbelt in the car. You wash your hands before eating. But at work, we are often unprepared for the risks that may keep us from achieving our business objectives.

To understand how we can better control business risks, let’s start by defining “risk”.

What is Risk?

Risk is the “effect of uncertainty on an expected result”

The Effect in the definition is a deviation from the expected – positive or negative. The Uncertainty is the lack of information related to understanding or knowledge of an event, its consequence, or likelihood.

Risk often refers to potential “events” and their “consequences”.

Risk-Based Thinking

The concept of risk was implicit in ISO 9001:2008. The corrective action on detected nonconformities required by clause 8.5.2 helps manage problems that have already occurred. The preventive action on potential nonconformities required by clause 8.5.3 is a form of risk management. However, the term “risk” does not appear anywhere in requirement clauses 4 through 8.

The new ISO 9001:2015 edition makes risk management explicit by mentioning the term “risk” a total of 14 times within requirement clauses 4 through 10.

Risk-based thinking ensures that risk is considered from the start of, and throughout, the process approach. It makes preventive action part of your strategic planning and direction rather than a separate activity.

Risk is often thought of in the negative sense. However, risk-based thinking can also help identify possible business opportunities.

Risk-Based Approach

ISO 9001:2015 describes its risk-based approach in Annex A.4. One of the purposes of a quality management system is to act as a preventive tool.

The standard does not have a separate clause titled “Preventive Action”. Instead, the concept of preventive action is expressed through a risk-based approach, with planning activities used throughout the standard to identify and analyze risks.

For example, the following clauses in ISO 9001:2015 deal with risk:

4.4 Quality Management System and its Processes
4.4.1.f – Address the risks and opportunities determined in accordance with 6.1.

5.1.2 Customer Focus
5.1.2.b – Ensure risks are determined and addressed.

6.1 Actions to Address Risks and Opportunities
6.1.1 – Plan to determine the risks that need to be addressed to achieve intended results.
6.1.2 – Plan actions to address risks; integrate into processes; and evaluate effectiveness of actions.

8.5.5 Post-Delivery Activities
8.5.5.b – Consider the potential undesired consequences associated with products and services when determining the extent of post-delivery activities.

9.3 Management Review
9.3.2.e – Review the effectiveness of actions taken to address risks and opportunities (a required management review input).

In addition, be sure to focus on other risk-related terms in the standard, such as consequences, constraints, complexity, impact, mitigate, and controls.

Risk Scenarios

When considering risk events, consider if any of these scenarios might impact your business:

  • product failures
  • late deliveries
  • service issues
  • supply chain disruption
  • technology shifts
  • competitive pressures
  • aging workforce
  • forecasting errors
  • undocumented processes
  • design complexity
  • currency changes
  • raw material shortages
  • oil price increases
  • work stoppage
  • economic downturn
  • increased regulations
  • unskilled workers
  • data breaches
  • organizational changes
  • project dependencies

Risk Probability

When rating the probability of a risk event, you might rate it on a scale of 1 to 5:

1. Rare – not expected to occur, but possible
2. Unlikely – could occur at some time, but is not expected
3. Possible – will occur several times
4. Likely – will occur frequently
5. Almost Certain – continually experienced

Risk Consequence

When rating the consequence of a risk event, you might rate it on a matching scale of 1 to 5:

1. Incidental – negligible business impact
2. Minor – slight business impact
3. Moderate – limited business impact
4. Major – serious business impact
5. Extreme – disastrous business impact

Risk Index

You can multiply the Probability rating by the Consequence rating to compute a Risk Index. With the scales above, the Risk Index ranges from 1 to 25. A low risk might be in the range 1-8, a medium risk 9-16, and a high risk 17-25 (because only products of two ratings from 1 to 5 occur, the only indices that land in the high band are 20 and 25). Prioritize your actions by the severity the Risk Index indicates, but keep in mind that the ratings are ordinal, so the product is a ranking aid rather than a measured quantity: a rare but extreme event (1 x 5) and an almost certain but incidental one (5 x 1) both score 5 and may deserve very different responses.

Mitigation Actions

Five different types of actions to mitigate risk are:

1. Avoid Risk – withdraw from the activity
2. Eliminate Risk – eliminate the risk source
3. Change Risk – change probability or consequence
4. Share Risk – outsource risk or insure against it
5. Retain Risk – accept risk by informed management decision

Risk Assessment

A process for assessing risk is to:

1. Define your relevant business objectives.
2. Identify events that could affect achieving those objectives.
3. Determine your organizational risk tolerance.
4. Assess the inherent likelihood and impact of risks.
5. Evaluate the portfolio of risks and determine risk responses.
6. Assess residual likelihood and impact of risks.

Inherent risk, as used here, is the current level of risk, assuming the existing responses operate as designed; residual risk is the estimated level of risk after the responses under consideration are put into place. Comparing the two shows what each planned response actually buys you.
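As an added example (not code from the article or from ISO 9001), the following Python register applies the 1 to 5 ratings, the Probability x Consequence index and the low/medium/high bands from the Risk Index section above, then carries each entry through steps 4 to 6 of the assessment process: score inherent risk, apply the planned response, score residual risk, compare it with the organizational tolerance and order the register for action. The register entries, the tolerance argument and the extreme-consequence escalation rule are constructed assumptions for illustration; the scenarios themselves are taken from the list above.

```python
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

# Rating scales from the article (1..5 each).
PROBABILITY = {1: "Rare", 2: "Unlikely", 3: "Possible", 4: "Likely", 5: "Almost Certain"}
CONSEQUENCE = {1: "Incidental", 2: "Minor", 3: "Moderate", 4: "Major", 5: "Extreme"}
# Risk Index bands from the article: low 1-8, medium 9-16, high 17-25.
BANDS = ((1, 8, "low"), (9, 16, "medium"), (17, 25, "high"))
BAND_ORDER = {"low": 0, "medium": 1, "high": 2}


def risk_index(probability: int, consequence: int) -> int:
    """Risk Index = Probability rating x Consequence rating; rejects ratings outside 1..5."""
    for name, rating in (("probability", probability), ("consequence", consequence)):
        if not isinstance(rating, int) or rating not in PROBABILITY:
            raise ValueError(f"{name} rating must be an integer 1..5, got {rating!r}")
    return probability * consequence


def band(index: int) -> str:
    """Map a Risk Index to the low / medium / high band."""
    for low, high, label in BANDS:
        if low <= index <= high:
            return label
    raise ValueError(f"Risk Index out of range 1..25: {index}")


@dataclass
class Risk:
    """One register entry. Ratings are (probability, consequence) pairs."""
    event: str
    inherent: tuple[int, int]                   # current ratings, existing responses working as designed
    response: str = "retain"                    # avoid / eliminate / change / share / retain
    residual: Optional[tuple[int, int]] = None  # ratings once the planned response is in place

    def residual_ratings(self) -> tuple[int, int]:
        # A retained risk keeps its current ratings; any other response must state the new ones.
        return self.residual if self.residual is not None else self.inherent


def assess(register: list[Risk], tolerance: str = "low") -> list[dict]:
    """Steps 4 to 6 of the assessment: score inherent and residual risk for every entry,
    compare the residual band with the organization's tolerance (step 3), and order the
    register so the largest remaining risk comes first."""
    if tolerance not in BAND_ORDER:
        raise ValueError(f"tolerance must be one of {list(BAND_ORDER)}")
    rows = []
    for risk in register:
        inherent = risk_index(*risk.inherent)
        res_p, res_c = risk.residual_ratings()
        residual = risk_index(res_p, res_c)
        rows.append({
            "event": risk.event,
            "inherent": inherent,
            "inherent_band": band(inherent),
            "response": risk.response,
            "residual": residual,
            "residual_band": band(residual),
            # Residual risk still sits above the tolerance chosen in step 3.
            "above_tolerance": BAND_ORDER[band(residual)] > BAND_ORDER[tolerance],
            # Assumed escalation rule (not from the article): an Extreme consequence is
            # flagged even when a Rare probability keeps the product in the low band.
            "extreme_consequence": res_c == 5,
        })
    rows.sort(key=lambda row: (row["residual"], row["inherent"]), reverse=True)
    return rows


# Constructed register entries; the scenarios come from the article's list.
SAMPLE_REGISTER = [
    Risk("data breach of customer records", inherent=(3, 5), response="change", residual=(2, 4)),
    Risk("supply chain disruption at a sole-source supplier", inherent=(4, 4), response="share", residual=(2, 3)),
    Risk("late deliveries in peak season", inherent=(4, 3), response="retain"),
    Risk("work stoppage at the main plant", inherent=(1, 5), response="retain"),
]


if __name__ == "__main__":
    for row in assess(SAMPLE_REGISTER, tolerance="low"):
        flags = []
        if row["above_tolerance"]:
            flags.append("ABOVE TOLERANCE")
        if row["extreme_consequence"]:
            flags.append("EXTREME CONSEQUENCE")
        print(f'{row["event"]:<52} inherent {row["inherent"]:>2} ({row["inherent_band"]:<6}) '
              f'-> {row["response"]:<7} -> residual {row["residual"]:>2} ({row["residual_band"]:<6}) '
              f'{" ".join(flags)}')
```

Run stand-alone, the register prints one line per risk, worst residual first. The retained late-delivery risk stays at 12 (medium), above a "low" tolerance, so it is the first item to revisit; the data breach falls from 15 to 8 once the planned change is in place; and the work stoppage scores only 5 but is still flagged because its consequence is Extreme, which is the case the plain product hides.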

Why Adopt Risk-Based Thinking?

Successful companies usually take a risk-based approach because it brings benefits:

  • Improves customer satisfaction
  • Assures consistency of products and services
  • Establishes culture of prevention and improvement

ISO 9001:2015 does not require a formal risk assessment method or a documented risk management process, but you still need enough documented information to show that risks were determined and addressed. ISO 31000, Risk Management, provides guidance and may be a useful reference, but is not required. In addition, consider ISO 22301 for business continuity.

Next Steps

1. Analyze and prioritize your risks and opportunities. What is acceptable? What is unacceptable? Which opportunities should be acted on?
2. Plan actions to address the risks and opportunities. How can I avoid, eliminate, or mitigate the risk? How can I realize opportunities?
3. Implement the plan – take action.
4. Check the effectiveness of the actions – did it work?
5. Learn from experience – continual improvement.

See our new course, ISO 9001:2015 Requirements and Transition Guidance, for further information about risk in the context of your organization. Course handouts include risk assessment worksheets.