When maintaining your ISO 9001 Quality Management System, one of the most important things to be done is to manage risk on a daily basis. Learning how to apply a risk management process systematically, and then following the 5 core risk management process steps described below will enable this part of your QMS to run smoothly and will result in it being a positive experience for all parties involved.
A commonly used definition of risk is an uncertain event whose results, when it occurs, can be either positive or negative. The idea that a risk can have either a positive or a negative effect is important, as most people naturally assume that a risk always has a negative effect. Once you realize and understand that a risk could also have a positive effect, you’ll be in the right frame of mind to spot opportunities, another important element of ISO 9001. There is an old adage that says “Accept the inevitable and turn it to your advantage.” If you are able to do this, you’ll be able to take the risks you identify and turn them into opportunities.
Uncertainty lies at the core of risk management. You may not know how likely it is that an event will occur or even if it will occur at all. By the same token, the consequences when it does occur will also be uncertain. Likelihood can be described as the probability that an event will occur, while the consequence is defined as the outcome or impact of an event. Used together, these two elements determine the magnitude or size of the risk.
Generally, risk management processes follow a few logical steps, although the terminology used to describe these steps is often different, and additional steps are sometimes added. The 5 risk management process steps described below form a simple, yet effective risk management process.
Step 1: Risk Identification. In order to identify risk, so-called risk-based thinking has to be used. People often notice potential risks, but then don’t think anything more about them and don’t take action. When a risk is uncovered, it must be recognized as such and should then be described in terms of its potential effects. A number of techniques are available to identify risks. At this stage it is also logical to capture the details in a Risk Register.
Step 2: Risk Analysis. Once risks are identified you determine the likelihood and consequence of each risk. You should understand the exact nature of the risk and how it could affect your quality goals and objectives. This information should also be captured in the Risk Register.
Step 3: Risk Evaluation. Risk evaluation is done by determining the magnitude of the risk, which is a combination of the likelihood of the risk happening and the severity of the risk consequences. Once the risk magnitude has been established, a decision needs to be made about whether the risk is acceptable or not as is. If it is not acceptable, the next step would be to determine what needs to be done in order to mitigate the risk. The risk evaluation is once again captured in the Risk Register.
Step 4: Risk Treatment. Risk treatment is also known as Risk Response Planning. This process involves assessing all the risks identified, and then creating and implementing action plans that will mitigate the risks until they are at acceptable levels. While doing this, you need to look not only at minimizing the negative risks, but also at how the opportunities that have been identified can be enhanced. Creating preventive plans, mitigation strategies and contingency plans is all part of this process. Remember to add the risk treatment plans to the Risk Register.
Step 5: Risk Monitoring and Review. Once the full detail of your risks and the steps to mitigate them are in the Risk Register, this can be used to regularly monitor, track and review risks.
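The five steps above map naturally onto a small risk register. The following is an added example written for this article, not code from the original post or from any ISO 9001 tool; it assumes 1-to-5 ordinal scales for likelihood and consequence, defines magnitude as their product, and treats any magnitude above 6 as needing action (a threat that is not acceptable as is, or an opportunity worth enhancing). The scales, the threshold and the sample risks are all constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Assumed conventions (not from the article): 1..5 ordinal scales,
# magnitude = likelihood * consequence, anything above 6 must be acted on.
SCALE_MIN, SCALE_MAX = 1, 5
ACCEPTABLE_MAGNITUDE = 6


@dataclass
class Risk:
    risk_id: str
    description: str                      # Step 1: what was identified
    kind: str                             # "threat" or "opportunity"
    likelihood: Optional[int] = None      # Step 2: probability rating
    consequence: Optional[int] = None     # Step 2: impact rating
    treatment: Optional[str] = None       # Step 4: mitigation / enhancement plan
    review_log: List[str] = field(default_factory=list)  # Step 5: review history

    def magnitude(self) -> int:
        """Step 3: combine likelihood and consequence into one size of risk."""
        for name, value in (("likelihood", self.likelihood), ("consequence", self.consequence)):
            if value is None or not SCALE_MIN <= value <= SCALE_MAX:
                raise ValueError(f"{self.risk_id}: {name} not analysed (expected {SCALE_MIN}-{SCALE_MAX})")
        return self.likelihood * self.consequence

    def needs_action(self) -> bool:
        """True when a threat is unacceptable as is, or an opportunity is big enough to pursue."""
        return self.magnitude() > ACCEPTABLE_MAGNITUDE


class RiskRegister:
    def __init__(self) -> None:
        self._risks: Dict[str, Risk] = {}

    def identify(self, risk_id: str, description: str, kind: str) -> Risk:
        if kind not in ("threat", "opportunity"):
            raise ValueError("kind must be 'threat' or 'opportunity'")
        if risk_id in self._risks:
            raise ValueError(f"{risk_id} already registered")
        self._risks[risk_id] = Risk(risk_id, description, kind)
        return self._risks[risk_id]

    def analyse(self, risk_id: str, likelihood: int, consequence: int) -> int:
        risk = self._risks[risk_id]
        risk.likelihood, risk.consequence = likelihood, consequence
        return risk.magnitude()

    def evaluate(self) -> List[str]:
        """Step 3 across the register: ids that need a treatment plan, largest first."""
        due = [r for r in self._risks.values() if r.needs_action()]
        return [r.risk_id for r in sorted(due, key=lambda r: -r.magnitude())]

    def treat(self, risk_id: str, plan: str) -> None:
        self._risks[risk_id].treatment = plan

    def review(self, risk_id: str, note: str, likelihood: Optional[int] = None,
               consequence: Optional[int] = None) -> bool:
        """Step 5: log a review, optionally re-rating the risk; returns whether action is still needed."""
        risk = self._risks[risk_id]
        if likelihood is not None:
            risk.likelihood = likelihood
        if consequence is not None:
            risk.consequence = consequence
        risk.review_log.append(f"{note} -> magnitude {risk.magnitude()}")
        return risk.needs_action()

    def untreated(self) -> List[str]:
        """Risks that need action but have no treatment plan recorded yet."""
        return [rid for rid in self.evaluate() if self._risks[rid].treatment is None]

    def get(self, risk_id: str) -> Risk:
        return self._risks[risk_id]


def build_sample_register() -> RiskRegister:
    """Constructed sample data walking a register through the five steps."""
    reg = RiskRegister()
    reg.identify("R1", "Sole supplier for a critical component", "threat")
    reg.identify("R2", "Calibration certificate returned late", "threat")
    reg.identify("R3", "New inspection fixture could cut rework", "opportunity")
    reg.analyse("R1", likelihood=4, consequence=3)   # 12: not acceptable as is
    reg.analyse("R2", likelihood=2, consequence=2)   # 4: acceptable, monitor only
    reg.analyse("R3", likelihood=3, consequence=4)   # 12: opportunity worth enhancing
    reg.treat("R1", "Qualify a second supplier; hold six weeks of safety stock")
    reg.treat("R3", "Trial the fixture on one line for a month")
    return reg


if __name__ == "__main__":
    register = build_sample_register()
    print("needs action:", register.evaluate())
    print("R1 still needs action after review:",
          register.review("R1", "Second supplier qualified", likelihood=2))
```

The register refuses to evaluate a risk that has not been analysed, so a risk cannot silently slip from Step 1 to Step 4 without a likelihood and consequence being recorded, and the review step re-runs the evaluation so that a treated threat drops off the action list only when its re-rated magnitude is actually within the acceptable range.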
Risk is about uncertainty. Once a framework has been built around the uncertainty and it has been defined properly, the risk has effectively been mitigated. Although it is never possible to completely remove risk, identifying and then managing all risks will prevent unpleasant surprises and uncover golden opportunities. The process will also help to resolve problems that do occur much more quickly and easily, as the problems have already been identified and plans to treat them are already in place. Impulsive reactions and “fire-fighting” to resolve problems are minimized, and this leads to less stress for all parties concerned. The end result is that the impact of threats is minimized and the opportunities that are revealed can be maximized.
ISO 9001 quality management systems (QMS) are implemented using MyEasyISO software in Quebec City (Canada), while ISO 14001 & OHSAS 18001 Health Safety Management Systems (HSE) are implemented with MyEasyISO in Valparaiso (Chile).