ISO 9001:2015, clause 6.1 requires an organization to identify its risks and take actions to address identified risks. It is very tempting to start with a huge list of potential risks for the organization, but is the organization focusing on the actual risks that have an effect on its operations? To perform an effective risk assessment, an organization must first identify the uncertainty in its processes.
When uncertainties are identified, mitigation controls can be targeted at the effects of the identified uncertainties. Failing to identify an uncertainty first could lead to flawed risk identification and nonvalue-added controls. The approach defined here will lead to more effective and meaningful risk identification and mitigation.
How does an organization identify its uncertainties?
Before we go any further, there are two terms that I must define to put this concept in perspective. These are “uncertainty” and “risk.” Uncertainty is defined as, “something that is uncertain or that causes one to feel uncertain.” Risk is defined as, “the effects of uncertainty.” Given these definitions, it’s clear why an organization must start by defining the uncertainty within its processes before attempting to identify the effects of that uncertainty, i.e., its risks. An organization that doesn’t start by identifying uncertainty will define false risks and miss the actual risks that are affecting it. There is uncertainty in all organizational processes. The effects of these uncertainties are what plague the organization and its interested parties, so we must identify the uncertainty first.
Identify uncertainty, then its effects
Identifying uncertainty first is critical to effective risk identification. Here is a simple example. Let’s say an employee identifies the risk of being late to work but doesn’t start by identifying the uncertainties involved. Some uncertainties behind being late to work might include traffic, mechanical issues, weather, running out of gas, or getting into an accident. The effect of any one of these uncertainties could be the risk of the employee being late to work. Each uncertainty would require its own risk mitigation to address its effect on the risk of being late to work. The employee may have put a risk mitigation in place for traffic but failed to think about getting into an accident; therefore, the risk of being late to work might not be effectively mitigated. If the employee identifies all of the uncertainties first and then develops risk mitigations and contingencies for each uncertainty, the employee will drastically reduce the probability and the effect of being late for work.
Let’s apply this concept to an organizational process.
Mitigating effects of uncertainty
Here is an example of an uncertainty that can affect every organization. Consider the uncertainty involved in the employee hiring process. There are many effects of uncertainty, or risks, involved in this process. As explained above, the organization should start by identifying the uncertainties and then identify the effects of those uncertainties, i.e., the risks. Here are a couple of uncertainties involved with the employee hiring process.
• Candidate may not fit organizational culture
• Candidate may not be qualified
The effect of these uncertainties is that the organization may not hire the right candidate. But the organization shouldn’t start by identifying the risk; it must first identify the uncertainties to reduce the probability and effect of the risk. Otherwise, it might fail to put risk mitigations or contingencies in place to address the effects of the uncertainties.
For example, what if the organization simply attempts to mitigate the risk by having candidates complete an application and go through an interview? This mitigation control may help reduce the probability and effects of the risk, but there are many organizations that hire candidates using these controls, and employees still don’t fit their culture or are not qualified. This is because the risk mitigation focused on the risk rather than the uncertainty.
To address the uncertainty of the candidate not fitting the organizational culture, the organization may conduct a committee interview or have the candidate take a personality test. To address the uncertainty of the candidate not being qualified, the organization may call references and request proof of credentials. Both of these risk mitigations would go a bit further than the application and interview controls. Once the uncertainties and their effects are identified, the organization would be in a position to identify effective risk mitigations, which would target the effects of uncertainties.
Conclusion
Risk mitigation is more than simply writing a random list of risks. An organization must first identify the uncertainties within its processes. Once the uncertainties are identified, it must then identify the effects of those uncertainties. These are the risks that will most likely affect the organization. Focusing on the uncertainties and their effects allows an organization to implement a more robust and proactive risk mitigation program.