Understanding Risk Management and ISO Standards

Risk analysis and management may be the most important activities a company engages in

Published: Monday, July 17, 2017 - 12:01

Every company is in business to take risks.

Every action or failure to take action by that company naturally has some form of risk inherent in the process. To survive, a company needs to identify opportunities and take them when beneficial, but the amount of risk must be understood. Whether it’s determining to pursue new markets and make new investments or discontinuing those pursuits, risk is built into the nature of business.

If risk is built into the nature of business, then risk analysis and management may be the most important activities a company engages in. With the recent changes to management systems standards, the concept of risk management has never been more prominent, or had more potential to be misunderstood.

Risk management used to be confined to specific standards around issues such as business continuity (ISO 22301), information security (ISO 27001), and supply chain security (ISO 28001), but now it’s a fundamental concept in quality, health and safety, and environmental standards as well.

So what is risk? Business Dictionary.com defines risk as:
“1. A probability or threat of damage, injury, liability, loss, or any other negative occurrence that is caused by external or internal vulnerabilities, and that may be avoided through preemptive action
“2. Finance: The probability that an actual return on an investment will be lower than the expected return. Financial risk is divided into the following categories: Basic risk, Capital risk, Country risk, Default risk, Delivery risk, Economic risk, Exchange rate risk, Interest rate risk, Liquidity risk, Operations risk, Payment system risk, Political risk, Refinancing risk, Reinvestment risk, Settlement risk, Sovereign risk, and Underwriting risk.
“3. Food industry: The possibility that due to a certain hazard in food there will be an negative effect to a certain magnitude.
“4. Insurance: A situation where the probability of a variable (such as burning down of a building) is known but when a mode of occurrence or the actual value of the occurrence (whether the fire will occur at a particular property) is not.
“A risk is not an uncertainty (where neither the probability nor the mode of occurrence is known), a peril (cause of loss), or a hazard (something that makes the occurrence of a peril more likely or more severe).
“5. Securities trading: The probability of a loss or drop in value. Trading risk is divided into two general categories: (1) Systemic risk affects all securities in the same class and is linked to the overall capital-market system and therefore cannot be eliminated by diversification. Also called market risk. (2) Nonsystematic risk is any risk that isn’t market-related or is not systemic. Also called nonmarket risk, extra-market risk, or unsystemic risk.
“6. Workplace: Product of the consequence and probability of a hazardous event or phenomenon.”

Read more here.

So in essence risk is basically the effect of uncertainty on objectives, but in looking to be more succinct we can use the following: The processes of identifying, analyzing and then evaluating whether the risk should be modified or controlled in order to satisfy risk criteria, followed by data-driven application of resources to minimize, monitor and control identified risks and opportunities.

When applying risk management fundamentals from management systems, a company can manage its risk by using the requirements as a guideline, along with such techniques as:
• Risk register
• Analysis of alternatives
• Hazard analysis
• Fault tree analysis
• Failure mode and effects analysis (FMEA)
• Hazard and operability study (HAZOP)
• Risk traceability analysis

Our upcoming webinar, “Fundamentals of Risk Management,” will focus on avoiding risks that need to be avoided, but more than that it is about understanding and taking the right level of the right risk.

Join us as we review review:
• What is risk management and where does it fit in the new standards?
• How does it apply to my business?
• Is it just limited to what happens within our walls?
• What level of action is appropriate?
• Common misconceptions
• Understanding and applying the intent and best practices

The webinar, which I will present and which will be hosted by Quality Digest editor in chief Dirk Dusharme, occurs on Thursday, July 27 at 2 p.m. Eastern, 11 a.m. Pacific. Click here to register.

About The Author

Pam Bethune

Pam Bethune is the regional competence manager of the automotive sector for DEKRA. She is a lead auditor for IATF 16949, ISO 9001, ISO 14001, ISO 13485, and OHSAS 18001. Bethune expertise includes change leadership in quality systems, lean manufacturing, and Six Sigma in automotive and pharmaceutical industries. She has a reputation for building and strengthening teams performance in diverse manufacturing and service organizations.