Glen Fraser

Hacking Risk Management

Three ways to build it into your processes

Published: Wednesday, October 1, 2014 - 11:25

No matter what industry you’re in, you’re probably hearing about risk management. It’s in compliance, governance, quality management—it’s everywhere. It’s also a broad-reaching topic. In quality and compliance management, we see risk as a function of operations. We’re being told to manage our risks and take action on controlling risk.

But what are we really doing with risk? Are we implementing risk-based strategies within our quality and compliance operations? Companies are so intensely focused on maintaining operational excellence within their respective areas, that many put the concept of risk management aside as a future project, one that would be completed once they’ve finished keeping in line with current compliance processes.

Is risk management so onerous that it needs to be a whole project, or can we effectively bring the risk dynamic into our daily operations? For those in quality management, there will soon be no choice: The ISO 9001 revision due out next year will include risk management as an element of the quality management system (QMS), and the concept will become a reality for many. However, risk management as a concept doesn’t need to be overwhelming, especially in the context of quality and compliance management.

Let’s go ahead and break it down, “hack” our way into risk management. There are simple ways companies can start incorporating it into existing processes without completely reworking them.

Risk management as a process

Risk management can be a process in and of itself. ISO 31000 is dedicated exclusively to risk management, and it’s really a framework for going about the process of building a risk management system. Surprisingly, it doesn’t have to be overly complicated. As with any standard, there are overall documentation and review requirements (the commitments, policies, and management reviews a risk management strategy calls for), but the process itself can be broken down into the following five steps.

Step 1: Identify your risks. Essentially, once you’ve determined your company has to build a risk plan, the first major task is to identify what your risks actually are. You’re looking to see where in your processes threats exist. This can be done by talking with stakeholders, such as company leaders and managers, and by identifying existing adverse events. Many companies start by surveying their operations and then categorizing the possible risks into a “taxonomy of risk.” This is nothing more than grouping the various hazards into broad categories to build a list of risks within the organization. Other organizations look at past events to see where the most troublesome areas are, and identify specific risks from there. You might not get all your risks identified during this first pass, but that’s why risk management is designed to be a continuous process.

Step 2: Analyze your risks. Now that you’ve built a list of risks, you’ll want to take that list and determine how bad those risks are. Most companies will use a common set of tools to accomplish this. For the most part, this means categorizing each event according to its severity and frequency. Severity simply means, “How bad is the risk to the company?” Frequency means, “How likely is this risk to happen often?” You can scale these two levels to obtain a general idea of what risks are severe or frequent. The following table gives you an example of how severity and frequency can be scaled:

Severity scale

Negligible: There is no significant risk of injury or loss of operation from this hazard.

Marginal: There is a potential for minor or remote injury, or minor or remote delay of operations from this hazard.

Critical: There is a potential for severe injury or a significant delay of operations.

Catastrophic: There is a high likelihood to result in death or stoppage of operations.

Frequency scale

Infrequent: Recurring manifestations of the hazard are very unlikely.

Occasional: Some recurring manifestations of the hazard are likely to occur.

Likely: This hazard will be experienced.

Frequent: This hazard is likely to occur often.

Step 3: Evaluate your risks. This is where you take your risks, scale them, and then based on the result, come to a decision. For many, this becomes a challenge. How do you quantify risks? Organizations will take these scales and assign a numerical value to them, where 1 is the lowest risk, and 4 is the highest. They can then calculate risk on a simple multiplication scale, and for each result, they build a decision. Here’s an example of a simple multiplication factor, using the scales from the table above:

Risk Result

Description (suggested)


No recall, regulatory reporting, or corrective action is required. However, you may want to consider for improvements to the product or processes.


You may want to issue a recall only for events resulting in a physical injury or cost impact. Although a corrective action isn’t required, you may want to consider voluntary action.


This risk is as low as reasonably practicable (ALARP), but undesirable for the business. A recall or investigation is likely unless there is clear mitigation. Corrective action is usually required unless there is a documented reason.


Requires a product recall, investigation, and immediate action on the product or process. A corrective action must be initiated, and a regulatory report may be required.

Step 4: Control the risk and implement solutions. For each potential risk, you want to put methods in place to ensure that the risk is reduced as much as is reasonably possible. This is where controls are determined. Controls are activities, actions, or processes that are designed to address a risk and reduce it. There are many outcomes of a risk. You can seek to accept the risk (if it’s low), reduce it to acceptable levels, compensate with other processes to outweigh the risk, transfer the risk to another area, or simply avoid it altogether if it’s too great.

Step 5: Monitor and review risks. Simply put, the risk process doesn’t stop with just a one-time evaluation. You want to continually monitor the risks and the actions you are taking to control them. This is done through regular monitoring, auditing, and reviews. The overall goal is that you are always looking to see if the conditions have changed. A low risk today might be a high risk tomorrow, and you want to ensure that you are constantly improving your risk levels over time.

This is, of course, a very simple view; many organizations may have further complexities, but this is the backbone of the risk-managing process. Chances are many organizations are doing this already as part of their existing operational processes. They look for ways to control risks, and then audit and monitor these controls. For these companies, what remains of risk management comes down to quantifying the risk.

Three ways to quantify and assess risk

How do you quantify and assess your risks in a way that is easy and doesn’t disrupt the current process? There are many ways to incorporate risk management into the dynamics of running a business, and not all of them are complicated. Many organizations are probably already using some form of risk assessment (although they might not call it that), and it meets all the criteria of risk management. Let’s look at the different levels of risk assessments.

First-level hack: the decision tree
Many companies will use decision trees when determining an action, which is a form of risk assessment. Within a decision tree, you are given an input (e.g., an adverse event), and you use the tree to help determine the outcome of that event. Decision trees can be built to help you arrive at the right decision and provide guidance on that decision. This is an effective method of risk assessment, especially since it allows the user to follow a path, usually through question-and-answer trees like this one:

Decision trees are effective in that they can be embedded directly into the operational processes. This is especially good when assessing the effect of a process change in a change management context, determining when you need to report something to a regulatory agency, or even if you are determining whether an adverse event needs to be addressed through a corrective action.

Second-level hack: the risk matrix
Perhaps the most common tool in many industries is the risk matrix. It’s a grid that is quick, easy, and colorful, and it’s designed to make risk levels evident to everyone in the operation. Risk matrices plot two (sometimes three) levels on a graph. These are usually the severity and frequency scales. Each risk level is assigned a number, and within the graph you plot a formula to calculate where the two numbers intersect (usually by multiplication). Then you assign a color to the level of risk: red, yellow, or green in a simple format (some companies will use more colors depending on the complexity of the result). Here’s an example of a risk matrix:

The goal is to define a risk level based on two scales and build guidance into the results to help foster a decision based on the calculation. However, be careful to vet your risk matrix—sometimes you may get results that are mathematically sound but don’t fit the context of your operations. To mitigate this, you must vet the matrix using real-world examples (i.e., historical data) to ensure that your results are actually the right results. Some tweaking may be required, but once you vet the graph, the risk matrix is a powerful risk assessment tool.
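As an added example (not code from the article or from VERSE Solutions), here is the Step 3 multiplication scoring and the risk matrix above in Python, together with the vetting check this paragraph recommends: historical events are replayed through the matrix and any cell whose colour disagrees with the decision actually taken is flagged. The colour bands and the event history are constructed assumptions, since the page gives no numeric thresholds.

```python
# Added example, not code from the article: a 4x4 severity-by-frequency risk
# matrix scored by multiplication (the article's 1-4 scales), with a vetting
# step that replays recorded events through the matrix. The colour bands and
# the event history are constructed assumptions; the page gives no numbers.

SEVERITY = {"Negligible": 1, "Marginal": 2, "Critical": 3, "Catastrophic": 4}
FREQUENCY = {"Infrequent": 1, "Occasional": 2, "Likely": 3, "Frequent": 4}

# Assumed bands over the product range 1..16 (upper bound inclusive).
BANDS = [
    (4, "green", "no corrective action required; consider improvements"),
    (8, "yellow", "corrective action optional; consider voluntary action"),
    (12, "orange", "ALARP but undesirable; corrective action usually required"),
    (16, "red", "recall/investigation; corrective action must be initiated"),
]

def risk_score(severity, frequency):
    """Severity times frequency on the 1-4 scales, as the article describes."""
    return SEVERITY[severity] * FREQUENCY[frequency]

def risk_band(score):
    """Map a product score to its (colour, guidance) band."""
    for upper, colour, guidance in BANDS:
        if score <= upper:
            return colour, guidance
    raise ValueError(f"score {score} outside the 1-16 matrix")

def assess(severity, frequency):
    """Full lookup: (score, colour, guidance) for one severity/frequency pair."""
    score = risk_score(severity, frequency)
    return (score,) + risk_band(score)

def vet_matrix(history):
    """Return events where the matrix colour differs from the decision the
    business actually recorded; these flag cells that need tweaking."""
    mismatches = []
    for event in history:
        predicted = risk_band(risk_score(event["severity"], event["frequency"]))[0]
        if predicted != event["decided"]:
            mismatches.append((event["id"], predicted, event["decided"]))
    return mismatches

# Constructed sample history. E2 shows the article's caveat: a rare but
# catastrophic hazard multiplies to the same score as a minor, occasional one.
HISTORY = [
    {"id": "E1", "severity": "Critical", "frequency": "Likely", "decided": "orange"},
    {"id": "E2", "severity": "Catastrophic", "frequency": "Infrequent", "decided": "red"},
    {"id": "E3", "severity": "Marginal", "frequency": "Occasional", "decided": "green"},
]
```

Running vet_matrix(HISTORY) returns the single mismatch for E2, which is the kind of result that tells you a cell (or the pure-multiplication formula) needs adjusting before the matrix goes into production.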

Third-level hack: risk reporting and trending
Risk management and assessment are designed for measuring and making decisions to bring about compliance. However, as you measure risk and take actions, you are building a history of risk within your organization. This is valuable information that can help you fine-tune operations. It’s a good idea to create a risk library, or risk register, that will centralize risk data from all events, whether they come from quality, compliance, specific processes, or any adverse events. The risk register is a centralized location that will give you visibility into the risk within all operations.

Risk trending is a critical component of risk management, and it needs to come from historical data. You can build a risk history from various operational areas and report on the trends for that area. Not all operational areas will be the same in terms of how you assess the risk, but the risk register provides a common location for the data from your operations. With it you can see how risk management has evolved over time, analyze where high risks are likely to trend, determine what areas need more oversight, and assess how you can improve operations by using risk as a benchmark for overall compliance.

Risk management is a concept that is weaving its way into the fiber of just about every business discussion. However, many organizations, regardless of size, are still trying to establish their risk management framework. They are not ready to begin discussing risk management; they want to “do risk” but don’t have the time, or they simply don’t know where to start. However, most organizations are already “doing risk” but need to back up and start with the basics, think about how to work risk into their processes, and record their risks to learn and improve.

Rather than wait for the perfect moment to start executing a risk-based strategy, why not hack your way into risk management with simple yet effective methods that will not replace or rework your processes but enhance them? This way, you can start to measure and analyze risk while still maintaining your goals of operational excellence.


About The Author

Glen Fraser

Glen Fraser is the senior product manager for VERSE Solutions, a cloud-based quality and compliance management solution. Fraser has been involved in the IT industry for more than 30 years and in compliance for more than 15 years. He has owned his own consulting firm, built and managed product solutions for risk and compliance, as well as managed overall strategy for taking operational processes and automating them. Fraser currently provides industry and technical guidance on building best practices into VERSE Solutions cloud-based quality and compliance products.