Quality Digest
December 17, 2017

by Simon Ledgard and Erroll Taylor

ISO 9004:2000 and Risk Management

ISO 9004:2000 is a guideline for performance improvements. It’s not a traditional standard to which organizations become registered. Instead, ISO 9004 provides guidance for organizations that want to go beyond the requirements of ISO 9001:2000. ISO 9001 is a quality management standard with a process-based approach toward continuous improvement and addressing customer needs. ISO 9004 goes beyond the requirements of ISO 9001 and focuses on stakeholder needs. Stakeholders include internal personnel, customers, owners, suppliers, society and other shareholders. The ISO 9004 audience is much broader and encompasses a variety of potentially different requirements.

By applying ISO 9004, organizations are afforded the opportunity to understand the wider environment in which they operate. A large number of stakeholders affect the decisions of organizations. In many established organizations, the needs and expectations of stakeholders are not incorporated into how resources are being utilized.

In developing both short- and long-term strategic objectives, your organization should consider current and future stakeholders’ needs. Of course, you cannot and should not meet all stakeholder needs. Some stakeholder needs may be in direct conflict with others. All organizations have limitations on the resources they can deploy. Organizations must develop their business strategies carefully in order to balance stakeholder expectations and remain profitable. In determining stakeholder needs and prioritizing those needs, your organization gains the context and balance for sound strategic and operational decisions. You can then use this information as a fundamental part of your risk management processes.

The concept, structure and principles of ISO 9004 are similar to those used in ISO 9001, but ISO 9004 incorporates the needs of a larger audience and covers additional aspects in greater detail. Organizations already familiar with ISO 9001 will find it relatively straightforward to apply ISO 9004. However, the results will dramatically affect how your organization’s resources are allocated and utilized. ISO 9004 provides the opportunity for your organization to improve your management system to incorporate all appropriate stakeholder needs.

Recent news events have focused business leaders on the importance of looking after all their stakeholders. Although profit is fundamental to business success, it’s no longer acceptable to drive businesses exclusively through financial controls. Other factors must be considered to ensure that the business of business remains successful during the medium term. Customers, employees, legislation, litigation, and local and worldwide opinions can all significantly affect the health and prosperity of any organization.

Will your company be the next one to hit the headlines? Consider the following leads from July 2002 issues of the Financial Times:

• U.S. regulators are underfunded and pulled in dozens of directions in their efforts to restore investor confidence.

• Sony became the latest victim of investor concern.

• Tyco shares dropped sharply after a Goldman Sachs analysis.

• China’s insatiable demand for coal has precipitated a series of terrifying underground explosions.

• The World Health Organization yesterday released the draft text of a groundbreaking international tobacco control treaty.

• Farmers and residents are protesting the planned seizure of their land to build a new international airport for Mexico City.

Governments in North America, Europe and Asia are increasingly focusing on corporate governance and internal controls. As a result, organizations will have to demonstrate that they have structured management systems in place to review and prioritize all their stakeholders’ needs as well as manage the business risks they face. Many view these issues as related initiatives that must be adopted as additional business functions.

How can organizations juggle the conflicting requirements of high financial returns, fair salaries, decent working conditions, low prices, excellent service and minimal impact on the environment?

Encouraged by such standards as ISO 9001:2000, many organizations are adopting a process-based approach and applying it to all their activities. It’s become an essential tool in helping them understand their customers’ needs and expectations. Quality management is no longer the exclusive domain of manufacturing operations; the process approach has proved invaluable to service organizations such as local governments, health care institutions and financial organizations. As an additional benefit, management standards require that companies build a cycle of continuous improvement into everything they do.

Companies that have implemented these standards and evolved with them have seen that they help manage conflicting priorities in a structured way. The challenge for these organizations is to recognize what’s not being done and where development is required to build upon systems already in place.

In addition to ISO 9001:2000, two other risk-based approaches to management systems have been introduced with the environmental standard ISO 14001 and the occupational health and safety system OHSAS 18001. With these, organizations are encouraged to identify and evaluate all the environmental and occupational risks they face. Significant risks with severe consequences must be managed, either by eliminating them or reducing their frequency and/or severity.

By adopting these process and risk-based approaches, organizations can improve their understanding of customer requirements and expectations. Organizations that do so will also be in a better position to manage the way in which they interact with their physical environments and look after the health and safety of people at work. Standards offer a method of measuring progress against objectives, which in turn helps drive continual improvement, competitiveness and success in an increasingly demanding environment.

Prioritizing stakeholder needs

A new standard, ISO 9004:2000, Guidelines for performance improvement, can help companies effectively review and prioritize stakeholder needs. This standard takes them beyond the requirements of the global benchmark quality management standard ISO 9001:2000 by using eight management principles:

• Interested parties

• Leadership

• Involvement of people

• Process approach

• System approach to management

• Continual improvement

• Factual approach to decision making

• Mutually beneficial supplier relationships

By adopting ISO 9004:2000, organizations develop a better understanding of the wider environment in which they operate. All organizations are affected by stakeholders. In some cases these effects are highly visible, and a detailed review of them is unnecessary. However, in most organizations, stakeholder needs and expectations are often taken for granted, and this leads to inappropriate use of the organization’s resources.

Stakeholders can include owners/shareholders, suppliers, competitors, society, employees and customers. Their immediate and future needs must be considered when developing both short- and long-term strategic objectives. Of course, not all stakeholder needs can or should be met. Some may directly conflict with others, and all organizations inevitably have limitations on the resources they can deploy. Companies must develop business strategies that will balance stakeholder expectations against survival in a competitive business climate. One aspect of such strategies is allocating resources to the most appropriate stakeholder needs. Knowing and prioritizing stakeholder needs contributes to sound strategic and operational decisions and also can be input into the risk management process.

The concept, structure and principles of ISO 9004:2000 are similar to those of ISO 9001:2000. Organizations already familiar with ISO 9001:2000 will find applying ISO 9004:2000 relatively straightforward. However, the new standard can have a dramatic impact on the way these organizations’ resources are deployed—particularly stakeholder needs, expectations and relative priorities.

Identifying and evaluating risks

Risks can be seen positively as business opportunities, such as investing in an innovative new product, moving into new geographical markets or merging with another organization. Organizations that can effectively manage these risks are much more likely to protect and enhance their stock market valuation and expand their business.

In a more traditional—i.e., negative—sense, risk is usually seen as a potential for loss, whether it’s lost revenue, litigation, claims or harm to people, property or the environment.

In fiercely competitive manufacturing industries that use just-in-time techniques, late delivery from a supplier means production downtime and unhappy customers. Claims for lost revenue and damage to reputation ricochet down the supply chain, destroying the financial viability of otherwise successful businesses. Aside from the obvious negatives incurred when people or the environment are injured, the inevitable and damaging press coverage that follows can destroy shareholder confidence and business value.

The risks associated with less-tangible assets, such as an organization’s brands, must also be carefully evaluated. Brands take years and significant financial investments to build but only seconds to destroy. For example, air traffic controllers have recently charged the pilots of some low-cost airlines in the United Kingdom with putting efficiency above other criteria. Would you fly with an airline with a poor safety record?

After all the necessary business information is gathered, the next step in a risk management process is to perform a risk assessment. This may seem more of an operational issue, but in fact it requires a companywide approach. Risk can be inherent in an acquisition opportunity just as much as it is in an accident.

Organizations that have successfully applied the environmental management system standard ISO 14001 have reviewed their operations with respect to significant environmental issues (e.g., air and water emissions, waste management, land contamination, raw materials and natural resources, and other local environmental and community concerns). As part of the process, the standard helps these companies respond to a common stakeholder expectation: managing risk and preventing loss with respect to the environment.

Organizations that have successfully applied OHSAS 18001 have identified hazards and performed risk assessments relating to routine and unusual activities performed by anyone who has access to the workplace, even subcontractors and visitors. They’ve also extended this examination to workplace facilities, whether the organization or an outside supplier provides them. Organizations that adopt this standard not only establish a culture of risk management, but also address another key stakeholder concern: the people within the organization.

Essentially, the challenge to organizations is to master the risk assessment process and apply it companywide. Once the process is adopted for obvious concerns, such as those related to waste management or heavy machinery, it can be used to evaluate less tangible assets—like brand management. Again, the environment in which an organization works—and this includes the stakeholders who influence how it operates—is a key prerequisite and shouldn’t be forgotten.

Managing risk through an integrated system

Once risks have been identified, a company must decide how it plans to tolerate, terminate, transfer or treat them. Treating a risk is often the most complicated choice because it requires control and measurement. These form the foundation of an effective management system.

Difficulties arise when an organization determines that a risk falls outside its management system’s usual scope. For example, a risk might be identified in information security and how information is collected, stored, maintained, accessed and communicated throughout the business and to other stakeholders. By adhering to the requirements agreed upon by industry and applying appropriate management system safeguards, such as those outlined in the information security standard ISO 17799, the organization can improve its current system and mitigate significant risks.

Another aspect of managing risks through treatment is maintaining the balance between competency and procedure. Organizations that have implemented ISO 9001:2000 are aware that it’s often more appropriate to manage a process by means of competent personnel rather than requiring them to follow meticulous, step-by-step instructions. This philosophy also applies to risk management: By its very nature, risk can’t always be controlled through checklists.

Using the skills of a trained and highly competent staff is a very effective method of managing risk. Proper training and experience allow staff to identify inherent risks in given situations and quickly work out the most appropriate course of action. This implies a very different culture from one in which staff is expected to work methodically through detailed procedures before filling in the required documentation.

When managing risk, it may therefore be appropriate to build in checkpoints along a process to measure and identify potential risks. Staff competency can be matched to perceived risks at each stage in the process, ensuring that the risks are managed safely. Employee competency can be tested periodically, which will in turn help drive training programs and succession planning.

Most management system standards require that an organization measure its performance against objectives. For organizations that have successfully implemented management system standards, these measurements can be applied to risk management. Also, because processes are already in place to measure and analyze information, additional data required for risk management can be more readily obtained. For example, a company might decide that storing a particular manufacturing byproduct beyond an established amount is an unacceptable risk. To monitor and continuously evaluate this risk, the company can determine from the sales process the number of orders anticipated and from those figures, the corresponding amount of byproduct expected once production is completed. A process can then be developed to ensure that when the byproduct exceeds the established storage amount, it’s safely disposed of or recycled.

Any business using an integrated approach that includes risk management will be able to provide objective evidence to top management, who can use the information to ensure the organization’s health and implement continuous improvement through management review. Applying a management system standard ensures a structured approach to fact-based decisions about the organization’s future.

One system for best practices

Is risk management an independent issue, something that must be managed separately from everyday operations? Evidence indicates that most organizations are already managing risk through their management system standards.

Building upon what’s already in place is often the most appropriate way forward. Perhaps the true challenge for organizations today isn’t identifying and managing risk but figuring out how to establish a culture based on a single business management system that can be used to apply best practices.

Internationally recognized standards can help organizations assess all their stakeholders’ needs and expectations. The results of internal and external audits to these standards can be used to drive organizational risk management. The whole system must have a continual improvement focus in line with strategic objectives in order to safeguard the organization’s future prosperity. Such a system could be described as a total business management system.

About the authors

Simon Ledgard is a sector category manager of manufacturing at BSI Inc. He assists in the development of services for key manufacturing sectors around the world and the development of new BSI assessment services, such as business performance improvement review, based upon the principles of ISO 9004:2000.

Erroll Taylor is global marketing manager of manufacturing at BSI Inc. He is responsible for developing BSI’s services aimed at key manufacturing sectors around the world, including automotive, aerospace and defense, engineering, electrotechnology, and building and construction.

For more information about BSI Inc., visit www.bsiamericas.com. Letters to the editor regarding this article can be sent to letters@qualitydigest.com.