What is Risk?
Risk can be defined as “the effect of uncertainty on outcomes” (ISO 31000) or, alternatively, as “anything that can prevent an organization from achieving its objectives” (Kendall, 2017). Managing risk means taking responsibility and exploring uncertainty. Successfully addressing risk means making decisions that further an organization’s mission and goals. This framework is fundamental to ensuring effective quality management.
Hazards and threats are sources of risk. Hazards, which are situations with the potential to result in injuries, damage or harm, can be physical, chemical, biological, ergonomic, psychological, political or social. Hazards can become threats if (and when) they are activated. For example, a virus (computer or biological) may be a hazard, but it only becomes a threat if you might be impacted by it. The likelihood and severity of that impact on a particular person, place or thing determines the risk.
What you can do to effectively manage risk in your organization
Risk is relative to who or what is being impacted. As a result, you should develop an organizational profile (called “organizational context” in ISO 9001:2015) before you begin. This description of your organization should include its characteristics (including vision, mission and main offerings), its capabilities (assets and workforce profile) and its environment (including regulatory requirements, supplier and partner relationships, and market conditions). The organizational profile also should address the strategic context, such as the competitive environment, current challenges, and advantages or disadvantages that may impact success factors.
| Profile element | Includes |
|---|---|
| Characteristics | Vision, mission, product/service offerings |
| Capabilities | Physical assets, information assets, workforce profile, workforce conditions, proprietary processes, goodwill and trust |
| Environment | Legal and regulatory requirements, supplier capabilities and relationships, partner capabilities and relationships, market conditions |
| Strategic context | Competitive environment, challenges |
Most importantly, the organizational profile must describe stakeholders and their needs. Each stakeholder group may have a different risk profile, and some stakeholders may have more impact on the success of a company than others. Stakeholders, referred to as “interested parties” in ISO 9001:2015, can be customers, suppliers, employees, members of the community or region where the organization is located or society in general. Governments are also stakeholders, particularly for organizations that are highly regulated.
How can I implement risk management?
Organizations can identify, evaluate and treat risks to different degrees of formality, and can limit the scope to individual divisions or facilities or expand it to the enterprise level. Systematic risk management follows a data-driven Plan-Do-Check-Act (PDCA) approach (IOSH UK, 2017) and is characterized by the following activities:
- Setting policies for quality, environmental management and/or health and safety
- Defining procedures, roles and responsibilities
- Conducting risk assessments and implementing controls
- Continuously monitoring performance and conducting regular reviews
- Continuously improving policies, procedures, roles, responsibilities and controls to improve the performance of the entire system
These steps can be treated as parallel processes when quality, environment and health and safety systems are managed independently, or can be combined for organizations that have integrated management systems (IMS) in place.
About the Author
Nicole Radziwill is Quality Practice Lead at Intelex in Toronto, Ontario. She uses data science and applied machine learning to enhance quality and catalyze innovation in industrial systems. Nicole is a Fellow of the American Society for Quality (ASQ), a Certified Six Sigma Black Belt (CSSBB), a Certified Manager of Quality and Organizational Excellence (CMQ/OE), and editor of Software Quality Professional with a PhD in Quality Systems from Indiana State. She is one of ASQ’s Influential Voices and blogs at http://qualityandinnovation.com.