Risk-Based Thinking: Where to Begin

What is Risk?

Risk can be defined as “the effect of uncertainty on outcomes” (ISO 31000) or, alternatively, as “anything that can prevent an organization from achieving its objectives” (Kendall, 2017). Managing risk means taking responsibility and exploring uncertainty. Successfully addressing risk means making decisions that further an organization’s mission and goals. This framework is fundamental to ensuring effective quality management.

Hazards and threats are sources of risk. Hazards, which are situations with the potential to result in injuries, damage or harm, can be physical, chemical, biological, ergonomic, psychological, political or social. Hazards can become threats if (and when) they are activated. For example, a virus (computer or biological) may be a hazard, but it only becomes a threat if you might be impacted by it. The likelihood and severity of that impact on a particular person, place or thing determines the risk.

What you can do to effectively manage risk in your organization

Risk is relative to who or what is being impacted. As a result, you should develop an organizational profile (called “organizational context” in ISO 9001:2015) before you begin. This description of your organization should include its characteristics (including vision, mission and main offerings), its capabilities (assets and workforce profile) and its environment (including regulatory requirements, supplier and partner relationships, and market conditions). The organizational profile also should address the strategic context, such as the competitive environment, current challenges, and advantages or disadvantages that may impact success factors.

Organizational Context

  • Characteristics: vision, mission, product/service offerings
  • Capabilities: physical assets, information assets, workforce profile, workforce conditions, proprietary processes, goodwill and trust
  • Environment: legal and regulatory requirements, supplier capabilities and relationships, partner capabilities and relationships, market conditions
  • Strategic context: competitive environment, challenges

Most importantly, the organizational profile must describe stakeholders and their needs. Each stakeholder group may have a different risk profile, and some stakeholders may have more impact on the success of a company than others. Stakeholders, referred to as “interested parties” in ISO 9001:2015, can be customers, suppliers, employees, members of the community or region where the organization is located or society in general. Governments are also stakeholders, particularly for organizations that are highly regulated.

How can I implement risk management?

Organizations can identify, evaluate and treat risks to different degrees of formality, and can limit the scope to individual divisions or facilities or expand it to the enterprise level. Systematic risk management follows a data-driven Plan-Do-Check-Act (PDCA) approach (IOSH UK, 2017) and is characterized by the following activities:

  • Setting policies for quality, environmental management and/or health and safety
  • Defining procedures, roles and responsibilities
  • Conducting risk assessments and implementing controls
  • Continuously monitoring performance and conducting regular reviews
  • Continuously improving policies, procedures, roles, responsibilities and controls to improve the performance of the entire system

These steps can be treated as parallel processes when quality, environment and health and safety systems are managed independently, or can be combined for organizations that have integrated management systems (IMS) in place.

Want to know more? Dr. Radziwill’s full report can be found HERE.

About the Author

Nicole Radziwill is Quality Practice Lead at Intelex in Toronto, Ontario. She uses data science and applied machine learning to enhance quality and catalyze innovation in industrial systems. Nicole is a Fellow of the American Society for Quality (ASQ), a Certified Six Sigma Black Belt (CSSBB), a Certified Manager of Quality and Organizational Excellence (CMQ/OE), and editor of Software Quality Professional with a PhD in Quality Systems from Indiana State. She is one of ASQ’s Influential Voices and blogs at http://qualityandinnovation.com.


About Nicole Radziwill

Nicole Radziwill is a quality manager and data scientist with more than 20 years leadership experience in software, telecommunications, research infrastructure, and higher education. Prior to joining Intelex, she was an associate professor of data science and production systems at James Madison University, Assistant Director for End to End Operations at the National Radio Astronomy Observatory (NRAO), managed software product development for the Green Bank Observatory (GBO), and managed client engagements for Nortel Networks and Clarify (CRM). She is an ASQ-certified manager of operational excellence (CMQ/OE), an ASQ-certified Six Sigma Black Belt (CSSBB), and contributed to the development of ISO 26000—“Guidance on Social Responsibility.”
