ISO Show

#248 How To Address Risk Management Within ISO


Most ISO Standards take what’s known as a ‘risk-based approach’, which focuses on proactively identifying and mitigating potential risks while capitalising on opportunities.

The methods for managing risk can be very varied, and many make the mistake of treating it as a separate task rather than as an integrated part of your existing processes.

In this episode, Ian Battersby explains what risk management means in regard to ISO management, what this looks like in practice and breaks down different methods you can utilise for effective risk management.

You’ll learn

  • What is risk?
  • Where is risk referenced in ISO Standards?
  • How do you identify risks and opportunities?
  • How can you document risks and opportunities?
  • What does a Risk Register look like?
  • How are risks categorised?
  • How many risks should you document?
  • How do you evaluate and rate risks?
  • How do you address opportunities?
  • How can ISO 31000 help?
  • How different ISO Standards define their relevant risks
  • Governance and risk management

Resources

In this episode, we talk about:

[02:05] Episode Summary – Ian dives into the topic of risk management within ISO, explaining what risk is, how risks should be documented and evaluated, and what methods you can use to do so.

[02:45] Further info on risk management: If you want more guidance there is a dedicated risk management Standard (ISO 31000).

[03:10] What is risk? Risk, as defined by ISO Standards is:

“An effect of uncertainty on objective.

An effect is a deviation from the expected. It can be positive, negative or both, and can address, create or result in opportunities and threats”

It is important to note that this covers both risks and opportunities.

[03:40] Where is risk referenced in ISO Standards? The main risk related requirements can be found in Clause 6 Planning for most ISO Standards:

6.1 Actions to address risks and opportunities – There’s a positive and a negative aspect mentioned right from the start.

However, these elements aren’t relegated to a few clauses. ISO Standards are built on a ‘risk-based approach’, which is directly mentioned within the introduction:

“This International Standard employs the process approach, which incorporates the Plan-Do-Check-Act (PDCA) cycle and risk-based thinking

Risk-based thinking enables an organization to determine the factors that could cause its processes and its management system to deviate from the planned results, to put in place preventive controls to minimize negative effects and to make maximum use of opportunities as they arise.”

While it is prescriptive, it does allow flexibility for businesses to determine what risks are significant to them.

Other places it is mentioned in Standards include Leadership:

“Top management shall demonstrate leadership and commitment by: d) promoting the use of the process approach and risk-based thinking”

It’s not just about adopting the risk-based approach; leaders have to promote it. The use of the word ‘shall’ indicates that this is not optional and cannot be delegated.

[08:10] How do you identify risks and opportunities? The Planning clause directly references clause 4, which is Context of the organisation.

Within that clause, businesses are required to think about the things which affect the way they operate, the world in which they work, the people and organisations they must consider, and the obligations placed upon them.

One key activity that typically happens at that stage is a SWOT and PESTLE. This is not specified by the Standard, but it is a very popular method of identifying your risks and opportunities across multiple areas.

The results of this can be fed back into Clause 6 Planning, which asks you to consider and do the following:

  • Give assurance that the system can achieve its intended result(s);
  • Enhance desirable effects;
  • Prevent, or reduce, undesired effects;
  • Achieve improvement;
  • Plan actions to address these risks and opportunities;
  • Integrate and implement the actions into its system processes;
  • Evaluate the effectiveness of these actions.

This is where you have the freedom to determine what significant risk means to your business. This also establishes the approach to risk management as proactive rather than reactive.

[13:15] How can you document risks and opportunities? Although you need to determine risks, you don’t necessarily need a risk management process or methodology based on the guidance in a standard like ISO 31000.

There’s no requirement to even have a risk register! However, we do strongly recommend using one.

If you choose not to use one, you could document each risk individually with the plan of action to mitigate it. This is fine, but a register allows you to see what’s happening across all risks.

It allows comparison of different types, different categories, across different parts of the organisation, at different levels. It can support decision making and allocation of resource where there’s competition for that resource. It can prompt escalation and more significant management attention where it’s needed.

It can also form a basis for reviewing the effectiveness of your processes.

So, while not a firm requirement, it can be a very useful tool.

[15:20] What does a Risk Register look like? A typical Risk Register usually sits in a table or Excel document. You can number your SWOT and PESTLE findings and put them into this Risk Register.

One of the columns included is the interested parties affected by the risk, e.g. the risk that your processes deliver the wrong product directly relates to your customers; the risk of enforcement may relate to your board; the risk of terrible PR may affect your investors; the risk of polluting may affect the local population, enforcement agencies etc.

Certain standards also require you to determine compliance obligations associated with each interested party, so that may be useful to add as a column.

Then, you need a column detailing what the impact of the issue is (remember, both positive and negative). Then you need to evaluate each entry; this involves measuring the significance, the size and the scale.

When evaluating risks, you need to indicate which processes you have in place that control the risk. Then you need to rate the risks in their current (do-nothing) form.

This is where it helps to have a register where different types and categories can be judged alongside each other, so you’ll be able to see what’s really important in one place.

An organisation needs to decide what level of risk it’s prepared to accept; this may be a straightforward decision where a specific value triggers escalation and action, but it may be more complex, depending on the organisation you are in and the environment in which you operate.

If the risk is acceptable, should you still commit resource to addressing it? There is a balance in reducing risk overall: is it an easy win? Is it easy to do?

If you feel you should address a risk, what method of risk treatment should you adopt?

The actions you propose to take should then be set out in proper detail: who will do what, by when, and with what resource? This should also detail the measures you will use to assess effectiveness.

If a risk or a group of associated risks requires an objective, state it clearly and link to that objective.

[21:35] How are risks categorised? The types of risks you will be focused on will depend on the ISO Standard you’re implementing.

For example, for ISO 9001 this will be the ability to consistently deliver the best we can to our customers. For ISO 45001 the ultimate aim is to protect your workforce from harm.

Regardless, you can get quite broad with the nature of your risks, including considerations such as the ability to fund the right equipment and infrastructure; any investment in a sustainable future; the competence of personnel; a safe working environment to deliver products/services; compliance with relevant legislation; forces affecting your market; stability of supply chains; reputation; social attitudes to work, technology etc.

But, regardless of whether you’re certified to a multitude of standards, operations are typically so interdependent that you can’t separate financial risks from operational ones, etc.

[23:55] How many risks should you document? It’s easy to get overwhelmed by generating a huge register when you’re a small organisation, but you should be realistic. Focus on what’s really significant.

A SWOT/PESTLE may generate lots of issues, but not everything has to be treated as a risk or opportunity for the risk register.

First, ask yourself: what will actually have an impact on you if it materialises? What is beyond your control or influence? What requires just monitoring?

A larger organisation will tend to generate a larger register, but this can be categorised in different ways:

  • Split by function
  • Split by category (operational, safety, compliance, financial)
  • Split by significance: operational vs strategic or corporate
  • This can be done by the scale of the risk; any risk above a specific threshold could be escalated to the strategic level
  • There could be factors in the risk evaluation which include strategic significance
  • There could be specific subjects (e.g. compliance) which you automatically escalate to a strategic level

[25:55] How do you evaluate and rate risks? There are lots of complex and sophisticated ways of doing this. Certain sectors, industries, processes have specific needs and ways of evaluating risk. But, if you’re new to this, or there aren’t such complexities to consider, a very simple methodology is best.

Keep to a simple matrix of consequences and likelihood. Consider what the impact would be if the risk materialised, and rate these from 1 to 5:

1 = the consequences are not significant, it would only be a slight impact on the organisation, minor disruption, small financial loss, little/no physical harm.

5 = the consequences are disastrous, it could materially affect the way the organisation operates, it could cause serious physical harm, it could lead to severe financial loss, it could totally prevent us delivering our products/services.

Now consider the likelihood of the event occurring, again rating these from 1 to 5.

That could be qualitative evaluation:

  • 1 = very rarely
  • 5 = happens regularly, or it’s certain to happen

OR, it could be more quantitative:

  • 1 = once in ten/five years
  • 5 = daily/weekly

Then multiply these numbers and plot them on a matrix. The matrix then provides a visual heat map that indicates the level of risk and informs the level of resource you should apply to addressing it.
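As an added illustration that is not from the episode, the following Python scores a few constructed register entries on the 1-to-5 consequence and likelihood scales described above, bands the product for the heat map, and flags entries for escalation to the strategic level; the threshold of 15, the ‘medium’ cut-off of 8 and the automatic escalation of compliance items are assumptions, since the episode gives no fixed numbers.

```python
from dataclasses import dataclass
# Assumed cut-offs for the 5x5 matrix (ratings run 1..25): the episode gives no numbers
STRATEGIC_THRESHOLD = 15        # escalate to the strategic level at or above this
AUTO_ESCALATE = {"compliance"}  # subjects escalated regardless of score

@dataclass
class RiskEntry:
    ref: str                  # numbered SWOT/PESTLE finding, e.g. "T1"
    description: str
    category: str             # operational, safety, compliance, financial
    interested_parties: tuple
    existing_controls: str    # processes already in place that control the risk
    consequence: int          # 1 = slight impact .. 5 = disastrous
    likelihood: int           # 1 = very rarely .. 5 = daily/weekly or certain

    def __post_init__(self):
        for name in ("consequence", "likelihood"):
            if not 1 <= getattr(self, name) <= 5:
                raise ValueError(f"{name} must be 1..5 for {self.ref}")

    @property
    def rating(self) -> int:
        """Current (do-nothing) rating: consequence multiplied by likelihood."""
        return self.consequence * self.likelihood

def band(rating: int) -> str:
    """Heat-map band; 'medium' from 8 upwards is also an assumption."""
    if rating >= STRATEGIC_THRESHOLD:
        return "high"
    return "medium" if rating >= 8 else "low"

def needs_escalation(entry: RiskEntry) -> bool:
    return entry.rating >= STRATEGIC_THRESHOLD or entry.category in AUTO_ESCALATE

def heat_map(register):
    """5x5 grid keyed (consequence, likelihood) -> refs, for the visual plot."""
    grid = {(c, k): [] for c in range(1, 6) for k in range(1, 6)}
    for entry in register:
        grid[(entry.consequence, entry.likelihood)].append(entry.ref)
    return grid
# Constructed sample register entries, not taken from the episode
REGISTER = [
    RiskEntry("T1", "Single supplier for a key component", "operational",
              ("customers",), "annual supplier review", 4, 3),
    RiskEntry("T2", "Permit breach from site discharge", "compliance",
              ("local population", "enforcement agencies"), "monthly sampling", 5, 1),
    RiskEntry("W1", "Forklift movements near pedestrians", "safety",
              ("workforce",), "segregated walkways", 4, 4),
]
```

Note that T2 scores only 5 but is still escalated because of its subject, which is the ‘automatic escalation’ case from the categorisation list.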

[29:15] How do you address opportunities? You can also evaluate opportunities in a similar manner. Rather than assessing negative consequences, you consider the positive impacts on the organisation when an event occurs.

These are plotted in the same way on a matrix, but with appetite and tolerance rather than consequences and likelihood.

Risk appetite can be defined as ‘the amount and type of risk that an organisation is willing to take in order to meet their strategic objectives’.

These appetites range from averse and cautious to open and eager.

For example, a public sector risk appetite could be a local council adopting a “cautious” approach to financial management while having an “open” appetite for innovation in digital service delivery. This balances the need for fiscal responsibility with the desire for improved efficiency, often accepting higher risks for long-term environmental or social gains.

Risk tolerance is the actual threshold that your organisation can bear before action or escalation is needed, whether financial, operational, reputational or enforcement-related.

This concept may not be for you if you’re at an early stage of development, but one to keep in mind.

[32:00] How can ISO 31000 help? If you feel you should address a risk, what method of risk treatment should you adopt?

ISO 31000 Risk Management Guidance suggestions include:

  • Avoiding the risk by deciding not to start or continue with the activity that gives rise to the risk;
  • Taking or increasing the risk in order to pursue an opportunity;
  • Removing the risk source;
  • Changing the likelihood;
  • Changing the consequences;
  • Sharing the risk (e.g. through contracts, buying insurance);
  • Retaining the risk by informed decision (no influence, cost too great).

[33:40] How different ISO Standards define their relevant risks: ISO 45001 states:

“The organization shall establish, implement and maintain a process(es) to:

a) assess OH&S risks from the identified hazards, while taking into account the effectiveness of existing controls;

b) determine and assess the other risks related to the establishment, implementation, operation and maintenance of the OH&S management system”

ISO 22301 Business Continuity states:

“The organization shall implement and maintain a risk assessment process.

The organization shall:

a) identify the risks of disruption to the organization’s prioritized activities and to their required resources;

b) analyse and evaluate the identified risks;

c) determine which risks require treatment.”

Be careful not to confuse these types of risk with organisational, management-system risks.

[36:05] Governance and risk management: A Risk Register is not a static document. It needs to be reported on regularly, such as during Management Review meetings.

The register itself isn’t evidence of good risk management. What counts is how you use it to demonstrate that your actions have addressed risks and opportunities.
