Risk Management Courses

Not familiar with e-Learning?

A vast topic the pervades all aspects of business today. And rightly so.

Until about 15 years ago no one in business gave formal consideration to risk. Yes, it was there in the books on management from business schools but the practical application of risk mitigation was something only insurance companies talked about. Not so today. And if your organization is not ‘up to speed’ on managing risk you are, at best, bleeding profit or, at worst, laying the groundwork for your organization’s demise.

Our area of interest is ISO Management System Standards and in this post, we give you an overview of the many posts we have published on this topic.

Definition of Risk

ISO 31000 defines risk as the ‘effect of uncertainty on objectives’, where an effect is a deviation from the expected that can be positive or negative, or both and can address, create or result in opportunities or threats.

This definition leaves the door open to risk assessment to be based on opinion rather than on objective evidence. Other ISO Standards consistently use a different definition, namely, a ‘combination of the probability of occurrence of harm and the severity of that harm.’

While this definition leads to semi-quantitative measurement, at best it has been found (dare I say proven) to be reliable, not in terms of absolute values, but in terms of one being able to rank risk. That is, the higher the risk rating, the greater the risk. So, while not acceptable to the mathematical purists, it does give us an objective basis for making decisions regarding the control and mitigation of risks. Until something better comes along, this is our best option.

What is Risk Management?

Risk management is the act of proactively identifying possible threats to an organisation and laying out appropriate measures to minimize their impact.

A risk management plan can include but is not limited to an assessment of the organization’s structure, the identification of its key objectives, the allocation of resources in activities designed to effectively manage risks, the designation of people responsible for key tasks, and the development of strategies to ensure continual improvement of systems and processes among other things.

The Swiss Cheese Model for risk control

One control to mitigate each threat is not enough to manage risk. A standard such as ISO 27001, and the companion Code of Practice, ISO 27002, create the impression that one control is enough. Consider Annex A of ISO 27001. It lists vulnerabilities (which become threats where the vulnerabilities are exploitable) and suggests one control. This is not a good approach.

Several controls should be applied whenever practicable. It can be shown (as in the link below) that a combination of several weak controls can mitigate risk far better than one strong one, with the added bonus that failure of a control does not leave you totally vulnerable (as is the case if the one strong control fails).

The Risk Management Tools of ISO 31010

While we don’t like ISO 31000, we love its companion, ISO 31010. This Standard contains 40 plus risk management tools and, while it does not include examples, it sets out how each method can be applied and where it is best used. It includes methods covering all parts of the Risk Management Process, namely,

Identification (of the threats)
Consequence (or Severity of the risk event should it occur)
Likelihood (or probability of occurrence of the risk event)
Level of Risk (for individual events and for combinations of such events
Evaluation, i.e., consideration of the overall level of risk, risk appetite and setting the risk acceptance level.

Some examples from ISO 31010 are given in the table.

Click on the image to magnify the view

Risk-based Thinking in ISO 9001

There was much debate back in 2015 when the revised ISO 9001 Standard was published about what exactly risk-based thinking was about and how the requirement for it should be understood and addressed. And what it boiled down to was you had to think about risk but you didn’t have to document it!

Not a problem, of course, until some auditor asked for evidence that it had been done, which resulted in everyone documenting what they had done! So, the end result is that today every organization certified to ISO 9001, almost without exception, has documented risk management as part of their QMS documentation.

In many instances, the risk assessment will be a pretty lightweight effort but it will still be part of the QMS. The best advice is to include in your management system documented risk management (risk evaluation with risk mitigation, as appropriate) applied to each of the processes that make up your QMS.

Information Security Risk Management with ISO 27005

ISO 27001, the Information Security Management System and the associated guide, ISO 27002, Code of Practice for information security controls, do not address the question of how to address the risk associated with the various threats to information security that apply.

This can be found in the frequently ignored standard ISO 27005, information security risk management. The examples of typical vulnerabilities and threats are useful in clarifying three much-misunderstood aspects of information security, namely, risk asessment, risk treatment and risk acceptance.

ISO 45001 requires Risk Management

Like its ‘parent’ ISO 9001, this standard also calls for risk-based thinking. In addition, it also calls for Risk Management in relation to the occupational health and safety (OH&S) of all persons present at the workplace (e.g., staff, contractors, persons delivering and collecting goods, and visitors) plus those managed from the workplace (e.g., installation, service and maintenance staff and those working from home or on business away from the office).

Documentation of the threats arising at each location and for each process in the workplace is needed as well as the necessary mitigation of each of those risks. The applicable regulations (manual handling, noise, dust, VOCs, signage, etc.) all must be documented within the risk management system.

ISO 14971 is not a requirement of ISO 13485 but …

Section 7.1 of ISO 13485, the medical device management system standard, has a Note, which states: ‘Further information can be found in ISO 14971.’ The ISO 14971 Standard is not, therefore, a requirement of ISO 13485; it’s not even given the status as a Guideline. How then do you meet the requirement of ISO 13485 that ‘The organization shall document one or more processes for risk management in product realization.’?

There are two key issues to note here …

1. The threats to be treated here are risks to the user and/or patient safety and not component failure or failure of a process activity to function as intended.

2. Almost without exception, organizations certified to ISO 13485 choose to include ISO 14971 in their QMS.

There were a few minor issues with course content integration with course software, however, Customer Service through the Support Ticket was quick to respond and address issues. The ability to learn and gain qualifications through an online platform such as deGRANDSON’s offer is an extremely flexible option. I would commend this learning option and the use of Safari iOS which works consistently with the learning platform. The Support Team are very efficient and quickly resolves any issues that might be encountered, many thanks.

Anon
08-May-21
This is an excellent course. The content in the 3 modules was so beneficial and helped me to grasp details that I had previously struggled with. It was evident that the content was factual and from the real world in its tips for application. The answers and direction provided in the FAQ’s was excellent and very helpful. Any query I had was answered promptly. I honestly don’t know what you could do better. Thank you for all your help and guidance.

Anon
(31-Jan-22)
Course states 24 hours, I would say it took double that time to complete. Had some technical difficulties but Ultan King in support has been very helpful in resolving all issues.

Anon
(17-Sep-21)
Have only completed the first part of the course, enjoying it immensely, so far. the content is thorough and clearly explained. I only have one small observation – that it may be better using a real person, or even person(s) to present rather than a computer generated voice which can be a little wearing over time.

David Vickers
(Private Learner)
Cost / learning is really adapted. You can progress with adapted elearning at your rythm

Benoît F.
(Private Learner)
I’m extremely pleased with my ISO 45001 Lead Auditor course from deGrandson that I started in February 2021. I work for Amazon as a Construction Manager constructing fulfilment centers in the UK, EU and worldwide. The course material is excellent, the online learning system is very easy to use and the course is very well structured. I highly recommend this course by deGrandson. Dr John FitzGerald is an expert in this subject area and it shows. You will be pleased that you also chose to study with deGrandson.

Kenny M.
1construct
These are very detailed courses and they work very well for us.

Christina C.
hg-medical
On-line study at my own pace is most suitable learning media to me. The course is timely with the latest 2019 edition of the Standard coupled with value for money package.

Gnana Sakaran Rajagopal (Principal)
GSR Consulting Services
All the way through this course I have been extremely impressed with the excellent support that has been in place for students, and this provides confidence that issues are resolved promptly with fair consideration.

Steve Fitzjohn
(Private Learner)
Thanks for the great Course, I really enjoyed it.

Neil Smith
Ukhuselo Management Systems

24/7 training :: any time, any place, any device

Not familiar with e-Learning?

A vast topic the pervades all aspects of business today. And rightly so.

Definition of Risk

What is Risk Management?

The Swiss Cheese Model for risk control

The Risk Management Tools of ISO 31010

Risk-based Thinking in ISO 9001

Information Security Risk Management with ISO 27005

ISO 45001 requires Risk Management

ISO 14971 is not a requirement of ISO 13485 but …

Related Articles

Internationally Recognized Certification

Satisfied Customers Say:

Anon

Anon

Anon

David Vickers

Benoît F.

Kenny M.

Christina C.

Gnana Sakaran Rajagopal (Principal)

Steve Fitzjohn

Neil Smith

Free Trial Lesson

Smart Ticket System

Secure payment

And you can spread the cost of your purchase

No hidden charges

Frequently asked questions

Test your auditor skills

Anon

Anon

Anon

David Vickers

Benoît F.

Kenny M.