Risk Management Courses

It is a vast topic that pervades all aspects of business today.  And rightly so.

Until about 15 years ago, no one in business formally considered risk.  Yes, it was there in the business school management books, but the practical application of risk mitigation was something only insurance companies talked about.  Not so today.  And if your organization is not ‘up to speed’ on managing risk, you are, at best, bleeding profit or, at worst, laying the groundwork for your organization’s demise.

Our area of interest is ISO Management System Standards, and in this post, we give you an overview of the many posts we have published on this topic.

Definition of Risk

ISO 31000 defines risk as the ‘effect of uncertainty on objectives,’ where an effect is a deviation from the expected that can be positive or negative, or both, and can address, create, or result in opportunities or threats.

This definition leaves the door open for risk assessment based on opinion rather than objective evidence.  Other ISO Standards consistently use a different definition: a ‘combination of the probability of occurrence of harm and the severity of that harm.’

While this definition leads to semi-quantitative measurement, at best, it has been found (dare I say proven) to be reliable, not in terms of absolute values, but in terms of one being able to rank risk. That is, the higher the risk rating, the greater the risk.  So, while not acceptable to the mathematical purists, it does give us an objective basis for making decisions regarding the control and mitigation of risks. Until something better comes along, this is our best option.

See also ISO 9001 Risks & Opportunities – DOs and DON’Ts.

What is Risk Management?

Risk management is proactively identifying possible threats to an organization and laying out appropriate measures to minimize their impact.

A risk management plan can include but is not limited to an assessment of the organization’s structure, the identification of its key objectives, the allocation of resources in activities designed to manage risks effectively, the designation of people responsible for key tasks, and the development of strategies to ensure continual improvement of systems and processes among other things.

The Swiss Cheese Model for Risk Control

More than one control to mitigate each threat is required to manage risk. A standard such as ISO 27001 and the companion Code of Practice, ISO 27002, create the impression that one control is enough.  Consider Annex A of ISO 27001. It lists vulnerabilities (which become threats where the vulnerabilities are exploitable) and suggests one control. This is not a good approach.

Several controls should be applied whenever practicable.  It can be shown (as in the link below) that a combination of several weak controls can mitigate risk far better than one strong one, with the bonus that failure of a control does not leave you totally vulnerable (as is the case if the one robust control fails).

See also: Risk Management – The Swiss Cheese Model Explained

The Risk Management Tools of ISO 31010

While we don’t like ISO 31000, we love its companion, ISO 31010.  This Standard contains 40 plus risk management tools, and while it does not include examples, it sets out how each method can be applied and where it is best used. It contains methods covering all parts of the Risk Management Process, namely,

• Identification (of the threats)
• Consequence (or Severity of the risk event should it occur)
• Likelihood (or probability of occurrence of the risk event)
• Level of Risk (for individual events and combinations of such events
• Evaluation, i.e., consideration of the overall level of risk, risk appetite, and setting the risk acceptance level.

Some examples from ISO 31010 are given in the table.

Click on the image to magnify the view

Risk-based Thinking in ISO 9001

There was much debate back in 2015 when the revised ISO 9001 Standard was published about what exactly risk-based thinking was about and how the requirement for it should be understood and addressed.  And what it boiled down to was you had to think about risk, but you didn’t have to document it!

Not a problem, of course, until some auditor asked for evidence that it had been done, which resulted in everyone documenting what they had done!  So, the result is that today, every organization certified to ISO 9001, almost without exception, has established risk management as part of their QMS documentation.

The risk assessment will often be a lightweight effort but will still be part of the QMS. The best advice is to include in your management system documented risk management (risk evaluation with risk mitigation, as appropriate) applied to each of the processes that make up your QMS.

See also ISO 9001 Risk-based Thinking – DOs and DON’Ts.

Information Security Risk Management with ISO 27005

ISO 27001, the Information Security Management System, and the associated guide, ISO 27002, Code of Practice for information security controls, do not address how to manage the risk associated with the various threats to information security that apply.

This can be found in the frequently ignored standard ISO 27005, information security risk management. The examples of typical vulnerabilities and threats help clarify three much-misunderstood aspects of information security: risk assessment, risk treatment and risk acceptance.

See also: ISO 27005:2018 Information Security Risk Management

ISO 45001 requires Risk Management

Like its ‘parent’ ISO 9001, this standard also calls for risk-based thinking. In addition, it also calls for Risk Management concerning the occupational health and safety (OH&S) of all persons present at the workplace (e.g., staff, contractors, persons delivering and collecting goods, and visitors) plus those managed from the workplace (e.g., installation, service and maintenance staff and those working from home or on business away from the office).

Documentation of the threats arising at each location and for each process in the workplace is needed, as well as the mitigation of each of those risks. The applicable regulations (manual handling, noise, dust, VOCs, signage, etc.) must all be documented within the risk management system.

See also ISO 45001 Certification: 21 FAQs answered, and ISO 45001 requires Risk Management and not just Risk-based Thinking.

ISO 14971 is not a requirement of ISO 13485, but …

Section 7.1 of ISO 13485, the medical device management system standard, has a Note that states: ‘Further information can be found in ISO 14971.’  THEREFORE, the ISO 14971 Standard is not a requirement of ISO 13485; it’s not even given the status of a Guideline.  How do you meet the requirement of ISO 13485 that ‘The organization shall document one or more processes for risk management in product realization.’?

There are two key issues to note here …

1. The threats to be treated here are risks to the user and/or patient safety, not a component failure or failure of a process activity to function as intended.

2. Almost without exception, organizations certified to ISO 13485 choose to include ISO 14971 in their QMS.

See also ISO 14971 Risk Management; 12 FAQs answered. ISO 13485 requires Risk Management and Risk-based Thinking.

Related Articles

• ISO 14971 – FMEA alone is not enough
• ISO 9001 and Risk-based Thinking – Some Practical Advice