A vast topic that pervades all aspects of business today. And rightly so.
Until about 15 years ago no one in business gave formal consideration to risk. Yes, it was there in the books on management from business schools but the practical application of risk mitigation was something only insurance companies talked about. Not so today. And if your organization is not ‘up to speed’ on managing risk you are, at best, bleeding profit or, at worst, laying the groundwork for your organization’s demise.
Our area of interest is ISO Management System Standards and in this post, we give you an overview of the many posts we have published on this topic.
Definition of Risk
ISO 31000 defines risk as the ‘effect of uncertainty on objectives’, where an effect is a deviation from the expected that can be positive or negative, or both and can address, create or result in opportunities or threats.
This definition leaves the door open to risk assessment to be based on opinion rather than on objective evidence. Other ISO Standards consistently use a different definition, namely, a ‘combination of the probability of occurrence of harm and the severity of that harm.’
While this definition leads, at best, to semi-quantitative measurement, it has been found (dare I say proven) to be reliable, not in terms of absolute values, but in terms of one being able to rank risk. That is, the higher the risk rating, the greater the risk. So, while not acceptable to the mathematical purists, it does give us an objective basis for making decisions regarding the control and mitigation of risks. Until something better comes along, this is our best option.
See also: ISO 9001 Risks & Opportunities – DOs and DON’Ts.
What is Risk Management?
Risk management is the act of proactively identifying possible threats to an organisation and laying out appropriate measures to minimize their impact.
A risk management plan can include but is not limited to an assessment of the organization’s structure, the identification of its key objectives, the allocation of resources in activities designed to effectively manage risks, the designation of people responsible for key tasks, and the development of strategies to ensure continual improvement of systems and processes among other things.
The Swiss Cheese Model for risk control
One control to mitigate each threat is not enough to manage risk. A standard such as ISO 27001, and the companion Code of Practice, ISO 27002, create the impression that one control is enough. Consider Annex A of ISO 27001. It lists vulnerabilities (which become threats where the vulnerabilities are exploitable) and suggests one control. This is not a good approach.
Several controls should be applied whenever practicable. It can be shown (as in the link below) that a combination of several weak controls can mitigate risk far better than one strong one, with the added bonus that failure of a control does not leave you totally vulnerable (as is the case if the one strong control fails).
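As an added illustration of the ranking argument in the definition section and of the Swiss Cheese point above (example code written for this overview, not from ISO 31000, ISO 31010 or any linked post), the block below rates risks as likelihood x severity and compares one strong control with several weak, independent layers. The 1-5 scales, the independence of the layers and the sample register are my assumptions.

```python
from math import prod

def risk_rating(likelihood: int, severity: int) -> int:
    """Rating = probability of occurrence x severity, both on an assumed 1-5 scale.
    Only the ordering of ratings is meaningful, not the absolute number."""
    for value in (likelihood, severity):
        if not 1 <= value <= 5:
            raise ValueError("likelihood and severity must be on the 1..5 scale")
    return likelihood * severity

def rank_risks(register: dict) -> list:
    """Return (name, rating) pairs from a register of name -> (likelihood, severity),
    highest risk first, so the top of the list gets treated first."""
    rated = [(name, risk_rating(l, s)) for name, (l, s) in register.items()]
    return sorted(rated, key=lambda item: item[1], reverse=True)

def residual_probability(failure_probs) -> float:
    """Swiss Cheese model: a threat gets through only if every layer fails.
    With independent layers, P(breach) is the product of per-layer failure probabilities."""
    return prod(failure_probs)

def residual_after_losing_one(failure_probs) -> float:
    """Worst case when any single control fails outright (its failure probability
    becomes 1.0). With one control this is total exposure; with layers the rest hold."""
    probs = list(failure_probs)
    return max(residual_probability(probs[:i] + [1.0] + probs[i + 1:])
               for i in range(len(probs)))

# Constructed sample register (not real data): name -> (likelihood, severity)
SAMPLE_REGISTER = {
    "phishing credential theft": (4, 4),
    "backup tape lost in transit": (2, 5),
    "printer toner shortage": (4, 1),
}

ONE_STRONG_CONTROL = [0.05]            # assumed: fails 5% of the time
THREE_WEAK_CONTROLS = [0.3, 0.3, 0.3]  # assumed: each fails 30% of the time

if __name__ == "__main__":
    for name, rating in rank_risks(SAMPLE_REGISTER):
        print(f"{rating:>2}  {name}")
    print("residual, one strong control:  ", residual_probability(ONE_STRONG_CONTROL))
    print("residual, three weak controls: ", residual_probability(THREE_WEAK_CONTROLS))
    print("strong control lost:           ", residual_after_losing_one(ONE_STRONG_CONTROL))
    print("one weak control lost:         ", residual_after_losing_one(THREE_WEAK_CONTROLS))
```

Three 30%-reliable layers leave a residual of about 2.7% versus 5% for the single strong control, and losing one layer leaves 9% exposure rather than 100%.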
See also: Risk Management – the Swiss Cheese Model Explained
The Risk Management Tools of ISO 31010
While we don’t like ISO 31000, we love its companion, ISO 31010. This Standard contains 40 plus risk management tools and, while it does not include examples, it sets out how each method can be applied and where it is best used. It includes methods covering all parts of the Risk Management Process, namely,
- Identification (of the threats)
- Consequence (or Severity of the risk event should it occur)
- Likelihood (or probability of occurrence of the risk event)
- Level of Risk (for individual events and for combinations of such events)
- Evaluation, i.e., consideration of the overall level of risk, risk appetite and setting the risk acceptance level.
Some examples from ISO 31010 are given in the table.
Risk-based Thinking in ISO 9001
There was much debate back in 2015 when the revised ISO 9001 Standard was published about what exactly risk-based thinking was about and how the requirement for it should be understood and addressed. And what it boiled down to was you had to think about risk but you didn’t have to document it!
Not a problem, of course, until some auditor asked for evidence that it had been done, which resulted in everyone documenting what they had done! So, the end result is that today every organization certified to ISO 9001, almost without exception, has documented risk management as part of their QMS documentation.
In many instances, the risk assessment will be a pretty lightweight effort but it will still be part of the QMS. The best advice is to include in your management system documented risk management (risk evaluation with risk mitigation, as appropriate) applied to each of the processes that make up your QMS.
See also: ISO 9001 Risk-based Thinking – DOs and DON’Ts.
Information Security Risk Management with ISO 27005
ISO 27001, the Information Security Management System standard, and the associated guide, ISO 27002, Code of Practice for information security controls, do not address the question of how to manage the risk associated with the various threats to information security that apply.
This can be found in the frequently ignored standard ISO 27005, information security risk management. Its examples of typical vulnerabilities and threats are useful in clarifying three much-misunderstood aspects of information security, namely, risk assessment, risk treatment and risk acceptance.
See also: ISO 27005:2018 Information Security Risk Management
ISO 45001 requires Risk Management
Like its ‘parent’ ISO 9001, this standard also calls for risk-based thinking. In addition, it also calls for Risk Management in relation to the occupational health and safety (OH&S) of all persons present at the workplace (e.g., staff, contractors, persons delivering and collecting goods, and visitors) plus those managed from the workplace (e.g., installation, service and maintenance staff and those working from home or on business away from the office).
Documentation of the threats arising at each location and for each process in the workplace is needed as well as the necessary mitigation of each of those risks. The applicable regulations (manual handling, noise, dust, VOCs, signage, etc.) all must be documented within the risk management system.
See also: ISO 45001 Certification: 21 FAQs answered and ISO 45001 requires Risk Management and not just Risk-based Thinking.
ISO 14971 is not a requirement of ISO 13485 but …
Section 7.1 of ISO 13485, the medical device management system standard, has a Note, which states: ‘Further information can be found in ISO 14971.’ The ISO 14971 Standard is not, therefore, a requirement of ISO 13485; it’s not even given the status of a Guideline. How then do you meet the requirement of ISO 13485 that ‘The organization shall document one or more processes for risk management in product realization.’?
There are two key issues to note here …
1. The threats to be treated here are risks to the user and/or patient safety and not component failure or failure of a process activity to function as intended.
2. Almost without exception, organizations certified to ISO 13485 choose to include ISO 14971 in their QMS.
See also: ISO 14971 Risk Management: 12 FAQs answered and ISO 13485 requires Risk Management and Risk-based Thinking.