ISO 31000 defines risk as the ‘effect of uncertainty on objectives,’ where an effect is a deviation from the expected that can be positive or negative, or both, and can address, create, or result in opportunities or threats.
This definition leaves the door open for risk assessment based on opinion rather than objective evidence. Other ISO Standards consistently use a different definition: a ‘combination of the probability of occurrence of harm and the severity of that harm.’
While this definition leads to semi-quantitative measurement, at best, it has been found (dare I say proven) to be reliable, not in terms of absolute values, but in terms of one being able to rank risk. That is, the higher the risk rating, the greater the risk. So, while not acceptable to the mathematical purists, it does give us an objective basis for making decisions regarding the control and mitigation of risks. Until something better comes along, this is our best option.
See also ISO 9001 Risks & Opportunities – DOs and DON’Ts.
Risk management is proactively identifying possible threats to an organization and laying out appropriate measures to minimize their impact.
A risk management plan can include but is not limited to an assessment of the organization’s structure, the identification of its key objectives, the allocation of resources in activities designed to manage risks effectively, the designation of people responsible for key tasks, and the development of strategies to ensure continual improvement of systems and processes among other things.
In the Swiss Cheese model, which is fully demonstrated in our ISO 27001 training courses, each control to reduce risk is represented as a slice of cheese.
The holes in the slice represent weaknesses in individual parts of the system and are continually varying in size and position across the slices. The system produces failures when a hole in each slice momentarily aligns, permitting (in Reason’s words) “a trajectory of accident opportunity”, so that a hazard passes through holes in all of the slices, leading to a failure.
Consider these two scenarios:
a) One major control that is 95% effective
Here, the chance of failure of the control is 5 in 100 (or 5%). Or, to put it another way:
With one major control in place, the chances of successfully controlling the risk are 95.0%
b) Four minor controls, each of which is 60% effective
In this case, we need to combine the individual chance of failure to evaluate the combined effect of the four controls.
Consider how the risk of failure decreases as we add each of the four controls.
Remembering that each is 60% effective, the chance of failure is the remaining 40%.
- So, with one control in place, the chance of failure is 40%.
- With two controls in place, the chance of failure is 40% x 40%. That is 16%.
- With a third control in place, we get 40% x 40% x 40%. That is, 6.4%.
- And adding the fourth control, we get 40% x 40% x 40% x 40%, giving us a 2.56% chance of failure.
Therefore, with four minor controls in place, the chances of successfully controlling the risk are 97.4%.
In the example above, the robustness of the protection provided by the four minor controls is greater. If the one major control fails, there is zero protection remaining. But if one of the four minor controls fails, a 93.6% chance of successfully controlling the risk remains.
That said, for multiple controls to be effective in this way, they must be independent of one another. An example of controls that are not independent would be, say, three controls, each requiring an electricity supply to maintain their protection.
Here, one adverse event, a power loss, would knock out all three controls, and the assumed protection of three controls would not accrue.
Secondly, it is tempting to assume that we can reliably predict the level of risk reduction a control will provide. We can’t. Only by monitoring the performance of a system over time can we confirm the risk reduction achieved. Risk Management can help with this.
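As an added illustration (not part of the original article), the following Python carries the calculation above through for both scenarios, and extends it to the power-supply example by modelling a shared dependency that knocks out every control at once. The control effectiveness figures are those stated in the text; the 2% chance of a power loss is a constructed assumption used only to show how a common cause erodes the apparent protection.

```python
from functools import reduce
from operator import mul


def failure_probability(effectiveness):
    """Probability that every control fails, assuming the controls are independent.

    Each control's chance of failing is (1 - effectiveness); for independent
    controls the chance that all of them fail is the product of those chances.
    An empty list (no controls left) returns 1.0, i.e. certain failure.
    """
    return reduce(mul, (1.0 - e for e in effectiveness), 1.0)


def protection(effectiveness):
    """Chance of successfully controlling the risk: 1 - P(all controls fail)."""
    return 1.0 - failure_probability(effectiveness)


def protection_with_common_cause(effectiveness, p_common_cause):
    """Protection when all controls share one dependency (e.g. an electricity supply).

    With probability p_common_cause the shared dependency fails and every control
    is lost together; otherwise the controls behave independently. Expanding
    1 - (p + (1 - p) * P(all fail)) gives (1 - p) * protection(effectiveness).
    """
    return (1.0 - p_common_cause) * protection(effectiveness)


def compare_scenarios():
    """The two scenarios from the text: one 95% control vs. four 60% controls."""
    one_major = [0.95]
    four_minor = [0.60] * 4
    return {
        "one_major": protection(one_major),                          # 0.95
        "four_minor": protection(four_minor),                        # 0.9744
        "one_major_after_one_fails": protection(one_major[1:]),      # 0.0
        "four_minor_after_one_fails": protection(four_minor[1:]),    # 0.936
    }


if __name__ == "__main__":
    for name, value in compare_scenarios().items():
        print(f"{name:28s} {value:.2%}")
    # Constructed assumption: three 60% controls on one supply with a 2% chance of power loss.
    print(f"three on shared supply       {protection_with_common_cause([0.60] * 3, 0.02):.2%}")
```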
There was much debate back in 2015 when the revised ISO 9001 Standard was published about what exactly risk-based thinking was about and how the requirement for it should be understood and addressed. And what it boiled down to was you had to think about risk, but you didn’t have to document it!
Not a problem, of course, until some auditor asked for evidence that it had been done, which resulted in everyone documenting what they had done! So, the result is that today, every organization certified to ISO 9001, almost without exception, has established risk management as part of their QMS documentation.
The risk assessment will often be a lightweight effort but will still be part of the QMS. The best advice is to include in your management system documented risk management (risk evaluation with risk mitigation, as appropriate) applied to each of the processes that make up your QMS.
See also ISO 9001 Risk-based Thinking – DOs and DON’Ts.