Risk is a vast topic that pervades all aspects of business today. And rightly so.
Until about 15 years ago, no one in business formally considered risk. Yes, it was there in the business school management books, but the practical application of risk mitigation was something only insurance companies talked about. Not so today. And if your organization is not ‘up to speed’ on managing risk, you are, at best, bleeding profit or, at worst, laying the groundwork for your organization’s demise.
Our area of interest is ISO Management System Standards, and in this post, we give you an overview of the many posts we have published on this topic.
Definition of Risk
ISO 31000 defines risk as the ‘effect of uncertainty on objectives,’ where an effect is a deviation from the expected that can be positive or negative, or both, and can address, create, or result in opportunities or threats.
This definition leaves the door open for risk assessment based on opinion rather than objective evidence. Other ISO Standards consistently use a different definition: a ‘combination of the probability of occurrence of harm and the severity of that harm.’
While this definition leads to semi-quantitative measurement, at best, it has been found (dare I say proven) to be reliable, not in terms of absolute values, but in terms of one being able to rank risk. That is, the higher the risk rating, the greater the risk. So, while not acceptable to the mathematical purists, it does give us an objective basis for making decisions regarding the control and mitigation of risks. Until something better comes along, this is our best option.
What is Risk Management?
Risk management is proactively identifying possible threats to an organization and laying out appropriate measures to minimize their impact.
A risk management plan can include but is not limited to an assessment of the organization’s structure, the identification of its key objectives, the allocation of resources in activities designed to manage risks effectively, the designation of people responsible for key tasks, and the development of strategies to ensure continual improvement of systems and processes among other things.
The Swiss Cheese Model for Risk Control
Managing risk requires more than one control for each threat. A standard such as ISO 27001 and its companion Code of Practice, ISO 27002, create the impression that one control is enough. Consider Annex A of ISO 27001: it lists vulnerabilities (which become threats where the vulnerabilities are exploitable) and suggests a single control for each. This is not a good approach.
Several controls should be applied whenever practicable. It can be shown (as in the link below) that a combination of several weak controls can mitigate risk far better than one strong one, with the bonus that failure of a control does not leave you totally vulnerable (as is the case if the one robust control fails).
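The two points above, a risk rating that is only meaningful as a ranking and the Swiss cheese argument that several weak independent controls can outperform one strong one, worked through in Python. This is an added example, not code from the original post; it assumes control failures are independent and uses constructed 1-5 scores and failure probabilities.

```python
"""Added example (not from the original post): layered weak controls versus
one strong control, and likelihood x severity as a ranking of risks.
Assumes independent control failures and constructed 1-5 scores."""
from math import prod
from typing import Sequence


def residual_likelihood(failure_probs: Sequence[float]) -> float:
    """Probability a threat gets through every layer of control.

    With independent layers the threat is only realised when all controls
    fail, so the residual is the product of the individual failure rates.
    An empty list means no control at all: the threat always gets through.
    """
    for p in failure_probs:
        if not 0.0 <= p <= 1.0:
            raise ValueError(f"failure probability out of range: {p}")
    return prod(failure_probs)  # prod(()) == 1


def worst_case_one_layer_down(failure_probs: Sequence[float]) -> float:
    """Residual likelihood when the single most valuable control is lost
    (treated as certain to fail), i.e. the worst one-layer failure."""
    if not failure_probs:
        return 1.0
    return max(residual_likelihood(list(failure_probs[:i]) + list(failure_probs[i + 1:]))
               for i in range(len(failure_probs)))


def risk_rating(likelihood: int, severity: int) -> int:
    """'Probability of harm' x 'severity of harm', each scored 1 (lowest) to
    5 (highest). Only the ordering of ratings is meaningful, not the value."""
    for score in (likelihood, severity):
        if score not in range(1, 6):
            raise ValueError(f"scores must be 1-5, got {score}")
    return likelihood * severity


def rank_risks(risks: dict[str, tuple[int, int]]) -> list[tuple[str, int]]:
    """Order threats from highest to lowest rating to set treatment priority."""
    rated = [(name, risk_rating(lik, sev)) for name, (lik, sev) in risks.items()]
    return sorted(rated, key=lambda item: item[1], reverse=True)


# Constructed sample values, not figures from the article or any standard.
ONE_STRONG_CONTROL = [0.01]               # a single 99%-effective control
THREE_WEAK_CONTROLS = [0.10, 0.10, 0.10]  # three independent 90% controls
SAMPLE_THREATS = {"laptop theft": (3, 4), "phishing credential capture": (5, 4),
                  "backup tape misfiled": (2, 2)}
```

With these constructed values the three weak layers leave a residual likelihood of 0.001 against 0.01 for the single strong control, and losing one weak layer still leaves 0.01 of residual exposure where losing the single control leaves none.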
The Risk Management Tools of ISO 31010
While we don’t like ISO 31000, we love its companion, ISO 31010. This Standard contains 40-plus risk management tools, and while it does not include examples, it sets out how each method can be applied and where it is best used. It contains methods covering all parts of the Risk Management Process, namely,
- Identification (of the threats)
- Consequence (or Severity of the risk event should it occur)
- Likelihood (or probability of occurrence of the risk event)
- Level of Risk (for individual events and combinations of such events)
- Evaluation, i.e., consideration of the overall level of risk, risk appetite, and setting the risk acceptance level.
Some examples from ISO 31010 are given in the table.
Risk-based Thinking in ISO 9001
There was much debate back in 2015 when the revised ISO 9001 Standard was published about what exactly risk-based thinking was about and how the requirement for it should be understood and addressed. And what it boiled down to was you had to think about risk, but you didn’t have to document it!
Not a problem, of course, until some auditor asked for evidence that it had been done, which resulted in everyone documenting what they had done! So, the result is that today, every organization certified to ISO 9001, almost without exception, has established risk management as part of their QMS documentation.
The risk assessment will often be a lightweight effort but will still be part of the QMS. The best advice is to include in your management system documented risk management (risk evaluation with risk mitigation, as appropriate) applied to each of the processes that make up your QMS.
Information Security Risk Management with ISO 27005
ISO 27001, the Information Security Management System, and the associated guide, ISO 27002, Code of Practice for information security controls, do not address how to manage the risk associated with the various threats to information security that apply.
This can be found in the frequently ignored standard ISO 27005, information security risk management. The examples of typical vulnerabilities and threats help clarify three much-misunderstood aspects of information security: risk assessment, risk treatment and risk acceptance.
ISO 45001 requires Risk Management
Like its ‘parent’ ISO 9001, this standard also calls for risk-based thinking. In addition, it also calls for Risk Management concerning the occupational health and safety (OH&S) of all persons present at the workplace (e.g., staff, contractors, persons delivering and collecting goods, and visitors) plus those managed from the workplace (e.g., installation, service and maintenance staff and those working from home or on business away from the office).
Documentation of the threats arising at each location and for each process in the workplace is needed, as well as the mitigation of each of those risks. The applicable regulations (manual handling, noise, dust, VOCs, signage, etc.) must all be documented within the risk management system.
ISO 14971 is not a requirement of ISO 13485, but …
Section 7.1 of ISO 13485, the medical device management system standard, has a Note that states: ‘Further information can be found in ISO 14971.’ Therefore, the ISO 14971 Standard is not a requirement of ISO 13485; it is not even given the status of a Guideline. How, then, do you meet the requirement of ISO 13485 that ‘The organization shall document one or more processes for risk management in product realization.’?
There are two key issues to note here …
1. The threats to be treated here are risks to the user and/or patient safety, not a component failure or failure of a process activity to function as intended.
2. Almost without exception, organizations certified to ISO 13485 choose to include ISO 14971 in their QMS.