Risk Management In ISO 9000 Standard

Risk Management In ISO 9000 Standard

In each human endeavour there is an element of risk; personal, project or financial, or a combination of them all. The job of the responsible individual is to identify the risk and act accordingly. We all do these ‘risky’ things, almost daily, aware that we are taking a risk. Rather than staying away from the risk we become adept at identifying it and having a strategy for dealing with it if the risk materialises. This is what risk management is about, and is an ability that is important in virtually every endeavour.

The popular misconception that risk management is difficult or complicated stems from the bureaucratic methodology of some system-oriented organisations and managers. It is neither complicated or bureaucratic, and need not be. Risk management is basically a simple proposition with a complexity dictated by the nature of the situation to which it applies – usually a project, and the parties involved. In its basic form risk management involves:

1. Identifying risk – Looking for anything that threatens the successful completion of the project against the original requirement. Risks can be environmental, organisational, technical, legal, economic or commercial.

2. Counteracting risk – Taking action to remove or reduce the probability of a risk being realised. The response depends on the nature or seriousness of the risk.

3. Acting when the risk event occurs – Invoking whatever contingency measures were devised for the risk that has materialised.

And for this to happen needs:

4. Monitoring at all stages – This typically means documenting a risk assessment in a profile that identifies the risk, the probability of its occurrence, and the impact if it does materialise. Factors that score paramount are those that require the greatest attention and monitoring. A good risk manager will devise contingency plans that reduce either the probability or the impact of these occurrences, and so remove them from the scene.

Working within a formal structured management system similar to that defined by ISO 9000 requires the application of risk assessment practices to satisfy the requirements of the Standard. Auditors of such systems may not find specific references to risk management in these areas even though the identification of potential failure (8.5.3) is wholly concerned with a topic that is nothing less than risk management.

Well managed risk taking is an essential feature of any forward thinking enterprise, since risk is an element of any progression or advancement. It is the adoption of effective risk management in conjunction with the continuing need to drive forward from a comfortable position that leads to progress and advancement. Doing what we always do purely because the risks appear to be negligible or are well known is to be ‘risk averse’, and for progressive organisations cannot be acceptable. Neither is it acceptable to pursue new ideas without an understanding of their potential benefit, proper planning, a clear idea of the threats to these benefits being achieved , and a strategy for dealing with them should they materialise. We need to manage in a manner that is neither predictable or reckless. Risk assessment is an essential tool to support this strategy.