An effective risk management strategy involves proactive risk identification, ranking, and risk mitigation. Deciding how much risk your company is willing to accept is a major part of the risk management process.
• Risk - The combination of probability and the associated impact of an occurrence.
• Risk Appetite (Tolerance) - The level of risk an entity is willing to accept in pursuit of its objectives.
• Risk Management - Using managerial resources to integrate risk identification, risk assessment, risk prioritization, development of risk handling strategies and mitigation of risk to acceptable levels.
• Risk Mitigation - The management of risk through the proactive use of countermeasures and controls.
• Risk Register - A record that identifies risks and associated severity, impact, and mitigation actions.
• Risk-based Thinking - An integrated, systematic approach to risk throughout the organization, rather than treating it as a single component of a Quality Management System (QMS).
"What could possibly go wrong?" Many companies attempt to manage risks in their operations but miss the value that a proactive risk management plan can add. The revised ISO 9001:2015 standard requires actions to address risks and opportunities, supported by a robust risk management strategy, for QMS compliance. This 'spirit of integration' has always been part of business management; however, ISO 9001:2015 has brought risk management to the forefront. The Preventive Action clause of the earlier standard has been removed from the 2015 edition, so risk management now carries the responsibility of preventing undesired outcomes.
Identify the Risks
Risk is ever-present in daily life. If you wish to cross a street, risk is present: you may be hit by a car! Risk management works the same way in a corporation: "If we ___________, there is a risk that __________ will happen."
Brainstorming with stakeholders and other interested parties is a common method of risk identification. Identifying the risk is the first step to attacking the problem head-on. Ignoring a risk will not make it go away.
Deciding how much risk your company can accept is a major part of the risk management strategy. If your business is buying and selling stocks, you know you must accept a certain amount of risk in order to maximize your gains. How much risk to accept is a company decision, and it should be clear to everyone involved.
An airline will certainly want to lower its risk level much further than the example above. Saying a flight "may or may not arrive at the destination" is quite different from saying "a stock may or may not increase in price." You can understand the analogy.
Both of these examples describe negative outcomes; however, a risk can also be an opportunity, or positive risk. Risk is commonly understood to be negative. In Risk-based Thinking, opportunity can also be found, which is sometimes seen as the positive side of risk.
For example, having more retail customers than you are equipped to handle is a positive risk: too much of a good thing. If you cannot satisfy the increased customer base, you will lose some of the customers. Is that an acceptable way of mitigating the risk for your company?
Risks that are identified by a company should be quantified and qualified in writing. This may sound confusing, but in reality it simply means ranking the risks.
The ranking may be according to several variables such as monetary consequences, loss of customers, and/or legal exposure to lawsuits. A common method applies the risk formula, Risk Score = probability x impact, with each factor rated on a fixed scale, and ranks the risks in the register by the resulting score.
After ranking the risks, upper management must make a realistic determination as to what loss is acceptable for the company. If the risk is too many customers, management will certainly want to capture as much business as possible, but preparing for this risk will certainly cost money (something upper management rarely wants to hear). There will be a need for more employees, more hardware such as checkout equipment, and software that can handle the increased transactions. Store hours may need to be extended (higher payroll costs) and an increased inventory of a new product may be necessary. This may create logistics problems and supplier issues, creating more risks.
Mitigate the Risks
There are four (4) ways to effectively deal with risk.
• The first is avoidance. The risk is eliminated, usually by eliminating its cause(s) or by not undertaking the activity that creates it.
• The second is mitigation. This is done by reducing the probability of the risk event, its impact, or both.
• The third is acceptance. The company decides to accept the consequences because the risk falls within its risk tolerance (appetite).
• The fourth is transference. This is done by shifting the financial impact or consequences of the risk event to a third party. Buying insurance is an example.
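To show how the ranking and the four treatments fit together, here is an added example (not code from the original post): a small risk register scored with probability x impact, ranked, and checked against a risk appetite threshold. The 1-5 rating scale, the appetite threshold of 9, the rule that picks a treatment, and the sample risks are all assumptions made for this illustration, not part of the ISO 9001 standard.

```python
"""Risk register scoring and ranking (added example, not from the original post).

Assumptions (illustrative, not from the post or the standard):
  - probability and impact are each rated 1 (lowest) to 5 (highest)
  - risk_score = probability * impact
  - a risk whose score is at or below the appetite is accepted; above it,
    the register's own flags decide between avoid, transfer and mitigate
"""
from dataclasses import dataclass
from typing import List, Tuple

RATING_SCALE = range(1, 6)  # assumed 1..5 scale for both factors


@dataclass
class Risk:
    description: str
    probability: int          # 1 = rare .. 5 = almost certain
    impact: int               # 1 = negligible .. 5 = severe
    avoidable: bool = False   # can the cause be removed entirely?
    insurable: bool = False   # can the consequence be shifted to a third party?
    mitigation: str = ""      # planned countermeasure, per the register definition

    def __post_init__(self) -> None:
        # Reject ratings outside the agreed scale so scores stay comparable.
        if self.probability not in RATING_SCALE or self.impact not in RATING_SCALE:
            raise ValueError(f"ratings must be in {RATING_SCALE!r}: {self.description}")

    @property
    def score(self) -> int:
        """Risk Score = probability x impact."""
        return self.probability * self.impact


def rank(register: List[Risk]) -> List[Risk]:
    """Highest score first; ties broken by impact so severe outcomes surface."""
    return sorted(register, key=lambda r: (-r.score, -r.impact))


def suggest_treatment(risk: Risk, appetite: int) -> str:
    """Map a scored risk to one of the four treatments discussed above.

    appetite is the highest score management has agreed to accept.
    """
    if risk.score <= appetite:
        return "accept"
    if risk.avoidable:
        return "avoid"
    if risk.insurable:
        return "transfer"
    return "mitigate"


def report(register: List[Risk], appetite: int) -> List[Tuple[str, int, str]]:
    """Ranked (description, score, treatment) rows for management review."""
    return [(r.description, r.score, suggest_treatment(r, appetite)) for r in rank(register)]


def build_register() -> List[Risk]:
    """Constructed sample register for a retailer (illustrative data)."""
    return [
        Risk("Checkout systems cannot handle holiday transaction volume", 4, 4,
             mitigation="add checkout lanes and load-test the POS software"),
        Risk("Legacy supplier misses delivery dates", 3, 2),
        Risk("Warehouse fire destroys inventory", 2, 5, insurable=True),
        Risk("Unvetted new product line draws product-liability lawsuits", 3, 4,
             avoidable=True),
        Risk("Key store manager leaves without a trained replacement", 3, 3),
    ]


if __name__ == "__main__":
    APPETITE = 9  # assumed: scores of 9 or below are within tolerance
    for description, score, treatment in report(build_register(), APPETITE):
        print(f"{score:>2}  {treatment:<9} {description}")
```

Re-run the report whenever a rating changes; the periodic re-evaluation the post calls for is just re-scoring the register against the current appetite, and a risk that drifts above the threshold changes treatment automatically.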
Being proactive in risk identification, ranking, and mitigation is the best approach to managing your risks. Remember, periodically evaluating risks and implementing needed changes to the risk mitigation strategy is necessary for effective risk management and for compliance with the revised ISO 9001 standard. Only upper management can decide the risk tolerance (acceptance) for the company; however, effective risk management is the responsibility of all employees.
Until next time, Think Quality!