The objective of Risk Treatment and Risk Mitigation is to identify how your identified risks will be treated. Risk treatment involves identifying the options for treating each risk, evaluating those options, assigning accountability (for Very High, High and Moderate residual risks) and taking relevant action. For each risk, the risk owner must establish an appropriate level of treatment. Control measures in addition to those already existing may be needed to achieve this level of mitigation. Accountable managers should engage with risk owners to develop a satisfactory response for each risk in order to:
The risk owner is responsible for the development of the response. When a response action is completed, the risk should be reassessed to reflect any newly introduced control measure.

Monitoring
Continuous, systematic and formal monitoring of the implementation of the risk and opportunity process and its outputs takes place against appropriate performance indicators to ensure process compliance and effectiveness. Monitoring takes a variety of forms, ranging from self-assessment, inspections and internal audits to detailed reviews by independent external experts.

Escalation
On occasion, it may be appropriate to escalate a health and safety risk to ensure it is assessed and/or managed by the person or party best placed to do so (able and with appropriate authority). For example, where a more substantial or coordinated response is required than the current risk owner can authorise or implement, escalation to a higher level of assessment and/or management is justified, as appropriate:
Managing opportunities Your organisation recognises an ‘opportunity’ as a set of circumstances which makes it possible to leverage positive factors and attributes, for example:
Opportunities may be identified as positive effects of risks, as when a risk forces the implementation of a risk reduction measure that is beneficial in a broader context than just reducing that particular risk. For example, health risks may require measures to improve the working environment. These measures also create opportunities to attract and retain better qualified employees, improve morale and job satisfaction, and reduce turnover, so the initial health risk creates positive opportunities to improve overall job satisfaction. Check that any actions taken to address the risks and opportunities are recorded, and ensure that each action was effective at addressing the issue and that the action taken was proportionate to the risk or opportunity. Consider the following as useful tools:
Understanding the risks and managing them appropriately will enhance your organisation’s ability to make better decisions, safeguard assets, provide products and services, and achieve its mission and goals. By considering risk throughout your organisation, the likelihood of achieving stated objectives is improved, output is more consistent, and customers can be confident that they will receive the expected product and/or service. Risk-based thinking therefore helps to:
I suggest that you use the familiar Plan-Do-Check-Act (PDCA) methodology to manage your organisation’s transition to risk-based thinking, also using an approach that ring-fences processes into ‘risk themes’ or groups such as:
Risk and opportunity assessment
Assessment of the severity of a risk drives management attention and supports planning for risk mitigation. A qualitative risk assessment scheme, consisting of qualitative probability and impact scales, is used to ensure consistency. Ensure that all accountable managers engage with risk owners to:
Forecasting probability, cost and time data is about assessing each risk based on the causes and effects described, taking into account the existing controls and active responses. Probability or likelihood estimations should be established giving due consideration to the effectiveness of existing control measures. The consequence evaluation criteria are assessed against potential financial loss, reputation impact, health and safety, legal and regulatory compliance, and management time and effort. Risk assessments should be undertaken to provide an improved understanding of the risk profile and to derive a more detailed understanding of certain cost and time risks.

If you would like to look at how to implement an ISO 9001 quality management system, then simply contact us. Or, if you want to see what's involved in more detail, then get a completely free, no obligation, totally tailored ISO Gap Analysis for your business (only available to UK businesses).

Risk identification should be carried out with the full involvement of the relevant parties to ensure that the relevant perspectives and expertise are represented (e.g. appropriately qualified representatives from various functions, contractors, stakeholders, suppliers and specialists as appropriate). Risk and opportunity identification is a critical activity at both a strategic and an operational level. It needs to include all significant sources of risk, including those beyond your organisation’s control.
If a risk, threat or opportunity is not identified, there can be no strategy to address it. The objective of this step is not to create an onerous and lengthy list of all possible risks, but to identify all significant risks that could impact your organisation. Risks and opportunities are identified through the use of:
Plan the actions needed to address the risks and opportunities
When deciding how to plan and control the management system, including its component processes and activities, your organisation needs to consider both the type and level of risk associated with them. Ensure that your organisation is taking a planned approach to addressing risks and realising opportunities, and that any actions taken have been recorded. Options to address risks and opportunities can include:
Formal business risk assessment can be performed by the organisation taking into consideration its context, associated risk and opportunities and mitigation plan. The use of the process approach by your organisation can identify sources of input, activities, output, end-user/customer, performance indicators to control and monitor processes, and the risks and opportunities associated with them, and action plans used to address them:
Throughout ISO management systems, there is a reliance on addressing your organisation's risks and opportunities. These should be relevant to the context of your organisation as well as to any interested parties. You should ensure that your organisation has applied a risk identification methodology consistently and effectively. This is very important and at the heart of all four of our ISO standards, which all take a risk-based approach. Indeed, in ISO 9001 alone, reference to risk-based thinking is present in all of the following clauses:
ISO defines a risk as the ‘effect of uncertainty on the expected result’. Effective management of risk is discussed well in advance to ensure there are fewer surprises, improved planning, effective decision making and better relationships with stakeholders. Effective management of risk leads to better performance and continual improvement, and increases customer satisfaction. Opportunities are considered the positive side of risk, which is why ISO 9001:2015 focuses on reducing risk and identifying opportunities. External and internal issues, and the relevant needs and expectations of relevant interested parties, may be sources of risk. All management system processes represent differing levels of risk in terms of your organisation’s ability to meet its objectives. For this reason, the consequences of failures or non-conformities in relation to processes, systems, products and/or services will not be the same for all organisations.

Risk and opportunity register
While not mandated by ISO 9001, ISO 14001, ISO 45001 or ISO 27001, risk and opportunity registers can help identify and record the risks and opportunities facing different areas of the business; identifying a risk is a critical step in managing it. Risk and opportunity registers allow your organisation to assess each risk against the overall context of your organisation, and help to record the controls and treatments applied to those risks. Risk and opportunity registers can be developed in tiers:
The risk and opportunity register, or risk log, becomes essential as it records identified risks and opportunities, their severity, and the actions and steps to be taken. It can be a simple document, a spreadsheet or a database system, but the most effective format is a table, because a table presents a great deal of information in just a few pages. As the register is a living document, it is important to record the date on which each risk is identified or modified. Optional dates to include are the target and completion dates.
When implementing an ISO management system, you should check whether your quality, environmental, health & safety and/or information security policies have been communicated and understood throughout your organisation. The policies must also be available to any relevant interested parties. If the personnel interviewed do not know what their measurable objectives are, and/or do not know which organisational objectives they have a direct impact upon, then you might need to evaluate the communication of your policies and objectives. Inferred awareness through knowledge of procedures is not considered sufficient - otherwise why have the requirement in the first place? A quick and convenient way to promote and communicate the policy might be to create a shortened version of the main policy - try condensing it to five key words or even a couple of short sentences. This can be posted on bulletin boards, for example. You could even add it to the reverse side of staff security passes or ID badges. The point is that you need to determine whether your policies meet their intent and are understood. The exact content of the policies does not need to be recited by individuals; an awareness of the policies and of how their job affects the company objectives is what you’re aiming for.

Organisational roles, responsibilities and authorities
Each employee needs to know who is responsible for the various elements of your management system to ensure a successful implementation. Develop an organisation chart and create job descriptions in order to clearly define roles, responsibilities and authorities, and communicate those responsibilities and authorities throughout your organisation. You should develop and make available to all employees a list of key personnel with their job descriptions and responsibilities, along with an organisational chart of key employees as they relate to your management system.
This should effectively define, document and communicate the organisational structure of the management system. There is a need to demonstrate that there are identified staff who are responsible for ensuring that parts of your management system are being properly taken care of. The sort of actions to think about might include:
• Communication of roles, responsibilities and authority;
• Processes and procedures to fulfil requirements are adequately resourced;
• Awareness of expectations is demonstrated at all relevant levels of the organisation;
• Reporting on the operation (e.g. results of audits and inspections) and performance of the management system (e.g. in business meetings, KPI reviews, etc.).
You should ensure that your organisation’s personnel have not only been advised of their management system responsibilities and authorities, but also that they understand these in the context of the overall purpose of the management system. You should also ensure that Top Management have assigned responsibility and authority for preserving the integrity of the organisation’s management system during changes (e.g. developing a new product or service line, moving premises, etc.).