RISKS … WHAT RISKS?
25-03-2017
The question is: can all management be described as risk management?
What is risk management?
What is management?
What are risks?
ISO 9001, the Quality Management Standards, is the ideal toolset for risk management, as are BS EN 18001 Occupational Health & Safety Standards, ISO 14001 Environmental Management Standards, and ISO 27001 Information Security Management Standards.
Well, risks don’t just happen; they have causes. Risks are potential. For example, the cause of the risk would be a hazard.
An obstacle to be tripped over is a hazard. The risk is the tripping over. The consequence of the risk is the potential impact and cost resulting from tripping over the obstacle, i.e. injury (level of severity), damage to property, recovery time. We can of course take steps to prevent or manage the risk (eliminate or reduce it): remove the obstacle, or safeguard the obstacle with barriers, signage, and instructions (divert the route, make safe).
The above example may be seen as a health and safety issue, and when we talk about risk management this is a very common association, but there are many more risks a company has to manage every day.
It begins with planning; we need to plan out hazards and risks. Take a look at your key performance indicators, your information security, your design reviews, product testing, production planning, supplier management and purchasing, engagement of sub-contractors, and logistics. Just about everything you do, and all the company’s activities, include some sort of risk assessment and review. The fact is they are not always labelled as such.
The current ISO 9001 standards do not effectively cover preventive action. They mention corrective and preventive action together, which of course is incorrect, because preventive actions must occur during the planning and design stages. However, ISO 9001 is an effective risk management framework; it only sometimes gets lost in interpretation, and ISO 9001:2015 appears to be addressing this. Valuable tools that are key requirements of ISO 9001 are process audits and management reviews. Previously these have been undervalued, but they are critical and cost-effective tools for risk management. Now top management processes such as strategic planning will need to be audited. When the cost of process audits is weighed against the benefits (costs saved), process audits are possibly the best single value-for-money investment a business owner can make. Management reviews should include hazards, risks and consequences. The most valuable and often under-appreciated statement in a business is the Quality Policy. This must be top management’s statement of intent and commitment; it therefore needs to address risk management, and this must be cascaded to all points of the business, including customers and suppliers.
What else can we do? Include hazard and risk management in procedures. Create a risk management register based on Failure Mode (Critical) Effect Analysis, i.e. weigh the consequence of the risk vs the hazard. Create a legal register in order to develop awareness of your legal obligations (what is the risk of you not knowing?). Cross-refer the risk register and legal register to identify what legislation is published to protect and guide us, or prosecute us, in relation to specific hazards and risks.
Of course, you don’t have to do this, as dodging hazards and taking avoidable risks may be your thing.