I'm going to open with a bit of an inflammatory statement and hope you don't close the page. Are you ready?
You are doing risk management wrong, and your business is suffering because of it. For that matter, I bet your whole ISO document structure is wrong!
Now, while you calm down a bit, here's a question: if I asked you how your risk management process is working for your organisation, what would you say? I bet you jump straight to your health and safety system and proclaim that it is brilliant, couldn't be better; if they gave out awards for managing H&S risks you would be on the podium.
The thing is, that's not what I asked, and besides, health and safety, while absolutely critical, isn't your entire risk management process.
Risk Management – Not Just for Health and Safety
Let's take a moment to think about the various ISO standards; they all share some core features worth considering. Yes, they (mostly) all now follow the same high-level structure for naming the clauses, which makes it easy to integrate them into one single system.
The other thing they have in common is the underlying thinking of the documents. They all encourage you to do two things: embed PDCA (Plan - Do - Check - Act/Adjust) thinking, and take a risk-based approach to your management system. It doesn't matter whether it's ISO9001 for Quality Management, ISO14001 for Environmental Management, ISO45001 for Occupational Health & Safety or the brilliant ISO45003 for Psychological Safety, ISO27001 for Information Security, ISO13485 for Medical Devices or ISO22000 for Food Safety; they all want you to take a risk-based approach to the system.
That means they expect you to understand, of course, your health and safety risks, but also, importantly, your business risks, your environmental risks and impacts, your food safety risks, and so on.
On the whole, most businesses have their health and safety risks, food safety risks and so on identified, but business risks substantially less so, which is bizarre given that your board of directors needs to manage those things. Makes you wonder, right?
We Have the Risk – What Now?
Firstly, let's make sure we agree on what we are going to call a risk. A risk is something that is going to cause us a problem, or harm (if it's an H&S or environmental risk). So if we were thinking about H&S, you could have a hazard such as a forklift, which then has multiple risks: toppling, gas bottle swapping, people versus forklifts. If it's a business risk, then you may have an issue such as cashflow, with risks like a major client being lost to a competitor or collapsing, exchange rate fluctuations and so on. Each of these will have different controls in place.
All going well, each of those risks ends up with control or mitigation measures. If you scan them, here's my bet: few, if any, have a documented procedure or process in there that was developed specifically because you identified the risk.
What if I said that every risk, irrespective of whether it's a business, H&S or food risk, should have a procedure, SOP or some other document attached to it as part of the control measures? Sounds crazy, right? But the whole reason you write a procedure is that you have identified the potential for something to go wrong, so you write it down, clarify it and train people on it.
Let's go back and think about the documents and procedures in our ISO management system for a minute. What is driving their creation? Is it just you ticking off a clause in a standard, or something a client, or worse a consultant, says you need? How is that supporting your business?
ISO Document Structures
When you look at the vast majority of companies' ISO management systems, they will describe the structure of the system as something like the pyramid shown here.
It's a pretty classic view, with the policy at the top driving the system procedures you develop because your policy says you will do certain things.
Those system procedures are then broken down into day-to-day operational procedures, work instructions and so on.
Where are the risks in this structure? All the standards say you need to take a risk-based approach, so where are they? Chances are they are in that bottom section of forms, registers and records.
If you are taking a risk-based approach, why are risks the last thing in your pyramid? Are you fitting the risks to the documents you have or just not linking them up at all because you didn't think about it? (95% are the latter!)
If you really want to take a risk-based approach, then your system structure actually looks like this!
Our risks should sit right below our policy. Why? Because it is the policy, i.e. the direction we set as an organisation, that drives the risk management approach you take and the risks you will ultimately need to manage.
Our policy would say that we value everyone's safety, or that we'll ensure we provide the best possible products, etc.
Since that's what our policy says, we should then be able to derive the risks to the business that would stop us meeting those policy commitments. That bit is important and a bit of a head switch: what is going to happen that means we wouldn't meet our policy? So, if I have a policy of "everyone home safe", then what are the risks, from an H&S, business, environmental or other perspective, that would stop that happening? If our policy says we will deliver the greatest chocolate products to benefit humanity, what things would get in the way of doing that? What would put achieving that at risk?
Procedures as Control Measures
If you think about the procedures you have as control measures rather than, well, just a procedure, what does that look like?
It looks a bit like this!
Everything after the risk is effectively a control measure, or evidence such as training records, PPE records, supplier assessments, internal audits and so forth. That final level exists only to support one of the control measures you are putting in place to mitigate the risk.
The Impact of the Risk-based Approach
Doing this will completely change how you run your business and structure your ISO management systems, as well as your day-to-day processes. Interestingly, because you work this way, a few things will also happen automatically:
- It will change what procedures you actually have; you'll start thinking about what is driving the need for each document and what it is really addressing. If you can't see what it's addressing, you don't need it (or you have missed something).
- You will then need to think about how you will train it, what work instructions or SOPs you will need for the detailed work, and what outputs you need to record to make sure it is actually working.
- It will change how you write your documents. You are no longer writing a formal document that no one will understand (or use) unless they are an auditor. You need to write something everyone will understand so they can actually use it, which is pretty important.
- When you are reviewing your systems or doing internal audits, you are effectively also reviewing your risk management processes for the business. Now, how many organisations actually do that?
Stop Doing it Wrong - Take a Real Risk-based Approach
Thinking about your business risks, your environmental, health and safety, food safety or any other type of risk as an add-on or after the fact is a mistake. Risks should drive everything you do; they define how you control your business. They even help drive your strategy: for example, if one of your risks is a competitor eroding your market, your control measures should absolutely drive a strategic decision.
Taking the time to step back and understand your risks helps ensure you are developing the right processes, procedures and training, and making the right decisions, which can be traced all the way back up to your source document, your policy, and then all the way forward to your training, your SOPs and your investments.
If you aren't thinking about risk in all your ISO systems like this, you are doing it wrong. Stop doing it wrong and drive better business outcomes.