Let's Talk About Risk

We work with a lot of organisations helping with their ISO9001, 14001, 27001 or 45001 implementation and ongoing management of their new systems. We like to use Mango for this as it's a fantastic fully integrated platform to manage all the requirements of these standards. Over the last few years, we have noticed an ongoing trend within these implementations around the understanding of Risk. Mango has a dedicated Risk module and you can build any form of risk management template with it but what type of Risk do you think 99% of clients talk about? Yep Health & Safety, which is important but that's not all risk is, it's a whole bunch more than that.  

Defining Risk 

The International Standards Organization ISO31000:2018 document is all about Risk Management so it seems like a great basis to use when we are talking about risk and explain why you need to look at Risk through as many different lenses as required.

Under the terms & Definitions of the ISO31000 standard it has the following definitions:

It adds a couple of notes to support and expand on this which tell us that an Effect is deemed a deviation from the expected, i.e. you thought X was going to happy but you got Y and that this can be both a negative (which is the route most people seem to take when thinking about Risk) and also a Positive , think of it as threats and opportunities that are linked to the Risk you are looking at.

For example, if we look at the current global crisis of the Covid-19 Pandemic what we see it a whole bunch of Risk (out of interest how many of your risk registered included a pandemic or a national shut-down!?) There are clearly risks with this in terms of

• People – will my team get ill, will they be able to return to work and so on,
• Liquidity – do I have enough money to keep going
• Customers – will they still exist to buy my products

These are all negatives or threats when you link them to this Risk however there is another side of things that you also need to take into account when thinking about your risks, the opportunities

• People – will there be more resources available to me as a result of this
• Sales – if my competition falls over, I may pick up those sales – if I do how do I handle that new requirement for capacity and materials?

So, when looking at the risks you need to think of both the positive and the negative effects of the risk and that then informs you on how you will manage the risks.

Risk Management

Again, referring back to ISO31000:2018 we find a definition of Risk Management that we can use in our organisation:  

1. Check with suppliers about the material availability for various levels of upside
2. Check with the operation about the capacity availability and what the limiting factor is
3. Check with your shipping company on their availability
4. Check with the bank on funds available for the new upside and can you carry the load

There will no doubt be a bunch more of these things as well.

Risk in Business 

When we think about risk we need to think about the business as a whole and classify risks correctly and repeatably across the organisation, you will certainly have risks around health and safety, you will have risks under your ISO9001 Quality Management System, your ISO27000 Information Security Management System, your ISO14000 Environmental Management System and a range of others as well and they all need to judged with the same approach.

You need to look at these all with the lens of threats and opportunities rather than just the downsides or what could go wrong and focusing on mitigating those negatives. You need to build both short and longer term actions on how you will respond to these threats and opportunities into your risk registers which of course you would review on a regular basis to ensure you correctly manage your business risks.

The ISO31000 Risk Management Blog Series 

Over the coming weeks we'll be walking through the entire ISO31000 Risk Management process explaining what the standard means and what steps it talks about when setting up a sound Risk Management System for your organisation across a range of disciplines to ensure that you have the tools to manage the threats and opportunities in your organisation. Why not subscribe to the blog and or the newsletter to get regular updates from us on this and other topics to help keep making things better in your organisation.