How risk is now incorporated into management standards
Risk is very popular at present. More of the different Management Standards are now incorporating Risk as part of their requirements. The reason is that it is a more robust and auditable requirement to assist Improvements than the traditional “Preventative Action”, with which companies have often struggled to demonstrate compliance. Too often, smaller Organisations regularly implement improvement activities but do not have a systematic method to show this to external Assessors.
Risks come in many different forms and Management Standards:
- API Q1 & API Q2 – Risk relating to Product Quality & Delivery
- ISO 9001 upgraded Standard – Risk of not achieving Customer Expectations
- OHSAS 18001 – Risk of injury or ill health
- ISO 14001 – Risk of Pollution and reducing the Environmental impact of the business's operations
- ISO 27001 – Risks to the Information handled by the Business
The problem with Risk assessments is that:
- They are subjective. This is often driven by previous experience
- They are an Analysis tool, rather than an end in themselves
- They depend on the Starting point. The initial requirements determine the result. For example, if the starting point is Health and Safety, then the results will consider safety issues
The advantage of the Risk approach
- Systematic approach
- Flexible methodology
- Ongoing, so as actions are taken or circumstances change, the Risk register can be modified
- Prioritise areas and actions
Are any of these Risks more important than others? Yes – their impact will vary depending on circumstances; and No – they will all affect most Businesses.
How should Risks be documented? Whilst there are preferences, the important requirement is that there is a clear, methodical approach, whose outcome is a priority list of Mitigations and Controls to better manage the Risks. Do the results satisfy the common sense test? What is more important – the minor problem that recurs frequently or a major problem that is very infrequent?
Accept that there will be occurrences that have not been included in the Assessment – like Earthquakes in Lincolnshire or Tornadoes in Birmingham. Instead, look at the impact on the Business – damage to Buildings, disruption for key staff, etc.
Accept that there are Risks. One Client said that he had been concerned that the “Sky fall down on him” – it has not fallen yet, so far so good.
Two Points
- Risk Assessments & Risk Management are not ends in themselves. They are only as good as the resulting Actions
- Risk Management is fundamentally making Businesses more Resilient.
For more information on managing risks contact Charter 4 today.