Governance, Risk and Compliance Blog

Using EQMS to manage risk

Posted by Marc Gardner on Mon, Oct 09, 2017

To stay competitive in today's market, it's vital you have a good strategy to manage risk. In recent times, some high-profile organisations have learned the hard way that neglecting risk can not only be costly, but undo years of work building a strong brand and reputation.

If your organisation is ISO-certified, or in the process of becoming certified, you'll already be familiar with risk-based thinking and embedding this way of working across the business. ISO standards now require a risk-based approach, where risk is less an isolated part of your quality management system (QMS) and more a feature of the QMS as a whole. With this approach, you can handle risk much more proactively instead of merely reacting when things go wrong.

ISO 27001, for example, requires you to document how you'll assess and treat risk as you implement your information security management system. And while ISO 9001 doesn't formally say you must do a full risk assessment, it does say you must monitor, measure, analyse and evaluate the risks and opportunities.

A commonly used tool for assessing risk is the risk assessment matrix. You've probably seen one before. A grid of reds, ambers and greens telling you what risks are likely to occur and how severe their impact could be.

Manually creating a risk assessment matrix takes a lot of time – you need to identify what risks apply to your business, decide how you'll evaluate them ('likelihood' and 'impact' tend to be the most common) and then assess them based on the criteria you've chosen.

EQMS Risk Manager

Features

EQMS Risk Manager gives you a framework for identifying, evaluating, managing and monitoring risk. By bringing together data into one integrated, central system, EQMS Risk Manager takes away the problem of business units and departments all working in isolation, without transparency or any knowledge of each other's processes.

Identifying risk

Any user can log in and suggest a risk. The system directs the suggestion to your Risk Manager, who then decides whether to log the suggestion as a risk to be further assessed, or reject it. The system records the Risk Manager's response and feeds it back to the user who made the suggestion.

Evaluating risk

The system keeps a full list of all the risks your business faces. It assesses each risk against the data provided (including likelihood and impact) and uses a formula to calculate a risk level and risk class.

Managing risk

If the risk class and risk level are unsatisfactory, the Risk Manager may take action to lessen the risk (and perhaps lower its class and level) until it becomes acceptable. For higher risks, the Risk Manager may define which action should be taken when a related incident occurs so its impact can be limited.

Monitoring risk

The system has powerful risk analysis and monitoring tools such as configurable risk calculators and risk traffic lights. It provides easy access to a bank of assessments so users can see what controls were tested and the results of the assessments. Risk Managers can access a range of reports to analyse metrics, and apply a number of parameters to help with their decision-making.
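The likelihood-and-impact matrix described earlier in the post, and the "formula to calculate a risk level and risk class" mentioned under Evaluating and Managing risk, can be made concrete with a small risk register. The following is an added example and not code from the post or from the EQMS product: it scores each risk as likelihood times impact on an assumed 1 to 5 scale, bands the product into an assumed set of classes, re-scores after a recorded treatment to give a residual level, and ranks the register so the Risk Manager sees what is still above the organisation's appetite. The scales, the class thresholds, the appetite band and the sample risks are all assumptions.

```python
"""Added example of a likelihood x impact risk register (not the EQMS product's
own code). The 1-5 scales, the class bands, the appetite and the sample risks are
assumptions chosen to illustrate the technique."""
from dataclasses import dataclass, field

LEVELS = range(1, 6)  # assumed scale: 1 (lowest) .. 5 (highest) for both axes

# Assumed banding of the likelihood x impact product (1..25) into risk classes.
CLASS_BANDS = (
    (1, 4, "low"),
    (5, 9, "medium"),
    (10, 16, "high"),
    (17, 25, "critical"),
)


def risk_level(likelihood: int, impact: int) -> int:
    """Risk level is the product of likelihood and impact. Inputs are validated so
    an out-of-range score cannot silently land in the wrong class."""
    if likelihood not in LEVELS or impact not in LEVELS:
        raise ValueError(f"likelihood and impact must be 1..5, got {likelihood}, {impact}")
    return likelihood * impact


def risk_class(level: int) -> str:
    """Map a level to the class band that contains it."""
    for low, high, name in CLASS_BANDS:
        if low <= level <= high:
            return name
    raise ValueError(f"level {level} is outside the matrix")


@dataclass
class Risk:
    name: str
    likelihood: int
    impact: int
    owner: str
    # Each treatment records (description, likelihood after, impact after).
    treatments: list = field(default_factory=list)

    @property
    def inherent_level(self) -> int:
        return risk_level(self.likelihood, self.impact)

    @property
    def residual_level(self) -> int:
        """Level after the most recent treatment; equals inherent level if none."""
        if not self.treatments:
            return self.inherent_level
        _, likelihood_after, impact_after = self.treatments[-1]
        return risk_level(likelihood_after, impact_after)


def acceptable(risk: Risk, appetite: str = "medium") -> bool:
    """A risk is acceptable when its residual class is at or below the appetite band."""
    order = [name for _, _, name in CLASS_BANDS]
    return order.index(risk_class(risk.residual_level)) <= order.index(appetite)


def prioritise(register: list) -> list:
    """Highest residual level first; ties broken by impact so rare but severe risks surface."""
    return sorted(register, key=lambda r: (r.residual_level, r.impact), reverse=True)


def build_sample_register() -> list:
    """Constructed sample data, not taken from any real organisation."""
    return [
        Risk("Ransomware on file server", likelihood=4, impact=5, owner="IT",
             treatments=[("offline backups and endpoint detection", 2, 4)]),
        Risk("Supplier late delivery", likelihood=3, impact=2, owner="Operations"),
        Risk("Key-person dependency in finance", likelihood=2, impact=5, owner="CFO"),
    ]


if __name__ == "__main__":
    for r in prioritise(build_sample_register()):
        print(f"{r.name:36} inherent={r.inherent_level:2} ({risk_class(r.inherent_level)})"
              f"  residual={r.residual_level:2} ({risk_class(r.residual_level)})"
              f"  acceptable={acceptable(r)}")
```

Run as a script, the register prints with the untreated key-person risk at the top (residual 10, class high, not acceptable against a medium appetite), followed by the ransomware risk, whose inherent level of 20 (critical) drops to 8 (medium) once the treatment is recorded. Keeping the inherent and residual levels side by side is what lets a Risk Manager show an auditor both the original exposure and the effect of the controls.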


Benefits

EQMS Risk Manager saves you time and money by allowing you to assess risks quickly, efficiently and consistently. Its workflow functionality enables you to assign responsibilities and set deadlines to ensure risks are dealt with promptly and never ignored. Your employees know exactly who's responsible for doing what when it comes to limiting risk, which in turn allows you to better demonstrate compliance.

 

What you should do now

If you'd like to know more about how EQMS Risk Manager can help your organisation manage risk easily, arrange a demonstration by clicking the following link.

Request your EQMS Software demonstration

Tags: Risk Management, Risk Based Thinking

What to expect with ISO 45001 – A new approach to risk

Posted by Marc Gardner on Wed, Sep 16, 2015

The incorporation of Annex SL into the ISO 45001 standard is a key driver towards the 'risk-based approach'.

If ISO 45001 follows in the same vein as the 9001 and 14001 standards, which is likely, then it'll be necessary to determine the risks and opportunities, plan actions to address them, implement the actions in occupational health and safety management system processes and evaluate the effectiveness of these actions.

Taking a risk-based approach ensures your organisation is proactive rather than reactive, preventing potentially damaging events and promoting improvement. Once a management system is risk-based, preventive action is automatic.

While risk is commonly understood to be negative, risk-based thinking allows for opportunities to be found – this is the positive side of risk. Analysing risks can often bring forth opportunities for improvement and enable businesses to make strategic decisions. A robust management system is itself one of the main ways an organisation addresses its risks and opportunities.

Determining risks and opportunities

Many professionals approach Qualsys for advice on how to determine risks and opportunities and the appropriate level of action to take to address them.

When planning for your occupational health and safety (OH&S) management system, you should identify the risks and opportunities you must address to:

  1. Ensure that your management system can achieve its intended result(s)
  2. Reduce any undesired effects as far as possible
  3. Achieve continual improvement.

Put simply, to determine risks and opportunities, you must first determine your organisation's objectives before you can identify potential events that may prevent you from achieving those aims.

Analyse and prioritise

ISO 9001:2015 and ISO 14001:2015 define a risk as "the effect of uncertainty on an expected result". It's highly likely that this definition will again be applied to ISO 45001. If this is the case, then it follows that:

  • an effect is a deviation from the expected – positive or negative

  • risks are about what could happen and what the effect of this happening might be

  • risk also considers the likelihood of an event occurring.

There are various methods of approaching ISO 45001 risk-based thinking; which method is appropriate is determined by the nature of your organisation.

In smaller organisations, it may be sufficient to simply provide appropriate records of risk-based thinking and to ensure control of business processes (e.g. regular reviews of documentation, clear sight of training and competencies, sufficient data for analysis and continual improvement).

In contrast, many busy teams in larger organisations use risk registers as a framework for assessing, evaluating and prioritising risks. Risk management software such as EQMS Risk Manager enables you to identify and assess risks looking at 'likelihood' and 'impact'. EQMS Risk Manager's workflow means you can assign responsibilities and set deadlines to ensure risks are dealt with rapidly and efficiently. EQMS triggers escalation to guarantee critical actions never go ignored.

Planning and implementing actions to address risk

Planning actions to address risks and opportunities can include:

  • avoiding risk
  • eliminating the risk source
  • changing the likelihood or consequences (likelihood and impact)
  • sharing the risk
  • retaining risk by informed decision
  • even taking risk in order to pursue an opportunity.

When doing your own planning, it's again imperative that you consider the context of your organisation. For example, the process of planning actions to mitigate a potential fault with a nuclear reactor at a power plant will be much more thorough and meticulous than planning actions to mitigate the risk of paper cuts.

Similarly, the risk presented by polluted air in a country with which an organisation has little trade or links is minor in comparison to the same risk in the country in which it mainly trades and operates. It's essential to understand your organisation and its strategic direction, as this will enable you to determine and address the associated risks.

Many organisations use risk management software such as EQMS Risk Manager to implement actions to address risks. EQMS Risk Manager enables you to create automated workflows for addressing risks, highlighting responsibilities and sending email notifications of various tasks to the relevant individuals. This ensures actions to address risks are completed via a closed-loop process.    

Check the effectiveness of the actions – do they work?

In simple terms, to check the effectiveness of your actions to address risk, you need to ask, "Do they work?". There are various methods you can employ to do this, including:

  • Audits and internal reviews
  • KPI analyses
  • Project evaluations

One important aspect of this checking involves having the right data available to make informed decisions. By improving how you aggregate risk data, you can strengthen your capability in making judgements about risk. This leads to gains in efficiency, reduces the chances of loss events occurring, and enhances your strategic decision-making.

Many organisations are now employing KPI dashboards such as EQMS Dashboard to provide instant access to real-time management information. With an overarching view of key performance indicators that are determined by management, organisations can track performance in critical areas and make informed decisions.

Instant access to risk assessments, audit reports, customer complaints, non-conformance and CAPA statuses and document notifications give you the ability to 'take the temperature' of your organisation, carry out trend analysis and demonstrate that you are operating a 'culture of compliance'.

Moving forward

The ISO 45001 standard will likely encourage organisations to build risk management into their entire management system.

With risk-based thinking, you're able to adopt a risk-based approach to improve customer confidence and satisfaction, and to establish a proactive culture of prevention and improvement.  With such explicit benefits, this can only be seen as an opportunity and a step in the right direction.

 

What you should do now

Download the EQMS Datasheet Pack to learn more how EQMS Risk Manager can improve your approach to risk management.


Tags: Risk Based Thinking, ISO 45001

Friday Feature – Mistakes Can Cost the Earth... and Pay for Space Flight

Posted by Alastair Atcheson on Fri, Jul 17, 2015


Human error, fraud, and badly managed budgets cost businesses billions of pounds every year. Although these losses may be small on an individual scale, they can add up astronomically.

Understanding loss is often much more tangible when it is put in perspective. For example, how much do businesses lose compared to the total cost of sending a spacecraft to the most distant planet in our solar system?


Putting a Price on Pluto

This week, NASA’s New Horizons mission to Pluto showed us an entirely new world. The probe revealed giant ice mountains, craters and huge valleys on the surface of Pluto and its moons, all for a fraction of the cost of some costly business errors.

The total cost of the New Horizons mission was around $700 million, or about $46.7 million per year for the 15 years it took scientists to design, build and fly the probe to a distant speck 3 billion miles away.

While that may sound like a lot, it looks like money-well-spent compared to some of these costly errors.


1. Improper Medicare payments cost the American government nearly 1000 times as much each year as New Horizons

In 2013, ‘improper payments’ consisting of overpayments, payments sent to the wrong people, and fraud, cost the US government $45.7 billion. To put that in even better perspective, the government spends less than $20 billion on NASA every year.


2. Annual payments to dead federal workers cost more than the Pluto mission’s annual spend

$84.7 million was paid to federal workers who had already died by the government’s Office of Personnel Management in 2013. That’s nearly double New Horizons’ annual spend.



3. NASA previously lost a Mars orbiter craft by mixing up metric and imperial

NASA’s impressive budget handling had no doubt been influenced by previous mistakes, like the time it lost a $125 million orbiter craft in space by failing to ensure that everyone involved was using the same system of units.

In 1999, software from Lockheed Martin in Denver reported the Mars Climate Orbiter’s thruster firings in imperial units (pound-force seconds), while the navigation software at NASA’s Jet Propulsion Laboratory in California expected metric units (newton seconds). Nobody checked that the two sides agreed, the trajectory calculations drifted with every correction, and the craft was lost as it arrived at Mars.


As you can see, organisations face a huge range of variables when it comes to managing and minimising loss. While it is impossible to predict and prevent every area of loss, the first step to ensuring that your organisation has maximum control is to implement the proper management systems.

EQMS software consolidates and integrates governance, risk management and compliance initiatives across your organisation with a single solution. EQMS tools manage your policies, audit programme, risk assessments, incidents, accidents, business issues and more.

No longer will your team be mixing up measurements, sending payments to the wrong people, or losing probes in space. While that last one may not strictly apply to your business, effective management systems are vital to minimising loss and improving efficiencies.

Ensure that mistakes don’t cost your organisation the Earth! Learn more about EQMS software with our datasheets here, or follow the link below.

 

ISO 9001 Software


Picture credits:
www.news.discovery.com
www.sporcle.com


 

Tags: Risk Management, Risk Based Thinking

ISO 9001:2015 – The CQI's Richard Green on 'Risk and Opportunities'

Posted by Alastair Atcheson on Thu, May 28, 2015

Risk is a concept that many people naturally assume is something bad; ‘That’s a bit risky, are you sure you want to risk that?’ However, the upcoming changes to ISO 9001 will require businesses to move away from this perception and instead view risk as ‘risk and opportunity’.


As part of his presentation on clarifying the jargon of ISO 9001:2015 (see the full webinar here), The Chartered Quality Institute’s Head of Technical Services, Richard Green, discusses the definitions of risk and how organisations should approach the increased focus of risk in ISO 9001:2015.

 

Why Watch?

In this segment, Richard defines risk as ‘the effect of uncertainty’ that can be ‘positive or negative’. A universal definition of risk is still a hot area of debate and has yet to be settled.
Annex SL does not prescribe a risk management methodology, but it does require companies to:

  • determine their risks and opportunities
  • plan and take actions to address them


While many companies will already approach risk similarly, Richard argues that the bulk of the work to come stems from organisations’ general focus on risk alone, rather than on both risk and opportunity. However, you have the freedom to do this in any way that works for you, as long as you determine and plan.

 

 

See the Full Webinar!

Receive one hour’s worth of IRCA CPD points by watching the full 25 minute presentation here and completing a summary questionnaire on the topics covered. Correct submissions will be sent a PDF certificate confirming CPD points from IRCA. Richard’s presentation covers the essential changes to ISO 9001:2015 and was recorded at the annual EQMS User Group in April 2015.

 

ISO 9001 Changes IRCA Webinar

 

Tags: CQI, ISO 9001:2015, Risk Management, Events, Risk Based Thinking

ISO 9001:2015 revision explained: Risk-based thinking

Posted by Alastair Atcheson on Wed, Feb 11, 2015

The revised ISO 9001 standard has moved away from what it called "preventive action" towards a "risk-based approach". Preventive action was found to be lacking when it came to driving change and continuous improvement. The risk-based approach is likely to be much more effective in allowing organisations to become stronger, fitter businesses.

Taking a risk-based approach means:

  • Determining the risks and opportunities
  • Planning actions to address them
  • Implementing them in a quality management system
  • Evaluating their effectiveness

All this ensures your organisation is proactive rather than reactive, preventing potentially damaging events and promoting improvement. Once a management system is risk-based, preventive action is automatic.

Though we commonly understand risk to be negative, risk-based thinking has a more positive slant in that it provides opportunities for improvement and enables businesses to make strategic decisions. Applying a robust quality management system is another important aspect.

"Quality management is currently going through a state of metamorphosis," says Kate Krachai, director of leading quality management consultancy Quality Context. "Quality professionals must change the opinion of those in organisations that view quality as simply improving compliance. It's more than that – it can empower a business by reducing risk. Even better, a good quality management system not only enables you to reduce risk, but also take risks.

"Reducing risk to take more risks may sound counter-intuitive, even paradoxical, but that’s where the power of quality can be. By considering compliance risks you can drive a business forward by giving it the power and control to take educated risks."

Determining risks and opportunities

But how do you determine your risks and opportunities and the appropriate level of action to address them?

Well, you need to determine your objectives before you can identify things that might get in the way of you achieving them.

You must consider:

  • Issues that may affect your organisation's values, culture, knowledge and performance
  • How these issues may impact your ability to deliver products and services that meet customers' needs and any regulations that may apply
 
Look at them both from an internal perspective – strategies to achieve your policies and objectives; your relationship with your staff and stakeholders (including partners and suppliers) – and an external perspective – issues arising from political, economic, social and technological changes within the sector.

 

Analysing and prioritising your risks and opportunities

ISO 9001 defines a risk as "the effect of uncertainty on an expected result". So:

  • an effect is a deviation from the expected – positive or negative

  • risks are about what could happen and what effect it might have

  • risk also considers the likelihood of an event occurring

Though the revision to ISO 9001 doesn't formally say you must do a full risk assessment or maintain a risk register, it does say you must monitor, measure, analyse and evaluate the risks and opportunities. There are various methods to approaching risk-based thinking – which method is appropriate to you is determined by the context of your organisation.

In smaller organisations, it may be sufficient to simply provide appropriate records of risk-based thinking and to ensure control of business processes (e.g. by regularly reviewing documentation, keeping clear records of training and competence, recording sufficient data for analysis and continual improvement).

In contrast, many busy quality teams in larger organisations use risk registers as a framework for assessing, evaluating and prioritising risks. Risk management software such as EQMS Risk Manager enables you to identify and assess risks looking at 'likelihood' and 'impact'. EQMS Risk Manager's workflow functionality allows you to assign responsibilities and set deadlines to ensure risks are dealt with rapidly and efficiently. EQMS triggers escalation to guarantee that critical actions never go ignored.

 

 

Planning and implementing actions to address risk

Planning actions to address risks and opportunities can include:

  • Avoiding risk
  • Eliminating the source of the risk
  • Changing the likelihood or consequences (likelihood and impact)
  • Sharing the risk
  • Retaining risk by informed decision
  • Even taking risk to pursue an opportunity

When you're planning your own actions, again, you must consider the context of your organisation. Planning actions to mitigate a potential fault with a nuclear reactor at a power plant will be much more thorough and meticulous than if you were mitigating the risk of the wrong sandwiches being ordered for the staff vending machines.

Similarly, the risk of an economic downturn in a country with which your organisation has little trade or links is minor compared to a recession in the country in which you solely trade and operate. Understanding your organisation and its strategic direction is essential if you're going to determine and address the associated risks.

Many organisations use risk management software such as EQMS Risk Manager to implement actions to address risks. EQMS Risk Manager enables you to create automated workflows for addressing risks, highlighting responsibilities and sending email notifications of various tasks to the appropriate employees. This ensures actions to address risks are completed via a closed-loop process.

Checking the effectiveness of the actions – do they work?

In simple terms, checking whether actions to address risk are effective means asking "Do they work?". There are various ways you can do this, including:

  • Audits and internal reviews
  • Analysing KPIs
  • Project evaluations

One important thing to bear in mind is making sure you have the right data available to make informed decisions. By improving how you aggregate risk data, you can make much stronger, better judgments. And this leads to you becoming more efficient, making fewer losses, and ultimately increasing profitability.

Many organisations now employ KPI dashboards such as EQMS Dashboard so they can have real-time, instant access to management information. Having an overarching view of the key performance indicators you've set, you can track your performance in critical areas and make informed strategic decisions.

Instant access to risk assessments, audit reports, customer complaints, non-conformance and CAPA statuses and document notification confirmations gives you the ability to 'take the temperature' of your organisation, analyse trends and demonstrate that your organisation has a 'culture of compliance'.

Moving forward

The concept of risk has always been implicit in ISO 9001 and many organisations take a risk-based approach intuitively. But the 2015 revision of the standard makes it more explicit and encourages organisations to build it into their entire management system.

Business risks are ever-growing worldwide, reflecting widespread political, economic and social uncertainties. ISO 9001:2015 makes it mandatory for you to adopt a risk-based approach, so that you improve customer confidence and satisfaction, assure a consistency of quality of goods and services, and establish a proactive culture of prevention and improvement. Every organisation should see risk-based thinking as an opportunity and a step in the right direction.

 

What you should do now

Download our datasheets to learn more about how our EQMS software can help your organisation adopt a risk-based approach.

 


 

Tags: ISO 9001:2015, Risk Based Thinking

Audit, risk and document management [Webinar slides]

Posted by Michael Ord on Fri, May 03, 2013

Qualsys recently hosted a webinar where quality managers from across the globe joined us to explore the EQMS system capabilities and to answer questions. To download the webinar slides please click on the image below. 

 

EQMS Webinar Slides

 

 

Thank you to those who attended our first public (free) webinar of the year; we had people from the US, Ireland, UK and Russia.

For those who missed it, I was joined by Simon Wells, EQMS Training Manager, who gave an overview of the exciting new features for

  • EQMS Audit Manager - schedule audits, checklists, findings, reporting
  • EQMS KPI Dashboard 
  • EQMS Document Manager - SharePoint, Outlook and Office Add-ins
  • EQMS Risk Manager

Simon also shared best practice tips and shortcuts in what will be a monthly 'buffet' style webinar: a 30-minute look at the EQMS product, quality management issues, and lessons from the many corporate clients that Simon's team trains each month.

Download EQMS Webinar slides - April.pdf

 

Simon Wells, Qualsys Training Manager
 

The next free webinar will be on Wednesday 29th May at 13:00 GMT.

It will focus on:

 

 

Attend Free Webinar

Tags: Quality Management Software, Audit Management Software, Document Management, Risk Based Thinking