Risk lurks in every nook and cranny of a business - and there is increasing pressure from standards like ISO 9000 and 31000 for senior management teams to address it.
Yet a 2017 Qualsys survey revealed that 67% of quality professionals believe that their leadership team is completely disengaged with governance, risk and compliance management. Worse still, most businesses aren’t currently using any formal risk assessment process.
Nothing grabs the headlines like a good business disaster - think of Volkswagen's $30 billion emissions scandal, Uber's hacker breach or KFC's chicken shortage.
So how can businesses embed the risk-based thinking they need into their daily operation?
1. Get everyone in the business to own risk
Identifying risk comes first, and it is not something any one person can simply know. Risk exists in every area, site and department of a company, from finance and production to information security and suppliers. Examples include:
- Mergers and acquisitions
- Reputational damage
- Counterparty risk
- Market competition
As such, no one person can pinpoint risk on their own. Different areas of a business operate differently and can be stronger or weaker in their management of risk.
Nor should a risk assessment be a one-off: “our office is in a flood risk area, so if there is heavy rain it might flood, forcing us to shut down.” As business processes change, new risks are constantly being introduced - so looking at risk should be a routine.
Onboarding a new supplier? Introducing a new IT system? Updating a financial policy? They all bring risk, and every employee connected to those areas should consider how. Risk assessment should be a constant, flexible process encompassing everyone in your business.
Human error can strike anywhere, even in the largest and most complex of enterprises. In 1999, NASA's $125m Mars Orbiter probe entered the orbit of Mars 100 kilometres too close to its surface and was destroyed - because its attitude control system used imperial measurements, while its navigation software used metric. A costly, so-called 'schoolkid blunder' might have been averted had more eyes been on the case.
Implementing a robust system collating input from everybody is a valuable way of strengthening your risk assessment and gathering a comprehensive picture of the full gamut of risk - what mistakes might be made, what uncertainties can impact your objectives, and how to manage and minimise them. Just because a particular risk hasn’t happened yet, it doesn’t mean it won’t.
2. Implement an integrated risk management system
So you’ve asked your staff to consider and identify risk areas. But how do you quantify each risk and assess how to respond to them? You’ve probably seen a risk assessment matrix like this before, where risks are assessed by severity and likelihood:
The standard matrix is an effective, if simplistic, tool for risk assessment. Knowing what to do with risk information is another thing entirely; new standards and regulations are demanding increasingly sophisticated, specific and comprehensive risk programs, while giving businesses flexibility to determine their own processes.
The 2015 iteration of ISO 9001 prescribes 'risk-based thinking', with preventative actions and input from senior management, while the ICO mandates a privacy-risk-specific Privacy Impact Assessment (PIA) to comply with the EU’s upcoming GDPR regulation.
Because of this, understanding how to assess and manage specific risks in compliance with various frameworks and the context of your organisation takes time and consideration.
Some businesses are more risk-averse than others and have a lower ‘risk appetite’. Some appreciate resources like gap analysis templates and risk management software as effective tools for risk management. Others employ methods like the Delphi technique or SWOT.
Take the opportunity to do your research and consider what external support you can draw on.
Whatever process you map out for risk control, some key elements include:
- Auditing, auditing, auditing. 'Taking the temperature' of your business at frequent intervals with internal audits allows you to see how risks are being addressed and managed.
- Fine-tuning responses. Don’t wait for a risk to mature - ensure CAPA processes are already in place. When something does go wrong, your team can respond quickly and intuitively.
- Delegating responsibility and making sure skill gaps are plugged. Your staff should know what is expected of them, and how. An airtight workforce will have a lower incident rate and a faster risk remediation time.
- Looking for standard commonalities. New ISO standards share the Annex SL high level structure, giving them similar risk management themes and values. Targeting these core areas avoids duplication of efforts and allows risk management to be rapidly implemented. One Qualsys customer, Aberdein Considine, used this approach to achieve four ISO standards in less than a year.
3. Measure risk opportunities
Lastly, you should avoid seeing risk as a purely negative phenomenon. As well as asking, “what could go wrong?”, ask, “what uncertainties might present opportunities?” Risks and opportunities are really two halves of the same coin: uncertainty.
- A project might be budgeted for - and come in above or below target.
- An inbound marketing campaign might aim to increase website traffic - and bring in absolutely nobody, or so many people that your website crashes.
- A new product might flop, or completely swamp production with high demand.
The common thread is uncertainty; the difference is that positive risk presents opportunity, while negative risk demands redressing. By planning for positive risk as well - what to do with those unspent funds, how to tweak your website to cope with more visitors, what production contingency plans you can put in place to cope with demand - you are not only encouraging optimism as well as caution, you are prepared for any eventuality. And your business will be stronger, healthier and more prepared because of it.
What to do next
Unsure how to start tackling risk?
Our free ISO 31000 toolkit contains a range of resources to help you get to grips with the risk management standard.
Qualsys are also hosting a full-day interactive risk management workshop at our Sheffield office on 22 March. Delegates will learn how to:
- Drive and embed risk-based thinking across their business
- Apply risk standards like ISO 31000 to their processes and practices
- Build a robust risk management system around core risk principles using tried and tested tools and templates
- Engage team members to identify and manage risk