Risk at present is very popular. More of different Management Standards are now incorporating Risk as part of their requirements. The reason is that it is a more robust and auditable requirement to assist Improvements than the traditional “Preventative Action”, which companies have often struggled to demonstrate compliance. Too often with smaller Organisations, they are regularly implement improvement activities, but do not have a systematic method to show to external Assessors.
Risks comes in many different forms and Management Standards
API Q1 & API Q2 – Risk relating to Product Quality & Delivery
ISO 9001 upgraded Standard – Risk of not achieving Customer Expectations
ISO 45001 – Risk of injury or ill health
ISO 14001 – Risk of Pollution and reducing the Environmental impact of the businesses operations
ISO 27001 – Risks to the Information handled by the Business
The problem with Risk assessments is that
They are subjective. This is often driven by previous experience
They are an Analysis tool, rather than an end in themselves
They depend on the Starting point. The initial requirements determine the result. For example if the starting point is Health and Safety, then the results will be considering safety issues
The advantage of the Risk approach
Ongoing so as actions are taken or circumstance change, then the Risk register can be modified.
Prioritise areas and actions
Are any of these Risks more important than others? Yes – their impact will vary depending on circumstances and No – they all will affect most Businesses
How should Risks be documented? Whilst there are preferences, the important requirement is that there is a clear methodical method, whose outcome is a priority list of Mitigation and Controls to better manage the Risks. Do the results satisfy the common sense test? What is more important – the minor problem that recurs frequently or a major problem that is very infrequent.
Accept that there will be occurrences that have not been included in the Assessment – like Earthquakes in Lincolnshire or Tornados in Birmingham. Instead look at the impact on the Business – damage to Building, disruption for key staff, etc.
Accept that there are Risks. One Client said that he had been concerned that the “Sky fall down on him” – It has not fallen yet, so far so good
Risk Assessments & Risk Management are not ends in themselves. They are only as good as the resulting Actions
Risk Management is fundamentally making Businesses more Resilient.
For more information on managing risks contact Charter 4 today.