What is Risk Management in a Quality Environment?

Corey Hannan
4 min read · Jan 20, 2021

There are terms which are almost ubiquitous at work and that have so many meanings to so many people that they lose all definition. Risk is one of those words. So, when we talk about risk management and risk-based thinking, what do we actually mean? The ISO standard created specifically for risk management (there is one for everything — see ISO 13289:2011 Recreational Diving Services — Requirements for the Conduct of Snorkeling Excursions), ISO 31000:2018, defines risk as “the effect of uncertainty on objectives”. It is important to note that there is no value judgement assigned to that definition; risks can have both positive and negative impacts. ISO 9001:2015, the general management standard, incorporates this concept by defining uncertainty with potentially positive outcomes as opportunities, while reserving the term risk for uncertainty with the potential to result in negative effects. The most important thing to remember when considering both risks and opportunities is that these are events which have not yet occurred; risk management refers to preventive actions taken to avoid potential negative effects, or to capitalize on opportunities, not to responding to negative events which have already happened.

So, if risk management is a preventive exercise, how do we identify risks? Generally, there is a tendency to take items identified during a SWOT analysis as weaknesses or threats and to simply apply to them the label of risk. This is not going to be 100% accurate, particularly with weaknesses. In many cases weaknesses or threats can be contributing factors to uncertainty, which may expose an organization to risk, but the identified items may not be risks, properly defined, in and of themselves. The true measure of whether something is a risk is being able to apply one question: Does this result in uncertainty in our operation/organization/project/process/service? Using this principle requires the willingness and ability to zoom out of day-to-day work and operations in order to consider the future impact of a potential course of action. Once a risk has been identified, to have any value it must also be quantifiable. Quantifying risks has three basic components: the potential impact, the likelihood of the risk being realized, and a determination of whether the risk is actionable. Whether or not it is actionable has a huge impact on whether steps ought to be taken to address a risk. There are some things that are both extremely likely to happen at some indeterminate point in the future and that would have catastrophic impact on a business were they to do so (e.g. a Chicxulub-class asteroid impact, a Yellowstone caldera eruption, etc.), but factoring these events into your risk management system would be neither feasible nor helpful.

Identifying and quantifying risks has value if and only if one has a system in place to respond to them. That response is a three-fold process. The first step is prioritizing. For a newly implemented risk management system, that means defining three items: criteria for response, objectives, and timelines. Defining criteria for response requires establishing thresholds for initiating a formal mitigation effort, taking into account likelihood and potential impact. Establishing objectives requires defining what success in responding to risks looks like, both generally and on a case-by-case basis. Defining timelines requires setting expectations for when mitigation plans will be developed and delivered. Once risks have been prioritized, a proper mitigation plan can be drafted. At a minimum, these plans should document the risk, establish the mitigation strategy, and identify the party responsible for ensuring its execution. This fits neatly within the already established infrastructure of the CAPA (Corrective and Preventive Action) program, should your organization have one (and it should). Once a plan is in place, the final step in the response is to execute.

Once a plan has been drafted and executed, a final, crucial step remains: evaluating its effectiveness. You have to establish guidelines for accountability relating to risk mitigation, and in particular design some sort of response or escalation mechanism for unsuccessful mitigation efforts. When those guidelines are established, you can focus on identifying measurements and metrics and creating or adapting a reporting vehicle for delivering that information to key decision makers. This final step will allow the organization to move beyond simply responding to individual risk items; it will allow you to begin fostering an operational culture centered around risk-based thinking and risk accountability.

Ultimately, risk-based thinking is a key component in the pursuit of continuous improvement. By building a system based on identifying potential negative impacts and taking steps to eliminate or mitigate them ahead of time, an organization can put itself in a position to proactively chart a smooth course instead of relying on reacting to events and implementing knee-jerk solutions on the fly. Cliché as it may be, this is a clear demonstration of the concept that an ounce of prevention is equal to a pound of cure.

Corey Hannan

Mr. Hannan is a quality professional focused on the design and implementation of quality management systems in small businesses in a variety of industries.