Management system guidance
ISO Navigator Pro™ is a free tool that provides practical, expert guidance for businesses wishing to interpret and better implement the requirements of ISO 9001:2015, ISO 14001:2015 and ISO 45001:2018.
6.1 Actions to address risks and opportunities
6.1.1 Determine the risks and opportunities to be addressed
The risks and opportunities should be relevant to the context of your organization (Clause 4.1), as well as to any interested parties (Clause 4.2). You should ensure that your organization has applied its risk identification methodology consistently and effectively.
Although risks and opportunities have to be determined and addressed, there is no requirement in ISO 9001:2015 for a formal, documented risk management process or risk matrix. Confirm that your organization has a methodology in place that enables it to effectively identify risks and opportunities with respect to the planning of its management system. Reference to risk-based thinking is present in the following clauses of the standards:
- Determine and address risks (Clause 4.4.1);
- Promote risk-based thinking (Clause 5.1.1);
- Ensure risks determined and addressed (Clause 5.1.2);
- Determine risks that need to be addressed to achieve intended results (Clause 6.1.1 - this page);
- Plan actions to address risks; integrate into processes; evaluate effectiveness of actions (Clause 6.1.2 - this page);
- Control those risks identified (Clause 8.1);
- Evaluate effectiveness of actions on risks (Clause 9.1.3);
- Review effectiveness of actions on risks (Clause 9.3.2);
- Improve the quality management system responding to risk (Clause 10.3).
What process has been developed to identify risks and opportunities?
In the absence of documented processes or procedures, you may need to use observations and interviews (and a review of the process output, which may contain documented evidence) to determine whether or not undocumented processes are being carried out as planned.
External and internal issues, and relevant needs and expectations of relevant interested parties may be sources of risks. Objective evidence may be in the form of a dedicated risk matrix, risks added to other forms such as an aspect register, corrective action log and forms, etc.
All management system processes represent differing levels of risk in terms of your organization’s ability to meet its objectives. For this reason, the consequences of failures or non-conformities in relation to processes, systems, products and/or services will not be the same for all organizations.
Risk and opportunity register
While not mandated by ISO 9001, ISO 14001 or ISO 45001, risk and opportunity registers can help identify and record the risks and opportunities facing different areas of the business; identifying risk is a critical step in managing it. Risk and opportunity registers allow your organization to assess risk within the overall context of your organization, and help to record the controls and treatments of those risks. Risk and opportunity registers can be developed in tiers:
- Strategic level - risks and opportunities associated with the local, regional, and global economic, social, political, cultural, regulatory and competitiveness, key stakeholder strategies or strengths and weaknesses in attaining objectives.
- Operational level - organizational structure and culture, existence of any operational constraints, business resilience vulnerabilities, issues relating to recent change management, stakeholder community concerns, regulatory and contractual requirements and constraints.
- Process level - stability of I.T. systems, human error, measurement and inspection failures, environmental or workplace safety, mechanical failure, process quality, internal controls and compliance errors, ineffective processes with poor performance metrics, or process controls not functioning.
The risk and opportunity register or risk log becomes essential as it records identified risks and opportunities, their severity, and the actions and steps to be taken. It can be a simple document, spreadsheet, or a database system, but the most effective format is a table. A table presents a great deal of information in just a few pages. As the register is a living document, it is important to record the date that risks are identified or modified. Optional dates to include are the target and completion dates. Columns in the register can include:
- Description of the risk;
- Risk Type (business, project, stage);
- Likelihood of occurrence which provides an assessment on how likely it is that this risk will occur;
- Severity of effect which provides an assessment of the impact that the occurrence of this risk would have on the project;
- Countermeasures and actions taken to prevent, reduce, or transfer the risk. This may include production of contingency plans;
- Risk owner who is responsible for ensuring that risks are appropriately engaged with countermeasures undertaken;
- Current status of whether this is a current risk or if risk can no longer arise and impact;
- Other columns such as quantitative value can also be added.
Risk and opportunity identification
Risk identification should be carried out with the full involvement of the relevant parties to ensure that the relevant perspectives and expertise are represented (e.g. appropriately qualified representatives from various functions, contractors, stakeholders, suppliers and specialists, as appropriate).
Risk and opportunity identification is a critical activity at both a strategic and operational level. It needs to include all significant sources of risk, including those beyond your organization’s control. If a risk, threat, or opportunity is not identified, there can be no strategy to address it.
The objective of this step is not to create an onerous and lengthy list of all possible risks, but to identify all significant risks that could impact your organization. Risks and opportunities are identified through the use of:
- Workshops and focus groups, using brainstorming approaches;
- SWOT Analysis Template to identify and analyse strengths, weaknesses, opportunities and threats;
- PESTLE Analysis Template to identify and analyse external context issues from local, regional, national and international perspectives;
- Context & Interested Parties Analysis matrix to identify and list the needs and expectations of any interested parties and the risks or opportunities arising from them;
- Interviews with respective management;
- The intranet as a means of reporting incidents or risks for consideration.
6.1.2 Plan the actions needed to address the risks and opportunities
When deciding how to plan and control the management system, including its component processes and activities, your organization needs to consider both the type and level of risk associated with them. Ensure that your organization is taking a planned approach to addressing risks and realizing opportunities, and that any actions taken have been recorded. Options to address risks and opportunities can include:
- Avoiding risk;
- Taking risk in order to pursue an opportunity;
- Eliminating the risk source;
- Changing the likelihood or consequences;
- Sharing the risk;
- Retaining risk by informed decision;
- SWOT analysis by the organization as part of its business strategy to identify the external risks and opportunities and action plans to address them;
- Formal business risk assessment performed by the organization, taking into consideration its context, associated risks and opportunities, and mitigation plan;
- Use of the process approach by the organization to identify sources of input, activities, output, receiver of output, performance indicators to control and monitor processes, the risks and opportunities associated with them and action plans to address them.
Formal business risk assessment performed by the organization, taking into consideration its context, associated risks and opportunities, and mitigation plan. The use of the process approach by your organization to identify sources of input, activities, output, end-user/customer, performance indicators to control and monitor processes and the risks and opportunities associated with them, and action plans to address them:
- Meeting minutes;
- SWOT and/or PESTLE analysis;
- Planning, analysis and evaluation activities;
- Risk determination or evaluation records.
Risk management methodology
Understanding the risks and managing them appropriately will enhance your organization’s ability to make better decisions, safeguard assets, and enhance your ability to provide products and services and to achieve your mission and goals.
By considering risk throughout your organization, the likelihood of achieving stated objectives is improved, output is more consistent and customers can be confident that they will receive the expected product or service. Risk-based thinking therefore helps to:
- Improve customer confidence and satisfaction;
- Assure consistency of quality of goods and services;
- Establish a proactive culture of prevention and improvement;
- Intuitively take a risk-based approach.
We suggest that you use the familiar Plan-Do-Check-Act (PDCA) methodology to manage your organization’s transition to risk-based thinking; using an approach that ring-fences processes into ‘risk themes’ or groups such as:
- Business planning and strategic direction;
- Process risk;
- Product and service risk;
- Risk associated with the control of externally provided product and service.
Risk and opportunity assessment
Assessment of the severity of a risk drives management attention and supports planning for risk mitigation. A qualitative risk assessment scheme consisting of qualitative probability and impact scales is used to ensure consistency. Ensure that all accountable managers engage with risk owners to:
- Identify the control measures already applied to each risk i.e. existing control measures. These may be pro-active (reducing the probability) or reactive (reducing the impact);
- Rank the probability and impact of each risk after taking into account the actual effectiveness of the existing control measures;
- Enter the existing control measures and the associated current risk probability and impact scores into the risk and opportunity register.
Forecast probability, cost and time data is assessed for each risk based on the causes and effects described, taking into account the existing controls and active responses. Probability or likelihood estimations are established giving due consideration to the effectiveness of existing control measures. Consequences are evaluated against criteria covering potential financial loss, reputation impact, health and safety, legal and regulatory compliance, and management time and effort.
Risk assessments are undertaken to provide an improved understanding of the risk profile and derive a more detailed understanding of certain cost and time risks. Forecast probability, cost and time data is assessed for each risk based on the causes and effects described, considering the existing controls and active responses.
Risk treatment and mitigation
The objective of this step is to identify how the identified risks will be treated. Risk treatment involves identifying the options for treating each risk, evaluating those options, assigning accountability (for Very High, High and Moderate residual risks) and taking relevant action.
For each risk, the risk owner must establish an appropriate level of treatment. Control measures in addition to those already existing may be needed to achieve this level of mitigation. Accountable managers should engage with risk owners to develop a satisfactory response to each risk in order to:
- Identify a response strategy to treat, terminate, tolerate or transfer the risk;
- Identify response actions to improve control measures as required. These will be SMART;
- Identify a response action owner for each action and confirm with them that they accept accountability for implementing the action within the time allowed.
The risk owner is responsible for the development of the response. When a response action is completed, the risk should be reassessed to reflect any newly introduced control measure.
Continuous, systematic and formal monitoring of the implementation of the risk and opportunity process and its outputs takes place against appropriate performance indicators to ensure process compliance and effectiveness. Monitoring takes a variety of forms and ranges from self-assessment, inspections and internal audits, to detailed reviews by independent external experts.
On occasion, it may be appropriate to escalate a health and safety risk to ensure it is assessed and/or managed by the person or party best placed to do so (able and with appropriate authority). For example, a need for a more substantial or coordinated response than the current risk owner can authorise or implement will justify higher-level assessment and/or management, as appropriate:
- Escalate through established lines of management accountability all hazards and risk that may require mitigation;
- This may take place during formal reviews, or through other simple mechanisms at management meetings;
- Issue reports in accordance with requirements;
- Provide key information such as statistical data on numbers of active hazards, unassessed risks, overdue actions, and others as appropriate.
Your organization recognizes an ‘opportunity’ as a set of circumstances which makes it possible to leverage positive factors and attributes, for example:
- Develop new products, services and processes;
- Develop new markets, or increase market share;
- Improve the work environment;
- Improve productivity;
- Improve operational efficiency (reduction of resource use, reduction of waste, etc.).
Opportunities may be identified as positive effects of risks; as in a risk forcing implementation of a risk reduction measure that is beneficial in a broader context than just reducing a particular risk. For example, health risks may require measures to improve working environment.
However, these measures also create opportunities to attract and retain better qualified employees, improve morale and job satisfaction, and reduce turnover; and so, the initial health risk creates positive opportunities to improve the overall job satisfaction.
Check that any actions taken to address the risks and opportunities are recorded, and ensure that each action was effective at addressing the issue and was proportionate to the risk or opportunity. Objective evidence could be in the following forms:
- Meeting minutes;
- SWOT analysis;
- Reports on customer feedback;
- Competitor analysis;
- Quality manual;
- Brain-storming activities;
- Planning, analysis and evaluation activities;
- Strategic planning documents;
- Design and development reviews;
- Marketing and sales data;
- Production inspections and service reviews;
- Corrective actions;
- Non-conformance reports;
- Management review minutes;
- Risk determination or evaluation records.