COVID-19 has highlighted the importance of implementing a preemptive approach to risk management. In this article, we look at why risk-based thinking is vital for forward-thinking businesses.
ISO 9001 is the world’s most recognizable standard for a quality management system (QMS). It enforces confidence in an organization’s ability to consistently supply products and services to a uniform standard. This is achieved by controlling processes within the organization, and an important aspect of that control is the introduction of risk-based thinking throughout the entirety of the QMS.
Adverse risk events, such as COVID-19, demonstrate the importance of adopting a risk-based way of thinking. Unpredictable, negative events can significantly reduce a company’s ability to deliver consistency. Without risk-based thinking at the heart of a QMS, an organization is always reacting to an event, rather than proactively anticipating it. A system that is reacting will be delayed and disrupted, but an organization that has adopted proactive behaviors will already have processes in place to mitigate the negative impact of the event.
Unlike previous iterations of ISO 9001, which separated preventative actions into their own clause, the latest version – ISO 9001:2015 – ensures they are part of every facet of the organization. This is because risk-based thinking is key to achieving continual improvements within the QMS.
It is easier to start by defining what risk-based thinking is not. It is not:
Instead, risk-based thinking is a systematic and organic process for the integration of risk management thinking into an organization. It is all-encompassing and continual.
Businesses are not single, linear structures. It is therefore important for risk-based thinking to be introduced in a way that links all aspects of the organization. The level of complexity that risk-based thinking needs to encompass will depend on the size and structure of the business.
An Enterprise Risk Management (ERM) structure is pertinent for the highest levels of the organization. It must be developed and implemented at a strategic level and it must be capable of identifying risk in all aspects of the business. It must also remain focused on adding value to the business.
The ISO 31000 family of standards provides an up-to-date framework for companies wishing to implement risk management processes. The standards aim to create and protect value within an organization by providing a framework for managing risk, making decisions, setting objectives, and improving performance.
At the simplest level, a risk matrix can be developed that incorporates a list of risks.
To achieve maximum efficacy, risk-based thinking must be promoted from the top down, encompassing everything from high-level strategic planning to functional processes. In theory, this should not be difficult because, as individuals, we all employ risk-based thinking all the time. The difficulty is that businesses often become stultified in their thinking, and this creates reactive tendencies.
A simplified strategy for implementing risk-based thinking should include:
It is important during implementation to ensure strategy and practice are aligned. This will increase opportunities and positive outcomes, while optimizing resource management and enhancing long-term viability.