In short, yes. It doesn’t matter who you are or where you sit in an organization, EVERYONE is responsible and accountable for risk-based thinking.
Businesses today face increasing levels of complexity and risk. Organizations are under pressure to deliver profitable business outcomes while operating in a socially and environmental responsible way.
According to a study conducted in 2019 by the American Institute of Certified Public Accountants, 59% of respondents perceived a significant increase in the volume and complexity of risk for their business in the last five years.
The modern management systems Standards, like ISO 9001, ISO 14001 and ISO 45001, define risk as “the effect of uncertainty.” This is understood in relation to achieving planned or expected business outcomes and goals. Under the Annex-SL structure, risk incorporates both negative risks and positive risks, or opportunities.
To remain competitive, businesses MUST incorporate risk-based thinking across the entire organization. It’s not just the responsibility of the quality manager, or individual process owners. Leadership sets the tone for risk identification and management during the strategic planning cycle.
So, what is risk-based thinking and how do you enable a risk-based thinking culture?
Risk-based thinking brings a systematic approach to managing and controlling risk. It’s something we all do automatically, and quite often, sub-consciously. As an example, consider the drive you take to get to and from work. While you’re driving, you are considering what speed you need to go, which roads will get you there the fastest as well as actioning on any hazards you encounter on the road.
Risk-based thinking highlights the critical topics and issues that an organization must address. It also helps an organization understand how well it is adapting to change. A proven, best-practice approach to manage and achieve any objective is to measure, evaluate and, where necessary, improve the actions taken. This approach is equally important for managing actions in response to targeted and constantly evolving risks and opportunities.
Organizations now need to evaluate the level of risk in each business process by taking steps to manage and control the identified risks to a level the organization deems acceptable.
Those steps include:
- Identify risks in operations and determine how to evaluate those.
Are you weighing risks emerging from both external and internal factors? Do you have an organizational environment that encourages risk detection and communication? How can you make processes more effective and efficient while managing risk?
- Assess the level of risk and determine your risk profile and comfort level.
A method including criteria to evaluate the risks along with method to determine the effectiveness of the actions taken to control the risk will also need to be defined.
- Prioritise and control those risks.
Consider how those risks will be prioritized and controlled through treatment options. Implementation of actions to address each risk will have to be developed and tested for effectiveness.
Similar to the critical success factors of ISO 9001, ISO 14001 and ISO 45001, embedding a risk-based thinking culture starts at the top. Senior management are responsible to effectively monitoring the changing business environment of the organization to determine if the strategic plan remains relevant and cascade the business strategy throughout the entire organization.
The key to successful implementation is engaging and ensuring individuals feel their contributions are helping improve the organization. By requiring all employees to adopt a risk-based thinking mindset to their everyday functions and empowering authorized persons at all defined levels in the organization, every employee can clearly link how they manage their tasks and risks to how their work enables the organization to achieve its goals.
Risk-based thinking therefore:
- Builds a strong knowledge base
- Establishes a proactive culture of improvement
- Assures consistency of quality of goods or services
- Improves customer confidence and satisfaction
Read the “Real-Life applications of Risk-Based Thinking in ISO 9001:2015” here
Learn more about the current version of the ISO 9001:2015 Standard.
View our full list of Auditor Training courses here.
About the AuthorMore Content by Carmine Liuzzi