Industry is buzzing with chatter about the substantial changes the International Organization for Standardization is making, and will continue to make, to its management system standards. ISO 9001:2015 and ISO 14001:2015 have already stirred pertinent questions and debate about their enhancements, showing a strong move towards greater accountability, broader stakeholder consideration and the use of good governance to improve the way organisations perform. The intent behind ISO management systems is shifting, and shifting fast. In this article we explain risk-based thinking.
The ability of organisations to prove conformance simply by fulfilling basic substantive requirements is now a thing of the past. Leadership is being forced to engage actively with issues around Quality, Environmental and other “non-financial risk” areas of performance, and it is the unassuming concept of risk-based thinking that makes this possible.
People not familiar with governance frameworks and the value and importance of corporate sustainability have probably not encountered the idea behind risk-based thinking, and as a result its adoption can seem a fairly daunting task. Thankfully, risk-based thinking does not have to be, and is not intended to be, complicated, cumbersome or difficult. The idea is simple: make decisions based on the risks involved.
Risk is the tangible representation of the outcome(s) of unexpected or undesired events. It exists against a background of uncertainty, which is a state of deficiency of information, understanding or knowledge. This state of deficiency, even when partial, relates to a circumstance, situation or event, its consequence or its likelihood. Risk can therefore be understood as the effect of a deviation from what we expect or desire to happen, arising from factors over which we have insufficient or inadequate control because of that deficiency. In practice this is understood more simply as “what, where, why and how can something go wrong, and how much will it cost”.
Globally, the most commonly adopted definition of risk is the “effect of uncertainty on objectives” (ISO Guide 73). We therefore manage risk in order to better achieve our objectives, and this is where the idea of risk-based thinking enters. A sufficient understanding of uncertainty is clearly required in order to make consistently good decisions about how to cope with the Volatile, Uncertain, Challenging and Ambiguous conditions that challenge business performance. Specifically, decision makers must understand the nature and source of the uncertainty, the potential deviations which could occur, the likelihood of those deviations and their impact on expected outcomes.
Risk-based thinking does not demand advanced or complex risk assessments or formal risk management processes and systems. It requires only that decisions taken to satisfy requirements (customer, legal or any other stakeholder requirement) are taken with consideration of the effect that uncertainty may have on the intended outcomes. In practice, however, it would be near impossible to consistently make the right decision without a formal means of acquiring the information needed to do so. As a result, although formal risk management and risk assessments are not explicitly required by ISO 9001:2015, ISO 14001:2015 or most other High Level Structure international standards, they are highly recommended.
The trick for every organisation is to understand its risk environment. It should decide whether a rudimentary or a detailed risk programme would best suit its stakeholders’ needs and expectations, whether qualitative or quantitative assessments would be most appropriate, and understand the quantity and detail of data available for assessments and the capability of its employees to support the risk management processes. ISO 31000:2009 is the most widely used guide for risk management and provides a framework appropriate to any organisation, of any size, in any industry.
So if you’re wondering where to begin, here’s what you should do:
- Start by learning about risk and risk assessments, but be wary of courses or information limited to one or two risk types, such as compliance or health and safety. To be truly beneficial, your risk assessments should be designed and performed to create value in all areas of the organisation and to allow decisions to be taken about all the risks affecting performance. Specifically, look for courses or information dealing with enterprise risk management or enterprise risk assessments.
- Next, apply what you have learned to analyse the risk-related needs of your organisation. Here you should pay attention to the resources available and the outputs required, so that you can decide which assessment techniques, or which combination of them, you should be using.
- Once you know what you want and how you plan to achieve it, start performing your risk assessments, gathering the necessary information and making recommendations. As you do this you will most probably find a need to formalise aspects of the decision-making as well, and may also find an opportunity to improve the risk assessments through a defined risk management process.
- Finally, evaluate the results of your efforts and make changes and improvements to your risk management and risk assessment processes. By this stage you will already see value, and you will identify ways of growing or increasing that value. Share this internally to help promote wider adoption of the risk-based approach.
The intention of risk-based thinking is not to make anything more complicated or to create extra work. Rather, risk-based thinking makes decision-making easier by removing the biases that prevent us from acting consistently. See this move as one of value creation, keep the end in mind and make the right choices for all of your organisation’s stakeholders.
For more information about enterprise risk assessments, enterprise risk management, corporate governance or ISO management system standards, you can contact Risk ZA Corporate Sustainability by email (info@riskza.com) or by phone (0860 642 435 / 031 569 5900).