How To Use Planning To Address Company Risks

Russell Lawson
3 min read · Dec 7, 2023

Throughout ISO management systems, there is a reliance on addressing your organisation's risks and opportunities. These should be relevant to the context of your organisation as well as to any interested parties.

You should ensure that your organisation has applied a risk identification methodology consistently and effectively. This is very important and at the heart of all four of our ISO standards which all take a risk-based approach. Indeed, in ISO 9001 alone, reference to risk-based thinking is present in all of the following clauses:

  • Determine and address risks (Clause 4.4.1);
  • Promote risk-based thinking (Clause 5.1.1);
  • Ensure risks determined and addressed (Clause 5.1.2);
  • Determine risks that need to be addressed to achieve intended results (Clause 6.1.1);
  • Plan actions to address risks; integrate into processes; evaluate effectiveness of actions (Clause 6.1.2);
  • Control those risks identified (Clause 8.1);
  • Evaluate effectiveness of actions on risks (Clause 9.1.3);
  • Review effectiveness of actions on risks (Clause 9.3.2);
  • Improve the quality management system responding to risk (Clause 10.3).

ISO defines a risk as the 'effect of uncertainty on the expected result'. Effective management of risk is discussed well in advance to ensure there are fewer surprises, improved planning, effective decision making and better relationships with stakeholders. Effective management of risk leads to better performance, continual improvement and increased customer satisfaction. Opportunities are considered the positive side of risk, which is why ISO 9001:2015 focuses on reducing risk and identifying opportunities.

External and internal issues, and the relevant needs and expectations of relevant interested parties, may be sources of risk. All management system processes represent differing levels of risk in terms of your organisation's ability to meet its objectives. For this reason, the consequences of failures or non-conformities in relation to processes, systems, products and/or services will not be the same for all organisations.

Risk and opportunity register

While not mandated by ISO 9001, ISO 14001, ISO 45001 or ISO 27001, risk and opportunity registers can help identify and record the risks and opportunities facing different areas of the business, and identifying a risk is the critical first step in managing it. A risk and opportunity register allows your organisation to assess each risk against the overall context of the organisation, and helps to record the controls and treatments applied to those risks. Risk and opportunity registers can be developed in tiers:

  • Strategic level — risks and opportunities associated with the local, regional, and global economic, social, political, cultural, regulatory and competitiveness, key stakeholder strategies or strengths and weaknesses in attaining objectives.
  • Operational level — organisational structure and culture, existence of any operational constraints, business resilience vulnerabilities, issues relating to recent change management, stakeholder community concerns, regulatory and contractual requirements and constraints.
  • Process level — stability of IT systems, human error, measurement and inspection failures, environmental or workplace safety, mechanical failure, process quality, internal controls and compliance errors, ineffective processes with poor performance metrics, or process controls not functioning.

The risk and opportunity register, or risk log, becomes essential as it records the identified risks and opportunities, their severity, and the actions and steps to be taken. It can be a simple document, a spreadsheet or a database system, but the most effective format is a table: a table presents a great deal of information in just a few pages. As the register is a living document, it is important to record the date on which each risk is identified or modified. Optional dates to include are the target and completion dates. Typical columns are:

  • Description of the risk;
  • Risk type (business, project, stage);
  • Likelihood of occurrence which provides an assessment on how likely it is that this risk will occur;
  • Severity of effect which provides an assessment of the impact that the occurrence of this risk would have on the business;
  • Countermeasures and actions taken to prevent, reduce, or transfer the risk. This may include production of contingency plans;
  • Risk owner who is responsible for ensuring that risks are appropriately engaged with countermeasures undertaken;
  • Current status of whether this is a current risk or if risk can no longer arise and impact;
  • Other columns such as quantitative value can also be added.
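The following is an added example, not code from the article or its author, showing the register columns above as a small Python data structure: each row carries a description, type, likelihood, severity, countermeasures, owner, status and the identification, modification, target and completion dates, and the "quantitative value" column is realised as a likelihood × severity score. The 1 to 5 scales and the low/medium/high bands are assumptions (the article prescribes no scale), and the sample rows are constructed for illustration.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date
from typing import Optional

# Assumed 1..5 scales for likelihood and severity; the article lists these
# columns but does not prescribe a scale, so this is an illustrative choice.
SCALE_MIN, SCALE_MAX = 1, 5


@dataclass
class RiskEntry:
    """One row of the register, mirroring the columns described in the article."""
    description: str
    risk_type: str                 # business / project / stage
    likelihood: int                # 1 (rare) .. 5 (almost certain)
    severity: int                  # 1 (negligible) .. 5 (critical)
    owner: str                     # person accountable for the countermeasures
    countermeasures: list[str] = field(default_factory=list)
    status: str = "open"           # "open" while the risk can still arise, else "closed"
    identified: date = field(default_factory=date.today)
    modified: Optional[date] = None
    target: Optional[date] = None  # optional target date for the countermeasures
    completed: Optional[date] = None

    def __post_init__(self) -> None:
        # Reject scores outside the assumed scale so the register stays comparable.
        for name, value in (("likelihood", self.likelihood), ("severity", self.severity)):
            if not SCALE_MIN <= value <= SCALE_MAX:
                raise ValueError(f"{name} must be {SCALE_MIN}..{SCALE_MAX}, got {value}")

    @property
    def score(self) -> int:
        """Quantitative value: likelihood x severity (the optional column the article allows)."""
        return self.likelihood * self.severity

    @property
    def rating(self) -> str:
        # Assumed banding of the 1..25 score range.
        if self.score >= 15:
            return "high"
        if self.score >= 8:
            return "medium"
        return "low"


class RiskRegister:
    """Living document: every change stamps a date so the history stays traceable."""

    def __init__(self) -> None:
        self._entries: dict[str, RiskEntry] = {}

    def add(self, entry: RiskEntry) -> None:
        if entry.description in self._entries:
            raise KeyError(f"duplicate risk: {entry.description}")
        self._entries[entry.description] = entry

    def rescore(self, description: str, on: date, *, likelihood: int, severity: int) -> RiskEntry:
        """Re-assess a risk; the scale check re-runs and the modified date is recorded."""
        entry = self._entries[description]
        entry.likelihood, entry.severity = likelihood, severity
        entry.__post_init__()
        entry.modified = on
        return entry

    def close(self, description: str, on: date) -> RiskEntry:
        """Mark a risk as one that can no longer arise, recording the completion date."""
        entry = self._entries[description]
        entry.status, entry.completed, entry.modified = "closed", on, on
        return entry

    def prioritised(self) -> list[RiskEntry]:
        """Open risks, highest score first, so a review starts at the top of the list."""
        open_entries = [e for e in self._entries.values() if e.status == "open"]
        return sorted(open_entries, key=lambda e: (-e.score, e.description))

    def to_table(self) -> str:
        """Plain-text table, the format the article recommends for a register."""
        header = f"{'Risk':<34}{'Type':<9}{'L':>2}{'S':>2}{'Score':>6}  {'Rating':<7}{'Owner':<12}{'Status'}"
        rows = [header]
        for e in sorted(self._entries.values(), key=lambda e: -e.score):
            rows.append(f"{e.description[:33]:<34}{e.risk_type:<9}{e.likelihood:>2}{e.severity:>2}"
                        f"{e.score:>6}  {e.rating:<7}{e.owner:<12}{e.status}")
        return "\n".join(rows)


def build_sample_register() -> RiskRegister:
    """Constructed sample rows for illustration; not real organisational data."""
    reg = RiskRegister()
    reg.add(RiskEntry("Backup restore never tested", "business", 3, 5, "IT lead",
                      ["Quarterly restore drill"], identified=date(2023, 11, 1),
                      target=date(2024, 1, 31)))
    reg.add(RiskEntry("Single supplier for key component", "business", 2, 4, "Procurement",
                      ["Qualify second supplier"], identified=date(2023, 11, 1)))
    reg.add(RiskEntry("Calibration records incomplete", "stage", 4, 2, "QA",
                      ["Audit calibration log monthly"], identified=date(2023, 11, 15)))
    return reg


if __name__ == "__main__":
    register = build_sample_register()
    register.rescore("Calibration records incomplete", date(2023, 12, 1), likelihood=2, severity=2)
    register.close("Single supplier for key component", date(2023, 12, 5))
    print(register.to_table())
```

Keying the register on the description keeps each risk to one row, and stamping `modified` on every re-score or closure gives the dated history the article asks for; `prioritised()` is the view a management review would start from.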


Russell Lawson founded The Ideas Distillery in 2011 and is an IRCA-certified Lead Auditor trained in ISO 9001, ISO 14001, ISO 45001 and ISO 27001, and a Chartered Practitioner of the CQI.