ISO clause 6.1 - Actions to address risks and opportunities
Context and guidance when using risk registers
First, in the context of ISO 9001 - Quality management, there is no requirement for formal methods for risk management or a documented risk management process. However, the bibliography refers to ISO 31000 which is a formal risk management framework; the risk assessment process from ISO 31000 (see below) can be adopted and critiqued to suit your requirements.
Business risk assessment
Risks can come from a myriad of sources such as external market surveillance activities and internally focused management analysis tools; process and or risk owners should proactivity work with the custodian of the register to capture issues.
Statements of risk, contributing factors, and early warning mechanisms should be considered together.
The analysis is based on likelihood and consequence, often referred to as an impact; the register should automatically profile risks with a Red, amber, or green (RAG) status according to the scores given for likelihood and consequence. Bespoke consequence matrices are often used across different industries.
Evaluation can now be considered in accordance with the acceptance criteria (see below) along with any existing controls e.g., terms of reference or an insurance policy. Risk treatment options such as accept, reduce, transfer or exploit can now be selected, if applicable, additional action and or mitigation determined.
Note: Risk can potentially be exploited by considering any opportunities and possibly becoming SMART objectives.
Risk acceptance criteria
Red category risks, 16 and above, are deemed unacceptable and are required to be actively monitored by a senior manager at a board level; they should be reduced within three consecutive reviews.
Amber is tolerable and is to be escalated as a potentially unacceptable risk; they are to be monitored at the discretion of a senior manager.
Green is acceptable and can be maintained within day-to-day operations by a competent process/risk owner.
Monitoring and review
Once a baseline has been set the risk should be re-analysed determining the effectiveness of controls and any mitigating actions taken; the status should be updated at each management review, at least annually, as a minimum.
Other disciplines of risk assessment
The above process can be applied to other disciplines such as environmental for analysing aspects & impacts or information security - threats & vulnerabilities. A third dimension is sometimes needed such as severity. For information security, this is realized by attributing a value to an information asset.
Advise and consultancy
Contact us using the form below for a free template, to include a consequence matrix, or for advice on risk management methods; we can help you demonstrate risk based thinking and consult on how to audit this area effectively.