M3L8P32RiskGuide 211117 095527

This document provides guidance on risk management. It defines risk and explains that risk management is a critical process for any organization. The risk management process involves identifying risks, analyzing them, planning mitigation strategies, tracking risks, controlling risks, and communicating with stakeholders. It then outlines the specific steps for the risk management process, including identifying risks through various techniques, prioritizing them, developing mitigation plans, monitoring risks, and executing control plans when necessary. Finally, it describes the four phases of the risk management cycle: planning, evaluation, monitoring and control, and post-operation review.

Uploaded by

Jaco Grove

Risk Management Guide


1.0 Risk

Risk is the possibility of loss. It is a function of both the probability that an adverse
event occurs and the impact of that event on the things it affects; the impact can be a
combination of factors such as time delay, performance loss, financial loss, etc.

A risk can be defined as any internal or external situation or event that has the potential to
impact the organization, preventing it from successfully achieving its objectives, delivering
its services, capitalizing on its opportunities, or carrying out its projects or events.

A risk is a precursor to a problem: it may occur at any point in time, and its occurrence will
affect the predicted objectives and goals of a project given the available resources.

Risk cannot be eliminated from the organization, but it can be managed with a proper risk
mitigation plan. Risk management is critical to the success of any company, and it is always a
strategic concern for the company.

2.0 Risk Management

What is Risk Management?

Risk management is defined as: “A process of identifying, controlling and minimizing or
eliminating organization’s risks that may affect management system, to an acceptable cost”.

The management of risk is an integral part of good management practice. There is a direct
relationship between risk and opportunity in all business activities. An organization should be
able to identify, measure and manage risks in order to capitalize on those opportunities and
to achieve its goals and objectives.

Risk management is simply the practice of systematically identifying and understanding risks
and the control mechanisms that are in place to manage them. Ultimately, the process brings
you to the point of deciding whether, in the context of a particular strategy, activity or
function, a risk is acceptable or requires action.


The risk management process does not encourage management team members / managers
to be risk averse. In fact, it is designed to provide project team members / managers with a
degree of confidence to be able to manage risk to an acceptable level and to take a level of
risk commensurate with the opportunity. The key element in managing risk is correctly
balancing risk and reward. An organization which is risk averse will create inflexibility in the
business and erect barriers to the achievement of the organization’s goals.

Risk Management Is Identifying and Preventing the Causes Before They Happen.

Why Use Risk-based Thinking?

Successful organizations intuitively apply risk-based thinking because it brings benefits that:

 • Improve governance
 • Establish a proactive culture of improvement
 • Assist with compliance
 • Assure consistency of quality of products and services / test results / calibration / sampling services
 • Improve customers’ confidence and satisfaction.

Risk Management Approach

The risk management approach depends on:

 • Type of organization
 • Type of customers
 • Type of assets and processes
 • Management commitment


3.0 How Do We Do Risk Management?

The ISO 9001:2015 requirements around risks and opportunities do not require a formal risk
management system. However, they do require that organisations determine what their risks and
opportunities are and how they will be addressed.

By adopting risk-based thinking, organisations can then prioritize the way processes are managed
by:
 • Identifying what the risks and opportunities are
 • Analysing and then prioritizing the risks
 • Planning appropriate actions to address the risks
 • Implementing the plan and taking the necessary action
 • Checking the effectiveness of the action: does it work?
 • Learning from experience and improving.

4.0 Risk Management Process

This section defines how the risks expected to arise are to be managed.

Identifying possible risks is an important step in being prepared for potential problems that can
occur within the organization. When a potential risk is identified during risk identification, a
solution or plan of action should be developed alongside it.

Following are the fundamental risk management functions that must be performed to effectively
manage the risks attached to a project:

a. Identify: Project Team / Manager should analyse the classification of potential risks to identify
an applicable list of risks specific to the organization.

b. Analyse: Project Team / Manager should assess each risk's impact on cost, schedule and
product quality, and its probability, followed by a discussion to reach a common consensus on
each risk. This includes the following tasks:
   a. Analysing risks
   b. Prioritizing risks

c. Plan: Project Team / Manager should prepare a plan determining what steps and actions are to
be taken against the risks. This includes identifying a mitigation / contingency plan and
implementing it.


d. Track: Project Team / Manager / Leader should continuously monitor the risks in the
organization.

e. Control: Project Team / Manager should execute the appropriate risk mitigation plan when an
identified risk reaches its threshold value.

f. Communicate: Provide visibility and feedback data to internal and external key interested
parties on current and emerging risk activities.

5.0 Risk Management Phases

Risk management is done in four phases:
 • Phase 1. Risk Analysis – Planning
 • Phase 2. Risk Evaluation
 • Phase 3. Risk Monitoring and Control
 • Phase 4. Post-test Operation Information


Phase-1: Risk Identification Analysis – Qualitative method

Risks are identified based on the categories and sources defined. Risk identification can
be done by various methods, for example:

Brainstorming: This process encourages a group of people meeting face-to-face to put
forward all their thoughts and ideas on a specific topic. During a brainstorming session, all
input is encouraged without evaluation. Evaluation of ideas occurs at the completion of the
session when the ideas are analysed. The diversity of participants will have an impact on the
nature of the ideas and perspectives, so some thought will need to be given to who will
participate in the process.

Focus groups: A focus group is made up of individuals who are invited to attend one or more
meetings, to focus their attention and provide information and feedback on a specific topic
or area of concern.

Experience judgment: This is information or opinion given based on an individual's
experience and knowledge in his/her field of expertise.

Analysis of systems: This involves studying the way a system or process functions and
interacts within an organization to find any weaknesses. "System" may refer to the
management processes as well as to the policies and procedures that support those
processes. It may also refer to an operational system of interlinking procedures or processes.

Audits: This is the process of analysing a management system, checking that the documented
procedures and the operational methods actually in use are the same.

Scenario building: In this process a situation or condition is created, either on paper or as a
model, to reflect potential outcomes. These fictitious situations allow an analysis and
treatment option to be considered where, for example, an event has not occurred before and
no data is available.

Accident investigation or failure analysis: This process involves looking at previous accidents
and incidents and analysing them to determine what went wrong or why the process failed
or broke down. This will highlight risk areas for future situations.

Feedback and communication: This includes meetings, feedback forms or phone calls,
complaints handling, etc. Identify the intended users and the risks and opportunities in each
area, and analyse them against likelihood and impact.


Risk Analysis – Quantitative method

A. Probability of occurrence or likelihood

Likelihood on a risk matrix represents the likelihood of the most likely consequence
occurring in the event of a hazard occurrence. To put it another way: if a hazard occurs,
what are the chances that the most likely safety mishap will occur?

Impact: the degree of harm to the business and the potential consequences likely to
result from a failure to protect business interests.

Example: Rating of Risk Severity/Impact

Rating | Consequence | Criteria (Impact of risk on business)

1 | Very Low / Incidental | Negligible business impact. Local media attention. Quickly remedied.
Nothing reportable to regulator. No injuries to employees or third parties. Isolated staff.

2 | Low | Slight business impact. Local damage to reputation. Reportable incident to regulator
with no follow-up. No or minor injuries to employees or third parties.

3 | Medium / Moderate | Limited business impact. Short-term negative media coverage. Report of
breach to regulator with immediate correction. Out-patient medical treatment for employees or
third parties. Widespread staff morale problems and high turnover. Financial loss.

4 | High | Serious business impact. Negative media coverage. Significant loss of market share.
Report to regulator requiring major corrective action. Limited in-patient care for employees or
third parties. High turnover of experienced staff. Financial loss.

5 | Very High / Extreme | Disastrous business impact. Long-term negative media coverage.
Dramatic loss of market share. Significant prosecution, fines. Significant injuries or fatalities
to employees or third parties. Multiple leaders leave, potential closure of business. Financial
loss.


In the above example, the rating of risk severity on a scale from 1 to 5 is given in the first
column. The second column names the consequence corresponding to each rating, and the
third column gives the impact criteria for that rating.

The rating of a risk is assigned according to the highest consequence criteria anticipated. For
example, the risk rating is 1 when the consequence is very low and the impact on the business is
negligible. Such a risk draws only local media attention; it is quickly remedied, and nothing is
required to be reported to the regulator. There are no injuries to employees or third parties.
Such a risk impacts only isolated staff.

B. Risk Probability (Likelihood / Probability)

This section describes how to rate the probability of a risk according to how likely its
occurrence is.

Risk Assessment – Degree of Risk

The likelihood of a threat harming the business should be identified and a suitable value
assigned, as per the categorization given below.

Probability | Category | Rank | Description

1 | Rare | 1 | Risk event not expected to occur
2 | Unlikely | 2 | Risk event less likely than not to occur
3 | Possible | 3 | Risk event may or may not occur
4 | Likely | 4 | Risk event most likely to occur
5 | Almost Certain | 5 | Risk event expected to occur

Probability / Likelihood

 • 5 – A very high probability band (continuous, every day, every batch, etc.)
 • 4 – A high probability band
 • 3 – A medium probability band
 • 2 – A low probability band
 • 1 – A very low probability band (never happened, once in a lifetime).


Phase 2: Risk Evaluation

Risk evaluation and risk acceptance are done based on the decision table given below. The
decision table is made of probability vs. severity, each rated on a 1 to 5 scale. Multiplying
these two ratings gives the risk ranking number.

Risk ranking number = S x P

Decision:

 • Red: Risk reduction is essential
 • Yellow: Risk can be retained at current level
 • Green: Risk is acceptable

Risk Evaluation – Managing and Qualifying Risks

To manage risk, risk assessment documents are used; an example is shown below.

You need to identify each risk in your organization and rate it against Probability and
Consequence (impact) on 1 to 5 scales. Multiply them and, based on your risk evaluation
process, define each risk as high, medium or low. In the last column, the organisation then
documents its proposed mitigation action against each risk as a preventive tool.
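The risk assessment document described above, worked through as a small risk register. This is an added example, not a form from the guide: it uses the guide's 1 to 5 severity and probability scales and the S x P ranking, but because the guide colours its decision table without printing the band boundaries, the red/yellow cut-offs (`RED_MIN`, `YELLOW_MIN`) and the sample risk entries are assumptions constructed for the example.

```python
from dataclasses import dataclass

# Scales as given in the guide (severity/impact and probability, 1 to 5).
SEVERITY_SCALE = {
    1: "Very Low / Incidental",
    2: "Low",
    3: "Medium / Moderate",
    4: "High",
    5: "Very High / Extreme",
}
PROBABILITY_SCALE = {
    1: "Rare",
    2: "Unlikely",
    3: "Possible",
    4: "Likely",
    5: "Almost Certain",
}

# The guide colours the S x P matrix red / yellow / green but does not state
# where the bands start. These cut-offs are an ASSUMPTION for this example and
# should be replaced by the organisation's own risk acceptance criteria.
RED_MIN = 15     # ranking >= 15: risk reduction is essential
YELLOW_MIN = 8   # 8 <= ranking < 15: can be retained at current level
                 # ranking < 8: acceptable


def _check_scale(value, scale, name):
    if value not in scale:
        raise ValueError(f"{name} must be an integer from 1 to 5, got {value!r}")


def risk_ranking(severity, probability):
    """Risk ranking number = S x P, both on the guide's 1-5 scales."""
    _check_scale(severity, SEVERITY_SCALE, "severity")
    _check_scale(probability, PROBABILITY_SCALE, "probability")
    return severity * probability


def decision(ranking):
    """Map a ranking number to the guide's Red / Yellow / Green decision (assumed cut-offs)."""
    if ranking >= RED_MIN:
        return "Red"
    if ranking >= YELLOW_MIN:
        return "Yellow"
    return "Green"


@dataclass
class RiskEntry:
    risk: str
    severity: int
    probability: int
    mitigation: str  # the last column of the assessment document

    @property
    def ranking(self):
        return risk_ranking(self.severity, self.probability)


def build_register(entries):
    """Return the assessment rows, highest ranking first.

    Every row must carry a proposed mitigation action, since the guide requires
    the last column to document one for each risk.
    """
    rows = []
    for e in entries:
        if not e.mitigation.strip():
            raise ValueError(f"no mitigation action recorded for: {e.risk}")
        rows.append({
            "risk": e.risk,
            "severity": f"{e.severity} ({SEVERITY_SCALE[e.severity]})",
            "probability": f"{e.probability} ({PROBABILITY_SCALE[e.probability]})",
            "ranking": e.ranking,
            "decision": decision(e.ranking),
            "mitigation": e.mitigation,
        })
    return sorted(rows, key=lambda r: r["ranking"], reverse=True)


# Constructed sample entries; the risk names are taken from the guide's appendix,
# the ratings and mitigation actions are made up for the example.
SAMPLE_ENTRIES = [
    RiskEntry("Inadequate storage condition for samples", 3, 2,
              "Monitor storage temperature and log excursions"),
    RiskEntry("Non-compliance to legal and statutory requirements", 5, 3,
              "Quarterly legal register review with the compliance owner"),
    RiskEntry("Incompetent staff or managers", 4, 3,
              "Competence matrix and annual training plan"),
]

if __name__ == "__main__":
    for row in build_register(SAMPLE_ENTRIES):
        print(f"{row['ranking']:>2} {row['decision']:<6} {row['risk']}: {row['mitigation']}")
```

Rejecting an entry without a mitigation action mirrors the guide's requirement that the last column is filled in for every risk; the sort order puts the red risks at the top so the monitoring step in Phase 3 sees them first.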


Phase-3: Risk Monitoring and Control

Monitor the organization’s risks periodically (monthly/weekly) and take appropriate
mitigation action to control them.

Risk Treatment:

 • Select and implement actions to reduce the risks to an acceptable level
 • Measures can be physical, procedural or product-related
 • Balance the cost against the risks and their potential impacts
 • Accept the risk with management approval, or transfer the risk
 • Eliminate the risk source, or change the likelihood or consequences
 • Share the risk, or retain it by informed decision and management acceptance.


Phase-4: Post-test Operation Information

The effectiveness of the actions taken should be reviewed and checked as follows:

1. Review the effectiveness of the actions selected and implemented to reduce the risks to an
acceptable level
2. If an action is found not to be effective, then accept the risk with management approval
3. Share the risk, or retain it by informed decision and management acceptance
4. Discuss the effectiveness of the actions undertaken during management review meetings
5. Identify any new risk areas and update the risk assessment

6.0 Risk Categories and Sources

Sources of risk can be organized into categories, such as customer risk, technical (product)
risk, and delivery risk. Within each category, specific sources of risk can be identified and
risk reduction techniques applied, for example:

 • Product-related Risks
 • Business Impact Risks
 • Customer/User-related Risks
 • Developmental/Environmental Risks
 • Process Issue Risks
 • Organizational Risks
 • Staff Size and Skill/Experience Risks
 • Technical Issue Risks

Risk sources should be monitored for signs of risks materializing. Risk sources are the
fundamental drivers that cause risk events to arise within the organization.

7.0 Where Risk is addressed in ISO 9001:2015 Standard

 • Clause 4.4.1 The organization shall take account of / address the risks and opportunities as
determined in accordance with the requirements for QMS processes.
 • Clause 5.1.1 Leadership: top management to promote risk-based thinking
 • Clause 5.1.2 For customer focus, consider risks and opportunities that can affect
conformity of products and services
 • Clause 6.1.1 Determine risks and opportunities


 • Clause 6.1.2 Actions to address risks and opportunities, and the various options for taking
action on risk
 • Clause 9.1.3 Analyse and evaluate the effectiveness of actions taken to address risks
and opportunities
 • Clause 9.3.2e Management review: determine risks and the effectiveness of actions
taken to address risks and opportunities
 • Clause 10.2.1 Once a nonconformity occurs, update the risks and opportunities
determined during planning.


APPENDIX 1: Examples of possible risks found in an organisation

Risk area: Personnel
 • Lack of supervision or poor supervision
 • Incompetent staff or managers
 • Inadequate training

Risk area: Equipment
 • Capacity or accuracy of equipment not suitable
 • Improper installation

Risk area: Finance
 • Shortage of funds or delayed payments
 • High cost of finance

Risk area: Environment
 • Non-maintenance of required conditions
 • Inadequate space
 • Contamination
 • Interference

Risk area: Business
 • Foreign exchange fluctuation
 • Non-compliance to legal and statutory requirements and change in various country laws
 • High competition

Risk area: Operation control
 • Low capacity utilization
 • High cost of manufacturing
 • More process cycle time
 • More rework and rejection

Risk area: Quality issues
 • Laboratory and testing equipment problems
 • Inadequate storage condition for samples

Risk area: Management system
 • Conflict of interest
 • Resources not provided
 • No leadership and direction from top management
 • Poor operational performance
 • Internal audit not undertaken
 • Management review not undertaken

Risk area: Customer
 • Commercial or financial pressure from customers
 • Highly demanding customer and delay in communication of queries
 • Contract review not done adequately
