Step-by-step risk analysis

‘Risk-based thinking’ currently dominates the world’s most popular quality standard, ISO 9001. Whoever wants to comply with ISO 9001:2015 has to have a risk management process in place within their organisation.

How do I establish a process for risk management?

Step 1. Risk management – target
- Which (quality) requirements and (quality) targets have been established?
- What are the risks when these requirements and targets cannot be met?
- What are the opportunities for improvement?
Requirement: Supply to the customer within two days after the order has been placed.
Risk: Due to an outdated logistics system, the two-day target is often exceeded.


Step 2. Method
- The method to be used needs to be established, as well as the acceptance criteria.
- Frequently used method (deliberately simplified here): Risk = probability x impact.
- Probability (scale 1-5), impact (scale 1-5) and risk (scale 1-25).
Supply > 2 days: probability (high, 4) x impact (severe, 3) = risk (12)
If the acceptance criterion is 10, measures need to be taken to reduce the risk (mitigation). For example, a better logistics system reduces the probability of issues (when probability = 2, risk = 6 < acceptance criterion 10).


Step 3. Risk treatment plan
- Perform the risk analysis and implement measures if necessary.
- Monitor the progress of the measures to be carried out and establish their effectiveness.
- Accept the residual risk.
In May next year, a new logistics system will be introduced. The person accountable is the logistics manager. Estimated delivery period: June next year. Management accepts a residual risk of 6.


Step 4. Update risks
- Re-evaluate the risks periodically, for example ahead of the annual management review.
After the implementation of the logistics system, 96% of all deliveries are carried out within 2 days. By implementing a different supply system, the delivery time can be reduced to 1 day.
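The four steps above can be kept as a small risk register that scores each risk, tests it against the acceptance criterion, records the planned measure with its expected residual risk, and re-scores it at the next review. The following is an added example and not code from the original article or from the Proware module; the scales (1-5, 1-25) and the criterion of 10 follow the article, while the rule that a risk strictly above the criterion needs treatment, and the register entries themselves, are assumptions constructed to mirror the logistics scenario.

```python
"""Minimal risk register for the Risk = probability x impact method (Steps 1-4).

Added example, not code from the original article. Scales follow the article
(probability 1-5, impact 1-5, risk 1-25, acceptance criterion 10). The rule
"risk above the criterion needs treatment" and the register entries are
assumptions constructed to mirror the article's logistics scenario.
"""
from dataclasses import dataclass
from typing import List, Optional

SCALE = range(1, 6)          # article: probability and impact both on a 1-5 scale
ACCEPTANCE_CRITERION = 10    # article: a risk of 12 needs mitigation, 6 is accepted


def _check_scale(name: str, value: int) -> None:
    """Reject scores outside the 1-5 scale so a register line cannot be mis-scored."""
    if value not in SCALE:
        raise ValueError(f"{name} must be in 1..5, got {value}")


@dataclass
class Risk:
    """One register line: Step 1 (requirement, risk) plus Step 2 scoring."""
    requirement: str
    description: str
    probability: int
    impact: int
    # Step 3 fields, filled in when a measure is planned (None = no measure yet)
    measure: Optional[str] = None
    owner: Optional[str] = None
    residual_probability: Optional[int] = None
    residual_impact: Optional[int] = None

    def __post_init__(self) -> None:
        _check_scale("probability", self.probability)
        _check_scale("impact", self.impact)

    @property
    def score(self) -> int:
        """Step 2: Risk = probability x impact (1-25)."""
        return self.probability * self.impact

    @property
    def residual_score(self) -> int:
        """Expected risk after the planned measure; equals score if none is planned."""
        p = self.probability if self.residual_probability is None else self.residual_probability
        i = self.impact if self.residual_impact is None else self.residual_impact
        return p * i

    def needs_treatment(self, criterion: int = ACCEPTANCE_CRITERION) -> bool:
        """Step 2 acceptance test: risk above the criterion requires measures (assumption: strict >)."""
        return self.score > criterion

    def plan_measure(self, measure: str, owner: str,
                     residual_probability: int, residual_impact: int) -> None:
        """Step 3: record the measure, the accountable person and the expected residual risk."""
        _check_scale("residual_probability", residual_probability)
        _check_scale("residual_impact", residual_impact)
        self.measure, self.owner = measure, owner
        self.residual_probability, self.residual_impact = residual_probability, residual_impact

    def residual_accepted(self, criterion: int = ACCEPTANCE_CRITERION) -> bool:
        """Step 3: management can accept a residual risk at or below the criterion."""
        return self.residual_score <= criterion

    def reevaluate(self, probability: int, impact: int) -> None:
        """Step 4: re-score from observed data; the implemented measure becomes the new baseline."""
        _check_scale("probability", probability)
        _check_scale("impact", impact)
        self.probability, self.impact = probability, impact
        self.measure = self.owner = None
        self.residual_probability = self.residual_impact = None


def open_items(register: List[Risk], criterion: int = ACCEPTANCE_CRITERION) -> List[Risk]:
    """Risks that exceed the criterion and have no accepted residual yet (the treatment backlog)."""
    return [r for r in register if r.needs_treatment(criterion) and not r.residual_accepted(criterion)]


def build_register() -> List[Risk]:
    """Constructed register: the article's logistics risk plus one accepted-as-is risk."""
    return [
        Risk("Supply within two days after the order", "Outdated logistics system", 4, 3),
        Risk("Order confirmation within one hour", "Mail server occasionally delayed", 2, 2),
    ]


if __name__ == "__main__":
    register = build_register()
    logistics = register[0]
    print("inherent risk:", logistics.score, "needs treatment:", logistics.needs_treatment())
    logistics.plan_measure("New logistics system", "logistics manager", 2, 3)
    print("residual risk:", logistics.residual_score, "accepted:", logistics.residual_accepted())
    print("open items:", [r.requirement for r in open_items(register)])
```

Running the block scores the logistics risk at 12 (treatment needed), records the residual of 6 after the new system and shows an empty backlog; the second entry scores 4 and never needs a measure. Calling `reevaluate` at the next management review replaces the estimate with the observed situation, which is what Step 4 asks for.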

Click on the video (in Dutch) below for an impression based on the Proware module RiskManagement or try it yourself.

The principles and guidelines for the risk management process are described in detail in the ISO 31000 Standard.