What are risks and opportunities?
What risks and opportunities I hear you ask? Well, do you remember those risks and opportunities that came from performing a PESTLE analysis at clause 4.1? This clause is asking you now to make plans to address those risks and opportunities. By doing this you are adopting a proactive approach to managing risk.
Of course, the alternative approach is to simply react to the results of risk when something bad happens. This might be the loss of a contract due to poor communication because the responsibility and authority for this task were not clearly assigned. Is all of this beginning to make sense now?
Consider the needs and expectations of interested parties.
In clause 4.2, we are also asked to consider the needs and expectations of interested parties. Consequently, there is the risk of not meeting or serving the needs of those interested parties, and so what are you going to do to mitigate this? Well, some risk-management planning might be a good idea. For example, if the weather causes heavy snow at certain times of the year and that affects logistics and stock levels, we should plan to increase stock levels in the months prior to this.
Sounds simple? Well, yes it is! In this simple example, you would also ensure that your vehicle fleet is well maintained and ready for the change of weather by fitting snow tyres etc., and by reviewing the risk assessments for winter driving conditions. There might also be the opportunity to purchase stock at a discount price during the summer months, when demand for the items is traditionally low.
The corrective action process.
Also, let’s not forget the corrective action process of clause 10.2, where nonconformities might exist. If left uncorrected, a nonconformity can stop your management system from achieving its intended outcomes. I would interpret that as ‘risk’, wouldn’t you? The risk of failing to deliver that parcel under your ‘guaranteed’ next day delivery service, and losing a customer because of this, is risky. If the internal audit process has identified this nonconformity, but it has not been corrected effectively with root-cause analysis, then the risk of a repeated failure is ‘high’.
Trying to fix the pieces after they have been broken will be a time-consuming and costly task. Unfortunately, things will go wrong from time to time, and you need to prepare for this by being proactive with your risk management efforts and planning. Planning for financial risk in the stock market and banking industry can get wildly complicated, but thankfully, for the rest of us, things are much simpler.
Risk is the effect of uncertainty.
What exactly is risk? Well, the definition of risk can be interpreted differently depending upon the context. From a management system perspective, risk has its own unique definition as provided in ISO 9000:2015:
- Clause 3.7.9 Risk: “the effect of uncertainty”
Does that definition of risk make you feel ‘uncertain’? One reason management systems can be frightening for many people is the language they are written in. However, there is no requirement for you to adopt any of the language of a management system standard into your own documentation, as explained under sub-section A.1, p.30, of ISO 9001:2015.
The concept that risk can be both ‘good and bad’ can be a difficult thing to understand. In the business environment, risk is often closely related to resources. For example, if you were planning to expand your business by opening a new site, you would require the resources to do this. If the result of opening this new site, through planning and forecasting, was a guarantee of increased profit, then the risk outcome is good. However, if the opening of a new site was poorly planned and under-resourced, then the risk can be considered bad.
There might also be an opportunity to steal some customers from your competition by opening a new site. This would also contribute to the risk being evaluated as ‘good risk’ and one that carries the potential for positive reward. You can interpret the word ‘opportunity’ as the positive side of a negative risk. It’s this concept that guided the authors of the modern management systems, that have adopted the high-level structure, to focus on both ‘risks’ and ‘opportunities’ equally. You might also make a commitment to reduce risk in your quality policy.
The 4Ts of risk explained.
You will quite often hear risk management categorised under the ‘4Ts’. This phrase describes the following:
Tolerate
Sometimes there may be a situation where the negative impact from a particular risk is so small that the risk can be ignored. It would still be a good idea to ensure that someone has the responsibility to monitor the effects of the risk over time. For example, the supply of a key ingredient from a supplier is beginning to run low; however, you currently have the same ingredient supplied from 3 alternative sources. It would be wise to monitor the national (or global) supply of the ingredient ‘just to be safe’ in case the situation changes.
Terminate
You might encounter a situation related to the above example where the supply of a key ingredient is produced in a country that has suddenly been affected by civil unrest or war. The ‘appetite’ for this new risk is too high for you to tolerate and so you terminate the risk by switching the supply to a more stable environment.
Treat
Through your corrective action process, can you reduce the likelihood of the risk occurring or the severity of the impact resulting from the risk? For example, could you increase the height of the bunding around a storage area and also switch from an oil-based product to a water-based alternative?
Transfer
A common example of this is transferring risk by purchasing insurance against the negative impact of the risk. You could also outsource a particular function to a 3rd party; however, be sure to establish that, even after outsourcing, liability might still remain with you.
It’s wise to remember that not all risk is created equal, and so you need a way to evaluate and categorise risk. Clause 6.1 of ISO 9001:2015 does not require you to address all risks and opportunities, stating:
- “determine the risks and opportunities that need to be addressed”
The key thing to remember here is that ‘YOU’ determine the risks and opportunities that need to be addressed, and not a 3rd party auditor. You do this by using observation, discussion, internal audits, management review and with such tools as PESTLE and SWOT analysis.
What is a risk matrix?
A standard approach for representing risk in an easy to understand graphical form is with a ‘risk matrix’.
The common model for a risk matrix is represented by a 5×5 matrix where the x-values describe the ‘likelihood’ of an event occurring and the y-values describe the severity of the consequences should the event happen.
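To make the 4Ts and the 5×5 matrix concrete, here is a small risk register in Python. It is an added example, not code from the article or from ISO Training UK, and none of it comes from an ISO standard: the band thresholds, the ‘risk appetite’ cut-off, the rule for choosing a T and the sample risks are all constructed assumptions, chosen to mirror the scenarios described above (snow disruption, the unstable ingredient supplier, the bunded storage area, the faulty release valve).

```python
"""Risk register scored on a 5x5 likelihood x severity matrix, with one of
the 4Ts (tolerate / terminate / treat / transfer) suggested per risk.

Added example; not the article's or ISO Training UK's code. Thresholds,
the appetite value and the sample risks are constructed assumptions.
"""
from dataclasses import dataclass

SCALE = range(1, 6)  # 1 = lowest, 5 = highest, on both axes


@dataclass
class Risk:
    title: str
    likelihood: int          # x-axis: how likely the event is (1-5)
    severity: int            # y-axis: how bad the consequences are (1-5)
    source_clause: str       # where the risk surfaced, e.g. "4.1" (PESTLE)
    terminable: bool = False     # can the activity be stopped or switched?
    transferable: bool = False   # can it be insured against or outsourced?


def score(risk: Risk) -> int:
    """Cell value on the matrix: likelihood x severity, in the range 1..25."""
    for axis, value in (("likelihood", risk.likelihood), ("severity", risk.severity)):
        if value not in SCALE:
            raise ValueError(f"{axis} must be 1-5, got {value}")
    return risk.likelihood * risk.severity


def band(s: int) -> str:
    """Colour band of a matrix cell (assumed thresholds, not from any standard)."""
    if s <= 4:
        return "low"
    if s <= 9:
        return "medium"
    if s <= 15:
        return "high"
    return "extreme"


def treatment(risk: Risk, appetite: int = 4) -> str:
    """Suggest one of the 4Ts. `appetite` is the highest score the
    organisation will tolerate without action (assumed default of 4)."""
    s = score(risk)
    if s <= appetite:
        return "tolerate"        # small enough to accept, but keep monitoring it
    if risk.terminable and band(s) == "extreme":
        return "terminate"       # e.g. switch supply away from an unstable region
    if risk.transferable:
        return "transfer"        # e.g. insure, remembering liability may remain
    return "treat"               # reduce likelihood or severity via corrective action


def matrix_counts(risks):
    """Number of risks sitting in each (likelihood, severity) cell."""
    cells = {(lik, sev): 0 for lik in SCALE for sev in SCALE}
    for r in risks:
        score(r)  # validates the axis values before we index the cell
        cells[(r.likelihood, r.severity)] += 1
    return cells


def render_matrix(risks) -> str:
    """Text rendering: severity down the side (5 at top), likelihood across."""
    cells = matrix_counts(risks)
    lines = ["sev\\lik " + " ".join(f"{lik:>2}" for lik in SCALE)]
    for sev in reversed(SCALE):
        row = " ".join(f"{cells[(lik, sev)]:>2}" for lik in SCALE)
        lines.append(f"{sev:>7} {row}")
    return "\n".join(lines)


def register(risks, appetite: int = 4):
    """Register rows (title, score, band, T) ordered highest score first."""
    ordered = sorted(risks, key=score, reverse=True)
    return [(r.title, score(r), band(score(r)), treatment(r, appetite)) for r in ordered]


# Constructed sample risks, echoing the scenarios discussed in the article.
SAMPLE_RISKS = [
    Risk("Heavy snow disrupts deliveries to customers", 3, 3, "4.2"),
    Risk("Key ingredient sourced from a region in civil unrest", 4, 5, "4.1", terminable=True),
    Risk("Oil spill from storage area overtops the bund", 2, 4, "6.1.2"),
    Risk("Faulty release valve causes an uncontrolled discharge", 2, 5, "6.1.2", transferable=True),
    Risk("One of four ingredient suppliers is running low", 2, 1, "6.1"),
]

if __name__ == "__main__":
    for title, s, b, t in register(SAMPLE_RISKS):
        print(f"{s:>2} {b:<8} {t:<10} {title}")
    print(render_matrix(SAMPLE_RISKS))
```

The choice of T is deliberately a suggestion, not a decision: as the article says, ‘you’ determine which risks need addressing, and the `appetite` parameter is where that organisational judgement enters. A tolerated risk still appears in the register so that someone can be assigned to monitor it.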
Let’s now examine the sub-clauses of clause 6.1 of ISO 9001:2015, beginning with clause 6.1.2: The organisation shall plan:
- (a) Actions to address risks and opportunities
- (b) Integrate the plans into your management system and evaluate the effectiveness of your planning.
What about documented information?
Oddly, ISO 9001:2015 does not require the efforts and results of your planning process to be maintained as documented information. Considering that this is a fundamental, crucial part of a management system, I find this rather strange. Strategic planning for risk is a top management activity, normally conducted at management review. If this sounds familiar, then I would very much recommend you document your planning process, any related objectives and targets, and the analysis of results.
During my work as a management system lecturer for the British Standards Institute, I was always trying to highlight the interconnections within the standard to my course delegates. Understanding these connections is important for your knowledge of how the standard works and was also very important for my delegates when preparing for their lead auditor exam.
To fully implement the requirements of clause 6.1.2 you must recognise where and how the concept of risks and opportunities lies within ISO 9001:2015 and how the clauses are interconnected.
Here are the clauses you need to consider:
- 4.1 Understanding the context of the organisation: Remember that PESTLE analysis that you performed in order to identify both the internal and external issues that could affect your organisation? The output from this exercise will translate to the risks and opportunities that you are now making plans for.
- 4.2 Understanding the needs and expectations of interested parties: A failure to service these will result in a risk, but going above and beyond could also provide opportunities for long term relationships.
- 4.4.1(f) QMS processes: requires you to address the risks and opportunities to those processes.
- 5.1.1(d) Leadership: requires you to promote risk-based thinking: Something you have already addressed at clauses 4.1, 4.2 and 4.4. From a health and safety and environmental perspective this also includes the concepts of risk assessments and near-miss incident reporting.
- 5.1.2(b) Customer focus: requires you to consider the risks and opportunities associated with product conformity and customer satisfaction.
- 9.1.3(e) Analysis and evaluation: Are you measuring and analysing the results from your plans to address risks and opportunities? I hope so, because this is where you are being specifically required to do so.
- 9.3.2(e) Management review: This is where the standard is asking you to perform this evaluation and it even highlights the direct link back to clause 6.1 within some brackets.
- 10.2.1(e) Corrective action: Another great topic for discussion at management review; how and what you are doing to correct nonconformities and therefore mitigate risk. You might also highlight the opportunity to purchase new technology that results in long-term cost reductions.
These connections are not explicit; I’ve simply highlighted them so that you can begin to think about where clauses of the standard are interconnected. Why not choose a topic such as ‘communication’ and see if you can find for yourself where there may be related connections within the standard. By doing this, you will soon begin to gain a deeper understanding of the high-level structure and how to better plan for internal audits.
ISO 45001:2018
The emphasis on the continual improvement section of this clause takes on particular significance as we remember the intended outcomes for ISO 45001:2018 ‘to prevent injury and ill-health’. There are many opportunities for continual improvement when considering the safety of workers including:
- Inspections, observations and audits.
- Risk assessments, method statements, standard operating procedures and permits to work.
- Corrective actions that investigate near-miss incidents, accidents and hazards.
- Shift patterns and piece-related work rates.
- Ergonomic designs of workstations and equipment.
As explained in section A.6.1.1 of the standard, it’s good to build health and safety into the early stages of the life cycle of facilities, equipment, working practices and work environments. When planning for change, it’s very important to consider the proposals from a health and safety perspective. By doing this, you avoid introducing new hazards into the workplace as a result of the change.
The general statement for clause 6.1 remains largely the same as that for ISO 9001:2015, but it does begin to make reference to hazard identification. Before you can control a possible hazard, you must be able to identify the hazard(s) in the first place. The requirements for hazard identification begin at clause 6.1.2.1:
(a) Routine and non-routine activities
- Routine activities can be described as things you do every day such as the loading and unloading of freight.
- Non-routine activities are infrequently performed such as maintenance and repair.
(b) Human factors
- Fatigue, loss of concentration, physical strength, speed of movement
(c) New or changed hazards
- Resulting from unplanned modifications/adaptations, job rotations, time pressure, new contract requirements
(d) Emergency situations (potential)
- Fires, explosions, floods that might affect onsite/off-site or outsourced locations
(e) People
- Including contractors, visitors, neighbours and the general public.
(f) Changes in knowledge and information
- Manufacturer’s instructions, risk assessments, method statements, work permits, training procedures, HSE guidelines
As one can imagine, hazard identification is an important and ongoing process that should be formalised and reviewed for effectiveness by the internal audit process. It’s also good practice to perform regular observations and obtain feedback from workers or their representatives concerning possible hazards and hazardous situations.
Clause 6.1.2.2 requires you to make an assessment of those risks and ‘other’ risks to the management system. This assessment includes:
- The risks that were identified at 4.1 through the PESTLE analysis
- The risks associated with your interested parties at 4.2
- The risks at 6.1 from your hazard identification activities
The ‘other’ risks might include:
- Risks to the integrity of the management system
- Risks to contract requirements
- Risks from legal requirements
- Risks to requirements from interested parties
Clause 6.1.2.3 requires you to make an assessment of H&S opportunities and ‘other’ opportunities for the management system. Opportunities can be thought of as the flipside to risk, where there’s a risk, there’s an opportunity to mitigate it. There are many options for assessing opportunities and these include:
- Conducting regular PESTLE and SWOT analysis activities.
- Assessing H&S communication strategies (including training)
- Evaluating opportunities through observations, internal audits and reporting.
- Assessing opportunities in relation to the corrective action process
- Identifying new technologies that offer improvements to safety.
- Creative leadership and commitment.
Clause 6.1.3 requires you to make a determination of both ‘legal’ and ‘other’ requirements. We already know what the term ‘other’ requirements refers to as explained earlier. For a comprehensive list of legal and other requirements turn to p.39 of ISO 45001:2018.
This requirement includes that you:
(a) Have access to up-to-date legal information
The subject of UK and European health and safety law is beyond the scope of this document. I’m going to assume that your organisation has a dedicated health and safety advisor, and also a legal department for managing this.
(b) Determine how the law applies to you and how you communicate it.
How and where the legislation applies to you will depend on your organisational context and the operational environment in which you exist. This requirement is asking you to be aware of all H&S legislation that might affect you.
There is a requirement for you to maintain/retain documented information of this. In practical terms, this usually manifests itself in the form of a legal register, although you will not find the term ‘legal register’ contained within ISO 45001:2018. You can refer to this document by any name that suits the purpose of your management system.
In small organisations, it’s quite common to find that the creation and maintenance of a legal register is outsourced to a 3rd party. Please remember, outsourcing this function does not result in the transferring of liability!
I’m going to assume that you are communicating your legal requirements in practical terms through your risk assessments, method statements, work permits, emergency procedures and health and safety training.
(c) Take your legal requirements into account while planning, maintaining and improving your management system.
The key to this is being able to demonstrate direct links from your legal register (If that’s what you call it) through to your management system. For example, if the context of your organisation dictates that under ‘The Personal Protective Equipment (Enforcement) Regulations 2018’ your workers require a specific type of RPE to perform a task, you can write this into the risk assessment, method statements and permit to work documents. For the audit trail, I would also ensure that you can demonstrate how you communicated this requirement to those workers affected in personnel training records.
Clause 6.1.4 requires that you plan action to:
(a) Address risks and opportunities; address legal and other requirements; prepare for and respond to emergencies
(b) Implement and integrate your plans into the management system; evaluate your planning actions
You might have noticed that the requirements for this clause mostly reflect those for 6.1.2 of ISO 9001:2015. The notable differences are:
- Prepare and respond to emergencies
You can do this by:
- Preparing an emergency response plan
- Practising that emergency response plan
- Evaluating the effectiveness of the plan
The most important part to the above is the evaluation of the emergency response plan. You must hold a post-practice meeting to discuss both what went wrong, and what went correctly and according to the plan.
I was once delivering some ISO 9001:2015 training in an upstairs boardroom when the fire alarm went off. The managers I was training immediately sprang into action and within minutes all occupants of the building were lined up at muster points in the car park. Upon returning to the training the same managers were fuming because large parts of their emergency response plan had failed. Unfortunately, the fire alarms activated another 3 times over the next hour and the training was abandoned for that day.
However, this incident was regarded as highly valuable to the managers as it highlighted the failings of the emergency response plan. I’m sincerely hoping that there was a management review meeting of the plan after that day, where lessons learned could be corrected and improved.
ISO 14001:2015
Although they read slightly differently on the page, the requirements for the general statements in clause 6.1.1 are the same as those for ISO 9001:2015. Listed there you will find references back to clauses 4.1 (context), 4.2 (interested parties) and 4.3 (scope). One can see the usefulness of the high-level structure here, and how it can make the construction and maintenance of an integrated management system far more achievable than before.
Clause 6.1.2 requires you to determine your environmental aspects that shall take into account:
(a) Planned changes, modified activities, products and services
(b) Abnormal conditions and ‘reasonable’ foreseeable emergencies
What are environmental aspects I hear you ask? Here’s the definition from ISO 14001:2015:
- 3.2.2 “Element of an organisation’s activities or products or services that interacts or can interact with the environment”
Your activities might interact with the environment by:
- Creating noise
- Creating fumes
- Creating spills
- Creating dirt
- Creating radiation
The list above only becomes a problem when these aspects are ‘uncontrolled’ and cause a ‘negative’ impact upon the environment. This requirement asks you to maintain documentation of your organisation’s ‘aspects’ and record how they ‘impact the environment’. You are only required to record those environmental aspects that you consider ‘significant’.
Interestingly, the requirement doesn’t distinguish between ‘significantly good’ and ‘significantly bad’ environmental impacts. I’ll be the first to admit that the phrase ‘environmental impact’ tends to have negative connotations. The default position for most people when hearing it is to associate it with uncontrolled releases that harm the environment. However, certain aspects of your organisation might have a positive environmental impact such as:
- The creation of green spaces
- Reduction in use of oil-based products
- The adoption of green energy sources
- A comprehensive recycling program
- Life-cycle planning for both products and facilities management
- Sponsoring green initiatives
- Converting to electric vehicles
I suppose the list above could be considered as ‘opportunities’ from an environmental impact perspective and this is referred to in the Note section of this clause requirement.
One might be asking “when is a release uncontrolled?” and “what are acceptable levels?” The answers to these questions will be dictated by your organisational context and your significant aspects. There might be environmental legislation that applies to the aspects of your business activities. The requirements of this legislation will normally be controlled by release permits that are issued and managed by your local borough council.
For example, you might be under a permit to release a certain amount of waste product over a certain time period into the groundwater drain. If the valve that measures and controls that release goes faulty and remains open, then you have an ‘uncontrolled release’ happening. This will almost certainly result in a fine and/or legal proceedings depending upon the size of the negative impact upon the environment.
For Auditors:
ISO 9001:2015:
I’ve just described a perfect audit trail for you to investigate from clause 4.1 through to clause 10.2.1(e) so go ahead and have some fun!
ISO 45001:2018:
- Check for a formal hazard identification process and associated roles, responsibilities and authorities.
- Check for documented information describing criteria and methodologies for assessing risks and opportunities.
- Check if worker representation is involved in hazard identification and the assessment of risks.
- Check for maintained documentation of legal requirements.
- Check how legal requirements are being applied and managed through the management system.
- Check how plans have been applied to mitigate risks and hazards.
- Check how these plans have been communicated.
ISO 14001:2015
As above but also to include:
- Check for documented information in the form of an aspects/impacts register
Note: although consultation and participation of workers is not a requirement of ISO 14001:2015, for the risk management process to be effective, I would consider worker input to the process essential. You might also consider the ultimate point to all of this, by keeping clause 10.3 in mind and remembering the concept of continual improvement.
Some further questions that I will be answering in future articles include:
- How do you change risk to opportunity?
- How do you analyse risks and opportunities?
- How do you manage opportunities?
- Can a risk be an opportunity?
- What is opportunity in risk assessment?
References:
- www.iso.org
- ISO 9000:2015
- ISO 9002:2015
- ISO 14001:2015
- ISO 45001:2018
Please be kind, share and create a link back to this article.
(c) All content is copyrighted to ISO Training UK – All rights reserved 2022.
Author Bio
Paul Ingram has over 15 years of experience working in quality, health and safety and environmental management. Specialising as a trainer, he has provided training to thousands of delegates for small and multi-national businesses across the globe. A specialist in management system training and able to design and deliver courses for ISO 9001, 45001 & 14001. This includes implementation, Introduction, Internal Auditor, Lead Auditor, Remote Auditing, Management Brief and many more. For more information about booking a course visit: ISO Training & Consultancy