Tools for risk-based thinking
The revised ISO 9001:2015 and ISO 14001:2015 standards now require "risk-based thinking". The exact implementation of the requirements should be individually adapted to the company in question. Which instruments can a company use to meet these requirements effectively and economically?
There is a prominent new chapter in the catalogue of requirements of the revised ISO 9001:2015 and ISO 14001:2015 standards. Under 6 "Planning", the first item is 6.1 "Measures to deal with risks related to hazards and opportunities". This means that a company that wants to comply with the standards must be able to demonstrate processes that serve to identify opportunities and hazards, to assess and evaluate their risks and to define and implement all measures that are necessary for the optimal use of opportunities or the prevention of hazards. Both the standardization and certification bodies assume that this risk-based thinking is not new in companies, but has always been implicitly present. What is new, however, is that it must be explicitly documented as part of the management system. In the following, a few tools are presented that can be used in the company to comply with the new requirement.
The stakeholder analysis
The stakeholder analysis is itself a new requirement of the revised standards. At the same time, it is a tool for identifying the relevant opportunities and risks from the expectations of the stakeholders. Fig. 1 shows the structure of such a stakeholder analysis. The relevant stakeholders are listed row by row. This involves thinking of all stakeholders who a) have particular expectations of the organization or b) have particular opportunities to influence the organization. These usually include customers, suppliers, employees, shareholders, certain associations, interest groups, NGOs, public authorities, etc. In two groups of columns, the interests and potential influence of each identified stakeholder are then noted, and opportunities and threats for the organization are derived from them. In a final group of columns, possible courses of action towards this stakeholder are recorded. These behavioural options are measures in the sense of the standard requirement. The aim is to influence the stakeholder in such a way that the opportunities identified can be exploited and the threats averted.
The environmental relevance analysis (within the framework of ISO 14001)
The long-established environmental relevance analysis (cf. Fig. 2) identifies the areas of the organization with relevant effects on the environment and determines which environmental aspects those effects concern and how large they are. A large environmental impact is always associated with opportunities and threats. Failure to control the environmental impact leads to the risk of violations of the law and corresponding governmental reactions and/or damage to the company's image. On the other hand, good management of environmental impacts can strengthen the reputation of the organization. The environmental relevance analysis should therefore be taken into account when developing environmental goals and measures, and thus also when deciding how to deal with the opportunities and threats identified in it.
The risk management process
It is not a requirement to have and use a formal risk management process, even under the revised ISO 9001 and ISO 14001 standards. However, a formal risk management process ensures the required identification of opportunities and threats and the derivation of appropriate measures extremely well and is therefore highly recommended. Fig. 3 shows a risk management process that conforms to ISO 31000 and has proved very effective in practice. The process is suitable for any type of risk; the corresponding scope and the appropriate impact categories must be defined in each case in the "Define context" step. In general, an organization should apply the process to its strategy, its major investment projects, its survival-threatening risks, and possibly to its product development and procurement.
A risk management process requires that, in addition to tools for identifying opportunities and threats and methods for assessing risks, the organization also determines where its limit for accepting risks lies. Risks must not only be reduced with measures, but must first be assessed as to whether they are acceptable or not. This acceptance decision, together with the monitoring and review of the identified and treated risks, goes beyond the requirements of ISO 9001 and ISO 14001. However, it has great advantages for a consistent handling of opportunities and threats, one that also extends to decision-making processes.
Hazard identification along the Balanced Scorecard (BSC)
A recommended tool for identifying and documenting opportunities and threats is a mind map whose four main branches are assigned to the four core areas of the BSC. In a brainstorming session, these four areas are systematically examined and triggers or reasons for opportunities and threats are sought. The process is refined from the general to the specific by always asking the question "what could happen there". The corresponding results are entered on the mind map. The more interesting and potentially more significant of these opportunities and threats can then be assessed in terms of risk and treated with measures if the risk is not tolerable.
The Risk Portfolio
The risk portfolio is well suited to classifying opportunities and threats, assessing the corresponding risks and deriving measures from them. The risk portfolio simply consists of a matrix: on one axis the probability of occurrence or frequency of an opportunity or threat scenario is entered, on the other axis the extent/impact of the opportunity or threat scenario. The risk of an opportunity or threat scenario is read directly from its position in the portfolio according to the formula Risk = Probability × Extent. Areas with tolerable, conditionally tolerable and intolerable risk can be marked as green, yellow and red areas in the risk portfolio. Scenarios that lie in the intolerable range must be treated with measures.
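To make the portfolio concrete, here is an added example (not from the article) in Python that scores a small constructed risk register on assumed 1..5 scales, assigns each scenario to the green, yellow or red area, flags intolerable scenarios for treatment and re-scores them after a measure. The limits TOLERABLE_MAX and CONDITIONALLY_TOLERABLE_MAX are assumptions standing in for the acceptance threshold that the risk management process above requires the organization to set.

```python
from dataclasses import dataclass

# Constructed 1..5 scales (assumption, not taken from the article):
# 1 = very unlikely / minor, 5 = almost certain / critical.
SCALE = range(1, 6)
# Zone limits on the product Risk = Probability x Extent (assumed thresholds).
TOLERABLE_MAX = 4                # green:  risk <= 4
CONDITIONALLY_TOLERABLE_MAX = 9  # yellow: 4 < risk <= 9; red above

@dataclass(frozen=True)
class Scenario:
    name: str
    probability: int  # 1..5
    extent: int       # 1..5

def risk(scenario: Scenario) -> int:
    """Risk = Probability x Extent, as the article's portfolio defines it."""
    if scenario.probability not in SCALE or scenario.extent not in SCALE:
        raise ValueError(f"{scenario.name}: scores must lie in 1..5")
    return scenario.probability * scenario.extent

def zone(scenario: Scenario) -> str:
    """Map the portfolio position to the green / yellow / red area."""
    r = risk(scenario)
    if r <= TOLERABLE_MAX:
        return "green"
    return "yellow" if r <= CONDITIONALLY_TOLERABLE_MAX else "red"

def needs_treatment(scenario: Scenario) -> bool:
    """Intolerable (red) scenarios must be treated with measures."""
    return zone(scenario) == "red"

def treat(scenario: Scenario, less_probable: int = 0, less_severe: int = 0) -> Scenario:
    """Re-score after a measure; a score never drops below 1 (residual risk remains)."""
    return Scenario(scenario.name, max(1, scenario.probability - less_probable),
                    max(1, scenario.extent - less_severe))

def portfolio(scenarios) -> dict:
    """Group scenario names by zone, highest risk first, for the review step."""
    grouped = {"red": [], "yellow": [], "green": []}
    for s in sorted(scenarios, key=risk, reverse=True):
        grouped[zone(s)].append(s.name)
    return grouped

# Constructed sample register (illustrative scenarios, not from the article).
REGISTER = [Scenario("Supplier insolvency", 2, 4), Scenario("Breach of customer records", 3, 5),
            Scenario("New market via eco-label", 4, 3)]
```

Calling portfolio(REGISTER) places the two high-scoring scenarios in the red area and the supplier scenario in yellow; treat() then shows how a measure moves a scenario back across the acceptance limit.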
"The organization determines the risks associated with hazards and opportunities and ensures that the management system achieves the intended results and prevents or reduces undesirable effects." That is what the standards require. The tools that can be used for this purpose often come from traditional risk management. The merging of "sector-specific" management systems (quality, environment, ...) into integrated management systems that include risk management is certainly encouraged by this, and that makes perfect sense.