Risk management framework – how to understand it



Qualitywise’s mission is to respond to the needs of its readers and followers of my profile in various social media. That’s why I recently asked you a question, what should the next article be about. Risk management framework was your answer:

[Image: reader poll result: Risk management]

The clear win for risk management in that poll shows that it is a very important aspect of management for organizations, and one that calls for better understanding. The topic is very wide, so unfortunately this article cannot cover all of its elements; please expect future posts on it. In this article we will learn the essence of risk management. Follow-up articles will develop the topic into the risk management required by ISO 9001:2015, ISO 31000:2018 and even IATF 16949, and into risk management methods.

Let's get started

While writing this article, I asked myself: “Since when has risk analysis gained importance in quality management?” The answer is actually simple … perhaps you know it?

Quite recently, in 2015, the last update of the ISO 9001 standard took place. It was almost radical in nature, introducing many changes compared with the previous 2008 edition.

Since 2015, ISO 9001 has been a “risk-based” standard[1].

This means implementing mechanisms that identify the factors which may cause deviations from the planned results, both in individual processes and in the system as a whole[2].

Risk definition

ISO 9000:2015, in clause 3.7.9, defines risk as “the influence of uncertainty”[3]. Further in this clause it is said that it is “the impact of uncertainty causing deviation from expectations”. Uncertainty, on the other hand, is defined as “a state, (…), lack of information related to the understanding or knowledge of an event, its consequences or probability”.

Therefore, risk is often presented as a combination of the consequences of an event and the associated probability of its occurrence[4].

A similar definition of risk appears in ISO 31000:2018 “Risk Management – Guidelines”, which defines it as “the effect of uncertainty on goals”[5]. It is important to note that risk defined in this way relates to establishing management mechanisms in the organization, which should make the organization more effective in achieving success[6].

Risk management framework

The ISO 31000:2018 standard also defines risk management as “coordinated activities related to the management and supervision of an organization in relation to risk”[7].

In terms of activities, risk management in an enterprise can be defined as a process aimed at “identifying potential events affecting the company’s operations and taking actions aimed at achieving its goals”. Accordingly, the stages of the enterprise risk management process are[8]:

  • identification: determining the area to which the risk relates and considering all threats to which the company is exposed,
  • measurement, i.e. quantitative determination of the risk level in the identified areas,
  • steering: making decisions about specific action strategies using criteria such as risk size, risk sensitivity, risk limits or opportunities,
  • monitoring and verification of the correctness of the adopted solutions, i.e. the risk assessment procedures.

Two approaches to risk management

The impact of uncertainty can be negative or positive. This implies two approaches to risk management.

The first one is related to the possibility of a harmful event called risk.

The second, on the other hand, is related to the possibility of gaining benefits, therefore it is called an opportunity.

[Image: risk versus opportunity]

Risk management strategies

The primary goal of risk management is to improve financial results and to ensure such conditions that the organization does not incur losses greater than assumed[9].

Therefore, risk management is based on estimating risk and responding to it (handling the risk). Estimation is based on identification and analysis; responding to risk means adopting an appropriate strategy[10].

If we are talking about risk, the following strategies are possible:

  • avoiding the risk by deciding to discontinue, or not to start, the activity that gives rise to it,
  • taking a risk in order to seize an opportunity,
  • removing the source of the risk,
  • changing the probability,
  • changing the consequences,
  • sharing the risk with another party or parties (including through contracts and risk financing),
  • retaining the risk on the basis of an informed decision.

Similarly, when we talk about opportunities, the following strategies are possible:

  • adopting new practices,
  • introducing new products,
  • opening new markets,
  • acquiring new customers and building partnerships,
  • applying new technologies, and other possibilities.

Can the risk be measured?

We can talk “effectively” about risk management “only when it is quantified”[11].

Moreover, depending on the type of risk, various measures of risk (e.g. dispersion, sensitivity) and methods of analysis (e.g. quantitative, qualitative) are applicable[12].

In its quantitative sense, risk is greater the more the tolerance limit is exceeded and the higher the probability of the event[13].

As already mentioned, risk is a combination of the consequences of an event and the associated probability of its occurrence. On this basis, criteria for the intensity of each of these factors, i.e. severity and occurrence, should be adopted, for example in the form of an appropriate scale. An example of a three-level scale is presented below. Of course, the risk can be quantified more precisely by using more assessment levels.

[Image: three-level scale for severity and occurrence]

Having defined the criteria for occurrence and severity, you can quantify the risk by multiplying these two values:

occurrence * severity = risk

On this basis we obtain a specific risk level, which lets us choose the appropriate strategy. Below I present a risk matrix with a proposal for determining the risk level from the obtained result; depending on that level, the strategy of action to be taken must be defined.

[Image: risk matrix (occurrence × severity)]
[Image: risk matrix with risk levels and proposed action strategies]
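To make the scoring step concrete, here is an added example (my own code, not the article's template or any standard's text) that builds the occurrence × severity matrix described above and runs a small risk register through it. The three-level labels, the numeric values 1–3, the cut-offs between the low, medium and high levels and the register entries are all assumptions for illustration, since the article's own scale and matrix are shown in images; the response strategies attached to each level are taken from the strategies listed earlier in the article.

```python
from dataclasses import dataclass

# Three-level criteria for occurrence and severity. The article shows its
# scale in an image, so these labels and values are an assumed example.
OCCURRENCE = {"unlikely": 1, "possible": 2, "likely": 3}
SEVERITY = {"minor": 1, "moderate": 2, "major": 3}

# Cut-offs on the 1..9 product and the response suggested for each level.
# The cut-offs are assumed; the strategies are those listed in the article.
# Checked from highest to lowest, so the order of this list matters.
LEVELS = [
    (6, "high", "avoid the activity or remove the source of risk"),
    (3, "medium", "reduce probability or consequences, or share the risk"),
    (1, "low", "retain the risk on the basis of an informed decision"),
]


@dataclass(frozen=True)
class Risk:
    name: str
    occurrence: str  # label from OCCURRENCE
    severity: str    # label from SEVERITY


@dataclass(frozen=True)
class Assessment:
    name: str
    score: int
    level: str
    strategy: str


def score(occurrence: str, severity: str) -> int:
    """Risk number = occurrence x severity on the two three-level scales."""
    if occurrence not in OCCURRENCE:
        raise ValueError(f"unknown occurrence label: {occurrence!r}")
    if severity not in SEVERITY:
        raise ValueError(f"unknown severity label: {severity!r}")
    return OCCURRENCE[occurrence] * SEVERITY[severity]


def level_for(value: int) -> tuple[str, str]:
    """Map a risk number to (level, strategy) using the LEVELS cut-offs."""
    for threshold, level, strategy in LEVELS:
        if value >= threshold:
            return level, strategy
    raise ValueError(f"risk number out of range: {value}")


def risk_matrix() -> dict[tuple[str, str], str]:
    """The full occurrence x severity matrix, each cell labelled with its level."""
    return {
        (occ, sev): level_for(score(occ, sev))[0]
        for occ in OCCURRENCE
        for sev in SEVERITY
    }


def assess(register: list[Risk]) -> list[Assessment]:
    """Score every entry and sort highest risk first, so the register doubles as a priority list."""
    results = []
    for risk in register:
        value = score(risk.occurrence, risk.severity)
        level, strategy = level_for(value)
        results.append(Assessment(risk.name, value, level, strategy))
    return sorted(results, key=lambda a: a.score, reverse=True)


# Constructed sample register (illustrative entries, not from the article).
SAMPLE_REGISTER = [
    Risk("Supplier delivers out-of-specification parts", "possible", "moderate"),
    Risk("Backup restore procedure has never been tested", "unlikely", "major"),
    Risk("Phishing e-mail leads to credential theft", "likely", "major"),
    Risk("Typo in the internal newsletter", "possible", "minor"),
]


if __name__ == "__main__":
    print("Risk matrix (occurrence x severity -> level):")
    for (occ, sev), level in risk_matrix().items():
        print(f"  {occ:>8} x {sev:<8} = {score(occ, sev)}  -> {level}")
    print("\nAssessed register, highest risk first:")
    for a in assess(SAMPLE_REGISTER):
        print(f"  [{a.level:>6}] {a.score}  {a.name}: {a.strategy}")
```

Two design points worth noting: the product of two 1–3 scales can only take the values 1, 2, 3, 4, 6 and 9, so any cut-offs you adopt should be chosen with those gaps in mind (a cut-off of 5 behaves exactly like one of 6), and unknown labels are rejected rather than silently scored as zero, which would otherwise hide an unassessed risk at the bottom of the list.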

In conclusion

Firstly, it can now be assumed that risk management has become an element of organizational culture thanks to the 2015 amendment of ISO 9001. Secondly, in practice this means, among other things, translating it into the strategic, tactical and operational goals of the organization. Moreover, it entails precisely defining risk management mechanisms so that additional actions to handle and document risks can be taken.

Thirdly, systemic mechanisms should be seen as a tool for the effective achievement of goals. That is why it is so important to develop and improve patterns of thinking and acting within the organizational culture, a culture based on implementing and effectively using risk management.

Let's download the risk management template

I encourage you to download the risk management template that I have prepared for you. You can use it in your work by editing it as you like.

Hope you found this article interesting.

Let me know in the comment!

Thank you for your presence.

Agata Lewkowska Ph.D.

PS. If I can help you with quality management issues, please contact me. You may also join me in my private group on Facebook: ISO 9001 & IATF 16949 QualityWise Group

For people who want to know more

Knowledge must have a solid foundation in order to avoid information noise.

Therefore, the article was based on the following literature:

[1] Medić S., Karlović B., Cindrić Z., New standard ISO 9001:2015 and its effect on organisations, Interdisciplinary Description of Complex Systems 2016, no. 14 (2), p. 191

[2] Roszak M., Wdrażanie w organizacji wymagań normy ISO 9001:2015 w zakresie ryzyka, Napędy i Sterowanie, no. 7/8, July – August 2018, p. 120

[3] PN-EN ISO 9000:2016, Systemy zarządzania jakością. Podstawy i terminologia, Polski Komitet Normalizacyjny, Warszawa 2016, clause 3.7.9, p. 26

[4] Ibidem.

[5] PN-ISO 31000:2019, Zarządzanie ryzykiem. Zasady i wytyczne, Polski Komitet Normalizacyjny, Warszawa 2019, clause 3.1, p. 9

[6] Roszak M., Wdrażanie w organizacji wymagań normy ISO 9001:2015 w zakresie ryzyka, Napędy i Sterowanie, no. 7/8, July – August 2018, p. 119

[7] PN-ISO 31000:2019, Zarządzanie ryzykiem. Zasady i wytyczne, Polski Komitet Normalizacyjny, Warszawa 2019, clause 3.2, p. 9

[8] Kuziak K., Pomiar ryzyka przedsiębiorstwa. Modele pomiaru i ich ryzyko, Uniwersytet Ekonomiczny, Wrocław 2011, p. 33

[9] Szczepańska K., Zarządzanie jakością. Koncepcje, metody, techniki, narzędzia, Oficyna Wydawnicza Politechniki Warszawskiej, Warszawa 2015, p. 38

[10] Szczepańska K., Zarządzanie jakością. Koncepcje, metody, techniki, narzędzia, Oficyna Wydawnicza Politechniki Warszawskiej, Warszawa 2015, p. 38

[11] Medić S., Karlović B., Cindrić Z., New standard ISO 9001:2015 and its effect on organisations, Interdisciplinary Description of Complex Systems 2016, no. 14 (2), p. 191

[12] Tarczyński W., Mojsiewicz M., Zarządzanie ryzykiem, PWE, Warszawa 2001, p. 15

[13] Szczepańska K., Zarządzanie jakością. Koncepcje, metody, techniki, narzędzia, Oficyna Wydawnicza Politechniki Warszawskiej, Warszawa 2015, p. 38

[14] Miller P., Metodyka badania zmienności i skuteczności procesów ciągłych, Oficyna Wydawnicza Szkoła Główna Handlowa w Warszawie, Warszawa 2014, p. 84

All content on the qualitywise.pl website is a private interpretation of publicly available information. Any convergence of the described situations with people, organizations, companies is accidental. The content presented on the website qualitywise.pl does not represent the views of any companies or institutions.


One reply on “Risk management framework – how to understand it”

Great article. Thank you Agata. Even if you are aware of the principles of a subject, it is always good to review them again; as well as reminding yourself of some points, you also pick up on points you may have missed previously. This is made easier especially where the author has great knowledge and communicates things well.