Risk Management with ISO 31000
BY GRAPHIC PRODUCTS STAFF
Running a business involves risk. Risk cannot be avoided, but it can be managed. ISO 31000 provides guidelines for managing risk in an organization, within the established management system, structure, and culture of that organization. ISO 31000 does not offer specific procedures, and there is no “ISO 31000 certification.” Instead, the standard focuses on basic principles and guidelines that can be applied worldwide.
Types of Risks
Risk management is the coordinated and economical application of resources to minimize, monitor, and control the probability and/or impact of unfortunate events or to maximize the realization of opportunities.
The first step in managing risks is to understand the risks that need to be managed. In order to use the ISO 31000 guidelines, you need to understand that “risks” may not mean what you expect.
A traditional definition of risk involves the exposure to danger, with potential for injury or loss. ISO 31000 creates a new definition of risk as “the effect of uncertainty on objectives, whether positive or negative.” This definition shifts the understanding of risk away from the possibility of a negative outcome and toward the uncertainty itself. With appropriate risk management processes in place, ISO 31000 views risk as having the potential to provide opportunities.
Next, ISO 31000 divides risks into three categories:
- Hazard (if the uncertain event occurs, there will be negative outcomes)
- Control (the results of the uncertainty are themselves uncertain)
- Opportunity (if the uncertain event occurs, there will be positive outcomes)
Hazards are risks leading to a negative outcome. Examples of these would be safety concerns, such as hazardous chemicals, high voltage electricity, or moving machinery. A three-prong approach is typically used to address safety-related hazards.
- Eliminate the hazard through the use of engineering controls. This may involve redesigning equipment or processes to eliminate the hazard entirely, or providing guarding to make the hazard inaccessible. The objective of engineering controls is to eliminate all possibility of negative consequences.
- Reduce the hazard through the use of administrative controls. This involves implementing standards, procedures, and practices that prevent negative consequences. For example, pathways might be established with floor marking tape to keep foot traffic separate from forklift traffic. Work schedules could be arranged so that hazardous activities are performed when fewer employees are present.
- Protect individuals from the hazard using Personal Protective Equipment (PPE). For example, employees might be required to wear eye protection and a face shield when they grind welds on piping.
However, ISO 31000 also addresses risks that are not safety-related, such as theft. Because it is an uncertain event with a negative outcome, theft falls into the hazard category.
ISO 31000 addresses all forms of risk, including safety risks, financial risks, political risks, and marketing risks. As a result, phrases such as “risk tolerance” are used. While there may be zero tolerance for risk when it comes to safety, in other areas, such as financial risk, there is a certain level of tolerance – even for risks in the “hazard” category.
Some types of risks have uncertain outcomes; these are classified as “control risks.” An example of a control risk would be paving a road in early spring. The road may need to be completed by June in order to handle the anticipated heavy summer traffic. However, the progress of paving work is subject to the weather, and the risk of poor weather is greater in the spring. The outcome of the paving project is uncertain — and the results of a delay are also uncertain.
Control risks are most commonly associated with project management. Typically the project schedule, budget, and specifications are at risk due to unknown and unexpected events or conditions. Most organizations will strive to eliminate these control uncertainties. However, some projects must be undertaken with control risks, because the benefits still outweigh the risks. (Waiting until summer to start the paving project might eliminate the weather concern, but the roads would not be finished in time for the heavy seasonal traffic.)
Opportunity risks are those risks that an organization knowingly takes on in order to get a positive result. For example, investing in new technology involves some risk; it may have greater costs in the long run, or may be quickly replaced by another development. However, the benefits may be worth the risk.
All organizations take opportunity risk, but the tolerance for opportunity risk will vary from one group to another. Some organizations are aggressive, willing to take on more risk in return for the benefit of rapid improvement. Others may wait for an opportunity to have a proven track record before they adopt it.
Opportunity risks can't be avoided. There is a risk in taking advantage of any opportunity, and there is even risk associated with doing nothing. The best approach is to understand the risks, and make decisions that bring the greatest value to your organization.
Risk Assessment and the Risk Matrix
Two of the most significant aspects of a risk are the severity of its outcome and the probability of its occurrence. These two aspects should be considered during the process of risk assessment.
When assessing risks a consistent approach must used. Do not allow individual departments to rank the severity and likelihood of a risk according to standards of their own choosing. This can lead each department to focus on the risks that strongly affect them, and ignore any others. With varying standards for risk evaluation, it will be impossible to implement a facility-wide assessment of risks. One of the best approaches to resolve this problem is to create a “risk assessment team.” This team would establish uniform and measurable criteria for ranking risk, and use those criteria to assign rankings to each event being evaluated.
The Risk Matrix
One of the tools available for assessing risk is the Risk Matrix. The severity and likelihood of a given risk are quantified on a scale from 1 to 10, and presented on a chart. Placing “severity” on the X axis and “likelihood” on the Y axis gives a chart that presents risks in a simple and effective way. The most serious risks appear in the upper right section of the chart.
The risks can be compared against each other easily, because each risk’s seriousness is the product of its likelihood and its severity. Using general rules of comparison, the Risk Matrix can be divided into three color-coded areas:
- A low severity, low likelihood area (shown in green). Often, these risks are considered tolerable and do not require action. However, the type of risk must also be taken into account: in the area of safety, even low severity/low likelihood risks need to be addressed.
- In the middle are the moderate risks (yellow). These risks typically need to be monitored, but still may not require action unless they relate to safety.
- The upper right section (red) of the chart has the high severity, high likelihood risks. These risks must be addressed with control measures as soon as possible.
One of the major benefits of the Risk Matrix is that it provides a simple diagram of risk rankings that can quickly be understood. It is an excellent tool for presenting risks to upper management in a way the effectively communicates the need to address certain risks. Keep in mind, though, that a risk matrix alone is not a good decision making tool. It only provides guidance on which risks need to be addressed.
Risk communication is an ongoing and interactive process, in which risk-related information is shared between the decision-makers and other stakeholders. ISO 31000 addresses the need for an effective risk communication system. Clear and accurate risk communication is needed while developing a risk management plan, and it is essential for communicating that plan to others.
While ISO 31000 does not include specific communication requirements, there are many laws and standards that do. Knowing the requirements of these laws and standards is essential. For example, OSHA's Hazard Communication Standard (HCS) requires Safety Data Sheets and labeling that provides information about chemical hazards.
A key component of risk communication is the use of signs and labels to provide information visually. For example, with a DuraLabel Kodiak large-format printer, extra large, high visibility labels can be made for chemical storage drums.
Learn more about the DuraLabel Kodiak, as well as the complete line of DuraLabel printers and tough-tested supplies, by calling 888-326-9244.