Risk-Based Thinking for ISO 9001, ISO 14001, ISO 27001, ISO 45001

In every ISO management system standard, the central theme that drives implementation of the management system is risk. Leaders must evaluate the risks their businesses face, determine their sources, and develop methods for controlling risk outcomes.

Traditionally carrying a negative association, risk in business – especially as it relates to ISO certification – is looked at more as an unknown than as a threat. How a company chooses to handle its risks is known as its risk management strategy, and it requires close tracking of procedures to ensure positive outcomes. By acknowledging risk and facing it head on, companies increase their likelihood of success.

The individualized approach to risk varies from business to business and is largely driven by the company’s appetite for growth and its risk tolerance. From ultra-conservative tactics to bold steps into the unknown, risk management strategies are as unique as the people involved in the company.

Once a company has evaluated the context of its business as it pertains to the specific ISO certification it is working toward, it evaluates the risks specific to that area and the needs and requirements of the interested parties it works with. It must examine both internal and external issues and focus on the areas of highest concern or opportunity. The idea isn’t to tackle every single risk at one time, but to provide a framework and direction that helps prioritize the risk strategy for the best possible outcome.

To develop a clear picture of their risk position, companies evaluate the issues they face, how those issues apply to their business, their significance for the company’s goals, and the repercussions of addressing or not addressing them. They then work collaboratively with their team to decide what kind of treatment each risk should receive.

Active participation from the larger workforce is important to creating effective risk solutions. As the driving force behind all activity within a company, employees are knowledgeable with regard to the specifics of their duties, and therefore have the best understanding of the impact of the identified risks. Through that understanding, they will be able to give input for truly effective solutions. Additionally, being involved in the process will boost their sense of ownership and cause them to be truly invested in the improvement process.

Deciding how to address each risk takes careful consideration. With mutual cooperation, companies work to develop a strategic improvement plan that outlines their intentions for handling significant risks. They may choose a variety of approaches for each risk and their direction is impacted by the projected outcome.

  • Companies can choose to avoid risk by putting safeguards in place or by working to eliminate the source of the risk.
  • They could choose to take the risk, focusing their efforts on ensuring a positive outcome from their actions.
  • Sharing the risk is another option, and some companies call in external stakeholders to strategically manage the effects of the risk.
  • For low-priority issues, risks may simply be retained and care taken to document the natural progression that follows the inaction.

The purpose of the improvement plan is to narrow down the top areas of concern, where the most effort and energy are needed, and to create aggressive plans to address those areas.

Companies choose to take risks as part of their pursuit of new growth and opportunities. Adopting new products, launching new technology or practices, opening in new markets, and acquiring new customers are all calculated risks that companies can take in an effort to improve. The success of those risks is dependent on how they are managed.