To conform to the requirements of this International Standard, an organization needs to plan and implement actions to address risks and opportunities. Addressing both risks and opportunities establishes a basis for increasing the effectiveness of the quality management system, achieving improved results and preventing negative effects.
RISKS AND OPPORTUNITIES
PURPOSE
The purpose of this document is to demonstrate the detailed approach to identifying, assessing, and managing risks and opportunities that might have a positive or negative impact on the organisation's Aims and Objectives.
RISK MANAGEMENT FRAMEWORK
The Organisation’s Risk Management Framework adopts the principles of ISO 31000:2018 and is the foundation for integrating risk management into the organisation’s processes and managing uncertainty effectively. It articulates the organisation’s Aims and Objectives and the requirements for identifying, managing and monitoring risks. It clarifies how risk and opportunity are considered in strategic planning, approval, monitoring and review of operational performance.
Definitions
BENEFITS OF RISK MANAGEMENT
Effective risk management can improve organisational performance and contribute to the achievement of aims and objectives by:
RISK IDENTIFICATION
When identifying risks and opportunities, the organisation considers the context of the organisation, including Interested Parties and its strategic direction. Risks and opportunities may be identified as a result of:
The management system planning follows risk-based thinking. Although there is no standard clause that requires the adoption of a formal method for risk management (see A4 of ISO 9001), the organisation has decided to introduce a Risks and Opportunities Register.
The organisation has considered:
and has determined the risks and opportunities that need to be addressed to:
Risks and opportunities are described in the MS (Management System) Toolbox Tool and evaluated according to their risk rating, which considers their gravity/impact on the company performance and frequency/probability of occurrence.
(ISO 27001) The description of the criteria used to evaluate the risk rating related to the loss of Confidentiality, Integrity and Availability of information is in the Information Security Risk Assessment section of this document. This includes the methodology for assessing ISO 27001 Annex A as a central controls checklist, which can be exported to Excel as a Statement of Applicability when completed.
The MS (Management System) Toolbox Tool shows the risks and opportunities identified for each process. The Strategic risks and opportunities are managed by the organisation’s top management.
Using the risk register, it has been possible to consider risks related to processes, top management (strategic risks) and interested parties.
IMPACT FACTORS (AIMS)
The organisation has identified Aims, which refer to the general direction or intent of the organisation's management system (located on the Toolbox). Aims are not time bound, i.e. there is no time frame within which the aim of the entity must be achieved, as it is hard to say accurately how much time it will take to achieve. On the other hand, the organisation’s objectives are always accompanied by a time frame in which they must be achieved.
CONSEQUENCES
The source or event is assessed for its effect on the achievement of the organisation’s Aims and objectives. An event can have multiple causes (Description column) with negative and positive consequences affecting multiple objectives. The organisation has identified the following consequences:
CATEGORISING RISKS AND OPPORTUNITIES & CATEGORISING ASPECTS & IMPACTS
Individual risks and opportunities (Quality, Environmental, Health & Safety and Information Security) are subject to a risk assessment which considers the probability of occurrence (P), and the significance of the Impact (I).
Probability (P) x Impact (I) = Risk Rating (9001,27001 & 45001)
Probability (P) x Impact (I) = aspect significance rating (14001)
RISK PROBABILITY
Each risk source or event is given a Risk Probability rating between 1 and 4, representing the effectiveness of the existing controls in place.
Probability (or likelihood) definitions are described in the table below. It should be noted that these criteria are subjective in nature, and opinions may vary from person to person on where within the table a risk may sit. It is, therefore, the responsibility of the Risk Owner to determine/agree this rating, based on their own judgement and the information they have to hand at the time of assessment.
The criteria for the categorisation are listed below.
RISK AND OPPORTUNITY TREATMENT
RISK RATING
This score, when combined with the Probability rating (Impact x Probability), will determine the overall risk rating as red, amber or green (RAG), as indicated in the below Probability and Impact Diagram (PID).
RISK ACCEPTANCE
The Risk rating and acceptance criteria are determined by:
Risks with the highest impact rating are prioritized first.
RISK ANALYSIS
Once a risk or opportunity has been identified, it should be recorded on a register at the level most appropriate to manage it, e.g. strategic, location or operational. It will then be assessed through the Change Management process (e.g. management meetings), allocated an owner, and given an initial (inherent) assessment rating.
All opportunities should initially be given an Impact rating of (4) Very High to ensure they are considered by Top Management.
Risk analysis involves a detailed consideration of uncertainties, risk sources, consequences, likelihood, events, scenarios, controls and their effectiveness. An event can have multiple causes and consequences and can affect multiple objectives. Risk analysis considers factors such as:
RISK EVALUATION
The purpose of risk evaluation is to support decisions. Risk evaluation involves comparing the results of the risk analysis with the established risk criteria to determine where additional action is required. This can lead to a decision to:
Decisions should take account of the wider context and the actual and perceived consequences to external and internal stakeholders.
RISK TREATMENT
The responses available for the effective management of risks and opportunities are detailed in the table below. The most appropriate response should be determined by the risk owner.
For ISO 27001, risk treatment includes comparing the controls determined in 6.1.3 with those in Annex A to verify that no necessary controls have been omitted.
RESIDUAL RISK RATING
Once an appropriate risk treatment plan is agreed upon, an Objective is recorded and followed up in the Objectives Register. Progress of the objectives is monitored in the management meetings. On completion of the treatment plan, the risk probability is re-evaluated with the risk owner to represent acceptance of the residual risk rating.
RETIRING A RISK OR ISSUE
When an opportunity or risk has been fully mitigated, is no longer a risk and no residual risk remains, it can be retired. Retirement should be agreed upon by the owner. All mitigation actions should be marked as complete, and the status on the register should be changed to ‘retired’. This does not mean that the risk should be entirely removed from the register. It should remain on the register for audit purposes, with reference to the justification for the retirement included in the risk comments.
RISK MONITORING AND REVIEW
The Risks and Opportunities Register is at the heart of the MS (Management System) and of the continual improvement process. Ongoing monitoring of risks includes evaluating Key Performance Indicators (KPIs). Periodic reviews by risk owners are completed under the following circumstances:
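An added example, not from this page or the ISOvA toolbox, that encodes the register rules from the sections above (and the ISO 27001 procedure later, which reuses the same scoring) in Python: P and I on the 1 to 4 scales, P x I as the rating, opportunities starting at Impact (4) Very High, highest impact prioritised first, the residual rating re-evaluating probability only, and retired entries staying on the register. The red/amber/green bands are an assumption, because the Probability and Impact Diagram is not reproduced here.

```python
from dataclasses import dataclass, field
from typing import Optional

# ASSUMED bands on the P x I score; the page's PID defines the real ones
RAG_BANDS = ((9, "red"), (4, "amber"), (1, "green"))

def rag(score: int) -> str:
    # map a P x I score to red/amber/green using the assumed bands
    for threshold, colour in RAG_BANDS:
        if score >= threshold:
            return colour
    raise ValueError(f"score out of range: {score}")

@dataclass
class RegisterEntry:
    ref: str
    kind: str            # "risk" or "opportunity"
    owner: str           # the Risk Owner agrees the probability rating
    probability: int     # 1..4, reflects effectiveness of existing controls
    impact: int          # 1..4, where 4 is Very High
    status: str = "open"
    residual_probability: Optional[int] = None
    comments: list = field(default_factory=list)

    def __post_init__(self) -> None:
        if self.kind == "opportunity":
            self.impact = 4  # opportunities start at (4) Very High
        if not {self.probability, self.impact} <= set(range(1, 5)):
            raise ValueError("P and I must be between 1 and 4")

    def inherent_rating(self) -> int:
        return self.probability * self.impact

    def residual_rating(self) -> Optional[int]:
        # only probability is re-evaluated after treatment; impact stays
        if self.residual_probability is None:
            return None
        return self.residual_probability * self.impact

    def complete_treatment(self, agreed_probability: int) -> None:
        """Owner re-evaluates probability once the treatment plan is done."""
        if agreed_probability not in range(1, 5):
            raise ValueError("P must be between 1 and 4")
        self.residual_probability = agreed_probability
        self.status = "treated"

    def retire(self, justification: str) -> None:
        """Retire but keep the entry on the register for audit purposes."""
        if self.residual_rating() is None or rag(self.residual_rating()) != "green":
            raise ValueError("residual risk remains; cannot retire")
        self.status = "retired"
        self.comments.append(f"retired: {justification}")

def prioritised(register: list) -> list:
    """Highest impact first, then highest score, per the procedure."""
    return sorted(register, key=lambda e: (e.impact, e.inherent_rating()), reverse=True)
```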
ENVIRONMENTAL ASPECTS & IMPACTS (ISO 14001)
A procedure for identifying the environmental aspects and impacts of the organisation activities, products, and services across all the life cycle stages and all the organisation’s processes has been established.
When considering their environmental aspect, the organisation takes into account:
The organisation also considers a life cycle perspective, thinking carefully about the life cycle stages that can be controlled or influenced. These can be identified in the toolbox, Risk & Opportunities register under:
Therefore, the aspects encompass design, training, production, facilities, procurement, suppliers’ performance, transportation, end-of-life treatment and final disposal.
Using the risk register (Toolbox), it has been possible to consider environmental aspects related to operations, products and services, as well as aspects associated with the business and building.
RISK / ENVIRONMENTAL ASPECT TREATMENT
The score of the environmental aspect will determine the type of actions that will be implemented to address it. The scoring structure has been identified previously in Risk Acceptance.
MONITORING AND MEASUREMENT
The organisation will monitor and measure significant aspects over which it has influence. This will be achieved through a number of methods (for which records will be maintained), including:
ISO 27001 RISK ASSESSMENT PROCEDURE
The organisation has developed an asset-based ‘Checklist’ and ‘Scenario Analysis’ methodology (as presented by ISO 31010 and the guidance provided in Annex A - ISO 27002 Code of Practice). This increases the consistency and completeness of risk identification and ensures that the company has identified all issues that are relevant to its purpose and its strategic direction.
The methodology ensures that the organisation has identified risks associated with the loss of Confidentiality, Integrity, Availability and Privacy (CIAP) in the event of a security incident:
The organisation classifies assets that process or store information into the following asset types (as listed in the Assets Register):
RISK ASSESSMENT METHODOLOGY
The risk assessment considers each asset type; the CIAP impact, and the potential consequences based on the risk scenario. Existing controls are then assessed on their effectiveness of controlling the risk. For example:
The risk assessment is conducted on three levels:
CONTROL MATURITY LEVELS
The assessment uses the TISAX Information Security Assessment (VDA ISA) definitions of maturity levels, which are based on the organisational aspects of the international standard ISO/IEC 27001.
CYBER SECURITY LEVELS OF THREAT
The assessment identifies five levels of threat, which can be determined by monitoring the latest threats through cyber awareness newsletters such as SANS.
RISK ACCEPTANCE CRITERIA
The Risks identified are evaluated by the scoring structure identified previously in the Risk Acceptance section.
RISK TREATMENT PLAN
Risks are then addressed using the following categories:
Once an appropriate risk treatment plan is agreed upon, an Objective is recorded and followed up in the Objectives Register. Progress of the objectives is monitored in the management meetings, and their implementation leads to risk control, using opportunities to improve the organisation's information security.
HAZARD IDENTIFICATION AND ASSESSMENT OF OH&S RISKS AND OPPORTUNITIES (45001)
The organisation will assess operations at the office, to identify foreseeable hazards to which persons may be exposed, and to seek to control these by eliminating or reducing the risk, so far as is reasonably practicable. Completion of this hazard identification is an ongoing process and is proactive. This can be demonstrated through the risk assessments and the training provided to employees in hazard identification and risk assessment.
The Management team provide clear direction to create a positive attitude and culture towards health and safety. This is achieved by providing clear direction and through monitoring of the health and safety performance to identify how we are controlling risks and how well we are developing a positive health and safety culture.
To effectively control hazards, the organisation:
HAZARD IDENTIFICATION
Completion of the hazard identification and the development of the appropriate actions and control measures are the responsibility of the management team at the organisation. Both routine and non-routine activities and situations are assessed, including:
Human factors, including capabilities, competencies, attitude and behaviour, are assessed on an individual basis and training is provided to employees as required. The organisation recognises that hazards may change, or new hazards may be identified. All employees are encouraged to identify hazards and bring these to the attention of the IMS Manager and the Partners.
Previous relevant incidents (both internal and industry-specific) and potential emergency situations are assessed. Near misses and accidents reported internally are investigated, a root cause analysis is carried out, and corrective and preventive actions are taken as appropriate. Further training may be delivered as a result of an accident or near miss. All near misses, accidents and incidents are discussed with employees at the 6-monthly Health & Safety Meeting.
Potential emergency situations are expected to be infrequent. However, their possibility and potential effect have been identified in the risk assessments. When working on a client site, all employees work in accordance with the site rules as laid out by the client or principal contractor.
The organisation recognises that its activities may affect others in the vicinity of the workplace (other contractors, visitors, neighbours etc). The organisation takes the necessary measures to protect staff and visitors from any accidents or incidents that may occur. All visitors must be authorised to access the premises, adhere to the health & safety instructions of the organisation and follow all instructions in the event of an emergency situation.
New information about hazards and health & safety risks may come from sources of knowledge such as published literature, guidance notes, research and development, feedback from employees, as well as a review of the operational procedures. The investigation of accidents, near misses and emergency drills might also lead to the review of the hazards and health and safety risk evaluation. Risk assessments and method statements will be reviewed in the event of new hazards being identified and all employees informed.
For successful hazard identification, the organisation utilises the following documents:
ASSESSMENT OF OH&S RISKS
The organisation assesses the OH&S risks from the identified hazards, whilst taking into account the effectiveness of the existing controls to reduce the risk of injury and/or ill health. The purpose of the risk assessment is to address the hazards that might arise and ensure that the risks to people are assessed, prioritised and controlled.
The Management Team are responsible for ensuring that adequate provisions are made, and arrangements put into place to ensure that risks are reduced as low as reasonably practicable. Enough resources, time, effort and finances will be provided to deal with the risk control measures and the implementation of Risk Assessments.
Working standards (e.g. British Standards, HSE Approved Codes of Practice and Industry Guidance) will be produced, referred to and implemented as required.
All employees will be provided with information about the risk assessments and control measures applicable in their work areas and will be asked for feedback as to their suitability and effectiveness. The IMS Manager retains a signed briefing record of these actions so as to provide traceable evidence that persons affected are fully aware of all hazards, correct control procedures, safe systems of work and method statements (as applicable) and what they are to do in the event of new hazards being identified during the course of their work.
The organisation retains all necessary records of risk assessments and actions to be taken to deal with recognised significant health and safety risks to employees and others at the workplace.
The Risk and Opportunity register (Toolbox) refers to where all identified risks and opportunities are documented and is reviewed at management review. Further reviews are undertaken following a significant change to the business.
ASSESSMENT OF OH&S OPPORTUNITIES
The organisation proactively seeks opportunities that can improve OH&S performance. These include (but are not limited to):
The organisation utilises the following documents for the assessment of OH&S opportunities:
ELIMINATING HAZARDS AND REDUCING RISK
The organisation adheres to the Hierarchy of Controls and, wherever possible, eliminates hazards and reduces OH&S risks. For each hazard, the following hierarchy will be applied first to consider the controls that are most effective:
The conclusions of this analysis are formalised in the Risks Register. This document also records the preventative actions put in place to minimise and/or mitigate the risks and to promote opportunities for improvement.
The actions described in the Risks Register and Objectives Register underpin the Policy commitments of the organisation, including those related to continual improvement and information security enhancement, allowing the organisation to:
The actions related to Objectives have a specific timescale for implementation and evaluation, whereas the preventative actions identified in the Risk Assessment Register are already systematically implemented by the organisation.
These can relate to different processes, such as:
The effectiveness of the actions is evaluated through:
ROLES AND RESPONSIBILITIES (RISK)
The roles and responsibilities associated with the management of risks and issues are defined below.
Top Management:
Risk Improvement Coordinator:
Risk Owner:
Risk Champion:
The Documentation guide has been designed in conjunction with the how-to guides to explain how these one to ten steps correlate with ISO standards (ISO 9001, 14001, 27001 & 45001).
When implementing your ISO Management System by using the “How to Guides”, the “Document Guide” (one to ten steps) offers an explanation of the documented procedures that an organisation is recommended to follow, based on the clauses of ISO 9001, 14001, 27001 & 45001. In conjunction with the required ISO standard, the organisation will be able to produce its own ISO Management System, which will offer guidance and controls to the business.