IMS Documentation Guide for Risks & Opportunities

To conform to the requirements of this International Standard, an organization needs to plan and implement actions to address risks and opportunities. Addressing both risks and opportunities establishes a basis for increasing the effectiveness of the quality management system, achieving improved results and preventing negative effects.



The purpose of this document is to demonstrate the detailed approach to identifying, assessing, and managing risks and opportunities that might have a positive or negative impact on the organisation's Aims and Objectives.


The Organisation's Risk Management Framework adopts the principles of ISO 31000:2018 and is the foundation for integrating risk management into the organisation's processes and managing uncertainty effectively. It articulates the organisation's Aims and Objectives and the requirements for identifying, managing and monitoring risks. It clarifies how risk and opportunity are considered in strategic planning, approval, monitoring and review of operational performance.



Effective risk management can improve organisational performance and contribute to the achievement of aims and objectives by:

  • Informing decision-making through a good understanding of risks.
  • Ensuring risks and opportunities are identified and acted upon at an early stage (fewer shocks and surprises).
  • Aiding the prioritisation of tasks and utilising resources more efficiently.
  • Increasing the likelihood of change initiatives being accepted and delivered.
  • Providing the mechanism to escalate concerns to the correct level of oversight.


When identifying risks and opportunities, the organisation considers the context of the organisation, including Interested Parties and its strategic direction. Risks and opportunities may be identified as a result of: 

  • Setting strategy and determining objectives
  • Implementing change programmes / new projects
  • Assurance activity (e.g. internal audit / regulatory assurance reviews)
  • Engagement with stakeholders
  • Operational feedback
  • Lessons learned exercises
  • SWOT analysis
  • Internal or external meetings

The management system planning follows risk-based thinking. Although there is no standard clause that requires the adoption of a formal method for risk management (see A4 of ISO 9001), the organisation has decided to introduce a Risk and opportunities register. 

The organisation has considered:

  • the external and internal issues analysed (SWOT);
  • the H&S risks (ISO 45001);
  • the environmental aspects (ISO 14001);
  • the loss of Confidentiality, Integrity and Availability of information (ISO 27001);
  • the interested parties' needs and expectations;
  • compliance obligations;

and has determined the risks and opportunities that need to be addressed to:

  • give assurance that the MS (Management System) can achieve its intended results;
  • enhance desirable effects;
  • prevent or reduce undesired effects;
  • achieve improvement.

Risks and opportunities are described in the MS (Management System) Toolbox Tool and evaluated according to their risk rating, which considers their gravity/impact on the company performance and frequency/probability of occurrence.  

(ISO 27001) The description of the criteria used to evaluate the risk rating related to the loss of Confidentiality, Integrity and Availability of information is in the Information Security Risk Assessment section of this document. This includes the methodology for assessing ISO 27001 Annex A as a central controls checklist, which can be exported to Excel as a Statement of Applicability when completed.

The MS (Management System) Toolbox Tool shows the risks and opportunities identified for each process. The Strategic risks and opportunities are managed by the organisation’s top management.

Using the risk register, it has been possible to consider risks related to processes, top management (strategic risks) and interested parties. 


The organisation has identified Aims, which refer to the general direction or intent of the organisation's management system (located in the Toolbox). Aims are not time bound, i.e. there is no time frame within which an aim must be achieved, because it is hard to say accurately how much time achieving it will take. On the other hand, the organisation's objectives are always accompanied by a time frame in which they must be achieved.


The source or event is assessed for its effect on the achievement of the organisation’s Aims and objectives.  An event can have multiple causes (Description column) with negative and positive consequences affecting multiple objectives. The organisation has identified the following consequences:


Individual risks and opportunities (Quality, Environmental, Health & Safety and Information Security) are subject to a risk assessment which considers the probability of occurrence (P), and the significance of the Impact (I). 

Probability (P) x Impact (I) = Risk Rating (9001,27001 & 45001)

Probability (P) x Impact (I) = aspect significance rating (14001)


Each risk source or event is given a Risk Probability rating between 1 and 4, representing the effectiveness of the existing controls in place.

Probability (or likelihood) definitions are described in the table below. It should be noted that these criteria are subjective in nature, and opinions may vary from person to person on where within the table a risk may sit. It is, therefore, the responsibility of the Risk Owner to determine/agree this rating, based on their own judgement and the information they have to hand at the time of assessment.

The criteria for the categorisation are listed below. 



This Impact score, when combined with the Probability rating (Impact x Probability), will determine the overall risk rating as red, amber or green (RAG), as indicated in the Probability and Impact Diagram (PID) below.


The Risk rating and acceptance criteria are determined by:

Risks with the highest impact rating are prioritised first.


Once a risk or opportunity has been identified, it should be recorded on a register at the level most appropriate to manage it, e.g. strategic, location or operational. It will then be assessed through the Change Management process (e.g. management meetings), allocated an owner, and given an initial (inherent) assessment rating. 

All opportunities should initially be given an Impact rating of (4) Very High to ensure they are considered by Top Management. 

Risk analysis involves a detailed consideration of uncertainties, risk sources, consequences, likelihood, events, scenarios, controls and their effectiveness. An event can have multiple causes and consequences and can affect multiple objectives. Risk analysis considers factors such as:

  • the likelihood of events and consequences
  • the nature and magnitude of consequences
  • complexity and connectivity
  • time-related factors and volatility
  • the effectiveness of existing controls
  • sensitivity and confidence levels.


The purpose of risk evaluation is to support decisions. Risk evaluation involves comparing the results of the risk analysis with the established risk criteria to determine where additional action is required. This can lead to a decision to:

  • do nothing further
  • consider risk treatment options
  • undertake further analysis to understand the risk better
  • maintain existing controls
  • reconsider objectives.

Decisions should take account of the wider context and the actual and perceived consequences to external and internal stakeholders.


The responses available for the effective management of risks and opportunities are detailed in the table below. The most appropriate response should be determined by the risk owner.

For ISO 27001, risk treatment includes comparing the controls determined in 6.1.3 with those in Annex A to verify that no necessary controls have been omitted.


Once an appropriate risk treatment plan is agreed upon, an Objective is recorded and followed up in the Objectives Register. Progress of the objectives is monitored in the management meetings. On completion of the treatment plan, the risk probability is re-evaluated with the risk owner to represent acceptance of the residual risk rating.


When an opportunity or risk has been fully mitigated, is no longer a risk and no residual risk remains, it can be retired. Retirement should be agreed upon by the owner. All mitigation actions should be marked as complete, and the status on the register should be changed to 'retired'. This does not mean that the risk should be entirely removed from the register. It should remain on the register for audit purposes, with reference to the justification for the retirement included in the risk comments.


The Risks and Opportunities Register is at the heart of the MS (Management System) and of the continual improvement process. Ongoing monitoring of risks includes evaluating Key Performance Indicators (KPIs). Periodic reviews by risk owners are completed under the following circumstances: 


A procedure for identifying the environmental aspects and impacts of the organisation activities, products, and services across all the life cycle stages and all the organisation’s processes has been established. 

When considering their environmental aspect, the organisation takes into account:

  • The influence they hold over the aspects, i.e. the organisation considers aspects that it entirely controls but also the ones related to the supply chain, clients and final user’s behaviour, neighbourhood perception, etc.;
  • The different operational modes, such as normal (occurring every day), abnormal (occurring every so often, like annual scheduled maintenance activities) and emergency conditions (non-planned activities, such as fires, spills, unusual air emissions, etc.).
  • Applicable compliance requirements.

The organisation also considers a life cycle perspective, thinking carefully about the life cycle stages that can be controlled or influenced. These can be identified in the toolbox, Risk & Opportunities register under:

  • Life cycle choice/column 
  • The allocated operational processes communicated throughout the management system (Toolbox – Processes)

Therefore, the aspects encompass design, training, production, facilities, procurement, suppliers’ performance, transportation, end-of-life treatment and final disposal.

Using the risk register (Toolbox), it has been possible to consider environmental aspects related to operations, products and services, as well as aspects associated with the business and building. 


The score of the environmental aspect will determine the type of actions that will be implemented to address it. The scoring structure has been identified previously in Risk Acceptance.


The organisation will monitor and measure significant aspects over which it has influence. This will be achieved through a number of methods (for which records will be maintained), including:

  • Internal audits;
  • Significant Aspects Register
  • Meter readings (electricity, gas, fuel, water, etc.); 
  • Waste data, collated by the external Facilities Teams, when applicable.


The organisation has developed an asset-based ‘Checklist’ and ‘Scenario Analysis’ methodology (as presented by ISO 31010 and the guidance provided in Annex A - ISO 27002 Code of Practice). This increases the consistency and completeness of risk identification and ensures that the company has identified all issues that are relevant to its purpose and its strategic direction. 

The methodology ensures that the organisation has identified risks associated with the loss of Confidentiality, Integrity, Availability and Privacy (CIAP) in the event of a security incident:

  • Confidentiality - accidental or malicious disclosure of information 
  • Integrity - accidental or malicious modification of information 
  • Availability - information not available to those who need it 
  • Privacy - accidental or malicious disclosure of Personally Identifiable Information (PII)

The organisation classifies assets that process or store information into the following asset types (as listed in the Assets Register):

  • People
  • Hardware 
  • Software 
  • Software as a Service 
  • Data
  • Infrastructure 
  • The Organisation Suppliers
  • Legal
  • Hard copy documentation


The risk assessment considers each asset type, the CIAP impact, and the potential consequences based on the risk scenario. Existing controls are then assessed for their effectiveness in controlling the risk. For example:

The risk assessment is conducted on three levels:


The assessment uses the TISAX Information Security Assessment (VDA ISA) definitions of maturity levels, which are based on the organisational aspects of the international standard ISO/IEC 27001.

  1. Incomplete - A process is not available, not followed or not suitable for achieving the objective.
  2. Performed - An undocumented or incompletely documented process is followed, and indicators exist that it achieves its objective.
  3. Managed - A process achieving its objectives is followed. Process documentation and process implementation evidence are available.
  4. Established - A standard process integrated into the overall system is followed. Dependencies on other processes are documented, and suitable interfaces are created. Evidence exists that the process has been used sustainably and actively over an extended period.
  5. Predictable - An established process is followed. The effectiveness of the process is continually monitored by collecting the organisation figures. Limit values are defined at which the process is insufficiently effective and requires adjustment. (The Organisation Performance Indicators)
  6. Optimizing - A predictable process with continual improvement as a major objective is followed. Improvement is actively advanced by dedicated resources.


The assessment identifies five levels of threat, which can be determined by monitoring the latest threats through Cyber Awareness newsletters such as those published by SANS.

  • Low - An attack is highly unlikely
  • Moderate - An attack is possible but not likely
  • Substantial - An attack is likely
  • Severe - An attack is highly likely
  • Critical - An attack is highly likely in the near future


The Risks identified are evaluated by the scoring structure identified previously in the Risk Acceptance section. 


Risks are then addressed using the following categories: 

  • Apply Controls 
  • Transfer to another party 
  • Avoid risk by changing activity 
  • Accept the risk

Once an appropriate risk treatment plan is agreed upon, an Objective is recorded and followed up in the Objectives Register. Progress of the objectives is monitored in the management meetings, and their implementation leads to risk control, using opportunities to improve the organisation information security.


The organisation will assess operations at the office, to identify foreseeable hazards to which persons may be exposed, and to seek to control these by eliminating or reducing the risk, so far as is reasonably practicable.  Completion of this hazard identification is an ongoing process and is proactive.  This can be demonstrated through the risk assessments and the training provided to employees in hazard identification and risk assessment.

The Management team provide clear direction to create a positive attitude and culture towards health and safety.  This is achieved by providing clear direction and through monitoring of the health and safety performance to identify how we are controlling risks and how well we are developing a positive health and safety culture.

To effectively control hazards, the organisation:

  • involves its employees, who often have the best understanding of the conditions that create hazards and insights into how they can be controlled
  • identifies and evaluates options for controlling hazards, using a "hierarchy of controls"
  • develops plans with measures to protect employees in both routine and non-routine activities, and considers emergency situations that might arise from those activities or from external hazards
  • evaluates the effectiveness of existing controls to determine whether to continue with the current controls or whether different controls may be more effective.


Completion of the hazard identification and the development of the appropriate actions and control measures are the responsibility of the management team at the organisation.  Both routine and non-routine activities and situations are assessed, including:

  • how work is organised
  • infrastructure, equipment, materials, substances and physical conditions of the workplace
  • hazards that arise as a result of product design
  • social hazards including workload, working hours, bullying, victimisation, harassment or intimidation
  • how the work is completed

Human factors, including capabilities, competencies, attitude and behaviour, are assessed on an individual basis and training is provided to employees as required.  The organisation recognises that hazards may change, or new hazards may be identified.  All employees are encouraged to identify hazards and bring these to the attention of the IMS Manager and the Partners.

Previous relevant incidents (both internal and industry-specific) and potential emergency situations are assessed. Near misses and accidents reported internally are investigated, a root cause analysis is carried out, and corrective and preventative actions are taken as appropriate. Further training may be delivered as a result of an accident or near miss. All near misses, accidents and incidents are discussed with employees at the 6-monthly Health & Safety Meeting.

Potential emergency situations are expected to be infrequent. However, their possibility and potential effect have been identified in the risk assessments.  When working on a client site, all employees work in accordance with the site rules as laid out by the client or principal contractor.

The organisation recognises that its activities may affect others in the vicinity of the workplace (other contractors, visitors, neighbours etc). The organisation takes the necessary measures to protect staff and visitors from any accidents or incidents that may occur.  All visitors must be authorised to access the premises, adhere to the health & safety instructions of the organisation and follow all instructions in the event of an emergency situation.

New information about hazards and health & safety risks may come from sources of knowledge such as published literature, guidance notes, research and development, feedback from employees, as well as a review of the operational procedures. The investigation of accidents, near misses and emergency drills might also lead to the review of the hazards and the health and safety risk evaluation. Risk assessments and method statements will be reviewed in the event of new hazards being identified, and all employees informed.

For successful hazard identification, the organisation utilises the following documents:

  • Health & safety meeting minutes
  • Training plans and training sessions
  • New employee inductions
  • Risk assessments and method statements
  • Health & safety policy


The organisation assesses the OH&S risks from the identified hazards, whilst taking into account the effectiveness of the existing controls to reduce the risk of injury and/or ill health. The purpose of the risk assessment is to address the hazards that might arise and ensure that the risks to people are assessed, prioritised and controlled.

The Management Team are responsible for ensuring that adequate provisions are made, and arrangements put into place to ensure that risks are reduced as low as reasonably practicable.  Enough resources, time, effort and finances will be provided to deal with the risk control measures and the implementation of Risk Assessments.

Working standards (e.g. British Standards, HSE Approved Codes of Practice and Industry Guidance) will be produced, referred to and implemented as required.

All employees will be provided with information about the risk assessments and control measures applicable in their work areas and will be asked for feedback as to their suitability and effectiveness.  The IMS Manager retains a signed briefing record of these actions so as to provide traceable evidence that persons affected are fully aware of all hazards, correct control procedures, safe systems of work and method statements (as applicable) and what they are to do in the event of new hazards being identified during the course of their work.

The organisation retains all necessary records of risk assessments and actions to be taken to deal with recognised significant health and safety risks to employees and others at the workplace.

The Risk and Opportunity register (Toolbox) refers to where all identified risks and opportunities are documented and is reviewed at management review.  Further reviews are undertaken following a significant change to the business.


The organisation proactively seeks opportunities that can improve OH&S performance. These include (but are not limited to):

  • Consideration of hazards and risks during the planning stages
  • Modification of working processes, including the alleviation of monotonous and repetitive work
  • Introduction of new technology
  • Improvement of the OH&S culture of the business
  • Improving employee communication
  • Promoting near misses to be reported
  • Improving competencies in identifying hazards through training and awareness
  • Conducting internal audits
  • Ensuring the management review process promotes a strategic and critical evaluation, promoting continual improvement

The organisation utilises the following documents for the assessment of OH&S opportunities:

  • Health & safety meeting minutes
  • Training plans and training sessions
  • New employee inductions
  • Risk assessments 
  • Health & safety policy
  • Management review meeting minutes
  • Risk and Opportunity Register (Toolbox)


The organisation adheres to the Hierarchy of Controls and, wherever possible, eliminates hazards and reduces OH&S risks. For each hazard, the following hierarchy will be applied, considering the most effective controls first:

  1. Eliminate the risk – remove the hazard altogether
  2. Reduce the risk – try a less risky option
  3. Engineering controls – prevent access to the hazards
  4. Administrative controls – organise work to reduce exposure to the hazards
  5. Personal Protective Equipment and welfare facilities

The conclusions of this analysis are formalised in the Risks Register. This document also records the preventative actions put in place to minimise and/or mitigate the risks and to promote opportunities for improvement.

The actions described in the Risks Register and Objectives Register underpin the Policy commitments of the organisation, including the ones related to continual improvement and information security enhancement, allowing the organisation to:

  • Improve the effectiveness of the MS (Management System), including its individual processes;
  • Achieve the MS (Management System) intended results;
  • Avoid negative effects;
  • Avoid non-compliance to statutory and regulatory requirements.

The actions related to Objectives have a specific timescale for implementation and evaluation, whereas the preventative actions identified in the Risk Assessment Register are already systematically implemented by the organisation.

These can relate to different processes, such as:

  • Procedures, instructions and other MS (Management System) documents;
  • Plans related to different activities, such as communication, maintenance, inspection, audits, training, among others;
  • Practices that are rooted in the organisation processes, not described in documents;
  • Staff, supplier and subcontractors’ competence and knowledge;
  • Infrastructure, equipment, measurement devices and tools;
  • Data collection and analysis.

The effectiveness of the actions is evaluated through:

  • Regular follow-up of actions plans;
  • Indicator calculation and analysis;
  • Internal audits;
  • Identification and treatment of non-conformities;
  • Management System review.


The roles and responsibilities associated with the management of risks and issues are defined below. 

Top Management:

  • is responsible for the overall implementation of the Risk Management Framework.
  • ensures that the necessary resources are allocated to managing risk.
  • assigns authority, responsibility, and accountability at appropriate levels within the organisation.
  • embeds the necessary risk management practices within the organisation.
  • is accountable for the management of risk and opportunity to achieve the right balance commensurate with the organisation's business and risk appetite.
  • provides statements in the Annual Review relating to risk management and governance.

Risk Improvement Coordinator:

  • provides a single point of contact for advice regarding the management of risks.
  • maintains and facilitates updates to the Risk and Opportunities Register.
  • prepares and provides risk reports to Top Management.
  • reviews and updates the Risk Management Framework and associated processes and guidance.
  • conducts periodic reviews of risk registers, including developing and maintaining risk improvement plans.

Risk Owner:

  • responsible for the overall management of the risk or opportunity.
  • develops the risk description, including cause(s), event and effect(s).
  • decides the inherent, residual and target ratings for the risks they are responsible for.
  • determines SMART mitigations/actions.
  • assigns action owners to specific mitigations/actions, where required, and ensures expectations are clearly communicated with action owners.
  • ensures mitigations/actions are progressed and are effectively mitigating/enhancing the risk or opportunity.
  • escalates risks that are falling outside of their authority to effectively manage, in accordance with agreed escalation routes.
  • provides regular and proportionate (quarterly as a minimum) updates on the status of risks to the Risk Champion or relevant governance board.

Risk Champion:

  • facilitates the management of risk within their area, including maintaining the risk register, coordinating items for escalation/de-escalation with the relevant areas and ensuring that the risk management process and guidance are adhered to.
  • ensures their area has at least one risk register (at the location or operational level) as a minimum.
  • coordinates regular and proportionate updates to the risk register (quarterly as a minimum).
  • highlights gaps and inadequacies in risk register entries to the appropriate risk owner.
  • ensures new risks are logged, notified to the appropriate Director, and regularly reviewed.
  • provides advice in relation to the risk management framework in accordance with this process and guidance.
  • ensures that any strategic risk mitigation/action that impacts their area, or contributes to the mitigation of another risk owner’s risk, is notified to the appropriate person, where required.
