To conform to the requirements of this International Standard, an organization needs to plan and implement actions to address risks and opportunities. Addressing both risks and opportunities establishes a basis for increasing the effectiveness of the quality management system, achieving improved results and preventing negative effects.
Why you need to define Risk and Opportunities for your ISO Management System (MS)
6.1 Actions to address risks and opportunities
6.1.1 When planning the quality management system, the organization shall consider issues referred to in 4.1 and the requirements referred to in 4.2 and determine risks and opportunities that need to be addressed to:
a) give assurance that the quality management system can achieve its intended result(s);
b) enhance desirable effects.
c) prevent, or reduce, undesired effects.
d) achieve improvement.
6.1.2 The organization shall plan:
a) actions to address these risks and opportunities.
b) how to:
1) integrate and implement the actions into its quality management system processes
2) evaluate the effectiveness of these actions.
How ISOvA MS software helps you determine Risk & Opportunities
The ISOvA IMS Toolbox provides you with a template list of risks to evaluate. Lookup columns let you add context to those risks from your controls (Step 3), Interested Parties (Step 5) and Performance Evaluation (Step 7), and add your objectives (Step 9) to the high-end risks. This section of the software brings all the steps together and is the hub of the system.
The headings below match the columns provided in your IMS Toolbox:
The majority of this exercise is choosing the relevant information you have inputted from Steps 1 to 7.
Once you have become familiar with this process, it is up to you to add other associated risks to your business, including risks on operations, interested parties, infrastructure and competencies.
This section is for the risks that have been included with the Toolbox. You need to choose whether this risk is relevant to your business.
When assessing the risk, you must choose whether it is an internal or an external issue. An example of an internal issue is employee competencies, and an example of an external issue is a supplier that has not delivered a quality product.
This section is where you communicate the headline of the risk.
This section is where you put the explanation (Scope) into the headline. Remember that a third party should understand your description.
From the dropdown selection, choose what the consequence of the risk could be. An example would be a delay caused by a supplier, which can consequently cause poor service delivery. You can choose multiple consequences if needed.
Give a score (1 is Low Risk, and 4 is High Risk) for the impact the risk would have on your business should it happen.
Following Step 3 of the “How To Guide”, allocate the controls you have in your business to minimise this risk. To be honest, this step is important: if you don’t have controls in place, you have found your business objectives (which is your opportunity).
Give a score (1 is Low Risk, and 4 is High Risk) for the probability that this risk will happen in your business.
Once you have issued scores for the Risk Implications (I) and the Risk Probability (P), the Toolbox automatically calculates the Risk Rating (R) using the formula I x P = R.
The score of the risk or opportunity will determine the type of actions that will be implemented to address it:
Any risk scoring 10 or above requires an objective (this will be communicated in Step 9 Objectives). For now, choose from the categories provided the one that this objective falls under.
Please do not forget this Risk for Step 9.
By following Step 5 Interested Parties, allocate the relevant interested party that this Risk would affect. You can choose more than 1.
By following Step 2 Legal register, allocate the relevant statutory and regulatory legislation to this individual risk. It is not easy, so try and think from a top-level perspective. Alternatively, please speak to one of our ISOvA assistants, who will be happy to help.
By following Step 7 Performance Evaluation, allocate the relevant KPI that will help to monitor and evaluate the risk. Potentially this could alter the scoring.
The risk and opportunities register does change throughout the year, so we advise you to review it on a quarterly basis and re-evaluate the scoring based on the controls you have in place or the objectives you have completed. Also, your business changes, and with that, you will encounter new risks. It is advisable to use the Toolbox to assess these unknown risks and what controls you have in place to minimise the impact.
Having determined roles, responsibilities, and authorities for your ISO MS, you can now move to the next step: