There is no business without risk. Recognizing, evaluating and managing risk is a familiar, if underemphasized, managerial function. A new version of the ISO 9001 Standard for Quality Management Systems will be released this year. The ISO 9001-2015 revision specifically requires “risk based thinking”.
This is the first of a series of posts on risk management. This post, part 1 of a three-part series, reprises and updates a post from 2012, which provides an overview of risk management. Part 2 will provide some specific risk management suggestions for smaller manufacturers, while Part 3 will focus on the risk management aspects of the new ISO 9001 Standard.
Downside Up – Managing Risks
From: 6 September 2012
“A ship is safe in harbor, but that’s not what ships are for” 
For a business unit to be Sustainable, that is, to thrive in perpetuity, it is clearly necessary to manage the downside of business as well as the upside. In today’s globalized economy, where social impacts and environmental impacts must be managed along with increasingly complex economic issues, managing the downside goes far past insurance coverage. Managing risk does not mean eliminating risk, because opportunity is often the flip side of risk — like the ship experiences at sea.
Last year, Greg Hutchins made a presentation entitled Risk Management – The Future of Quality. He kindly provided a copy of the slides from his presentation, along with permission to quote. I take the pillars of his presentation to be:
> Businesses operate in an increasingly “VUCA” world, where Variation, Uncertainty, Complexity and Ambiguity too often prevail, and
> To cope with a “VUCA” world, risk management should follow the same course quality management has taken over the last quarter century.
Four slides from Greg’s presentation illustrate the changes he recommends:
In essence, Greg borrows the structured, process-focused, statistical approach that defines contemporary quality management and applies that approach to risk management. His presentation does a good job of introducing the concepts behind effective risk management. You might contact Greg through his website (www.qualityplusengineering.com) and request a copy of his slides.
The International Organization for Standardization (ISO) takes a similar approach in the ISO 31000 International Standard for Risk Management – Principles and Guidelines. Those familiar with the ISO 9001 standard for quality management systems will readily grasp its relationship to the new ISO 31000 standard. However, unlike ISO 9001, ISO 31000 provides guidelines, not requirements. So, there is no need to be certified to ISO 31000. Also unlike ISO 9001, ISO 31000 does not require another documented management system. Rather, ISO 31000 recommends that risk management be fully integrated with existing management processes and systems.
The guts of ISO 31000 are the Risk Management Framework and the Risk Management Process. The Framework “provides the foundations and arrangements that embed (risk management) throughout the organization and at all levels”. The Framework deploys the Risk Management Process. The Risk Management Process consists of a series of steps: Establishing the Context, Risk Identification, Risk Analysis, Risk Evaluation and Risk Treatment. The Process serves to determine the actions to be taken to address risks as they are encountered.
Establishing a policy for addressing risks is central to all of this. The policy expresses the organization’s level of risk tolerance in such a way that authorized decision makers at all levels have a common basis for making decisions on risk. Keep in mind that risk management decisions are exercises in assessing probabilities, conducted in a “VUCA” atmosphere. Beware of assessing probabilities intuitively. Daniel Kahneman won a Nobel Prize for his work on decision making. He found that the intuitive part of human thought just doesn’t handle statistical matters very well. Do the numbers.
Part 2 of this post will make some specific risk management suggestions for smaller manufacturers. Part 3 will address the coming ISO 9001-2015 requirements for risk management.
Thoughtful comments and experience reports are always appreciated.
… Chuck Harrington (Chuck@JeraSustainableDevelopment.com)
P.S: Contact me when your organization is serious about prospering in the globalized 21st century … CH
This blog and associated website (www.JeraSustainableDevelopment.com) are intended as a resource for smaller manufacturers in the pursuit of Sustainability. While editorial focus is on smaller manufacturers, all interested readers are welcome. New blog posts are published weekly.
 This quote is most often attributed to William G.T. Shedd (1820 – 1894). There is some controversy however. Others attribute the quote to John A. Shedd, from a 1928 book or to Admiral Grace Hopper.
 Werbach, Adam, Strategy for Sustainability, Harvard Business Press, Boston (2009), page 9
 See Kahneman’s remarkably readable new book, Thinking, Fast and Slow, Farrar, Straus and Giroux, New York (2011), especially Chapter 31 on Risk Policy