Risk-based thinking is a big change in the new ISO 9001:2015 standard. Risk management is a proactive way to take action before unfortunate events happen.
Where should you start? How can you detect risks and hazards in your organization?
After determining the context of the organization (stakeholder expectations, competitive analysis, etc.), you have to describe the key processes in your organization with their inputs, outputs, activities and indicators. Risk factors can be identified with a SWOT analysis for any process. In daily business, risk factors will be identified from any P-D-C-A improvement process, like objectives, KPIs, nonconformities, audits, management reviews, etc.
How to handle risks?
The Deming improvement wheel applies to risk management. Risks need to be identified, periodically assessed, treated and monitored.
How to assess risks? What is the cost of risks?
Risks can’t be measured but will be periodically assessed by your responsible team, based on impact (if the risk occurs) and probability (of occurrence). Additional factors can be added, like a detection factor (used with FMEA). The risk severity is a multiplication of these factors. Based on the risk severity, controls and treatment actions will be carried out. The cost of a risk can be calculated based on severity multiplied by cost factors (e.g. number of non-production hours * cost of a non-production hour).
How to control risks?
Controls can be physical assets (e.g. sprinklers, detectors) or procedures (e.g. procedure in case of fire) to reduce the impact or probability of a risk. Controls need to be periodically verified.
How to treat risks?
Based on the risk severity or cost, treatment (corrective, preventive) actions will be declared and tracked. Effectiveness of actions will be verified. A prebuilt workflow makes sure actions are followed up until resolution.
How to monitor risks?
A risk scorecard is ideal to monitor the risk severity and trends for the different periods (e.g. monthly or quarterly). A heat chart can be used to display the risk severity for specific risks.
Why is Excel not enough? What tools can you use?
Microsoft Excel is not a relational tool. You won’t be able to optimally track actions, tasks, emails or documents related to risks with a spreadsheet. More importantly, Excel is not a collaborative tool, and you won’t be able to automate the risk treatment process, distribute tasks automatically or collaborate with your team to assess, treat or monitor risks.
BPA’s integrated QMS and risk management software is the ideal tool to identify, assess, treat and monitor risks. BPA is built on the #1 Microsoft SharePoint technology and brings a simple and powerful framework to help you deploy a collaborative risk-based thinking tool.
BPA’s risk-based thinking software applies to any standard like ISO 9001:2015, ISO 31000, HACCP, FMEA or any other risk methodology.