Risk Management

Although I've called this section 'risk management' we need to be clear right away: formal "Risk Management" is not a requirement of the Standard. What is required is something called 'risk based thinking'. For simplicity, I will refer to risk management, but please remember, we are not talking formal risk management, but 'thinking about risk' or 'taking risk into account when planning, operating and reviewing your quality management system'.

Now, having a suitable method or methods to manage risk in any business or other organisation makes good sense.  And it isn't as complicated as some people try to make it.  

The view that the Standard takes is that 9001 was always about risk - after all, having a robust quality management system is one way of reducing risk.  The difference is that now there is a specific requirement to consider risk and that a new and somewhat vague term was introduced;'risk based thinking'.

Now there's a couple of things in this version of the Standard that I think could have been done better.  This is one of them, coming up with a new definition of risk as 'the effect of uncertainty' (ISO 9000:2015 3.7.9) rather than using the one that is already in the Risk Management Standard, ISO 31000.

And leading on from that new definition, the Standard also wraps risks and opportunities in together, on the basis that risks aren't always negative and that opportunities can involve risk. Incidentally, this led to lots of spluttering and spirited debates across the world, especially from professional risk managers.

Let's leave that aside, and look at  what the Standard actually says about risk based thinking, in the Introduction  and an Appendix.  

Neither the Introduction nor the Appendix are part of the actual requirements of the Standard (the specific things you get audited on), but they do give important context and background, to help you read and understand the requirements. The next step is to look at what the requirements are, to see what you actually have to do. That mostly is set out in clause 6.1 and it covers what sensible organisations have always done. Note they may not have done it formally and they probably didn't think of it as, or call it: 'risk based thinking'. This is what you are required to do:

Let's run through an example, to illustrate what all this might mean in practice. Consider a small architectural practice, with 2 owners and a small staff. The owners - practising, registered architects - do their planning for risks on two main levels.

First, there is the project-based level, where they analyse each project they bid for, to help them consider their pricing and whether there is anything that suggests they need to build in a greater buffer (contingency), in their fee structure. For example, a design job for a builder they haven't worked with before, and don't know anything about versus a job for a local government. They would identify financial risk/nonpayment as a much more likely risk with the builder, than with the government job, but with the latter, there is much more likelihood of an extended engagement period, given that local governments often ant to build in consultation periods with local people. And they 'promote' this kind of thinking with their own staff, through example and project discussions.

The other level they plan at is the company level: risks to the company itself. Here, they have identified professional liability as an obvious risk, but also losing key staff. Finding and attracting suitably qualified young architects is difficult.

They have integrated this kind of thinking into their practice:  a risk assessment is part of the brief and thinking for every project. At the company level, they do an annual risk assessment, and revisit it during the year if things change. 

There are various ways they address these risks.  They balance their projects portfolio, to ensure a mix of work from builders and developers with government jobs.  They require an initial deposit up front from all clients, break the work into stages, and manage finances to ensure that payments are received on agreed milestones. They put a lot of attention on staff development and coaching, to help make the practice an exciting place to work for young architects, and give them a chance to stretch their skills and learn. They have regular staff events, and actively seek feedback from their staff, and take it into account in their practice.

Their evaluation to date gives them confidence that this approach has worked for them, as they have had no major financial losses, they have been able to manage the flow of work, and they do not have high staff turnover.

Resources

DIY ISO 9001 Kit

How to get ISO 9001 without breaking the bank. The practical cost-effective solution to get ISO 9001 certification. Current for 2015 and better than ever.

(read more)