Risk Management

Managing and assessing risks is

something we all do every day,
mostly without even thinking about it.
When the complexity increases
beyond our everyday experiences,
such as risks faced by a business or
a big project, a more formal approach
is needed. However, it really isn’t
difficult.

A generic risk management process has been set out in ISO standard
31000 and can be applied to any kind of risk by any kind of organisation.
Project management standards PMBOK and PMI both describe a similar
process for managing project risk.

Different kinds of risks need different assessments in terms of the

questions to ask or the exact technique you use, but the overall risk
management process is the same. Essentially, the steps are as follows:

• Establish the context – what activities are we talking about? What

are you trying to do?
o e.g., using a piece of machinery, making/building something,
collecting measurements, importing or exporting goods, staff,
data analysis and reporting.
• Identify risks – what might affect the outcome?
o e.g., a weather event, change to regulations, injury, staffing
shortages, lack of required skills, loss of a key supplier,
chemical exposure, theft, fraud, computer failure, human error.
• Analyse the risks – to prioritise them.
o What are the consequences if the risk actually occurs? How
likely is it to occur?
o minor injury, loss of life, schedule delays, change to reputation,
financial losses/gains, business growth/closure…
• Evaluate – can we live with this risk?
o is it a minor inconvenience? major problem? fantastic
opportunity?
o what’s our risk appetite? – risk averse? risk seeking? neutral?
o How could we change the consequences or change the
likelihood?
o Weigh up the cost/benefit balance for different options.
o for hazards, see the hierarchy of controls
 • Control/treat – actually implement what you decided should be done
to control the risk!
o changes to work practices
o extra monitoring to watch out for triggers
• Review – is it working?
o Can we do better?
o Has anything changed?
o Does this risk still apply?

Looking at past incidents will help you become aware of the different kinds
of risks and hazards to look for.

Some organisations have developed specific forms for particular hazards

they deal with, to make it easier to remember to ask all the relevant
questions.

The resources below include many example risk assessment forms that
follow the generic process.

Management Review

A common approach is to conduct the

review in a meeting. These Management
Review meetings are an important
opportunity to bring together an overview
of the management system, to assess it’s
performance, and to identify any
opportunities where it can be improved.
Held at least once per year, it’s also a
time to review the company’s quality
policy and set new objectives for the
coming year.

It’s essential that “top management” be

involved.

The agenda should include a review of:

• internal and external audit findings and reports

• customer feedback – look closely at the negative feedback, but don’t
leave out the positive feedback – it’s valuable data too (and nice to
hear!)
• supplier performance
 • all issues raised or resolved since the last review to make sure
problems are being resolved properly, and to look for trends in the
data
• process performance – is the process reaching/maintaining
performance targets?
• any changes to standards, regulations, technology, competition,
staffing, and other business activities that could affect the quality
system
• improvement requests

To be effective, attendees need to come to the meeting prepared with data,

and be ready with some conclusions drawn from the data.

It looks like a long list (!) but there’s no reason you can’t break it into
smaller chunks, and if you review some aspects in other meetings there’s
no need to repeat it. In fact, ‘Management Review’ does not even have to
happen in a ‘Management Review Meeting’. You will need to make sure
you have records that show you have covered everything, however you do
it.

At the end of the management review process you will need to record any
decisions and actions to be taken to improve the management system,
product, and/or processes, and what resource needs have been identified.