1.

SCOPE
The purpose of this procedure is to manage the business risks and opportunities that arise from the
context of xxx and the requirements of interested parties.

2. PURPOSE
This procedure applies to all the activities within the scope of the XXX Quality Management
System.

3. REFERENCE DOCUMENTS
3.1 XXX Quality Manual,
3.2 ISO 31000:2018 standard
3.3 Procedure for Context of organization
4. TERMS & DEFINITIONS
RM- Risk Management
R-Risk
O-Opportunity
SOP- Standard Operating System

5. RESPONSIBILITY AND AUTHORITY

The Management Representative (MR) and HOD’s of all departments are responsible for the
effective implementation of this procedure.
6. DETAILS OF PROCEDURE

6.1 Management of Risks

6.1.1 XXX considers and manages risks and opportunities differently and based on the overall
context of XXX, requirements of stakeholders, and internal & external issues of concern affecting
XXX.
6.1.2 Risks are managed with a focus on decreasing their likelihood and minimizing their impact if
they should occur.
6.1.3 Opportunities are managed to increase their likelihood, and to maximize their benefits if they
should occur.
6.1.4 Where risks and opportunities overlap, the best appropriate method for managing them shall
be ascertained, given the situation at hand.
6.1.5 Risks are considered during the execution of various processes using the Risk and
Opportunities Register. Additional risks may be identified by any employee at any time.
When using the Risk Register, the following steps are to be followed:
1. Identifying the risk.
2. Identifying the process for which the risk most likely dominates.
3. Assigning a Probability rating to the identified risk:Probability: Provides an assessment of
how likely it is that this risk will occur. Examples are:
L-Low (≤30%), M-Medium (31-70%), H-High (>70%)
 4. Assigning a consequence/Impact rating if the risk were to be encountered:
Severity: Provides an assessment of the impact that the occurrence of this risk would have
on the project. Examples are: L-Low (≤30%), M-Medium (31-70%), H-High (>70%)
5. Based on risk, analyze and prioritize the risks and opportunities in the process and Calculate
the final Risk Factor based on the equation:
PROBABILITY RATING x IMPACT RATING = RISK FACTOR
6.1.6 For risks with a final Risk Factor rating equal to or greater than the threshold set in the Risk
Register, management will decide whether to reject the subject due to the risk or accept the risks
after the development of a risk mitigation plan. The mitigation plan must be documented, either in
the Risk Register or in another document which must be referenced on the form.
6.1.7 Risks with a factor less than the risk threshold may be accepted without a mitigation plan
unless otherwise directed by management.
6.1.8 The Risk Register includes the identification and mitigation plans for key risks associated with
the defined process. The CEO and HODs review these risks and take actions to minimize them. The
methods for risk assessments may vary, but should always include a means of identifying the risk
under examination, and a description of the result of the risk assessment.
6.1.9 Assign Risk Owner: The individual responsible for ensuring that risks are appropriately
engaged with countermeasures undertaken. Methods may include brainstorming, structured or semi-
structured interviews, SWOT or other tools. No single method is used for all risk assessments; the
tool selected should be the best tool applicable to that particular risk analysis.
6.1.10 Check the effectiveness of the actions – verify does it work.
6.1.11 Risk review: The frequency of any review should be based upon the level of risk. Risk
review might include reconsideration of risk acceptance decisions.
6.1.12 Learn from experience – continual improvement

6. 2. Management of Opportunity
6.2.1 As part of the different core and support processes, XXX shall seek out opportunities which
could enhance its financial viability and market position. For example:
• Obtaining new registrations
• Obtaining access to new markets
• Development of new offerings that are within the scope of capabilities of XXX
• Streamlining existing processes to improve efficiency and reduce cost

6.2.2 Discussing and analysing opportunities shall be done by top management. If made part of the
management review activities, these shall be recorded in the management review records.
6.2.3 To help determine which opportunities should be pursued, the Risk and Opportunity Register
may be used to conduct an “opportunity pursuit assessment.” This register is similar to the Risk
Register but ranks potential positive opportunities by their likelihood of success and potential
benefit. The opportunity pursuit assessment is conducted by:
1. Identifying the opportunity.
2. Identifying the process for which the opportunity most likely falls under.
3. Assigning a Probability rating to the identified opportunity; this probability that the
 organization can achieve the opportunity. It is comprised of two elements: likelihood and
previous occurrences. Each element is given a score from 1 (lowest probability) to 5 (highest
probability).
4. Assigning a Benefit rating to assess potential benefits if the opportunity is won. This is
comprised of six elements: potential for new business; potential expansion of current
business; potential improvements in the organization’s ability to satisfy regulatory or
statutory requirements; potential improvements to the quality management system; potential
enhancements of XXX’s reputation; and the estimated cost of implementation. Again, each
element is given a score from 1 (lowest benefit) to 5 (highest benefit).
5. Calculating a final Opportunity Factor based on the equation:
PROBABILITY RATING x BENEFIT RATING = OPPORTUNITY FACTOR
6.2.4 For opportunities with a final Opportunity Factor rating equal to or greater than the threshold
set in the Opportunity Register, management will decide whether to pursue the opportunity through
an “opportunity pursuit plan” or to abandon the opportunity altogether. The opportunity pursuit plan
must be documented, either in the Risk and Opportunity Register or in another document, which
must be referenced on the form.
6.2.5 Opportunities with a factor less than the opportunity target rating may be abandoned outright
unless otherwise directed by management.
6.2.6 Analysis of any opportunity will generally result in one of the following possible
determinations:
• Pursue the opportunity
• Explore the opportunity in greater detail before proceeding
• Accept the opportunity but under limited and controlled conditions
• Decline the opportunity, typically based on a high expected cost or low anticipated benefit.

6.2.7 If an opportunity includes a negative aspect, management may elect to conduct a risk
assessment on the negative aspect, as defined above.

7. RETAINED DOCUMENTED INFORMATION

7.1 Risk and Opportunity Register (QMS F 010)
7.2 Management Review Record(QMS F011)
Actions to address risks and opportunities

01.Purpose
Make actions to address risks and opportunities a part of decision making on all
levels of the Organization and one of the improvement mechanisms of
processes and quality management system (QMS)

02.Scope
This procedure covers all processes of QMS and regulates the activity of the
Organization's Leadership , Quality Manager, Risk Manager,Process Owners
,Risk Owners, experts regarding risk management

03.Responsibility and Authority

The responsibility and authority of the Organization's Leadership , Quality
Manager, Risk Manager, Process Owners, Risk Owners, experts to ensure this
procedure are given below, in the sec. 4.2.4

4.1 General

Inputs:
Data of the processes operations, including criteria from QMS Processes;
Information flow about the internal and external context of the Organization
(see sec. 4.2.1); Information on changes and Risk management tasks in QMS
from the ‘Management Review Process.

Outputs :

Process control decisions to QMS Processes;

Data to evaluate effectiveness of the processes to QMS Processes;

Suggestions for changes to the QMS, including resource needs to ‘Management

Review’ Process;

Suggestions to initiate breakthrough projects to ‘Management Review’ Process;

Data to evaluate effectiveness of the processes and the QMS as a whole to

‘Management Review’ Process
Actions to address risks and opportunities
(Fig. 1) consist of carrying out the ‘PDCA’ cycles
related to risks on two levels:

QMS level

‘Actions to address risks and opportunities’ Process (1st level process);

Each Process Level

‘Risk management processes’ (2nd level processes

Risk management processes’ are the constituent parts of the

‘Actions to address risks and opportunities’ Process :

‘Actions to address risks and opportunities’ Process is implemented in four

phases:

Planning actions to address risks and opportunities. Project of risk

management framework.

Integration and implementation of actions to address risks and opportunities

into QMS processes.

Evaluation of the effectiveness of actions to address risks and opportunities.

Monitoring and analysis of risk management framework

Achieving improvement

4.2 Planning actions to address risks and opportunities. Project of risk

management framework.
4.2.1 Understanding the Context of the Organization It is a prerequisite for
the risk management framework project, defining the levels of risk and
risk criteria, as well as risk treatment

Information flows on internal and external context include:

Information on the applicable laws (‘Control of documented information’

Process);

Standards (‘Control of documented information’ Process);

Information on markets and market trends (‘Marketing Activity’ Process);

Information on competitors including technology (‘Marketing Activity’ Process);

Information about the policy, objectives, strategies, promising business

opportunities (‘Management Review’ Process);
Information about the organizational structure and resources (‘Management
Review’ and ‘Personnel Management’ Processes)

Information about the technologies and future developments (‘Design and

Development’ Process);

Information about the personnel qualification (‘Personnel Management’

Process);

Other information, specific to the particular case.