Risk: Definition
❖ Effect of uncertainties on objectives (ISO 31000:2018)
Risk: Definition (ISO 9000:2015)
❖ Effect of uncertainty
❖ An effect is a deviation from the expected — positive or negative.
❖ Risk is often characterized by reference to potential events and consequences, or a combination of these.
❖ Risk is often expressed in terms of a combination of the consequences of an event and the associated likelihood of occurrence.
❖ The word “risk” is sometimes used when there is the possibility of only negative consequences.
Opportunity
❖ Positive risks are called opportunities.
❖ You would like to take maximum advantage of these positive risks.
Issue
❖ Risk is associated with a future event, which has not happened yet.
❖ A risk which has already occurred is considered an “issue”.
Why Take Risk?
❖ There is a balance between risks and rewards.
❖ Generally more risks lead to more rewards, but that is not always true.
❖ You want more rewards with less risk.
Risk Management
❖ Risk management is the identification, assessment, and prioritization of risks (positive or negative) followed by coordinated and economical application of resources to minimize, monitor, and control the probability and/or impact of unfortunate events or to maximize the realization of opportunities.
Risk Management (diagram): Identification of risks → Assessment of risks → Prioritization of risks → Resources, applied to minimize, monitor and control the probability and/or impact of unfortunate events, or to maximize the realization of opportunities
Risk Management Steps
Plan Risk Management → Identify Risks → Analyze Risks → Plan Risk Response → Monitor and Control Risks
1. Plan Risk Management
❖ Define risk related terms
❖ Define roles and responsibilities
❖ Tools and templates for risk management
❖ Planning includes how to:
❖ Identify risks
❖ Analyze risks
❖ Plan risk responses
❖ Monitor and control risks
2. Identify Risks
❖ Risk identification is a systematic and methodical process.
❖ It is best done in a group environment.
❖ A wide range of people participate in this process, including management, employees, customers and other stakeholders.
2. Identify Risks
❖ Tools used:
❖ Brainstorming is the most common approach.
❖ Other tools include:
❖ Ishikawa Diagram (Cause and Effect)
❖ Flow Diagram
❖ SWOT Diagram (Strengths, Weaknesses, Opportunities and Threats)
❖ FMEA (Failure Mode and Effects Analysis)
2. Identify Risks
Risk Register
❖ The output of the Identify Risks process is a risk register.
❖ This lists all the risks identified.
❖ In the next process these risks are prioritised and an action plan is created to address them.
3. Analyze Risks
❖ Risks are analyzed to set priority
❖ Sets focus on high priority risks
3. Analyze Risks
Qualitative Risk Analysis vs. Quantitative Risk Analysis
❖ Qualitative Risk Analysis: quick and easy to perform; subjective; tool: Probability and Impact Matrix
❖ Quantitative Risk Analysis: detailed and time consuming; analytic; tools: Expected Monetary Value Analysis, Monte Carlo Analysis, Decision Tree
3. Analyze Risks
Probability and Impact Matrix
❖ This is a qualitative risk analysis tool
❖ This evaluates:
❖ Likelihood (probability) that a particular risk will occur
❖ Potential impact on an objective if it occurs
Flashback
Failure Mode and Effects Analysis (FMEA)
❖ Risk Priority Number (RPN) is the product of:
❖ Severity
❖ Probability
❖ Detection
Probability and Impact Matrix
❖ Combination of:
❖ Impact (similar to severity)
❖ Probability
3. Analyze Risks
Probability and Impact Matrix
❖ Each risk is analyzed for probability and impact and is assigned:
❖ a nine-point rating: a score between 1 and 9
❖ a five-point rating: Very Low, Low, Medium, High, Very High, or a score of 1 to 5
❖ a three-point rating: Low, Medium, High, or a score of 1 to 3
❖ Risk score = Probability x Impact
3. Analyze Risks
Probability and Impact Matrix Example
❖ If the risk has low probability and is assigned a probability score of 1
❖ If the impact is significant and is assigned an impact value of 9
❖ Risk score = Probability x Impact = 1 x 9 = 9
3. Analyze Risks
Sample Probability Table
Probability Category | Probability Number | Description
Very High | 9 | Risk event expected to occur
High | 7 | Risk event more likely than not to occur
Probable | 5 | Risk event may or may not occur
Low | 3 | Risk event less likely than not to occur
Very Low | 1 | Risk event not expected to occur
3. Analyze Risks
Sample Impact Table
Project Objective | Very Low (1) | Low (3) | Moderate (5) | High (7) | Very High (9)
Cost | Insignificant cost impact | < 10% cost impact | 10-20% cost impact | 20-40% cost impact | > 40% cost impact
Schedule | Insignificant schedule impact | < 5% schedule impact | 5-10% schedule impact | 10-20% schedule impact | > 20% schedule impact
Scope | Barely noticeable | Minor areas impacted | Major areas impacted | Changes unacceptable to client | Product becomes effectively useless
Quality | Barely noticeable | Minor functions impacted | Client must approve quality reduction | Quality reduction unacceptable to client | Product becomes effectively useless
3. Analyze Risks
Probability and Impact Matrix (Risk score = Probability x Impact)
Probability \ Impact | 1 | 3 | 5 | 7 | 9
9 | 9 | 27 | 45 | 63 | 81
7 | 7 | 21 | 35 | 49 | 63
5 | 5 | 15 | 25 | 35 | 45
3 | 3 | 9 | 15 | 21 | 27
1 | 1 | 3 | 5 | 7 | 9
3. Analyze Risks
Probability and Impact Matrix (qualitative ratings)
Probability \ Impact | Very Low | Low | Medium | High | Very High
Very High | Medium | Medium | High | High | High
High | Low | Medium | Medium | High | High
Medium | Low | Medium | Medium | Medium | High
Low | Low | Low | Medium | Medium | Medium
Very Low | Low | Low | Low | Low | Medium
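The Analyze Risks step run over a small constructed risk register, as an added example that is not part of the slides: it scores each risk with the sample probability table's 1/3/5/7/9 scale and the cost row of the sample impact table, reads the qualitative rating off the matrix above, and sorts the register so the highest-priority risks come first. The band boundaries in cost_impact_level, the Risk record and the register entries are assumptions made for the example.

```python
from dataclasses import dataclass
# Five-point scale from the slides with its 1/3/5/7/9 numeric scores.
LEVELS = ["Very Low", "Low", "Medium", "High", "Very High"]
SCORE = {lvl: 2 * i + 1 for i, lvl in enumerate(LEVELS)}
# Qualitative P x I matrix from the slides: rows = probability, columns = impact.
MATRIX = {
    "Very High": ["Medium", "Medium", "High", "High", "High"],
    "High":      ["Low", "Medium", "Medium", "High", "High"],
    "Medium":    ["Low", "Medium", "Medium", "Medium", "High"],
    "Low":       ["Low", "Low", "Medium", "Medium", "Medium"],
    "Very Low":  ["Low", "Low", "Low", "Low", "Medium"],
}

def cost_impact_level(overrun_pct: float) -> str:
    """Cost row of the sample impact table ('Moderate' treated as 'Medium'). Assumed
    boundaries: 'insignificant' is under 1%; each band includes its upper bound."""
    if overrun_pct < 1:
        return "Very Low"
    if overrun_pct <= 10:
        return "Low"
    if overrun_pct <= 20:
        return "Medium"
    return "High" if overrun_pct <= 40 else "Very High"

@dataclass
class Risk:
    name: str
    probability: str         # a LEVELS entry from the sample probability table
    cost_overrun_pct: float  # estimated cost impact if the risk occurs

def analyze(risk: Risk) -> dict:
    """Risk score = Probability x Impact, plus the qualitative rating from MATRIX."""
    impact = cost_impact_level(risk.cost_overrun_pct)
    return {"name": risk.name, "impact": impact,
            "score": SCORE[risk.probability] * SCORE[impact],
            "rating": MATRIX[risk.probability][LEVELS.index(impact)]}

def prioritize(register: list) -> list:
    """Highest numeric score first; equal scores ordered by qualitative rating."""
    rows = [analyze(r) for r in register]
    return sorted(rows, key=lambda r: (r["score"], LEVELS.index(r["rating"])), reverse=True)

# Constructed sample register (not from the slides).
REGISTER = [
    Risk("Key supplier misses delivery", "High", 12.0),
    Risk("Prototype fails qualification", "Low", 45.0),
    Risk("Minor rework on documentation", "Very High", 0.5),
    Risk("Regulatory audit finding", "High", 25.0),
]
```

Note that three register entries with numeric scores of 35, 27 and 9 all map to the same qualitative rating of Medium, which is why the numeric score is used to break ties when ordering the register.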
4. Plan Risk Response
Responding to Risks
❖ How to decrease the possibility of:
❖ Negative risks affecting the objectives
❖ How to increase the possibility of:
❖ Positive risks helping the objectives
4. Plan Risk Response
Negative Risk | Positive Risk
Avoid | Exploit
Mitigate | Enhance
Transfer | Share
Accept | Accept
4. Plan Risk Response
Avoid the risk (Negative Risk)
Examples:
❖ Plan is changed to avoid the risk
❖ Adopting a proven approach instead of a new approach
❖ Improving team communication
4. Plan Risk Response
Mitigate: Reduce the probability and/or impact of the risk (Negative Risk)
Examples:
❖ Simplify the processes
❖ Develop prototype
❖ Additional inspections
❖ Lessons learned from the past
4. Plan Risk Response
Transfer the risk to a third party (Negative Risk)
Examples:
❖ Insurance
❖ Performance warranty
❖ Subcontract
4. Plan Risk Response
Accept the risk (Negative Risk) if:
❖ no action is feasible, or
❖ the probability and/or impact is too small.
❖ Two types of acceptance:
❖ Passive Acceptance: No plan is created to deal with these risks
❖ Active Acceptance: A contingency plan is created and the risks are monitored
4. Plan Risk Response
Exploit: Make sure that the positive risk happens and make the best use of the opportunity (Positive Risk)
Examples:
❖ Put the best team members and more resources on it
4. Plan Risk Response
Enhance: Increase the probability and/or impact of the risk (Positive Risk)
Examples:
❖ Put the best team members and more resources on it
4. Plan Risk Response
Share the opportunity with a third party (Positive Risk)
Examples:
❖ Forming a team, joint venture or a company with a third party.
4. Plan Risk Response
Accept the opportunity when it happens, but do not actively pursue it (Positive Risk)
Examples:
❖ Probability and rewards are not attractive.
5. Monitor and Control Risks
❖ Regularly review the identified risks and ensure that these are still relevant
❖ Identify new risks
❖ Remove risks that are no longer relevant
❖ Risk audits may be conducted to ensure that the plan is being implemented and is effective.
5. Monitor and Control Risks
Unexpected Risks
❖ Use workarounds to deal with unexpected risks and reduce their impact
❖ Workarounds should be documented for future reference
❖ Workarounds are unplanned responses to risks that were not identified or expected
2022 – Changes in the BoK – 7
❖ Risk Management
❖ Definitions
❖ 5 Steps in Risk Management
1. Planning for Risk Management
2. Identifying Risks
3. Risk Assessment
4. Risk Control (Negative and Positive Risks)
5. Monitor and Control Risks
2022 – Changes in the BoK – 7A
❖ Topics removed from the BoK
❖ None
❖ Topics added to the BoK
❖ Risk-Based Thinking
❖ Types of Risk Management
2022 – Changes in the BoK – 7B
❖ Topics removed from the BoK
❖ None
❖ Topics added to the BoK
❖ Components of Risk Management Planning
2022 – Changes in the BoK – 7C
❖ Topics removed from the BoK
❖ None
❖ Topics added to the BoK
❖ Risk Management Evaluation (Auditing)
❖ Risk Monitoring Techniques
❖ Mitigation Planning
Additional Topics in Section 7
❖ Risk-Based Thinking
❖ Types of Risk Management
❖ Components of Risk Management Planning
❖ Risk Management Evaluation (Auditing)
❖ Risk Monitoring Techniques
❖ Mitigation Planning
Risk Based Thinking
❖ “Risk Based Thinking” is a new term in ISO 9001:2015
❖ The “Preventive Actions” requirement in the previous version of the standard has been replaced with “Risk Based Thinking” in the 2015 version of the standard.
❖ There is no requirement to formally implement risk management.
❖ Some of the ISO 9001:2015 requirements related to risk-based thinking:
❖ Leaders to promote risk-based thinking.
❖ Identify risks during the planning stage
❖ Actions are taken proportionate to the impact on conformity
❖ Analyze the effectiveness of actions taken to address risks
❖ Update risks identified during the planning
Types of Risk Management
❖ Enterprise Risk Management
❖ strategic, software, business, regulatory, medical, audit
❖ Operational Risk Management
❖ supplier, supply chain, safety, project, manufacturing, operations, service, quality system
❖ Product Risk Management
❖ design, process, use, safety
Risk Management
❖ Accept risk when benefits outweigh the cost.
❖ Accept no unnecessary risk.
❖ Anticipate and manage risk by planning.
❖ Make risk decisions at the right time at the right level.
Enterprise Risk Management
❖ Enterprise Risk Management
❖ strategic, software, business, regulatory, medical, audit
❖ Examples:
❖ Strategic Planning – SWOT Analysis
❖ Compliance with regulatory requirements
❖ Physical and IT threats/issues (breach)
❖ Financial frauds/compliance
Enterprise Risk Management
❖ Enterprise Risk Management Standards
❖ ISO 31000:2018 – Risk Management
❖ COSO – the Committee of Sponsoring Organizations provides a framework of internal controls.
❖ The five components of COSO internal control are risk assessment, control activities, information and communication, control environment, and monitoring activities.
❖ Sarbanes–Oxley Section 404: Assessment of internal control
Operational Risk Management
❖ Operational Risk Management
❖ supplier, supply chain, safety, project, manufacturing, operations, service, quality system
❖ Examples:
❖ Supply chain issues – timeliness, quality, cost, safety
❖ Poor quality, not following processes, lack of a quality management system, carelessness and fraud, technology
❖ Natural catastrophes and business discontinuities
Product Risk Management
❖ Product Risk Management
❖ design, process, use, safety
❖ Examples:
❖ Failure to meet customer expectations
❖ Failure to meet code, and legal requirements
❖ Poorly designed products leading to liability issues
❖ Safety issues in use
Components of Risk Management
Planning
❖ Objective
❖ Risk Criteria
❖ Stakeholder identification
❖ Team member’s roles and responsibilities
Components of Risk Management
Planning
❖ Set the Project or Enterprise Objective
❖ What is the purpose of the project or organization?
❖ Risk Criteria
❖ How much risk the organization is willing to take?
❖ Stakeholder Identification
❖ Engage stakeholders in risk identification, prioritization and risk responses.
Components of Risk Management
Planning
❖ Risk Management Key Team Members
❖ Risk Manager – Overall responsible for implementing the plan
❖ Risk Owners – Responsible for individual risk actions
❖ Management / Project Managers – Overall accountability
Risk Management Evaluation
Auditing and Testing of Controls
❖ The purpose of an audit is to ensure compliance
❖ The purpose of testing of controls is to assess the effectiveness of internal controls in detecting and preventing risks.
❖ If internal controls are less effective, the auditor might need to increase the level of testing/samples in the audit.
4 Types of Test of Controls
❖ Inquiry (Least effective)
❖ Document Review
❖ Observation of the workplace
❖ Reperform an activity (by the auditor)
Risk Monitoring Techniques
❖ Risk Monitoring is to keep track of the status of risks and the effectiveness of the risk responses.
Risk Monitoring Techniques
❖ Complaint Tracking
❖ Trending
❖ Service reports
❖ Customer surveys
❖ Post-market surveillance*
Post-market Surveillance
❖ This term is typically used by medical device companies to ensure that the devices are safe and effective once on the market.
❖ FDA requires:
❖ “Medical device manufacturers, as well as other firms involved in the distribution of devices, must follow certain requirements and regulations once devices are on the market. These include such things as tracking systems, reporting of device malfunctions, serious injuries or deaths, and registering the establishments where devices are produced or distributed.”
Mitigation: Reduce the probability and/or impact of the risk (Negative Risk)
❖ Examples:
❖ Simplify the processes
❖ Develop prototype
❖ Additional inspections
❖ Lessons learned from the past