RISK MANAGEMENT
TRAINING COURSE
Speaker: Ms. Cynthia Jose
cynthia.e.jose@gmail.com
+63 917 480 4232, +63 920 475 2502
No recording please…
ISO 9001:2015 Quality Management System (QMS)
Quality Management System (QMS): a set of policies, processes and procedures required for planning and execution (production, development, service) in the core business area of an organization (i.e. areas that can impact the organization’s ability to meet customer requirements).
Intended Outcomes/Results of the QUALITY MANAGEMENT SYSTEMS
• enhancement of customer satisfaction;
• assurance of the conformity to customer requirements; and
• compliance to applicable statutory and regulatory requirements
Risk
Effect of uncertainty on an expected result
Terms and Definition
Removing the specific
“Preventive Action” clause from the standard.
Preventive Action vs Risk Management
• One of the key purposes of implementing a quality management system is to act as a preventive tool.
• As a result, the formal requirement related to preventive action no longer exists.
• This is being replaced with a risk-based approach. Although the organization is required to determine and address risks, there is no requirement for implementing a formal risk management process.
• The corrective actions needed for potential nonconformities were incorporated in the clause:
– Nonconformity and corrective actions (cl. 10.2)
• Preventive measures are also indirectly incorporated in cl. 6.1 for risk-based thinking
Risk-based thinking is in:
• Introduction - the concept of risk-based thinking is
explained
• Clause 4 - organization is required to determine its QMS
processes and address its risks and opportunities
• Clause 5 – top management is required to
– Promote awareness of risk-based thinking
– Determine and address risks and opportunities that can
affect product /service conformity
• Clause 6 - organization is required to identify risks and
opportunities related to QMS performance and take
appropriate actions to address them
Risk-based thinking is in:
• Clause 7* – organization is required to determine and provide
necessary resources
• Clause 8* - organization is required to manage its operational
processes
• Clause 9 - organization is required to monitor, measure, analyse
and evaluate the effectiveness of actions taken to address risks
and opportunities
• Clause 10 - organization is required to correct, prevent or reduce
undesired effects and improve the QMS and update risks and
opportunities
• Note, risk is implicit whenever suitable or appropriate is
mentioned (clause 7 and 8)
What are the relevant clauses of
Risks and Opportunities?
Clause 4.4.1
(Clause 4, Context of organization: 4.1 Understanding context; 4.2 Interested parties; 4.3 Scope; 4.4 QMS)
The organization shall establish, implement, maintain and continually improve a quality management system, including the processes needed and their interactions, in accordance with the requirements of the International Standard.
The organization shall determine the processes needed for the quality management system and their application throughout the organization, and shall:
a) determine the inputs required and the outputs expected from these processes
b) determine the sequence and interaction of these processes
c) determine and apply the criteria and methods (including monitoring, measurement and related performance indicators) needed to ensure the effective operation and control of these processes
d) determine the resources needed for these processes and ensure their availability
e) assign the responsibilities and authorities for these processes
Clause 4.4.1 (continuation…)
(Clause 4, Context of organization)
Clause 4.4.2
a) maintain documented information to support the operation of its processes
b) retain documented information to have confidence that the processes are being carried out as planned.
Clause 6.1 Actions to address risks and opportunities
(Clause 6, Planning: 6.1 Actions to address risks and opportunities; 6.2 Objectives and planning)
6.1.2 The organization shall plan:
1) integrate and implement the actions into its QMS processes (see 4.4);
Clause 8.1 Operational planning and control
(Clause 8, Operation: 8.1 Operational planning and control; 8.2 Requirements for products and services; 8.2.1 Customer communication; 8.2.2 Determination of requirements related to products and services; 8.2.3 Review of requirements related to products and services; 8.2.4 Changes to requirements for products and services)
The organization shall plan, implement and control the processes (see 4.4) needed to meet the requirements for the provision of products and services, and to implement the actions determined in Clause 6, by:
a) determining the requirements for the products and services;
b) establishing criteria for:
1) the processes;
2) the acceptance of products and services;
c) determining the resources needed to achieve conformity to the product and service requirements;
d) implementing control of the processes in accordance with the criteria;
e) determining, maintaining and retaining documented information to the extent necessary:
1) to have confidence that the processes have been carried out as planned;
2) to demonstrate the conformity of products and services to their requirements.
The output of the planning shall be suitable for the organization’s operations.
The organization shall control planned changes and review the consequences of unintended changes, taking action to mitigate any adverse effects, as necessary.
The organization shall ensure that outsourced processes are controlled (see 8.4).
Clause 9.1.3
(Clause 9, Performance Evaluation: 9.1 Monitoring, measurement, analysis and evaluation; 9.1.2 Customer satisfaction; 9.1.3 Analysis and evaluation; 9.2 Internal audit; 9.3 Management review; 9.3.1 General; 9.3.2 Management review input; 9.3.3 Management review output)
The organization shall analyse and evaluate appropriate data and information arising from monitoring and measurements.
The results of analysis shall be used to evaluate:
a) conformity of products and services;
b) the degree of customer satisfaction;
c) the performance and effectiveness of the quality management system;
d) if planning has been implemented effectively;
e) the effectiveness of actions taken to address risks and opportunities;
f) the performance of external providers;
g) the need for improvements to the quality management system.
Note: Methods to analyse data can include statistical techniques.
Clause 10.2 Nonconformity and corrective action
(Clause 10, Improvement: 10.1 General; 10.2 Nonconformity and corrective action; 10.3 Continual improvement)
10.2.1 When a nonconformity occurs, including any arising from complaints, the organization shall:
a) react to the nonconformity and, as applicable:
1) take action to control and correct it;
2) deal with the consequences;
b) evaluate the need for action to eliminate the cause(s) of the nonconformity, in order that it does not recur or occur elsewhere, by:
1) reviewing and analysing the nonconformity;
2) determining the causes of the nonconformity;
3) determining if similar nonconformities exist, or could potentially occur;
c) implement any action needed;
d) review the effectiveness of any corrective action taken;
e) update risks and opportunities determined during planning, if necessary;
f) make changes to the quality management system, if necessary.
Corrective actions shall be appropriate to the effects of the nonconformities encountered.
Activity: Audit Trailing (Risks and Opportunities)
[Figure: PLAN / DO audit trail. Labels: 4.1 Internal/External issues list/SWOT; 6.1 – R&O Identified and Planned; 8.1 – Actions implemented and controlled; 8.7 Nonconformity of Outputs]
Process (Clause 6)
[Figure: Risk Management Process, steps 1 to 6. Labels: Internal/External context; Developing Risk Criteria; Determine Roles and Responsibilities (including Stakeholders); What can happen, where, how and why (analysis of workflows and processes; list risks and causes); Determine controls; Estimate level of risk (probability; consequence; ranking score); Compare against criteria; Identify and assess options; Decide on response; Establish priorities (adequacy of controls; action); Selection of risk treatment option; Preparing and implementing risk treatment plans; Accept, Control/Mitigate, Emergency Plan, Insurance, Waivers, Contracts; Control]
Internal context (TECOP)
• Technological: material, equipment, know-how, skills
• Economic: viability, profitability, cash flow
• Culture: behavior, attitude, e.g. absenteeism, tardiness, demographic
• Organizational: objectives, policies, standards, procedures
• Political: governance, decision-making, problem solving
The external context
• consists of the organization’s immediate operations and
how they affect its performance and decision-making.
PESTLE
• Political: national, local governance
• Economic: growth, inflation, interest rates
• Social: population demographics, trends
• Technological: new materials, innovations, advancement in equipment, and processes
• Legal: laws, regulation
• Environmental: climate, weather, earthquake fault proximity
Activity 2
• TECHNOLOGICAL FACTORS: Information Technology; R&D; Equipment
• ECONOMIC FACTORS: Cash Flow; Capital Reserves; Viability
• CULTURAL: Demographics; Collective Attitude; Capabilities
• ORGANIZATIONAL FACTORS: Policies/standards/guidelines; Strategies; Management systems; Structures; Objectives
• POLITICAL FACTORS: Governance; Decision Making Systems; Roles and Accountabilities
Do your SWOT analysis…
EXTERNAL ISSUES | OPPORTUNITIES | THREATS
POLITICAL FACTORS: Legislation | |
Economic: Exchange rate; Business Activity | |
ENVIRONMENTAL FACTORS: Weather; Ecological factor | |
Activity 2
Interested Parties
RISK
Severity of Consequence | 1 never | 2 rare | 3 occasional | 4 often | 5 frequent
1 Nothing or negligible | 1 | 2 | 3 | 4 | 5
2 slight | 2 | 4 | 6 | 8 | 10
3 medium | 3 | 6 | 9 | 12 | 15
4 serious | 4 | 8 | 12 | 16 | 20
5 catastrophic | 5 | 10 | 15 | 20 | 25
Risk Classification
Category | Risk Rating | Classification | Description | Measures | Remarks
L | 1-11 | acceptable | Potential risk does not have serious impact to QMS | Ordinary work practice, QMS training and shall be implemented | No reduction measures required
M | 12-19 | undesirable | Potential risk may have undesirable impact to QMS | Reassessment shall be done to confirm the risk becomes acceptable by the risk reduction measures | Risk reduction measures shall be established and implemented
H | 20-25 | unacceptable | Potential risk may have serious impact to QMS | Reassessment shall be done to confirm the risk becomes acceptable by the risk reduction measures | Risk reduction measures shall be established and implemented
Risk Terminologies
• A risk is the effect of uncertainty to objectives;
may be positive or negative; deviation from
expected
• A risk source (or cause) has the potential,
alone or in combination, to give rise to risk,
• An event is the occurrence or change of a
particular set of circumstances
• A consequence (or effect) is the outcome of an
event affecting objectives
[Figure: cause-and-effect diagram. Cause → Event (Risk) → Effect, with "WHY?" asked on both the cause side and the effect side. Categories on each side: MAN, MACHINE, MEASUREMENT, MATERIAL, METHOD, MILIEU (ENVIRONMENT)]
Example
IDENTIFY RISKS
1) Let’s go back to our SWOT analysis and
identify possible risks (pick 3)
2) Analyze your process and identify 2
potential risks
3) Use the structured Risk Statement to define
Risks
Welcome to day 2!
Welcome to day 2- RECAP
CONTROL MEASURES
• Eliminate risks
• Engineering/Technology
Risk Evaluation
• The purpose of risk evaluation is to support decisions. Risk
evaluation involves comparing the results of the risk analysis
with the established risk criteria to determine where additional
action is required. This can lead to a decision to:
— do nothing further;
— consider risk treatment options;
— undertake further analysis to better understand the risk;
— maintain existing controls;
— reconsider objectives.
• Risk Treatment
3) Treat the risks (Clause 6.5)
Options for risk treatment:
Risk Treatment Plan
• The information provided in the treatment plan should include:
— the rationale for selection of the treatment options, including the expected benefits to
be gained;
— those who are accountable and responsible for approving and implementing the
plan;
— the constraints;
SUMMARY
• Let’s summarize together our learning
for this training course
• ISO 31000:2018
• Risk and Opportunity
• Risk and Opportunity Matrix
• Treatment of Risk
Q&A