
KEYBOND INDUSTRIES LLP

Doc. No. KILLP/A&O-2023 ISSUE:1 REV. 2 DT: 10-02-2023


Title: RISK & OPPORTUNITY Page 01 of 02

RISK AND OPPORTUNITY AND ACTION PLAN FOR INTERNAL AND EXTERNAL ISSUES

Contents
• Should You Document your Risks & Opportunities Procedure?
• How Do You Address Risk and Opportunities?
• Why is Risk Management Important?
• Risk Management Methodology
• Risk Management Information
• Communication of Risks
• Outsourced Processes
• Design & Development
• Risk Registers
• Auditing Risk Management
• Clauses that Promote Risk-based Thinking
• Risk Evaluation Process
• Risks & Opportunities Procedure - What Might You Document?
• Risks & Opportunities Procedure [ISO 9001, ISO 14001 & ISO 45001]

Should You Document your Risks & Opportunities Procedure?

We recommend yes.

The purpose of the procedure is to outline your organization’s risk and
opportunity management framework and the activities within it.

The risk and opportunity management framework defines the current risk
management process, which includes the methodology, the risk appetite, and the
methods for training and reporting.

Reference to risk-based thinking is present in the following clauses of the
standards:

• Determine and address risks
• Promote risk-based thinking
• Ensure risks determined and addressed
• Determine risks that need to be addressed to achieve intended results
• Plan actions to address risks; integrate into processes; evaluate
effectiveness of actions
• Control those risks identified
• Evaluate effectiveness of actions on risks
• Review effectiveness of actions on risks
• Improve the QMS responding to risk

The risks and opportunities should be relevant to the context of your
organization, as well as any interested parties. You should ensure that your
organization has applied this risk identification methodology consistently and
effectively.

How Do You Address Risk and Opportunities?


In the absence of documented processes/procedures, you may need to use
observations and interviews (and a review of the process output, which may
contain documented evidence) to assess the processes that determine whether
or not undocumented processes are being carried out as planned.

External and internal issues, and relevant needs and expectations of relevant
interested parties may be sources of risks. Objective evidence may be in the
form of a dedicated risk matrix, risks added to other forms such as an aspect
register, corrective/preventive action log and forms, etc.

Not all processes of a QMS represent the same level of risk in terms of your
organization’s ability to meet its objectives. For this reason, the consequences
of failures or non-conformities in relation to processes, systems, products
and/or services will not be the same for all organizations.

When deciding how to plan and control the QMS, including its component
processes and activities, your organization needs to consider both the type and
level of risk associated with them. Ensure that your organization is taking a
planned approach to addressing risks and realizing opportunities, and that any
actions taken have been recorded. Options to address risks and opportunities
can include:

• Avoiding risk
• Taking risk in order to pursue an opportunity
• Eliminating the risk source
• Changing the likelihood or consequences
• Sharing the risk
• Retaining risk by informed decision
• SWOT analysis by the organization as part of its business strategy to identify
external risks and opportunities and an action plan to address them
• Formal business risk assessment performed by the organization, taking into
consideration its context, associated risks and opportunities and a mitigation
plan
• Use of the process approach by the organization to identify sources of input,
activities, outputs, receivers of output, performance indicators to control and
monitor processes, the risks and opportunities associated with them, and an
action plan to address them
Why is Risk Management Important?

The concept of risk in the context of ISO 9001:2015 relates to the uncertainty in
achieving the objectives of the QMS. Risk will influence every aspect of your
organization’s operations, and by understanding the risks you face and managing
them appropriately you will enhance your ability to make better decisions and to
achieve your objectives.

Your organization should begin to view the management of risks to its people,
assets and all aspects of its operations as an important responsibility. Implement
and maintain a risk management process to protect and support your
organization’s responsibilities. An effective risk management approach is not
only good business practice but provides organizational resilience, confidence
and benefits, including:

• Provides a rigorous decision-making and planning process
• Provides the flexibility to respond to unexpected threats
• Takes advantage of opportunities and provides competitive advantage
• Equips managers with tools to anticipate changes and threats, and to
allocate appropriate resources
• Provides assurance to Top Management and stakeholders that critical risks
are being managed
• Enables better business resilience and compliance management

Risk Management Methodology

Risk will influence every aspect of your organization’s operations. Understanding
the risks and managing them appropriately will enhance your organization’s
ability to make better decisions, safeguard assets, and enhance your ability to
provide products and services and to achieve your mission and goals.

By considering risk throughout your organization the likelihood of achieving
stated objectives is improved, output is more consistent and customers can be
confident that they will receive the expected product or service. Risk-based
thinking therefore helps to:

• Improve customer confidence and satisfaction
• Assure consistency of quality of goods and services
• Establish a proactive culture of prevention and improvement
• Intuitively take a risk-based approach

We suggest that you use the familiar Plan-Do-Check-Act (PDCA) methodology to
manage your organization’s transition to risk-based thinking; using this
approach:

Risk Management Information

Documented information resulting from risk management activities such as risk
management processes, plans and reports, etc. should be maintained or
referenced in either a risk management file or other appropriate sources:

• Design history file
• Technical file/documentation
• Device master record
• Device history record
• Process validation files

Your organization should consider the benefits of integrating the risk
management processes, documents and records directly into your quality
management system. The advantage of this could be a single document control
system, ease of use and review, accessibility, retention, etc.

Document controls, including document change controls, for risk management
system documentation should be the same as the controls for quality
management system documentation. This documentation can be in any form or
type of medium.

Communication of Risks

Within your quality management system, consideration needs to be given to
internal and external communication of risk. Internal communication is
necessary for all appropriate personnel to be aware of the remaining risks even
after implementing risk control measures.

Outsourced Processes
Your organization might outsource the provision of some processes or the
manufacture of components, sub-assemblies or entire units. In order to maintain
control over the processes, your organization should incorporate appropriate risk
management activities for these processes and products by planning and by
ensuring risk control measures are appropriately applied. Before the approval
and implementation of a change to any outsourced process or product, your
organization should:

1. Review the change;
2. Assess if new risks have been discovered; and,
3. Determine if current and/or new individual residual risks and/or the overall
risk is acceptable according to the predetermined existing acceptability
criteria.

If risk control measures are applied to outsourced processes or products, the risk
control measures and their importance should be documented within the
purchasing data or information and clearly communicated to the supplier.

Design & Development

Risk management activities should begin as early as possible in the design and
development phase, when it is easier to prevent problems rather than correcting
them later.

For each identified hazard, the risk in both normal and fault conditions is
estimated. In risk evaluation, you should decide whether risk reduction is
needed. The results from this risk evaluation such as the need for risk control
measures then become part of the design input.

Risk Registers

While not mandated by ISO 9001:2015 or ISO 14001:2015, risk registers can
help identify and record the risks and opportunities facing different areas of the
business, and identifying risk is a critical step in managing it.

Risk registers will allow your organization to assess the risk in context with the
overall context of your organization and will help to record the controls and
treatments of those risks. Risk registers can be developed in tiers:

• Strategic level
• Operational level
• Process level

A risk register or risk log becomes essential as it records the identified risks,
their severity, and the action steps to be taken. It can be a simple document,
spreadsheet, or a database system, but the most effective format is a table.

A table presents a great deal of information in just a few pages. As the register
is a living document, it is important to record the date that risks are identified or
modified. Typical columns include:

• Description of the risk
• Risk type (business, project, stage)
• Likelihood of occurrence, which provides an assessment of how likely it is
that this risk will occur
• Severity of effect, which provides an assessment of the impact that the
occurrence of this risk would have on the project
• Countermeasures and actions taken to prevent, reduce, or transfer the risk.
This may include production of contingency plans
• Risk owner, who is responsible for ensuring that risks are appropriately
engaged with and countermeasures undertaken
• Current status: whether this is a current risk or if the risk can no longer arise
and have an impact
• Other columns, such as a quantitative value, can also be added
• Optional dates to include are the target and completion dates

Auditing Risk Management

The primary objective of auditing the risk management process is to provide an
assurance framework that underpins the risk management process.

This should include reviews of processes and controls over high risks as
determined through the risk planning process. The internal audit function
provides independent appraisal of the adequacy and effectiveness of internal
controls. Recommendations should be provided, where applicable, for
improvements to controls, efficiency and effectiveness of processes.

Clauses that Promote Risk-based Thinking


Risk-based thinking is probably already part of your organization’s process
approach as it forms a key part of preventive action routines. Risk is often
thought of only in the negative sense but risk-based thinking can also help to
identify opportunities and advantages, this is the positive aspect of risk
management.

There are six clauses in ISO 9001:2015 that require your organization to
consider risk:

1. Clause 4.4.1 requires your organization to determine the risks which can
affect its ability to meet the system objectives. Risk-based thinking means
considering risk quantitatively as well as qualitatively, depending on the
business context.
2. Clauses 5.1.1 and 5.1.2 require Top Management to demonstrate
leadership and commit to ensuring that risks and opportunities that can
affect the conformity of a product or service are determined and addressed.
3. Clauses 6.1.1 and 6.1.2 each require your organization to take action to
identify risks and opportunities, and to plan how to address the identified risks
and opportunities.
4. Clause 8 requires your organization to plan, implement and control its
processes to address the actions identified in Clause 6.
5. Clause 9 requires your organization to monitor, measure, analyze and
evaluate the risks and opportunities.
6. Clause 10 requires your organization to improve by responding to changes
in risk.
The adoption of risk-based thinking will, over time, improve customer confidence
and satisfaction by assuring the consistency of the quality of goods and services
brought on by establishing a culture of prevention and improvement.

Risk Evaluation Process

Risk evaluation should become embedded into your organization’s day-to-day
operations and should be undertaken at all levels throughout your organization.

The overall aim of risk evaluation is to ensure that organizational capabilities and
resources are employed in an efficient and effective manner to manage
opportunities and threats.

Risk evaluation can be represented as a seven-step, cyclical process:

Step 1: Planning

Your organization should develop and document a plan that briefly describes
how and when risk, in the form of strengths, weaknesses, opportunities and
threats, will be assessed, and who will be involved. This should reflect
the scope (including its complexity, interfaces, etc.), policies and objectives.

Step 2: Identification

In this step, your organization should systematically identify those risks
associated with the scope of the process that could significantly affect the
achievement of objectives and product conformity.

Risk identification should be carried out with the full involvement of the relevant
parties to ensure that the relevant perspectives and expertise are represented
(e.g. appropriately qualified representatives from various functions, contractors,
stakeholders, suppliers and specialists, as appropriate).

Risk identification involves the relationship between your organization and the
broader, external environment or community.

A range of issues should be considered in examining the strategic context,
including:

• Opportunities and threats associated with the local, regional, state and
global economic, social, political, cultural, environmental, regulatory and
competitive environments
• Key thrusts of stakeholder strategies
• Strengths and weaknesses in attaining objectives

Operational risk identification involves gaining an understanding of the
organization’s capabilities, goals, objectives, strengths and weaknesses by
considering:

• Organizational structure and culture
• Geographical/demographical
• The identity and nature of interaction with key internal or external
stakeholders
• The existence of any operational constraints
• Objectives and key performance indicators
• Business resilience vulnerabilities
• Relevant issues relating to recent change management risk, performance or
audit reviews
• Relevant stakeholder community concerns or requirements
• Regulatory and contractual requirements and constraints
• Quality management systems

Step 3: Assessment

Having identified all hazards and associated risks which could impact on
occupational health and safety, the process of rating the risks for significance
can be carried out.

This crucial process, together with a thorough knowledge of legal and other
similar requirements, provides the foundations of the management system.

This assessment process is vital in determining the need for controls aimed at
either reducing risk to levels deemed to be tolerable or meeting the
requirements of legislation.

The significance level (or risk rating) should then be used to prioritize actions.

Remember that the importance of this process cannot be overestimated. If you
get this process wrong, the whole system will be suspect.

The assessment of the severity of a risk should drive management attention and
support the planning for risk mitigation. Quantitative risk assessments (QRA)
can be undertaken to provide an improved understanding of the risk profile and
derive a more detailed understanding of certain cost and time risks. The output
of QRA can also support decision making and monitoring of risk management
activities.

Step 4: Response

For each risk, the risk owner must establish an appropriate level of mitigation.
Control measures in addition to those already existing may be needed to achieve
this level of mitigation.

When a response action is completed, the risk should be reassessed (i.e. repeat
Step 3) to reflect any newly introduced control measures.

Step 5: Review

Regular review and challenge are essential to ensure that risks are being
appropriately managed, and that the risk data remains accurate and reliable,
reflecting any changes in circumstances or management activities.

Step 6: Reporting

Regular reports are necessary to inform and provide assurance to Top
Management and other key stakeholders, that risks are being appropriately
managed. Reporting must be based on current process data, which must be
updated and reviewed in good time for the reporting cycle (see Step 5 above).

On occasion, it may be appropriate to escalate a risk to ensure it is assessed
and/or managed by the person or party best placed to do so (able and with
appropriate authority). For example, where a more substantial or coordinated
response is required than the current owner can authorize or implement, or
where the risk severity or its effects on the wider project justify higher level
assessment and/or management.

Step 7: Monitoring

Continuous, systematic and formal monitoring of implementation of the risk
process and outputs will take place against appropriate performance indicators
to ensure process compliance and effectiveness. Monitoring may take a variety
of forms and range from self-assessment and internal audit to detailed reviews
by independent external experts.
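The register columns described under Risk Registers and the assess / respond / review / escalate steps of the evaluation process above can be exercised together in a small register model. The following is an added worked example, not part of the Keybond procedure and not code the document prescribes: the column names follow the text, but the scoring scheme (rating = likelihood x severity on 1 to 5 scales), the acceptability threshold of 6 and the owner "authority limit" used for escalation are assumptions made for illustration, and the sample entries are constructed.

```python
"""Risk register with rating, prioritisation, response and escalation.

Added worked example; it is not part of the Keybond procedure document.
The columns mirror the register fields listed in the text. The scoring
scheme (rating = likelihood x severity on 1..5 scales, an acceptability
threshold of 6, and an owner's authority limit) is an assumption made
here for illustration, not something the procedure prescribes.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date
from typing import Optional

# Assumed acceptability criterion: ratings at or below this are tolerable.
ACCEPTABLE_RATING = 6


@dataclass
class Risk:
    description: str
    risk_type: str                      # business, project or stage
    likelihood: int                     # 1 (rare) .. 5 (almost certain), assumed scale
    severity: int                       # 1 (negligible) .. 5 (critical), assumed scale
    owner: str
    countermeasures: list[str] = field(default_factory=list)
    status: str = "open"                # "open" or "closed"
    identified: date = field(default_factory=date.today)
    modified: Optional[date] = None
    target_date: Optional[date] = None

    def __post_init__(self) -> None:
        self.validate()

    def validate(self) -> None:
        """Reject scores outside the assumed 1..5 scales."""
        for name in ("likelihood", "severity"):
            value = getattr(self, name)
            if not 1 <= value <= 5:
                raise ValueError(f"{name} must be between 1 and 5, got {value}")

    @property
    def rating(self) -> int:
        """Significance level used to prioritise actions (Step 3)."""
        return self.likelihood * self.severity

    @property
    def acceptable(self) -> bool:
        return self.rating <= ACCEPTABLE_RATING


class RiskRegister:
    def __init__(self) -> None:
        self.risks: list[Risk] = []

    def add(self, risk: Risk) -> Risk:
        self.risks.append(risk)
        return risk

    def prioritised(self) -> list[Risk]:
        """Open risks, highest rating first; ties broken by severity."""
        open_risks = [r for r in self.risks if r.status == "open"]
        return sorted(open_risks, key=lambda r: (r.rating, r.severity), reverse=True)

    def respond(self, risk: Risk, countermeasure: str,
                new_likelihood: int, new_severity: int,
                on: Optional[date] = None) -> bool:
        """Step 4: record a control, then re-assess the risk (repeat Step 3).

        Returns True when the residual rating meets the acceptability criterion.
        """
        risk.countermeasures.append(countermeasure)
        risk.likelihood = new_likelihood
        risk.severity = new_severity
        risk.validate()
        risk.modified = on or date.today()   # living document: date every change
        return risk.acceptable

    def needing_escalation(self, authority_limit: int) -> list[Risk]:
        """Step 6: open risks rated above what the owner may accept alone (assumed rule)."""
        return [r for r in self.prioritised() if r.rating > authority_limit]

    def close(self, risk: Risk, on: Optional[date] = None) -> None:
        """Step 5: a reviewed risk that can no longer arise is closed, not deleted."""
        risk.status = "closed"
        risk.modified = on or date.today()


def demo_register() -> RiskRegister:
    """Constructed sample entries; they describe no real organisation."""
    reg = RiskRegister()
    found = date(2023, 2, 10)
    reg.add(Risk("Key supplier single-sourced for housings", "business", 4, 4,
                 owner="Purchasing", identified=found))
    reg.add(Risk("Calibration drift on coordinate measuring machine", "process", 2, 3,
                 owner="Quality", identified=found))
    reg.add(Risk("Design input missing hazard analysis", "project", 3, 5,
                 owner="Engineering", identified=found))
    return reg


if __name__ == "__main__":
    reg = demo_register()
    for r in reg.prioritised():
        print(f"{r.rating:>2}  {r.owner:<12} {r.description}")
    top = reg.prioritised()[0]
    print("acceptable after response:",
          reg.respond(top, "Qualify a second supplier", 2, 4))
```

The point of keeping `respond` and `close` as the only mutating operations is that every change to a risk re-runs the scale check and stamps a modification date, which is what makes the register the living, auditable document the text asks for; closed risks stay in the list so an auditor can still see what was once rated high and why it was retired.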
