Risk MGT Training Based On ISO 22000 and 31000 - HMAMC2022-09-544-B
Consulting
WELCOME PARTICIPANTS!
Course No. HMAMC2022-09-544-B (October 19-20, 2022)
For HMAMC training purposes only
Group Profile
About the Trainer
INTRODUCTION
◼ Name
◼ Position
Important Notes:
• It is not the intent of this course to develop Risk Management experts
amongst participants at the end of the training session.
• Competency and added expertise may be developed through continual
practice and effective implementation of, and compliance with, the
requirements of the international standard.
Training Course
Attendance
About ISO
✓ International Organization for Standardization (ISO) – a worldwide
federation of national standards bodies (ISO member bodies).
Reference: http://www.srac.ro/en/stiri/revision-iso-22000-food-safety-management-underway
Excerpted portion from Article 5 Hazard analysis and critical control points
1. Food business operators shall put in place, implement and maintain a permanent
procedure or procedures based on the HACCP principles.
2. The HACCP principles referred to in paragraph 1 consist of the following:
(a) identifying any hazards that must be prevented, eliminated or reduced to acceptable levels;
(b) identifying the critical control points at the step or steps at which control is essential to prevent or
eliminate a hazard or to reduce it to acceptable levels;
(c) establishing critical limits at critical control points which separate acceptability from unacceptability for
the prevention, elimination or reduction of identified hazards;
(d) establishing and implementing effective monitoring procedures at critical control points;
(e) establishing corrective actions when monitoring indicates that a critical control point is not under control;
(f) establishing procedures, which shall be carried out regularly, to verify that the measures outlined in
subparagraphs (a) to (e) are working effectively; and
(g) establishing documents and records commensurate with the nature and size of the food business to
demonstrate the effective application of the measures outlined in subparagraphs (a) to (f).
When any modification is made in the product, process, or any step, food business
operators shall review the procedure and make the necessary changes to it.
ISO 22000:2018 vs Codex Alimentarius
Reference: ISO 22000:2018, Annex A (informative), Cross references between the CODEX HACCP and this document
Process Approach
Plan
• establish the objectives of the system and its processes, provide the
resources needed to deliver the results, and identify and address risks and
opportunities;
Do
• implement what was planned;
Check
• monitor and (where relevant) measure processes and the resulting
products and services, analyse and evaluate information and data from
monitoring, measuring and verification activities, and report the results;
Act
• take actions to improve performance, as necessary.
HMAMC2022-09-544-B (Oct 15, 2022)
Reference: https://www.quality.org/knowledge/iso-220002018-set-impact-global-food-sector
______________________
SESSION 2:
ISO 22000:2018 Structure
______________________
NOTE 1 Issues can include positive and negative factors or conditions for
consideration.
NOTE 2 Understanding the context can be facilitated by considering external and
internal issues, including, but not limited to, legal, technological, competitive,
market, cultural, social and economic environments, cybersecurity and food
fraud, food defence and intentional contamination, knowledge and
performance of the organization, whether international, national, regional or
local.
Sample Template
HMA AND ASSOCIATES
Whereroad, Fantaplace, Neverland
Mobile: +639206365598
Email: harviabangan@yahoo.com
Eligibility number: 02-052837 <11011463>
NOTE In the context of this document, the concept of risks and opportunities is
limited to events and their consequences relating to the performance and
effectiveness of the FSMS. Public authorities are responsible for addressing
public health risks. Organizations are required to manage food safety hazards
(see 3.22) and the requirements related to this process that are laid down in
Clause 8.
NOTE 1 Actions to address risks and opportunities can include: avoiding risk,
taking risk in order to pursue an opportunity, eliminating the risk source,
changing the likelihood or consequences, sharing the risk, or accepting the
presence of risk by informed decision.
6.2.2 When planning how to achieve its objectives for the FSMS,
the organization shall determine:
a) what will be done;
b) what resources will be required;
c) who will be responsible;
d) when it will be completed;
e) how the results will be evaluated.
So on…
Transition timeline (2018 to 2021)
June 2018: Updated standard published, marking the start of the three-year transition period to June 2021
How do I do it?
• Identify what your risks are – it depends on context
• Use risk-based thinking to prioritize the way you manage your
processes
• ISO 9001:2015 does not require formal risk management
• ISO 31000 Risk management — Principles and guidelines may
be a useful reference for organizations that want or need a
more formal approach to risk (but its use is not obligatory)
• Balance risks and opportunities
• Analyse and prioritize your risks
– what is acceptable?
– what is unacceptable?
• Plan actions to address the risks
– how can I avoid, eliminate or mitigate risks?
• Implement the plan; take action
• Check the effectiveness of the action; does it work?
• Learn from experience; improve
Risk-based thinking:
• is not new
• is something you probably do already
• is on-going
• ensures greater knowledge of risks and improves
preparedness
• increases the probability of reaching objectives
• reduces the probability of negative results
• makes prevention a habit
Introduction
The management of risk enables an organization to, for example:
• increase the likelihood of achieving objectives;
• encourage proactive management;
• be aware of the need to identify and treat risk throughout the
organization;
• improve the identification of opportunities and threats;
• comply with relevant legal and regulatory requirements and
international norms;
• improve financial reporting;
• improve governance;
• improve stakeholder confidence and trust;
• establish a reliable basis for decision making and planning;
• improve controls;
• effectively allocate and use resources for risk treatment;
• improve operational effectiveness and efficiency;
• enhance health and safety performance, as well as environmental
protection;
• improve loss prevention and incident management;
• minimize losses;
• improve organizational learning; and
• improve organizational resilience.
National Guidance
on Implementing ISO 31000:2018
From NSAI in Ireland
d) Inclusive
Appropriate and timely involvement of stakeholders enables their
knowledge, views and perceptions to be considered. This results in
improved awareness and informed risk management.
h) Continual improvement
Risk management is continually improved through learning and experience.
5.3 Integration
Integrating risk management relies on an understanding of
organizational structures and context. Structures differ depending on
the organization’s purpose, goals and complexity. Risk is managed in
every part of the organization’s structure. Everyone in an organization
has responsibility for managing risk.
Governance guides the course of the organization, its external and internal
relationships, and the rules, processes and practices needed to achieve its
purpose. Management structures translate governance direction into the
strategy and associated objectives required to achieve desired levels of
sustainable performance and long-term viability. Determining risk
management accountability and oversight roles within an organization are
integral parts of the organization’s governance.
5.4 Design
5.4.1 Understanding the organization and its context (continued)…
5.4 Design
5.4.3 Assigning organizational roles, authorities, responsibilities and
accountabilities
Top management and oversight bodies, where applicable, should ensure that
the authorities, responsibilities and accountabilities for relevant roles with
respect to risk management are assigned and communicated at all levels of
the organization, and should:
— emphasize that risk management is a core responsibility;
— identify individuals who have the accountability and authority to manage
risk (risk owners).
5.5 Implementation
The organization should implement the risk management framework by:
— developing an appropriate plan including time and resources;
— identifying where, when and how different types of decisions are
made across the organization, and by whom;
— modifying the applicable decision-making processes where necessary;
— ensuring that the organization’s arrangements for managing risk are
clearly understood
5.7 Improvement
5.7.1 Adapting
The organization should continually monitor and adapt the risk
management framework to address external and internal changes.
In doing so, the organization can improve its value.
6.1 General
The risk management process should be
• an integral part of management,
• embedded in the culture and practices, and
• tailored to the business processes of the organization.
Samples of Issues/Risks
Scope
5. Scope is ill defined
The general risk of an error or omission in scope definition.
6. Scope creep inflates scope
Uncontrolled changes and continuous growth of scope.
7. Gold plating inflates scope
The project team add their own product features that aren't in requirements or change requests.
8. Estimates are inaccurate
Inaccurate estimates are a common project risk.
9. Dependencies are inaccurate
Dependencies dramatically impact the project schedule and costs.
10. Activities are missing from scope
Required activities are missing from scope definition.
Cost Management
11. Cost forecasts are inaccurate
Inaccurate cost estimates and forecasts.
12. Exchange rate variability
When costs are incurred in foreign currencies exchange rates can have a dramatic impact.
Samples of Issues/Risks
Stakeholders
22. Stakeholders become disengaged
When stakeholders ignore project communications.
29. Communication overhead - When key project resources spend a high percentage of their
time engaging stakeholders on project issues and change requests their work may fall behind.
Samples of Issues/Risks
Resources & Team
33. Resource shortfalls - Inability to secure sufficient resources for the project.
34. Learning curves lead to delays and cost overrun - When your project team need to
acquire new skills for the project there's a risk that productivity will be low.
35. Training isn't available - Quality training for certain skills can be difficult to secure.
36. Training is inadequate - Training is often a poor substitute for professional experience.
Projects shouldn't assume that resources will be fully productive in a new skill.
37. Resources are inexperienced - Resources who are just out of school or who are new to
your industry or profession tend to make more mistakes and be less productive.
38. Resource performance issues - Resources who perform below expectations.
39. Team members with negative attitudes towards the project - Resources who are negative
towards the project may actively or passively sabotage project efforts.
40. Resource turnover - Resource turnover leads to delays and cost overrun.
41. Low team motivation - Your team lacks motivation. This is a particularly common risk for
long running projects.
42. Lack of commitment from functional managers - In a matrix organization your team may
report to functional managers. These functional managers are important stakeholders whose
support is critical.
Samples of Issues/Risks
Technical (1)
51. Technology components aren't fit for purpose - Technology components are low quality.
52. Technology components aren't scalable - Components that can't be scaled to meet
performance demands.
53. Technology components aren't interoperable - Components that lack standard interfaces.
54. Technology components aren't compliant with standards and best practices - Non-
standard components that violate best practices.
55. Technology components have security vulnerabilities - Security vulnerabilities are key
technology risks.
56. Technology components are over-engineered - A component that's bloated with
unneeded functionality and design features.
57. Technology components lack stability - Components that crash.
58. Technology components aren't extensible - Components that are difficult to extend with
new capabilities.
59. Technology components aren't reliable - Components that fail after a short time.
60. Information security incidents - The risk of a security incident during the project (e.g.
information is leaked).
61. System outages - Critical systems such as your test environments go down.
Samples of Issues/Risks
Integration
67. Delays to required infrastructure - Delays to infrastructure such as hardware or software.
68. Failure to integrate with business processes - The risk that your product will fail to fit into
the existing business.
69. Failure to integrate with systems - The risk that your product will fail to integrate with
existing systems.
70. Integration testing environments aren't available - The risk that environments won't be
available to test integration.
71. Failure to integrate with the organization - The risk that your project fails to integrate
with the organization. This happens when the project is focused on delivering something
specific and fails to look at the organization as a whole. For example, you deliver a sales
system but your organization doesn't have a sales team.
72. Failure to integrate components - The risk that product components will fail to integrate
with each other. This can represent a significant risk when you've outsourced work to a large
number of vendors.
73. Project disrupts operations - The last thing you want is for your project to disrupt business
operations and damage the firm's financial results. Think about risks beyond project failure.
74. Project disrupts sales - The risk that the project disrupts sales effectiveness.
75. Project disrupts compliance - The risk that the project disrupts compliance processes such
as audits and reporting.
Samples of Issues/Risks
Decisions & Issue Resolution
83. Decision delays impact project
Establish guidelines for decision turnaround time. Identify the risk that guidelines will be
exceeded.
Samples of Issues/Risks
Authority
100. Project team lack authority to complete work
If you lack specific authorities required to deliver the project list this as a risk.
101. Authority is unclear
It's unclear who has the authority to accomplish a project objective.
Samples of Issues/Risks
External
110. Legal & regulatory change impacts project
If your project spans areas that are compliance-sensitive you may want to list regulatory
change as a risk.
Secondary Risks
118. Counterparty risk
The risk you get back when you transfer a risk.
Samples of Issues/Risks
User Acceptance
119. Users reject the prototype - One of the key methods of improving user acceptance is to
get regular prototypes in front of users. There's always a risk that these prototypes will be
rejected (require significant rework).
120. User interface doesn't allow users to complete tasks - The risk that the user interface
doesn't allow users to complete end-to-end tasks.
121. User interface is low quality - The user interface is buggy, slow or difficult to use.
122. User interface isn't accessible - In many jurisdictions, user interfaces must be accessible
(e.g. employment or consumer law). Many organizational cultures require accessible user
interfaces.
123. Project reduces business productivity - Users identify your product(s) as reducing their
productivity.
124. Project reduces innovation - Users identify your product(s) as a roadblock to innovation.
125. Product disrupts business metrics (measurements of objectives) - Your product launch
causes business KPIs to worsen. For example, if you launch a new ERP and Supply Chain Cycle
Times jump.
126. Users reject the product - The general risk that users will reject your product.
PESTEL ANALYSIS
Other tools:
FMEA (FMECA)
HACCP/ HARPC
ORM Matrix
FDPB/ CARVER SHOCK+
DSA
Environmental Aspect/ Impact,
etc.
6.5.1 General
Risk treatment involves selecting one or more options for modifying risks, and
implementing those options. Once implemented, treatments provide or modify the
controls.
Risk treatment involves a cyclical process of:
• assessing a risk treatment;
• deciding whether residual risk levels are tolerable;
• if not tolerable, generating a new risk treatment; and
• assessing the effectiveness of that treatment.
Risk treatment options are not necessarily mutually exclusive or appropriate in
all circumstances. The options can include the following:
a) avoiding the risk by deciding not to start or continue with the activity that gives rise to the risk;
b) taking or increasing the risk in order to pursue an opportunity;
c) removing the risk source;
d) changing the likelihood;
e) changing the consequences;
f) sharing the risk with another party or parties (including contracts and risk financing); and
g) retaining the risk by informed decision.
• Treatment plans should be integrated with the management processes of the organization
and discussed with appropriate stakeholders.
• Decision makers and other stakeholders should be aware of the nature and extent of the
residual risk after risk treatment. The residual risk should be documented and subjected to
monitoring, review and, where appropriate, further treatment.
Other interested stakeholders can also benefit from the risk process,
such as quality assurance, security, safety & environment
management. The process is all about facilitating linkages between
different stakeholders across the organisation.