RISK MANAGEMENT
organization, but it doesn’t outline how quality managers and technicians can apply it to organizational processes and integrate it into the organization’s culture. This article describes how to achieve those goals and provides a practical introduction to organizational risk management, including the concept of risk, the basic elements of risk management and a review of the most-used risk management methods.
Reason two: There wasn’t a clear method available for identifying and addressing potential nonconformities.

Solution two: Apply a method, such as that outlined in ISO 31000—Risk management—Guidelines.

Reason three: Correction sells better than prevention, especially in organizations that manage in the short term. A correction solves an existing problem and the worry that comes with it, while prevention stops the problem from ever occurring, which means preventive actions go unnoticed and, therefore, are undervalued.

Solution three: Demonstrate to and convince top management that it is better to prevent than to cure.

The concept of risk helps quality management return to prevention. The following sections not only explain how to understand risk, they also outline different risk management methods and a risk management process.

Understand the risk

Before applying a method, you must understand its elements and reasons—something the immediate demand of the current world doesn’t always allow us to do. Instead, it pushes us to apply standard recipes that often create problems bigger than those we’re trying to solve (or prevent).

Risk management isn’t new—we’ve

now is that organizations manage risk in a holistic, coordinated, intelligent and systematic way.

The term “risk” has different meanings and definitions, but as it relates to risk management in organizations, it means, “uncertainty that an event that occurs in the future will affect the achievement of an organization’s objectives.”

So, managing risk means dealing with uncertainty and the future. And there’s an unexpected ally: the universal principle of causality.

The universe we know—which has been studied by the philosophers of classical Greece—is governed by the principle of causality, which is formulated as: Everything is caused and, in turn, is the cause of something.

It seems a truism, but it is of great importance to understanding and managing risk. It means that an event, such as a traffic accident, doesn’t happen by itself. Rather, it’s caused by the random action of multiple and diverse factors, such as excessive speed, lack of attention or adverse weather. And when the event occurs, it’s the cause of multiple and diverse consequences, such as property damage, injuries and victims. This is the basic formula of risk: factors + event = consequences.

Albeit a simplified diagram, Figure 1 illustrates the elements of risk as: Due to (risk factors), (event)

FIGURE 1 Elements of risk: risk factors (greed, ignorance, dissatisfaction of interested groups) → event → economic, personal or environmental damages.

Understanding the root risk factors allows you to establish or improve adequate preventive controls. Understanding the possible consequences allows you to establish or improve mitigating controls.

Risk management methods

ISO 9001:2015 specifies that an organization must plan actions to address risks, but it doesn’t indicate any requirements regarding formal methods of risk management or a documented risk management process.

This methodological vacuum causes some confusion and dismay for quality managers and managers of organizations, who can choose to either limit themselves to the text of the standard, or seriously and rigorously address risk management, which is highly recommended and—I would argue—mandatory.

Among the most widespread methods are those created by the Committee of Sponsoring Organizations of the Treadway Commission (COSO), the Open Compliance and Ethics Group (OCEG) and the International Organization for Standardization (ISO).

COSO. This method is the most used worldwide because it is the longest established—the first edition was released in 1992 and its fourth revision, Enterprise Risk Management—Integration of Strategy and Performance, was published in
The COSO method was initially used to prevent fraud in financial and insurance organizations through internal audits and controls. The subsequent revisions have opened up the method to all types of risks, organizations and sectors. This framework complements the approach and vocabulary of ISO 31000.

FIGURE 2 Components of the COSO framework: governance and culture; strategy and objective-setting; performance; review and revision; information, communication and reporting.

OCEG. This method—well known by the acronym GRC, which stands for governance, risk, compliance—was launched more than a decade ago. The GRC capability model is an integrated set of capabilities that enables an organization to achieve its objectives by addressing uncertainty and acting with integrity. The components of the GRC capability model are outlined in Figure 3 (p. 31). It is based on the concept of a complex, dynamic and adaptive system:

“To grow and succeed, there are many functions of an organization that must operate together, and all must use many of the same data and contribute to the collection and generation of others, but in different ways; just as the separate functions of a living organism that uses the same amino acids in different combinations and provides information for the global organism.”[1]
ISO. In 2009, ISO published ISO 31000, which was revised in 2018 to make it easier to understand and more concise. It has become an international reference standard for risk management because it is integrated into ISO management systems (quality, environment, health and safety, compliance, informa-

ISO 31000:2018 provides a process for risk management, as shown in Figure 4 (p. 32). The process includes the following steps:

Scope, context and criteria. Although the process can be applied at different levels (program, process, product, service and project, for example), it is

understanding how your organization is (internal) and where it’s trying to go by achieving its goals (external). For risk management, the context is a source of risk factors and opportunities, so it’s important to analyze it in detail.

The criteria are terms of reference used to assess the importance of risks
FIGURE 3 GRC capability model (OCEG). Learn: L1 External context, L2 Internal context, L3 Culture, L4 Stakeholders. Align: A1 Direction, A2 Objectives, A3 Identification, A4 Assessment, A5 Design. Perform: P1 Controls, P2 Policies, P3 Communication, P4 Education, P5 Incentives, P6 Notification, P7 Inquiry, P8 Response. Review: R1 Monitoring, R2 Assurance, R3 Improvement.
FIGURE 4 ISO 31000:2018 risk management process: communication and consultation; risk assessment (identification, analysis, evaluation); treatment; monitoring and review; report and registration.
the events that can hinder or impede the achievement of the objectives (risks), or facilitate or allow them (opportunities). This process helps identify events that haven’t happened and events that are likely to happen, if they did happen. Look for causes that can trigger the event and the consequences if it is triggered. If your organization already has established controls to avoid risk events, also consider the effectiveness of such controls.

Evaluation. The purpose of this step is to decide which events should be addressed, according to the analysis carried out. Typically, a probability/impact matrix or heat map is drawn, configured according to the level of acceptable risk, and the events are located on it. This is the risk map of the organization, area, product, project or process.

Treatment. Preventive actions are applied at this step. They consist of establishing or improving preventive controls (or accelerators, if the event represents an opportunity) and mitigating controls.

Communication and consultation. An environment of open communication that’s free of the fear of repercussion is essential. All interested parties should have the right and duty to identify possible risks. To create such an environment, use every means at your disposal, such as email, anonymous channels, interviews and workshops.

Report and registration. Risk management identifies vital information that helps senior management, among others, accurately allocate resources. That’s why it’s essential to record the risks and their treatment, and to report them to the functions and levels that have been defined, according to their importance. Technology is a convenient tool for this task.

Monitoring and review. This step ensures and improves the quality and effectiveness of the risk management process. “Monitoring” refers to continuously verifying process compliance, while

Achieve and survive

Managing risk is one of the most important and profitable tasks an organization can do. To do it most effectively and efficiently:

1. Recognize that everything is interconnected and interacts. Therefore, to manage risk, you must stop departments from operating in silos.

2. Contemplate risk management holistically. Consider all types of risk (operational, financial, strategic, reputational and external, for example). There will be common risk factors and consequences among the different types of risk, so don’t classify them in silos.

3. The key to the vault isn’t the systems or the methods—it’s the people.

Start with one system, such as ISO 31000, and add to it the ideas and methods of COSO or GRC that best suit the organization. Don’t forget that regulations are means and not ends—they’re tools that help achieve the objectives.

Managing risk is vital in all areas of life. Doing it right or wrong can mean achieving goals or failing, subsisting or disappearing.

REFERENCE

1. Open Compliance and Ethics Group (OCEG), “Introduction to Principled Performance and GRC,” GRC Capability Model, version 3.0.

Vicente Córdoba Galve is a freelance trainer and consultant in Madrid. He received a master’s degree in total quality management from Know How Business College in Madrid and is a senior member of ASQ.