DOCUMENT CONTROL STATUS: CONTROLLED COPY
QMS – Procedure Manual
QMS Manual No.: HCS/QM/ISO9001:2015 (ISO 9001:2015)
Procedure No.: QP/MSA/07, Issue No. 01
Clause No.: 6.1
Original issue date: 01.02.2019
Rev. level / date: 02 / 15.09.2023
Prepared & Reviewed by: MSA
Approved by: DIR
Pages: 5

Change History
1. Rev 01 dt 07.02.2022: New structuring of document with provision to monitor revisions
2. Rev 02 dt 15.09.2023: Review date & next review due date monitoring added in the document

TITLE :- GUIDELINES FOR RISK MANAGEMENT

Responsibility:-
Driven by top management
Responsibilities of the risk assessment process are assigned to those parties that can provide meaningful
perspective on relevant risks.

Frequency:-
1. Review of all risks to be done once a year
2. After an organizational incident
3. Introduction or revision of processes, products, infrastructure.
4. In case of a changing economic scenario.

Framework for risk management

1. Identify relevant business objectives
2. Identify events that could affect the achievement of objectives
3. Determine risk tolerance
4. Assess the likelihood and impact of risks
5. Determine the risk response after evaluation of the risks
6. Assess the residual impact and likelihood of risk

1. Identification of relevant business objectives.

1.1 Risk assessment activities shall be initiated for relevant business objectives. These will provide a
basis for subsequently identifying potential risks that could affect the achievement of objectives, and
ensure the resulting risk assessment and management plan is relevant to the critical objectives of the
organization.
1.2 Objectives shall be defined at various levels of the organization (e.g., functional, location,
organization-wide).
1.3 The scope of the risk assessment may focus on objectives that are related to strategy, operations,
compliance, and/or reporting. Once the scope has been agreed and the relevant objectives identified,
it is important to understand how these fit in with the strategy and how much risk the organization is
willing to assume in pursuit of these objectives.
1.4 The focus on business objectives helps ensure relevance and facilitates the integration of risk
assessments across the organization.

2. Identify events that could affect the achievement of objectives

2.1 Based on the organization’s objectives, or the objective under consideration, the designated owners
of the risk assessment should develop a preliminary inventory of events that could impact the
achievement of the organization’s objectives or the objective under consideration.
2.2 “Events” refers to prior and potential incidents occurring within or outside the organization that can
have an effect, either positive or negative, upon the achievement of the organization’s stated
objectives or the implementation of its strategy and objectives.
2.3 Various distinctions or categories of common event types can help initiate the identification process. A
review of the external environment helps identify outside events that may have impacted the
organization’s shareholder value in the past or may impact it in the future. Drivers to consider include
economic, social, political, technological, and natural environmental events, which can be identified
through external sources such as media articles, analyst and rating agency reports, and insurance
broker assessments.
2.4 A review of the organization’s internal processes, people, technology, and data also helps identify
further events.
2.5 Customer grievances, customer feedback, health and safety incidents, internal audit results, and key
performance indicators also provide strong inputs for identifying possible events.
2.6 Ensure availability of data for the above inputs.

3. Determine risk tolerance.

3.1 Risk tolerance is the acceptable level of variation relative to the achievement of a specific objective,
and should be weighed using the same unit of measure applied to the related objective.
3.2 Risk tolerance considers the relative importance of objectives and aligns with risk appetite.
Risk appetite must be clearly defined and reflected in risk tolerances and risk limits to help ensure that
organizational objectives can be achieved.
3.3 Risk tolerances should be defined for each key risk type. Looking at the tolerances for multiple
objectives such as customer retention and cost containment, management is better able to allocate
resources to ensure reasonable likelihood of achieving outcomes across multiple objectives.


4. Assess inherent likelihood and impact of risks.


4.1 Events identified as potentially hindering the achievement of objectives are deemed to be risks and
should be evaluated based on the likelihood of occurrence and the significance of their impact on the
objectives.
4.2 It is significant to first evaluate such risks on an inherent basis—that is, without consideration of
existing risk responses and control activities.
4.3 For example, consider the possibility of roof damage at the manufacturing plant in case of a severe
storm. On an inherent basis, the organization would consider the likelihood and impact of a storm on the
roofing using external data (such as the historical and projected frequency of storms) and internal data
(such as the estimated damage to its physical assets in case of a storm).
4.4 An impact and probability rating should then be assigned using defined risk rating scales, as
described.
4.5 Individual risk ratings should then be brought together in the form of an inherent risk map (see Figure
5), which enables an analysis of risks not only on an individual level (e.g., high, medium, low) but also
in relation to one another (e.g., a concentration of certain risks that potentially creates a greater
overall risk exposure—for example, reputational damage—than the sum of the individual risk
exposures).
4.6 Additionally, as risk assessments are refreshed over time, a risk map can allow analysis over time
(e.g., upward or downward trend of risks, and extent of positive or negative correlations between
certain risks).

Likelihood rating scale

Likelihood   Definition   Description
1            UNLIKELY     The risk is seen as unlikely to occur within the time horizon contemplated by the objective.
2            LIKELY       The risk is seen as likely to occur within the time horizon contemplated by the objective.
3            CERTAIN      The risk is expected to occur within the time horizon contemplated by the objective.


Impact rating scale

Impact   Definition   Description
1        Negligible   The risk will not substantively impede the achievement of the objective, causing minimal damage to the organization's reputation.
2        Moderate     The risk will cause some elements of the objective to be delayed or not be achieved, causing potential damage to the organization's reputation.
3        Critical     The risk will cause the objective to not be achieved, causing damage to the organization's reputation.

All ratings have a resolution of 0.2 on the 1 to 3 scale.

Heat map of a Risk Assessment exercise

[Figure: heat map of IMPACT (vertical axis: 1 = Low, 2 = Medium, 3 = High) against LIKELIHOOD (horizontal axis: 1 = Low, 2 = Medium, 3 = High), both axes graded from 1 to 3 in steps of 0.2. The high-impact, high-likelihood corner is labelled AVOID and the low-impact, low-likelihood corner is labelled ACCEPT. Risk O1 is plotted in the medium region at an impact of about 2.4.]

O1 :- risk of failure of raw material supply due to supplier capacity problems


5. Evaluate the risks and determine risk responses (Mitigation Action).


5.1 Based on the defined risk tolerance and inherent risk assessment, management shall determine
how to address the identified risks.
5.2 Appetite for risk and tolerance for deviation from objectives must form the basis for determining how to
address risks, considering their expected impact and likelihood of occurrence.
5.3 Typical risk response strategies are to accept, share, reduce, or avoid.
5.4 For each risk category, the organization should have defined risk tolerance levels to be used in
relation to risk ratings to determine response strategies. While the thresholds vary by risk category,
risks that present high impact and high likelihood are typically to be avoided, and risk mitigation actions
should be undertaken to halt and exit the activities that create such risk.
5.5 Risks that present low impact and low likelihood are typically accepted as part of the cost of doing
business. No specific action is deemed necessary to further address these risks.
5.6 Those risks that fall in between may require measures to reduce the impact and/or likelihood of
these risks through strengthening or automation of controls.
5.7 Developing backup plans, alternate suppliers, and multi-skill training for necessary manpower may be
a means to reduce identified risk. Risk responses therefore often need to be prioritized based on
cost/benefit and relative importance to the organization’s objectives and availability of resources.
5.8 Risk responses are expected to bring the level of risk exposure down to defined risk tolerance levels.
Control activities should be put in place and evaluated to ensure that these responses to risks are
operating as intended.

6. Assessment of residual likelihood and impact of risks


6.1 Residual risk assessment considers both the risks as previously identified and the related risk
response mechanisms and control activities in place to determine the impact and probability of their
occurrence.
6.2 It evaluates the adequacy and effectiveness of the internal checks and balances in place, providing
reasonable assurance that the likelihood and impact of an adverse event is brought down to an
acceptable level.
6.3 Successful implementation should translate into reduced risk exposures on the organization's risk
heat map.
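The rating scales of section 4, the response strategies of section 5 and the residual check of section 6, worked through as an added Python example that is not part of this QMS procedure. The 1 to 3 scales and the 0.2 resolution are taken from the procedure; the band edges, the tolerance ceiling and the ratings given to O1 are assumptions made for the example.

```python
# Added example (not from the QMS procedure): rate a risk on the procedure's
# 1-3 likelihood/impact scales at 0.2 resolution and derive the section 5 response
# and the section 6 residual check. Band edges, tolerance ceiling and O1's
# coordinates are assumptions made for this example.
from dataclasses import dataclass

STEP = 0.2
LOW_MAX, MED_MAX = 1.6, 2.4  # assumed band edges: <=1.6 low, <=2.4 medium, else high

def validate_rating(value: float) -> float:
    """Reject ratings outside 1..3 or off the 0.2 grid; return the snapped value."""
    if not 1.0 <= value <= 3.0:
        raise ValueError(f"rating {value} is outside the 1..3 scale")
    snapped = round(1.0 + round((value - 1.0) / STEP) * STEP, 1)
    if abs(snapped - value) > 1e-9:
        raise ValueError(f"rating {value} is not on the 0.2 resolution grid")
    return snapped

def band(value: float) -> str:
    """Map a rating to the heat map's low / medium / high band."""
    return "low" if value <= LOW_MAX else "medium" if value <= MED_MAX else "high"

def response(likelihood: float, impact: float) -> str:
    """Section 5 strategy: high/high -> avoid, low/low -> accept, else reduce (or share)."""
    bands = (band(validate_rating(likelihood)), band(validate_rating(impact)))
    if bands == ("high", "high"):
        return "avoid"
    return "accept" if bands == ("low", "low") else "reduce"

@dataclass
class Risk:
    ident: str
    description: str
    inherent: tuple           # (likelihood, impact) before controls
    residual: tuple = None    # (likelihood, impact) after controls, once assessed

def assess(risk: Risk, tolerance: tuple) -> dict:
    """Inherent response (section 5) plus the section 6 check that residual
    likelihood and impact both sit at or below the tolerance ceiling."""
    result = {"id": risk.ident, "inherent": response(*risk.inherent)}
    if risk.residual is not None:
        rl, ri = (validate_rating(v) for v in risk.residual)
        result["residual"] = response(rl, ri)
        result["within_tolerance"] = rl <= tolerance[0] and ri <= tolerance[1]
    return result

# Constructed register entry: O1's exact coordinates on the procedure's heat map
# are not legible in the source, so these ratings are assumed for the example.
O1 = Risk("O1", "failure of raw material supply due to supplier capacity problems",
          inherent=(2.2, 2.4), residual=(1.4, 1.6))
TOLERANCE = (1.6, 1.6)  # assumed tolerance ceiling (likelihood, impact)
```

Calling `assess(O1, TOLERANCE)` classifies O1 as a reduce-type risk on an inherent basis and as acceptable, within tolerance, once the residual ratings are entered.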

HARSHAL CONTROL SYSTEMS PRIVATE LIMITED


Last Review done: 25.02.2024 Next due: 24.08.2024