#29 – SORTING OUT THE DIFFERENT INFORMATION ON RISK – TIM LANDERVILLE

You may think that you grasp the idea of risk in ISO management; but as you study risk in greater depth, you begin to see it as a word of many colors.  Here's an example from ISO 19011:2011.  It says that management system auditors need to recognize the risks associated with auditing, which include the risks tied to the audit program as well as the risks of the audit itself.  In other words, there is the risk that the auditors are looking for, and there is the risk that arises from the act of doing the audit.

ASQ CERTIFIED QUALITY AUDITOR BOK
ASQ's 2004 Certified Quality Auditor Body of Knowledge (CQA BoK) included evaluating the risks associated with:

  • Management and the organization as part of the audit purpose or objective.
  • Managing the audit program.
  • Collecting audit evidence.

The 2012 CQA BoK expands and clarifies risk to include:

  • How the audit program affects an organization’s risk.
  • How the audit organization’s risk can influence the number and frequency of audits performed.
  • The use of risk management tools, such as failure mode and effects analysis (FMEA), hazard analysis and critical control points (HACCP), critical-to-quality (CTQ) analysis and health hazard analysis.

So the organization carries risks inherent to its line of work; the Fukushima nuclear plant disaster shows where poor risk identification can lead.  And, of course, the audit program itself can create risk, as auditors who are strangers to the system go places where they could be hurt or cause someone else to be hurt.

SO, WE HAVE TO ASK OURSELVES: WHAT IS RISK?
Risk is a part of business every day.  It can be defined as the possibility of loss, injury, destruction or loss of product.

J.P. Russell explains it in "Managing and reporting the risks associated with auditing" like this:

“For example, in marbles, if I make a shot, I can add a marble to my bag. If I miss the shot, I could lose five marbles.  So what's the risk?  I think I have a 90% chance of making the shot—or a 10% chance of missing it.  The product of the amount that may be lost (five marbles) and the probability of losing it (10%) equals 0.5—half a marble.

Based on this, I should go ahead and take the risk to add another marble to my bag. But if my shot is more risky and has only a 30% chance of success, I risk 3.5 marbles instead of half a marble.  In that case, I may decide to play it safe and not take the shot or opt for an approach that will obstruct my opponent.

In business school, I took a class on risk that described it as I did with the marbles, except we were dealing with business ventures and the marbles were money. Due to a lack of statistics or adequate information, we brainstormed the probability of failure and estimated the resources—or revenue—that could be lost.”

Insurers and lenders apply the same concept: the higher the probability of loss, the higher the premium or the interest rate on a loan.  The higher rate is meant to compensate for the higher chance of loss.  The same logic governs investment: a 15% return on investment (ROI) may be acceptable on a low-risk venture, but the organization would want something like a 25% ROI before taking on a riskier one.
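The arithmetic in the marbles example (amount at risk times probability of losing it, weighed against the expected gain) and the insurer's rule that a riskier bet must pay more are easy to write down as a small script. The following is an added illustration, not code from the article or from ISOCert Solutions; the Wager type, the risk-appetite threshold and the third "bank shot" entry in the register are assumptions made for this example, and the register itself is constructed sample data.

```python
"""Expected-loss arithmetic behind the marbles example (added illustration)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Wager:
    """One risky action: what it pays if it works, what it costs if it fails.

    This type is an assumption for the example, not something the article defines.
    """
    name: str
    gain: float          # what you win if the shot lands
    loss: float          # what you lose if it misses
    p_success: float     # estimated probability of success, 0..1


def expected_loss(loss: float, p_loss: float) -> float:
    """Amount that may be lost times the probability of losing it.

    Russell's numbers: 5 marbles at a 10% miss chance -> 0.5 (half a marble).
    """
    if not 0.0 <= p_loss <= 1.0:
        raise ValueError("probability must be in [0, 1]")
    return loss * p_loss


def expected_value(w: Wager) -> float:
    """Net expectation of taking the shot: expected gain minus expected loss."""
    return w.gain * w.p_success - expected_loss(w.loss, 1.0 - w.p_success)


def should_take(w: Wager, appetite: float = 0.0) -> bool:
    """Take the wager only if its net expectation clears the risk appetite.

    The appetite threshold is an assumed knob: a lender or insurer effectively
    raises it (demands a higher rate) as the chance of loss goes up.
    """
    return expected_value(w) > appetite


def rank_by_expected_loss(register: list[Wager]) -> list[tuple[str, float]]:
    """Order risks worst-first, the way a risk register is usually prioritised."""
    scored = [(w.name, expected_loss(w.loss, 1.0 - w.p_success)) for w in register]
    return sorted(scored, key=lambda item: item[1], reverse=True)


# Constructed sample register: the two shots from the article plus one made-up entry.
REGISTER = [
    Wager("easy shot", gain=1, loss=5, p_success=0.90),
    Wager("hard shot", gain=1, loss=5, p_success=0.30),
    Wager("bank shot (assumed)", gain=3, loss=2, p_success=0.50),
]

if __name__ == "__main__":
    for w in REGISTER:
        print(f"{w.name}: expected loss {expected_loss(w.loss, 1.0 - w.p_success):.2f}, "
              f"net EV {expected_value(w):+.2f}, take={should_take(w)}")
    print(rank_by_expected_loss(REGISTER))
```

Run it and the easy shot comes out with an expected loss of half a marble and a positive net expectation, so it is worth taking; the hard shot carries an expected loss of 3.5 marbles and a net expectation of about minus 3.2, so it is declined, exactly as Russell reasons. Ranking the register by expected loss puts the hard shot first, which is the ordering an auditor would expect to see in a risk register regardless of whether the "marbles" are product, revenue or a certification.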

This makes sense, right?  But ISO muddies the issue by defining risk only as "the effect of uncertainty on objectives" (ISO 31000).

In that definition, an "effect" is a deviation from what was expected, and the size of the deviation is what sets the level of risk.

Organizations using the ISO definition cannot state an explicit objective for every possible risk, because the specifications are usually not detailed enough.  To add to the confusion, some objectives are never stated at all, even though the management system depends on them, and an unstated objective has no "effect of uncertainty" to measure against.

Strip away the double negatives and it comes down to this: the ISO definition ties every risk to an objective.  If an objective that the management system relies on is never made explicit, there is no way to define the risk against it.  Now think about it.  If there is no explicit objective, there is no way to manage the risk.

RISK MANAGEMENT IS NOT RISK REPORTING
ISO 31000 says that the risk management process entails the following steps (with communication and consultation, and monitoring and review, running alongside all of them):

  • Establishing context (scope and objectives).
  • Identifying risk.
  • Analyzing risk.
  • Evaluating risk.
  • Treating risk.

If you are the ISO manager or an auditor who is asked to manage risk, you follow the risk management procedure; but if you are asked to report risk, you have to know a risk when you see one, including risks for which no explicit objective exists.  I hope you see the beauty of this arrangement: when ISO quality management is followed correctly, and the company is a fair and equitable organization, it allows whistle-blowing for the good of the organization.

The job of auditors, who hopefully know a risk when they see one, is to monitor and report what they see regarding risk treatments and risky activities or processes.  They need to be able to report a risk as a probability of loss, disadvantage, destruction or injury, or as the effect of uncertainty on objectives, giving the organization the chance to create an explicit objective for that risk.  Meanwhile, the auditor could be creating a risk, and has to be able to recognize that as well.

A manager or auditor reporting risk might report during any of the risk assessment steps: identification, analysis and evaluation.  You might have to report based on an intuitive assessment, such as a finding that an action might result in loss of customer orders, loss of certification or even loss of a license.  Auditors might also be directed to report whether risk treatments have been implemented and whether they are effective.

So we see that risk is not a simple matter of percentages and chance, but involves the very continued existence of an organization.

Bio:

ISOCert Solutions was founded in 1990 in Sonoma County California by partner Tim Landerville and has grown steadily since its inception. It maintains its corporate office in Santa Rosa, California, and regional offices in the U.K. and South Africa.

ISOCert Solutions specializes in Enterprise-class software that is made for scalability, high performance, quality management and robustness. Their software provides businesses with logic support functionality, enabling enterprises to improve product quality, services and productivity while providing efficiency gains. For more information please see: http://isocertsolutions.com/ or call (707) 570-5669 to discuss how to become ISO 9001 certified.
