Risk is everywhere. It impacts every aspect of life, including one’s work life. Whether or not management is aware of it, they have been managing risk for years. They were managing quality years before ISO 9001 came along, and they were managing risk long before ISO 9001 included risk among its requirements.
Preventive action is the basic mechanism by which ISO 9001:2008 currently requires risk to be controlled. ISO 9001:2015 is expected to do away with the preventive action requirement, essentially replacing it with a risk requirement that is more clearly distinct from corrective action. Although similar requirements have been resident in the standard since its original release in 1987, consensus among quality professionals about corrective vs. preventive action still seems elusive to this day. The requirement will not likely be missed, especially since risk management is supposed to offer the proactive aspect that preventive action attempted to address.
So, now we will have risk. Risk à la ISO 9001 consists of risk to quality—product, process, and system quality. These risks include those associated with not identifying product, not employing competent personnel, not controlling documents, not inspecting product, etc.
REMEMBER BOB?
An article published in CERM Risk Insights in October of 2013 (#26) entertained risk in ‘Bob’s Machine Shop.’ This article contains an example of how top management of the small shop, Bob, manages risk. The article includes a ‘risk analysis form’ Bob uses to weigh risks to quality, determining what’s acceptable, what requires mitigation, etc. The items appearing on Bob’s risk form represent risks to quality; risk management has been incorporated into Bob’s management system designed to manage quality.
When ISO 14001 is involved, the risks under analysis are those to the environment—product, process, and system environmental impact. Sparing the ‘nots,’ these risks include those associated with energy usage, waste, dumping in the river, etc. Bob’s risk analysis form would now include these risks, too. The existing system is enhanced so that it also addresses environmental management: any new processes are raised (and defined in procedures), and existing system documentation is updated, including what was previously merely quality management system documentation.
The same operations (processes) are involved, but they are viewed from a different perspective. However, we might add a process for determining environmental aspects and impacts (if it didn’t naturally fit elsewhere). In that case, an ‘Environmental Aspects and Impacts’ procedure would be raised to describe how that process operates, much like an ‘Internal Audit’ procedure was raised to describe the internal audit process. Now the system design is robust enough to meet not only quality objectives, but environmental objectives, too.
Under ISO 27001, the risks are those to (information) security. These risks include those associated with logins/passwords, back-ups, network vulnerabilities, hackers, etc. Bob’s risk form would now include these risks as well. After the enhancements are applied, the system is robust enough to meet quality, environmental, and security objectives.
RESPECTIVE PERSPECTIVES OF RISK
ISO 9001, ISO 14001, and ISO 27001 each entertain risk from a different perspective: a management system focuses on risks to achieving the objective(s) that the management system was raised to achieve.
A system designed to achieve quality objectives does just that. ISO 9001 is applied to a (quality) management system to see if the system meets basic requirements expected of a quality management system.
A system designed to achieve environmental objectives would also be subject to ISO 14001 requirements. If the system were designed only to achieve environmental objectives, it wouldn’t need to be robust enough to also manage quality, but only robust enough to manage environmental impact. It would still require a basic support structure similar to that of a quality management system; only the operating procedures would be focused on operations’ impact on the environment.
DITTO FOR A SECURITY MANAGEMENT SYSTEM
One process-based management system could meet all three objectives and use each of the three standards to prove it. So rather than calling it a risk management system, a quality management system, an environmental management system and/or a security management system, why not just call it a management system, one that complies with ISO 9001, ISO 14001, and ISO 27001 (while also implementing the risk thinking of ISO 31000)?
Such a system happens to be designed to meet quality objectives, environmental objectives, and security objectives. So the same system operates on the same operations, simultaneously controlling risk to those operations from each of the respective perspectives.
Bio:
T. D. (“Dan”) Nelson is a quality management consultant, author, and trainer specializing in the process approach, ISO 9001, and related sector schemes. Dan has roughly 20 years of experience with ISO 9000 and over 15 years’ experience with the process approach. Dan holds an MA in Business Administration from the University of Iowa. Dan can be reached at:
dan@tdnelson.com
319.210.2642