#9 – ISO 9001 RISK CHALLENGES – SANDFORD LIEBESMAN

The global economy has provided organizations with many opportunities that didn’t exist even ten years ago. But it also presents organizations with many risks because of the flattening of the Earth via the Internet and extensive outsourcing to countries such as China, Mexico and other nations. The designers of COSO, the guidance commonly used for compliance support of the Sarbanes-Oxley Law (SOX), recognized as early as 1992 the importance of risk management by including it as one element of the system of internal control. And now ISO 9001 developers are including risk in the 2015 revision.
In this article I describe an assessment process that can be used to manage risk to an organization’s objectives. The process consists of defining the objectives, specifying the risks to the objectives and defining methods of managing the risks. The objectives should be measurable so that the effect on them can be determined. I will also describe commonly used risk management tools.

FOUR TYPES OF RISK
There are four types of risk that worry an organization. Strategic risk is concerned with the inability to achieve high-level goals. Operations risk concentrates on factors that prevent the efficient use of resources. Compliance risk affects the ability to comply with legal and regulatory requirements. The fourth, organizational risk, is based on the organization’s structure and is found on two levels, the entity level and the activity level.

For strategic risk assessment, management should consider technology changes, creditors’ demands, competitors’ actions, economic conditions, political conditions and customer needs. Operational risk factors are the management system, customer satisfaction, supply chain and revenue recognition. Other operational risks include risks from natural disasters, information security risks, and the logistics risks of homeland security.

Compliance risks focus on financial, environmental, health & safety and security factors. Government-mandated environmental and health & safety requirements cause concern because of the risk of fines, shutdowns or criminal prosecution. There is also a concern with conformance to quality and environmental standards and specifications.

Finally, organizational risks appear on the entity and activity levels. External factors affecting organizational risks include technology developments, competition and new legislation. Internal factors include information system processing, the quality of personnel hired and changes in management responsibilities.

RISK METHODOLOGY
The first step in developing the methodology is to determine the risk appetite and risk tolerance. This is necessary so that all members of the organization can understand the risk philosophy. Risk appetite is the amount of risk, on a broad level, that an entity is willing to accept, while risk tolerance relates to the entity’s specific objectives: it is the amount of variation relative to specific objectives that an entity is willing to accept.

Once this is decided, there are tools to determine the risk level and manage the risks of concern. One key tool is an organization’s set of financial and quality controls. These are especially important when using COSO to comply with SOX and will be important for certification to the next revision of ISO 9001.

RISK CONTROLS
What are controls? A control is a tool that can be used to identify and manage risks. Financial controls are prepared in accordance with generally accepted accounting principles (GAAP). They provide reasonable assurance that transactions are recorded as necessary and include accurate maintenance of records. They may also be used to provide reasonable assurance regarding the prevention or timely detection of unauthorized acquisition or disposition of assets or other examples of fraud.

Quality controls are built around quality records and decision points. In ISO 9001, controls appear as “shall” statements. For example, clause 5.6.1 requires top management to “review the organization’s quality management system at planned intervals, to ensure its continuing suitability, adequacy and effectiveness.”

Compliance with SOX includes financial controls at the entity and activity levels. The controls are used in a top-down, risk-based approach defined in the PCAOB auditing standard AS5 and the SEC Management guidance. I will close with an example from my book[i] of risk management at a teaching hospital and an indication of the new required structure of ISO standards.

One of the major risks at hospitals is that of patients falling, which is a major contributor to the average length of stay. The Joint Commission on Accreditation of Healthcare Organizations (JCAHO) has developed tools to help manage the risk and requires use of the tools to maintain accreditation. The results of the study conducted by the hospital required more detailed patient intervention procedures and additional training in fall prevention.

As another example of the expansion of the risk management philosophy, all management system standards will now have to adopt the structure defined in ISO Guide 83. This will directly affect ISO 9001 and ISO 14001 as well as other ISO standards. In ISO 9001, the first three clauses will remain the same as in ISO 9001:2008. However, Clauses 4 to 10 will be very different. Clause 6 is the one that will include risk management.

HOW TO START
I suggest that organizations start their risk management development with an open discussion of risk management and its effect on their organizations. The discussion attendees should take away the following: (1) a basic understanding of the risk management methodology, (2) an understanding of common risk management tools, (3) a case study that illustrates the use of the methodology, and (4) a preliminary look at the new ISO 9001 risk management requirements.

[i] Sandford Liebesman, “Competitive Advantage: Linked Management Systems,” 2011, Paton Professional, PO Box 44, Chico, CA 95927-0044