The global economy has provided organizations with many opportunities that did not exist even ten years ago. But it also presents organizations with many risks, because the Internet has flattened the world and because of extensive outsourcing to countries such as China, Mexico and other nations. The designers of COSO, the guidance commonly used for compliance support of the Sarbanes-Oxley Act (SOX), recognized as early as 1992 the importance of risk management by including it as one element of the system of internal control. Now the ISO 9001 developers are including risk in the 2015 revision. In this article I describe an assessment process that can be used to manage risk to an organization's objectives. The process consists of defining the objectives, specifying the risks to those objectives and defining methods of managing the risks. The objectives should be measurable so that the effect on them can be determined. I will also describe commonly used risk management tools.

FOUR TYPES OF RISK

For strategic risk assessment, management should consider technology changes, creditors' demands, competitors' actions, economic conditions, political conditions and customer needs. Operational risk factors are the management system, customer satisfaction, the supply chain and revenue recognition. Other operational risks include those from natural disasters, information security risks and the logistics risks of homeland security. Compliance risks focus on financial, environmental, health and safety, and security factors. Government-mandated environmental and health and safety requirements cause concern because of the risk of fines, shutdowns or criminal prosecution. There is also a concern with conformance to quality and environmental standards and specifications. Finally, organizational risks appear at the entity and activity levels. External factors affecting organizational risks include technology developments, competition and new legislation, while internal factors are information system processing, the quality of personnel hired and changes in management responsibilities.

RISK METHODOLOGY

Once the objectives and the risks to them have been defined, there are tools to determine the risk level and manage the risks of concern. One key tool is an organization's set of financial and quality controls. These are especially important for the use of COSO in compliance with SOX and will be important for certification to the next revision of ISO 9001.

RISK CONTROLS

Quality controls are built around quality records and decision points. In ISO 9001, controls appear as "shall" statements. For example, clause 5.6.1 requires top management to "review the organization's quality management system at planned intervals, to ensure its continuing suitability, adequacy and effectiveness." Compliance with SOX includes financial controls at the entity and activity levels. The controls are used in the top-down, risk-based approach defined in the PCAOB auditing standard AS5 and the SEC management guidance.

I will close with an example from my book[i] of risk management at a teaching hospital and an indication of the new required structure of ISO standards. One of the major risks at hospitals is that of patients falling, which is a major contributor to the average length of stay. The Joint Commission on Accreditation of Healthcare Organizations (JCAHO) has developed tools to help manage this risk and requires use of the tools to maintain accreditation. The results of the study conducted by the hospital required more detailed patient intervention procedures and additional training in fall prevention.

As another example of the expansion of the risk management philosophy, all management system standards will now have to adopt the structure defined in ISO Guide 83. This will directly affect ISO 9001 and ISO 14001 as well as other ISO standards. In ISO 9001, the first three clauses will remain the same as in ISO 9001:2008. However, Clauses 4 to 10 will be very different. Clause 6 is the one that will include risk management.

HOW TO START
[i] Sandford Liebesman, “Competitive Advantage: Linked Management Systems,” 2011, Paton Professional, PO Box 44, Chico, CA 95927-0044