#9 – ISO 9001 RISK CHALLENGES – SANDFORD LIEBESMAN

The global economy has provided organizations with many opportunities that didn’t exist even ten years ago. But it also presents organizations with many risks because of the flattening of the Earth via the Internet and extensive outsourcing to countries such as China, Mexico and other nations.The designers of COSO, the guidance commonly used for compliance support of Sarbanes-Oxley Law (SOX), recognized as early as1992 the importance of risk management by including it as one element of the system of internal control. And now ISO 9001 developers are including risk in the 2015 revision.
In this article I describe an assessment process that can be used to manage risk to an organization’s objectives. The process consists of defining the objectives, specifying the risks to the objectives and defining methods of managing the risks.  The objectives should be measurable so that the effect on them can be determined. I will also describe commonly used risk management tools

.FOUR TYPES OF RISK
There are four types of risk that worry an organization. Strategic risk is concerned with the inability to achieve high-level goals. Operations risk concentrates on factors that prevent the efficient use of resources. Compliance risk affects the ability to comply with legal and regulatory requirements. The fourth risk, organizational risk is based on the organization’s structure and is found on two levels, the entity level and the activity level.

For strategic risk assessment management should consider technology changes, creditor’s demands, competitor’s actions, economic conditions, political conditions and customer needs. Operational risk factors are the management system, customer satisfaction, supply chain and revenue recognition. Other operational risks include risks from Natural Disasters, information security risks, and the logistics risks of homeland security.

Compliance risks focus on financial, environmental, health & safety and security factors. Government mandated environmental and health & safety requirements cause concern because of risk of fines, shutdowns or criminal prosecution. There is also a concern with conformance to quality and environmental standards and specifications.

Finally organizational risks appear on the entity and activity levels. External factors affecting organizational risks include technology developments, competition and new legislation. While internal factors are information system processing, quality of personnel hired and changes in management responsibilities.

RISK METHODOLOGY
As the first step in the development of the methodology is to determine the risk appetite and risk tolerance. This is necessary so that all members of the organization can understand the risk philosophy. Risk appetite is the amount of risk, on a broad level, an entity is willing to accept; while risk tolerance relates to the entity’s specific objectives. It is the amount of variation relative to specific objectives that an entity is willing to accept.

Once this is decided, there are tools to determine the risk level and manage the risks of concern. One key tool is an organization’s set of financial and quality controls. These are especially important for use of COSO in the compliance to SOX and will be important for certification to the next revision of ISO 9001.

RISK CONTROLS
What are controls? A control is a tool that can be used to identify and manage risks. Financial controls are prepared in accordance with general accepted accounting principles (GAAP).  They provide reasonable assurance that transactions are recorded as necessary and include accurate maintenance of records. They also may be used to provide reasonable assurance regarding prevention or timely detection of unauthorized acquisition or disposition of assets or other examples of fraud.

Quality Controls are built around quality records and decision points. In ISO 9001 controls appear as shall statements. For example, clause 5.6.1 requires top management to ”review the organization’s quality management system at planned intervals, to ensure its continuing suitability, adequacy and effectiveness.”

Compliance to SOX includes financial controls at the entity and activity levels. The controls are used in a top down, risk-based approach defined in the PCAOB auditing standard AS5 and the SEC Management guidance. I will close with an example from my book[i] of risk management at a teaching hospital and an indication of the new required structure of ISO standards.

One of the major risks at hospitals is that of patients falling, which is a major contributor to the average length of stay. The Joint Commission on Accreditation of Healthcare Organizations (JCAHO) has developed tools to help manage the risk and requires use of the tools to maintain accreditation. The results of the study conducted by the hospital required more detailed patient intervention procedures and additional training in fall prevention.

As another example of the expansion of the risk management philosophy, all management system standards will now have to adopt the structure defined in ISO Guide 83. This will directly affect ISO 9001 and ISO 14001 as well as other ISO standards. In ISO 9001, the first three clauses will remain the same as in ISO 9001:2008. However, Clauses 4 to 10 will be very different. Clause 6 is the one that will include risk management.

HOW TO START
I suggest that organizations start their risk management development with an open discussion of risk management and its effect on their organizations. The discussion attendees should take away the following: (1) a basic understanding of the risk management methodology, (2) an understanding of common risk management tools, (3) a case study that illustrates the use of the methodology, and (4) a preliminary look at the new ISO 9001 risk management requirements.

 


[i] Sandford Liebesman, “Competitive Advantage: Linked Management Systems,” 2011, Paton Professional, PO Box 44, Chico, CA 95927-0044

Leave a Reply

Your email address will not be published. Required fields are marked *