
Step 9 – Risks and Opportunities

To conform to the requirements of this International Standard, an organization needs to plan and implement actions to address risks and opportunities. Addressing both risks and opportunities establishes a basis for increasing the effectiveness of the quality management system, achieving improved results and preventing negative effects.


Why you need to define Risk and Opportunities for your ISO Management System (MS)

6.1 Actions to address risks and opportunities

6.1.1 When planning the quality management system, the organization shall consider issues referred to in 4.1 and the requirements referred to in 4.2 and determine risks and opportunities that need to be addressed to:

a) give assurance that the quality management system can achieve its intended result(s);

b) enhance desirable effects.

c) prevent, or reduce, undesired effects.

d) achieve improvement.

6.1.2 The organization shall plan:

a) actions to address these risks and opportunities.

b) how to:

1) integrate and implement the actions into its quality management system processes

2) evaluate the effectiveness of these actions.

How the ISOvA software does 80% of the work for you

The three videos below show how the ISOvA software makes your life easier by handling 80% of the work involved in addressing risks and opportunities for your ISO Management System.

ISO 9001

ISO 14001

ISO 27001

The headings below match the columns provided in your IMS Toolbox:

Risks and Opportunities

The majority of this exercise is choosing the relevant information you have inputted from Steps 1 to 7.

Once you have become familiar with this process, it is up to you to add other risks associated with your business, including risks to operations, interested parties, infrastructure and competencies.

Relevant

This section is for the risks that have been included with the Toolbox. You need to choose whether this risk is relevant to your business.

Issue

When assessing the risk, you must choose whether it is an internal or an external issue. An example of an internal issue is employee competencies, and an example of an external issue is a supplier failing to deliver a quality product.

Risk

This section is where you communicate the headline of the risk.

Detail

This section is where you give the explanation (Scope) behind the headline. Remember that a third party should understand your description.

Consequence

From the dropdown selection, choose what the consequence of the risk could be. An example would be a delay caused by a supplier, which can in turn cause poor service delivery. You can choose multiple consequences if needed.

Risk Implications

Give a score (1 is Low Risk, and 4 is High Risk) for the impact the risk would have on your business should it happen.

Controls

Following Step 3 of the “How To Guide”, allocate the controls you have in your business to minimise this risk. To be honest, this step is important: if you don’t have controls in place, you have found your business objectives (which is your opportunity).

Risk Probability

Give a score (1 is Low Risk, and 4 is High Risk) for the probability that this risk will happen in your business.

Risk Rating

Once you have scored the Risk Implications (I) and the Risk Probability (P), the Toolbox automatically calculates the Risk Rating (R) using the formula I × P = R.

The score of the risk or opportunity will determine the type of actions that will be implemented to address it:

[Figure: ISOvA IMS Toolbox Online Demo - Rating and Classification Table]

Objectives

Any risk scoring of 10 and above requires an objective (this will be communicated in Step 9 Objectives). For now, choose from the selected categories that this objective falls under.

Please do not forget this Risk for Step 9.

Interested Parties

Following Step 5 Interested Parties, allocate the relevant interested party that this risk would affect. You can choose more than one.

Legal Categories

By following Step 2 Legal register, allocate the relevant statutory and regulatory legislation to this individual risk. It is not easy, so try and think from a top-level perspective. Alternatively, please speak to one of our ISOvA assistants, who will be happy to help.

Performance Evaluation

By following Step 7 Performance Evaluation, allocate the relevant KPI that will help to monitor and evaluate the risk. Potentially this could alter the scoring.

The risks and opportunities register changes throughout the year, so we advise you to review it on a quarterly basis and re-evaluate the scoring based on the controls you have in place or the objectives you have completed. Your business also changes, and with that you will encounter new risks. It is advisable to use the Toolbox to assess these unknown risks and what controls you have in place to minimise the impact.

Next Step…

Request a Demo

If you would like a demo of the ISOvA (Risk Compliance Software and) Integrated Management System (IMS) software, fill out our form below:
