In short, yes. It doesn’t matter who you are or where you sit in an organisation, EVERYONE is responsible and accountable for risk-based thinking.
Businesses today face increasing levels of complexity and risk. Organisations are under pressure to deliver profitable business outcomes while operating in a socially and environmentally responsible way.
According to a study conducted in 2019 by the American Institute of Certified Public Accountants, 59% of respondents perceived a significant increase in the volume and complexity of risk for their business in the last five years.
Modern management systems Standards, like ISO 9001:2015, ISO 14001:2015 and ISO 45001:2018, define risk as “the effect of uncertainty.” This is understood in relation to achieving planned or expected business outcomes and goals. Under the Annex-SL structure, risk incorporates both negative risks and positive risks, or opportunities.
To remain competitive, businesses MUST incorporate risk-based thinking across the entire organisation. It’s not just the responsibility of the quality manager, or individual process owners. Leadership sets the tone for risk identification and management during the strategic planning cycle.
So, what is risk-based thinking, and how do you enable a risk-based thinking culture?
Risk-based thinking brings a systematic approach to managing and controlling risk. It’s something we all do automatically, and quite often, sub-consciously. As an example, consider the drive you take to get to and from work. While you’re driving, you are considering what speed you need to go, which roads will get you there the fastest as well as actioning on any hazards you encounter on the road.
Risk-based thinking highlights the critical topics and issues that an organisation must address. It also helps an organisation understand how well it is adapting to change. A proven, best-practice approach to manage and achieve any objective is to measure, evaluate and, where necessary, improve the actions taken. This approach is equally important for managing actions in response to targeted and constantly evolving risks and opportunities.
Organisations now need to evaluate the level of risk in each business process by taking steps to manage and control the identified risks to a level the organisation deems acceptable.
Those steps include:
- Identify risks in operations and determine how to evaluate those.
Are you weighing risks emerging from both external and internal factors? Do you have an organisational environment that encourages risk detection and communication? How can you make processes more effective and efficient while managing risk? - Assess the level of risk and determine your risk profile and comfort level.
A method including criteria to evaluate the risks along with a method to determine the effectiveness of the actions taken to control the risk will also need to be defined. - Prioritise and control those risks.
Consider how those risks will be prioritized and controlled through treatment options. Implementation of actions to address each risk will have to be developed and tested for effectiveness.
Similar to the critical success factors of ISO 9001:2015, ISO 14001:2015and ISO 45001:2018, embedding a risk-based thinking culture starts at the top. Senior management is responsible to effectively monitoring the changing business environment of the organisation to determine if the strategic plan remains relevant and cascade the business strategy throughout the entire organisation.
The key to successful implementation is engaging and ensuring individuals feel their contributions are helping improve the organisation. By requiring all employees to adopt a risk-based thinking mindset to their everyday functions and empowering authorised persons at all defined levels in the organisation, every employee can clearly link how they manage their tasks and risks to how their work enables the organisation to achieve its goals.
Risk-based thinking therefore:
- Builds a strong knowledge base
- Establishes a proactive culture of improvement
- Assures consistency of quality of goods or services
- Improves customer confidence and satisfaction
About the Author
Carmine is a 30-year veteran at SAI Global Assurance working as an industry leader, principal consultant and one of the lead trainers in the Training and Improvement Solutions division. He works with business of all sizes, coaching in all aspects of developing, implementing and integrating management systems including ISO 9001:2015, ISO 14001:2015, ISO 45001:2018, the Aerospace and Automotive standards.