12 Feb 2018 (QSE story 3/6) Analysis of risks and opportunities, added value for your integrated management systems
3rd article of our QSE story : users of QSE standards (ISO 9001, 14001, 45001) must now assess “risks and opportunities” and yet they don’t have a suitable method. Here are some key steps.
The voluntary standards on quality (ISO 9001) and environment (ISO 14001) in their 2015 versions, as well as the upcoming occupational health and safety standard ISO 45001 expected in March 2018, entail deployment of a management system enabling the organization to improve its performance, in particular by determining the organization’s context (we discussed it here) and through analysis of the consequent risks and opportunities.
What do these two notions cover? Risk is defined as the effect of uncertainty, which implies a cause-effect relationship involving a number of determining factors (legal, social, societal, etc.) and their consequences for the intended result. Whereas opportunities relate to measures that may be taken to achieve potential beneficial effects. If an organization has to put in a great deal of effort but the predicted associated gains are small, there is no great benefit in exploiting this opportunity. Conversely, if the potential benefit is considerable, then this is an opportunity worth seizing and addressing it will be a determining factor when planning actions.
QSE: target your actions better
The most important aspect of this approach is to focus on the issues identified by the organization as priority and strategic. It is better to take fewer actions but target them better in terms of desired performance rather than trying to address everything and spreading your efforts too widely. This temptation to tackle everything at once proved a weakness in management systems as interpreted according to the previous versions of ISO 9001 and 14001.
Taking the example of control of personal data, an opportunity exists to set up a simplified, centralized digital data management system. Then to accompany it with a targeted protection device according to the various types of data collected, in order to reduce risks of loss of particularly sensitive data. Thus there may be a suitable processing method corresponding to each type of data.
Analysis of risks and opportunities based on the external and internal issues and the needs and expectations of relevant interested parties should enable you to take account of four performance drivers for your management systems: your ability to provide a product or service that meets demand, your contribution to desirable or positive effects, your ability to prevent undesired effects, and determining how to improve your product or your service.
The standards do not impose any specific method to help you in your assessment of risks and opportunities. Very often the notions of frequency and severity are considered since they are commonly employed in the health and safety field to establish cause-effect relationships. For each risk in your management system you will be able to define an exposure frequency and the severity of the impact on the management system. Similarly, the questioning used to compile the “single document” on the risks identified in the organization and their rating will be useful to help you prioritize what needs to be taken into account. In the same vein, the significant environmental aspects arising from the environmental assessment will be taken account of when planning actions for improved performance.
A decision-making support tool
The risks and opportunities approach in fact serves as a very useful decision-making support tool, as well as helping you determine priorities. “Previously, certain preventive actions could be formalized based on chance circumstances and reflected a passive approach. On the contrary, the QSE standards, through this notion of opportunity, provide more clarity for organizations on the benefit of taking advantage of a situation”, explains Frédéric Mounier, expert trainer on QSE subject areas with AFNOR Competencies. This results in more proactive approaches since the mere act of addressing a risk is not necessarily enough to lead to seizing a related opportunity. ”
An example involving the introduction of remote working: this may lead to reduced road risk, a lower carbon footprint and even to offering customers more flexible contact hours.