Risk is uncertainty that matters: uncertainty that affects the achievement of corporate objectives and growth.
Risk Management is a process-based approach to managing the potential problems and disasters that could happen. It is about planning ahead how to respond to such problems and disasters if or when they occur, and working to eliminate, avoid or mitigate their impact on the organization and the business.
Risk Management rose to global importance after the following disasters:
- 1997 Asian Financial Crisis
- 2001 September 11 terrorist attacks on commercial airliners
- 2008 subprime mortgage crisis and collapse of Lehman Brothers
- 2011 Japanese tsunami and Bangkok floods
- 2011/2012 European debt crisis
These disasters disrupted businesses and organizations far from the disaster zone to an extent the world had never witnessed before. They disrupted global supply chains, causing worldwide shortages and business downturns.
Since then, many organizations and international bodies have adopted Risk Management approaches and processes to make supply chains more robust and resilient to economic and natural disasters.
The International Organization for Standardization (ISO) published ISO 31000 in 2009 to provide a framework and implementation guidelines for Risk Management. Risk Based Thinking, a part of Risk Management, was included in ISO 9001:2015 as a replacement for Preventive Action. (Preventive action remains an integral part of Risk Based Thinking and Corrective Action.) Implementing any process that identifies, evaluates and takes action to manage risks is accepted as meeting the Risk Based Thinking requirement of ISO 9001:2015; it does not specifically require ISO 31000 to be implemented as a process.
The typical Risk Management process includes the following steps:
- Risk Identification – A process to list all the uncertainties or issues that could negatively (and positively) impact the organization.
- Risk Analysis – A process to quantify the chance of a risk event occurring and the level of damage to the organization if the event were to occur.
- Risk Evaluation – A process of comparing the results of the risk analysis against the organization's risk criteria to determine the type of action to be taken on a risk event. Organizations differ in the level of risk they are willing to ignore or accept.
- Risk Treatment – A process in which a range of actions is recommended and implemented to mitigate the risks.
- Review & Monitor – A process in which internal and external risks are monitored and reviewed periodically to keep up with changes that occur over time. New risks may be identified, and existing risks may become more significant or occur more often.
It is common for organizations to use a Risk Register to capture the outputs of the steps above. Examples of Risk Registers and Excel templates can be viewed and downloaded from the internet.
A Risk Register is sometimes called a living document, because it is continually reviewed and updated as new information on organizational uncertainties comes to light. The Risk Register is also updated when the probability of a risk occurring changes or when new mitigation actions are implemented.