RISK & OPPORTUNITY

MANAGEMENT

By: Ishara Wijesuriya

 RISK & OPPORTUNITY MANAGEMENT

Training Outcomes

Identifying risks and opportunities

Understand the risk based thinking for quality management
Risk Analysis & Assessment
Risk mitigation and control

2
 RISK & OPPORTUNITY MANAGEMENT

Definition

What is Risk?
Risk available everywhere all the time. According to ISO a Risk is ;

Effect of uncertainty on objectives(Ref. ISO 9000:2015/ISO31000:2009).

- Effect is the deviation from the expectation.
- Uncertainty is the state of lack of information related to understand an event, its
consequences and likelihood.
- Objective may be financial, environmental, health, performance etc.

Effect (risk)/
Objective/ Deviate the
Uncertainty expectation
Expectation

Risk can bring both positive and negative outcomes. 3

 RISK & OPPORTUNITY MANAGEMENT

Definition cont..
Ex: Day to day..
Rain stops the match - Raining is the uncertainty. Match stopping is the risk.
Delaying arrival due to traffic Traffic is the uncertainty. Late arrival is the risk.
Smoking Kills?

Introduce a robot to automate the sewing process.

Expectation Effect (Risk) Uncertainty

High Efficiency Low Efficiency Technical failure

Reduce lost Time Increase Lost Time Technical failure

4
 RISK & OPPORTUNITY MANAGEMENT

Definition cont..
More Ex: List down risks with possible uncertainties.

1. Plan to increase the digital printing section efficiency up-to 80%

2. Objective is to maintain the rejection rate below 0.5%

3. Reduce the workplace accidents

4. Gain 1000 USD saving per annum.

5. Avoid major non-conformities in external audits

5
 RISK & OPPORTUNITY MANAGEMENT
Definition cont..
What is opportunity?

- A positive deviation arising from a risk can provide an opportunity, but not all positive
effects of risk result in opportunities.
Ex: Risk is over recruitments. Opportunity is over time can be reduce through proper
planning.
NOTE 2: Opportunities can lead to the adoption of new practices, launching new products, opening new
markets, addressing new customers, building partnerships, using new technology and other desirable
and viable possibilities to address the organizations or its customers needs (ISO 9001:2015 . 6.1.2)

- An opportunity is a set of circumstances which makes it possible to do something.

- Opportunity is a chance for promoting or improving something.

Ex: Introducing light weight tent for easy handling.

- Opportunities may increase risks.

- Outcome is uncertain in opportunities.

Ex: ? 6
 RISK & OPPORTUNITY MANAGEMENT

Risk Based Thinking

Simple Example:

If you wish to cross the road, you look for traffic before begin. You will not step in front of
a moving car.

Risk based thinking was in the ISO 9001:2008 under the preventive action clause. But now, this has
been built in whole management system (P D C A).
Ex:

Clause 4.4.1 Quality management system & its processes

Organization shall address the risks and opportunities as determined in accordance with
the requirements of 6.1
Clause 5.1.1 Leadership
Top management shall demonstrate leadership by promoting the use of the process
approach and risk-based thinking;

Clause 5.1.2 Customer focus

the risks and opportunities that can affect conformity of products and services
determined and addressed.
7
 RISK & OPPORTUNITY MANAGEMENT

Risk Based Thinking

Clause 6.1- Actions to address risks and opportunities [P]

6.1.1 When planning for the quality management system, the organization shall consider the issues
referred to in 4.1 and the requirements referred to in 4.2 and determine the risks and opportunities
that need to be addressed to:
a) give assurance that the quality management system can achieve its intended result(s);
b) enhance desirable effects;
c) prevent, or reduce, undesired effects;
d) achieve improvement.
Ex:
Organizations Issues

Organization Issue Determined Risk

Employee Retention Retention rate is not enough to cater production demand.
Document control Document control process is not effective
Legal Compliance Factory does not comply with legal requirements

8
 RISK & OPPORTUNITY MANAGEMENT

Risk Based Thinking

Clause 6.1- Actions to address risks and opportunities [P]

6.1.1 When planning for the quality management system, the organization shall consider the issues
referred to in 4.1 and the requirements referred to in 4.2 and determine the risks and opportunities
that need to be addressed to:
a) give assurance that the quality management system can achieve its intended result(s);
b) enhance desirable effects;
c) prevent, or reduce, undesired effects;
d) achieve improvement.
Ex:
Needs and expectations of interested parties.

Need & Expectation Determined Risk

Delivery on time Could not deliver on time
Comply to BOI Norms Breaching of a BOI norm
Submit Vat return to Inland revenue Could not submit vat returns before due date
before due date.

9
 RISK & OPPORTUNITY MANAGEMENT

Risk Based Thinking

Clause 6.1- Actions to address risks and opportunities [P]

6.1.2 The organization shall plan:
a) actions to address these risks and opportunities;
b) how to:
1) integrate and implement the actions into its quality management system processes (see 4.4);
2) evaluate the effectiveness of these actions.
Actions taken to address risks and opportunities shall be proportionate to the potential impact on
the conformity of products and services.
Ex:

RISK ACTION
Breaching a BOI norm Internal compliance review once a month
Human resource not adequate Broaden the recruitment program.
??? ???

10
 RISK & OPPORTUNITY MANAGEMENT

Risk Based Thinking

Clause 8.1 Operational Planning and Control [D]

The organization shall plan, implement and control the processes (see 4.4) needed to meet the
requirements for the provision of products and services, and to implement the actions determined in
Clause 6.

Clause 9.1.3 Analysis and Evaluation/ 9.3.2 Management Review Input [C]
The effectiveness of actions taken to address risks and opportunities;

Clause 10.1 Improvement, 10.2.1 Nonconformity and corrective action [A]

The organization shall determine and select opportunities for improvement by correcting, preventing or
reducing undesired effects
Update risks and opportunities determined during planning

11
 RISK & OPPORTUNITY MANAGEMENT

Risk Based Thinking

Risk-based thinking:

Improves business security

Ensures greater knowledge of risks and improves preparedness.
Creates opportunities for improvements.
Increases the probability of reaching objectives
Assists with statutory and regulatory compliance
Makes prevention a habit
Improves customer confidence and satisfaction

12
 RISK & OPPORTUNITY MANAGEMENT

Risk Analysis

Risk Analysis Tools

1. PESTLE
2. FMEA (failure mode and effect and effect analysis)
3. SWOT
4. SWIFT (Structured What if technique) Etc.

13
 RISK & OPPORTUNITY MANAGEMENT

Risk Assessment

There is no defined risk assessment method in ISO 9001. Organization has the freedom
select a suitable technique.

Ex: Risk Matrix

14
 RISK & OPPORTUNITY MANAGEMENT

Risk Analysis
Risk Assessment

Ex: Risk Priority Number (RPN)

Overall health of the risk then calculated using a risk priority number (RPN) which is the multiplication
of Severity, occurrence and detection
Severity
Fatal 10, Injured 7-9, Compliant 4-6, Internal Reject 1- 3
Occurrence
Frequent 7-10, Moderate - 4-6, Low - 2-4, Rare -1
>Detection
At application 10, by Customer 6-9, Internal QC 1-5

Ex:
A customer complained that one of his client has faced with a fatal accident due to a
structural failure of our Paraglider.
RPN?

15
 RISK & OPPORTUNITY MANAGEMENT

Risk Mitigation and Control

NOTE 1; Options to address risks can include avoiding risk, taking risk in order to pursue an
opportunity, eliminating the risk source, changing the likelihood or consequences, sharing the risk, or
retaining risk by informed decision. (Ref: ISO 9001:2015 6.1.2)

1. Tolerating the risk

- Contingency plans shall be in placed for the controlling the risk
- Risk can not be mitigated cost effectively or risk may open great benefits.

2. Treating
- Bring down the overall effect of risk by either reducing the occurrence of the risk or
improving the detection by controls and actions.

3. Terminating the risk

- Doing something different to eliminate the risks

4. Transferring risk
- Transferring risk into third party (ex: outsource, Insurance etc.)
16
 RISK & OPPORTUNITY MANAGEMENT

Risk Mitigation and Control

Group Task: Build a simple risk register

Consideration Risk Possible Causes S O D RPN Controls Action Reaction

17
 RISK & OPPORTUNITY MANAGEMENT

Summary:

Identify Risks

Evaluating Assessing
effectiveness Risks

Controlling
Risks

18
 RISK & OPPORTUNITY MANAGEMENT

Further Reading:

ISO 9001: 2015 Quality management system requirements

ISO 9002: 2016 - Guidelines for the application of ISO 9001:2015
ISO 31000: 2009 - Risk management -- Principles and guidelines
www.iso.org/tc176/sc02/public - Technical paper Risk-Based Thinking

19
 RISK & OPPORTUNITY MANAGEMENT

QUESTIONS?

20