2 2018mac20 Risk Management and Assessment Programme


ISO 9001:2015

RISK MANAGEMENT
AND ASSESSMENT

PRESENTED BY:
Puan Zainorni Bte Mohd Janis
SIRIM STS Sdn Bhd

COURSE OBJECTIVE

• To explain the concept of “risk” in the context of ISO 9001:2015
• To explain how risk is addressed in ISO 9001:2015
• To explain risk management principles, framework and process requirements as per ISO 31000:2018
ISO 9001:2015 vs ISO 31000:2018

ISO 9001:2015, Quality Management Systems – Requirements

vs

ISO 31000:2018, Risk Management – Guidelines

Session 1

Introduction to ISO 9001:2015
BACKGROUND OF ISO 9001

Basis            | Major change  | Minor change
Inspection based | ISO 9000:1987 | ISO 9000:1994
Process based    | ISO 9001:2000 | ISO 9001:2008
Risk based       | ISO 9001:2015 | ISO 9001:20??

What’s new in ISO 9001:2015?

• Use of the High Level Structure
• Understand the context
• Strengthened process approach
• Less emphasis on documentation
• Risk-based thinking
• Leadership
ISO 9001:2015 INTERACTION

Customer and legal requirements
Risks and opportunities
ISO 9001:2015 standard requirements

Integrating the Risk Element in ISO

A common format that has been developed for use in all management system standards:

• ISO 22301:2012 Business continuity management systems
• ISO 39001:2012 Road safety management system
• ISO 27001:2013 Information security management system
• ISO 55001:2014 Asset management system
• ISO 14001:2015 Environment management system
Session 2

Introduction to Risk Management

DEFINITION OF RISK
(ISO 9000:2015, Quality Management Systems – Fundamentals and Vocabulary)

RISK: effect of uncertainty

NOTE 1: An effect is a deviation from the expected — positive or negative.
NOTE 2: Uncertainty is the state, even partial, of deficiency of information related to, understanding or knowledge of, an event, its consequence, or likelihood.
NOTE 3: Risk is often characterized by reference to potential events and consequences, or a combination of these.
NOTE 4: Risk is often expressed in terms of a combination of the consequences of an event (including changes in circumstances) and the associated likelihood of occurrence.
NOTE 5: The word “risk” is sometimes used when there is the possibility of only negative consequences.
Risk

Risk = Likelihood x Consequence

Likelihood: chance of something happening
Consequence: outcome of an event affecting objectives
(Clauses 3.6 & 3.7, ISO 31000:2018 Risk Management – Guidelines)

DEFINITION OF RISK MANAGEMENT

Coordinated activities to direct and control an organization with regard to risk.

(Clause 3.2, ISO 31000:2018 Risk Management – Guidelines)
WHY THE NEED TO MANAGE RISK?
• Organizations face internal and external factors that make it uncertain whether they will achieve their objectives.
• The effect of these uncertainties on achieving objectives is known as “risk”.
• The process of managing these risks is known as “risk management”.

WHAT IS RISK BASED?

Integrating risks and opportunities into the overall process of the quality management system:

Establish context → Plan → Operate → Evaluate → Improvement
WHAT IS “RISK-BASED THINKING”?

• Risk-based thinking is something we all do automatically and often sub-consciously.
• The concept of risk has always been implicit in ISO 9001 – this revision makes it more explicit and builds it into the whole management system.
• Risk-based thinking is already part of the process approach.
• Risk-based thinking makes preventive action part of the routine.
• Risk is often thought of only in a negative sense. Risk-based thinking can also help to identify opportunities.

REPRESENTATION OF ISO 9001:2015 STRUCTURE IN THE PDCA CYCLE

[Diagram: the Quality Management System (4) drawn as a PDCA cycle. Inputs: customer requirements; needs and expectations of relevant interested parties (4); the organization and its context (4). PLAN: Planning (6). DO: Support and Operation (7, 8). CHECK: Performance Evaluation (9). ACT: Improvement (10). Leadership (5) sits at the centre. Outputs: customer satisfaction; products and services; results of the QMS.]
RISK-BASED IN ISO 9001:2015 CLAUSES - 1

Clause | Details
4.1 | The organization shall determine external & internal issues… that affect its ability to achieve the intended result(s) of the QMS
4.2 | Due to their effect or potential effect on the organization’s ability to meet requirements, the organization shall determine the interested parties and their requirements
4.4.1 | QMS – address the risks & opportunities
5.1.1 | Leadership – promoting risk-based thinking
6.1.1 & 6.1.2 | Actions to address risks and opportunities
6.3 | Planning of changes – purpose & potential consequences
7.4 | Communication – internal & external

RISK-BASED IN ISO 9001:2015 CLAUSES - 2

Clause | Details
8.1 | Operational planning & control – control changes, review consequences & take mitigating action
8.4.2 | Type & extent of control – determine the potential impact and evaluate the effectiveness of the controls applied to external providers
8.5.1 | Control of production & service provision – action to prevent human error
9.2 | Internal audit – the programme shall consider changes affecting the organization
9.3.2 | Management review input – the effectiveness of actions taken to address risks & opportunities
WHY DO WE NEED RISK ASSESSMENT?

“The only alternative to risk management is crisis management – and crisis management is much more expensive, time consuming and embarrassing.”
JAMES LAM, Enterprise Risk Management, Wiley Finance © 2003

“Without good risk management practices, government cannot manage its resources effectively. Risk management means more than preparing for the worst; it also means taking advantage of opportunities to improve services or lower costs.”
Sheila Fraser, Auditor General of Canada

RISK MANAGEMENT OBJECTIVES

• To protect assets and valuable resources.
• To protect and improve the organization’s reputation or image.
• To establish processes for identifying, assessing, measuring, monitoring, controlling and managing risks.
• To create a risk management culture in the organization.
• To provide a framework for a business continuity management system that can be used in the event of an incident or crisis.
A COHERENT SET OF STANDARDS

• ISO 31000:2018 “Risk management – Guidelines”
• ISO Guide 73 “Risk management – Vocabulary”
• IEC/ISO 31010 “Risk management – Risk assessment techniques”
• HB 327:2010 – Communicating and consulting about risk
• AS/NZS 5050:2010 Business Continuity – Managing disruption-related risk
• HB 266:2010 – Guide for managing risk in not-for-profit organizations

Session 3
Risk Management Based On ISO 31000:2018
ISO 31000:2018

SCOPE:
This standard provides guidelines on managing risk faced by organizations. These guidelines can be customized to any organization and its context. This document provides a common approach to managing any type of risk and is not industry or sector specific. It can be used throughout the life of the organization and can be applied to any activity, including decision-making at all levels.

(Clause 1, ISO 31000:2018)
ISO 31000:2018

INTRODUCTION:
Managing risk is based on the principles, framework and process outlined in this document. These components might already exist in full or in part within the organization; however, they might need to be adapted or improved so that managing risk is efficient, effective and consistent.
ISO 31000:2018 - Principles

Principles for effective risk management:

a) Integrated
b) Structured and comprehensive
c) Customized
d) Inclusive
e) Dynamic
f) Best available information
g) Human and cultural factors
h) Continual improvement
ISO 31000:2018 - Framework

The purpose of the risk management framework is to assist the organization in integrating risk management into significant activities and functions.

The effectiveness of risk management will depend on its integration into the governance of the organization, including decision making. This requires support from stakeholders, particularly top management.

Framework development encompasses integrating, designing, implementing, evaluating and improving risk management across the organization.
ISO 31000:2018 - Process

The risk management process involves the systematic application of policies, procedures and practices to the activities of communicating and consulting, establishing the context and assessing, treating, monitoring, reviewing, recording and reporting risk.

Session 4
Scope, Context, Criteria
SCOPE, CONTEXT AND CRITERIA

Scope
The organization should define the scope of its risk management activities. It is important to be clear about the scope under consideration, the relevant objectives to be considered and their alignment with organizational objectives.

Context
Defining the external and internal parameters to be taken into account when managing risk, and setting the scope and risk criteria for the risk management policy.
External context – understand the business environment
Internal context – strategy, objectives
Can be found in business strategic planning.
Popular method - SWOT Analysis (strengths, weaknesses, opportunities and threats)
RELATION BETWEEN STRATEGY, OBJECTIVES AND RISK MANAGEMENT

SWOT Analysis → Objectives → Strategies → Identify Risks → Analysis → Action / Mitigation Plan

SWOT ANALYSIS

                    | Helpful for achieving the organization’s vision | Harmful for achieving the organization’s vision
Internal attributes | Strengths                                       | Weaknesses
External attributes | Opportunities                                   | Threats
SCOPE, CONTEXT AND CRITERIA

Criteria
• The criteria should be defined in order to evaluate the significance of risk and to support decision-making processes.
• They should be aligned with the risk management framework and customized to the specific purpose and scope of the activity under consideration.
• They should reflect the organization’s values, objectives and resources and be consistent with policies and statements about risk management.
• The criteria should be defined taking into consideration the organization’s obligations and the views of stakeholders.
• The criteria should be established at the beginning of the risk assessment process; they are dynamic and should be continually reviewed and amended if necessary.

Session 5
Risk Assessment
RISK ASSESSMENT
 Risk assessment is the overall process of risk identification, risk analysis and risk evaluation.
 Risk assessment should be conducted systematically, iteratively and collaboratively, drawing on the knowledge and views of stakeholders.
 It should use the best available information, supplemented by further enquiry as necessary.
RISK IDENTIFICATION
 Identification of risks through the brainstorming method.
 Consider the risks that are beyond organizational control (external factors).
 Understand the organization's objectives that need to be achieved.
 Take into account the knowledge and experience of those involved in risk management.

Clause 6.1 of ISO 9001:2015

Actions to address risks and opportunities

When planning for the QMS, the organization shall consider the issues referred to in 4.1 and the requirements referred to in 4.2 and determine the risks and opportunities that need to be addressed to:
• ensure the QMS can achieve its intended result(s)
• enhance desired effects
• prevent or reduce undesired effects
• achieve improvement
4 Context of the organization
4.1 Understanding the organization and its context
The organization shall determine external and internal issues that are relevant to its purpose and strategic direction and that affect its ability to achieve the intended result(s) of its quality management system.

Must monitor and review the issues.

4.2 Understanding the needs and expectations of interested parties

The organization shall determine:
• the interested parties that are relevant to the quality management system;
• the requirements of these interested parties that are relevant to the quality management system.

Must monitor and review information about interested parties and their requirements.
Summary

6.1 Address risks and opportunities, drawing on:
• 4.1 External issues and internal issues
• 4.2 Interested parties’ requirements

RISK ANALYSIS
 Involves input to evaluate the risks and decide whether the risk can be treated with a certain method.
 Takes into account the source of the risk and the risk effect, either positive or negative.
 The method used depends on the existing information and data.
 Organizations need to develop an appropriate risk assessment methodology.
RISK ANALYSIS METHODOLOGY
1) Use qualitative or quantitative methods
2) Develop the likelihood scale (e.g. 1-low, 5-high)
3) Develop the risk consequence scale (e.g. 1-low, 5-high)
4) Develop the risk assessment format (template)
5) Train and test personnel to ensure proper understanding of the risk assessment methodology

Probability Index (e.g.)

Probability (Rating)      | Likelihood | Description
Almost Certain (Rating 5) | > 50%      | Expected to occur in most circumstances and has occurred frequently within the entity
Likely (Rating 4)         | 31% - 50%  | Probable to occur in many circumstances and has occurred a few times within the entity
Possible (Rating 3)       | 16% - 30%  | Might occur at some time and has occurred once in previous years within the entity
Unlikely (Rating 2)       | 1% - 15%   | Could occur or has occurred in the industry
Remote (Rating 1)         | < 1%       | May occur only in exceptional circumstances and has never occurred in the industry
Financial Risk Impact Rating Table (e.g.)

Impact Perspective | Insignificant (Rating 1) | Minor (Rating 2) | Moderate (Rating 3) | Major (Rating 4) | Catastrophic (Rating 5)
Working Capital | Business as usual, able to manage working capital | Unable to sustain working capital requirements for ≤ 1 quarter | Unable to sustain working capital requirements for 1 – 2 quarters | Unable to sustain working capital requirements for 3 – 4 quarters | Unable to sustain working capital requirements for > 1 year
* Net Profit | Net profit erosion amounting to < 3% NPBT | Net profit erosion amounting to 3% – 5% NPBT | Net profit erosion amounting to 6% – 8% NPBT | Net profit erosion amounting to 9% – 17% NPBT | Net profit erosion amounting to > 17% NPBT
** Assets / Shareholder Equity | Asset damage amounting to < 1% of Total Assets | Asset damage amounting to 1% – 4% of Total Assets | Asset damage amounting to 4% – 7% of Total Assets | Asset damage amounting to 7% – 10% of Total Assets | Asset damage amounting to > 10% of Total Assets
Cash flow impact / Financial Assistance perspective | Impact is resolved without any financial assistance | Impact is resolved with internal arrangements within the OPU/BU | Requires once-off funding from PETRONAS Holding Company or parent/holding company | Requires periodical funding from PETRONAS Holding Company or parent/holding company | Requires capital restructuring within the OPU/BU or may require external funding (financial institutions)

Non-Financial Risk Impact Rating Table (e.g.)

Non-Financial Parameter | Insignificant (Rating 1) | Minor (Rating 2) | Moderate (Rating 3) | Major (Rating 4) | Catastrophic (Rating 5)
1) Loss of stakeholder trust | Trust dented – recoverable speedily | Trust questioned – recoverable with time and good PR | Trust diminished but recoverable at considerable cost | Trust severely damaged – never fully recovered | Trust completely lost – not recoverable
2) HSE: i) People | Slight injury | Minor injury | Major injury / Major health effects* | Single fatality / Permanent total disability* | Multiple fatalities / Total disability*
2) HSE: Asset | Slight damage | Minor damage | Local damage | Major damage | Extensive damage
2) HSE: Environment | Slight impact | Limited impact | Considerable impact | Major national impact | Major international impact
2) HSE: Reputation | Slight impact | Limited impact | Considerable impact | Major national impact | Major international impact
3) Security of PETRONAS staff/dependents and the business operation | Stable environment where business operations are uninterrupted | There are incidents in the area, which may require a higher security level | Incidents/events are escalating, which requires constant security monitoring of operations/further developments | Incidents/events have a direct impact on the security of staff (injuries/fatalities, corporate crimes) | Incidents/events escalating to a point whereby business operations are disrupted
RISK EVALUATION
• The next step is to assess whether the risk is acceptable or not.
• An acceptable risk is not necessarily a low risk, but it needs to be in line with the treatment.
• The risk assessment must take into account the following:
1. The importance of the activities in which the risk is to be managed
2. The level of control over these risks
3. Potential and actual losses from the risk to be faced
4. The advantages and opportunities of such risks

Risk Rating

Risk Level | Risk Scale | Risk Rating
Extreme | 20, 25 | - Risk is not tolerable. - Risk requires immediate controls in place with the highest priority, with the target of lowering the risk rating to an acceptable level. - Immediate and drastic action/s may be required to safeguard the company.
High | 10, 12, 15, 16 | - Risk is not tolerable. - Risk requires controls with high priority, with the target of lowering the risk rating to an acceptable level.
Medium | 5, 8, 9 | - Risk is still tolerable. - Risk requires controls with a low priority, monitored against any escalation and managed for continual improvement.
Low | 1, 2, 3, 4, 6 | - Risk is tolerable. - Risk is monitored against any escalation and managed for continual improvement.
Risk Level

[Risk level matrix: rows = Likelihood (Almost Certain, Likely, Possible, Unlikely, Remote), columns = Impact (Insignificant, Minor, Moderate, Major, Severe); each cell is coloured by Risk Level (Very High, High, Medium, Low).]
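The scoring described on the Probability Index, Risk Rating and Risk Level slides, carried through in code as an added example (this is not code from the presentation or from SIRIM). It maps an estimated probability onto the 1-5 probability index, computes Risk = Likelihood x Consequence, and looks the product up in the Risk Rating scale (Extreme 20, 25; High 10, 12, 15, 16; Medium 5, 8, 9; Low 1, 2, 3, 4, 6). Assumptions made here and not stated on the slides: probabilities that fall in the gaps between the slide's bands (e.g. 15.5%) are assigned to the lower band; the 5x5 matrix cells are assumed to be the product of the two ratings mapped through the Risk Rating scale, with "Extreme" standing in for the matrix slide's "Very High"; the treatment wording is condensed from the Risk Rating table; and the sample risk register is constructed for illustration.

```python
from dataclasses import dataclass

# 1-5 scales from the Probability Index and Impact Rating slides.
LIKELIHOOD = {"Remote": 1, "Unlikely": 2, "Possible": 3, "Likely": 4, "Almost Certain": 5}
CONSEQUENCE = {"Insignificant": 1, "Minor": 2, "Moderate": 3, "Major": 4, "Catastrophic": 5}

# Risk Rating slide: product score -> risk level.
RISK_BANDS = {
    "Extreme": {20, 25},
    "High": {10, 12, 15, 16},
    "Medium": {5, 8, 9},
    "Low": {1, 2, 3, 4, 6},
}

# Treatment priority, condensed from the Risk Rating table (assumption: wording is ours).
TREATMENT = {
    "Extreme": "not tolerable: immediate controls, highest priority",
    "High": "not tolerable: controls with high priority",
    "Medium": "tolerable: controls with low priority, monitor for escalation",
    "Low": "tolerable: monitor for escalation, continual improvement",
}


def likelihood_rating(probability: float) -> int:
    """Map an estimated probability (0.0-1.0) onto the 1-5 Probability Index.

    Band edges follow the slide (<1%, 1-15%, 16-30%, 31-50%, >50%). The slide
    leaves gaps such as 15.5%; this function assigns them to the lower band
    (an assumption made here, not something the slide states).
    """
    if not 0.0 <= probability <= 1.0:
        raise ValueError("probability must be between 0 and 1")
    if probability < 0.01:
        return 1
    if probability <= 0.15:
        return 2
    if probability <= 0.30:
        return 3
    if probability <= 0.50:
        return 4
    return 5


def risk_score(likelihood: int, consequence: int) -> int:
    """Risk = Likelihood x Consequence, both on the 1-5 scales."""
    if likelihood not in range(1, 6) or consequence not in range(1, 6):
        raise ValueError("ratings must be integers from 1 to 5")
    return likelihood * consequence


def risk_level(score: int) -> str:
    """Translate a product score into the slide's risk level."""
    for level, scores in RISK_BANDS.items():
        if score in scores:
            return level
    raise ValueError(f"{score} is not a product of two 1-5 ratings")


def risk_matrix() -> dict:
    """Build the 5x5 heat map: (likelihood name, consequence name) -> level.

    Assumption: each cell is the product of the two ratings mapped through
    RISK_BANDS; the slide only shows colours.
    """
    return {
        (l_name, c_name): risk_level(risk_score(l, c))
        for l_name, l in LIKELIHOOD.items()
        for c_name, c in CONSEQUENCE.items()
    }


@dataclass
class RiskEntry:
    risk: str
    probability: float   # estimated chance of the event occurring in the period
    consequence: str     # one of the CONSEQUENCE names


def assess(register: list) -> list:
    """Score every register entry and return them ordered highest risk first."""
    results = []
    for entry in register:
        lik = likelihood_rating(entry.probability)
        con = CONSEQUENCE[entry.consequence]
        score = risk_score(lik, con)
        level = risk_level(score)
        results.append({
            "risk": entry.risk,
            "likelihood": lik,
            "consequence": con,
            "score": score,
            "level": level,
            "treatment": TREATMENT[level],
        })
    return sorted(results, key=lambda r: r["score"], reverse=True)


# Constructed sample register: illustrative values, not taken from the slides.
SAMPLE_REGISTER = [
    RiskEntry("Unpatched internet-facing customer portal", 0.60, "Major"),
    RiskEntry("Key supplier fails to deliver on time", 0.25, "Moderate"),
    RiskEntry("Regional flooding closes the main site", 0.005, "Catastrophic"),
    RiskEntry("Loss of the only trained risk coordinator", 0.10, "Minor"),
]

if __name__ == "__main__":
    for r in assess(SAMPLE_REGISTER):
        print(f"{r['score']:>2} {r['level']:<8} {r['risk']} -> {r['treatment']}")
```

Running the block lists the constructed register from the Extreme-rated portal (5 x 4 = 20) down to the Low-rated coordinator entry (2 x 2 = 4). Note that the remote-but-catastrophic flooding entry scores 5 and lands in Medium: the product scale compresses very low likelihood against very high impact, which is exactly the kind of case the Risk Evaluation slide says must still be judged against the level of control and the potential losses rather than by the number alone.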

Session 6
Risk Treatment

RISK TREATMENT
• The purpose of risk treatment is to select and implement options for addressing risk.
• Selecting the most appropriate risk treatment option involves balancing the potential benefits derived in relation to the achievement of the objectives against the costs, effort or disadvantages of implementation.
RISK TREATMENT
• The purpose of risk treatment plans is to specify how the chosen treatment options will be implemented, so that the arrangements are understood by those involved and progress against the plan can be monitored.
• The treatment plan should clearly identify the order in which risk treatments should be implemented.
• Treatment plans should be integrated into the management plans and processes of the organization, in consultation with appropriate stakeholders.

Treatment strategy (RATA) | Types of mitigation
Reduce risk (Minimize): minimizing the likelihood of the risk happening and/or the severity of the loss after the risk occurs | Preventive (reduce likelihood); Recovery (reduce impact)
Accept risk: informed decision to take a particular risk; accepting the loss, or benefit of gain, from a risk when it occurs | Recovery (reduce impact)
Transfer risk (Sharing): form of risk treatment involving the agreed distribution of risk with other parties; sharing with another party the burden of loss or the benefit of gain from a risk, and the measures to reduce a risk | Recovery (reduce impact)
Avoid risk: informed decision not to be involved in, or to withdraw from, an activity in order not to be exposed to a particular risk. Involves taking steps to: i. remove a threat/hazard, ii. engage in an alternative activity, or iii. manage a specific exposure | Review/reconsider the objective
Session 7

Communication, Monitoring & Review

COMMUNICATION AND CONSULTATION
The purpose is to assist relevant stakeholders in understanding risk, the basis on which decisions are made and the reasons why particular actions are required.
Communication seeks to promote awareness and understanding of risk.
Consultation involves obtaining feedback and information to support decision-making.

MONITORING & REVIEW

• The purpose is to assure and improve the quality and effectiveness of process design, implementation and outcomes.
• Ongoing monitoring and periodic review of the risk management process and its outcomes should be a planned part of the risk management process, with responsibilities clearly defined.
• Monitoring and review should take place in all stages of the process; it includes planning, gathering and analysing information, recording results and providing feedback.
• The results of monitoring and review should be incorporated throughout the organisation’s performance management, measurement and reporting activities.
MONITORING & REVIEW

Rating | Description
Very Good | Management is aware and manages risks well. Mitigations are strong and sufficiently robust to manage risks adequately. Compliance is in place.
Good | No major issues with controls & compliance. Mitigations are adequate and sufficiently robust.
Satisfactory | Mitigations and compliance are generally in place. Minimal mitigation issues.
Unsatisfactory | Mitigations are inadequate and not sufficiently robust to manage risks. A large number of mitigation lapses and/or non-compliance issues.
Poor | Absence of mitigations. Non-compliance with policies and procedures. General lack of compliance culture.

RECORDING AND REPORTING

• The risk management process and its outcomes should be documented and reported through appropriate mechanisms.
• Recording and reporting aims to:
  • communicate risk management activities and outcomes across the organization;
  • provide information for decision-making;
  • improve risk management activities;
  • assist interaction with stakeholders, including those with responsibility and accountability for risk management activities.
Session 8

RISK MANAGEMENT CULTURE

Culture – Internal risk to projects

Building culture is a process of developing:
• People in the organization who think and plan projects effectively
• Support by company systems
• Encouraging people to think and plan effectively
• A culture of the “what-if” approach
• Inculcating a culture of theoretical (could happen) and practical (likely to happen) risks
DEVELOPMENT OF RISK MANAGEMENT CULTURE

CULTURE | MANAGE | TRAINING
• Risk is the way work is done | • Include risk in all planning | • Train employees to see risk while doing their job

Preparing the Organization

Culture is the way of doing work.
Risk management is likely to fail if the organization does not address risk in the way work is done;
Risk management / the risk matrix is part of the planning process in organizations.
Zainorni Mohd Janis
03- 5544 6231
email :
[email protected]
