Over the years there have been many changes and additions to ISO 9001. In my opinion some have been, at best, neutral (see: all of ISO 9001 : 2008), while others have been potentially extremely useful game-changers (see: ISO 9001:2015 clause 4, the Context of the Organisation).
Clause 6.1 is one of those changes that falls into the potentially very useful game-changing category. Prior to this change, ISO 9001 didn’t even address the issue of risk. Not once. Not even to perpetuate the view that risk is nothing more than a dangerous grab-bag of big, scary negatives.
ISO 9001’s new approach to risk is well-fleshed out, usefully structured, and much more reflective of what risk actually means for your organisation.
ISO 9001 recognises not only that risk exists and that it poses challenges for organisations, but also that it presents organisations with many potential opportunities. Like community worker Bangambiki Habyarimana said in his book The Great Pearl of Wisdom, “opportunity and risk come in Pairs”.
Changing Your Mindset Around Risk
Here at Mango we’ve had to change our mindset around risk, too. Our business mentor John Barr convinced us not to see risk as a negative chore to be waded through several times a year. Rather, he encouraged us view risk as something positive: he told us to “Celebrate risks. Celebrate weaknesses”. Risk is not just where you’ll find the things that could bring you down. Risk is also the place where you’ll find a myriad of opportunities that can lift you up.
Let me give you an example. Let’s say that in your business that you don’t have particular product that some of your customers have stated a need for. Without this product you risk losing those existing customers. Even worse, without this product you risk being unable to attract new custom. Without this new product the risk to the health of your business is definitely there. But – and it’s a big but – your customers’ new need also presents an opportunity. If you develop a product to meet this need, you could keep existing customers – dare I say, you’ll be delighting them - as well as win new ones. New product = potential profit loss. On the other hand, new product = potential profit gain.
This is where things can get tricky. Say, for example, that your team decides accentuate the positive and go ahead and develop the new product. All of a sudden a new set of risks is revealed…for example, you run the risk of not having enough competent staff to do the work. You may not deliver what is needed on time. You run the risk of diverting resources away from other product lines. But – there’s that word again – on the upside, hiring and training new start may unlock a whole new set of potential products. New staff may actually make it easier to meet other deadlines. Again, risk and opportunity come in pairs.
It’s very important that you realise that it’s your duty as an organisation to have an action plan for your both risks and opportunities. The good news is, if you’ve been following along with Mango on our journey towards certification, you will have already done a lot of the groundwork relating to risk and opportunity. Remember the work you did when you determined the context of the organisation and the interested parties for clause 4? During that process you will have carried out a SWOT analysis. From your SWOT analysis you’ll be able to firstly identify the risks associated with the context of your organisation and with third parties. Second, you can use the SWOT analysis to identify the opportunities that your organisation can act on to enhance your desired results.
Once you’ve identified the risks and opportunities, you’ve always got a variety of choices in how to proceed. When dealing with risk, you can at any time chose one or more of these options:
- Eliminate the risk source
- Change the likelihood or consequence/s
- Avoid the risk
- Share the risk
- Retain the risk by informed decision
- Take risk in order to pursue an opportunity
When dealing with opportunities, you also have a number of options on the table:
- Adopt new practices
- Launch new products
- Open new markets
- Address new customers
- Build partnerships
- Use new technology
- Other desirable and viable possibilities to address the organisation’s or its customer needs
Here’s how the process worked at Mango - we reviewed the work we did during our SWOT analysis. We then held a brainstorming session with our staff. We talked through our risks and opportunities and documented all of them into the Risk module in Mango. From there Mango has a workflow that documents action plans to prevent/minimise risks or enhance the opportunities. This became our action plan.
One of the risks we identified for Mango is currency fluctuations. If the New Zealand dollar was to drop significantly against other currencies then Mango would be exposed. This would negatively impact Mango’s profits. To manage this risk we have chosen to review the international exchange rate on a daily basis. Mango may hedge against this drop. This approach is a combination of changing the consequences and retaining the risk by informed decision.
One of the opportunities we identified was if Mango developed a new feature that increased the chance of closing some sales deals. As a result we have created a development roadmap to enhance Mango so that some sales deals may close faster.
We then captured all the risks and opportunities and their associated actions onto a risk register in Mango. On a monthly basis we review these risks and opportunities - and any others that have popped up - in a management team meeting to ensure that they are being well managed. It’s not just about avoiding being blindsided, it’s also about being ready to seize opportunities when they arise. A big pat on the back to ISO 9001 for acknowledging this important game-changer.
Here is a list of takeaways that will help you achieve this clause:
- Review your SWOT analysis
- Meet with your team and brainstorm
- Outline how you will reduce or remove risks from occurring
- Outline how you will take advantage of new opportunities
- Continually re-evaluate risks and opportunities at management meetings
- Encourage and allow your employees to contribute towards the risk register
View previous blogs in this series "How to Implement a QMS and Achieve ISO 9001 Certification":
How to Implement a QMS and Achieve ISO 9001 Certification - Part 1: Introduction
How to Implement a QMS and Achieve ISO 9001 Certification - Part 2: Customer Focus
How to Implement a QMS and Achieve ISO 9001 Certification - Part 3: Leadership
How to Implement a QMS and Achieve ISO 9001 Certification - Part 4: Engagement of People
How to Implement a QMS and Achieve ISO 9001 Certification - Part 5: Process Approach
How to Implement a QMS and Achieve ISO 9001 Certification - Part 6: Improvement
How to Implement a QMS and Achieve ISO 9001 Certification - Part 7: Evidence Based Decision Making
How to Implement a QMS and Achieve ISO 9001 Certification - Part 8: Relationship Management
How to Implement a QMS and Achieve ISO 9001 Certification - Part 9: Clauses 0.1, 0.2, 0.3, 1, 2 and 3 of ISO 9001:2015
How to Implement a QMS and Achieve ISO 9001 Certification - Part 10: Clauses 4.1, 4.2, 4.3 and 4.4 – Context, Interested Parties, Scope, QMS
How to Implement a QMS and Achieve ISO 9001 Certification - Part 11: Clauses 5.1 Leadership and Commitment
How to Implement a QMS and Achieve ISO 9001 Certification - Part 12: Clause 5.2 Policy
How to Implement a QMS and Achieve ISO 9001 Certification - Part 13: Clause 5.3 Roles, Responsibilities and Authorities