High Level Structure – Actions to address risks and opportunities
The High Level Structure (HLS) for management systems (followed by, for example, ISO 9001:2015, ISO 14001:2015 and ISO 45001:2018) states the following requirements for clause 6.1:
What does the High Level Structure (HLS) say?
6.1 Actions to address risks and opportunities
When planning for the management system, the organization shall consider the issues referred to in 4.1 and the requirements referred to in 4.2 and determine the risks and opportunities that need to be addressed to:
- give assurance that the management system can achieve its intended outcome(s);
- prevent, or reduce, undesired effects;
- achieve continual improvement.
The organization shall plan:
- actions to address these risks and opportunities;
- how to:
  - integrate and implement the actions into its management system processes;
  - evaluate the effectiveness of these actions.
How have the specific standards addressed these requirements?
ISO 9001:2015 Quality management systems has introduced only a slight change: ‘enhance desirable effects’ is added to the list of purposes for which risks and opportunities are determined, and actions taken to address risks and opportunities must be proportionate to the potential impact on the conformity of products and services. Additionally, two NOTES have been added to clause 6.1.2:
NOTE 1: Options to address risks can include avoiding risk, taking risk in order to pursue an opportunity, eliminating the risk source, changing the likelihood or consequences, sharing the risk, or retaining risk by informed decision.
NOTE 2: Opportunities can lead to the adoption of new practices, launching new products, opening new markets, addressing new customers, building partnerships, using new technology and other desirable and viable possibilities to address the organization’s or its customers’ needs.
ISO 14001:2015 Environmental management systems has added that, when planning for the EMS, an organization shall also consider the scope of its environmental management system (as per clause 4.3). Potential emergency situations, including those that can have an environmental impact, are also determined at this stage. ISO 14001 also requires documented information to be maintained of its:
- Risks and opportunities that need to be addressed
- Process(es) needed in 6.1.1 to 6.1.4, to the extent necessary to have confidence they are carried out as planned
ISO 45001:2018 Occupational Health and Safety has, as expected, included consideration of the effective participation of workers, as well as a requirement to take into account:
- Hazards, OH&S risks and opportunities (and other risks and opportunities)
- Applicable legal requirements and other requirements
So, what does this mean in the real world?
This process will help to:
- Develop an understanding of the risk
- Consider the positive and/or negative consequences
- Determine the likelihood of those consequences occurring
- Determine if an event may have multiple consequences
- Take into account existing controls
What’s an example of this?
In the context of a quality management system, this might be:
A person is considering borrowing a large sum of money to open a coffee shop.
The opportunity is that lots of customers will come, the shop will make lots of money and the owner will be able to open more stores in the foreseeable future.
Some of the risks are:
- Not enough customers will come
- Someone else may also open a coffee shop
- A supplier may not be able to supply the coffee beans
- The shop may get broken into
- Staff may leave
- They will not be able to pay the bank back the money
In the context of an environmental management system, this might be:
If a business operates a fleet of trucks, part of running that fleet would include routine maintenance (servicing, oil changes etc.).
An environmental aspect of this activity would be the discharge of oily wastes, with an associated impact of soil pollution.
Risks might be:
- Fines
- Clean-up costs
Opportunities might be:
- Recycling oily wastes, which in turn would lead to:
  - Reduced operating costs
Documenting identified risks and opportunities
Once risks and opportunities are identified, they need to be documented.
This documentation is often in the form of a risk register, and normally includes such things as:
- The risk source
- The possible event that could happen (and there may be more than one)
- The likelihood of the event occurring
- The consequence/impact if the event occurred (and there may be more than one)
- The risk rating for each possible event
…and then depending upon the severity of the risk,
- Appropriate controls to manage or mitigate the risk
Finally, the risk rating is recalculated on the assumption that the controls have been applied; this is typically called the Residual Risk.
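The register described above, as an added worked example that is not part of the original article: a small Python implementation of a risk register that records a risk source, its possible events (more than one per source), the consequences of each event (more than one per event), a rating for each event, the planned controls, and the residual rating once those controls are assumed to be in place. The standards do not prescribe a scoring method, so the 5 x 5 likelihood-by-consequence scale, the band thresholds, the way controls are modelled as step reductions, and the sample entries for the truck-fleet oily-waste aspect are all assumptions constructed for this example.

```python
from dataclasses import dataclass, field

# Assumption: a 1..5 scale for both likelihood and consequence. The HLS does not
# prescribe a scoring scheme; this one is illustrative only.
SCALE = range(1, 6)


def band(rating: int) -> str:
    """Map a likelihood x consequence product (1..25) to a band. Thresholds are illustrative."""
    if rating >= 15:
        return "Extreme"
    if rating >= 10:
        return "High"
    if rating >= 5:
        return "Medium"
    return "Low"


@dataclass
class Consequence:
    description: str
    severity: int  # 1 (negligible) .. 5 (catastrophic)


@dataclass
class Control:
    description: str
    likelihood_reduction: int = 0  # steps the control takes off the event's likelihood
    severity_reduction: int = 0    # steps the control takes off every consequence


@dataclass
class Event:
    description: str
    likelihood: int  # 1 (rare) .. 5 (almost certain)
    consequences: list[Consequence]
    controls: list[Control] = field(default_factory=list)


def clamp(value: int) -> int:
    """Keep a score on the scale: controls can lower a score to 1 but never to 0."""
    return max(SCALE.start, min(value, SCALE.stop - 1))


def validate(event: Event) -> None:
    """Reject entries that are off the scale or have no consequence recorded."""
    if event.likelihood not in SCALE:
        raise ValueError(f"{event.description!r}: likelihood {event.likelihood} not in {list(SCALE)}")
    if not event.consequences:
        raise ValueError(f"{event.description!r}: an event needs at least one consequence")
    for c in event.consequences:
        if c.severity not in SCALE:
            raise ValueError(f"{c.description!r}: severity {c.severity} not in {list(SCALE)}")


def inherent_rating(event: Event) -> int:
    """Rating before controls: likelihood times the worst of the event's consequences."""
    return event.likelihood * max(c.severity for c in event.consequences)


def residual_rating(event: Event) -> int:
    """Rating after the planned controls: reductions are summed and applied per axis."""
    likelihood = clamp(event.likelihood - sum(k.likelihood_reduction for k in event.controls))
    severity_cut = sum(k.severity_reduction for k in event.controls)
    worst = max(clamp(c.severity - severity_cut) for c in event.consequences)
    return likelihood * worst


def build_register(source: str, events: list[Event]) -> list[dict]:
    """One register row per possible event, carrying both inherent and residual ratings."""
    rows = []
    for ev in events:
        validate(ev)
        inherent, residual = inherent_rating(ev), residual_rating(ev)
        rows.append({
            "source": source,
            "event": ev.description,
            "likelihood": ev.likelihood,
            "consequences": [f"{c.description} ({c.severity})" for c in ev.consequences],
            "inherent": inherent,
            "inherent_band": band(inherent),
            "controls": [k.description for k in ev.controls],
            "residual": residual,
            "residual_band": band(residual),
        })
    return rows


# Constructed sample entries for the truck-fleet aspect discussed above (not real data).
OILY_WASTE_EVENTS = [
    Event(
        "Used oil spilled on unsealed ground during servicing",
        likelihood=3,
        consequences=[Consequence("Soil contamination", 4),
                      Consequence("Regulatory fine", 3),
                      Consequence("Clean-up costs", 3)],
        controls=[Control("Sealed servicing bay with drip trays", likelihood_reduction=2),
                  Control("Spill kit on site, staff trained in its use", severity_reduction=1)],
    ),
    Event(
        "Stored waste-oil drum leaks",
        likelihood=2,
        consequences=[Consequence("Soil contamination", 4)],
        controls=[Control("Bunded storage, inspected weekly", likelihood_reduction=1)],
    ),
]


def render(rows: list[dict]) -> str:
    """Plain-text summary, one line per event."""
    return "\n".join(f"{r['event']}: inherent {r['inherent']} ({r['inherent_band']}), "
                     f"residual {r['residual']} ({r['residual_band']})" for r in rows)


if __name__ == "__main__":
    print(render(build_register("Truck maintenance: discharge of oily wastes", OILY_WASTE_EVENTS)))
```

Two design choices are worth noting. An event's rating is driven by its worst consequence, so adding a second, lesser consequence never lowers the rating; and a control that removes a likelihood step cannot push the residual likelihood to zero, which keeps a "fully controlled" risk visible in the register rather than letting it disappear.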
Image source: iStock/ilkercelik & iStock/Peter_Polkorab