The High Level Structure (HLS) for management systems (which could be ISO 9001:2015, ISO 14001:2015 and ISO 45001:2018) states the following requirements for clause 6.1:
6.1 Actions to address risks and opportunities
When planning for the management system, the organization shall consider the issues referred to in 4.1 and the requirements referred to in 4.2 and determine the risks and opportunities that need to be addressed to:
- give assurance that the management system can achieve its intended outcome(s);
- prevent, or reduce, undesired effects;
- achieve continual improvement.
The organization shall plan:
- actions to address these risks and opportunities;
- how to:
  - integrate and implement the actions into its management system processes;
  - evaluate the effectiveness of these actions.
ISO 9001:2015 Quality management systems has introduced only a slight change, with the inclusion of ‘enhancing desirable effects’ as a requirement to be addressed and, of course, a focus on actions taken to address risks and opportunities being proportionate to the potential impact on the conformity of products and services. Additionally, a couple of NOTES have been added to clause 6.1.2:
NOTE 1: Options to address risks can include avoiding risk, taking risk in order to pursue an opportunity, eliminating the risk source, changing the likelihood or consequences, sharing the risk, or retaining risk by informed decision.
NOTE 2: Opportunities can lead to the adoption of new practices, launching new products, opening new markets, addressing new customers, building partnerships, using new technology and other desirable and viable possibilities to address the organization’s or its customers’ needs.
ISO 14001:2015 Environmental management systems adds that, when planning for the EMS, an organization shall also consider the scope of its environmental management system (as per clause 4.3). Potential emergency situations impacting the environment can also be determined at this stage. ISO 14001 also requires documented information to be maintained of its:
ISO 45001:2018 Occupational Health and Safety has of course included the consideration of the effective participation of workers, as well as a requirement to take into account
This process will help to:
In the context of a quality management system, this might be:
A person is considering borrowing a large sum of money to open a coffee shop.
The opportunity is that lots of customers will come, the owner will make lots of money, and they will be able to open more stores in the foreseeable future.
Some of the risks are:
In the context of an environmental management system, this might be:
If a business operates a fleet of trucks, part of that service would include routine maintenance (servicing and oil changes etc.).
An Aspect of this would be the discharge of oily wastes with an impact of soil pollution.
Risks might be:
Opportunities might be:
Once risks and opportunities are identified, they need to be documented.
This documentation is often in the form of a risk register, and normally includes such things as:
…and then depending upon the severity of the risk,
Finally, the risk rating is calculated after the controls have been applied (which is typically called the Residual Risk).