Is Risk Identification and Treatment a Process?

[Peter Fraser]

I have been promoting that concept for over 20 years now.

Sidney
A pity that ISO has not been as enlightened...!

 

[Jen Kirley]

The problem with calling it a process is that some registrars have an expectation that this process would also have KPI/objective/target(s). What would that be?

It could depend on how this is done. Does a responsible, competent person/group periodically perform it on a wide scale using inputs and generate output for all those other processes? (clause 8.1 links back to clause 6) I would expect this approach in a less mature system. We could recognize it as a process, which would be audited on its own like we have done with other standards for many years.

Or, is it done by responsible persons within the processes to address identified risks and opportunities as they arise? A more mature system might succeed with this approach, as long as the actions don't negatively impact other processes or activities. This could be included as an input in process auditing, and as such the output of the process represents a success metric.

The standard does not stipulate either of these or any other specific way to handle it, but the Auditing Practices Group guidance paper on Risk Based Thinking lists many options, almost none of which could be pointed to as requiring it to be called a process.

 

[Sidney Vianna]

Sidney
A pity that ISO has not been as enlightened...!

9001:2015 5.1.1.c) would give us a glimpse of hope. In my opinion, one of the most important new requirements in the standard, but, based on my experience it is one of those requirements that will be selectively disregarded.

 

[Jen Kirley]

9001:2015 5.1.1.c) would give us a glimpse of hope. In my opinion, one of the most important new requirements in the standard, but, based on my experience it is one of those documents that will be selectively disregarded.

I can imagine 5.1.1c) is not meant to apply to this, but to make it clear that the ISO clauses don't run like a list of checklist "shalls" running in tangent to (we hope, even in parallel if not "in conjunction with" or "as a part of" or, dare I hope, "as a critical component of") business processes. We have been laboring for quite some time to clarify that QMS principles are not only sensible, but profitable. My take is that the standard is trying to add credibility to that assumption. Of course, I am not in the Technical Committee so I am just guessing...

 

[randomname]

9001 has the purpose of embedding controls in business processes to help ensure that the product/service is conforming and customers get what they want. 14001 has the intent of building in controls to ensure that environmental requirements are met. Same is true for financial controls, safety controls, etc. That's why many say that 9001 has always been about risk management, it's just that the writers didn't have the cajones to use those words. What a shame.

 

[melshahat]

Whether you're going to call it a process or an activity or whatever it's up to you. To address risks and opportunities just take into your account:
1- The size of your organization and its context,
2- The complexity of your processes,
3- The competencies of the people who’re doing the job.

Risk identification and treatment are two sub-processes of any typical risk management process. If you're working in a small business, just filling a risk registrar after a brain storming session about associated risks to your company might be helpful.

On the other hand, if you're working in a medium or large corporation, a detailed risk management process should be implemented, a certain budget will be needed, risk workshop will be held, etc.

I hope this is helpful to your question.

Mohammad Elshahat