I actually found it quite difficult to form a clear opinion about this new requirement when all we had to go off was academic discussion and argument, now we have the benefit of a few concrete worked examples to play with, my thoughts are becoming clear and … it could work.
The New Definition of Risk
Redefining “risk” as the effect of uncertainty caused me both confusion and concern. Frankly I didn’t see the point in messing with a definition based on likelihood x severity – it actually works and is hard wired into so many business processes. But I’m now coming round to it …
The penny dropped when I was working with the API Q9 standard earlier in the year. This standard has risk treatment ingrained front to back, more or less, and requires that uncertainties (risks) are identified, assessed and covered with contingency as appropriate. That’s it. Deming said years ago that not all management information was known or even knowable and all the standard is asking is that companies take account for the unknown and unknowable in the form of planning contingencies. A company, let’s say, could be reliant on a single supplier – what happens if that supplier has problems or starts abusing its position? In this case a contingency of a back up supplier would be prudent. Do the distribution processes take account of transport infrastructure disruption or weather? Can the production facility cope with infrastructure failure or a loss of internet access?
Upside and Downside Risk
This thought process also helped me to get to grips with another concept I’d been struggling with – upside risk. I had no problem understanding that upside risk was a piece of good fortune, but I did struggle to understand how a management system could be expected to plan for it, but again here’s an example. Let’s say a company launches a new product. In basic terms things can go OK, or they can go less than OK, or they can go better than OK. Just as a management system is expected to apply appropriate contingency to account for undesirable events (downside risks), it naturally should also take reasonable account for better than desirable events, because that sometimes happens. In other words, if things go brilliantly well, how does the company cope? There’s your upside risk. I’ve actually had numerous clients that have found themselves victims of their own success when demand has outstripped their ability to supply. It isn’t uncommon.
The treatment of the requirement to manage “Opportunities” is a car crash waiting to happen, in my opinion. The reason I say this is because there is no normative reference for the term “Opportunity” in either Annex SL or ISO 9000:2015, so we are very much at the mercy of the linguistic interpretations of our auditor .. Oh dear.
How would I interpret it? Well, in my working life, the closest thing I’ve encountered to a systematic management of “Opportunities” has been an Investment Appraisal process. That’s a process by which, prior to any decisions being made at a high level, the management are presented with projections that usually outline best, worst and most probable case scenarios, along with projected costs, benefits, risks and obstacles. Management will then usually make a judgement based on that information, along with a few other considerations, such as whether the venture fits with current Policy or the Brand, whether the company has cash on hand to fund the project and so on. As an example, British Nuclear Group may spot an Opportunity to make a killing by opening a bakery on each of its major facilities. Financially that might make good sense, but is it something an organisation like that should be doing?
Often the result of discussion is the approval of a pilot or a controlled trial and error project, but it is a hugely complex decision making process, much more complex than weighing up cost versus benefit and seeing which is bigger.
What will happen as ISO 9001:2015 assessments begin in anger? My fear is that a lowest common denominator will be found. That is, what is the least a company need do to comply? If I were a betting man I would put a decent amount on that being a retitling of the the “Preventive Action” procedure to something like “Management of Risks” and a superficial and pointless SWOT analysis being pasted into the Management Review process. Let’s hope we’re better than that.
You can find more ISO 9001:2015 articles here
And more articles on a range of risk management themes, techniques and approaches here
Find out more about Capable People, our work, and our fantastic clients at CapablePeople.net
IRCA Approved ISO 9001:2015 Transition Courses delivered worldwide.