Risk Management Part 1 – Concepts and Definitions
The latest modifications of the ISO 9001, IATF 16949 and ISO 14001 standards have incorporated Risk Management as a requirement to be considered in the processes that make up the organizations management systems. The intention is to ensure that the objectives of the management systems are achieved, to increase the desired effects, to prevent or reduce undesirable effects and to accomplish the improvement.
With this first chapter of a series of articles, we propose a simple and logical methodology to meet the new regulatory requirements for risk management in management systems within organizations.
It is important to define and understand a couple of concepts before starting the risk analysis:
- Risk: “Effect of uncertainty” as defined in ISO 9000:2015 Fundamentals and vocabulary
- Uncertainty: “State, even partial, of information deficiency related to the understanding or knowledge of an event, its consequence or probability”
- Risk is, then, the effect of not understanding or ignoring an event, its consequence or probability
In this definition, we find 3 basic elements of risk analysis:
- Event: Something that happens or can happen (potential) that is a deviation from what is expected
- Consequence: Effect or impact of the event on the stakeholders of the management system
- Probability: Estimated occurrence or possibility of event occurring
From the understanding of these concepts we conclude that:
- The greatest risk is not knowing what events can happen in the management system processes
- The risk is higher when we don’t understand the events that can happen in the management system processes
- The risk increases as the severity of the consequences increases if the event occurs
- The risk increases when the probability of the event increments