Today I want to explain how your organization should take control of risk factors and ensure that your organization take opportunities instead of missing them.

When planning for a management system, the organization must consider the issues referred to in understanding the organization and its context (4.1) pertinent internal and external issues as well as requirements referred to in understanding the needs and expectations of interested parties. (4.2) Determine the risks and opportunities that need to be addressed to give assurance that the management system can achieve its intended results. Prevent or reduce undesired effects and lastly achieve continual improvement.

Following types and categories of risks are determined and addressed:

NB. ISO (International Organization for Standardization) does not define specific types of risks that need to be determined and addressed. In determining the scope of risk management, remember that risk related requirements replace the requirements for preventive actions that were required in the previous editions of standards.

The list below is probably the most minimalist scope acceptable:

 Processes: risks of nonconforming output, process breakdown, process inefficiency,excessive variability, etc.

 Quality: risk of defects and non attainment of specified requirements

 Suppliers: risk of defects and non attainment of specified requirements

 Business: risks to business continuity, data loss, public relations, etc.;

Risk Evaluation Process: Risk evaluation should become embedded into your organization’s day-to-day operations and should be addressed at all levels throughout your organization. The overall aim of risk evaluation is to ensure that organizational capabilities and resources are employed in an efficient and effective manner to manage opportunities and threats. Risk evaluation can be represented as a seven step, cyclical process:

Risk levels are evaluated using appropriate risk evaluation and analysis methods. When risk levels are high, appropriate risks reduction actions are implemented and integrated into system processes. Risk reduction actions are proportionate to the potential impact on the conformity of products and services.

The assessment of the severity of a risk should drive management attention and supports the planning for risk mitigation. Quantitative Risk Assessments (QRA) can be undertaken to provide an improved understanding of the risk profile and derive a more detailed understanding of certain cost and time risks. The output of QRA can also support decision making and monitoring of risk management activities.

Opportunities:An opportunity is a set of circumstances which makes it possible to do positive things, for example:

- Develop new products and services

- Develop new markets and/or increase market share

- Improve work environment

- Improve productivity

Opportunities may be identified as positive effects of risks, forcing implementation of a risk reduction measure that is beneficial in a broader context than just reducing this particular risk. For example, health risks may require measures to improve working environment. These measures also create opportunities to attract better qualified employees, improve morale and job satisfaction, and reduce expenses.