With ISO 9001:2015 came the risk-based approach, and with ISO 9000:2015 came a definition of risk:
"Risk - effect of uncertainty
Note 1 to entry: An effect is a deviation from the expected"
It took me just over two years to realize the importance of Note 1 and formulate this approach:
"Therefore, in a strategic approach, the policy must be broken down into objectives for the management system (MS). These objectives cannot be established in a vacuum, but must consider the external context of the organization, its internal reality, and the expectations and values of relevant interested parties.
...
Assessing the external context, internal reality, and interested parties' expectations and values allows for the identification of a set of risks that could hinder the company's ability to achieve its performance objectives, as well as a set of opportunities that could potentially benefit the company's ability to reach its performance targets. These risks and opportunities should be evaluated, and actions should be taken to minimize risks and capitalize on opportunities, based on priorities. These actions will be part of achieving the objectives of the desired future MS.
...
Thus, clauses 4.1 and 4.2 of ISO 9001:2015 refer to a moment prior to defining objectives aligned with the policy, influencing them. Meanwhile, clause 6.1 of ISO 9001:2015 refers to a moment after defining objectives, which may contradict or benefit their fulfillment."
This means that we should not determine risks and opportunities in the abstract, but rather in relation to the objectives of the management system. Failing to do so runs the serious risk of generating long lists of risks and opportunities from free brainstorming, with little added value for the organization.
I had never looked for the definition of risk in ISO 31000 ... until some weeks ago.
According to ISO 31000, risk is defined as the effect of uncertainty on objectives. This implies that risk is the possibility of a positive or negative deviation from an organization's objectives. Uncertainty is the state of having incomplete or imperfect information about an event, its consequences, or its likelihood.
The relationship between risk and uncertainty is that uncertainty is the source of risk; risk cannot exist without uncertainty. If you know with certainty what will happen, there is no risk. If you do not know with certainty what will happen, there is risk.
The ISO 31000 definition matters because it makes clear that risk is not just the probability of something happening. It is also the effect that event would have on the organization's objectives, which is why risk cannot be assessed without first knowing the objectives.
Here are some examples of how uncertainty leads to risk:
- A company planning to launch a new product is uncertain about how the product will be received by consumers. This uncertainty becomes a risk if the product is not well received and the company loses money.
- A bank is uncertain about the future of the economy. This uncertainty becomes a risk if the economy takes a downturn and the bank loses money.
- A government is uncertain about the future political climate. This uncertainty becomes a risk if there is a coup or other political instability.
As you can see, uncertainty can lead to risk in many different ways. It is important for organizations to understand the different types of uncertainty they face and to develop strategies for managing them.
Uncertainty arises from the internal and external context.
How do you determine risks in your MS? Do you take objectives into account?