Risk management is a high priority within every company, regardless of certification efforts. This does not mean that risks are avoided at all costs, just that risks are identified and evaluated, and that decisions are made based on these evaluations.
Risk identification is not part of ISO9001:2008, but will be included in ISO9001:2015, and is included in OHSAS18001 and ISO14001. Despite subtle differences, the latter certifications will pave the way for the ISO9001:2015 certificate for companies which already have those in place.
While the importance of risk identification is unquestionable and the strategies for performing this identification differ wildly, at their core they all deal with the following questions:
- What are the odds of an incident?
- What is the impact of that incident?
- What options do we have to reduce either odds or impact?
These questions look simple on the surface, yet they are hard to answer. Thankfully, the exercise of risk identification is just as important as the answers to those questions. Identification opens the door to making informed decisions, reducing either occurrence or impact where risks are involved and can’t be mitigated. Below are examples of employee risk identification and evaluation questions used in OHSAS18001 or ISO45001:
- What hazard does an employee face?
- What are potential consequences of a hazard?
- If no control measures are in place, what is the likelihood of occurrence? (Pure Risk)
- Given current control measures, what is the likelihood of occurrence?
- What is the effectiveness of current control measures? (Hierarchy)
- How can we improve upon current control measures? (Continuous Improvement)
In addition to the identification and evaluation of risks, these questions force a company to evaluate the control mechanisms that reduce risk. Every step of the PDCA cycle is embedded in these questions, and revisiting the questions makes for continuous improvement.
These questions should be asked and answered throughout the company to get a complete picture of all risks involved, and to allow for the best decision-making process based on identified risks.