Risk based thinking is important to your organization!
More than just psychology
Risk based thinking (RBT) is one of the most profound changes to ISO management systems in recent years, but it is certainly not a psychological term. It is a clearly bounded methodological approach that distributes risk across the full scope of a management system as an integrated business function. The International Organization for Standardization (ISO) has this to say on RBT:
“Risk based thinking ensures these risks are identified, considered and controlled throughout the design and use of the quality management system”.
Although the function of risk based thinking is to manage risk at various critical stages, the true purpose of RBT is more than just creating a systematic, precautionary approach. Instead, you should look at risk based thinking as a form of organizational knowledge. This is important because a badly managed organizational system is immediately apparent to professionals and investors, who often look for more than just certification. This is one of the many reasons why risk based thinking features so heavily in updated standards like ISO 9001:2015 and ISO 14001:2015, and in the highly anticipated ISO 45001 (the new health and safety management standard).
What is badly-managed organizational risk?
The problems start when an organization designs a purely linear process for risk management. This is appropriate, and to some extent logical, during the implementation of a new management system, but once the management system becomes established it can become a considerable burden. During the implementation process risks are considered and managed through a series of periodic fixes rather than through an iterative process, and the whole system becomes dogmatic. Systems like this suffer from a lack of agility.
In order for the organization to learn about new risk, it relies upon a programme of internal audits and management reviews. Risks are therefore considered too infrequently to capture and control emergent threats.
Risks are also often managed centrally by a firm. Organizations commonly lack the insight, scope and flexibility to handle risks that occur at a grass-roots level. Decisions to prevent and mitigate risk can sometimes be delayed because employees do not have the capability to assess risk. Often this happens because employees do not feel empowered or confident enough to take preventative and corrective action in the first place.
What are the signs of poor risk management?
There are 5 common symptoms which could highlight to you that your approach to risk management could be improved:
1. Uncertainty - the organization struggles to collect the right information, or enough of it, about its risks. Checks are too infrequent. The scope of information about the organization's risk is narrow.
2. Complexity - the organization is collecting enormous amounts of information about risk. Decision makers cannot interpret the information. Opportunities are overlooked.
3. Ambiguity - the organization is not able to formulate the correct questions in order to understand its risk. Additional information is useless because risk is not understood.
4. Equivocality - there are multiple interpretations of risk between individuals across the organization. Risk management is mutually exclusive or in conflict. A power struggle usually ensues between individuals with conflicting views and beliefs.
5. Silo mentality (larger organizations) - different business units resist communicating information about risks across the organization. This typically leads to a condition of both uncertainty and equivocality.
Centralised vs. Decentralised
Let’s apply some military-style thinking as an example. During the Battle of Balaclava in 1854, William Howard Russell reported to The Times in London that soldiers at the front of the column were starving and dropping ill from both famine and food contamination.
The government of the time had centralised food distribution. It took days for the chain of command to disembark food supplies from ship to shore. There was also no transport organised to bring the food inland, and communication was so slow that by the time the food arrived it had spoiled. This caused a scandal. The military had to step in to decentralise the supply chain, providing more carts and horses.
The solution was to take all of the officers in charge of provisioning supplies, who had been working from fixed locations, and to distribute them across the army so that one officer was in charge of each unit. This action saved thousands of lives.
You see, it is easy for us to assume that decentralisation always works; it does not. There can still be value in a centralised approach to considering how risks are managed: such options can be less resource intensive and can provide a smarter intelligence base. However, the critical factor at Balaclava was the role that information played in preventing further risk. Ironically, in this case it took the intelligence of a single reporter to save countless thousands of lives.
Of course, the Battle of Balaclava happened many years before ISO management systems were first devised, but the principles remain the same: risk based thinking can enable your organization to gain information as quickly and effectively as possible.
Once you possess this information, you can begin to see risks as a strategic capability and not just a hindrance. Organizational intelligence is simply your ability to gain information.
How to fix the problem
Choose the right risk management tools. Digitization, globalization, deregulation and the speed of competitive rivalry have changed the nature of business almost beyond recognition in recent years. Risks are no longer linear, and many of the tools developed for risk management in the 1980s and 90s are now largely redundant.
This means that consultants and Integrated Management System (IMS) managers need to carefully evaluate which risk management tools they choose to employ. The right management tools enable organizations to evaluate risk, to share this information internally, and to provide legitimate intelligence that may aid business development.
It is also worth appraising new management tools and experimenting with different approaches while your management system is in operation: your management system needs to evolve. Never Stop Improving.
Understand the standards. You need to correctly interpret the terminology applied to ISO management systems. Risk is not always stated explicitly in each ISO standard. Terms like “suitable” and “appropriate” will often imply that you need to demonstrate a balanced approach towards risk based thinking.
You should also assume that risk identification can have a positive impact, and that it can even provide legitimate business opportunities. Fundamentally, your approach must accept risk as a systemic property of a management system. You need to consider all of the functional aspects of your management system, and how effectively risks are identified and controlled in real time.
Transitioning into a risk-intelligent business can take considerable time and experience. The value of implementing an ISO management system (in particular the new 2015 standards) is that it determines the focus for a risk-based approach. But it does not tell you which business tools to apply; this choice is yours.
Risk is now a common thread within ISO standards and is woven throughout ISO 9001:2015, ISO 14001:2015, OHSAS 18001 (soon to be ISO 45001) and ISO 27001:2013.
It is therefore of crucial importance that all systems and quality managers not only understand risk, but also adopt a risk based approach to both thinking and auditing.
Only then will you ensure that you proactively mitigate risks and strive towards continual improvement.
Authored by Simon Cole, Environmental Certification Manager at NQA