ISO 31000 Risk Based Thinking Management Guideline
In February 2018 a revised edition of ISO 31000 Risk Management Guidelines was issued. Although compliance to this standard is not mandated by IATF, it provides some useful guidance in developing a structured approach to risk management. Let’s start with the definition of risk management: “Coordinated activities to direct and control an organization with regard to risk.”
At the beginning of the standard the importance of top management commitment is stressed and that management have to commit to a structured Plan, Do, Check and Act (PDCA) process to manage risk, including:
Integration: This section stresses the importance of integrating a risk management approach into the organization business processes, not as a stand-alone initiative.
Design: When designing a framework for management of risk this needs to be linked to the organization strategic direction and context. There is not an “off the shelf” solution that will suit all!
Articulating risk management commitment: Top Management should communication their commitment to risk management through a policy (could be integrated with the Quality Policy) and ensure the policy is communicated and understood throughout the organization.
Assigning organizational roles, authorities, responsibilities and accountabilities: Top Management should ensure that the authorities,responsibilities and accountabilities for managing risk and clearly assigned and communication. In the context of ISO9001 and IATF 16949, this should be linked to the owners of the QMS processes (IATF 16949: 2016, 18.104.22.168).
Allocating resources: As well as showing their commitment, Top Management need to allocate the appropriate resources to ensure the risk management process is
implemented. From my experience this is an issue in many organizations in the automotive supply chain, especially in committing the resources for the effective implementation of FMEA!
Establishing communication and consultation: In implementing the risk management approach, there needs to be effective internal and external communication (customers, suppliers, regulatory bodies, insurers, etc.) and where relevant consultation, to ensure the risk management process meets the needs of all stakeholders.
Implementation: Once the process is designed and the resources are assigned and available, the next phase is the implementation, which could include developing timing plans and including key review milestones. Evaluation: Once implementation has started Top Management then need to monitor the ongoing effectiveness of the risk management process though review (in ISO9001 and IATF 16949 integrated into the
management review process).
Improvement: Based on the evaluation and the results, the risk management approach then needs to be continually improved and developed, in light of results, or internal or external changes in context. Once the framework for a risk management approach has been developed, we now need to consider the detailed process to apply in practice.
The Core Process in ISO 31000
Scope, context and criteria: The organization should de ne the scope of its risk management activities. The risk management process may be applied at different levels (e.g. strategic, operational, programme, project and other activities). When defining this, ISO31000 suggests consideration is given to:
objectives and decisions that need to be made;
outcomes expected from the steps to be taken in the process;
time, location, speci c inclusions and exclusions;
appropriate risk assessment tools and techniques;
resources required, responsibilities and records to be kept;
relationships with other projects, processes and activities.
Risk assessment including risk identification, analysis and evaluation:
Risk identification: The purpose of risk identification is to find, recognize and
describe risks that might help or prevent an organization achieving its objectives.
The organization should identify risks, whether or not their sources are under its
Risk analysis: The purpose of risk analysis is to understand the nature of risk and
its characteristics including, where appropriate, the level of risk. Risk analysis
involves a detailed consideration of uncertainties, risk sources, consequences,
likelihood, events, scenarios, controls and their effectiveness.
We hope this newsletter brings lots of benefit to your knowledge towards IATF169489. Thank you.