Recent revisions to compliance standards and regulations have introduced changes to the way we think about and manage risk. You can look at: ISO 9001:2015, ISO 31000:2009, ICH Q9, API RP 1173, CSA, NEB, and many others and notice that risk is no longer what it used to mean. You will also notice that the risk tools have also changed, and risk management has taken a different path. Risk is no longer just about managing loss, it has become an optimization strategy to increase the certainty of achieving objectives.
Here are 5 ways in which risk management has changed:
1. Risks are tied to outcomes
Risk management up until now has been focused on loss prevention. Attention is given to understand the probabilities of events that may negatively impact our programs, systems or processes. This has been helpful but often results in risk registers being filled with risks, many of which, that do not really matter. Connecting risks to objectives allows risk managers to know which risks to address and which ones to ignore.
2. The focus of risk is on the effects on objectives
Risk management has also primarily focused on the probabilities of risk events. ISO 31000 changed this focus to "the effects of uncertainty on objectives." This does not remove the consideration of probabilities, however, it does move the analysis more on how objectives will be effected by uncertainty.
One of the benefits of taking this approach is that it can help with risks where prediction is very difficult. For those who are familiar with Black Swans, we know that probabilities are a poor predictor of outcomes. Prioritizing on effects may result in better mitigation than only looking at likelihoods.
3. The effects of risks are both negative and positive
Consideration of both negative and positive effects substantially transforms the value of risk management. Analyzing threats and opportunities advances risk management beyond just driving down risk. Instead, it allows risk to be used as an optimization strategy to increase the certainty of achieving outcomes.
This requires, among other things, that many of the current risk tools (which were significantly influenced by the focus on loss prevention), change to support positive risk and opportunity enablement. Risk managers may also need to take on a more active posture in seeking out opportunities rather than only addressing existing hazards or the effects of failure modes.
4. Risk moves further into operations
Traditional as well as enterprise risk management has until recently focused on extrinsic risk. These are external risks that may impact our business. However, the attention has now moved further into the operations of the business where the focus is on intrinsic risk.
Intrinsic risks are those that are internal to our programs, systems and processes. Identifying these may require an increased knowledge of management systems and manufacturing processes to understand how to best prevent threats or enhance opportunities.
The maturity of applying risk management to production processes is far along in some industries. At the same time, understanding how to identify risks embedded in quality, health and safety, and environmental programs may require additional training and expertise.
5. The role of risk is elevated by risk-based thinking
Some folks have criticized ISO for using the phrase "risk-based thinking" in their ISO 9001:2015 revision of the quality management standard. The major issue has been the lack of prescription on how risk-based thinking should be done. This criticism is reasonable given the fact that many companies up until now have worked mostly with prescriptive regulations using a check-boxed approach to compliance. They have not yet had to deal with the shift to performance-based approaches that many standards and regulatory bodies have recently taken.
The onus is now on each company to figure out the "how" part of risk-based thinking. While this maybe challenging in the short term, it should result in a more comprehensive approach to risk management tailored to each company's risk profile. This is a good thing.
For those that are familiar with "Design Thinking", or "Lean Thinking" will know, the advantage of this type of approach is that it focuses first on the mindset before tools are ever considered. A tools-first approach has often led to inadequate risk assessments due to the lack of understanding of the limitations of the preferred tool. On the other hand, using a risk-based thinking approach will help risk practitioners choose the best tools for each risk context.
Here is a definition for risk-based thinking that captures the essential aspects from recent changes to risk management:
Risked-based thinking requires companies be proactive instead of waiting for audit findings to identify areas of risk and improvement. The latter is what we call the, The Reactive Uncertainty Trap™. As many have commented about quality, you cannot inspect your way to quality – you need to design it in. The same is true for compliance. You cannot audit your way to better compliance. Instead, you need to apply proactive strategies like risk-based thinking to make certain you are always in compliance.
If you are an ethical, ambitious company and want to avoid, The Reactive Uncertainty Trap™ consider joining The Proactive Certainty Program™