Every business encounters risk – indeed it can be where the money is – but organisations have often been all too happy to fall back on an ad hoc approach to dealing with it. These days, however, business is being forced to play by new rules: everything from the impossible burden of legislation to the complexity of modern supply chains and the scrutiny of social media demands a more formalised approach to quality and compliance.
Which leads us to risk-based thinking. If that concept has you scratching your head, don’t worry – it’s all pretty logical. It’s about tackling the root causes of risk right at the top of the organisation, while making sure everyone else involved shares that same commitment to quality, through a centralised process of spotting, categorising, monitoring and mitigating all the risks facing the organisation.
Risk-based thinking works because it’s systematic, measurable and repeatable, unlike guesswork, personal hunches or claims of "well, that’s how we’ve always done it".
So why should we care?
As of last year, risk-based thinking was brought into ISO 9001, the standard for quality management systems. That may not sound like the world’s most thrilling revelation – and the standard is more about offering casual guidance than rigid scripture – but it shows a fundamental shift in how companies are expected to operate if they want to be considered compliant.
How you go about it
Risk-based thinking is all about building a framework for how you think about risk. This involves identifying the risks in your operations – what they are, how severe they are, and how likely they are to crop up. After that you need to figure out how you’ll treat those risks, and eventually implement actions and controls to handle each of them. You can accept the risk, look for ways to reduce it, find ways to insure yourself against it, transfer it, or choose to avoid it altogether. Finally, it’s about methodically evaluating how effective this all was.
Of course it’s important to consider these factors in the context of your specific organisation. Consider all the groups who may come into contact with your product or service, and everyone who has a direct or indirect impact on your quality. So we’re talking everyone from suppliers and vendors to the various departments within the business, and the general public. How are they affected by everything from culture to law, technology to the market? It’s a big list, but the more comprehensive you make it, the better.
Finally, who’s involved?
Risk needs to be considered at the very top of the business, as your execs are the ones with the strategic knowledge about the threats it’s facing. They’re also the only people in a position to get policies rolled out across the whole business. But it’s not just about dictating from the top: employees may be sitting on valuable information that management may otherwise not be privy to.
So this means providing a space for management to discuss risk, in order to send the message down the company, and also providing employees with a channel through which they can communicate their experience of risks up to that management team.
The crucial thing is that this isn’t just an exercise in ticking flame-retardant boxes. Done properly, the systematic and consistent processes that risk-based thinking brings in should drive other positive change in your company, whether that’s improving the communication between departments or creating a means for those at the coalface of your business to feel they’re being listened to. These changes can all help the bottom line, which is of course something that’s not worth taking your chances over.