Can there be Value beyond Compliance? Here is the Risk Based Thinking method

The UNI EN ISO 9001:2015 standard has introduced several innovations in the management of a company's Quality System, the most significant being "Risk Based Thinking."
"Risk Based Thinking" is a systematic approach to risk management at every level of the organization. Its innovative feature is that risk is assessed with an enterprise-wide, process-based logic that treats risk as a potential effect on the achievement of objectives.

The distinctive characteristics of "Risk Based Thinking" can be summarized in four main points, as detailed in the dedicated section. In essence, the approach translates into strategic risk management that treats risks also as opportunities and involves the whole company, beyond individually assigned roles. These risks can lead to positive actions in sales, finance and many other areas, not only to actions driven by compliance with laws and regulatory decrees.

How value can be created from what would otherwise be a mere compliance exercise is explained through an application example, following the guidelines of ISO 31000:2010 - Risk Management. Understanding this approach is crucial because the value generated by "Risk Based Thinking" is already an internal necessity for companies and will increasingly become a market demand over time.

The first phase involves defining the context, mapping the relevant processes and, as output, providing an initial classification of risk categories: external risks (related to the organization's external environment and hardly influenced from inside), strategic risks (affecting strategic decisions and business models), financial risks (linked to management inconsistent with liquidity goals, capital availability and credit), and operational risks (related to inefficient or ineffective business processes and to non-conformities, which negatively affect value creation).

For each risk category, specific risk areas are identified:

Risk Category       | Risk Area
--------------------|------------------------
External Risks      | Evolution of demand
                    | Competition
                    | Consumption contraction
                    | Technological evolution
                    | Regulatory changes
                    | Natural events
Strategic Risks     | Market
                    | Business model
                    | Innovation
Financial Risks     | Credit
                    | Interest
                    | Liquidity
                    | Exchange rate
Operational Risks   | Human Resources
                    | Production
                    | Supply Chain
                    | Compliance
                    | Information Technology

For each risk area, specific risks are identified. As an example, we focus on the Operational Risks family, and in particular on four of its Risk Areas (Human Resources, Production, Supply Chain, Information Technology), and map out their specific risks. The same approach can be applied to any other Risk Family/Area.

Risk Area               | Specific risks
------------------------|--------------------------------------------------------------
Human Resources         | Loss of key corporate resources for management and skills
                        | Ineffective training related to required skills
                        | Inadequate incentive plans
                        | Events with potential impact on health and safety of workers
Production              | Loss/damage/malfunction of primary assets
                        | Production inefficiency: waste, bottlenecks
                        | Errors in planning and resource allocation
                        | Product quality not meeting customer requirements
                        | Environmental impact events: pollutant leaks, contamination
Supply Chain            | Dependency on critical suppliers for procurement
                        | Availability and cost of essential raw materials
                        | Availability and cost of logistics services
                        | Service level adequacy: delivery delays
                        | Inventory stock level criticality
Information Technology  | Risk of data privacy breach
                        | Inadequacy of logical and physical security measures, access controls, and segregation of duties schemes
                        | Unavailability of systems and data
                        | Data alteration, manipulation, loss

The next phase of the risk management process involves defining the evaluation criteria to be applied to the mapped risks. The literature offers several criteria, chosen according to the complexity of the assessment required: calculation algorithms, two-dimensional matrices, or instrumental measurements. As an example, we present the multi-level two-dimensional matrix criterion, whose two dimensions are the probability of the event occurring and its impact:

Probability: expressed as the % likelihood of the event occurring within a 1-year time horizon.

Impact: financial impact on cash flows and net operating margin.

Once the risk evaluation criteria are defined, each mapped risk is assessed as R = P x I, and the overall result is represented in a "heat map" (depicting the risks with R >= 6).
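The scoring just described, worked through in code as an added example that is not part of the article: a small risk register is scored with R = P x I and filtered with the article's heat-map threshold R >= 6. The article does not state how many levels the matrix has or where the probability and impact bands fall, so the five-level scales, the % and EUR band boundaries and the P/I figures of the sample risks are all constructed assumptions; the risk descriptions are taken from the Operational Risks table above.

```python
"""Two-dimensional P x I risk scoring with a heat-map threshold.

Added example. Assumptions not stated in the article: both factors use
five levels, the band boundaries below are illustrative, and the sample
register's probability/impact figures are constructed. The threshold
R >= 6 for the heat map is the article's own.
"""
from dataclasses import dataclass

HEAT_MAP_THRESHOLD = 6  # article: the heat map depicts risks with R >= 6

# Assumed banding of the 1-year occurrence probability (%) into levels 1..5:
# (upper bound of band, level)
PROBABILITY_BANDS = [(5, 1), (20, 2), (50, 3), (80, 4), (100, 5)]

# Assumed banding of the financial impact on cash flows / operating margin
# (EUR) into levels 1..5
IMPACT_BANDS = [(10_000, 1), (50_000, 2), (200_000, 3),
                (1_000_000, 4), (float("inf"), 5)]


def level(value, bands):
    """Return the level of the first band whose upper bound covers value."""
    for upper, lvl in bands:
        if value <= upper:
            return lvl
    return bands[-1][1]  # above every bound: highest level


@dataclass
class Risk:
    category: str
    area: str
    description: str
    probability_pct: float  # % likelihood of occurrence within 1 year
    impact_eur: float       # financial impact on cash flows / margin

    @property
    def P(self):
        return level(self.probability_pct, PROBABILITY_BANDS)

    @property
    def I(self):
        return level(self.impact_eur, IMPACT_BANDS)

    @property
    def R(self):
        return self.P * self.I  # the article's R = P x I


def heat_map(register, threshold=HEAT_MAP_THRESHOLD):
    """Risks at or above the threshold, highest R first, then by area name."""
    hot = [r for r in register if r.R >= threshold]
    return sorted(hot, key=lambda r: (-r.R, r.area))


def by_area(register, threshold=HEAT_MAP_THRESHOLD):
    """Highest R per risk area among heat-map risks: the treatment priorities."""
    priorities = {}
    for r in heat_map(register, threshold):
        priorities[r.area] = max(priorities.get(r.area, 0), r.R)
    return priorities


# Constructed sample register: descriptions from the article's Operational
# Risks table, probability and impact figures invented for illustration.
SAMPLE_REGISTER = [
    Risk("Operational", "Information Technology",
         "Data alteration, manipulation, loss", 30, 150_000),
    Risk("Operational", "Information Technology",
         "Unavailability of systems and data", 15, 40_000),
    Risk("Operational", "Information Technology",
         "Inadequate access controls and segregation of duties", 10, 30_000),
    Risk("Operational", "Supply Chain",
         "Dependency on critical suppliers for procurement", 60, 300_000),
    Risk("Operational", "Supply Chain",
         "Service level adequacy: delivery delays", 70, 120_000),
    Risk("Operational", "Human Resources",
         "Loss of key corporate resources for management and skills", 25, 250_000),
]

if __name__ == "__main__":
    for r in heat_map(SAMPLE_REGISTER):
        print(f"R={r.R:2d} (P={r.P}, I={r.I})  {r.area}: {r.description}")
    print(by_area(SAMPLE_REGISTER))
```

With these constructed figures the heat map ranks supplier dependency first (R = 16), delivery delays and loss of key people next (R = 12 each), and data alteration/loss last (R = 9), while the two remaining IT risks (R = 4) stay below the threshold; that is the same pattern the article's own heat map reports, with IT flagged but less significantly than supply chain and human resources.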

Fig. 2 – Heat Map

In the example provided, the risk assessment with its corresponding "heat map" has highlighted risks significantly impacting financial aspects:

  • in supplier management
  • in stock availability
  • in delivery times
  • in human resource management

These areas will therefore be targeted by risk treatment and improvement plans. Attention is also required, albeit to a lesser degree, for Information Technology, where the risk of data alteration, manipulation and loss has been identified.

Thus, risk management carried out with the systemic "Risk Based Thinking" approach generates value for the company well beyond mere compliance with regulations, because it:

  1. Increases people's awareness in identifying and addressing risks collaboratively; workers at every level begin to reflect on the potential risks of their daily activities and to pool their know-how.
  2. Views risk not only as a negative aspect of business life but also as an opportunity for continuous improvement.
  3. Supports decision-making; enables a precise examination of what can grow the company and what could create problems, supporting timely and effective decisions.