A Checklist for Adopting Risk-Based Thinking in Your Enterprise
To introduce risk-based thinking across your organization ‒ as mandated in ISO 9001 and other important standards ‒ follow our Plan-Do-Check-Act checklist.
Implementing risk-based thinking across your business may seem like a daunting task. However, by breaking down the process into four basic stages using the Plan-Do-Check-Act (PDCA) methodology that makes operational excellence programs so effective, you can make meaningful progress. What's more, PDCA is an iterative process – you can keep reapplying it to your risk management practices to continuously improve your approach to risk.
We've outlined an essential checklist to help you along.
- Assemble your key risk people from across all areas of your organization ‒ including your supply chain.
- Identify hazards in your business. Remember, a hazard is a condition or situation that creates the opportunity for a problem to occur ‒ a potential source of harm, not an actual occurrence.
- Estimate the probability of each hazard occurring, in order to identify your risks. Risk is the likelihood that the hazard will manifest itself and lead to a negative consequence.
- Determine how to quantify those risks in a systematic and objective way. Severity and probability are useful scales.
- Understand how to leverage technology to support your risk management system.
- Train your people on how to execute your plans, including senior management. Good leadership is essential to the risk-based approach.
- Record your identified hazards in your Risk Register, so everyone has access to them.
- Implement a process for evaluating and assessing the risk using risk assessment tools, such as the Risk Matrix or Bowtie Risk.
- Integrate your risk assessment tools with your management systems, such as Quality and EHS, so you can quantify the risk associated with adverse events and incidents.
- Filter and search for the high-risk issues that need to go through the Corrective Action (CAPA) process first.
- Vet your risk assessment tools using real-world examples drawn from historical data to ensure the tools fit the context of your actual operations.
- Audit your risk processes to ensure that high-risk events are not being overlooked.
- Encourage open communication. Employees should be confident in flagging issues and exposing problems.
- Ensure that you collect enough data. As your operations improve and the number of incidents and events decreases, so will the volume of new historical data you gather. You will need an expanded dataset to make predictions about risk and implement preventative measures.
- Include near-misses. Collecting and analyzing near-miss data helps you find patterns and trends that signal increased risk.
- Analyze your Risk Register to identify high-risk areas, trends and correlations.
- Assemble your Risk Team to review the different risk outcomes, build risk treatment options and define actions to treat those risks. Responses typically include:
  - Acceptance – Leave it if it's worth the risk
  - Reduction – Take steps to mitigate the risk
  - Compensation – Take steps to insure yourself against the risk
  - Transfer – Outsource the risk to a partner/supplier
  - Avoidance – Stop the process altogether
- Take immediate action on critical issues through your Corrective Action (CAPA) process.
- Follow up with a risk-based verification check to assess if the corrective action taken was effective.
- For actions that prove ineffective, run the Corrective Action (CAPA) process again until the risk is reduced to within the business's risk tolerance.
- Document your treatment of each risk in your Risk Register, so risks with a similar profile can be identified and prevented.
- Implement long-term improvements on unacceptable trends.
Our in-depth handbook covers the latest processes and technologies in risk management – download it now.