Risk Based Thinking
“Opportunity and risk come in pairs” - Bangambiki Habyarimana
If you engage more with a video medium, check out our CEO Kobi Simmat’s concise wrap-up of risk based thinking, and how to incorporate it in your management systems.
With all of this, in one sense, you want to start with the end in mind. That is, you want to have a clear idea of your desired outcomes, or an output in the terminology of ISO. The new versions of the quality management systems are looking for an outcomes-based approach, so you’ll need to ask yourself: have I got an appropriate set of controls in place, and more importantly, have I achieved the outcomes. One of the first things to consider while refining your risk-based approach is to ask:
‘Are we doing something that could make our customers feel angry, or violated?’
Who's it for? It's for everyone in the business, but particularly your management team to talk about and do some self reflection. Once you’ve laid this out in your quarterly strategic planning meeting, or entered into your risk register, you’re more capable to now address some of the preventative measures, or new strategies to mitigate the risk. In terms of your controls to minimise risk, one of the most effective means to tackle these head-on is to outline the who, what, where, when, and how. This is all about prevention. If you can essentially retrace the footsteps of that upset client, you’ll hopefully be able to isolate what went wrong, where it went wrong, when did it go wrong, and how did it go wrong.
Next up, let’s talk about the promises that you’re making to your customers. What are you promising? More importantly, what could go wrong in the process between that customer making contact - or you making contact with that potential client - and the final delivery of that service.
Each and every day of operating a business throws up a new challenge, and even small to medium-sized businesses have many moving parts that contribute to the organism as a whole.
Because of the fact that accidents happen, and you can’t completely rule out this universal law of doing business, the most effective means to minimise the chance of something going wrong is to take a step back, and look at all the promises, and pose a million or more hypotheticals to your staff. This approach works regardless of the quality management system we’re talking about. ISO14001: what potential environmental damage are you risking in your operations? ISO27001: how could your system be potentially compromised, and what would the result of a wide-scale outages of your network look like.
What's it for? These little thought exercises are particularly useful to picture to drive home the damaging impact of what might seem like a minor inconvenience, but could seriously upset some of your customers and stakeholders.
We encourage the use of a risk register, or any type of document with the purpose of identifying your risk issues, and track your agreed - possibly implemented - set of controls to mitigate the risks; this is what is meant by that outcomes-based approach to the latest ISO standards. This is in combination with a SWOT analysis, which takes into account your strengths, weakness, opportunities and threats. Sit down with your team and map out a SWOT analysis for your operations, and feed this into your register.
What change are we seeking to make? Well, our CEO Kobi Simmat makes a great point in his clip (https://www.youtube.com/watch?v=oDYaLloylPg), likening this whole process to going the gym. “You don’t go to the gym for a week once a year, because you’ll near-on kill yourself.” What you - and your business - should be doing, Kobi argues, is “if you can go to the gym once, twice, three times a week, you’ll see a better result.”
Kobi isn’t saying you should be having a specific management review targeting your risk factors three times a week, but he is driving home the point that this should become embedded in the team, part of the culture, and a prevalent part of your team’s behaviour. If you can encourage this culture in your business and you and your staff are considering things like strengths, weaknesses, your risk areas, where you’ve upset customers previously, and where you could potentially upset customers in the future, you’re embracing all of the potential benefits of a risk-based approach to business.
You’ll be quicker to adapt to disruptions, implement damage-control of sorts to avoid upsetting your customers, and be better equiped to deal with situations as they arise, rather than pick up the pieces in the aftermath.