The current landscape of international ISO/IEC requirements is shifting to allow organizations to take a more flexible approach in areas of the standards that were once more prescriptive. With these changes at the forefront, the topic on almost everyone’s mind is risk.
The term “risk” is broader than the initial association most people have with negative consequences. Risk is multifaceted and can affect organizations, their products, and their clients in both negative and positive ways.
Risk, at the core, is quintessentially the effect of uncertainty. When looking at a problem, system, process, or area of growth, any action we take will have associated consequences, positive or negative. A positive risk is simply an opportunity, while a negative risk would be how most perceive risk: a negative effect on themselves or their business.
Let’s say your organization wants to expand its scope of accreditation to cover a new parameter. Adding this new parameter not only takes time and effort to develop on the organizational end but also includes the process of adding it to the scope of accreditation through conformity assessment. This addition may open opportunities for growth in new industries and expand your customer base. On the other hand, you may also have concerns about the addition to the scope: it may cause issues with training staff on the new material, the new technology could be hard to digest, or the capital required up front for the equipment may be higher than anticipated. These are all aspects of risk, both positive and negative, that the risk analysis process leads us to see. This process can be as minimal or as expansive as needed.
The current ISO standard landscape requires that organizations perform appropriate risk analysis for areas impacting the organization but does not indicate how these analyses must be performed. However, for organizations following normative requirements from regulatory bodies or other entities, there may be more stringent requirements for risk analysis.
In this article, we will break down the mindset of looking at risk through one-dimensional, two-dimensional, and three-dimensional lenses.
One-Dimensional Approach
The simplest way of looking at risk using this structure is the one-dimensional approach. In a one-dimensional approach, one can either qualitatively or quantitatively define risk using the following equation.
Risk (R) = Severity (S)
Here we are defining the overall level of risk as however severe the potential effect is. In using this approach, an organization is deciding how to act on their risks based strictly on the severity or the impact of something going wrong.
In this approach and the two that follow, we have flexibility in how we express the overall risk. This is typically seen in risk charts that show the scale on which the risk is evaluated. It could be something as simple as ranking items as low, medium, high, or critical; or it could use a numeric ranking scale (1-10, 1-5), or even the beginning of the Fibonacci sequence. Whatever criteria are used to identify the level of risk, whether qualitative or quantitative, they will need to be applied consistently within your organization no matter which of the three approaches is used. To avoid staff confusion about what each ranking means, many organizations include a legend on their risk analysis that states what a low risk is or what it means to have a certain risk value.
For each of the three approaches, it is also important to determine a proper cutoff point at which your organization considers it essential to act upon the risk, to eliminate or mitigate the issue per the standards followed. An organization may have a statement along the lines of “any risk quantified as a high risk or higher must be addressed without undue delay.” Where this cutoff point is set depends on how risk averse the organization is, or how large its risk appetite is.
Essentially, it comes down to how much risk an organization is willing to take on for themselves and their customers. Some organizations may be highly risk averse while others may have a bit larger risk appetite to allow for more flexibility in the decision-making process.
Two-Dimensional Approach
Because risk scales, and the amount of risk taken on, differ between organizations, an organization might want to flesh out its risk analysis with further information. This can be done by looking at risk from a two-dimensional approach or even a three-dimensional approach. For two-dimensional risk analysis, one can define the overall risk (R) as the following:
Risk (R) = Severity (S) x Probability of Occurrence (PO)
In the two-dimensional approach, we account not only for how much of an impact an effect may cause, but also for how often this effect may occur. Please keep in mind that the probability of occurrence is not strictly how many times something will happen with certainty, but the potential for occurrence. If something has a high severity but rarely occurs, it might have a lower risk value than something with a moderate severity that is more likely to occur. An issue that rarely occurs may require less action to minimize it, since its rarity itself reduces the factors that influence the overall risk impact.
Additionally, when expanding to a two-dimensional approach, one may have to revisit the cutoff points at which risks must be addressed, as the values we are working with have shifted and have more depth. In cases like this, using numbers can be more beneficial than using terminology: it is easier to identify an appropriate action point numerically than to decide whether a risk rated medium x high needs action, or whether a medium x medium risk would.
Three-Dimensional Approach
The three-dimensional approach to risk analysis was pioneered through the Failure Modes & Effects Analysis (FMEA) process and has since been applied to many different risk analysis methods. FMEA was pioneered by Six Sigma and is strictly an approach for understanding and addressing potential issues or concerns within a system, process, product, or service prior to implementation. Although designed as a preventive measure, it can also be used reactively when findings occur.
Here, one looks at risk not only in terms of how severe the potential effect is and how frequently the issue would potentially occur, but in terms of detection as well. The term “detection” is better read as latency of detection: the lower the detection value, the sooner an organization can catch the issue.
A prime example would be issues with the certificates or reports produced by an ISO/IEC 17025 accredited organization. These issues may have a lower detection value (they are caught sooner) because an authorized staff member reviews and approves certificates and reports before publication. There are potentially several things that could go wrong with certificates or reports, but by taking the product of the three terms, we can see our risks more clearly than in the earlier examples when risk is defined as follows:
Risk (R) = Severity (S) x Probability of Occurrence (PO) x Detection (D)
FMEA defines the overall risk produced by this three-dimensional approach as the Risk Priority Number, or RPN. Taking the extra step of rating detection allows finer comparison between risks, leading to stronger decision making in the long run.
Consider a scenario for a calibration laboratory where there are two risks that both have severity levels of 5 and occurrence levels of 5; they look equal from a two-dimensional approach or even a one-dimensional approach. If detection ratings are applied to the two risk scenarios, and one has a low detection level of 1 while the other has a higher detection level of 5, the overall risk values differ markedly (an RPN of 25 versus 125).
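As an added illustration (not code from the original article), the three approaches and the calibration-laboratory comparison above, worked in Python; the 1-5 scale, the legend bands, and the "high or higher" cutoff are assumptions chosen for the example:

```python
from dataclasses import dataclass

# Assumed scale for this example: every factor is ranked 1-5. A higher
# detection value means longer latency of detection (the issue is caught later).
SCALE_MIN, SCALE_MAX = 1, 5

@dataclass(frozen=True)
class Risk:
    name: str
    severity: int    # S: how bad the effect is
    occurrence: int  # PO: potential for occurrence, not a guaranteed count
    detection: int   # D: latency of detection (1 = caught immediately)

    def __post_init__(self) -> None:
        for rank in (self.severity, self.occurrence, self.detection):
            if not SCALE_MIN <= rank <= SCALE_MAX:
                raise ValueError(f"{self.name}: rank {rank} outside {SCALE_MIN}-{SCALE_MAX}")

def risk_1d(r: Risk) -> int:
    return r.severity                                # R = S

def risk_2d(r: Risk) -> int:
    return r.severity * r.occurrence                 # R = S x PO

def rpn(r: Risk) -> int:
    return r.severity * r.occurrence * r.detection   # R = S x PO x D (FMEA RPN)

# Constructed legend over the 1-125 RPN range, plus the organization's cutoff:
# "any risk ranked high or higher must be addressed without undue delay".
LEGEND = ((1, 10, "low"), (11, 40, "medium"), (41, 80, "high"), (81, 125, "critical"))
ACTION_CUTOFF = "high"

def band(value: int) -> str:
    for low, high, label in LEGEND:
        if low <= value <= high:
            return label
    raise ValueError(f"RPN {value} is outside the legend")

def needs_action(r: Risk) -> bool:
    order = [label for _, _, label in LEGEND]
    return order.index(band(rpn(r))) >= order.index(ACTION_CUTOFF)

# The calibration-laboratory scenario from the text: S=5 and PO=5 for both,
# but one error is caught by the approver (D=1) and the other only by the client (D=5).
CAUGHT_BY_APPROVER = Risk("report error caught at approval", 5, 5, 1)
FOUND_BY_CLIENT = Risk("report error found by client", 5, 5, 5)
```

Both risks tie under `risk_1d` and `risk_2d`; only `rpn` separates them, and with this legend only the client-found error crosses the action cutoff.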

Integrating the detection rating gives us a better understanding of the overall risks taken on by a company as well as by its clients. The difficulty is that anything the organization fails to detect will most likely become an unknown risk factor taken on by the client.
Based on these methods, one can see that there are quite a few ways to approach risk. These brief examples are only the beginning of a multitude of possibilities. Risk is something that affects us all and is inherently based on an organization’s understanding of itself. There is significant flexibility in how risks are addressed, provided organizations can properly justify how they are mitigating them.
With all the information available for risk analysis, it is critical to take the time to digest the material we have and to use a consistent approach in how risks are evaluated or determined, in order to ensure continued success and growth.
