Blog: Management systems and standards
Date of Issue: Wednesday, 1 November, 2017
If, like me, you are involved with management systems standards (MSS) such as ISO 14001, the forthcoming ISO 45001 or, the daddy of them all, ISO 9001, you can’t help but be aware of the ‘risk and opportunity’ mantra among standards developers and users. All MSS are now required to use ISO’s high level structure and text (HLS), and ‘risk and opportunity’ features strongly. There is much uncertainty as to what this means and many are in a flap as to what the expectations are to demonstrate control, but when you talk to business leaders, this is all in a day’s work. Everyone involved in running an organisation looks at risk and opportunity on a daily basis – they are two sides of a coin.
When an entrepreneur starts their business, risk and opportunity are always front and centre in their mind. Wherever they have come from, they have identified an opening to:
- Start a business,
- Make a living, and
- Grow it to the point where it gives them an income with the chance of a pot of gold for their retirement.
This future is, however, not certain. There will be difficulties along the way and these risks, left unmanaged, could lead to a loss of income and, ultimately, to their business failing. The entrepreneur recognises these risks come in many forms such as:
- Do I have the right products and services for my target customers?
- Can I control production and service delivery to consistently meet those customer needs?
- Can my suppliers keep up with my demands and maintain the quality levels I need?
If s/he can manage those risks at that level then the business will succeed and s/he can grasp all the opportunities, including that elusive pot of gold.
Moving forward in time as the business continues to thrive and grow, our entrepreneur has moved upstairs to the boardroom as CEO and has managers and teams dealing with day-to-day business while they buy in high-priced consultants to lead some ‘blue sky’ strategy sessions. Strategic risks haven’t really changed – an incorrect strategy still has the capability to bring down our grown-up start-up.
Tactically the business can cope more easily with risk as it has multiple customers buying a range of products. On the downside, tactical errors can lead to an erosion of hard-earned brand reputation as all our customers inhabit the same system and talk to one another. Word spreads.
Moving out of the boardroom along to the shop floor and offices where ‘business as usual’ happens, ‘risk’ looks a little different, but it is just as important that it is recognised and managed.
With every customer order comes a risk that the organisation will misunderstand its customers’ needs. At this process level, therefore, there have to be checks and balances. Individuals, working with their CEO’s delegated authority, accept orders and enter into contracts, including the inherent risks that a legal contract carries.
At the same time on the shop floor, all employees are involved in managing risk. Some develop specifications and standards (perhaps in a separate design office), some manufacture products or deliver services that they believe meet those standards.
Throughout the process, managing risks leads to delivered products and services meeting specification, satisfying customer needs and customers paying their bills, thereby allowing the organisation to realise the sales opportunity and contributing to our entrepreneur’s vision of a pot of gold.
If the above risks and opportunities are present in daily organisational life as part of quality management, why do we have concerns for the risk professional’s ability to inhabit this space? Most risk management in operational processes simply requires the individual or team to look at what is required and at what could occur that would turn an emerging risk into harm to the business. The IIRSM’s one-day managing risk course is a good place to start. It emphasises that everyone within an organisation is responsible for managing risks, no matter their role or where they are within the hierarchy – they all play a vital part in the risk management process. No single risk expert or function can identify and manage all the interconnected risks facing organisations and within projects and change programmes.
Paul Simpson, IIRSM Council Member