ISO 9001 2015 RISKs Element By KAMARRUDIN ALI
ISO 9001: 2015 (RISKs Element) By KAMARRUDIN ALI 18 April 2018
ISO 9001: 2015 • Risk-based thinking enables an organization to determine the factors that could cause its processes and its quality management system to deviate from the planned results, to put in place preventive controls to minimize negative effects and to make maximum use of opportunities as they arise
ISO 9001: 2015 REQUIREMENTS • ISO 9001: 2015 requires the organization to determine the risks and opportunities based on the knowledge of the organization’s context (4.1 & 4.2)
Template A EXTERNAL ANALYSIS (PESTEL) (including issues from interested parties) NO. ISSUES 1 POLITICAL • Trump’s Muslim countries ban 2 • (Risk) MQA accreditation withdrawal ENVIRONMENT • Raining season 6 • (Risk) Student demonstration TECHNOLOGY • Outdated equipment 5 • (Risk) could not renew licenses SOCIAL • Staffing problem • ELB implementation 4 • (Opportunities) Increase international students application ECONOMIC • Reduced operational budget 3 RISK/OPPORTUNITIES FOR KCDIO • (risk) Flood at certain areas LEGAL • Intro of ICGPA • (Risk) Decreasing intake from international students due to • stringent procedure in getting VAL. implementation of i-CGPA and VAL procedure • Not following procedures • (Risk) accreditation withdrawal 4
Template A INTERNAL ANALYSIS (SWOT) STRENGTH • 1. • 2 Issues Risk/Opportunities WEAKNESSES • 1. • 2 Issues OPPORTUNITIES • 1. • 2 Issues Risk/Opportunities THREATS • 1. • 2 Issues Risk/Opportunities Note: As a guide to a thorough analysis of each of the above quadrants, a commonly used tool is FITCOW: Financial, Infrastructure, Technology, Competency, Operation (Process) and Work environment.
ISO 9001: 2015 REQUIREMENTS
6.1.1 When planning for the quality management system, the organization shall consider the issues referred to in 4.1 and the requirements referred to in 4.2 and determine the risks and opportunities that need to be addressed to:
a) give assurance that the quality management system can achieve its intended result(s);
b) enhance desirable effects;
c) prevent, or reduce, undesired effects;
d) achieve improvement.
Identifying Risks are determined to prevent or reduce undesired effects, and to give assurance that quality management system can achieve its intended results. ISO 9001 does not define specific types of risks that need to be determined and addressed Types and categories of risks are commonly used: Processes: Quality: Suppliers: Operation: risks of nonconforming output, process breakdown, process inefficiency, excessive variability, etc. risk of defects and non-attainment of specified requirements risks to business continuity, data loss, public relations, etc. ;
What about Opportunity? Apart from the risks, the organization also has to identify the opportunities that may come its way. Opportunities can be in the form of adoption of new practices, launching of new products or services, opening new markets, addressing new clients, building partnerships, using new technology and other desirable and viable possibilities to address the organization’s or its customers’ needs.
Why are Risks considered? • Risk: Effect of uncertainties • Risk Level: Likelihood x consequences • Risks and opportunities that can affect conformity of products and services and the ability to enhance customer satisfaction are determined and addressed
Managing Risks Step 1: Identify the Risk. Step 2: Analyze the Risk. Step 3: Evaluate or Rank the Risk. Step 4: Treat the Risk. Step 5: Monitor and Review the Risk.
• Brainstorming • Environmental/Horizon Scanning • Interviews • Past data Analysis
Causes of Risk Consequence/Impact
According to a leading global provider of risk management services, AON, in their 2011 Global Risk Management Survey (AON, 2013), the top three risks for higher education are ranked as follows: 1. Regulatory and legislative changes 2. Economic slowdown 3. Damage to brand or reputation. Source: Online Journal of Applied Knowledge Management, Volume 2, Issue 1, 2014
Samples: Common risks • Food poisoning • Theft • Fire • Flood
Samples: Common risks in University Issue Risks Student Enrolment • • Information System • • unpopular programs bad information about Kulliyyah Consequence Measure Low enrollment • Data Loss due to Technical • breakdown • Data theft • • student’s dissatisfaction the University’s reputation issue financial loss • • • market research in order to introduce new and update existing study programs Improve quality work of the staff additional activities offered to students, continuous promotions Ensure staff obey the rules on the access to data Acquire appropriate software and hardware train staff periodically test the equipment periodically perform a weekly backup Ensure physical protection of workstation Ensure saving and frequent changing of passwords Do frequent updating of antivirus software avoid using unverified external data media Conduct comprehensive testing and fixing of program flaws
Samples: Common risks in University Issue Risks Teaching low quality of the teaching because • of the teaching staff • • • Dissatisfaction bad experience of the students loss of Kulliyyah reputation low enrollment rate • poor teaching quality due to nonexistence or non-use of contemporary devices and electronic means • • • bad experiences of students school reputation low enrollment rate • • Acquisition of the equipment continuous training of academic staff Student practical: Bad choice of organizations in terms of the activity and process and poor support • • bad experience of students bad experience of associated from the situation which jeopardize Kulliyyah reputation • students’ awareness about the significance of the practical work and the possibilities it offers (acquiring precious experience, accumulating data for the placement) Certain programmes could not be run due to budget issue • • Bad reputation Accreditation withdrawal • finding other sources of finance by introducing alternative short programs or courses which are in demand Misappropriation of fund • • Bad reputation Financial loss • • Strengthen work process Continuous reminders to staff Financial process Consequence Measure • hiring the highest quality teaching staff, Continuous assessment of the academic staff’s work
Samples: Common risks in University Issue Risks Management • • Bad assessment of the management in relation to type and content of the study programs High-quality teaching staff leave the Kulliyyah bad results of scientific research work because of the poor quality of the teaching staff or bad support due to lack of funds Programmes run not according to university or government requirements due to bad documentation or awareness Consequence • • • impossibility or withdrawal of accreditation bad experience of students lower financial income jeopardized University or Kulliyyah reputation lower enrollment rate Measure • • introducing or improving a quality system (e. g. ISO) in order to improve University elements in all processes and intensify the conditions for their successful implementation plan for hiring the teaching staff in accordance to the need of the Kulliyyah motivate staff towards further improvement by supporting them to visit conferences, write articles and books, participate in projects, and by awarding them according to an assessment of their work periodical review and update of documents for conducting the Kulliyyah programmes in accordance to practice and update the staff
Template C
Risk Category
Type: Description
• Strategic: Losses due to error or misjudgment in the selection of strategy or the execution of the strategy, or exposure to loss resulting from a strategy that turns out to be defective or inappropriate
• Operations: Risk arising from execution of a company's business function, which focuses on the risks arising from the people, assets, systems and processes through which the University operates
• Finance: Risk associated with the finances of the University, including loan interest charges, exchange rates, taxation, borrowings & credit, government grant, error in asset valuation (over or undervaluation), liabilities, spending beyond limit, negative cash flows or any other direct and indirect losses affecting other elements of the University's finances
• Reputation: Risk of impact to the business attribute/related to the trustworthiness of the business and/or the education industry as a whole
• Information: Risk arising from the flow of information and availability of new or existing technology to the business and the impact of it being adopted or not to the business
• Regulation: Risk due to non-compliance or failure to adhere to sets of rules and regulation as set out by the University, Government or legislation
Qualitative Measure of Consequences of Likelihood
Level, Descriptor (Probability): Description
• 5, Almost certain (>50%): The event is expected to occur in most circumstances - will occur on an annual basis
• 4, Likely (31% - 50%): The event will probably occur in most circumstances - will occur once in every 3 years
• 3, Possible (16% - 30%): The event might occur at some time - will occur once in every 10 years
• 2, Unlikely (1% - 15%): The event could occur at some time - will occur in every 20 years
• 1, Rare (<1%): The event may occur only in exceptional circumstances - will occur once in every 50 years
Qualitative Measure of Consequences of Impact
Level, Description: Example detail description
• 1, Insignificant: No injuries, low financial loss, no risk to reputation.
• 2, Minor: Minor First aid treatment, on-site release immediately contained, medium financial loss, some customer dissatisfaction.
• 3, Moderate: Medical treatment required, on-site release contained with outside assistance, high financial loss and public visibility.
• 4, Major: Major Extensive injuries, loss of production capability, invocation of disaster recovery with no detrimental effects, major financial loss.
• 5, Catastrophic: Death, off-site with detrimental effect, huge financial loss.
Quantitative Measure of Consequences of Impact
Level, Description: Example detail description
• 1, Insignificant: Nil – Negligible
• 2, Minor: Under RM 1 mil
• 3, Moderate: Between RM 1 mil - RM 5 mil
• 4, Major: Between RM 5 mil - RM 15 mil
• 5, Catastrophic: Above RM 15 mil
Qualitative Risk Analysis Matrix Likelihood / Impact 1 2 3 5 4 3 2 1 M L L S M M L L H S M M L 4 5 H E H H S H Time Bomb
Qualitative Risk Analysis Matrix Key E : Extreme H : High S : Significant M : Medium L : Low Time Bomb Description Immediately initiate action plan to reduce exposure Develop action plan to reduce exposure Consider if any action plan needs to be developed Routine acceptance of the risk. / No action required *Develop action plan to reduce exposure *Are potential catastrophic risks that are not straightforward in ratings *May currently be well managed, but may potentially create significant problems to the organization in future
Strategy in Managing Risks • activities with a high likelihood of loss and large financial impact. The best response is to avoid the activity • if cost-benefit analysis determines the cost to mitigate risk is higher than cost to bear the risk, then the best response is to accept and continually monitor the risk. • activities with a high likelihood of occurring, but financial impact is small. The best response is to use management control systems to reduce the risk of potential loss • activities with low probability of occurring, but with a large financial impact. The best response is to transfer a portion or all of the risk to a third party by purchasing insurance, hedging, outsourcing, or entering into partnerships.
Issues/Risks Status
Type: Description
• Open: New item identified and awaiting action.
• Closed: Item closed, e.g. no longer a concern, rejected, etc.
• In progress: Item undergoing treatment/mitigation activities.
• Monitoring: Treatment/mitigation activities complete and being monitored.
• Resolved: Item resolved through treatment/mitigation actions and resolution accepted by stakeholders.
What’s next? Having the risks and opportunities identified, a proper plan of actions needs to be laid out in order to mitigate these risks and grab the opportunities. Then, from time to time, the organization needs to assess the effectiveness of the actions taken.
Template C RISKS SUMMARY (From Risk Register) RISK CATEGORY 1. External Analysis 2. Internal Analysis DESCRIPTION OF RISK REGISTER NO. 1. Could renew licence 2. Decreasing intake from international students due to implementation of i-CGPA and VAL procedure 3. MQA accreditation withdrawal R 1. 1. 1 R 1. 3. 3 1. Decreasing intake from international students due to stringent procedure in getting VAL. R 2. 1. 1 Please refer to Risk register documents R 1. 3. 4
Template D CATEGORY OPPORTUNITY SUMMARY TYPE DESCRIPTION OF OPPORTUNITIES OPPORTUNITY REGISTER NO. 1. EXTERNAL ANALYSIS 2. INTERNAL ANALYSIS
Template E PLANNING TO ADDRESS THE RISKS Risks No: (From Risk Register) Strategy Initiatives Year/Period PIC KPI Target Achieved % of Success
Template F PLANNING TO ADDRESS THE OPPORTUNITIES Opportunity No: (From Opportunity Summary) Strategy Initiatives Year/Period PIC KPI Target Achieved % of Success
Treating Risk & Opportunity Workflow Identify External & Internal issues, risks and opportunities (including from interested parties) Use Template A Risks Opportunities List all risks in Risk Register List all opportunities in summary Use Template D Analyze Each Risk Use Template B Categorize Risk Accept Avoid Transfer Categorize Risk (L, M, H, E, TB) Reduce L = Low Medium, High, Extreme & Time Bomb List all Risks in summary Use Template C Monitor & Review Prepare & Execute Action Plans Use Template E & F
ISO 9001: 2015 Summary • ISO 9001: 2015 - Risk-based thinking standard • Intent - To ensure organizations consider risks and opportunities that could affect the results of their plan. • Objective Evidence: o Risk & Opportunity Analysis on External and Internal Factors o Risk Profile/Register o Risk & Opportunity Action Plan o Action Plans have been carried out
Thank You