Risk management

All Norwegian businesses are subject to the Internal Control Regulations. Section 5.6 requires that every business must map hazards and problems and, on this basis, assess risk, as well as prepare associated plans and measures to reduce risk conditions. This must be documented in writing. In addition, many companies have one or more ISO standards that they manage according to, which also require an assessment of the risks related to the themes in the standard. Working with risk consists of two main elements: Risk mapping and risk assessment.

In order to carry out a good risk mapping, you need to know all the processes in your business. There are various ways to get an overview of your processes. In our experience, we find it very helpful to draw up a process map, which we write about in our article on process mapping. When you have a comprehensive process map, it's easy to see which work processes are carried out in the business, and thus ask questions about the risks associated with each of these.

As mentioned above, the Internal Control Regulations state that all Norwegian companies are required by law to assess HSE risks and take the necessary measures to reduce them.

If you want to achieve ISO 9001 certification, you need to carry out risk mapping with regard to customer quality. Similarly, risk mapping for ISO 14001 with risk elements that threaten the external environment. Other standards deal with other risk categories such as IT security, food safety, finance, etc.

Note that ISO is clear that risk is not only negative, but can also be positive - in other words, you risk something in order to achieve something. If you want ISO certification, you also need to think about positive risks.

Our experience in 4human QM365 states that risk mapping is not a solo activity. One person can easily be blind to one angle. Several participants with knowledge of different aspects of the business often form a good working team. Note down all suggestions that come uncritically. Afterwards, they are merged and you can delete those that are not relevant.

Example of a risk matrix in 4human QM365's systems showing both positive and negative risk. (Click on the image to see a larger version.)

There are many types of matrices and tables where this is widely used. It is important that the meaning of each number in the scale is known. Those that end up green are under control. The yellow ones need action or improvement targets, and the red ones are intolerable and require immediate action. A good management system will give you an immediate opportunity to register measures and targets for a risk.

Risk assessment is not for individualists either. Here, teams should work together and assess each individual risk. These assessments are always subjective and therefore require multiple points of view to make them as realistic as possible. Again. Don't forget to consider positive risks if it's an ISO certification.

Through years of risk identification and risk evaluation together with customers, we have 4human QM365 has built up a solid experience that helps our customers do this work efficiently, thoroughly and systematically. With proper risk management, the possibility of damage and other losses to the business is significantly reduced.

Using our management system also provides a good overview of quality, the environment, HSE, emergency preparedness and other desired risks. Manage has a well-developed module for risk management that makes it possible to identify and work with measures in a structured methodology. All risks can be linked to one or more processes in the process map, making them visible to all employees in a simple and user-friendly way.

The risk overview in QM365 Manage gives you an easy overview of current risks in your business. You can also see trend graphs for each risk and the impact of implemented measures (Click on the image to see a larger version).