If ever there was a time for risk-based thinking, it would be now. During this strange season, the entire world seems to be shutting down as the pandemic disrupts lives and businesses.

If you’re familiar with ISO 9001, you’re no stranger to risk based thinking. But what exactly is risk?

“Risk is now defined as the “effect of uncertainty on objectives,” which focuses on the effect of incomplete knowledge of events or circumstances on an organization’s decision making. This requires a change in the traditional understanding of risk, forcing organizations to tailor risk management to their needs and objectives,” according to ISO.

In other words, make risk management work for your organization.

It’s never been clearer that risks are all around us. Now we’re steering clear of people on the street—during the rare times when we’re outside—and keeping our distance from friends and family. Today’s most obvious risk is a virus sweeping the globe. This was most likely an unforeseen circumstance for your organization, but perhaps you had considered other potential disruptions. After this is over—hopefully soon—there will be more risks in the future to keep in mind. And thus, thinking about risks is important.

As Toby Ord writes in The Guardian, “Because we cannot come back from extinction, we cannot wait until a threat strikes before acting – we must be proactive. And because gaining wisdom takes time, we need to start now.”

Have current events have made your organization realize that the risk based thinking done in the past could use some fine-tuning? Or perhaps you were already prepared for supply chain disruptions, business shutdowns, and enhanced health and safety practices. Either way, it’s not too late to start thinking about risks. Besides the more obvious health risks, there are a range of others to consider.

In these heightened times, it might help to look to WHO for guidelines in navigating this new world. The WHO offers some guidance on risk that is worth considering. In a document on quality risk management, it states: “It is not always appropriate nor always necessary to use a formal risk management process (using recognized tools and/or internal procedures, e.g. standard operating procedures (SOPs)). The use of an informal risk management process (using empirical tools or internal procedures) can also be considered acceptable. The two primary principles of QRM are that:

- The evaluation of the risk to quality should be based on scientific knowledge and ultimately linked to the protection of the patient.

- The level of effort, formality and documentation of the QRM process should be commensurate with the level of risk”

In other words, informal risk assessment can also get the job done. Talking it out with your colleagues and staff can be a helpful step when it comes to potentially minor disruptions. Consider procedures while someone is out of the office for business travel or a vacation, for example. Or, more seriously, a potentially unplanned medical leave. When considering natural disasters or more dramatic scenarios, obviously a more stringent approach is required.

The good news is, you may already be thinking about risk more than you realize. If you adhere to ISO 9001 requirements, you may be ahead of the game. According to BSI, “Risk-based thinking is something we all do automatically and often sub-consciously to get the best result. The concept of risk has always been implicit in ISO 9001 – this revision makes it more explicit and builds it into the whole management system.

• Risk-based thinking ensures risk is considered from the beginning and throughout the process approach

• Risk-based thinking makes proactive action part of strategic planning

• Risk is often thought of only in the negative sense. Risk-based thinking can also help to identify opportunities. This can be considered to be the positive side of risk.”

Once you’ve done your risk assessment and concluded the meetings and planning sessions, you can give yourself a pat on the back. But know that this is not the end of the process. Much like continuous improvement, there’s really no finish line when it comes to considering and acting upon risks.

As Miriam Boudreaux of Mireaux Management Solutions writes, risk assessment is not a one-time thing. She suggests it could be a yearly event but also offers suggestions on how to keep risk assessment up to date:

  • Schedule a review of the Risk Assessment matrix once a year. 
  • Schedule a risk assessment with every MOC [management of change].
  • Special circumstances. 
  • Management Review.

The current COVID-19 situation seems to be a perfect example of special circumstances. Let’s hope we don’t have to face another pandemic for a long, long time to come. Imagine a time when face to face human contact is natural and doesn’t feel so fraught. The world is obviously changing, in new and unexpected ways. But if you’re ready for the changes, it isn’t such a scary landscape.

As we now know, organizational threats can come from competing businesses, disruptive new technologies, or even a global health crisis. But with enough foresight and planning, your organization will be prepared to weather any kind of storm.