Many organizations are getting prepared for the upcoming ISO 9001 changes 2015. There are many…
The Effects of Uncertainty
ISO 9001:2015, clause 6.1 requires an organization to identify its risks and take actions to address identified risks. It is very tempting to start with a huge list of potential risks for the organization, but is the organization focusing on the actual risks that have an effect on their operations? To perform an effective risk assessment, an organization must first identify the uncertainty in its processes. Once the uncertainties are identified, then mitigation controls can be targeted at the effects of the identified uncertainty. Failure to identify the uncertainty first could lead to flawed risk identification and non-value-added risk mitigation controls. The approach defined in this article will lead to more effective and meaningful risk identification and mitigation. How does an organization identify its uncertainties?
What is Uncertainty?
Before we go any further, there are two definitions that I must define to put this concept in perspective. These terms are uncertainty and risks. Uncertainty is defined as, “something that is uncertain or that causes one to feel uncertain”. Risk is defined as, “the effects of uncertainty”. Now that these two terms have been identified, its clear why an organization must start with defining the uncertainty within its processes, before attempting to identify its risks or the effects of that uncertainty. An organization that doesn’t start with identifying uncertainty, will define false risks and miss actual risks that are actually having an effect on their organization. There is uncertainty in all organizational processes. The effect of this uncertainty is what plagues the organization and its interested parties, so we must identify the uncertainty first.
Identifying Uncertainty Then Effects
The identification of uncertainty first, is critical to effective risk identification. Here is a simple example, to explain the importance of identifying the uncertainty first. Let’s say an employee identifies the risk of being late to work, but doesn’t start with identifying the uncertainties involved with the risk of being late to work. Some uncertainties of being late to work may include: traffic, mechanical issues, weather, running out of gas, getting into an accident and many other uncertainties. The effect of any one of these uncertainties, could result in the risk of the employee being late to work. Each of the uncertainties of being late, will require its own risk mitigation to address the effect of being late to work. The employee may have put a risk mitigation in place for traffic, but failed to think about getting into an accident; therefore, the risk of being late to work, may not be effectively mitigated. If the employee identifies all of the uncertainties first and then develops risk mitigation and contingencies for each uncertainty, the employee will drastically reduce the probability and the effect of being late for work. Let’s apply this concept to an organizational process.
Mitigating Effects of Uncertainty
Here is an example of an uncertainty that can impact every organization. Consider the uncertainty involved in the employee hiring process. There are many effects of uncertainty or risks involved in this process, which can have an effect. As explained above, the organization should first start with identifying the uncertainties and then identifying the effects of the uncertainties or risks. Here are a couple of uncertainties involved with the employee hiring process.
-Candidate may not fit organizational culture
-Candidate may not be qualified
The effect of these uncertainties or risk, is that the organization may not hire the right candidate, but the organization can’t start with the risk, the organization must start with identifying the uncertainties, to reduce the probability and effect of the risk on the organization. If the organization simply starts with the risk, it may fail to put risk mitigations or contingencies in place, to address the effects of the uncertainties listed above. For example, what if the organization simply attempts to mitigate the risk by having candidates complete an application and go through an interview? This mitigation control may help reduce the probability and effects of the risk, but there are many organizations that hire candidates using these controls and employee don’t fit their culture and are not qualified. This is because the risk mitigation was focused on the risk and not the uncertainty. To address the uncertainty of the candidate not fitting the organizational culture, the organization may conduct a committee interview or have the candidate take a personality test. To address the uncertainty of the candidate not being qualified, the organization may call references and request proof of credentials. Both of these risk mitigations, would go a bit further than the application and interview controls. Once the uncertainties and their effects are identified, the organization is now in a position to identify effective risk mitigations, which will target the effects of uncertainties, as opposed to a list of risks.
In conclusion, risk mitigation is more than simply writing a random list of risks. An organization must first identify the uncertainties within its processes. Once the uncertainties are identified, the organization must then identify the effects of the uncertainties. These are the risks that will and most likely are having an effect on the organization. Focusing on the uncertainties and their effects will allow an organization to implement a more robust and proactive risk mitigation program.
Oscar Combs, Senior Consultant of The ISO 9001 Group, a management consulting, auditing and training firm based in Houston, Texas. Oscar has over 23 years of experience working with management systems. Oscar has worked with clients throughout North America, South America, Europe, The Middle East, Asia and Africa helping companies manage risk and improve their business operations. Oscar holds an MBA from the University of Houston. He is certified by Exemplar Global as a Principal Management Consultant and Lead Auditor. Oscar is also a Senior Member of the American Society for Quality and has served as the Programs Committee Chair for ASQ’s Houston Chapter 1405.