Risk management from multiple models' perspective

Opportunity for a risk lies in every field of operation.  Risk could arise from different contexts related to project management, safety, security, quality of product etc. But in majority of the cases risks are not identified on time and thereby leading it to become a problem in future.

There are a wide variety of standards or models emphasising the importance of risk management, using frameworks like Quality Management Systems (QMS), Information Security management System (ISMS), Environmental Management System (EMS), Safety Management System etc. Among the different standards which talk about risk management, the standard- ISO 31000 tries to build a uniform platform for the risk management activities irrespective of the industry or sector. ISO 31000 does not enforce any framework; it just codifies some good practices.

The contextual definition of risk could be varying from standard to standard. But every risk management procedure starts with risk identification, then risk assessment (assessment includes analysis and evaluation) and ends with risk treatment activities.

This article tries to analyse the perspectives of risk management from a QMS, ISMS, and safety management System framework constituted by different standards/models. We need to know how each standard / management system treats the risk. For this first of all we need to know the crux of each standard. A brief overview is given in the below diagram.

Definition of risk varies based on different management systems as stated above.

  • ISMS talks about risks associated with the security of information assets.
  • QMS talks about risks associated with the quality , scope and time related aspects of product
  • SMS talks about risks associated with the safety of product.

Information Security management and Risk Assessment

  • Risks assessment starts with asset management. Identify the various assets in the organization. Rate the assets numerically based on their Confidentiality, Integrity and Availability values.
  • Define a threshold value for assets above to which risk analysis and further actions needed.
    • i.e. if the assets value is greater than the threshold value, do the risk analysis
  • Identify all possible sources of threats and vulnerabilities which cause adverse impact to the asset.
  • Compute the risk value based on probability of occurrence of each cause, impact and detectability of the risk.
  • Define a threshold value for risks above to which further actions needed.
    • i.e. if the risk value is greater than the threshold value, do the risk treatments which include risk acceptance, avoidance or transfer.
  • Even low value of risk over long time will become a problem. So business continuity needs to be planned accordingly.

Quality Management and Risk Assessment

CMMI provides a proactive management through the level 3 process area “RSKM”.

The QMS defined using ISO 9001 addresses risk management indirectly. It has got a clause on Preventive action. Actually it is the same risk management.

For more information, refer the article Risk Management

Safety Management and Risk Assessment

  • There are a number of standards giving emphasis to safety aspects. Food and Drug Act (FDA) talks about risk assessment for food safety. ISO 13485 talks about hazard analysis and risk classification of medical devices or services
  • These Standards recommends FMEA kind of analyses and corresponding treatment plans.
    •  Identify all the safety related requirements, analyse their failure modes, analyse their impact ( FMEA kind of analysis)

Clause or Process Area mapping of standards/model against risk management process