Risk Management

Although I have called this section ‘risk management’, we need to be clear right away: formal “Risk Management” is not a requirement of the Standard. What is required is something called ‘risk-based thinking’. For simplicity, I will refer to risk management, but please remember, we are not talking about formal risk management, but about ‘thinking about risk’ or ‘taking risk into account when planning, operating and reviewing your quality management system’.

Now, having a suitable method or methods to manage risk in any business or other organization makes good sense. And it isn’t as complicated as some people try to make it.

The view that the Standard takes is that 9001 was always about risk – after all, having a robust quality management system is one way of reducing risk. The difference is that now there is a specific requirement to consider risk, and that a new and somewhat vague term was introduced: ‘risk-based thinking’.

Now there are a couple of things in this version of the Standard that I think could have been done better. This is one of them: coming up with a new definition of risk as ‘the effect of uncertainty’ (ISO 9000:2015) rather than using the one that is already in the Risk Management Standard, ISO 31000.

And leading on from that new definition, the Standard also wraps risks and opportunities in together, on the basis that risks aren’t always negative and that opportunities can involve risk. Incidentally, this led to lots of spluttering and spirited debates across the world, especially from professional risk managers.

Let’s run through an example, to illustrate what all this might mean in practice. Consider a small architectural practice, with 2 owners and a small staff. The owners – practicing, registered architects – do their planning for risks on two main levels.

First, there is the project-based level, where they analyze each project they bid for, to help them consider their pricing and whether there is anything that suggests they need to build a greater buffer (contingency) into their fee structure. For example, compare a design job for a builder they haven’t worked with before and don’t know anything about with a job for a local government. They would identify financial risk/nonpayment as a much more likely risk with the builder than with the government job, but with the latter there is a much greater likelihood of an extended engagement period, given that local governments often want to build in consultation periods with local people. And they ‘promote’ this kind of thinking with their own staff, through example and project discussions.

The other level they plan at is the company level: risks to the company itself. Here, they have identified professional liability as an obvious risk, but also losing key staff. Finding and attracting suitably qualified young architects is difficult.

They have integrated this kind of thinking into their practice: a risk assessment is part of the brief and thinking for every project. At the company level, they do an annual risk assessment, and revisit it during the year if things change.

There are various ways they address these risks. They balance their project portfolio, to ensure a mix of work from builders and developers with government jobs. They require an initial deposit up front from all clients, break the work into stages, and manage finances to ensure that payments are received on agreed milestones. They pay a lot of attention to staff development and coaching, to help make the practice an exciting place to work for young architects and give them a chance to stretch their skills and learn. They hold regular staff events, actively seek feedback from their staff, and take it into account in their practice.

Their evaluation to date gives them confidence that this approach has worked for them, as they have had no major financial losses, they have been able to manage the flow of work, and they do not have high staff turnover.