The Risk Management

Handbook — Supporting a
Quality Culture Across
Your Business

Risk-based thinking is fundamental to quality culture,

and involves extending risk management across all your
operations. In this guide, we show you how.

etq.com
Risk-based thinking applies the concept of risk
to quality and EHS processes, so that there is
a common language and metrics for assessing
how those processes are meeting their goals

Tim Lozier, Director of Product Strategy, EtQ

2
 etq.com

Foreword

There is now a high level of

complexity in how companies are
organized – there are more mergers
and acquisitions, production is
executed on a global scale, supply
chains are more complex and
competition is intensifying.

Add to this the increasing pace of change in the

The big challenge now

business environment. Competition is leading to
shorter product lifecycles, increases in product
complexity and a wider variety of goods in

for many businesses is a broader range of areas. At the same time,

regulations are constantly evolving to reflect
these changes.

how to implement risk.

Tim Lozier, Director of Product Strategy, EtQ

3

The current challenge for businesses is how
to maintain a strong level of compliance
where there is greater uncertainty,
complexity and ambiguity in both the
internal operational context and the broader
external environment. Businesses have
begun to recognize that succeeding under
these conditions will involve a company-wide
commitment to realizing strategic goals,
where there is a high degree of coordination
and collaboration between functions, with
quality as a common principle.
This is leading to a shift in mindset around
quality and compliance. Quality is extending
its scope from the development and delivery
of products and services, and is addressing
strategic objectives across the organization. A
broader range of stakeholders now engages
in quality management, and this is how quality
has become a culture. This quality culture
involves setting high bars for performance
throughout the organization, whether that’s
for quality, environmental performance or
safety.
As a result, businesses need a systematic
and objective way to measure themselves,
not just within quality and compliance but
across all operations. Risk-based thinking is
etq.com
establishing itself as the proven approach.
Risk is a concept that is universal to most
organizations – most people speak risk, even
if they don’t speak quality or environmental
performance.
Risk-based thinking applies the concept of
risk to quality and EHS processes, so that
there is a common language and metrics for
assessing how those processes are meeting
their goals. It allows a company to normalize
how it communicates its measures of
operational efficiency to more people within
the organization.
4

So risk is no longer confined to Governance,
Risk and Compliance (GRC) but instead is
becoming embedded in all aspects of the
business, as operational risk management.
Quality, EHS and compliance are viewed
through the lens of risk to improve the
efficiency of their processes. There is greater
visibility and more control, leading to better
decisions. Businesses are able to translate
what they do on an operational level to a risk-
based paradigm.
The big challenge now for many businesses
is how to implement risk. This guide will help
you start your risk journey. We will provide an
overview of the most critical risks businesses
face today and show you how to apply risk-
based thinking to your processes. We’ll look
etq.com
at a real life example and take you through
the issues you need to address in order to
develop the people, processes and systems
essential to establishing a risk-based quality
culture across your business.
Tim Lozier, Director of Product Strategy, EtQ
5
 etq.com

EtQ’s Tim Lozier and Richard Steurer explain how risk-based

thinking leads to better business decisions.

Watch now

6
 etq.com

Fostering Risk-Based Thinking

Across Your Business

7

Starting Your Risk Journey
Many companies express a certain trepidation when it comes
to understanding and starting their risk journey.
etq.com
They are unsure of how to find risks and how
to measure them.
However, the reality is that most companies
already undertake some sort of risk
management. All that the risk-based approach
requires is to apply that to your existing
processes. That’s the real value of risk
management.
Risk, in a nutshell, is the identification of
hazards and harms to an organization. You
start your implementation by simply asking
– what is the hazard? What is the likelihood
that something like this will happen, and
how severe might the outcome be? And then
you measure it quantitatively using a risk
assessment tool, such as a risk matrix.
This enables more systematic and objective
decision-making, while helping to translate
the concepts of quality and EHS to a larger
group of people in the organization so that
everybody is involved.
8

The problem is that
people’s assessment of
risk and approach to
managing it are dependent
on how they experience it.
Compliance professionals
will focus on regulation,
the IT department on
cybersecurity, quality
managers on eliminating
human error.
The result is too many
subjective judgments and
internal silos managing
multiple risks, which
The Risk Conversation though all different, are all
related. With little or no
communication between
the groups, or an integrated
methodology to holistically
Risk is pervasive throughout all areas within an organization, manage the risk, the
from quality to EHS, to IT and the supply chain. business is left exposed.
etq.com
Risk management provides
a unified understanding
and universal methodology
for addressing these
varying factors.
The risk conversation brings
together all your key risk
people who then ask – how
do we find our risks? How
do we identify what’s a risk
and what’s not a risk? And
then how do we measure
that? Cutting across
functional boundaries to
understand how various
risks interrelate will help
you develop a system to
identify, assess and judge
the collective effect they
have on the organization’s
overall level of risk. This is
how risk management can
be brought into line with the
business’s strategic goals.
9
 etq.com

Identifying Critical Risks

In today’s volatile business environment, risks are becoming more unpredictable
and harder to identify. Even worse, new technologies are serving to amplify their
negative effects. To help you focus your risk conversation, we’ve identified the three
most critical risks emerging from current conditions.

10

Reputational Risk
Damage to brand and reputation is
the highest ranking concern globally,
according to Aon’s 2017 Global Risk
Management Survey.
Reputational risk has been greatly amplified
by new technologies, such as social media,
where a crisis could spread globally within a
matter of hours, or even minutes.
New threats are emerging alongside the
traditional threats of defective products,
poor customer service, workplace accidents
and the like. Damage to reputation can now
occur because of an inappropriate tweet by
an employee, or through social media posts
complaining of poor workplace practices. As a
etq.com
growing number of people are choosing social
media over traditional sources as their main
source of news, fake news has emerged as a
significant risk to reputation.
The speed with which damage to reputation
escalates means that businesses are often
forced to respond in real time. It is therefore
critical that your business has a robust
reputational risk strategy in place.
11
 etq.com

Regulatory Risk

Significant changes to regulations are occurring

in response to the growing threats posed by
cyber crime and data breaches. Companies
are now held to account for securing digital
infrastructure and sensitive information.

In 2016, the EU adopted the Network and Information

Security Directive (NIS), commonly known as the EU
Cybersecurity Directive, which sets minimum security
standards and incident reporting requirements for
critical infrastructure operators such as energy,
health, transport and financial services, as well as for
key internet companies and public bodies.

Where the security of personal data has been

compromised, the EU’s new General Data Protection
Regulation (GDPR) applies, which requires the data
controller to report a data breach without undue
delay and notify data subjects in the event that they
could be adversely affected by the breach.

12
 etq.com

The regulation proposes stiff penalties

for non-compliance:
5% of a firm’s annual
turnover or €100 million,
whichever is greater.

Despite leaving the EU, UK companies will
still be subject to these regulations if they do
business with EU companies. Most likely, the
UK will implement similar domestic laws in
order to remain competitive, otherwise they
may face restrictions on the transfer of data
from the EU.
Both these measures will require businesses
to take appropriate technical and
organizational risk management measures,
including measures to prevent and minimize
the impact of incidents, as well as report
serious incidents to national competent
authorities.
Effective regulatory compliance management,
especially in heavily regulated industries such
as life sciences, has become a competitive
advantage for today’s businesses. For this
reason, regulatory risk should feature in the
risk conversation as well as the formulation of
business strategy.

13
 etq.com

Environmental Health & Safety

Risk (EHS)

Aon’s global risk survey indicates a growing risk of third

party liability – the injury, loss or damage caused to a third
party as a result of action, inaction or negligence.

Consumers worldwide are the services they provide or the

becoming increasingly litigious,
especially since many more
governments have broadened
their consumer rights laws and
are imposing stricter liability on
product and service providers.
Compensation culture is
spreading globally, so that class
actions and punitive damage
awards are now more evident
outside of the U.S., particularly
in Europe and Latin America.
Businesses face heightened
exposure to this risk, through
products they manufacture. Aon
reports that that life sciences
and healthcare companies
around the world have reported
the highest incidence of lawsuits
against them in recent years.
As a result, businesses need
to implement preventative
measures when it comes to
EHS. It is no longer effective to
respond tactically to incidents
after they have occurred. Risk
management provides the
means for a proactive approach.

14
 etq.com

Risk Assessment Tools

After identifying your risks, you need to quantify them. Risk assessment
tools take the subjectivity out of this process by providing the means to
systematically measure risk.

15
 etq.com

Risk assessment is effective because it is:

Repeatable Objective Consistent

It uses the same methodology for
categorizing all adverse events within
the system, regardless of how and when
they occurred.
It systematically quantifies the necessary
action to be taken as opposed to more
subjective methods, which can differ
depending on perceptions, human factors
and similar constraints.
The tools are formulaic in nature and
are designed to produce an objective
and consistent result every time.

16
 etq.com

Which risk assessment tool you use depends on the complexity of the
risk you are trying to measure and how much data you have to guide your
decision. The four main risk assessment tools are:

Decision Tree of action. Each possibility branches

out into further possibilities until
you reach defined endpoints,
often with a total cost assigned
A Decision Tree looks like a flow
to each outcome. Change
chart and typically can take one of
management is one area where it
two forms:
can help mitigate risk.

1. Exploring the outcomes of

In addition, it can help people
various alternatives
apply company policies to a
situation, through a series of yes/
2. Providing a set of questions
no questions. This is an effective
to help people make the right
means of managing the complaint
choice. It is easier to integrate
management process. Each
with everyday processes where
question is a different node on the
there are limited options
Decision Tree, where the endpoint
tells the person how to handle
The Decision Tree can be
the situation, for example raising
used to quantify the costs and
a Corrective Action (CAPA) or
consequences of different modes
notifying the regulators.

17
 etq.com

Risk Matrix

The Risk Matrix is designed to help you calculate risk across various
outcomes, which then gives you clear guidelines on whether that
risk is acceptable or unacceptable. It defines risk as the probability
of a hazard occurring, multiplied by its impact. It plots five levels of
severity against five levels of frequency in a color-coded chart to show
overall risk for different situations, like so:

The quantified risk falls into one Management System (EQMS)

of three zones:
• Red – High risk, considered
unacceptable
• Amber – Moderate risk,
which may or may not be
considered acceptable
or Safety Management System
will allow you to quantify the risk
associated with adverse events
and incidents. You can then
filter and search for the high-risk
issues that need to go through
the Corrective Action (CAPA)
process first.

• Green – Low risk, Be sure to vet the matrix using

considered acceptable real-world examples drawn from
historical data so that you can
Using the Risk Matrix tool from be confident it fits the context of
within your Enterprise Quality your actual operations.

18
 etq.com

Bowtie Risk to minimize the impact if the event

actually occurs.
• Poor storage of flammable materials

• Bad maintenance of electrical points

An example could be fire safety in a storage
Bowtie Risk is a proactive risk assessment
facility, where the undesired event would be Then you would put in controls to block
tool. It helps overcome the situation where
an out of control fire. You would first consider those threats to reduce the risk of them
the business has very little data on the
potential threats that could lead to this occurring. If, despite this, a fire does break
potential of a critical event, where the
outcome: out, you would have recovery controls in
consequences of that event are catastrophic.
place to prevent it becoming catastrophic
The tool constructs a scenario where such
• Smoking – fire alarms, fire extinguishers, a sprinkler
an event might occur, then puts preventative
system, a fire marshal. So even if the event
controls in place to mitigate the risk of it
• Poor storage of packaging waste still occurred, there would be barriers in place
happening. It also plans recovery controls
to make sure the risk was minimized.

19

Failure Modes and Effect Analysis (FMEA)
FMEA enables you to identify risks early on
in your design process. It is far more cost-
efficient than finding adverse events post-
market. It is particularly effective if you have a
lot moving parts in your supply chain.
This tool looks into the design of a product to
determine potential failure points and then
outlines steps to mitigate the effects of
these failure points. FMEA is used to foresee
failure and allows an organization to take
action before the product is even produced.
It approaches risk from every possible angle
of product design, considering each and every
element and asking – where are the potential
failure points of the component? It then looks
into how these failures can be avoided. The
end result is a product that has been
etq.com
analyzed to the core, with the risk assessed at
each possible point of failure.
Analyzing risk in design helps to anticipate
failures, serving as a proactive approach
to risk.
20
 etq.com

They are there to support decision-

making by reducing subjectivity,
standardizing responses and providing
quantitative justification for them. For
true effectiveness, you need people on
the other end interpreting the results.
They know the business, understand the
hazards and can help determine how to
make risk work for your organization.

A good approach is to assemble a risk

team, drawn from across all functions
of your organization, to review the
different risk outcomes, build risk
treatment options and define actions

Risk Management to treat those risks. Treatment of risk

should be a combination of people,

Best Practices process and tools.

Furthermore, effective risk management

depends on a high level of visibility and
control. These three best practices
These risk assessment tools on their own are
are essential for delivering mature risk
not the solutions to managing risk.
capabilities:

21
 etq.com

Incident Reporting

Introducing risk-based thinking into

incident reporting will change it from a
reactive process into a more powerful
means of improving safety. Rather than
focusing on incidents that have already
happened, it will help you look forwards,
to stop problems occurring in the future.

The risk-based process tracks leading

indicators, like near-misses, which
provide valuable data helping to identify
where incidents might occur in the future.
By expanding your definition of incidents
to include near-misses, you immediately
increase the size of your dataset and its
predictive power. Near-misses should
not be passed off as just a lucky break.
Viewed from a risk perspective, they are a
warning of things to come.

22

Corrective Action (CAPA)
Applying a risk-based methodology to the
CAPA process ensures that the CAPA has
been truly effective, thereby lowering the
likelihood of the problem persisting or
recurring. According to this method, once
an intolerable risk has been treated via the
CAPA process, a second risk assessment is
carried out to measure risk mitigation as a
result of the corrective action.The Risk Matrix
is applied to the Corrective Action (CAPA) to
measure its severity and frequency in order
to determine whether it has reduced risk to
within acceptable risk tolerances.
If so, then the event is considered to be
corrected. If not, then it is sent back to the
beginning of the CAPA process and reworked
until it is corrected within the business’s risk
etq.com
tolerance and quality standards.
This concept of risk mitigation provides
objective evidence that the event was
corrected effectively and within acceptable
risk levels.
The risk mitigation history is automatically
displayed throughout the lifecycle of the
complaint, so that any risks associated with
the complaint are traceable and reportable.
23

Risk Register
The effectiveness of your people’s ability to
manage risk rests on the quality of the data
available to them. As the business measures
risks and takes actions, it is building its own
risk history. It should draw data from all its
operational areas to see the full picture, and
record all types of data, including near misses,
not just the critical ones. This data should
then be stored in a centralized location – the
Risk Register – to provide visibility into risk
within the whole organization.
The Risk Register is literally a library of hazards
that takes risk data from all events, such as
Job Safety Analyses, incidents and adverse
events. As a centralized hub, it will give you
visibility into risks within all operations. Events
with similar risks can be handled in the same
etq.com
manner, meaning that problems can be
handled more efficiently.
Your Risk Team will use this historical data
to help fine-tune its risk picture and ensure
accurate results. They can examine how risk
management has evolved over time, spot
trends, analyze high risk areas and determine
those areas needing more oversight. The
Risk Register helps the business refine its
operations, informed by its risk history.
24
 etq.com

Risk-Based Quality Culture

Risk-based thinking is fundamental to building a quality culture. The
overall goal of risk management is to identify risk, mitigate that risk and
then prove that the risk was reduced.

25

It recognizes that risk is not just limited to
quality management or EHS, but is pervasive
throughout the organization.
With concepts and language already widely
understood and systematic, repeatable
processes, it is possible to manage risk from
an enterprise perspective and implement
controls on a strategic level to mitigate it.
By taking a holistic view of risk, businesses
can see how risks that occur in one area of
the enterprise can be tied to risks in another.
Pinpointing these similarities can help the
organization to identify trends in risk, and put
processes in place to mitigate the chance of
these risks recurring.
Furthermore, defining risk across its operations
allows an organization to standardize risk
across the enterprise and come up with a
common method for managing it.
etq.com
Risk management grants the business control • Generating actionable data from key
over its processes to drive improvements performance indicators (KPIs)
and the visibility needed to make better
decisions. It drives operational excellence by • Collaboration among cross-
promoting efficiency and consistent execution functional teams
of operations through:
• Standardization of systems to
increase reliability
• Closed-loop processes that enable
continuous improvement
• Proactive risk management that goes
beyond compliance
26
 etq.com

Standard in Focus
ISO 31000 Risk Management
ISO 31000:2009, Risk Management – Principles and Guidelines, provides
the principles, a framework and a process for managing risk.

27
 etq.com

In order to develop and thrive, all enterprises need to

identify, understand and manage risk. However, many ISO 31000:2009
of them lack guidance on how to manage risk and as
provides a proven, robust and
result do not engage in a formal risk management
process or develop effective means of treating risk. reliable approach to managing risk.
ISO 31000:2009 provides a proven, robust and reliable
approach to managing risk. It can be used by any
organization, regardless of its size, activity or sector.

ISO 31000:2009 is a high-level By aligning risk management with

set of principles and guidelines
on how to implement risk
management. The standard cannot
be used for certification, but
instead organizations can compare
their risk management practices
with its internationally recognized
benchmark, providing a sound set of
principles for effective management
and corporate governance.
ISO 31000:2009, organizations
will implement risk management
consistently and effectively. Using ISO
31000:2009 can help organizations
of all sizes increase the likelihood of
achieving their objectives, improve
their identification of opportunities
and threats, and allocate and use
resources more effectively for
risk treatment.

28

ISO 31000 is currently being
revised in order to make it even
easier to use. The revision seeks
to make risk management as
straightforward as possible
by using simple language to
express the fundamentals of
risk management in a way that is
coherent and understandable to
users. The text has been reduced
to its fundamental concepts to
create a shorter, clearer and
more concise document that is
easier to read whilst remaining
widely applicable. It aims to
help risk experts and other
stakeholders communicate
better with each other.
More complex terms will move to
ISO Guide 73, Risk management
– Vocabulary, which deals
specifically with risk management
etq.com
terminology and is intended
to be consulted alongside ISO
31000.
The revised standard includes
a number of substantial
improvements, such as the
importance of human and
cultural factors in achieving an
organization’s objectives and an
emphasis on embedding risk
management within the decision-
making process. However, the
overall message of ISO 31000
remains the same – integrating
the management of risk into
a strategic and operational
management system.
29
 etq.com

Case Study
Maple Leaf Farms Selects EtQ Reliance
to Standardize Enterprise-Wide

30

Maple Leaf Farms, Inc. is a
leading producer of quality
poultry products, supplying
retail and foodservice markets
throughout the world with
innovative, value added foods.
Founded in 1958, Maple Leaf
Farms, Inc. is a fourth generation
family-owned company that
also markets innovative natural
animal health products and
services through its MLF Biotech
division, and an integrated duck
production system, INDUX®
through its international division.
The company was aiming to
become a Global Food Safety
Initiative (GFSI) facility, yet had a
growing problem with document
control and record keeping. It
also lacked an effective system
to organize data, monitor
training and generate reports in
a timely fashion.
etq.com
EtQ was able to help
the business with our
automated Enterprise
Quality Management
System (EQMS) that
offered them integration,
flexibility, the ability to
customize, a Web-based
portal, mobility and
extended software uses
beyond the initial model.
31
 etq.com

Now the business has Maple Leaf Farms, Inc. plans

overcome its initial
challenges. Customer Service
is able to use the platform
to enter complaints directly
into the quality system,
while Quality Assurance can
directly initiate Corrective
Actions (CAPAs) from the
system. Not only has this
vastly reduced their use
of paper, but it has helped
them resolve events faster
and more effectively.
to fully integrate its risk
management processes into
its EQMS. They recognize
that Risk and Quality go
hand-in-hand. Reducing
risk leads to higher quality
products – higher quality
leads to lower costs, stronger
brand equity and increased
demand.

The business has also

implemented Document
Control in order to
standardize documents
worldwide. This will help
them prepare for GFSI audits
as well as with customer and
supplier audits.

32
 etq.com

Innovation Trend
The Risk Register

33
 etq.com

As you measure risk and take actions you’re

building a history of risk within your organization.
This is valuable data that can help you fine-tune
operations based on your history of risk.

The Risk Register automatically gathers this
risk data from all operational areas and stores
it in a central repository. Not all areas will
assess risk in the same way, but when data is
stored in a common location, businesses can
see how risk management has evolved over
time and analyze trends to identify high risks
that would otherwise remain hidden. With
greater visibility, the business can improve
operations using risk as a benchmark for
overall compliance.
The second function of the Risk Register
is to provide a library of hazards. This is
a centralized reference for all the known
hazards in different areas of the business. It
provides a useful collection of information
for using hazards to identify risks. The Risk
Register helps the business make better
decisions faster. As more and more events,
incidents or complaints enter the system, a
risk history is building – a growing knowledge
base of events with similar risk levels.
This becomes a crucial reference point for
building a quality culture. Any event with
a similar risk can be handled in a similar
fashion, standardizing and streamlining the
process. By referring to the knowledge base,
the business can take action much more
quickly, and handle problems more efficiently.

34

An automated Risk Register is a very
powerful tool for planning your risk
management efforts and managing them
over time. It can be linked to modules within
Quality, EHS and Compliance Management
Software systems. The result is an integrated
risk assessment tool that calculates the
risk of quality events at every step of the
process, thereby improving overall quality
and reducing recurrence of critical events.
This risk-based filtering allows businesses to:
• Automatically segregate and
categorize events at the source
module level (Complaints, Audits, etc.)
• Automatically identify and display
risk assessment for related events
• Perform an initial risk assessment
to allow early closure of non- risk-based quality culture.
critical events
etq.com
• Calculate risk assessments
throughout the process to guide
decision-making
• Fully investigate the overall impact
of events with step-by-step root
cause analysis
• Automate lookup and display of
related investigations and Corrective
Actions (CAPAs)
• Generate a comprehensive risk-based
CAPA ‘action and effectiveness check’
plan with risk mitigation history
The Risk Register provides the business
with a means of checking and refining the
effectiveness of all its risk management
procedures and the controls it has
implemented. It is therefore essential to any
35
 etq.com

Frequently Asked Questions

About Risk Management

36

What is a quality culture?
A quality culture is one that pursues
continuous improvement across all the
organization’s activities through a program
of operational excellence. Operational
excellence is about executing the business’s
strategy more efficiently, consistently and
reliably than its competitors.
What role does risk-based thinking
play in a quality culture?
Risk is a concept that is universal to most
organizations – most people speak risk, even
if they don’t speak quality or environmental
performance. Risk-based thinking provides
a systematic and objective methodology for
measuring performance, not just within quality
and compliance but across all operations.
What are the core benefits of the
risk-based approach?
Risk provides metrics and a common
language for assessing your businesses
processes. It allows a company to normalize
how it communicates its measures of
operational efficiency to more people within
the organization. Risk management delivers
greater visibility and more control, leading to
better decisions.
What’s the difference between a
hazard and a risk?
The terms hazard and risk are often used
interchangeably, but they mean different
things. A hazard is a condition or situation
that creates the opportunity for a problem to
occur – a potential, but not a possibility. Risk is
the likelihood that the hazard will lead to that
negative consequence. Some hazards pose
no risk, if there is no probability of exposure
etq.com
to that hazard. Risk management is knowing
what those hazards are and estimating the
probability of each one manifesting itself.
What is the risk conversation?
This is a collaboration between key risk people
from across your organization, including your
supply chain, to identify risks and use objective
and systematic means of measuring them. Its
purpose is to cut across functional boundaries
to understand how various risks interrelate, in
order to develop a system to identify, assess
and judge the collective effect they have on the
organization’s overall level of risk.
What are currently the three most
critical risks that every business
should address?
Reputational risk, compliance risk and
EHS risks.
37

What are the most effective risk
assessment tools?
Decision Tree, Risk Matrix, Bowtie Model
and Failure Modes and Assessment Analysis
(FMEA). Hazard Analysis (HACCP) is also widely
used in the food and drink industry.
After performing a risk
assessment, can I consider my risk
effectively managed?
No. Risk tools alone will not solve your risk
problem. You need people to interpret the
results. Assemble a risk team, drawn from
across the functions of your organization, to
review the different risk outcomes, build risk
treatment options and define actions to treat
those risks. Treatment of risk should be a
combination of people, process and tools.
etq.com
How can I make my risk What process should I use to
management team more effective? implement a risk-based approach?
Provide them with a high level of visibility Use the Plan-Do-Check-Act (PDCA) protocol
and control with automated tools and best central to operational excellence programs.
practices, such as incidence reporting that It is an iterative process which you can keep
includes near-misses, a centralized Risk reapplying to your risk management practices
Register and a CAPA process that includes to continuously improve your approach to risk.
risk-based verification to ensure the risk has
been effectively managed.
Are there published guidelines for
adopting a risk-based approach?
Yes, the ISO 31000 standard provides a high-
level set of principles and guidelines on how to
implement risk management. By aligning risk
management with the standard, your business
will increase the likelihood of achieving your
objectives, improve your identification of
opportunities and threats, and effectively
allocate and use resources for risk treatment.
38
 etq.com

Implementing risk-based
thinking across your business
may seem like a daunting task.
However, by breaking down the
process into four basic stages
using the Plan-Do-Check-Act
(PDCA) methodology that
makes operational excellence
programs so effective, you can
make meaningful progress.
What’s more, PDCA is an
iterative process – you can
keep reapplying it to your
risk management practices

Industry Tearaway to continuously improve your

approach to risk.

We’ve outlined an essential

A Checklist for Strengthening checklist to help you along.

Risk-Based Thinking in Your Business

39
 etq.com

Assemble your key risk people from across all areas

of your organization – including your supply chain.

Identify hazards in your business. Remember, a

hazard is a condition or situation that creates the
opportunity for a problem to occur – a potential,
but not a possibility.

Estimate the probability of each hazard occurring,

in order to identify your risks. Risk is the likelihood
that the hazard will manifest itself and lead to a
negative consequence.

Determine how to quantify those risks in a

systematic and objective way. Severity and

1. Plan probability are useful scales.

Understand how to leverage technology to support

your risk management system.

40
 etq.com

Train your people on how to execute your plans,

including senior management. Good leadership is
essential to the risk-based approach.

Record your identified hazards in your Risk Register,

so everyone has access to them.

Implement a process for evaluating and assessing

the risk using risk assessment tools, such as the Risk
Matrix or Bowtie Risk.

Integrate your risk assessment tools with your

management systems, such as Quality and EHS, so
you can quantify the risk associated with adverse
events and incidents.
2. Do
Filter and search for the high-risk issues that need to
go through the Corrective Action (CAPA) process first.

41

Vet your risk assessment
tools using real-world
examples drawn from
historical data to ensure
the tools fit the context of
your actual operations.
Audit your risk processes
to ensure that high-risk
events are not being
overlooked.
Encourage open
communication.
Employees should be
3. Check confident in flagging
issues and exposing
problems.
etq.com
Ensure that you collect
enough data. As your
operations improve and
number of incidents
and events decreases,
so will your historical
data. You will need an
expanded dataset to
make predictions about
risk and implement
preventative measures.
Include near-misses.
Collecting and analyzing
near-miss data helps you
find patterns and trends
that signal increased risk.
Analyze your Risk Register
to identify high-risk areas,
trends and correlations.
42

Assemble your Risk Team to review
the different risk outcomes, build risk
treatment options and define actions
to treat those risks. Responses typically
include:
• Acceptance – Leave it if it’s worth
the risk
• Reduction – Take steps to mitigate
the risk
• Compensation – Take steps to
insure yourself against the risk
• Transfer – Outsource the risk to a
partner/supplier
• Avoidance – Stop the process
altogether
Take immediate action on critical
issues through your Corrective Action
(CAPA) process.
etq.com
Follow up with a risk-based verification
check to assess if the corrective action
taken was effective.
For actions which are found to be
ineffective, run the Corrective Action
(CAPA) process again until the risk is
reduced to within the business’s
risk tolerance.
Document your treatment of risk into
your Risk Register, so risks with a similar
profile can be identified and prevented.
4. Act
Document your treatment of risk into
your Risk Register, so risks with a similar
profile can be identified and prevented.
Implement long-term improvements on
unacceptable trends.
43
 etq.com

Takeaways

Risk-based thinking Too many subjective Risk management Risk assessment tools The Risk Register
is a systematic and judgments and internal provides a unified will allow you to identify automatically gathers
objective way to measure silos relating to understanding and and reduce potential and stores data from
performance across the multiple risks can leave universal methodology risks. all operational areas,
organization, not just businesses exposed. for addressing numerous allowing businesses
regarding quality and risk factors. to analyze trends to
compliance. identify high risks that
would otherwise remain
hidden.

44
 etq.com

Find out how to break down the silos that stand in the way of
enterprise-wide quality culture by downloading our free eGuide

Enterprise Quality Management –

How Systems Can Break Down Silos

Download the eGuide now

About EtQ
EtQ is the leading Quality, EHS, Operational Risk and Compliance management software provider for identifying, mitigating and preventing
high-risk events through integration, automation and collaboration. At the core of EtQ’s framework is a compliance management platform that
enables organizations to implement best-in-class compliance processes configured to meet their existing processes, create new compliance
processes and automate and control their compliance ecosystem. EtQ was founded in 1992 and has main offices located in the U.S. and
Europe. To learn more about EtQ and its various product offerings, visit www.etq.com or blog.etq.com.

45