how to make risk based thinking matter to your business?

1. By Islam El-khateeb 25-3-2018
All Rights Reserved
Risk-Based Thinking That Matter
"Risk That Matter" this quote for Dr. David Hillson or as he likes to call himself
Risk Doctor
"That Matter"
Is the greatest motivation behind everything people and business are doing, and
leaving as well. So we are not doing this thing unless it matters.
Through my whole professional life, I tried to make every single ISO clause matter
to the business and add real value not only for external auditor satisfaction.
Like many who are working with ISO 9001standard, and after publishing the new
version of ISO 9001:2015, I found myself obliged to figure out the amount of
works I had to do to comply with the new version.
In addition to new structure and terms it can be said that Risk-Based thinking is at
those new things.
Moving Risk-Basedthinking from just a concept to applicationwas an exciting
journey. Through the following stages, I will share with you the barriers my
team faced trying to make “Risk-Based Thinking Matter”:
1. Discovering what “risk-based thinking means”
2. Spread the concept
3. Monitor the related activities
4. Reporting
5. Continual improvement

2. By Islam El-khateeb 25-3-2018
All Rights Reserved
Let’s have a deep look inside,
1. Discovering what risk-based thinking means?
Answer:
According to ISO interpretation, Risk-based thinking ensures these risks are identified,
considered and controlled throughout the design and use of the quality management
system.
Helping sources:
In order to have a detailed view I had to listen more from risk experts, and I was so
lucky to:
1. Read ISO 31000-2018 DIS and to understand the steps of managing risk,
check these 2 links for more details link 1 and link 2
2. Listen to Risk Experts like Dr. David Hillson and Mr. Alex
Lesson learned:
 Risk is everyone responsibility and must be an integral part of each process
 Risk management must enhance the way business run
Preparation for the next step were as follow:
In order to make lesson learned real, I had to work with each business area
responsible to:
 Introduce the new concept
 Identify the risk within their area
And in order to do that in the simplest way the team:
o Established simple risk policy document, which contains stages of risk
management system, riskevaluation criteria, riskmanagement responsibility
o Prepared different tutorial emails and videos
2. Spreading and Documenting the concept
On the next step we had to go through the following 3 simple risk management
steps:
1. Risk identification
2. Risk evaluation

3. By Islam El-khateeb 25-3-2018
All Rights Reserved
3. Plan to deal with risk (Action to Mitigate)
Every successful business manage risks, Even though it did not have a formal
risk register
As a running organization 3 decades ago, the business learned to manage most
frequent and dangerous risk which may affect business continuity, so in order to
document that we:
 Checked the reason of doing every single step on documented procedures,
then asking what if we did not do this?, how is this business area going to
be affected?
 Previous car log, customer complaints, and performance reports were a
good data source that assured the quality of conclusions we came up with
from the previous step
 The final result was a simple risk register like the data listed in the
following table for each business area:
Sn. Risk Code
Risk
Category
Risk
Details
Grade Action to mitigate
The clause that covers
details of mitigation
with the procedure
1 Maint.-R-01 Machine-related
Inability to
meet planned
dates because
of
inappropriate
machine
availability
xxx
Set an action plantomeet
machine availability goal
andfollowup this plan
Performdowntimeanalysis
andtake necessary
corrective andpreventive
actions
6/4
Maintenance procedures
3. Monitor the related activities
The aim of this step were to:
 Measuring the quality of actions taken to deal with risks
 Identifying the unidentified risks that take place
Source of data:
 Internal audits
 Customer complaints
 External audits notes
 Internal improvement projects

4. By Islam El-khateeb 25-3-2018
All Rights Reserved
Then, we started to link all the reporting systems to previously identified risks in
order to check how good company did against documented risk management
system
4. Reporting
In this stage, we tried to sum up what we came up with in order to:
 Raise the results of our risk management to the decision maker
 Figure out what we need to work on to enhance our risk management
system
The following table is a sample:
No. of Identified Risk in Procedures per
each category
No. of Identified from real Performance
Notes and
Improvement projectsBusiness
Area
Category
A
CategoryB
Category
C
Category
A
CategoryB
Category
C
Planning
Commercial
5. Continual improvement
Depending on the report results many decision can be taken to help the company to
better achieve its objectives, like
 Changing risk treatment method
 Holding improvement project in a certain area
 ….. etc.
Summary:
Finally
 I don’t claim that above model is not the best, however, the purpose is
to share my experience with you and receive your notes
 The article set a model only for the operational processes, however the
complete risk management shall cover all business aspects like finance,
corporate performance … etc.