The Greatest Risk to Every Organization Is…

ISO 9001:2015 is said to incorporate the idea of “risk-based thinking” throughout. But is this going to make companies function more effectively? Is the application of ISO 9001 going to ensure better governance? Are organizations going to manage change any better because of risk-based thinking?

What is risk-based thinking, anyway? Well, within the scope of ISO 9001:2015, risk-based thinking consists of:

  • Knowing what the greatest threats to organizational quality are;
  • Prioritizing those threats, because you cannot give equal weight or resources to all threats; and
  • Doing what can reasonably be done to avoid, reduce, mitigate, or prevent their likelihood and/or impact.

Risk is defined in a number of ways. ISO says risk is the effect of uncertainty on objectives[1]. Others define risk as a combination of the probability of, vulnerability to, and impact of a given threat.

Such is the nature of risk. You don’t think you know what, when, or where threats will materialize. We take what we believe to be educated, informed guesses and use that little bit of information to prepare.

Yet what is the biggest risk every organization faces? (Hint: It’s internal.)

Ethics becomes a problem in most companies
not because of ethical indifference or ignorance but rather
because it is just not part of the conversation.
(Solomon & Hansen, 1985)

We know – or think we know – about cybersecurity. It’s a big problem, and getting bigger by the hour. We buy or lease security software. We hire cybersecurity specialists to help ensure that we’re up-to-date. We enforce password changing. We use multifactor authentication, and even biomarkers. And cybersecurity lapses still happen, all the time. Why?

It’s the 800-pound gorilla in the room. Worse, actually – it’s us!

We are the weak link, the greatest risk to our organization’s well-being. We pose the greatest risk to product and process quality.

No matter what preventive measures your organization enacts, people will occasionally misbehave. They will not always play by the rules, they will do whatever is necessary to gain an edge[2], and they will, at times, prey on the weak and trusting, steal, or act on a perceived or real slight. Sometimes, they just do not know the rules.

Do we have "a certain moral flexibility" at times? (from "Grosse Pointe Blank", Hollywood Pictures, 1997)

Do we have “a certain moral flexibility” at times?
(from “Grosse Pointe Blank”, Hollywood Pictures, 1997)

Whether people act willfully, maliciously, carelessly, or out of ignorance…

…whether those people are in production, planning, logistics, customer experience, or top management…

…it’s about the organization’s culture. If people don’t know that “doing the right thing” comes first, every other risk management measure will eventually fail. With a strong sense of ethics, they won’t work 100% of the time but they are less likely to fail.

ISO 9001:2015 is promising to turn the business world on to “risk-based thinking” and maybe it will in a few isolated circumstances. However, I believe organizations that foster ethical behavior throughout and from the start will have a much easier time of adopting or certifying to ISO 9001 than will those for which ethics are inconsequential.


  1. “VW Emissions Scandal Hits 11M Vehicles”, BBC Business, 22 Sept 2015 –
  2. “When Turning a Blind Eye Leads to Disaster”, BBC Business, 3 Nov 2014 –
  3. Cordy, Neil, “Essendon’s New Slogan ‘Whatever It Takes’ Doesn’t Sit Well As Shadow Hangs Over Club”, Victoria Herald-Sun, 6 February 2013 –
  4. Solomon, Robert C., and Hansen, Kristine, It’s Good Business, Atheneum Publishers, 1985. ISBN-13 #9780689116469.


[1] See ISO 9001:2015, “Quality Management Systems-Requirements”, ISO (Sept., 2015).

[2] “Whatever It Takes” has been used as a marketing/advertising tag line or slogan by a number of organizations, including the St. Louis Blues Hockey Club.


We help small businesses improve their efficiency and effectiveness. Whether you're selling a product or a service, we'll show you how you can improve product and service quality, effectively and affordably. If you need quality, environmental, or health & safety management but can't afford a full-time manager or staff, call on Q9C and we'll pick up the slack. For information or a quote, call or write. Subscribe to the Q9C blog while you're at it.

Tagged with: , , , ,
Posted in ethical behavior, ISO 9001:2015, Risk Management

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: