Risk-based thinking is not just a feature of ISO 9001:2015. Risk-based thinking has been a business tool since shortly after the Public Company Accounting Reform and Investor Protection Act of 2002 (or “Sarbanes-Oxley”, or just “SOX”) was enacted.
Before the SEC issued guidance on risk control in 2007, public companies feared they might have to show they could control every possible accounting/financial risk they faced. The guidance was that these companies could implement a risk hierarchy – address the greatest risks first, then the next-greatest, and so on.
ISO defines risk as “the effect of uncertainty on objectives”. To me, it reads as if the author meant to confuse us. (What do you mean by “uncertainty”? What objectives and whose are they?) In my mind, that definition muddies the waters. It creates confusion. It certainly doesn’t help the average person make the distinction between risks and threats.
I’ll try to help you make that distinction. Basically, I see it like this…
Threats exist. They are not “likely” or “probable”; they simply are. For instance, there is “the threat of expulsion” if we egregiously violate school policy. There is “the threat of termination” if we flout company policy, like copying confidential or secret company information for use outside the company. There is the “threat of a fine and possible jail time” for violating the law.
Threats pose risks; risks are possibilities. Threats may materialize – become real – if conditions are met, inadvertently or purposely. Threats materialize when causes materialize and converge. Table 1 illustrates the relationship between certain threats and risks:
| Threat | Risks | Causes | Likelihood | Impacts |
|---|---|---|---|---|
| Thunderstorm | Large amounts of rain; wind; flash flooding; hail; lightning | Humidity; unstable air masses; lift | Fair-to-low | Death; homelessness; illness, injury; disruption of services |
| Terrorist attack | Death/destruction; overreaction; feeding prejudices; perpetuation of terrorism; isolation; losing freedoms; being caught or killed | People; social conditions; perceptions | Fair-to-low | Psychological trauma; death; injury; property destruction; disruption of services; disruption of social order |
| Cyberattack | Data loss/corruption; denial of service; becoming part of a botnet; legal action | Malware; poor cybersecurity; untrained, unaware users; human nature | Excellent-to-low | Slowed system throughput/response; lost business; loss of reputation; increased expenses; added security measures |
Consider this a “starter kit”, or a tool to prompt discussion of threats and risk management in your organization. What risks does your company face, now and in the future? Should you attempt to control these risks? What threatens your company’s well-being? Which risks should you address first? What would you add to the Risks, Causes, or Impacts in Table 1?
Risk-based thinking is not an “add-on” or “enhancement”; instead, it reflects a major change in philosophy.
I leave the question of whether certain company policies are ethical or justifiable for another time.