Historically the word Risk has been associated with the negative – ‘what could go wrong.’ The very definition of risk within ISO 31000:2018 Risk Management, as the ‘effect of uncertainty on objectives,’ is inherently negative with uncertainty not generally being associated with positive connotations or outcomes.
However, in the new suite of ISO standards using the Annex SL format, the concept of ‘opportunities’ is now embedded when referring to risk in clause 6.1 ‘Actions to address risks and opportunities.’ It is included within:
- AS/NZS ISO 9001:2016 Quality Management Systems
- AS/NZS ISO 14001:2016 Environmental Management Systems
- ISO 45001:2018 Occupational Health and Safety Management Systems
- AS ISO/IEC 27001:2015 Information security management systems
ISO 31000:2018 adds to the definition of risk with a note, ‘An effect is a deviation from the expected. It can be positive, negative or both, and can address, create or result in opportunities and threats.’
Whilst these standards generally require a formal approach to the identification, assessment and control of risk (with the exception of ISO 9001), the approach to identifying and managing opportunities is generally less formal and, in most cases, only mature organisations use a structured approach when looking at opportunities.
A risk assessment should be a process that assists in identifying and then mitigating, avoiding and managing risks. However, organisations should also be looking at how to benefit from opportunities that arise in a more structured manner. To this end, a standard risk assessment matrix that considers only negative consequences may need to be restructured to include a review of opportunities and how an organisation may derive benefit from them.
Whilst not applicable to all risks assessments, descriptors of ‘positive consequences’ or opportunities can be developed relevant to the organisation’s operations, and then included so as to be able to formally assess opportunities, thereby assisting prioritisation and decision-making in planning and associated processes.
Typically, the negative consequences are ranked from Insignificant to Catastrophic, with the ‘People Safety’ consequence ranging from ‘no injuries or first aid (only)’ up to the Catastrophic outcome of ‘fatality / fatalities’. Considering the positive consequences or the opportunity, these could be expressed as Insignificant being (for example) ‘minimal positive impact on safety initiatives, staff morale and attitudes or safety culture’ through to Significant (being the positive version of the catastrophic risk) representing ‘significant positive improvement in staff morale, health & wellbeing, culture or organisation efficiency’.
Please contact QRMC for more information.