Darwin said that it was not the strongest species that survived, nor the most intelligent, but the one that best adapted to changes. In the natural selection of business organizations, survival can only be achieved if each day one is prepared for each challenge that arises. One must adapt to changes in order to be competitive, and changes have come in the form of new rules, with a new structure and with new approaches.
Among these changes, one of the most important and most bothersome to organizations already certified according to ISO 9001 or 14001 standards, or those aspiring to obtain ISO 27001 certification, is the need to adopt a risk-based approach to become certified according to the new editions of these standards.
Although there were honourable exceptions, most organisations that had, and still have, a Quality and/or Environmental Management System implemented under the previous version of the standard had become accustomed to a reactive culture in response to problems. Controls, monitoring or audits are carried out, customer complaints and employee suggestions are processed, or indicators are evaluated, and from all this non-conformities and the appropriate corrective actions are drawn up. It is a reactive system, perhaps very effective, but reactive: firefighter organisations, which put out fires when they appear in the shortest possible time.
The honourable exceptions, which I mentioned in the previous section, used, in addition to corrective actions, the often forgotten preventive actions. But normally their appearance was anecdotal and almost incidental to the functioning of the system itself, despite the fact that preventive actions were a fundamental tool for continuous improvement, something basic for moving from reacting to promoting.
New high-level standards such as ISO 27001:2013, ISO 9001:2015 and ISO 14001:2015, to which the long-awaited ISO 45001 for implementing an Occupational Health and Safety Management System will soon be added (it will also have a high-level structure to align with the rest and is expected to be ready by the end of this year), incorporate a systematic approach to risks instead of treating them as one more element of a management system. In other words, they adopt a risk-based approach whose purpose is to make organizations proactive, which means that they foresee, eliminate or reduce the undesired effects of detected risk situations, the materialization of which would jeopardize business results, the operation of certified systems, customer satisfaction or any other organizational objective. Or, put even more simply: to become organizations that anticipate events.
Companies have immediately turned to the ISO 31000:2010 standard, which defines the Principles and Guidelines for Risk Management, to find support for this new requirement that had arisen and that, with all certainty, they will have to include among their obligations for obtaining and maintaining certification. But, in many cases, the implications of something that is much more than a new requirement have not been adequately assessed. It has not been considered for what it is, a different approach and a different way of thinking, and so its potential has been minimised.
With the risk-based approach permeating all points of the standards and being part of all processes, preventive action becomes automatic because a continuous dynamic of identification, assessment and action on potential non-conformities is created. In other words, a continuous action on something undesirable that may happen, but has not yet happened.
It seems obvious that, from this approach, not only risks will be detected. The analysis of the organization's processes, visualizing its weak points, will also reveal its strong points, providing opportunities for improvement, which, managed in the same way as the risks, but seeking their materialization instead of avoiding them, will lead to changes for the better that would have been difficult to achieve with the old system.
The standards that underpin the systems must be useful and at the service of the organization, not, as until now, with the organization forced to be at the service of the systems in order to comply with the standards. They must be tools and not barriers. That is why it should be noted that risk and opportunity management gives companies the chance to implement a preventive, proactive and leading culture in each of the organization's processes and in relation to each of its objectives, purposes or interested parties. It is not one more bureaucratic obligation that the standard requires me to fulfil; it is a powerful tool for a company that wants to be a leading player.