To determine potential risks and opportunities, the organization shall:
Actions to address risk shall be appropriate to the impact of the risk. To ensure this, there is a need to assess the risk for its risk impact. This will help to determine actions that will be appropriate to the impact of the risk.
To evaluate risk for its potential impact, the risk assessment matrix below is useful.
From the matrix, determine the likelihood rating of the risk. This refers to the frequency of occurrence of the risk. Determine the consequence rating of the risk and multiply the likelihood rating with the consequence rating to obtain the risk impact on the Quality Management System.
The risk impact can be categorized by the level of severity as critical, high, medium and low impact rating. Actions and responsibilities to address risks shall be appropriate to the severity of the risks.
To determine the likelihood rating of a risk, an organization may apply the matrix below.
To determine the consequence rating of a risk, the matrix below may be applied.
To determine the risk impact, the likelihood rating shall be determined from the occurrence assessment matrix and the consequence rating shall be determined from the risk consequence assessment matrix. Risk impact is the product of both likelihood rating and consequence rating of the risk.
From the risk impact rating matrix, low risk impact shall be managed by routine procedure or accepted by informed decision. Medium, high and critical risk impact shall be addressed as appropriate to the impact of the risk. For a likelihood rating of 4 and a consequence rating of 3, the risk impact is 12. From the risk impact rating matrix, this is high risk and shall be addressed by top management intervention.
Where a more substantial or coordinated response is required than the immediate risk owner can authorize or implement, such a risk shall be termed a critical risk and shall be escalated through established lines of management accountability to top management. The risk owner may provide key information such as statistical data on numbers of active hazards and risks, overdue actions, and others as appropriate.
The organization may recognize an opportunity as a circumstance that makes it possible to leverage positive factors and elements. For example:
Opportunities may be identified as positive effects of risks or a risk that is beneficial to the organization.
Your comment will be visible after approval.