Risk management of business processes is a requirement imposed by the ISO 13485 standard on organizations operating in the medical sector that choose to adopt it as a tool for establishing their Quality Management System. This requirement is briefly outlined in point 4.1.2: “The organization must […] apply a risk-based approach to the control of the appropriate processes necessary for the Quality Management System.”
However, behind this simple statement lies a complex yet fundamental process for formulating business strategy and monitoring all activities carried out by the organization.
The process of managing risks in business processes can be conducted following the guidelines set out in ISO 31000 (Risk Management – Guidelines) and can generally be outlined as follows:
The risk management activity should be entrusted to a qualified team formed for this purpose, usually consisting of at least management and process owners.
Definition of Context
Constant communication and consultation with internal and external stakeholders is crucial to ensure that the organization has a comprehensive understanding of the risks it must face.
Before undertaking risk management activities for processes, it is essential to assess and understand the internal and external context of the organization, as both can significantly influence the parameters to be considered in risk management.
The internal context refers to any “endogenous” situation that may affect how the organization manages risk. The risk management process should align with the organization’s culture, structure, and strategy.
Parameters that can be considered in analyzing the external context include social and cultural aspects, legal and regulatory factors, technological considerations, as well as key trends that may impact the organization’s objectives.
Risk Management Process
Risk Identification
The purpose of this first step is to identify events and situations—along with their causes—that could influence the achievement of business objectives. It is important to identify all critical processes (and any subprocesses) and, for each of them, to pinpoint individual risks with higher criticality based on the potential damage they can cause (e.g., organizational discomfort, economic hardship, reputational damage, harm to human/environmental safety, etc.).
Risk Analysis
Risk analysis involves determining the consequences of each identified hazardous event, based on the severity of damage, the probability of occurrence, and considering any control measures already implemented.
Each hazardous event should be associated with a Severity Index (SI) and a Probability Index (PI), as well as an Effectiveness Index (EI) of the existing control measures.
By combining these three indices, the risk associated with each hazardous event can be determined, specifically:
Risk Index (RI) = SI × PI × EI
Risk Evaluation
In this phase, the risk indices obtained from the analysis described above are compared with the acceptability criteria established by the organization. Evaluated risks can be classified as:
- Acceptable, therefore manageable
- To be managed
- Unacceptable, therefore intolerable
Acceptable risks should be those that are already adequately controlled, while risks evaluated as unacceptable or to be managed require specific treatment to be mitigated.
Risk Treatment
Risks evaluated as unacceptable or to be managed should be addressed by implementing additional appropriate mitigation actions. The risk treatment plan should describe at least the actions to be taken, the responsible parties for implementation and effectiveness verification, as well as the expected timelines. Each action should correspond to an Additional Effectiveness Index (AEI).
The Residual Risk Index (RRI) can then be calculated:
RRI = RI × AEI
The RRI should fall within the acceptable threshold or at least within the manageability threshold; otherwise, the organization should implement further risk mitigation actions.
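The analysis, evaluation and treatment steps above can be carried through as a small risk register. The following is an added worked example, not code from the original article or from the ISO standards it cites; the index scales (SI and PI from 1 to 5), the reading of EI and AEI as multiplicative reduction factors in (0, 1] (1.0 meaning a control with no effect), the acceptability thresholds, and the sample hazardous events are all assumptions constructed for illustration, since the article leaves these for the organization to define.

```python
"""Worked risk register for the RI / RRI scheme described in the article.

Assumptions (not stated on the page, chosen for this example):
- SI and PI are integers from 1 (lowest) to 5 (highest).
- EI and AEI are reduction factors in (0, 1]; 1.0 means the control
  measure has no effect, smaller values mean a more effective control.
- Illustrative acceptability criteria: RI <= 4 acceptable,
  4 < RI <= 12 to be managed, RI > 12 unacceptable.
"""
from dataclasses import dataclass, field

ACCEPTABLE_MAX = 4.0   # assumed organizational threshold
MANAGEABLE_MAX = 12.0  # assumed organizational threshold


@dataclass
class Action:
    """One treatment action from the risk treatment plan."""
    description: str
    owner: str
    deadline: str
    aei: float  # Additional Effectiveness Index


@dataclass
class HazardousEvent:
    process: str
    description: str
    si: int           # Severity Index
    pi: int           # Probability Index
    ei: float = 1.0   # Effectiveness Index of existing controls
    actions: list = field(default_factory=list)


def _check_factor(name, value):
    if not (0.0 < value <= 1.0):
        raise ValueError(f"{name} must be in (0, 1], got {value}")


def risk_index(si, pi, ei):
    """RI = SI x PI x EI, with input validation on the assumed scales."""
    for name, idx in (("SI", si), ("PI", pi)):
        if not (isinstance(idx, int) and 1 <= idx <= 5):
            raise ValueError(f"{name} must be an integer 1..5, got {idx}")
    _check_factor("EI", ei)
    return si * pi * ei


def classify(ri):
    """Compare an index with the (assumed) acceptability criteria."""
    if ri <= ACCEPTABLE_MAX:
        return "acceptable"
    if ri <= MANAGEABLE_MAX:
        return "to be managed"
    return "unacceptable"


def residual_risk_index(ri, actions):
    """RRI = RI x AEI, applied once per planned action."""
    rri = ri
    for action in actions:
        _check_factor("AEI", action.aei)
        rri *= action.aei
    return rri


def evaluate_register(events):
    """Run analysis, evaluation and treatment over a list of events.

    Returns one record per event; 'further_action_needed' is True when the
    residual risk is still unacceptable after the planned treatment.
    """
    report = []
    for ev in events:
        ri = risk_index(ev.si, ev.pi, ev.ei)
        rri = residual_risk_index(ri, ev.actions)
        residual_class = classify(rri)
        report.append({
            "process": ev.process,
            "event": ev.description,
            "RI": ri,
            "evaluation": classify(ri),
            "RRI": rri,
            "residual_evaluation": residual_class,
            "further_action_needed": residual_class == "unacceptable",
        })
    return report


# Constructed sample register (illustrative only).
SAMPLE_EVENTS = [
    HazardousEvent("Purchasing", "Unqualified supplier delivers nonconforming parts",
                   si=5, pi=3, ei=1.0,
                   actions=[Action("Incoming inspection", "QA", "Q3", aei=0.5)]),
    HazardousEvent("Document control", "Obsolete work instruction used on the line",
                   si=3, pi=4, ei=0.5,
                   actions=[Action("Controlled-copy distribution", "QA", "Q2", aei=0.5)]),
    HazardousEvent("Training", "Operator not trained on updated procedure",
                   si=2, pi=2, ei=1.0),
    HazardousEvent("Design", "Design change released without verification",
                   si=5, pi=5, ei=1.0,
                   actions=[Action("Design review gate", "R&D lead", "Q4", aei=0.5)]),
]

if __name__ == "__main__":
    for row in evaluate_register(SAMPLE_EVENTS):
        print(row)
```

Running the register shows the three outcomes the article distinguishes: an event whose RRI drops into the manageable band, one that becomes acceptable after treatment, one that was acceptable from the start, and one whose RRI stays above the manageability threshold and is therefore flagged for further mitigation actions.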
Monitoring and Review
The management of risks in business processes must be appropriately documented within a Quality Management System document. This document should be reviewed periodically and whenever changes are made to the organization’s processes.
In the case of a change, its impact on the company’s Quality Management System and on the products and/or services offered by the organization should be evaluated. For each change, any introduction of new risks or changes in the probability of occurrence of previously identified and evaluated risks should be analyzed.
If necessary, the organization should take appropriate actions to control new or modified risks.
Benefits for the Organization
In addition to meeting a requirement, the correct application of an adequate procedure for managing risks in business processes provides various business benefits, such as:
- Increased likelihood of successfully achieving set objectives
- Improvement of corporate governance
- Establishment of a reliable basis for decision-making and activity planning
- Effective use of resources for addressing critical issues
- Protection of company values such as know-how and reputation
- Implementation of effective control measures
- Enhanced performance and efficiency of the business
- Satisfaction of customer requirements