Process Risk Assessment

Risk assessment is very topical in the modern world. All organizations need to manage risks, but the good news is that many of the risks that face organizations on a daily basis are within their own control. Few organizations have adopted a structured approach to risk assessment. Risk assessment does not necessarily require sophisticated tools; it can be conducted simply by asking some key questions. Even for those events that are outside your control, there are steps you can take to avoid, contain or reduce adverse impact on the organization.

If you were to ask your management team about risk, would it know:

If you were also to ask your management team about the provisions it has made to mitigate against risk, would it be able to explain what provisions had been taken to safeguard the organization from:

Certain techniques can identify potential risks and assist in their elimination, reduction or control if the provisions are built into process design, as shown in the table below.

Risk, Failure Mode or Hazard

Results from the question, “How could this process fail to achieve the process objectives?”


Results from the question, “What effect would this failure have on the performance of the process?”


Results from the question, “How likely is it that this will occur regardless of any controls in place at this time?”

Inherent Probability

The criteria for establishing the probability of occurrence regardless of any controls in place are as follows:

Very High: Failure is almost inevitable

High: Failure often occurs in this type of process

Moderate: Failure occasionally occurs in this type of process

Low: Failure occurs only in isolated cases

Very Low: Failure is unlikely – failure of this type has yet to be observed


These are the actions taken to change the process design to:

a). Eliminate the failure by process redesign

b). Detect and remove the failure by inspection/review measures

c). Reduce the effect by additional provisions


This is a link to the part of the BMSD that describes the provisions that have been made to mitigate risk

Many rules and regulations or requirements have their roots in the elimination of failures, disasters, accidents and the like. When such requirements are imposed upon us, we sometimes forget what risk they were intended to prevent from happening. Often the risk is not present in our organization or its probability of occurrence is negligible, but the requirements are imposed just the same. By working backwards from the requirement, a relevance analysis would establish what it was designed to accomplish, the probability of this event happening in the organization and what impact it would have if it did happen. A common example is the raft of requirements there used to be in ISO 9001 on document control. Why so many requirements when, in a computerized environment, document control is a given? Why would anyone want to use an unauthorized document? The use of Intranets has made this requirement obsolete. The requirements appear more relevant to an age when information was produced on a typewriter and documents were distributed manually. While computerization may have solved some of the issues concerned with controlling paper documents, it has brought in new risks such as computer viruses and data security threats.

More information on process risk assessment may be found in Chapters 10 and 21 of the ISO 9000 Quality System Handbook 7E.


© Transition Support. Last edit 12/12/2022






