Procedure for Addressing Risk and Opportunity


The purpose of this procedure is to manage the business risks and opportunities that arise from the context of XXX and the requirements of interested parties.


This procedure applies to all the activities within the scope of the XXX Quality Management System.


3.1 XXX Quality Manual
3.2 ISO 31000:2018 standard
3.3 Procedure for Context of the Organization

RM - Risk Management
SOP - Standard Operating Procedure


The Management Representative (MR) and the HODs of all departments are responsible for the effective implementation of this procedure.


XXX has a documented procedure to identify and control risks that affect the delivery and quality of its products. This procedure identifies the techniques and tools, and their application, for risk identification, assessment and mitigation.


Risk assessment associated with delivery of the product shall generally include, but is not limited to, the following:

  1. Availability of facilities & their maintenance
  2. Availability of equipment
  3. Breakdown / preventive maintenance of equipment
  4. Material availability
  5. Timely Supply of material
  6. Quality of supplied material
  7. Supplier performance in terms of quality, delivery and other capabilities
  8. Inadequate QA / QC activities

Risk assessment associated with product quality shall generally include, but is not limited to, the following:

  1. Competencies and performance of critical and non-critical suppliers, sub-contractors and outsourced vendors
  2. Delivery of non-conforming products to customers
  3. Maintenance of facilities and equipment, including testing equipment
  4. Incoming, in-process and final inspection and their controls
  5. Addressing non-conformance of the product in process at all levels, to avoid effects or potential effects on the final product
  6. Availability of competent personnel

Risk assessment provides a structured process for analyzing risk in terms of consequences and likelihood before deciding on further actions.

Records of risk assessment and management including actions taken are maintained.

This structured process attempts to answer some fundamental questions:

  1. What may happen and why (risk identification)?
  2. What might be the consequences?
  3. What is the likelihood of them happening? And
  4. Is there anything that might mitigate the consequences or reduce the likelihood?

Risk identification:

It is defined as the process of finding, recognizing and describing risk. It may draw on historical data or theoretical analysis, and involves identifying risk sources, events, causes and their potential consequences that could delay the organization's objectives.

Risk analysis:

It is the process of analyzing the nature of risk and determining the level of risk associated with the relevant activity. The RPN (Risk Priority Number) is used for analyzing the impact. Risk analysis provides an input to risk evaluation, to decisions on whether risks need to be treated, and to the choice of the most appropriate risk treatment strategies and methods. It also provides an input into decisions where choices must be made and the options involve different types and levels of risk.

Risk analysis involves consideration of the causes and sources of risk, their positive and negative consequences, and the likelihood that those consequences will occur. Factors that affect consequences and likelihood are identified. Risk is analyzed by determining consequences, their likelihood and other attributes of the risk. An event can have multiple consequences and can affect multiple objectives. Existing controls, and their effectiveness and efficiency, are taken into account. The way in which consequences and likelihood are expressed, and the way in which they are combined to determine a level of risk, should reflect the type of risk, the information available and the purpose for which the risk assessment output is to be used.

The significant risks associated with each process are segregated into the following five categories:


Human resources are one of the important and mandatory requirements for product realization; this category includes workmen, staff and managers.


A machine is an important resource for achieving the required product realization, and possible risks such as breakdown or out-of-tolerance operation are considered while carrying out risk analysis.


Risks related to material handling and preservation of the product are considered under method.


Risks related to material rejection, delayed shipment from the supplier and raw material shortage are considered when carrying out risk assessment.


Risks related to natural disasters and their impact on the quality or delivery of the product, together with the required communication, are considered.

Risk evaluation:

The purpose of risk evaluation is to assist in making decisions, based on the outcomes of risk analysis, about which risks need control / mitigation and the priority for implementing it. Risk evaluation involves comparing the level of risk found during the analysis process with the established risk criteria. Based on this comparison, the need for control / mitigation can be decided.

Risk control / mitigation involves:

  1. Deciding whether the residual risk levels are tolerable. If XXX feels that a presently non-significant risk may become significant in future, it is treated as significant.
  2. If not tolerable, generating a new risk treatment and assessing its effectiveness. Further, activities meeting the criteria below are called significant and require a proper action plan.


The guideline followed at XXX to determine the RPN while performing risk assessment is based on the following terms.

Severity evaluation criteria (S):

Severity for each activity / problem is worked out based on the amount of impact it creates on the equipment, on legal compliance, or on customer satisfaction (delivery and product quality). The value range is 1 to 5. Tabulation 01, used to plot the applicable severity number for the relevant activity, is given in Guideline 2. When the severity is 5 it is defined as critical class (CC), for the value 4 it is called significant class (SC), and values less than 3 are common activities and are left unfilled.

Occurrence evaluation criteria (O):

Occurrence for each activity / problem is worked out based on the number of repeated cases in past history, or on assumptions based on experience. The value range is 1 to 5. Tabulation 02, used to plot the applicable occurrence number for the relevant activity, is given in Guideline 2.

Detection evaluation criteria (D):

Detection for each activity is defined as the possibility of capturing the problem / defect with the existing controls. The value range is 1 to 5. Tabulation 03 is used to plot the applicable detection number for the relevant activity.

Risk assessment output:

The output of risk assessment is used as an input for contingency planning and is also considered in corrective and preventive actions.

Risk assessment Frequency

The risk assessment at SOS is carried out once a year for all the relevant processes, and the records are documented with the necessary actions. Re-evaluation can be done whenever there is a need due to a management requirement, a major process change, a customer request, changes in the RPN number, or a major quality or delivery issue.


Table 1: Severity evaluation criteria (S)

| Effect | Criteria: Severity of Effect | Ranking |
|---|---|---|
| Catastrophic | Very high severity and multiple effects on product quality or delivery. Severe and widespread damage to the customer with respect to delivery and quality of product | 5 |
| Critical | Major severity and multiple effects on product quality or delivery | 4 |
| Serious | Single severe impact and multiple minor impacts on product quality and delivery | 3 |
| Minor | Low or minor impact and short-term effect on product quality and delivery | 2 |
| Low | Negligible or trivial effect and/or impact on product quality and delivery | 1 |


Table 2: Occurrence evaluation criteria (O)

| Occurrence | Criteria | Ranking |
|---|---|---|
| Frequent | Persistent failures (shall occur several times) | 5 |
| Probable | Frequent failures (occurs repeatedly / an event to be expected) | 4 |
| Occasional | Occasional failures (could take place or occur sometimes) | 3 |
| Remote | Relatively unlikely, few failures | 2 |
| Improbable | Failure is so unlikely that the probability is practically nil | 1 |


Table 3: Detection evaluation criteria (D)

| Detection | Criteria | Suggested Range of Detection Methods | Ranking |
|---|---|---|---|
| Almost Impossible | Absolute certainty of non-detection of the problem | Cannot detect or is not checked | 5 |
| Low | Controls have a poor chance of detecting the problem | Control is achieved with visual inspection only | 4 |
| Moderate | Controls may detect the problem | Control is based on variable gauging after parts have left the station, or Go/No-Go gauging performed on 100% of the parts after parts have left the station | 3 |
| High | Controls have a good chance of detecting the problem | Error detection in station, or error detection in subsequent operations by multiple layers of acceptance: supply, select, install, verify. Cannot accept discrepant part | 2 |
| Very High | Controls certain to detect the problem | Discrepant parts cannot be made because the process or the equipment / item has been error-proofed by process / product design | 1 |

Based on the above criteria given in Tables 1, 2 and 3, the severity, occurrence and detection rating for each potential risk is determined. While determining these, the potential causes of failure are taken into account for the severity rating, and the current process prevention controls are considered for the occurrence rating.

Risk Priority Number (RPN): RPN = S x O x D, where S is the Severity rating, O the Occurrence rating and D the Detection rating. The RPN for each potential risk is determined; its value is always between 1 and 125. The RPN value is used to rank the order of concern for product delivery and product quality. Special attention is to be given when the RPN value is 80 or more, or alternatively if the Severity value is more than 4. The highest severity of effect should be taken when calculating the risk priority number.

At SOS the cut-off limit for the RPN value is set at 80. Appropriate corrective actions are recommended and implemented in all cases where the RPN value exceeds 80. Risks with an RPN above 80 are also considered for contingency planning and entered in the risk assessment register.

Recommended action and or Mitigation

After completion of the steps described above, the RPNs are analyzed to identify the priority areas for control and mitigation. Higher risk priority numbers generally require immediate action and contingency planning; however, a severity ranking of more than 4 is to be treated as high priority irrespective of the RPN value.

The recommended actions are taken to prevent or eliminate the causes and so reduce the occurrence ranking. The general steps for risk mitigation are:

  1. Risk elimination, where possible
  2. Substitution by an alternative man, material, machine or method, as applicable
  3. Segregation of products and/or material
  4. Changes in the system of working that reduce the risk to an acceptable level (this includes having written procedures, adequate supervision, training, and information and instructions)

Verification of implementation: the QA / QC Engineer has to verify that the action has been implemented. After the corrective actions have been implemented, estimate and record the resulting Severity, Occurrence and Detection rankings and calculate the resulting RPN. If no actions are taken, leave the related ranking columns blank.
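As an added worked example (not part of the procedure itself), the following Python applies the scoring rules stated above to a constructed register: RPN = S x O x D on 1 to 5 ratings, the cut-off of 80, any severity above 4 flagged regardless of RPN, and a resulting RPN recorded only where an action has been verified. The register entries, process names and the `Risk` class are assumptions for illustration.

```python
# Added example: RPN scoring and prioritisation as described in the procedure.
from dataclasses import dataclass
from typing import List, Optional, Tuple

RPN_CUTOFF = 80      # procedure: RPN of 80 or more needs corrective action
SEVERITY_HIGH = 4    # procedure: severity above 4 is high priority regardless of RPN


def rpn(s: int, o: int, d: int) -> int:
    """Risk Priority Number = Severity x Occurrence x Detection (each 1..5)."""
    for value in (s, o, d):
        if not 1 <= value <= 5:
            raise ValueError("S, O and D ratings must be between 1 and 5")
    return s * o * d


def severity_class(s: int) -> str:
    """CC for severity 5, SC for severity 4, blank for common activities."""
    return {5: "CC", 4: "SC"}.get(s, "")


def needs_action(s: int, o: int, d: int) -> bool:
    """Special attention when RPN reaches the cut-off or severity exceeds 4."""
    return rpn(s, o, d) >= RPN_CUTOFF or s > SEVERITY_HIGH


@dataclass
class Risk:                      # constructed register row (assumption)
    name: str
    process: str
    s: int
    o: int
    d: int
    resulting: Optional[Tuple[int, int, int]] = None   # (S, O, D) after verified action

    def score(self) -> int:
        return rpn(self.s, self.o, self.d)


def prioritise(register: List[Risk]) -> List[Risk]:
    """Flagged risks ordered by highest severity first, then highest RPN."""
    flagged = [r for r in register if needs_action(r.s, r.o, r.d)]
    return sorted(flagged, key=lambda r: (r.s, r.score()), reverse=True)


def resulting_rpn(risk: Risk) -> Optional[int]:
    """Resulting RPN after corrective action; None means the columns stay blank."""
    return None if risk.resulting is None else rpn(*risk.resulting)


REGISTER = [   # constructed sample entries, not real assessment data
    Risk("Raw material shortage", "Purchase", 4, 4, 5, resulting=(4, 2, 3)),
    Risk("Testing equipment out of tolerance", "QA/QC", 5, 2, 2),
    Risk("Visual-only incoming inspection", "QA/QC", 3, 3, 4),
    Risk("Natural disaster delays delivery", "Delivery", 5, 1, 5, resulting=(5, 1, 2)),
]
```

Run as-is, `prioritise(REGISTER)` returns the two severity-5 entries first and the RPN-80 shortage entry last, while the severity-3 inspection risk (RPN 36) is not flagged.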

Risk assessment review and updating: this is a dynamic document and is to be reviewed whenever there is a change in process or customer requirement, on identification of new failures and causes, or when the process becomes unstable and/or incapable. Whenever the risk assessment is reviewed, the related process documents (quality plan, operating instructions, setup instructions, maintenance instructions, etc.) are to be reviewed and updated as required.



  • SOS considers and manages risks and opportunities differently.
  • Risks are managed with a focus on decreasing their likelihood, and minimizing their impact if they should occur.
  • Opportunities are managed to increase their likelihood, and to maximize their benefits if they should occur.
  • Where risks and opportunities overlap, the most appropriate method for managing them shall be determined for the situation at hand. Elements of such "blended" uncertainties may require methods that address both the negative risk and the positive opportunity.


  • Risks are identified as part of the "Context of the Organization" exercise.
  • Additional risks are identified department-wise through brainstorming by the concerned department heads. Risks can also be identified by any employee of XXX.
  • Each process owner identifies the risks/opportunities associated with the different activities in their department and records them in the Risk Assessment format.
  • Risks identified as part of the Context of the Organization are recorded in the Risk Assessment format for Top Management.
  • The methods for risk assessment vary, but should always include a means of identifying the risk under examination and a description of the result of the risk assessment.
  • Detailed methods may include FMEA (failure mode and effects analysis), SWOT (strengths, weaknesses, opportunities and threats) or other tools. At present these methods are not followed; a simple method is used for identifying risks, taking actions to reduce or eliminate the risks, and encouraging the opportunities.
  • When carrying out the risk treatment, an entry shall be made in the Risk format. When using the Risk format, the following steps are to be followed:
      • Identify the risk.
      • Identify the process in which the risk most likely dominates.
  • After entering the risk in the Risk Assessment format, the concerned management will decide whether to reject the subject due to the risk, or to accept the risk after developing a risk mitigation plan. The mitigation plan must be documented, either in the Risk Assessment format.
  • The concerned management will review and revise the Risk Assessment from time to time.
  • If a risk includes a potential positive aspect, management may elect to conduct an opportunity pursuit assessment on the positive aspect, as defined below.


XXX actively seeks out opportunities that could enhance its financial viability and market position. For example:

  • obtaining new contracts
  • obtaining access to new markets
  • identification of new industries which may be served by XXX 
  • development of new offerings that are within the scope of capabilities of XXX
  • streamlining existing processes to improve efficiency and reduce costs

Opportunities are identified as part of the "Context of the Organization" exercise and as part of the corrective action program. Opportunities shall be discussed and analyzed by top management. If this is made part of the management review activities, it shall be recorded in the management review records.

To help determine which opportunities should be pursued, the Opportunity column within the Risk Assessment form may be used to conduct an "opportunity pursuit assessment".

The opportunity pursuit assessment is conducted by:

  • Identifying the opportunity.
  • Identifying the process under which the opportunity most likely falls.

For opportunities recorded in the Risk & Opportunity form, management will decide whether to pursue the opportunity through an "opportunity pursuit plan" or to abandon the opportunity altogether. The opportunity pursuit plan must be documented, either in the Risk & Opportunity form.

Analysis of any opportunity will generally result in one of the following possible determinations:

  • Pursue the opportunity
  • Explore the opportunity in greater detail before proceeding
  • Accept the opportunity, but under limited and controlled conditions
  • Decline the opportunity, typically based on a high expected cost or low anticipated benefit

If an opportunity includes a negative aspect, management may elect to conduct a risk assessment on the negative aspect, as defined above.


7.1 Risk and Opportunity Register
7.2 Management Review Record
