Risk assessment

https://preteshbiswas.com/wp-content/uploads/2024/11/Risk-Assessment_-Identifying-and-Evaluating-Risks.wav

Risk management is the process of identifying, analyzing, and evaluating risks. The first part of this process, called risk assessment, involves spotting risks and rating them to understand which ones are most important for the organization, project, or strategy. Since risk management helps improve decision-making, risk assessment plays a major role in strategy planning. Risks can relate to company goals, stakeholder needs, key processes, or critical resources. No matter where you start, the goal of risk assessment is to identify the most important risks that could affect these areas. Risk assessment is only useful if its results are used to guide decisions or create suitable responses to the identified risks. It should be seen as the beginning of managing risk, not the end. When assessing risk, it’s important to decide if you should look at the inherent risk level (the risk without any controls in place) or the current level (the risk with existing controls). Internal auditors often recommend looking at inherent risks because it shows how much risk is reduced by controls. This comparison helps auditors identify which controls are essential and set audit priorities. Though helpful, it’s not always easy to determine inherent risk levels. Some, like health and safety professionals, prefer assessing risk based on current controls, as it’s simpler and assumes controls will always work effectively. For example, when assessing an x-ray machine, a safety specialist would assume the protective enclosure is working correctly. However, an auditor would note that this enclosure is a crucial control and should be regularly inspected to ensure it remains effective.

When planning a risk assessment, there are different approaches to consider, including who should be involved in the process. Risk assessments can sometimes be led by the board of directors in a top-down approach, where leadership identifies the main risks. Alternatively, a bottom-up approach can involve input from staff and department managers, which is also valuable. The CEO’s input is especially important, as it shapes the organization’s overall attitude towards risk. However, a CEO’s perspective might focus more on external risks, while internal risks like financial management or infrastructure might not receive as much attention. The risk assessment approach chosen should align with the organization’s culture. For example, if the organization usually communicates through reports rather than meetings, a written report might be better suited for risk assessment than a workshop. Some organizations use voting software in risk workshops, which can be useful for getting clear feedback on risks, as well as seeing the spread of opinions. If opinions are widely varied, this could indicate that participants have different understandings of the risk, which may need further discussion. Organizations also need to decide if the risk assessment should be top-down, bottom-up, or a combination of both. A top-down approach typically focuses on strategy, tactics, operations, and compliance, while a bottom-up approach usually focuses on compliance, hazards, controls, and opportunities. Combining both methods allows input from many stakeholders and is common for most organizations. However, a bottom-up approach often takes more time, as the risk management team must attend or facilitate multiple sessions to gather input from various levels. Ultimately, the organization should choose the risk assessment approach that best supports its goals and culture, balancing leadership input with broader employee involvement.

The advantage of top-down risk assessment is that this approach likely leads to a business-wide view of risk, as the main risks at the top level will affect the entire organization. Major strategic risks can be identified quickly, and the number of these key risks will be manageable. When leadership supports risk management, it encourages everyone in the organization to accept and follow risk management practices. Since it starts from the top, the methods used for managing risk are likely to be consistent across the organization. The disadvantage of top-down risk assessment is that senior managers and directors often focus more on risks outside the organization and may not be as aware of internal risks or how different risks within the business connect. There’s a risk that their approach might be too shallow, as they may feel confident in handling crises as they arise. This focus could also mean that new risks coming from the organization’s daily operations might not be fully recognized.

The advantage of bottom-up risk assessment is that everyone in the organization is likely to support this approach. It can follow the existing organization structure, allowing for discussion of risks beyond day-to-day operations. Operational staff have a strong understanding of local risks and their causes, which higher management might not fully see. The methods can also be adapted to fit local practices and culture, which is helpful for a multinational company. The disadvantage of bottom-up risk assessment is that this approach may pay little attention to external or strategic risks. It can take a lot of time, which might be discouraging if it slows down getting results for the whole organization. There’s a risk it could become too detailed and narrow, causing different areas to assess risks in isolation. New risks arising from daily operations may also go unreported by staff.

Risk assessment techniques

The ISO/IEC 31010 standard, Risk Management: Risk Assessment Techniques, offers a range of methods for assessing risk. Here are some common techniques:

  1. Flow Charts and Dependency Analysis: These analyze processes and operations to identify critical elements for success.
    • Pros: Creates useful insights that can be applied in other areas and helps in understanding processes.
    • Cons: Hard to apply to strategic risks, and can be very detailed and time-consuming.
  2. Questionnaires and Checklists: These use structured forms to gather information on key risks.
    • Pros: Consistent format ensures uniformity and allows for broad participation.
    • Cons: The rigid structure might overlook certain risks, and questions rely on past knowledge.
  3. Workshops and Brainstorming: These sessions bring people together to share ideas about events that could affect objectives, main processes, or essential resources.
    • Pros: Brings together views from various participants and encourages interaction, leading to more ideas.
    • Cons: Senior leaders might dominate, and some issues could be missed if the right people aren’t involved.
  4. Inspections and Audits: These involve on-site inspections and reviews of compliance with established procedures.
    • Pros: Observations are based on physical evidence, and audits offer a clear structure.
    • Cons: Best for hazard risks, and audits tend to focus on past experiences.

The most common methods for risk assessment are checklists/questionnaires and brainstorming in workshops. Checklists and questionnaires are usually easy and quick to complete but may miss risks not covered by specific questions. Since risks can be connected to different aspects of an organization, a simple way to analyze them is by identifying the key factors essential for success. Most employees can point out these crucial aspects, or “key dependencies,” and then examine what might affect each one. For example, if focusing on hazards, ask, “What could threaten these key dependencies?” For control risks, ask, “What might create uncertainty around these dependencies?” For opportunity risks, ask, “What could strengthen them?” In many organizations, especially financial institutions, quantifying risk exposure is critical, so the chosen method should support this. This need for quantification is often part of operational risk management (ORM). Workshops with brainstorming sessions are also popular. Here, people can share views on the main risks the organization faces, helping to build a shared understanding of each risk. However, senior staff may dominate these discussions, and it can be hard to challenge their views. Structured brainstorming formats, like SWOT or PESTLE analysis, are often used in these workshops. SWOT analysis looks at strengths, weaknesses, opportunities, and threats, providing a chance to consider both risks and opportunities. It’s especially helpful for strategic decisions, though it might miss some risks since it doesn’t categorize them precisely. PESTLE analysis covers political, economic, social, technological, legal, and ethical/environmental risks. For organizations that need to measure the likelihood of risks more precisely, quantitative techniques like hazard and operability (HAZOP) studies and failure modes effects analysis (FMEA) are common. These methods provide a structured approach, ensuring no risks are overlooked. 
However, they require input from many experts for accurate results. HAZOP and FMEA are well-suited to industries like manufacturing, where they’re often used for chemical plants, railways, nuclear facilities, or product safety. These methods are detailed and time-consuming but necessary for certain complex or high-risk situations.

Risk Matrix

A Risk Matrix is a tool used in risk management to evaluate and prioritize risks by comparing the likelihood of an event occurring with its potential impact. It’s a visual representation that helps organizations assess which risks need more immediate attention and resources.

  1. Likelihood: How likely it is that a specific risk event will occur. This is typically ranked from Unlikely to Almost certain.
  2. Impact: The potential effect or consequence of the risk on the organization. This also ranges from low to high.

Example of Criteria for likelihood

  1. Unlikely: Can reasonably be expected to occur, but has only occurred 2 or 3 times over 10 years in this organization or similar organizations.
  2. Possible: Has occurred in this organization more than 3 times in the past 10 years or occurs regularly in similar organizations, or is considered to have a reasonable likelihood of occurring in the next few years.
  3. Likely: Has occurred more than 7 times over 10 years in this organization or in other similar organizations, or circumstances are such that it is likely to happen in the next few years.
  4. Almost certain: Has occurred 9 or 10 times in the past 10 years in this organization, or circumstances have arisen that will almost certainly cause it to happen.

Example of Criteria for Impact

  • Small: No impact on health; minor reduction of reputation in the short run; no violation of law; negligible economic loss which can be restored.
  • Moderate: Minor temporary impact on patient health; small reduction of reputation that may influence trust for a short time; violation of law that results in a warning; small economic loss that can be restored.
  • Severe: Serious impact on health; serious loss of reputation that will influence trust and respect for a long time; violation of law that results; large economic loss that cannot be restored.
  • Catastrophic: Death or permanent reduction of health; serious loss of reputation that is devastating for trust; serious violation of law; considerable economic loss that cannot be restored.

Here’s a risk matrix structure based on the likelihood levels of Unlikely, Possible, Likely, and Almost Certain, combined with impact levels of Small, Moderate, Severe, and Catastrophic. This structure helps determine the level of risk by placing each risk on the matrix grid according to its likelihood and impact.

Explanation of Each Category

  • Low Risk: Minor concern, may not require immediate action but should be monitored.
  • Moderate Risk: Medium priority, needs some attention to reduce risk or monitor developments.
  • High Risk: Significant concern, requiring action to mitigate or manage.
  • Critical Risk: High priority; immediate action is required to address or control the risk.
  • Extreme Risk: Top priority; must be addressed urgently to prevent severe consequences.

This risk matrix structure helps organizations assess where they need to allocate more resources or take preventative measures based on the likelihood and impact of various risks. Once a risk is identified as important, the organization needs to rate it to pinpoint which risks are top priorities. There are established methods to rate risks, but it’s also essential to assess if there’s room to further improve control over each risk in a cost-effective way. This helps prioritize significant risks. The organization must define how it measures both the likelihood and impact of risks consistently across the company. Using four clear options can prevent people from always choosing a middle option, though some organizations may opt for more than four, depending on their size and complexity. A common risk matrix visually shows the relationship between how likely a risk is to happen and the impact if it does. Other factors can also be added, such as the potential for further risk control. In this setup, a matrix can show the current level of risk and the target level, reflecting what more can be done to manage it. The matrix offers a simple visual of the organization’s most critical risks. During risk assessment, risks should also be ranked against the company’s risk tolerance or set criteria. Rating risks is called risk analysis, while ranking them based on importance is risk evaluation. A risk is considered significant if it exceeds a set threshold for impact. To identify key risks, it’s essential to assess:

  • How severe the event would be if the risk occurs,
  • The size of its impact on the organization,
  • The likelihood it will happen at or above the set threshold,
  • Opportunities for further improvement in managing it.

Usually, workshops identify between 100 and 200 risks, which are then narrowed down to about 10–20 top-priority risks. ISO 31000 uses the term “level of risk” based on likelihood and impact, though it’s sometimes called “risk severity.” Organizations need to develop their own definitions for these terms, tailored to their specific needs and structure.

During risk assessment workshops, people may have different views on a given risk. There are several ways to handle these differences. One option is to use voting software to find the group’s average opinion while showing the range of views. However, it’s often helpful to discuss why people see the risk differently. Talking it over can lead to a shared view, making it easier to choose effective control measures. People’s perception of risk can be influenced by factors like:

  • Whether the risk is involuntary (like pollution) versus voluntary (like extreme sports),
  • If the risk affects some people unfairly,
  • Whether personal precautions can prevent it,
  • If the source is new or unfamiliar,
  • If it’s human-made rather than natural,
  • If it causes hidden, irreversible harm, like long-term health effects,
  • If it especially endangers vulnerable groups like children or pregnant women, and
  • If it involves a dreaded outcome like severe illness.

People at different levels in a company may see the same risk differently, so it’s helpful to gather perspectives from all levels. This approach improves communication, understanding, and helps find practical ways to manage the risk. Accurately assessing risks for an organization requires thorough knowledge of it. Doing a complete assessment to identify significant risks and essential controls can take time and resources. The public’s perception of risk may be shaped by limited information or the influence of lobbying groups. This can make their understanding less informed or biased. Journalists have a responsibility to report objectively, which can be challenging when the audience lacks full context on the risks involved.

Level of Risk

Inherent, current and target levels of risk

Most risk managers evaluate risk at its current level, also known as the “residual” level. However, internal auditors often prefer assessing risk at its “inherent” level (the level without any controls) since it helps to see how much control measures actually reduce the risk. The idea is that, by looking at the inherent risk, the effect of individual controls can be better understood. In a risk matrix, three key levels of risk are shown. The “inherent” or “gross” level is the risk without any controls. The “current” level, also called the “residual” level, is the risk with the existing controls in place (like Control 1 in the example). Control 1 mainly reduces the likelihood of the risk happening. The “target” level is the risk level the organization aims for, often achieved by adding new controls (such as Control 2, which reduces the impact of the risk but has little effect on likelihood). Using “current level” rather than “residual level” makes risk management seem more active, as it suggests the organization can keep reducing risk if needed. The target level of risk usually falls in a lower-risk area on the matrix, often in a “comfort” or “acceptable” zone. In health and safety, practitioners aim to keep risks as low as reasonably practicable (ALARP), meaning risks should be reduced as much as possible without excessive cost for further control measures. Organizations need clear definitions for “likelihood” and “impact,” which are often rated as low, medium, high, or very high. However, organizations may need to be more specific based on the type of risk and their own needs. Since “impact” describes the range of possible consequences, it’s essential for organizations to define low, medium, high, and very high impact levels clearly. The ALARP (As Low As Reasonably Practicable) principle means that risks should be reduced as much as possible, as long as it’s reasonable to do so.
Usually, this doesn’t involve a detailed comparison of costs and benefits but instead relies on following established good practices and standards. These standards are often designed with ALARP in mind, so meeting them is usually enough. However, if there are no clear standards, or they don’t fully apply, additional measures should be taken until the costs (in money, time, or effort) are clearly too high compared to the safety benefits or further risk reduction they would bring.
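As an added illustration that is not part of the original article, the following Python model scores a risk on the four-by-four matrix described above and derives the inherent, current and target levels from the controls attached to it; it also models the control-confidence idea (the ellipse around a risk point) as a worst-case current level in which any unaudited control is assumed to deliver nothing. The page names the five risk categories but does not reproduce the grid, so the banding used here (product of the two 1–4 scores), the control names and the sample "warehouse fire" risk are assumptions of this example, not the author's.

```python
"""Risk matrix scoring: inherent, current and target levels with control confidence."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Four-point scales named in the likelihood and impact criteria above.
LIKELIHOOD = ["Unlikely", "Possible", "Likely", "Almost certain"]
IMPACT = ["Small", "Moderate", "Severe", "Catastrophic"]
# Five categories named under "Explanation of Each Category", lowest first.
CATEGORIES = ["Low", "Moderate", "High", "Critical", "Extreme"]


def risk_level(likelihood: str, impact: str) -> str:
    """Map one cell of the 4x4 grid to a category.

    Assumption of this example: the page does not show the grid, so cells are
    banded by the product of the two 1-4 scores. Substitute the organization's
    own grid where it differs.
    """
    score = (LIKELIHOOD.index(likelihood) + 1) * (IMPACT.index(impact) + 1)
    if score <= 2:
        return "Low"
    if score <= 4:
        return "Moderate"
    if score <= 8:
        return "High"
    if score <= 12:
        return "Critical"
    return "Extreme"


@dataclass
class Control:
    name: str
    likelihood_steps: int = 0   # bands removed from likelihood (Control 1 in the text)
    impact_steps: int = 0       # bands removed from impact (Control 2 in the text)
    planned: bool = False       # existing controls give the current level, planned ones the target
    confidence: float = 1.0     # 1.0 = audited and proven; lower = untested (ellipse on the matrix)


@dataclass
class Risk:
    name: str
    likelihood: str             # inherent (gross) likelihood, before any control
    impact: str                 # inherent (gross) impact, before any control
    controls: List[Control] = field(default_factory=list)


def apply_controls(risk: Risk, controls: List[Control]) -> Tuple[str, str]:
    """Shift the inherent cell down each scale by the controls' effect, never below the lowest band."""
    lk = LIKELIHOOD.index(risk.likelihood)
    im = IMPACT.index(risk.impact)
    for c in controls:
        lk = max(0, lk - c.likelihood_steps)
        im = max(0, im - c.impact_steps)
    return LIKELIHOOD[lk], IMPACT[im]


def assess(risk: Risk) -> Dict[str, str]:
    """Inherent, current and target levels, plus the worst-case current level if every
    control that has not been proven effective (confidence < 1.0) fails outright."""
    existing = [c for c in risk.controls if not c.planned]
    proven = [c for c in existing if c.confidence >= 1.0]
    return {
        "inherent": risk_level(risk.likelihood, risk.impact),
        "current": risk_level(*apply_controls(risk, existing)),
        "current_worst_case": risk_level(*apply_controls(risk, proven)),
        "target": risk_level(*apply_controls(risk, risk.controls)),
    }


def is_significant(level: str, threshold: str = "High") -> bool:
    """A risk is significant when its level meets or exceeds the organization's threshold."""
    return CATEGORIES.index(level) >= CATEGORIES.index(threshold)


# Constructed sample risk (not from the page): one existing control that cuts
# likelihood but has not been audited, and one planned control that cuts impact.
SAMPLE_RISK = Risk(
    "Warehouse fire",
    likelihood="Likely",
    impact="Catastrophic",
    controls=[
        Control("Hot-work permit system", likelihood_steps=2, confidence=0.6),
        Control("Sprinklers and stock insurance", impact_steps=2, planned=True),
    ],
)


def sample_assessment() -> Dict[str, str]:
    return assess(SAMPLE_RISK)


if __name__ == "__main__":
    for level, category in sample_assessment().items():
        flag = " (significant)" if is_significant(category) else ""
        print(f"{level:>18}: {category}{flag}")
```

For the sample risk the inherent level is Critical, the current level Moderate, and the target level Low; because the only existing control is unaudited, the worst-case current level stays at Critical. A gap of that size between "current" and "current_worst_case" is exactly the signal the text describes for internal audit: the control is doing most of the work, so testing it should be an audit priority.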

Level of risk and the label used for the vertical axis of the matrix:

  • Gross or inherent, i.e. the level of risk before controls are applied: Impact
  • Current or net (residual), i.e. the level of risk after the application of existing controls: Magnitude
  • Target, i.e. the desired level of risk after the application of planned controls: Magnitude

For example, in the FIRM risk scorecard, the typical benchmark tests for risk significance may be:

  1. Financial:
    • Impact on balance sheet of 0.25%
    • Profit and loss impact of 2.5% of annual profit
  2. Infrastructural:
    • Disruption to normal operations of ½ day
    • Increased cost of operation exceeds 10% of budget
  3. Reputational:
    • Share price falls by 10%
    • Event is on national TV, radio or newspapers
  4. Marketplace:
    • Impact on balance sheet of 0.5% of turnover
    • Profit and loss impact of 1% of annual profit

Risk Matrix application

A risk matrix is a simple tool for showing how much risk a particular event poses to an organization. It’s usually used to show the current or “residual” level of risk (also called “net risk”) after controls are applied, with the vertical axis labeled as “impact.” It can also show the “gross” or “inherent” level of risk, meaning the level of risk before any controls are put in place, where the vertical axis may instead be labelled “magnitude.” The term “consequences” is slightly different from “impact.” “Impact” reflects the overall level of risk the organization faces, while “consequences” provides more detail on how effectively the risk is managed. For example, a warehouse fire might represent a high-magnitude event, but if the organization is fully insured, the financial impact could be minimal. However, the consequences might still be serious if nearby stakeholders are affected or the organization’s reputation suffers. Using this risk matrix or “issues grid,” people can identify which risks are most critical and prioritize them accordingly. After risks are placed on the matrix, the organization can see whether the overall risk profile is within acceptable levels and fits within the organization’s risk appetite and capacity. Large organizations often use a risk matrix to summarize their risk profile. This tool is flexible, helping not only to assess risks but also to decide the most suitable responses. Importantly, impact isn’t the same as magnitude. A risk event may be high in magnitude, but the impact and consequences might be smaller. For example, if a transport company loses a vehicle, the magnitude of the loss is high, but the overall impact might be small if that type of vehicle wasn’t in full use.

Control Confidence

An organization can’t always be sure that controls will work exactly as intended. Controls need to be audited to confirm they’re well-designed, properly applied, and delivering the desired results. On a risk matrix, the level of confidence in a control’s effectiveness can be shown by using a circle or ellipse around a risk point instead of a single point. This shape shows any uncertainty in how well the control will manage the risk in terms of likelihood and impact. When assessing risks and evaluating controls, it’s important to consider how confident we are that the control chosen is the right one and that it’s fully effective in practice. If there’s limited confidence in a control, internal audit can step in to test it and provide information on how much the outcome might vary if the risk occurs. Internal auditors ensure that the correct controls are chosen and that they work effectively and efficiently in practice. Testing controls is an essential function of internal audit, and risk managers also need to recognize the importance of this testing. Management needs assurance that controls are adequate, which can come from audits, activity and project performance, and management reports. Risk management documentation should outline who is responsible for designing, implementing, and auditing controls.

Risk Attitude

The figure above illustrates an organization’s attitude toward risk using a standard risk matrix. This example represents a risk-averse organization and is typically divided into four sections, referred to as the 4Cs: comfort, cautious, concerned, and critical. These sections reflect the organization’s long-term approach to handling risk. They can also describe short-term risk decisions on a “risk appetite matrix.” In the matrix, the red zone includes critical risks. For a risk-seeking organization, fewer risks are flagged as critical, so the “risk universe” that leaders monitor is more limited, often just the red zone. The term “risk universe” is sometimes used by auditors to define audit priorities. A narrow “risk universe” can increase the chance of missing important risks. Different stakeholders will view the risk universe differently. A risk manager, for instance, considers both identified risks and emerging ones. Each organization has a comfort level with certain risks that have minimal impact or are very unlikely, so they are deemed acceptable. For example, most businesses do not plan for the rare event of a plane crashing on their site. The global financial crisis highlighted how some risks—like the collapse of money markets—were seen as too unlikely to consider, leading to a lack of contingency planning. Typically, low-impact, low-likelihood risks are acceptable; medium-impact, medium-likelihood risks may need careful judgment; and high-impact, high-likelihood risks are usually intolerable. An organization’s overall risk approach is set by “risk criteria,” and risk attitude is more stable or long-term, while risk appetite is the immediate willingness to take on risk to meet goals. The risk attitude, much like a general preference for food, is consistent over time, whereas risk appetite is more situational. Organizations often review all risks together (cumulative risk assessment) to determine if the combined risk exposure aligns with their risk tolerance. 
Differences in individual risk concerns can affect risk prioritization; for instance, some people may worry more about a likely, low-impact event than about a rare, high-impact one, which influences how risks are ranked. Once significant risks are identified, they can be prioritized either by likelihood or by impact. In the first approach, risks are ranked by how likely they are to exceed the significance threshold (high, medium, or low likelihood). In the second approach, they’re ranked by impact if they occur (high, medium, or low impact). Which method is used depends on the organization’s risk criteria and board preferences. The impact of a risk is usually measured in terms of finances, infrastructure, reputation, or marketplace (FIRM). Effective risk management requires that the effects of high-impact events on strategy, tactics, operations, and compliance (STOC) are well-managed.

The graph visually represents three types of risk attitudes:

  1. Risk-Seeking (Green):
    • High willingness to take risks for potentially greater rewards.
    • The curve rises steeply, showing a preference for high-risk, high-reward scenarios.
  2. Risk-Neutral (Blue):
    • A balanced approach weighs risk and reward equally.
    • The relationship between risk level and potential reward is linear.
  3. Risk-Averse (Red):
    • Preference for caution, avoiding risks even if it means lower rewards.
    • The curve flattens as risk increases, showing reluctance to take on higher risks.

These curves illustrate how organizations or individuals might approach risk differently depending on their risk attitude.

Risk significance

When an organization decides how much risk to take, it has to consider several things. Different types of risks require different responses:

  • Hazard risks need a tolerance level.
  • Control risks need an acceptance level.
  • Opportunity risks need an investment appetite.

Together, these create the organization’s total risk exposure or the overall amount of risk it is taking. Additionally, there are compliance risks—risks related to legal and regulatory standards—which most organizations try to minimize by building compliance controls into their processes. The actual risk exposure may differ from the risk appetite (the amount of risk the board is comfortable with), and the organization also has a risk capacity—how much risk it can afford to take based on its resources. The board’s risk appetite should fit within this capacity and ideally should match or exceed the actual risk exposure. Some financial institutions during the global financial crisis took on risks that exceeded their capacity, which led to trouble. An organization’s capacity to handle risk depends on factors like its finances, infrastructure, reputation, and market competitiveness. Rapidly changing markets require organizations to handle higher risks. For instance, a company making DVD players would face high risk if streaming technology became popular. Adapting to this change would require new business strategies, equipment, and skills. If these adjustments exceed the company’s resources, it may need to explore options like finding a partner, selling the business, or even exiting the market. Sometimes, organizations face risks that, if realized, could destroy them. In such cases, risk management needs to identify situations that could trigger these major risks.

Risk classification

A risk classification system is a method for categorizing risks into different types or groups to help an organization understand, evaluate, and manage them effectively. To identify all the risks an organization faces, a structured approach is needed. A formal risk classification system helps the organization find similar risks across different areas. It also makes it clear who should set the strategy for managing related risks. Additionally, classifying risks in this way helps the organization better understand its risk tolerance, capacity, and overall risk exposure for each risk type or group of similar risks. Here are some common ways risks are classified:

  1. By Source:
    • External Risks: Risks originating from outside the organization (e.g., economic downturns, regulatory changes, natural disasters).
    • Internal Risks: Risks arising within the organization (e.g., process failures, fraud, employee errors).
  2. By Impact Area:
    • Financial Risks: Risks affecting an organization’s finances, such as market risk, credit risk, and liquidity risk.
    • Operational Risks: Risks associated with day-to-day operations, such as system failures, supply chain disruptions, or quality control issues.
    • Strategic Risks: Risks impacting long-term goals and objectives, such as competition or changes in customer demand.
    • Compliance Risks: Risks related to failing to adhere to laws, regulations, or standards.
    • Reputational Risks: Risks that affect public perception and trust in the organization.
  3. By Likelihood and Impact:
    • High Likelihood, High Impact: Risks that are likely to happen and could significantly harm the organization. These are typically prioritized for control and mitigation.
    • High Likelihood, Low Impact: Risks that are frequent but cause minor harm; often managed but with less focus.
    • Low Likelihood, High Impact: Rare but severe risks (e.g., natural disasters), often with contingency planning.
    • Low Likelihood, Low Impact: Risks that require minimal management and are often accepted.
  4. By Control Type:
    • Hazard Risks: Risks that can cause harm and are usually managed through safety and preventive measures (e.g., occupational hazards).
    • Control Risks: Risks managed through policies, procedures, and internal controls.
    • Opportunity Risks: Risks that may present potential for gain if managed well (e.g., entering a new market).
  5. By Risk Response:
    • Avoidable Risks: Risks that can be eliminated by avoiding certain actions.
    • Transferable Risks: Risks that can be transferred to another party, often through insurance or outsourcing.
    • Retainable Risks: Risks that are accepted due to their low impact or likelihood, with no specific action taken.
    • Mitigated Risks: Risks reduced through specific actions to minimize impact or likelihood.
  6. Generic four-way grouping (often used alongside ISO 31000, which itself prescribes no categories and asks each organization to choose its own):
    • Strategic Risks: Aligned with high-level objectives.
    • Operational Risks: Connected to internal processes.
    • Financial Risks: Affecting revenue, costs, and financial stability.
    • Compliance Risks: Related to regulations and ethical standards.
  7. COSO ERM (four categories of objectives):
    • Strategic: High-level goals, aligned with and supporting the mission.
    • Operations: Effective and efficient use of resources.
    • Reporting: Reliability of reporting.
    • Compliance: Compliance with applicable laws and regulations.
  8. IRM standard:
    • Financial
    • Strategic
    • Operational
    • Hazard
  9. FIRM risk scorecard:
    • Financial
    • Infrastructure
    • Reputational
    • Marketplace

A structured risk classification system helps ensure a comprehensive approach to identifying, assessing, and managing risks across the organization. It also enables prioritization by focusing on the most impactful risks and allocating resources efficiently. Like many decisions in risk management, an organization needs to choose the classification system that best meets its needs. Risks can be grouped by the timing of their impact, their type, their source, or the nature and scale of their consequences. An organization should select a system that fits its size, nature, and complexity. For instance, banks and financial institutions usually classify risks as market, credit, and operational risks. Other widely used tools, such as SWOT and PESTLE analysis, can also help organize risk assessment workshops.

The advantages of a risk classification system are:

  • Enhanced Risk Visibility: By categorizing risks systematically, organizations can more easily recognize and track different types of risks across departments, making it easier to maintain an organization-wide view.
  • Improved Prioritization: Risk classification helps identify which risks require immediate attention, enabling organizations to focus on those with the highest impact or likelihood.
  • Efficient Resource Allocation: Resources for risk management can be allocated more effectively by focusing on risk categories that pose the most significant threat, saving time and money.
  • Better Communication: A structured classification system creates a common language for discussing risks, improving understanding among stakeholders at all levels and promoting consistent messaging.
  • Consistent Risk Management: Classification systems encourage a standardized approach to risk assessment and management, ensuring that similar types of risks are managed consistently throughout the organization.
  • Facilitates Compliance and Reporting: Many regulations and standards require organizations to identify and categorize risks. A classification system supports compliance efforts and simplifies the reporting process to regulators and stakeholders.
  • Enhanced Decision-Making: By grouping risks, leaders can make more informed strategic decisions based on an organized view of risks and their potential impacts on objectives.
  • Supports Strategic Alignment: Risk classification aligns risk management activities with strategic goals, as it highlights which risks impact critical areas like strategy, operations, or compliance.
  • Encourages Proactive Management: Classifying risks can help identify emerging risks within each category, allowing for early intervention and preventative action.
  • Facilitates Performance Measurement: A classification system allows organizations to track the effectiveness of risk mitigation measures across different types of risks, supporting continuous improvement in risk management processes.

Classification based on the timing of impact

Dividing risks into short-, medium-, and long-term categories is useful even though it is not a strict system. Generally, short-term risks relate to operations, medium-term risks to tactics, and long-term risks to strategy. The split is not perfect: a short-term risk can affect strategic processes, and a long-term risk can impact operations. All three areas must also meet compliance requirements, and most organizations aim to keep compliance risk low.

Short-term risks can immediately disrupt the organization’s goals, critical processes, and operations when they occur. They are often sudden and unexpected events, mainly hazard risks, although they can also relate to cost control. Because they can quickly affect the organization’s ability to keep operating, the usual aim is to reduce them.

Medium-term risks usually show their effects a few months to a year after the event. They affect the organization’s ability to deliver tactical initiatives such as projects and change programmes, and they need active management to stop those initiatives going off course.

Long-term risks tend to take effect one to five years (or more) after the event. They affect the organization’s ability to sustain the core processes that support its strategy. Although they are connected to strategic goals, they are not only about opportunity: a long-term risk that threatens a strategic plan can do more damage than any operational or tactical risk. A balanced level of strategic risk is still essential to support growth.

Risks come from an organization’s operations, tactics, strategy, and compliance needs, with compliance treated as a separate category alongside the other three. Each type can be matched to a response approach: strategic risks are embraced, tactical risks managed, operational risks mitigated, and compliance risks minimized (embrace, manage, mitigate, minimize, abbreviated EM3). The risk management model shows how sources of risk lead to events that in turn have consequences. When a risk event happens, it affects specific parts of the organization and may disrupt its functions. These impacted areas are grouped into four components: people, premises, processes, and products (the 4Ps). The 4Ps can also serve as a system for classifying risks by the area they affect.

Example: damage to premises.

The main risk classification systems include COSO, IRM, BS 31100, and the FIRM risk scorecard, each with its similarities. However, simple labels like “hazard,” “control,” or “opportunity” and terms like “high, medium, or low” or “short-, medium-, or long-term” aren’t formal classifications. Many organizations struggle with classification because they don’t fully consider the specific nature of the risks involved. The bow-tie model shows that risks can be categorized by their source, the affected area in the organization, and the potential impact. Short-, medium-, and long-term risk labels generally reflect operational, tactical, and strategic risks, respectively.

Each classification system has unique features; for instance, FIRM refers to operational risk as “infrastructure risk,” while COSO focuses heavily on financial and reporting risks. The systems were developed by different organizations for different purposes, so while they share common aspects, they aren’t identical. British Standard BS 31100 highlights that a classification system can help define the scope of risk management, organize risk identification, and group similar risks across the organization. Unlike BS 31100, ISO 31000 doesn’t suggest a specific classification system, recommending instead that each organization tailor categories to its size, nature, and complexity. COSO and IRM are widely used frameworks, although COSO has limitations, such as the potential overlap of strategic risks across operations, reporting, and compliance. Despite this, COSO is widely used due to its alignment with Sarbanes–Oxley Act requirements. In short, a well-defined risk classification system can:

  • Make it easier to spot groups of risks that could threaten key objectives or dependencies.
  • Clarify who is responsible for managing different risk types.
  • Support informed decisions on risk controls.
  • Highlight when risks exceed the organization’s risk appetite or don’t align with risk criteria.

FIRM risk scorecard

The FIRM Risk Scorecard is a risk classification system designed to help organizations categorize and manage risks across different areas of their business. The acronym “FIRM” stands for:

  • Financial Risks – Risks associated with financial performance, such as cash flow, capital availability, market risks, credit risks, and other financial exposures.
  • Infrastructure Risks – Often synonymous with operational risks, these involve the organization’s internal structures, systems, and processes. Infrastructure risks include issues related to equipment, technology, facilities, and logistical processes.
  • Reputational Risks – Risks that could affect the organization’s public perception and reputation. This category includes risks from customer satisfaction, corporate governance, ethics, and compliance, as well as any issues that could impact the trust and credibility of the organization.
  • Marketplace Risks – These risks relate to the external business environment, including changes in competition, customer preferences, industry trends, regulatory changes, and other market forces that can affect the organization’s strategic position.

The FIRM Risk Scorecard provides a structured approach to identifying, categorizing, and prioritizing risks by dividing them into these four areas. By doing so, organizations can better understand where their biggest vulnerabilities lie and take focused action to manage them. This system also encourages balanced attention to both internal and external risks, supporting comprehensive risk management across different business functions.

1) Financial

  • Description: Risks that can impact the way money is managed and profitability is achieved
  • Internal or external risk: Internal
  • Quantifiable: Usually
  • Measurement (performance indicator): Gains and losses from internal financial control
  • Performance gap: Procedures (failure of procedures to control internal financial risks)
  • Control mechanisms: CapEx standards, internal control, delegation of authority

2) Infrastructure

  • Description: Risks that will impact the level of efficiency and dysfunction within the core processes
  • Internal or external risk: Internal
  • Quantifiable: Sometimes
  • Measurement (performance indicator): Level of efficiency in processes and operations
  • Performance gap: Process (failure of processes to operate without disruption)
  • Control mechanisms: Process control, loss control, insurance and risk financing

3) Reputational

  • Description: Risks that will impact the desire of customers to deal or trade, and the level of customer retention
  • Internal or external risk: External
  • Quantifiable: Not always
  • Measurement (performance indicator): Nature of publicity and effectiveness of marketing profile
  • Performance gap: Perception (failure to achieve the desired perception)
  • Control mechanisms: Marketing, advertising, reputation and brand protection

4) Marketplace

  • Description: Risks that will impact the level of customer trade or expenditure
  • Internal or external risk: External
  • Quantifiable: Yes
  • Measurement (performance indicator): Income from commercial and market activities
  • Performance gap: Presence (failure to achieve the required presence in the marketplace)
  • Control mechanisms: Strategic and business plans, opportunity assessment

Financial and infrastructure risks are seen as internal to the organization, while reputational and marketplace risks come from external factors. Financial and marketplace risks are relatively easy to measure in monetary terms, whereas infrastructure and reputational risks are harder to quantify. Including reputational risks as a separate category in the FIRM scorecard is sometimes debated. Some argue that reputational damage is just a result of other risks and shouldn’t be its own category. However, reputation is crucial, especially when a company relies on its brand to expand into new markets or broaden its brand presence. More broadly, all risks can be viewed as a result of business decisions. Choosing a strategy, starting a project, or maintaining operations all involve risks, and if these activities weren’t undertaken, the risks wouldn’t exist.

PESTLE risk classification system

The PESTLE Risk Classification System is a framework that helps organizations categorize risks by considering external factors in six key areas: political, economic, social, technological, legal, and environmental (in some versions the last “E” stands for ethical rather than environmental). This classification system is mainly used to assess hazard risks and is less suited to financial, infrastructure, and reputational risks. The six areas are:

  1. Political Risks – Risks arising from changes in government policies, regulations, political stability, trade restrictions, and other factors related to government actions that can impact the organization’s operations. Tax policy, employment laws, environmental regulations, trade restrictions and reform, tariffs and political stability are some examples.
  2. Economic Risks – Risks related to economic conditions, such as inflation, currency fluctuations, economic growth or recession, interest rates, and unemployment rates, which can affect the organization’s financial health and market conditions. Economic growth/decline, interest rates, exchange rates and inflation rate, wage rates, minimum wage, working hours, unemployment (local and national), credit availability, cost of living, etc are some examples.
  3. Social Risks – Risks associated with societal changes and trends, such as shifts in demographics, cultural values, consumer behaviors, and lifestyle changes, which can influence demand for the organization’s products or services. Cultural norms and expectations, health consciousness, population growth rate, age distribution, career attitudes, emphasis on safety, global warming are some examples.
  4. Technological Risks – Risks stemming from changes in technology, including advances, cyber threats, and technology obsolescence, which can affect operational efficiency and competitive positioning. Technology changes that impact your products or services, new technologies, barriers to entry in given markets, financial decisions like outsourcing and supply chain are some examples.
  5. Legal Risks – Risks related to changes in laws, regulations, and legal actions that could impact the organization’s compliance, liability, or operating environment. Changes to legislation that may impact employment, access to materials, quotas, resources, imports/exports, taxation, etc are some examples.
  6. Environmental (or Ethical) Risks – Risks associated with environmental factors such as climate change, natural disasters, resource scarcity, and sustainability pressures, or, in the ethical reading, with the ethical standards the organization is expected to meet; either can affect operations, reputation, and compliance.

The PESTLE classification system encourages organizations to look beyond internal factors and consider the wider environment in which they operate. By analyzing these areas, organizations can better understand how external forces might threaten their strategies and operations, which informs risk management and planning. PESTLE addresses risks from external factors, things the organization cannot fully control but can take some steps to manage. It is often recommended to pair PESTLE with a SWOT analysis (strengths, weaknesses, opportunities, and threats) for each of the six PESTLE areas. PESTLE guides organizations in focusing on key external issues and is especially useful in the public sector, where outside factors greatly influence operations. It is a popular tool in risk assessment workshops and helps classify different types of risk.

Advantages of using PESTLE:

  • Simple and easy-to-use framework
  • Builds awareness of the broader business environment
  • Encourages strategic, externally-focused thinking
  • Helps foresee potential future threats
  • Identifies ways to reduce or prevent risks
  • Helps spot business opportunities

Disadvantages of using PESTLE:

  • Can oversimplify information for decision-making
  • Needs regular updates to remain useful
  • Requires input from diverse perspectives
  • Finding good external data can be time-consuming and costly
  • Difficult to predict future changes accurately
  • Risk of too much data, making it hard to prioritize
  • Relies on assumptions that may later prove inaccurate

The Orange Book – Risk Categories

  • Strategy– Risks arising from identifying and pursuing a strategy, which is poorly defined, is based on flawed or inaccurate data or fails to support the delivery of commitments, plans or objectives due to a changing macro-environment (e.g. political, economic, social, technological, environment and legislative change).
  • Governance– Risks arising from unclear plans, priorities, authorities and accountabilities, and/or ineffective or disproportionate oversight of decision-making and/or performance.
  • Operations– Risks arising from inadequate, poorly designed or ineffective/ inefficient internal processes resulting in fraud, error, impaired customer service (quality and/or quantity of service), non-compliance and/or poor value for money.
  • Legal– Risks arising from a defective transaction, a claim being made (including a defence to a claim or a counterclaim) or some other legal event occurring that results in a liability or other loss, or a failure to take appropriate measures to meet legal or regulatory requirements or to protect assets (for example, intellectual property).
  • Property– Risks arising from property deficiencies or poorly designed or ineffective/ inefficient safety management resulting in non-compliance and/or harm and suffering to employees, contractors, service users or the public.
  • Financial- Risks arising from not managing finances in accordance with requirements and financial constraints resulting in poor returns from investments, failure to manage assets/liabilities or to obtain value for money from the resources deployed, and/or non-compliant financial reporting.
  • Commercial– Risks arising from weaknesses in the management of commercial partnerships, supply chains and contractual requirements, resulting in poor performance, inefficiency, poor value for money, fraud, and/or failure to meet business requirements/objectives.
  • People-Risks arising from ineffective leadership and engagement, suboptimal culture, inappropriate behaviours, the unavailability of sufficient capacity and capability, industrial action and/or non-compliance with relevant employment legislation/HR policies resulting in negative impact on performance.
  • Technology: Risks arising from technology not delivering the expected services due to inadequate or deficient system/ process development and performance or inadequate resilience.
  • Information: Risks arising from a failure to produce robust, suitable and appropriate data/ information and to exploit data/information to its full potential.
  • Security: Risks arising from a failure to prevent unauthorised and/or inappropriate access to the estate and information, including cyber security and non-compliance with General Data Protection Regulation requirements.
  • Project/Programme: Risks that change programmes and projects are not aligned with strategic priorities and do not successfully and safely deliver requirements and intended benefits to time, cost and quality.

The Orange Book describes risk appetite on a five-point scale (averse, minimal, cautious, open, eager) for each of these categories. The descriptions below are the suggested appetite levels; an organization marks the level it has chosen for each category.

  1. Strategy
    • Averse: Guiding principles or rules in place that limit risk in organisational actions and the pursuit of priorities. Organisational strategy is refreshed at 5+ year intervals
    • Minimal– Guiding principles or rules in place that minimise risk in organisational actions and the pursuit of priorities. Organisational strategy is refreshed at 4-5 year intervals
    • Cautious-Guiding principles or rules in place that allow considered risk taking in organizational actions and the pursuit of priorities. Organizational strategy is refreshed at 3-4 year intervals
    • Open-Guiding principles or rules in place that are receptive to considered risk taking in organizational actions and the pursuit of priorities. Organizational strategy is refreshed at 2- 3 year intervals
    • Eager– Guiding principles or rules in place that welcome considered risk taking in organizational actions and the pursuit of priorities. Organizational strategy is refreshed at 1-2 year intervals
  2. Governance
    • Averse– Avoid actions with associated risk. No decisions are taken outside of processes and oversight / monitoring arrangements. Organizational controls minimize risk of fraud, with significant levels of resource focused on detection and prevention.
    • Minimal– Willing to consider low risk actions which support delivery of priorities and objectives. Processes, and oversight / monitoring arrangements enable limited risk taking. Organisational controls maximise fraud prevention, detection and deterrence through robust controls and sanctions.
    • Cautious-Willing to consider actions where benefits outweigh risks. Processes, and oversight / monitoring arrangements enable cautious risk taking. Controls enable fraud prevention, detection and deterrence by maintaining appropriate controls and sanctions.
    • Open– Receptive to taking difficult decisions when benefits outweigh risks. Processes, and oversight / monitoring arrangements enable considered risk taking. Levels of fraud controls are varied to reflect scale of risks with costs.
    • Eager-Ready to take difficult decisions when benefits outweigh risks. Processes, and oversight / monitoring arrangements support informed risk taking. Levels of fraud controls are varied to reflect scale of risk with costs.
  3. Operations
    • Averse-Defensive approach to operational delivery – aim to maintain/protect, rather than create or innovate. Priority for close management controls and oversight with limited devolved authority.
    • Minimal– Innovations largely avoided unless essential. Decision making authority held by senior management.
    • Cautious– Tendency to stick to the status quo, innovations generally avoided unless necessary. Decision making authority generally held by senior management. Management through leading indicators.
    • Open- Innovation supported, with clear demonstration of benefit / improvement in management control. Responsibility for non- critical decisions may be devolved.
    • Eager– Innovation pursued – desire to ‘break the mould’ and challenge current working practices. High levels of devolved authority – management by trust / lagging indicators rather than close control.
  4. Legal
    • Averse -Play safe and avoid anything which could be challenged, even unsuccessfully.
    • Minimal– Want to be very sure we would win any challenge.
    • Cautious– Want to be reasonably sure we would win any challenge.
    • Open-Challenge will be problematic; we are likely to win, and the gain will outweigh the adverse impact.
    • Eager– Chances of losing are high but exceptional benefits could be realised.
  5. Property
    • Averse– Obligation to comply with strict policies for purchase, rental, disposal, construction, and refurbishment that ensures producing good value for money
    • Minimal– Recommendation to follow strict policies for purchase, rental, disposal, construction, and refurbishment that ensures producing good value for money.
    • Cautious– Requirement to adopt a range of agreed solutions for purchase, rental, disposal, construction, and refurbishment that ensures good value for money.
    • Open-Consider benefits of agreed solutions for purchase, rental, disposal, construction, and refurbishment that meeting organisational requirements.
    • Eager– Application of dynamic solutions for purchase, rental, disposal, construction, and refurbishment that ensures meeting organizational requirements.
  6. Financial
    • Averse– Avoidance of any financial impact or loss, is a key objective.
    • Minimal– Only prepared to accept the possibility of very limited financial impact if essential to delivery.
    • Cautious– Seek safe delivery options with little residual financial loss only if it could yield upside opportunities.
    • Open- Prepared to invest for benefit and to minimise the possibility of financial loss by managing the risks to tolerable levels.
    • Eager– Prepared to invest for best possible benefit and accept possibility of financial loss (controls must be in place).
  7. Commercial
    • Averse-Zero appetite for untested commercial agreements. Priority for close management controls and oversight with limited devolved authority.
    • Minimal– Appetite for risk taking limited to low scale procurement activity. Decision making authority held by senior management.
    • Cautious– Tendency to stick to the status quo, innovations generally avoided unless necessary. Decision making authority generally held by senior management. Management through leading indicators.
    • Open-Innovation supported, with demonstration of benefit / improvement in service delivery. Responsibility for non- critical decisions may be devolved.
    • Eager– Innovation pursued – desire to ‘break the mould’ and challenge current working practices. High levels of devolved authority – management by trust / lagging indicators rather than close control.
  8. People
    • Averse-Priority to maintain close management control & oversight. Limited devolved authority. Limited flexibility in relation to working practices. Development investment in standard practices only
    • Minimal– Decision making authority held by senior management. Development investment generally in standard practices.
    • Cautious– Seek safe and standard people policy. Decision making authority generally held by senior management.
    • Open- Prepared to invest in our people to create innovative mix of skills environment. Responsibility for noncritical decisions may be devolved.
    • Eager– Innovation pursued – desire to ‘break the Mould’ and challenge current working practices. High levels of devolved authority – management by trust rather than close control.
  9. Technology
    • Averse– General avoidance of systems / technology developments.
    • Minimal– Only essential systems / technology developments to protect current operations.
    • Cautious– Consideration given to adoption of established / mature systems and technology improvements. Agile principles are considered.
    • Open- Systems / technology developments considered to enable improved delivery. Agile principles may be followed.
    • Eager– New technologies viewed as a key enabler of operational delivery. Agile principles are embraced.
  10. Data and Information Management
    • Averse-Lock down data & information. Access tightly controlled, high levels of monitoring.
    • Minimal– Minimize level of risk due to potential damage from disclosure.
    • Cautious-Accept need for operational effectiveness with risk mitigated through careful management limiting distribution.
    • Open– Accept need for operational effectiveness in distribution and information sharing.
    • Eager– Level of controls minimized with data and information openly shared.
  11. Security
    • Averse– No tolerance for security risks causing loss or damage to HMG property, assets, information or people. Stringent measures in place, including: adherence to FCDO travel restrictions; staff vetting maintained at the highest appropriate level; controls limiting staff and visitor access to information, assets and estate; access to staff personal devices restricted in official sites.
    • Minimal– Risk of loss or damage to HMG property, assets, information or people minimized through stringent security measures, including: adherence to FCDO travel restrictions; all staff vetted at levels defined by role requirements; controls limiting staff and visitor access to information, assets and estate; staff personal devices permitted, but may not be used for official tasks.
    • Cautious– Limited security risks accepted to support business need, with appropriate checks and balances in place: adherence to FCDO travel restrictions; vetting levels may flex within teams, as required; controls managing staff access and limiting visitor access to information, assets and estate; staff personal devices may be used for limited official tasks with appropriate permissions.
    • Open– Considered security risk accepted to support business need, with appropriate checks and balances in place: new starters may commence employment at risk, following partial completion of vetting processes; permission may be sought for travel within FCDO restricted areas; controls limiting visitor access to information, assets and estate; staff personal devices may be used for official tasks with appropriate permissions.
    • Eager– Organization willing to accept security risk to support business need, with appropriate checks and balances in place: new starters may commence employment at risk, following partial completion of vetting processes; travel permitted within FCDO restricted areas; controls limiting visitor access to information, assets and estate; staff personal devices permitted for official tasks.
  12. Project / Program
    • Averse– Defensive approach to transformational activity – aim to maintain/protect, rather than create or innovate. Priority for close management controls and oversight with limited devolved authority. Benefits led plans fully aligned with strategic priorities, functional standards.
    • Minimal– Innovations avoided unless essential. Decision making authority held by senior management. Benefits led plans aligned with strategic priorities, functional standards.
    • Cautious– Tendency to stick to the status quo, innovations generally avoided unless necessary. Decision making authority generally held by senior management. Plans aligned with strategic priorities, functional standards.
    • Open– Innovation supported, with demonstration of benefit / improvement in management control. Responsibility for noncritical decisions may be devolved. Plans aligned with functional standards and organisational governance.
    • Eager- Innovation pursued – desire to ‘break the Mould’ and challenge current working practices. High levels of devolved authority – management by trust rather than close control. Plans aligned with organizational governance.

Challenges and Approaches to Risk Classification

Using a single classification system may not work well: knowing the timing of a risk is not enough, because the type of impact matters too. Each organization should choose a classification method that fits its needs and the risks it faces, categorizing risks by source, impact, and timing. One practical combination is the FIRM risk scorecard together with the hazard / control / opportunity distinction. A custom risk matrix can also combine the FIRM scorecard with short-, medium-, and long-term categories to produce an issues grid that makes the key risks easier to spot.

Many classification systems overlook compliance risks, which do not fit neatly into timing-based categories. Compliance risks often need a trigger event before they crystallize, which makes it hard to know in advance which compliance issues will become a problem.

Hazard risks usually relate to infrastructure, while strategic risks are usually linked to marketplace changes. The systems discussed here work best for analyzing hazard risks, although some frameworks, such as IRM and COSO, treat strategic risk as a separate category. Each organization must decide whether a separate strategic category is useful. The FIRM scorecard classifies strategic and project risks by their main impact if the risk materializes. Classifying project risks matters because it determines the right response: for project requirements such as timelines, budgets, and quality standards, risks can be classified as those that threaten the schedule, those that affect the budget, and those that affect the final quality or performance.

There is no universal risk classification system that suits every organization. Banks, for example, usually group their risks into three categories: market risk, credit risk, and operational risk, and the framework for managing each differs. Market risk arises from movements in financial markets, such as interest rates or exchange rates, and is mainly treated as an opportunity risk. Credit risk, the chance that a borrower will not repay, is a control risk that needs active management. Operational risk covers failures in systems, processes, or people, as well as external events such as natural disasters; Basel II defines it as the risk of loss resulting from inadequate or failed internal processes, people and systems or from external events, which makes it a hazard risk to be mitigated.
