Strategy serves as a critical foundation for enterprise risk management. Establishing and comprehending organizational objectives stem from the strategy, with risk management concentrating on the uncertainties that could impact the realization of those objectives. Strategy is emphasized in the initial stage of the ISO 31000 process (defining scope, context, and criteria) and in the second element of the updated COSO ERM Framework (strategy and objective setting). It is also a key component of the risk management (RASP) framework. A clear grasp of an organization’s mission, vision, and core values, along with the formulation of its strategy and objectives, is essential for identifying, understanding, and managing risks in alignment with the organization’s risk appetite. We will explore strategy and objectives in depth, presenting approaches to crafting business strategy and expanding on this foundation to examine the interplay between risk and strategy processes. Lastly, we will assess the role of risk within various strategy models.

Business strategy outlines what an organization aims to accomplish and the methods it will use to do so, rooted in decisions about its future direction. It articulates where the organization envisions itself in three to five years, often expressed through strategic objectives. A well-defined business strategy allows the organization to fulfill its mission, objectives, strategies, and plans. According to the Oxford English Dictionary, strategy is a plan designed to achieve a specific goal. It is a vital component of success for both individuals and organizations. While a solid strategy doesn’t ensure success, it significantly boosts the likelihood. Effective strategies typically feature four key aspects: clear long-term goals, a deep understanding of the external landscape, a sharp evaluation of internal resources and strengths, and strong execution. Strategy is a recognized business discipline that has been extensively studied. Notable insights on strategy include:

• Lee Bolman: “A vision without a strategy remains an illusion.”
• Lewis Carroll: “If you don’t know where you are going, any road will get you there.”
• Stephen Covey: “Begin with the end in mind.”
  Grasping the concept of strategy is fundamental to enterprise risk management.

7.1 The board’s role in defining strategy

A primary goal of a governance structure is to ensure that an organization’s strategy is effectively executed. The strategy originates with the organization’s Shareholders, Members, or Trustees. By establishing and sustaining the organization, they define its fundamental purpose. They delegate the responsibility of overseeing this purpose to a board of directors, who establish the strategic objectives. The board, leveraging its authority, then empowers the executive team to develop and implement a plan to achieve these strategic goals. As such, when discussing risk management, it is crucial to revisit and understand the strategic objectives set by the board on behalf of the Shareholders, Members, or Trustees.

Formulating Strategy

Strategy develops over time and varies in focus depending on an organization’s lifecycle stage. To guide the development and evaluation of strategy, organizations employ a range of management models. The following widely recognized management models assist in designing, validating, implementing, and reviewing organizational strategy:

Design – crafting potential strategic pathways for the organization:

• Ansoff Model
• Business Model Canvas
• CORR (Customer, Offering, Resources, and Resilience)

Validation – evaluating strategic options to determine the most suitable course of action:

• SWOT (Strengths, Weaknesses, Opportunities, Threats)
• Porter’s Five Forces
• PESTLE (Political, Economic, Social, Technological, Legal, Environmental)

Implementation – converting the selected strategy into actionable objectives and tasks:

• VMOST (Vision, Mission, Objectives, Strategy, Tactics)
• Value Chain Analysis

Review and Repurpose – periodically assessing existing strategies and objectives to ensure ongoing relevance:

• BCG Matrix
• Kotter’s “Our Iceberg Is Melting”
• McKinsey 7S Model

Typically, organizations establish a 3-to-5-year strategy to fulfill the vision and mission set by shareholders, which is then endorsed by the board. Alongside this, they create an annual plan and financial budget, which form a shorter-term subset of the broader strategy, focusing on immediate goals. The 3-to-5-year strategy documents and annual plans are generally internal resources and not publicly released. However, many organizations issue a strategy statement or report, often included in their annual report. In larger organizations, there may be legal or regulatory obligations to disclose strategy details. In the UK, the Financial Reporting Council’s “Guidance on the Strategic Report” outlines requirements for what must be included in a strategic report. This ensures shareholders receive a comprehensive and clear overview of the organization’s business model, strategy, development, performance, position, and future outlook, including a description of key risks and their potential impact on future prospects. While the FRC guidance is tailored to UK public limited companies, it has been widely adopted as a best practice standard across other countries and organization types. Organizations are often hesitant to share detailed strategy documents broadly, even internally. Publicly available strategy statements tend to emphasize marketing angles and are sometimes referred to as business plans. Many smaller organizations lack formal strategy statements or documentation altogether.

A critical aspect of strategy is how an organization manages its reputation. To evaluate an organization’s reputation and understand the potential sources of reputation risk, it’s useful to break down and map out the elements that shape its reputation. Reputation risk is a major concern for business leaders because it acts as a meta-risk—capable of emerging and escalating rapidly from both internal and external sources. For organizations with a strong reputation or those that depend on it to draw investment and talent, reputation risk poses a significant threat. Organizations possess a ‘reputation premium,’ which reflects their earning potential beyond what is accounted for in their brand or net assets. Many leading global brands rely heavily on this premium. Should this organizational value be jeopardized or undermined, the consequences could be severely damaging.

7.2 Risk Management Strategy

Having explored organizational strategy, we now examine how risk management integrates with it. Below is a straightforward 4-step process for managing risk. When aligned with an organization’s strategy, it appears as follows:

• Step 1 – Evaluate the context, strategy, and objectives, and determine the level of risk the organization is prepared to pursue or tolerate to meet these goals (risk appetite).
• Step 2 – Identify and evaluate the risks tied to achieving the strategy and objectives.
• Step 3 – Implement the necessary controls and measures to address these risks.
• Step 4 – Continuously monitor and reassess the risks and controls, reporting to stakeholders on their impact on the strategy and objectives.

This 4-step process is cyclical. If the proposed risk management approach does not align with the organization’s risk appetite, a strategy review may be necessary. In such cases, two options emerge:

• Adjust the strategy, objectives, and/or risk appetite, or
• Enhance the management efforts, such as increasing investment in controls.

When examining how strategic risk is handled within organizations, it’s critical to recognize that the board should either take ownership of or maintain close oversight over the organization’s strategic risks. In certain organizations, a dedicated strategic risk register exists, typically managed by the Chief Risk Officer or a similar role, reflecting the connection between the board and the organization’s risk data.

The following strategic risk categories are typical examples found in strategic risk registers:

• Succession planning for the CEO and key C-suite executives.
• Risks posed by competition.
• Existential threats or evolutionary shifts within the industry.
• Arrangements for shareholder exits.

Boards should address four essential strategic questions regarding risks to the strategic plan:

1. How do we align enterprise risk management (ERM) with the organization’s strategic direction and plan?
2. What are our primary business risks, both those arising from the strategic plan and those that could either jeopardize or bolster it?
3. Are we accepting an appropriate level of risk?
4. Are we aware of which risks, if effectively managed, could enhance or diminish the organization’s value or performance?

These questions are part of a broader set of board inquiries designed to steer discussions toward ensuring that risk management processes and frameworks are suitable for achieving the intended ERM goals, rather than merely confirming compliance with those processes and frameworks.

Strategy and Risk Management standards

Risk management standards place significant emphasis on strategy. We reviewed key standards, primarily ISO 31000 and COSO, both of which underscore the need to comprehend an organization’s context and objectives, including its strategy.

In ISO 31000, strategy is addressed within the “Scope, context, and criteria” phase of the risk management process. This step involves:

• Outlining the purpose and scope of risk management efforts.
• Assessing the organization’s external and internal context.
• Establishing risk criteria by determining the acceptable level and nature of risk.
• Setting criteria to assess risk significance and aid decision-making.

The COSO (2017) framework highlights the centrality of strategy in enterprise risk management (ERM), noting that “enterprise risk management is as much about understanding the implications from the strategy and the possibility of the strategy not aligning as it is about managing risks to set objectives.” COSO elaborates on strategy and objective-setting with the following components:

6. Analyzes Business Context – The updated framework evaluates the business context, considering internal and external stakeholders. It stresses that management must account for risks arising from shifts in the business environment and adjust strategy execution accordingly.
7. Defines Risk Appetite – The organization sets its risk appetite in the context of creating, preserving, and realizing value. This appetite is factored into strategy formulation, articulated by management, endorsed by the board, and embedded throughout the organization.
8. Evaluates Alternative Strategies – Different strategies rest on varying assumptions, which may be vulnerable to change. The organization assesses strategic options, selecting one that enhances value while factoring in risks tied to the chosen strategy.
9. Formulates Business Objectives – Management defines objectives at various business levels that align with and support the strategy, ensuring they reflect and conform to the organization’s risk appetite.

Other standards addressing strategy and its associated risks include:

• Banking – Basel III
• Insurance – Solvency II
• Health and Safety – ISO 45000 family (Occupational Health and Safety)
• Legal – ISO 31022 (Guidelines for Managing Legal Risk)
• Business Continuity – ISO 22301 (Business Continuity)
• Projects – Association for Project Management PRAM Guide
• UK Public Sector – The Orange Book 2020

While risk registers typically list numerous operational and project-related risks, it’s critical that they also include high-level strategic risks, which are a priority for senior management and the board. In some organizations, due to confidentiality concerns, a separate strategic risk register may be maintained by the Chief Risk Officer or a similar role.

RASP

RASP stands for Risk Architecture, Strategy and Protocols. Strategy in the context of RASP refers to the risk management strategy that the organisation has adopted. This is not the overall strategy of the organisation itself but the strategy for how risk will be managed in the organisation. The strategy an organization chooses can shape its approach to risk management. This strategy is typically influenced by the organization’s current stage in its lifecycle, as illustrated in the Organizational Lifecycle figure. For instance, during the startup and growth phases, the strategic emphasis is usually on expansion and development. Operations at this point are often streamlined and flexible, with risk management largely handled by frontline teams and limited centralized support. In contrast, during the maturity stage, the focus often shifts to boosting margins for existing products or services and fostering innovation for new offerings. By this stage, organizations typically have established a more structured risk management framework, including a strong, professional risk function within the second line of defense. Thus, as an organization progresses through its lifecycle stages, there is an opportunity for its risk management practices to evolve and mature accordingly.

Risk management framework consists of

1. Risk management Architecture
   • Committee structure and teems of reference
   • Roles and responsibilities
   • Internal reporting requirements
   • External reporting controls
   • Risk management assurance arrangement
   • Budget and agreement on resources
2. Risk Management strategy
   • Risk Management Philosophy
   • Arrangements for embedding
   • Risk management
   • Risk appetite and attitude to risk
   • Benchmark tests for significance
   • Specific risk statements/policies
   • Risk assessment techniques
   • Risk priorities for present year
3. Risk Management Protocol
   • Tools and techniques
   • Risk classification system
   • Risk assessment procedures
   • Risk control rules and procedures
   • Responding to incidents, issues and events
   • Documentation and Record keepings
   • Training and communications
   • Audit procedures and protocols
   • Reporting/disclosures/Certificate

Up to this point, we’ve examined the risks stemming from an organization’s strategy and its strategic objectives. Another significant way strategy impacts risk management is through the establishment of the organization’s risk appetite. Risk appetite refers to the level of risk an organization is prepared to pursue or tolerate to achieve its goals. To fully leverage the benefits of risk management, it’s essential that the strategy and risk appetite statements are in sync. This alignment is typically evident in the formal delegation of powers and authority within the organization.

7.3 Strategy Model

Organizations are increasingly integrating enterprise risk management (ERM) into their strategy-setting processes. Rather than developing a strategy and then identifying the risks it generates, they are incorporating risk considerations directly into the strategy formulation stage. We explored this interplay between risk management and strategy within the COSO (2017) ERM Framework.

The COSO (2017) ERM Framework highlights that “the role of risk in strategy selection” involves making decisions and embracing trade-offs. Applying ERM to strategy is logical, as it provides a structured way to balance the art and science of informed decision-making.

Risk often plays a role in strategy-setting, but traditionally, it is assessed mainly for its potential impact on a pre-established strategy. Discussions typically center on risks to the current plan: “We have a strategy—what might undermine its relevance or feasibility?” However, organizations are improving at asking broader, proactive questions: “Have we accurately forecasted customer demand? Can our supply chain meet deadlines and budgets? Will new competitors arise? Is our technology infrastructure sufficient?” These are daily challenges for executives, and addressing them is essential to executing a strategy effectively.

In this section, we merge strategy and risk management, exploring: How can risk management shed light on the application of strategy models? How can risk management tools aid in strategy development?

We examine how risk management can enhance our understanding of strategy models across the following stages:

Design – Generating potential strategic options for the organization:

• Ansoff Model
• Business Model Canvas
• CORR (Customer, Offering, Resources, and Resilience)

Validation – Assessing the identified strategic options to choose the most suitable one:

• SWOT (Strengths, Weaknesses, Opportunities, Threats)
• Porter’s Five Forces
• PESTLE (Political, Economic, Social, Technological, Legal, Environmental)

Implementation – Converting the selected strategy into actionable objectives and tasks:

• VMOST (Vision, Mission, Objectives, Strategy, Tactics)
• Value Chain Analysis
• SMART (Specific, Measurable, Achievable, Relevant, Time-bound)

Review and Repurpose – Periodically evaluating existing strategies and objectives to ensure they remain appropriate:

• BCG Matrix
• Kotter’s “Our Iceberg Is Melting”
• McKinsey 7S Model

1) The Ansoff Product / Market Grid Model

The Ansoff Model is a tool for crafting strategy. Various models are available to organizations for strategy design, and in this course, we’ve chosen models widely applied across industries globally. The design phase typically occurs in these situations:

1. Launching a new organization – Depending on the size and complexity, strategy design might involve a highly structured, formal process or a more casual approach that develops as the concept for the new organization solidifies.
2. Introducing a new product or service, or
3. Experiencing a major shift in the organization’s internal or external environment.

This model provides a systematic approach to defining the scope and direction of an organization’s strategic growth within the marketplace. It serves as a framework to pinpoint growth directions and opportunities. From a risk management standpoint, the Ansoff Model pairs effectively with the positive aspect of risk (opportunities) and aligns with risk appetite considerations. For instance, if the chosen strategy is Market Development, the organization may need to embrace a higher risk appetite to pursue greater risk. The model is illustrated below.

2) Business Model Canvas

This model provides a structure for designing and evaluating how an organization interacts with its market, utilizes its resources, and delivers its customer offerings. It outlines the process by which an organization generates, provides, and secures value. The framework consists of nine elements: customer segments, value propositions, channels, customer relationships, revenue streams, key resources, key activities, key partnerships, and cost structure. From a risk management perspective, this model supports risk identification by examining the organization through nine distinct perspectives, each presenting its own set of risks. It also aids in considering critical controls—specifically, what actions are necessary to ensure each component functions effectively.

3) CORR

This tool is used for shaping strategy. CORR, which stands for Customer, Offering, Resources, and Resilience, views an organization’s business model as centered on delivering specific customer offerings. These offerings are supported by the organization’s resilience and mechanisms to ensure its long-term sustainability. The model can be broken down as follows:

• Customer encompasses analysis of customer segments, acquisition, retention, and the methods for delivering products or services.
• Offering refers to the value proposition for customers and the associated benefits provided to them.
• Resources cover the organization’s data, capabilities, assets, as well as its partnerships and networks.
• Resilience reflects the organization’s reputational strength (rooted in ethos and culture) and financial stability (based on revenue and expenditure).

From a risk management standpoint, this model promotes a perspective focused on risk resilience within the organization.

4) SWOT

This model aids in validating proposed strategies by providing insight into how well the strategy’s key components align with the organization’s strengths and opportunities. SWOT, an acronym for Strengths, Weaknesses, Opportunities, and Threats, is a framework—sometimes called situation analysis—used to assess an organization’s competitive standing. It evaluates both internal and external factors, offering a lens to examine current capabilities and future possibilities. The model is effective in brainstorming settings and is relatively easy to grasp and apply. From a risk management perspective, it effectively highlights the internal and external context related to risk and serves as a valuable tool in risk workshops to encourage discussions about risk.

5) Porters five forces

Porter’s Five Forces is a tool for evaluating the competitive landscape surrounding an organization. It considers factors such as the number and strength of competitive rivals, the threat of new entrants, the influence of suppliers and customers, and the availability of substitute products or services. These elements shape the competitive environment and, consequently, affect an organization’s capacity to generate value, as illustrated. From a risk management viewpoint, this model encourages a thorough assessment of strategic risks arising from external competition. It also informs risk appetite decisions by prompting consideration of competitive areas where significant risk-taking might be necessary to secure market share.

6) PESTLE (Political, Economic, Social, Technological, Legal, Environmental)

PESTLE analysis offers a structure for recognizing external influences impacting an organization. Represented by the acronym, it covers six key external factors: political, economic, sociological, technological, legal, and environmental. These elements can significantly influence an organization, with effects that vary in scope, such as short-term or long-term impacts.

“PESTLE” stands for:

1. Political Risks – Risks arising from changes in government policies, regulations, political stability, trade restrictions, and other factors related to government actions that can impact the organization’s operations. Tax policy, employment laws, environmental regulations, trade restrictions and reform, tariffs and political stability are some examples.
2. Economic Risks – Risks related to economic conditions, such as inflation, currency fluctuations, economic growth or recession, interest rates, and unemployment rates, which can affect the organization’s financial health and market conditions. Economic growth/decline, interest rates, exchange rates and inflation rate, wage rates, minimum wage, working hours, unemployment (local and national), credit availability, cost of living, etc are some examples.
3. Social Risks – Risks associated with societal changes and trends, such as shifts in demographics, cultural values, consumer behaviors, and lifestyle changes, which can influence demand for the organization’s products or services. Cultural norms and expectations, health consciousness, population growth rate, age distribution, career attitudes, emphasis on safety, global warming are some examples.
4. Technological Risks – Risks stemming from changes in technology, including advances, cyber threats, and technology obsolescence, which can affect operational efficiency and competitive positioning. Technology changes that impact your products or services, new technologies, barriers to entry in given markets, financial decisions like outsourcing and supply chain are some examples.
5. Legal Risks – Risks related to changes in laws, regulations, and legal actions that could impact the organization’s compliance, liability, or operating environment. Changes to legislation that may impact employment, access to materials, quotas, resources, imports/exports, taxation, etc are some examples.
6. Ethical or Environmental Risks – Risks associated with Ethical or Environmental aspects, environmental factors, such as climate change, natural disasters, resource scarcity, and sustainability pressures, which can affect operations, reputation, and compliance.

From a risk management perspective, PESTLE supports the development of a risk taxonomy or classification system within the organization. It also enhances the thoroughness of risk identification by providing diverse external perspectives.

7) VMOST

VMOST is a tool for putting strategy into action, particularly when we explored the objectives and purpose of risk management within an organization. The VMOST Analysis helps a business assess whether its core strategies are supported by corresponding activities. It addresses this by examining five key components: vision, mission, objectives, strategies, and tactics. Notably, while the COSO (2017) ERM framework positions objectives as part of strategy, VMOST reverses this, treating strategy as a component of objectives. From a risk management perspective, this model is effective for identifying key risk indicators (KRIs). It bridges strategy and objectives to actionable steps (tactics), enabling the creation of a robust top-down framework for measuring risk management.

8) Value chain analysis

The value chain model, used for executing strategy, outlines the complete set of activities an organization undertakes to deliver a product or service from its conception to its final use. This includes functions such as research and development, human resource management, production, marketing, and distribution. The model enhances organizational efficiency by optimizing these activities. It’s worth noting that the Extended Enterprise offers a simplified version of an organization’s value chain. From a risk management standpoint, the value chain model is useful for assessing risks within internal processes. Many organizations consider risks tied to “the customer journey” or the “front-to-back process,” making this perspective valuable for ensuring operational processes align with the strategy. It serves as an effective foundation for identifying the controls required at each stage of the process.

9) BCG Matrix

The Boston Consulting Group (BCG) matrix, employed for reviewing and refining strategy, assists an organization in determining which products to retain, sell, or further invest in. While it is commonly applied by commercial entities, its principles are also applicable to services offered by government and non-governmental organizations (NGOs). From a risk management perspective, this model aids in establishing key risk appetite and tolerance thresholds for an organization’s products and services. It’s critical that risk reporting and monitoring stem from the insights and decisions generated by this model, with those decisions subject to ongoing review.

10) Kotter Model

The Kotter Model, a framework for reviewing and repurposing strategy, is an 8-step change management approach crafted by John Kotter, a Harvard Business School professor, to guide organizations in achieving effective transformation. It highlights the importance of leadership, urgency, and engaging stakeholders.

Kotter’s 8-Step Change Model:

• Create a Sense of Urgency – Highlight the need for change to motivate action among stakeholders.
• Build a Guiding Coalition – Assemble a group of influential leaders to steer the change effort.
• Develop a Vision and Strategy – Formulate a clear vision and strategy to direct the change process.
• Communicate the Vision – Consistently share the vision across various platforms to secure support.
• Empower Employees for Action – Eliminate barriers and authorize employees to enact the change.
• Generate Short-Term Wins – Achieve and celebrate early victories to sustain momentum.
• Sustain Acceleration – Leverage initial successes to fuel ongoing progress.
• Anchor the Change in Culture – Integrate the change into the organization’s culture for lasting impact.

From a risk management perspective, this model supports risk scenario planning and stress testing by prompting the organization to explore plausible yet challenging future scenarios.

11) McKinsey 7S model

The McKinsey 7S Model is a review and repurpose tool that evaluates an organization’s design by analyzing seven critical internal components—strategy, structure, systems, shared values, style, staff, and skills—to determine if they are well-aligned to support the organization’s goals. Developed by McKinsey & Company, this strategic framework helps align these elements to drive success, making it valuable for organizational change, strategy execution, and performance enhancement.

It is commonly applied in scenarios such as:

1. Managing organizational transformation.
2. Adapting the organization to a new strategy.
3. Supporting mergers or acquisitions.
4. Boosting company performance.
5. Anticipating the impact of future internal changes.

The 7 Elements of the McKinsey 7S Model:
The model categorizes elements into Hard and Soft groups:
Hard Elements (more tangible and manageable):

1. Strategy – The organization’s approach to securing a competitive edge.
2. Structure – The framework of hierarchy and reporting lines.
3. Systems – The processes, workflows, and procedures that drive operations.
   Soft Elements (less tangible but vital for success):
4. Shared Values – The core beliefs and culture of the organization.
5. Style – The approach to leadership and management.
6. Staff – The workforce’s capabilities, skills, and growth potential.
7. Skills – The expertise and competencies of employees.

How to Apply the 7S Model:

1. Evaluate the current condition of each element.
2. Detect any misalignment among the elements.
3. Pinpoint necessary adjustments to achieve alignment.
4. Execute changes and track progress.

From a risk management perspective, this model is helpful for assessing control design, implementation, and effectiveness. It addresses both the “hard” aspects (such as design) and the “soft” aspects (like implementation and effectiveness, which depend on human factors).

7.4 Risk management tools

Risk management can significantly contribute to shaping strategy. During the strategy development process, organizations often reach a stage where they have more strategic options or initiatives under consideration than they can realistically pursue. At this point, they must select the options or initiatives that offer the greatest value. Several risk management tools can assist in evaluating the comparative advantages of different strategic options or initiatives. The two most pertinent tools are:

• Suns and Clouds
• Impact vs. Manageability

1) Suns and Clouds

Vaughan Evan’s Suns and Clouds chart, created in the early 1990s, provides insight into two key aspects of strategy:

1. The presence of significant risks or opportunities, and
2. Whether the overall mix of risk and opportunity is advantageous.

The tool involves two steps:

• For each strategic option, identify the primary threats (clouds) and opportunities (suns) it presents.
• Map these threats and opportunities on a chart, with their potential impact on the organization’s value on the y-axis and their likelihood of occurring on the x-axis.

This produces a visual representation of the threats and opportunities tied to the strategy. For instance, a cloud positioned in the upper right corner might indicate that the strategy carries excessive risk. Like many risk management tools, the real benefit lies in the discussions sparked by determining the placement of suns and clouds. These conversations help ensure alignment among participants regarding the potential threats and opportunities each initiative might pose to the organization. Moreover, if a cloud represents a critical strategy for the organization, the task becomes figuring out how to effectively manage that risk.

2) Impact vs. Manageability

This risk management tool, also developed by Vaughan Evans, employs a matrix to evaluate risks linked to a strategic option or initiative based on two factors:

1. The potential impact a risk could have on the anticipated value the initiative might deliver to the organization (y-axis), and
2. The ease or difficulty of managing that risk (x-axis).

The matrix categorizes manageability into four levels:

• High – The risk can be easily managed.
• Medium – The risk is manageable with effort.
• Low – The risk is challenging to manage.
• Zero – The risk is effectively unmanageable.

If the risks tied to a strategy fall into the unmanageable category, it may be prudent to abandon that strategy. Conversely, if the risks are manageable, the organization can address them, making the strategy more viable. When analyzing this model, it’s also important to consider the effort or resources needed to manage the risks effectively.

Risk practitioner competencies refer to the skills, knowledge, and abilities required by individuals responsible for managing risks within an organization. These competencies enable risk practitioners to identify, assess, manage, and mitigate risks effectively, ensuring that the organization achieves its objectives while minimizing potential threats. Competencies typically cover technical, analytical, interpersonal, and strategic aspects of risk management. To determine risk practitioner competencies, organizations can follow several steps:

1. Define Core Competencies: Identify the essential skills and knowledge areas required for effective risk management in the organization. These may include risk assessment techniques, regulatory compliance, financial analysis, strategic planning, and communication skills.
2. Use Established Frameworks: Leverage industry standards or frameworks such as ISO 31000, COSO ERM, or the IRM Risk Management Professional Competency Framework to outline specific competencies and proficiency levels expected from risk practitioners.
3. Role-Based Competency Mapping: Different roles in risk management require different competencies. For example, a risk analyst may need strong data analysis skills, while a Chief Risk Officer (CRO) requires strategic thinking and leadership. Organizations can create role-specific competency profiles.
4. Assess Current Skills: Conduct assessments to determine the current skill levels of risk practitioners. This can be done through self-assessments, manager evaluations, or third-party audits.
5. Gap Analysis: Compare the current competencies against the desired competency framework to identify areas where practitioners need improvement or additional training.
6. Training and Development: Develop targeted training programs to address competency gaps. This could include workshops, certifications, on-the-job training, or mentoring programs.
7. Performance Metrics and Feedback: Implement systems to measure the effectiveness of risk management activities and provide ongoing feedback to practitioners. This ensures continuous improvement and alignment with organizational goals.
8. Adapt to Organizational Needs: As the organization evolves, so do the risk management challenges. Regularly update the competency framework to reflect changes in the business environment, regulatory landscape, and organizational objectives.

Risk management is now seen as a professional field rather than just a set of tasks. Like any profession, it requires a clear framework of skills and abilities (competencies) that practitioners need to perform their roles effectively. These frameworks outline the key stages of the profession and define the skill levels needed at various levels of responsibility. Professionals in risk management must have both technical (hard) skills and interpersonal (soft) skills to succeed. Technical skills are essential for handling specific risk management tasks, while soft skills, such as communication and collaboration, are equally important for effectively implementing risk management strategies within an organization. Risk practitioners need expertise in two key areas. First, they must have a strong understanding of risk management practices and processes. Second, they must possess business skills to understand the organization’s internal and external environment. This knowledge helps them design and implement a risk management framework that aligns with the organization’s goals and operations. While developing business skills is important, the primary focus for a risk practitioner is building technical skills directly related to risk management. These technical skills are closely tied to the steps involved in implementing a successful risk management program.

Risk management technical skills

1. Skills associated with planning risk management strategy
   • Evaluate status: Evaluate the organizational context and objectives and map the external and internal risk context
   • Develop strategy :Develop risk strategy and risk management policy and develop the common language of risk
2. Skills associated with implementing a risk management architecture
   • Design architecture: Design and implement risk management architecture, roles and responsibilities
   • Develop processes: Develop and implement the risk management processes, procedures and protocols
   • Build awareness : Build a culture of risk awareness aligned with other management activities
3. Skills associated with measuring risk management performance
   • Facilitate assessments: Facilitate the identification, analysis and evaluation of risks, and design record-keeping procedures
   • Evaluate controls: Evaluate existing performance and evaluate efficiency and effectiveness of existing controls
   • Improve controls : Facilitate the design and implementation of necessary and cost-effective control improvements
4. Skills associated with learning from risk management experience
   • Evaluate framework: Evaluate risk management strategy, policies and processes, and introduce improvements
   • Design reports: Develop understanding of reporting requirements, design reporting formats and produce appropriate reports

Risk Skills

Risk competency refers to the ability of an individual or organization to effectively understand, assess, manage, and communicate risks. It encompasses a combination of knowledge, skills, experience, and judgment that enables someone to perform risk-related tasks effectively. Risk competency is broader than technical expertise; it involves applying critical thinking, understanding the context of risks, and aligning risk management activities with organizational goals. Competency is also about consistently demonstrating the ability to handle risks professionally and efficiently in varying circumstances. Risk skills, on the other hand, are specific abilities or techniques that contribute to effective risk management. These can include skills such as risk identification, risk assessment, data analysis, stakeholder communication, and scenario planning. Risk skills are often developed through training, practice, and exposure to real-world situations. While skills are actionable and task-specific, they do not guarantee competence unless they are applied appropriately and effectively within a broader framework of knowledge and understanding. The difference between risk competency and risk skills lies in their scope and application. Risk skills are individual components that contribute to performing risk-related tasks, whereas risk competency represents the overarching ability to integrate these skills with knowledge, experience, and judgment to achieve successful outcomes. Competency is the result of combining various skills in a coherent and effective manner, supported by a strong understanding of the organizational and external environment. In essence, while risk skills are building blocks, risk competency is the complete structure that ensures effective risk management.

A successful risk management practitioner needs a mix of technical and interpersonal (soft) skills. Technical skills can be split into two categories: risk management-specific skills and broader business-related skills. Risk management skills can be outlined in a competency framework, while business skills will vary depending on the organization. These typically include knowledge in areas like finance, accounting, legal matters, human resources, marketing, operations, and IT. Soft skills, or people skills, have become increasingly important as communication within and between organizations evolves. Technical skills are often linked to intellectual intelligence, while soft skills rely on emotional intelligence. To excel, a risk practitioner needs both types of intelligence and skillsets. In addition to technical and interpersonal skills, a good risk manager must also focus on self-management and personal development. These skills are common among professionals and are often guided by a code of ethics or conduct. Self-development involves improving one’s abilities and potential, leading to greater job satisfaction and future opportunities. It also includes helping others grow, whether as a teacher, mentor, trainer, or coach. The people skills needed in a business environment can be grouped into communication, relationship-building, analytical thinking, and management (CRAM) skills. While technical skills can be learned through training and experience, people skills depend more on an individual’s personality, making them harder to develop. Mastering these interpersonal skills is often a greater challenge for risk practitioners but is crucial for success.

People skills for risk management practitioners

1. Communication
   • Excellent written and oral skills
   • Presentation and public-speaking skills
   • Committee and meeting participation skills
2. Relationship
   • Influencing skills to work with ‘challenging’ behaviour
   • Negotiating skills to defuse conflict and identify solutions
   • Networking skills across organizational silos
3. Analytical
   • Strategic thinking skills and creativity skills
   • Data-handling skills to get to the heart of a problem
   • Research skills to present arguments based on facts
4. Management
   • Time-management skills to manage teams and projects
   • Leadership skills to motivate and develop staff
   • Facilitation skills to assist with setting priorities

Soft Skillls: Calling them “soft” might make people skills seem less important than technical skills, but they are actually vital for any business and can determine its success or failure. Employees with strong people skills are more effective when interacting with others, which is especially crucial for businesses that rely on face-to-face client interactions. Just like technical skills, people skills can be learned and improved. While these skills naturally develop over a lifetime, businesses can actively support this growth through workshops, seminars, and encouraging employees to share their ideas, suggestions, and advice during discussions. This helps foster continuous improvement and collaboration.

Clear communication about risk is essential. Within an organization, internal communication happens through the risk architecture, which serves as the formal structure for sharing information about risk control activities and gathering data for external reporting. For instance, a road haulage company might focus on operational efficiency and give proper attention to risk management by introducing measurable loss-control programs. The board may request regular reports on metrics like road accidents, vehicle breakdowns, fuel consumption, and delivery incidents. These reports allow the board to compare performance against competitors and the company’s past performance. However, while the board monitors these results, it is the responsibility of line management to implement and manage improved risk performance.

Communication skills

In some cases, risk communication within organizations can be informal, such as discussions during risk assessment workshops or training sessions. These communication practices are part of the organization’s risk culture. Externally, risk communication involves engaging with stakeholders like the media, the public, and other groups. For example, if a road haulage company plans to expand its storage depot, it must communicate with local stakeholders and planning authorities. This involves preparing honest, clear arguments that address concerns about community risks, ensuring stakeholders that adequate risk controls are in place. Public perception of risk may differ from scientific evidence, so communications should go beyond facts and address emotional concerns to build trust. Effective communication skills also include running training sessions and facilitating workshops. Risk practitioners often lead risk assessment workshops, which require clear structure and inclusive discussions where all participants can contribute equally. A common technique in such workshops is using sticky notes to capture ideas, which are then grouped based on the questions posed. The facilitator plays a crucial role in identifying common themes and consolidating similar ideas into a manageable list of issues or risks. This process requires skill to ensure productive and meaningful discussions.

Running training courses requires a specific set of skills, but the main goal is always to keep all participants engaged. A common method for structuring training sessions is the three-step approach: first, explain what will be covered, then go through the content, and finally, summarize what has been discussed. While this method might seem overly simple or repetitive, it is often the most effective way to make sure the key messages are clearly communicated and understood. Essentially, training sessions are best broken into three clear parts for better organization and learning.

• Stage 1 Set up: This stage will describe what the course will provide. It is often achieved by delegate introductions and expectations, a group exercise or a simple quiz to get everybody thinking about the topic of the day.
• Stage 2 Set out: This stage provides the detailed information that the training course is intended to impart. It can be a combination of structured inputs, group tasks, discussion exercises, feedback sessions and training films.
• Stage 3 Set down: This stage summarizes what the course has covered and confirms general understanding. It will often ask delegates to confirm what they have learnt and/or indicate what actions they will take following the course.

Effective communication also includes strong verbal and written presentation skills. This involves the ability to write reports tailored to the organization’s needs, whether for internal use or external distribution. The format and style of reports can vary widely depending on the organization. Many organizations prefer short summaries for the board, supported by detailed documents available if needed. A risk practitioner should align their communication style with the organization’s culture. If reports typically include graphics, risk information should also use visuals. If reports are text-based, it becomes a challenge to make the content engaging without visuals. Similarly, presentations to the board should match the usual style of other board presentations. Thorough preparation and familiarity with the topic are crucial. When presenting to the board, the risk practitioner should clarify the purpose of the presentation. A simple informational update requires a different approach than a report seeking approval for action. Understanding the audience’s expectations is essential, especially when communicating with the board. To ensure effective communication, it helps to follow the “5Cs”:

• Complete: Provide all the necessary information so the audience can take the appropriate action.
• Clear: The message should be easy to understand, making your purpose obvious.
• Concise: Stick to the point and keep it brief to maintain attention.
• Coherent: The message should flow logically, with all points connected to the main idea.
• Credible: Show that you understand the audience’s concerns and priorities to build trust.

Relationship skills

Relationship skills are essential, especially the ability to influence and negotiate effectively. These skills also include motivation and navigating workplace dynamics, which must be used in a way that aligns with the organization’s culture and internal environment. Listening skills are equally important, as understanding the perspective of someone you are negotiating with or trying to influence is vital. Influence is often achieved through positive energy and enthusiasm for the changes being proposed. Successful influencing requires the ability to gain support, inspire others, form strong connections, and engage people’s imaginations. Improving risk management often involves ongoing negotiation, which calls for an understanding of established negotiation techniques. Political skills, though sometimes misunderstood, are also critical. They involve understanding group dynamics, handling difficult individuals, and managing conflicts with flexibility. These skills also require sensitivity to cultural differences and varying stakeholder needs. Political skills become especially important when chairing meetings. The chairperson must allow all attendees to express their views clearly and concisely while maintaining neutrality and guiding the group toward a fair consensus. The core of relationship skills is building and maintaining connections with diverse stakeholders, including customers, staff, financiers, suppliers, regulators, and society (CSFSRS). Each stakeholder group has unique interests, and not all will prioritize risk management. This makes excellent communication and relationship skills essential for the risk practitioner. Addressing differing opinions requires a high level of interpersonal skill and tact.

Analytical skills

Analytical skills cover a wide range of abilities, including strategic and logical thinking. Sometimes, especially in problem-solving situations, creative and out-of-the-box thinking is essential for risk practitioners. Many practitioners work with numbers, such as calculating risk for compliance with regulations like Basel II or determining appropriate insurance coverage. However, not all analytical skills involve mathematics; strong problem-solving abilities are also crucial. Research skills are another valuable tool for risk practitioners. Being able to quickly find and analyze information is an asset, especially when large amounts of data need to be evaluated. Practitioners often need to identify patterns or connections in the data and present their findings clearly and logically, whether in reports, training sessions, or presentations. Analytical skills are especially beneficial during risk assessment workshops, where participants may have differing opinions about the risks involved in a specific situation. A skilled facilitator listens carefully, identifies the assumptions underlying each perspective, and challenges these assumptions to help the group reach a shared understanding. Analytical skills involve understanding, questioning, and clearly defining problems to make informed decisions based on the available data. This includes applying logical thinking to gather, analyze, and test potential solutions. The goal is to evaluate different options critically and develop the best course of action. Problem-solving and decision-making are closely related and essential for business success, particularly in risk management. Some individuals may naturally excel at making decisions but may need to focus on improving their quality, while others might have strong analytical abilities but need to act more decisively. Creativity is vital in generating and exploring options, often using tools like SWOT and PESTLE analysis. Effective decision-making combines creativity, clear judgment, decisive action, and practical implementation.

Management skills

Risk management teams are often small, but this isn’t always the case. Regardless of team size, even if a risk practitioner doesn’t directly manage others, they still need to understand management skills. These skills are useful for influencing other managers to consider alternative actions and for handling tasks like team management and delegation of authority. Many people skills, such as those discussed earlier, are equally relevant for management. Among these, motivation stands out as particularly important for risk practitioners, especially when promoting a risk-aware culture or encouraging changes in behavior. Practitioners must inspire individuals, managers, and directors to adopt different approaches and mindsets. Self-management skills are also critical. These include setting clear priorities, meeting deadlines, and maintaining personal motivation. Time management, organization, and staying motivated are essential throughout a risk practitioner’s career. It’s also important to understand the distinction between management and leadership. A manager might focus on controlling a team’s activities to ensure everything is done as planned. A leader, on the other hand, sets clear priorities, empowers the team to take ownership of their tasks, and involves them in developing goals. Effective leadership combines guidance with collaboration, ensuring everyone works towards shared objectives.

Leadership Skills

The main difference between managers and leaders lies in how they motivate people, which influences their overall approach. Managers typically have subordinates who work under their authority, following instructions to achieve specific tasks. Their focus is on getting things done efficiently, maintaining control, and avoiding conflicts. Managers tend to be cautious and prefer to minimize risks as part of their role. Leaders, on the other hand, inspire followers rather than commanding subordinates. While some leaders may also hold managerial positions, when they lead, they rely less on formal authority and more on influence and vision. Leaders are open to challenges, embrace risks, and view obstacles as opportunities. They may take unconventional paths and, at times, bend rules to achieve their goals. This distinction highlights the difference in mindset and approach between managing and leading.Leadership skills are essential in Enterprise Risk Management (ERM) as they enable risk practitioners to guide organizations in navigating uncertainties while aligning risk strategies with overall business objectives. A strong leader in ERM demonstrates the ability to influence decision-making processes at all levels, from senior management to operational teams. This requires clear communication, strategic thinking, and the capacity to articulate how risk management supports the organization’s goals and enhances its resilience. An ERM leader fosters a risk-aware culture by promoting open dialogue about risks and encouraging all employees to take ownership of their role in managing risks. They inspire confidence and collaboration, ensuring that stakeholders understand the importance of integrating risk management into daily operations. By building trust and credibility, ERM leaders can motivate teams to adopt proactive risk practices and implement changes that may initially face resistance. Decision-making is another critical aspect of leadership in ERM. Effective leaders analyze complex information, weigh alternatives, and make informed decisions while balancing risk and opportunity. They use analytical and problem-solving skills to address challenges, anticipate potential disruptions, and develop strategies that mitigate risks without stifling innovation or growth. Adaptability and vision are also vital leadership traits in ERM. Leaders must be agile in responding to rapidly changing environments while maintaining a forward-looking perspective. They ensure that ERM frameworks evolve to address emerging risks and align with the organization’s strategic direction. By demonstrating resilience and a commitment to continuous improvement, ERM leaders set an example for others and help organizations thrive in uncertain conditions. Ultimately, leadership in ERM involves not only managing risks but also inspiring teams, building a strong risk culture, and aligning risk practices with the broader objectives of the organization. This holistic approach ensures that ERM becomes an integral part of the organization’s success.

Development of risk Communication

Risk communication as a field started developing in the late 1970s, mainly in response to public concerns about nuclear and chemical technologies in the United States. At the time, the belief was that providing clear, simple information would be enough to convince people that these risks were not as serious as they feared. However, this approach has largely failed. Experts now recognize that understanding risk involves more than just facts—it also depends on emotions, instincts, and personal experiences. Simply sharing factual information without considering these emotional and psychological factors is incomplete and often ineffective. Many people associate risk communication with what to say during a crisis, but this view is too narrow. While communication during emergencies is important, experience shows that its effectiveness depends heavily on the groundwork laid beforehand. Preparing and building trust before a crisis makes communication during the event much more effective.

The main goal of sharing risk information and providing risk training is to ensure the organization responds consistently to similar risk events. Achieving this requires sharing knowledge and experiences. A consistent approach is needed for handling hazard, control, and opportunity risks. If an organization has an intranet, it can be a great tool to provide access to relevant information and ensure uniform responses. It’s also important to define and communicate clear risk protocols and maintain a consistent approach to individual risks. This includes identifying risks ahead of time and confirming the controls in place for them. This method applies to strategic, project, and operational risks. Providing training and establishing clear communication practices helps the organization maintain consistency in how it handles risks. For every capital expenditure request, a risk assessment should be included. This assessment should address both the risks the project aims to manage and the risks within the project itself, such as potential delays, budget overruns, or failure to meet specifications. Similarly, attaching risk assessments to strategic analyses is critical to maintaining consistency in risk management. Creating an “issues manual” can be a useful tool for identifying risks, circumstances, or events that require action. This manual helps communicate risks across the organization and supports consistent responses. Providing the necessary information, supervision, and training further ensures that risk management procedures are followed effectively. When new risks emerge or existing risks change significantly, it’s crucial to have escalation procedures in place. These procedures ensure that senior management is alerted to the changes, and staff must be trained on how to handle risk escalation effectively. Consistency in risk response becomes especially critical during a crisis. Training is essential for directors, managers, and staff on how to follow disaster recovery and business continuity plans. Clear communication and thorough preparation ensure that everyone knows what to do in challenging circumstances. Establishing effective risk communication involves several key steps to ensure clarity, consistency, and engagement with stakeholders. These steps create a structured approach to sharing risk-related information and promoting a risk-aware culture within the organization.

1. Define Objectives: Clearly outline the purpose of risk communication. Objectives might include raising awareness, ensuring consistent responses to risks, or facilitating informed decision-making across the organization.
2. Identify Stakeholders: Determine the internal and external stakeholders involved in risk communication. Internal stakeholders could include employees, managers, and the board, while external stakeholders might be regulators, customers, suppliers, or the public.
3. Select Communication Channels: Choose the appropriate methods to deliver risk information. Internally, this could involve emails, reports, intranet updates, or workshops. Externally, it may include press releases, stakeholder meetings, or public announcements.
4. Develop Standardized Protocols: Create templates, guidelines, and standardized language for risk communication. This ensures consistency in how risks are described, assessed, and addressed across the organization.
5. Provide Training and Awareness: Train employees on risk communication protocols and their roles in the process. Workshops and awareness campaigns can help embed a consistent understanding of risks and responses.
6. Encourage Two-Way Communication: Establish mechanisms for feedback and discussion. Risk assessment workshops, surveys, or open forums can help stakeholders share their perspectives and raise concerns.
7. Align Communication with Context: Tailor messages to suit the audience and situation. For example, technical details may be appropriate for internal experts, while broader summaries might be better for public stakeholders.
8. Incorporate Risk Escalation Procedures: Define how risks are escalated to senior management when they are new or significantly changed. Provide training to ensure employees understand and follow escalation protocols.
9. Monitor and Evaluate: Regularly review the effectiveness of risk communication strategies. Use feedback and performance metrics to identify gaps and make improvements.
10. Adapt and Improve: Update communication practices as organizational needs evolve or external circumstances change. This ensures that risk communication remains relevant and effective over time.

By following these steps, organizations can establish a strong risk communication framework that enhances awareness, supports decision-making, and builds trust with both internal and external stakeholders.

Risk training and risk culture

Risk training refers to educating employees, management, and stakeholders about the principles, processes, and practices of risk management. It aims to build knowledge and skills needed to identify, assess, respond to, and monitor risks effectively within an organization. This training ensures that everyone understands their roles and responsibilities in managing risks and contributes to the development of a proactive and consistent risk-aware culture.The organization’s risk culture can be described using five key elements: leadership, involvement, learning, accountability, and communication (LILAC). These elements also highlight the steps needed to successfully integrate risk management into the organization. Involvement, learning, accountability, and communication are especially important when it comes to risk training and communication. Clear risk management documentation helps managers and employees understand their roles and responsibilities, as well as the level of accountability expected. Proper risk training fosters learning and communication, strengthening the organization’s overall risk-aware culture.

To foster a robust risk culture, specific types of risk training are necessary. These include:

1. General Risk Awareness Training
   • Educates employees and managers about the concept of risk, its types (strategic, operational, financial, etc.), and its potential impact on the organization.
   • Emphasizes the importance of risk management in achieving business objectives.
2. Role-Specific Risk Training
   • Provides tailored training for employees based on their roles and responsibilities. For example, frontline staff may receive training on operational risks, while senior management focuses on strategic risks and decision-making.
3. Risk Assessment and Analysis Training
   • Teaches employees how to identify and assess risks using tools like risk matrices, SWOT analysis, or PESTLE analysis.
   • Enhances skills in evaluating the likelihood and impact of risks and determining mitigation strategies.
4. Compliance and Regulatory Training
   • Covers industry-specific regulations, legal requirements, and compliance standards.
   • Helps ensure that all employees understand the importance of adhering to these guidelines to avoid penalties or reputational damage.
5. Crisis Management and Business Continuity Training
   • Prepares employees and leaders to handle crises and emergencies effectively.
   • Focuses on disaster recovery plans, communication protocols, and maintaining operations during disruptions.
6. Risk Communication Skills Training
   • Develops skills for clear and effective communication about risks to internal and external stakeholders.
   • Includes training on delivering concise, coherent, and credible messages.
7. Ethics and Decision-Making Training
   • Encourages ethical decision-making in risk management.
   • Promotes transparency and accountability in identifying and responding to risks.
8. Cultural and Behavioral Training
   • Encourages behaviors that align with the organization’s risk culture, such as open communication about risks, proactive reporting, and collaboration.
   • Includes workshops or activities that reinforce the organization’s values and attitudes toward risk.
9. Scenario-Based Training
   • Uses simulations or real-life scenarios to test risk responses and decision-making in a controlled environment.
   • Builds confidence in handling risks and prepares employees for real-world challenges.
10. Leadership and Change Management Training
    • Focuses on leaders’ roles in driving a risk-aware culture.
    • Equips leaders with the skills to inspire, motivate, and guide their teams in embracing risk management practices.

Consider a company managing health and safety risks. To address these risks, the organization should create clear guidelines, protocols, and procedures, which include awareness training for all staff. Detailed processes for managing specific risks, such as libel and slander, should reflect the level of exposure. The focus on these risks may vary depending on the nature of the business, and the following steps could be suitable:

• Provide all employees with basic health and safety training.
• Implement specific review procedures for politically sensitive topics.
• Require legal reviews for every issue of a satirical publication.

Staff should be trained on updated procedures, and information should be made available on the company’s intranet. Managers and employees should be encouraged to provide feedback on these procedures to improve them as part of the company’s learning culture. Risk training is crucial for fostering understanding and communication about risks and for engaging managers, staff, and stakeholders. It should cover various topics, enhance awareness of risk-related issues, and provide information on control measures. Employees should understand their critical role in implementing these controls effectively. When determining health and safety training needs, consider the following:

• Assess employees’ abilities, knowledge, and experience to ensure they can perform their tasks safely.
• Make sure job demands align with employees’ capabilities to avoid risks to themselves or others.

Some employees may need specific training, such as:

• New hires requiring basic safety induction, including first aid, fire safety, and evacuation protocols.
• Employees transitioning to new roles or responsibilities needing training on potential safety impacts.
• Young or inexperienced employees, who are more prone to accidents, requiring extra attention, supervision, and prioritized training.
• Workers needing refresher training to update their skills.

Your risk assessment should identify any additional training needs to ensure everyone can perform their duties safely and effectively.

Examples of when risk training is needed:

• When a manager is newly hired or takes on new or extra responsibilities.
• When an employee starts a new role or when procedures have been updated.
• After a recent incident or loss within the organization or at a competitor’s site.
• As a refresher, which might be required by law in some cases.

Risk information and communication

Risk communication begins by identifying the stakeholders involved or affected by a specific risk. Once they are identified, it’s important to decide what information needs to be shared and why it’s important for each group to receive it. Stakeholders usually have their own views on risks, so any communication should take these perceptions into account. Clear guidelines help set rules for sharing risk information with a wide range of stakeholders, and these become even more crucial when dealing with external parties. However, they are just as useful for communicating with internal teams. Internal stakeholders, like managers and staff, often need risk information because they are expected to actively participate in managing those risks, unlike external stakeholders who may not have such responsibilities. Risk training should be integrated with the organization’s other training programs and tailored to fit job requirements. It is needed in situations such as when new risks arise, existing risks change significantly, an individual takes on a new role or additional duties, or after an incident that leads to updated procedures. Training ensures that everyone understands their role in managing risks effectively.

Risk communication guidelines

• Identify the stakeholders, both inside and outside the organization, and understand their interests and concerns.
• Use simple language and presentation, but don’t oversimplify complex topics when detailed explanations are necessary.
• Share objective information, clearly separating facts from opinions.
• Communicate honestly and clearly, considering how much the audience already understands.
• Address uncertainties by explaining what isn’t known and what can be done to resolve these gaps.
• Be careful when comparing risks, but use familiar examples to help explain unfamiliar ones.
• Focus on a few key messages that are clear, concise, and limited to three points at a time.
• Be ready to answer questions and offer additional information later if needed.

Whistleblowing investigation process: An important part of risk communication is making sure there are proper systems for “whistleblowers.” Employees and others may have confidential information about the organization that should not normally be shared, but there should be a way for them to report concerns if they believe serious wrongdoing has occurred. The person receiving the report will review the information and decide if there is a valid case. They will then determine if an investigation is needed and how it should be conducted. Depending on the issue, the investigation might be:

• Done within the organization,
• Referred to external auditors,
• Investigated by an independent party.

After the investigation, some issues may need to be reported to outside authorities, such as the police or funding bodies. If the person handling the report decides not to investigate, they should explain their decision to the person who raised the concern. The individual can then choose to report the issue again to someone else or to the audit committee chair.

Shared risk vocabulary

To communicate effectively about risk, it’s important to develop a common language around risk. Sometimes, an organization needs to create its own specific risk vocabulary for unique situations. What’s more important than the exact meaning of a term is that everyone within the organization has a shared understanding of risk, based on the language they use. To make sure risk management is part of daily operations, the risk manager might use the existing terminology within the organization. Even if that language doesn’t match formal risk management definitions, it’s better to use the familiar terms to improve communication. A standard vocabulary can help explain risk management concepts, even if it doesn’t fully align with ISO Guide 73. Creating and agreeing on definitions can take time and may require compromises, but it’s crucial for everyone to have the same understanding when discussing risk. Having a shared language is especially important for building a strong risk culture. In any organization, different people at various levels and in different departments need to be involved in managing risk. A common language helps bridge gaps between layers of management and various departments. Without it, the risk management team would spend too much time fixing communication problems instead of focusing on their main tasks.

Risk information on an intranet

Risk information can be shared with stakeholders in various ways. Many organizations create simple guides or leaflets to inform stakeholders about current risk issues. The method of communication will depend on the stakeholder and how complex the message is. When an organization needs to report to financial stakeholders, formal risk communication methods are used. This could include a report to the stock exchange or other financial bodies, which might be supported by informal communication methods like videos, slide presentations, or conference calls. Another option for risk communication is an intranet, which many organizations use to share information with staff. Large organizations often use their intranet to communicate health and safety details and business continuity plans. The intranet can also provide information about general risk assessments, control measures, and updates on any current risks. It’s important that risk information aligns with other management information systems within the organization. Treating risk information as a separate system can lead to it becoming disconnected from other activities, making it less relevant to managers. A dedicated risk management information system (RMIS) can increase the risk of the information becoming irrelevant to the organization.

Risk management information systems (RMIS)

A Risk Management Information System (RMIS) is a specialized software or system used by organizations to collect, manage, and analyze risk-related data. It helps organizations track and monitor risks, assess their potential impact, and implement strategies to mitigate them. RMIS can store information about various types of risks (e.g., operational, financial, health, safety, compliance risks), the effectiveness of control measures, and any risk mitigation efforts that have been made.Risk management guidelines, protocols, and procedures can be shared using a Risk Management Information System (RMIS) software. This RMIS can be placed on the organization’s intranet. It helps collect and share risk information, including reports of incidents from local management as they happen. RMIS systems have been used for years to track insurance claims. Recently, their use has become more advanced. Now, RMIS can record details about risk exposure, risk controls, and action plans. For RMIS systems related to insurance, they can also store information about insurance policies, claim procedures, and claims history, which can be accessed by authorized users. These systems can also pool information about risk exposure and report incidents that may result in an insurance claim. In addition to basic information-recording systems, there are other RMIS software tools that support risk management. These include software packages for analyzing risks and systems that can perform risk analysis and dependency modeling. It is widely agreed that using RMIS software for enterprise risk management (ERM) can be very beneficial. However, a common challenge is that entering a large amount of risk data into a database can take a lot of time. Despite this, having the data available for in-depth analysis can make the effort worthwhile.

Sharing risk information throughout an organization is essential to raise risk awareness and improve risk management. In most cases, individuals within the organization have the best understanding of the risks and the practical actions needed to reduce them. Communication is also crucial for sharing details about incidents, lessons learned, and the steps taken to prevent them from happening again. The advantages and disadvantages of RMIS are summarized below. Generally, an RMIS becomes more valuable when risks are complex or there is a large amount of data to be recorded.

Features of RMIS

1. Data Collection: RMIS gathers data on risks across the organization, which can come from different departments and business units.
2. Risk Assessment: The system can assess and prioritize risks based on factors like probability, impact, and severity.
3. Risk Reporting: RMIS provides reporting tools to generate reports for management, stakeholders, and regulatory bodies.
4. Monitoring and Tracking: It helps track how risks evolve over time, monitor the effectiveness of control measures, and ensure that actions are taken to address risks.
5. Decision Support: RMIS offers tools to assist management in making informed decisions regarding risk responses and strategies.

How to Establish a Risk Management Information System (RMIS) in an Organization:

1. Define Risk Management Objectives: Before implementing RMIS, the organization must clearly define its risk management objectives. These objectives should align with the organization’s overall goals and strategies.
2. Identify Key Risk Areas: The organization should identify the different types of risks it faces (financial, operational, strategic, regulatory, etc.) and how they will be managed within the RMIS.
3. Select the Right Software or Platform: Choose an RMIS software that meets the organization’s needs. It should be capable of handling the types of risks identified, provide appropriate reporting capabilities, and be scalable as the organization grows.
4. Data Integration: Integrate RMIS with other existing management systems in the organization. This can help to ensure that risk data aligns with financial, operational, and other management systems, avoiding fragmented or irrelevant data.
5. Customization: Tailor the RMIS to the specific needs of the organization. This includes configuring the system to reflect the types of risks the organization manages, the roles and responsibilities of staff, and the processes for assessing and mitigating risks.
6. Train Employees: Training staff on how to use the RMIS effectively is crucial. They need to understand how to input data, assess risks, and generate reports. The training should also cover how to use the system for decision-making and risk mitigation.
7. Establish Data Collection and Reporting Protocols: Set clear guidelines on how risk data will be collected, stored, and reported. This includes determining who will provide risk data and how often the system will be updated.
8. Monitor and Evaluate the System: Once the RMIS is in place, monitor its effectiveness. Regularly evaluate whether it is meeting the organization’s risk management needs and make improvements as necessary.
9. Review and Update Regularly: As the organization’s risks evolve, the RMIS should be updated to reflect these changes. Periodic reviews help ensure that the system remains relevant and effective in managing risks.

The following types of information may be handled, stored, managed, distributed and communicated using a risk management information system (RMIS):

• Risk management policy and protocols
• Risk profile data, values and information
• Emergency contact arrangements and contact details
• Insurance values and cost of risk data
• Insurance claims handling and management protocols
• Historical loss/claims experience/information
• Insurance policy coverage and other information
• Risk management action plans (risk register)
• Risk improvement plans and implementation
• Business continuity plans and responsibilities
• Disaster recovery plans and responsibilities
• Corporate governance arrangements and reports

Without advanced RMIS technology, risk managers can only track the company’s risk data and past losses using methods like modeling and scenario simulations. Developing a strong RMIS to support Enterprise Risk Management (ERM) might cost more than the benefits it provides. While the costs are clear and immediate, the benefits are harder to measure or prove. Risk managers already find it challenging to show the value of preventing or covering a loss. Even if risk reduction is significant, it’s a potential future benefit, not an immediate reduction in costs. Whether the risk assessments from RMIS are worth the cost of data tracking and analysis depends on the company’s risk profile. Larger companies are likely to benefit the most, but as the cost of the technology used for data collection and modeling continues to decrease, even smaller companies can benefit. In the end, RMIS might pay for itself by helping the organization avoid or effectively manage a major loss that could otherwise seriously harm the company’s finances.

ISO 9001:2015 Requirements

The organization shall determine the requirements essential for the specific types of products and services to be designed and developed. The organization shall consider:

1. functional and performance requirements;
2. information derived from previous similar design and development activities;
3. statutory and regulatory requirements;
4. standards or codes of practice that the organization has committed to implement;
5. potential consequences of failure due to the nature of the products and services.

Inputs shall be adequate for design and development purposes, complete and unambiguous.
Conflicting design and development inputs shall be resolved.
The organization shall retain documented information on design and development inputs.

1) The organization shall determine the requirements essential for the specific types of products and services to be designed and developed.

This clause of ISO 9001 requires that the design and development inputs are identified and if there is any discrepancy in understanding these inputs, it should be resolved before proceeding further with the design process. Typical design inputs include customer contracts, statement of work, drawings and specifications, reusable information from design and development activities of previous projects, industry standards, competitor analysis, any applicable statutory and regulatory requirements, internal or external resource needs, etc. Design inputs may also be obtained considering the potential consequence of failure due to the nature of the product or service and the customer’s and other stakeholders projected level of control of the design and development process. Let’s take an example of an architecture company to understand this better. An architect will typically need inputs in form of Architecture Return Brief, Relevant standards, guides and codes (e.g. ISO, AS/NZS, Greenstar), Local and statutory requirements (e.g. National Construction Code and Development Approval), etc. These shall be gathered, documented and understood well before proceeding with the design. Design inputs requirements may include requirements related to functionality, performance, safety, regulations, maintainability, traceability, etc. from the customer or the regulatory body.

Determining the essential requirements for the design and development of products and services involves a systematic and thorough process. Here are the steps an organization can take to determine these essential requirements:

1. Identify all relevant stakeholders, including customers, clients, end-users, regulatory bodies, and internal teams. Gather input from these stakeholders to understand their needs, expectations, and requirements.
2. Research and review industry-specific regulations, standards, and legal requirements that apply to the product or service. Ensure compliance with these mandatory requirements.
3. Engage with customers and end-users to gather their specific requirements and preferences. This may involve surveys, interviews, focus groups, or direct communication.
4. Define the functional and performance requirements of the product or service. Consider what it needs to do, how it should perform, and any technical specifications.
5. Identify any quality standards or certifications relevant to the product or service. These may include ISO standards, industry-specific benchmarks, or internal quality guidelines.
6. Clearly define the scope of the project. Determine the boundaries of what the product or service will include and what it won’t. This helps prevent scope creep.
7. Conduct a risk assessment to identify potential risks and challenges that may impact the design and development process. Consider how to address these risks in the requirements.
8. Research industry best practices and benchmark against competitors or similar products or services. Identify features or attributes that are considered essential in the market.
9. Assess the technical, financial, and operational feasibility of meeting certain requirements. Ensure that the organization has the capability to fulfill them.
10. Consider environmental and sustainability requirements, such as eco-friendly materials, energy efficiency, or recycling initiatives, if relevant to the product or service.
11. Ensure that the design and development process includes requirements for accessibility and inclusive, making the product or service usable by individuals with diverse needs.
12. Take into account budgetary and resource constraints when determining requirements. Ensure that the project remains financially viable and resource-efficient.
13. Document all identified requirements and establish traceability between these requirements and their sources. This ensures that nothing is overlooked and provides a clear audit trail.
14. Prioritize the requirements based on their importance, impact on the project, and alignment with the organization’s goals. Focus on essential requirements first.
15. Plan for how each requirement will be validated and verified to ensure that it has been met during the design and development process.
16. Establish a change management process to handle any changes or updates to requirements that may arise during the project. Ensure that changes are assessed for their impact and feasibility.
17. Communicate the requirements to all relevant stakeholders, ensuring alignment and a shared understanding of what needs to be achieved.
18. Continuously monitor the requirements throughout the design and development process to ensure that they are being addressed and that any deviations are promptly addressed.

By following these steps, an organization can systematically determine the essential requirements for designing and developing products and services. This process helps ensure that the resulting products and services meet the needs of stakeholders, comply with regulations, and align with the organization’s goals and capabilities.

2) The organization shall consider functional and performance requirements

Considering functional and performance requirements is a crucial aspect of the design and development process. These requirements define what a product or service should do and how well it should perform its intended functions. Here’s how an organization can address functional and performance requirements in the design and development inputs:

1. Gather Requirements: Engage with stakeholders, including customers, end-users, and subject matter experts, to gather detailed functional and performance requirements. Ensure that all relevant parties provide input.
2. Functional Requirements: Clearly define the specific functions and features that the product or service must possess. This includes functionality, capabilities, and the expected behavior under different conditions.
3. Performance Requirements: Identify performance criteria that describe how the product or service should perform. This may include parameters such as speed, reliability, accuracy, scalability, and response times.
4. Quality Attributes: Consider quality attributes that are important to users, such as usability, security, maintainability, and availability. Define clear requirements for these attributes.
5. Use Cases and Scenarios: Develop use cases, scenarios, or user stories that illustrate how the product or service will be used. This helps in defining and validating functional and performance requirements.
6. Benchmarking: Benchmark against similar products or services in the market to identify industry standards and customer expectations. This can provide valuable insights into performance benchmarks.
7. Prioritization: Prioritize functional and performance requirements based on their criticality and impact on user satisfaction and the success of the product or service.
8. Quantitative Metrics: Specify quantitative metrics and thresholds for performance requirements. For example, response times should be less than a certain number of milliseconds under specific load conditions.
9. Non-Functional Requirements: Address non-functional requirements, which may include constraints related to technology, compliance with regulations, and resource limitations. Validation and Verification: Define how each requirement will be validated and verified during the design and development process. Establish test cases, scenarios, or validation procedures.
10. Traceability: Create traceability links between functional and performance requirements and their sources, such as customer requests, user feedback, or regulatory documents. This helps maintain accountability.
11. Change Control: Establish a change control process for handling changes or updates to functional and performance requirements. Ensure that changes are assessed for their impact on the project.
12. Documentation and Communication: Document all functional and performance requirements comprehensively. Communicate these requirements clearly to all team members and stakeholders.
13. Continuous Monitoring: Continuously monitor and track progress toward meeting functional and performance requirements throughout the design and development process. Address deviations promptly.
14. User Acceptance Criteria: Define user acceptance criteria that clearly specify how users will determine whether the product or service meets their functional and performance expectations.
15. Validation and Verification Protocols: Develop validation and verification protocols or plans to systematically test and validate that the requirements have been met.

By addressing functional and performance requirements in a systematic and comprehensive manner, organizations can design and develop products and services that not only meet user needs but also perform effectively and reliably in their intended environments. This approach helps ensure customer satisfaction and the successful delivery of high-quality products and services.

3) The organization shall consider information derived from previous similar design and development activities

Considering information derived from previous similar design and development activities is a valuable practice for organizations. Leveraging lessons learned and experience from past projects can lead to more efficient and successful design and development processes. Here’s how an organization can effectively incorporate information from previous similar activities into its design and development inputs:

1. Document Lessons Learned: Encourage project teams to document their experiences and lessons learned from previous design and development activities. This documentation should include both successes and challenges encountered.
2. Create a Knowledge Repository: Establish a knowledge repository or database where information from past projects is stored, organized, and easily accessible. This can include project reports, post-project evaluations, and relevant documentation.
3. Identify Common Patterns and Best Practices: Analyze the information from previous projects to identify common patterns, best practices, and recurring issues. This can help in making informed decisions during the current project.
4. Reuse Design Components: If applicable, identify design components, modules, or templates from previous projects that can be reused in the current project. This can save time and resources.
5. Risk Mitigation: Use historical data to identify potential risks and challenges that have arisen in similar projects. Develop proactive risk mitigation strategies based on this knowledge.
6. Performance Benchmarks: Establish performance benchmarks and targets based on the historical performance of similar projects. This can help set realistic expectations and goals.
7. Continuous Improvement: Promote a culture of continuous improvement by encouraging team members to suggest improvements based on their past experiences. Ensure that these suggestions are evaluated and implemented as appropriate.
8. Applicability Assessment: Assess the relevance and applicability of information from past projects to the current project. Not all lessons learned may be directly transferable, so prioritize the most relevant insights.
9. Documentation Standards: Ensure that documentation standards are consistent across projects, making it easier to compare and extract insights from historical records.
10. Benchmarking Against Competitors: Consider benchmarking your design and development efforts against similar projects carried out by competitors or industry peers. This can provide additional insights.
11. Training and Knowledge Transfer: Facilitate knowledge transfer sessions or training programs to share insights gained from past experiences with team members who may be less experienced.
12. Feedback Loops: Establish feedback loops between current project teams and teams that have worked on similar projects in the past. Encourage open communication and the exchange of knowledge.
13. Regular Reviews: Conduct regular reviews or retrospectives at key project milestones to assess progress, identify areas for improvement, and incorporate lessons learned into the ongoing design and development process.
14. Change Management: Be open to adapting processes, methodologies, and strategies based on the insights gained from past projects. Ensure that change management processes are in place.
15. Data Analytics: Use data analytics to analyze historical project data and extract meaningful insights. This can help identify trends, performance patterns, and areas for optimization.

By considering information derived from previous similar design and development activities, organizations can benefit from the collective knowledge and experience of their teams. This approach promotes efficiency, reduces risks, and contributes to the continuous improvement of design and development processes.

4) The organization shall consider statutory and regulatory requirements

Considering statutory and regulatory requirements when determining design and development inputs is crucial for ensuring that a product or system complies with legal and industry standards. Here’s a step-by-step guide on how an organization can effectively consider these requirements:

1. Identify Applicable Regulations: Begin by identifying all relevant statutory (legal) and regulatory requirements that pertain to your product or industry. These can include federal, state, or international laws, as well as industry-specific standards and guidelines.
2. Create a Compliance Team: Establish a cross-functional team that includes individuals with expertise in regulatory affairs, legal compliance, and product design and development. This team will be responsible for ensuring compliance throughout the design process.
3. Document Requirements: Carefully document all identified requirements. This includes both general requirements that apply to your industry and any specific regulations or standards that are relevant to your product.
4. Incorporate Requirements into Design Inputs: Review the documented requirements and incorporate them into your design and development inputs. These inputs should serve as the foundation for your product design, guiding decisions about its features, specifications, and performance criteria.
5. Risk Assessment: Conduct a risk assessment to identify potential compliance risks associated with the design inputs. Consider how deviations from the requirements could impact product safety, legality, or market acceptance.
6. Design Review and Validation: During the design process, conduct regular design reviews to ensure that the product is aligning with the regulatory and statutory requirements. Perform validation tests to verify that the product meets these requirements.
7. Document Everything: Maintain comprehensive records of how each design input is linked to specific regulatory or statutory requirements. This documentation will be crucial for audits and regulatory submissions.
8. Iterative Process: Design and development are often iterative processes. As you make changes and refinements to your product, ensure that these modifications continue to align with the identified requirements.
9. Consult Experts: If needed, consult with subject matter experts, legal counsel, or regulatory consultants to ensure that your understanding of the requirements is accurate and up-to-date.
10. Testing and Certification: Once the product design is complete, conduct testing and validation to confirm compliance with all relevant statutory and regulatory requirements. If applicable, seek certification or approval from relevant authorities or certification bodies.
11. Monitoring and Updates: Even after product launch, continue to monitor changes in regulations and standards. Update your product design and development processes as necessary to stay in compliance.
12. Training and Awareness: Ensure that your team is educated and aware of the importance of regulatory compliance in the design and development process. Training can help prevent compliance issues from arising.

By following these steps, organizations can systematically integrate statutory and regulatory requirements into their design and development processes, reducing the risk of legal issues, ensuring product quality and safety, and maintaining a positive reputation in the market.

5) The organization shall consider standards or codes of practice that the organization has committed to implement

Considering standards or codes of practice that the organization has committed to implement is an essential part of the design and development process. These standards and codes often serve as industry best practices and benchmarks for quality, safety, and performance. Here’s how an organization can effectively consider and implement them:

• Begin by identifying the specific standards or codes of practice that your organization has committed to implement. These could be industry-specific standards, international management standards, safety codes, or any other relevant guidelines.
• Integrate the requirements and guidelines outlined in the identified standards and codes into your design and development inputs. These should become an integral part of the product’s design criteria and specifications.
• Maintain clear documentation that demonstrates how each design input aligns with the relevant standards and codes. This documentation is essential for audits and ensuring that your product adheres to the committed standards.
• During the design process, conduct regular design reviews to ensure that the product is aligning with the standards and codes of practice. Perform validation tests to verify compliance.
• Assess the risks associated with not complying with the committed standards and codes. Non-compliance could result in legal issues, safety hazards, or quality problems. Address these risks in your design and development process.
• If necessary, seek guidance from experts or consultants who specialize in the relevant standards and codes. They can provide valuable insights and interpretations to ensure compliance.
• Ensure that your design and development team is knowledgeable about the standards and codes that apply to your work. Provide training and promote awareness to ensure everyone understands their importance.
• Conduct thorough testing and validation processes to confirm that your product meets the requirements outlined in the standards and codes. This may include laboratory testing, simulations, or field trials.
• Stay vigilant about changes in standards and codes over time. Continuously monitor updates and revisions to ensure that your product remains compliant throughout its life-cycle.
• If applicable, seek certification or issue compliance statements that confirm your product’s adherence to the committed standards and codes. This can enhance your product’s credibility in the market.
• Maintain records of compliance with standards and codes for regulatory, legal, and customer reference. Proper documentation is crucial for demonstrating compliance and resolving any disputes.

By considering and implementing the standards and codes of practice that your organization has committed to, you not only ensure compliance but also enhance the quality, safety, and reliability of your products or services. This commitment can also improve your organization’s reputation and competitiveness in the marketplace.

6) The organization shall consider potential consequences of failure due to the nature of the products and services.

Considering the potential consequences of failure is a critical aspect of the design and development process for products and services, especially when they have the potential to impact safety, health, the environment, or other significant factors. Here’s how an organization can incorporate this consideration into its design and development inputs:

1. Identify Critical Product or Service Characteristics: Begin by identifying the specific aspects or characteristics of your product or service that could have significant consequences in the event of failure. This could include factors like safety, reliability, performance, and environmental impact.
2. Conduct Risk Assessments: Perform thorough risk assessments to evaluate the potential consequences of failure for each identified characteristic. Consider both the likelihood and severity of these consequences. This may involve techniques such as Failure Modes and Effects Analysis (FMEA) or Hazard Analysis.
3. Set Design Criteria and Requirements: Based on the results of the risk assessments, establish design criteria and requirements that explicitly address the potential consequences of failure. For example, set performance targets, safety standards, and environmental impact limits.
4. Document the Consequences: Clearly document the potential consequences of failure for each characteristic and the corresponding design requirements. This documentation serves as a reference point throughout the design and development process.
5. Incorporate Mitigation Measures: Develop and integrate mitigation measures into the design to reduce the likelihood or severity of failure consequences. These measures could include redundancy, fail-safes, protective systems, and quality control processes.
6. Continuous Monitoring and Testing: Continuously monitor and test the product or service during the development process to ensure that it meets the established design criteria and effectively addresses potential failure consequences.
7. Cross-Functional Collaboration: Involve cross-functional teams in the design process, including experts in areas like safety engineering, quality control, and environmental impact assessment. Collaboration ensures a comprehensive approach to addressing failure consequences.
8. Regulatory Compliance: Ensure that the design and development process aligns with any relevant regulatory requirements related to the consequences of failure. Regulatory agencies often have specific standards for safety, quality, and environmental impact.
9. Feedback Loops: Establish feedback loops to capture and analyze data from real-world use or testing. This data can inform design refinements and improvements to further mitigate failure consequences.
10. Emergency Response Planning: Develop contingency plans and emergency response procedures to address potential failures that could have severe consequences. Ensure that your organization is prepared to respond appropriately in case of such events.
11. Customer Communication: Communicate the potential consequences of failure and any relevant safety or usage instructions to customers, where applicable. Transparency can help manage expectations and reduce risks.

By systematically considering the potential consequences of failure during the design and development phase, organizations can enhance the safety, reliability, and overall quality of their products and services. This approach not only mitigates risks but also demonstrates a commitment to customer satisfaction and responsible business practices.

7) Inputs shall be adequate for design and development purposes, complete and unambiguous.

Ensuring that Design and Development Inputs are adequate, complete, and unambiguous is a fundamental aspect of a robust design and development process. Ambiguity or inadequacy in inputs can lead to misunderstandings, errors, and inefficiencies in the development process. Here’s how the organization can achieve this:

1. Gather Comprehensive Requirements: Thoroughly gather all relevant requirements, specifications, and expectations from stakeholders, including customers, regulatory bodies, and internal teams. Consider all aspects, such as functionality, performance, safety, and quality.
2. Clarify Ambiguities: If any requirements or inputs are unclear or ambiguous, work closely with stakeholders to clarify them. This might involve holding meetings, conducting interviews, or seeking expert opinions.
3. Document Inputs in Detail: Document all inputs in a clear, structured, and detailed manner. Use precise language, avoid jargon, and provide examples or illustrations where necessary. This documentation should serve as a reference point throughout the design and development process.
4. Validation and Verification: Ensure that the inputs are validated and verified for accuracy and completeness. Validation involves confirming that the requirements meet the needs of stakeholders, while verification ensures that they are correct and free from errors.
5. Use Standard Templates and Formats: Standardize the format and templates used for documenting design and development inputs. This consistency makes it easier to understand, review, and update the inputs.
6. Cross-Functional Review: Involve cross-functional teams in reviewing the design and development inputs. Different perspectives can help identify gaps, inconsistencies, or potential issues that may not be apparent to a single department.
7. Traceability: Establish traceability matrices that link each input to specific design and development elements. This traceability ensures that all requirements are addressed and that changes are managed effectively.
8. Regularly Review and Update: Design inputs may evolve over time due to changes in customer needs, regulatory requirements, or project scope. Regularly review and update the inputs to ensure they remain relevant and aligned with project goals.
9. Version Control: Implement version control for design and development inputs to track changes and revisions. This prevents confusion and ensures that the latest requirements are being used.
10. Communication: Foster clear communication channels between all relevant stakeholders. Encourage open dialogue to address any questions or concerns related to the inputs promptly.
11. Training and Awareness: Train employees involved in the design and development process on the importance of clear and complete inputs. Make them aware of the potential consequences of inadequate or ambiguous requirements.
12. Continuous Improvement: Continuously seek feedback from teams involved in design and development to identify areas where inputs can be improved. Use lessons learned from previous projects to refine your approach.

By following these steps and emphasizing clarity, completeness, and lack of ambiguity in design and development inputs, organizations can reduce the risk of errors, rework, and misunderstandings, ultimately leading to more efficient and effective product development processes.

8) Conflicting design and development inputs shall be resolved.

Resolving conflicting design and development inputs is crucial for maintaining the integrity and efficiency of the design process. Conflicts can arise from differing stakeholder perspectives, changing requirements, or misunderstandings. Here’s how an organization can effectively address and resolve these conflicts:

1. Identify Conflicts Early: Encourage open communication among all stakeholders involved in the design and development process. Actively seek out conflicting inputs, and establish a mechanism for reporting and addressing conflicts as soon as they arise.
2. Document Conflicting Inputs: Clearly document the conflicting inputs, specifying the source of each conflicting requirement or expectation. This documentation serves as a reference point for resolution efforts.
3. Convene a Cross-Functional Team: Assemble a cross-functional team that includes representatives from all relevant departments, including design, engineering, marketing, quality assurance, and any other areas with a vested interest in the project.
4. Analyze the Nature of Conflicts: Investigate the reasons behind the conflicting inputs. Understand whether conflicts stem from technical limitations, differing stakeholder priorities, or miscommunications.
5. Prioritize Requirements: Work with stakeholders to prioritize conflicting requirements based on their importance to the project’s overall success, customer satisfaction, and compliance with regulations.
6. Seek Compromise and Consensus: Encourage stakeholders to engage in constructive discussions to find compromises or common ground. Be prepared to make trade-offs and concessions when necessary to resolve conflicts.
7. Apply Decision-Making Frameworks: Utilize decision-making frameworks such as cost-benefit analysis, risk assessment, or impact analysis to objectively evaluate conflicting inputs and make informed decisions.
8. Document Resolutions: Document the resolutions to conflicting inputs, including the rationale behind each decision. This documentation should be shared with all stakeholders to ensure transparency and understanding.
9. Update Design Inputs: Revise the design and development inputs to reflect the agreed-upon resolutions. Ensure that these updates are communicated clearly to the entire team.
10. Implement Change Management: If resolving conflicts results in changes to the project scope, requirements, or timelines, implement a robust change management process to ensure that all relevant parties are informed and aligned with the changes.
11. Continuous Monitoring: Continuously monitor the project to ensure that the resolved conflicts do not re-emerge or lead to new conflicts. Address any emerging issues promptly.
12. Lessons Learned: After project completion, conduct a post-project review to identify the root causes of conflicts and the effectiveness of the resolution process. Use these lessons learned to improve conflict resolution in future projects.
13. Stakeholder Communication: Maintain open and transparent communication with stakeholders throughout the conflict resolution process. Keep them informed of progress and decisions.

By proactively addressing and resolving conflicting design and development inputs, organizations can maintain project momentum, reduce the risk of delays and rework, and ensure that the final product or service meets the needs and expectations of all stakeholders.

9)The organization shall retain documented information on design and development inputs.

This clause outlines the requirements for defining and documenting the inputs necessary for the design and development of products and services. Here are the key documents and records required in ISO 9001:2015 Clause 8.3.3:

1. Customer Requirements: You must document and record all relevant information regarding customer requirements. This includes specifications, expectations, needs, and any other relevant information that defines what the customer expects from the product or service.
2. Regulatory and Statutory Requirements: Ensure that you have documented and recorded all applicable laws, regulations, and standards that apply to your product or service. This may include safety standards, industry-specific regulations, and legal requirements.
3. Functional and Performance Requirements: Document the functional and performance requirements of the product or service. This includes any specific features, capabilities, or performance criteria that need to be met.
4. Risk Assessment: Document the results of risk assessments related to the design and development process. This should include identification of potential risks, their impact, and any mitigation measures planned.
5. Scope and Objectives: Clearly define the scope and objectives of the design and development process. This helps ensure that everyone involved understands the purpose and goals of the project.
6. Standards and Guidelines: Document any relevant industry standards, guidelines, or best practices that need to be followed during the design and development process.
7. Resource Requirements: Identify and document the resources needed for design and development. This includes personnel, equipment, materials, and facilities.
8. Interactions and Interfaces: Document any interactions or interfaces with other processes, products, or services that are relevant to the design and development process.
9. Change Control Procedures: Establish and document procedures for managing changes to design and development inputs. This includes how changes are reviewed, approved, and communicated.
10. Traceability: Establish a system for tracing the design and development inputs throughout the entire process. This ensures that you can track how each input is addressed and incorporated into the final product or service.
11. Validation Criteria: Define the criteria for validating the design and development outputs. This helps ensure that the final product or service meets the specified requirements.
12. Records of Inputs: Maintain records of all documented design and development inputs. These records should be readily accessible for review and audit purposes.

It’s important to note that the level of documentation and record-keeping may vary depending on the complexity of the product or service and the organization’s specific needs. ISO 9001:2015 emphasizes the importance of maintaining documented information while allowing flexibility to tailor the documentation to the organization’s size and context. Always consult the standard and consider the guidance of a quality management expert when implementing these requirements in your organization.

Conceptual Design Statement (CDS)

The Conceptual Design Statement (CDS) includes a design statement that declares the inputs to be used in the design and the proposed design solution. A design statement illustrates the principles concepts and input data relevant to the design and allows relevant stakeholders to understand the thinking behind any chosen design solution. The Design Team will normally produce a Conceptual Design Statement that states the standards and requirements against which the design is to be developed, the processes to be applied and the level of independent checking to be carried out (if any) that is proportionate to the level of risk. The design activities are then carried out by the Design Team using the CDS as the basis. Design and development inputs are documented and controlled. Design and development inputs can be in any form, including data sheets, customer drawings and specifications, photographs, samples, references to standards, etc.

Design standards baseline

All designs are based on a list of approved design standards, referred to as the Standards Baseline. This list is owned and managed by the Engineering Manager. The Standards Baseline is made up of a combination of National and International Standards, National Engineering Specifications, and Approved Codes of Practice. The Standards Baseline should be reviewed monthly and any changes are controlled by the Engineering Manager. At the commencement of any given design package, the Design Team is required to specify the Standards Baseline that will be used in the design.  The Engineering Manager should be responsible for checking that the correct design standards have been specified and for verifying that the design output complies with these standards and design requirements. Due to the continuous review and updating of standards, the baseline between different design instructions may vary so a strict configuration control is maintained and only agreed changes are used in the assurance process. Once a design package has been instructed, the baseline for that element of work becomes fixed and will not reflect any subsequent changes in standards.

Design assumptions

Assumptions will normally be statements to fill uncertainties in available information. They are generated by the Design Team in order to allow designs to continue in the early stages. The anticipation is that assumptions are temporary and are closed out either by obtaining data or updating documents to confirm or change the assumption. Assumptions have the potential to be incorrect, and are therefore a source of risk, that require management. Any associated risk is identified and raised through the Risk Register. The assumption management activity is coordinated by Design Manager, with input from the Design Team. Assumptions regarding domain knowledge include facts about the application of the end product or service that allow requirements to be developed in a particular context. The assumptions are normally traceable to gaps or inconsistencies in the design inputs e.g. incomplete or conflicting functional requirements, inconsistencies between the applicable Standards, unclear scope of work, or demarcation issues. The Responsible Body; which might be another company, organisation, person, or team against which an assumption has been made or who are responsible for providing a feature or undertaking an action to resolve an assumption agreed by them. Qualifying criteria for design assumptions are based on the following:

• Assumptions on scope and allocation;
• Assumption regarding gap or conflict in the stated capabilities, systems or operational aspects;
• Conflict between standards;
• Assumptions due to missing design data;
• Assumptions regarding a design decision;
• Assumptions relating to interface issues.

Assumptions must not be raised on programme and cost related matters. The requirements or the design statement will be verifiable against the raised assumption or the origin of the assumption. Assumptions are accepted by the Resolving Body; they may be turned into design requirements or project risks. The process for managing design assumptions is summarised as follows:

• Assumptions are managed using an Assumptions Register;
• The Design Team propose an assumption to fill an uncertainty;
• The Engineering Manager reviews the suitability of the assumption against the criteria;
• Once agreed with the Resolving Body, the Design Team updates the assumption register;
• Action owner closes out assumption by agreed date, this could be done either by establishing additional data or confirming a decision;
• The Engineering Manager monitors that action owners are closing out assumptions and takes action to expedite if necessary;
• Any assumption remaining at the end of the design phase must be clearly recorded in the Assumptions Register and transferred to the Risk Register.

Assumptions are considered closed when they are successfully resolved i.e. accepted by the Resolving Body and the Resolving Body has taken an action that is documented in a resolving document. This resolving document must be properly reviewed, verified and issued before the closure of an assumption is accepted. The respective Gate Review Authority are the final authority to accept or reject the closure of an assumption. The confirmation of closure is noted in the Assumptions Register and a reference to the resolving document with the relevant clause is provided for verification purposes.

Design requirements

The design management process is geared towards meeting customer requirements, while providing a product cost, which enables organizations to have a satisfactory return on investment. The physical and performance requirements of a product used as a basis for product design and development; includes user requirements, regulatory requirements, and system requirements. The customer and user requirements are translated into design requirements and may either be hardware or software (according to intended use) and included in the design specifications and other design documents. The requirements are reviewed for adequacy by a cross functional, multidisciplinary team involving Design, Engineering, Sales, Manufacturing, Procurement, Sales and Quality to ensure the requirements are complete, unambiguous and not in conflict with each other. The Design Team notifies Engineering Manager if the requirements are ambiguous or conflict with each other. The Design Team produces evidence of the capture of and compliance with the requirements. This evidence is presented in the Requirements Register. The Design Team should provide compliance matrices and verification reports to demonstrate how the designs meet the requirements, supported by the compliance rationale, evidence, models and analysis as required, whilst ensuring that:

• All requirements are traceable to the identifier, author, rationale, source, requirement owner, allocation and stakeholder;
• All requirements have been validated and approved by identified personnel;
• All requirements set been reviewed and agreed with the customer;
• Are requirements are recorded into the project applicable database;
• All allocated requirements are understood and accepted by all the recipients.

In order to progress their close-out and acceptance, compliance statements are prepared and allocated to each requirement, commensurate to the design stage e.g. Gate 1, 2, or 3. Links and references to supporting drawings and documents are provided as the design progresses.

Customer supplied user requirements are transferred to the Requirements Review Checklist and additional requirements are addressed with the customer. The Marketing Manager and the Sales Manager should identify and document the markets’ need for new solutions in a requirement statement which serves as the input for design and development work. The requirement statement includes the following:

• What is required (features/functions, etc.);
• Why it is needed (customer demand);
• When it is needed;
• Assumptions needed to progress the design;
• Risk and opportunity, and hazard analysis;
• Requirements for performance, reliability, safety, statutory and regulatory, etc.;
• Pricing targets and design project milestones.

When a product is designed or modified to meet specific customer requirements, the Engineering Manager receives from Marketing Manager and the Sales Manager an outline design order with customer requirements and specifications. The Design Team translates the needs and expectations from the requirements and design statements to technical specifications for materials, products, services and processes.

Design interfaces

Where necessary, the Design Team should form working groups to develop interface control documents and record agreements for interfacing stakeholders in order to elicit their requirements and to provide feedback that may be important to your designs. Their emphasis should be on the identification and co-ordination of the important characteristics, parameters and configurations that need to be developed to deliver effective interface designs. The level of detail documented must be proportionate with the level of detail being developed in the design outputs.

1. Identify, specify and manage interfaces;
2. Assist in the resolution of interface issues relating to commercial or contractual issues;
3. Assist in the production of and agree interface documents with interfacing parties;
4. Ensure that the process of interface management is fully supported during the development of detailed designs;
5. Review and monitor the development of interface identification.