One of the major changes in ISO 9001:2015 is the addition of risk-based thinking. Technically it has always been there, but now risk management takes center stage, replacing preventive actions and feeding the corrective action and improvement systems. Done poorly, this is one more piece of paper to gather dust in a file; done well, risk management can generate meaningful improvements in doing business.
The first step in managing risks is to identify what risks are relevant to your company. A machine shop that provides products for the oil fields will have very different risks than a food producer. Exporters will have to worry about exchange rates more than a company that sells to local customers. The potential risks should be analyzed; some will need to be fleshed out (possibly using root cause techniques) in order to find something that can be evaluated.
To evaluate risks, consider the likelihood and impact of each one; a risk matrix is most commonly used for this. Some risks will be so unlikely that there is no point in worrying about them; some are common but have so little impact that they aren’t worth worrying about. You will probably need different matrices for different parts of your business, with scales that are appropriate to the risks. The scales should spread out the kinds of risks from 1-5; if all the risks are 5s, you don’t learn anything useful.
Once you know which risks are the most critical to your business, you can look at how you want to handle them: avoid, transfer, mitigate, or accept. You might avoid currency risks by not exporting; transfer risks to a supplier by tightening requirements; implement an Integrated Pest Management plan; or decide to live with the threat of terrorism. Some actions, especially mitigation, may become part of the corrective action system and be tracked in the same way.
The last step is the usual one: monitor and review. Review the risks annually to see if the risk factors have changed; if mitigations have been successful, then the likelihood or impact of the risk should have gone down. Are there any new risks? What are the new priorities? Once the process is set up, it doesn’t need to be painful to maintain it; it just takes some thought periodically.