ISO/IEC 17025:2017
RISK ANALYSIS
Sumaira Nosheen
Scientific Officer/Asst. Quality Manager
PCSIR-LLC
Objectives of Training
➢ To explain risk based thinking in ISO/IEC 17025
➢ To understand the risk management process
Establishing context
Risk identification
Risk analysis and evaluation
Risk treatment
Monitoring and review
Changes to ISO 17025:2005
• Complete restructuring of Clause Numbers
• Interaction with ISO 9001:2015
• Impartiality Risk Assessment
• Risk and Opportunities
• Management reviews-Agenda addition
• Reporting-Enhanced requirements
Terminology:
REMOVED: Preventive Action
INTRODUCED: Risk and Opportunities
What do we know about RM (risk management)
RM is part of our every day lives:
➢ Crossing the road - Risk of getting run over
➢ Managing our finances - Risk of going broke / exceeding your budget
➢ Purchase of Insurance - Risk of fire, theft, storm
➢ Choosing to smoke - Risk of cancer
➢ Going for a swim - Risk of drowning
--The choice we make in choosing to accept these risks is part of who we are
Understanding Risk Management
✓ Risk arises from uncertainties that can cause us to deviate from our goals
✓ Risks are to be managed
A risk is a potential future event that could result in adverse
and unplanned consequences
Note:- Risk is usually expressed in terms of risk sources, potential
events, their consequences and their likelihood
Definition of Risk Management
• Coordinated activities to direct and control an organization with
regard to risk
(Taken from ISO 31000:2018 Risk Management-principles and guidelines)
• Risk management comprises a framework and process that enable
an organization to manage uncertainty in a systematic way from
strategic, programme, project and operational perspectives, as well as
supporting continual improvement
(BSI British standard risk management-code of practice BS 31100:2008)
Risk Assessment Process
IDENTIFY
ANALYZE
EVALUATE
A Coherent Set of Standards
• ISO 31000: 2018-Risk Management- Principles and Guidelines
• ISO Guide 73- Risk Management Vocabulary
• ISO/IEC 31010-Risk Management-Risk Assessment Techniques
• HB 327: 2010-Communicating and consulting about risk
• HB 266:2010- Guide for managing risk in not-for-profit organizations
• ISO/IEC 27005-ISMS- Risk Management
Why Risk Management???
Life is full of uncertainties……………………….
Risk management is to reduce the uncertainties in order to
❑ Increase the likelihood of achieving the objectives
❑ Improve the identification of opportunities and threats
❑ Effectively allocate and use resources for risk treatment
Internal & external factors -> Risk identification -> Risk Assessment -> Monitor and review
Why Risk Management
In today’s world, organizations cannot afford to be caught off-guard
by unexpected events that can cause:-
Understanding Risk Management
What is risk based thinking
RISK MANAGEMENT PROCESS
COMMUNICATION AND CONSULTATION
Establishing the context
Monitoring and review
Risk Assessment
Risk Identification
Risk Analysis
Risk Evaluation
Risk Treatment
Establish Context ….
It means defining the external and internal parameters to be taken into account when
managing risk and setting the scope for the risk policy
Understanding the organization and its context
✓ The organization shall determine the external and internal issues that are
relevant to its purpose and its strategic direction and that affect the quality
management system
Understanding the needs & expectations of interested parties
✓ Due to their effect on the organization's ability, the organization shall
determine, monitor and review the parties associated with the quality management
system
Sources of risk
Internal (resources, processes):
- Inadequate internal controls, e.g. human errors (incompetency, inexperience, corruption)
- IT failure??
- Operational risks??
External:
- Market risk
- Country risk
- Currency risk
- Environmental risk
- Interest rate risk
RISK IDENTIFICATION
Types of Risks (Risk Category)
Political √
Financial √
Operation √
Manpower √
Information √
Strategy √
Stakeholder √
Note: selection of the risk category is an input for risk identification; the parameters
must consider the established context that influences objective achievement
Some Common Laboratory Errors
Label Error
Lost sample
Contaminated sample
Sample delay in transit
Wrong test performed
Proficiency testing error
False negative results
Late reports
Missing reports
complaints
Laboratory accident
Risk management process…..risk identification
Do you know your Risk??
Describe the Risk !!!
Identify key process
Identify objective of key process
What is the risk and how does it affect the process?
Who owns the risk??
What is the root cause of the risk??
What is the consequence of the risk?
EXAMPLE OF PROCESS RISK
Process: Equipment maintenance
Process objective: Minimize equipment downtime, increase operator/user/analyst
satisfaction and control fleet maintenance costs
Risk: Poor equipment maintenance
Root Cause:
RC1 Non compliance to equipment maintenance SOP
RC2 Incompetent people
Consequences:
C1 Frequent equipment breakdown
C2 Increase in equipment maintenance cost
EFFECT OF PROCESS RISK
✓ Brainstorming the effect of risk--- how does the risk affect
the customer
✓ Describe the effects of the risk in terms of what the customer
might notice or experience
✓ State clearly if the risk could impact safety or cause
non compliance to regulations
✓ Customer may be external or internal
RISK ANALYSIS AND EVALUATION
Types of control
Preventive: These controls are designed to limit the possibility of an undesirable
outcome being realized
  Examples: • Elimination or removal of the source of hazard
            • Substitution of the hazard with something which is less risky
Corrective: These controls are designed to limit the scope for loss and reduce
undesirable outcomes that have been realized
  Examples: • Exposure reduction by job rotation or limitation on hours worked
            • Post implementation review
Detective: These controls are designed to identify occasions of undesirable outcomes
having been realized (audit, inspections)
  Example:  • Medical check up to seek early symptoms
Risk analysis methodology
✓ Use qualitative or quantitative methods
✓ Develop a scale (e.g. 1 for low and 5 for high)
✓ Develop a risk assessment format
Risk analysis methodology
Likelihood can be rated on this scale:
Level 1 - Rare: The event may occur only in exceptional circumstances, e.g. once in three years
Level 2 - Unlikely: The event could occur at some time, e.g. once in two years
Level 3 - Possible: The event might occur at some time
Level 4 - Likely: The event will probably occur in most circumstances
Level 5 - Almost certain: The event is expected to occur, or the chance of probabilities is 75%
RISK Evaluation
Risk matrix (rows: level of likelihood; columns: level of impact)
Likelihood      | Insignificant | Minor       | Moderate    | Major       | Catastrophic
Almost certain  | Significant   | Significant | High        | High        | Extreme
Likely          | Moderate      | Significant | Significant | High        | High
Possible        | Low           | Moderate    | Significant | High        | High
Unlikely        | Low           | Low         | Moderate    | Significant | High
Rare            | Low           | Low         | Moderate    | Significant | Significant
How to calculate: Risk rating = Likelihood X Impact, read from the matrix.
For example, likelihood Unlikely X Impact = Significant
RISK Treatment
AVOID: not taking or continuing the activities
REDUCE: likelihood and impact, by testing, control, and improving the management system
TRANSFER: involves another party to share, in whole or in part, through contract and MOU
ACCEPT: identified risks that cannot be eliminated
Transfer and Avoid the Risk
• When the likelihood of a risk is low but the consequence is high,
the organization will wish to transfer that risk
• When a risk is both high in likelihood and high in consequence, the organization
will wish to avoid or eliminate the risk
Accept and Reduce the Risk
• When the risk is considered to be within the risk appetite of the organization,
the organization will accept the risk
• When the level of risk (likelihood) is high but the potential loss (impact) associated
with it is low, the organization will wish to treat the risk in order to reduce it
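As an added example (not part of the training deck), the 5x5 matrix from the Risk Evaluation slide and the transfer / avoid / accept / reduce rules above, written in Python so a risk register row can be rated consistently. The matrix cells are transcribed from the slide; the thresholds "high = level 4 or 5, low = level 1 or 2" and the default risk appetite of "moderate" are assumptions.

```python
# Added example: rates a laboratory risk with the deck's 5x5 matrix and then
# applies the transfer / avoid / accept / reduce rules from the slides.
# Assumptions (not stated on the slides): "high" means level 4 or 5 and "low"
# means level 1 or 2 on each scale; "within appetite" means the matrix rating
# is at or below a stated appetite (default "moderate").

LIKELIHOOD = ["rare", "unlikely", "possible", "likely", "almost certain"]  # levels 1..5
IMPACT = ["insignificant", "minor", "moderate", "major", "catastrophic"]   # levels 1..5
RATING_ORDER = ["low", "moderate", "significant", "high", "extreme"]

# Matrix rows are likelihood, columns are impact (same order as IMPACT).
MATRIX = {
    "rare":           ["low", "low", "moderate", "significant", "significant"],
    "unlikely":       ["low", "low", "moderate", "significant", "high"],
    "possible":       ["low", "moderate", "significant", "high", "high"],
    "likely":         ["moderate", "significant", "significant", "high", "high"],
    "almost certain": ["significant", "significant", "high", "high", "extreme"],
}

def level(scale, name):
    """Numeric level 1..5 of a scale entry; raises ValueError if unknown."""
    return scale.index(name.strip().lower()) + 1

def rate(likelihood, impact):
    """Risk rating for a likelihood/impact pair, read from the matrix."""
    return MATRIX[likelihood.strip().lower()][level(IMPACT, impact) - 1]

def treatment(likelihood, impact, appetite="moderate"):
    """Treatment option suggested by the slide's four rules, checked in order."""
    rating = rate(likelihood, impact)
    lk, im = level(LIKELIHOOD, likelihood), level(IMPACT, impact)
    if RATING_ORDER.index(rating) <= RATING_ORDER.index(appetite):
        return "accept"      # within the organization's risk appetite
    if lk >= 4 and im >= 4:
        return "avoid"       # high likelihood and high consequence
    if lk <= 2 and im >= 4:
        return "transfer"    # low likelihood but high consequence
    return "reduce"          # high likelihood / low impact, and remaining cases

def assess(risk, likelihood, impact, appetite="moderate"):
    """One register row: risk name, levels, rating and proposed treatment."""
    return {"risk": risk, "likelihood": likelihood, "impact": impact,
            "rating": rate(likelihood, impact),
            "treatment": treatment(likelihood, impact, appetite)}

if __name__ == "__main__":
    # Constructed entry based on the deck's equipment-maintenance example.
    print(assess("Poor equipment maintenance", "possible", "major"))
```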
Development of Risk Management Culture
CULTURE: Risk as the way work is done
MANAGE: Include risk in all planning
TRAINING: Train employees to seek risk while conducting the job
Communication and Reporting
Risk Level - Communication
Critical: • Notify top management
          • Immediate action to be taken
High:     • Notify top management
          • Refer to strategic planner
Medium:   • Action to be taken without notifying top management
Low:      • Accept risk but monitoring is needed
Monitoring and Review
Effectiveness - Detail
Excellent: Monitoring conducted at planned intervals; audits and reviews have been
conducted to measure the effectiveness of the system
Good: Monitoring conducted; action has been taken
Moderate: Monitoring conducted but no action taken
Weak: No monitoring has been done
EXAMPLE OF PROCESS RISK (register form)
Form Name: ______________ Doc No:________________ Version:_______________________________
Organization:________ Date of Issue: __________ Date of Review:___________ Process Name:_______
Prepared By: ___________ Review By:______ Approved By:___________ Date of Approval:___________
Risk Identification:
- Category: enter the risk category
- Activity: determine the activity in the core process
- Task: type of risk
- Root Cause: detection of the risk
- Consequence: effect of the risk
- Existing Control: control action already taken
Risk Analysis and Evaluation:
- Likelihood and justification: determine the level of probability of the risk
- Impact: level of consequences
- Rating: level of risk
Risk Treatment:
- Additional Control: to-do list, if any, and person responsible
- Due Date: target date
Status: in progress or completed
Audit
✓ See the involvement of management
✓ See the methodology used
✓ See the members of the group involved
✓ See what kind of risks are taken into account
✓ See how the marks are given
✓ View the data used
✓ See action treatments
✓ See follow up actions