Using risk as a way to improve assurance

Risk is a wildly misunderstood concept. First of all, most people do not understand what is meant by the term 'risk', and secondly, many folks think of it as a way to make certification easier for big, rich clients and harder for small, poor ones.

When used properly, neither of these is true.

What is risk?

Risk is the relationship between the impact of a threat and its frequency; that is, the likelihood that the threat will occur and the consequences if it does. I'll try to break it down further.

A threat is a negative event. It is something that can happen and have a negative impact. An asteroid hitting Earth is a threat.

The impact of a threat is what happens when the threat occurs. Space rocks can vary in size from bits of dust to planet-sized rocks and everything in between. The impact of dust, sand and rocks that are smaller than a car is usually nil. A really big rock can be catastrophic (just ask the dinosaurs...).

Frequency is how often the threat occurs. Thousands of bits of stuff from space hit Earth every year, and almost all of it burns up before it reaches the planet's surface. A few survive being incinerated in the atmosphere and hit the surface; they usually do so in the oceans or in places where there are few humans. Once every few million years something really big hits Earth and causes major problems. The last really big one was 65 million years ago.
</gml_replace>
<gr_replace lines="17" cat="clarify" orig="So in terms of risk">
So in terms of risk, there is a very high chance that the Earth will be hit by stuff from space and an extremely small chance that the impact will disrupt our lives. The frequency is high, but the impact of almost every hit is negligible, so the risk to my life from space rocks hitting Earth is very, very low.

So in terms of risk, there is a very high chance that the Earth will be hit by stuff from space and an extremely small chance that the impact will disrupt our lives. The risk to my life from space rocks hitting earth is very, very low.

Risk and certification

First of all, let's be really clear: certification is about risk.

At its most basic, certification is a way to provide assurance that a particular set of specifications is met by a product, service, process or production method. It provides assurance that you are getting what you are paying for; as such, it helps to manage the risk that you will receive a product that does not conform to your needs.

Risk can occur at many levels. Within the certification world, risk can be found in a number of places, including:

  • the audit and certification process
  • the client who is certified
  • the chain of custody
  • and the certification scheme itself

A well-designed certification scheme has identified the threats that may occur at each step and determined which of them pose significant risks.

Once the risks are known, the certification scheme should consider each risk and, where practicable, put in place steps to eliminate, mitigate or otherwise manage it so that the frequency of occurrence is reduced, the impact is minimized, or both. In some cases a risk can be completely eliminated (but this is rare).

Pitfalls in the process

The biggest problem that can occur in this whole process is bias. Sometimes folks will assume that other people will make mistakes while they themselves are somehow immune to error. Sometimes we will decide beforehand where the problems are and completely ignore other areas.

A teacher may decide that the risk of failure by their students is due to the school, the students' families, the school administration or the government, but not due to their own failings. A school board may decide the teacher is the biggest risk and that board policy or curriculum is never an issue.

A certification scheme may assume that problems are due to bad auditors or lying clients, but never consider that its own standard and certification requirements are vague and unclear.

A note on reputation and risk

One of the fundamentals of business is that a risk to your reputation can be one of the biggest risks a company can face. The risk that your customers lose trust in you can be devastating to a product line or an entire company.

A consequence of this is that certification schemes must pay close attention to risks to their own reputation; but that is not all. Certification schemes must recognize that all of the players in the system, including the accreditation bodies, certification bodies, certified clients, processors who use certified products, and retailers that sell the final product, are relying on the scheme's certification as a way to manage or mitigate risks to their own reputations.

As with other types of risk, the certification scheme should identify risks to players at each stage in the value chain and consider how the scheme can best manage or mitigate the risks that its users may face.

There are many other ways that risk can be used to better manage a certification scheme; but for certification schemes whose currency is assurance, managing reputational risk is a significant priority.