How to Work with the Chief Risk Officer
Many CROs come from compliance, legal, or finance backgrounds and have little exposure to operations or quality. Even so, the CRO is critical to the quality function's success with ISO 9001:2015, because this is the person who provides risk approvals, direction, and resources. The quality department should be flexible and work with the CRO, specifically:
- Work with new risk stakeholders to obtain resources and establish credibility. The risk requirements of ISO 9001:2015 give quality additional responsibilities it did not have before.
- Work with executives to establish the appropriate risk control environment, culture and tone at the top.
- Work with other executives to establish the appropriate risk appetite for the areas addressed by ISO 9001:2015.
- Establish and communicate how the ISO 9001:2015 risk requirements fit into the enterprise risk management (ERM) vision and the risk-based thinking (RBT) mission.
- Work with senior executives to define the appropriate role of quality risk management within the ISO 9001:2015 framework.
- Reframe the role of quality management, quality assurance, and quality control to include risk.
- Work with managers and executives in other areas of the organization, such as finance, internal auditing, operations, and supply chain management, to integrate the ISO 9001:2015 requirements with the existing RBT framework, the organization's strategic direction, and its risk management processes.
- Develop new risk management policies and procedures that are aligned with ISO 9001:2015 and the organization’s strategy.
- Communicate ISO 9001:2015 risk goals and requirements to ensure there is a seamless integration with other organizational risk frameworks.
- Identify process, project, and product risk ownership, responsibilities, and roles. While ISO 9001:2015 primarily deals with QMS business objectives, the scope of the standard may expand to incorporate other business areas such as supply management.
- Work with other functions to address ‘white space’ risks, the risks that fall between functions and that nobody owns. Identify every gap in risk ownership. Ownership and responsibility gaps are risks waiting to occur, so establish controls to close them.
- Ensure risk frameworks, methodologies, tools, and techniques are aligned across the organization. A common risk vocabulary is critical: if functions describe risk differently, it is hard to confirm that controls are in place and working effectively.
- Consult with and facilitate a consistent deployment of ISO 9001:2015 risk vision, mission, and RBT.
Lesson Learned: Do not panic! Many of the above issues can be addressed over time, as more ISO management system standards integrate risk and as your own risk processes mature.