The Requirement
Before API Spec Q1 9th Edition or API Spec Q2 introduced the concept of Risk
Assessment, it had already been prescribed by two perhaps not-so-common
standards: OHSAS 18001 (Occupational Health and Safety Management Systems) and
ISO 27001 (Information Security Management Systems). While the first one placed
emphasis on assessing safety hazards in your processes, the second one focused on
assessing risks that could affect the confidentiality, integrity and availability of
information. Based on our experience, risk assessment is an exercise that you want to
do right the first time and every time, so you don't end up having to activate your
emergency or contingency plans.
Once you have selected your risk assessment methodology and crafted your risk
assessment procedure, the next step is to carry out the actual risk assessment. Make sure
you invite the management team and every process owner, so that they not only feel
involved but also take ownership of the management system being implemented.
Using this simple premise of doing it right the first time and every time, when should we
really do a risk assessment? Here are some ideas.
1. Schedule a review of the Risk Assessment matrix once a year. This will
promote awareness as well as help ensure that new risks are included in the
Risk Assessment matrix and that old risks are re-assessed for possible
changes. We live in a changing world, so risks and their impact should be
regarded as changing as well.
2. the change be assessed to ensure you have considered any potential risks. If
there is a change that merits MOC, you know Risk Assessment will follow.
3. Special circumstances. You have to recognize when there are new factors
that may need to be assessed for potential risks because of their influence on the
quality of your products and services, the safety of your processes, or the
confidentiality, integrity and availability of your information. While most of them
may already be covered by the MOC process, other factors could trigger this as
well. As indicated above, these are special circumstances, so they may be
uncommon, but your team needs to be aware of them.
4. API Specification Q1 9th Edition and API Specification Q2 call for a review of Risk
Assessment during the Management Review, which helps ensure that Risk
Assessment was done well and identifies any risks not correctly assessed. This
meeting is also an opportunity to have management agree on the treatment of any
residual risk.