ISO Standards and Risk Management for an LSP

If you’re like most small- to medium-sized businesses, risk management is probably low on your list of priorities. However, in the new ISO 9001:2015 standard, risk is a major feature.

To some extent, we always think about risk, but we don’t necessarily do it in a formal way. I know that crossing the street with my eyes closed is a big risk (and so I don’t do it!), but I don’t have my personal life policies written down anywhere. And I certainly don’t fill out paperwork to assess the risk in my life. We do the same in business. We know that using a new vendor on a project has risks, and we try to plan for that accordingly. Maybe we have a more experienced, trusted vendor review their work or maybe we ask for an earlier delivery to build some slack into the schedule. The point is that we do risk management all the time, but now we need to formalize our thinking.

With the ISO 9001:2015 standard, there are few other things we need to do too. We need to consider the stakeholders involved in each aspect of our business, their needs, and the internal and external factors that might affect the smooth operation of our businesses. For translation work, the major stakeholder is the customer, but understanding their needs is not always easy. Because they may be unfamiliar with languages and other cultures, it’s up to us to help them figure out their needs. However, the customer is not the only stakeholder. The Project Manager (PM) and translator, among others, also have needs that must be considered, and their needs sometimes conflict with those of the customer. There isn’t always an easy solution when this happens, but understanding everyone’s requirements is a necessary first step to understanding risk.

Once all stakeholders and their needs are identified, we need to think about all the risks associated with each need and activity. The risks involved with estimating the budget and schedule of a project, for example, are going to be different than those involved with vendor recruitment, technology requirements, and company management. Further, the risks for a translation project are going to be different than those for an interpreting project. You can create some templates for risks that are more common, but every project is unique and can pose different risks.

It’s important to note though that the ISO 9001:2015 standard isn’t just concerned with project performance, as risk can occur elsewhere in the business. Decisions made by company management, marketing, sales, or accounting can also have impacts on our production work. Agreeing to contracts with lower rates or requirements to perform new services or use new/different technology, for example, incur more risk during production and might require new vendors and additional training and/or time. Because of this, it’s good practice to break down all the areas where risk can occur in your business and understand the relationships between each area.

Although it might seem daunting to think of risks for each aspect of your business, it’s not all that bad because not all risks are created equally. Some risks have much greater impacts on business and are more likely to occur. These types of risks definitely need to be prioritized, but the risks that are more nuisances than major problems can be ignored, for the most part. We still want to think about these smaller risks, but at some point we need to stop listing everything that can go wrong and focus on bigger problems.

After we prioritize the risks, we can think about how to deal with them. Can we avoid them? Can we make the impact or probability of occurrence lower? Can someone else help with it? Do we just have to accept it? These are the questions you should ask yourself when planning your responses.

And remember, risk isn’t just a negative thing! Although I have talked about risk in the negative here, risk is just uncertainty, which can also have positive effects. Maybe you can plan to deliver a project early. Or maybe you can leverage previous content better. Regardless, we need to think about positive effects of everything we do and plan ways to exploit or enhance these effects.

Finally, you need some way to measure the effectiveness of your risk-based thinking to make sure it’s working. Anything from occasional meetings to formal reports or audits will work, but choose something that works well for you. All companies can benefit from having some mechanism by which it can improve.

Blog written by Tommy Tomolonis
Quality Manager
CETRA

Editor’s Note: CETRA was recently recertified under the ISO 9001:2008 international quality management standard, and is currently updating its certification to the 2015 standard.  ISO 9001 is the international standard that specifies requirements for an organizational QMS.  It was originally published in 1987 by the International Organization for Standardization (ISO), an international agency composed of the national standards bodies of more than 170 countries.