Interconnection And Changes In The Standards Of Risk Management And Quality Management

Abstract

The article reveals the relation between quality management and risk management standards. The assessment of the quality management system in organization and their certification for compliance with the requirements of international standards of ISO 9001 series is given and the reasons for the transition to its new version of ISO 9001: 2015 are determined. The need for the introduction of risk-based thinking and the implementation of the process approach: “plan – do – check – act” are described. The formal nature of the certification of quality management system (QMS) of an organization for compliance with the requirements of ISO 9001 is shown. The problems in the effectiveness of the risk management system of an organization in the post-crisis period and the need to changes the risk management methodology reflected in ISO standards. The importance of corporate governance codes in the development of a corporate risk management system (CRMS) and QMS in public companies – public joint-stock companies is shown. The recommendation to amend the quality management standards in accordance with new versions of risk management standards that ensure risk management in the framework of managing organizational activities as a single process is proposed. The necessity of leveling the differences in the issue of obligatory CRMS for public companies, regardless of the type of their economic activity, while maintaining the recommended CRMS format for non-public companies, including financial institutions, is substantiated.

Keywords: Standardqualityriskintegrationculture

Introduction

Modern economic relations are subject to a variety of risks. Therefore, the activity of an economic entity is carried out on risk management standards, generated by it on the basis of national and international quality standards and risk management standards – as a set of international best practices in the field of quality and risk management.

The fact of increasing instability of market environment is becoming more and more obvious, and as a result, an opinion is being formed about the need to conduct a business in line with the regulation of its risk level. This led to the formation in 2015 of the fifth version of the international standard ISO 9001, which provides the transition of ISO 9001 to a risk-based model of quality management. The developers declare that it will enhance the effect of risk prevention: increasing customer satisfaction, ensuring the stability of the quality of products and services, introducing a proactive culture of prevention and developing the principles of lean manufacturing.

The potential advantage of the new version is the use by an organization of quality management system (hereinafter QMS) and “... directing efforts to risks and opportunities associated with the environment and goals of an organization” (ISO 9001, 2015), as well as the fact that a process approach is applied here, including the cycle “Plan – Do – Check – Act” and risk-based thinking. The last aspect allows an organization identifying factors that can lead to the deviations from the planned results of the processes and QMS of an organization, as well as use warning management tools to minimize negative consequences and maximize the use of emerging opportunities.

Problem Statement

ISO 9001: 2008 provided the implementation of preventive actions aimed at the elimination of potential inconsistencies, and ISO 9001: 2015 aimed at the assessment of risks and opportunities (risk management is directly related to the technique of managerial decision-making), which allows quickly overcoming the zone of uncertainty in case of occurrence, reliably controlling risks and identifying new opportunities for organizational growth. In addition, if in ISO 9001: 2008 there were requirements for planning, analysis and improvement, then according to the new version of the standard “... in order to meet the requirements of this standard, organizations must plan and implement actions associated with risks and opportunities” (ISO 9001, 2015).

The new version of quality management standard requires an economic entity to have a clear understanding of the reality surrounding it, that is, manage its risks within an effective QMS. However, it does not require formalization of corporate risk management, that is, the corporate risk management system (hereinafter referred to as CRMS), which covers all its activities, as a condition for the certification of QMS of an organization, approved by the board of directors of a public company.

The systematic approach to risk management in the activities of an organization began to be applied from the beginning of the 2000s (Tsakaev, 2011), when on the one hand, European (FERMA, 2002), American (COSO ERM, 2004), Australian (AS / NZS 4360, 2004), British (BS 31100, 2008) and other national risk management standards were approved and published. On the other hand, when in 2009 the first version of two international risk management standards ISO 31000: 2009 “Risk management – Guidelines” and IEC / ISO 31010: 2009 “Risk management – Risk assessment techniques focuses on risk assessment” and an updated version of IEC / ISO Guide 73: 2009 “Risk management – Vocabulary” appeared.

The transformations that took place in recent years in economic relations in the context of globalization and trade wars (sanctions and protectionism) have actualized the urgent need to reflect in these existing corporate, national and international standards of risk management completely new types of risks, their assessment, analysis and generation of adequate measures to their localization based on the revision of principles, tools, methods, techniques and mechanisms of risk management. The authors consider these changes (transformations) in the international standards of the ISO and IEC.

Research Questions

Today the work of Technical Committee No. 262 "Risk Management" ISO continues successfully in this direction. Thus, in 2016, a new version of the terms and definitions in risk management appeared (ISO / IEC Guide 73, 2016), in 2018 a new version of risk assessment methods appeared (ISO 31000, 2018), and in 2019 a new version of the principles and guidelines in risk management was published (IEC / ISO 31010, 2019). The goal of the new version remains the same – “to integrate the risk management process into general management, strategy and planning, administration, reporting processes, policies, values and culture” (ISO 31000, 2018).

The new version of the international standard on principles and guidelines for risk management (ISO 31000, 2018) is applicable to any organization, as it provides a general approach to risk management of any type and does not depend on which industry and / or sphere of economic activity this organization belongs to. The new version of the ISO 31000 standard is recommended for the use throughout the entire life cycle of an organization and at all its levels – both at the level of functional and linear units. Therefore, this version is relevant for the organization and its units in terms of increasing the possibility of achieving their risk management goal, optimizing their risk appetite and the level of cost-effectiveness of risk management in their activities. It is necessary to note that although ISO 31000: 2018 is not intended for certification of organizations according to their level of risk and corporate risk management system (hereinafter, CRMS), but contains extensive guidance for the development and implementation of internal and external audit programs. Now organizations have a real opportunity to compare their risk management practices to the parameters of this version of ISO 31000, as to a standard.

In addition, the ISO 31000: 2018 standard, on the one hand, significantly simplifies risk management, since it is obvious to everyone that risk arises from each management decision. On the other hand, some management decisions require a structured approach, since today risk management is a part of organization operations and is crucial in the management of any organization (productive, financial and otherwise). Past risk management practices (albeit highly effective) are no longer suitable for combating modern threats (damage to reputation or brand, cybercrime, political risk, terrorism, etc.), which organizations (commercial and non-commercial) and publicly-legal institutions are increasingly facing.

This circumstance led to the need to adopt a new version of ISO 31000: 2018. A new version of this standard offers a clearer, shorter guidance to the management of modern risks. This, of course, will help private and public organizations to use risk management principles in order to improve planning and make better management decisions. Significant changes in the new version of the international standard include: a review of risk management principles, as these are key criteria for successful risk management; increasing the importance (significance) of the initiative to integrate risk management with the management of all activities of an organization; significant emphasis on the iterative nature of risk management, on the use of new experience, knowledge and analysis when reviewing elements of risk management process, actions and controls at each stage of this process; content optimization with increased attention to the support of the model of open systems model, which supports feedback from the external environment.

According to ISO 31000: 2018 standard the information on risks (both traditional and new) in the activities of an organization (and its structural divisions) is an essential element of risk management infrastructure, which allows integrating risk management into the management system of this organization. ISO 31000:2018 version focuses on the integration of CRMS with QMS within an organization and the role of the leaders of organizations and their responsibilities, and also puts more emphasis on the creation and protection of value as a key driver of risk management. This version of the international standard includes other related principles, such as: continuous improvement, involvement of stakeholders, adaptation to the organization and consideration of human and cultural factors.

According to the new version of the standard, risk is now defined as “the impact of uncertainty on goals,” which focuses on the impact of an incomplete knowledge of events or circumstances on the decision-making of an organization. This requires a change in the traditional understanding of risk, forcing organizations to adapt risk management to their needs and goals, which is a key advantage of the new version of this standard. The updated standard ensures the creation of such a risk management system that supports all the types of activities, as well as the adoption of management decisions in an organization at all its levels. This is reasoned by the fact that risk management system should be integrated with the management system of organization in order to ensure consistency and effectiveness of management control in all the areas of its activities, including: strategy and planning, organizational sustainability, information technology, corporate management, personnel management, compliance with requirements, quality, health and safety.

The systematic use of updated information on risks (both traditional and new) in the mode of its exchange between stakeholders allows, on the one hand, adjusting the goal (goals) of risk management, and on the other hand, carrying out quantitative and qualitative assessment and analysis of risks, generating adequate (with taking into account the risk appetite of an organization) preventive and other (insurance, etc.) measures to influence risks, monitor the process and document the results of risk management. All this according to ISO 31000: 2018 is a risk management process. In addition, risk management process, according to the new version of this standard, is, on the one hand, considered as an integral part of the unified management process of an organization (and its divisions), and on the other hand, should be integrated into all the processes carried out by an organization (and its structural divisions).

This fact, of course, implies that risk management is a basic (integral) component of the management of organization, since any activity of an organization is exposed (associated) to the risk of deviation from the goal of this activity. Risk management process, according to the updated version of the standard, on the one hand is applicable at the strategic, tactical and operational (program and / or project) levels of management of an organization (and its structural divisions). On the other hand, it can have a multiple application format (different application options), taking into account the goal of risk management and the interests of external and internal stakeholders in organization (and its structural divisions).

The updated version of international standard recommends that, throughout the entire risk management process, the dynamic and changeable nature of human behavior and culture should be taken into account. Therefore, the general outline of risk management process of an organization, according to ISO 31000: 2018, also includes the “Leadership and Responsibility” section.

The new ISO 31000: 2018 standard is not just an updated version – it goes beyond a simple revision, as it gives new meaning to how risks should be managed tomorrow – in the near and distant future.

The most important aspects of the transition of industries and departments in modern Russia to risk-oriented thinking include, first of all, the following four aspects: the digitalization of Russian economy, the centralization of risk management, maximum data disclosure and the work with taxpayers. Most experts in the field of risk management believe that risk management in the early stages of business process is much cheaper for organization. Therefore, a risk-based approach to business management, and especially financial, is an effective tool to achieve the goals of organizations. For this, it is necessary to form a risk-oriented thinking in organization, which should smoothly grow into an organizational culture of risk management (Grishina, 2016).

The IEC / ISO 31010: 2019 standard “Risk management – Risk assessment techniques” (IEC / ISO 31010, 2019) is an updated version of IEC / ISO 31010: 2009. It contains guidance on the choice and application of risk assessment methods in a wide range of situations. The methods are used to assist in decision making when uncertainty exists and in order to present information about specific risks and as part of risk management process. The updated document provides a summary of a number of methods with links to other documents that describe methods in more detail. New standard, published in June 2019, represents a technical revision of IEC / ISO 31010: 2009 and includes the following significant changes compared to the previous issue: it provides more detailed information on the process of planning, implementation, verification and validation of the use of methods; the number of risk assessment methods has been increased and their scope has been expanded; the concepts described in ISO 31000 are no longer repeated in this standard.

Nowadays, manufacturing enterprises and financial organizations are faced with many problems associated with new phenomena, such as cloud computing, and this requires new methods for the assessment of new, previously unobservable risks, such as cybercrime, international and other terrorism, political risk, damage to reputation or brand. Therefore, ISO / IEC 31010: 2019 focuses on risk assessment methods in terms of their concept, process and choice. Thus, in the overall risk management process, it is the choice of risk assessment methods that is of high importance, since the use of different assessment methods can give different results, which affects the subsequent actions in risk management. The assessment of risk, as a stage of risk management, is a structured sequence of actions that determine the possible ways to achieve the generated risk management goal (preventive measures program and / or insurance program), conduct a quantitative and qualitative analysis of the possible consequences of the implementation of the preventive measures program and / or insurance programs of risks significant for an organization, as well as the assessment and analysis of possible consequences; the adoption of certain decisions on the impact (processing ) of risks (significant for an organization from the position adopted by it risk appetite). All these aspects, undoubtedly, required a revision of the list of methods for risk assessment and take into account accumulated experience and best practices in this stage of risk management process, which was previously fixed in the ISO / IEC 31010: 2009 standard.

The risk assessment methods presented in new version of the standard (ISO / IEC 31010, 2019) are generally recognized and are successfully used today in risk management practice. They form the basis of the management of the activities of any organization. The measurement of risk and quantitative tools are critical means to support risk management, but only quantitative tools can not replace judgment, wisdom, and knowledge. Managers in organizations should be, above all, managers in risk management.

The standard ISO / IEC Guide 73: 2016 Risk Management – Vocabulary – Guidelines for use in standards (ISO / IEC Guide 73, 2016). The last time this standard was revised in 2016, and therefore this version remains relevant today. The updated version of the standard is a conceptual apparatus of risk management – that is, the terms and concepts that reveal the essence and content of risk management methodology, risk management system, as well as risk management process and its stages. This standard provides a logical link in understanding the relationships and dependencies in the field of risk management in the activities of organization, on the basis of a uniform construction of terms and definitions in the field of risk management.

The terms and definitions reflected in ISO / IEC Guide 73: 2016 have a broader meaning and application than the terms established in a previous version of this standard (ISO / IEC Guide 51, 2014), which are limited only by safety aspects, i.e. its negative consequences, and are intended for those involved in risk management, those involved in ISO and IEC, and developers of national or industrial standards, guidelines, procedures and codes of practice related to risk management. The provisions of ISO / IEC Guide 73: 2016 supplemented the provisions of ISO 31000: 2009, and since 2018 they began to supplement ISO 31000: 2018. At the same time, in order to avoid duplication from ISO 31000: 2018, the provisions regarding terminology and definitions of risk management were removed.

The improvement of international and national standards for risk management is carried out in line with the adoption and revision of international and national codes of corporate governance. Thus, the Financial Stability Board (FSB), created by G20 countries at the London Summit in April 2009. Firstly, on March 9, 2018, it issued an addendum to the principles and standards of the FSB on good remuneration practices – “Supplementary Guidance to the FSB Principles and Standards on Sound Compensation Practices The use of compensation tools to address misconduct risk”(FSB, 2018), which contains general principles for the use of compensation tools such as adjusting the annual bonus and refunding previously paid remuneration to reduce the risk of unfair behavior. Secondly, on April 20, 2018, FSB published the report “Strengthening Governance Frameworks to Mitigate Misconduct Risk: A Toolkit for Firms and Supervisors” (FSB, 2018), which sets out a list of risk management tools of fraud.

On July 6, 2018, the Financial Reporting Council of the United Kingdom published a new version of the UK Corporate Governance Code, which became shorter and more flexible, and the main changes affected the functions and composition of the Board of Directors, taking into account the corporate culture in organization, revising the terms and mechanisms of remuneration to members of the Board of Directors. (FRC, 2018). The Hong Kong Stock Exchange announced on July 27, 2018, the amendments to the listing rules, the Corporate Governance Code, the Guidelines for the board of directors and its members (in terms of their role and responsibilities), which entered into force on January 1, 2019. (HKEX, 2018)

In Russia, a clear example of summarizing the experience of еру implementation of corporate governance, taking into account the consensus that has been formed, in understanding the appropriateness and effectiveness of the principles recommended by the Corporate Governance Code (Bank of Russia, 2014), was the adoption on July 19, 2017 of the Federal Law “On Amendments to the Federal Law On joint stock companies”. Developed with the active participation of the Bank of Russia, this Code enshrined the principles of corporate governance, which determine the key role of the board of directors in corporate governance and recommendations on the creation of corporate credit control systems, corporate systems of internal control and internal audit in public joint-stock companies. Many Russian public joint-stock companies (PJSC) engaged in production and trading established CRMS on a voluntary basis, and financial PJSC created CRMS due to the requirements of special legislation.

The consolidation at the legislative level of the need to organize risk management and internal control systems only confirms their importance and significance as elements of an effective corporate governance mechanism for all public joint-stock companies. Today, the Bank of Russia monitors the implementation by the Russian public joint-stock companies of the principles of the Code and prepares annual reviews based on the data disclosed by joint-stock companies whose shares are included in the quotation lists of the first (QL1) and the second (QL2) level of Moscow Exchange PJSC.

Purpose of the Study

Nowadays, in the context of the development of digital economy, the requirements for an organization with a certified QMS should increase significantly. It becomes an obvious goal of certification of QMS of an organization for compliance with ISO 9001 is to increase the efficiency of its activities. However, this is not achievable without adequate risk and opportunity management. This circumstance was the basis for our study of the relationship between ISO 9001 series and ISO 31000 standards – determining the degree of transformation dependence in international quality management standards, depending on changes made to international risk management standards.

Research Methods

During the research in CRMS of identifying relationships and interdependencies, the methods of system analysis were used, namely, methods aimed at the use of intuition and experience of a specialist – methods of expert assessments. In the course of the analysis of the standards of quality management and risk management, the capabilities of the method of associations were used. Comparing different versions of one series of international standards, the method of pair (binary) comparisons was used, and when correlating different series of a particular type of standard, the method of preference vectors was used.

Findings

The study showed that there is a strict connection between quality management system and risk management system at organization level as the effectiveness of CRMS determines the effectiveness of QMS. It is this circumstance that formed the basis of the study of how changes in international standards of risk management affect changes in international standards of quality management. It was revealed that changes in the provisions of ISO 31000 standards entail certain changes in international quality standards. At the same time, the lack of the required level of harmonization between these standards leads in practice to the adoption of less efficient, albeit certified, QMS organization. Touching upon the issue of harmonization of ISO 9001 standards with ISO 31000 standards, it should be noted that there is a need to mitigate differences in the issue of obligation for public companies of CRMS, regardless of the type of economic activity, while maintaining the recommended format of CRMS for non-public companies. Otherwise, the certified QMS of public companies will not be effective and will be formal.

Conclusion

Corporate quality management (defined by national and international standards of ISO 9001 series) in financial and other organizations objectively needs to adapt (transform) to both the conditions of digital economy and the new realities in the field of globalization and trade warriors – sources of new risks. It is reasoned by the fact that ISO 9001 standards are based on harmonization with ISO 31000 series risk management standards, otherwise it is impossible to ensure the effectiveness of QMS of organizations. Nowadays, public organizations are building their corporate risk management based on national risk management standards, formed on the basis of ISO 31000: 2018, ISO / IEC 31010: 2019 and ISO / IEC 73: 2016.

In Russia, national quality management standards should be linked to national risk management standards in line with the provision of the unity of risk management process and the activities of organization and the formation of risk-based thinking among managers at all the levels of public and non-public companies. External effects of globalization of commodity and financial markets, generating new risks, should be taken into account as a sufficient condition for the formation of a balanced CRMS and effective QMS in organizations and enterprises. This requires a significant reduction in the time lag both in the transformation of the latest versions of ISO 9001 standards to changes in the latest versions of ISO 31000 standards, and corporate standards of organization quality management to the latest changes in corporate risk management standards.

References

• AS/NZS 4360. (2004). Australian/New Zealand Standard. RISK MANAGEMENT. Retrieved from file:///C:/Users/User/Downloads/4360-2004.PDF
• Bank of Russia (2014) Letter of the Bank of Russia “On the Corporate Governance Code”. Retrieved from http://base.garant.ru/70640276/
• BS 31100. (2008). Risk management. Code of practice. Retrieved from https://technospub.wordpress.com/2011/02/18/bs-311002008-risk-management-code-of-practice/
• COSO-ERM. (2004). Enterprise Risk Management – Integrated Framework: Executive Summary. Retrieved from https://www.coso.org/Documents/COSO-ERM-Executive-Summary.pdf
• FERMA. (2002). A RISK MANAGEMENT STANDARD. Retrieved from https://www.ferma.eu/ app/uploads/a-risk-management-standard-english-version.pdf
• FRC. (2018). UK Corporate Governance Code. Retrieved from https://www.frc.org.uk/directors/ corporate-governance-and-stewardship/uk-corporate-governance-code
• FSB. (2018). Strengthening Governance Frameworks to Mitigate Misconduct Risk: A Toolkit for FiCRMS and Supervisors. Retrieved from https://www.fsb.org/wp-content/uploads/P200418.pdf
• Grishina, N. P. (2016). Risk-based management. Mathematical and computer modeling in economics, insurance and risk management (pp. 187–191). Voronezh: Publ. house LLC Sci. Book.
• HKEX. (2018). Guidance for Boards and Directors. Retrieved from https://www.hkex.com.hk/-/media/HKEX-Market/Listing/Rules-and-Guidance/Other-Resources/Listed-Issuers/Corporate-Governance-Practices/guide_board_dir.pdf?la=en
• IEC/ISO 31010. (2019). Risk management – Risk assessment techniques focuses on risk assessment. Retrieved from https://www.iso.org/standard/72140.html
• IEC/ISO Guide 73. (2016). Risk management – Vocabulary. Retrieved from https://www.iso.org/ standard/44651.html
• ISO 9001. (2015). Quality management systems – Requirements. Retrieved from https://www.iso.org/ standard/62085.html
• ISO/IEC Guide 51. (2014). Safety aspects – Guidelines for their inclusion in standards. Retrieved from http://docs.cntd.ru/document/1200140424
• Tsakaev, A. K. (2011). Risk management in a credit institution. In 2 volumes. Vol. 1. Theory and methodology of risk management. Moscow: Ekon-inform Publ. House.