26.0 Kmu-Eis-Ims-Q-6.1-Qms-Rac-P01 (Risk Assessment and Control)


IMS
Document Title : RISK ASSESSMENT AND CONTROL
Document No : KMU-EIS/IMS/Q/6.1/QMS/RAC/P01
Rev : 0
Date : 31st December 2019
Page : 1 of 14
KOTA MENARA UFUK SDN BHD / EISCON CONSTRUCTION SDN BHD
23-0,23-1,23-2, Jalan Kasuarina 5/KS07, Bandar Botanik, 41200 Klang, Selangor Darul Ehsan

RISK ASSESSMENT AND CONTROL

| | Prepared By | Verified By | Approved By |
|---|---|---|---|
| Name | Aisah Sanai Razali | Mr. Alan Swee | Mr. Ng Chor Huat |
| Position | Assistant Quality Manager | General Manager | Managing Director |
| Date | 31st December 2019 | 31st December 2019 | 31st December 2019 |

HISTORY OF REVISION

| Rev. No | Date | Page | Description of Revision | Recorded by | Approved by |
|---|---|---|---|---|---|
| 0 | 31st December 2019 | All | Integration of ISO9001 & ISO 45001 and reset the revision number to 00 | Aisah | Ng Chor Huat |

CONTENTS

SECTION

1.0 Purpose
2.0 Scope
3.0 References
4.0 Definitions
5.0 Procedures
6.0 Records

PROCEDURE RISK ASSESSMENT AND CONTROL

1. Objective

The purpose of this procedure is to establish a guideline to be used in the
identification of risks and opportunities in the Organization and to establish
an action plan to address these risks and opportunities.

2. Scope

This procedure is applicable to major and critical activities, including external
and internal issues that are relevant to the company's purpose and its strategic
direction and that affect the company's ability to achieve the intended result(s) of
its quality management system.

3. Reference

ISO 9001:2015 Clauses 4.1, 4.2, 6.1

4. Definition

HOD/PIC - Head of Department / Person In Charge

Risk - the possibility of events or effects of uncertainty that
impact the organization's ability to meet its objectives and
intended results. It may impact the organization either
negatively (called risk) or positively (called opportunity).

Risk management - coordinated activities to direct and control an
organization with regard to risk.

RAT Plan - Risk Assessment Treatment Plan.

5. Procedure Outline

| PIC / Input | Process Flow | Records / Output |
|---|---|---|
| HOD / Personnel In Charge | Establish Context: determine external / internal issues related to QMS; determine requirements of interested parties that are relevant to QMS; determine process risk and opportunities related to QMS; determine compliance obligations | List of Internal & External Issues; List of Interested Parties and Requirements |
| HOD / Personnel In Charge | Identify Risks | Risk Management Matrix |
| HOD / Personnel In Charge | Conduct Risk analysis | Risk Assessment & Action Plan |
| HOD / Personnel In Charge | Evaluate Risk | Risk Assessment & Action Plan |
| HOD / Personnel In Charge | Treat the risk - Plan action to address the risk and opportunities | Risk Assessment & Action Plan |
| HOD / Personnel In Charge | Implementation | Relevant records, Internal audit report, Management review minute |

Alongside the process flow: Communication and Consultation; Monitor and review.

5.1 Risk Management Flow Chart


5.2 Risk Management Flow Description
5.2.1 Determine internal and/or external issues that are relevant to the purpose
of the processes or activities:
a) Top Management shall provide leadership and direction to Heads of
Department or process owners to identify external / internal issues that
are relevant to the purpose and that affect the Organization’s ability to
achieve the intended outcomes of its quality management system.
b) Internal and external issues which can be relevant to the context of the
organization may include:
i. External context such as cultural, social, legal, technological,
economic, and competitive circumstances, market, whether
international, national, regional or local;
ii. Internal context or conditions of the organization, such as values,
culture, knowledge and performance of the QMS.

5.2.2 Determine interested parties that are relevant to the quality
management system:
a) Top Management, Head of Department or process owner shall
identify the needs and expectations (requirements) of interested
parties that are relevant to the quality management system.

5.2.3 Determine process risk and opportunities

a) Process owners shall determine the process risks and come up
with a Risk Analysis Treatment Plan (RAT) to address the issues.

5.2.4 Determine compliance obligations


a) Compliance obligations include legal requirements that an
organization has to comply with and other requirements that the
organization has to or chooses to comply with.
b) Mandatory legal requirements related to an organization can
include, if applicable:

i. Requirements from governmental entities or other relevant
authorities.
ii. International, national and local laws and regulations.
iii. Requirements specified in permits, licenses or other forms of
authorization.
iv. Orders, rules or guidance from regulatory agencies.
v. Judgments of courts or administrative tribunals.

5.2.5 Identification of risks (includes both risks and opportunities).


a) Based on the Clauses 5.2.1, 5.2.2, 5.2.3 and 5.2.4 above, the
organization should identify risks that need to be addressed,
b) Comprehensive identification is critical to ensure all potential risks
are addressed.

5.2.6 Conduct risk analysis and evaluate risk:

a) Every identified risk shall be analysed for its causes and sources,
its positive or negative consequences, and the likelihood that those
consequences can occur. Existing controls and their effectiveness and
efficiency should be taken into account when analysing the risk.
b) The purpose of risk assessment is to assist in making decisions, based
on the outcomes of risk analysis, about which risks need treatment and
the priority for treatment implementation.
c) To evaluate the risk, firstly determine the likelihood (or
probability / frequency) of the impact occurring (refer to Table 1). The
frequency-based score will be either Low, Medium, High or Extremely
high (L, M, H or E).
d) Secondly, assess severity for each domain listed in Table 2, which
may include quality impact, effect on humans, asset loss, operational
disturbance, reputation and statutory duty / inspection. The level shall
be chosen depending on the degree of severity of the potential
impact. The significance of the consequence will be rated in the Low,
Medium, High or Extreme categories.
e) Once the likelihood and severity have been determined, the overall Risk
Rating (RR) is calculated using the formula:

Likelihood (L) x Severity (S) = Risk Rating (RR)


f) Refer the Risk Rating (RR) to the risk matrix in Table 3 to identify its
risk grade.

5.2.7 Treat the risk - Plan action to address the risk and opportunities:

a) Risk Treatment involves selecting a Treatment option, assessing
the appropriateness and effectiveness of the Treatment option,
preparing Treatment plans and implementing them.
b) Risk treatment is a process to modify risk and it may include the
following responses:
i. Accept the risk or increase the risk in order to pursue an
opportunity. Risks may also be retained by default, for
example a low-level Risk that is considered acceptable for the
company to carry, or where there is a failure to identify and / or
appropriately transfer or otherwise treat a Risk.
ii. Reduce by changing the likelihood. Exposure to Risk may
be limited by reducing or controlling the Likelihood of an event
occurring. Management may take the following actions to reduce
or control the Likelihood of a Risk occurring:
− Policies and procedures
− Audit, compliance, inspections and process controls
− Contractual conditions
− Formal reviews of requirements, specifications,
engineering and operations
− Project management
− Preventive maintenance
− Quality assurance, management and standards
− Improvement

iii. Reduce by changing consequence.
Preparations to reduce, control or mitigate the Consequences of a
Risk can aid in making a particular Risk more acceptable. The
following may reduce or control the Consequences of a Risk:
− Contingency planning
− Contractual arrangements/conditions
− Design features
− Engineering and structural barriers
− Fraud control planning
− Minimization of exposure to sources of Risk
− Separation or relocation of an activity and resources
− Reserving resources
− Public relations

iv. Transfer the risk. This involves another party bearing or sharing
some part of the Risk. Risk transfer mechanisms include the use of
contracts, insurance arrangements and organizational structures
such as sub-contracts, partnerships and joint ventures.
Note: Transferring Risk to other parties or physically transferring
the source of Risk to another location may reduce the Risk to the
company but not necessarily reduce the overall level of Risk to its
Constituents.

v. Avoid the Risk. Occasionally a Risk will be able to be avoided by
not proceeding with the activity likely to generate the Risk. This
should not be the automatic preferred option (unless the Risk is
evaluated as High with no mitigating options). Risk avoidance can
occur inappropriately and may increase the significance of other
Risks.

5.2.8 Preparing Risk Treatment Plan

a) The objective of the treatment plan is to reduce the levels of Risk as
much as is reasonably possible.
b) Selection of the most appropriate Treatment plan must consider
balancing the benefits against the cost of implementation. Options
should be assessed on the basis of the extent to which Risk is reduced
and any additional benefits or opportunities created.
c) The responsibility for Treatment of Risk should be borne by those
who are best placed to control the Risk.
d) For each of the risks (and especially high risks), the controls must
be identified and in place. For risks that have been identified as
preventing achievement of organizational objectives, the
control is likely to be a management action plan.
e) Treatment plans should be integrated with the management
processes of the organization and discussed with the appropriate top
management.
f) Detailed information of the risk treatment plan shall be documented.

5.2.9 Implementation of Risk Treatment Plan

To implement risk control and actions, the following process is followed:
a) Schedule each action for implementation,
b) Implement each scheduled action,
c) Review the success of each action implemented,
d) Communicate the success of each action implemented,
e) Communicate with Top Management and external parties if
required.

5.2.10 Monitor and Review


a) Risk monitoring and review occurs concurrently throughout the risk
management process. This can be done through periodic
inspection, internal audit, customer feedback, measurement and
analysis.
b) The QMS Committee shall periodically conduct the activities below:
i. Review existing identified risk and ratings,
ii. Identify gaps in the risk identification process,
iii. Review newly identified risk, the rating and the effectiveness,
iv. Allocate risk mitigating actions,
v. Monitor the progress of all risk mitigating actions assigned,
vi. Review risk identification from submissions and provide
appropriate feedback,
vii. Report at least once a year to Top Management,
viii. Make recommendations for improvement to the Top
Management,
ix. Review training provisions.

c) The results of monitoring and review shall be recorded and reported as
appropriate and should also be used as an input to the review of the
risk management framework.

5.2.11 Communication and Consultation


a) Appropriate communication and consultation with internal and
external parties should occur at each stage of the risk
management process as well as on the process as a whole.
b) The process owner shall ensure that all Risks are responded to in
an appropriate time-frame with a completed assessment returned
to the person who highlighted the risk and relevant supervisor.

c) The QMS Team Leader shall then periodically report to the Top
Management the status of key risks, the success of control measures and
the outcomes of the review process.

5.3 Control Table

5.3.1 Table 1 – Likelihood Criteria

| Likelihood | Rating | Description |
|---|---|---|
| Almost certain | d | High likelihood of occurrence unless controlled |
| Likely | c | The risk is almost certain to occur within the next 12 months |
| Possible | b | Some likelihood of risk occurring unless controlled |
| Unlikely | a | Conceivable but low potential for occurrence |

5.3.2 Table 2 – Severity Criteria

| Impact | Rating | Description |
|---|---|---|
| Catastrophic | 4 | Critical financial loss, significant business interruption or major impact on company standing. |
| Major | 3 | Major financial loss, some business interruption and major impact on company standing. |
| Moderate | 2 | High financial loss, some disruption and modest impact on company standing. |
| Minor | 1 | Medium financial loss, minor business disruption and minor impact on company standing. |

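5.3.3 Table 3 – Risk Matrix (RR)

Rows: Likelihood (Frequency to occur). Columns: Severity (Consequences).

| Likelihood \ Severity | 1 | 2 | 3 | 4 |
|---|---|---|---|---|
| d | M | H | E | E |
| c | M | M | H | E |
| b | L | L | M | H |
| a | L | L | M | M |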

5.3.4 The scores obtained from the Risk Matrix are assigned grades
as follows:

| Level | Description |
|---|---|
| E - Extreme risk | Immediate action required, senior management involvement required and / or ED convened |
| H - High risk | Management responsibility should be specified and appropriate action taken |
| M - Moderate risk | Risk managed by routine procedures, close monitoring required |
| L - Low risk | Risk managed by routine procedures |

6. RECORDS

6.1 RISK PROFILE AND ACTION PLAN

- (KMU-EIS/IMS/Q/6.1/QMS/RAC/F01)

6.2 LIST OF INTERNAL & EXTERNAL ISSUES

- (KMU-EIS/IMS/Q/6.1/QMS/RAC/F02)

6.3 LIST OF INTERESTED PARTIES AND REQUIREMENT

- (KMU-EIS/IMS/Q/6.1/QMS/RAC/F03)
