Risks come in two varieties – threat and opportunity

ISO 41001 Facility Management Systems

A risk is an event that might or might not occur. If it has occurred or will occur, it is not a risk but an issue to be dealt with as a part of day-to-day facility management. There are two kinds of risk: downside risks, commonly referred to as threats, and upside risks, which are opportunities. So how does this square with ISO 41001 and its emphasis on risk?

For now, and in line with earlier management system standards such as ISO 9001 (quality management) and ISO 14001 (environmental management), requirements have referred to risks and opportunities. The publication of ISO 31000 Risk Management in early 2018 made a clear distinction between downside and upside risks – threats and opportunities – as well as various risk treatments. It is just a pity that it was too late to influence the text of many management system standards including ISO 41001.

The trouble with referring to risks and opportunities is it implies that risks are negative. A risk can have an upside or a downside: it does not have to be negative. A risk event has a cause and there is a consequence or effect if it occurs. We might speculate on the likelihood (or probability) of the risk occurring and, if it did, what its impact would be. In many businesses where risk management is a key function, any risk event attracting a likelihood of 50% or more would be taken on as an issue. You do not wait to see if it might or might not happen and then find that you are unprepared for the consequences.

You might be wondering how this affects ISO 41001 and your Facility Management System. The requirements in ISO 41001 refer to risks and opportunities and the actions to address them. Strangely, the wording includes the need to “prevent, or reduce, undesired effects”. Nowhere does it use words such as exploit or enhance, for example, which is what you would want to do if an upside risk presented itself. Your Facility Management Manual includes expected practices and a procedure to help you deal with risks and issues separately. In the case of risks, a distinction has be drawn between threats and opportunities. A risk register is provided to help you monitor risks – good as well as bad.