Building an ISO 9001 Compliant Risk Management Tool Using?JIRA

JIRA standard software provides everything you need to build up a fully-fledged risk management tool

ISO 9001 used to be a static, heavy norm designed to produce folders full of paper processes that collected dust after the certification audit was over. Not so anymore. With its 2015 update, the ISO 9001:2015 norm became more actionable and practical, with more focus being put on living the processes in daily life rather than on completeness on paper.

With this update, ISO 9001:2015 has become more attractive for startups and SMEs, namely because more and more enterprise customers expect their suppliers to be ISO 9001 certified (read about my experience with procurement departments… I should maybe add their constant quest for ISO 9001 and ISO 27001 certifications to this article!).

As the Co-Founder & CEO of a software company, improved risk management was one of the key benefits of our ISO 9001 certification. We created an actionable process to lead our company through the present times of uncertainty.

Coping with risks in a world of uncertainty requires having people, processes, and tools that are up to this task. Having a military background myself, I am regularly hiring military guys, one of the reasons being that they are used to coping with a complex and ambiguous world. The processes for effective risk management come from a successful ISO 9001 certification, and the tools required for risk management will be covered in this article.

Spoiler: Don’t buy yet another?tool!

Here is the first thing that might jump to your mind when you think of risk management:

“Let’s buy that risk management tool I found when googling for ISO 9001 compliant risk management tool.”

After checking the prices of such tools on the internet, your second thought might be:

“Let’s just use Excel to create a risk matrix that will get us through the ISO 9001 audit”.

I wouldn’t advocate either of the above thoughts, but a solution that is dynamic, powerful, able to handle complexity, yet low-cost: JIRA. Most software companies use JIRA anyway, so the cost of fully-fledged risk management comes at a few hours invested in setting up a risk inventory in JIRA.

This article is intended to explain the exact steps we took to create a risk inventory using JIRA. Of course, you might want to customize the risk inventory for your specific business needs, but I hope our experience serves you as a useful blueprint.

Furthermore, I assume you have administrator privileges in your JIRA tenant, and am therefore not covering the required steps to get yourself administrator privileges.

Step-by-Step Setup?Guide

1. Set up a new JIRA?project

I would recommend setting up a new JIRA project for your risk management?—?in our company, we call it “risk inventory”, and we use the standard JIRA software project template.

2. Define JIRA statuses for your?risks

All your risks will be JIRA tickets. Since every JIRA ticket must have a status, you need to define the statuses you want to use to track your risks. In our company, we have chosen the following statuses:

• Backlog: mitigating the risk has not started yet
• In Progress: mitigating the risk is in progress
• Eliminated (External): the risk was mitigated externally
• Resolved (Internal): the risk was mitigated internally
• Accepted by Informed Decision: some risks cannot be mitigated, but need to be accepted

These statuses are configured in the Kanban Board Settings as displayed below.

3. Create a JIRA ticket for each?risk

Now it’s time to create a JIRA ticket for each risk in your company. We have created a new issue type “risks” and defined a few custom fields to gather information for each risk:

• Description: What’s the risk?
• Scenario: What could happen?
• Mitigation Measures: What can we do?
• Reason for Closure: What did we do that made us believe we have resolved or eliminated the risk?
• Risk Source: What was the occasion we discovered the risk?
• Risk Reporter: Who reported the risk?
• Risk Owner: Who is responsible for the risk mitigation?
• Risk Assignee: Who is working on the risk mitigation?
• Identification Date: When was the risk discovered?
• Due Date: When does the risk need to be resolved?
• Severity: We use a 4-category scale (“minor”, “moderate”, “significant”, “catastrophic”) and attach financial impacts to each category
• Probability: We use a 4-category scale (“rare?—?yearly”, “unlikely?—?quarterly”, “likely?—?monthly”, “very likely?—?weekly”)

While this might sound like too much information, collecting all those information helps you get an accurate picture of risks, and to generate meaningful dashboards instead of boring and useless lists.? Of course, depending on the nature of your business, the above custom fields might need customizing.

4. Create a JIRA epic for each risk?type

JIRA tickets belonging to the same topic can be grouped into epics. We have defined an epic for each risk type in the company, where we used and extended the PESTEL analysis framework as a basis:

• Political
• Economic
• Social
• Technological?—?IT Security
• Technological?—?IT Infrastructure
• Technological?—?Cloud Tools
• Environmental
• Legal
• Organizational?—?Incident Response
• Organizational?—?Processes
• Organizational?—?Staffing
• Organizational?—?Key Man
• Organizational?—?Leadership

Again, I wouldn’t recommend copying the above epics without customizing them for your organization!

5. Link risks and?epics

Now link each risk to an epic, and you will get your first overview of all the (reported) risks in your company by using JIRA’s roadmap feature. This is the view I use to prepare management board meetings, to get an overview of all the (reported) risks in the company, and the status of those risks.

Here is an excerpt of our risk roadmap:

We can see from the green bar that all (reported) process risks are mitigated, and from the blue bar that most of the staffing risks are in progress. Furthermore, there is quite a way to go in key man and leadership risks, as the grey bar indicates there are reported risks that nobody has worked on so far.

6. Create a dashboard

Most risk management systems use a risk matrix with lots of green, yellow, and red fields to determine the status of the risk. Here is the risk matrix we used before we set up our JIRA risk inventory:

Although such a representation is a standard, I don’t think it is useful because it is static and hence not actionable. This is why we created a JIRA dashboard with the most important metrics, whereas a click on each element allows us to drill down on the underlying risk tickets.

Our risk matrix looks much more boring than the colored risk assessment matrix, but it allows us to drill down and see the risks contained in each field:

Besides the risk matrix, our risk dashboard contains a few more elements that help me manage risks effectively.

The risk count shows how many open risks there are, and how many are being worked on. If I see that the backlog is growing and progress is dying, I can take action with my management team.

The unassigned risks report shows if any reported risks are unassigned. Our goal is to always assign all JIRA tickets to a person?—?because nobody will take ownership of an unassigned ticket. So therefore, to make things happen, assign all JIRA tickets to somebody in your organization. When the unassigned risks report looks like it does in the below screenshot, I’m happy. If it doesn’t, I am taking action by assigning all unassigned tickets to the right person.

Last but not least, we use a report showing the risks due in the next 4 weeks to make sure we are not missing important deadlines. It works like a task list but is generated and updated dynamically.

And that’s it. There is no more to do to produce an effective, dynamic, and actionable risk management system that is tailored to your organization!

Benefits

The complexity and ambiguity of today’s world do not provide room for static lists anymore. Creating dynamic dashboards helps you stay on top of things by refreshing information in real-time. Risks do change faster than one thinks, so the dynamics shouldn’t be underestimated.

JIRA is a great example of how static lists can be migrated to dynamic dashboards at a low cost?—?it is worth mentioning that all the steps explained above are covered by the standard JIRA functionality.

Last but not least, using a dynamic risk management system allows for a new management style. Risk management has become a central component of our management board meetings, and preparation takes a split-second thanks to the dynamic dashboards. And as the world is complex and ambiguous, we continuously work on improving and amending our risk management in an agile way?—?which is just as easy as setting up the risk management in JIRA in the first place.

Growing a company ?? in uncertain times ???? is like running a marathon?—?it demands grit, strategy, and resilience.

As a tech entrepreneur ??, active reserve officer ??, and father of three ??????, I share practical insights and experience on entrepreneurship and resilience in The Resilient Entrepreneur, my weekly newsletter.

When I’m not solving problems, I recharge and find inspiration in the breathtaking mountains ??? around Zermatt ????.

Subscribe to my newsletter The Resilient Entrepreneur for actionable insights?—?delivered every Friday afternoon!