Build an ISO 9001 risk management system using standard JIRA software. No extra tools needed, yet still fully compliant with ISO 9001.
ISO 9001 used to be a static, heavy norm designed to produce folders full of paper processes that collected dust after the certification audit. Not so anymore. With its 2015 update, the ISO 9001:2015 norm became more actionable and practical, with more focus on living the processes in daily life rather than on completeness on paper.
With this update, ISO 9001:2015 has become more attractive for startups and SMEs, namely because more and more enterprise customers expect their suppliers to be ISO 9001 certified.
As the Founder & CEO of Yonder, a B2B SaaS company, improved risk management was one of the key benefits of our ISO 9001 certification. We created an actionable process to lead our company through the present times of uncertainty.
Coping with risks in a world of uncertainty requires having people, processes, and tools that are up to this task. Having a military background myself, I am regularly hiring military guys, one of the reasons being that they are used to coping with a complex and ambiguous world. The processes for effective risk management come from a successful ISO 9001 certification, and the tools required for risk management will be covered in this article.
Spoiler: Don’t buy yet another tool!
Here is the first thing that might jump to your mind when you think of risk management:
“Let’s buy that risk management tool I found when googling for ISO 9001 compliant risk management tool.”
After checking the prices of such tools on the internet, your second thought might be:
“Let’s just use Excel to create a risk matrix that will get us through the ISO 9001 audit”.
I wouldn’t advocate either of the above, but rather a solution that is dynamic, powerful, able to handle complexity, yet low-cost: JIRA. Most software companies use JIRA anyway, so the cost of fully-fledged risk management comes down to a few hours invested in setting up a risk inventory in JIRA.
This article is intended to explain the exact steps we took to create a risk inventory using JIRA. Of course, you might want to customize the risk inventory for your specific business needs, but I hope our experience serves you as a useful blueprint.
Furthermore, I assume you have administrator privileges in your JIRA tenant, and therefore do not cover the steps required to obtain them.
Step-by-Step Setup Guide
1. Set up a new JIRA project
I would recommend setting up a new JIRA project for your risk management — in our company, we call it “risk inventory”, and we use the standard JIRA software project template.
2. Define JIRA statuses for your risks
All your risks will be JIRA tickets. Since every JIRA ticket must have a status, you need to define the statuses you want to use to track your risks. In our company, we have chosen the following statuses:
- Backlog: mitigating the risk has not started yet
- In Progress: mitigating the risk is in progress
- Eliminated (External): the risk was mitigated externally
- Resolved (Internal): the risk was mitigated internally
- Accepted by Informed Decision: some risks cannot be mitigated, but need to be accepted
These statuses are configured in the Kanban Board Settings as displayed below.

3. Create a JIRA ticket for each risk
Now it’s time to create a JIRA ticket for each risk in your company. We have created a new issue type “risks” and defined a few custom fields to gather information for each risk:
- Description: What’s the risk?
- Scenario: What could happen?
- Mitigation Measures: What can we do?
- Reason for Closure: What did we do that made us believe we have resolved or eliminated the risk?
- Risk Source: What was the occasion we discovered the risk?
- Risk Reporter: Who reported the risk?
- Risk Owner: Who is responsible for the risk mitigation?
- Risk Assignee: Who is working on the risk mitigation?
- Identification Date: When was the risk discovered?
- Due Date: When does the risk need to be resolved?
- Severity: We use a 4-category scale (“minor”, “moderate”, “significant”, “catastrophic”) and attach financial impacts to each category
- Probability: We use a 4-category scale (“rare — yearly”, “unlikely — quarterly”, “likely — monthly”, “very likely — weekly”)
While this might sound like too much information, collecting all of it helps you get an accurate picture of your risks and generate meaningful dashboards instead of boring and useless lists.
Of course, depending on the nature of your business, the above custom fields might need customizing.
4. Create a JIRA epic for each risk type
JIRA tickets belonging to the same topic can be grouped into epics. We have defined an epic for each risk type in the company, where we used and extended the PESTEL analysis framework as a basis:
- Political
- Economic
- Social
- Technological — IT Security
- Technological — IT Infrastructure
- Technological — Cloud Tools
- Environmental
- Legal
- Organizational — Incident Response
- Organizational — Processes
- Organizational — Staffing
- Organizational — Key Man
- Organizational — Leadership
Again, I wouldn’t recommend copying the above epics without customizing them for your organization!
5. Link risks and epics
Now link each risk to an epic, and you will get your first overview of all the (reported) risks in your company by using JIRA’s roadmap feature. This is the view I use to prepare management board meetings, because it shows all the (reported) risks in the company together with their status.
Here is an excerpt of our risk roadmap:

The green bar shows that all (reported) process risks are mitigated, and the blue bar shows that most of the staffing risks are in progress. Furthermore, there is quite a way to go in key man and leadership risks, as the grey bar indicates there are reported risks that nobody has worked on so far.
6. Create a dashboard
Most risk management systems use a risk matrix with lots of green, yellow, and red fields to determine the status of the risk. Here is the risk matrix we used before we set up our JIRA risk inventory:

Although such a representation is a standard, I don’t think it is useful, because it is static and hence not actionable. This is why we created a JIRA dashboard with the most important metrics, where a click on each element lets us drill down into the underlying risk tickets.
Our risk matrix looks much more boring than the colored risk assessment matrix, but it allows us to drill down and see the risks contained in each field:

Besides the risk matrix, our risk dashboard contains a few more elements that help me manage risks effectively.
The risk count shows how many open risks there are, and how many are being worked on. If I see that the backlog is growing and progress is dying, I can take action with my management team.

The unassigned risks report shows whether any reported risks are unassigned. Our goal is to always assign every JIRA ticket to a person, because nobody will take ownership of an unassigned ticket. So, to make things happen, assign every JIRA ticket to somebody in your organization.
When the unassigned risks report looks like it does in the screenshot below, I’m happy. If it doesn’t, I take action by assigning all unassigned tickets to the right person.

Last but not least, we use a report showing the risks due in the next 4 weeks to make sure we are not missing important deadlines. It works like a task list but is generated and updated dynamically.

And that’s it. There is no more to do to produce an effective, dynamic, and actionable risk management system that is tailored to your organization!
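To make the dashboard logic concrete, here is an added example (not the author’s code and nothing JIRA ships) that computes the same views from ticket data: the severity-by-probability matrix, the unassigned-risks report, the due-in-4-weeks list and the per-epic roadmap bars. It assumes the risk tickets have been exported from JIRA into plain dicts carrying the custom fields and statuses defined above; the tickets, people and dates are constructed.

```python
from collections import Counter
from datetime import date, timedelta

# Statuses and scales exactly as defined in the risk inventory above.
OPEN_STATUSES = {"Backlog", "In Progress"}
ROADMAP_BUCKET = {"Backlog": "backlog", "In Progress": "in progress"}  # any other status: closed
SEVERITY = ["minor", "moderate", "significant", "catastrophic"]
PROBABILITY = ["rare", "unlikely", "likely", "very likely"]
TODAY = date(2024, 6, 1)  # constructed reference date so the report is reproducible

# Constructed sample tickets (not real Yonder data); keys mirror the custom fields above.
RISKS = [
    {"key": "RISK-1", "epic": "Technological - IT Security", "status": "In Progress",
     "severity": "catastrophic", "probability": "unlikely", "assignee": "alice", "due": date(2024, 6, 10)},
    {"key": "RISK-2", "epic": "Organizational - Key Man", "status": "Backlog",
     "severity": "significant", "probability": "likely", "assignee": None, "due": date(2024, 7, 15)},
    {"key": "RISK-3", "epic": "Organizational - Processes", "status": "Resolved (Internal)",
     "severity": "moderate", "probability": "rare", "assignee": "bob", "due": date(2024, 5, 1)},
    {"key": "RISK-4", "epic": "Organizational - Leadership", "status": "Backlog",
     "severity": "moderate", "probability": "rare", "assignee": None, "due": None},
    {"key": "RISK-5", "epic": "Technological - IT Security", "status": "Accepted by Informed Decision",
     "severity": "minor", "probability": "very likely", "assignee": "carol", "due": None},
    {"key": "RISK-6", "epic": "Organizational - Staffing", "status": "In Progress",
     "severity": "significant", "probability": "likely", "assignee": "dave", "due": date(2024, 6, 20)},
]

def risk_matrix(risks):
    """Open risks per (severity, probability) cell; rows follow SEVERITY, columns PROBABILITY."""
    cells = Counter((r["severity"], r["probability"]) for r in risks if r["status"] in OPEN_STATUSES)
    return [[cells[(s, p)] for p in PROBABILITY] for s in SEVERITY]

def unassigned(risks):
    """The unassigned-risks report: open tickets nobody owns (the goal is an empty list)."""
    return [r["key"] for r in risks if r["status"] in OPEN_STATUSES and not r["assignee"]]

def due_soon(risks, today, weeks=4):
    """Open risks due within the next `weeks` weeks; tickets without a due date are skipped."""
    horizon = today + timedelta(weeks=weeks)
    return sorted(r["key"] for r in risks
                  if r["status"] in OPEN_STATUSES and r["due"] and today <= r["due"] <= horizon)

def roadmap(risks):
    """Per epic: backlog / in progress / closed counts, i.e. the grey, blue and green bars."""
    bars = {}
    for r in risks:
        bars.setdefault(r["epic"], Counter())[ROADMAP_BUCKET.get(r["status"], "closed")] += 1
    return bars

if __name__ == "__main__":
    print(risk_matrix(RISKS), unassigned(RISKS), due_soon(RISKS, TODAY), roadmap(RISKS), sep="\n")
```

In JIRA itself each of these views is a filter gadget on the dashboard; running the same logic over an export is a quick way to check that your statuses and scales partition the risks the way you expect before building the gadgets.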
Benefits
The complexity and ambiguity of today’s world do not provide room for static lists anymore. Creating dynamic dashboards helps you stay on top of things by refreshing information in real time. Risks do change faster than one thinks, so the dynamics shouldn’t be underestimated.
JIRA is a great example of how static lists can be migrated to dynamic dashboards at a low cost — it is worth mentioning that all the steps explained above are covered by the standard JIRA functionality.
Last but not least, using a dynamic risk management system allows for a new management style. Risk management has become a central component of our management board meetings, and preparation takes a split-second thanks to the dynamic dashboards. And as the world is complex and ambiguous, we continuously work on improving and amending our risk management in an agile way — which is just as easy as setting up the risk management in JIRA in the first place.