The risk mentality in organizations: an analysis of inserting risk management in ISO 9001 and ISO 14001: 2015 standards

Abstract: Risk management is related to both the external and the internal environments of organizations. Thus, the risk mentality enables the identification and minimization of negative effects, maximizing the opportunities and potential of the business. The aim of this paper is to identify how the insertion of risk management requirements in the ISO 9001 and ISO 14001 standards may contribute to spreading the risk mentality in organizations. We interviewed 11 auditors and consultants, with experience and training in the area, who were working in certified companies in the Brazilian state of Espírito Santo. To analyze the data, the technique of content analysis was used to identify thematic categories and to relate the data to the literature. The results indicate that the certified companies have undergone a process of incorporation of risk management requirements that can be catalyzed by environmental aspects: size and nature of the company, barriers to risk management, professionalization and standardization of processes and client influence. We conclude that for companies with more complex structure, dynamic and more subject to ruptures, the integration of risk management in the business strategy represented a value, and for smaller companies in stable markets represents a cost to meet the requirements of the standard.


Introduction
Tough competition and the turbulent environment expose each organization to unexpected situations that can disrupt its operations (Annarelli & Nonino, 2016). Therefore, the understanding of how companies can manage interruptions in operations, developing capability (or operational capability) and becoming more prepared to face adversities is an important issue for both professionals and academics (Chung et al., 2015; Jüttner et al., 2003). Risk management is embedded in a systemic concept, related to the external and internal environment of organizations. From the point of view of the internal environment, risk management assumes a compliance perspective. In the view of the external environment, the risk is assumed from a performance perspective. Thus, the risk mentality enables an organization to identify the factors that could cause deviations in the processes and the quality management system, according to the planned results, allowing it to put into practice controls that can minimize the negative effects and maximize the business opportunities (ABNT, 2015b).
Although the literature points out that quality management and environmental management are closely linked to the risk management of an organization (Arenhart et al., 2013; Nabavi et al., 2014; Srinivasu et al., 2010), it is surprising that until 2015 the standards NBR ISO 9001 (Quality Management Systems - QMS) and ISO 14001 (Environmental Management Systems - EMS) did not have mandatory requirements for linking quality management to risk management actions. Based on this shortcoming, this study examines how the new revisions to the standards published in the second half of 2015 incorporate risk-minded requirements to reorient organizations into their business operations, how they perceive and integrate those requirements with company intelligence.
Many studies on the subject aim at improving methods of identification, evaluation, mitigation and implementation of risks (Jüttner et al., 2003; Hubbard, 2009; Fahimnia et al., 2015; Taroun, 2014). Although such research has relevance, it does not investigate organizational aspects that motivate the insertion of risk management by companies and how they perceive the importance to the organization, to the point of generating value and competitive advantage (Oehmen et al., 2009; Trkman et al., 2016). While managers need tools that quickly address the decision-making process, the literature focuses on the complexity of risk assessment and the inclusion of evidence-based and firm theoretical elements.
In a first step, a detailed verification of the changes of the standards proposed by the International Organization for Standardization (ISO) was done. Then, 11 interviews were conducted with auditors of the standard, consultants and auditors of certified companies, which operate with ISO 9001 and ISO 14001 standards. Thus, the research problem to be answered by this study is presented: How can the insertion of risk management requirements in the ISO 9001 and ISO 14001 standards, launched at the end of 2015, contribute to spread the risk mentality in organizations?
The work sought to evaluate the implications of this review, through the perception of the reviewers of the standard, consultants and auditors of certified companies, in order to understand how organizations have received and inserted the changes in strategy and its operations. The study is characterized as a qualitative research, collecting data through interviews and using content analysis to interpret the data. Thus, it has tried to identify gaps in the literature that deserve to be explored (Alvesson & Sandberg, 2011), among them the recent updating of standards and the need to explain how they are prepared to deal with these issues, which justifies the need to develop the topic of risk management. We chose the theoretical seam between contingency theory and resource dependence theory because we understand that they are complementary approaches that can offer an advance on the researched subject. The relationship between size and organizational structure was explained by contingency theory, in which the organizational structure varies according to the organization's strategy and its size (Donaldson, 1999). This theory evidences that the external environment establishes different requirements to the organization that by itself did influence the organizational structure. Theories of resource dependence argue that organizations are in a relationship of interdependence with the environment, so organizations change their structures and behaviors to acquire and maintain the resources needed (Pfeffer & Salancik, 1978).
In addition, the study seeks to provide greater understanding of the different perceptions of companies about the risks of the business and how to develop strategies to prepare for them. Therefore, the study aimed to understand how the new revisions made to NBR ISO 9001 and NBR ISO 14001 incorporated the requirements of the risk mentality and whether these updates collaborated to reorient organizations, as well as whether they all received the same updates or whether there are differences in adoption.
Among the research findings, we emphasize that larger organizations, with greater normative requirements and exposed to greater vulnerability, are more clearly concerned with risk management, while smaller companies, belonging to more stable segments, procrastinate in inserting the management of risks as practice within the organization. Another relevant point identified was the influence of the client, that can promote the anticipated or late insertion of the risk management requirements when demanding or not the standards.

ISO 9001 and ISO 14001
The International Organization for Standardization (ISO) originated in 1946, has its headquarters in Geneva, Switzerland, and develops international standards with the objective of inserting good practices in the organizations, making them more efficient and effective (ABNT, 2015a). The initials ISO refer to the Greek term isos, whose meaning is "equal", and demonstrate the unifying character of the entity. The Organization has elaborated several standards, among which stand out the ISO 9001 and the ISO 14001. The ISO 9001 standard was created in 1987 to standardize quality control standards in industries and its updates promoted changes focused on process control, customer satisfaction, continuous improvement through risk prevention and quality management. On the other hand, ISO 14001 arose from concern for environmental issues motivated by the scientific community and the Stockholm Conference in 1972, which increased the pressure for the adoption of management systems that take into consideration environmental aspects. The revisions of ISO 9001 and 14001 mainly occur because they are non-technical standards that cover management issues and can be applied in any type of organization.
Regarding the focus of this research, it was observed that the only reference the previous version of ISO 9001 (ABNT, 2015b) had about the risk was in the introductory part, which mentioned (emphasis added): The adoption of a quality management system should be a strategic decision of an organization. The design and implementation of an organization's quality management system are influenced by: a) its organizational environment, changes in this environment and the risks associated with this environment (ABNT, 2015b, p. vi).
The ISO 14001 standard (ABNT, 2015c) describes only that the standard [...] does not include specific requirements of other management systems, such as those for quality, occupational health and safety, finance or risk management, although their elements can be aligned or integrated with those of other management systems (ABNT, 2015c, p. iv).
It is noted that, although risk management was mentioned, it was not required in the implementation and maintenance of the certification of QMS's and EMS's. This fact has therefore been an important motivator for the revision of ISO 9001: 2015 and ISO 14001: 2015 standards.

Risk management
Competition, the turbulent environment and market uncertainties expose each company to unexpected situations that may disrupt its operations (Annarelli & Nonino, 2016). Thus, the understanding of how companies can manage interruptions, risks and uncertainties, becoming more prepared to face adversities, is a topic that has been gaining attention in operations management surveys (Chung et al., 2015; Jüttner et al., 2003; Trkman et al., 2016). Risk is expressed in terms of a combination of the consequences of an event and the associated probability of occurrence of that event, that can be considered as uncertainty about the severity of the consequences of an activity or the two-dimensional combination of consequences and uncertainties (Aven, 2012). These consequences may be more or less serious, depending on the relationship between expected values, objectives or other references. ABNT (2015b, p. 4) defines risk management as the structured mapping of risks inherent to the business, containing four elements: sources, events, causes and consequences.
In risk management, in addition to the need to adapt and influence the internal and external context, the actions of those involved influence the other. Thus, the decisions taken influence the future through learning, which can generate the need to develop new skills, characterizing a complex system where organizations need to adapt to overcome difficulties (Teece & Pisano, 1994). Cost pressure influences collaboration between firms to increase competitiveness, requiring an analytical approach to manage information and risk, and decisions to avoid, mitigate, or address them.
Supply Chain Risk Management (SCRM) involves the identification, assessment and control of internal/external risks that can affect chain performance through the coordinated and economical application of resources to minimize, monitor and control the likelihood or impact of events that may interfere in the chain as a whole (Hubbard, 2009; Jüttner et al., 2003). There are risks that can be prevented and others that must be mitigated to avoid major consequences. It should be noted that internal risks are more likely to occur, while external ones have a greater impact on the chain, since they are usually associated with events with serious consequences (Thun & Hoenig, 2011).
In this context, the supply chain risk management has been considered a critical issue for organizations, due to globalization, outsourcing, resource sharing, the need for more agile operations and the increase of terrorist threats that have contributed to the importance of SCRM (Trkman et al., 2016; Chung et al., 2015). Although organizations can adopt risk management procedures (identification, assessment, mitigation and control), and develop management skills, the ideal is to improve both.

Contingency theory
Contingency theory has emerged as an attempt to explain that there is no ideal model of structure that can be used by all organizations, contrary to the classic school of management, which emphasizes that there is a unique type of structure that could be deployed by any company, of any segment or size (Donaldson, 1999). Therefore, Woodward (1965), Burns & Stalker (1961) and Lawrence & Lorsch (1967) were the forerunners of contingency theory, demonstrating that organizational performance was affected by organizational structure, technology, and the external environment.
The relationship between size and organizational structure is explained by contingency theory and, according to theory, there is no single organizational structure model for all types of organization, but variations according to the organization's strategy and size. That is, a small organization will have a more centralized structure, while larger organizations, with greater complexity, will have more hierarchical levels and a more decentralized structure (Donaldson, 1999). Morgan (1996) characterized the contingency theory as the adaptation of the organization to the environment, evidencing that the external environment establishes different requirements to the organization that in turn influence the organizational structure. The studies of Woodward (1965) showed that there is evidence that technology played a role as important as process structure. In these studies, the output of firms differed according to the activity and the way in which they had driven growth. Where production grew in the form of large lots, the organization was more formalized and had standardized production.

Resource dependence theory
The theory of resource dependence has as its basic premise that decisions are made within organizations. Its focus is on the external environment and argues that organizations live a relationship of interdependence with the environment. For resource dependency theory, there is an organizational need to adapt to environmental needs by managing and controlling the flow of resources (Pfeffer & Salancik, 1978). Thus, it is assumed that certain changes in the environment occur in part by the determination of the managers of the organization, when they reconcile environmental aspects with the specific interests of their organizations (Aldrich & Pfeffer, 1976). To obtain external resources that cannot be generated internally, organizations must engage in exchange relationships with other organizations in the environment, that is, organizations change their structures and behaviors to acquire and maintain the necessary resources. They strive to form mutually beneficial coalitions and capture resources that enable them to achieve satisfactory performance.
Another aspect of this perspective is that organizations try to relate to the environment and, whenever possible, try to manipulate the environment for their own benefit. A key element from the Resource Dependency perspective is the strategic choice (Chandler, 1962). In this perspective, Child (1972) notes that there are three ways in which strategic choices operate in relation to the environment. The first is based on the autonomy of the decision maker. The second is how strategic choices interact with the environment, when, for example, there is an intention to manipulate the environment or when organizations try to create demand for their products. The third way is based on how environmental conditions are perceived and evaluated differently by different people. Based on these perceptions, interpretations and evaluations it is possible to understand how the different organizations act in different ways against the same conditions.
In summary, resource dependence interprets the environment as a system of individuals and organizations that form an interrelated network. The environment influences organizational structure and individual behavior, while organizational behavior receives influences from internal factors (leadership, organizational culture, social interactions) and external factors. Each type of resource that the organization needs has a bearing, influencing the elaboration of the strategies and the way it deals with the dependence of these resources.

Type of research
Based on Vergara's (2009) classification, this research has a descriptive nature. Regarding the approach, this study is of a qualitative nature, being a documentary analysis, carried out in the updating of the NBR ISO 9001 and 14001: 2015 standards and semi-structured interviews with specialists who act as auditors, auditors or consultants of said standards. The perception of the auditors and consultants was chosen as a basis for analyzing the data because they experienced the changes in the organizations in which they operate and for having a comprehensive view regarding the phenomenon, size and type of organization where risk management was or not implanted.
The study, therefore, aims to analyze how the risk management requirements, inserted in ISO 9001 and ISO 14001 through the last update in 2015, have contributed to the construction of a risk mentality, that is, a more professional vision, based on the formalization, mapping and control of the risks inherent to the processes of each organization. To relate the size of the company with aspects of standardization, formalization and centralization of decision processes, the contingency theory (Donaldson, 1999) and, in a complementary way, the theory of resource dependence (Pfeffer & Salancik, 1978) were used to analyze how environmental norms influence organizations. In order to represent the method of this approach, we have chosen to combine the steps presented by Glaser & Strauss (2006) and Corbin & Strauss (1990): data collection, coding procedures or data analysis; open coding, axial coding or concept formation and development, and selective coding or modification and integration of the concept.

Data collection
The semi-structured interviews comprised questions presented in Appendix A and were applied to the participants from September to October 2016. The questionnaire involved 10 questions about three moments of insertion of risk management requirements: before the implantation, during and afterwards as imagined that risk management will be dealt with by companies in the future. Eleven auditors and consultants were interviewed, selected by the following criteria: experience (minimum of 5 years), training in the area of study (senior level with a leading auditor training in at least one of the standards in question) and performance in companies certified in the state of Espírito Santo. The professionals interviewed are associated with the Federation of Industry of Espírito Santo (FINDES), ABNT/CB-25 (Brazilian Quality Committee) and ABNT/CB-38 (Brazilian Committee for Environmental Management), both from the Brazilian Association of Technical Standards (ABNT).
The literature indicates that the number of participants can be from 10 to 15 if the group is homogeneous (Richardson, 1989). Therefore, in order to meet the proposed criteria, 11 interviews were carried out, being 4 auditors of ISO 9001, 1 consultant of ISO 9001, 1 auditor of ISO 14001, 1 who are both auditors and consultants of ISO 9001 (quality management) and 4 who are auditors and consultants of ISO 9001/14001 (environmental management). The interviews were conducted in person, through Skype and e-mail, and lasted from 20 minutes to 40 minutes, following the recommendations of Spradley (1979), that is, informing the objectives of the research, contextualizing on the subject and starting from semi-structured questions to introduce new questions, as the interview went through. In this way, it was possible to aggregate a large volume of information, perceptions and experiences of these professionals.
As for the experience, the interviewees have between 9 and 26 years of experience in their area of activity. Therefore, they are professionals with considerable experience and have followed the updates, in some cases collaborating to update the Brazilian version and the understandings regarding ISO 9001 and ISO 14001. In addition, they operate in different production segments, mainly in the mining, metallurgy and forestry, in large, medium and small companies, whether manufacturing or providing services.
The Table 1

Data analysis
In order to analyze the data collected through the interviews with specialists in the ISO 9001 and 14001 standards, the content analysis technique was used to identify thematic categories and to relate the data to the existing literature, problematizing aspects related to risk management and construction of risk-taking in Brazilian companies through the insertion of new risk management.
The interviews were initially analyzed by means of a previous reading, in which the concepts and words repeated or similar that were relevant to explain the insertion of the risk management by the organizations were followed, following the recommendation of Corbin & Strauss (1990). According to these authors, coding or analysis is the procedure by which data are divided, conceptualized and related. The whole analytic process has four objectives: to build the theory, to give the scientific process the necessary methodological rigor, to help the researcher detect the biases, to develop the foundation, the density, the sensitivity and the integration necessary to generate a theory.
From there, labels were established based on the literature on risk management and on contingency theories (Donaldson, 1999) and dependence on resources (Pfeffer & Salancik, 1978) which will be used to analyze the research data, relating to the categories identified through the data processing, following the steps mentioned by Ryan & Bernard (2003). By the nature of the data, semi-structured interviews recorded and transcribed, we opted for processing through the open, axial and selective coding types. The text clippings were classified into conceptual labels for later relationship with conceptual aspects of the literature.
From a preliminary reading, we identified areas that were relevant to explain the perception of certified companies regarding risk management and how they wanted to insert those requirements into the organization. Thereafter, a second reading was carried out with the objective of labeling these passages in concepts related directly or indirectly to risk management. Thus, throughout the 11 interviews, 25 conceptual labels were identified, related to organizational aspects such as formalization of processes, mapping of risks, concern with standardization of processes, visible pressures of the norm and of clients, concern with process adaptation, challenges for the implementation of risk management, performance and size of companies. The labels of all the interviews were grouped according to the repetition and relationship between them to create broader concepts that could explain the identified aspects. The next step was the creation of thematic categories from the analysis of the labels and the relationship with more comprehensive concepts. In this way, the open coding was performed, identifying six aspects: (1) size of the company, (2) barriers to risk management, (3) formalization of processes, (4) process improvement and security, (5) influence of the institutional client and (6) organizational culture.
After the open coding, axial coding was performed. This technique, according to Glaser & Strauss (2006), is the means that assists the researcher to perform the integration of the categories, reducing the data and making connections between the thematic categories found through data analysis and literature (Table 2). Four categories were identified and each subdivided into two subcategories according to the relation established between them: (1) Company size and branch, related to two subcategories, large companies, and medium and small companies; (2) Barriers to risk management, subdivided in lack of a systemic view and vision based on cost; (3) Professionalization and formalization of processes, subdivided into formalization and standardization and process safety; (4) Influence of the institutional client that, through the pressure of the standard and the pressure of the clients, stimulates the adaptation of the organizational structure.

| Categories | Perception of value | Cost perception |
| Size and nature of the company | Large companies subject to vulnerability already develop risk mapping and control tools, perceived as a critical factor to the business. | They emphasize only the cost to tailor processes and operations to the requirements for risk management. |
| Barriers to risk management | Benefits greater than costs with the implementation and monitoring of risk management. | Tendency to visualize the costs as superior to the benefits generated by the implementation of controls, standardization and formalization of processes. |
| Professionalization and standardization of processes | Greater standardization and formalization of processes, resulting in greater knowledge about the risks of the business. | Low standardization and formalization of processes, resulting in unawareness of the risks inherent in the business. |
| Influence of the institutional client | Adoption of risk management to make processes safer, increase product quality, reduce waste and keep customer. | Adequacy only on paper, without major structural changes. Just to meet the standard and certification. |

Source: The authors.

The next step of analysis was the selective coding, which emerges at the end of the analysis and forms the pivot or the main theme around the conceptual aspects found. The causal conditions, the context, the intervening conditions, the strategies and consequences form the theoretical relations by which the categories are interrelated, establishing some relation to explain the phenomenon researched (Corbin & Strauss, 1990). Thus, the four categories identified in the axial coding were maintained, and the category construction of the perception of value by the management demonstrated a relationship with the other categories, establishing the role of central category in the relationship, since it was identified as influencing the insertion of requirements for risk management.

Discussion and analysis of results
In the analysis of the interview results, we sought to relate the categories identified in the content analysis with aspects that influence the insertion of risk management in certified companies. For that, the theory of contingency was considered (Donaldson, 1999) as a theoretical lens to explain organizational behavior through organizational structures, differentiating large, medium and small companies and establishing a relationship between the branch of activity and the need for process control. In a complementary way, the resource dependency theory (Aldrich & Pfeffer, 1976; Pfeffer & Salancik, 1978) was used to explain how organizations adapt their structures to access important resources such as customers, markets, and credibility.

Size and branch of company activity
The size and branch of the company, considered as the size of the certified companies, is based on the organizational structure, level of centralization of decisions and complexity of the organization. Thus, larger and more risky companies, whether environmental, process or accident related, according to the nature of the activity performed, were more concerned about knowing the risks, developing ways to mitigate and prevent the occurrence of potential ruptures in processes that can cause harm and interfere in the entire production chain (Jüttner et al., 2003). As can be identified from the following report, risks in larger companies are better known: In the large company the risk management was approached in light of the ISO 31.000 standard. The maintenance of risk management was developed at all hierarchical levels, being constantly analyzed in periodic meetings of critical analysis (strategic, tactical, operational risks, control measures, indicators, audits, etc.) [...] already developed risk management (E5).
In medium and small companies that operate in more stable markets, the formal concern with risk management was not addressed or was not identified, as a formalized concern compared to larger companies and more exposed to risks. As the number of processes increases, it becomes more difficult to control centrally, evidencing the need to decentralize decisions, which increases the complexity of the business and insertion of risk control tools, corroborating with the contingency theory (Donaldson, 1999). In addition, small businesses do not have an integrated view of the processes and therefore are not yet ready to apply the risk management requirements.
In small and medium-sized companies, risk management was not addressed by companies [...] are not prepared for this change [...] In the first moment, they will basically develop the items requested only for compliance with the audits / certifications. [...] will need to develop in a more structured way the company's strategies, as well as its operations (E5).
Such evidence is in line with the contingency theory, which argues that there is a difference between large, medium and small companies in adopting risk management requirements. Such differences are related to the organizational structure (Donaldson, 1999), leading to the realization that large companies perceived more clearly the benefits of developing risk management than implementation costs. The contingency theory argues that there is no single organizational structure capable of functioning indistinctly in any and every organization (Donaldson, 1999) and that the best way to manage it depends on the type of task and the environment where it is operating.
The research has shown that large companies, in areas of activity that require greater process control, already develop business risk mapping and control tools, as they identify as a critical factor of the organization the need to map processes to identify and treat risks, controlling the likelihood or impact of undesirable events in the chain (Hubbard, 2009; Jüttner et al., 2003; Thun & Hoenig, 2011), while smaller organizations of nature where risk management is not absolutely necessary perceive the updating of standards as a cost to the company, which results in reluctance to adopt criteria for formalization and development of a mentality directed to the management of business risks.

Barriers to risk management
There are numerous challenges for the implementation of risk management requirements and the creation of a risk mentality in certified organizations, among them the lack of a systemic view that makes it difficult to perceive the organization in an integrated way and the risks that involve more than one department or process. Certified companies postpone the necessary adaptations to meet the standards updates, according to the costs involved, lack of a strategic vision, and to understand that the requirements do not add value to the business, being an additional "bureaucracy" inherent in the standards. When interpreting risk management as cost, companies have difficulty inserting the requirements, as follows: [...] risk management is only part of the day-to-day operations of organizations [...] when the organization does not perceive these requirements as cost but as value for organization, something that will add to the product or process and not just as an amount that must be paid to be certified (E3).
This perception based on cost rather than value makes it difficult to develop a proactive approach to risk management, which allows for anticipation of disruptions, avoiding interruptions in processes and not just correcting failures after failures have already occurred, causing any interference or failure in the production or performance of the services. Thus, this perception hinders a proactive behavior to anticipate the risks (Jüttner et al., 2003). Therefore, organizations are waiting for the mandatory to implement the requirements of the standard, and should start the process in the coming years, as can be observed in the following report: The main challenges for implementing risk management are the resources to start implementing [...] understanding risk management as a management opportunity that can help companies grow and better understand their processes, avoiding accidents, waste and increasing productivity. The [...] challenge is to make risk management a value of the company [...] part of the organizational culture (E9).
The difficulty of aligning the strategic thinking of companies with that of their strategic partners in relation to risk management is another relevant factor that interferes with the implementation and control of risks. The risk mapping and control must be shared with the company's employees, because in a supply chain all are interdependent. According to the following report, among the challenges to risk management is the "[…] difficulty of maintaining the standard when service providers change" (E1). Thus, most certified companies have difficulty strategically perceiving the benefits of implementing risk management within processes, so as to make it inherent to day-to-day operations and part of planning at the strategic, tactical and operational levels, raising and dealing with the risks, as can be perceived in the following section: [...] According to Guerra (2007), the proposal of Contingency Theory is that for each set of organizational and contingent factors there will also be an adequate accounting system that, if properly adjusted, will contribute to the performance of the company. Thus, it was found that a barrier to migration to the new standards lies in the perception of the updates of the norms as costs to adjust the processes and structure of the company.

Customer influence
Larger companies exert influence over the supplier by requiring a level of conformity and quality of purchased inputs. Although the standards update has a 3-year rule-making period (until 2018), companies must begin the adaptation process in the coming years, pressured by the new requirements of the standards and by customer demand for safer processes. This influence can stimulate a critical vendor to adopt a certain level of formalization of processes that meets the requirements of that company, through the pressure of a certification of a specific level of quality.
We do everything the norm says, because if a mill breaks, one hour represents millions and millions of dollars. So, because we are exclusive suppliers of inputs to some customers, if we do not manage risk of the production process we can generate a huge problem for the customer, and can even 'break' the customer (E3).
The mandatory nature of the requirements is a factor that will allow the insertion and formalization of risk management; however, it is not the only factor that will influence its insertion as part of the "culture" of the company. The requirement of clients, which in this case are other companies, seems to have an influence in inserting the risk mentality and making these requirements part of the organizational "culture", as can be observed in the following report: "Some companies are adequate to the requirements of risk management, mainly due to the requirement of its customers" (E11). Depending on the complexity of the processes and the type of company it serves, a supplier may be required to meet certain criteria. The pressure of the clients forces the adaptation of the organizational structure and the adequacy of the processes (Pfeffer & Salancik, 1978), especially when the supplier is crucial to the client's business because it represents a valuable resource that needs to be managed for business success.
Risk management requirements have always been present in the company because it is a supplier of steel for the automotive sector and this requires that it be certified [...] with this certification the company can obtain a license to negotiate internationally and expand its business, besides reducing waste; thus it represents a mandatory rule, since without it the company does not serve its main customers (E3).
Thus, depending on top management's understanding of the importance of mapping and controlling the risks, as well as on the pressure of the standard and of strategic clients, the processes can be remodeled. That is, depending on the environmental contingencies, the company will adopt a more proactive or reactive stance regarding the insertion of risk management into operational processes and company planning. If risk management is perceived as an investment, it will be easier to insert the requirements into the daily business, and then to improve the company's products and processes and gain advantages (Chandler, 1962).
It is observed that the requirement of the norm obliges companies to adopt, at first, greater formalization of the processes and control of the risks, but, as defended by resource dependence theory (Pfeffer & Salancik, 1978), the most important stakeholders are the customers, who exert influence by demanding that the company fulfill certain quality requirements of the product or service. Large companies, especially those that are suppliers of other companies, have already adhered for some time, due to their clients' demands and because they understand that these are contingencies that can favor the maintenance of the structure and the obtainment of resources that would not be possible without these guarantees. This is the case, for example, of the automotive sector, which requires a high level of conformity of parts supplied by steel companies and finishes, due to the need for safety of the final product.

Professionalization and standardization of processes
With regard to benefits, the concern with risk management, as well as the use of specific tools to identify, analyze and control the inherent risks of each business, can bring advantages such as less impact on the processes in cases of ruptures and mitigation of losses. These advantages can be obtained through the standardization and formalization of the processes; however, this concern is not present in most companies, especially in micro and small companies. Therefore, the insertion of risk management has made it mandatory to formalize processes and consequently the inherent risks of companies, as may be observed in the following report:
The reviews were valid because they enable a systemic analysis of the business, leading companies to study their risks and control measures, not just their processes. In addition to this sustainability assessment, the issue of leadership engagement reinforces the 'responsibility' of everyone to know the business / department / processes / etc. with propriety, in all instances (E5).
Thus, the updates in the norms have brought a new requirement that can contribute to the formalization of the processes. Although companies are unfamiliar with this new perspective, because it represents a new requirement that demands adjustments and investment, the insertion will depend on how the company's management understands the importance of professionalizing the processes and the company. These adaptations make companies more prepared to face adversities (Chung et al., 2015; Jüttner et al., 2003), as can be seen in the following report:
[...] mapping the processes, detailing each one of them, inserting quality indicators and objectives to understand what is expected of the process [...] helps to identify the risks and opportunities [...] 'when a company has everything formalized it is easy to defend itself against risks, and to make the rules clearer for those who execute the actions' (E9).
Another advantage in relation to the new requirements for risk management is the greater process safety, which is related to less rework, reduction of waste and better quality in the final product, besides allowing greater preparation to deal with situations of uncertainty and ruptures. By applying resources to minimize, monitor and control the likelihood of disruptions, the company makes its processes more secure (Hubbard, 2009).
When standards are compulsorily charged, organizations will have to meet the requirements [...] when the risks are known, it is possible to decide between the urgent, the less urgent and the non-essential, and thus to draw up measures to ensure the continuity of the processes [...] in addition to mapping the risks, [...] they must update and monitor the risks related to their processes and everything that may interfere with them (E9).
It was identified that, for the organizations that inserted risk management, the formalization, standardization and control of the risks resulted in greater security and less rework. On the other hand, organizations that perceived only the costs of risk management presented a reactive position regarding the mapping and control of risks. They ended up avoiding expenses, adjusting the processes only when the adjustments were mandatory. This finding was not supported by any of the theoretical contributions used to verify the factors that influence the insertion of risk management in certified companies. It was noticed that all aspects were related to the construction of the perception of value by management, showing that in structures that are more complex, more dynamic and more subject to ruptures, risk management represented a value, surpassing the vision centered only on cost. Risk management will only be part of management if it is perceived as value, allowing the delivery of better quality products.

Conclusion
In this research, we sought to understand the process of insertion of requirements for risk management by companies, considering a recent update in the ISO 9001 and ISO 14001 standards that makes these requirements a mandatory part of said standards. Based on contingency theory, which explains the differences in organizational structure, and on resource dependence theory, which investigates the strategic choices of organizations to obtain resources, the study sought to identify the main aspects that influence organizations and facilitate the insertion of requirements for risk management and the development of a risk mentality. Among the most relevant aspects that have arisen, the legal requirement of the norm obliges the adequacy of the processes. However, the customer's requirement is a factor that goes beyond the legal norm, because if the customer imposes conditions for the maintenance of the supplier, that supplier feels obligated to make the suggested adaptations to maintain its market and its customers.
The view based solely on cost may hinder the implementation of risk management or at least delay it, as some managers have difficulty perceiving the organization as an integrated system (systemic view). The limitation in realizing that the formalization, standardization and increased security of the processes can be a value can hinder the insertion of risk management. Thus, the requirements to implement risk management as part of the business depend on the size and complexity of the business and on the influence of the customer, who may or may not require greater control of business risks. In addition, there are barriers to the insertion of risk management that reside in perceiving it only as a cost and not as an investment that will benefit the company.
A relevant aspect of this research is the insertion of risk management as part of the company's culture, which is related to the other conceptual aspects identified and depends on many factors, the main one being the construction of the perception of value by management. In this way, what will determine the implementation is how the management of the company perceives risk management. In other words, despite the growing concern about risk mapping and control within organizations, whether through certification or customer requirements, it will only be an integral part of the management system if it is perceived as necessary and not as a cost or mere bureaucratization of processes. Those who perceive changes in standards as cost will procrastinate their implementation, leaving it to the deadline, until it is a requirement for renewal of certifications, while those who perceive it as a value have already begun the process of insertion or already use it as part of the company.