There are twelve posts in this series. To read Part I, please click here.
Risk-based thinking and the resulting actions to address risk are what business is arguably all about. And now it's officially a requirement of ISO 9001 in the much anticipated revised version due to be published in 2015.
Just to recap: among the key changes almost certain to be coming in the ISO 9001:2015 quality management system standard, and available to read in the Draft International Standard (DIS) published in May 2014, are:
- The emphasis on leadership
- The focus on risk management
There are many good reasons for your organisation to invest in a quality system. I suggest that the 'top ten' reasons are:
- Cutting costs
- Saving time
- Increasing customer satisfaction
- Developing better business processes
- Improving product quality
- Reducing response times
- Creating competitive advantage through investment in quality
- Utilizing best practice through collaboration and focus
- Helping you grow your business (as opposed to fighting fires)And, yes...
- Reducing risk.
How does ISO 9001 help you to achieve your business goals?
The central purpose of a quality management system (QMS) is to provide confidence in the organisation’s ability to consistently provide customers with conforming goods and services. The concept of “risk” in the context of ISO 9001:2015 relates to the uncertainty in achieving these objectives. By giving much greater emphasis to risk and opportunity management, the approach is in line with the current thinking of many senior managers.
Risk, as Clause 0.5 of the Introduction to the DIS states, "...is the effect of uncertainty on an expected result and the concept of risk-based thinking has always been implicit in ISO 9001." ISO 9001:2015 permits organisations to choose whether or not they develop a more extensive risk-based approach than is required. ISO 31000 Risk Management standard is referenced as being able to provide "guidelines on formal risk management which can be appropriate in certain organisational contexts", it is not mandated. You choose the method by which you assess your risk.
The new version of the standard recognises that not all the processes of the quality management system represent the same level of risk in terms of the organisation’s ability to meet its objectives. The consequences of process, product, service or system nonconformities are not the same for all organisations. In particular contexts, the consequences of delivering nonconforming products and services can result in minor inconvenience to the customer; in others, the consequences can be far-reaching, and even fatal.
“Risk-based thinking" means "...considering risk qualitatively (and, depending on the organisation’s context, quantitatively) when defining the rigour and degree of formality needed to plan and control the quality management system, as well as its component processes and activities." [Clause 0.5].
I suspect this could potentially cause problems during the audit when objective evidence of risk-based thinking in the form of documented information cannot be produced. After all, although the risks and opportunities will have to be determined and addressed, there is no requirement for any formal risk management process. All that is needed is an "...overall focus on "Risk-based thinking" aimed at preventing undesirable outcomes (see 0.5)" [Source: 0.3 Process Approach, line 258 of the DIS]. So how will “thinking” be assessed?
The FDIS (final draft international standard) may contain a clearer definition of risk-based thinking and there is of course the question of whether the range of ISO 9000 Guidance documents to be published (presumably in 2015?) will address the auditing of this requirement?
I watch with interest. No doubt, so will you - and your ISO assessors!
Why should your organisation adopt “Risk-based Thinking”?
Well, if "thinking" here means adequately assessing risk for the purposes of planning and control (and I think it does!) then the result should be to:
- improve customer confidence and satisfaction
- assure consistency of quality of goods and services
- establish a proactive culture of prevention and improvement.
The key point being: successful companies take a risk-based approach.
Personally, I would like to know exactly what evidence should be recorded in documented information about whatever type of risk is being assessed. The rigour of documenting your risk assessment process and recording, as they are made, the management decisions to address those risks will be of more practical value than simply thinking about the risks involved.
Documented information of this kind properly controlled and updated in a document management system has its uses in decision making processes.
In Clause 4, Context of the organization, the requirement is to determine the issues which can affect the organisation's ability to meet its quality objectives:
"The organization shall determine external and internal issues that are relevant to its purpose and its strategic direction and that affect its ability to achieve the intended result(s) of its quality management system."
It could be argued here that "issues" are not necessarily "risks"; however, the Notes in this Clause would suggest that our "understanding" of the organisation's external and internal context is necessary in assessing risk:
NOTE 1 Understanding the external context can be facilitated by considering issues arising from legal, technological, competitive, market, cultural, social, and economic environments, whether international, national, regional or local.
NOTE 2 Understanding the internal context can be facilitated by considering issues related to values, culture knowledge and performance of the organization.
Clause 5, Leadership requires that top management commit to ensuring Clause 4 is followed - so they will need status and progress reports based on documented information from the management system to achieve this.
A graphical presentation of key management information, updated in real time from a document management system saves a lot of report writing!
Clause 8, Operation requires the organization to "plan, implement and control" processes 6.1 Actions to address risks and opportunities - see further down.
- Processes for planning and consideration of risks and opportunities (Clause 6)
- Processes for support, including resources, people and information (Clause 7)
- Operational processes related to customers and products and services (Clause 8)
- Processes for performance evaluation (Clause 9)
- Processes for improvement (Clause 10).
Risk-based thinking is considered integral to an ISO 9001:2015 QMS.
"This International Standard makes risk-based thinking more explicit and incorporates it in requirements for the establishment, implementation, maintenance and continual improvement of the quality management system." [Clause 0.5]
ISO 9001:2015 is about managing change processes in your business, based on an understanding the risks and challenges which may impact on your organization's ability to meet customer requirements and taking a preventative approach supported by relevant documented information.
Effective planning and consideration of risks and opportunities will be a key (critical?) factor for successful certification to ISO 9001:2015. Senior management should be able to demonstrate that they understand the business risks and opportunities, and how they could impact. They will need to ensure that the management system can achieve its intended results (6.1.1 a), prevent or reduce undesired effects (6.1.1. b), achieve continual improvement (6.1.1. c); and, that actions to address risks and opportunities are integrated into processes (see 4.4); and their effectiveness evaluated.
Wikipedia says that Risk management "...is the identification, assessment, and prioritization of risks (defined in ISO 31000 as the effect of uncertainty on objectives) followed by coordinated and economical application of resources to minimize, monitor, and control the probability and/or impact of unfortunate events or to maximize the realization of opportunities".
Clause 9, Performance Evaluation, includes a requirement that top management shall "review the organization's quality management system". The management review has to take into consideration:
"... the effectiveness of actions taken to address risks and opportunities (see clause 6.1);"
Surely, in order to evaluate (a) whether the actions (i.e. the selected controls) are still applicable and effective, and (b) whether the possible risk-level in the business environment has changed since the last review, senior management will need to see the results from a 'risk analysis'?
How otherwise could they assess the effectiveness of actions taken to address risks (threats) and opportunities? Unless they are simply content to do so based on opinions and/or anecdotal evidence?
Maybe this will be acceptable to managers in some 'low risk' environments, but not in high risk ones like product design, development and manufacturing such as silicon, military software, the aerospace industry ... the list will be a very long one!
Clause 10, Improvement does not specifically mention risk, however, BSI say in one of their white papers that ...
"In Clause 10 the organization is required to improve by responding to changes in risk." [Source: ISO 9001 White Paper: The importance of risk in quality management- Approaching change, BSI Group, July 2014]
When a nonconformity occurs, the organisation is required to evaluate the need for action to eliminate the cause(s), by reviewing the nonconformity; determining its causes, and "determining if similar nonconformities exist, or could potentially occur" - Risk-based thinking again?
Clause 6.1 Actions to address risks and opportunities reads like 'risk management' to many people on that basis - me included!
Clause 6.1 Actions to address risks and opportunities is where the ‘what, who, how and when' concept of this risk management is defined. The organisation should plan the actions that are necessary to address these risks and opportunities as well as working out how to integrate and implement actions into management system processes. In achieving this, they need to ensure actions are "proportionate to the potential impact on the conformity of products and services", and evaluate their effectiveness.
Risk-based thinking in ISO 9001:2015 will extend to your organisation's supply chain: a risk-based approach is required to determine the type and extent of the "controls appropriate to particular external providers and externally provided products and services". You will need to identify risk wherever it arises and have the necessary controls in place to manage it.
This means that senior managers will need to be able to demonstrate an understanding of the wider business environment, social, cultural and regulatory and how that impacts or could impact on the organisation’s ability to meet customer requirements. They will also need to have a grasp of the organisation’s internal strengths and weaknesses and how these could impact on its ability to deliver quality products or services.
ISO 9001:2015 will serve to strengthen business process management by underlining the need to (1) allocate specific responsibilities for processes, (2) demonstrate an understanding of the key risks associated with each process and the approach taken to 'manage, reduce or transfer the risk'.
Is this 'risk-based thinking' new to ISO 9001:2015? I would argue not. It's true that ISO 9001:2008 does NOT include requirements specific to other management systems such as "risk management", ... however, 0.1 General clearly states that the design and implementation of an organisation's quality management system is influenced by ...
"a) its organizational environment, changes in that environment, and the risks associated with that environment,"
Hence, in designing and implementing your organisation's quality management system, you are thinking about the risks.
The risk-based approach to drafting this International Standard has also had a beneficial effect in that it facilitated some reduction in prescriptive requirements and their replacement by performance-based requirements.
Many people, including myself, think there has always been an element of risk based thinking in ISO 9001, and that it is now just more explicit. Not every critic of ISO agrees with that, however.
What should you do in order to adopt "Risk-based thinking"?
I would suggest the following...
Analyse and prioritize the risks and opportunities in your organisation:
- What is acceptable?
- What is unacceptable?
Then plan actions to address the risks. Ask yourself:
- How can I avoid or eliminate the risk?
- How can I mitigate the risk?
- Implement the plan – take action
- Check the effectiveness of the actions – does it work?
- Learn from experience – continual improvement
To gain a better appreciation of the extent of these important changes and the effect on your existing quality management system, you should read the FDIS.
[Note: the text above relating to Clause 6.1 draws on the wording in the BSI white paper referenced as well as the ISO 9001/DIS and various ISO publications available on their public website to explain the concept of risk-based thinking. A section containing references to published sources (citations) together with a recommended reading list for ISO 9001:2015 will follow in Part III of this blog post.]
There are twelve posts in this series. To read Part III, please click here.
This post was authored by: Michael Shuff
CogniDox is designed for Document Control. It provides ISO-compliant procedures for information governance; including version control, document lifecycle, review/approval workflows, access control, and auditability.
It also enables you to create a graphical Quality Management System (QMS) as a collection of interlinked web pages. The gQMS provides a strong focal point for your quality initiative, and demonstrates Leadership and commitment. By making the process visual, it dramatically improves end-user adoption.
Contact us to find out more.