Why taking a risk-based approach is a requirement of ISO 9001
Risk-based thinking is a sore point among many Quality professionals. Even so, identifying risk, analysing the consequences, probability and level of risk (i.e. risk analysis) and risk evaluation using formal techniques are becoming increasingly important tasks in the global business world.
ISO 9001:2015 incorporates what the draft version of the International Standard has termed "Risk-based Thinking" in its requirements for the establishment, implementation, maintenance and continual improvement of the quality management system. If you are already familiar with the DIS or have read the many discussions on the subject that have appeared on LinkedIn groups and elsewhere, you will already be aware that formal risk management is not mandated. However, organizations can, in the words of the TC 176 Committee's draft standard (May 2014) "...choose to develop a more extensive risk-based approach than is required by this International Standard, and ISO 31000 provides guidelines on formal risk management which can be appropriate in certain organizational contexts".
I am sceptical about the subject of demonstrating risk-based thinking to a certification auditor when they assess your quality management system. Of course, it's possible that you won't be subject to an intensive grilling if the Standard does not require you to produce the outputs from your risk assessment processes or evidence of a formal risk management system. Although if risk-based thinking is required by ISO 9001:2015 to plan and control the quality management system (QMS) and component processes and activities, it is unlikely to be ignored in the certification audit process.
Which begs the question:
How do you show risk-based thinking during a certification audit?
Assessing “Risk-based thinking" is likely to form a sizeable section of the ISO 9000 Guidance documents that, along with the ISO 9001:2015 Standard, are yet to be published. And since waiting until September may not be an option for those of you looking to transition from the 2008 Standard as rapidly as possible in 2015-2016, I thought that it would be a 'fun' idea to look at how you might go about this interesting 'thinking' task so as to produce (a) evidence that you could show to an assessor [HEALTH WARNING: nobody yet knows exactly what they will be asking for - and they don't know themselves either, unless they are the ones writing the guidelines!], and (b) a useful way of identifying, evaluating and treating the kind of risks that apply to the processes used in Quality Management.
Starting point for risk-based approach applied to quality processes
In my post ISO 9001:2015 – The likely impact (Part II), February 4, 2015, I suggested the following basic checklist of tasks...
Analyse and prioritize the risks and opportunities in your organisation:
- What is acceptable?
- What is unacceptable?
Then plan actions to address the risks. Ask yourself:
- How can I avoid or eliminate the risk?
- How can I mitigate the risk?
- Implement the plan – take action
- Check the effectiveness of the actions – does it work?
- Learn from experience – continual improvement
However, this list presupposes that you have identified risks and opportunities.
So if you haven't yet, how do you approach risk identification in your context?
Will ISO 31000:2009 help in taking a 'risk-based approach' to the quality management system, component processes and activities?
Short answer: it can do, depending [entirely?] on your organization's context.
The ISO 9001 DIS says that ISO 31000 provides guidelines on formal risk management which can be appropriate in certain organizational contexts.
This fact will be well understood by those working for large, indeed global entities that have long since adopted risk management methodologies and have risk managers on their team who are familiar with ISO 31000.
But what is ISO 31000 attempting to achieve, and is it relevant to the majority of organizations that are trying to gain or transition to ISO 9001?
ISO 31000 describes an "overall approach to risk management, not just risk analysis or risk assessment. It deals with the links between risk management process and both strategic direction and day to day actions and treatments1." Which on the face of it sounds an ideal recipe for risk-based thinking. Pick up the Standard and read it, and this thought is quickly dispelled, since ISO 31000 takes a generic approach that has to be developed - in considerable detail - to be useful in a given context.
Great for the Strategic aims of the senior management, but not of any great value to the 'poor bloody infantry' of quality managers out there.
Perhaps the first (and most frustrating) conclusion that you will come to, having spent £120 ($180 USD) on your personal copy is that you next need to buy ISO.IEC 31010:2009 – Risk management – Risk assessment techniques. A slightly steeper £226 from BSI, or $337 USD, on 24/03/15.
So your boss says, "OK, buy the one that you actually need, but don't come back to me asking for any more. We've got by without 'risk-based thinking' in the past [insert number of years or decades]; surely we will do so this time?" And you thank her or him for authorizing the purchase.
The pdf arrives on your machine. You open it. There are 92 pages, 6 of which in Annex A are a comparison of risk assessment techniques (some useful tables here) before you arrive at Annex B, consisting of 61 pages describing the 31 risk assessment techniques; all for the kind of people who enjoyed Mathematics (statistics especially) at school... but who may not be that interested in helping you to design effective quality processes.
Yes, there's a worthy (absorbing even?) preamble about risk assessment concepts and processes. There also a Clause describing how techniques for risk assessment may be selected, which starts with the valid advice:
Risk assessment may be undertaken in varying degrees of depth and detail and using one or many methods ranging from simple to complex. The form of assessment and its output should be consistent with the risk criteria developed as part of establishing the context. [Clause 6.2]
There is no point in making life more complicated than it needs to be; thus:
In general terms, suitable techniques should exhibit the following characteristics:
- it should be justifiable and appropriate to the situation or organization under consideration;
- it should provide results in a form which enhances understanding of the nature of the risk and how it can be treated;
- it should be capable of use in a manner that is traceable, repeatable and verifiable. [Ibid]
By now, you're probably fired up with the possibility of finding a suitable risk assessment technique that fits the context of your organization and its quality management system? You can't wait to get started on the job.
(Come on ... humour me!)
You turn to...
Comparison of risk assessment techniques
And quickly realize that there are more risk assessment techniques than you thought existed, and even a cursory reading suggests that some are complex. Notable the ones that are strongly applicable to each step of the full risk assessment process; specifically:
- risk identification;
- risk analysis – consequence analysis;
- risk analysis – qualitative, semi-quantitative or quantitative probability estimation;
- risk analysis – assessing the effectiveness of any existing controls;
- risk analysis – estimation the level of risk;
- risk evaluation.
Below is the list of the 31 tools. Depending on the industry you are working in, you will almost certainly recognise at least some of them, even if you haven't actually used any of the techniques to assess risk.
Table A.1 – Tools used for risk assessment
- Structured or semi-structured interviews
- Primary hazard analysis
- Hazard and operability studies (HAZOP)
- Hazard Analysis and Critical Control Points (HACCP)
- Environmental risk assessment
- Structure « What if? » (SWIFT)
- Scenario analysis
- Business impact analysis
- Root cause analysis
- Failure mode effect analysis
- Fault tree analysis
- Event tree analysis
- Cause and consequence analysis
- Cause-and-effect analysis
- Layer protection analysis (LOPA)
- Decision tree
- Human reliability analysis
- Bow tie analysis
- Reliability centred maintenance
- Sneak circuit analysis
- Markov analysis
- Monte Carlo simulation
- Bayesian statistics and Bayes Nets
- FN curves
- Risk indices
- Consequence/probability matrix
- Cost/benefit analysis
- Multi-criteria decision analysis (MCDA)
Not everybody of course will have the resources and capabilities within the organization to attempt some of these - e.g., Fault tree analysis, Cause / consequence analysis, Monte-Carlo analysis, Bayesian analysis.
Quality managers working for smaller enterprises (SMEs) may only dream of conducting analysis at the level required by some techniques in the list. The sheer complexity of some types of risk assessment will render the tool useless in most organizations employing between 1 and 250 people. However, that doesn't mean to say that ISO 31010 isn't a valuable reference should you ever be required to think about risk in these terms.
Bear with me, though, because in the next few posts, I am going to show you a method to assess risk by turning Complexity into Simplicity!
1 Project risk management guidelines: managing risk with ISO 31000 and IEC 62198, Dale F Cooper, et al, Wiley, 2014.
There are twelve posts in this series. To read Part II, please click here.
This post was written by Michael Shuff