Apply Risk-Based Thinking in ISO 9001:2015 Quality Processes - Part II

ISO 31000 Risk management techniques:
A selection of risk assessment tools you might like to consider

Part 1 in this series is available here.

Although risks and opportunities have to be determined and addressed, there is no requirement in ISO 9001:2015 for formal risk management or for a documented risk management process. Even so, the concept of preventive action is expressed in the 2015 wording through the risk-based approach to formulating quality management system requirements. It follows that we will most probably want to show our reasoning in this respect; in other words, how our thinking about risk led to the actions we took.

In my view, this doesn't have to be an onerous task even at the high-risk end of the context spectrum. However, to completely ignore the risks and opportunities aspect of planning your QMS [see 6.1], regardless of the degree of risk involved, would surely risk a major non-conformity.

ISO 9001 Risk-based thinking could (and I am not saying that it should) be demonstrated by showing the outputs from one or more of the risk assessment tools in ISO 31010 in your "documented information".

To give you a flavour of what these tools are intended to achieve and how they work, I intend to describe a selection of the 31 listed in ISO 31010. At the same time, and over the next two posts, I will attempt to link these tools to QMS processes in a meaningful way; however, I do not expect my work in this respect to be definitive or to serve as a reliable reference. There is no common consensus on how best to employ risk assessment techniques in quality management - at least none that I am aware of yet!

[That said, I am studying with interest the ICH guideline Q9 on quality risk management, which provides principles and examples of tools for quality risk management applied to different aspects of pharmaceutical quality. If you have experience of this guideline, I'd welcome your input!]

Note: the text is based on the contents of Table A.2 – Attributes of a selection of risk assessment tools [Source: IEC/FDIS 31010:2009].

Check-lists

A simple form of risk identification. A technique which provides a listing of typical uncertainties which need to be considered. Users refer to a previously developed list, codes or standards.

Check-lists and reviews of historical data are, naturally enough, a sensible first step if you are serious about identifying the risks and opportunities in accordance with the requirements of ISO 9001:2015 Clause 6.1, and intend to plan and implement appropriate actions to address them. You can enhance the quality of the output by following a systematic process to identify risks by means of a structured set of prompts or questions put to the experts - see Structured interview below.

Personally, I would start by making a check-list of the known issues in the environment that can (a) affect conformity of products and services [risk] and (b) have the ability to enhance customer satisfaction [opportunity].

No ISO 9001 assessor is likely to fault you for making this much effort, whether or not you have yet addressed these risks and opportunities in the design of your quality management system and its associated processes.

However, it is also worth remembering that check-lists are most useful as a final check that everything has been covered, after a more imaginative technique that identifies new problems has been applied.

Preliminary hazard analysis

A simple inductive method of analysis whose objective is to identify the hazards and hazardous situations and events that can cause harm for a given activity, facility or system.

Note: the term 'hazard' is always used in the context of physical harm.

At first sight, not a very promising tool for quality, but it does have advantages: it can be used when there is limited information, and it allows risks to be considered very early in the system lifecycle. In some organizational contexts, preliminary hazard analysis could be appropriate as a risk assessment tool for quality when its use helps prevent critical non-conformities; those which could, for example, result in hazardous or unsafe conditions for individuals using, maintaining or depending on the product.


Structured interview and brainstorming

A means of collecting a broad set of ideas and evaluation, ranking them by a team. Brainstorming may be stimulated by prompts or by one-on-one and one-on-many interview techniques.

So what should we plan to collect in terms of "ideas and evaluation"?

Let's remind ourselves first of what ISO 9001:2015 says we should do.

When planning for the quality management system, ISO 9001:2015 requires organizations to consider the issues referred to in 4.1 [Understanding the organization and its context] and the requirements referred to in 4.2 [Understanding the needs and expectations of interested parties] and determine the risks and opportunities that need to be addressed, in order to:

a) give assurance that the quality management system can achieve its intended result(s);
b) prevent, or reduce, undesired effects;
c) achieve continual improvement.

We should integrate and implement the actions into the organization's quality management system processes (see clause 4.4) and evaluate their effectiveness.

Brainstorming as a technique could be particularly useful when, for example, identifying the risks of a new technology where there is no data, or where novel solutions to problems are needed. To quote ISO 31010, it "encourages imagination which helps identify new risks and novel solutions". However, it is not applicable to the risk analysis tasks of estimating consequence, probability or level of risk. It therefore has its limitations: along with the 'Look-Up Methods' of Check-lists and Preliminary hazard analysis, and most of the 'Supporting Methods' (Structured interviews, Delphi technique and SWIFT - Structured "what if"), it does not provide any quantitative output - although quantitative output is not a requirement of ISO 9001.

[Note: in the section 'Supporting Methods', Human reliability analysis (HRA), which deals with the impact of humans on system performance and can be used to evaluate human error influences on the system, is able to provide quantitative output and is 'strongly applicable' to risk analysis and 'applicable' to risk evaluation - see Table A.1 in ISO 31010.]

However, before we get bogged down in too much detail with regard to the other categories of method in ISO 31010 - Scenario Analysis, Function Analysis, Controls Assessment and Statistical Methods - we should ask what we are trying to achieve here, and how any of these assessment tools will help.

Let's take a step back.

If I were considering risks in relation to a quality management system and its associated processes, I would be asking the following questions:

  1. What are the risks associated with the organization's context and objectives - and why does each risk occur? [identifying the risk and the reason for its occurrence].
  2. What would be the likely negative consequences of process, product, service or system nonconformities? [consequences if the risk occurs].
  3. How likely is it that the organization will deliver nonconforming products and services in relation to the risks we have identified? [probability of the risk occurring].

There are other possible questions worth considering at this stage - for example, 'How effective are our existing controls?' - in order to identify factors that reduce the consequences or probability of the risk; however, in terms of what we actually need to know, these will make a good start.

What can we learn from ISO 31000 risk assessment processes?

ISO 31000 states that risk assessment attempts to answer the following fundamental questions:

•    what can happen and why (by risk identification)?
•    what are the consequences?
•    what is the probability of their future occurrence?
•    are there any factors that mitigate the consequence of the risk or that reduce the probability of the risk?

Providing that you adhere to this basic structure, you are following the framework that is set out in the International Standard ISO 31000:2009.
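As an added illustration (not part of the original post, and not a form that ISO 31000 or ISO 31010 prescribes), the following Python sketch turns the four questions above into a small risk register: each entry records what can happen and why, a consequence rating, a probability rating and the existing controls, and the register is then ranked on residual risk so that risk evaluation follows directly from risk analysis. The 5x5 ordinal scales, the high/medium/low bands, the tolerance threshold and the three sample QMS risks are all assumptions constructed for the example.

```python
"""Added example: a minimal risk register built on the four ISO 31000 questions.

Assumptions (not taken from the page): 5x5 ordinal scales, a tolerance
threshold of 8, and the sample risks, which are constructed for illustration.
"""
from dataclasses import dataclass, field

# Question 3: probability of future occurrence (assumed 1..5 scale).
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
# Question 2: consequence if the risk occurs (assumed 1..5 scale).
CONSEQUENCE = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}


@dataclass
class Control:
    """Question 4: a factor that mitigates consequence or reduces probability."""
    name: str
    reduces: str            # "probability" or "consequence"
    steps: int              # scale steps removed when the control works
    effective: bool = True  # "How effective are our existing controls?"


@dataclass
class Risk:
    what: str               # Question 1: what can happen ...
    why: str                # ... and why
    consequence: str        # key into CONSEQUENCE
    likelihood: str         # key into LIKELIHOOD
    controls: list = field(default_factory=list)

    def inherent(self) -> int:
        """Level of risk before any control is credited."""
        return LIKELIHOOD[self.likelihood] * CONSEQUENCE[self.consequence]

    def residual(self) -> int:
        """Level of risk after crediting only the controls judged effective.

        An ineffective control is ignored rather than partially credited:
        a control you cannot rely on should not lower the score.
        """
        lik = LIKELIHOOD[self.likelihood]
        con = CONSEQUENCE[self.consequence]
        for ctl in self.controls:
            if not ctl.effective:
                continue
            if ctl.reduces == "probability":
                lik = max(1, lik - ctl.steps)
            elif ctl.reduces == "consequence":
                con = max(1, con - ctl.steps)
            else:
                raise ValueError(f"unknown control type: {ctl.reduces}")
        return lik * con


def band(score: int) -> str:
    """Map a score on the 5x5 matrix to a qualitative level (assumed bands)."""
    if score >= 15:
        return "high"
    if score >= 8:
        return "medium"
    return "low"


def evaluate(register: list, tolerance: int = 8) -> list:
    """Risk evaluation: rank by residual score and flag entries needing action.

    Returns (what, inherent, residual, band, needs_action) tuples, highest first.
    """
    ranked = sorted(register, key=lambda r: (r.residual(), r.inherent()), reverse=True)
    return [(r.what, r.inherent(), r.residual(), band(r.residual()), r.residual() >= tolerance)
            for r in ranked]


def sample_register() -> list:
    """Constructed sample entries for a QMS; not taken from the page."""
    return [
        Risk("Supplier ships out-of-specification components",
             "single-source supplier with no incoming inspection",
             consequence="major", likelihood="likely",
             controls=[Control("incoming inspection", "probability", 2)]),
        Risk("Calibration records lost during document system migration",
             "migration plan has no verified backup step",
             consequence="moderate", likelihood="possible",
             controls=[Control("pre-migration backup", "consequence", 2, effective=False)]),
        Risk("Customer complaint routed to the wrong team",
             "complaint form has a free-text department field",
             consequence="minor", likelihood="unlikely"),
    ]


if __name__ == "__main__":
    for what, inh, res, lvl, act in evaluate(sample_register()):
        print(f"{'ACTION' if act else 'accept'}  inherent={inh:2d} residual={res:2d} ({lvl})  {what}")
```

Note the design choice in `residual()`: a control the team has judged ineffective does not lower the score at all, so the unverified backup leaves the migration risk at its inherent level and it ranks above the supplier risk even though the latter is worse on paper. That is the point of the fourth question: the answer to "how effective are our existing controls?" changes the ranking, and therefore which actions get planned under Clause 6.1.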

Rather than spending several days reading the Standard and having long meetings with colleagues to see how it might be applicable, why not look for methods that would help you to meet the requirements of ISO 9001?

For me, a good start would be:

Documenting the results of any 'consideration of risks and opportunities' exercise as evidence of your management team's "risk-based thinking".

Even if it is clear from the design of your processes that you have taken account of Clause 6.1 and determined the risks and opportunities that need to be addressed, having a record of your risk assessment processes might prove useful, if only as a reminder to keep matters under review!

Then, evaluate the risk assessment tools (numbering 31 in total) in ISO 31010 to see if they are applicable to your organizational context.

It's probably not the time to use them in anger yet (see below), but at least you will know they exist, and that some tools could help to identify risks and opportunities and be useful in carrying out risk analysis (considering consequences, probability and level of risk) and risk evaluation.

Are structured interviews and brainstorming 9001 requirements?

No, of course not. But if you don't currently use risk assessment tools to identify the typical uncertainties that need to be considered, and there is no previously developed list of hazards, risks or control failures available - whether from a previous risk assessment or from past failures - where do you begin? This is likely to be an especially vexing question for organizations that are new to ISO 9001 quality management and have to develop appropriate documented information for their quality processes.

However, a cautionary note:

Before you despair and start writing out check-lists based on your own observations in an effort to tick the box, remember that your colleagues in other departments and business units may already be using some of the formal techniques of risk assessment and risk management process (in a 'silo-centric' way of course), without you even knowing about this.

To quote from the Introduction to ISO 31000:2009:

"The current management practices and processes of many organizations include components of risk management, and many organizations have already adopted a formal risk management process for particular types of risk or circumstances"1.

It follows therefore that it is worth interviewing them (in a structured or unstructured way) or bringing them together for a brainstorming session - if only to find out what qualitative and quantitative risk assessments have been made that could help you to address the requirements of ISO 9001!

Whether or not anyone is carrying out risk assessments, with or without the use of the tools in ISO 31010, ISO 9001:2015 expects the organization to understand its context (see clause 4.1) and determine the risks and opportunities that need to be addressed (see clause 6.1).

For example:

ISO assumes that one of the key purposes of a quality management system is to act as a preventive tool, taking account of identified risks. Consequently, ISO 9001:2015 does not have a separate clause or sub-clause titled 'Preventive action'. Rather, the wording states unequivocally:

"The concept of preventive action is expressed through a risk-based approach to formulating quality management system requirements".2

Although there are undoubtedly a number of quality professionals who feel uncomfortable talking about risk in relation to preventive actions, assessing risk is something that managers in most (all?) organizations do already in one form or another. They may not always use the term 'risk' to describe their activities - which could include, for example, conducting a sensitivity analysis of a financial projection, scenario planning for a project appraisal, assessing the contingency allowance in a cost estimate, negotiating contract conditions, or developing contingency plans - but even so, thinking about risks and opportunities is central to their work3.

IF it can reasonably be argued that managing risk is an integral part of good management (and I think that it can), and that risk-based thinking is fundamental to achieving good business and project outcomes and the effective procurement of goods and services, THEN identifying, analysing and evaluating risk should be processes familiar to all quality managers.

Not everyone agrees with this statement of course, but understanding the context (see clause 4.1) and determining the risks and opportunities that need to be addressed (clause 6.1) are requirements of ISO 9001:2015. Therefore, before you reject the idea of using risk assessment tools on the grounds that they are too complicated and "not part of your job", it's worth pondering this quote from the Introduction to the ISO 31000:2009:

"The generic approach described in this International Standard provides the principles and guidelines for managing any form of risk in a systematic, transparent and credible manner and within any scope and context".4


1 ISO 31000:2009, Risk management - Principles and guidelines, Introduction.
2 Draft BS EN ISO 9001 Quality Management Systems - Requirements, 14 May 2014, A.4 Risk-based approach.
3 Dale F. Cooper et al., Project Risk Management Guidelines: Managing Risk with ISO 31000 and IEC 62198, Wiley, 2014.
4 ISO 31000:2009, Risk management - Principles and guidelines, Introduction, p. v.

Next time:  More risk assessment tools described in ISO 31010 - How useful could they be to quality professionals in different contexts?

This post was written by Michael Shuff
