ISO 9001:2015 - How to apply Risk-based Thinking to Quality Processes [Part VI]

There are twelve posts in this series. To read Part V, please click here.

Risk based thinking is the new 'preventive actions' for QMS

If you have been reading this blog recently, you will know we have been considering the problem of how organizations could apply Risk-based thinking (RBT) to Quality Processes. To briefly recap the position to date:

ISO 9001 Risk-based thinking could (and I am not saying that it should) be demonstrated by one or more of the risk assessment tools in ISO 31010:2010. But that still leaves you with the dilemma of selecting the most appropriate tools to help you to identify, analyze and evaluate risk in your organizational context and with the resources at your disposal.

In ISO 9001:2015 there is no requirement for risk management. However, organizations can choose to develop a more extensive risk-based approach, and the Standard refers to ISO 31000, which provides guidelines that can be appropriate in "certain organizational contexts".

It remains to seen whether assessors for the various Certification Bodies will expect you to produce documented evidence of risk-based thinking.

There are, it seems to me, only three possibilities:

ISO 9001:2015 Assessors will...

1. Carry on as if ISO 9001:9008 was still the published version of the Standard, perhaps for a year or two after the publication date of ISO 9001:2015, effectively ignoring the risk-based thinking requirements of Clause 6 in the way that preventive actions have (some claim) been ignored in the past. In other words, assessors will effectively turn a blind eye to the need to consider risk when defining the rigour and degree of formality needed to plan and control the quality management system.
2. Report on non-conformances and corrective actions which would probably have been unnecessary with proper consideration of the risks. They will further regard the failure to show evidence of risk-based thinking in an organization's quality processes as a non-conformity (maybe a major non-conformity) and will judge the quality system to be ineffective because it has failed to reduce or eliminate the risks to process outputs.
3. Highlight in their report any good practices seen in the application of risk-based thinking to the planning and consideration of quality processes; showing how this has helped to achieve continual improvement of the system and provide the assurance of conformity to customer and applicable statutory and regulatory requirements. If you show evidence, it will be positively noted.

Regarding 3) above, it is worth reflecting upon the number of times the words "continual improvement" appear in the clauses of the new Standard.

Aside from the definition that appears in Normative References, the term "continual improvement" is used in Clause 5: Leadership, Clause 6: Planning, Clause 7: Support, Clause 9: Performance Evaluation, and - unsurprisingly - in Clause 10: Continual Improvement; which states that:

"...the organization shall consider the outputs of analysis and evaluation, and the outputs from management review, to confirm if there are areas of underperformance or opportunities that shall be addressed as part of continual improvement."  ¹

A closer look at Document Control for ISO 9001

Whilst there is considerable doubt about which of the three scenarios above best describes the future response of external auditors/assessors, this blog is intended to help put your organization in a position where 3) is the more likely outcome, because your quality processes reflect the fact that you have taken account of the risk and opportunities in your context.

Planning and considering risks in quality system processes

Notwithstanding the concerns about what ISO 9001 assessors may or may not be looking for with regard to applying risk-based thinking (RBT), there are good reasons to put in place...

"Processes for planning and consideration of risks and opportunities"

There is already a significant precedent in the ISO family of management system standards that explains the need for the risk-based approach.

BSI's Product Guide, ISO/IEC 27001 Information Security Management, sets out the case for RBT in the context of improving information security:

"ISO/IEC 27001 takes a risk-based approach to the planning and implementation of your ISMS, resulting in an appropriate and affordable level of organizational security. In this way, it ensures that the right people, processes, procedures and technologies are in place to secure your organization’s information assets." ²

I suggest that we could readily substitute "ISO 9001:2015" for "ISO/IEC 27001"; "ISMS" for "QMS"; "quality" for "organizational security"; and  "achieve the intended results of the quality management system" for "secure your organization's information assets" to arrive at the following:

"ISO 9001:2015 takes a risk-based approach to the planning and implementation of your QMS, resulting in an appropriate and affordable level of quality. In this way, it ensures that the right people, processes, procedures and technologies are in place to achieve the intended results of the quality management system."

It is also worth bearing in mind that one of the key influences on the development of ISO 27001:2013 was the decision by the ISO to align ISO/IEC 27001 with the principles and guidance given in ISO 31000 (risk management). This was deemed to be, in the words of BSI, "good news for integrated management systems as now an organization may apply the same risk assessment methodology across several disciplines". ³

Earlier posts in this series have examined the different risk assessment techniques aligned to ISO 31000 and described fully in ISO 31010:2009.

What actions are required to plan for risks and opportunities?

Clause 6 of ISO 9001:2015 is likely to be explicit about the need for planned actions to address risks and opportunities in quality systems:

6.1.2 The organization shall plan:

a) actions to address these risks and opportunities;

b) how to:

1) integrate and implement the actions into its quality management system processes (see 4.4);

2) evaluate the effectiveness of these actions.

Actions taken to address risks and opportunities shall be proportionate to the potential impact on the conformity of products and services.⁴

Although not all the processes of the quality management system will represent the same level of risk in terms of the organization’s ability to meet its objectives, - and the consequences of process, product, service or system nonconformities are not the same for all organizations - there will be risks that you will need to address through the quality processes.

So how do you go about identifying, considering and planning for risks to quality - and how could risk analysis help you to achieve your objectives?

The simple answer is that before you can plan processes that address risk, you need to analyze the relative importance of risks in your system. In a world where risk factors determine the organization's success or failure, we need a detailed understanding of each of the specific risks posed to successful outcomes at the various stages of quality processes. With this knowledge, we can determine appropriate priorities for actions.

This full understanding should result in fewer unpleasant surprises arising and will enable managers to determine where the greatest effort should be focused in treating identified risks and for quality assurance purposes.

The alternative to decision-making based on risk analysis is a combination of experience and intuition. Experience, no matter how extensive, can be out of date and therefore fail to anticipate the potential risks in a system. Intuition is the ability to acquire knowledge without inference or the use of reason and is of questionable value to organizations when planning and considering processes in order to consistently produce desired outcomes.

By developing a better understanding of risk, risk analysis techniques help organizations facilitate structured action planning and resource allocation.

The following section of this blog post contains the first part of a Proposal for a formal methodology for making risk-based decisions when planning and considering quality processes. I have based some of the ideas on work by Dale F. Cooper et al in the book 'Project management guidelines: managing risk with ISO 31000 and IEC 62198' (John Wiley and Sons); however, I have simplified the approach therein as applied to international, large-scale project management. Furthermore, I have re-engineered these ideas into a method of risk assessment and continual process improvement for ISO 9001 quality management systems, based on the process improvement model from ITIL, which itself uses methods from quality management.

The CSI process in ITIL aims to continually improve the effectiveness and efficiency of IT processes and services, in line with the concept of continual improvement adopted in ISO 20000. It defines the specific initiatives aimed at improving services and processes, based on the results of service reviews and process evaluations. The improvement cycle takes into account the business perspective of service quality, although CSI aims to improve process effectiveness, efficiency and cost effectiveness. In ITIL 2011, the CSI Register was introduced as a central document or database where all improvement opportunities and initiatives are recorded. I propose to extend this idea to create a controlled documented information system (CDIS) for QMS which would contain a Risks and Opportunities Register (R&O Register), used to record and manage risks to, and improvement opportunities in, quality management processes throughout their lifecycle.

A key feature of my proposed design for the R&O Register would be outputs from a simple risk assessment process, following a six step risk assessment and continual process improvement model, which would be used to (1) establish the context, (2) identify possible risks to quality outputs, (3) carry out a qualitative risk analysis and risk evaluation, (4) extend this analysis to a semi-quantitative analysis used to assign a numerical risk factor (RF value) to each of the risks in order to determine the highest priority risks, before (5) determining a risk treatment plan, and (6) monitoring and reviewing the quality system processes to determine the effectiveness of the quality controls and identify as early as possible any new risks and opportunities.

These ideas are presented for DISCUSSION PURPOSES ONLY and are not intended to form any recommendations for actions needed to comply with the wording of ISO 9001:2015 in its published form (September 2015); however, we hope that you will receive them as a way to combine quality management systems and risk management processes so as to achieve continual process improvement that takes full account of the risks and opportunities in any given context.

Risk management methodology for quality management

The method that I am suggesting breaks down into 6 simple steps. They are:

1. Establish the context

Referencing 4.1 Understanding the organization and its context, and 4.2 Understanding the needs and expectations of interested parties: this step determines the issues and requirements that can impact on the planning of the quality management system; including: (a) the main objectives and outcomes that are uncertain / subject to risk; and (b) the needs and expectations of the organization's customers and other relevant interested parties; the products and services it provides; the complexity of processes it employs and their interactions; the competence of persons within or working on behalf of the organization; and its size and organizational structure.

2. Risk identification

This step involves selecting a suitable process for risk identification (see below) and for each quality process, identifying and numbering the risks. The activity is designed to be carried out in a group situation where each risk is described in terms of what could happen and what that could lead to, the causes of the risk - both external and internal to the organization - and the existing controls that could prevent, transfer or mitigate risks. This process records the risks in a Risk and Opportunities Register (R&O Register) that would form an integral part of the Quality Management System.

3. Qualitative risk analysis & risk evaluation

The systematic use of available information regarding probability, consequence and exposure will lead to a better understanding of the risk and the controls that are needed. For each risk we would then: assess the effectiveness of the existing controls using a suitable effectiveness scale; determine the consequences (impact) for each risk; the likelihood of these consequences occurring; and the potential exposure were the controls that we have in place to fail. For example, the consequence of a failure to control the quality of production outputs through an adequate inspection process could result in the customer rejecting the goods or services supplied as unfit for purpose; causing the organization to suffer a financial loss that can measured in penalties under the terms and conditions of contract, and reputation damage.

11 myths about ISO 9001 - busted!

4. Semi-Quantitative risk assessment for systems and processes

Qualitative analysis is used to determine the probability and impact of risks, however, by its nature and definition, lacks quantitative precision. In comparison, a semi-quantitative measure of risk is an estimate derived using a scoring approach. Risk indices are used to rate a series of risks using similar criteria so that they can be more easily compared. Scores are applied to each component of risk, to assess both the consequence (impact) and likelihood of the risk occurring and to derive an average consequence score and average likelihood score for the risks associated with each process analysed. These risk scores are then used to determine the comparative 'risk factors' (RFs) associated with different processes to aid decision-making by plotting the RFs on a graph overlaid with iso-contours.

5. Risk-treatment

This step brainstorms options for treating the risk that fit the following categories: avoiding or seeking the risk; changing the likelihood; changing the consequences; sharing the risk; and explicitly accepting the risk without further treatment. The benefits and costs, advantages and disadvantages of each treatment option are taken into account and where the benefits determined exceed the known/likely costs of action, treatment options are selected for implementation. The brainstorming process is repeated after implementation to determine whether the level of risk after risk treatment has been completed is tolerable; and if this is not the case, then further risk treatment actions are sought and considered.

6. Monitoring & review

A monitor process is developed for each risk by the risk owners and each relevant control (control owners). Decisions are made about the time intervals at which the risks and controls will be reviewed. At the same time, a monitoring process will be put in place for each risk treatment plan under the direction of the relevant risk owners. Progress will be monitored in respect to the objectives of the risk treatment plan, and the resulting successes and failures recorded. Periodically, the team will assess whether new risks are affecting or could affect quality processes and systems as part of the cycle of continuous quality process improvement (see Figure 1.0 below).

Figure 1.0:

There are twelve posts in this series. To read Part VII, please click here.

Notes:

¹ ISO/DIS 9001:2014, 10.3 Continual improvement, p.63.
² ISO/IEC 27001 Information Security Management Securing your information assets Product Guide, October 2012 (modified May 2013)
³ Moving from ISO/IEC 27001:2005 to ISO/IEC 27001:2013: The new international standard for information security management systems, Transition Guide, BSI Group.
⁴ Ibid., p.28, lines 1054 to 1060.

This post was written by Michael Shuff