ISO 9001:2015 - How to apply Risk-based Thinking to Quality Processes [Part VII]

There are twelve posts in this series. To read Part VI, please click here. 

Steps 1-3 in the method

If you have been reading this blog recently, you will know we have been considering the problem of how organizations could apply Risk-based thinking (RBT) to Quality Processes. In the previous post (part VI), we started to introduce our own proposed Risk Management method that may help.

In this post we shall deal with the first three Steps in the methodology, namely: (1) The Context of the Organization, (2) Risk Identification processes, and (3) Qualitative risk assessment.

Step 1: Establish the Context

The 'context' of the organization is essentially its business environment.

That is to say, context is a term that is used to describe a combination of internal and external factors and conditions that can have an effect on an organization's (3.01) approach to its products (3.47), services (3.48) and investments and interested parties (3.02).¹

An organization needs to demonstrate its ability to consistently provide products and services that meet customer and applicable statutory and regulatory requirements and aims to enhance customer satisfaction.²  Therefore, it is necessary to determine both the external and internal context before designing and implementing quality processes that take account of the risks and opportunities that apply in a particular context.

The risk-based approach of ISO 9000:2015 requires the organization to understand its context (see clause 4.1) and determine the risks and opportunities that need to be addressed (see clause 6.1). When applying risk-based thinking to the planning and consideration of quality processes, we should take into account the organization's understanding of the...

• External context; which can be facilitated by considering issues arising from legal, technological, competitive, market, cultural, social, and economic environments, whether international, national, regional or local.
• Internal context; which can be facilitated by considering issues related to values, culture knowledge and performance of the organization.³

The Standard also requires that "...the organization shall maintain documented information to the extent necessary to support the operation of processes and retain documented information to the extent necessary to have confidence that the processes are being carried out as planned".⁴

Scope and responsibilities for specific risk management activities

The scope and responsibilities of persons responsible for risk management and the risk assessment methods employed will need to be documented.

Risk is defined as "the effect of uncertainty on objectives"⁵, so it follows that it is necessary to articulate the objectives of the organization and the processes that it uses. In other words, you must define and document what is 'at risk', and how you intend to address risk in your quality management system; specifically, who is to be made responsible for identifying, analyzing (if you chose to analyze risk), evaluating and treating the risk to your QMS and its associated processes.

It is valuable to be as specific as possible in articulating the organization's business objectives as this will assist with the risk identification process (defined in Step 2).⁶

How should we document the "context of the organization"?

The context of an organization can include internal factors such as organizational culture, and external factors such as the socio-economic conditions under which it operates; consequently all the requirements of ISO 9001:2015 are generic but the ways in which they are applied can differ from one organization to another.⁷

Risk-based thinking as it is defined in ISO 9001:2015 requires you to consider risk qualitatively (and, depending on the context that has been identified, quantitatively) when defining the rigour and degree of formality needed to plan and control the quality management system, as well as its component processes and activities⁸.

Taking the above definitions into account, I would suggest that it would be appropriate for a ISO 9001-compliant organization - and especially one adopting a more formal risk management approach based on ISO 31000 - to document the context in what I am terming a Statement of Context.

To establish the context, you need to:

Establish the external and internal organisational context in which the risk assessment is taking place (see ISO 9001:2015 Clause 4.1);

Specify the main objectives and outcomes that are uncertain and, therefore, represent a risk;

Develop criteria against which the consequences and likelihoods of identified risks can be measured; and

Define the key elements for structuring the risk assessment process.

Process inputs

Key process documents, scope definitions, pre-existing analyses and other relevant documented information such as organisational policies, processes and structures.

Method

1. Review organisational and process documentation.
2. Review the external and internal contexts.
3. Develop criteria for evaluating consequences and likelihoods.
4. Prepare briefing material for the risk assessment process.

What information should the Statement of Context contain?

The organization's Statement of Context would include internal factors such as organizational culture, and external factors such as the socio-economic conditions under which it operates [ISO 9001:2015, Introduction 0.1].

Establishing the context will provide information that is essential to risk identification, analysis, and evaluation activities if they are to efficient and effective. Components of the context could be summarised as follows:

1. Organisational objectives;
2. Process objectives;
3. The internal environment;
4. The external environment;
5. The context of the risk management process;
6. Risk criteria⁹.

Risk criteria for Quality Management Systems

In this risk management methodology:

The risk criteria should reflect the objectives and context for the risk assessment. Consideration should be given to stakeholder views and risk perceptions, the legal and regulatory framework that applies in the organization's context, and the time and resources that are available.

These criteria should be continually reviewed.

Categories for which risks in a quality management system and associated processes will be evaluated need to be defined and documented, taking account of all associated activities from which risks could arise that would adversely affect the organization or any of its stakeholders. These could include:

• Human health and safety;
• Environmental protection;
• Legal and regulatory compliance;
• Cost;
• Production schedule / deadlines;
• Reputation;
• Performance.

However, this list will depend on context and the risks being evaluated.

When defining risk criteria, you should consider:

• The nature and type of causes;
• The consequences that can occur;
• How consequences will be measured;
• How likelihood will be defined (for example qualitatively or as a quantitative probability);
• The timeframe;
• How the level of risk is to be determined;
• What is an acceptable (or tolerable) level of risk.

For the risk criteria to be adequate to support the decisions made at the risk treatment stage, they should:

• Assist in decision-making leading to actions that reduce risk to levels that are as low as reasonably practicable;
• Be capable of being communicated, understood and applied within the organization and to an external organization (ISO 9001:2013, 3.01) where it performs part of an organization's function (Ibid. 3.25) or process (Ibid. 3.12);
• Be unambiguous in their formulation;
• Not evidence any bias towards particular risk treatment options in the way in which risk is expressed.

A closer look at Document Control for ISO 9001

Documented information:

Statement of organization context - including its size and complexity, a general outline of the external and internal risks and opportunities that it needs to address, and how that knowledge is to be made accessible.

Step 2: Risk identification

Having established the organization's context, we need to identify the specific risks and opportunities that need to be addressed (see clause 6.1) through the quality management system and its associated processes. Risk identification is the process to determine what might happen that could result in undesirable outcomes (see 0.5) that have a negative impact on the organization's ability to "...consistently provide products and services that meet customer and applicable statutory and regulatory requirements or the organization's aim to enhance customer satisfaction"¹⁰.

The risk identification process should be as comprehensive and systematic as possible in order to ensure that risks affecting quality are not ignored.

Process inputs

Information used may include:

• Historical data;
• Theoretical analysis;
• Empirical data and analysis;
• Informed opinion of the project team and other experts;
• The concerns of stakeholders¹¹.

Method

1. Use one or more of the Look-up and/or Supporting Methods described in ISO/IEC 31010 designed for Risk identification.

These techniques include:

• Structured interviews
• Brainstorming
• Examination of similar quality processes
• Delphi technique
• SWIFT technique

[See my previous blog post about ISO/IEC 31010 for more information: ISO 31000 Risk management techniques Attributes of a selection of risk assessment tools ].

2. Produce a comprehensive list of possible risks to successful outcomes.

Process outputs

See item 2 above.

Steps 3 - 5 will analyse and evaluate these risks and prioritise treatment.

Documented information:

1. Risks and opportunities register (R&O register) - recording identified risks, controls, and ratings.

Techniques for risk identification

The International Standard, ISO/IEC 31010 describes the techniques for risk identification that could be used in Quality Management Systems.

Along with examining any check-lists that identify the causes of risk that have led to preventive actions, and the experience of other quality managers in similar contexts, you should also consider conducting structured interviews with individuals, focus and discussion groups, scenario analysis, and surveys and questionnaires to help identify risks.

The recommended method is Brainstorming - see previous blog post.

Brainstorming is significantly more effective than superficially attractive mechanisms such as checklists. The process draws on the creative capacity of the participants, reducing the danger of over-looking new and emerging issues¹².

The quality manager/lead writes the initial risk list on a whiteboard without comments from the other participants, who then make their contributions. The team reviews the list, classifying and grouping the similar risks where appropriate and adding new ones as ideas are generated. The aim is usually to generate a list of 10 risks associated with each quality process being assessed, although this number will vary depending on the organizational context and complexity of processes.

A structured workshop is the most effective format and adequate time should be allocated by key participants for all the risks to be considered.

How a DMS supports highly effective product development

Experience and knowledge will always form a valuable part of the process, however, historical information should not be allowed to block a creative assessment of the future where the situations that have never arisen before affect the balance between familiar risks may shift dramatically¹³.

Step 3: Qualitative risk analysis & risk evaluation

What is a `Qualitative analysis' of risk?

Qualitative analysis is based on ordinal and ranking scales for describing the consequences and likelihoods of risk. This method helps managers to understand risks and prioritise them for treatment, taking account of activities, processes and plans that act as controls. It is a useful approach in situations where there is insufficient reliable statistical data available, or where time and cost constraints prevent managers from undertaking a more resource-intensive semi-quantitative or quantitative analysis of risk.

In comparison:

Quantitative analysis uses numerical (ratio) scales for consequences and likelihoods, rather than descriptive or nominal scales, and requires more advanced skills.

Does ISO 9001:2015 require a qualitative risk assessment?

ISO 9001:2015 requires that we consider risk qualitatively (and, depending on the organization's context, quantitatively) when defining the rigour and degree of formality needed to plan and control the quality management system, as well as its component processes and activities. Qualitative risk analysis is the systematic use of available information - including documented information from the risk identification process in Step 2 - to develop an understanding of the risks to quality objectives¹⁴.

This includes:

• Assessing the effectiveness of existing controls;
• Determining the consequences that characterise each risk;
• The likelihood of those consequences arising; and
• The potential exposure were the controls to fail.

Sources of information for qualitative analysis

The quality management team is often the best source of information for assessing risks to quality in terms of their causes and consequences.

However, where the organizational context is high-risk and/or complex, additional information will most likely be required from other teams. When assessing high-priority risks and evaluating the most effective ways to mitigate them, quality managers/leads may include sources such as:

• Historical records;
• Process records; either specific to the kind of process being assessed, or where comparisons and inferences can be drawn regarding risk scenarios;
• Industry best practice;
• User experience (from quality records and other sources - e.g. customer service records, social media discussions, consumer satisfaction surveys);
• Published literature and research reports that contain theory and/or examples relating to failure modes or equipment reliability;
• Product brochures and technical manuals;
• Audit reports.

Process inputs

Information used in qualitative risk analysis and evaluation includes:

• Historical data;
• Theoretical analysis;
• Empirical data and analysis;
• Informed opinion of the project team and other experts;
• The concerns of stakeholders¹⁵.

Note: This simple list is intended to be identical to the list for risk identification in Step 1, although you can probably add further types of information based on your organization's experience of risks to outputs.

Method

Steps required for a Qualitative Risk Assessment include:

1. List process controls that are already in place and act to modify each risk and assess their effectiveness.
2. Determine the kind and level of consequences that characterise each risk.
3. Assess the likelihood of the consequences occurring, given the controls in place.
4. Combine levels of consequences and likelihoods to determine the level of risk.
5. Evaluate the potential exposure for each risk identified to desired quality outcomes.
6. Agree the management priorities for:
   • risk treatment;
   • control assurance; and
   • ensure top management oversight¹⁶.
7. In conjunction with Step 5 (Risk Treatment): use risk criteria to determine a) the risk treatment options available and b) whether any residual risk level in your quality processes will be tolerable.

Process outputs

A prioritised list of risks that takes account of uncertainty for:

• Quality process objectives
• Organizational objectives

For each risk, determine a rating for:

• Control effectiveness;
• Consequence;
• Likelihood;
• Level of risk; and
• Potential exposure.

Documented information:

1. Risks and opportunities register (R&O register) - Recording identified risks, controls, and ratings.

Summary:

In the first 3 Steps of this risk management process for quality systems, we have addressed three fundamental requirements of ISO 9001:2015; namely:

1. Understanding the context of the organization, its quality management system and processes (Clause 4).
2. Processes for planning and consideration of risks and opportunities (Clause 6)
3. Processes for support, including resources, people and information (Clause 7)

As ISO 9001:2015 states, the process for considering and controlling past, existing and additional knowledge needs to take account of the organization's context, including its size and complexity, the risks and opportunities it needs to address, and the need for accessibility of knowledge¹⁷. I propose documented information in the form of (1) Statement of Context, and (2) Risks and Opportunities Register (R&O register) used to record identified risks, controls, and ratings.

There are twelve posts in this series. To read Part VIII, please click here.

Notes:

¹  Moving from ISO/IEC 27001:2005 to ISO/IEC 27001:2013: The new international standard for information security management systems, Transition Guide, BSI Group. 3.24, p.17.
²  Ibid. A.3, p.45.
³  Ibid. 4.1. p.25.
⁴  Ibid. 4.4 Quality management system and its processes, p.26
⁵  ISO 31000, 2 Terms and definitions, 2.1 risk, p.1
⁶  Project management guidelines: managing risk with ISO 31000 and IEC 62198, Dale F Cooper, et al, John Wiley & Sons Inc, March 2014.
⁷  ISO/DIS 9001:2004, Clause 0.1 Introduction, p.6.
⁸  Ibid. Clause 0.5, p.9.
⁹  Ibid. Clause 0.1 Introduction, p.6.
¹⁰  Ibid. A.3 Context of the organization, p.43.
¹¹  Adapted from assessing risks to quality from Project management guidelines: managing risk with ISO 31000 and IEC 62198, Dale F Cooper, et al, John Wiley & Sons Inc, March 2014
¹²  Ibid.
¹³  Ibid.
¹⁴  Ibid. Chapter 8: Qualitative Risk Analysis and Risk Evaluation.
¹⁵  Adapted from assessing risks to quality from Project management guidelines: managing risk with ISO 31000 and IEC 62198, Dale F Cooper, et al, John Wiley & Sons Inc, March 2014
¹⁶  ISO/DIS 9001:2014, Clause 5.1.1 Leadership and commitment for the quality management system, pp.26-27.
¹⁷  ISO/DIS 9001:2014, A.7 Organisational knowledge, p.46.