ISO 9001:2015 – How to apply Risk-based Thinking to Quality Processes [Part IX]


How to apply Risk-based Thinking to Quality Processes - a Summary

There are twelve posts in this series. To read Part VIII, please click here.

Over the past weeks we've been looking at the topic of risk-based thinking (RBT) in the context of ISO 9001:2015. This is something of a sore point among Quality professionals. Some believe that RBT is an ill-considered introduction in the latest revision of the standard. Others are more positively inclined towards it. Either way, the Standard revision (at least in draft form) is not at all clear on what needs to be done.

One approach could be to look to the ISO 31000 family of standards for guidance. If you do, then ISO/IEC 31010:2009 – Risk management – Risk assessment techniques would be a key input.

After introducing the problem and ISO 31010 in Part 1, we summarise some of the 31 risk assessment techniques in that standard in Part 2, Part 3, Part 4, and Part 5.

In Part 6, we introduced a Six Step methodology that could be suitable for ISO 9001. Part 7 outlines Steps 1-3 of the method in more detail, and Part 8 covered Steps 4-6.

Now, here in Part 9, we will summarise the previous posts, in an effort to bring it all together.

The need for Risk-Based Thinking (RBT)

We began by saying in Part I that identifying risk, analysing the consequences, probability and level of risk (i.e. risk analysis), and evaluating risk using formal techniques, are becoming increasingly important in the global business world.

Formal risk management is not mandated by ISO 9001:2015 (at least not in the draft published in 2014). However, organizations can, in the words of the TC 176 Committee’s draft standard (May 2014) “…choose to develop a more extensive risk-based approach than is required by this International Standard, and ISO 31000 provides guidelines on formal risk management which can be appropriate in certain organizational contexts".

So what will actually be required by ISO 9001 assessors as evidence of risk-based thinking? At this point in time (June 2015), we don't really know. The DIS can be read as suggesting that the outputs of your processes for considering risk will need to be shown as evidence of RBT. Whether or not that turns out to be the case when ISO 9001:2015 is published in September, risk-based thinking is likely to be required to plan and control the quality management system (QMS) and its component processes and activities, and is unlikely to be ignored in certification audits.

Why think about risks in the context of Quality Processes?

Apart from the obvious answer that most ISO 9001:2008-registered organizations would like to continue to comply with the Standard, there are several good reasons for analyzing and prioritizing the risks and opportunities, and planning the actions necessary to address the risks.

To achieve that often complex task, ISO 31000:2009 can help in taking a ‘risk-based approach’ to the quality management system, component processes and activities - although the ISO 9001:2015 standard will not (or is unlikely to) mandate the use of formal risk management processes.

Unfortunately, ISO 31000 has not been specifically designed to explain how you should apply "risk based thinking" to quality systems. Instead, it takes a generic approach that has to be developed – often in considerable detail – to be useful in a given context. In practice, risk management using ISO 31000 is not likely to be intuitive.

Risk assessment in ISO 31000 may be undertaken in varying degrees of depth and detail and using one or many methods ranging from simple to complex. When applying these ideas to quality systems, it would surely be appropriate to select a risk assessment method whose output is consistent with the risk criteria developed as part of establishing the context [Clause 6.2]. Assuming that you do not have a method in place already: which one should you choose from the bewildering array?

A risk assessment process needs to include the following task activities:

  • risk identification;
  • risk analysis – consequence analysis;
  • risk analysis – qualitative, semi-quantitative or quantitative probability estimation;
  • risk analysis – assessing the effectiveness of any existing controls;
  • risk analysis – estimation of the level of risk;
  • risk evaluation.

The tools necessary to achieve these steps are listed in ISO 31010:2009; especially Table A.1 – Tools used for risk assessment - see Part I of this series of blog posts. And it has to be said, the list is daunting to many quality professionals who are unfamiliar with risk management processes.

The sheer complexity of some types of risk assessment will render the tool useless in most organizations employing between 1 and 250 people. However, that doesn’t mean to say that ISO 31010 isn’t a valuable reference should you ever be required to think about risk in these terms.

ISO 31010 risk assessment techniques - how can they help quality managers to apply RBT to the QMS and its associated processes?

In this series we have described a selection of the 31 techniques listed in ISO 31010. We have attempted to link these tools to QMS processes in a meaningful way; however, our approach is not intended as a reliable reference source, since a great deal will depend on the organization's context and there are a considerable number of possibilities (potentially many thousands for different types and/or sizes of organization). There is also no common consensus as yet regarding which ISO 31010 risk assessment techniques are the most appropriate to apply to ISO 9001:2015 quality processes; although this is certain to be covered in future books and journal articles on how to comply with the standard.

Our selection from ISO 31010 includes the following methods, which are described more fully in Parts II, III and IV of this series of blog posts.

The content below is intended as a summary of each risk assessment technique. Follow the links for more information, including notes on how these might be applied to a QMS and associated quality processes:

Look-up Methods

A simple form of risk identification: a checklist of typical uncertainties that need to be considered. Users refer to a previously developed list, codes or standards rather than generating the list from scratch.

Preliminary hazard analysis
A simple inductive method of analysis whose objective is to identify the hazards and hazardous situations and events that can cause harm for a given activity, facility or system.

Supporting Methods

Structured interview and brainstorming
A means of collecting a broad set of ideas and then evaluating and ranking them as a team. Brainstorming may be stimulated by prompts or by one-on-one and one-on-many interview techniques.

Delphi technique
A structured collaborative communication technique, originally developed as a systematic, interactive forecasting method which relies on a panel of experts.

SWIFT (Structured “what-if” )
SWIFT is a system for prompting a team to identify risks, normally used within a facilitated workshop and linked to a risk analysis and evaluation technique.

Human reliability analysis (HRA)
Human reliability analysis (HRA) deals with the impact of humans on system performance and can be used to evaluate the influence of human error on the system.

Scenario Analysis

Root cause analysis (RCA)
RCA uses a specific set of steps, with associated tools, to help find the primary cause of the problem; so that you can:

  • Determine what happened;
  • Determine why it happened.

And then decide what to do to reduce the likelihood of a reoccurrence.

Scenario analysis
Scenario analysis is a process of analyzing possible future events by considering alternative outcomes (sometimes called “alternative worlds”).

Toxicological / Environmental / Ecological risk assessment
An ecological risk assessment tells what happens to a bird, fish, plant or other non-human organism when it is exposed to a stressor, such as a pesticide.

Business impact analysis (BIA)
A Business Impact Analysis identifies how the organization's key processes would be affected by a disruption (from internal or external threats), which assets and resources those processes depend on, and how quickly they must be recovered, so that prevention and recovery arrangements can be planned without losing the organization's competitive advantage or the integrity of its value system.

Fault tree analysis
A top-down, deductive technique that starts from an undesired "top event" and traces the combinations of lower-level faults that can cause it, using logic gates (AND/OR). It is used in safety engineering and reliability engineering, mostly in the aerospace, nuclear power, chemical and process, pharmaceutical, petrochemical and other high-hazard industries.

Event tree analysis
A forward, bottom up, logical modelling technique for both success and failure that explores responses through a single initiating event and lays a path for assessing probabilities of the outcomes and overall system analysis.

Cause and consequence analysis
A combination of fault and event tree analysis that allows inclusion of time delays. Both causes and consequences of an initiating event are considered.

Cause-and-effect analysis
An effect can have a number of contributory factors, which can be grouped by category in an Ishikawa (fishbone) diagram. The contributory factors are often identified through a brainstorming process.

Function Analysis

FMEA (Failure modes and effects analysis) and FMECA (Failure modes and effects and criticality analysis)
FMEA/FMECA is an inductive reasoning (forward logic) single point of failure analysis and is a core task in reliability engineering, safety engineering and quality engineering. Quality engineering is especially concerned with the “Process” (Manufacturing and Assembly) type of FMEA.

Reliability-centred maintenance (RCM)
A technique that is used to achieve the required safety, availability and economy of operation (safe minimum levels of maintenance), so that assets continue to do what their users require in their operating context.

Sneak analysis (SA) and sneak circuit analysis (SCA)
Sneak analysis is aimed at uncovering design flaws that allow 'sneak conditions', i.e. latent conditions that may cause unwanted actions or may inhibit a desired function, and which are not caused by component failure.

HACCP (Hazard Analysis and Critical Control Points)
A systematic preventive approach to food safety that addresses the biological, chemical and physical hazards in production processes that can cause the finished product to be unsafe, and designs measures to reduce these risks to a safe level.

LOPA (Layers of Protection Analysis)
A technique for analysing whether there are sufficient measures to control or mitigate the risk of an undesired outcome.

Bow-tie analysis
Bow-tie analysis is a simple diagrammatic way to display the pathways of a risk showing a range of possible causes and consequences.

Statistical Methods

Markov analysis
A method named after the Russian mathematician Andrey Markov, best known for his work on stochastic processes. It models a system as moving between a finite set of states, where the probability of the next state depends only on the current state, and is used to analyse how the system evolves over time.

Monte-Carlo analysis
Monte Carlo analysis consists of a broad class of computational algorithms that rely on repeated random sampling to obtain numerical results. This method can address complex situations that would be very difficult to understand and solve by an analytical method.

Bayesian analysis
Referring again to Table A.1 from ISO 31010, Bayesian analysis is a statistical procedure that combines a prior probability distribution with observed data to give an updated (posterior) probability of the result. Because they are probabilities given the observed data, these are often called conditional probabilities.

How will ISO Assessors attempt to assess RBT in Quality Systems?

The short answer at the moment is: we don't know. However, as we have postulated, there are three possibilities:

Option 1:

They will ignore the risk-based thinking requirements of Clause 6 in the way that preventive actions have (some claim) been ignored in the past.

(Note: Clause 6, as it appears in the DIS published in 2014 requires "Processes for planning and consideration of risks and opportunities").

Option 2:

They will regard a failure to show evidence of risk-based thinking in an organization's quality processes as a non-conformity (perhaps even a major non-conformity), and will judge the quality system to be ineffective because it has failed to reduce or eliminate the risks to process outputs. That assumes, of course, that they find evidence of non-conformities that the required consideration of, and planning for, risks would have prevented.

Option 3:

Highlight in their report any good practices seen in the application of risk-based thinking to the planning and consideration of quality processes; showing how this has helped to achieve continual improvement of the system and provide the assurance of conformity to customer and applicable statutory and regulatory requirements.

You may decide differently, but in our view Option 3 is more likely in the majority of cases. Ergo, it can't hurt your case to show documented evidence of RBT, regardless of whether documented information is a requirement or not.

However (HEALTH WARNING!), it will be your assessor that decides this, not us!

Proposed Risk Assessment Methodology for applying RBT to QMS

Accepting the above fact, that nobody can be 100% sure of how RBT will be assessed in any given QMS, we have proposed in this series of posts a method for applying RBT in the form of a basic risk management model, inspired by the work of established risk management gurus, including Dale F Cooper, but also taking account of continual process improvement models, such as those used in ITIL. This breaks down into 6 simple Steps.

They are:

1.    Establish the context

Referencing 4.1 Understanding the organization and its context, and 4.2 Understanding the needs and expectations of interested parties: this step determines the issues and requirements that can impact on the planning of the quality management system; including: (a) the main objectives and outcomes that are uncertain / subject to risk; and (b) the needs and expectations of the organization’s customers and other relevant interested parties; the products and services it provides; the complexity of processes it employs and their interactions; the competence of persons within or working on behalf of the organization; and its size and organizational structure.

2.    Risk identification

This step involves selecting a suitable process for risk identification (see below) and for each quality process, identifying and numbering the risks. The activity is designed to be carried out in a group situation where each risk is described in terms of what could happen and what that could lead to, the causes of the risk – both external and internal to the organization – and the existing controls that could prevent, transfer or mitigate risks. This process records the risks in a Risk and Opportunities Register (R&O Register) that would form an integral part of the Quality Management System.

3.    Qualitative risk analysis & risk evaluation

The systematic use of available information regarding probability, consequence and exposure will lead to a better understanding of the risk and the controls that are needed. For each risk we would then: assess the effectiveness of the existing controls using a suitable effectiveness scale; determine the consequences (impact) for each risk; the likelihood of these consequences occurring; and the potential exposure were the controls that we have in place to fail. For example, a failure to control the quality of production outputs through an adequate inspection process could result in the customer rejecting the goods or services supplied as unfit for purpose, causing the organization to suffer a financial loss that can be measured in penalties under the terms and conditions of the contract, plus damage to its reputation.

4.    Semi-Quantitative risk assessment for systems and processes

Qualitative analysis is used to determine the probability and impact of risks; however, by its nature and definition, it lacks quantitative precision. In comparison, a semi-quantitative measure of risk is an estimate derived using a scoring approach. Risk indices are used to rate a series of risks against the same criteria so that they can be more easily compared. Scores are applied to each component of risk, to assess both the consequence (impact) and the likelihood of the risk occurring, and to derive an average consequence score and an average likelihood score for the risks associated with each process analysed. These scores are then used to determine the comparative 'risk factors' (RFs) for the different processes, to aid decision-making by plotting the RFs on a graph overlaid with iso-contours (lines of constant consequence x likelihood).

5.    Risk-treatment

This step brainstorms options for treating the risk that fit the following categories: avoiding or seeking the risk; changing the likelihood; changing the consequences; sharing the risk; and explicitly accepting the risk without further treatment. The benefits and costs, advantages and disadvantages of each treatment option are taken into account and where the benefits determined exceed the known/likely costs of action, treatment options are selected for implementation. The brainstorming process is repeated after implementation to determine whether the level of risk after risk treatment has been completed is tolerable; and if this is not the case, then further risk treatment actions are sought and considered.

6.    Monitoring & review

A monitoring process is developed for each risk by the risk owners, and for each relevant control by the control owners. Decisions are made about the time intervals at which the risks and controls will be reviewed. At the same time, a monitoring process is put in place for each risk treatment plan under the direction of the relevant risk owners. Progress is monitored against the objectives of the risk treatment plan, and the resulting successes and failures recorded. Periodically, the team assesses whether new risks are affecting, or could affect, quality processes and systems, as part of the cycle of continuous quality process improvement (see Figure 1.0 below).

Figure 1.0: How to apply Risk-based Thinking to Quality Processes (figure not reproduced here)
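To make Steps 2 to 4 concrete, here is an added example (our own illustration, not code from the post or from any ISO standard) that scores a small Risk and Opportunities Register and derives a risk factor per quality process. Everything about the scales is an assumption: consequence and likelihood are scored 1 to 5, existing controls are given an effectiveness factor between 0.0 and 1.0 that scales the uncontrolled likelihood, "exposure were the controls to fail" is the score with that factor set to zero, and the iso-contour bands in BANDS are illustrative thresholds. The register itself is constructed. The example also reports the worst single risk in each process, because an average can hide one extreme risk behind several trivial ones.

```python
"""Added example: semi-quantitative scoring of a Risk & Opportunities (R&O) Register.

Assumptions (not from the post): 1-5 ordinal scales for consequence and
likelihood, a 0.0-1.0 control-effectiveness factor that scales likelihood,
and the iso-contour bands in BANDS. The sample register is constructed.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Risk:
    ref: str                      # risk number in the R&O Register
    process: str                  # quality process the risk belongs to
    description: str              # what could happen and what it could lead to
    consequence: int              # 1 (negligible) .. 5 (severe)
    likelihood: int               # 1 (rare) .. 5 (almost certain), with NO controls in place
    control_effectiveness: float  # 0.0 (no effective control) .. 1.0 (fully effective)

    def __post_init__(self) -> None:
        # Reject scores outside the agreed scales so a typo cannot silently skew a process average
        if not 1 <= self.consequence <= 5 or not 1 <= self.likelihood <= 5:
            raise ValueError(f"{self.ref}: consequence and likelihood must be 1..5")
        if not 0.0 <= self.control_effectiveness <= 1.0:
            raise ValueError(f"{self.ref}: control effectiveness must be 0.0..1.0")


# Iso-contours of constant consequence x likelihood (assumed thresholds, inclusive upper bound)
BANDS = ((4, "low"), (9, "medium"), (15, "high"), (25, "extreme"))


def band(score: float) -> str:
    """Map a consequence x likelihood score (1..25) onto the iso-contour band it falls in."""
    for upper, name in BANDS:
        if score <= upper:
            return name
    raise ValueError(f"score {score} is outside the 1..25 scoring grid")


def residual_likelihood(r: Risk) -> float:
    """Likelihood after existing controls: effectiveness 0.5 halves the uncontrolled score."""
    return r.likelihood * (1.0 - r.control_effectiveness)


def residual_score(r: Risk) -> float:
    """Consequence x residual likelihood for a single risk."""
    return r.consequence * residual_likelihood(r)


def exposure_if_controls_fail(r: Risk) -> int:
    """Step 3's 'exposure were the controls to fail': the score with effectiveness taken as zero."""
    return r.consequence * r.likelihood


def process_risk_factors(register: List[Risk]) -> Dict[str, dict]:
    """Step 4: average consequence and likelihood per process and derive its risk factor (RF).

    The worst single risk is reported alongside the average because averaging can hide
    one extreme risk behind several trivial ones (see the customer-complaint process below).
    """
    by_process: Dict[str, List[Risk]] = {}
    for r in register:
        by_process.setdefault(r.process, []).append(r)

    factors: Dict[str, dict] = {}
    for proc, risks in by_process.items():
        avg_c = sum(r.consequence for r in risks) / len(risks)
        avg_l = sum(residual_likelihood(r) for r in risks) / len(risks)
        rf = avg_c * avg_l
        worst = max(risks, key=residual_score)
        factors[proc] = {
            "avg_consequence": avg_c,
            "avg_likelihood": avg_l,
            "risk_factor": rf,
            "band": band(rf),
            "worst_ref": worst.ref,
            "worst_score": residual_score(worst),
            "worst_band": band(residual_score(worst)),
            "max_exposure_if_controls_fail": max(exposure_if_controls_fail(r) for r in risks),
        }
    return factors


def rank_processes(factors: Dict[str, dict]) -> List[str]:
    """Processes in descending order of RF, i.e. the order in which to consider treatment."""
    return sorted(factors, key=lambda p: factors[p]["risk_factor"], reverse=True)


# Constructed sample register (not real data)
SAMPLE_REGISTER = [
    Risk("R-01", "Incoming inspection", "Non-conforming parts accepted into stock", 4, 4, 0.5),
    Risk("R-02", "Incoming inspection", "Inspection records incomplete", 2, 2, 0.5),
    Risk("R-03", "Customer complaint handling", "Complaint not logged, so no corrective action", 5, 4, 0.0),
    Risk("R-04", "Customer complaint handling", "Acknowledgement sent late", 1, 2, 0.5),
    Risk("R-05", "Customer complaint handling", "Complaint closed without customer sign-off", 1, 1, 0.0),
    Risk("R-06", "Document control", "Obsolete work instruction in use on the shop floor", 3, 4, 0.25),
    Risk("R-07", "Document control", "Unapproved change to a controlled procedure", 4, 4, 0.25),
]

if __name__ == "__main__":
    factors = process_risk_factors(SAMPLE_REGISTER)
    for proc in rank_processes(factors):
        f = factors[proc]
        print(f"{proc:28s} RF={f['risk_factor']:5.2f} ({f['band']:7s}) "
              f"worst={f['worst_ref']} {f['worst_score']:.1f} ({f['worst_band']}) "
              f"exposure if controls fail={f['max_exposure_if_controls_fail']}")
```

Run as a script, the ranking puts Document control first (RF 10.5, "high"). The point to notice is the customer-complaint process: its averaged RF is only "medium", yet it contains the single worst risk in the register (R-03, score 20, "extreme") because two trivial risks drag the average down. If you plot only the process-level RFs on the iso-contour graph, that risk disappears from view, so a register used for Step 5 treatment decisions should carry the worst-risk score alongside the average.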
There are twelve posts in this series. To read Part X, please click here.

Next time:  Suggested documented information for applying risk based thinking in a QMS - starting with:

1. Statement of organization context

2. Risk description worksheet.

This post was written by Michael Shuff.


Tags: ISO 9001:2015, Quality Management System, Compliance, ISO 13485:2016

Paul Walsh

Written by Paul Walsh

Paul Walsh was one of the founders of Cognidox. After a period as an academic working in user experience (UX) research, Paul started a 25-year career in software development. He's worked for multinational telecom companies (Nortel), two $1B Cambridge companies (Ionica, Virata), and co-founded a couple of startup companies. His experience includes network management software, embedded software on silicon, enterprise software, and cloud computing.
