Risk-Based Thinking in ISO 9001:2015 Quality Processes - Part VIII



Steps 4-6 in the method

There are twelve posts in this series; this part follows Part VII.

If you haven't read the previous posts on risk assessment tools, you may like to go back and read Steps 1, 2 & 3 of a simple risk management methodology to apply to ISO 9001 quality processes.

Or carry on to Steps 4, 5 & 6 from the 6 Step Method below.

Just to recap:

The method has 6 Steps, which are:

  1. Establish the context
  2. Risk identification
  3. Qualitative risk analysis & risk evaluation
  4. Semi-Quantitative risk assessment for systems and processes
  5. Risk-treatment
  6. Monitoring & review

We shall now look at Steps 4, 5 and 6, starting with a suggested method for Semi-Quantitative risk assessment applied to the requirements of Quality Management Systems and related Processes.

STEP 4: Semi-Quantitative risk analysis and risk evaluation

Semi-Quantitative risk assessments support decision-making by identifying potentially high-risk processes, without identifying risks explicitly.

Agreed priorities are used to determine those processes where the highest level of planning and consideration of risk should be focussed.

Process inputs

Documented information used in the assessment process may include process documents, such as:

  • quality plans, procedures and work instructions;
  • scope definitions;
  • cost and schedule assumptions pertaining to processes and outputs;
  • engineering process designs and studies;
  • economic analyses;
  • empirical data and analysis;
  • informed opinions of experts;
  • concerns and expectations of stakeholders and customers; and
  • relevant documented information about the QMS and its processes.


  1. Develop an appropriate structure for examining quality system processes;
  2. Use a semi-quantitative risk assessment tool (see example to follow) to assess the consequences and likelihood of risks arising in each process;
  3. Convert the consequence and likelihood of risks arising in each process to an initial priority level;
  4. Determine Risk Factors (RF) for each of the risks analysed (see below);
  5. Plot the P (Probability) and C (Consequence) values to show the risk factors affecting quality processes and their desired outputs;
  6. Use the risk factors, the ranking and the risk profile to decide which of the identified risks may be deemed acceptable or unacceptable, and to enable resource priorities to be determined.

Process outputs

A list of risks to outputs prioritised by risk factor; i.e. level of 'riskiness'.

Consequence and likelihood ratings and agreed priorities for each risk.

Risk contour diagrams (see example below), plotting risk factors and iso-contours (points of equal RF value) to give an indication of priorities.

Methods for calculating risk factors

Risk factors may be calculated as the product of the likelihood (probability) and consequence scores:

RF = P x C

There is a very good reason to be cautious with this method: risks with high consequence scores and low probabilities can be allocated low risk factors, so the product formula may downgrade such a risk in terms of priorities. This is an important concern in quality management when considering possible critical non-conformities (i.e. any nonconformity which may result in hazardous or unsafe conditions for individuals using, maintaining or depending upon the product, or prevent performance of a vital agency mission) and major non-conformities (any nonconformity other than critical which may result in failure or materially reduce the usability of the product for its intended purpose): however unlikely the undesired outcome, the purpose of the quality system will be undermined and the organization's reputation badly damaged should this type of non-conformity ever arise.

By using scores from 0 (low) to 1 (high), it is possible to produce a high risk factor whenever either the consequence or the likelihood is high, using the following method described in work by Dale F Cooper.1

RF = Likelihood (P) + Consequence (C) - Product of scores (P x C)

P  = likelihood measure, on a scale of 0 to 1
   = average of likelihood factors
C  = consequence measure, on a scale of 0 to 1
   = average of consequence factors
RF = risk factor
   = P + C - (P x C)

[Figure 1: Risk factors and iso-contours for a quality process]

Iso-contours are curves on a graph connecting points at which a function of two variables takes a constant value. A common example is map contours, which join points of equal height. In this example the function is the Risk Factor (RF), the two variables are likelihood (P) and consequence (C), and the constant values are, e.g., RF = 0.2, RF = 0.4, RF = 0.6, RF = 0.8 and RF = 0.9.
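The two formulas and the iso-contour above, carried through in code as an added example (not code from the post or from Cooper's book). The three risks and their factor scores are constructed sample values, and the function names are chosen here; the ranking shows the downgrading of a low-probability, high-consequence risk that the post cautions against.

```python
# Added worked example (not code from the original post or from Cooper's book).
# It contrasts the product formula RF = P x C with Cooper's RF = P + C - (P x C),
# derives P and C as averages of 0..1 factors, and solves the RF iso-contour.
# All risk names and factor scores below are constructed sample values.
from statistics import mean

def product_rf(p: float, c: float) -> float:
    """Risk factor as the plain product P x C (the method the post cautions against)."""
    return p * c

def cooper_rf(p: float, c: float) -> float:
    """Risk factor as P + C - (P x C): high when either P or C is high."""
    return p + c - p * c

def score(factors):
    """P or C as the average of its 0 (low) to 1 (high) factors, validating the scale."""
    for f in factors:
        if not 0.0 <= f <= 1.0:
            raise ValueError(f"factor {f} is outside the 0 to 1 scale")
    return mean(factors)

def iso_contour_c(p: float, rf: float) -> float:
    """Consequence C at which likelihood p lies on the iso-contour of constant rf.
    Rearranging rf = p + c - p*c gives c = (rf - p) / (1 - p); there is no finite
    solution at p = 1, where RF is 1 regardless of C."""
    if p >= 1.0:
        raise ValueError("iso-contour is undefined at P = 1")
    return (rf - p) / (1.0 - p)

# Constructed sample risks: name -> (likelihood factors, consequence factors).
SAMPLE_RISKS = {
    "minor nonconformity (cosmetic defect)": ([0.7, 0.8, 0.6], [0.1, 0.2]),
    "major nonconformity (unusable batch)": ([0.3, 0.4], [0.6, 0.7, 0.8]),
    "critical nonconformity (unsafe product)": ([0.05, 0.1], [1.0, 0.9]),
}

def rank_risks(risks=SAMPLE_RISKS, method=cooper_rf):
    """Return (name, P, C, RF) rows sorted by RF, highest priority first."""
    rows = []
    for name, (lf, cf) in risks.items():
        p, c = score(lf), score(cf)
        rows.append((name, round(p, 3), round(c, 3), round(method(p, c), 3)))
    return sorted(rows, key=lambda row: row[3], reverse=True)

if __name__ == "__main__":
    # Under P x C the critical risk ranks last; under Cooper's formula it ranks first.
    for label, method in (("P x C", product_rf), ("P + C - (P x C)", cooper_rf)):
        print(f"\nRanking by {label}:")
        for name, p, c, rf in rank_risks(method=method):
            print(f"  RF={rf:.3f}  P={p:.3f}  C={c:.3f}  {name}")
    # Points on the RF = 0.8 iso-contour, as drawn on the post's risk contour diagram.
    print("\nRF = 0.8 iso-contour:")
    for p in (0.0, 0.2, 0.4, 0.6, 0.8):
        print(f"  P={p:.1f} -> C={iso_contour_c(p, 0.8):.3f}")
```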

What is the value of the Semi-Quantitative approach in Step 4, following the Qualitative Assessment conducted in Step 3?

To quote Holger Schutz et al., in 'Comparative risk assessments: concepts, problems and applications':2 "[In the qualitative approach to risk assessment] an event is verbally described in relation to other events. Absolute reference points and specifications for the bandwidths are lacking (in which field is the term 'high' to be classified?) so that no comparison of various processes / specifications is possible." In other words, the value of a qualitative risk assessment is limited, since more precise data is needed to make accurate comparisons between the risks being analysed. The breadth of the classifications needs to be chosen so that "...the findings of imprecise data still lie within the bandwidth of the classes". A semi-quantitative classification of the type in the diagram above can assess the order of magnitude of the importance of individual risk scenarios, either at the quality process or wider organisational level. Because the qualitative terms in this approach have been given numerical values, the results can be verified by following each single step of the assessment3, enabling high-priority risks to be singled out.

This semi-quantitative approach to assessing risks in a Quality System has the advantage of allowing comparison of the various risks of non-conformities (minor, major and critical) on one or more risk attributes by one or more evaluators, resulting in a consensus view of what are the 'real' risks as measured by risk factors which are plotted on one graph.

In organisational environments where a degree of uncertainty makes it difficult to predict which risks to quality outcomes are the highest priority, this type of analysis supported by a consensus risk identification process, provides meaningful outputs to guide planning and consideration of risks.

To read more about the semi-quantitative risk analysis method, see:
Project management guidelines: managing risk with ISO 31000 and IEC 62198; Dale F Cooper, John Wiley & Sons Inc, March 2014.

Documented information

Assessment sheets, recording likelihood indicators (rated high-low) and consequence indicators (rated high-low), plus the relevant discussions, assumptions and responses, and a risk score for each line entry made.

Diagrammatic representations of risk - e.g., a risk factor and iso-contour graph used to plot data from a semi-quantitative risk analysis.

STEP 5: Risk treatment

The risk identification and assessment process must translate into actions.

ISO 9001:2015 states that one of the key purposes of a quality management system is to act as a preventive tool. There is no longer a separate clause or sub-clause titled 'Preventive action', since the concept of preventive action is expressed through a risk-based approach to formulating quality management system requirements.4

Although there is no requirement for formal risk management or a documented risk management process, risk and opportunities have to be determined and addressed. If the QMS is to act as a preventive tool, risks have to be identified and evaluated (by some method, whether through analysis or "intuitively"), priorities assigned and risk treatment actioned.

Risk treatment involves the following steps:

  1. Identifying feasible risk treatment actions;
  2. Selecting those risk treatment actions that create value;
  3. Developing risk treatment plans.5

Brainstorming is a supporting method for examining treatment options.

The options can be summed up as follows:

  • Avoiding or seeking the risk
  • Changing the likelihood
  • Changing the consequences
  • Sharing the risk
  • Explicitly accepting the risk without further treatment.6

Process inputs

The primary inputs are lists of:

  • Risks and their priorities from the risk analysis and evaluation step.
  • Resources, including budget, which can be applied to treating risks.


  1. Identify options for addressing high-priority risks;
  2. Determine the potential benefits and costs of the options;
  3. Select the best options to treat the high-priority risks;
  4. Develop and implement detailed risk action plans;
  5. Make appropriate provisions in budgets for actions.7

Process outputs

Risk action plan summaries for each proposed risk treatment action.

Example of Risk Treatment in a Quality Management System

Starting with a list of high-priority risks, we:

Identify options for addressing the risks. Let's say that the anticipated problem is a backlog in production indicated by the following RF values:

  1. Speed and feed rates too slow: RF = 0.8
  2. Machine breakdowns: RF = 0.6
  3. High absence and tardiness rate: RF = 0.4

Which risks should take priority? And what options are available to the organization to treat one or more of the risks using available resources? The highest level risk is number 1. Speed and feed rates are likely to be too slow at present to meet the delivery schedule of a customer order. The quality management team, working with the operations team, has identified, analyzed and evaluated this risk as having a Risk Factor of 0.8 (on a scale of 0-1). Through brainstorming, they have identified and analysed a problem with the production operatives' familiarity with new materials. There is a secondary factor in terms of unfamiliarity with new machines (RF = 0.6). Absence and tardiness are also potentially an issue, as the operatives are reluctant to operate the new machines without proper training. However, the third anticipated risk, 'high absence and tardiness rate', has been assessed at RF = 0.4, lower than risks 1 or 2, so it is decided to prioritise treatment of 1 and 2.

The rationale:

Although lack of familiarity with new materials is thought a higher risk than machine breakdowns or high absence/tardiness rates, risks 1 & 2 taken together represent an unacceptably high risk within the context. Machine breakdowns due to poor maintenance by the supplier and/or operator error are known to have been a problem recently in a competing production facility, and are likely to reduce output rates at a critical time.

Risk 3 is thought to be a lower priority but merits consideration later on.

So what are the best options?

Strengthening the Operations team with an operator who is familiar with both the new materials and the machine is one possibility to consider.

Other options are:

Instigating a training programme to familiarise operatives with the new materials and improve their output performance using the new machines.

Increasing production hours through over-time to compensate for low output until the operatives are more familiar with the new materials, etc.

Outsourcing the manufacturing of the component made with the new material (either on a temporary or permanent basis) to avoid the risk.

Obviously, there could be other options available, but let's stick with these for now. The next action is to determine the potential benefits and costs of the options; and then select the best options to treat the risks.

The team next look at the possibility of hiring a skilled operative with experience of working with the materials in question and the machines. Although it's an attractive idea, they cannot be sure that they can hire the right person given the tight timescales they are working to; and although urgent enquiries could be made through Human Resources with specialist recruitment agencies, the expectation is that the only two viable options in the short-term are increasing production hours and outsourcing on a temporary basis. This is because a training programme will take longer to organise and will require a specialist trainer who has experience of the material and the machines. The trainer will not be available until over half way through the production of the customer's order; therefore, the only options are to increase production hours, accepting a high proportion of scrap that will be generated while operatives learn to work the material, or outsource to a manufacturer that has been using the material for two years and has successfully overcome their machine reliability problems.

The decision is made to avoid the risk by outsourcing in this instance; however, actions to design and implement a training course are agreed, so that the anticipated production problem will not re-occur in the future.

This risk treatment plan has removed the risk. It may of course have introduced a new potential risk: i.e. that the chosen outsourcing company proves to be unreliable and fails to deliver on time and/or within budget.

This identified risk will then be duly analysed, evaluated and, if it is thought necessary, treated as part of a continual review of the risks.

See Step 6: Monitoring and Review below.

Documented information

  1. Risk treatment options worksheet
  2. Risk treatment plan summary

STEP 6: Monitoring & review

The main aims of monitoring and review can be summed up as:

Developing a monitoring process for each...

  • risk (risk owners);
  • control (control owners);
  • treatment plan (risk owners)

It will be necessary to decide how risks and controls will be periodically reviewed, including how often and when the reviews will take place, who will conduct them, and which approach is most appropriate.

At this final stage, an organization should set up the following processes:

  • reporting process for risk and control monitoring and review;
  • reporting process for progress with risk treatment plans;
  • process to derive lessons from successes and failures within the quality processes and for communicating this information to the organization.8

This conforms to the requirements of ISO 9001:2015 in terms of establishing, implementing, maintaining and continually improving a quality management system, including the processes needed and their interactions.9

The Standard will expect you to plan and consider the risks and opportunities in accordance with the requirements of 6.1 (Steps 1-4 above), and plan and implement the appropriate actions to address them (Step 5 above); including the methods for monitoring, measuring, as appropriate, and evaluation of processes and, if needed, the changes to processes to ensure that they achieve their intended results (Step 6).10

ISO 9001:2015 also mandates that the organization shall maintain documented information to the extent necessary to support the operation of processes and retain documented information to the extent necessary to have confidence that the processes are being carried out as planned.

With the help of a Risk Management method as described above and using QMS documented information templates controlled in the CogniDox DMS, you will be in a strong position to show an assessor that you are taking appropriate actions to address risks and opportunities, in line with the requirements of ISO 9001:2015.

There are twelve posts in this series; Part IX follows this one.


1 Dale F. Cooper et al., Project management guidelines: managing risk with ISO 31000 and IEC 62198; John Wiley & Sons Inc, March 2014.
2 Holger Schutz, Peter M. Wiedemann, Wilfried Hennings, Johannes Mertens, Martin Clauberg, Comparative risk assessments: concepts, problems and applications; John Wiley & Sons, July 2006; ISBN 978-3-527-31667-0.
3 Ibid., p.192, Appendix 4.
4 ISO/DIS 9001:2014, A.4 Risk based approach, p.45.
5 Dale F. Cooper et al., Project management guidelines: managing risk with ISO 31000 and IEC 62198; John Wiley & Sons Inc, March 2014, p.363.
6 Ibid., p.363.
7 Ibid., Chapter 10, Risk Treatment.
8 Ibid., adapted from the Monitoring and Review section summarised on pp.363-364.

Tags: ISO 9001:2015, Quality Management System, Compliance, ISO 13485:2016

Written by Paul Walsh

Paul Walsh was one of the founders of Cognidox. After a period as an academic working in user experience (UX) research, Paul started a 25-year career in software development. He's worked for multinational telecom companies (Nortel), two $1B Cambridge companies (Ionica, Virata), and co-founded a couple of startup companies. His experience includes network management software, embedded software on silicon, enterprise software, and cloud computing.
