#148 – 3 THINGS YOU HAVE TO KNOW ABOUT ISO 9001:2015 RISK’S DEFINITION BEFORE MOVING ON – MOHAMMAD ELSHAHAT

Why do you think most executives and quality practitioners focus on strategies, techniques, and tools when it comes to Risk Based Thinking?

I bet you’ve heard or even read these questions before: What are the best tools to address risks? Will SWOT or FMEA be more helpful? How can I implement this risk-based thinking?

People tend to look for strategies and tools not only when it comes to risk-based thinking, but also in every aspect of their lives, whether in health, money, career, or even their spiritual life, because they believe that if they have the best strategies and apply the best tools … BINGO!

But in reality it is not as easy as it looks unless they have first answered two main questions: Where are we right now? And where do we want to go? After that, selecting the right strategy and tools will be more reasonable and helpful.

That’s why, in this post, I’m going to shift the focus to the question of what risk really means in ISO 9001:2015, by discussing three things that many people overlook when they identify and address risks. A clear conception of this term (risk) will certainly help in managing risks effectively and in ingraining the Risk Based Thinking concept in the organization.

The three things that you need to resolve before moving on are:

  • Risk and Opportunity
  • Risk and Objectives
  • Effect of uncertainty OR Uncertainty that affects

Now, let’s tackle them one by one …

Risk and Opportunity

Is the effect of risk always and wholly negative? Risk management practitioners have debated this for a long time, and it was a hot topic around the turn of the century, but according to Dr. David Hillson (2010) the majority now seems to adopt a definition of risk that covers both threats and opportunities.

There can be no great accomplishment without risk. – Neil Armstrong (1930-2012)

The term risk has many definitions. The figure below shows the definition of risk and its relationship to threats and opportunities; these definitions are adopted by most national and international risk management standards.

[Figure: the definition of risk and its relationship to threats and opportunities]

Source: Hillson, 2004.

If you still believe that risk is all about threats, you’re right, and you can find evidence to support your claim, because there’s no clear consensus on a single accepted definition of risk.

On the other hand, the majority consensus, especially since 2000, seems to adopt a broad definition that includes both threats and opportunities. A review conducted by Dr. David (2002) covered 22 standards, of which eight use the negative definition, five use the neutral definition, and nine use a broad definition that explicitly includes both threats and opportunities.

But how would this be beneficial to you when addressing risk?

ISO 9001 users and quality practitioners should have a clear definition of risk in mind. In addition, they should understand that the occurrence of avoidable threats and the nonoccurrence of achievable opportunities should be viewed as equally bad outcomes.

This mindset is critical in the success of any risk management program, whatever the framework you’re using to identify and manage risks.

Risk and Objectives

Although ISO 9001:2015 lists ISO 31000:2009, the risk management standard, in its bibliography, it didn’t adopt its definition of risk! … How’s that?

Risk: “effect of uncertainty” [ISO 9000:2015]

Risk: “effect of uncertainty on objectives” [ISO 31000:2009]

Objectives can have different aspects (such as financial, health and safety, and environmental goals) and can apply at different levels (such as strategic, organization-wide, project, product and process) [ISO 31000:2009, ISO Guide 73:2009]

Do objectives matter? Of course they do, so why did ISO 9000:2015 remove them from its definition?

In fact, there’s no point in managing risk without specific objectives in place. If you don’t have objectives, you don’t have risks, simply because risks are the interaction between uncertainty and objectives.

So, whether you’re a business owner or executive you’re only exposed to risk if the uncertainties in your business environment have effects (positive or negative) on your business’ objectives.

That’s why it’s a problem for you as an ISO 9001 user to suddenly find the definition of risk without objectives anymore! Of course this has an effect on the risk identification stage in your risk management program in terms of:

Are you going to include effects of uncertainties on objectives only?

Or are you going to list all probable risks in the world?!

I’m going to answer this, but after tackling the third problem and the most important one among the three.

Effect of uncertainty OR Uncertainty that affects

What is the problem here?

The problem is that most other risk standards define risk as an “uncertain event” that, if it occurs, might have an effect on objectives (take a look at the above figure again).

So, what are the implications of shifting the focus from “uncertainty” to “effect of uncertainty”?

David Hillson (2010) in his follow up to the release of ISO 31000:2009 stated that:

“following this approach, we would define the following as negative risk: Delay, overspend, accidents, reputation damage, lost market share, and inefficiency. On the upside we would use time and cost savings as positive risks.”

On the other hand, following this approach will also mean that the emergence of new competitors is not a negative risk (threat) unless it has potential consequences for our market share. And opening a new market in a certain area, or a merger or acquisition, won’t be considered a positive risk (opportunity) unless it has potential positive consequences for our sales and profits.

But what you just read is not completely true ….. How?

Let’s take a look at the definition of “effect” before going further.

An effect is the deviation from the expected – positive or negative [Source: ISO Guide 73:2009, ISO 31000:2009, ISO 9000:2015]

When you have a process, or a product or a new project, you have also some expectations, some outcomes, some results, or some objectives you’re looking for. The deviations that might happen during the execution stage should be identified and managed properly in a proactive manner to achieve what’s expected.

The following example will help in understanding these terms: deviation, objective, effect, and uncertainty.

Let’s picture this scenario. A small software company specializing in mobile applications is about to launch its new product. The product development team identified all the risks associated with the product launch.

They expect to reach the break-even point after six months (their objective), which means they expect to harvest the rewards after six months from the launch.

But because of the high mobility and the rapid change in this industry (Uncertainties), they will probably face one of these three different cases:

  • Collecting the profits after six months (The expected)
  • Collecting the profits after more than six months (Negative effect)
  • Collecting the profits before six months (Positive effect)

This launch might also be profitable within one week, if they have the fortune of Pokémon Go’s founder!

In this life nothing can be said to be certain, except death and taxes. – Benjamin Franklin (1706-1790)

In this scenario you’re not able to manage the uncertainties, but you can deal with the effects by either limiting or minimizing the negative effects and seizing or maximizing the positive ones.

So, your role as an executive or quality professional is to achieve the expected outcomes/results (objectives), while managing the deviations (effects) that might occur due to lack of knowledge, inaccurate information, misinterpreted information, or any other source of uncertainty in your business environment.

Uncertainty is an inherent variable in your product, your process, your system, or even in a simple activity you practice daily.

You always have uncertainties, but not all of them will lead to risk. You can have uncertainty without risk, but you can’t have risk without uncertainty.

What’s Next!

You have probably started your transition journey to the new QMS ISO 9001:2015 or are about to make this transition. Keeping these three things in mind and getting clear about them in your organization will save you time and money before proceeding with a formal or informal risk management program.

Here’s a guide to all the documented information required to establish your quality management system as per ISO 9001:2015.

If you don’t mind, I’d like to hear from you in a comment below this post:

  • What are you struggling with right now? Whether you’re in a transition phase or an establishment one.
  • What are the biggest challenges you face during the transition?
  • Did you address and manage both threats and opportunities effectively? And how?

Bio:

This is Mohammad Elshahat. I’m a quality and lean practitioner. I’d like to help ambitious professionals like you, senior executives, and business owners to take their business to the next level.

My Specialties: Lean Management, Quality Management, Statistical Quality Control, Cultural Transformation, and Neuroscience.

You can reach me any time:
e-mail: muhammad.elshahat@gmail.com
or call me: ✆ +2 010 11 77 49 74
