There is a continuing discussion of the difference between risk management and quality management. Some believe they are the same thing, while others say there is no area of overlap. This article is not intended as an exercise in wordplay; it is my personal view of how ISO 9001 covers aspects of managing quality risk while, at the same time, not being a general risk management standard.
An organization can choose to include quality risks in a wider-ranging risk management process, or use existing quality management system processes to manage those risks specifically related to products and services.
One aspect of ensuring that products and services meet customer requirements (and those of other relevant interested parties), both now and in the future, is for the organization to identify, evaluate and manage conformity risks for its products and services. All of the control and assurance activities it undertakes are specifically about managing that risk.
How, then, is risk-based thinking presented in ISO 9001? The word ‘risk’ features in ISO 9001 49 times. The first mentions are in the standard’s introduction, Clause 0.1, in two places:
- Firstly, as a potential benefit of implementing a quality management system: the ability to identify ‘risks and opportunities’ associated with its context and objectives. The relevant requirement clauses later in the standard explain how that is to be achieved.
- Secondly, risk is directly associated with the process approach, and risk-based thinking is covered alongside the Plan-Do-Check-Act (PDCA) cycle, so whenever we see the term ‘process’ in ISO 9001 we should be considering risk-based thinking as part of putting processes in place.
Later in the Introduction, the concept of risk-based thinking is explained further. It enables an organisation, when looking at its processes, to anticipate the factors that could cause a process to fail and so prevent it from delivering planned results. The organisation can then put in place preventive controls to reduce the likelihood, or minimize the negative impacts, of process failure. This preventive approach allows the organisation, through its processes and, by extension, its quality management system, to make maximum use of opportunities as they arise.
Later in the general introduction, in Clause 0.3.1, we are given more explanation of the process approach and how risk-based thinking is used. Through the systematic definition and management of processes and their interactions that make up the process approach, the organisation can achieve its intended results, as set out in the quality policy, in line with its strategic direction. In the process diagram (Figure 1) the standard talks about process controls and tells us that the monitoring and measuring checkpoints for each process vary depending on the process risks.
In Clause 0.3.2, when explaining the PDCA cycle, we are told that a significant part of the ‘Plan’ activity is to identify and address the risks and opportunities of the system and its processes.
Later there is a full clause, 0.3.3, providing information on risk-based thinking (RBT). Here it states that RBT is vital to an effective quality management system and that RBT has been implicit in previous editions of ISO 9001 under clauses such as preventive action, used both to eliminate potential nonconformities and to take action to prevent a recurrence. This dual role of actions pre- and post-nonconformity has created a lot of the confusion around preventive action. RBT provides an opportunity to reset and re-explain what proactive action to prevent nonconformity should be about. Using RBT, the organisation is required to assess potential risks and opportunities and to plan and implement actions to address both. If the organisation does this it will improve the control and assurance aspects of its quality management system and its overall effectiveness. Preventing the negative effects that risks pose to the organisation will lead to improved results.
In Clause 0.4, Relationship with other management system standards, the standard refers again to the process approach, the PDCA cycle and risk-based thinking, and mentions that the quality management system can be aligned with the requirements of other management system standards.
The first mention of risk in the requirements clauses of ISO 9001 is in Clause 4.4, Quality management system and its processes.
The organization shall determine the processes needed for the quality management system and their application throughout the organization, and shall (sub-clause f) ‘address the risks and opportunities as determined in accordance with the requirements of 6.1;’
These words appear at first sight to be very simple, but this does not mean that the requirements are easy to satisfy. I’ve recently been reading Walter Shewhart’s Economic Control Of Quality Of Manufactured Product, something I have been meaning to do for many years. The enforced hiatus in the day job due to the coronavirus pandemic has allowed me to do so. Shewhart discusses the definition of quality (as all quality professionals tend to do) but he has a take on this that created tremendous insight for me. For each product, there are multiple facets that, taken together, encompass the quality of the product. Each facet is important to ensure the overall quality of the product is maintained. Shewhart then goes on to discuss how to control quality using statistical methods; I will return to this later.
In quality management terms a process transforms inputs into outputs. Each process is made up of a sequence of activities, and the product facets are created or modified by the activities in the organisation’s processes. Each activity, if it does not work as planned, risks the facet not achieving the desired quality. Now multiply this across the range of facets or features that need to be controlled to ensure our organisation’s products and services satisfy customer requirements, and we start to get a picture of the complexity of assessing quality risk.
Returning to Shewhart, he did tremendous work on the study of processes and, particularly, on the application of statistics to understanding process variation and how it creates the potential (risk) of the product failing to meet requirements. Only with this understanding are we able to predict and/or control the output quality.
For all processes there are risks and opportunities, covered in Clause 6.1, and these apply directly to the organisation’s processes, its ways of working. This can also affect 4.4 c), as risks and opportunities often lead the organisation to introduce checks and balances to ensure risks are managed and opportunities are taken.
Next, in Clause 5.1.1 (General), risks and opportunities are assigned as the responsibility of top management. They are required to lead in this area by ‘d) promoting the use of the process approach and risk-based thinking;’
The only requirement here is for the leaders to actively encourage others within the organisation to carry out all the activities we cover in this article, but there should be evidence that they do so.
Under Clause 5.1.2, Customer focus, the responsibility remains with the organisation’s leaders to set an example by ensuring that: ‘b) the risks and opportunities that can affect conformity of products and services and the ability to enhance customer satisfaction are determined and addressed;’
Here risks are specifically related to customer satisfaction with the products and services that the organisation produces. To lead on this, the leaders need a good overview of the risks and opportunities across the organisation and must ensure checks and balances are in place to manage them.
Under Clause 6.1, Actions to address risks and opportunities, we get into the detail of how the organisation should manage the activities involved in assessing and managing risk.
6.1.1 When planning for the quality management system, the organization shall consider the issues referred to in 4.1 and the requirements referred to in 4.2 and determine the risks and opportunities that need to be addressed to:
- a) give assurance that the quality management system can achieve its intended result(s);
- b) enhance desirable effects;
- c) prevent, or reduce, undesired effects;
- d) achieve improvement.
Clause 6.1 leads us back to the organisation’s context (Clause 4) and the internal and external issues evaluated there, including the requirements of interested parties, and requires the organisation to do all that is necessary to manage those risks and opportunities that arise from its context using its quality management system.
6.1.2 The organization shall plan:
- a) actions to address these risks and opportunities;
- b) how to:
  - 1) integrate and implement the actions into its quality management system processes (see 4.4);
  - 2) evaluate the effectiveness of these actions.
Actions taken to address risks and opportunities shall be proportionate to the potential impact on the conformity of products and services.
Having done all the evaluation work in Clause 6.1, the next clause takes us into how to address these risks and opportunities through plans and actions. These form part of the quality management system.
Towards the end of the standard we enter the ‘Check’ phase of the PDCA cycle, where all the identification, assessment, planning and controlling that we carried out earlier is evaluated to see that it has had the necessary effect. This starts in Clause 9.1.3, Analysis and evaluation, specifically sub-clause ‘e) the effectiveness of actions taken to address risks and opportunities;’
Processes have to be in place to capture data on the effectiveness of the planned activities and to periodically evaluate them.
The responsibility of leaders to lead on managing risks and opportunities also comes full circle with the requirement for top management to be involved in reviewing effectiveness in Clause 9.3.2, Management review inputs, in particular sub-clause ‘e) the effectiveness of actions taken to address risks and opportunities (see 6.1);’. The evaluation, planning for and management of risks and opportunities therefore has to be on their radar.
ISO 9001 has a feedback loop built in to evaluate the effectiveness of the risk identification, evaluation and management process: Clause 10.2.1 on nonconformity, specifically sub-clause e), requires the organisation to ‘update risks and opportunities determined during planning, if necessary’. Logically, any nonconformity indicates that the process for managing risk has not been effective, so we should use this information to revisit the original assessment and update it, deciding whether further action is needed.
In Appendix A of ISO 9001, the standard goes on to provide further guidance on the requirements in ISO 9001 and the concepts of risk-based thinking.
Even in these uncertain times, the matched pair of ‘risk’ and ‘opportunity’ used in ISO 9001 (and in Annex L, soon to be Annex SL again) provides a great opportunity for quality professionals to design an effective quality management system that manages the risks associated with the organisation’s processes and enables it to focus on grasping the opportunities available in the market it operates in.
BIO:
Paul is the current Chair of ISO TC 176 Sub Committee 2. The committee is responsible for ISO 9001 and ISO 9004 among other quality management standards. He runs s2a2s Limited, providing consultancy and training in areas of quality management, management systems and risk.
With a first degree in engineering, Paul has extended his postgraduate qualifications in marketing and business as well as professional areas of auditing, risk, health & safety and quality. Paul contributes to the quality and risk professions through UK and International Standards committees, articles and volunteer roles.
Paul Simpson
Director – Strategy to Action, s2a2s Limited
email: paul@s2a2s.com
Phone: +44 (0) 7879 812008
Website: www.s2a2s.com