In Part II, I round off the controversial issue of positive and negative risk, expose more uncertainty in the new definition and in the way the term risk is used in ISO DIS 9001 and finally draw some conclusions.
THE NOTION OF POSITIVE AND NEGATIVE RISK (CONTINUED)
Someone who is pursuing an opportunity may be taking a risk and someone who, by their actions, may miss an opportunity is taking a risk. Thus when we set out to identify risks, we should not only be looking at what could go wrong if we do X in the short or long term but what could go wrong in the short or long term if we don’t do X.
Rock climbing is hazardous but also presents opportunities for adventure, excitement and pleasure. People who engage in rock climbing are at risk of injury, perhaps even death and may find it difficult to get insurance. Rock climbers take risks and by doing so may gain great pleasure but don’t insure against the possibility of pleasure, they only against the possibility of harm. Insurance companies are interested in opportunities to make money out of people taking risks because the rock climber has transferred some of the risk to them but to the insurance company risk will always be used in the negative sense.
As mentioned in Part I, in the finance sector volatility is referred to as a risk but the risk is exposure to volatility rather than exposure to gain. This only matters to you if you have investments and having made investments there is a risk that their value may go down. We would not say there is a risk the value will go up, we say there is chance or opportunity that the value will go up. It’s this play on words that will create confusion among those outside the financial sector who are being asked to accept the new definition of risk.
RISKS AND OPPORTUNITIES
David Hillson says[i] “there are things in the future that could happen but might not happen but if they did happen they would be helpful so they would help us to save money, save time, increase value and benefits enhance our reputation so we could look for these things and manage them proactively”. But most of us would call these uncertainties opportunities e.g we say, there’s a chance we will win this new contract, we don’t say there’s a risk we will win this new contract unless doing so is going to have undesirable consequences. We say this new technology will save us money and therefore we should not miss the opportunity to adopt it. We don’t say his new technology will save us money and therefore we should not miss this risk.
My response to this is simple:
- An uncertainty presents a risk if its occurrence may have a negative effect on an expected result and is therefore relevant.
- An uncertainty presents an opportunity if its occurrence may have a positive effect on an expected result and is therefore relevant.
IS RISK NOW AN EFFECT AND NOT A POSSIBILITY?
That risk is now ‘an effect’ is different to the way we normally use the word risk as in the sense of “exposure to a possibility”. But an effect is the result of an action, but we are now being told that it’s more than a possibility and that it’s a certainty. According to the OED we use the term effect to describe “an operative influence; a mode or degree of operation on an object“ so ISO are also using the word effect differently to its normal use. If there is no action but the possibility of action there is only the possibility of an effect but ISO appear adamant that a risk is an effect and not the possibility of an effect”. The only explanation I can offer is that we can imagine an effect without experiencing it. Therefore ISO could be expecting us to refer to a situation as a risk where we are able to imagine that something good or bad could happen and may affect what we are trying to do. Wouldn’t it be simpler to use the words risk and opportunities as we have always used them? Well, TC 176 are not stupid, this is what they have done.
USE OF THE TERM ‘RISK’ IN ISO DIS 9001
In every instance in which the term risk is used in the new draft it is used in the negative sense and never in the sense of a positive effect. In fact, other than in the guidance and definitions, the word risk is only used among the requirements in the form of the compound term “risks an opportunities” with one exception in clause 8.5.5 on post delivery activities where the meaning is obviously referring to loss. So it looks like TC 176 were taking no ‘risk’ that the word risk could be misunderstood, but nonetheless retained the new definition so as to cause confusion and uncertainty. So much for ISO/IEC Directives that require management system standards to be easily understood and unambiguous!
As mentioned in the introduction in Part I, the clause on preventive action has been removed and in its place a new clause added on “Actions to address risk and opportunities”. If risk (effect of uncertainty) can indeed be positive why would Annex SL refer to opportunities? Could it be that not everyone on these committees think in the same way? The situation may change as we proceed to the FDIS as these uncertainties certainly need to be resolved
There is now a section on Risk-based thinking in the Introduction and another in Annex A entitled, Risk-based approach. Whether it’s an approach or a way of thinking matters not, the intent is to change the way (a) we apply the requirements of ISO 9001 and (b) we manage quality. This is a good thing because, for too long, the requirements have been treated by users as having to be met regardless of need. The only exceptions that were permitted were to requirements in section 7. Now, you are permitted to assess the risk and if you can produce evidence to show that the actions taken to address them are proportionate to the potential impact on the conformity of products and services, it appears you don’t need to meet a requirement that does not address a risk in the context of your organization.
A new guide to Risk-based thinking[ii] has been released by TC 176 in which there is a novel interpretation of the word opportunity. It now appears that when faced with the risk of being injured crossing the road, the options you consider in order to reduce or eliminate the risk are referred to as opportunities. This isn’t as crazy as it appears because it fits with my definition of an opportunity above, but these are not the only opportunities users of ISO 9001 should be identifying. New technologies, methodologies, concepts, legislation, skills etc may enable your organization to bring innovative products and services to market more quickly than your competitors and satisfy more customers. Remember the second reason for using ISO 9001[iii] is to enhance customer satisfaction.
CONCLUSION
I have attempted to expose some of the uncertainties about risk in ISO DIS 9001. The good news is that you can ignore the definition of risk given in ISO 9001 and assume the term risk is used in its negative sense and still understand and apply the requirements. This is because almost everywhere the term risk is used in the standard it is combined with the word opportunity.
You have probably been taking a risk- based approach for years e.g. when you analyzed nonconformities and took action to prevent their recurrence, you were addressing risk, when you introduced training you were addressing risk, when you put in place controls over design, purchasing, production and service delivery, you were addressing risks. So there is nothing new except a definition you can ignore and the realization that bringing your arrangements for the management of quality under control is about managing risks and opportunities.
Bio
After a period in aircraft production and development following which I qualified as a Chartered Engineer, I spent the next 20 years in quality management with British Aerospace and Ferranti International. For the next 15 years I operated as a management consultant and guided large and small companies through their ISO 9000 programmes, delivered quality management and auditor training courses throughout the world, set up my own consultancy business, Transition Support Ltd, and published several books on quality management many of which have been translated into Japanese, Spanish and Italian. A member of the IQA (Now CQI) since 1974, I was elected Fellow in 1988 and have served on and chaired several committees. In 2005 I took early retirement due to sudden sight loss but continue my interest in quality management. My Quality Systems Handbook first published in 1992 is now in its 6th edition and this particular piece on risk, I developed as I undertake my research for a major revision to align with ISO 9001:2015.