1. Requirements for Risk Based Thinking in ISO 9001:2015

The most important new concept to emerge in Quality Management Systems in the past 15 years is the Risk Based Thinking requirements of ISO 9001:2015.   There are two definitions of risk in the ISO family of standards, and since they are very similar to each other, you can choose either one, or use them both together.

ISO 9000:2015 at clause 3.7.9 defines Risk as “Effect of uncertainty” ¹ , and ISO 31000:2009 at clause 2.1 defines Risk as “Effect of uncertainty on objectives” ².

ISO 9001:2015 at clause 5.1.2 describes Top Management’s role in Risk Based Thinking in the following way ³:

“Top Management shall demonstrate leadership and commitment with respect to customer focus by ensuring that… b.) Risks and opportunities that can affect conformity of products/services and the ability to enhance customer satisfaction are determined and addressed.”

ISO 9001:2015 at clause 4.4.1 describes the relationship between Risk Based Thinking and the Process Approach in the following way ⁴:

“The organization shall determine the processes needed for the Quality Management System and their application throughout the organization and shall… f) Address the risks and opportunities in accordance with 6.1 and plan and plan and implement the appropriate actions to address them”

ISO 9001:2015 at clause 6.1.1 describes Risk Based Requirements in the following way ⁵:

“When planning for the Quality Management System, the organization shall consider the issues Referred to in 4.1 (Understanding the Organization and its context) and 4.2 (Understanding the Needs of interested parties) and determine the risks and opportunities that need to be addressed to:

• Give assurance that the Quality Management System can achieve its intended results,
• Enhance desirable effects,
• Prevent, or reduce, undesired effects,
• Achieve improvement.”

ISO 9001:2015 at clause 6.1.2 then continues ⁶:

“The organization shall plan:

• Actions to address these risks and opportunities
• How to integrate and implement the actions into its QMS processes and evaluate the effectiveness of these actions.

Actions taken to address risks and opportunities shall be proportionate to the potential impact on the conformity of products and services.”

NOTE (6.1.2) Options to address risks/opportunities can include

• Avoiding risk,
• Taking risk in order to pursue an opportunity,
• Eliminating the risk source,
• Changing the likelihood or consequences,
• Sharing the risk,
• Retaining risk by informed decision.”

ISO 9001:2015 at clause 9.3.1 describes the relationship between Risk Thinking & Management Review ^7:

“Top Management shall review the organization’s Quality Management System at planned intervals, to ensure its continuing suitability, adequacy and effectiveness. The Management Review shall be planned and carried out taking into consideration… e) The effectiveness of actions taken to address risks and opportunities (see 6.1)”

It is clear from the above requirements in ISO 9001 (clause 5.1.2) that Risk Based Thinking has to begin with Top Management.   At the company level, risks to products/services and customer satisfaction have to be determined and addressed.     After identifying risks at the company level, the risk assessment needs to be carried out at the individual process level.   Risks are also to be considered within the framework of what the organization is all about (the context of the organization and needs of stakeholders).

2. Quantitative vs. Qualitative Risk Assessment

Two popular models to perform risk assessments are the Failure Modes and Effects Analysis and the Risk Matrix. The benefits of these tools is that they are rigorous and offer a numerically scored or ranked (quantitative) risk assessment. Although these tools are very powerful and can be very effective, they may not be suitable for the assessment of processes in a smaller organization. A much simpler result can be derived from a discussion between experienced employees without using numerical scoring. This approach to risk assessment is qualitative in nature because it is based on the learned observation and “gut feel” of process owners.

3. Conducting a Qualitative Process-Level Risk Assessment – Using a Flowchart

In order to fulfil the requirements of ISO 9001:2015 Clause 4.4, the organization needs to start with its key business processes and consider risks and opportunities within their context. Risks will then be selected for action based on their criticality to the product, the customer, and the business. A flowchart is the preferred method for modelling processes, and the reader is encouraged to use flow charts whenever possible.

If the risk assessment includes creating a set of flowcharts, then any format, such as the “Risk is the Compass^TM” model (Devos 2006) ⁸ can be easily adapted to fulfill this role.   Risks are simply recorded beside each box on the existing flowchart.

When considering types of process risks or categories of risks, it can be helpful to consider those risks along the dimensions of the basic Ishikawa or Fishbone Diagram in its consideration of Man, Machine, Materials, Methods, and Measurement.

In the next issue, we will finish this most important discussion on how to implement Risk Based Thinking.

Bio:

Denis Devos is a Fellow of the ASQ and a recognized expert in the application and auditing of Management System Standards.  For 15 years, Denis has been servicing clients (primarily in the automotive industry) with customized training and support.

Denis began his work with the ISO 9001:1987 standard in 1992 and led the first ISO 9001 implementation of any General Motors plant in North America.  Denis’ unique Risk-Is-The-Compass model for risk-based QMS auditing was devised in 2001 and has been proven effective over years of implementation and is published in the procedings of several ASQ conferences.

A variety of sectors benefit from Denis’ expertise including the automotive industry, financial services, wood working and printing, and healthcare.

Endnotes

1. ISO 9000:2015 Quality Management Systems – Fundamentals and Vocabulary © International Organization for Standardization (ISO), Geneva, 2015.
2. ISO 31000:2009 Risk Management – Principles and Guidelines. © International Organization for Standardization (ISO), Geneva, 2009.
3. ISO 9001:2015 Quality Management Systems – Requirements. © International Organization for Standardization (ISO), Geneva, 2015.
4. Ibid.
5. Ibid.
6. Ibid
7. Ibid.
8. “Risk is the Compass^TM – A New Approach to Auditing Using Risks and Controls.” Denis J. Devos. Proceedings of the ASQ World Conference on Quality and Improvement – © American Society for Quality, Milwaukee 2006.