ISO is promoting ‘Risk-Based Thinking’ in all of its standards – even ISO 9001:2015 its flagship Quality Management System standard. What does this really mean for companies?
RISK AS PART OF QUALITY
Risk is recognized (finally?) as being part of quality management—which is nothing new. Risk is involved with every activity in life—yet some will likely react with an overblown, knee-jerk response to the inclusion of risk-based thinking among ISO 9001 requirements. To clearly comply with the requirement to apply ‘risk-based thinking’, some companies will no doubt be tempted to establish a ‘Risk Management’ process and maybe even hire a ‘Risk Manager,’ even though neither is necessary to implement ‘risk-based thinking’ or to comply with the requirements to apply it.
RISK-BASED THINKING
‘Risk-based thinking’ from a quality perspective is supposed to underlie management decisions affecting the (quality) management system, its processes, and the quality of its products, taking into consideration relevant interested parties (e.g., customers, end users, regulatory authorities).
Sound business thinking (including quality management thinking) relies on ‘risk-based thinking.’ Risk (to quality) must be assessed with an understanding of the organizational context: the industry in which the organization operates, the size of the organization, the education and skill level of organizational personnel, the impact of the organization’s product on the world, etc.
‘Risk-based thinking’ is supposed to help assure that any actions taken are appropriate to the risks involved. Understanding what is ‘appropriate’ requires an understanding of the context giving rise to a risk issue: the situation from which the issue arose and the circumstances surrounding it.
Like the requirements of ISO 9001 themselves, ‘risk-based thinking’ cannot be applied in the abstract. It needs to be applied to an issue within a context. We often can’t conclude what is risky and what isn’t based merely on the identification of a risk issue. For example, what’s a risky job for one organization (as product requirements approach capability limits) might not be risky at all for another organization (in which the requirements are well within normal operating parameters). So ‘risk-based thinking’ necessarily requires the thinker to understand the context in which risk is being evaluated.
‘Risk-based thinking’ is a far cry from simply filling out a Preventive Action form with information enough to complete the form and consider the issue closed. ‘Risk-based thinking’ encourages management to weigh the severity of a risk, its likelihood, and its potential consequences in the context giving rise to the situation.
DON’T GO OVERBOARD
Not every risk requires a 20-gun salute, but neither should every risk be effectively ignored. Actions to address any issue should take risk into consideration as a means of determining what is reasonable and prudent. It’s along the line of ensuring actions are “commensurate with the risk encountered” (ISO 9001:1994, 4.14.1) or “appropriate to the effects of the potential problems” (ISO 9001:2008, 8.5.3)—meaning, the objective isn’t to overkill (or under-treat) any action, but to keep actions appropriate, given the risk severity, likelihood, and potential consequences.
So although the ISO 9001:2015 standard requires ‘risk-based thinking’, that doesn’t mean a full blown risk management initiative for every organization seeking ISO 9001 registration. It means to take actions appropriate to the risk involved.
‘Risk-based thinking’ deals with uncertainty, but it’s nothing to be scared of. It’s just prudent business thinking.
Bio:
T. D. (“Dan”) Nelson is a quality management consultant, author, and trainer specializing in the process approach, ISO 9001, and related sector schemes. Dan has roughly 20 years of experience with ISO 9000 and over 15 years’ experience with the process approach. Dan holds an MA in Business Administration from the University of Iowa. Dan can be reached at:
dan@tdnelson.com
319.210.2642