Risk-based thinking (RBT) has been getting a lot of attention lately. It’s a concept expected to be introduced as a requirement in the upcoming revision of ISO 9001 (due in late 2015). Many in the ISO 9000 community are abuzz about what RBT is and what it means to a quality management system (QMS).
Understandably, many have explored the connection between RBT and more formal forms of risk management (e.g., per ISO 31000). Management of ISO 9001-certified companies should apply RBT to determine if formal risk management is necessary.
RBT FOR BALL BEARING MANUFACTURERS
Formal risk management or enterprise risk management is not needed by many organizations. However, organizations would not succeed were it not for adequate RBT.
For example, in the context of a manufacturer supplying ball bearings to a bicycle company, the quality (and safety) risk posed to the user (and the world) is relatively low. Ball bearings can be and are inspected and tested adequately before being used in assemblies. Should a ball bearing fail in the field, someone’s bike might seize up. The risk of bodily injury or death seems fairly low. For a manufacturer of ball bearings for bicycles, formal risk management would likely not be necessary to manage the risk to quality.
In a regulated environment, on the other hand, say in a medical device environment, a supplier of ball bearings will require more formal risk management, particularly if the ball bearings are incorporated into some kind of tiny implantable device. The mechanism of FDA approval ensures medical devices are adequately verified and validated appropriate to the risk each device poses to patients and to the world.
Due to, say, the risk of end-user infection, several aspects of processing must be controlled more tightly in a medical device manufacturing operation than in a bicycle manufacturing operation. To mitigate the risk of infectious agents being included in their shipments, a medical device manufacturer must more tightly control, for example, the work environment. Prior to packaging, finished product would need to undergo special cleaning operations, which would likely need to be conducted in a cleanroom. The packaging operation itself would also be conducted in a cleanroom.
On the other hand, packaging operations of the supplier to the bicycle company might be carried out in a greasy garage with equipment belching out oily smoke. No final cleaning may be required at all, and that might be just fine. “Throw 20 in each box and ship ‘em.”
A system requiring bicycle ball bearings to be ultrasonically cleaned and packaged in a class 100 cleanroom appears to be a system requiring quality overkill. Absent some reasonable explanation, this would represent an unnecessary inefficiency systemically built into processing, apparently the result of poor or absent RBT.
The point is this: the work environment needs to be appropriate for the work being carried out, mindful of the risks involved. This principle applies to all aspects of processing that bear on product conformity. RBT helps determine what appropriate is, given the context and the risks to achieving product conformity and other process/system objectives.
RBT = GOOD BUSINESS SENSE
The requirement to apply RBT is basically nothing more than a requirement to apply good sense given the issue and its context. When taking any action pertinent to product quality or a QMS, management should apply good sense. That would require management to take actions that promote customer satisfaction, product quality, and the effectiveness and efficiency of operations—something they were planning to do anyway if staying in business was an objective.
To apply RBT, before taking an action, management is supposed to weigh the desirable and undesirable outcomes likely to result from taking the action (versus the likely outcomes if no action is taken). Management is supposed to make such decisions considering the context of the organization: the industry in which it operates, the technologies in use, the competence levels of personnel, the organization’s products, services, and the processes involved with delivering those products and services. Again, this is something successful companies are doing already.
Risk may seem new, but it’s always been there
RBT has always been implicit in ISO 9001. In that way, it’s like the process approach. RBT and the process approach both come into play when defining a management system in the first place. A documented management system should be as simple or as complex as the actual system in operation, the system outputting product or service to customers every day.
RBT gives management the freedom to define and document management systems as they see fit, according to the risks involved. (Of course, the documented system must be robust enough to address applicable ISO 9001 requirements, too.) In the case of a QMS, the relevant risks are those to quality: risks to product conformity or timely delivery, risks to process performance, and risks to the management system itself.
Risk permeates all aspects of processing, but that’s nothing new. Risk permeates every aspect of life. That’s in part why we develop systems to help us operate in this world of uncertainty.
Without applying RBT and the process approach when defining a QMS, and using instead a standard-based or out-of-the-box approach, QMSs are structured and defined the same way—according to ISO 9001’s clauses and subclauses or with 6 procedures only. This approach essentially presupposes that the same risks are common to each organization, regardless of product or industry, and the same management system is supposed to operate effectively in every organization.
PROVING RBT
To demonstrate RBT to an auditor, a new procedure or a new form shouldn’t be needed. RBT relative to a QMS can be evaluated to some degree by examining the definition of a given QMS to determine its structure and complexity vis-à-vis the operations being conducted by the organization. For example, is a simple, low-risk system overkilled by complex documentation, unnecessarily complicating the definition of the system? Or might a complex, high-risk system be underdocumented, offering inadequate procedural support to ensure operations consistently comply with requirements?
Once a system is verified to have been defined sensibly, any actions to modify that system—whether reactive or proactive in nature—should be taken after good sense (RBT) has been applied. The possible benefits and pitfalls of various candidate actions should be considered, given the context of the organization, the context of the particular circumstance, and the best available information. Management personnel are paid to make these kinds of decisions every day. That the standard will now articulate RBT as a requirement doesn’t make RBT new.
To prove application of RBT, an organization need not raise a new procedure, develop a new form, or capture additional data (assuming records of management reviews, corrective actions, and decisions made relevant to quality are recorded somewhere). Any recorded action can be examined to determine if RBT is or was being appropriately applied.
For any completed action, one assessing whether RBT was effectively applied might determine if the action was effective and efficient. If a problem was overkilled with costly solutions that weren’t necessary, or if bad results were achieved because not enough resources were applied to address the problem, it would appear RBT could be improved (at least in these cases).
On the other hand, if an action effectively solved a problem (or effectively avoided one) without undue expenditure of resources, the action can be said to have been effective and efficient. Arguably, every effective, efficient action is evidence of effectively applied RBT.
Bio:
T. D. (“Dan”) Nelson has been closely involved with ISO 9000 since 1994 as a technical writer, quality manager, management representative, consultant, author, and CB auditor. Holding an MA in Business Administration from the University of Iowa, Dan also has 12 years of experience as an IRCA-certified QMS Lead or Principal Auditor, conducting registration audits and surveillance audits, and training Lead Auditor candidates in accredited courses. Using a process approach, Dan has taken several scores of clients of various shapes and sizes through registration to ISO 9001:1994/2000/2008 and related sector schemes (e.g. QS 9000, AS9100, ISO 13485, and ISO 17025). Dan’s numerous articles about the process approach have also been published by Quality Digest, Inside Quality, ASQ’s Quality Management Division, the Society for Manufacturing Engineers (SME), and the South African Quality Institute (SAQI); Dan has been featured as a guest blogger by RABQSA, and has been featured on Quality Digest Live. Dan is available for management consulting, training, and coaching, as well as auditor training and coaching. Contact: dan@tdnelson.com 319.210.2642