#67 – ISO 31000: REQUISITE RISK STANDARD FOR ISO 9001:2015 – ALLEN GLUCK

The long-awaited revision of ISO 9001:2008 is upon us and it comes accompanied by much angst.  Over 1.3 million organizations have successfully implemented the international quality management system standard and achieved this expensive, hard-earned certification.  But now that is all about to change.  Painful decisions will need to be made in the coming years on whether to embrace the changes needed for recertification after 2018, or to drop the ISO 9001 certification altogether.

In a perfect world, a revision for an established, internationally accepted standard should be an obvious improvement over the original.  It should be easier to read, learn and implement.  It should provide only non-controversial, improved tools for quality management.  Unfortunately, the world is not perfect.

The international TAGs to ISO/TC 176 have labored mightily to negotiate for the highest caliber revision, scheduled for publication in 2015.  You can only imagine how challenging it is to achieve a consensus among hundreds of individuals, grouped in dozens of countries, with differing professional experiences and work ethic.  This is why a far-from-perfect DIS 9001 (draft international standard) has already been approved and is on track for finalization.  Because of obvious shortcomings, the U.S. TAG voted for non-approval along with Canada, Finland, Germany, Ireland, Israel, Japan and South Africa.   We were outvoted by 64 other countries who voted for approval.  These countries presented 480+ pages of comments and suggestions for improvement.  Hopefully, many of these will be integrated into the final revision.

There are also a number of very new requirements like “understanding the organization and its context” and “risk-based thinking.”  These are terms which are currently non-existent in quality and risk nomenclature.  How are we to learn to understand, implement and audit to these requirements?

ISO 31000
Fortunately, we don’t have to reinvent the wheel.  These two concepts and their implementation are detailed in the ISO 31000 Risk Management standard under different names.  To an outsider, it is truly strange that all ISO documents do not employ the same terminology for the same concepts.  Multiple authorships and the realpolitik of consensus are to blame for this anomaly.  Likewise, there is an almost universal concern shared by all voting ISO countries that the revision not burden ISO 9001 users with many new requirements.  New requirements are sometimes obscured with new or different verbiage to help facilitate adoption by the majority of countries.

Indeed, the authors of this revision did not want to require the full, systemic risk management methodology laid out in ISO 31000.  The DIS explains, “The concept of risk-based thinking has always been implicit in ISO 9001.  This International Standard makes risk-based thinking more explicit and incorporates it in requirements for the establishment, implementation, maintenance and continual improvement of the quality management system.  Organizations can choose to develop a more extensive risk-based approach than is required by this International Standard, and ISO 31000 provides guidelines on formal risk management which can be appropriate in certain organizational contexts.”

The DIS proposes that some minimal management of risk is integral to quality systems. The authors deliberately coined the term “risk-based thinking” to encompass the varying degrees in which organizations need to manage risk.  Employing the term “risk management” would have intimated that full adherence to the ISO 31000 standard is required; a position defeated by the consensus.  Fortunately, ISO 31000 is not a management system; its approach to risk management is amenable to being tailored to the needs of its users.  Likewise, the ISO 31000 standard is also helpful for “understanding the organization and its context,” only sparsely explained in the revision.  Sections 4 and 5 of the ISO 31000 document provide adequate detail on why and how to “establish the context.”

So why should your organization embrace the management of risk and employ risk-based thinking as part of your quality system?  The answer is that “all organizations manage risk to some degree” (Introduction – ISO 31000 Standard) and, as stated in the DIS, it has always been implicit for organizations certified to ISO 9001.  In layman’s terms, “managing risk” simply means making decisions which consider how the unknown and its effects can help or hinder an organization’s objectives.  This is something we do each day, in both our personal and our professional lives.  The existing risk management standard has already become popular internationally and it will be very helpful in the implementation of the new ISO 9001.  Professional training and personal certifications are already available for ISO 31000 risk management.  Learning ISO 31000 will enable you, as a quality professional, to assist your organization in establishing the level of detail required to manage risk under ISO 9001:2015.

Bio:

Allen Gluck, President of ERM31000 Consulting, holds a Master’s degree in Leadership from Bellevue University in Nebraska. He is an official member of both the ISO/TC 262 (ISO 31000 Risk Management Standard) and TC 176 (ISO 9001 Quality Management Systems Standard) Technical Advisory Groups, which represent the United States to ISO, the International Organization for Standardization. Mr. Gluck is a validated, certified lead trainer for the ISO 31000 Risk Management Standards and Guidance document. He provides risk management training and consulting across the United States for this international standard, which is applicable to organizations of any size and in all sectors, public or private. He is also an adjunct professor at Manhattanville College in Purchase, NY, where he teaches the first risk management course in the United States which is based on ISO 31000. Allen has over twenty-five years of experience in public speaking and adult training and education.
