31. Mar 2015

ISO 9001 Revision explained in simple terms

The concept of “Risk-Based Thinking”

In March 2015, ISO sent a communiqué to its members to inform them about the future timetable for the publication of ISO 9001:2015. According to the timetable, the last draft (FDIS ISO 9001:2015) should be published in German along with the other official languages of ISO in early July. This means that worldwide matching would be finished by early September and that the Standard could appear in September 2015.

In a series of technical lectures, Quality Austria provides information on the revision of ISO 9001:2015.

Each month, a key concept of the revision will be explained in more depth. This month, Eckehard Bauer, MSc, explains the concept of “risk-based thinking”.

Risks and opportunities in ISO 9001:2015

Eckehard Bauer, MSc

 

The key requirements relating to “risk-based thinking” are included in Clause 6.1 of ISO 9001:2015 “Actions to address risks and opportunities”.

Managing risks and opportunities is a decision for a positive future. It means realizing today what can influence us tomorrow, seizing the best opportunities and controlling the commensurate risks by taking adequate actions, with the aim of achieving the corporate goals and strategy.

Systematic handling of risks is no formal system but rather reflects a basic entrepreneurial attitude and the will to design. In order to manage risks and opportunities successfully, risk-based thinking will have to be fully integrated in the corporate steering systems and the organization's decision-making processes. For this purpose, systematic management of risks and opportunities needs to be anchored in the minds of decision-makers.

In this respect, the most important objective is to systematically prevent damaging events and systematically seize opportunities by taking well-aimed actions.

Risks form an integral part of any entrepreneurial activity. Risks denote any future (financial and non-financial) events and any possible developments within and outside an organization which can impact (negatively or positively) the degree to which corporate goals are achieved.

In order to act on the market successfully, organizations need to avoid or reduce risks or transfer them to third parties. However, it will also be necessary to deliberately accept and tackle risks in order to seize opportunities (entrepreneurial risk). In practice, there are many tools and methods for managing known risks, but also for identifying, in a timely manner, new risks and changes to risks already identified. Systematic management of the risks identified is a significant tool supporting this task. In contrast to so-called crisis or problem management, managing risks with a distinct focus on the future is characterized by focusing on opportunities.

Proactive actions are intended to support effective and efficient management of risks and thus help to avoid acute problems, which may escalate into crises, or to avoid their effects, which are mostly negative - according to the motto “Good managers manage risks, poor managers manage problems”.

“Does ISO 9001:2015 require an organization to demonstrate a risk management system?” No, there is no requirement for a complete risk management system as described, e.g., in ISO 31000. It is necessary to consider the risks and opportunities at the points designated by the Standard and to take adequate actions for managing risks.

The integration of risk-based thinking in ISO 9001:2015 is aimed at supporting organizations in taking up customer-focused opportunities while managing the resulting risks. Risks and opportunities are an important element in the planning process, which ranges from the strategy and the environment in which the organization is operating to processes and sub-processes. The focus is always on achieving the results planned by the organization and on the effectiveness of the system, i.e. the capability and robustness of the system when it comes to achieving objectives and targets.

 

The implementation of the “risk-based approach” in practice

There are many tools and methods for implementing the “risk-based approach”. In practice, it has proven useful to determine first which methods and tools are already known in the organization and used in everyday work.

Examples:

  • Organizations that have never used a risk-based approach before can use such tools as the risk scan to get a first general view and thus create a basis for processing opportunities and risks. The result of the risk scan (cf. (German) Figure 1) can then be directly processed or refined, if necessary, by taking actions.
  • For identifying the potential risks, brainstorming can be used. The result of brainstorming can be processed further in an Ishikawa Chart in order to quantify the result by means of classical scoring.
  • The following procedure has often proven useful: conducting brainstorming, then making an initial assessment by using the 3F Method (three-factor method), and continuing to process specific aspects (e.g. product-specific or process-specific aspects) by means of an FMEA (Failure Mode and Effects Analysis).

Any result desired or planned by the organization can be scrutinized by asking simple questions in the sense of the risk-based approach until the result is achieved positively. In this respect, it does not matter whether the corporate strategy, a process or a sub-process is considered:

  • What makes it easier to achieve the result, or what can increase the positive effects?
  • What prevents the achievement of results, or what can prevent it?
  • How can positive effects be reinforced?
  • How can undesired effects on the desired result be prevented or reduced?
  • How can continual improvement be achieved?

 

For planning the quality management system (QMS) according to ISO 9001:2015, the organization needs to consider the requirements stated in Clauses 4.1 “Understanding the organization and its context” and 4.2 “Understanding the needs and expectations of interested parties” and derive the risks and opportunities from these.

Then the organization will have to plan the following according to Clause 6.1.2:

  • actions to address these risks and opportunities
  • how to integrate and implement the actions into its quality management system processes
  • how to evaluate the effectiveness of these actions

 

In order to work with risks so as to holistically create value for the organization, it is decisive to assess risks systematically. This also includes the following: analyzing and evaluating pertinent data and information, taking relevant decisions at the management review, and scrutinizing assumptions about the risks and opportunities when failures occur.
