ISO 9001:2015 Risk-Based Thinking And How To Apply It

Clause 4.1 of the ISO 9001:2015 Standard requires that your organization determines, monitors and reviews its external and internal issues that are relevant to its purpose and strategic direction and that affect its ability to achieve the intended results of its quality management system.

Additionally, Clause 4.2 requires the organization to determine who its interested parties are and what their requirements are with regard to the quality management system.

Clause 6.1, in turn, requires the organization to address the risks and opportunities contained within its external and internal environments, and within the needs and expectations of interested parties.

The required outcome of the activities of Clauses 4.1, 4.2 and 6.1 is that all risks are adequately controlled so as not to adversely impact the organization, and that all opportunities are taken advantage of.

To put things into practical perspective, let's create a process to achieve all of the above, as follows:
  • Step 1: Carry out a SWOT Analysis on your organization and its business / operating environment. The purpose of this analysis is to identify the external opportunities and threats that an organization faces in political, economic, social and technological (PEST) terms, and its internal organizational strengths and weaknesses in terms of its processes and culture, including any other relevant internal aspects.
  • Step 2: For each external opportunity and internal strength that has been identified, evaluate its impact in terms of its positive effect on your organization and decide whether you can take advantage of it or enhance its desirable effect.
  • Step 3: For each external threat and internal weakness, evaluate its adverse or negative impact on your organization. If the impact is severe enough, come up with a strategy to eliminate it. If that is not possible, think of a strategy to lessen its impact on your organization or reduce its likelihood of occurrence, or both. It should be noted that a risk may also be viewed as an opportunity for improvement.
  • Step 4: Create action plans to deal with all opportunities and risks that have been identified and evaluated. These action plans shall define what must be done, what resources will be required, who will be responsible, when it will be completed and how they will be reviewed and evaluated.
  • Step 5: Identify all interested parties that can impact or be impacted by your quality management system. Determine their needs and expectations and evaluate if there are any gaps to be filled. Each gap may be treated as a risk that can adversely impact your organization or as an opportunity that your organization can take advantage of.
  • Step 6: Create action plans to address all risks posed by unfulfilled needs or expectations of interested parties. These action plans shall define what must be done, what resources will be required, who will be responsible, when it will be completed and how they will be reviewed and evaluated.
  • Step 7: As all organizations operate in a dynamic world, review all risks and opportunities at the very least on an annual basis in order to ensure adequate coverage of relevant issues. This can be done in a meeting setting with relevant directors and management personnel.

In conclusion, a quality management system that is based on the ISO 9001:2015 Standard is driven by its strategic evaluations of risks and opportunities. This effectively integrates the quality management system within the overall business processes and further empowers it, as opposed to the ISO 9001:2008 version, where the quality management system is driven by the quality policy.

Ismail Latiff helps his corporate clients implement the ISO 9001, ISO 14001 and OHSAS 18001 International Standards via training, documentation development, audit and advisory services. Check out his presentations on Slideshare.