Risk-based Thinking

Contrary to prevailing perception, risk-based thinking is already evident in the ISO 9001:2008 standard, so it is not a foreign concept in the 2015 version.

As we're all familiar with, the 2008 version comprises the following distinct elements:

  • Clause 4.1 General requirements
  • Clause 4.2 Documentation requirements
  • Clause 5 Management responsibility
  • Clause 6 Resource management
  • Clause 7 Product realization
  • Clause 8 Measurement, analysis and improvement

Based on the PDCA (Plan-Do-Check-Act) cycle of continual improvement, they define how the QMS ought to be operated and maintained in order to consistently meet customer requirements and sustain customer satisfaction.

Now, imagine what would happen if:
  • The process approach were not employed?
  • Documents and records were not controlled?
  • Top management did not commit itself to the QMS and its goals?
  • Resources were not planned and maintained?
  • Customer requirements were not accurately defined?
  • Design and development outputs were not reviewed, verified or validated?
  • Supplier performance were not monitored?
  • Products were not inspected prior to acceptance or delivery?
  • Customer dissatisfaction were not monitored and remedied?
  • Process performance data were not gathered or analysed?
  • Internal audits were non-existent?
  • Improvements were not made over time?

Surely there will be internal inefficiencies. Even when only one element is missing, the business loses its sustainable character.

Why? These elements exist to reduce the risks of:

  • Poor management of processes
  • Not having documented references
  • Loss of records
  • An irresponsible management team
  • Poor maintenance of resources
  • Ill-defined customer requirements
  • Poor design outputs
  • Poor supplier performance
  • Delivering nonconforming products to customers
  • Recurring customer complaints and returns
  • Not knowing whether processes are effective
  • Not improving over time

This is risk-based thinking in action. It is preventive in nature: it acts on risks known to exist in any type of operation.

In the 9001:2015 version, the scope of this risk-based thinking has been expanded. Organizations are now expected (Clause 6.1, Actions to address risks and opportunities) to address risks and opportunities related to their external and internal environments, interested parties and processes.

External risks and opportunities may be posed by new developments in the political, economic, social, technological, legal or competitive environments. Adequate and effective monitoring activities are necessary to keep abreast of such developments.

Internal risks and opportunities may be identified after careful analysis of performance data, organizational knowledge requirements, work culture and values.

Risks and opportunities can also be identified when the needs and expectations of interested parties are not being fulfilled. These parties could be the customers themselves, regulatory bodies, suppliers, staff, activists, neighbours, etc.

When planning processes under the process approach, any identified risks and opportunities for improvement must also be addressed.

Questions to ask when evaluating risks:
  1. What will happen if we don't address this potential undesirable event?
  2. What are the risks involved if we pursue this opportunity?

To evaluate these risks, you need to assess both their likelihood of occurrence and the severity of their projected consequences. Once a risk is confirmed as significant, action plans must be drafted and implemented.

Note that action plans must address the root causes that give rise to the risks in order to be effective; treating only the symptoms leaves the risk in place.

Strategies for the control of risks may include:

  • Avoiding the risk if it is too great to handle
  • Taking the risk in pursuit of an opportunity
  • Eliminating the risk source
  • Mitigating the projected consequences
  • Decreasing the likelihood of occurrence of the risk
  • Sharing the risk with an interested party (for example through insurance or contractual terms)
  • Retaining the risk by informed decision, because its projected impact is insignificant or its probability of occurrence is low

Why does ISO 9001 require that risks and opportunities be addressed? The principal reason is to ensure that the organization's ability to achieve its quality objectives is continually enhanced, and with it customer satisfaction.

As such, risk-based thinking is fundamental to an effective QMS, and it is not something new.

Considering these benefits, strategic risk management is indeed a much needed element of the ISO 9001:2015 version, and it makes for a more responsive and resilient QMS.