Although risks and opportunities have to be determined and addressed, there is no requirement for a formal, documented risk management process in ISO 9001. You should, however, ensure that your organization has a methodology in place that enables you to effectively identify risks and opportunities with respect to the planning of the QMS.
| ISO 9001:2015 | ISO 9001:2008 | Summary of Changes |
|---|---|---|
| 6.0 Planning For The Quality Management System | 5.4.2 Quality Management System Planning | |
| 6.1 Actions To Address Risks And Opportunities | 5.4.2 Quality Management System Planning | This is a new requirement that calls for a process to determine and evaluate applicable risks. The organization will be expected to understand this requirement and be prepared to explain how risks are managed within its quality system. |
| 6.2 Quality Objectives And Planning To Achieve Them | 5.4.1 Quality Objectives | This requirement is amended to ensure that quality objectives are relevant to the conformity of products and to enhancing customer satisfaction. Quality objectives should be analyzed to assign resources, identify responsible parties, establish a timeline, and determine evaluation practices. |
| 6.3 Planning Of Changes | 5.4.2 Quality Management System Planning | This is a new requirement. Organizations should retain documented information relating to planning and implementing changes that impact upon the QMS. |
Reference to risk-based thinking is present in the following clauses of the standards:
The risks and opportunities should be relevant to the context of your organization (Clause 4.1), as well as any interested parties (Clause 4.2). You should ensure that your organization has applied this risk identification methodology consistently and effectively.
In the absence of documented processes or procedures, you may need to rely on observation, interviews and a review of process outputs (which may themselves contain documented evidence) to determine whether undocumented processes are being carried out as planned.
External and internal issues, and relevant needs and expectations of relevant interested parties may be sources of risks. Objective evidence may be in the form of a dedicated risk matrix, risks added to other forms such as an aspect register, corrective/preventive action log and forms, etc.
The processes of a QMS do not all represent the same level of risk to your organization’s ability to meet its objectives. For this reason, the consequences of failures or non-conformities in processes, systems, products and/or services will not be the same for all organizations.
When deciding how to plan and control the QMS, including its component processes and activities, your organization needs to consider both the type and level of risk associated with them. Ensure that your organization is taking a planned approach to addressing risks and realizing opportunities, and that any actions taken have been recorded. Options to address risks and opportunities can include:
The concept of risk in the context of ISO 9001:2015 relates to the uncertainty in achieving the objectives of the QMS. Understanding the risks you face, and managing them appropriately, improves your ability to make sound decisions and to achieve those objectives.
Your organization should begin to view the management of risks to its people, assets and all aspects of its operations as an important responsibility. Implement and maintain a risk management process to protect and support your organization’s responsibilities. An effective risk management approach is not only good business practice but provides organizational resilience, confidence and benefits, including:
Risk will influence every aspect of your organization’s operations. Understanding the risks and managing them appropriately will enhance your organization’s ability to make better decisions, safeguard assets, and enhance your ability to provide products and services and to achieve your mission and goals.
By considering risk throughout your organization the likelihood of achieving stated objectives is improved, output is more consistent and customers can be confident that they will receive the expected product or service. Risk-based thinking therefore helps to:
We suggest that you use the familiar Plan-Do-Check-Act (PDCA) methodology to manage your organization’s transition to risk-based thinking; using this approach:
Documented information resulting from risk management activities such as risk management processes, plans and reports, etc. should be maintained or referenced in either a risk management file or other appropriate sources:
Your organization should consider the benefits of integrating the risk management processes, documents and records directly into your quality management system. The advantage of this could be a single document control system, ease of use and review, accessibility, retention, etc.
Document controls, including document change controls, for risk management system documentation should be the same as the controls for quality management system documentation. This documentation can be in any form or type of medium.
Within your quality management system, consideration needs to be given to internal and external communication of risk. Internal communication is necessary so that all appropriate personnel are aware of the residual risks that remain even after risk control measures have been implemented.
Your organization might outsource the provision of some processes or the manufacture of components, subassemblies or entire units. In order to maintain control over the processes, your organization should incorporate appropriate risk management activities for these processes and products by planning and by ensuring risk control measures are appropriately applied. Before the approval and implementation of a change to any outsourced process or product, your organization should:
If risk control measures are applied to outsourced process or products, the risk control measures and their importance should be documented within the purchasing data or information and clearly communicated to the supplier.
Risk management activities should begin as early as possible in the design and development phase, when it is easier to prevent problems rather than correcting them later.
For each identified hazard, the risk should be estimated under both normal and fault conditions. Risk evaluation then decides whether risk reduction is needed. The results of this evaluation, such as the need for specific risk control measures, become part of the design input.
While not mandated by ISO 9001:2015 or ISO 14001:2015, risk registers can help identify and record the risks and opportunities facing different areas of the business and identifying risk is a critical step in managing it.
Risk registers allow your organization to assess each risk within the overall context of the organization and to record the controls and treatments applied to those risks. Risk registers can be developed in tiers:
Risk registers (or risk logs) become essential because they record the identified risks, their severity, and the action steps to be taken. The register can be a simple document, a spreadsheet, or a database system, but the most effective format is a table.
A table presents a great deal of information in just a few pages. As the register is a living document, it is important to record the date that risks are identified or modified.
The primary objective of auditing the risk management process is to provide independent assurance that the process is operating as planned and is effective.
This should include reviews of processes and controls over high risks as determined through the risk planning process. The internal audit function provides independent appraisal of the adequacy and effectiveness of internal controls. Recommendations should be provided, where applicable, for improvements to controls, efficiency and effectiveness of processes.
Risk-based thinking is probably already part of your organization’s process approach, as it forms a key part of preventive action routines. Risk is often thought of only in the negative sense, but risk-based thinking can also help to identify opportunities and advantages; this is the positive aspect of risk management.
There are six clauses in ISO 9001:2015 that require your organization to consider risk:
The adoption of risk-based thinking will, over time, improve customer confidence and satisfaction by assuring consistent quality of goods and services through a culture of prevention and improvement.
Risk evaluation should become embedded into your organization’s day-to-day operations and should be undertaken at all levels throughout your organization.
The overall aim of risk evaluation is to ensure that organizational capabilities and resources are employed in an efficient and effective manner to manage opportunities and threats.
Risk evaluation can be represented as a seven step, cyclical process:
Your organization should develop and document a plan that briefly describes how and when risk, in the form of strengths, weaknesses, opportunities and threats, will be assessed, and who will be involved. This should reflect the scope (including its complexity, interfaces, etc.), policies and objectives.
In this step, your organization should systematically identify those risks associated with the scope of the process that could significantly affect the achievement of objectives and product conformity.
Risk identification should be carried out with the full involvement of the relevant parties to ensure that the relevant perspectives and expertise are represented (e.g. appropriately qualified representatives from various functions, contractors, stakeholders, suppliers and specialists, as appropriate).
Strategic risk identification considers the relationship between your organization and the broader, external environment or community.
A range of issues should be considered in examining the strategic context, including:
Operational risk identification involves gaining an understanding of the organization’s capabilities, goals, objectives, strengths and weaknesses by considering:
Having identified all hazards and associated risks that could impact on occupational health and safety, the process of rating the risks for significance can be carried out.
This crucial process, together with a thorough knowledge of legal and other similar requirements, provides the foundations of the management system.
This assessment process is vital in determining the need for controls aimed at either reducing risk to levels deemed tolerable or meeting the requirements of legislation.
The significance level (or risk rating) should then be used to prioritize actions.
Remember that the importance of this process cannot be overstated. If you get this process wrong, the whole system will be suspect.
The assessment of the severity of a risk should drive management attention and supports the planning for risk mitigation. Quantitative risk assessments (QRA) can be undertaken to provide an improved understanding of the risk profile and derive a more detailed understanding of certain cost and time risks. The output of QRA can also support decision making and monitoring of risk management activities.
For each risk, the risk owner must establish an appropriate level of mitigation. Control measures in addition to those already existing may be needed to achieve this level of mitigation.
When a response action is completed, the risk should be reassessed (i.e. repeat Step 3) to reflect the newly introduced control measures.
Regular review and challenge is essential to ensure that risks are being appropriately managed, and that the risk data remains accurate and reliable, reflecting any changes in circumstances or management activities.
Regular reports are necessary to inform and provide assurance to Top Management and other key stakeholders, that risks are being appropriately managed. Reporting must be based on current process data, which must be updated and reviewed in good time for the reporting cycle (see Step 5 above).
On occasion, it may be appropriate to escalate a risk to ensure it is assessed and/or managed by the person or party best placed to do so (able and with appropriate authority). For example, where a more substantial or coordinated response is required than the current owner can authorise or implement, or where the risk severity or its effects on the wider project justify higher level assessment and/or management.
Continuous, systematic and formal monitoring of the implementation of the risk process and its outputs should take place against appropriate performance indicators to ensure process compliance and effectiveness. Monitoring may take a variety of forms, ranging from self-assessment and internal audit to detailed reviews by independent external experts.
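The tiered risk register described earlier and the rating, mitigation, reassessment, reporting and escalation steps above, as an added worked example. This code was written for this page; it is not the page's own material and ISO 9001 prescribes no particular tool. The 1 to 5 likelihood and impact scales, the significance bands, the escalation threshold and the sample register entries are all assumptions made here.

```python
"""Added example: a risk register that rates, prioritizes, reassesses and
escalates risks. Illustrative only; the scales, bands, threshold and sample
entries below are assumptions, not ISO 9001 requirements."""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Tuple

# Assumed rating scheme: likelihood and impact each scored 1 (lowest) to 5
# (highest); significance = likelihood x impact, banded into low/medium/high.
SCALE_MIN, SCALE_MAX = 1, 5
SIGNIFICANCE_BANDS: Tuple[Tuple[int, str], ...] = ((15, "high"), (8, "medium"), (1, "low"))
# Assumed rule: a residual score at or above this exceeds what a process owner
# may accept alone, so the risk is flagged for escalation to top management.
ESCALATION_THRESHOLD = 15


def rate(likelihood: int, impact: int) -> int:
    """Return the significance score for a likelihood/impact pair."""
    for value in (likelihood, impact):
        if not SCALE_MIN <= value <= SCALE_MAX:
            raise ValueError(f"rating {value} outside {SCALE_MIN}-{SCALE_MAX}")
    return likelihood * impact


def band(score: int) -> str:
    """Map a score onto the significance label used to prioritize actions."""
    for floor, label in SIGNIFICANCE_BANDS:
        if score >= floor:
            return label
    raise ValueError(f"score {score} below lowest band")


@dataclass
class Control:
    """A control measure and how much it reduces each rating once implemented."""
    description: str
    likelihood_reduction: int = 0
    impact_reduction: int = 0
    implemented: bool = False


@dataclass
class Risk:
    """One register entry; tier distinguishes organization-wide from process-level registers."""
    ident: str
    description: str
    owner: str
    tier: str
    likelihood: int
    impact: int
    controls: List[Control] = field(default_factory=list)
    history: List[Tuple[date, str]] = field(default_factory=list)  # dated changes: a living document

    def inherent_score(self) -> int:
        return rate(self.likelihood, self.impact)

    def residual_ratings(self) -> Tuple[int, int]:
        """Ratings after implemented controls, never below the scale minimum."""
        done = [c for c in self.controls if c.implemented]
        lik = self.likelihood - sum(c.likelihood_reduction for c in done)
        imp = self.impact - sum(c.impact_reduction for c in done)
        return max(SCALE_MIN, lik), max(SCALE_MIN, imp)

    def residual_score(self) -> int:
        return rate(*self.residual_ratings())

    def needs_escalation(self) -> bool:
        return self.residual_score() >= ESCALATION_THRESHOLD


class RiskRegister:
    def __init__(self) -> None:
        self._risks: Dict[str, Risk] = {}

    def add(self, risk: Risk, when: date) -> None:
        if risk.ident in self._risks:
            raise KeyError(f"duplicate risk id {risk.ident}")
        score = risk.inherent_score()  # validates the ratings before accepting the entry
        risk.history.append((when, f"identified, inherent score {score}"))
        self._risks[risk.ident] = risk

    def complete_control(self, ident: str, index: int, when: date) -> int:
        """Mark a control implemented and reassess the risk (repeat the rating step)."""
        risk = self._risks[ident]
        risk.controls[index].implemented = True
        score = risk.residual_score()
        risk.history.append((when, f"control '{risk.controls[index].description}' done, residual {score}"))
        return score

    def prioritized(self) -> List[Risk]:
        """Highest residual risk first; ties broken by inherent score."""
        return sorted(self._risks.values(),
                      key=lambda r: (r.residual_score(), r.inherent_score()), reverse=True)

    def report(self) -> Dict[str, object]:
        """Summary for management review: counts per band and risks needing escalation."""
        counts = {label: 0 for _, label in SIGNIFICANCE_BANDS}
        for r in self._risks.values():
            counts[band(r.residual_score())] += 1
        return {"by_band": counts,
                "escalate": [r.ident for r in self._risks.values() if r.needs_escalation()]}


def sample_scenario() -> Dict[str, object]:
    """Constructed sample entries (not from the page) run through one review cycle."""
    reg = RiskRegister()
    reg.add(Risk("R1", "Sole supplier of a critical subassembly fails to deliver", "purchasing",
                 "process", 4, 5, [Control("Qualify a second supplier", likelihood_reduction=2)]),
            date(2019, 10, 1))
    reg.add(Risk("R2", "Calibration records not retained for inspection equipment", "quality",
                 "process", 3, 3, [Control("Add calibration log to document control", 2)]),
            date(2019, 10, 1))
    reg.add(Risk("R3", "New regulation changes labelling requirements", "compliance",
                 "organization", 2, 4), date(2019, 10, 1))
    before = reg.report()                                   # R1 scores 20: high, escalate
    residual = reg.complete_control("R1", 0, date(2019, 10, 15))  # reassess after treatment
    return {"before": before, "r1_residual": residual, "after": reg.report(),
            "order": [r.ident for r in reg.prioritized()]}


if __name__ == "__main__":
    print(sample_scenario())
```

The register keeps the inherent rating alongside the residual one, so a reviewer can see what the controls achieved rather than only the current state, and every change carries a date because the register is a living document. The escalation flag is computed from the residual score, matching the guidance that a risk moves up only when its severity exceeds what the current owner can authorize.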
Updated: 15th October 2019
Author: Richard Keen
Richard is our Compliance Director, responsible for content & product development.
But most importantly he is ISO's biggest fanboy and a true evangelist of the standards.