For companies operating under the ISO 9001 system, they might have noticed that risk-based thinking has been given a far more prominent role in the 2015 standard than it’s received in the past.
The ISO 9001: standard outlines a process of four steps for addressing risk and opportunity:
This process largely falls in line with the process and standards already demanded by the ISO 9001 system. This is just the principles of the ISO 9001 standard as applied to risk and opportunity.
Each step in this process will require a company to apply the core principles of the ISO 9001 standard to the concept of risk and opportunity. Because of this, any company that is already operating under this standard should have no trouble implementing these new requirements.
A lot will go into the identification of potential risks for a company. There are two distinct kinds of risk that a company may encounter: external and internal.
External risk is risk incurred from the environment in which the company operates. These can be legal, regulatory, financial, and cultural risks.
Internal risk is risk incurred from within an organization. This can be caused by an organization’s structure, resource deficiencies or allocation, and hierarchy.
Risk and opportunity need to be determined within the context of the business, something that will lead to different definitions of each term for different organizations.
Additionally, in many cases, risk will also bring opportunity. Companies need to properly assess where risk ends and opportunity begins, and how they can reduce one while capitalizing on the other.
As with any other part of the ISO 9001 standard, companies are required to develop a plan for addressing the risk and opportunities they’ve identified.
A company will need to do an in-depth assessment of the possible risks for this part. How likely are these risks? How disruptive would they be if they were to happen? What amount of resources is your company willing to dedicate to mitigating these risks?
Similarly, what is the potential for capitalizing on the opportunities? Can their likelihood be increased while mitigating the risk? Is the potential risk worth incurring for a chance at capitalizing on the opportunity?
Once these assessments have been made, an organization can develop a plan for addressing the risks and opportunities based on their stated strategies for both. Without properly assessing their appetite for risk, an organization cannot properly plan to either mitigate it or capitalize on the opportunities it presents.
In accordance with the ISO 9001 standard, these plans need to be clearly laid out, with a plan for documenting the process and keep clear records on it.
This step requires a company to insert the plan they’ve developed for addressing risk and opportunity into the greater framework of the QMS that they already have in place. This step is critical, in that the plan needs to allow for the rest of a company’s QMS to remain seamless.
As a standard that emphasizes universal application, the nature of ISO 9001 will require that the process developed for addressing risk and opportunity be compatible with all other procedures in the company.
For this reason, keeping a company’s QMS in mind as it goes through the process of developing a plan for addressing risk and opportunity can prove to be helpful. Developing a plan only to find that it doesn’t integrate well into the larger process means time and energy has been wasted.
This step in the process is also in lockstep with the core principles of the ISO 9001 standard. As with any other procedure in a company operating under ISO 9001 standards, proper documentation and record keeping processes will need to be put in place.
This is where a company can record the outcomes and measure the effectiveness of their efforts. This stage in the process is also why it is crucial to develop a comprehensive assessment of the company’s willingness to take on risk and pursue potential opportunities.
Without a detailed understanding of the company’s aims in regards to both risk and opportunity, it will be all but impossible to properly assess the effectiveness of the process that’s been implemented.
As with any procedure in a company operating under ISO 9001 standards, this step allows for the constant scanning of potential inefficiencies that can be improved upon.
It should be noted that context is also a key factor in any risk assessment process. Risk at one juncture of the process might look different than the same risk at another juncture. This is why having a comprehensive strategy for risk assessment is critical. Preparing for and thinking about all the possibilities will help better prepare your company.
The ISO 9001 standard is an all-encompassing standard, and its principles will guide any plan a company designs for addressing potential risks and opportunities. Following the guiding principles of the ISO 9001 standard will help a company ensure the plan they implement for risk and opportunity is a success.
In the ISO 9001:2015 update, risk-based thinking is process of putting a greater emphasis on understanding how risk affects an organization, and ways it can be both mitigated and leveraged into opportunity.
In the past, the ISO 9001 system treated risk as a separate component to quality management, focusing on prevention instead. In the 2015 update, the idea of risk-based thinking is meant to be addressed with a more systematic approach.
While risk-based thinking will sound like a new concept, its already something that most people engage with on a day to day basis. Any individual who is asked to make decision in their day to day life, i.e. everyone, is constantly weighing the risks associated with those decisions and working to mitigate that risk.
The idea behind the 2015 update is to infuse that thought process into the entire quality management system. To make risk assessment a main component of the process at each level of the system.
In short, improved risk assessment and an emphasis on it will help to improve a company. While not an end in itself, risk assessment adds another tool to an organization’s decision-making toolkit.
In the context of the ISO 9001 standard, risk assessment is an objective, evidence-based process for making decisions. Because it is standardized and evidence-based, it’s also repeatable. For this same reason, it can be easily understood and picked up by members of an organization, even if it’s not a main focus in their current role.
Similar to the rest of the ISO 9001 system, risk assessment puts a premium on improvement and growth. For an organization that puts a focus on risk assessment, they are actively measuring the potential for growth and new opportunities as part of a standardized, repeatable system.
In the ISO 9001:2015 update, risk assessment appears in two main ways: leadership directives and planning.
It’s important to recognize that the ISO 9001 system is not so much a set of requirements as much as a set of principles that, when applied to an organization, will help an organization to improve quality in their everyday activities.
With that in mind, the same concept should be applied to risk assessment. The 2015 update does not offer a specific checklist to be marked off in order to implement risk-based thinking into your business. Rather, the idea of risk-based thinking should permeate throughout all of a business’s practices.
That said, it does show up primarily in two sections of the update.
As with anything that goes on in a company, leadership will play an outsized role in the implementation of a quality management system. Because of this, an organization’s leaders will need to be properly versed in the concept of risk-based thinking.
As the primary decision makers in an organization, leaders will already have a general awareness of risk-based thinking and probably already use it to some extent in their day to day activities.
By focusing on leadership directives, the standard is putting an emphasis on how these directives can and should be influenced by a risk-based approach. This shift replaces an emphasis on preventive measures in previous versions of the standard.
The planning section is where the preventive action is removed from the old standard and replaced with an emphasis on managing risks and opportunities at every step of the process.
This is another example of the standard asking organizations to approach risk and opportunity in the same way they would approach any other problem that needed to be solved. The standard is not asking companies to go out and add new steps to their current quality management systems.
Instead, the standard is asking for a more risk-based approach to every step and process in the system. This will look different for each company that applies the standard to their processes.
While these two facets of the ISO 9001 standard focus on addressing risk and opportunities, it should be noted that the design of the 2015 update is to make risk-based thinking a natural part of an organization’s thinking.
Nowhere in the ISO 9001:2015 update outlines a specific set of requirements for implementing a process to address risk and opportunity. There is no requirement for the development and implementation of a risk management system to run in tandem with your quality management system.
Rather, an organization should take care take the idea of risk-based thinking to heart so that it can add it to its day to day operations and decision-making.
With this in mind, addressing risk and opportunity as an organization appear in every part of the ISO 9001 system. While the leadership directives and planning sections feature it most prominently, an organization should be careful to not let risk-based thinking fall to the wayside at other junctures in the process.
In many ways, risk-based thinking helps to highlight and add to many of the benefits that a good quality management system will bring to an organization. These benefits include:
Again, many of these benefits are already the benefits a company will experience from operating under a quality management system that meets the high standards of the ISO 9001 standard.
This is to be expected, based on the way the ISO 9001:2015 update treats risk and opportunity. Because the standard does not create a new set of structures or requirements for addressing risk and opportunity, instead opting for an integration of risk-based thinking into the current system, the benefits will largely remain the same.
That said, by adopting a more risk-based approach, an organization can increase the effect of those benefits while also increasing their frequency. Nevertheless, companies who adopt this approach into their current system will no doubt see the returns for their organization.
Risk-based thinking is more an enhancement on previous versions of the ISO 9001 standard, than an addition of anything new to the standard. Adding it to the toolkit is simply a way for companies to improve their decision-making with a new line of information and inquiry on existing processes.
The likelihood of meeting stated objectives will be increased, as will the engagement of employees as they are empowered with a new way of assessing their processes. These effects will impact the quality of the product or service a company is providing, which will in turn improve the customer experience and satisfaction.
The argument for embracing risk-based thinking, is largely the same argument for implementing a quality management system that meets the ISO 9001 standard. The question is not one of kind, but rather of degree. Adding risk-based thinking to an organization’s approach will help it to maximize these benefits.
The ISO 9001:2015 update rather obliquely defines risk as the “effect of uncertainty.” The standard goes on to outline that risk is the “deviation from the expected,” and can come in both positive and negative forms.
Additionally, the standard notes that risk largely pertains to potential events, and is expressed primarily as the likelihood and consequence of such potential events.
For most organizations, this definition leaves a lot to be desired.
While this will sound like an incredibly open-ended and vague definition of a crucial term, this is in line with what the ISO 9001 standard is meant to be. As an internationally recognized standard, ISO 9001 needs to be applicable to as many industries and organizations as possible. Hence the vague definition of a term as important as risk.
Because of the broad definition, it is up to an organization to define what risk means for their business. This needs to be a comprehensive assessment and will be tailored to that company. Any organization that operates under the ISO 9001:2015 standard will have a definition of risk that is specific to their business.
For this part, many companies will build what is known as a “risk taxonomy.” This is designed to help a company better define the term risk while also outlining what risks look like for their specific context.
The first step in this process involves interrogating current procedures. What could go wrong at each step? What things could arise that are not currently accounted for? How likely are they to occur, and what impact would they have on the business if they did?
This will require both a high-level view of risk, but also more drilled down definitions of specific risks.
At this point, a company will likely have a long list of potential risks. Some patterns will appear among the list, allowing an organization to group similar risks with each other. In addition to grouping similar types of risk, an organization can also break the possible risks into groups based on the likelihood of occurrence, or the organizations willingness to incur the risk.
Included in this taxonomy will be the opportunities that are included with these potential risks. A company will also want to group these into various subcategories based on likelihood, the potential outcomes of the opportunity, and the company’s willingness to take on the associated risks to try and capitalize on the opportunity.
Once a company has thoroughly assessed the potential risks and opportunities around their business, they can properly implement risk-based thinking into their quality management system. While the ISO 9001:2015 update leaves something to be desired in its definition of risk, companies should be able to more than compensate with their own definitions of the terms.
Written: 29th July 2019
Author: Richard Keen
Richard is our Compliance Director, responsible for content & product development.
But most importantly he is ISO's biggest fanboy and a true evangelist of the standards.
Learn more about Richard