ISO 9001:2015 revision explained: Risk-based thinking
11 February 2015
The revised ISO 9001 standard has moved away from what it previously called "preventive action" towards a "risk-based approach". Preventive action was found to be lacking when it came to driving change and continuous improvement. The risk-based thinking approach is likely to be much more effective in allowing organisations to become stronger, fitter businesses.
Taking a risk-based approach means:
- Determining the risks and opportunities
- Planning actions to address them
- Implementing them in a quality management system
- Evaluating their effectiveness
All this ensures your organisation is proactive rather than reactive, preventing potentially damaging events and promoting improvement. Once a management system is risk-based, preventive action is automatic.
Though we commonly understand risk to be negative, risk-based thinking has a more positive slant in that it provides opportunities for improvement and enables businesses to make strategic decisions. Applying a robust quality management system is another important aspect.
Here at Ideagen, we believe quality management is currently going through a state of metamorphosis. Quality professionals must change the opinion of those in organisations that view quality as simply improving compliance. It's more than that – it can empower a business by reducing risk. Even better, a good quality management system not only enables you to reduce risk, but also take risks.
Reducing risk to take more risks may sound counterintuitive, even paradoxical, but that’s where the power of quality can be. By considering compliance risks you can drive a business forward by giving it the power and control to take educated risks to gain positive results.
Determining risks and opportunities
In order to achieve this, how do you determine your risks and opportunities and the appropriate level of action to address them? To do this, you need to determine your objectives before you can identify things that might get in the way of meeting them.
You must consider:
- Issues that may affect your organisation's values, culture, knowledge and performance
- How these issues may impact your ability to deliver products and services that meet customers' needs and any regulations that may apply
Look at them both from an internal and external perspective: strategies to achieve your policies and objectives; your relationship with your staff and stakeholders (including partners and suppliers) and issues arising from political, economic, social and technological changes within the sector.
Analysing and prioritising your risks and opportunities
ISO 9001 defines a risk as "the effect of uncertainty on an expected result". To summarise:
- an effect is a deviation from the expected – positive or negative
- risks are about what could happen and what effect it might have
- risk also considers the likelihood of an event occurring
Though the revision to ISO 9001 doesn't formally say you must do a full risk assessment or maintain a risk register, it does say you must monitor, measure, analyse and evaluate the risks and opportunities. There are various methods to approaching risk-based thinking – which method is appropriate to you is determined by the context of your organisation.
In smaller organisations, it may be sufficient to simply provide appropriate records of risk-based thinking and to ensure control of business processes (e.g. by regularly reviewing documentation, keeping clear records of training and competence, recording sufficient data for analysis and continual improvement).
In contrast, many busy quality teams in larger organisations use risk registers as a framework for assessing, evaluating and prioritising risks. Risk management software such as Q-Pulse QMS enables you to identify and assess risks looking at 'likelihood' and 'impact'. Q-pulse QMS allows you to identify the top risks to your organisation and how to deal with them, pinpointing the key opportunities and what you can do right now to exploit them. It takes the guesswork out of decision-making with comprehensive data at your ﬁngertips.
Planning and implementing actions to address risk
Planning actions to address risks and opportunities can include:
- Avoiding risk
- Eliminating the source of the risk
- Changing the likelihood or consequences (likelihood and impact)
- Sharing the risk
- Retaining risk by informed decision
- Taking risk to pursue an opportunity
When you are planning your own actions, again, you must consider the context of your organisation. Planning actions to mitigate a potential fault with a nuclear reactor at a power plant will be much more thorough and meticulous than if you were mitigating the risk of the wrong sandwiches being ordered for the staff vending machines.
Similarly, the risk of an economic downturn in a country with which your organisation has little trade or links is minor compared to a recession in the country in which you solely trade and operate. Understanding your organisation and its strategic direction is essential if you're going to determine and address the associated risks.
Many organisations use risk management software such as Pentana Risk to implement actions to address risks. Pentana Risk enables you to effectively monitor corporate strategies via a golden thread that links objectives to risk to real time performance monitoring. Proactive awareness of performance and risk generates transparency, opportunity and synergy in your organisation.
Checking the effectiveness of the actions – do they work?
In simple terms, checking whether actions to address risk are effective means asking "Do they work?". There are various ways you can do this, including:
- Audits and internal reviews
- Analysing KPI
- Project evaluations
One important thing to bear in mind is making sure you have the right data available to make informed decisions. By improving how you aggregate risk data, you can make much stronger, better judgements. This leads to you becoming more efficient, making fewer losses, and ultimately increasing profitability.
Many organisations now employ KPI dashboards such as Pentana Risk so they can have real-time, instant access to management information. Having an overarching view of the key performance indicators you've set means you can track your performance in critical areas and make informed strategic decisions.
Instant access to risk assessments, audit reports, customer complaints, non-conformance and CAPA statuses, and document notification confirmations gives you the ability to 'take the temperature' of your organisation, analyse trends and demonstrate that your organisation has a 'culture of compliance'.
The concept of risk has always been implicit in ISO 9001 and many organisations take a risk-based approach intuitively. But the 2015 revision of the standard makes it more explicit and encourages organisations to build it into their entire management system.
Business risks are ever-growing worldwide, reflecting widespread political, economic and social uncertainties. ISO 9001:2015 makes it mandatory for you to adopt a risk-based approach, so that you improve customer confidence and satisfaction, assure a consistency of quality of goods and services, and establish a proactive culture of prevention and improvement. Every organisation should see risk-based thinking as an opportunity and a step in the right direction.
What you should do now
Learn more about how our QMS software can help your organisation adopt an iso 9001 risk-based thinking approach to not only meet the requirements of ISO 9001 but to see improvements for your organisation.