1. Objective of this post:
- to explain how risk is addressed in ISO 9001.
- to explain what is meant by ‘opportunity’ in ISO 9001.
- to address the concern that risk-based thinking replaces the process approach.
- to address the concern that preventive action has been removed from ISO 9001.
- to explain in simple terms each element of a risk-based approach.
2. Overview:
One of the key changes in the 2015 revision of ISO 9001 is to establish a systematic approach to risk, rather than treating it as a single component of a quality management system.
In previous editions of ISO 9001, a clause on preventive action was separated from the whole. Now risk is considered and included throughout the standard.
By taking a risk-based approach, an organization becomes proactive rather than purely reactive, preventing or reducing undesired effects and promoting continual improvement. Preventive action is automatic when a management system is risk-based.
3. What is risk-based thinking?
Risk-based thinking is something we all do automatically.
Example: If I wish to cross a road I look for traffic before I begin. I will not step in front of a moving car.
Risk-based thinking has always been in ISO 9001 – this revision builds it into the whole management system.
In ISO 9001:2015 risk is considered from the beginning and throughout the standard, making preventive action part of strategic planning as well as operation and review.
Risk-based thinking is already part of the process approach.
Example: To cross the road I may go directly or I may use a nearby footbridge. Which process I choose will be determined by considering the risks.
Risk is commonly understood to be negative. In risk-based thinking opportunity can also be found – this is sometimes seen as the positive side of risk.
Example: Crossing the road directly gives me an opportunity to reach the other side quickly, but there is an increased risk of injury from moving cars.
The risk of using a footbridge is that I may be delayed. The opportunity of using a footbridge is that there is less chance of being injured by a car.
Opportunity is not always directly related to risk but it is always related to the objectives. By considering a situation it may be possible to identify opportunities to improve.
Example: The analysis of this situation shows further opportunities for improvement:
- a subway leading directly under the road
- pedestrian traffic lights, or
- diverting the road so that the area has no traffic.
It is necessary to analyse the opportunities and consider which can or should be acted on. Both the impact and the feasibility of taking an opportunity must be considered. Whatever action is taken will change the context and the risks and these must then be reconsidered.
4. Where is risk addressed in ISO 9001:2015?
Introduction: The concept of risk-based thinking is explained in the introduction of ISO 9001:2015.
Definitions: ISO 9001:2015 defines risk as the effect of uncertainty on an expected result:
1. An effect is a deviation from the expected – positive or negative.
2. Risk is about what could happen and what the effect of this happening might be.
3. Risk also considers how likely it is.
The target of a management system is to achieve conformity and customer satisfaction.
ISO 9001:2015 uses risk-based thinking to achieve this in the following way:
Clause 4 (Context): the organization is required to determine the risks which may affect this.
Clause 5 (Leadership): top management are required to commit to ensuring Clause 4 is followed.
Clause 6 (Planning): the organization is required to take action to identify risks and opportunities.
Clause 8 (Operation): the organization is required to implement processes to address risks and opportunities.
Clause 9 (Performance evaluation): the organization is required to monitor, measure, analyse and evaluate the risks and opportunities.
Clause 10 (Improvement): the organization is required to improve by responding to changes in risk.