by Christopher Paris
RBT in Practice
To recap, so far we’ve conducted a COTO (context of the organisation) exercise which helped us better understand our company, its stakeholders and the things they may find important. We then tailored our understanding of the concepts of “risk” and “opportunity” to something that makes practical sense. Finally, we will use this information to determine the risks facing the company and how to manage them.
One important thing to consider: the ISO 9001:2015 standard specifically uses the phrase “determine” your risks. Many CB auditors and pundits have already misinterpreted this as saying you must “document” or “record” them; but “determining” is not equal to “documenting”, so they are wrong. If TC 176 had wanted you to document them, they would have said so; instead they did include the word “thinking” however, so in the strictest sense you can “determine” your risks merely by thinking about them. Yes, it’s insane, but it’s literally true.
What does this mean in a practical sense? This means you also get to decide how to “determine” the risks. This article just presents one possible way, and it doesn’t pretend to be the only way.
Converting Issues to Risks and Opportunities
Risks are everywhere, and naming every one of them is like naming all the stars in the sky. So what risks do you consider? The standard does give some pointers, thankfully. Clause 6.1.1 says you must “determine the risks and opportunities that need to be addressed to:
- give assurance that the quality management system can achieve its intended result(s);
- enhance desirable effects;
- prevent, or reduce, undesired effects;
- achieve improvement.”
But those are vague concepts in and of themselves, so they are only hints. You are going to have to take those hints, run them through the filters of the COTO exercise outputs, and come up with actual risks you can take a bite out of.
I like tables, so I am going to recommend another table; I call this an “Issues Log.” It may look like a traditional risk register, but it’s not, at least not yet; if you elect to create a risk registry later, you can cut and paste data from this table into it.
You can download a free, customizable version of this table (MS Excel 2013 format) in the link below. (Click "Download File" and select “Save As.”)
Form - Issues Log
Using this table, you will copy the information from your previous exercises into it. The Excel version provides drop-down lists for most of the columns to make filling it in a bit faster. A few explanations:
“Bias” refers to whether the issue is inherently negative (a risk) or positive (an opportunity). Now you see why re-defining “risk” (as we discussed previously) is important.
“Processes Affected” refers to the key (core) processes in your organization, which you should have already identified. The RBT activities should become part of your process approach, so tying each issue to at least one related process is important.
“Priority” allows you to prioritize the issues; this might then carry over into any prioritization used in the risk treatment itself.
“Treatment Method” would be a reference to the preferred method used to process the issue. For many negative risks you may opt for FMEA, but for others you would not. The Excel file provides a drop-down list of about 30 different risk treatment methods, from ISO 31010 Risk Management – Risk Assessment Techniques; you can likewise add your own.
“Record Reference” would be where you indicate the associated records or files related to the risk treatment; this could be a CAR number, a FMEA reference number, a report number… whatever. But the Issues Log should link to where the user can find more information.
To fill this out, you go down your COTO tables and copy the data into this new Issues Log. Once you are done, you can then add additional risks and opportunities that you think of outside of the COTO exercise. In fact, I recommend you hold a special management-level meeting to help populate this Issues Log.
Once it’s complete — and keep in mind, this is a living document that will be updated as conditions change — you can then use this to drive a number of ISO 9001 related activities:
- Use the information to update the company’s Strategic Direction
- Use the information to update the internal audit schedule
- Use in Management Review as an overall risk thinking tool
- Use to populate a formal risk registry
You may wish to upload this to a central server so that employees can add to it as they like; this encourages participation by your staff in the risk thinking activities.
On its own, however, the Issues Log doesn’t fully meet all the requirements of RBT. Instead, it has helped you “determine” the risks and opportunities as required by ISO 9001:2015.
Risk Based Vaporware
Once you’ve identified your risks, ISO 9001 then goes on to require the following:
"6.1.2 The organization shall plan:
a) actions to address these risks and opportunities;
b) how to: integrate and implement the actions into its quality management system processes [and] evaluate the effectiveness of these actions".
The first in that list (take “actions to address” the risks) is ISO’s way of saying you need to conduct some form of assessment and treatment; but ISO didn’t want to use those words, lest they be seen as prescriptive. Formal risk assessment and risk treatment is not required, but you have to do something.
This is where the 9001:2015 standard fails: it wants to have its users adopt risk management, but is so terrified (and ignorant) of formal risk management, it tries to avoid using the terms directly. (There were also a lot of politics in play, and TC 176 didn’t want to step on the toes of TC 262 on risk management, the guys who publish ISO 31000.) The end result is a vague set of words that actually mean nothing, and provide no direction whatsoever on how to meet the requirement. I call this a “required non-requirement” in that it requires something, but says nothing.
So, in a practical sense, you have to do some “action” that — for the purposes of this article, anyway — we will call “risk assessment” and “risk treatment.” But these activities may not always look like the traditional assessments and treatments, and may not be applicable to all the risks or opportunities you identified.
About Christopher Paris
Christopher Paris is the founder and VP Operations of Oxebridge. He has over 25 years' experience implementing ISO 9001 and AS9100 systems, and is a vocal advocate for the development and use of standards from the point of view of actual users.
The original links to this Practical Implementation of "Risk Based Thinking" are the following:
Part 1
Part 2
Part 3