by Christopher Paris
Risk-Based Fortune Telling
I hate that I have to use the term “risk assessment” because ISO 9001 doesn’t officially require this, but lacking any other term, it will have to do. As you will see, I am not suggesting the full gamut of formal risk assessment methods commonly used by risk management professionals. If you like, we can call it “risk evaluation” or “risk consideration.” Maybe “risk divination.” I don’t care.
The dirty secret in the risk management profession is that it’s all based on guesswork. Any risk assessment is just making guesses and then assigning numbers to make it look like science. It’s closer to Tarot card reading than physics, but no risk manager will ever admit it.
So here’s what we do, in the real world. Taking your Issues Log, you will determine the best risk treatment method for the given risk or opportunity and apply it.
- If the risk treatment is FMEA (or similar), then this method includes the risk assessment within the treatment. Run the FMEA and you’re done.
- If the risk treatment method is something else, this may require two steps: first, evaluate (assess) the risk in some way and then determine the course of action to take. This may mean simply writing the evaluations and actions in a simple text document and filing it, or it may require more formal activities and records — you get to decide.
I’m no fan of FMEA when using it for every type of risk, but if you want something that is a bit more flexible, but which still looks like an FMEA, consider downloading this free Excel file. (Right click, and select “Save As”). This also acts as a risk registry of sorts (and that’s what it’s called).
Whatever method you use, it has to comply with the next “required non-requirement” of ISO 9001, which says that you must
… integrate and implement the actions into its quality management system processes [and] evaluate the effectiveness of these actions.
If you have used a traditional, formal tool (like the FMEA or any of the treatments listed in ISO 31010), your job is done; these tools effectively meet this requirement.
But if you’ve elected to use a nontraditional method, or are simply explaining your actions in a prose text file, then just be sure the text clearly (1) identifies the risk, (2) evaluates the risk, (3) defines a risk action and (4) evaluates the actions taken. Here’s what that might look like in a simple typewritten example:
This meets all the requirements of ISO 9001:2015’s risk-based thinking without using a single spreadsheet, complicated FMEA or any other traditional method, and can be upheld during audits if you clearly point out the four elements.
Managing Opportunities
Opportunities are the alleged positive side of risk, as we discussed. They are not managed to mitigate (minimize) them, but instead the opposite — you want to maximize the likelihood and impact of opportunities. Therefore, while you can use all the same steps in RBT, when you reach the treatment step you will have to select different tools or approaches. Often the “prose” format is best; otherwise you will have to create a risk register that calculates opportunities in the opposite manner of risks, ranking them based on how well you can exploit the opportunity, as opposed to how well you can minimize the risk. Another great option for managing opportunities is SWOT, but it is not easy for the beginner.
Recap and Moving Forward
So, to recap, you use the COTO exercise to identify your stakeholders and their issues. You use this to help identify your risks and opportunities, and then collect them into some format to assess them. That assessment should include the determination of a risk treatment method specific to that risk, since no one tool can be used in all cases. Then you take actions to reduce the risk, evaluate the actions, and keep a record of the whole thing to prove it later.
The flexibility of the vague language of ISO 9001:2015 can be used to your benefit, allowing you to do whatever you like to meet these requirements. But at the same time, this will cause headaches for CB auditors who are expecting to see the same thing from one client to another. Be prepared to defend your interpretations, definitions and approaches. While the standard doesn’t officially require records of risk actions, you should maintain them for your own internal reference, but also to prove to the CB auditor that you’ve actually done something.
Like this topic? Book Christopher Paris for a speaking event at your organization on Practical Implementation of Risk-Based Thinking. Click here for more details.
About Christopher Paris
Christopher Paris is the founder and VP Operations of Oxebridge. He has over 25 years' experience implementing ISO 9001 and AS9100 systems, and is a vocal advocate for the development and use of standards from the point of view of actual users.
The original links to this Practical Implementation of "Risk Based Thinking" are the following:
Part 1
Part 2
Part 3