Applying Risk-based Thinking

ISO 9001:2015 now promotes risk-based thinking in quality management systems, but many organisations aren’t sure what that means or how to go about it.

Risk management is a tool that helps companies evaluate risks in processes, products and services. It evaluates event data in order to measure levels of risk in an operational context. Risk assessment is repeatable and objective; it allows you to replace an otherwise subjective “gut sense” with a more guided decision-making approach. Furthermore, it’s easy to understand for people who aren’t directly involved in the process.

Risk assessment helps drive change. It enables you to build alerts for critical events and develop guidelines and solutions for risk levels that are unacceptable. These solutions are systematic and repeatable, and you can implement them for high risks in a more automatic and consistent manner.

However, it’s important to note that risk assessment is a tool, not the solution. Context is important in risk assessment, and for that, you need people. For example, someone on the shop floor might consider something a critical risk, whereas from the top floor, that risk might not look as bad in the larger context of operations.

The updates to the 2015 standard aren’t all about the requirements. Although they establish the framework to help you map your business, the standard outlines a different approach to how you should satisfy requirements. ISO 9001:2015 includes a component of risk-based thinking, and it involves the people and leaders within your company. The standard doesn’t include a specific requirement for a quality management representative, or even a quality manual. Instead, ISO 9001:2015 focuses on a companywide commitment to quality that is championed and brought about by leaders.

There are two sections where risk appears in the standard: leadership directives and planning.

  1. ISO 9001:2015 is designed to create a companywide approach to quality, and leaders need to be directly involved. Although some leaders might not “speak quality,” they definitely can speak risk. That’s why the standard encourages the concept of “risk-based thinking.” This refers to a coordinated set of activities and methods that organisations use to manage and control the many risks that affect their ability to achieve objectives. Risk-based thinking replaces what earlier versions of the standard called preventive action.
  2. This section is where preventive action used to be, and it is now replaced with managing risks and opportunities. It’s important to note that ISO 9001:2015’s take on risk is simple. You don’t have to go out and build an enterprise risk management program, or change all of your processes to comply with the requirements. The standard directs companies to “promote” risk-based thinking, which is fairly broad and open to interpretation. Every company should evaluate its own processes in light of the risks specific to its business or industry.

Risk management is an objective process that can be repeated and standardised. Your first goal is to identify the risks in your operations, then determine how you’re going to measure those risks. After that, you need to figure out treatment options for those risks, and eventually implement actions and controls to address each risk.

How do you start identifying risks? You’ll need to examine your operations, seek out potential hazards within those operations, and categorise them. If you have documented your processes, you may want to document their risks too. Asking questions is a good way to start. Ask ‘why?’ and ‘what if?’ What are the problems that could occur, and how likely is it that they will occur? Don’t forget that if it’s already happened, it can’t be a risk!

You’ve created a list of hazards and defined their probabilities. Now what? Just because you’ve calculated something as a high risk doesn’t mean you’ve solved the problem. The next step is to assign treatment options to that risk. You must determine what you’re going to do if there is a risk, and you do this in several ways.

Treatment options typically fall into these broad categories:
• You can accept the risk (i.e., the outcome is worth the risk)
• You can seek ways to reduce the risk
• You can transfer risk (perhaps you source out high-risk processes to a partner or supplier with a better risk management process)
• If the risk is simply too high, you can avoid it (i.e., stop the process altogether)

A simple risk register will enable you to document your risk-based thinking and treatment activities. Don’t forget that risks do change over time. Clients, products, services, regulations, resources, technology, processes, etc. are subject to change, and therefore your analysis and treatment of risk should change too. Review risks on a regular basis and revisit risks when appropriate to your business.
