Do you need formal Risk Management or not?
One of the key changes in the 2015 revision of ISO 9001 is a requirement to establish a systematic approach to considering risk, rather than treating “prevention” as a separate component of a quality management system.
Risk is inherent in all aspects of a quality management system. There are risks in all systems, processes and functions.
Risk-based thinking as set out in ISO 9001:2015 requires that these risks are identified, considered and controlled throughout the design and use of the quality management system.
However, the Standard (and ISO 9001 Guidance documents) does not require an organisation to have a formal risk management system nor to have documentation in support of its application.
So what should one do?
What is Risk-based Thinking?
Risk-based thinking enables an organization:
- to determine the factors that could cause its processes and its quality management system to deviate from the planned results,
- to put in place preventive controls to minimize negative effects and
- to make maximum use of opportunities as they arise.
- is not new
- is something you do already
- is on-going
- ensures greater knowledge of risks and improves preparedness
- increases the probability of reaching objectives
- reduces the probability of negative results
- makes prevention a habit
What Does the Revised Standard Say About Risk-based Thinking?
ISO 9001:2015 uses risk-based thinking is addressed in the following sections:
Introduction - the concept of risk-based thinking is explained
- Clause 4 – the organization is required to determine its QMS processes and to address its risks and opportunities
- Clause 5 – top management is required to:
- Promote awareness of risk-based thinking
- Determine and address risks and opportunities that can affect product /service conformity
- Clause 6 – the organization is required to identify risks and opportunities related to QMS performance and take appropriate actions to address them
- Clause 7 – the organization is required to determine and provide necessary resources (risk is implicit whenever “suitable” or “appropriate” is mentioned)
- Clause 8 – the organization is required to manage its operational processes (risk is implicit whenever “suitable” or “appropriate” is mentioned)
- Clause 9 – the organization is required to monitor, measure, analyse and evaluate effectiveness of actions taken to address the risks and opportunities
- Clause 10 – the organization is required to correct, prevent or reduce undesired effects and improve the QMS and update risks and opportunities
Options in Dealing with Risk Management Requirements in ISO 9001
In dealing with the Standards requirement regarding risk, you have two options.
So, what to do?
Option 1: Do the minimum to fulfill the requirements and obtain your Certification.
Some cleverly worded statements in policy documents and in management review records, and nothing more, will suffice.
This is what many will do and, very likely, will think that they are being smart.
They're not, because they're missing a great opportunity to improve the performance of their organisation. The organisation will continue to manage risk 'by the seat of the pants'.
Benefits of Option 1:
It's quick, easy, and gets the job done. Quality management experts will never take this approach.
Option 2: Have a formal risk management system and have documentation in support of its application.
There are several Standards that you might consider to aid you in developing risk management for your organisation.
The one we recommend is ISO 14971. This standard was developed so as to manage risk to patient safety from medical devices. It's about managing risk in the context of a Quality Management System for medical device manufacture.
Its framework for risk management (risk evaluation, risk assessment, risk control, etc) can be applied to any organisation and not just manufacturing - e.g. administrative processes have risk for commercial and public sector organisations too.
Its greatest attraction, however, is the selection of proven risk management tools it explores. These include FMEA - Failure Mode and Effect Analysis, PHA - Preliminary Hazard Analysis, FTA - Fault Tree Analysis, HACCP - Hazard Analysis and Critical Control Point, HAZOP - Hazard and Operability Study, and more.
It's a very good starting point from which to explore and select the tools appropriate to managing the different kinds of risk arising in your organisation.
Benefits of Option 2:
A risk-based approach to managing the organisation will be introduced on many levels and functions. Many business benefits will accrue. Risk will be managed in an objective way, based on facts and the use of appropriate risk management tools.
Consequently, the possibility of failure will be reduced (having in many instances been eliminated by design) and the probability of success, both financial and otherwise, will be increased.