What Is a Risk?
A risk is a positive or negative deviation from the expected. Addressing a risk could mean pursuing a new opportunity. The better your organization manages risks, the better prepared you are to face uncertainties. Organizations are required during planning of their QMS to address both risks and opportunities.
In the context of ISO 9001:2015, risk-based thinking replaces what was called preventive action in the previous standard version. Risk-based thinking requires companies to evaluate risk when establishing processes, controls and improvements in a Quality Management System. (ISO 9001:2015 QMS Standard clause 6.1)
Objective of Risk Identification
- To give assurance that the quality management system can achieve its intended results
- Promote improvement
- Identify potential problems before they occur
- Minimize project threats
- Maximize the positive impact of project opportunities and success
- Prevent and reduce undesired effects
- Enhance desirable effects
Where in ISO 9001:2015 is Risk-Based Thinking?
- Clause 4 Context – Determine the processes required for operation of the quality management system and the risks and opportunities associated with these processes.
- Clause 5 Leadership – Top management must ensure that the risks and opportunities that can affect conformity of products and services and the ability to enhance customer satisfaction are determined and addressed.
- Clause 6 Planning – to give assurance that the quality management system can achieve its intended result(s), prevent or reduce, undesired effects and achieve continual improvement.
- Clause 8 Operation -The organization is required to implement processes to address risk and opportunities.
- Clause 9 Performance Evaluation – The organization is required to monitor, measure, analyze and evaluate risk and opportunities.
- Clause 10 Improvement – The organization is required to continually improve processes whilst responding to changes in risks and opportunities.
But what exactly does ISO mean by risk-based thinking? A deeper look reveals that while it’s not the same as risk management, automated risk management tools can help you incorporate risk-based thinking into your processes. It is important to note that risk isn’t limited to negative possibilities. Companies can also use risk-based thinking to pinpoint opportunities, which represent the positive side of risk.
Methods of Identifying Risks
Risk identification is a deliberate and systematic effort to identify and document what is at risk within the organizations context. The following methods can be used to identify risks within an organization;
- Risk workshops and interviews
- Cause and effect diagrams
- Nominal group technique (NGT)
- Delphi technique- structured interactive forecasting
- Hazard analysis and critical control points
- Root cause analysis
- Cost benefit analysis
How then do you address risks and opportunities?
The ISO 9001:2015 requirements around risks and opportunities do not require a formal risk management system. However, it does require that you determine what they are and how they will be addressed. When evaluating risk, it is helpful to use two metrics or parameters:
- Severity (If the risk occurs, how serious is it?)
- Probability (What is the probability of the risk occurring?
Common methods for addressing risk after identification includes maintaining a risk register, performing FMEA (Failure Mode Effects Analysis) or FTA (Fault Tree Analysis), using a Probability and Impact Matrix, or other risk management exercises.
In effect, 9001:2015 risk management asks the organization to establish an end-to-end process for risk management and then to execute that process consistently, carefully and widely. And while the process for creating and applying risk management may never be overly specific because of the need to apply in so many different situations.
Above all, a good understanding and knowledge of ISO 31000 is highly required. This standard provides generic guidelines, principles and processes for managing risks within an organization. Most organizations that have implemented it can boast of improved performance in an environment full of uncertainties. This standard can be used by any organization regardless of its size, activity or sector. Although this standard is not for certification purposes, organizations use it to ensure that the best risk management practices are in place as well as sound principles for effective management and corporate governance.