Years in the making, the ISO 9001:2015 revision has been published. Prior to the release date, auditors, inspectors, quality managers, and many others studied the initial drafts in an attempt to understand the changes. Readers immediately recognized that risk would be a major concept within the quality management systems standard.

Companies will use the next three years to fully implement the standard. To do so, risk—as well as risk management and risk-based thinking—will need to be understood and incorporated into your quality management system (QMS).

It should be pointed out that risk as a concept is not new to ISO 9001. In previous versions of the standard, risk was implied. In the 2015 revision, that is no longer the case.

It should also be stated that there are people in the standards community who believe risk simply took the place of preventive action (which is no longer mentioned in the standard). Regardless of the origin and intention, risk is given a front-and-center presence in section 6.

“The organization shall plan: a) actions to address these risks and opportunities; b) how to: 1) integrate and implement the actions into its quality management system processes (see 4.4); 2) evaluate the effectiveness of these actions.”

The advantage of bringing this language to the foreground is the emphasis it places on the importance of considering risks and opportunities in your quality management system. In an article for Quality Progress, Jack West, a well-regarded standards expert, wrote, “(it is) prudent (that) a well-developed quality management system (QMS) should have always considered the risk of things going wrong, assessed the potential effects of negative outcomes and taken reasonable action to prevent problems.”

West mentions that it is interesting, then, that many organizations do not formally address risk—or preventive action, for that matter—in their quality management system. ISO 9001:2015 might not remedy this situation entirely, but it can no longer be ignored. West continues, “A QMS also should require a strategic, forward-looking process to assess potential risks related to changing and evolving external and internal conditions such as competitive actions, technology advances, and personnel knowledge and skills.”

The idea behind risk-based thinking is that you look into the future to get a handle on what could happen. What are the risks that things can go wrong and what opportunities do the risks present to your organization?

To accomplish this, tools are essential. In an interview with ASQ TV, audit expert Dennis Arter suggested creating a risk catalog and classifying each risk in two ways. First, assess the probability of the identified risk occurring. Then, determine the consequence level (high, medium, low) of each identified risk. Once each risk has been assessed, Arter states that you must determine what to do with it. You can:

Accept—leave it alone (but keep it in the catalog).

Transfer—lessen the risk by “transferring to someone else.”

Mitigate—apply controls to reduce the probability and consequences of the risk.

While these tools will assist you in your risk management activities, you might want to think holistically with a risk management system. Before you begin panicking about the need to create another system, you need to know that there is already a risk management standard prepared to help you with your ISO 9001:2015 transition: ISO 31000.

Allen Gluck, member of the U.S. Technical Advisory Group to ISO Technical Committee 262 (TAG 262)—the group involved with developing ISO 31000—stated in a recent interview that using ISO 31000 can help you begin your process into risk-based thinking.

“The (ISO 9001:2015) standard,” Gluck states, “does a very positive thing in referencing the ISO 31000 standard. So it’s not mandated and users don’t have to create any kind of risk management system but they have a fully defined and fully described reference and can include as many components as they see fit based on the needs of their organization.”

While implementing ISO 9001:2015 will take time and a commitment from your organization, great care has been taken to guide you through the updates, changes, and improvements that will lead to a stronger, comprehensive quality management system.