Risk and ISO 9001:2015
Risk-based thinking and the process approach.
In September, the International Organization for Standardization (ISO) published ISO 9001:2015, the updated quality management system standard built on the high-level structure (HLS), which includes some fundamental changes in how organizations are expected to operate to remain in conformance.
The most noticeable change in the revised standard is that it follows the Annex SL structure that ISO management system standards are now required to adopt. ISO developed the 10-clause, high-level structure to ensure that management system standards are aligned with a set of common requirements.
Additional key changes include enhanced leadership engagement in the management system, increased emphasis on organizational context, greater focus on risk-based thinking, more flexibility regarding documentation and fewer prescriptive requirements. This means more planning documentation and the application of appropriate risk measures at the management level as part of that documentation.
Compared with earlier versions of ISO 9001, the 2000 and 2008 editions already focused less on documentation and more on managing processes. ISO 9001:2015 is even less prescriptive than its predecessors and focuses more on performance. This makes auditing the system more challenging, because auditors must evaluate components such as metrics and key performance indicators for quality objectives rather than checking documented procedures.
ISO has combined the process approach—the systematic management of processes and their interactions to achieve intended results—with risk-based thinking (risk and opportunity analysis) and with the four-step Plan-Do-Check-Act (PDCA) method applied at all levels of the organization. This combination of risk-based thinking, the process approach and PDCA forms an integral part of the ISO 9001:2015 standard.
Risk-Based Thinking, the Process Approach and PDCA
Chief among the changes in ISO 9001:2015 is that risk is no longer implicit or limited to specific elements of the quality management process. Risk is now addressed throughout the standard and built into the whole management system. The revised standard also has explicit requirements for risk-based thinking to support and improve the understanding and application of the process approach.
In ISO 9001:2015, risk-based thinking makes preventive action part of strategic and operational planning, so references to “preventive action” have been replaced with “actions to address risks and opportunities.” Companies are now expected to identify risks and opportunities, and to execute S.M.A.R.T.-driven quality objectives and planning of changes. Organizations’ consideration of risk becomes proactive rather than reactive to factors that may affect their QMS. Essentially, risk-based thinking turns the entire management system into a preventive planning tool.
Risk-based thinking is a major part of the process approach, ensuring risk is considered from beginning to end. A key point of the process approach is to have an organization’s processes operate as a single, integrated system. Understanding activities as linked processes that function as a complete system helps achieve more consistent results. This means organizations must consider activity inputs and outputs; a set of activities in a process; a process working within a system; the objectives for which the system should operate; and the direction the system should go.
The process approach is meant to help organizations achieve defined objectives by planning processes, performing them according to the plan, assessing performance and improving the processes. ISO 9001:2015’s new structure is built around the PDCA sequence, commonly used to manage processes and systems. Operating as a closed-loop approach for continual improvement, with risk-based thinking at each stage, PDCA can help organizations define, implement and control active measures toward improvement—both in individual processes and in the QMS as a whole.
In the 2015 edition, ISO 9001’s primary objective remains the same: to continually improve quality and ensure that products and services consistently meet customers’ requirements. By integrating risk-based thinking with the process approach and PDCA, organizations are better able to achieve their stated objectives, ensure consistency of output quality and create value for customers and the organization through a proactive posture.
As of September 2015, companies with or seeking ISO 9001 certification have three years to meet the QMS requirements in the new edition. For organizations with a culture of risk-based thinking, the updates may mean business as usual. For others, introducing a risk-based approach to their entire QMS could be challenging, mainly in shifting the way that they think about risk. Pushing risk-based thinking to its simplest level of understanding is the most effective way to accomplish this strategy.