Before January 2020, if you had asked an organization whether they had considered a pandemic as a risk to the organization, most would have answered no. Recent world events have resulted in issues that have impacted almost every business industry and type of workforce. Many of these organizations were not fully prepared for these world events. Organizations had not considered a pandemic that would have far-reaching effects and require employees to work from home.

ISO 9001:2015 introduced the concept of taking actions to address risks and opportunities. Included in this new concept was the requirement to evaluate the effectiveness of actions taken to address your identified risks and opportunities. As organizations have developed these risks and opportunities, there have been varying degrees of maturity in the approaches that have been used. It can probably be said that none or very few of these approaches considered a pandemic.

Now that this unanticipated risk has been identified, it is important to apply what we have learned not only to this situation but also to other risks anticipated in the future. ISO 9001:2015 can be used as a framework to address these unanticipated risks.

The first step in determining how the clause on risks and opportunities in ISO 9001:2015 can help an organization is to review how the requirement is typically applied. Many organizations focus only on the risks related to the product. There is typically minimal consideration of risks as they apply to other parts of the management system. This includes risks related to adequate resources, business continuity, and issues related to suppliers such as availability of raw materials. Organizations also have a difficult time proving that the actions they take are effective, since the risks rarely occur. For example, many organizations identify risks related to weather such as a tornado, earthquake, or hurricane, where luckily the effectiveness of the actions does not need to be evaluated very often.

Helpful ISO 9001:2015 Requirements in Managing Unanticipated Risk

4.1 Context of the Organization
6.1 Actions to address risks and opportunities
7.1.6 Organization Knowledge
6.3 Planning of Changes
9.3 Management Review

ISO 9001:2015 does not have extensive requirements related to business continuity. Clause 8.2 Customer Communication does require that organizations communicate with customers about contingency actions when it is relevant. This communication may occur only after an issue arises, but it is infrequent since many organizations are reluctant to share with customers any business continuity issues.

Almost no organization had identified a worldwide pandemic in its consideration of risk or in its business continuity planning. Plans were not in place and had to be developed quickly. Even with the challenges that a different work environment brings, organizations are still responsible for maintaining control of the quality management system.

Now that the pandemic has occurred, organizations must take action to ensure that current actions are effective and that, wherever possible, they are avoided in the future. When considering how the requirements in ISO 9001:2015 can help manage unanticipated risks such as the pandemic, there are several clauses that an organization can focus on to assist them.

Clause 6.3 Planning of Changes – ISO 9001 does not require that an organization be perfect. It does require that when changes are made, the integrity of the quality management system is maintained. The integrity of the quality management system must also be maintained when addressing unplanned changes. This requirement can be used to manage an unanticipated risk as it is identified. Steps to consider for addressing unplanned change include:

  • Identify current gaps in your QMS.
  • Identify actions to close gaps.
  • If gaps cannot be closed immediately, develop a timeline for managing actions.
  • Gaps that cannot be immediately addressed can be managed through the corrective action requirements.

Clause 10.2 Nonconformity and Corrective Action – Even if your organization has already initiated actions to address gaps in the QMS, consider using the corrective action process to guide those actions, to ensure they have been documented and are effective.

While some organizations may believe a corrective action with causal analysis may not be needed, the documented information and verification of actions taken will enhance any current approach.

Clause 4.1 Context of the Organization – Organizations are responsible for determining external and internal issues that could have an effect on the organization. These issues are then considered to determine the organization’s risks or opportunities. Actions to address these risks and opportunities are then identified.

When an organization determines that there are issues that have not been previously identified, it is a good time to review these requirements and update them, as necessary.

Key actions include:

  • Review your external and internal issues to determine if changes need to be made.
  • Update any strategic planning.
  • Be broader in your consideration of external and internal issues. Look beyond issues related to the product.
  • Update risks and opportunities.

6.1 Actions to address risks and opportunities – The external and internal issues determined in clause 4.1 are considerations when determining what actions are needed to address risks and opportunities. Organizations are then required to determine if these actions are effective. The pandemic has created a need to re-evaluate risks and opportunities. Organizations should reconsider these risks and opportunities and determine if there are other risks that were not previously identified.

Organizations should consider:

Internal considerations related to the pandemic, such as ongoing social distancing requirements and the structuring of employee shifts so that the entire workforce is not impacted by any one employee affected by the virus.

External considerations, such as the impact of suppliers that are affected by the virus. Does the organization have secondary sources for raw materials? The organization should also consider the needs and expectations of its customers. Is your customer working at full capacity? Does the customer's work structure have an effect on the organization?

Once the organization has considered these items, it can be determined if there is also a need to make changes to any of the risks and opportunities.

7.1.6 Organizational Knowledge – This clause of ISO 9001:2015 requires an organization to maintain the knowledge needed to ensure that products and services conform to requirements. Many organizations focus on the competence of employees or cross-training employees to demonstrate conformity to the requirement. This clause can be used to put systems in place to avoid this situation in the future. Specific steps to consider include:

  • Conduct lessons learned as part of corrective action.
  • Make changes to the QMS as necessary to address lessons learned.
  • Develop a plan (not a "shall" requirement of ISO 9001:2015) for ensuring information is available in the future.

9.3 Management Review – The requirements for Management Review in ISO 9001 provide a framework to determine if your quality management system is suitable, adequate, and effective. Since management participates in the management review, it also provides the time to determine if actions taken to address risks and opportunities are effective, what actions are needed to make improvements, and to ensure that other components of the management system are also being maintained.

Management should identify ongoing challenges in management review and indicate what actions are needed to address them. In short, management review provides organizations the mechanism to maintain the integrity of the management system while engaging management in the analysis of data and determination of needed actions.

As your organization matures its management system and learns from this unanticipated risk, it should consider whether its analysis of risks and opportunities is comprehensive and where changes should be made.

Organizations should think of every outside-the-box scenario and ask if it could happen at their organization. Ransomware is another unanticipated risk that most organizations do not consider. When reviewing business continuity scenarios, most organizations focus on risks related to data backups. The ransomware scenario is completely different from a situation where someone loses a data file and needs it recovered.

Regardless of the unanticipated risk, ISO 9001:2015 can assist organizations in continuing to mature their quality management system and ensure that actions are in place to address the risk if it occurs.