Risk Based Thinking
Abdullah T.
| Head of Logistics | Commodity Trader & Broker | Industrial Engineer | Six Sigma Black Belt | Auditor | Trade Finance | HR | Quality | AI | SQL| Data Analyst
ISO 9001:2015 – Risk Based Thinking
One of the key changes in the 2015 revision of ISO 9001 is to establish a systematic approach to risk, rather than treating it as a single component of a quality management system. In previous editions of ISO 9001, a clause on preventive action was separated from the whole. Now risk is considered and included throughout the standard. By taking a risk-based approach, an organization becomes proactive rather than purely reactive, preventing or reducing undesired effects and promoting continual improvement. Preventive action is automatic when a management system is risk-based.
Risk-based thinking is something we all do automatically and often subconsciously. For example, if I wish to cross a road, I look for traffic before I begin. I will not step in front of a moving car. The concept of risk has always been implicit in ISO 9001 – this revision makes it more explicit and builds it into the whole management system. Risk is considered from the beginning and throughout the standard, making preventive action part of strategic planning as well as operation and review.
Risk-based thinking is already part of the process approach. For example, to cross the road I may go directly or I may use a nearby footbridge. Which process I choose will be determined by considering the risks. Risk-based thinking makes preventive action part of the routine.
Risk is often thought of only in the negative sense. Risk-based thinking can also help to identify opportunities. This can be considered to be the positive side of risk. Crossing the road directly gives me an opportunity to reach the other side quickly, but there is an increased risk of injury from moving cars. The risk of using a footbridge is that I may be delayed. The opportunity of using a footbridge is that there is less chance of being injured by a car. Opportunity is not always directly related to risk, but it is always related to the objectives. By considering a situation it may be possible to identify opportunities to improve.
Opportunities for improvement in this example include a subway leading directly under the road, pedestrian traffic lights, or diverting the road so that the area has no traffic. It is necessary to analyze the opportunities and consider which can or should be acted on. Both the impact and the feasibility of taking an opportunity must be considered. Whatever action is taken will change the context and the risks, and these must then be reconsidered.
The main objectives of ISO 9001 are to provide confidence in the organization’s ability to consistently provide customers with conforming goods and services and to enhance customer satisfaction. The concept of “risk” in the context of ISO 9001 relates to the uncertainty in achieving these objectives.
DEFINITIONS
ISO 9001:2015 defines risk as the effect of uncertainty on an expected result.
- An effect is a deviation from the expected – positive or negative.
- Risk is about what could happen and what the effect of this happening might be.
- Risk also considers how likely it is.
The target of a management system is to achieve conformity and customer satisfaction.
Explanation:
Risk is the possibility of events or activities impeding the achievement of an organization’s strategic and operational objectives. It is the volatility of potential outcomes. Risk can be defined by two parameters:
- Severity (the seriousness of the harm)
- Probability (the probability that the harm will occur)
Risk as Currently Stated in ISO 9001:2015
ISO 9001:2015 uses risk-based thinking to achieve this in the following way:
- Clause 4 (Context): the organization is required to determine the risks which may affect this.
- Clause 5 (Leadership): top management are required to commit to ensuring Clause 4 is followed.
- Clause 6 (Planning): the organization is required to take action to identify risks and opportunities.
- Clause 8 (Operation): the organization is required to implement processes to address risks and opportunities.
- Clause 9 (Performance evaluation): the organization is required to monitor, measure, analyze and evaluate the risks and opportunities.
- Clause 10 (Improvement): the organization is required to improve by responding to changes in risk.
ISO 9001:2015 sub clause 4.4.2—Process approach
“The organization shall:
d) determine the risks to conformity of goods and services and customer satisfaction if unintended outputs are delivered or process interaction is ineffective;”
Unintended outputs in ISO 9001:2015 can mean the same as nonconforming products in ISO 9001:2008. Unintended output from a process can be reprocessed/reworked, scrapped, or sold at a discount. The risk of producing unintended output should theoretically be set at zero or near zero, but this is rarely achieved; the analogy would be a process operating at 4.5 sigma vs. 5 or higher. The lower the parts per million, the lower the risk of producing unintended output. However, one must not forget that depending on the industry (e.g., medical vs. pencil manufacturers), these risks have different end-user impact and costs.
5.1.2—Leadership and commitment with respect to the needs and expectations of customers
“Top management shall demonstrate leadership and commitment with respect to customer focus by ensuring that:
a) the risks which can affect conformity of goods and services and customer satisfaction are identified and addressed;”
This can be achieved by establishing process capabilities for each process from manufacturing and assembly to packaging and product delivery and installation. The computation of a simple indicator of process capability (Cp) or the adjustment of the process capability toward a specification (Cpk) would help managers quantify their process risk. The objective would be to achieve the highest economically feasible capability for each process, thus minimizing the risk of producing so-called unintended output.
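The capability calculation described above, as an added example that is not part of the original article: it computes Cp, Cpk and the expected parts per million of unintended output from measurements, and relates the 4.5 and 5 sigma levels mentioned earlier to ppm. It assumes a stable, normally distributed process with no 1.5-sigma shift; the sample measurements, specification limits and function names are constructed for illustration.

```python
import math
import statistics

# Constructed sample: ten measurements of a nominal 10.0 mm dimension.
SAMPLES = [9.8, 10.0, 10.2, 10.0, 10.1, 9.9, 10.0, 10.2, 9.8, 10.0]

def normal_tail(z):
    """P(Z > z) for a standard normal variable."""
    return 0.5 * math.erfc(z / math.sqrt(2))

def capability(samples, lsl, usl):
    """Return (Cp, Cpk, expected ppm out of spec).

    Assumes a stable, normally distributed process; lsl/usl are the lower
    and upper specification limits.
    """
    if usl <= lsl:
        raise ValueError("usl must be greater than lsl")
    mu = statistics.mean(samples)
    sigma = statistics.stdev(samples)  # needs at least two samples
    if sigma == 0:
        raise ValueError("no variation in samples; capability is undefined")
    cp = (usl - lsl) / (6 * sigma)               # spread only
    cpk = min(usl - mu, mu - lsl) / (3 * sigma)  # spread and centring
    ppm = 1e6 * (normal_tail((usl - mu) / sigma) + normal_tail((mu - lsl) / sigma))
    return cp, cpk, ppm

def ppm_at_sigma_level(k):
    """Two-sided ppm outside +/- k sigma for a centred process (no 1.5-sigma shift)."""
    return 2e6 * normal_tail(k)

if __name__ == "__main__":
    # Constructed spec limits, deliberately off-centre so Cpk < Cp.
    cp, cpk, ppm = capability(SAMPLES, lsl=9.4, usl=10.4)
    print(f"Cp={cp:.2f} Cpk={cpk:.2f} expected unintended output={ppm:.0f} ppm")
    for k in (4.5, 5.0):
        print(f"{k} sigma: {ppm_at_sigma_level(k):.2f} ppm")
```

With these constructed limits the process spread fits the tolerance (Cp above 1), but the off-centre mean pulls Cpk below 1, which is where most of the expected unintended output comes from.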
6.1—Actions to address risks and opportunities
6.1.1 “When planning for the quality management system, the organization shall consider the issues referred to in 4.1 and the requirements referred to in 4.2 (4.2 Understanding the needs and expectations of interested parties) and determine the risks and opportunities that need to be addressed to:
a) assure the quality management system can achieve its intended outcome(s)
b) assure that the organization can consistently achieve conformity of goods and services and customer satisfaction
c) prevent, or reduce, undesired effects, and
d) achieve continual improvement.”
6.1.2 “The organization shall plan:
a) actions to address these risks and opportunities, and
b) how to
1) integrate and implement the actions into its quality management system processes (see 4.4), and
2) evaluate the effectiveness of these actions.
Any actions taken to address risks and opportunities shall be proportionate to the potential effects on conformity of goods and services and customer satisfaction.”
8.3—Operational planning process
“In preparing for the realization of goods and services, the organization shall implement a process to determine the following, as appropriate:
b) actions to identify and address risks related to achieving conformity of goods and services to requirements;”
8.5.1—Development processes
“In determining the stages and controls for the development processes, the organization shall take account of:
e) the determined risks and opportunities associated with the development activities with respect to
1) the nature of the goods and services to be developed and potential consequences of failure
2) the level of control expected of the development process by customers and other relevant interested parties, and
3) the potential impact on the organization’s ability to consistently meet customer requirements and enhance customer satisfaction.”
8.6.5—Post delivery activities
“The extent of post delivery activities that are required shall take account of:
a) the risks associated with the goods and services”
This sounds like a rephrasing of warranty-cost analysis; major companies have done this for a long time, but I don’t know about small to medium-size companies.
9.1—Monitoring, measurement, analysis and evaluation
“The organization shall take into consideration the determined risks and opportunities and shall:”
There are important issues to address relating to inaccurate measurements or insufficient measurements. Gauge repeatability and reproducibility (Gauge R&R) addresses many if not most of these issues and I don’t see how adding the word “risk” brings any value to this paragraph except that now one must think of the missed “opportunities” for measuring (or rather, not measuring) and the associated risk.
9.2—Internal audit
“The organization shall:
a) plan, establish, implement and maintain an audit program(s), including the frequency, methods, responsibilities, planning requirements and reporting. The audit program(s) shall take into consideration the quality objectives, the importance of the processes concerned, the related risks, and the results of previous audits;”
Internal auditors would now have to assess the risk of failing to do something or the risk of not following a procedure. This would be challenging to quantify and assess. Potential risks would also have to be assessed, which would be even more challenging.
10.2—Improvement
“The organization shall improve the quality management system, processes and goods and services, as appropriate, through responding to:
c) changes in identified risk (see 6.1);”
One could do failure mode and effects analysis (FMEA) to show that the risk-priority number has decreased as a result of a process change. This would not be difficult to do, but it would be full of uncertainties because FMEA is based on subjective assessment.
Use of risk based thinking.
By considering risk based thinking throughout the organization the likelihood of achieving stated objectives is improved, output is more consistent and customers can be confident that they will receive the expected product or service.
Risk-based thinking therefore:
- builds a strong knowledge base
- establishes a proactive culture of improvement
- assures consistency of quality of goods or services
- improves customer confidence and satisfaction
Use of Risk Register
The risk register or risk log becomes essential as it records identified risks, their severity, and the action steps to be taken. It can be a simple document, spreadsheet, or a database system, but the most effective format is a table. A table presents a great deal of information in just a few pages. There is no standard list of components that should be included in the risk register. Some of the most widely used components are:
- Dates: As the register is a living document, it is important to record the date that risks are identified or modified. Optional dates to include are the target and completion dates.
- Description of the Risk: A phrase that describes the risk.
- Risk Type (business, project, stage): Business risks relate to delivery of achieved benefit, project risks relate to the management of the project such as timeframes and resources, and stage risks are risks associated with a specific stage of the plan.
- Likelihood of Occurrence: Provides an assessment of how likely it is that this risk will occur. Examples are: L-Low (<30%), M-Medium (31-70%), H-High (>70%).
- Severity of Effect: Provides an assessment of the impact that the occurrence of this risk would have on the project.
- Countermeasures: Actions to be taken to prevent, reduce, or transfer the risk. This may include production of contingency plans.
- Owner: The individual responsible for ensuring that risks are appropriately engaged with countermeasures undertaken.
- Status: Indicates whether this is a current risk or if risk can no longer arise and impact the project. Example classifications are: C-current or E-ended.
- Other columns such as quantitative value can also be added if appropriate.
Risk-driven approach in organizational processes.
- Identify what the risks and opportunities are – it depends on context.
For example, if I cross a busy road with many fast-moving cars, the risks are not the same as if the road is small with very few moving cars. It is also necessary to consider such things as weather, visibility, personal mobility and specific personal objectives.
- Analyse and prioritize your risks and opportunities.
What risk is acceptable, what is unacceptable? What advantages or disadvantages are there to one process over another? For example, I need to safely cross a road to reach a meeting at a given time. It is UNACCEPTABLE to be injured. It is UNACCEPTABLE to be late. The opportunity of reaching my goal more quickly must be balanced against the likelihood of injury. It is more important that I reach my meeting uninjured than it is for me to reach my meeting on time. It may be ACCEPTABLE to delay arriving at the other side of the road by using a footbridge if the likelihood of being injured by crossing the road directly is high. I analyse the situation. The footbridge is 200 metres away and will add time to my journey. The weather is good, the visibility is good and I can see that the road does not have many cars at this time. I decide that walking directly across the road carries an acceptably low level of risk of injury and an opportunity to reach my meeting on time.
- Plan actions to address the risks.
How can I avoid or eliminate the risk? How can I mitigate risks? For example, I could eliminate the risk of injury by using the footbridge, but I have already decided that the risk involved in crossing the road is acceptable. Now I plan how to reduce the likelihood of injury and/or the effect of injury. I cannot reasonably expect to control the effect of a car hitting me. I can reduce the probability of being hit by a car. I plan to cross at a time when there are no cars moving near me and so reduce the likelihood of an accident. I also choose to cross the road at a place where I have good visibility and can safely stop in the middle to re-assess the number of moving cars, further reducing the probability of an accident.
- Implement the plan – take action.
For example, I move to the side of the road, check there are no barriers to crossing and that there is a safe place in the centre of the moving traffic. I check there are no cars coming. I cross half of the road and stop in the central safe place. I assess the situation again and then cross the second part of the road.
- Check the effectiveness of the actions – does it work?
For example, I arrive at the other side of the road unharmed and on time: this plan worked and undesired outcomes have been avoided.
- Learn from experience – continual improvement.
For example, I repeat the plan over several days, at different times and in different weather conditions. This gives me data to understand that changing context (time, weather, quantity of cars) directly affects the effectiveness of the plan and increases the probability that I will not achieve my objectives of being on time and avoiding injury. Experience teaches me that crossing the road at certain times of day is very difficult because there are too many cars. To limit the risk, I revise and improve my process by using the footbridge at these times. I continue to analyse the effectiveness of the processes and revise them when the context changes. I also continue to consider innovative opportunities, such as: Can I move the meeting place so that the road does not have to be crossed? Can I change the time of the meeting so that I cross the road when it is quiet? Can we meet electronically?
| Head of Logistics | Commodity Trader & Broker | Industrial Engineer | Six Sigma Black Belt | Auditor | Trade Finance | HR | Quality | AI | SQL| Data Analyst
8 years ago: Thank you so much for your comments.
Customer Experience, Business Excellence and Improvement Leader
8 years ago: Good presentation Abdullah!
Speaks about COST EFFECTIVENESS in Management. Providing work experience to job aspirants #Blogger # Trainer # Youtuber # LinkedIn
9 years ago: Well written