There’s been a shift in how companies view quality and compliance, and as a result, businesses are looking for a more comprehensive method for measuring operational efficiency. Risk management processes are proving to be an effective option for this. ISO 9001:2015 now promotes risk-based thinking in quality management systems, but many organizations aren’t sure what that means or how to go about it. This article explains risk-based thinking, describes the tools for identifying and managing risks, and looks at how ISO 9001:2015 incorporates risk concepts into its requirements.

The need for risk assessment

Risk management is a tool that helps companies evaluate risks in processes and content. It evaluates event data in order to measure levels of risk in an operational context. Risk assessment is repeatable and objective; it allows you to replace an otherwise subjective “gut sense” with a more guided decision-making approach. Furthermore, it’s easy to understand for people who aren’t directly involved in the process.

Risk assessment helps drive change. It enables you to build alerts for critical events and develop guidelines and solutions for risk levels that are unacceptable. These solutions are systematic and repeatable, and you can implement them for high risks in a more automatic and consistent manner.

However, it’s important to note that risk assessment is a tool, not the solution. Context is important in risk assessment, and for that, you need people. For example, someone on the shop floor might consider something a critical risk, whereas from the top floor, that risk might not look as bad in the larger context of operations. So it’s a good idea to have a team in place to examine your risk assessment process to ensure you’re achieving the right results. As your operations change or as more data accumulate, you may find that established risk levels need to be adjusted.

Risk management in ISO 9001:2015

The updates to the 2015 standard aren’t all about the requirements. Although they establish the framework to help you map your business, the standard outlines a different approach in how you should satisfy requirements. ISO 9001:2015 includes a component of risk-based thinking, and it involves the people and leaders within your organization. The standard doesn’t include a specific requirement for a quality management representative, or even a quality manual. Instead, ISO 9001:2015 focuses on a companywide commitment to quality that is championed and brought about by leaders. How can that be done using a centralized system, and where does risk fit in?

There are two sections where risk appears in the standard: leadership directives and planning.

Leadership directives: ISO 9001:2015 is designed to create a companywide approach to quality, and leaders need to be directly involved. Although some leaders might not “speak quality,” they definitely can speak risk. That’s why the standard encourages the concept of “risk-based thinking.” This refers to a coordinated set of activities and methods that organizations use to manage and control the many risks that affect their ability to achieve objectives. Risk-based thinking replaces what earlier version of the standard called preventive action.

Planning: This section is where preventive action used to be and is now replaced with managing risks and opportunities. It’s important to note that ISO 9001:2015’s take on risk is simple. This isn’t a directive to go out and build an enterprise risk management program or change all of your processes to comply with the requirements. The standard directs companies to “promote” risk-based-thinking, which is fairly broad and open to interpretation. Every company should evaluate its own processes in light of the risks specific to their business or industry.

We can break the planning section down to these relevant facts: Risk management is an objective process that can be repeated and standardized. Your first goal is to identify the risks in your operations, then determine how you’re going to measure those risks. After that, you need to figure out treatment options for those risks, and eventually implement actions and controls to address each risk.

Creating a risk classification

How do you start identifying risks? You’ll need to examine your operations, seek out potential hazards within those operations, and categorize them. Asking questions is a good way to start. Survey and audit your operations as you normally would; but note the potential hazards from all areas. What are the problems that could occur, and how likely is it they will occur? Your results will probably include a lot of hazards and a host of probabilities. At this point you need to analyse the hazards and then categorize them. This is called a “classification of risk” – i.e., hazard types grouped in broader categories that will enable you to make better sense of everything. You then create scales of severity for hazards and their frequency (likelihood to occur). Once you’ve done this, you can start evaluating the risks.

Taking subjectivity out of risk management

You now have a list of hazards, categorized and organized, and you’ve built some probabilities around them. How do you calculate the risk in these hazards? Keep in mind that an accurate risk assessment doesn’t always follow a risk evaluation. Too often, people use risk evaluation tools that calculate risk and just leave it to the tool to determine the risk level. Risk tools can help guide your calculations and decisions, but the ultimate decisions on how to handle risk should come from people. It’s helpful to have a risk team review risk calculation to confirm that they reflect real-world data. Ideally, risk should be addressed with a combination of people, processes, and tools.

Risk management as a tool for quality and compliance

You’ve created a list of hazards and their probabilities and come up with a slick risk-assessment strategy that combines quantitative analysis with real-world data. Now what? Just because you’ve calculated something as a high risk doesn’t mean you’ve solved the problem. The next step is to assign treatment options to that risk. You must determine what you’re going to do if there is a risk, and you do this in several ways. Again, this is where a cross-functional team comes in handy: You can review the different risk outcomes and then determine, based perhaps on past data or processes, how you’re going to handle different risk levels.

Treatment options typically fall into these broad categories:

• You can accept the risk (i.e., the outcome is worth the risk)
• You can seek ways to reduce the risk
• You can find ways to ensure yourself against the risk
• You can transfer risk (perhaps you source out high-risk processes to a partner or supplier with a better risk management process)
• If the risk is simply too high, you can avoid it (i.e., stop the process altogether)

Author of What is Risk Based Thinking: Timothy Lozier