While ISO 2008 required a documented procedure of preventative action to be implemented when appropriate after the corrective measures had been taken, the approach was a reactive response to an adverse event or nonconformity. In ISO 9001 2015, the notion of preventative action has morphed into a more proactive preventative approach applied in all the main processes of the quality management system: planning, design, development, manufacture, customer support and service. In this new standard, the measure is called risk-based thinking or RBT.
Understanding Risk in Context
Let’s first attempt to understand what is risk. The answer may ultimately be subjective when considering what risks are in the context of an organisation. However, one common explanation is, where there is risk, there is a chance or probability of something adverse happening or a chance to exploit a resulting opportunity. The end-product of risk is uncertainty and deviation from that which is intended. According to the new standard, this deviation could be positive or negative.
What is Risk Based Thinking?
While there is no definition for Risk-based Thinking (RBT) provided in ISO 9001 2015, there is some explanation in ISO 9001 and TC 176. This clause tells us that RBT is something we do “automatically in everyday life.” Some have described RBT as being a common sense measure. Perhaps the old adage is true;
“Common sense is not so common,” Voltaire
Where to Apply RBT
The new ISO standard states that RBT should be applied in each of the processes that make up the quality management system. However, each process of the quality management system holds varying levels of risk regarding the organization’s ability to meet its quality objectives. Because of this, more careful and formal planning and controls are needed for certain risk areas than others.
Understanding Opportunity as a Risk
When considering the context of the new standard, opportunity, is not merely the positive side of risk —but a set of circumstances in which an outcome is impacted to some degree, by either action or non-action. There is less risk involved when choosing to exploit an opportunity for a positive outcome than there is in failing to act when the result would have negative, neutral, or less than positive consequences. Therefore, each potential scenario is relevant to RBT in weighted amounts.
Planning and Implementation of RBT
RBT, as the standard requires, should be applied in the planning and formulation of the complete quality management system. This begins with a requirement for top management to identify and include both internal and external parties who have an interest in the effectiveness of the QMS. Those whose end goal is to achieve the production quality goods and services. For the same reason, top management is to identify both positive and negative issues that present opportunities and risks that are relevant to quality goods and services as these will need to be taken into account when planning and implementing the quality management system.
The Fluidity of Context of the Organisation
Because the context of the organisation is not a static trait, the risk potential also changes. It is important that an enterprise can appropriately evaluate risk potential, mitigate those risks and identify opportunities in the ever-changing environment of organisational context. While it is not a requirement, one suggestion for to successfully plan, implement and follow through with RBT in any number of risk areas is to utilise the following process:
Plan – Identify and plan to address the risk.
Do – Implement the plan to avoid, eliminate or mitigate the risk.
Check- Asking how effective your plan was at risk avoidance.
Documentation of RBT Processes
It is important to note that there is no explicit requirement for the process to be formalised into a written document nor is there any stipulation to retain documentation for recordkeeping. However, you must be prepared to present some form of evidence that suggests you engaged appropriately in risk-based thinking, as this process does require significant forethought and “what-if” or scenario planning.
Summary of the Requirements for RBT
Promote awareness of risk-based thinking allows leadership to determine and address various risks and opportunities which we otherwise might have missed.
Provide the necessary resources for RBT in all areas of risk or opportunity, remembering that risk is implicit whenever the conditions determine it suitable or appropriate
Monitor, measure, analyse and evaluate the effectiveness of actions taken to address the risks/opportunities.
Correct, prevent, or reduce artefacts, improving the QMS and updating risks and opportunities as needed within the changing context.
Consider including some evidence of risk identification and evaluation having been performed, if this action supports or adds value to the organisation.
Benefits of RBT
An organisation is responsible for its ISO application to have risk-based thinking and identify the actions it takes to address the risk including evaluation of opportunities as a risk. The standard, by applying risk-based thinking, greatly increases the likelihood of a company realising the following benefits
Proactive stance to prevent poor outcomes
Greater ability to recognise opportunity
Improved consistency and quality of products and services
Increased customer confidence and satisfaction
In summary, RBT is the next obvious step-up from the previous standard which was reactionary. Successful companies will have the common sense to intuitively incorporate proactive risk-based thinking into the existing quality management system. When properly implemented, RBT ensures greater knowledge of risks and better prepares the organisation to deal with those risks. It promotes a thought framework in which missed opportunities are also calculated as potential risks. It increases the likelihood of reaching objectives while reducing the possibility of undesirable outcomes.