International Organization for Standardization
BIBC II, Chemin de Blandonnet 8, CP 401, 1214 Vernier, Geneva, Switzerland
Tel: +41 22 749 01 11, Web: www.iso.org
RISK-BASED THINKING IN ISO 9001:2015
Purpose of this paper
• to explain risk-based thinking in ISO 9001
• to address perceptions and concerns that risk-based thinking replaces the process approach
• to address the concern that preventive action has been
removed from ISO 9001
• to explain in simple terms each component of risk-based thinking
What is risk-based thinking?
One of the key changes in the 2015 revision of ISO 9001 is to establish a
systematic approach to considering risk, rather than treating “prevention” as a
separate component of a quality management system.
Risk is inherent in all
aspects of a quality management system. There are risks in all systems,
processes and functions. Risk-based thinking ensures these risks are
identified, considered and controlled throughout the design and use of the
quality management system.
In previous editions of ISO
9001, a clause on preventive action was separated from the whole. By using
risk-based thinking the consideration of risk is integral. It becomes proactive
rather than reactive in preventing or reducing undesired effects through early
identification and action. Preventive action is built-in when a management
system is risk-based.
Risk-based thinking is
something we all do automatically in everyday life.
Example: If I wish to cross a
road I look for traffic before I begin. I will not step in front of a moving
car.
Risk-based thinking has always
been in ISO 9001 – this revision builds it into the whole management
system.
In ISO 9001:2015 risk-based
thinking needs to be considered from the beginning and throughout the system,
making preventive action inherent to planning, operation,
analysis and evaluation activities.
Risk-based thinking is already
part of the process approach.
Not all the processes of a quality management system represent the same level of
risk in terms of the organization’s ability to meet its objectives. Some need
more careful and formal planning and controls than others.
Example: To cross the road I
may go directly or I may use a nearby footbridge. Which process I choose will
be determined by considering the risks.
Risk is commonly understood to have only negative consequences; however, the
effects of risk can be either negative or positive.
In ISO 9001:2015 risks and
opportunities are often cited together. Opportunity is not the positive side of
risk. An opportunity is a set of circumstances which makes it possible to do
something. Taking or not taking an opportunity then presents different levels
of risk.
Example:
Crossing the road directly
gives me an opportunity to reach the other side quickly, but if I take that
opportunity there is an increased risk of injury from moving cars.
Risk-based thinking considers
both the current situation and the possibilities for change.
Analysis of this situation
shows opportunities for improvement:
• a subway leading directly under the road
• pedestrian traffic lights, or
• diverting the road so that the area has no traffic
Where is risk addressed in ISO 9001:2015?
The concept of risk-based
thinking is explained in the introduction of ISO 9001:2015 as an integral part
of the process approach.
ISO 9001:2015 uses risk-based
thinking in the following way:
Introduction – the concept of risk-based thinking is explained
Clause 4 – the organization is required to determine its QMS processes and to address its risks and opportunities
Clause 5 – top management is required to
• Promote awareness of risk-based thinking
• Determine and address risks and opportunities that can affect product/service conformity
Clause 6 – the organization is required to identify risks and opportunities related to QMS performance and take appropriate actions to address them
Clause 7 – the organization is required to determine and provide necessary resources (risk is implicit whenever “suitable” or “appropriate” is mentioned)
Clause 8 – the organization is required to manage its operational processes (risk is implicit whenever “suitable” or “appropriate” is mentioned)
Clause 9 – the organization is required to monitor, measure, analyse and evaluate effectiveness of actions taken to address the risks and opportunities
Clause 10 – the organization is required to correct, prevent or reduce undesired effects and improve the QMS and update risks and opportunities
Why use risk-based thinking?
By considering risk throughout
the system and all processes the likelihood of achieving stated objectives is
improved, output is more consistent and customers can be confident that they
will receive the expected product or service.
Risk-based thinking:
• improves governance
• establishes a proactive culture of improvement
• assists with statutory and regulatory compliance
• assures consistency of quality of products and
services
• improves customer confidence and satisfaction
Successful companies
intuitively incorporate risk-based thinking.
How do I do it?
Use risk-based thinking in
building your management system and processes.
Identify what your risks are – it depends on context
Example:
If I cross a busy road with
many fast-moving cars the risks are not the same as if the road is small with
very few moving cars. It is also necessary to consider such things as weather,
visibility, personal mobility and specific personal objectives.
Understand your risks
What is acceptable, what is
unacceptable? What advantages or disadvantages are there to one process over
another?
Example:
Objective: I need to safely cross a road to reach a
meeting at a given time.
• It is UNACCEPTABLE to be injured.
• It is UNACCEPTABLE to be late.
Reaching my goal more quickly
must be balanced against the likelihood of injury. It is more important that I
reach my meeting uninjured than it is for me to reach my meeting on time.
It may be ACCEPTABLE to delay
arriving at the other side of the road by using a footbridge if the likelihood
of being injured by crossing the road directly is high.
I analyse the situation. The
footbridge is 200 metres away and will add time to my journey. The weather is
good, the visibility is good and I can see that the road does not have many
cars at this time.
I decide that walking directly
across the road carries an acceptably low level of risk of injury and will help
me reach my meeting on time.
Plan actions to address the risks
How can I avoid or eliminate
the risk? How can I mitigate risks?
Example: I could eliminate
risk of injury caused by being hit by a vehicle if I use the footbridge but I
have already decided that the risk involved in crossing the road is acceptable.
Now I plan how to reduce
either the likelihood or the impact of injury. I cannot reasonably expect to
control the impact of a car hitting me. I can reduce the probability of being
hit by a car.
I plan to cross at a time when
there are no cars moving near me and so reduce the likelihood of an accident. I
also plan to cross the road at a place where I have good visibility.
Implement the plan – take action
Example:
I move to the side of the road, check there are no barriers to crossing. I check
there are no cars coming. I continue to look for cars whilst crossing the road.
Check the effectiveness of the action – does it work?
Example:
I arrive at the other side of the road unharmed and on time: this plan worked
and undesired effects have been avoided.
Learn from experience – improve
Example:
I repeat the plan over several
days, at different times and in different weather conditions.
This gives me data to
understand that changing context (time, weather, quantity of cars) directly
affects the effectiveness of the plan and increases the probability that I will
not achieve my objectives (being on time and avoiding injury).
Experience teaches me that
crossing the road at certain times of day is very difficult because there are
too many cars. To limit the risk I revise and improve my process by using the
footbridge at these times.
I continue to analyse the
effectiveness of the processes and revise them when the context changes.
I also continue to consider
innovative opportunities:
• can I move the meeting place so that the road does not
have to be crossed?
• can I change the time of the meeting so that I cross
the road when it is quiet?
• can we meet electronically?
Conclusion
Risk-based thinking:
• is not new
• is something you do already
• is on-going
• ensures greater knowledge of risks and improves
preparedness
• increases the probability of reaching objectives
• reduces the probability of negative results
• makes prevention a habit
Other useful documents
• ISO 31000:2009 Risk Management – Principles and guidelines
• ISO 9001:2015 Risk-based thinking – PowerPoint presentation
• ISO 31010:2010 Risk management – Risk assessment techniques