Tim Lozier


A Risk Management Primer

Getting started with risk in ISO 9001:2015

Published: Wednesday, September 23, 2015 - 14:42

Sponsored Content

We’ve all heard it before: Change is the only constant. This isn’t just cliché but a truth that all companies will come to recognize. Change is the driving force behind improvement. And all of the changes that take place within an organization, whether to products, processes, or regulations, aren’t isolated. Each has an impact on the other.

When combined, these factors result in a complex process—a delicate balance that must be handled carefully and deliberately to bring about a successful process. An organization also must ensure that quality and compliance are met when rolling out new products and processes. This, combined with the rapid pace of product life cycles, means that you must move at warp speed to keep up.

That’s where automated risk management tools come in to streamline the process.

A high-level look at risk management

The risk management process starts with identifying risk. You must look at your business operations and determine hazards and the risk that those hazards will occur. A risk team is critical in identifying these risks throughout an organization.

Next, you want to take your known risks and determine a way to quantify them. To do this effectively, you’ll want to look for ways to measure risk in a systematic and objective way. Many organizations use scales, such as severity and probability, to help them determine the criticality of the risk and the chances of it occurring. A process for evaluating and assessing a risk is also a critical part of the process.

The point of risk management is to reach a decision as the result of an assessment. Risk management tools help quantify and filter risk, but ultimately, a decision must be made about how to handle the risk. Some things to consider when making this decision include:
• Acceptance: Is it worth the risk?
• Reduction: Should you take steps to mitigate the risk?
• Compensation: Find ways to insure against the risk
• Transfer: Source the risk out to a third party with a better risk-management process
• Avoidance: If the risk is too high, avoid the process altogether

When you’ve made your decision, the next step is to implement it. This could mean changing how processes or operations are managed, implementing controls to mitigate or reduce the risk, or carrying out improvement activities that ultimately will support your company’s decision.

The risk umbrella

Risk is prevalent in all areas of an organization. It spans everything from quality to environmental health and safety (EHS) to financial, the supply chain, and more. That’s why it’s such a powerful concept: It can be used as a universal methodology for benchmarking compliance within the organization. When a company looks at its operations, it may find areas where risk assessment makes sense as a viable tool. Here are five of the most common.

Production planning: As a company designs processes, it can build risk management in an operational context in processes as a way to plan for change. This ensures that the process is benchmarked along the way, and it also enables an organization to build risk management around the production part approval process (PPAP) and failure modes and effects analysis (FMEA). From a safety perspective, a company could build risk around job safety, incorporating risk at each level of each job step, and then roll up the risk assessment to determine what the overall risk of that job truly is.

Manufacturing: During operations, a company collects production data, such as nonconformances and deviations. Building risk management into these processes can help uncover trends in production events as well as gauge the severity and frequency of defects. From an EHS perspective, incidents and accidents are going to happen. When a company encounters these adverse events, risk assessment can serve as a decision-making tool to help filter the severity and criticality of those events, which in turn allows better, more informed decisions.

Post-production: All organizations want to foster continuous improvement because it drives the business to be more efficient and operate in a more streamlined and compliant manner. When a company builds risk management into continuous improvement initiatives, complaint data should be filtered by risk to ensure that the most critical events are handled first. Risk management can also be built into the supply chain. By creating a holistic approach to supplier risk, a company can determine which suppliers have a higher risk than others.

Internal audits: Similarly, internal audits will measure the effectiveness of operations, and building risk management into the auditing process will help to prioritize the findings in the audit report.

CAPA: Corrective and preventive action is also a great way to assess risk. It enables a company not only to effectively correct systemic issues, but also to correct them to within acceptable risk levels. Risk assessment serves as an important “check” on the effectiveness of corrective actions taken. Was the level of risk reduced? If not, then maybe the corrective action wasn’t truly effective.

These are just some of the areas in which risk assessment has value within compliance operations.

Risk as it relates to ISO 9001:2015

Risk management is becoming a focal point in compliance initiatives such as certification to the ISO 9001:2015 standard. The latest revision of the standard has an element of risk-based thinking built into its guidelines for creating a quality management system. As such, ISO 9001:2015 represents a shift away from a preventive approach and toward a risk approach, which involves several components. For example, your company might be using risk management to identify and categorize its hazards based on their overall risk, but is it also seeking ways to control the risk proactively? How can we mitigate our risks? What tools can we use that will build risk management throughout the entire quality life cycle, so that we are effectively benchmarking the risks against our objectives?

There are several ways to manage risk using an automated solution that can build risk assessment into a company’s processes. A company can identify and control activities, but equally important is tracking and measuring risk operationally, within the operational processes.

For example, once you’ve established a risk plan, you want to measure it against risk levels. So you identify a hazard and then categorize it, but also determine the severity and frequency or likelihood of that hazard manifesting itself as a risk. This can be done by creating simple decision trees (i.e., if this, then that), or leveraging a risk matrix, which allows you to build systematic and objective risk rankings based on the risk levels.

Although top executives might not “speak” quality, they do “speak” risk. Being able to put quality events and objectives into a risk context engages the entire company in quality management. No longer are we speaking quality; we’re speaking a language that anyone in the company can understand.

One of the benefits of building risk into processes is that you can set an objective method for calculating risk. An automated risk-management solution will take the severity and frequency of an event, backed by historical data, and compile recommendations based on past data and your identified risk levels. This creates a more quantitative dimension to the process. Each event uses the same assessment tool and compares the results using a common method. This allows decision makers to weigh multiple factors in order to make a more informed decision.

Building risk into your process also means that when the company is audited, you can demonstrate that your decision, while based on multiple factors, also takes into account risk assessments that are proven, repeatable, and based on the quality objectives and risk management methods outlined in the company’s quality policies. It’s another check, one that also provides a better way for organizing, prioritizing, and filtering adverse events.

Common tools for assessing risk

There are many ways to approach risk management, and many organizations have developed different risk-based tools to suit their specific business needs. Although these tools may be different, they share a common goal—to provide an effective risk management process. Some of these tools include:

Risk matrices
The risk matrix is a quick, easy tool for plotting risk levels on a graph. It’s designed to make risk levels apparent to everyone in the organization. The risk matrix plots two or three levels on a graph, typically severity and likelihood. Each risk level is assigned a number, and within the graph a company can apply a formula to calculate where the two numbers intersect. The user can then assign a color to the risk level—red, yellow, or green are common, with red indicating severe risk and green indicating low risk. The risk matrix is a great tool to help guide decision-making. However, it is not a standalone tool. In order for it to be effective, it needs human involvement. You will need to vet the matrix by assessing it against real-world historical examples to see whether the matrix comes up with the correct risk level for those historical events.
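The severity-times-likelihood scoring described above, with the color bands and the historical vetting step, as an added example that is not part of the article or of any vendor's product. The 5×5 scales, the band thresholds, and the historical events are all constructed assumptions for illustration.

```python
"""Risk matrix scorer with vetting against historical events (constructed example)."""
from dataclasses import dataclass

# Assumed ordinal scales for a common 5x5 matrix; 1 is lowest, 5 is highest.
SEVERITY = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "catastrophic": 5}
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}


def risk_score(severity: str, likelihood: str) -> int:
    """The usual formula at the intersection of the two axes: severity x likelihood."""
    return SEVERITY[severity] * LIKELIHOOD[likelihood]


def risk_band(score: int, yellow_from: int = 5, red_from: int = 12) -> str:
    """Map a score to a matrix color. The thresholds are assumptions and must be vetted."""
    if score >= red_from:
        return "red"
    if score >= yellow_from:
        return "yellow"
    return "green"


@dataclass
class HistoricalEvent:
    """A past adverse event with its ratings and the band the organization judged correct."""
    name: str
    severity: str
    likelihood: str
    expected_band: str


# Constructed sample history used to vet the matrix; not real data.
HISTORY = [
    HistoricalEvent("line stoppage", "major", "possible", "red"),
    HistoricalEvent("label misprint", "minor", "likely", "yellow"),
    HistoricalEvent("forklift near miss", "catastrophic", "rare", "yellow"),
    HistoricalEvent("cosmetic scratch", "negligible", "almost certain", "green"),
]


def vet_matrix(history, yellow_from: int = 5, red_from: int = 12):
    """Return (event, matrix band, expected band) for every historical disagreement."""
    mismatches = []
    for ev in history:
        band = risk_band(risk_score(ev.severity, ev.likelihood), yellow_from, red_from)
        if band != ev.expected_band:
            mismatches.append((ev.name, band, ev.expected_band))
    return mismatches


def prioritize(events):
    """Order open events so the most critical ones are handled first."""
    return sorted(events, key=lambda e: risk_score(e.severity, e.likelihood), reverse=True)
```

The vetting step flags the "cosmetic scratch" event: a multiplicative score gives a negligible-but-frequent event the same number (5) as a catastrophic-but-rare one, which is exactly the kind of disagreement with historical judgement that the matrix must be tuned for before it is trusted.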

Decision trees
Decision trees are another effective method of risk assessment. If a company experiences an adverse event, it can use the decision tree to help determine the event’s outcome. Decision trees can be built in such a way that they will help a company reach the right decision and provide guidance on that decision. They allow the user to follow a path, usually through question-and-answer branches (e.g., if this, then this; if yes, then this; etc.). Decision trees are powerful in that they can be embedded directly into operational processes.

Risk registers
A risk register is essentially a library of hazards that takes risk data from all events, whether from job safety analysis (JSA), incidents, accidents, or any other adverse events. It provides a centralized location that allows visibility into the risk within all operations.

Risk trending is a critical component of risk management, and it needs to be based on historical data. A company can build a risk history from various operational areas and report on the trends. Although not all operational areas will be the same in terms of how risk is assessed, the risk register provides a common location for the operational data so the user can look at how risk management has evolved over time. A risk register also allows a company to analyze and identify trends for where high risks are, what areas need more oversight, and how operations can be improved.

Bowtie risk
The bowtie risk method is a great risk-assessment tool for low-occurrence events. In some cases a company might have very little data about potential critical events, but the undesired effects of these events are so catastrophic that it can’t afford to sit and wait for them to happen. Unlike the previous tools, bowtie risk is considered a proactive assessment tool in that it seeks to mitigate risk before it happens. This model looks at the undesired event and builds out controls as “barriers” to prevent that event from occurring. Companies use the bowtie risk method to guard against events that they don’t have enough historical data about, but need to protect themselves from by assessing both preventive and responsive actions.


In order to make compliance streamlined and efficient, a company must have risk management methods in place. Risk management is a universal language that is applicable to many operational areas, and it can provide an objective and systematic way to filter and prioritize adverse events so informed decisions can be made quickly.

Risk management is becoming a focal point of compliance initiatives and standards. ISO 9001:2015 has built in an element of risk-based thinking, bringing a new level of focus to risk planning. It helps companies take a proactive approach to risk by operationally assessing risk across all areas of an enterprise, and tracking and reporting on all risks.

Having automated risk management tools in place is a step toward being prepared for ISO 9001:2015.

For more on risk as it relates to ISO 9001:2015, join Tim Lozier and Dirk Dusharme on Sept. 29, 2015, at 11 a.m. Pacific for the webinar, Risk Management Primer: Getting Started With Risk in ISO 9001:2015.


About The Author

Tim Lozier

Tim Lozier is the director of product strategy at Traqpath, in Farmingdale, New York. He has extensive experience in the software industry, and has been involved in the creation of leading-edge technologies in user-interface design and development. He began his career in digital marketing before taking a turn into software design and marketing at Quark Inc. Since then, he’s never looked back—helping to foster the development (and blog about) leading quality management software solutions.


Except ISO 9001:2015 Doesn't Require Risk Management

ISO 9001:2015 -- as well as TC 176 -- have specifically tried to tell people that risk-based thinking does not require "risk management." The standard, from Appendix A.4 is explicit on this point:

"Although 6.1 specifies that the organization shall plan actions to address risks, there is no requirement for formal methods for risk management or a documented risk management process. Organizations can decide whether or not to develop a more extensive risk management methodology than is required by this International Standard, e.g. through the application of other guidance or standards."

I'm not sure how these articles keep getting published, while those pointing out the facts of risk-based thinking can't get a whisper. Companies will spend tens of thousands of dollars implementing wasteful, costly and time-sucking risk management programs to comply with ISO 9001, which clearly says they didn't need to do a bit of it.