Featured Video
This Week in Quality Digest Live
Management Features
Ryan E. Day
In which the Hunchback of Quality Digest pays attention to his neck and shoulder
Manfred Kets de Vries
The myths behind the mega pay
Integrated, flexible change management systems have higher adoption rates
Ryan E. Day
6DoF solution drives return on investment
Knowledge at Wharton
IoT improvements allow more data to be analyzed for new insights and real-time actions

More Features

Management News
Standard recognizes that everyone is critical to a successful quality management process.
Pharma quality teams will have performance-oriented objectives as well as regulatory compliance goals
Management's role in improving work climate and culture
Work with and learn from some of the nation’s best people and organizations
Cricket Media and IEEE team up to launch TryEngineering Together
125 strategies to achieve maximum confidence, clarity, certainty, and creativity
MIT awards more than $1 million to organizations creating greater economic opportunity for workers
Earn continuing education units

More News

Peter Merrill


How Risk-Based Thinking in ISO 9001:2015 Drives a Faster, Better Organization

People, processes, and technology need to be linked together for the QMS to be effective

Published: Wednesday, September 20, 2017 - 12:01

ISO 9001:2015 has significant structural changes that differentiate it from the previous standard. The new high-level structure is common to all ISO management system standards (i.e., quality, environmental,  IT security) and enables us to start looking at integration of these systems. There is a standard core text and structure and, important for ISO 9001, there is now the inclusion of services.

Risk-based thinking is widely recognized as driving the new standard but it is not immediately obvious that this thinking flows right through the quality management system (QMS). The term “documented information” replaces “documents and records.” This points to a vital understanding that information must flow through the QMS and not be just a collection of static records.

System thinking is needed and this is not complicated. We are used to process thinking which means following a series of steps in a regular order. System thinking means looking at the linkage between processes and how information flows between processes. A record is an information output from a process and becomes the information input to the next process.

The QMS starts with organizational context (section 4 of the standard) where we identify issues impacting the organization. Leadership (section 5) has a fundamental role in doing this and primarily the issues flow into risk (section 6) where we prioritize the risks attached to those issues. We then decide on the actions needed to mitigate those risks. The actions may involve development of competencies (section 7.2) or technology and infrastructure (section 7.1.3). The actions are applied through operations (section 8) and the management review “monitors performance” (section 9) adjusting resources and hence driving improvement (section 10).

Section 4.1—“Understanding the organization and its context,” asks us to identify the strategic issues that impact the organization as well as, in section 4.2, to consider the needs and expectations of interested parties, not just customers. The scope of the QMS (section 4.3) requires boundaries to be defined, and exclusions are worded more carefully than before. Section 4.4—“Quality management system and its processes,” is much like ISO 9001:2008 section 4.1.

Context issues for external risk links closely to section 6—“Planning.” The preferred tool to assess this is a risk matrix addressing impact, probability and detectability. The mitigations for the various risks then need to be addressed. This draws us into strategic planning. Risk-based thinking then requires us to identify which issues, both external and internal, have the greatest risk for the organization. There is a very logical flow as the standard then asks us to mitigate the higher risks. This means applying prevention to these risks, and we have choices on how to do this. Traditionally this would have been done by writing procedures. Today we can mitigate risk with far more choices, such as using technology (software), developing our people’s competencies, or the use of simple checklists. A plan to monitor the change in these external issues is be created.

The boundaries of the business to become registered are agreed upon by mapping the business at a high level and from output from the business-context work. The map assists in defining internal risk points. Some causes of internal risk are low competency, frequent change of persons, tasks performed infrequently, and complex processes. Ironically old equipment (i.e., failure) or very new equipment (complexity) both create risk.

In section 6.1 we address risks and opportunities and select the preferred mitigations and in section 6.2 set objectives for the mitigations and create a plan to achieve them. The objectives need to be measurable and regularly updated through the management review process where resources to meet objectives are reassessed as results are evaluated. These objectives then cascade through the organization.

A part of the new standard that must not be overlooked is section 7.1.6—“Organizational knowledge.” This is about knowledge acquisition and management and involves determining the knowledge for process operation and making it available. Acquiring additional knowledge can be a key part of risk mitigation. We learn from failure and success and from experts within the organization. Section 7.2—“Competence” is another important change that can be overlooked. Competence is “the ability to apply knowledge to achieve intended results.” We are now required to retain documented evidence of competence and not records of training. Competence is a key element in controlling risk.

Section 7.5—“Documented information,” links back to scope in section 4.3 and now minimal documentation is required. ISO 9001:2015 only requires “documented information” to be maintained, defining boundaries of the QMS, defining the scope of the QMS, and justifying any requirement not applicable. Now the organization itself decides which supporting information to document in order to demonstrate that processes are controlled (see section 8.5.1) and hence that risk is mitigated. Traditionally documents for a QMS can differ due to organization size, process complexity, and competence and are used for controlling processes and hence risk. The world has changed! Technology now controls risk far more than documents.

The operation clauses (in ISO 9001:2015 section 8) are the “do” part of plan, do, check, act (PDCA) and are where the risk mitigations are applied starting with requirements for products and services, working through design and development to externally provided products and services where risk can often be highest. Release of products and services is where we confirm that mitigations have worked (section 8.6) and if not, we control nonconformity (section 8.7).

The “check” part of PDCA is in the performance evaluation clauses where we monitor, measure, analyze, and evaluate data to identify whether processes are in control. We do this through our measurement plan, which links back to the objectives in section 6.1 as well as through our internal audit. The analyzed data is fed into management review, which now must look regularly at changes in internal and external issues as well as trending of risk using the analyzed data for decisions. An annual manual review is now totally inadequate. Joseph Juran famously said, “You plan and manage quality in the same way as you plan and manage finances.” If you only looked at your finances once a year you could be out of business and not even know. Management review should at a minimum be quarterly.

All of this drives improvement in the knowledge that a system is “a set of interrelated and interacting elements.” Those elements are people, processes, and technology, which need to be linked together for the QMS to be effective.

For more on this subject, join Peter Merrill on Wed., Sept. 27, 2017, at 1 p.m. Eastern, 10 a.m. Pacific, for the webinar, “How risk-based thinking flows through ISO 9001:2015 to drive a faster, better organization. Register here.


About The Author

Peter Merrill’s picture

Peter Merrill

Peter Merrill is a member of the ISO/TC 176 (ISO 9000) communications team at an international level. He led the International Working Group that developed the ISO Guideline on “People Involvement” in quality management systems and is one of North America’s foremost authorities on the subject. He is the current chair of the ASQ Innovation Think Tank and also chair of the Canadian National Committee on Innovation for ISO. Merrill is the author of Innovation Generation, Do It Right the Second Time, and Innovation Never Stops.


Risk Based Thinking

Good read.. gives insight on the importance of risk-based thinking in ISO..