Featured Product
This Week in Quality Digest Live
Risk Management Features
Gleb Tsipursky
Returning to the office harms diversity
Gene Kaschak
Lean supply is not just about the size of inventory
Dwayne Duncum
Understanding and implementing effective controls of workplace hazards is every employer’s responsibility
Etienne Nichols
Even if it’s not required, it’s critical

More Features

Risk Management News
Demonstrating a commitment to keeping people safe and organizations running
Aug. 25, 2022, at 3:00 p.m. Eastern
Now is not the time to skip critical factory audits and supply chain assessments
Extends focus on data-driven explainability and adds customizability
Google Docs collaboration, more efficient management of quality deviations
Major ERP projects take six months longer than companies were told
Three webinars to increase participation and understanding within the world of quality assurance
Partnership bolsters defense against growing cybersecurity risks

More News

Nicole Radziwill

Risk Management

Taming Uncertainty in Your QMS With Risk-Based Thinking and ISO 9001:2015

Why you should start employing a risk-based mindset

Published: Wednesday, August 29, 2018 - 12:01

ISO 31000 defines risk as “the effect of uncertainty on outcomes.” Identifying risks and determining ways to respond to them help you learn about your processes, your organization, and the environment you’re operating within. It also raises your awareness of how any of these things might change in the future. Perhaps most important, this helps you quickly respond to—and recover from—negative events like natural disasters, supply chain disruptions, and cyberattacks.

Risk management can also help your organization uncover new opportunities, if risks are considered within the context of strengths, capabilities, and threats.

But let’s face it: Risk management can be difficult and time-intensive, and it doesn’t easily reveal returns on investment. Especially when people are busy, and budgets are tight, taking a risk-based approach can feel like a distraction. “Compliance complacency” is not uncommon, and sometimes only the minimal amount of effort goes toward meeting governance or documentation requirements. In 2016, Carmela Cucuzzella, of Concordia University in Canada, mentioned that some product designers even express contempt for risk management, claiming that it can strip them of their creative freedom.

Although it may be tempting to avoid risk management entirely, ignoring risks can lead to cost overruns, time delays, waste and rework, and other unpleasant surprises. This is why risk management has played a pivotal role in strategic management since the 1970s, and why enterprise risk management (ERM) and the ISO 31000 guidelines for risk management have emerged. This is also why the topic has received increased attention in the latest revision to ISO 9001.

ISO 9001:2015, which becomes the authoritative version of the standard on Sept. 14, 2018, incorporated several major changes. (For insights into how to make the transition, read Graham Freeman’s “Transitioning to ISO 9001:2015: What You Need to Know.” The revised standard now conforms to Annex SL, the high-level structure that many ISO standards share, making it easier for organizations to avoid duplication of effort when multiple standards are used. Documentation requirements have been relaxed as well, so organizations will have more freedom to capture and share institutional knowledge. Finally, risk-based thinking is now strongly emphasized, and depends upon the organizational context (clause 4.1) and the needs and expectations of “interested parties” or stakeholders (clause 4.2).

What is risk-based thinking?

Raimond Laqua defines risk-based thinking as a “mindset to proactively improve the certainty of achieving outcomes utilizing methods that consider threats and opportunities.” In a recent webinar called “Demystifying Risk,”he explained that risks can be both positive and negative, and can hide within our processes, can lurk outside the processes, or can emerge as a result of changing environmental conditions. To make things even more challenging, “risks hide in our cognitive biases,” he explains, noting that the psychology of risk plays just as important a role as the engineering aspects.

One consequence of this shift toward risk-based thinking in ISO 9001:2015 is that “preventive action” has been dropped from clauses 4 through 10, marking a strong departure from earlier versions of the standard. Does this mean that you don’t need to take preventive actions anymore, or that you can throw away your corrective action/preventive action (CAPA) software? Of course not.

The philosophy underlying the change is that a robust quality management system itself prevents nonconformances: Every time you revisit the information in your risk register, or make adjustments to continually improve the quality management system, you’re engaging in preventive action. Although clause 8.5.3 from ISO 9001:2008 indirectly mentioned risk, it was not a driver for identifying and executing preventive actions. Also, auditors reported that corrective actions were plentiful in most organizations, while preventive actions were much less common and felt more “forced”—i.e., undertaken just to check off a box on the auditing checklist. Find out more from John West and Charles Cianfrani in the article, “Where Is Preventive Action?” from the March 2016 issue of Quality Progress.

What should you do to start employing a risk-based mindset? First, recognize that not all risks need to be identified or managed. Start with the most critical processes, and don’t feel pressured to envision every manifestation of uncertainty you might encounter. Next, examine risks in the context of your strengths and capabilities, which can be used to transform threats into opportunities.

But this is just the beginning. There are many different ways to jumpstart risk-based thinking in your organization, including some from the domain of agile methods. Risk-based thinking can benefit small businesses and large enterprises, and the techniques are applicable whether you use ISO 9001:2015, the Baldrige Criteria for Performance Excellence, the EFQM Excellence Model, or another approach to quality management. Where do you begin?

Find out the answer to this question and more—including what the world’s biggest recent supply chain cyberattack teaches us about risk-based thinking—during the Sept. 6, 2018, webinar, “Risk-Based Thinking: New Requirements for ISO 9001:2015 and Integrated Management Systems.” Register here.

Additional reading
Cucuzzella, Carmela. “Creativity, sustainable design and risk management.” Journal of Cleaner Production, Dec. 2015.
Freeman, Graham. “Transitioning to ISO 9001:2015: What You Need to Know.” Intelex Insight Report, 2018.
West, John, and Cianfrani, Charles. “Where Is Preventive Action?” Quality Progress, March, 2016.
Laqua, Raimond. NEW QUALITY STRATEGIES: “Turn your ‘Risk Management’ Into ‘Risk-Based Thinking!’ ” Aug., 2018.


About The Author

Nicole Radziwill’s picture

Nicole Radziwill

Nicole Radziwill is a quality manager and data scientist with more than 20 years leadership experience in software, telecommunications, research infrastructure, and higher education. Prior to joining Intelex, she was an associate professor of data science and production systems at James Madison University, Assistant Director for End to End Operations at the National Radio Astronomy Observatory (NRAO), managed software product development for the Green Bank Observatory (GBO), and managed client engagements for Nortel Networks and Clarify (CRM). She is an ASQ-certified manager of operational excellence (CMQ/OE), an ASQ-certified Six Sigma Black Belt (CSSBB), and contributed to the development of ISO 26000—“Guidance on Social Responsibility.”