What Is Risk-Based Thinking?

One of the foundations of quality management

Risk-based thinking—it sounds easy. How hard can it be to think about risk? But did you know that the phrase “risk-based thinking” was only invented in 2015?

Did you know that the ISO says “risk-based thinking” is one of the foundations of quality management, but never defines it? Or that it sparked a big controversy in the quality community when it first came out?

Did you know that you can use risk-based thinking as a business strategy in the real world, even if you ignore ISO and all of its standards?

It’s all true. Let me explain.

The words “risk-based thinking” first appeared in the 2015 edition of the ISO 9001 standard, which right away declared it to be something fundamental. The standard’s introduction makes risk-based thinking a part of the process approach and says that it “is essential for achieving an effective quality management system.” Three paragraphs in the introduction, and five paragraphs in the annex are dedicated to explaining how risk-based thinking works and why it’s so important.

…

Want to continue?

By logging in you agree to receive communication from Quality Digest. Privacy Policy.

Create a FREE account

Forgot My Password

Comments

Preventative actions

I must disagree with the examples. Every example is based on allowing risk to exist in the process at inception. This is common where “timeliness” is mistaken to mean speedy.

Pushing a poor process through to “ship tomorrow” is not the correct way to go about it. In the example of the off-color widgets, the risk analysis should have happened before the first batch was ever run. “What could go wrong?” needs to be asked up front and those conditions need to be guarded against through error proofing. Adding inspection does not change quality, it only increases costs.

Preventative actions at this point result in lower scrap costs, lower labor costs, lower raw material costs and greater customer satisfaction. That is the real reason it was taken out. Waiting until the customer has experienced pain due to an error that should not have happened in the first place, is the wrong time to put in the due diligence.

There will be many who believe that this would cost too much; that the time it takes would somehow prevent maximum profits. Nothing could be further from the truth. Again, back to the example, equipment was purchased and installed without any thought to what COULD fail. If that was added then, the time expense is amortized over all the products that run across that equipment. Waiting to increase labor costs for every product made by adding additional inspection people to the process. Raw material costs increase due to necessitating forecast for loss into the material stream. Shipping costs increase through additional costs to replace unusable product. Overall operational efficiency has decreased due to the necessity to make the same product twice while only being paid once.

Quality is not inspection. It isn’t sorting out rejects. Quality is a set of inherent characteristics within a product making it fit for its intended use. It occurs at the point of process where those individual characteristics are produced.

Control those and quality truly is free.

Hi, I'm the author. Just a…

Hi, I'm the author. Just a quick note.

Of course you are absolutely right that in real life a risk analysis should have been done before the machine was installed. And yes, adding an inspection process could well be a lazy (and costly) way to fix the problem (depending on the other special circumstances of the case). I hope everyone understands that.

I just wanted an easy example to show the logic whereby the ISO TC 176 concluded that they could remove wording related to "preventive action" because the same work was already covered by "risk-based thinking." I never meant anyone to take that simple classroom-example as a guide to professional practice!

Maybe I should have made my wording clearer to emphasize that this was purely a thought-experiment, and I apologize for the unclarity. In any event, I'm glad to know that you and others are reading with a critical eye. It's what makes our profession work.

How do you audit someone's…

How do you audit someone's risk based thinking. You can't. Unless, you've passed Mind Reading 101. This is the fatal flaw in ISO RBT.

Challenge is ISO never defined RBT so it could be operationalized, audited, and assured. We define RBT as risk based problem solving and decision making. Each has evidence, audit trail, outcomes, assumptions so it can be audted and assured.

ISO and EOQ believe: Future of Quality: Risk(R)

True but how is it any…

True but how is it any better than preventive measures?

While risk based thinking is a bit lame. It is still better auditable than Preventive measures. So you have 2 preventive measures like “good coffee” and then you comply.

Under the older standard,…

Under the older standard, users were required to have (1) a procedure on preventive action processing, (2) records, (3) root cause analysis, (4) follow up verification. All of those were auditable. ISO only bungled it because they confused people as to the preventive aspects of CORRECTIVE action (you have to prevent an existing problem from recurring again) and "pure" PREVENTIVE action (you prevent a problem from occurring in the first place.) This could have been fixed with simple editing, but ISO jammed "risk" into the standard to make money, and they mucked up the entire thing. Now "risk-based thinking" doesn't require anything at all -- no procedure, no records, no verification, nothing. You can "think" about risk, and you've accomplished the requirement. That was a huge step backward.