What Is Risk-Based Thinking?

Risk management in ISO 9001:2015

Published: Wednesday, March 2, 2016 - 15:28

There’s been a shift in how companies view quality and compliance, and as a result, businesses are looking for a more comprehensive method for measuring operational efficiency. Risk management processes are proving to be an effective option for this. ISO 9001:2015 now promotes risk-based thinking in quality management systems, but many organizations aren’t sure what that means or how to go about it. This article explains risk-based thinking, describes the tools for identifying and managing risks, and looks at how ISO 9001:2015 incorporates risk concepts into its requirements.

The need for risk assessment

Risk management is a tool that helps companies evaluate risks in processes and content. It evaluates event data in order to measure levels of risk in an operational context. Risk assessment is repeatable and objective; it allows you to replace an otherwise subjective “gut sense” with a more guided decision-making approach. Furthermore, it’s easy to understand for people who aren’t directly involved in the process.

Risk assessment helps drive change. It enables you to build alerts for critical events and develop guidelines and solutions for risk levels that are unacceptable. These solutions are systematic and repeatable, and you can implement them for high risks in a more automatic and consistent manner.

However, it’s important to note that risk assessment is a tool, not the solution. Context is important in risk assessment, and for that, you need people. For example, someone on the shop floor might consider something a critical risk, whereas from the top floor, that risk might not look as bad in the larger context of operations. So it’s a good idea to have a team in place to vet your risk assessment process to ensure you’re achieving the right results. As your operations change or as more data accumulate, you may find that established risk levels need to be adjusted.

Risk management in ISO 9001:2015

The updates to the 2015 standard aren’t all about the requirements. Although they establish the framework to help you map your business, the standard outlines a different approach in how you should satisfy requirements. ISO 9001:2015 includes a component of risk-based thinking, and it involves the people and leaders within your organization. The standard doesn’t include a specific requirement for a quality management representative, or even a quality manual. Instead, ISO 9001:2015 focuses on a companywide commitment to quality that is champioined and brought about by leaders. How can that be done using a centralized system, and where does risk fit in?

There are two sections where risk appears in the standard: leadership directives and planning.

Leadership directives. ISO 9001:2015 is designed to create a companywide approach to quality, and leaders need to be directly involved. Although some leaders might not “speak quality,” they definitely can speak risk. That’s why the standard encourages the concept of “risk-based thinking.” This refers to a coordinated set of activities and methods that organizations use to manage and control the many risks that affect their ability to achieve objectives. Risk-based thinking replaces what earlier version of the standard called preventive action.

Planning. This section is where preventive action used to be and is now replaced with managing risks and opportunities. It’s important to note that ISO 9001:2015’s take on risk is simple. This isn’t a directive to go out and build an enterprise risk management program, or change all of your processes to comply with the requirements. The standard directs companies to “promote” risk-based-thinking, which is fairly broad and open to interpretation. Every company should evaluate its own processes in light of the risks specific to their business or industry.

We can break the planning section down to these salient facts: Risk management is an objective process that can be repeated and standardized. Your first goal is to identify the risks in your operations, then determine how you’re going to measure those risks. After that, you need to figure out treatment options for those risks, and eventually implement actions and controls to address each risk.

Creating a risk taxonomy

How do you start identifying risks? You’ll need to examine your operations, seek out potential hazards within those operations, and categorize them. Asking questions is a good way to start. Survey and audit your operations as you normally would, but note the potential hazards from all areas. What are the problems that could occur, and how likely is it they will occur? Your results will probably include a lot of hazards and a host of probabilities. At this point you need to analyze the hazards and then categorize them. This is called a “taxonomy of risk”—i.e., hazard types grouped in broader categories that will enable you to make better sense of everything. You then create scales of severity for hazards and their frequency (likelihood to occur). Once you’ve done this, you can start evaluating the risks.

Taking subjectivity out of risk management

You now have a list of hazards, categorized and organized, and you’ve built some probabilities around them. How do you calculate the risk in these hazards? Keep in mind that an accurate risk assessment doesn’t always follow a risk evaluation. Too often, people use risk evaluation tools that calculate risk and just leave it to the tool to determine the risk level. Risk tools can help guide your calculations and decisions, but the ultimate decisions on how to handle risk should come from people. It’s helpful to have a risk team review risk calculations to confirm that they reflect real-world data. Ideally, risk should be addressed with a combination of people, processes, and tools.

Risk management as a tool for quality and compliance

You’ve created a list of hazards and their probabilities, and come up with a slick risk-assessment strategy that combines quantitative analysis with real-world data. Now what? Just because you’ve calculated something as a high risk doesn’t mean you’ve solved the problem. The next step is to assign treatment options to that risk. You must determine what you’re going to do if there is a risk, and you do this in several ways. Again, this is where a cross-functional team comes in handy: You can review the different risk outcomes and then determine, based perhaps on past data or processes, how you’re going to handle different risk levels.

Treatment options typically fall into these broad categories:
• You can accept the risk (i.e., the outcome is worth the risk)
• You can seek ways to reduce the risk
• You can find ways to ensure yourself against the risk
• You can transfer risk (perhaps you source out high-risk processes to a partner or supplier with a better risk management process)
• If the risk is simply too high, you can avoid it (i.e., stop the process altogether)

Each company has a different way of treating risk, and it’s up to your risk team to determine the best way to interpret risk levels. Once you do, you need to take action on the risks. This is where you’ll want to make use of your quality management processes such as corrective and preventive actions (CAPA) to address the risks. You’ll also want to have some means of reporting in place to analyze risks over time.

Documenting the risk process

The generally accepted practice is to document what you’re doing and then document when you actually do it. So the whole risk management process should be controlled and supported with work instructions and assigned roles—this should be standard, especially when you introduce new elements to the existing process.

Each step should be documented, traceable, and tied to your overall quality program. The hazards that you identify, how you categorize them, and your risk assessment for them should be recorded in the results of the audits, surveys, and analysis. You should also document how you go about the risk assessment process. Record each risk assessment that you perform and the tools that you use. Whether you’re doing this manually, digitally, or through a technology solution, the traceability of the process, as well as the practice of that process, is key. If you’ve issued a corrective action, you’ll want to document how it was discovered and the process you used to address it. Any one of these steps can be considered “risk-based thinking,” and they also apply to your quality management system.

Closing thoughts

There’s a lot going on these days. This complexity calls for a new way of looking at compliance, and risk management is a universal concept that can fill the role. The risk-based thinking outlined in ISO 9001:2015 is a great way to look at risk management at a high level. It’s really a matter of taking these concepts and applying them to your unique business. There are tools that can help, but remember that the risk management process must start with your people and teams who know the business, know the hazards, and can help determine how to identify and address risk in your organization.

Join Timothy Lozier, director of product strategy for VERSE Solutions, and Dirk Dusharme, editor in chief at Quality Digest, for the webinar, “Risk-Based Thinking in Quality Management Systems: How to Incorporate Risk into Your Processes,” on March 8, 2016, at 2 p.m. Eastern/11 a.m. Pacific.

About The Author

Timothy Lozier

Timothy Lozier is the director of product strategy for Verse Solutions, a quality and compliance management software provider that incorporates key quality processes, such as document control, corrective action, audits, and training in a dedicated cloud environment. Lozier has been involved in the quality and compliance industry for more than a decade and has an extensive background in quality and compliance management systems. At Verse Solutions he is responsible for driving the innovation and strategy of leading cloud-based compliance and quality management software solutions.