Featured Video
This Week in Quality Digest Live
Risk Management Features
Jeff Dewar
But catastrophic events aren’t the only things that need some risk analysis
Ian Setliff
A potentially game-changing shift in vaccinology
Scott Shackelford
The case for a cybersecurity safety board
John Toon
Replicability of scientific studies is a major source of concern in the research community
Knowledge at Wharton
The double-edged potential of social media

More Features

Risk Management News
Standard recognizes that everyone is critical to a successful quality management process.
Pharma quality teams will have performance-oriented objectives as well as regulatory compliance goals
Strategic investment positions EtQ to accelerate innovation efforts and growth strategy
If you want to understand a system, try and change it
Mathis will provide business development for HACCP certification in the Americas
Explains basic steps businesses can take to better protect their information systems

More News

Timothy Lozier

Risk Management

What Is Risk-Based Thinking?

Risk management in ISO 9001:2015

Published: Wednesday, March 2, 2016 - 16:28

There’s been a shift in how companies view quality and compliance, and as a result, businesses are looking for a more comprehensive method for measuring operational efficiency. Risk management processes are proving to be an effective option for this. ISO 9001:2015 now promotes risk-based thinking in quality management systems, but many organizations aren’t sure what that means or how to go about it. This article explains risk-based thinking, describes the tools for identifying and managing risks, and looks at how ISO 9001:2015 incorporates risk concepts into its requirements.

The need for risk assessment

Risk management is a tool that helps companies evaluate risks in processes and content. It evaluates event data in order to measure levels of risk in an operational context. Risk assessment is repeatable and objective; it allows you to replace an otherwise subjective “gut sense” with a more guided decision-making approach. Furthermore, it’s easy to understand for people who aren’t directly involved in the process.

Risk assessment helps drive change. It enables you to build alerts for critical events and develop guidelines and solutions for risk levels that are unacceptable. These solutions are systematic and repeatable, and you can implement them for high risks in a more automatic and consistent manner.

However, it’s important to note that risk assessment is a tool, not the solution. Context is important in risk assessment, and for that, you need people. For example, someone on the shop floor might consider something a critical risk, whereas from the top floor, that risk might not look as bad in the larger context of operations. So it’s a good idea to have a team in place to vet your risk assessment process to ensure you’re achieving the right results. As your operations change or as more data accumulate, you may find that established risk levels need to be adjusted.

Risk management in ISO 9001:2015

The updates to the 2015 standard aren’t all about the requirements. Although they establish the framework to help you map your business, the standard outlines a different approach in how you should satisfy requirements. ISO 9001:2015 includes a component of risk-based thinking, and it involves the people and leaders within your organization. The standard doesn’t include a specific requirement for a quality management representative, or even a quality manual. Instead, ISO 9001:2015 focuses on a companywide commitment to quality that is champioined and brought about by leaders. How can that be done using a centralized system, and where does risk fit in?

There are two sections where risk appears in the standard: leadership directives and planning.

Leadership directives. ISO 9001:2015 is designed to create a companywide approach to quality, and leaders need to be directly involved. Although some leaders might not “speak quality,” they definitely can speak risk. That’s why the standard encourages the concept of “risk-based thinking.” This refers to a coordinated set of activities and methods that organizations use to manage and control the many risks that affect their ability to achieve objectives. Risk-based thinking replaces what earlier version of the standard called preventive action.

Planning. This section is where preventive action used to be and is now replaced with managing risks and opportunities. It’s important to note that ISO 9001:2015’s take on risk is simple. This isn’t a directive to go out and build an enterprise risk management program, or change all of your processes to comply with the requirements. The standard directs companies to “promote” risk-based-thinking, which is fairly broad and open to interpretation. Every company should evaluate its own processes in light of the risks specific to their business or industry.

We can break the planning section down to these salient facts: Risk management is an objective process that can be repeated and standardized. Your first goal is to identify the risks in your operations, then determine how you’re going to measure those risks. After that, you need to figure out treatment options for those risks, and eventually implement actions and controls to address each risk.

Creating a risk taxonomy

How do you start identifying risks? You’ll need to examine your operations, seek out potential hazards within those operations, and categorize them. Asking questions is a good way to start. Survey and audit your operations as you normally would, but note the potential hazards from all areas. What are the problems that could occur, and how likely is it they will occur? Your results will probably include a lot of hazards and a host of probabilities. At this point you need to analyze the hazards and then categorize them. This is called a “taxonomy of risk”—i.e., hazard types grouped in broader categories that will enable you to make better sense of everything. You then create scales of severity for hazards and their frequency (likelihood to occur). Once you’ve done this, you can start evaluating the risks.

Taking subjectivity out of risk management

You now have a list of hazards, categorized and organized, and you’ve built some probabilities around them. How do you calculate the risk in these hazards? Keep in mind that an accurate risk assessment doesn’t always follow a risk evaluation. Too often, people use risk evaluation tools that calculate risk and just leave it to the tool to determine the risk level. Risk tools can help guide your calculations and decisions, but the ultimate decisions on how to handle risk should come from people. It’s helpful to have a risk team review risk calculations to confirm that they reflect real-world data. Ideally, risk should be addressed with a combination of people, processes, and tools.

Risk management as a tool for quality and compliance

You’ve created a list of hazards and their probabilities, and come up with a slick risk-assessment strategy that combines quantitative analysis with real-world data. Now what? Just because you’ve calculated something as a high risk doesn’t mean you’ve solved the problem. The next step is to assign treatment options to that risk. You must determine what you’re going to do if there is a risk, and you do this in several ways. Again, this is where a cross-functional team comes in handy: You can review the different risk outcomes and then determine, based perhaps on past data or processes, how you’re going to handle different risk levels.

Treatment options typically fall into these broad categories:
• You can accept the risk (i.e., the outcome is worth the risk)
• You can seek ways to reduce the risk
• You can find ways to ensure yourself against the risk
• You can transfer risk (perhaps you source out high-risk processes to a partner or supplier with a better risk management process)
• If the risk is simply too high, you can avoid it (i.e., stop the process altogether)

Each company has a different way of treating risk, and it’s up to your risk team to determine the best way to interpret risk levels. Once you do, you need to take action on the risks. This is where you’ll want to make use of your quality management processes such as corrective and preventive actions (CAPA) to address the risks. You’ll also want to have some means of reporting in place to analyze risks over time.

Documenting the risk process

The generally accepted practice is to document what you’re doing and then document when you actually do it. So the whole risk management process should be controlled and supported with work instructions and assigned roles—this should be standard, especially when you introduce new elements to the existing process.

Each step should be documented, traceable, and tied to your overall quality program. The hazards that you identify, how you categorize them, and your risk assessment for them should be recorded in the results of the audits, surveys, and analysis. You should also document how you go about the risk assessment process. Record each risk assessment that you perform and the tools that you use. Whether you’re doing this manually, digitally, or through a technology solution, the traceability of the process, as well as the practice of that process, is key. If you’ve issued a corrective action, you’ll want to document how it was discovered and the process you used to address it. Any one of these steps can be considered “risk-based thinking,” and they also apply to your quality management system.

Closing thoughts

There’s a lot going on these days. This complexity calls for a new way of looking at compliance, and risk management is a universal concept that can fill the role. The risk-based thinking outlined in ISO 9001:2015 is a great way to look at risk management at a high level. It’s really a matter of taking these concepts and applying them to your unique business. There are tools that can help, but remember that the risk management process must start with your people and teams who know the business, know the hazards, and can help determine how to identify and address risk in your organization.

Join Timothy Lozier, director of product strategy for VERSE Solutions, and Dirk Dusharme, editor in chief at Quality Digest, for the webinar, “Risk-Based Thinking in Quality Management Systems: How to Incorporate Risk into Your Processes,” on March 8, 2016, at 2 p.m. Eastern/11 a.m. Pacific.


About The Author

Timothy Lozier’s picture

Timothy Lozier

Timothy Lozier is the director of product strategy for Verse Solutions, a quality and compliance management software provider that incorporates key quality processes, such as document control, corrective action, audits, and training in a dedicated cloud environment. Lozier has been involved in the quality and compliance industry for more than a decade and has an extensive background in quality and compliance management systems. At Verse Solutions he is responsible for driving the innovation and strategy of leading cloud-based compliance and quality management software solutions.



Isn't this just FMEAs being applied to your operations?


What Is Risk-Based Thinking

Agreed, very much S,D, Process FMEA is most useful to have RBT manifested within and ISO 9001:2015 QMS

ISO 9001:2015 rightly as written in the QD article, identified RBT within Leadership and Planning but TC-176 and within the current ISO "The Integrated Use of Management Systems Standards" handbook now under review states, ISO 9001:2015 is all about RBT.

TC-176 deliberately removed Preventive Action (not Preventative) and embedded it within the Context requirement and others. It was also driven by companies placing 'CA and PA' together and calling it "CAPA". They are not the same beast or methodology. PA moves us up into FMEA, FTA, PCDP and such techniques can be useful across most ISO 9001:2015 key clauses.

The ISO 9001:2015 "process-approach" affords companies the opportunity if I may, to truly identify their Risks within such business processes - not in the clauses of a current ISO 9001:2008 documented QMS.

The biggest risk to RBT with the 5th edition of ISO 9001 is that companies see the promulgated "transition period' as a easy period for updating their QMS. Far from it. However, the subtle guidance/advice from some training, consultancies and software suppliers, that companies simply update their clauses based system to the new clauses - is wrong.

There are a few software and consultancies now providing 'free' templates for a revised ISO 9001:2015 "compliant" Quality Manual, sad but true, by the clauses. A huge risk given the requirement to have a Process-based and Documented QMS by September 2018. Folk could use their Auto Industry Action Group FMEA text especially in Process FMEAs. The required Flow Process Charts as AIAG states for the direct input to a PFMEA, to develop a “S.O.D.” and “RPN” , can be useful to identify their risks in not adopting RBT within a process but a clause written QMS or Integrated Management System.

Unfortunately, some see the Annex SL and High Level Structure as a means to now document and IMS – it was only to show how all ISO Management System clauses / requirements will be standardized and then embed within a business context and single or integrated system documentation.

In meeting IRCA in London, we agree that RBT is inherent within all of ISO 9001:2015 and people should read the Forward, Introduction and General of the revised Standard BEFORE going to Clauses and Requirements from 4 to 10.

This is enlightening for many quality professionals and risk managers - ISO states that the QMS must not be documented by the Clauses of the Standard. That is RBT.

Of course I forgot to add, ISO 31010 Risk Management techniques is most helpful.  "http://www.itgovernance.co.uk/shop/p-748-iso31010-iso-31010-risk-assessment-techniques.aspx"

Really nice description of

Really nice description of purpose of risk management. I must say that it is very difficult to find really good source describing risk management field.

Most of beginners (as me) are starting from wikipedia slowly switching to such authoritative resources as <a href="http://coso.org/">Coso</a> and other useful websites. But even after studying a lot of materials everybody need to use knowledge on practice.