DETERMINING AND ADDRSSING RISKS AND OPPORTUNITIES
- Keshav Ram Singhal
One of the key changes in ISO 9001:2015 QMS standard is to establish a systematic approach to consider risks as an integral part of the QMS, rather than to treat 'prevention' as a separate need.
Risk is inherent in all aspects of the QMS. Each action we take has some risk or opportunity. All processes, functions and systems have some risks. Risk-based thinking helps to identify, consider and control all risks.
Risk can be defined as a deviation from the expected. It can be positive or negative. When a student appears in an examination, he may pass or fail depending upon his preparation and studies of the subject. Likewise, in an organization, all processes, functions and systems have some risks.
Earlier version, ISO 9001:2008 QMS standard, has a separate clause on preventive action. But the new version, ISO 9001:2015 QMS standard, uses risk-based thinking, where consideration of risk is integral. It is now a proactive action, rather than to be reactive (as it appeared in the earlier version). With the introduction of risk-based thinking, we need to: (i) determine risks and opportunities in all processes and functions, and (ii) plan and take actions to address risks and opportunities.
Risk-based thinking is something every person does automatically and regularly every day, but sometimes there have been omission in taking the preventive action that may cause an unfortunate incident. When we cross a road, we look to the traffic risk on the road; or when we board a coach of a train, we look that we get into the coach safely. We strive to take proactive action so that unfortunate incident does not happen.
Risk-based thinking was in the earlier version of ISO 9001 as requirements of preventive action, however the new version, ISO 9001:2015 QM standard, builds it into the whole management system from the beginning and throughout the system. Now preventive action, present in risk-based thinking, is inherent to planning, operation, analysis and evaluation activities.
Process approach also includes risk-based thinking.
Risk-based thinking is evident/mentioned in the following Para and clauses of ISO 9001:2015 QMS standard:
- Introduction - This Para explains the concept.
- Clause 4 - Organization needs to address risks and opportunities in accordance with requirements.
- Clause 5 - Top management needs to (i) promote use of risk-based thinking, and (ii) ensure determining and addressing the risks and opportunities that can affect conformity of product/service.
Clause 6 - Organization needs to (i) determine risks and opportunities, (ii) plan actions to address risks and opportunities, (iii) ensure actions taken (to address risks and opportunities) must be in proportionate to the potential impact on product/service conformity.
Clause 7 - Organization needs to determine and provide necessary resources for QMS. Risk is inherent in all aspects of the QMS.
Clause 8 - Organization needs to manage operational processes. Risk is inherent in all aspects of QMS.
Clause 9 - Organization needs to analyze and evaluate data and information with regard to the risks and opportunities. Management review includes consideration of the effectiveness of the actions taken to address risks and opportunities.
Clause 10 - Organization needs to correct/prevent/reduce undesired effects and update risks and opportunities determined during planning.
Since the risk-based thinking is evident in various requirements of ISO 9001:2015 QMS standard, auditors will look to the objective evidence of risk-based thinking during audits, including internal, certification, and surveillance audits.
Benefits of using risk-based thinking
- promotes proactive culture in the organization that improves organization's governance,
- assists organization to comply legal requirements,
- assures consistency of product/service quality, and
- improves customer confidence and satisfaction.
Using risk-based thinking
First question comes in our mind, how to use risk-based thinking in the QMS. Simple, we need to identify, understand and then address risks. ISO 9001:2015 QMS standard does not provide any specific procedure or method to determine risks and opportunities. It is for the organization to apply any procedure or method to determine risks and opportunities. Risk analysis is the important step of identify potential problems. One commonly used method of risk identification and risk analysis is known as 'Failure Modes and Effect Analysis' (FMEA) that is done during the design of a product or process. The purpose of FMEA is to identify all potential problems that could arise in the product or process, identify how critical is the risk and decide what to do about it.
FMEA process includes four steps -
(i) Identify your risks - It can be done in a brainstorming from different areas of your organization. List all potential problems that could arise. Considering external and internal issues and interested parties (as determined as per clause 4.1 and 4.2 of the standard) will be helpful in identifying the risks.
(ii) Determine how critical each risk is - You should assess the risk against probability of occurrence, severity of occurrence and chance of detection of occurrence. Brainstorm each risk that you identify. What is the probability of risk occurring? What is its impact?
(iii) Rank the risk - You should decide the rank of the risk, whether the risk is acceptable or unacceptable. What is your priority with regard to the risk?
(iv) Determine actions - After understanding the risk, determine your actions, what should be done. What you plan? Plan actions to address the risks. Mention mitigation steps to eliminate or reduce the risks.
FMEA process is simple. It is easy to use. FMEA process gives results that are easy to determine acceptability, and thus provides a framework to assign resources to risk reduction that is easily supported. You should clearly understand that FMEA is a way of dealing risk analysis, and it is in no way mandated by ISO 9001:2015 QMS standard that you must use it. Any method you find useful, relevant and efficient can be used.
After FMEA process, you need to address the risk:
(i) Implement the plan - Take action
(ii) Check the effectiveness of the action
(iii) Improve your action on the basis of check results
Examples of some risk factors
(i) Lack of trained staff - Not aware of procedure, process, task adequately
(ii) Infrastructure - Availability of material in time
(iii) Project goals not clearly defined
(iv) Cultural risk - Employees take leave without prior information, Employer-employee relationship
(v) Changes in legislation
(vii) Competition - Entry of too many competitors in the market, market size shrinks
(viii) Poor production process, process not clearly defined
(ix) Inadequate equipment/tools
(x) Poor/unattractive packaging
(xi) Late delivery of incoming materials
(xii) Customer does not provide timely feedback
(xiii) Insufficient test resources
(xiv) Data security
(xv) Workplace safety
(xvi) Material handling
(xvii) Improper use of protective equipment (such as, eye-glass, safety shoes, gloves etc.)
(xviii) Injury to workers due to water/oil leakage
Above list is indicative.
Format for risk identification and determining actions
Design a format for risk identification and determining actions with following columns: (i) Serial number, (ii) Date, (iii)Details of risk identified, (iv) How critical is the risk, (v) Acceptable or unacceptable (vi) Action to address the risk (what should be done?). Ask each department head and process owner to fill the format as soon as a new risk is identified. A copy of this determined information should be sent by the department head and process owner to an authority (say, QMS Coordinator) in the organization, who should consolidate relevant information in a Risk Register and share the information within the organization for the benefit of others.
Maintaining or retaining a Risk Register is not a requirement of ISO 9001:2015 QMS standard. However, maintaining risk register and retaining appropriate data will be a good practice. Risk register may have following columns:
(ii) Details of risk
(iii) Risk type - Classification of risk
(iv) Likelihood of occurrence
(v) Severity of effect
(vi) Actions to be taken to prevent, reduce or transfer risk
(vii) Owner - Who is responsible to take action?
(viii) Status - Current or ended
The columns are indicative.
- Risk is inherent in all aspects of the QMS. Each action we take has some risk or opportunity. All processes, functions and systems have some risks. Risk-based thinking helps to identify, consider and control all risks.
- Risk-based thinking helps to improve processes, functions and systems.
- Risk-based thinking implementation helps building an effective quality management system.
- Effectiveness of the actions taken to address risks and opportunities are the inputs to management review.
- Risk-based thinking helps continual improvement that focuses on prevention.
- Auditors will look to the objective evidence of risk-based thinking during audits, including internal, certification, and surveillance audits.
Suggested reading - (i) Guidance document on 'Risk-based thinking in ISO 9001:2015'.published by International Organization for Standardization (ISO)
(ii) ISO 31000:2009, Risk management - Principles and guidelines
For details on the Training Handbook on 'ISO 9001:2015 QMS Awareness', please CLICK HERE.
For details on 'Checklist for ISO 9001:2015 QMS', please CLICK HERE.