Benefits of applying risk-based thinking

Benefits of applying risk-based thinking

Risk-based thinking is a mindset to proactively improve the certainty of achieving results / outcomes utilizing processes and methods that consider threats and opportunities. There are various benefits of applying risk-based thinking.

Risk-based thinking:
- promotes proactive culture in the organization that improves organization's governance,
- assists organization to comply legal requirements,
- assures consistency of product/service quality,
- improves customer confidence and satisfaction, and
- can help organization prevent losses, capture opportunities and improve communication throughout the organization.

Lessons are learned by applying risk-based thinking and risks can be transformed into opportunities.

- Keshav Ram Singhal

Organizations may contact for conducting in-house training programmes on (i) 'ISO 9001:2015 QMS Awareness', and (ii) 'Applying risk-based thinking.'
Moderate trainer's fee.
Customer satisfaction is prime objective.

Risk-based thinking in ISO 9001:2015 QMS standard

Risk-based thinking in ISO 9001:2015 QMS standard

ISO 9001:2015 QMS standard incorporates risk-based thinking in its requirements. ISO 9001:2015 QMS standard does not mandate formal risk management. An organization can decide whether or not to develop a more extensive risk management methodology, however risk-based thinking is an integral part of ISO 9001:2015 QMS standard. One of the key changes in ISO 9001:2015 QMS standard is to establish a systematic approach to consider risks as integral part of the QMS, rather than to treat 'prevention' as a separate need.

The concept of risk-based thinking was also present in the earlier versions of ISO 9001 standards through requirements for planning, review and improvement. Earlier version, ISO 9001:2008 standard had a clause on preventive action that indirectly included risk-based thinking.

ISO 9001:2015 QMS standard specifies requirements to understand organization's context (clause 4.1) and determine risks as a basis for planning (actions to address risks and opportunities - clause 6.1). Requirements of clause 4.1 together with clause 6.1 depict the application of risk-based thinking to planning and implementing QMS processes. Consideration of risks is integral in ISO 9001:2015 QMS standard. It is now a proactive action, rather than to be reactive.

One of the objectives of a QMS is to function in a preventive environment and now the preventive action, though not present as a requirement, is reflected through risk-based thinking and is inherent to planning, operation, analysis and evaluation activities. Risk-based thinking is the part of the process approach. Risk-based thinking is evident in the following Para and clauses of ISO 9001:2015 QMS standard.

- Introduction - The Para explains the concept.
- Clause 4 - Organization needs to address risks and opportunities in accordance with requirements.
- Clause 5 - Top management needs to (i) promote risk-based thinking, and (ii) ensure determining and addressing the risks and opportunities that can affect conformity of product/service.
- Clause 6 - Organization needs to (i) determine risks and opportunities, (ii) plan actions to address risks and opportunities, and (iii) ensure actions taken (to address risks and opportunities) are in proportionate to the potential impact on product/service conformity.
- Clause 7 - Organization needs to determine and provide necessary resources for the quality management system. Risk is inherent in all aspects of the quality management system, so determining and providing resources is also necessary for determining risks and opportunities and taking actions to address risks and opportunities.
- Clause 8 - Organization needs to manage operational processes. Risk is inherent in all aspects of the quality management system. All operational processes have some risks.
- Clause 9 - Organization needs to analyze and evaluate data and information with regard to the risks and opportunities. Management review includes consideration of the effectiveness of the actions taken to address risks and opportunities.
- Clause 10 - Organization needs to correct / prevent / reduce undesired effects and update risks and opportunities determined during planning.

The risk-based thinking applied in ISO 9001:2015 QMS standard has enabled organization to plan and manage risk on the basis of performance. Clause 6.1 of the standard specifies requirements to plan and address risks and opportunities, however no formal methods or processes are mentioned in the standard. Formal risk management is not mandated in ISO 9001:2015 QMS standard, however an organization can decide its risk management methodology with the help of other guidance or standards. In the bibliography list at the end of ISO 9001:2015 QMS standard, ISO 31000 standard is mentioned that provides principles and guidelines for risk management. ISO 31000:2009 risk management (RM) standard can be helpful in taking a risk-based approach depending on the context of an organization, but necessarily implementing this standard's guidelines is not a requirement of ISO 9001:2015 QMS standard.

- Keshav Ram Singhal

Organizations may contact for conducting in-house training programmes on (i) 'ISO 9001:2015 QMS Awareness', and (ii) 'Applying risk-based thinking.'
Moderate trainer's fee.
Customer satisfaction is prime objective.

Why we need risk-based thinking?

Why we need risk-based thinking?

Why we need risk-based thinking? A general question needs answer. Risk is an inherent part of daily life. Risk also depends on the fragilities and capacities in a system, which are often not manifested until there is a triggering event. Risk may lead to disaster. Risk may be a path to disaster if protective capabilities of the system cannot deal with the negative consequences of the event.

Risk is a dynamic concept as it changes over time as the vulnerabilities or weaknesses in the system or society changing in time. Risk is not static, constant but rather a dynamic term that is constantly adjusting to changing vulnerabilities, weaknesses and hazards.

Risk is a fundamental reflection of the normal life. Why we want to minimize risk? Because we wish to minimize the chance of major disruption in our life (personal as well as professional) and also we want to keep the background stress in our life (personal as well as professional) as low as possible. We calculate and deal with risk in everyday life - we wear safety belts to reduce the likelihood of injury, get vaccination to reduce the risk of illness, take medical insurance to meet the cost for the treatment of future illness. Life or any system without risk is generally neither possible nor conceivable. Our response to natural and environmental hazards is often influenced by our perception of risk. Sometimes we choose to take a risk, knowing the associated risk. For example, people choose to smoke or drink, knowing the risks associated to their health. Risk perception is influenced by past experience and knowledge. Understanding a risk allows us to make informed decision by weighing the risk of certain activity or process with the benefits or outcomes derived from that activity or process. Without factual information, or with misinformation, we are faced with making an uninformed decision.

Risk-based thinking thus helps us to understand risks through a systematic valuation of determining risks associated in each process or system.

- Keshav Ram Singhal

Nature and impact of risk

Nature and impact of risk

Risks are basically threats that could stem from a variety of sources, including financial uncertainty, legal liabilities, strategic management errors, accidents and natural disasters. Risks can impact an organization in the short, medium and long term. Risks may relate to organization's processes, tactics and strategy. Strategy sets out the long-term objectives of an organization, and the strategic planning for an organization will typically be 3 or more years. Tactics define how an organization intends to achieve change. Tactical risks are typically associated with projects, acquisitions, mergers and development of products and services. Organization's processes are the routine QMS activities that are under the impact of risk. Risk impact is an estimate of the potential losses associated with an identified risk. It is a standard risk analysis practice to develop an estimate of probability and impact. Risk management is the process of identifying, assessing and controlling threats to an organization. Although ISO 9001:2015 QMS standard does not mandate a formal risk management, however the standard incorporates risk-based thinking in its requirements.

- Keshav Ram Singhal

Defining risk

Defining risk

Risk is generally defined as: (Exposure to) the possibility of loss, injury, or other adverse or unwelcome circumstance; a chance or situation involving such a possibility. Risk is an uncertain event or condition that, if it occurs, has an effect on at least one objective. Risk is also defined in various standards. According to the definition set out in ISO Guide, risk is the 'effect of uncertainty on objectives'. According to the definition set out in ISO 9000:2015 QMS standard, risk is 'effect of uncertainty'. In order to assist with the application of this definition, ISO 9000:2015 standard also add a few notes that mean:
- An effect is a deviation from the expected. It may be positive or negative.
- Uncertainty is the state, even partial, of deficiency of information (= meaningful data) related to, understanding or knowledge of, an event, its consequence, or likelihood.
- Risk is often described by reference to potential (= something to develop in future) events (= happenings) and consequences (= results or effects, typically that may be unwelcome or unpleasant), or a combination of these.
- Risk is often described in terms of a combination of the consequences (= results or effects, typically that may be unwelcome or unpleasant) of an event (= happening), including changes in circumstances, and the associated likelihood of occurrence (= an incident or event).
- The word 'risk' is sometimes used when there is the possibility of only negative consequences.

- Keshav Ram Singhal