
Tuesday, August 29, 2023

Risk-based thinking – An integral part of ISO 9001:2015 QMS

 


 

One of the key concepts in ISO 9001:2015 QMS standard is to establish a systematic approach to consider and address risks and opportunities as an integral part of the quality management system, rather than to treat ‘prevention’ as a separate need.

 

Risk is inherent in all aspects of the quality management system. All processes, functions and systems have some risks. Risk-based thinking helps to identify, consider and control all risks.

 

The earlier version, the ISO 9001:2008 QMS standard, had a separate clause stipulating requirements on preventive action. The current version, the ISO 9001:2015 QMS standard, instead uses risk-based thinking, where consideration of risk is integral. Addressing risk is now proactive rather than reactive, as it appeared in the earlier version of the standard.

 

Risk-based thinking is something we do automatically and regularly every day. When we cross a road, we look both ways and assess the risks (traffic, accident) and the opportunity to cross the road.

 

Risk-based thinking has always been in ISO 9001; however, this standard builds it into the whole management system from the beginning and throughout the system. Now preventive action, present in risk-based thinking, is inherent to planning, operation, analysis and evaluation activities. Process approach also includes risk-based thinking. Risk-based thinking is evident and mentioned in the following Para and clauses of ISO 9001:2015 QMS standard:

 

·       Introduction: Introduction of the standard in brief explains the concept. Para 0.1 and Para 0.3.3 describe risk-based thinking. It emphasizes that risk-based thinking empowers and authorizes: (1) the organization to define those factors that could matter or influence the organization’s processes and the quality management system. The influence could be deviation from intended results, (2) to take control decisions and actions to minimize the negative effects of the defined factors, and (3) to take suitable benefits of the opportunities encountered.

 

·       Clause 4: This clause of the standard stipulates that the organization needs to address risks and opportunities in accordance with the requirements.

 

·       Clause 5: As per requirements of this clause, the top management of the organization needs to (i) promote use of risk-based thinking (5.1.1), and (ii) ensure determining and addressing the determined risks and opportunities that can affect the quality of products and services (5.1.2).

 

·       Clause 6: As per requirements, the organization needs to: (i) determine risks and opportunities, (ii) plan actions to address determined risks and opportunities, (iii) ensure actions taken are proportionate to the potential impact on the quality of the products and services (6.1).

 

·       Clause 7: As per requirements, the organization needs to determine and provide necessary resources for the quality management system (7.1). Risk is inherent in all aspects of the quality management system.

 

·       Clause 8: As per requirements, the organization needs to manage operational processes (8.1). Risk is inherent in all aspects of the quality management system including in its processes.

 

·       Clause 9: As per requirements, the organization needs to analyze and evaluate data and information with regard to the effectiveness of actions taken to address determined risks and opportunities (9.1.3). Management review includes consideration of the effectiveness of the actions taken to address risks and opportunities (9.3.2).

 

·       Clause 10: As per requirements, the organization needs to correct, prevent or reduce undesired effects (10.1) and update risks and opportunities determined during planning, if necessary (10.2).

 

Benefits of using risk-based thinking

 

Let’s understand the benefits of risk-based thinking. As individuals, if our thinking were not risk-based, we would have to deal with security and safety issues every day. Similarly, an organization without risk-based thinking would suffer: its processes would not operate correctly, and the products and services it produces would not be of quality. There are many benefits to an organization of having risk-based thinking.

 

Risk-based thinking:

 

·       Promotes proactive culture in the organization that improves organization’s governance

 

·       Assists the organization to comply with legal requirements

 

·       Assures consistency of the product and service quality

 

·       Improves customer confidence and satisfaction

 

 

An organization that embraces risk-based thinking often experiences significant benefits, such as:

·       Enhanced quality: Proactively addressing risks leads to improvement in the quality of the organization’s products and services and to reduced defects.

·       Reduced customer complaints: Enhanced quality of products and services leads to a reduced number of customer complaints and enhanced customer satisfaction.

·       Increased operational efficiency: Identifying and mitigating risks helps streamline processes, leading to reduced downtime and increased operational efficiency.

·       Proactive regulatory compliance: Risk-based thinking assists the organization to comply with regulatory requirements, so that no penalties are imposed on the organization.

 

Relevance of internal and external issues to identifying risks

 

Internal and external issues are factors that affect an organization’s ability to achieve its intended outcomes or desired results. These issues play a crucial role in identifying risks and opportunities as they provide context for understanding potential influences on the organization’s processes. As an example of an internal issue, high employee turnover rate in the organization could lead to knowledge gaps, reduced productivity, and potential quality issues. As an external issue, economic recession could result in decreased customer demand, financial constraints, and supply chain disruptions.

 

Risk criteria for evaluation

 

Risk criteria are parameters used to assess the significance of a risk. These criteria help prioritize risks based on their potential impact on the organization’s objectives.

 

Examples of risk criteria

 

·       Likelihood: Probability of the risk to occur, rare, unlikely or possible

 

·       Impact: Consequences of the risk, if it occurs, minor, moderate, major or catastrophic

 

·       Detectability: Is the risk easily detectable, moderately detectable or difficult to detect?

 

·       Strategic importance: Risk alignment with the organization’s strategic goals, critical, important or minor.

 

·       Needs of resources: Needs of resources to manage the risk, low, moderate or high.

 

Using risk-based thinking

 

The first question that comes to mind is how to use risk-based thinking in the quality management system. Simply put, we need to identify, understand and then address risks. Risk analysis is an important step in identifying potential problems.

There are several tools and techniques for risk identification and analysis of identified risks. Below is a list of such tools and techniques that are easy to use and don’t require complex understanding:

 

1.     SWOT Analysis: SWOT = Strengths, Weaknesses, Opportunities, Threats. The SWOT analysis helps identify an organization’s internal strengths and weaknesses, as well as external opportunities and threats. This tool is typically used for strategic planning; however, it can be used to highlight potential risks and opportunities.

 

2.     Brainstorming: The brainstorming is an effective group technique. A note on this technique is provided in this write-up separately.

 

3.     Checklist: A checklist involves using predefined lists of potential risks and evaluating their relevance to the organization. This technique is useful for making sure common risks are not overlooked. A note on this technique is provided in this write-up separately.

 

4.     Cause and effect diagram (Fishbone or Ishikawa diagram): This technique helps identify potential causes for a specific effect or problem. It can be used to uncover risks that might contribute to undesirable outcomes.

 

5.     Failure Modes and Effect Analysis (FMEA): One commonly used method of risk identification and risk analysis is known as ‘Failure Modes and Effect Analysis’ (FMEA), which is done during the design of a product or process. The purpose of FMEA is to identify all potential problems that could arise in the product or process, identify the criticality of each risk and decide what to do about it. A note on this technique is provided in this write-up separately.

 

6.     Process mapping: The process mapping visually represents the flow of a process that can be used to identify areas where risks could occur or opportunities for improvement could happen.

 

7.     Risk mapping: The risk mapping involves plotting identified risks on a matrix based on their likelihood and impact to help prioritise identified risks for further analysis and action.

 

8.     Pareto analysis (the 80/20 rule): The pareto analysis involves focusing on the most significant risks that contribute to the majority of potential negative impacts. This tool is used to identify the vital few problems or causes of problems that have the greatest impact on the process.

 

9.     Scenario analysis: The scenario analysis involves exploring different scenarios that could impact the organization and assessing their potential consequences. This helps prepare a range of possible outcomes.

 

10.  Expert interview: Experts are a source of valuable information, and conducting interviews with subject matter experts can provide valuable insights into potential risks and opportunities based on their experience and knowledge.

 

11.  Benchmarking: This involves comparing the organization’s practices and processes to those of others in the industry to which the organization belongs to identify potential gaps and areas for improvement.

 

The above list is indicative. There may be more tools and techniques for risk identification and analysis of risks. The organization should adapt the tool and technique that suits the organization’s specific needs and context. It is always useful to use a structured and systematic approach to risk identification and its analysis.

 

Brainstorming

 

Brainstorming is an effective group technique, which can be used to generate a large number of ideas quickly. It can be an important part of the process of identifying risks and opportunities when applying risk-based thinking in a management system (such as ISO 9001:2015 QMS). The generated ideas can provide solutions to a specified problem in a variety of situations. In the process of brainstorming, members of the group are encouraged to put forward their ideas concerning the problem. All ideas generated in the group are recorded for subsequent analysis. Brainstorming may be formal or informal. Formal brainstorming is more structured.

 

Brainstorming process may be described as under:

 

·       Identify a problem, for example determination of risks and opportunities in a particular process and proposed solutions.

 

·       Call a brainstorming meeting of a group. Brainstorm as a group.

 

·       Ask each member of the group to put forward their ideas.

 

·       Record all ideas.

 

·       Identify areas of improvements.

 

·       Design solutions to the identified problem.

 

·       Develop an action plan to execute designed solutions.

 

If you wish to generate a good number of ideas, then as convener of the brainstorming session, you should encourage all participants of the group to put forward their ideas. You should not criticize or make any adverse comments during the session. You should record all ideas. Openness on the part of the convener helps bring out hidden ideas during the brainstorming session. A lot of good information and a number of ideas can be discovered if the brainstorming team is diverse and has experience in the identified problem area.


Brainstorming is generally used in conjunction with the cause-and-effect diagram tool. The cause-and-effect diagram identifies many possible causes for an effect or a problem. It can be used to structure a brainstorming session.

 

Checklist

A checklist is a list of things that can be checked off as completed or noted. When we have certain steps to do for a work or process, we make a list of all of them and check them off as we accomplish each of them. A checklist is a type of informational job aid used to reduce failure by compensating for potential limits of human memory and attention. It helps to ensure consistency and completeness in carrying out a task. Check-lists are a simple form of risk identification technique that provides a listing of typical uncertainties which need to be considered. Check-lists are usually developed from experience, either from previous risk assessment results or from past failure results. A check-list can be used to determine hazards and risks. It can be used to assess the effectiveness of the controls applied. Check-lists can be used at all stages of the life cycle of a product/service or system. They may be used independently or as a part of other risk assessment techniques. Well-designed check-lists may be used by non-experts and help ensure that common problems are taken care of.



Typical daily checklist for boiler maintenance may be as under:

 

·       Inspect around and under the boiler equipment for leaking water

 

·       Ensure that the area around the boiler equipment is free of materials that may cause obstruction

 

·       Check and ensure temperature readings are within the designed range

 

·       Check and ensure pressure readings are within the designed range

 

·       Watch closely all display panels and ensure no error codes or service codes

 

·       On watching any error codes, ensure to send for service

 

·       Ensure vent termination is not blocked or obstructed

 

·       Inspect and ensure the combustion air opening with no blockage

 

·       Always listen closely for any unusual noises or vibrations

 

To prepare a checklist for a particular process, make a small team of identified people who should be asked to prepare check points of the known issues that can affect conformity of the product/service (risks) and have the ability to enhance customer satisfaction (opportunities).


To write a checklist, the initial step is to carry out a thorough investigation of the task to accomplish. A good checklist starts with a thorough investigation into the what and why of whatever it is you are trying to accomplish. Before you start making your checklist, you must understand the objectives of what you want to accomplish. Do some research. Find out what others are doing. Write down all points. Get everything you want to accomplish documented. Brainstorm on your own each point of the process and note them down. You must know the value of each task. Write in simple language, and include a fully detailed description by organizing all your points.

 

Failure Modes and Effect Analysis (FMEA)

One commonly used method of risk identification and risk analysis is known as “Failure Modes and Effect Analysis” (FMEA), which is done during the design of a product or process. The purpose of FMEA is to identify all potential problems that could arise in the product or process, identify the criticality of each risk and decide what to do about it.

The FMEA process has the following four steps:

(1)   Identify your risks: This can be done in a brainstorming session with people from different areas of the organization by listing all potential problems that could arise.

(2)   Determine how critical each risk is: You should assess each risk against probability of occurrence, severity of occurrence and chance of detection of occurrence.

(3)   Rank the risk: You should decide the rank of each risk, whether the risk is acceptable or unacceptable.

(4)   Determine actions: After understanding the risk, determine your actions, what should be done. Plan actions to address identified risks.

The FMEA process is simple and easy to use. It gives results whose acceptability is easy to determine, and thus provides a framework for assigning resources to risk reduction that is easily supported. You should clearly understand that FMEA is one way of carrying out risk analysis, and it is in no way mandated by the ISO 9001:2015 QMS standard that you must use it. Any method you find useful, relevant and efficient can be used.

After the FMEA process, you need to address each risk through the following steps:

 

(1)   Implement the plan: Take action

 

(2)   Check the effectiveness of the action: Whether risk is mitigated, what is the result of action taken.

 

(3)   Improve your action: Improve your action on the basis of check results.

 

Effective Communication of Risks and Opportunities

 

The organization should implement effective internal communication about risks and opportunities within the organization. Clear and effective communication helps ensure that all relevant stakeholders, particularly the employees, are aware of the potential risks and opportunities and can take appropriate action.

 

Suggested reading:

 

(1)   Guidance document on ‘Risk-based thinking in ISO 9001:2015’ published by International Organization for Standardization.

 

(2)    ISO 31000:2018, Risk management - Guidelines

 

Best wishes,

Keshav Ram Singhal 

(This write-up is a part of a forthcoming book on ISO 9001 being written by Keshav Ram Singhal)
