Welcome!
Thanks for visiting this blog. Please share information about this blog among your friends interested in ISO 9001:2015 QMS Awareness.
- Keshav Ram Singhal
krsinghal@rediffmail.com
keshavsinghalajmer@gmail.com
Blog on 'Quality Concepts and ISO 9001: 2008 Awareness' at http://iso9001-2008awareness.blogspot.in

Academic comments are invited. Please join this site. Reproduction of articles from this blog is encouraged, provided prior information is provided. Please give credit to the blog and the writer, and also send a copy of the published material to the editor of the blog.

Various information, quotes, data, figures used in this blog are the result of collection from various sources, such as newspapers, books, magazines, websites, authors, speakers, information from google search, ChatGPT (a large language model trained by OpenAI), Gemini Google, Bing Copilot, Grok AI and other AI tools etc. Unfortunately, sources are not always noted. The editor of this blog thanks all such sources.


Monday, January 27, 2020

Applying Risk-based Thinking - Understanding the needs and expectations of interested parties




Clause 4.2 of the ISO 9001:2015 QMS standard deals with the requirements related to understanding the requirements of interested parties. According to the standard, the organization needs to carry out the following:

(i) Determine: Interested parties relevant to the organization
(ii) Determine: Requirements of the determined interested parties that are relevant to the organization
(iii) Monitor and review: Information about the determined interested parties and their determined requirements.

Clarification:
(i) Interested parties = Persons/organizations that can affect, be affected by, or perceive themselves to be affected by a decision or activity.
(ii) Examples of interested parties: Customers, owners, stockholders, employees, workers on contract, contractors, suppliers, bankers, unions, partners, society, competitors, opposite pressure groups, government, regulatory bodies, neighbours etc.
(iii) Why is there a requirement to understand the needs and expectations of interested parties? Because interested parties' needs and expectations can have an effect or potential effect on the organization's ability to consistently provide products/services that meet (fulfill) customer and applicable legal requirements.
(iv) Needs and expectations = Requirements

An understanding of the needs and expectations of interested parties is important because it can affect the organization's quality management system. The organization is therefore required to remain familiar with the requirements of interested parties and to maintain awareness of them through monitoring and review, so that it can respond to those requirements appropriately. Unwillingness or reluctance to recognize the needs and expectations of interested parties will hamper a robust quality management system.

Step-by-step process:
(i) Make a team of identified persons.
(ii) The team should be asked to determine interested parties and their requirements.
(iii) The team should make a list of all such requirements with necessary details.
(iv) Assign responsibility to monitor and review such requirements to different persons or groups in the organization, so that effective decisions can be taken for improvement.

- Keshav Ram Singhal

Organizations may contact the author about conducting in-house training programs on (i) 'ISO 9001:2015 QMS Awareness', and (ii) 'Applying risk-based thinking.'



Saturday, January 25, 2020

Applying Risk-based Thinking - External and internal issues of an organization



The ISO 9001:2015 QMS standard requires determining external and internal issues that are relevant to the organization's purpose and strategic direction and that affect the organization's ability to achieve the intended results of the QMS. In this connection, the note given at the end of the requirements of clause 4.1 is relevant. We should understand three basic points: (i) Issues may be positive and/or negative factors/conditions. (ii) External issues may arise from the external environment, which can include legal, technological, competitive, market, cultural, social and economic environments. (iii) Internal issues are issues that an organization's people face in the organization due to the internal environment. These are issues related to the values, culture, knowledge and performance of the organization.

Some external issues may relate to:

- Government regulations that affect the organization's performance,
- Changes in law that have an impact on the organization,
- Economic shifts in the organization's markets,
- Competition the organization is facing,
- Events (such as business fairs, customer meets, etc.) that may improve or affect the corporate image of the organization,
- Changes in technology (not yet adopted by the organization),
- What others (external interested parties) require from the organization; for example, a banker requires timely submission of statements related to hypothecated goods, a customer requires timely delivery of the product/service, etc.

Some internal issues may relate to:

- Accountability of the people working in the department/organization - whether defined or not, whether defined adequately or not,
- Coordination with different groups/people/departments in the organization,
- Performance,
- Monitoring of activities,
- Allocation of individual tasks/responsibilities/job specifications,
- Formal reporting relationships,
- Grouping of people/department/processes,
- Communication,
- Delegation of authorities,
- Availability of procedures for performing, measuring, monitoring and evaluating activities,
- Product/service offerings,
- Organizational structure (needs changes),
- Policies,
- Assets (such as facilities, property, equipment, technology etc.),
- Capabilities of people,
- Information system within the organization,
- Relationship of people within the organization,
- Organization's culture,
- Standards/industry guidelines/business model adopted by the organization and its awareness among people within the organization,
- Habits of people, such as late coming, leaving early, taking frequent leave from work etc.

Internal context may be anything within the organization that may influence the way in which the organization manages its internal issues.

- Keshav Ram Singhal




Wednesday, January 22, 2020

Applying Risk-based Thinking: Understanding the organization and its context



Clause 4.1 of the ISO 9001:2015 QMS standard deals with the requirements related to understanding the organization and its context. According to the standard, an organization needs to carry out the following:

(i) Determine: Internal and external issues (positive and negative factors or conditions) that are relevant to the organization's purpose and strategic direction and that can affect the organization's ability to achieve intended results
(ii) Monitor and review: Information about the determined external and internal issues (positive and negative factors/conditions)

Clarification:
(i) Many issues can make it easier to understand the external context of the organization. Such issues may arise from legal, technological, competitive, cultural, social and economic environments, which can be global, national, regional or local.
(ii) Many issues can make it easier to understand the internal context of the organization. Such issues may relate to the organization's values, culture, knowledge and performance.

We see that the requirements of the ISO 9001:2015 QMS standard start by asking for the determination of all issues that can enhance or interrupt achievement of the quality management system outcomes. Organizational issues may be internal and/or external, and they may be well defined, substantially subjective or not so well defined. We need to understand them. A subjective issue may be an internal issue within and among groups/people in an organization. The organization is required to monitor and review all issues that can affect achievement of its defined goals. By monitoring and reviewing internal and external issues, an organization is better prepared to make improvements and is thus put on a path to success. The management of the organization should identify persons who are well versed in the organization and its processes and who understand the standard's requirements very well. These persons should be encouraged to create a suitable, adequate and effective quality management system by monitoring and reviewing internal and external issues. The persons in the organization should make their best efforts to understand related issues and process details, so that they may contribute to achieving the defined goals.

Step-by-step process:
(i) Make a team of identified persons in the organization.
(ii) The team should be asked to think and identify all positive and negative factors and conditions that are relevant and that can affect achievement of organizational goals.
(iii) The team should make a list of all such issues with necessary details.
(iv) Assign responsibility to monitor and review such issues to different persons or groups in the organization, so that effective decisions can be taken for improvement.

Clause 4.1 of the ISO 9001:2015 QMS standard emphasizes a clear understanding of the organization's context. The standard requires the organization to:
(i) determine external and internal issues (positive and negative factors or conditions) that are relevant to its purpose and its strategic direction and that affect the organization's ability to achieve the intended result(s),
(ii) monitor and review information about the determined external and internal issues (positive and negative factors or conditions).

The intent of the above requirements is to understand important issues that can affect, either positively or negatively, the way the organization manages its quality management system to achieve the desired result(s). The requirements mentioned in clause 4.1 are too general, and one may think of many issues that may not be relevant. Consider only those issues that are relevant to the quality management system.

Why does an organization need to determine external and internal issues? One may answer that it is a requirement. But why is this a requirement? Because (i) the organization needs to take better decisions based on evidence, and (ii) a potential benefit to an organization of implementing the ISO 9001:2015 QMS standard is addressing risks and opportunities associated with its context and objectives. This leads to improvement in the quality management system.

Addressing risks and opportunities leads to proactively managing uncertainties, which in turn leads to better decisions based on evidence. This recalls the 'evidence-based decision making' principle, one of the seven quality management principles on which the ISO 9001:2015 QMS standard is based. Clause 0.1 also refers to the potential benefits of implementing ISO 9001:2015 QMS.

The internal context of an organization is the environment in which the organization seeks to achieve its objectives. Issues that need to be considered relate to culture, beliefs, values, or principles inside the organization, as well as the complexity of processes and organizational structure. Typical examples of internal context related issues may be: product/service offerings; governance; organizational structure; roles, responsibilities and authorities; organizational assets (facilities, buildings, machinery, equipment, technology); information systems and decision-making processes; relationships among staff; perceptions of internal stakeholders (owners, suppliers, partners); organizational culture; guidelines; etc.

The external context of an organization relates to issues that may arise from the legal, cultural, social, technological, competitive and economic environments, which can be global, national, regional or local. Typical examples of external context related issues may be government regulations, changes in law, market competition, events (such as trade fairs), etc. These factors should be considered while managing risks, uncertainty and opportunities, and also when you make decisions that may affect the quality of the product/service your organization provides.

The ISO 9001:2015 QMS standard does not prescribe a method for determining such issues. It is for the organization to apply its own suitable method. One such method to determine the internal and external issues may consist of the following steps: (i) the top management of the organization should constitute a team of identified persons who are well versed in the organization and its processes, (ii) the team members should think individually as well as collectively and identify positive/negative factors and conditions that are relevant and that can affect achievement of the organization's goals/objectives, (iii) all such identified issues should be summed up, (iv) the team should also monitor and review the identified issues from time to time.

While auditing the standard's requirements, the auditor should look for objective evidence of how the organization determined the issues related to the context of the organization.

- Keshav Ram Singhal







Monday, December 23, 2019

Risk management (ISO 31000) and risk-based thinking (ISO 9001)



The ISO 9001:2015 QMS standard introduced risk-based thinking as an essential part of the quality management system. The ISO 9001 QMS standard has always advocated mitigating and avoiding risks; its earlier versions included requirements for preventive action, whose aim was to prevent or reduce undesired effects. Now, with the introduction of risk-based thinking in the quality management system, the organization needs to focus on risk-based thinking, and implementing it in an organization is a challenge.

An organization that wishes to implement the ISO 9001:2015 QMS standard does not need to adopt risk management or a formal risk-based approach as per the ISO 31000:2018 standard. Depending on the context of an organization, the ISO 31000 family of standards may help the organization in taking a 'risk-based approach' to the quality management system, its processes and activities. The ISO 31000:2018 standard provides principles and general guidelines on risk management, including guidelines for adopting formal risk management. Although the ISO 9001:2015 QMS standard incorporates risk-based thinking in its requirements, it does not mandate adoption of formal risk management as per the ISO 31000 standard.

The ISO 9001:2015 QMS standard does not prescribe implementing the ISO 31000 standard's requirements; however, the bibliography at the end of the ISO 9001:2015 QMS standard includes a reference to the ISO 31000 standard.

- Keshav Ram Singhal




Tuesday, December 10, 2019

Risk awareness culture



A risk awareness culture (risk-aware culture) in an organization is helpful in applying risk-based thinking in a proactive way. Build a risk culture in your organization. A risk-aware culture in an organization is a foundation of values, knowledge, beliefs, understanding and communication of the risks associated with the organization's objectives and the assets necessary to achieve those objectives. It is the capability of the organization to recognize risks before they threaten, mitigate them when they arise, and recover from the damage they may cause. It is a capability present throughout the organization, and it is woven into the normal routines, rituals, and behaviors of all persons involved.

To build a risk-aware culture in the organization, the leadership (top management) should demonstrate leadership and commitment to the management system by collectively establishing core values, policies and procedures for the organization that include risk-based thinking and its awareness. Once the top management has established the foundation for building the risk-aware culture, the next step is to share the necessary knowledge with the organization's people. This includes written documentation regarding risk and continuous training for risk awareness. The organization should organize a 'Risk Awareness' program (lecture series) from time to time and motivate all employees to answer the question 'What can go wrong at my desk/job function?' Compile the information and address all relevant risk issues. This will help in building a risk culture.

Risk-based thinking must be adopted in every organization.

Decision making should be on the basis of risk-based thinking. Define the range from unacceptable to desired in every process. Identify and critically prioritize the mechanisms that can influence the behaviour of employees to adopt risk-based thinking. Enforce risk-based thinking in the organization's activities as part of its usual activities. Leaders (top management) need to continually live and breathe the values of the risk-based culture.

- Keshav Ram Singhal



Wednesday, November 13, 2019

Summarized hint for applying risk-based thinking



The first question that comes to mind is how to apply risk-based thinking in the quality management system. Simply put, we need to identify, understand and then address risks, for which the following should be done:
- Determine, analyze and prioritize the risks and opportunities in the organization and its processes. Analyze and prioritize - (i) Acceptable risks and opportunities, and (ii) Unacceptable risks and opportunities. Engage everyone in the organization to share their views on the system and its processes.
- Plan actions to address risks and opportunities by finding the solutions to (i) how to avoid, eliminate or mitigate risks, and (ii) how to benefit from opportunities.
- Then implement the plan. Take actions as per planning. Check the effectiveness of the actions taken. Learn from experience.

Leaders of the organization should integrate risk-based thinking into the organization's work culture. The organization's people need to know its processes; to that end, clearly define each process and encourage people to add value to the process. Many risks can be reduced by the organization's people when they are asked to add value.

- Keshav Ram Singhal





Tuesday, October 22, 2019

Benefits of applying risk-based thinking



Risk-based thinking is a mindset to proactively improve the certainty of achieving results / outcomes utilizing processes and methods that consider threats and opportunities. There are various benefits of applying risk-based thinking.

Risk-based thinking:
- promotes a proactive culture in the organization that improves the organization's governance,
- assists the organization in complying with legal requirements,
- assures consistency of product/service quality,
- improves customer confidence and satisfaction, and
- can help the organization prevent losses, capture opportunities and improve communication throughout the organization.

Lessons are learned by applying risk-based thinking and risks can be transformed into opportunities.

- Keshav Ram Singhal



Sunday, October 20, 2019

Risk-based thinking in ISO 9001:2015 QMS standard



The ISO 9001:2015 QMS standard incorporates risk-based thinking in its requirements. It does not mandate formal risk management. An organization can decide whether or not to develop a more extensive risk management methodology; however, risk-based thinking is an integral part of the ISO 9001:2015 QMS standard. One of the key changes in the ISO 9001:2015 QMS standard is to establish a systematic approach to considering risks as an integral part of the QMS, rather than treating 'prevention' as a separate need.

The concept of risk-based thinking was also present in the earlier versions of the ISO 9001 standard through requirements for planning, review and improvement. The earlier version, the ISO 9001:2008 standard, had a clause on preventive action that indirectly included risk-based thinking.

The ISO 9001:2015 QMS standard specifies requirements to understand the organization's context (clause 4.1) and determine risks as a basis for planning (actions to address risks and opportunities - clause 6.1). The requirements of clause 4.1 together with clause 6.1 depict the application of risk-based thinking to planning and implementing QMS processes. Consideration of risks is integral to the ISO 9001:2015 QMS standard. It is now a proactive action rather than a reactive one.

One of the objectives of a QMS is to function in a preventive environment. Preventive action, though no longer present as a requirement, is now reflected through risk-based thinking and is inherent to planning, operation, analysis and evaluation activities. Risk-based thinking is part of the process approach. Risk-based thinking is evident in the following paragraph and clauses of the ISO 9001:2015 QMS standard.

- Introduction - The paragraph explains the concept.
- Clause 4 - Organization needs to address risks and opportunities in accordance with requirements.
- Clause 5 - Top management needs to (i) promote risk-based thinking, and (ii) ensure determining and addressing the risks and opportunities that can affect conformity of product/service.
- Clause 6 - Organization needs to (i) determine risks and opportunities, (ii) plan actions to address risks and opportunities, and (iii) ensure actions taken (to address risks and opportunities) are proportionate to the potential impact on product/service conformity.
- Clause 7 - Organization needs to determine and provide necessary resources for the quality management system. Risk is inherent in all aspects of the quality management system, so determining and providing resources is also necessary for determining risks and opportunities and taking actions to address risks and opportunities.
- Clause 8 - Organization needs to manage operational processes. Risk is inherent in all aspects of the quality management system. All operational processes have some risks.
- Clause 9 - Organization needs to analyze and evaluate data and information with regard to the risks and opportunities. Management review includes consideration of the effectiveness of the actions taken to address risks and opportunities.
- Clause 10 - Organization needs to correct / prevent / reduce undesired effects and update risks and opportunities determined during planning.

The risk-based thinking applied in the ISO 9001:2015 QMS standard has enabled organizations to plan and manage risk on the basis of performance. Clause 6.1 of the standard specifies requirements to plan and address risks and opportunities; however, no formal methods or processes are mentioned in the standard. Formal risk management is not mandated in the ISO 9001:2015 QMS standard; however, an organization can decide its risk management methodology with the help of other guidance or standards. The bibliography at the end of the ISO 9001:2015 QMS standard mentions the ISO 31000 standard, which provides principles and guidelines for risk management. The ISO 31000:2009 risk management (RM) standard can be helpful in taking a risk-based approach depending on the context of an organization, but implementing this standard's guidelines is not a requirement of the ISO 9001:2015 QMS standard.

- Keshav Ram Singhal


Saturday, October 19, 2019

Why do we need risk-based thinking?



Why do we need risk-based thinking? This general question needs an answer. Risk is an inherent part of daily life. Risk also depends on the fragilities and capacities in a system, which are often not manifested until there is a triggering event. Risk may lead to disaster. Risk may be a path to disaster if the protective capabilities of the system cannot deal with the negative consequences of the event.

Risk is a dynamic concept: it changes over time as the vulnerabilities or weaknesses in the system or society change. Risk is not static or constant but rather a dynamic term that is constantly adjusting to changing vulnerabilities, weaknesses and hazards.

Risk is a fundamental reflection of normal life. Why do we want to minimize risk? Because we wish to minimize the chance of major disruption in our life (personal as well as professional), and we also want to keep the background stress in our life (personal as well as professional) as low as possible. We calculate and deal with risk in everyday life: we wear safety belts to reduce the likelihood of injury, get vaccinated to reduce the risk of illness, and take medical insurance to meet the cost of treating future illness. Life or any system without risk is generally neither possible nor conceivable. Our response to natural and environmental hazards is often influenced by our perception of risk. Sometimes we choose to take a risk, knowing the associated risk. For example, people choose to smoke or drink, knowing the risks to their health. Risk perception is influenced by past experience and knowledge. Understanding a risk allows us to make an informed decision by weighing the risk of a certain activity or process against the benefits or outcomes derived from that activity or process. Without factual information, or with misinformation, we are faced with making an uninformed decision.

Risk-based thinking thus helps us to understand risks through a systematic evaluation that determines the risks associated with each process or system.

- Keshav Ram Singhal



Wednesday, October 16, 2019

Nature and impact of risk



Risks are basically threats that can stem from a variety of sources, including financial uncertainty, legal liabilities, strategic management errors, accidents and natural disasters. Risks can impact an organization in the short, medium and long term. Risks may relate to the organization's processes, tactics and strategy. Strategy sets out the long-term objectives of an organization, and strategic planning for an organization will typically cover 3 or more years. Tactics define how an organization intends to achieve change. Tactical risks are typically associated with projects, acquisitions, mergers and the development of products and services. The organization's processes are the routine QMS activities that are under the impact of risk. Risk impact is an estimate of the potential losses associated with an identified risk. It is standard risk analysis practice to develop an estimate of probability and impact. Risk management is the process of identifying, assessing and controlling threats to an organization. Although the ISO 9001:2015 QMS standard does not mandate formal risk management, it incorporates risk-based thinking in its requirements.

- Keshav Ram Singhal