ISO 9001:2015 and Risk-based Thinking (RBT)

Nearly one year into the three-year transition period, we’ve been hearing a lot of conversation about the International Standards Organization’s (ISO) 2015 revised version of standard 9001 on Quality Management Systems (QMS). The 2015 edition “follows a new, higher level structure to make it easier to use in conjunction with other management system standards, with increased importance given to risk.”[1]

Risk-based thinking, though, isn’t new; in fact, it’s something that all of us have already incorporated into our business practices in some fashion. The standard evolved to bring the focus to process – think Plan-Do-Check-Act (PDCA) – rather than documents, and to bring risk-based thinking from implicit to explicit, segmented to systemic.

So what does this mean?

The standard requires that companies must commit to identifying risks, evaluating them, and managerial review of the effectiveness of the actions taken.  This implies that risk-based thinking will be encouraged throughout different levels of the business, and that those potential risks and ideas will be clearly communicated vertically and horizontally. Regardless of your participation in ISO 9001, these are good practices! Companies are keener to learn about risks while they’re still hypothetical rather than as they’re happening, and getting ahead of risks can drive innovation and opportunity.

How do we do it?

The standard is flexible; there is no prescribed method for evaluating and communicating risk. This lets each company bring its stakeholders to the table and determine the best system for their organization’s culture and objectives.

We ask ourselves often: “what are we getting into?” But once we identify risk, what actions do we take? And of equal importance, what do we communicate to whom? Should we proceed full-speed ahead, or are we uncomfortable with the level of uncertainty?

A good starting place for implementation is to look at your current practices: how do you look for potential risks or pitfalls?  Are you considering risks stemming from both internal and external factors? Do you have a culture that promotes risk identification and communication throughout your organization?  How can you make those practices more robust? Risk management strategies are not one-size fits all but must be matched to the risk profile and comfort level of the organization.

Another important question: how “risky” are your risks, and what should you do about them? Minor risks shouldn’t be overprocessed; major risks shouldn’t slip through convenient cracks.  For example, a partner who has a 10-year history of supplying your company with quality materials, has demonstrated a commitment to continual improvement, and offers transparency in operations probably requires minimal oversight compared to a new supplier with whom you’ve not yet established a strategic relationship, or a supplier with a spotted history of noncompliance that has led to issues with product realization.  In the latter two cases, you would likely choose to take actions to mitigate those elevated risks, such as increased AQL inspection or a partnered analysis of the manufacturing processes and control plans.

Most companies already have an arsenal of brainstorming and analyses tools at the ready to help facilitate this evaluation – including quality classics like SWOT analysis, failure modes and effects analysis (FMEA), statistical process control (SPC), Project Definition Rating Index (PDI), design of experiments (DOE), event trees, system dynamics models, and others.

Keep a process-focused approach here, too; the tool’s output is only as good as the intention behind its use. Your team will glean a much greater benefit from working through a design FMEA before production with the intention of uncovering opportunities to design out potential problems and potentially incorporate more compelling features than if the exercise is run after the specification is finalized and the intention is simply to check off the FMEA box on the project plan.

It is also important to choose the right tool for the right job; risk classification, for example, could be done using a rapid cluster 2×2 matrix (Fig. 1) or a more complex classification matrix with two variables of multiple levels and layered associated actions (Fig. 2).  The rapid cluster model is highly effective for hashing out rough risk categories and classifying potential risks on the spot during a group discussion, whereas, the more complex classification matrix is very useful for quickly classing risks against a more complex, pre-defined rubric.

Relative Impact High    
Low    
Low High
Likelihood of Occurrence

Figure 1. Rapid Cluster 2×2 Classification Matrix

Severity 5          
4          
3          
2          
1          
1 2 3 4 5
Occurrence

Figure 2. Risk Classification Matrix

With no prescriptive methodology, auditors will need to take a dynamic approach when looking for conformity to 9001:2015’s risk-based thinking requirements.  When preparing your organization, think about how you might answer the following questions:

  • Does your company have a practice for identifying internal and external issues within the context of your business?
  • Does your company use the information gathered about these issues when planning for your business?
  • Has the business identified the actions to address the risks and opportunities?
  • How are you tracking against your goals?

The critical link to keep in mind is that this shift toward risk-based thinking is designed to improve decision making, so communication along the way is crucial. I’m excited for the change because it moves ISO 9001 more toward a tool for creating a world class QMS rather than an impetus for artifacts.

How are you identifying risk in your organization? Are you focusing on product or process?

[1] http://www.iso.org/iso/iso9001_revision