What is Risk Based Thinking?
One of the key changes in the 2015 revision of ISO 9001 is to establish a systematic approach to considering risk, rather than treating “prevention” as a separate component of a quality management system, because risk is inherent in all aspects of a quality management system. There are risks in all systems, processes and functions, and risk-based thinking ensures these risks are identified, considered and controlled throughout the design and use of the quality management system. In previous editions of ISO 9001, a clause on preventive action was separated from the whole. Under risk-based thinking the consideration of risk is integral, and it becomes proactive rather than reactive in preventing or reducing undesired effects through early identification and action. Preventive action is built in when a management system is risk-based. Risk-based thinking is something we all do automatically in everyday life: if you wish to cross a road, you automatically check for traffic lights or look both ways before you begin, because you do not want to step in front of a moving vehicle. Not all the processes of a quality management system represent the same level of risk in terms of the organization’s ability to meet its objectives; certain risks need more careful and formal planning and controls than others. To cross the road you may go directly across, or you might use a nearby footbridge or a pedestrian crossing. Which you choose will be determined by considering the risks.
Even though the effects of risks can be either negative or positive, risk is commonly understood as referring only to negative consequences. ISO 9001:2015 therefore considers risks and opportunities together, as a preventive risk management and continual improvement strategy, in which opportunity is not simply the positive side of risk. An opportunity is a set of circumstances which makes it possible to improve product quality or safety, or to prevent an unintended effect or risk to the consumer or the manufacturer, but taking or not taking an opportunity then presents different levels of risk. For example, crossing the road directly gives me an opportunity to reach the other side quickly, but if I take that opportunity there is an increased risk of injury from moving cars. Risk-based thinking considers both the current situation and the possibilities for change. Analysis of this situation shows opportunities for improvement:
- A subway leading directly under the road
- Pedestrian traffic lights, or
- Diverting the road so that the area has no traffic
Why use risk-based thinking?
By considering risk throughout the system and all processes, the likelihood of achieving stated objectives is improved, output is more consistent and customers can be confident that they will receive the expected product or service.
Risk-based thinking:
- Improves governance
- Builds a strong knowledge base
- Establishes a proactive culture of improvement
- Assists with statutory and regulatory compliance
- Assures consistency of quality of products and services
- Improves customer confidence and satisfaction

Successful companies intuitively incorporate risk-based thinking.
Risk-based thinking is a sore point among many quality professionals. Even so, identifying risk, analyzing the consequences, probability and level of risk (i.e. risk analysis), and risk evaluation using formal techniques are becoming increasingly important tasks in the global business world. ISO 9001:2015 incorporates what the draft version of the International Standard termed “Risk Based Thinking” in its requirements for the establishment, implementation, maintenance and continual improvement of the quality management system. If you are already familiar with the DIS or have read the many discussions on the subject, you will already be aware that formal risk management is not mandated. However, organizations can, in the words of the TC 176 Committee’s draft standard (May 2014), “…choose to develop a more extensive risk based approach than is required by this International Standard, and ISO 31000 provides guidelines on formal risk management which can be appropriate in certain organizational contexts”.
Managing risks is something we all do every day, mostly without even thinking about it, but when the complexity increases beyond our everyday experience, such as the risks faced by a business or a big project, a more formal approach is required. However, it really isn’t difficult, since a generic risk management process has been set out in ISO 31000 and can be applied to any kind of risk by any kind of organization. ISO 31000 describes an “overall approach to risk management, not just risk analysis or risk assessment. It deals with the links between risk management process and both strategic direction and day to day actions and treatments.” The form of assessment and its output should be consistent with the risk criteria developed as part of establishing the context [Clause 6.2]. However, there is no point in making life more complicated than it needs to be. Suitable techniques should therefore exhibit the following characteristics: they should be justifiable and appropriate to the situation or organization under consideration; they should provide results in a form which enhances understanding of the nature of the risk and how it can be treated; and they should be capable of being used in a manner that is traceable, repeatable and verifiable.
Although risks and opportunities have to be determined and addressed, there is no requirement in ISO 9001:2015 for formal risk management or a documented risk management process. Even so, the concept of preventive action is expressed in the 2015 wording through the risk-based approach to formulating quality management system requirements, which implies that you will most probably want to show your reasoning in this respect: in other words, how your thinking about risk led to these actions.
Strategic Approach to Risk Management
One technique is a checklist: a listing of typical uncertainties which need to be considered, where users refer to a previously developed list, codes or standards. Checklists and reviews of historical data are, naturally enough, a sensible step if you are serious about identifying the risks and opportunities in accordance with the requirements of ISO 9001:2015 Clause 6.1, and intend to plan and implement the appropriate actions to address them. You can enhance the quality of the output by following a systematic process to identify risks, using a structured set of prompts or questions for the experts: make a checklist of the known issues in the environment that can (a) affect conformity of products and services [risk] and (b) enhance customer satisfaction [opportunity].
Regardless of the industry or the product, different kinds of risks need different assessments in terms of the questions to ask or the exact technique you use, but the overall risk management process is the same. Essentially, the generic steps are as follows:
- Establish the context: what activities are we talking about? What are you trying to do? e.g., using a piece of machinery, making/building something, collecting measurements, importing or exporting goods, staff, data analysis and reporting.
- Identify risks: what might affect the outcome? e.g., a weather event, change to regulations, injury, staffing shortages, lack of required skills, loss of a key supplier, chemical exposure, theft, fraud, computer failure, human error.
- Analyze the risks, to prioritize them: what are the consequences if the risk actually occurs? How likely is it to occur? e.g. minor injury, loss of life, schedule delays, change to reputation, financial losses/gains, business growth/closure…
- Evaluate: can we live with this risk? Is it a minor inconvenience? A major problem? A fantastic opportunity? What’s our risk appetite: risk averse, risk seeking or neutral? How could we change the consequences or change the likelihood? Weigh up the cost/benefit balance for different options and, for hazards, check the hierarchy of controls.
- Control/treat: actually implement what you decided should be done to control the risk, e.g. changes to work practices, or extra monitoring to watch out for triggers.
- Review: is it working? Can we do better? Has anything changed? Does this risk still apply?
Looking at past incidents will help you become aware of the different kinds of risks and hazards to look for.

Some organizations have also developed specific forms for the particular hazards they deal with, to make it easier to remember to ask all the relevant questions.