Tuesday, December 27, 2016

ISO 9001:2015 Risk Assessment

What is Risk Based Thinking?
One of the key changes in the 2015 revision of ISO 9001 is to establish a systematic approach to considering risk, rather than treating “prevention” as a separate component of a quality management system, because risk is inherent in all aspects of a quality management system. There are risks in all systems, processes and functions, and risk-based thinking ensures that these risks are identified, considered and controlled throughout the design and use of the quality management system. In previous editions of ISO 9001, a clause on preventive action stood apart from the rest of the standard. Under risk-based thinking the consideration of risk is integral: it becomes proactive rather than reactive, preventing or reducing undesired effects through early identification and action. Preventive action is built in when a management system is risk-based. Risk-based thinking is something we all do automatically in everyday life: if you wish to cross a road you look for traffic lights or check both sides of the road before you begin, because you will not step in front of a moving vehicle. Not all the processes of a quality management system represent the same level of risk in terms of the organization’s ability to meet its objectives, and certain risks need more careful and formal planning and controls than others: to cross the road you may go directly across, or you might use a nearby footbridge or a pedestrian crossing. Which option you choose will be determined by considering the risks.

Although the effects of risk can be either negative or positive, risk is commonly understood to refer only to negative consequences. ISO 9001:2015 therefore considers risks and opportunities together, as a combined preventive risk management and continual improvement strategy, in which opportunity is not simply the positive side of risk. An opportunity is a set of circumstances that makes it possible to improve product quality or safety, or to prevent an unintended effect or risk to the consumer or the manufacturer; taking or not taking an opportunity then presents different levels of risk. Crossing the road directly gives me an opportunity to reach the other side quickly, but if I take that opportunity there is an increased risk of injury from moving cars. Risk-based thinking considers both the current situation and the possibilities for change. Analysis of this situation shows opportunities for improvement:
A subway leading directly under the road
Pedestrian traffic lights, or
Diverting the road so that the area has no traffic

Why use risk-based thinking?
By considering risk throughout the system and all processes the likelihood of achieving stated objectives is improved, output is more consistent and customers can be confident that they will receive the expected product or service.
Risk-based thinking:
Improves governance
Builds a strong knowledge base
Establishes a proactive culture of improvement
Assists with statutory and regulatory compliance
Assures consistency of quality of products and services
Improves customer confidence and satisfaction
Successful companies intuitively incorporate risk-based thinking.

Risk based thinking is a sore point among many Quality professionals. Even so, identifying risk, analyzing the consequences, probability and level of risk (i.e. risk analysis) and evaluating risk using formal techniques are becoming increasingly important tasks in the global business world. ISO 9001:2015 incorporates what the draft version of the International Standard termed “Risk Based Thinking” in its requirements for the establishment, implementation, maintenance and continual improvement of the quality management system. If you are already familiar with the DIS or have read the many discussions on the subject, you will already be aware that formal risk management is not mandated. However, organizations can, in the words of the TC 176 Committee’s draft standard (May 2014), “…choose to develop a more extensive risk based approach than is required by this International Standard, and ISO 31000 provides guidelines on formal risk management which can be appropriate in certain organizational contexts”.

Managing risks is something we all do every day, mostly without even thinking about it, but when the complexity increases beyond our everyday experience, such as the risks faced by a business or a big project, a more formal approach is required. It really isn’t difficult, since a generic risk management process has been set out in ISO 31000 and can be applied to any kind of risk by any kind of organization. ISO 31000 describes an “overall approach to risk management, not just risk analysis or risk assessment. It deals with the links between risk management process and both strategic direction and day to day actions and treatments.” The form of assessment and its output should be consistent with the risk criteria developed as part of establishing the context [Clause 6.2]. However, there is no point in making life more complicated than it needs to be. A suitable technique should therefore have the following characteristics: it should be justifiable and appropriate to the situation or organization under consideration; it should provide results in a form that enhances understanding of the nature of the risk and how it can be treated; and it should be capable of use in a manner that is traceable, repeatable and verifiable.

Although risks and opportunities have to be determined and addressed, there is no requirement in ISO 9001:2015 for formal risk management or a documented risk management process. Even so, the concept of preventive action is expressed in the 2015 wording through the risk-based approach to formulating quality management system requirements, which implies that you will most probably want to show your reasoning in this respect: in other words, how your thinking about risk led to these actions.

Strategic Approach to Risk Management
A checklist is a technique that provides a listing of typical uncertainties which need to be considered; users refer to a previously developed list, codes or standards. Checklists and reviews of historical data are, naturally enough, a sensible step if you are serious about identifying the risks and opportunities in accordance with the requirements of ISO 9001:2015 Clause 6.1, and intend to plan and implement appropriate actions to address them. You can enhance the quality of the output by following a systematic process to identify risks: a structured set of prompts or questions for the experts, built by making a checklist of the known issues in the environment that can (a) affect conformity of products and services [risk] and (b) enhance customer satisfaction [opportunity].

Regardless of the industry or the product, different kinds of risks need different assessments in terms of the questions to ask or the exact technique you use, but the overall risk management process is the same. Essentially, the generic steps are as follows:

Establish the context
What activities are we talking about?
What are you trying to do?
e.g., using a piece of machinery, making/building something, collecting measurements, importing or exporting goods, staff, data analysis and reporting.

Identify risks
What might affect the outcome?
e.g., a weather event, change to regulations, injury, staffing shortages, lack of required skills, loss of a key supplier, chemical exposure, theft, fraud, computer failure, human error.

Analyze the risks – to prioritize them.
What are the consequences if the risk actually occurs?
How likely is it to occur?
e.g. minor injury, loss of life, schedule delays, change to reputation, financial losses/gains, business growth/closure…

Evaluate – can we live with this risk?
Is it a minor inconvenience?
Major problem?
Fantastic opportunity?
What’s our risk appetite?
Risk averse?
Risk seeking?
Neutral?
How could we change the consequences or change the likelihood?
Weigh up the cost/benefit balance for different options and for hazards, check the hierarchy of controls.

Control/treat – actually implement what you decided should be done to control the risk.
changes to work practices
extra monitoring to watch out for triggers

Review – is it working?
Can we do better?
Has anything changed?
Does this risk still apply?
Looking at past incidents will help you become aware of the different kinds of risks and hazards to look for.
Many organizations have also developed specific forms for particular hazards they deal with, to make it easier to remember to ask all the relevant questions.
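The generic steps above (establish the context, identify, analyze, evaluate, control/treat, review) can be carried through as a small risk register. The following is an added example, not code from the original post or from any ISO publication: the 1-5 likelihood and consequence scales, the appetite thresholds on the likelihood × consequence product, and the sample register entries are constructed assumptions, since ISO 9001:2015 does not prescribe a scoring scheme and the risk criteria must come from your own context.

```python
"""Worked risk register following the generic risk management steps.

Added example, not part of the original post. The 1-5 scales, appetite
thresholds and sample entries are constructed assumptions; adapt the risk
criteria to the context you established in your own organization.
"""
from dataclasses import dataclass, field

# Analyze: ordinal scales for likelihood and consequence (assumed 1-5).
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
CONSEQUENCE = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}

# Evaluate: risk appetite expressed as thresholds on the L x C product.
# (accept_upto, monitor_upto): at or below the first we live with it,
# at or below the second we add monitoring for triggers, above it we treat.
APPETITE = {"risk averse": (4, 8), "neutral": (6, 12), "risk seeking": (9, 16)}


@dataclass
class Risk:
    context: str            # Establish the context: which activity?
    description: str        # Identify: what might affect the outcome?
    likelihood: str
    consequence: str
    controls: list = field(default_factory=list)  # Control/treat: what was done

    @property
    def level(self) -> int:
        """Risk level = likelihood x consequence on the assumed scales."""
        return LIKELIHOOD[self.likelihood] * CONSEQUENCE[self.consequence]


def evaluate(risk: Risk, appetite: str = "neutral") -> str:
    """Can we live with this risk? Map the level onto the chosen appetite."""
    accept_upto, monitor_upto = APPETITE[appetite]
    if risk.level <= accept_upto:
        return "accept"
    if risk.level <= monitor_upto:
        return "monitor"
    return "treat"


def prioritize(register: list) -> list:
    """Analyze step: highest level first, so the worst risks get attention first."""
    return sorted(register, key=lambda r: r.level, reverse=True)


def treat(risk: Risk, control: str, likelihood=None, consequence=None) -> Risk:
    """Record a control and the residual rating it is expected to achieve."""
    return Risk(risk.context, risk.description,
                likelihood or risk.likelihood,
                consequence or risk.consequence,
                risk.controls + [control])


def review(before: Risk, after: Risk) -> dict:
    """Review step: is it working? Compare residual level against inherent level."""
    return {"inherent": before.level, "residual": after.level,
            "improved": after.level < before.level}


# Constructed sample register using hazards named in the post; ratings are made up.
REGISTER = [
    Risk("order fulfilment", "loss of a key supplier", "possible", "major"),
    Risk("data analysis and reporting", "computer failure", "likely", "moderate"),
    Risk("measurement collection", "human error", "likely", "minor"),
    Risk("production", "staffing shortages", "unlikely", "moderate"),
]

if __name__ == "__main__":
    for r in prioritize(REGISTER):
        print(f"{r.level:>2}  {evaluate(r):<8} {r.context}: {r.description}")
    supplier = REGISTER[0]
    treated = treat(supplier, "qualify a second supplier", likelihood="unlikely")
    print(review(supplier, treated))
```

Changing the appetite argument shows why the evaluate step matters: the same supplier risk (level 12) is "monitor" for a neutral organization but "treat" for a risk-averse one. Keeping the residual rating beside the inherent one gives the review step something concrete to check against, which is the traceable and repeatable record the post recommends.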