Risk Identification in ISO 9001:2015
Risk is defined as the "possibility of
an event occurring that will have an impact on the achievement of
objectives." Organizations are exposed to a wide variety of risks every
day and their impact could affect an organization's finances, operations, legal
standing, or reputation. Therefore, to effectively manage these risks,
management should have a process to identify, assess, prioritize, and manage
them, because risk is inherent in all aspects of a quality management system as
well as in all systems, processes and functions. Thus risk-based thinking
ensures these risks are identified, considered and controlled throughout the
design and use of the quality management system.
The research that was carried out as part of
the review process recognized that several other important changes were required
since the last major change in 2000. These were:
Providing a foundation for the integration with other management systems
Introducing risk-based thinking, now prevalent in many organizations
Aligning the QMS policy and objectives with the strategy of an organization
Providing greater flexibility with documentation
On the other hand, risk management and
preventive action are sequential, complementary elements that are essential to
the QMS. The effectiveness of any preventive action depends on the extent to
which the action addresses the root causes identified by the risk assessment.
Therefore, the success of the risk assessment process depends on the extent to
which it identifies root cause issues. When all root cause issues have been
identified, it is possible to examine the proposed preventive actions to determine
if all elements of risk have been satisfactorily addressed and mitigated.
When considering the 2015 revision of ISO
9001, the committee responsible decided that change was necessary in order to adapt
to a changing world, enhance an organization’s ability to satisfy its customers,
provide greater focus on the customer, provide a consistent foundation for the future,
reflect the increasingly complex environments in which organizations operate,
and ensure the new standard reflects the needs of all interested parties.
Risk Identification

There are
multiple types of risk assessments, including quality risk assessments, food
safety risk assessments, program risk assessments, risk assessments to support
an investment decision, analysis of alternatives, and assessments of
operational or cost uncertainty. Risk identification needs to match the type of
assessment required to support risk-informed decision making. For a production
process, the first step is to identify the production goals and objectives,
thus fostering a common understanding across the manufacturing and quality team
of what is needed for production success. This gives context and bounds the
scope by which risks are identified and assessed.
The sooner risks
are identified, the sooner plans can be made to mitigate or manage them. Nevertheless,
assigning the risk identification process to a contractor or an individual
member of the staff is rarely successful and may be considered a way to achieve
the appearance of risk identification without actually doing it. It is
important, however, that all relevant management personnel receive specific
training in risk management methodology. This training should cover not only
risk analysis techniques but also the managerial skills needed to interpret
risk assessments.
Preliminary hazard analysis
Preliminary hazard analysis can be defined as “a simple inductive method of analysis whose
objective is to identify the hazards and hazardous situations and events that
can cause harm for a given activity, facility or system”. However, the term
‘hazard’ is always used in the context of physical harm. At first sight it is not a
very promising tool, but it does have advantages: it can be used
when there is limited information, and it allows risks to be considered
very early in the system lifecycle. In some organizational contexts such as
food manufacturing organizations, preliminary hazard analysis could be
appropriate as a risk assessment tool for quality when its use helps to prevent
Critical Nonconformities which could, for example, result in hazardous or
unsafe conditions for individuals using, maintaining or depending on the
product.
Structured Interviews and Brainstorming
Structured interviews and brainstorming sessions are conducted to collect a broad set of
ideas and evaluations, which a team then ranks. Brainstorming may be stimulated
by prompts or by one-on-one and one-on-many interview techniques. When planning
for the quality management system, ISO 9001:2015 requires organizations to
consider the issues referred to in clause 4.1 [Understanding the organization and
its context] and the requirements referred to in 4.2 [Understanding the needs
and expectations of interested parties] and determine the risks and
opportunities that need to be addressed, in order to:
a) Give assurance that the quality management system can achieve its intended result(s);
b) Prevent, or reduce, undesired effects;
c) Achieve continual improvement.

In the section ‘Supporting Methods’, human reliability analysis (HRA), which deals
with the impact of humans on system performance and can be used to evaluate
human error influences on the system, is able to provide quantitative output
and is ‘strongly applicable’ to risk analysis and ‘applicable’ to risk
evaluation.
As a simple method for considering risks in relation to a quality management system
and its associated processes, you can ask yourself the following questions:
What are the risks associated with the organization’s context and objectives – and
why does each risk occur? [identifying the risk and the reason for its
occurrence].
What would be the likely negative consequences of process, product, service or
system nonconformities? [consequences if the risk occurs].
How likely is it that the organization will deliver nonconforming products and
services in relation to the risks we have identified? [probability of the risk
effective are our existing controls?’ – in order to identify factors that
reduce the consequences or probability of the risk. However, in terms of what
we actually need to know, these will make a good start.
What can happen and why (by risk identification)?
What are the consequences?
What is the probability of their future occurrence?
Are there any factors that mitigate the consequence of the risk or that reduce the
probability of the risk?
Provided that you adhere to this basic structure, you are following the framework that
is set out in the International Standard ISO 31000:2009. Rather than spending
several days reading the Standard and having long meetings with colleagues to
see how it might be applicable, why not look for methods that would help you to
meet the requirements of ISO 9001?
One important point is that you need to document the results of any
‘consideration of risks and opportunities’ exercise as evidence of your management
team’s “risk based thinking”. Even if it is clear from the design of your
processes that you have taken account of Clause 6.1 and determined the risks
and opportunities that need to be addressed, having a record of your risk
assessment processes might prove useful, if only as a reminder to keep matters
under review! Then, evaluate the risk assessment tools (numbering 31 in total)
in ISO 31010 to see if they are applicable to your organizational context.
According to the introduction to ISO 31000:2009, “The current management practices and
processes of many organizations include components of risk management, and many
organizations have already adopted a formal risk management process for
particular types of risk or circumstances”. It follows therefore that it is
worth interviewing the people involved (in a structured or unstructured way) or bringing them
together for a brainstorming session – if only to find out what qualitative and
quantitative risk assessments have been made that could help you to address the
requirements of ISO 9001. Whether or not anyone is carrying out risk
assessments, though, with or without the use of the tools in ISO/IEC 31010:2009, ISO
9001:2015 expects the organization to understand its context (see clause 4.1)
and determine the risks and opportunities that need to be addressed (see clause
6.1). For example, ISO assumes that one of the key purposes of a quality
management system is to act as a preventive tool, taking account of identified
risks. Consequently, ISO 9001:2015 does not have a separate clause or
sub-clause titled ‘Preventive action’. Rather, the wording states unequivocally:
“The concept of preventive action is expressed through a risk based approach to
formulating quality management system requirements”.
