What Is Risk-Based Thinking in ISO 9001?
29 December 2019
Risk-based thinking is an integral part of ISO 9001. It goes beyond traditional risk management – which is often assigned to a dedicated risk manager – to become a fundamental way of thinking and decision making throughout the entire organization. To achieve ISO certification, businesses must demonstrate risk-based thinking at all levels, from business objectives and strategies, through systems, processes and products.
Let's take a closer look at risk-based thinking in ISO 9001. We'll start by reviewing how to identify risk, and then examine some of the techniques used in risk management. Finally we'll show you how to use these techniques and thread them into your quality management system (QMS) to achieve risk-based thinking.
Identifying Risk
The way in which an organization sets about identifying risk depends heavily on the context of the organization, its stakeholder requirements, its size, culture, and the nature of its products or services. Several clauses of ISO 9001:2015 explicitly mention the identification of risks.
Models can be very useful for identifying risk. The SWOT analysis, for example, is a simple but powerful tool that helps organizations identify their internal strengths and weaknesses and their external opportunities and threats. An effective model for determining external risk is the PESTEL analysis, which examines political, economic, social, technological, environmental and legal factors to identify where risks are present.
The PESTEL Analysis
Assessing Risk
Risk assessment involves determining the probability of a risk and its severity should it occur. It's important to remember that probability and severity are independent dimensions: a risk isn't necessarily catastrophic simply because it's likely to occur, nor negligible simply because it's rare. To a large extent, we're surrounded by risk, much of which is minor or insignificant.
The probability of a risk is the likelihood for the risk event to actually occur. Probabilities can be ranked from 'remote' (or 'highly unlikely') to 'very likely'.
In terms of severity, risks can be graded from insignificant to catastrophic. Severity refers to the impact in case the risk occurs. The disruption depends on the size and nature of the organization. For example, while smaller companies would probably think of a warehouse fire as catastrophic, larger organizations might view catastrophe as a fleet of aircraft grounded due to a global lockdown.
The matrix below plots the severity of a risk against the probability of it occurring. The "warmer" the cell, the higher the risk. Red cells convey a level of risk that's generally unacceptable, yellow cells a risk that's ALARP (As Low As Reasonably Practicable), meaning it should be reduced further only where the cost of doing so isn't disproportionate to the benefit, and green cells a risk that's either tolerable or negligible.
Risk Assessment Matrix (figure): the columns grade severity from Insignificant, Minor and Moderate through Major to Catastrophic; the rows grade probability from Very likely, Probable and Possible through Unlikely to Remote.
Dealing with Risk
Applying the concepts of risk assessment to each identified risk enables organizations to prioritize risk. The "warmer" the risk classification, the higher the priority. Responses to risk are often referred to as the 4 T's Process: Tolerate, Treat, Transfer or Terminate.
Tolerate
Tolerating risk is where no action is taken to reduce a risk.
This could be because mitigating or eliminating the risk isn't cost-effective, or because its probability is so remote that it's deemed acceptable.
Examples might include hotels built in known tsunami zones or businesses operating along the San Andreas Fault.
Risk can also be tolerated if its severity is low enough to be negligible, or if it's accompanied by benefits that outweigh the negative impacts.
Treat
Treating risk means addressing it directly.
Strategies to consider include mitigating the risk to minimize its impact (severity), or reducing the probability of it occurring.
If our hotel is built on the San Andreas Fault, for example, we could consider strengthening it in order to lessen the severity of damage should an earthquake occur.
And to reduce the probability of a warehouse fire, we could remove all flammable materials in its vicinity.
Transfer
Risk can be transferred in a number of ways, the most common of which is probably insurance.
This option is particularly effective for managing financial risks or risks to assets (fire or theft, for example).
Liability waivers can also be used to transfer risk.
Other options include setting up a corporate structure where an operating company without assets takes the risk while the company that owns the assets is a step removed.
Terminate
Terminating risk is often the simplest yet most frequently overlooked option.
If the risk can be removed without materially affecting the organization, then this option should be considered first.
Risk can be eliminated by altering a risky process or discontinuing a risky product.
In the example of the hotel built on the San Andreas Fault, selling and relocating would terminate the risk.
Once risks have been identified and prioritized, the 4 T's Process is an extremely useful tool. But risk management in ISO 9001 isn't static. Organizations need to constantly monitor, measure and evaluate the effectiveness of actions they take to address risk, and must periodically re-assess both risk and their approach to combating it.
From Risk Management to Risk-Based Thinking
So far, we have discussed the main concepts of risk management. But how does risk management differ from risk-based thinking in ISO 9001?
First, risk-based thinking in ISO 9001 considers both risks and opportunities. Opportunities are the positive counterpart of risks and can be managed using the same techniques. When prioritizing, you would look at the combination of likelihood and positive impact, and your actions would seek to foster the opportunity rather than reduce it.
Second, risk-based thinking means that organizations fully integrate the concepts of risk (and opportunity) management in their operations. There are numerous requirements in the standard calling for the consideration of risks and opportunities. Often a formal process, including documentation, is necessary to address these risks and opportunities.
Third, risk-based thinking means that decision makers not only understand the concepts of risk management, but have these concepts ingrained in their thinking and use them as a foundation for decision making. This is often done without a formal and documented risk management process. As mentioned earlier, we are constantly surrounded by risks. Addressing each through a formal and documented process would bring other activities to a grinding halt. But having a fundamental understanding of probability and severity, as well as the ways of dealing with risk (4 Ts), enables decision makers to deal with risk management on the fly. This is what we call risk-based thinking.
Documentation
Risk-based thinking is a core component of ISO 9001 and something that auditors expect to see evidence of when conducting audits. As such, it's important for organizations to keep records of their risk management related activities. The International Organization for Standardization (ISO) provides guidelines to auditors on how to seek evidence of risk-based thinking. Suggested evidence includes:
Meeting minutes
SWOT analysis
Reports on customer feedback
Brain-storming activities
Competitor analysis
Management review
The American Society for Quality recommends keeping a Risk Register, an example of which is shown below. This type of document is a breeze to set up and enables organizations to prioritize risk quickly and without fuss. It's also easy for auditors to examine and assess.
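As an added illustration of the assessment matrix, the 4 T's and the risk register described above (example code written for this page, not from the article, ISO or ASQ), the following Python script keeps a small register, scores each row as probability times severity on the 1 to 5 scales the article uses, sorts the warmest cells first, and flags rows whose chosen response contradicts their band. The numeric cut-offs between the red, yellow and green bands are an assumption: the article describes the colours but publishes no numbers. The register entries are constructed sample data.

```python
"""Hypothetical risk register built on the article's 5x5 matrix and 4 T's.

Added example, not from the article, ISO or ASQ. The product score and
the band cut-offs below are assumptions; real registers pick their own.
"""
from dataclasses import dataclass
from enum import IntEnum


class Probability(IntEnum):
    """Likelihood rankings from the article, lowest to highest."""
    REMOTE = 1
    UNLIKELY = 2
    POSSIBLE = 3
    PROBABLE = 4
    VERY_LIKELY = 5


class Severity(IntEnum):
    """Impact rankings from the article, lowest to highest."""
    INSIGNIFICANT = 1
    MINOR = 2
    MODERATE = 3
    MAJOR = 4
    CATASTROPHIC = 5


RESPONSES = ("Tolerate", "Treat", "Transfer", "Terminate")  # the 4 T's

# Assumed cut-offs on the product score (1..25); the article gives none.
UNACCEPTABLE_FROM = 15   # "red": generally unacceptable
ALARP_FROM = 6           # "yellow": as low as reasonably practicable


def classify(probability: Probability, severity: Severity) -> str:
    """Map one cell of the matrix to its colour band (assumed thresholds)."""
    score = int(probability) * int(severity)
    if score >= UNACCEPTABLE_FROM:
        return "unacceptable"
    if score >= ALARP_FROM:
        return "ALARP"
    return "tolerable"


@dataclass(frozen=True)
class Entry:
    """One row of the register; kind is 'risk' or 'opportunity'."""
    description: str
    probability: Probability
    severity: Severity          # for an opportunity: size of the positive impact
    response: str               # one of RESPONSES
    kind: str = "risk"

    @property
    def score(self) -> int:
        return int(self.probability) * int(self.severity)

    @property
    def band(self) -> str:
        return classify(self.probability, self.severity)


def validate(entry: Entry) -> list[str]:
    """Checks an auditor would raise on a single row."""
    problems = []
    if entry.response not in RESPONSES:
        problems.append(f"unknown response {entry.response!r}")
    # Tolerating is reserved for remote or negligible risks, not red cells.
    if entry.kind == "risk" and entry.band == "unacceptable" and entry.response == "Tolerate":
        problems.append("unacceptable risk cannot simply be tolerated")
    return problems


def prioritize(entries: list[Entry]) -> list[Entry]:
    """Warmest cells first; ties broken by severity so a rare-but-catastrophic
    item ranks above a likely-but-trivial one with the same score."""
    return sorted(entries, key=lambda e: (e.score, int(e.severity)), reverse=True)


def register_review(entries: list[Entry]) -> dict[str, list[str]]:
    """Return {description: problems} for every row that fails validation."""
    return {e.description: p for e in entries if (p := validate(e))}


# Constructed sample register; the scenarios echo the article's examples.
SAMPLE_REGISTER = [
    Entry("Warehouse fire", Probability.POSSIBLE, Severity.MAJOR, "Treat"),
    Entry("Hotel on the San Andreas Fault", Probability.UNLIKELY, Severity.CATASTROPHIC, "Transfer"),
    Entry("Hotel in a tsunami zone", Probability.REMOTE, Severity.CATASTROPHIC, "Tolerate"),
    Entry("Single supplier for key component", Probability.PROBABLE, Severity.MAJOR, "Tolerate"),
    Entry("Printer toner runs out", Probability.VERY_LIKELY, Severity.INSIGNIFICANT, "Tolerate"),
    Entry("New export market", Probability.PROBABLE, Severity.MODERATE, "Treat", kind="opportunity"),
]

if __name__ == "__main__":
    for e in prioritize(SAMPLE_REGISTER):
        print(f"{e.score:>2}  {e.band:<12} {e.response:<9} {e.kind:<11} {e.description}")
    for desc, problems in register_review(SAMPLE_REGISTER).items():
        print(f"FLAG {desc}: {'; '.join(problems)}")
```

Running the script lists the register warmest first and flags the supplier row, where a red-band risk has been marked "Tolerate"; that is exactly the inconsistency an auditor would probe, since tolerating is meant for risks that are remote, negligible, or outweighed by their benefits.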
Conclusion
Along with the Process Approach and Plan-Do-Check-Act (PDCA) methodology, risk-based thinking is an integral component of ISO 9001 and one that top executives and department managers need to be intimately familiar with. Remember too that when it's time to get certified, external auditors will expect to see evidence of your organization's approach to risk.