ISO 9001 Risks and Opportunities
Risk management has been prevalent in many different industries (banking, insurance, etc.) for decades but has gained significant visibility and traction in other industries as a fundamental business practice over the past ten to fifteen years. Industries such as pharmaceuticals, medical device, and aerospace adopted a risk-approach within their management system requirements back in the early 2000’s and emphasis on risk continues to increase within these and other industries.
Now ISO 9001 has joined the game by adding what it calls “risk-based thinking” in the 2015 version of the standard. However, it still isn’t clear what the actual expectations are or what is needed to fully satisfy these new requirements. For now, that will most likely be up to individual auditors until things settle down.
Let’s take a closer look at the requirements defined in ISO 9001 clause 6.1, Actions to Address Risks and Opportunities. The clause states that when planning for the management system, you should determine the risks and opportunities that affect the organization. Risk assessments should:
- Consider the internal and external issues determined in clause 4.1 and interested party requirements determined in clause 4.2;
- Ensure that the management system can achieve its intended results where results are tied to quality (business) objectives and the desired performance of the management system processes (see clause 4.4);
- Enhance desirable effects. In other words, the results or output of the risk management process should benefit the organization and facilitate realization of established objectives and goals;
- Achieve improvement. This requirement goes hand-in-hand with the previous one as clause 10.1 (Improvement-General) states that improvement initiatives shall facilitate “correcting, preventing, or reducing undesired effects”.
Links to Other ISO 9001 Clauses
Risks and opportunities are directly tied to more other clauses than just about any other requirement in the ISO 9001 standard:
4.1 – Understanding the Organization and Its Context: Internal and external issues are an input to risks and opportunities;
4.2 – Understanding the Needs and Expectations of Interested Parties: Interested party requirements are an input to risks and opportunities;
4.4.1f – Quality Management System and Its Processes: Actions to address and mitigate defined risks and opportunities should be embedded within and addressed by the established management system processes. Also consider that, where applicable, processes (and employees) should take a “risk-based approach” to actions and decisions;
5.1.1d – Leadership and Commitment: Management is responsible for promoting and creating a culture which embraces “risk-based thinking”;
5.1.2b – Customer Focus: Risks and opportunities must consider and address those issues which can affect product or service conformity, and customer satisfaction;
9.1.3e – Analysis and Evaluation: Actions to address and mitigate risks and opportunities are to be verified to determine if they are effective. The results of this analysis and evaluation effort should form an input back into the risk assessment process;
9.3.2e – Management Review Inputs: The effectiveness of actions taken to address risks and opportunities (from Analysis and Evaluation activities above) form an input to the management review process. Be sure that your management review activities include a review of risk management results. As with 9.1.3e above, the results of this review may need to be fed back into the risk management process;
10.2e – Nonconformity & Corrective Action: Where warranted, risk assessments should be reviewed and updated based on the results of corrective action activities.
Implementation of Risks & Opportunities
Ok, so what does all this mean? Unfortunately, the ISO 9001 risks and opportunities clause doesn’t provide any specific requirements or guidance for how “risk-based thinking” is to be implemented, executed, or maintained, which has caused significant confusion, speculation, and argument throughout the ISO 9001 world, even among the “experts”. The standard does not require the adoption of a formal risk management process or the completion of any particular type of risk assessment, so it is unclear exactly what action or effort is required to satisfy this clause. The upside of all this uncertainty is that whatever action you take will most likely be considered acceptable, provided it is appropriate to the context of your organization and commensurate with the perceived risk within your company, products, and services. You can determine what risk management process works for your organization, as long as the process is reasonable for your company and meets all the ISO 9001 risks and opportunities requirements (clause 6.1).
Since ISO isn’t prescriptive about how risks and opportunities are to be determined and managed, and no documented information is required, this clause could be satisfied through discussion of risks and opportunities by the management team during management review or strategic planning activities. With that said, we just don’t see this as a practical way to identify, evaluate, mitigate, review, and update identified risks over time, especially without some type of documentation.
A simple approach might involve capturing a half dozen top risks in meeting notes or minutes and reviewing these identified risks at subsequent meetings. This might be acceptable for very small organizations with minimal complexity and risks, as long as action is taken to address and verify risks. However, we feel that most companies of any notable size should attempt to adopt a more formal approach to risk management. This doesn’t need to be complex, and as the ISO 9001 notes state, the actions to address risk and opportunities should be proportionate to the level of risk to products and services.
Our ISO 9001 eCoach system provides a basic risk assessment process and tools which would be appropriate and value-adding to most smaller organizations. This basic approach uses a simple risk assessment tool (a risk register) that is widely adopted across many different industries and companies. A Google search for risk registers will turn up hundreds of additional sites and tools on the topic.
The traditional risk assessment process provides a method for identifying, evaluating, mitigating, and verifying risks, and definitely satisfies the ISO 9001 risks and opportunities requirements. Utilize outputs from strategy planning, management review, and other applicable sources to identify, assess, and take action to address risks. Don’t overthink this process or the results. It should be commensurate with the size and type of business you operate. For a small company in a non-regulated industry, perhaps the top 10 or 20 risks impacting the organization are sufficient. For other organizations, the top 100 or more risks may need to be addressed. If unsure, start small (the top 10 risks?) and allow the process to expand and grow over time.
It is next to impossible for EBS to define a process that is universally appropriate and effective for every company, which puts the burden on you to understand the letter and spirit of the requirements and determine the process, tools, and actions that best suit your organization. If you feel that the examples and methods provided aren’t appropriate for your organization, an internet search for risk management, risk assessment, etc. will provide an overwhelming amount of information on the topic and numerous methods and tools to consider.
Where an organization needs a more in-depth or complex risk assessment framework, methods, and tools, consideration should be given to partnering with a competent risk management consultant or even retaining a risk management resource within the organization.
The ISO 9001 standard provides some additional guidance on risk-based thinking in section 0.3.3 and Annex A.4; however, this information remains fairly ambiguous, leaving much leeway for organizations to determine how best to address risk and fulfill the requirements.
If the ISO 9001 risks and opportunities (risk management) requirements are new to your organization, take some time to devise a risk management process that best fits your organization. Define a simple risk tool and start small with a handful of key risks. Also, embedding risk-based thinking within the organization is really all about a shift in culture. If it isn’t already present, diligence and patience will be needed to slowly shift people to a risk-based way of thinking and of approaching actions and decisions. Get your management team on board, then live and model your desired behavior over time to get everyone else on board. Remember, employees believe and model what you do, not what you say.