Risk-Based Thinking - A Mind Set, Not a Process
John J Guzik, President, Impact Management, Hanover, PA, USA
Keywords: Risk, Change, Planning
In today s business environment, most organizations are implementing risk-based thinking without thinking of it in these terms. Whenever making a decision that will have an impact on the business, an assessment of risks vs opportunities is done, either formally or informally. The emphasis of this requirement in ISO 9001 supports the notion that this kind of proactive decision-making mentality is crucial to the continual improvement of the QMS, and the organization as a whole.
There has been a great to-do about this new ISO 9001 requirement, risk . Many have pointed to risk management programs, insisting that the standard now formally requires this. Tools such as FMEAs and PPAPs as well as a plethora of new wiz-bang software programs have been introduced as tools that can do the task. The difficulty with utilizing these tools is that most of them were designed for risk management programs as they address the requirements of the product/service. The fact is that utilizing these tools may help with product integrity while you re still left hanging in the breeze to demonstrate risk-based thinking as the standard calls for.
Moving in the direction of embracing a formal rigid structure such as FMEAs and PPAPs into the realm of addressing risks and opportunities in the perspective of ISO 9001 can create new risks to smaller organizations. In attempting to employ these kinds of tools, the additional risks could include:
1. The potential for investment of excessive costs which may provide no value to the organization, ultimately resulting in slowed operational performance and poor financial performance of the organization, leading to potential closure.
2. The potential for poorly structured programs that could weaken the QMS, and possibly the end products/services going to the customer (read: NCRs, advisory notices, recalls, safety liabilities, etc.) is another very real risk.
If you were around for the introduction of ISO 9001:2000, you may remember the introduction of the then new topic, continual improvement . At that time, many went off creating continual improvement programs as a new tool in the QMS. After things settled in, we saw how continual improvement could be demonstrated through the tools listed in clause 8.5.1 quality policy, quality objectives, audit results, analysis of data, corrective action, preventive action, and management review. Auditors would then look to these areas of the QMS and look for evidence of continual improvement. Perhaps the same approach would be better taken here.
Only after the user has read and understood clause 0.3.3, Risk-based thinking, as well as Annex A.4, Risk-based thinking in ISO 9001:2015, can they truly undertake the implementation of clause 6.1, Actions to address risks and opportunities. In reading and understanding these other portions of the standard, it comes clear that risk-based thinking (much like continual improvement was in 2000) can be seen in existing tools of the standard, and is not requiring a new tool. Consider the following applications
1. One could see evidence of risk-based thinking in records of management review, with decisions and actions being made regarding opportunities for improvement, changes needed in the QMS, and resource needs. If these decisions and actions demonstrate that they were based on an evaluation of risk of uncertainty, then risk-based thinking has been implemented.
2. When the organization plans its internal audit program while taking into consideration the importance of processes concerned, changes affecting the organization, and the results of previous audits (see 9.2.2a), the organization could demonstrate that risk-based thinking has been utilized while planning for the audit program.
3. When planning for changes to the QMS (see 6.3a), an organization is required to consider the potential consequences of the proposed change, as well as (see 6.3b) the integrity of the QMS while planning for these changes. If the organization has evaluated the severity of the potential consequences when making these changes, then they have implemented risk-based thinking.
4. When controlling changes for production and service provision (see 8.5.6), an organization could demonstrate that the changes were effectively controlled through an evaluation of potential impacts on other processes. In some cases a simple evaluation could be sufficient; in others, perhaps a formal IQ-OQ-PQ would be more appropriate. In either case, if potential impacts were considered, then risk-based thinking was employed.
5. When determining that they have the ability to meet the requirements for products and services to be offered to customers (see 22.214.171.124) an organization could be utilizing risk-based thinking when determining whether to pursue a particular business opportunity. In most companies, a managerial decision is made to either pursue or not to pursue these business opportunities based on the potential consequences of the dedication of additional resources. If this is the case, risk-based thinking has been implemented.
6. When deciding on whether or not to begin to design and development of products and services (see 8.3), most organizations base this decision on an evaluation such variables as the potential for a non-marketable product/service, inability to produce, inability to design at a sellable price, etc. If this has been the case, risk-based thinking has been implemented. Later in design and development, when considering changes to the design characteristics (see 8.3.6) the organization is required to control the changes to ensure that there is no adverse impact on conformity to requirements When doing so, the organization has demonstrated risk-based thinking.
The question then arises, So how can I show an auditor that we have implemented risk-based thinking in these applications? The fact is clause 6.1 ISO 9001:2015, does not require that the organization retain documented information on actions to address risks and opportunities. But, in most of the examples listed above, retention of documented information is required. These records could be used to demonstrate risk-based thinking.
Whatever path is selected in addressing this requirement, the organization is wise to recognize the risks associated with this decision.