Risk-based thinking is one of the major changes introduced in the updated ISO 9001:2015 Standard. While risk-based thinking was addressed implicitly in older versions of ISO 9001 under the clause on ‘preventive action’, ISO 9001:2015 increases the focus and explicitly defines the requirement under the clause “Actions to address risks and opportunities”. The focus in this new version of the standard is therefore on capturing both the risks and the opportunities and then handling them in a structured manner.
ISO defines a risk as the ‘effect of uncertainty on the expected result’. Effective management of risk is discussed well in advance to ensure there are fewer surprises, improved planning, effective decision making and better relationships with stakeholders. Effective management of risk leads to better performance, continual improvement and increased customer satisfaction. Opportunities are considered the positive side of risk, which is why ISO 9001:2015 focuses on reducing risk and enlarging opportunities.
Determining Risk and Opportunities
Risks and opportunities need to be determined based on the context of the organisation, both internal and external, and the requirements of applicable interested parties. The external context involves the environment in which the organisation operates; it can be driven by legal, financial, regulatory, social and cultural factors. The internal context involves the organisation's internal environment and is driven by factors such as hierarchy, resource capabilities and organisational structures. Risks which may arise in either of these contexts need to be determined. The organisation then needs to determine the risks which may arise from the requirements of interested parties: it needs to understand the requirements of all its stakeholders and then determine the risks involved in meeting those requirements. Some examples of requirements of interested parties are: the customer requires low or zero-defect delivery; employees need job satisfaction or work-life balance; owners need financial performance. Each of these may lead to risks or opportunities. The organisation needs to understand them, and all risks and opportunities which may arise from the context or from the requirements of interested parties should be determined.
Conduct Risk Assessment and Address Risk and Opportunities
Once risks are identified, a risk assessment needs to be conducted on each identified risk, and appropriate actions identified to address it. This should result in actions to enlarge the opportunities and mitigate the risks. An organisation may define a risk methodology to handle risks. This can involve determining the risk magnitude based on its probability and impact. Risk tolerance criteria may be defined which give the acceptable limit of risk. Based on the tolerance criteria and the risk magnitude, you can decide on the level of intervention required to mitigate the risk. Adequate control measures should be identified to ensure the risk falls below the acceptable limit or tolerance criteria. Alternatively, techniques like FMEA may be used to address the risks. Adequate actions also need to be planned to address or enhance the opportunities.
Monitor and Review Risks and Opportunities
The risks and opportunities identified need to be monitored and tracked on a regular basis. The intent is to verify, after the control measures are implemented, whether the risk has fallen within the acceptable levels and whether the actions taken on opportunities are on track. This should be done at a fixed frequency or on events such as changes in staff, process or equipment.
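The assessment and monitoring steps above can be captured in a simple risk register. The following is an added illustration, not code from the original article or from the ISO standard: it assumes 1 to 5 scales for probability and impact, a magnitude of probability multiplied by impact, an assumed tolerance limit of 8, a three-band intervention rule, and constructed sample risks and review dates. The register records inherent magnitude, the residual magnitude expected after planned controls, whether the residual risk is within tolerance, and whether a review is due by fixed frequency or by trigger event.

```python
"""Risk register illustrating probability x impact scoring, tolerance criteria,
intervention levels and review scheduling. Added example; scales, tolerance
value, decision bands and sample entries are assumptions, not ISO requirements."""
from dataclasses import dataclass, field
from datetime import date, timedelta

RISK_TOLERANCE = 8   # assumed acceptable limit: magnitude <= 8 needs no further intervention
REVIEW_TRIGGERS = {"staff change", "process change", "equipment change"}  # from the article


@dataclass
class Risk:
    name: str
    context: str                 # "internal", "external" or "interested party"
    kind: str                    # "risk" or "opportunity"
    probability: int             # 1 (rare) .. 5 (almost certain), assumed scale
    impact: int                  # 1 (negligible) .. 5 (severe), assumed scale
    # planned control measures as (description, probability after, impact after)
    controls: list = field(default_factory=list)
    last_review: date = date(2024, 1, 15)   # constructed date
    review_interval_days: int = 90          # assumed fixed review frequency

    def __post_init__(self):
        for value in (self.probability, self.impact):
            if not 1 <= value <= 5:
                raise ValueError("probability and impact must be on the 1..5 scale")

    def inherent_magnitude(self) -> int:
        return self.probability * self.impact

    def residual_magnitude(self) -> int:
        # magnitude expected once the last planned control is in place
        if not self.controls:
            return self.inherent_magnitude()
        _, prob_after, impact_after = self.controls[-1]
        return prob_after * impact_after


def intervention_level(magnitude: int, tolerance: int = RISK_TOLERANCE) -> str:
    """Assumed three-band rule: accept within tolerance, mitigate up to twice it, else escalate."""
    if magnitude <= tolerance:
        return "accept"
    if magnitude <= 2 * tolerance:
        return "mitigate"
    return "escalate"


def planned_action(risk: Risk, tolerance: int = RISK_TOLERANCE) -> str:
    """Risks are judged on residual magnitude; opportunities are enhanced when large enough."""
    if risk.kind == "opportunity":
        return "enhance" if risk.inherent_magnitude() >= tolerance else "monitor"
    return intervention_level(risk.residual_magnitude(), tolerance)


def within_tolerance(risk: Risk, tolerance: int = RISK_TOLERANCE) -> bool:
    return risk.residual_magnitude() <= tolerance


def review_due(risk: Risk, today: date, events=()) -> bool:
    """Review at the fixed frequency, or immediately on a staff/process/equipment change."""
    if any(event in REVIEW_TRIGGERS for event in events):
        return True
    return today >= risk.last_review + timedelta(days=risk.review_interval_days)


def sample_register() -> list:
    # constructed sample entries, one per source of risk named in the article
    return [
        Risk("Late delivery from single-source supplier", "external", "risk", 4, 4,
             controls=[("Qualify a second supplier", 2, 4)]),
        Risk("Defects escaping final inspection", "interested party", "risk", 3, 5,
             controls=[("Add automated inspection step", 1, 5)]),
        Risk("Key operator leaves", "internal", "risk", 2, 3),
        Risk("Customer asks for new product variant", "external", "opportunity", 3, 4),
    ]


def register_report(risks: list, today: date, events=()) -> list:
    """One summary row per entry: what the monitoring review should look at."""
    return [
        {
            "name": r.name,
            "inherent": r.inherent_magnitude(),
            "residual": r.residual_magnitude(),
            "action": planned_action(r),
            "within_tolerance": within_tolerance(r),
            "review_due": review_due(r, today, events),
        }
        for r in risks
    ]


if __name__ == "__main__":
    for row in register_report(sample_register(), date(2024, 4, 20)):
        print(row)
```

Each row shows the inherent magnitude that drove the original intervention decision, the residual magnitude the planned control is expected to leave, and a flag saying whether that residual is within the tolerance criteria, which is exactly what the monitoring review needs to confirm once the control has actually been implemented.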
If your organisation still needs to find a Certification Body for its transition to ISO 9001:2015, have a look at the ISO Update Registrar Directory. There you will find a comprehensive list of Certification Bodies from all over the world.