Risk-based thinking is one of the major changes introduced in the updated ISO 9001:2015 Standard. While Risk based thinking was addressed in older versions of ISO 9001 implicitly under clause on ‘preventive action’, ISO 9001:2015 increases the focus and explicitly defines the requirement under the clause “Actions to address risk and opportunities”. Therefore, the focus in this new version of the standard is based upon capturing both the risks and opportunities and then, handling them in a structured manner.

ISO defines a risk as ‘effect of uncertainty on the expected result’. Effective management of risk is talked well in advance to ensure there are less surprises, improved planning, effective decision making and better relationships with stakeholders. Effective management of risk leads to better performance, continual improvement and increases customer satisfaction.  Opportunities are considered the positive side of risk which is why, ISO 9001:2015 focuses on reducing risk and enlarging opportunities.

Determining Risk and Opportunities

Risk and Opportunities need to be determined based on the Context of the Organisation, both internal and external and the requirements of applicable Interested Parties. External Context involves the environment in which the organization operate. These can be driven by legal, financial, regulatory, social and cultural factors. Internal Context, involves organization internal environment and is driven by factors such as hierarchy, resource capabilities, organizational structures. Risk which may arise in either of these contexts need to be determined.  Organization then need to determine risks which may arise due to requirements of Interested Parties. The organization need to understand requirements of all its stakeholders and then determine risks involved in achieving these requirements. Some examples of requirements of interested parties are: the customer requires low or zero-defect delivery, employees need for job satisfaction or work-life balance or financial performance. Each of these may lead to risks or opportunities. These need to be understood by the organization and all risks and opportunities which may arise due to context or requirements of interested parties should be determined.

Conduct Risk Assessment and Address Risk and Opportunities

Once risks are identified, a risk assessment will need to be conducted on the risk identified and appropriate actions identified to address these risks. This should result in actions to enlarge the opportunities and mitigate the risks. An organization may define a risk methodology to handle risks. This can involve determining the risk magnitude based on its probability and impact. Risk tolerance criteria may be defined which gives acceptable limit of risk. You can decide based on tolerance criteria and risk magnitude on the level of intervention required to mitigate the risk. Adequate control measures should be identified to ensure the risk falls below the acceptable limit or tolerance criteria.  Alternatively, techniques like FMEA may be used to address the risks. Adequate actions need to be planned to address or enhance the opportunities also.

Monitor and Review Risks and Opportunities

The risks and opportunities identified need to be monitored and tracked on a regular basis. The intent of this is to ensure that after the control measures are implemented, whether the risk falls under the acceptable levels or not and actions taken against opportunities are on track. This should be done on a fixed frequency or on event like changes in staff, process or equipment.

If your organisation still needs to find a Certification Body for its transition to ISO 9001:2015 have a look at the ISO Update Registrar Directory. Here you will find a comprehensive list of Certification Bodies from all over the world.

Quality Management is the process of monitoring the different activities and tasks involved in producing and delivering a product and/or service in order to maintain its desired quality. The objective of Quality Management is for an organization to develop a long-lasting relationship between the customer and the product or service it provides, and this can only be achieved when these continuously meet customer’s expectations.

To manage the quality of a product or service, organizations are required to establish a set of procedures to successfully oversee the different processes involved within the organization. These different procedures that are linked with each other and which are meant to conduct an organization towards a specific goal is what makes up the Quality Management System. This Quality Management System follows 7 basic principles, which are:

1. Customer focus
2. Leadership
3. Engagement of people
4. Process approach
5. Improvement
6. Evidence-based decision making
7. Relationship management

Each of these principles are important for the success of Quality Management within an organization. However, the fifth principle; Improvement; is the most crucial for the sustained success of an organization.

Quality cannot be maintained if improvement is not achieved. The business environment is continuously changing, and customers are increasingly demanding better products and services at lower costs. In order to adapt to these constant changes, organizations need to continuously improve, not only their products and services, but their processes. Thus Quality Improvement is a systematic and continuous process aimed at minimizing costs, increasing the quality of product and services, and meeting and exceeding customer satisfaction. While the Quality Management process assist organizations in achieving and maintaining quality, Quality Improvement drives an organization forward by helping it innovate, manage and create opportunities. It could be said that Quality Improvement is the most proactive part of Quality Management.

Some of the key benefits that an organization can achieved through Quality Improvement are:

• Greater adaptive capacity to meet changing customer’s expectations.
• Decrease of defects and waste, which increases efficiency and lowers costs.
• Prevents errors throughout the organization which improves the products and services delivered to customers.

Quality Management focuses on guaranteeing the ability to deliver quality products and services that meet customer’s expectations, and Quality Improvement focuses on increasing an organization’s capacity to meet its customer’s expectations. Quality Management and Quality Improvement have to be seen as counterparts, as they are both part of the same story, a story of long term success of organizations.

The new ISO 31000 Risk Management Standard was released in February. ISO 31000:2018 supersedes ISO 31000:2009. The risks organizations face have changed significantly the last 9 years. Risks such as terrorism and cyber-attacks were not as prevalent a decade ago.  To adapt to these new realities and to facilitate risk management, the standard Risk Management standard ISO 31000 has been revised, and the latest version has just been released.

Simple is the best way to describe the new ISO 31000:2018 standard. It is clear and concise while giving enough detail to be applicable to organization anywhere in the world and applied to different processes from finance to production. It has been presented with a simple language where risk management fundamentals can be understood by everyone. To make the standard accessible and easy to understand, its terminology has been revised and certain terms used in risk management have been moved to ISO Guide 73, Risk Management – Vocabulary.

In addition to the changes aimed at making the standard easier to read and apply, there have also been changes regarding the principles of risk management. In ISO 31000:2018 these principles are designed in order for risk management to provide Value Creation and Protection to every organization. These principles make risk management:

• Integrated
• Structured and comprehensive
• Customized
• Inclusive
• Dynamic
• Based on best available information
• Aware of human and cultural factors
• Focused on continual improvement

These principles and the standard’s new definition of risk as the “effect of uncertainty on objectives” will drive organizations to look at the internal and external uncertainties that could jeopardize the accomplishments of their objectives. In this way, risk management is tailored to the needs and objectives of each organization. The integrated and inclusive principles help organizations develop a system which brings risk management to the center of decision making and which supports all activities across the organization.

ISO 31000:2018 recognizes risk as ever changing, therefore the system must be flexible and dynamic to adapt to the changing uncertainties, while always focusing on the continual improvement of processes.

Overall, the new ISO 31000:2018 standard presents guidelines for effective and efficient risk management in a simple manner. These guidelines will help organizations understand and address the different uncertainties which will inevitably appear in their path to achieving their objectives.

This column will cover the background and importance of Auditing Multiple and Integrated Management Systems, the advantages and disadvantages organizations accrue when integrating and when auditing their systems. And adjusting their auditing programs to fit the new reality of multiple and integrated management systems (intMS) increasingly prevalent today.

The adoption of formal Management Systems has risen dramatically the past few decades, and an increasing number of organizations have implemented multiple management systems. Organizations are increasingly recognizing the advantages and efficiencies that accrue by their integration, whether it be full, or partial integration.

Integration was more difficult prior to the harmonization of the ISO Standards – now guided by ISO’s Annex SL – the high-level structure that provides identical structure, text, and common terms and definitions for management system standards of the future. This will ensure consistency among future and revised management system standards and make their integration, and integrated use simpler. This is highlighted in the recent adoption of ISO 9001 and ISO 14001: 2015, and ISO 45001, ISO’s Occupational Health and Safety Management System Standard, and ISO’s newest.

With the addition of each management system, auditing resources necessary to ensure their effectiveness could, without integration and streamlining efforts, roughly double. Those organizations with a QMS, EMS, and HSMS could triple the auditing resources – including time, utilized over that of a single system.

For the commonly used 2-3 auditors per system, 6-9 auditors may be necessary for those with a QMS, EMS, and HSMS. For those using 3 or more audit team members, imagine the audit army this creates, let alone the time necessary to audit separate systems, and the disruption to the organization.

Considering all the other financial, customer, supply chain, and other audits organizations are subjected, and you can understand why many organizations are ‘audit weary’!

Integrated Audits

Professionals who have conducted integrated audits recognize how much more efficient they can be. The process under review, along with all its controls; environmental, health, safety, and quality; has to be evaluated only once.

There is less duplication of effort during the planning, execution, and even follow-up phases of the audit. Other efficiencies, often unforeseen, are uncovered or revealed once an organization begins an integrated management system pathway, and is yet another advantage to integrated auditing.

Typically, management systems integration allows the organization to minimize duplication and redundancy of effort, streamline or leverage the use of its limited resources, and reduce or eliminate overlapping responsibilities. This is true of integrated systems in general and is especially true regarding the audit function. minimizing duplication and redundancy of efforts translates to significant cost savings, productivity increases, risk reductions, and enhanced effectiveness and efficiency that the intMS are designed to achieve.

When it comes to intMS registration, Registrars should confer savings when auditing and certifying intMS through the same efficiencies and streamlining efforts organizations achieve internally.

Disadvantages of Integrated Audits

While there are many advantages to implementing and auditing intMS, it is important to recognize that there are disadvantages as well.

If an organization is seeking third-party registration to one or more standards, a non-conformance against a requirement of one standard may carry over to another standard. In the worst case scenario, if the non-conformance is major, all registrations could be at risk unless effective corrective action is taken.

Another disadvantage is the learning curve and attendant training that will likely be an adjustment for staff members, many of whom will not be familiar with the requirements of all the management systems involved in the IntMS.

For example, Quality staff may be intimately familiar with ISO 9001 requirements, while needing extensive and perhaps costly training on ISO 14001. The same will be true of OHSMS staff, and vice-versa for each staff function.

—

In the next installment of this column, we will dive into the mechanics and logistics of intMS auditing, as well as provide tips and techniques to help improve intMS audit team effectiveness and efficiency.

About John Grosskopf: Since a Dr. Deming led quality and environmental paradigm shift at General Dynamics in the late 80’s, John has been a strong management systems (MS) advocate. He has pioneered advances in auditing, integrating MS, a chief contributor to two national MS Standards, and has led the development, implementation, and improvement of hundreds of MS in the public and private sectors. He is an accredited EMS, HSMS, and QMS auditor (accreditations pending), a published author, instructor/trainer, and has presented widely on MSs. Through his firm, DeepGreen Consulting, he is currently assisting clients to improve their triple bottom line through a combination of MS, best practices, collaboration, and leadership

Reference: Auditing Integrated Management Systems: Considerations and Practice Tips, November 2008, Journal of Environmental Quality Management, John Grosskopf, with co-author Jennifer Kraus.