Although risk has long been mentioned in various ISO standards, newer versions of various standards are mentioning risk much more prominently. The latest versions of the ISO 9001 and ISO 14001 standards require that organizations use risk based thinking when managing numerous processes through performance evaluation, operations and planning.
When we look at what ISO means when talking about risk-based thinking, it’s clear that although risk-based thinking isn’t strictly speaking risk management, it can be incorporated into processes by using automated risk management tools.
Definition of Risk-Based Thinking
In the 2015 version of ISO 9001, the concept of risk-based thinking is used instead of what was known as preventive action in previous versions of the standard. While preventive action was a clause on its own in previous versions, risk is now incorporated throughout the standard. Risk-based thinking now means that companies have to perform a risk evaluation when controls, processes and improvements are established in a QMS.
One important point to understand is that risk based thinking is not confined to negative outcomes. Risk based thinking should also be used by organizations to identify opportunities. These represent the positive side of risk.
In the 2015 versions of the standards, risk is mentioned in the following areas:
- Context of the Organization: When the context of an organization is established, the standard requires that risks be identified that could potentially have an impact on the quality objectives. Organizations should also determine the risk of manufacturing products or delivering services that don’t conform to the requirements. This will vary greatly subject to the type of service delivered, or products manufactured.
- Leadership: An organization’s top management must be committed to identifying and managing opportunities and risks that could affect the quality of products and services.
- Planning: In the planning clause of the standard, it is specified that opportunities and risks should not only be identified, but that detailed plans need to be created to manage and exploit them.
- Operations: The standard also requires that actions that were listed during the planning process should be implemented and controlled.
- Performance evaluation: During this stage, the opportunities and risks identified should be tracked and analyzed.
- Improvement: When any change in risk is identified, an organization must make improvements.
The new ISO standards have an upper level structure that is based on the PDCA (Plan-Do-Check-Act) cycle that should always be used to improve processes. This corresponds with risk management approaches that have been proven over time.
Comparing Risk Management to Risk-Based Thinking
As risk-based thinking is very similar to risk management, wouldn’t it make sense to simply call it risk management? A deeper comparison actually reveals that risk-based thinking is simply a diluted form of risk management.
Some examples of this are that the ISO standards don’t require any formal risk assessments, nor do they require that a Risk Register be maintained. The ISO requirements for risk-based thinking merely require that decision making incorporate risk, and do not specify how this should be done.
One can only presume that ISO is trying to keep the standards flexible and will therefore allow organizations across different industries to satisfy the requirements by using different approaches. Some feel that it would be too big a change to make risk management a requirement for ISO certification.
Irrespective of the reasons, organizations must incorporate risk based thinking into their QMS. Fortunately, there are a number of technical tools available that will provide great help in this regard.
Technical Tools That Will Help with Mitigating Risk
When using risk based thinking when managing your quality management processes, it is critical to make this an integral part of your processes, rather than viewing it as separate activities.
This means that the risk tools should be part of your quality management system, not a separate solution built on manual processes that are time consuming and often difficult to manage. QMS software geared to facilitate risk-based thinking should include the following key capabilities:
- Risk Register: Individual risk and hazard items should be recorded and monitored in a central location. Although a Risk Register is not required by the ISO standards as such, consistently using one will enable you to meet several of the requirements easily.
- Risk tools: Risk assessment programs, including a decision tree or risk matrix should be available within any quality management system software. These should include audits, deviations and regulatory compliance management.
- Effectiveness checks: Having a final verification step that is used for processes such as corrective actions will help satisfy improvement and performance evaluation requirements.
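To make the three capabilities above concrete, here is a small Python illustration of a central risk register backed by a 5x5 likelihood/impact matrix, with planned actions, periodic reassessment and a final effectiveness check. It is an added example, not Effivity's code and not a format prescribed by ISO 9001; the scale labels, score bands, field names and the sample risk entries are all assumptions constructed for the illustration.

```python
"""Minimal risk register with a 5x5 likelihood/impact matrix and effectiveness checks.

Added illustration only; not Effivity's code and not an ISO-mandated format.
The scales, score bands, field names and sample entries are assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Ordinal scales of an assumed 5x5 risk matrix (ISO 9001 does not prescribe one).
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}


def risk_score(likelihood: str, impact: str) -> int:
    """Matrix cell value: likelihood x impact, in the range 1..25."""
    return LIKELIHOOD[likelihood] * IMPACT[impact]


def risk_level(score: int) -> str:
    """Band a matrix score into an action level (thresholds are an assumption)."""
    if score >= 15:
        return "critical"
    if score >= 8:
        return "high"
    if score >= 4:
        return "medium"
    return "low"


@dataclass
class RiskItem:
    risk_id: str
    description: str
    area: str                  # ISO 9001 area it relates to, e.g. "Operations"
    likelihood: str
    impact: str
    kind: str = "threat"       # "threat" or "opportunity" (the positive side of risk)
    actions: list = field(default_factory=list)
    effectiveness_verified: bool = False
    history: list = field(default_factory=list)   # audit trail of every change

    @property
    def score(self) -> int:
        return risk_score(self.likelihood, self.impact)

    @property
    def level(self) -> str:
        return risk_level(self.score)


class RiskRegister:
    """Central location where risks and opportunities are recorded and tracked."""

    def __init__(self) -> None:
        self.items: dict[str, RiskItem] = {}

    def add(self, item: RiskItem) -> None:
        if item.risk_id in self.items:
            raise ValueError(f"duplicate risk id {item.risk_id}")
        item.history.append(("registered", item.level))
        self.items[item.risk_id] = item

    def plan_action(self, risk_id: str, action: str) -> None:
        """Planning: each identified risk or opportunity gets a concrete action."""
        self.items[risk_id].actions.append(action)
        self.items[risk_id].history.append(("action planned", action))

    def reassess(self, risk_id: str, likelihood: str, impact: str) -> tuple[str, str]:
        """Performance evaluation: re-score and record the old and new level."""
        item = self.items[risk_id]
        old = item.level
        item.likelihood, item.impact = likelihood, impact
        item.history.append(("reassessed", f"{old}->{item.level}"))
        if item.level != old:
            # A change in level invalidates any earlier effectiveness check.
            item.effectiveness_verified = False
        return old, item.level

    def verify_effectiveness(self, risk_id: str, passed: bool) -> None:
        """Final verification step; only meaningful once actions exist."""
        item = self.items[risk_id]
        if not item.actions:
            raise ValueError(f"{risk_id}: no actions to verify")
        item.effectiveness_verified = passed
        item.history.append(("effectiveness check", "passed" if passed else "failed"))

    def open_items(self) -> list[str]:
        """Items without a passed effectiveness check, highest score first."""
        pending = [it for it in self.items.values() if not it.effectiveness_verified]
        return [it.risk_id for it in sorted(pending, key=lambda it: it.score, reverse=True)]

    def changed_since_registration(self) -> list[str]:
        """Improvement: items whose level differs from the one first registered."""
        return [rid for rid, it in self.items.items() if it.history[0][1] != it.level]


def build_sample_register() -> RiskRegister:
    """Constructed sample data: two threats and one opportunity (not real records)."""
    reg = RiskRegister()
    reg.add(RiskItem("R-001", "Supplier delivers nonconforming raw material",
                     "Context of the Organization", "likely", "major"))
    reg.add(RiskItem("R-002", "Calibration records missing at audit",
                     "Operations", "possible", "moderate"))
    reg.add(RiskItem("O-001", "Automate inspection reporting",
                     "Planning", "possible", "major", kind="opportunity"))
    reg.plan_action("R-001", "Add incoming inspection step")
    reg.reassess("R-001", "unlikely", "moderate")   # critical (16) -> medium (6)
    reg.verify_effectiveness("R-001", passed=True)
    reg.plan_action("R-002", "Schedule calibration reminders")
    return reg
```

The register keeps a per-item history so an auditor can see when a score changed and whether the effectiveness check was passed, and a level change automatically reopens the item, which is the link between the performance evaluation and improvement areas of the standard.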
One very important way in which technology can be used to reduce risks is by using automation. An automated risk management process will ensure that nothing is accidentally missed or skipped, and will provide documentation that can be used to identify problems if anything goes wrong.
ISO 9001 quality management systems (QMS) are implemented using Effivity software in Karachi (Pakistan), while ISO 14001 & OHSAS 18001 Health Safety Management Systems (HSE) are implemented with Effivity in Guangzhou (China).