One of the biggest changes in the ISO 9001:2015 revision is the requirement to implement risk-based thinking. This "new" requirement may already be in place within your organization; in many cases it is simply a codification of what is already being done.
ISO 9001:2015 requires a systematic, proactive approach to risk-based thinking. In the previous version, ISO 9001:2008, risk was addressed solely in clause 8.5.3, Preventive Action. By moving the requirement from a single clause to a wider, system-based approach, the 2015 revision drives risk-based thinking into the Plan stage of the Plan-Do-Check-Act cycle, encompassing the entire management system rather than the more narrowly applied prevention of defects, and encourages the organization to consider risk proactively across the whole enterprise.
Risk-based thinking is closely tied to opportunity; risk and opportunity are paired terms in ISO 9001:2015. Risk typically carries a negative connotation, while opportunity is its positive counterpart. By considering risks and opportunities together, an organization makes a knowledge-based determination of where to set its objectives and priorities. For example, an organization that wishes to release a new product or service is considering moving up the release date. It takes several factors into account, potentially including:
- the product or service may not be ready
- the product or service may not be fully functional in time, or may ship with many design "bugs"
- employees will have to work overtime
- additional costs to bring collateral (marketing materials, etc.) forward to meet the new deadline
- we will beat the competition to market
- we can capture a larger market share
- our Board of Directors will be happy
ISO 9001:2015 defines risk as the effect of uncertainty on an expected result.
1. An effect is a deviation from the expected, whether positive or negative.
2. Risk is about what could happen and what the effect of that happening might be.
3. Risk also considers how likely it is to happen.
ISO 9001:2015 builds risk-based thinking into the standard in the following way:
- In Clause 4 (Context), the organization is required to determine the risks that could affect it.
- In Clause 5 (Leadership), top management are required to commit to ensuring Clause 4 is followed.
- In Clause 6 (Planning), the organization is required to take action to identify risks and opportunities.
- In Clause 8 (Operation), the organization is required to implement processes to address risks and opportunities.
- In Clause 9 (Performance evaluation), the organization is required to monitor, measure, analyse and evaluate the risks and opportunities.
- In Clause 10 (Improvement), the organization is required to improve by responding to changes in risk.
Source: ISO document N1222, July 2014
What are the steps to implement risk-based thinking?
- Identify risks and opportunities, based on the context of the organization
- Analyze risks and opportunities
- Prioritize risks and opportunities
- Design plans to minimize or mitigate risks, and capitalize on opportunities
- Implement the plan(s)
- Check effectiveness: did it work?
- Make improvements and repeat as necessary