Risk Management, Risk Based Thinking, Risks and Opportunities – Why the ISO took the leap with the most controversial aspect of the revisions that became ISO 9001:2015.

When the early drafts of what would eventually become ISO 9001:2015 became readily available in mid-2014 it was painfully apparent that most controversial and difficult “new idea” that was to be included in the new standard was the concept of Risk. The early work on this actually goes back to 2012 and the development of the Annex SL framework that eventually became the basis for almost all of the currently published ISO standards.

As specified in Annex SL – risk is actually treated as one half of a two part assessment. The official section in ISO 9001:2015 is titled “Actions to address risks and opportunities.” Recognizing this two part nature of the concept is key to understanding the intent of the framers when they wrote “risk” into the standard in the first place. Namely, an organization should be vigilant not just for opportunities to “prevent undesired effects” but also for opportunities to “enhance desired effects.”

Furthermore, it was never the intent of the framers that every ISO 9001:2015 certified organization would suddenly have to implement a formal risk management program. Indeed, they took great pains to specifically point out that a risk management program was not mandatory in ISO 9001:2015 Annex A.4.

So – just what IS required to meet this requirement? To begin, an organization must first have a firm grasp on the concept of risk and be prepared to explain the approach that has been taken in meeting the requirement. It is acknowledged that the approach taken can (and should) vary depending on the organization’s character, management team preference, and scope of activity. The only firmly auditable record requirement pertaining to risk from ISO 9001:2015 is clause 9.3.2e, which requires that “the effectiveness of actions taken to address risks and opportunities” be included among the items discussed within the management review meeting.

Beyond management review, all other documentation that an organization chooses to maintain pertaining to risk is voluntary and should be structured in such a way to serve the organization and help it meet the risk/opportunity requirement in an effective way. The myriad of methodologies that can be deployed include the automotive FMEA, which seeks to identify potential weaknesses within the production process with targeted improvement efforts to prevent such issues from occurring. The SWOT method is also popular, giving organizations a structure for analyzing risks and opportunities side by side. Even a basic risk management checklist used during an organization’s contractual and/or production planning phase can be helpful.

The intent of ISO 9001:2015 is that (regardless of methodology) the risk/opportunity assessment leads to “integration and implementation (of) actions into (the) quality management system processes.” In other words, that the lessons your analysis uncovered show up the actual day to day processes and don’t just exist in the minutes of your management review meeting.

When properly implemented, risk analysis and risk based thinking can help an organization operate efficiently and effectively. These efforts should be viewed in much the same way as the Continual Improvement ideology that was new in ISO 9001:2000. Namely, that risk efforts are internal to an organization’s quality management system, not supplemental.