ISO 9001:2015 Risk-Based Thinking
ISO 9001:2015 was published in September 2015. It replaced ISO 9001:2008 and refreshed what is widely regarded as the gold standard for quality management systems.
ISO 9001 is a standard that sets out the requirements for a quality management system (QMS). It helps businesses and organizations become more efficient and improve customer satisfaction, and it is considered the gold standard for evaluating a quality management system. Originally published by the International Organization for Standardization (ISO) in 1987, it was built on the 1979 version of the British Standards Institution's (BSI) BS 5750 series of standards. The rationale for its existence can be traced back a further twenty years, to the publication of the United States Department of Defense MIL-Q-9858 standard in 1959.
ISO standards are reviewed every five years and revised if needed. This review helps ensure they remain useful tools for the marketplace. The challenges faced by business and organizations are continually changing. The scheduled revisions of the standard take these changes into account. As such, all ISO standards are living documents that are adapted to new environments as they occur.
One of the most significant differences between the 2008 and 2015 revisions of ISO 9001 is the approach to anticipating problems that may be encountered in the future. ISO 9001:2008 focused on preventive actions that would avoid situations requiring corrective action. ISO 9001:2015 changes the means of addressing problems before they occur, shifting from a separate focus on preventive action to the use of risk-based thinking to identify potential problems.
The purpose of this article is to explain, simply, the components of risk-based thinking and how they apply to ISO 9001. It also addresses the fear that risk-based thinking replaces the process approach and the apprehension that preventive action has been removed from ISO 9001. Most importantly, it will help you understand the shift in quality management philosophy, enabling you to transition smoothly from ISO 9001:2008 to ISO 9001:2015.
What is risk-based thinking?
One of the key changes in the 2015 revision of ISO 9001 concerns the concept of continual improvement. ISO 9001:2008's approach relied on prior experience to "prevent" undesirable things from happening. This is a reactive approach to improvement: it uses lessons learned, through personal experience or the experience of others, to establish policies and procedures that prevent the same mistakes in future.
By contrast, ISO 9001:2015 takes a proactive approach to continual improvement through risk-based thinking: attempting to identify and address what "could" go wrong rather than what "did" go wrong. This shift in philosophy is no less focused on prevention than its predecessor. In reality it is more preventive, because it widens the sphere of influence considered when establishing quality programs focused on prevention.
When using risk-based thinking, risk becomes an integral consideration. Prevention becomes proactive rather than reactive: undesired effects are prevented or reduced through early identification and action. When a system is risk-based, preventive action is built into every aspect of quality management.
As in life, risk is inherent in every aspect of a quality management system. It exists in every system, process and function. Risk-based thinking simply identifies, considers and controls risks throughout the design and implementation of the quality management system. ISO 9001:2015 requires this everyday activity to be incorporated consciously into the design and implementation of the QMS.
In previous editions of ISO 9001, preventive action was a separate clause: Clause 8.5.3 of ISO 9001:2008 specifically addressed it. Risk-based thinking has always been an implicit part of ISO 9001; the 2015 revision makes it an overt part of the entire management system. ISO 9001:2015 requires risk-based thinking from the beginning and throughout the system, making preventive action inherent to planning, operation, analysis and evaluation activities.
Risk-based thinking is already part of the process approach.
Risk-based thinking considers both the current situation and the possibilities for change. ISO 9001:2015 often cites risks and opportunities together. Opportunity is not necessarily the positive side of risk. An opportunity is a situation that presents the opening to do something. Taking or not taking an opportunity then presents different levels of risk.
Risk-based thinking is used even before the decision to implement ISO 9001:2015 is made. It is part of the calculus used in determining if an organization wants to implement the Standard. What are the positive outcomes of implementing ISO 9001:2015? What are the negative implications of implementing the Standard? Conversely, the risks associated with NOT implementing the Standard must be considered. What are the positive outcomes of NOT implementing ISO 9001:2015? What are the negative implications of NOT implementing the Standard?
As you can see, the risk-based thinking associated with implementing ISO 9001:2015 begins with evaluating the risk of implementing the Standard itself. What appears to be a simple question, whether or not to implement ISO 9001:2015, becomes the first risk-based thinking problem, with at least four questions to consider. The collective weight of the answers will drive the development of your QMS.
Every decision in life has consequences, some positive, some negative. The consequences may all be negative, each with a differing level of undesirability. Conversely, a decision may generate only positive results, each with a varying level of success.
Risk is commonly understood to have only negative consequences, but risk-based thinking is a two-way street: the effect of uncertainty can be negative or positive, and risk should be viewed in that light.
ISO 9001:2015 recognizes that not all the processes of a quality management system represent the same level of risk in terms of the organization's ability to meet its objectives. Some need more careful and formal planning and controls than others. Clause 6.1.2 requires that "Actions taken to address risks and opportunities shall be proportionate to the potential impact on the conformity of products and services." This allows the organization to match the scale of its response to the level of risk.
Where is risk addressed in ISO 9001:2015?
The concept of risk and risk-based thinking runs throughout ISO 9001:2015. Unlike its predecessor, which addressed the concept only implicitly through requirements for planning, review and improvement, ISO 9001:2015 uses the term risk explicitly throughout the Standard.
The Introduction to ISO 9001:2015 and Annex A both discuss risk-based thinking as an integral part of the process approach, and both note that the concept has been implicit in previous editions of the Standard.
Introduction – the concept of risk-based thinking is explained
This International Standard employs the process approach, which incorporates the Plan-Do-Check-Act (PDCA) cycle and risk-based thinking.
Risk-based thinking enables an organization to determine the factors that could cause its processes and its quality management system to deviate from the planned results, to put in place preventive controls to minimize negative effects and to make maximum use of opportunities as they arise.
Management of the processes and the system as a whole can be achieved using the PDCA cycle with an overall focus on risk-based thinking aimed at taking advantage of opportunities and preventing undesirable results.
0.3.3 Risk-based thinking
Risk-based thinking is essential for achieving an effective quality management system.
The concept of risk-based thinking has been implicit in previous editions of this International Standard including, for example, carrying out preventive action to eliminate potential nonconformities, analyzing any nonconformities that do occur, and taking action to prevent recurrence that is appropriate for the effects of the nonconformity.
0.4 Relationship with other management system standards
This International Standard enables an organization to use the process approach, coupled with the PDCA cycle and risk-based thinking, to align or integrate its quality management system with the requirements of other management system standards.
The following are excerpts of clauses within ISO 9001:2015 that specifically address the incorporation of risk-based thinking into the QMS.
4.4.1.f. The organization shall…: address the risks and opportunities as determined in accordance with the requirements of 6.1;
5.1.1.d Top management shall demonstrate leadership … by: Promoting the use of the process approach and risk-based thinking;
5.1.2.b Top management shall … ensuring that: The risks and opportunities that can affect conformity of products and services and the ability to enhance customer satisfaction are determined and addressed;
6.1.1 When planning for the quality management system, the organization shall … determine the risks and opportunities that need to be addressed to: …
6.1.2.a The organization shall plan: a)[take] actions to address these risks and opportunities; … Actions taken to address risks and opportunities shall be proportionate to the potential impact on the conformity of products and services.
7.1.1 The organization shall determine and provide the resources needed for the … continual improvement of the quality management system. (Risk is implicit wherever continual improvement is mentioned.)
8.1 The organization shall plan, implement and control the processes … (Risk is implicit wherever planning and control are mentioned.)
9.1.3.e The organization shall analyze and evaluate appropriate data …. The results of analysis shall be used to evaluate: … the effectiveness of actions taken to address risks and opportunities;…
10.2.1.e When a nonconformity occurs … the organization shall: … update risks and opportunities determined during planning, if necessary;
Why use risk-based thinking?
By considering risk throughout the system and all of its processes, the likelihood of achieving stated objectives is improved, output is more consistent and customers can be confident that they will receive the expected product or service. Risk-based thinking:
- improves governance
- establishes a proactive culture of improvement
- assists with statutory and regulatory compliance
- assures consistency of quality of products and services
- improves customer confidence and satisfaction
Successful companies intuitively incorporate risk-based thinking.
How do I do it?
Risk-based thinking is not a simple yes-or-no proposition. Everything has consequences, sometimes several. Every organization has its own acceptable level of risk; one size does not fit all. However, the risk/reward concept applies to all organizations regardless of size.
The thought process for risk-based thinking can be equated to the root cause analysis used in evaluating corrective actions. The first cause identified for a nonconformity is seldom its true root cause. Similarly, deeper reflection is required to identify all of the risks, and opportunities, associated with an action.
- Identify the risks and place them in context
Let's use the decision to implement ISO 9001:2015 as our example. There are risks associated with choosing to implement the Standard and with choosing not to. The level of risk and its impact on the organization will depend on the context.
The benefits of an ISO 9001 based quality management system are not in dispute, but the value to a particular organization will vary with a number of variables: the size of the organization, its customer base, customer requirements and the scope of its operations all affect its need for ISO 9001 certification. So let's evaluate the risk of implementing ISO 9001:2015 for the following scenarios:
- Large company currently certified to ISO 9001:2008.
- Large company, not certified to ISO 9001 standard
- Small company currently certified to ISO 9001:2008.
- Small company, not certified to ISO 9001 standard
Each company has its own motivation for acquiring or maintaining ISO 9001 certification, and each has to weigh the risks against the benefits or value of moving forward. The level of benefit desired also enters the equation. A current customer base that places no value on ISO 9001 certification does not diminish its value as a management tool, but it may influence management's decision whether to acquire full certification through a recognized certification body or simply to monitor the organization's conformity through internal audits, forgoing formal certification.
- Understand your risks
Establishing acceptability parameters is the next step in risk-based thinking. Once you have identified the risks you must determine which outcomes are acceptable and which are unacceptable. What advantages or disadvantages does one course of action have over another? In our example the goal, and the outcomes that would be unacceptable, are:
- Establish or maintain ISO 9001 certification
- Loss of clients
- Decrease of net revenue
In evaluating the goal one must balance it against the likelihood of losing clients and of a decrease in revenue. Is it more important to retain current clients or to avoid losing net revenue?
Not having ISO 9001 certification may be acceptable to current clients because they do not require it. Alternatively, losing some clients for lack of ISO 9001 certification may be acceptable if the remaining clients will tolerate an increase in fees (which leads to another risk that must be evaluated).
Additionally, the risks of obtaining ISO 9001 certification must be evaluated against the same unacceptable outcomes. The risk analysis questions are the same: is it more important that the organization retains its current clients or that it does not lose net revenue? What is an acceptable balance of unacceptable outcomes?
A combination of the "five whys" approach to root cause analysis and the conditional "if/then" statement used to test a hypothesis can be applied to risk analysis. The five whys let the organization look past surface issues to the long-term ramifications of a risk.
Example: If we do A, then B happens (the first why). Is B acceptable or unacceptable (the second why)? If B is acceptable, then C(a) follows; if B is unacceptable, then C(u) follows (the third why), and so on until the chain reaches its logical conclusion.
Arranging the conditional statements as a decision tree lets the organization evaluate a decision from both perspectives. All decisions have multiple consequences. Some decisions produce a mix of positive and negative consequences, which simplifies the selection process. Others offer only undesirable outcomes; in that case the organization must choose the lesser of two evils. The ramifications of both must be taken into account and followed to their logical conclusion.
In some instances, an option whose immediate outcome is unacceptable may, once the chain has been followed to its end, turn out to be the better long-term way of mitigating the risk.
To conform to the requirements of this International Standard, an organization needs to plan and implement actions to address risks as well as opportunities. The inability to recognize and act on an opportunity to improve the organization is a risk in and of itself. Addressing both establishes a foundation for increasing the impact of the quality management system, achieving positive results and preventing negative effects.
Opportunities can arise as a result of a situation favorable to achieving an intended result. Actions to address opportunities can also include consideration of associated risks. Risk is the effect of uncertainty and any such uncertainty can have positive or negative effects. A positive deviation arising from a risk can provide an opportunity, but not all positive effects of risk result in opportunities.
In our example, the impact on the client base is the outcome under consideration. An unacceptable outcome is the loss of clients. However, implementing ISO 9001:2015 will increase operating costs, leading to a decrease in net revenue, which is also unacceptable. The organization must balance the acceptable and unacceptable risks associated with choosing to, or not to, implement ISO 9001:2015.
Can the loss of clients associated with the loss of ISO 9001 certification be offset by an influx of new clients that do not require certification? Can acquiring ISO 9001 certification, or upgrading to the 2015 Standard, generate new business to offset the added expense of implementing and maintaining the Standard? Will clients tolerate an increase in fees to offset the increase in operating costs? These are all questions and risks that must be addressed because they flow down from the simple decision to acquire, or transition to, ISO 9001:2015.
The implementation of ISO 9001:2015 in this context may be viewed as an opportunity for improvement rather than a risk. Risks tend to dwell on the negative impact of a change, while an opportunity for improvement looks at the change in a positive light.
Looking at the scenario as an opportunity for improvement, we see the following benefits:
- Compliance with the most recent version of the international Standard
- Acquire new clients
- A chance to become more efficient as an organization
- Increase net revenues through increased client base and increased operational efficiency
- Risk mitigation
"How can I avoid or eliminate the risk?" is a common question. The simple answer is, "you don't". Actions have consequences; Newton's Third Law is relevant here: for every action there is an equal and opposite reaction. Every decision has consequences. Not making a decision to address a risk is itself a decision and will have consequences. The best one can hope for is to mitigate the risk to an acceptable level.
Not all choices have an acceptable resolution. In some situations the organization must choose between two unacceptable outcomes, taking the better of two bad choices. The organization must then determine how to mitigate, or minimize, the impact of its chosen approach to the risk.
The organization has chosen to implement ISO 9001:2015, which leads to the acceptable result of retaining the current clients who require ISO certification. However, an unacceptable result of this decision is a necessary increase in fees, which may in turn lead to the unacceptable result of lost business.
A number of mitigation strategies may apply here. The organization could restructure its operations to reduce costs and eliminate the need to increase fees. Or it could educate customers about the benefits they receive from the implementation of ISO 9001:2015, thereby justifying the fee increase.
Choosing to do neither is itself a risk that requires action. Not restructuring to reduce operating costs, while not increasing fees, will decrease net revenue, which has been deemed unacceptable. Alternatively, not communicating the added value that ISO 9001:2015 certification provides to the customer may result in the loss of that customer because of fees, which is equally unacceptable. Inaction is action.
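The if/then chain and five-whys walk described above, and the mitigation walk-through for the fee-increase example, can be made mechanical. The following is an added example, not code from the article or from ISO 9001:2015: a small decision-tree evaluator in Python. The class names (Decision, Option, Outcome, Appraisal), the functions (evaluate, unacceptable_outcomes, certification_decision) and every label, probability and impact score in the constructed tree are assumptions made for illustration; the Standard prescribes no scoring method. The example goes one step beyond the text by attaching an assumed probability to each outcome, so that options can be compared by expected impact as well as by worst case, and it lists "do nothing" as an explicit option because, as the article says, inaction is action.

```python
"""Decision-tree appraisal of a risk: the article's if/then chain and five-whys
walk, made mechanical. A Decision offers Options; each Option leads to Outcomes
carrying an assumed probability and an impact score (negative = undesirable,
positive = opportunity, 0 = neutral). An Outcome may force a follow-on Decision,
which is how "why number three" and the choice of mitigation are represented.
An option's value is the probability-weighted impact of its outcomes, recursed
through any follow-on decision; at each decision the option with the highest
value is taken, which may be only the lesser of two evils.
All labels, probabilities and scores are constructed for illustration and are
not taken from the article or from ISO 9001:2015.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Outcome:
    label: str
    probability: float
    impact: float                       # negative = undesirable, positive = opportunity
    then: Optional["Decision"] = None   # follow-on decision this outcome forces, if any


@dataclass
class Option:
    label: str
    outcomes: List[Outcome]


@dataclass
class Decision:
    label: str
    options: List[Option]


@dataclass
class Appraisal:
    expected: float    # probability-weighted impact of the recommended option
    worst: float       # worst single chain of outcomes under that option
    path: List[str]    # option chosen at this decision and at each forced follow-on


def _check(option: Option) -> None:
    """The outcomes of one option must be exhaustive: probabilities sum to 1."""
    total = sum(o.probability for o in option.outcomes)
    if abs(total - 1.0) > 1e-9:
        raise ValueError(f"{option.label!r}: probabilities sum to {total}, not 1")


def evaluate(decision: Decision) -> Appraisal:
    """Pick the option with the best expected impact, following every chain to its end."""
    if not decision.options:
        raise ValueError(f"{decision.label!r} has no options; list inaction as one")
    best: Optional[Appraisal] = None
    for option in decision.options:
        _check(option)
        expected, worst, tail = 0.0, float("inf"), []
        for out in option.outcomes:
            # A forced follow-on decision is appraised recursively; its recommended
            # option's expected and worst values are added to this outcome's impact.
            sub = evaluate(out.then) if out.then else Appraisal(0.0, 0.0, [])
            expected += out.probability * (out.impact + sub.expected)
            worst = min(worst, out.impact + sub.worst)
            tail += sub.path
        if best is None or expected > best.expected:
            best = Appraisal(expected, worst, [option.label] + tail)
    return best


def unacceptable_outcomes(decision: Decision, floor: float) -> List[str]:
    """Acceptability parameters: every outcome anywhere in the tree at or below floor."""
    found = []
    for option in decision.options:
        for out in option.outcomes:
            if out.impact <= floor:
                found.append(out.label)
            if out.then:
                found += unacceptable_outcomes(out.then, floor)
    return found


def certification_decision() -> Decision:
    """Constructed tree for the implement / do-not-implement question (assumed figures)."""
    handle_cost = Decision("How to absorb the added operating cost", [
        Option("Restructure to cut costs, no fee increase", [
            Outcome("savings cover the cost, clients retained", 0.7, 2.0),
            Outcome("savings fall short, small fee increase", 0.3, -1.0),
        ]),
        Option("Explain the customer benefit, raise fees", [
            Outcome("clients accept the higher fees", 0.6, 1.0),
            Outcome("some clients leave despite the explanation", 0.4, -4.0),
        ]),
        Option("Do nothing: raise fees without explanation", [
            Outcome("clients leave over an unexplained fee increase", 0.6, -6.0),
            Outcome("clients stay regardless", 0.4, 0.0),
        ]),
    ])
    return Decision("Implement ISO 9001:2015?", [
        Option("Implement ISO 9001:2015", [
            Outcome("certification-dependent clients retained; costs rise", 1.0, 3.0, handle_cost),
        ]),
        Option("Do not implement", [
            Outcome("clients who require certification leave", 0.5, -6.0),
            Outcome("current clients are indifferent", 0.5, 0.0),
        ]),
    ])


if __name__ == "__main__":
    tree = certification_decision()
    verdict = evaluate(tree)
    print("unacceptable at floor -4:", unacceptable_outcomes(tree, -4.0))
    print("recommended path:", " -> ".join(verdict.path))
    print(f"expected impact {verdict.expected:.2f}, worst chain {verdict.worst:.2f}")
```

Running it prints the recommended path (implement, then restructure), its expected and worst-case impact, and the outcomes that fall at or below the acceptability floor. Attaching a follow-on Decision to an outcome such as "some clients leave despite the explanation" is how the five whys are pushed one level deeper; the evaluation does not change, only the tree does.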
Risk-based thinking is an intellectual approach to preventive action. What could go wrong and what does go wrong can be two entirely different things. Both must be taken into consideration during planning, but the latter should be given more weight as the QMS matures, since actual experience may change whether a situation is still perceived as a risk.
Example: The client base and net revenue have increased since ISO 9001:2015 certification was acquired. Therefore the actions taken to address the unacceptable consequences of implementing the new Standard have proved effective.
Understanding how processes work as a system contributes to the organization’s effectiveness and efficiency. Managing this understanding enables the organization to control the interrelationships and interdependencies enhancing the overall performance of the organization.
Actively managing the system as a whole can be achieved using the PDCA cycle. PDCA is an acronym for Plan, Do, Check and Act. The cycle's overall focus uses risk-based thinking to take advantage of opportunities and prevent undesirable results. PDCA lets the organization move the QMS from the theoretical realm of the planning phase to the operational realities identified during implementation and maintenance of the QMS.
The PDCA cycle can be applied to all processes and to the quality management system as a whole. The following list shows how Clauses 4 to 10 of ISO 9001:2015 are grouped in relation to the PDCA cycle (Planning is the Plan step, Support and Operation the Do step, Performance evaluation the Check step and Improvement the Act step, with Context and Leadership framing the whole cycle):
- Clause 4: Context of the organization
- Clause 5: Leadership
- Clause 6: Planning (Plan)
- Clause 7: Support (Do)
- Clause 8: Operation (Do)
- Clause 9: Performance evaluation (Check)
- Clause 10: Improvement (Act)
The PDCA cycle can be briefly described as follows:
- Plan: establish the objectives of the system and its processes, and the resources needed to deliver results in accordance with customers’ requirements and the organization’s policies, and identify and address risks and opportunities;
- Do: implement what was planned;
- Check: monitor and (where applicable) measure processes and the resulting products and services against policies, objectives, requirements and planned activities, and report the results;
- Act: take actions to improve performance, as necessary.
Risk-based thinking is not a new concept. It is an ongoing process that people perform continually, either consciously or unconsciously. Actively engaging in risk-based thinking gives greater knowledge of risks and improves preparedness by expanding prevention from a reactive process into a proactive one. This expansion of scope increases the probability of reaching objectives and reduces the probability of negative results. Thinking with a risk-based mindset makes prevention a habit.
Risk-based thinking is essential for achieving an effective quality management system. The concept has been implicit in previous editions of the Standard; the separate preventive action clause (8.5.3 of ISO 9001:2008) is now dispersed explicitly throughout the Standard.
- On September 6, 2017