
Process Oriented Risk Based Thinking

Posted by Victoria Ontiveros in Blog, Risk Watch 23 Jan 2017

ISO 9001:2015 Introduces a New Way to Manage Risks

One major addition to ISO 9001:2015 is the concept of risk based thinking. Many organizations have risk management departments, but these departments typically do not focus on the risks that ISO 9001:2015 refers to. Quality departments now have the responsibility to apply risk based thinking to their business processes. This article defines process oriented risk based thinking, discusses the risk based thinking model, outlines a risk assessment and suggests 7 steps for implementing the process oriented risk based thinking approach.

What is Process Oriented Risk-Based Thinking?

Process oriented risk based thinking is one of the major changes to ISO 9001:2015. ISO 9001 defines risk as the effect(s) of uncertainty. Process oriented risk based thinking, in terms of ISO 9001:2015, is simply thinking about the risks that are inherent in your organization’s business processes and their potential negative effects. Traditional risk management often focuses on outside risks but not on business processes. When there is a focus on process oriented risk based thinking, you can take action against the recognized risks in your business processes before they cause a negative effect on your organization. Process oriented risk based thinking provides the opportunity to:

1. Think about risks that are inherent in your organization’s business processes

Inherent risks are those that are simply part of the process, meaning that we know they exist. We can typically be better prepared for these inherent risks if they are identified early enough. Process oriented risk based thinking allows us to deal with risks proactively.

2. Assess risks in the order or sequence of how your processes interact with each other

Process oriented risk based thinking focuses on understanding the risks found in each process in the order they are introduced in the overall process. If risks are not identified in the proper sequence, you are not able to understand the interrelationships with the preceding process risks. When going through the processes in proper sequence, we are able to understand how one risk is actually derived from another, and the effect those risks have on processes down the line. By assessing risks in the order in which your organization’s processes flow, you might be able to identify even more risks.

3. Identify the potential negative impacts of risks within your processes

It is important to recognize the potential negative impacts of risks in your business processes. For example, if a salesperson does not correctly capture a customer’s requirements initially, all processes afterward will be affected. This risk could lead to a loss of time, sales and overall customer satisfaction. Many organizations only take action when the nonconformity occurs, but by proactively identifying the potential negative impacts of risks, we are able to prevent nonconformities.

4. Assist in proactively identifying risks before experiencing a negative impact

Don’t wait to identify risks until after you experience a negative impact! By applying the process oriented risk based thinking approach, your customers can be confident in the quality of your goods and services. Waiting until you experience the negative impacts is more costly than being proactive. It’s always better to prevent a fire than to extinguish it.

Process Oriented Risk Based Thinking Model

As previously stated, risks are inherent in all business processes. There are hundreds or maybe even thousands of processes that work together for an organization to produce its products or provide its services to its customers. These processes must provide an expected result for the organization, its customers and relevant interested parties, but there are uncertainties (variation) all along the way, including employees, vendors and equipment, which is often where risk is derived from. In the ISO 9001:2015 process-based quality management system model below, we can see where an organization might find risks in its business processes.

Figure 1 Process-Based Quality Management Model


When we look at each individual process, we are able to see the inputs that go into that process. This means that there are risks that occur at the input point. Overall, processes in an organization are affected by the uncertainty of inputs and outputs. If you are able to effectively control the risks at the input level, you can be proactive in controlling the level of negative effect on both the processes and their outputs.

Performing a Risk Assessment

Process oriented risk based thinking requires an organization to take the time to think about all of its processes. This allows the organization to determine the potential impacts of each risk and move forward with implementing preventive actions to control the identified risks. When performing a risk assessment, it is important to answer the following 4 questions:

1. What are the risks in your business processes?

Identifying all the risks in your business processes is the first step in performing a risk assessment.

2. What is the probability of that risk occurring?

Once risks are identified, we must determine the probability of each risk occurring. Some companies use categories such as Very Likely, Likely, Possible, Unlikely and Very Unlikely. By putting an actual probability on each risk, we are able to prioritize the risks and create a control that is commensurate with the probability.

3. What is the magnitude of the potential impact of the risk on your company?

Beyond understanding each risk and its probability of occurring, it’s important to understand the potential negative impact of each risk. By understanding the magnitude of the potential impact, you are able to form an appropriate control. Some companies use categories such as High, Medium or Low.

4. What control can be implemented to prevent the risk from occurring?

Creating an appropriate control to mitigate the risk is the whole point of risk based thinking. You might even find risks that currently have no control in place, and you may need to begin working to implement one.

By performing a risk assessment, you can proactively put controls in place before the risk materializes. Contingency (back-up) plans should also be developed in the event the mitigation controls fail.

How to Apply Process Oriented Risk Based Thinking

The ISO 9001 Group suggests following these 7 steps to apply the process oriented risk based thinking approach in your company:

1. Develop a process interaction map

2. Assess the risk of each process in order of the sequence of the process interaction map

3. Register each identified risk

4. Determine if you already have controls to mitigate the identified risks

5. If no controls exist, develop and implement a control to address the actual or potential negative effect

6. Formalize the control with a procedure

7. Monitor for effectiveness
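A small risk register, added here as an example (not The ISO 9001 Group's own tool), that works through the four assessment questions above and steps 1 to 5 of the procedure: it orders risks by a process interaction map, scores them with the article's likelihood and impact categories, and flags risks with no control and controlled risks with no contingency plan. The numeric weights, the threshold and the sample processes and risks are assumptions constructed for the example.

```python
from dataclasses import dataclass, field

# Likelihood and impact categories as named in the article; numeric weights are an assumption.
LIKELIHOOD = {"Very Unlikely": 1, "Unlikely": 2, "Possible": 3, "Likely": 4, "Very Likely": 5}
IMPACT = {"Low": 1, "Medium": 2, "High": 3}


@dataclass
class Risk:
    process: str                 # process in which the risk is introduced
    description: str
    likelihood: str              # key of LIKELIHOOD (question 2)
    impact: str                  # key of IMPACT (question 3)
    controls: list = field(default_factory=list)  # existing mitigation controls (question 4)
    contingency: str = ""        # back-up plan if the control fails

    def score(self) -> int:
        """Priority = likelihood weight x impact weight."""
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]


def register_risks(process_map, risks):
    """Step 2: order risks by the process interaction map, then by score, highest first."""
    order = {name: i for i, name in enumerate(process_map)}
    unknown = [r for r in risks if r.process not in order]
    if unknown:
        raise ValueError(f"risk for process not on the map: {unknown[0].process}")
    return sorted(risks, key=lambda r: (order[r.process], -r.score()))


def uncontrolled(risks):
    """Steps 4 and 5: risks that have no control in place yet."""
    return [r for r in risks if not r.controls]


def missing_contingency(risks, threshold=8):
    """Controlled risks at or above the threshold that still lack a back-up plan."""
    return [r for r in risks if r.controls and r.score() >= threshold and not r.contingency]


# Constructed sample: a simplified process interaction map and register (step 1 and step 3).
PROCESS_MAP = ["Sales", "Design", "Purchasing", "Production", "Delivery"]
SAMPLE = [
    Risk("Production", "Equipment breakdown delays order", "Possible", "Medium", ["Preventive maintenance"]),
    Risk("Sales", "Customer requirements captured incorrectly", "Likely", "High", ["Requirements review checklist"]),
    Risk("Purchasing", "Vendor ships nonconforming material", "Possible", "High"),
    Risk("Sales", "Quote sent with outdated pricing", "Unlikely", "Low", ["Price list revision control"]),
]

if __name__ == "__main__":
    for r in register_risks(PROCESS_MAP, SAMPLE):
        print(f"{r.process:<11}{r.score():>3}  {r.description}  controls={r.controls or 'NONE'}")
```

Risks land in map order with the highest score first within each process, so the uncontrolled Purchasing risk and the high-scoring Sales risk surface before the later Production risk.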


Want to learn more about process oriented risk based thinking? Request time with a consultant today or call us at (832) 326-9796 to see how The ISO 9001 Group can support your management system needs.
