
Risk Based Thinking – ISO 9001:2015

Posted by Oscar Combs in Blog, Company News 11 Mar 2015

INTRODUCTION

Many organizations are preparing for the upcoming ISO 9001:2015 changes. Many of these changes will have far-reaching impacts on organizations that are transitioning from ISO 9001:2008. In this article, I would like to discuss the new requirement of risk based thinking.

WHAT IS RISK BASED THINKING?

Although risk based thinking is not a new concept, it is new to most Quality professionals in the sense that it has become part of the Quality Management System. Many organizations have Risk Management Departments that work to assess and manage risk for their organizations on a daily basis. The major difference is that Risk Management Departments are often looking at risk from a very high level and at its impact on the insurance premiums, EMR rates or overall liability exposure for the organization.

The ISO 9001:2015 requirement drills down to the actual production or service provision processes within the organization that may have an impact on the quality of products or services provided to customers. Some of these processes may include Order Processing, Supplier Evaluation and Monitoring, Purchasing, Inspection and Testing, Shipping, and Training and Competency, to name a few.

Often traditional Risk Management Departments are not involved in these processes, so it's important for the Quality function, and the organization as a whole, to broaden their focus to these line processes, which often contribute to the high level risk monitored by the Risk Management Department.

NINE STEPS TO RISK BASED THINKING

Here are some steps to effectively implement risk based thinking within your organization. In this example I will use the risk that suppliers may provide the wrong material.

1. PERFORM A RISK ASSESSMENT. The first step in risk based thinking is to perform a risk assessment of your organization’s processes using your process interaction map, which you should already have established as part of your ISO 9001:2008 QMS. For this example the Purchasing process would be impacted.

2. ASSESS THE RISKS FOR EACH PROCESS. For the purchasing process, we have identified a risk that the suppliers may provide the wrong material.

3. DETERMINE THE PROBABILITY OF THE RISK OCCURRING. Once you determine the risk factors, you can now determine the probability of the risks occurring. I like simple categories such as Very Likely, Likely, Possible, Unlikely and Very Unlikely. Be careful not to select “Possible” for every risk. For this example, the risk that suppliers will provide the wrong material may be assigned a probability of “Likely”.

4. DEFINE THE POTENTIAL IMPACTS OF THE RISKS. What impacts will the risks have if they occur? Will the risk cause delays in delivery? Product failure in the field? Possible injury? These identified impacts are what the exercise is really all about. How can we put controls in place to prevent these negative impacts?

5. DETERMINE THE MAGNITUDE OF THE POTENTIAL IMPACTS OF EACH RISK IDENTIFIED. Once the impacts have been identified, you must determine the magnitude of the impact. Some risks may have a high probability, but a very low impact. This part of the assessment allows an organization to allocate and prioritize resources. I like simple categories, such as high, medium and low, which will work for most organizations. If the wrong material is used and it fails in the field, would the impact be high or low?

6. DETERMINE HOW YOU WILL MITIGATE THE IDENTIFIED RISKS. How will you control the identified risk or prevent it from happening? Will you ensure that material specifications are provided to the supplier when purchasing? Will you perform testing on the material or collect MTRs? In this step you will be able to determine if you have controls in place or if you need to develop controls. This would be considered a preventive action for the organization.

7. DETERMINE A CONTINGENCY PLAN FOR EACH RISK IDENTIFIED. What if the risk mitigation control fails? What’s the back-up plan? What if the use of the wrong material is noticed after the part is shipped to the customers? There may be a need to send out notices or recalls to customers. The organization will need to replace the parts. These are some examples of contingency plans.

8. DETERMINE WHO SHOULD BE INFORMED OF THE IDENTIFIED RISKS, MITIGATION CONTROLS AND CONTINGENCY PLANS. Plans only work if they are communicated. This may be the Suppliers, Purchasing Department, Receiving Department, Quality Control, Production, etc.

9. WORK WITH THE RISK MANAGEMENT DEPARTMENT. Quality Managers who work within organizations that have Risk Management Departments should work to form a closer alliance with the Risk Manager and explain the new requirements of ISO 9001:2015 and how both departments can work together, or preferably convince them that they are the risk management owners and should assess all risks, including process risks within the organization.

CONCLUSION

The time to establish a culture of risk based thinking is not in the midst of the risk; it is established by proactively discussing risks, and the controls that should be in place to prevent them, with the impacted parties. Risk based thinking is one of the key changes in the ISO 9001:2015 quality management system standard. I believe it's a great addition to the standard and if organizations do it properly, it will add tangible value in helping reduce risk and improve your operations.
