deGRANDSON Global Blog

ISO 9001 Risks and Opportunities - DOs and DON'Ts

Written by Dr John FitzGerald | Jul 24, 2025

 

ISO 9001:2015 Clause 6.1, Actions to address risks and opportunities - Practical Advice

Planning has always been a significant element of ISO 9001. In the 2015 Edition, there is an increased focus on ensuring that Clauses 4.1, ‘Context of the organisation’, and 4.2, ‘Interested Parties’, are considered. Clause 6.1 requires that both the risks and the opportunities arising from Clauses 4.1 and 4.2 be addressed. A common mistake is to overlook opportunities. A risk-based approach is essential here. So make sure you don't get caught out and read on...

NOTE: The advice given here also applies to ISO 14001, ISO 27001, ISO 45001, and other standards having the same HLS structure as ISO 9001.

What is “risk-based thinking”?

Risk is inherent in all aspects of a quality management system. There are risks in all systems, processes, and functions. A risk-based approach to managing systems, known in ISO 9001:2015 as risk-based thinking (RBT), ensures that these risks are identified, considered, and controlled throughout the design and implementation of the quality management system.

What, then, is the logical and practical way to tackle RBT when implementing ISO 9001?

Here are some things to take note of:

  • Risk-based thinking is something we all do automatically, and often subconsciously, to get the best result.
  • The concept of risk has always been implicit in ISO 9001; this revision makes it more explicit and integrates it into the entire management system.
  • Risk-based thinking ensures risk is considered from the beginning and throughout the process approach.
  • Risk-based thinking makes preventive action part of strategic planning.
  • Risk is often thought of only in the negative sense. Risk-based thinking can also help to identify opportunities. This can be considered to be the positive side of risk, including exceeding expectations and going beyond stated objectives.

Where is risk addressed in ISO 9001:2015?

The concept of “risk” in the context of ISO 9001 relates to uncertainty about whether the organisation's quality objectives will be achieved.

Risk is addressed in many of the Clauses as well as the Introduction, namely:

  • In the Introduction, the concept of risk-based thinking is explained.
  • In Part 4, the Process Approach, the organization is required to identify the risks that could impact its ability to meet its objectives.
  • In Part 5, Leadership, top management is required to commit to ensuring Part 4 is followed.
  • In Part 6, Planning, the organization is required to take action to identify risks and opportunities.
  • In Part 7, Support, the organization is required to determine and provide the necessary resources, reducing the risk of producing/delivering defective products or services to an acceptably low level.
  • In Part 9, Evaluation, the organization is required to monitor, measure, analyze, and evaluate the risks and opportunities.
  • In Part 10, Improvement, the organization is required to improve by responding to changes in risk.

Key Elements of ISO 9001 Clause 6.1

Applying Risk-Based Thinking

One of the primary purposes of implementing a Quality Management System is to serve as a preventive tool, thereby preventing adverse events. As a result, the formal requirement for preventive action, which had a comparatively narrow focus, has been removed. It is replaced by risk-based thinking, a concept intended to be applied to every aspect of a quality management system.

This approach is then applied throughout the QMS, requiring each organization to identify, plan for, and take action on those risks and opportunities relevant to achieving the intended outcomes of the management system. There is, however, no requirement for implementing a formal risk management process.

Note: Most organisations have chosen to adopt a formal documented risk management approach, albeit typically of a basic kind.

The organisation must then plan actions to address risks and opportunities, integrate and implement them into its management system processes, and evaluate their effectiveness. Actions must be monitored, managed and communicated across the organisation.

Establishing Quality Objectives

Another key element of ISO 9001 Risk and Opportunities, as outlined in Clause 6.1, is the need to establish measurable quality objectives. This retains some of the requirements contained in Clause 5.4 of the 2008 version but is more specific.

The main objectives of ISO 9001:

What are the possible benefits of risk-based thinking?

  • a focus on the more important (“high-risk”) processes and their outputs;
  • improved understanding, definition, and integration of interdependent processes;
  • systematic management of planning, implementation, checks, and improvement of processes and the management system as a whole;
  • better use of resources and increased accountability;
  • more consistent achievement of the policies and objectives, intended results, and overall performance;
  • a process approach that can facilitate the implementation of any management system;
  • enhanced customer satisfaction by meeting customer requirements; and
  • enhanced confidence in the organization.

How to Address Risks and Opportunities in ISO 9001

In your ISO 9001 implementation project, there are several key considerations regarding risk and opportunity that you should carefully evaluate. For example:

  • Understand the nature of the risk. Use established risk mitigation approaches as the basis of the coming course of action.
  • Base your actions on the potential impact on product conformity and service quality, or on customer satisfaction. Ensure that you incorporate it into the quality management system and its processes, as applicable. For example, if the organization has a single-source provider of critical raw material, it should consider investing in developing a new source.
  • Take note of the various situations where risks and opportunities should be considered. For example, strategy meetings, management reviews, internal audits, discussions on quality, meetings to set quality objectives, the planning stages for designing and developing new products and services, and the planning stages for production processes.
  • In terms of opportunity, use risk-based thinking to help your organization develop a proactive and preventive culture. Focus on doing things better and improving the overall work process.
  • Decide which risk management methods or tools to use. Keep in mind that these may vary from one process to another.
  • Adopt a risk-based approach. Consider applying it to the processes required for your organization's quality management system.
  • Make use of common risk management tools and methods such as:
    • Hazard Analysis and Critical Control Points (HACCP);
    • Failure Mode, Effects, and Criticality Analysis (FMECA);
    • Failure Mode and Effects Analysis (FMEA);
    • PESTLE, a concept from marketing principles, for analysis of the business environment under the headings P for Political, E for Economic, S for Social, T for Technological, L for Legal and E for Environmental; and
    • SWOT, strengths, weaknesses, opportunities, and threats analysis.
  • Simpler risk management approaches and techniques are also acceptable. Examples include brainstorming, the structured what-if technique (SWIFT), and consequence/probability matrices.
  • ISO 9001:2015, 6.1.1, bullets a) to d), requires that risks and opportunities be determined for the purposes of:
    • giving confidence that the quality management system can achieve its intended result(s);
    • enhancing desirable effects and creating new possibilities (by improving the efficiency of its activities, developing or applying new technologies, etc.);
    • preventing or reducing undesired effects (through risk reduction or preventive actions); and
    • achieving improvement to ensure product and service conformity and enhance customer satisfaction.
  • The Standard also lists options for addressing the risks and opportunities that have been determined. Choose from these as appropriate:
    • avoiding the risk by no longer performing the process where the risk can be encountered;
    • eliminating the risk, for example, by using documented procedures to assist persons in the organisation with less experience;
    • sharing the risk, for example, by working with the customer to facilitate the advance purchase of raw materials when production levels are unknown;
    • taking no action, where the organisation accepts the risk itself, based on its potential effect or the cost of the needed action; and
    • taking the risk to pursue an opportunity, such as investing in new capital equipment to launch a product line where the return on investment is unknown.

ISO 9001 Certification will only be achieved if you:

  • Do not treat the topic as of minor importance. A risk-based approach should permeate your QMS, for example, with evidence of decisions being informed by a consideration of risks to product and service quality, as well as customer satisfaction.
  • Don’t depend on interview evidence alone to demonstrate compliance. While the Standard does not require formal risk management to be included and/or for formal records to be maintained, your Auditors will seek objective evidence of compliance.  And what better evidence than records?
  • Don’t downplay the importance of Opportunity. In the Standard, Opportunity replaces Preventive Action, and Auditors will seek evidence of actions taken to prevent process and system failures, as well as actions to improve processes (which overlap with the Improvement requirements in Clauses 10.1 and 10.3).


How to Integrate Risk-Based Thinking with Your Quality Management System

DO's

  1. Use Risk-Based Thinking to determine the factors that could cause your processes and your quality management system to deviate from the planned results.
  2. Use Risk-Based Thinking to put in place preventive controls to minimize negative effects.
  3. Use Risk-Based Thinking to make maximum use of opportunities as they arise.
  4. Read ISO 9001:2015 Clause 0.3.3, Risk-based Thinking, in the Introduction to the Standard. The ISO Committee’s thoughts on the topic are covered there.
  5. Do introduce formal Risk Management in your organization if it is a Corporate requirement. Many organizations are taking advantage of their project to migrate to ISO 9001:2015 to introduce it. See DON'T 1, below.

DON'Ts

  1. Do not introduce formal Risk Management in your organization as a requirement of ISO 9001:2015. The Standard does not require an organisation to have a formal risk management system nor to have documentation in support of its application. See DO 5, above.
  2. Do not limit your focus to ISO 9001:2015 Clause 6.1, Actions to address risks and opportunities. RBT arises in every Section of the standard. Check out:
    • Section 4 – The organization is required to determine its QMS processes and to address its risks and opportunities.
    • Section 5 – Top management is required to:
      1. promote awareness of risk-based thinking; and
      2. determine and address risks and opportunities that can affect product/service conformity.
    • Section 6 – The organization is required to identify risks and opportunities related to QMS performance and take appropriate actions to address them.
    • Section 7 – The organization is required to determine and provide the necessary resources (risk is implicit whenever “suitable” or “appropriate” is mentioned).
    • Section 8 – The organization is required to manage its operational processes (risk is implicit whenever “suitable” or “appropriate” is mentioned).
    • Section 9 – The organization is required to monitor, measure, analyse, and evaluate the effectiveness of actions taken to address the risks and opportunities.
    • Section 10 – The organization is required to correct, prevent or reduce undesired effects, improve the QMS, and update its risks and opportunities.

How to Provide Evidence of Risk-based Thinking

The Risk-based Thinking requirements of ISO 9001:2015 do not require you to have a formal risk management system. But at your first ISO 9001 audit against the revised Standard, the external auditors will request objective evidence of RBT across all seven auditable Sections of the Standard. Interview (verbal) evidence alone will not suffice.

You will need to supply some tangible evidence of the application of Risk-based Thinking. ISO 9001 Lead Implementer Training is recommended to ensure that you will have adequately covered this difficult topic.

We have addressed the topic in depth in our Handbook 'ISO 9001:2015 Quality Management System Implementation', which is provided as part of our ISO 9001 migration training course, ISO 9001:2015 Transition Training (Course 032T), and our ISO 9001:2015 Lead Implementer Certification (Course 032).

You can have both Risk-based Thinking and Risk Management

The Medical Device Standard, ISO 13485, requires risk-based thinking in relation to the quality system generally and risk management regarding patient/user safety.  So, it is possible to have both risk-based thinking and risk management within one QMS. 

Recommended Approach to Integrating Risk-based Thinking with Your QMS

An approach often taken with ISO 9001 quality systems is to apply risk-based thinking to the QMS generally. However, when addressing the requirements of ISO 9001:2015 Clause 6.1, Actions to address risks and opportunities, it's recommended to have 'full on' risk management with risk assessment and risk treatment focused on threats to customer satisfaction and business success.


deGRANDSON Global is an ISO Certified Educational Organization

In October 2021, we secured certification for three education-related ISO Standards.  We now have a university-grade management system in place that conforms to the requirements of …

  • ISO 21001, Educational Organizational Management System,
  • ISO 29993, Learning Services outside formal Education,  and
  • ISO 29994, Learning Services – additional requirements for Distance Learning.

We have chosen ISO 21001 certification because it is based on an independent third-party assessment, unlike IRCA and Exemplar badges (which we believe are commercially compromised). It is a ‘university grade’ standard used globally by schools, colleges, and universities to demonstrate their competence.

We are providers of Courses for ISO 9001, ISO 13485, ISO 14001, ISO 27001, ISO 45001, Data Protection, Risk Management, and more.