ISO 9001:2015 Risk Management
Risks and Opportunities
Risk-based thinking is presented within the introduction of the ISO 9001:2015 standard. ISO 9001 has always advocated mitigating and avoiding risk; it has implicitly addressed the issue through “preventative actions” in previous revisions. ISO 9001:2015 replaced the term preventative actions with “actions to address risks and opportunities”.
A risk is a positive or negative deviation from the expected. Addressing a risk could mean pursuing a new opportunity. Organizations are required, during planning of their QMS, to address both risks and opportunities. Opportunities can include the adoption of new customers, products, technology or practices.
There are several requirements around risks and opportunities throughout the ISO 9001:2015 standard. The examples in the table below are just some of the clauses that in effect mandate risk management.
| ISO 9001:2015 clause | Comments |
| --- | --- |
| 4.4 Quality management system and its processes | The overall quality management system (QMS) must consider both risks and opportunities as part of its core planning process. |
| 5.1 Leadership and commitment | Those who lead the organization must promote risk-based thinking. |
| 5.1.2 Customer focus | Ensure risks and opportunities that affect customers are determined and addressed. |
| 6.1 Actions to address risks and opportunities | When planning for the QMS, determine and address risks and opportunities. |
| 9.1.3 Analysis and evaluation | Evaluate the effectiveness of actions taken to address risks and opportunities. |
| 10.2 Nonconformity and corrective action | Update risks and opportunities determined during planning, if necessary. |
How to address risks and opportunities?
The ISO 9001:2015 requirements around risks and opportunities do not require a formal risk management system. However, the standard does require that you determine what they are and how they will be addressed. When evaluating a risk, it is helpful to use two metrics or parameters:
- Severity (If the risk occurs, how serious is it?)
- Probability (What is the probability of the risk occurring?)
Common methods for identifying and addressing risk include maintaining a risk register, performing FMEA (Failure Mode Effects Analysis) or FTA (Fault Tree Analysis), using a Probability and Impact Matrix, or other risk management exercises.
When addressing risks and opportunities, consider asking these key questions:
- How will the organization identify potential threats?
- What are the ways to prevent, or reduce, undesired effects?
- How will the organization ensure that it can achieve its intended outcomes?
- Who will be responsible for ensuring that this process works correctly?
- When and how will the risk management actions be triggered?
- What are the priorities and cost impacts of each threat?
- Where could these threats come from?
- Who are all of the potential players that could help identify and deal with these risks?
- How can such a system for dealing with these risks be evaluated, tested and kept up-to-date to ensure it will work when needed?
In effect, ISO 9001:2015 risk management asks the organization to establish an end-to-end process for risk management and then to execute that process consistently, carefully and widely. And while the process for creating and applying risk management may never be overly specific, because it must apply in so many different situations, ISO has already provided a fairly rich reference set in this area, including:
- ANSI/ASSE Z690.1-2011 Vocabulary for Risk Management (U.S. Adoption of ISO Guide 73:2009)
- ANSI/ASSE Z690.2-2011 Risk Management Principles and Guidelines (U.S. Adoption of IEC/ISO 31000:2009)
- ANSI/ASSE Z690.3-2011 Risk Assessment Techniques (U.S. Adoption of IEC/ISO 31010:2009)
We’re here to help you address ISO 9001:2015 risk management requirements. Since we are in the business of helping companies quickly and cost effectively gain and maintain ISO 9001 certification, we have made major revisions of our document templates, training, software and registration relationships to accommodate risk planning. We are also preparing additional education and updates on specific areas of the standard. If you have not done so already, we encourage you to sign up for our newsletter series to stay abreast of these important changes.
Risk is Addressed in Other ISO Standards
ISO has essentially built whole standards around the concept of planning for and responding to risk. A key example is ISO 14001, which in effect is a blueprint for dealing with environmental problems before, during and after their inception. The same goes for AS9100, which requires identification, assessment and communication of risks throughout product realization, along with implementation and management of actions to mitigate risks that exceed the defined risk acceptance criteria.
The ISO 31000 standard provides an organizational-level risk management approach. ISO 31000 deals with crucial risk management concepts like:
- Avoiding activities associated with a given risk
- When to accept, and when not to accept, a risk in order to take advantage of a key opportunity
- Acceptable ways to remove a risk source entirely
ISO 9004 also addresses many aspects of risk management including risk’s impact on strategy and innovation.
A Giant Risk That ISO 9001:2015 Could Have Mitigated
The Northeast region of Japan has been a major supplier of key auto components, not only for Japanese car companies but for other automakers worldwide. After the 2011 earthquake and tsunami hit the area, Toyota, Nissan and many other producers were forced to halt production, with resulting sales declines of almost 20% for some. Dependence upon a small but vital set of suppliers is exactly the kind of major risk that the new ISO 9001:2015 emphasis on risk mitigation would have required addressing.
Please note that certain text from the ISO 9001 standard is only used for instructional purposes. Standard Stores recognizes and respects the International Organization for Standardization (ISO) copyright and intellectual property guidelines.