ISO 9001:2015 in Detail: Risk Management
Risk Based Emphasis
ISO 9001 has always advocated mitigating and avoiding risk; it has implicitly addressed the issue. The new ISO 9001:2015 standard explicitly expects organizations to identify and address risks affecting product and service compliance; resulting in improved customer satisfaction. Besides identifying the risks, the new ISO standard expects organizations to address opportunities for improvement based on the risk analysis. Although it does not require you to create a formal risk management system.
Making Risk Part of the Quality Management Process
Preventing and correcting unwanted actions and outcomes have long been a part of ISO 9001, but it has been limited to specific elements of the quality management process. ISO 9001:2015 changes that.
As an organization, ISO has already addressed the notion of a more global risk management approach to businesses in itsISO 31000 standard, which provides an organizational-level risk management approach. ISO 31000 deals with crucial risk management concepts like:
- Avoiding activities associated with a given risk
- When to or not to accept risk when taking advantage of a key opportunity
- Acceptable ways to remove a risk source entirely
Another example of ISO’s move into risk management is ISO 9004, which addresses many aspects of risk management such as including the needs and expectation of interested parties and risk’s impact on strategy and innovation.
Is ISO 9001 2015 Risk Management Emphasis Really New?
But what about risk management at the individual standard’s level? Here too, ISO has essentially built whole standards around the concept of planning for and responding to risk. Key examples are ISO 14001 which in effect is a blueprint for dealing with environmental problems before, during and after their inception. The same goes for AS9100 which requires identification, assessment and communication of risks throughout product realization, identification, implementation and management of actions to mitigate risks that exceed the defined risk.
A Giant Risk That ISO 9001 2015 Could Have Mitigated
The Northeast region of Japan has been the major supplier of key auto components, not only for Japanese car companies, but other automakers worldwide. After the 2011 earthquake/tsunami hit the area, Toyota, Nissan and many other producers were forced to halt production with resulting sales declines of almost 20% for some. Dependence upon a small, but vital set of suppliers would be a major risk that the new ISO 9001 2015 emphasis on risk mitigation would have required addressing.
And yet ISO 9001, perhaps the most broadly used management process in history, seems to have remained focused on quality management. And for many involved in the quality process from quality managers to consultants to auditors, keeping it that way preserves a unique and important focus within most organizations on keeping quality as high as possible. But it also poses a problem – if the quality plan doesn’t follow the organization’s goals and processes, something that has happened when the quality management system is drafted and implemented in isolation.
ISO 9001:2015: Revolutionary or Evolutionary?
The ISO 9001:2015 revision expands the more limited view of:
A. Trying to find the “root cause” of a problem
B. Fix it
C. And keep it from happening again
Instead, it elevates the idea of risk management into higher priority. It examines system-wide risks that can be concerns of a broader base that the organization may serve. This can include not only customers, but other “stakeholders” as well including employees, vendors, communities in which the company operates, unions, regulators and beyond. It also asks the organization to balance the likelihood versus the impact of these potential events.* (So for instance the impact of a meteor strike is enormous, but the likelihood very small.)
But is the notion of charging a quality management system with the responsibility of anticipating and responding to organizational such a major reach? Perhaps not if you view ISO 9001 previous involvement with risk management in specific areas of the standard, since clauses dealing with subjects ranging from human resources to purchasing seem to address it. (See the table below for some examples of risk management included in ISO 9001:2015.)
|ISO 9001:2015 clauses||Comments|
|4.4 Quality Management||The overall quality management system (QMS) must consider both risks and opportunities as part of its core planning process.|
|5.1.1 Organizational Leadership||Those who lead the organization must go beyond merely supporting risk-based approaches and become strong advocates of the practice.|
|5.1.2 Serving Customers||Risks and opportunities must become the core of serving an organization’s customer base, including not only maintaining quality, but to improve customer perceptions as well.|
|6.1.2 Risk-Driven Planning||In the main planning clause, risk becomes a central focus in determining actions, including deciding how to use risk to the organization’s advantage including both risk avoidance, purposeful risk-taking, sharing risk and factoring it into ongoing operation.|
|9.1.3 Measuring Performance||The effectiveness of risk-based activities must be evaluated in terms of meeting overall organizational goals.|
|10.2.1 Making Corrections||If non-compliance is determined, then it must be factored back into the planned risk management approach, and a new risk profile determined.|
The new ISO 9001-2015 revision focuses on risk management at the organizational level. While this may seem a departure from a strict quality management focus, there is ample focus within the existing standard on controlling risk to justify an expanded focus. Above are just some of the clauses that in effect mandate risk management, albeit for specific activities. The new revision in its current draft form appears to expand these more tactical risk management elements into a more programmatic view.
How ISO 9001:2015 Will Ask You To Manage Your Risk
Interestingly, ISO 9001:2015 no longer even has a specific clause dedicated topreventive action, but rather rolls up this activity into the broader (and more useful) concept of risk-based activities. This is how the revision aims to take risk management to a higher level by assuming that a management system (and in this case a quality management system or QMS) is designed as a whole to prevent unwanted outcomes – and that this function of isolating potential risks is really also implicitly preventing them. Through many of its clauses, ISO 9001-2015 requires an organization to identify risks and ways to address them so that the QMS can deliver upon its objectives.
Clause 6 titled “Planning” does require a “traditional” prevention or reduction of unwanted outcomes, but more in a more global sense and at a higher priority level. The clause also asks the organization to consider opportunities, since many risks contain both “opportunities” and “threats.” Essentially ISO 9001:2015 will likely ask organizations to do the common sense (but not commonly executed) task of asking and answering key questions such as:
- How will the organization identify potential threats?
- What are they ways to prevent, or reduce, undesired effects?
- How will the organization ensure that it can achieve its intended outcomes?
- Who will be responsible for ensuring that this process works correctly?
- When and how will the risk management actions be triggered?
- What are the priorities and cost impacts of each threat?
- Where could these threats come from, and who are all of the potential players that could help identify and deal with these risks?
- How can such a system for dealing with these risks be evaluated, tested and kept up to date to ensure it will work when needed?
What The 9000 Store Is Doing
We’re here To Help You Address Potential ISO 9001:2015 Risk Management RequirementsSince we are in the business of helping companies more quickly and more cost effectively gain and maintain ISO 9001 certification, we have made major revisions of our document templates, training, software and registration relationships to accommodate the risk planning features in the new ISO 9001(2015) revision. We are also planning more education and updates on specific areas of the standard. If you have not done so already, we encourage you to sign up for our newsletter series to stay abreast of these important changes.
In effect, 9001:2015 risk management asks the organization to establish an end-to-end process for risk management and then to execute that process consistently, carefully and widely. And while the process for creating and applying risk management may never be overly specific because of the need to apply in so many different situations, ISO has already provided a fairly rich reference set in this area including:
- ANSI/ASSE Z690.1-2011 Vocabulary for Risk Management (U.S. Adoption of ISO Guide 73:2009),
- ANSI/ASSE Z690.2-2011 Risk Management Principles and Guidelines (U.S. Adoption of IEC/ISO 31000:2009)
- ANSI/ASSE Z690.3-2011 Risk Assessment Techniques (U.S. Adoption of IEC/ISO 31010:2009
How Risk Management in ISO 9001:2015 May Change Quality Management
In a sense, quality management has always been about ensuring the output of a group meets a consistent, acceptable level. But this new emphasis on higher level risk impact may put quality management representatives (including organizational quality personnel, consultants and auditors) in the position of managing higher level business risks.
And where other planning is present (as perhaps in the case of larger organizations), that role may also include reconciling or integrating those other management systems around the risks identified through the new ISO 9001:2015 risk management process. (This may be even beyond current responsibilities for integrating multiple standards into areas of strategic business planning.)
At whatever level the quality representatives operate, the increased emphasis upon higher level risk management may necessitate a broader perspective, increased organizational knowledge, and expanded skill sets. This may be in opposition to others who see the role of quality management shrinking and being “subsumed” by other departments or functions such as engineering, human resources or financial management.
For example, the growing dependence upon global suppliers and outsourcing of management functions, may shift the responsibility for assessment and accountability in these functions to the quality representative, since the risks associated with these functions could be one of the keys to creating and managing risk under ISO 9001:2015.
Questions That Remain About Implementing ISO 9001:2015 Risk Management
The objectives of injecting more risk management into ISO 9001 may be aimed at addressing a variety of management needs such as:
- Moving to more of a data-driven decision process that increases objectivity
- Being able to more accurately prioritize risks and allocate resources to mitigating them more successfully
- Being truly preventative with respect to those risks that have the potential for greatest harm
- Capturing, retaining and transferring organizational knowledge regarding risk mitigation as employees and managers change
- Broadening the knowledge base regarding risk and creating communication and trust among those who are involved
However, because of the major shift that this approach entails, there are major questions and concerns regarding implementing ISO 9001:2015 risk management including:
- Will the inclusion of risk management make ISO 9001 (2015) more confusing and less likely to be applied and audited correctly either by the certification body or the registered organization?
- How will ISO 9001:2015 risk concepts be harmonized and prioritized with those expressed in other standards such as ISO 31000 since they are to some extent unique?
- Correctly implementing organization-wide risk management will likely require more management involvement and accountability, but will management execute this new responsibility or will they continue to delegate it to internal “quality representatives” as in the past
- Risk management may be a more abstract concept than other elements of ISO 9001; will internal auditors, lead auditors and registrars be able to audit these concepts?
- Other more mature risk management systems include processes for Governance, Risk and Compliance (GRC) and Enterprise Risk Management (ERM) which are considered essential but are not yet included in ISO 9001:2015’s risk management approach.
*Some “risk-based thinking” models also consider the potential frequency with which the threat can occur as in more specific ISO standards 13824, 13688 and 16311-2.
Please note that certain text from the ISO 9001 standard is only used for instructional purposes. Standard Stores recognizes and respects the International Organization for Standardization (ISO) copyright and intellectual property guidelines.