Risk Based Thinking – what is it and what it means for organizations certified and/or using ISO 9001:2008
Risk is defined as “the effect of uncertainty on an expected result”. How extensively the risk-based approach is applied is the organisation's own decision. However, the new requirement to take a risk-based approach should be seen as a positive part of the QMS and not as a thorn in your side: it makes the QMS more meaningful and effective, and it supports the fundamental objective every organisation has, to be more successful. To comply with ISO 9001:2015, each organisation must determine the risks and opportunities at the core of its business. This is where alignment with business strategy comes into play. The new clause on understanding the organisation and its context requires that “the organisation shall determine the external and internal issues that are relevant to its purpose and its strategic direction and that affect its ability to achieve intended results of its quality management system”, and the QMS and business processes are to be aligned by “ensuring the integration of the QMS requirements into the organisation's business processes”. One way to do this is to consolidate the quality objectives with the business objectives.
The ultimate goal of any organisation is 100% customer satisfaction, and achieving it is fundamentally the purpose of a QMS. From a business perspective, increased customer satisfaction is correlated with increased profitability (many studies provide evidence to support this). It can only be a good thing when the worlds of business and quality collide, and ISO 9001:2015 seems to agree; that is what makes it more relevant in today's world. Every business has objectives, whether they are documented or not. By consolidating the business and quality objectives, the organisation must actively work to ensure that those objectives are achieved and, in turn, provide evidence that they are being met. ISO 9001:2015 gives the tools and the structure to do just that.
The new standard requires the organisation to ‘give assurance’ that it can ‘achieve its intended results’, i.e. its objectives. By aligning the quality and business objectives, that assurance can be supported by showing “what will be done, what resources are required, who is responsible, when it will be completed and how the results will be evaluated”. Taken together these steps are a plan, or more specifically a business plan. The risks of not achieving the objectives for the year in question need to be considered alongside the opportunities. There may be several opportunities to meet an objective, and the level of risk associated with each opportunity can vary. The example below demonstrates some of the opportunities associated with an objective; each opportunity has a different level of risk. A risk matrix can be used to categorise and quantify the level of risk, which reduces (though does not remove) the subjectivity of the rating. In addition, an ‘FMEA style’ approach can be used to identify the most suitable opportunity to address the risk. Instead of the well known FMEA calculation
Risk Priority Number = Severity x Occurrence x Detection
the scoring could be modified for objectives as follows:
Objective score = Risk x Ease of Implementation of Opportunity x Likely Effectiveness
This semi-quantitative scoring allows the organisation to rank the risk and opportunity for each objective. The factors are ordinal scores, so the product is only meaningful when every factor uses the same scale and points the same way (a higher value always argues for, or always against, the opportunity). The risks and opportunities associated with the operation of the organisation need to be considered, and the organisation needs to plan how to address them.
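A worked example of the risk matrix and the FMEA-style scoring described above. This is added here and is not part of the original article; the 5x5 likelihood-by-impact matrix and its band thresholds, the 1 to 10 scales, the objective and the three candidate opportunities are all constructed assumptions. One deliberate difference from the formula as written: the risk factor is scored as "risk of pursuing this opportunity" (10 = very risky) and is inverted before multiplying, because multiplying a "higher is worse" factor with two "higher is better" factors would make the riskier opportunity look more attractive.

```python
"""Added example (not from the article): risk matrix plus FMEA-style
ranking of the opportunities that could deliver a quality objective.

Assumptions, not from the original page:
  * a 5x5 likelihood x impact risk matrix with assumed band thresholds,
  * 1..10 scales for Risk, Ease of Implementation and Likely Effectiveness,
  * Risk is "risk of pursuing the opportunity" and is inverted so that every
    factor in the product argues FOR the opportunity when it is high,
  * the objective and opportunities are constructed sample data.
"""
from dataclasses import dataclass

SCALE_MIN, SCALE_MAX = 1, 10


def check_scale(value: int, name: str) -> int:
    """Reject scores outside the agreed scale so one typo cannot dominate the product."""
    if not isinstance(value, int) or not SCALE_MIN <= value <= SCALE_MAX:
        raise ValueError(f"{name} must be an integer in {SCALE_MIN}..{SCALE_MAX}, got {value!r}")
    return value


def invert(score: int) -> int:
    """Flip a 1..10 score whose natural direction is 'higher is worse'."""
    return SCALE_MAX + SCALE_MIN - check_scale(score, "score")


def rpn(severity: int, occurrence: int, detection: int) -> int:
    """Classic FMEA Risk Priority Number: higher means the failure mode needs attention first."""
    return (check_scale(severity, "severity")
            * check_scale(occurrence, "occurrence")
            * check_scale(detection, "detection"))


def risk_band(likelihood: int, impact: int) -> str:
    """Place a risk on an assumed 5x5 matrix (1..5 each) and return its band."""
    for value, name in ((likelihood, "likelihood"), (impact, "impact")):
        if not 1 <= value <= 5:
            raise ValueError(f"{name} must be in 1..5, got {value!r}")
    product = likelihood * impact
    if product >= 15:          # assumed thresholds for the bands
        return "high"
    if product >= 8:
        return "medium"
    return "low"


@dataclass(frozen=True)
class Opportunity:
    name: str
    risk: int           # risk of pursuing this opportunity (10 = very risky)
    ease: int           # ease of implementation (10 = trivial, 1 = major programme)
    effectiveness: int  # likely effectiveness if implemented (10 = certain to work)

    def score(self) -> int:
        """Article's formula with the risk factor inverted: higher = better candidate."""
        return (invert(self.risk)
                * check_scale(self.ease, "ease")
                * check_scale(self.effectiveness, "effectiveness"))


def rank(opportunities):
    """(name, score) pairs, highest score first; ties broken by name for determinism."""
    return sorted(((o.name, o.score()) for o in opportunities), key=lambda t: (-t[1], t[0]))


def select(opportunities, threshold: int):
    """Names of the opportunities that clear an agreed score threshold and so get planned."""
    return [name for name, score in rank(opportunities) if score >= threshold]


# Constructed sample data: one objective and three candidate opportunities.
OBJECTIVE = "Cut late deliveries to below 2% this year"
OPPORTUNITIES = (
    Opportunity("Weekly dispatch review meeting", risk=2, ease=9, effectiveness=4),       # 9*9*4 = 324
    Opportunity("Contract a second carrier", risk=6, ease=4, effectiveness=7),            # 5*4*7 = 140
    Opportunity("Automate order-to-dispatch tracking", risk=4, ease=3, effectiveness=9),  # 7*3*9 = 189
)

if __name__ == "__main__":
    print(OBJECTIVE)
    print("Band for the underlying risk:", risk_band(likelihood=4, impact=4))
    for name, score in rank(OPPORTUNITIES):
        print(f"{score:4d}  {name}")
    print("Planned:", select(OPPORTUNITIES, threshold=150))
```

The threshold is an organisational choice, not a formula output; whatever value is agreed, record it alongside the scores so the selection can be audited against the plan later.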
The organisation may decide, based on the risks identified, to implement all opportunities that mitigate the risk. A plan will be needed to address every opportunity where action has been agreed.
Reference to risk in ISO 9001:2015
The following list details the areas in ISO 9001:2015 where risk is referenced:
Introduction: the concept of risk-based thinking is introduced.
Clause 4: The organisation is required to determine the risks that can affect its ability to meet objectives, and to plan and implement the appropriate action to address them.
Clause 5: Top management are required to commit to ensuring Clause 4 is followed.
Clause 6: The organisation is required to take action to identify and address risks and opportunities.
Clause 8: The organisation is required to implement processes to address risk.
Clause 9: The organisation is required to monitor, measure, analyse and evaluate the risks and opportunities.
Clause 10: The organisation is required to improve by responding to changes in risk.
Preventive Action Revised for improved applicability
In most organisations keeping up to date with non-conformances and the associated CAPAs is enough work, so the ISO 9001:2008 requirement to “eliminate the cause of potential nonconformities” is not always acted upon when the opportunity arises. The new standard has removed the separate requirement for preventive action and instead requires actions to address risks and opportunities. This is a much improved approach with a real feeling of relevancy and usefulness. Because the risk-based approach is a core concept of the new standard, the requirement to address risks and opportunities runs throughout it, as discussed above.
Additional changes to ISO 9001
Fewer prescribed requirements
A Quality Manual is no longer required. This reflects a general change of approach to documentation: the separate terms ‘documents’, ‘documented procedures’ and ‘records’ have been replaced with the single term ‘documented information’, defined as “information required to be controlled and maintained by an organisation and the medium on which it is contained”. It “can be in any format and media and from any source”. With the continued emphasis on a process-based approach there is no requirement for the structure of the QMS to mirror the clause structure of the standard. The majority of organisations implemented the 2008 standard clause by clause, documenting compliance with each clause in the quality manual. Compliance can now be demonstrated using a different approach, built around the “internal and external issues that are relevant to its purpose and its strategic direction and that affect its ability to achieve the intended result(s) of its quality management system”.
Less emphasis on documents
The requirements for a documented quality manual, the six documented procedures (control of documents, control of records, internal audit, control of non-conforming product, corrective action and preventive action) and specific quality records have been removed, so those mandatory procedures are no longer required in order to gain certification. While ISO 9001:2008 specified a number of mandatory documents, ISO 9001:2015 does not. That does not mean organisations have to throw away their quality manuals and documented procedures: if this documentation is in place and working well, there is no need to withdraw it. It will, however, need to be reviewed to ensure it reflects the updated requirements of ISO 9001:2015.
Improved applicability for services
For all of us who apply the standard to a service rather than a product, this update is a great improvement in applicability and ease of implementation. ISO 9001:2015 refers to services far more often than ISO 9001:2008, whose clauses mostly refer to products, which makes the standard much easier to apply to service providers. The table below maps the ISO 9001:2008 clauses to the ISO 9001:2015 clauses where reference to services has been added.
ISO 9001:2008 clause -> ISO 9001:2015 clause
7.2 Customer-related processes -> 8.2 Determination of requirements for products and services
7.2.1 Determination of requirements related to the product -> 8.2.2 Determination of requirements related to the products and services
7.2.2 Review of requirements related to the product -> 8.2.3 Review of requirements related to the products and services
7.3.1 Design and development planning -> 8.3 Design and development of products and services
7.4 Purchasing -> 8.4 Control of externally provided products and services
7.4.3 Verification of purchased product -> 8.6 Release of products and services
7.5.5 Preservation of product -> 8.5.4 Preservation
8.2.4 Monitoring and measurement of product -> 8.6 Release of products and services
8.3 Control of non-conforming product -> 8.7 Control of non-conforming process outputs, products and services
Management Responsibility to Leadership
‘Management Responsibility’ has been replaced by ‘Leadership’. There is no longer a requirement for a management representative; instead, roles, responsibilities and authorities are to be assigned, communicated and understood. Further changes under leadership:
A requirement to define the boundaries of the QMS.
Increased emphasis on organisational context.
Increased leadership requirements.
Greater emphasis on achieving desired outcomes to improve customer satisfaction.