“Risk-based thinking” and the IATF 16949^® and ISO 9001  requirements related to risk

IATF 16949:2016 is based on ISO 9001:2015, so the quality management system standard is a good place to start when considering risk.  Although it is not one of the seven quality management principles that provide the foundation for the standard, ISO 9001:2015 embraces the concept of “Risk-based Thinking,” and this is one of the major changes with the 2015 version.  In the Introduction to ISO 9001:2015, as well as in Annex A.4, the concept of risk-based thinking is explained.  The ISO 31000:2018 definition of risk is the “effect of uncertainty on objectives”, which means that risk is the consequence of any effect leading to deviation from the expected due to any cause.  Although risk usually has a negative connotation (for instance, with medical devices), the effect of the deviation can be either positive or negative; in other words, there may be opportunities to exploit, as well as risks to avoid or mitigate due to this effect.  The term uncertainty simply means some lack of knowledge or understanding about an event, including the probability of occurrence and/or its consequences.  This version of ISO 9001 is explicitly incorporating risk, although falling short of requiring a comprehensive, organization-wide risk management system, such as that described in ISO 31000:2018 Risk management – Guidelines.

What is Risked-Based Thinking?

Risk-based thinking is focused on the prevention of problems before they occur (i.e., preventive actions) and require that we not only identify risks, but also attempt to assign a probability of likelihood for their occurrence (using objective evidence), and then foreseeing the consequences if they do occur (neither of which are easy nor knowable with certainty).  The concept of risk-based thinking can be applied to many things such as a decision to buy a house rather than rent. Suppose we have as our objective, buying a house that we will live in for 5 years and then selling it at a 10% profit.  There is uncertainty as to what events can or will happen over the next 5 years, but some of these would impact our objective:

• the overall economy could decline, along with the housing market;
• a major employer in the area could go out of business;
• or there could be some unexpected expenses over the five years – such as mold that must be remediated, a new roof is required, or the HVAC system needs to be replaced.

These events may all cause us not to achieve our expected profit on the house, or even worse, cause us to lose some or all of our invested funds.  On the other hand, we might benefit from a booming economy and housing market, or the influx of new businesses and/or people into the area for other reasons causing our house to increase in value.  We weigh the risks and opportunities, considering the impacts and the probabilities of each occurring, and decide on actions to take (decide to keep renting, have a home inspection done before committing to the purchase, buy insurance, etc.). If you ever purchased a house, this type of risk-based thinking probably occurred naturally.  The ISO 9001 standard wants you to apply this approach to your quality management system (QMS).

ISO 9001:2015 and risk-based thinking

The ISO 9001:2015 standard not only promotes the use of risk-based thinking, but some clauses require this approach:

• 4.4 f) – Quality management system (QMS) and its processes – for each QMS process, the organization has to address the risks and opportunities identified and prioritized for action (see 6.1)
• 5.1.1 d) – General [Leadership] – top management is to promote risk-based thinking in the organization (to do that, they need to understand and be able to explain the concept).
• 5.1.2 b) – Customer focus – top management has to identify and deal with the risks and opportunities affecting product conformity and the ability of the organization to enhance customer satisfaction through the QMS;
• 6.1 – Actions to address risks and opportunities – This is the main clause related to risk.  Once risks and opportunities are identified (including internal and external issues from clause 4.1 – Context of the organization and requirements on interested parties from clause 4.2), they need to be prioritized based on impact on the conformity of products and services (how is up to you).  Plans need to be developed for actions to address the (highest priority) risks and opportunities; these actions need to be integrated into the QMS, and you need to determine how to evaluate them (see clauses 9.1.3 and 9.3.2, below).
• 9.1.3 e) – Analysis and evaluation – evaluate how effective the actions taken in 6.1 were in addressing the risks and opportunities;
• 9.3.2 e) Management review inputs – based on the analysis and evaluation (clause 9.1.3), report on the effectiveness of actions taken to address risks and opportunities (from clause 6.1);
• 10.2.1 e) [Nonconformity and corrective action] – after taking corrective action, update risks and opportunities determined during planning (clause 6.1), if necessary.

Knowledge. Expertise. Experience.

Schedule A Free Consultation

Outsource Your Internal Audits

How IATF 16949:2016 approaches risk

That brings us to the automotive QMS requirements in IATF 16949:2016, which encompasses all of the ISO 9001:2015 requirements and other risk-related concepts in the Introduction and annexes.  The IATF 16949® standard has several clauses that supplement the main ISO 9001:2015 clause related to risk – 6.1 – Actions to address risks and opportunities:

• 6.1.2.1 Risk analysis – This supplemental clause specifies some inputs that must be included in the risk analysis such as results of product audits, internal failures (scrap, rework), and external problems (product recalls, field returns complaints).  It also requires that records be kept of the results of the risk analysis undertaken.
• 6.1.2.2 Preventive action – this clause resurrects one that was dropped with the 2015 version of ISO 9001 explicitly due to the introduction of risk-based thinking (see Annex A4 of that standard).  The IATF® didn’t agree, and it remains as a clause to identify actions to eliminate the causes of potential non-conformities; the clause has a similar structure to clause 10.2.1 [Nonconformity and corrective action].  Risks that have not yet occurred that are identified and prevented would qualify.  A good example would be action taken in an FMEA to eliminate failure causes identified for a new product or process not yet in production.  It would apply to all aspects of the QMS, however, not just technical risks.
• 6.1.2.3 Contingency plans – This clause is concerned with the identification and prioritization of operational risks (both internal and external) that could impact the ability of the organization to maintain production output to the customer and the development of contingency plans to deal with these risks if they do occur.  There are some specific types of risks identified (such as utility disruptions, supply chain issues, pandemics, natural disasters, fire, cyber-attacks, key equipment failures, and labor shortages) that must be considered, at a minimum.  Note that the focus is not on emergency response (e.g., alarms, fire drills, personnel accountability), but rather on what you are planning to do to keep the conforming product flowing to your customer per delivery schedules to keep them running without interruption.  Unfortunately, there have been many examples in the news of all of these threats in the past few years, so it doesn’t take a lot of imagination to identify some of these risks – they have already occurred.  The clause requires testing (like simulations or “war-gaming”) the contingencies, top management involvement, at least annual reviews, a communication plan, and documenting revisions of the plan, but at its core is the application of risk-based thinking.

There are several other additional requirements related to risk and risk-based thinking in IATF 16949:2016. Grouping them under the relevant section of the standard, the following is a summary of these requirements:

• 7.1 Resources – Two areas in this section are 7.1.3.1 Plant, facility, and equipment planning and 7.1.5.2.1 Calibration/verification records.  In clause 7.1.3.1, the focus is on the use of risk identification and risk mitigation methods to develop and improve plant, facility, and equipment plans, in addition to a mention of re-evaluating risk related to process changes in control plans and job set-up verification (discussed in more detail in clauses 8.5.1.1 and 8.5.1.3).  The reference in 7.1.5.2.1 is a requirement to retain records of risk assessments related to out-of-specification gauges (related to ISO 9001 clause 7.1.5.2 – Measurement traceability)
• 8.3 Design and Development and APQP – In this section of the standard, there is a recurring reference made to the primary tool for identification, prioritization, and addressing product and process technical risks – the FMEA (Failure Mode and Effects Analysis). The use of this tool is well documented in the AIAG FMEA 4^th Ed. Core tool and the 2019 AIAG/VDA FMEA Handbook, among other resources.  The dFMEA (for product-design risk analysis) and pFMEA (for process-related risk) are called out in clauses 8.3.2.1 Design and development planning – supplemental, 8.3.5.1 Design and development outputs – supplemental, 8.3.3.3 Special characteristics, 8.3.5.1 Design and development outputs – supplemental, and 8.3.5.2 Manufacturing process design output in section 8.3. They are also mentioned in clauses 9.1.1.2 Identification of statistical tools, 8.5.1.1 Control plan, and several others that we will cover separately.  Another reference to risk in this section is in clause 8.3.2.3 Development of products with embedded software which requires the organization, if applicable, to prioritize assessment of software development based on risk to the customer.
• 8.4 Control of Externally Provided Products and Services – This section has several significant requirements related to risk and risk-based thinking.  8.4.1.2 a) – Supplier selection process– requires a documented process including risk assessment during supplier selection to ensure product conformity and uninterrupted supply of product to the customer. 8.4.2.3 Supplier quality management system development (including Sanctioned interpretation (SI) #8) specifically requires using a risk-based model to determine the minimum and target QMS levels.  Clause 8.4.2.4.1 Second-party audits require documented criteria for second-party audit need, type, frequency, and scope based on a risk analysis that includes, at a minimum, supplier performance, the regulatory and/or safety requirements of the product being supplied, and the supplier’s current QMS certification level.  As in 8.3, there is a similar clause for embedded software in supplier products: 8.4.2.3.1 Automotive product-related software or automotive products with embedded software.
• 8.5 Production and service provision – There are several other risk-related clauses in this section, besides the ones already mentioned (e.g., 8.5.1.1).  Clause 8.5.2.1 Identification and traceability – supplemental requires developing traceability plans using the levels of risk or failure severity for affected parties. 8.5.6.1 Control of changes – supplemental – requires documenting the evidence of related risk analysis of the effect of the change.  The related clause 8.5.6.1.1 Temporary change of process controls mandates the use of a risk analysis (such as FMEA) to determine the internal approvals to be obtained before implementing alternate control methods.
• 8.7 Control of non-conforming outputs – requires the use of a risk analysis (such as FMEA) methodology to assess risks before acting in both clauses 8.7.1.4 Control of reworked product and 8.7.1.5 Control of repaired product. 
• 9.2 Internal audit – The supplemental clause 9.2.2.1 Internal audit program requires that the overall audit program (which encompasses QMS, manufacturing process, and product audits) be prioritized based upon risk, among other factors.  The FMEA risk tool comes into play again in several internal audit-related clauses: 9.2.2.3 Manufacturing process audit – has to include an audit of the effective implementation of the process risk analysis (such as PFMEA), 7.2.3 Internal auditor competency requires that internal auditors understand the automotive process approach for auditing, including risk-based thinking, while manufacturing process auditors must understand process risk analysis tools (such as PFMEA).  This also applies in clause 7.2.4 Second-party auditor competency.
• 9.3 Management Review – Clause 9.3.1.1 Management review – supplemental requires that the management review frequency be increased based on risk to compliance with customer requirements, and clause 9.3.2.1 j) – Management review inputs – supplemental requires that potential field failures identified through risk analysis (e.g., FMEA) be an input to the management review.
• 10 Improvement – This clause has several risk-related requirements such as 10.2.4 Error-proofing which requires that error-proofing methods be documented in the process risk analysis (such as PFMEA) and 10.3.1 c) Continual improvement – supplemental that requires a documented process for continual improvement that includes risk analysis (such as FMEA).

Risk management tools

The IATF 16949:2016 standard has fully embraced the focus on risk and risk-based thinking.  In addition to the well-defined FMEA tool, there are other risk management tools (for example, Strengths-Weaknesses-Opportunities-Threats (SWOT) Analysis, Risk Matrices, and Fault Tree Analysis) that can be used to meet these risk-based requirements.  Since QMS risks have to be addressed with the same resources as safety, environmental, information security, and other organizational risks, adopting an organization-wide risk management system such as described in ISO 31000:2018 Risk management – guidelines is a logical next step.  Using the same or similar criteria and risk-related tools for all types of risk would also simplify the prioritization process for the organization.  In any event, for those certified to ISO 9001:2015 and/or IATF 16949:2016, the use of risk-based thinking and fulfilling their risk-related requirements is a given. In most cases, it is up to your organization to decide how to do it.

This article was written by Paul Gambino, a simpleQuE consultant and auditor with more than 20 years’ experience implementing, maintaining and improving quality management systems and business processes. He is also currently an ISO 9001 and IATF 16949® lead auditor for several Certification Bodies. 

We Can Help: IATF 16949® Experts a Click Away

If you’re searching for an IATF 16949:2016 consultant, our team at simpleQuE is well-positioned to support your IATF 16949® and MAQMSR consulting (Minimum Automotive Quality Management System Requirements), certification, maintenance, training and internal auditing needs. Our consultants are qualified and certified and are experts on automotive standards, customer-specific requirements, and AIAG or VDA core tools. In addition, many are current or former 3rd party auditors who bring valuable insight because of the knowledge gained from auditing for certification bodies.

SimpleQuE also offers a full line-up of IATF 16949® training courses which includes AIAG and VDA Core Tools, Root Cause Analysis and Problem Solving, Requirements and Implementation.  With IATF® also putting a major focus on internal auditor competency, it is essential to have IATF 16949® Internal Auditor Training. Our IATF 16949® auditor training utilizes the process audit approach. Contact our IATF® consultants to learn more about the customized services offered to match your certification and training needs.

Obtaining and maintaining IATF 16949®, and meeting all of the related Customer Specific Requirements (CSRs), is difficult, which is why we’ve created free IATF 16949® tools, checklists, and resources for your use. 

SimpleQuE is not associated with the IATF®, IAOB, ANAB®, IAQG®, and is not a certification body. SimpleQuE is an independent consulting, training, and internal auditing service provider that assists a company on a path for the company to obtain and maintain certification through accredited certification bodies.