ISO 9001 and Risk Management Result in a Risk-Intelligent Business

Digitalization, globalization, competition and the speed of technological advances has changed the nature of business. ISO 9001:2015 places a heavy emphasis on using “risk-based thinking” for managing quality-related processes. Risk has always been implicit in ISO 9001.  But this revision asks organizations to make a cultural shift—rather than focusing on isolated problem solving and resolution, the focus is on prevention and performance improvement.

The International Organization for Standardisation (ISO) explains it this way:

“Risk based thinking ensures these risks are identified, considered and controlled throughout the design and use of the quality management system”.

Under the ISO 9001 requirements, risk management serves as the cornerstone of quality management system design. As organizations determine the processes needed for a quality management system, they’re also asked to determine the associated risks and opportunities and to plan and implement appropriate actions to address them.

In the context of ISO, the concept of “risk” relates to the uncertainty in achieving the main objectives of International Standards—namely, to provide confidence in the organization’s ability to consistently provide customers with conforming goods and services, and to enhance customer satisfaction. Risk is the possibility of events or activities preventing an organization from achieving its strategic and operational goals. Much like the risks organizations are experiencing globally in 2020 due to the disruptions from the COVID-19 pandemic.  (Learn more in our article Remote Auditing During COVID-19 (Coronavirus) – Risk Management in a Pandemic.)

This shift in thinking does not replace the standard’s process-oriented approach, but enhances it. While the process is still a critical part of ISO 9001:2015, processes must now be implemented with an acute awareness of risk.

Identify, Analyze and Prioritize Potential Risks

Organizations are asked to identify, analyze and prioritize all potential risks as they undergo building or adapting their existing quality management implementations for updated certification.

Risks can be defined by two parameters—the severity, or seriousness, of the harm, and the probability that the harm will occur. Risks can be assessed based on the likelihood they will occur, the likelihood they can be detected, and potential impact should they occur. From there, risks are evaluated based on their importance (what is acceptable, what is unacceptable?) and actions are planned to address the risks, whether that’s avoiding or eliminating the risk or mitigating it.

Once plans are implemented, it’s essential for organizations to check the effectiveness of their actions and continually learn from experience.

How Do You Evaluate Risk?

What’s the best way to document risk-based thinking and demonstrate the approach during audits?. Evaluate how you evaluate risks today with the processes you have. Understand how you decide when risks are acceptable or unacceptable.  ISO wants to see that you record identified risks when action is required, and the action steps to be taken. 

Putting into place the Plan-Do-Check-Act (PDCA) methodology can be a great way to define, implement and control corrective actions and improvements. Companies should Plan what to do and how to do it, Do what was planned, Check that things happened according to plan, and Act on how to improve the next time around.

Many companies are approaching the time for their ISO 9001:2015 recertification. The ISO certificate is valid for three years after  initial issue. Recertification requires an organization to undergo an audit with their registrar (similar to the initial auditing process without the need for a Stage One audit).

SimpleQuE assists companies with implementation or preparing for recertification so they can be “risk-intelligent” and not a “risky business”.  We’ve  been in business since 2005 and simpleQuE was one of the first consulting companies to be ISO 9001:2015 certified.  Contact us for a consult and see the difference that our experts can bring to your quality management process.