
An Introduction to Risk Based Thinking

ISO 9001:2015

1 Introduction
There has been a shift in how companies view quality and compliance, and as a result,
businesses are looking for a more comprehensive method for measuring operational
efficiency.
Risk management processes are proving to be an effective option for this. ISO 9001:2015
now promotes risk-based thinking in quality management systems, but many organizations
aren’t sure what that means or how to go about it.

2 The Need for Risk Assessment


Risk management is a tool that helps companies evaluate risks in processes and content. It
evaluates event data in order to measure levels of risk in an operational context. Risk
assessment is repeatable and objective; it allows you to replace an otherwise subjective “gut
sense” with a more guided decision-making approach. Furthermore, it’s easy to understand
for people who aren’t directly involved in the process.
Risk assessment helps drive change. It enables you to build alerts for critical events and
develop guidelines and solutions for risk levels that are unacceptable. These solutions are
systematic and repeatable, and you can implement them for high risks in a more automatic
and consistent manner.
However, it’s important to note that risk assessment is a tool, not a solution. Context is
important in risk assessment, and for that, you need people. For example, someone on the
shop floor might consider something a critical risk, whereas from the top floor, that risk might
not look as bad in the larger context of operations.
So it’s a good idea to have a team in place to vet your risk assessment process to ensure
you’re achieving the right results. As your operations change or as more data accumulate,
you may find that established risk levels need to be adjusted.

3 Risk Management in ISO 9001:2015


ISO 9001:2015 includes a component of risk-based thinking, and it involves the people and
leaders within your organisation.
The standard doesn’t include a specific requirement for a quality management
representative, or even a quality manual. Instead, ISO 9001:2015 focuses on a
companywide commitment to quality that is championed and brought about by leaders. How
can that be done using a centralized system, and where does risk fit in?
There are two sections where risk appears in the standard: leadership directives and
planning.

4 Leadership directives

Risk Based Thinking Page 1 of 3


ISO 9001:2015 is designed to create a companywide approach to quality, and leaders need
to be directly involved.
Although some leaders might not “speak quality,” they definitely can speak risk. That’s why
the standard encourages the concept of “risk-based thinking.” This refers to a coordinated
set of activities and methods that organizations use to manage and control the many risks
that affect their ability to achieve objectives.
Risk-based thinking replaces what earlier versions of the standard called preventive action.

5 Planning
This section is where preventive action used to be and is now replaced with managing risks
and opportunities. It’s important to note that ISO 9001:2015’s take on risk is simple. This isn’t
a directive to go out and build an enterprise risk management programme, or change all of
your processes to comply with the requirements.
The standard directs companies to “promote” risk-based thinking, which is fairly broad and
open to interpretation. Every company should evaluate its own processes in light of the risks
specific to its business or industry.
We can break the planning section down into these salient facts: Risk management is an
objective process that can be repeated and standardized.
Your first goal is to identify the risks in your operations, then determine how you’re going to
measure those risks. After that, you need to figure out treatment options for those risks, and
eventually implement actions and controls to address each risk.

6 Creating a Risk Taxonomy


How do you start identifying risks?
You’ll need to examine your operations, seek out potential hazards within those operations,
and categorize them.
Asking questions is a good way to start. Survey and audit your operations as you normally
would, but note the potential hazards from all areas. What are the problems that could occur,
and how likely is it they will occur? Your results will probably include a lot of hazards and a
host of probabilities.
At this point you need to analyze the hazards and then categorize them. This is called a
“taxonomy of risk”—i.e., hazard types grouped in broader categories that will enable you to
make better sense of everything. You then create scales of severity for hazards and their
frequency (likelihood to occur). Once you’ve done this, you can start evaluating the risks.

7 Taking Subjectivity out of Risk Management


You now have a list of hazards, categorized and organized, and you’ve built some
probabilities around them. How do you calculate the risk in these hazards?
Keep in mind that an accurate risk assessment doesn’t always follow a risk evaluation. Too
often, people use risk evaluation tools that calculate risk and just leave it to the tool to
determine the risk level. Risk tools can help guide your calculations and decisions, but the
ultimate decisions on how to handle risk should come from people. It’s helpful to have a risk
team review risk calculations to confirm that they reflect real-world data. Ideally, risk should
be addressed with a combination of people, processes, and tools.
8 Risk Management as a Tool for Quality and Compliance
You’ve created a list of hazards and their probabilities, and come up with a slick risk-
assessment strategy that combines quantitative analysis with real-world data. Now what?
Just because you’ve calculated something as a high risk doesn’t mean you’ve solved the
problem. The next step is to assign treatment options to that risk. You must determine what
you’re going to do if there is a risk, and you do this in several ways. Again, this is where a
cross-functional team comes in handy: You can review the different risk outcomes and then
determine, based perhaps on past data or processes, how you’re going to handle different
risk levels.

Treatment options typically fall into these broad categories:

- You can accept the risk (i.e., the outcome is worth the risk)
- You can seek ways to reduce the risk
- You can find ways to insure yourself against the risk
- You can transfer risk (perhaps you source out high-risk processes to a partner or
supplier with a better risk management process)
- If the risk is simply too high, you can avoid it (i.e., stop the process altogether)
Each company has a different way of treating risk, and it’s up to your risk team to determine
the best way to interpret risk levels.
Once you do, you need to take action on the risks. This is where you’ll want to make use of
your quality management processes such as corrective and preventive actions (CAPA) to
address the risks. You’ll also want to have some means of reporting in place to analyze risks
over time.
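The procedure described in sections 6 to 8 (categorize hazards, put them on severity and likelihood scales, band the result into risk levels, propose a treatment and keep the final call with a human team) as a small risk register. This is an added illustration, not code from the article; the 1-5 scales, the level bands, the default treatments and the sample hazards are all assumptions a company would replace with its own.

```python
# Added example (not from the article): a small risk register that scores hazards
# on assumed severity x likelihood scales, bands them into levels and proposes one
# of the article's treatment options. Scales, bands and sample data are assumed.
from dataclasses import dataclass
SEVERITY = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "critical": 5}
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "frequent": 5}
# Upper bound of each band on the 1-25 product; thresholds are the company's call.
LEVEL_BANDS = [(5, "low"), (12, "medium"), (19, "high"), (25, "unacceptable")]
# The tool only proposes a treatment; the cross-functional risk team decides.
DEFAULT_TREATMENT = {"low": "accept", "medium": "reduce",
                     "high": "reduce or transfer", "unacceptable": "avoid"}

@dataclass(frozen=True)
class Hazard:
    name: str
    category: str   # taxonomy category, e.g. "supplier" or "process"
    severity: str
    likelihood: str

def score(h: Hazard) -> int:
    return SEVERITY[h.severity] * LIKELIHOOD[h.likelihood]

def level(s: int) -> str:
    for upper, name in LEVEL_BANDS:
        if s <= upper:
            return name
    raise ValueError(f"score {s} outside 1-25")

def assess(register: list) -> list:
    """One row per hazard, highest score first. needs_review flags anything
    above 'medium' so it is not actioned on the tool's say-so alone."""
    rows = []
    for h in register:
        s = score(h)
        lv = level(s)
        rows.append({"hazard": h.name, "category": h.category, "score": s,
                     "level": lv, "treatment": DEFAULT_TREATMENT[lv],
                     "needs_review": lv in ("high", "unacceptable")})
    return sorted(rows, key=lambda r: r["score"], reverse=True)

def by_category(rows: list) -> dict:
    """Worst score per taxonomy category, the figure to track over time."""
    worst = {}
    for r in rows:
        worst[r["category"]] = max(worst.get(r["category"], 0), r["score"])
    return worst

SAMPLE = [  # constructed sample register
    Hazard("Single-source supplier outage", "supplier", "major", "possible"),
    Hazard("Calibration record missing", "documentation", "minor", "likely"),
    Hazard("Unpatched line controller", "process", "critical", "likely")]
```

Feeding `by_category(assess(SAMPLE))` into your periodic reporting gives the per-category trend the article asks for, while the `needs_review` flag keeps the high and unacceptable rows in front of the risk team rather than the tool.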

9 Documenting the risk process


The generally accepted practice is to document what you’re doing and then document when
you actually do it.
So the whole risk management process should be controlled and supported with work
instructions and assigned roles—this should be standard, especially when you introduce
new elements to the existing process.
This article was first published in Quality Digest
