Preventive Actions vs. Risk Management ISO 9001

This document discusses the changes made in ISO 9001:2015 regarding preventive actions and risk management. The new standard replaces preventive actions with risk management, intended to be more integrated with quality management systems. Risk management involves risk identification, analysis, evaluation, treatment, and monitoring. This change was made because preventive actions in the previous standard had limitations, as it was difficult for organizations to identify potential nonconformities and there was a lack of economic rationale. The new approach using risk management provides a more structured process and takes economic factors into consideration.

https://www.researchgate.net/publication/285153350

PREVENTIVE ACTIONS VS. RISK MANAGEMENT IN ISO 9001:2015

Chapter · July 2015

Sławomir Wawak
Cracow University of Economics

All content following this page was uploaded by Sławomir Wawak on 30 November 2015.


9th International Quality Conference
June 2015
Center for Quality, Faculty of Engineering, University of Kragujevac

PREVENTIVE ACTIONS VS. RISK MANAGEMENT IN ISO 9001:2015

Sławomir Wawak 1)

1) Cracow University of Economics, Poland

Abstract: The new version of the ISO 9001 standard, issued in 2015, replaces preventive actions with risk management. The article discusses the desirability of this change, its causes, as well as the new challenges for enterprises and quality managers.

Keywords: quality management, ISO 9001, risk management, preventive actions

1. INTRODUCTION

The ISO 9001 standard introduces a new approach to preventive actions and continual improvement. Risk management is intended to be more integrated with the QMS than the former process and to supply a range of new methods that accelerate improvement in the company.

The aim of the paper is to discuss the changes related to preventive actions in the new standard and their rationale, describe the impact on enterprises and show the necessary changes in quality management systems.

The publication was financed from the resources allocated to the Management Faculty of Cracow University of Economics, under the grant for the maintenance of the research potential.

2. PREVENTIVE ACTIONS IN FORMER ISO 9001 STANDARD

The ISO 9001:2008 standard [1] required organizations to maintain a procedure of preventive actions. The procedure should include [1]:
- determination of potential nonconformities and their causes,
- evaluation of the need for action to prevent the occurrence of nonconformities,
- determination and implementation of actions needed,
- recording results of those actions,
- review of preventive actions.

Those requirements have remained almost unchanged since 1994. They were a modified copy of the requirements for corrective actions. A similar approach to both types of improvement has looked good from the beginning; however, in practice only corrective actions have proven to work well.

The main problem with preventive actions is the identification of potential nonconformities. The ISO 9001 standard does not indicate where to look for them, nor what the methodology of identification should be. Publications that describe quality management system implementation can give some assistance, showing where to look for opportunities for preventive actions. They usually indicate, e.g.: management review, process monitoring, customer feedback, employee suggestions, monitoring changes in legislation, looking for new technology. Some of them suggest methods that support the determination of preventive actions, like: Ishikawa chart, FMEA, quality circles, benchmarking, monitoring of competitors. The multiplicity of sources and methods makes it difficult to compile one compact and efficient preventive actions process. Moreover, it requires extensive management knowledge, which is not always available in the organization.

The other problem was the lack of economic rationale in the ISO 9001 requirements. An organization taking preventive actions should know their impact on the business; otherwise it has no motivation to implement them. Meanwhile, the former standard included no requirements regarding the economic effects of the actions taken (e.g. quality costs, efficiency analysis).

The standard does not define clearly enough what could be treated as prevention. In fact every small improvement should be counted, as well as large investment programs, as they all have an impact on the quality management system. But top management in many organizations think that those actions are either too little serious or too big to be treated as prevention. Therefore they are not recorded.

Due to the limitations mentioned, preventive action processes are often pretended by organizations: no real actions are taken according to the procedures, the records are completed just before the audit, or there are no records at all. The situation is better in large companies, in which more extensive management knowledge is available, more people are involved in improvement and awareness among employees is higher. Additional motivation schemes prove to be very helpful in encouraging people to identify potential problems. However, in small organizations almost all improvement actions are taken by the company owner, often without employee participation. The owner does not feel the need to document his/her ideas. As more and more small enterprises certify their quality management systems, the need for a change in the ISO 9001 requirements regarding preventive actions becomes increasingly evident.

3. RISK MANAGEMENT METHODOLOGY IN CONTEXT OF CONTINUOUS IMPROVEMENT

Organizations usually operate in a situation of risk. It means they cannot know the future, but they are able to calculate the distribution of possible future situations. Rarely are enterprises in a situation of certainty, when they know everything about the decisions they make and their effects. Equally rare is a situation of uncertainty, when nothing can be said about the effects of decisions.

Risk management is defined briefly in ISO 31000 as "coordinated activities to direct and control an organization with regard to risk" [2]. This definition does not explain the idea behind risk management, which is identifying potential risks before they occur, analyzing them and taking steps to mitigate them. This idea is very similar to preventive actions; however, behind it there is a large number of methods and techniques which facilitate the implementation and operation of risk management in the company.

The risk management process includes four steps:
- context determination,
- risk assessment, which includes:
  - risk identification,
  - risk analysis,
  - risk evaluation,
- risk treatment,
- monitoring and review.

Some authors include a fifth step: communication and consultation. This step, together with monitoring and review, is active throughout the whole risk management process and supports the other steps, as shown in Figure 1.

It should be indicated that this methodology is not the only one available in risk management. It assumes that the enterprise can choose between different scenarios and has the time to run the process. If this is not the case, a methodology that comes from the military can be more appropriate [3]:
- identify hazards,
- assess hazards,
- make risk decisions,
- implement controls,
- supervise.

When time is critical, an even shorter methodology can be used [3]:
- assess the situation,
- balance your resources,
- communicate risk and intentions,
- do and debrief.

In the case of improvement planning in quality management systems, the full process should be used if possible, as it enables finding the best solutions.

The two main indicators of risk level are the probability of occurrence and the consequences of the event. Probability can be determined qualitatively or quantitatively. In the case of mass production or frequent occurrence of the analyzed phenomena it is possible to assess probability based on figures. However, in most cases this method can lead to wrong interpretation due to limiting the analysis to numerical data only. A good example is a flood caused by high rainfall. Statisticians can determine the probability of such a disaster based on data from previous years; however, they are unable to predict climate changes in the future. Therefore risk analysis should not be limited only to figures that are readily available. Qualitative estimation refers to understanding the situation and a descriptive determination of the probability level. This method is less precise and is less resistant to bias.

Figure 1 - Risk management process [4]

The consequences of the event should be analyzed in many aspects before they are aggregated into one indicator. The aspects which should be taken into account are, e.g.:
- costs,
- durability,
- politics,
- social responsibility,
- financial impact,
- organization integrity,
- employees,
- health and safety,
- environment,
- regulations,
- reputation.

They are usually evaluated on a 5-level scale of impact, where the first level means almost no effect and the fifth means catastrophic results. The product of probability and consequences gives the composite risk index, which can be used to rank the risks:

$CRI_i = P_i \times C_i$,

where:
$CRI_i$ – composite risk index,
$P_i$ – probability of risk i,
$C_i$ – aggregated consequences of risk i.

An organization trying to mitigate risk should implement solutions that will reduce consequences or probability. There are several ways to achieve this:
- refusing – the organization refuses to take actions that entail increased risk,
- avoidance – the organization changes its processes in such a way that occurrence of the risk is less probable,
- stopping – the organization implements solutions that remove the possibility of occurrence,
- reduction – the organization changes its processes in such a way that consequences are minimized,
- transfer – the organization transfers part of the consequences to business partners using outsourcing, joint ventures, etc.,
- insurance – the organization does not change the CRI, but ensures compensation of losses.

The worst way of dealing with a risk is ignoring it. In that case the organization does not have to bear the costs of protection, but it is exposed to the full effects of the risk when it occurs.

In contrast to preventive actions, risk management methodology offers a wide range of methods supporting the identification and analysis of risks [5]:
- risk rankings,
- CPI analysis,
- risk maps,
- residual risk analysis,
- gain/loss curves,
- risk adjustment,
- statistical methods,
- financial methods,
- brainstorming,
- interviews,
- self-assessment,
- facilitated workshops,
- SWOT analysis,
- PEST analysis,
- risk surveys and questionnaires,
- scenario analysis.
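The composite risk index, the 5-level impact scale and the treatment options described above can be turned into a small risk register. The following Python is an added example, not code from the paper: it assumes that the worst-scoring aspect gives the aggregated consequence $C_i$ (the paper does not prescribe an aggregation rule), that probability level 0 may be used to mean "occurrence made impossible", that each treatment is modelled as a one-level adjustment of $P_i$ or $C_i$, and it uses a constructed sample register whose risk names, scores and treatment plan are made up.

```python
"""Composite risk index (CRI) register: scoring, ranking and residual risk after treatment.

Added example, not from the paper. Assumptions: impact aspects are scored on the
5-level scale and aggregated by taking the worst aspect (the paper does not say how
to aggregate); probability is a level 1..5, with 0 meaning the possibility of
occurrence has been removed; treatments are modelled as one-level adjustments.
"""
from dataclasses import dataclass, replace
from typing import Dict, List, Tuple

IMPACT_LEVELS = range(1, 6)       # 1 = almost no effect ... 5 = catastrophic results
PROBABILITY_LEVELS = range(0, 6)  # 1..5 as in the paper; 0 = occurrence made impossible


@dataclass(frozen=True)
class Risk:
    name: str
    probability: int               # P_i
    consequences: Dict[str, int]   # aspect -> impact level (costs, reputation, health and safety, ...)
    compensated: bool = False      # set by the insurance treatment; leaves the CRI unchanged

    def aggregated_consequence(self) -> int:
        """C_i: one indicator built from the per-aspect impacts (assumption: worst aspect wins)."""
        if not self.consequences:
            raise ValueError(f"{self.name}: no consequence aspects scored")
        for aspect, level in self.consequences.items():
            if level not in IMPACT_LEVELS:
                raise ValueError(f"{self.name}: aspect {aspect!r} has invalid level {level}")
        return max(self.consequences.values())

    def cri(self) -> int:
        """Composite risk index CRI_i = P_i * C_i, range 0..25."""
        if self.probability not in PROBABILITY_LEVELS:
            raise ValueError(f"{self.name}: invalid probability {self.probability}")
        return self.probability * self.aggregated_consequence()


def rank_risks(risks: List[Risk]) -> List[Tuple[str, int]]:
    """Rank risks by CRI, highest first; ties are broken by name so the register is stable."""
    return sorted(((r.name, r.cri()) for r in risks), key=lambda t: (-t[1], t[0]))


def _lower(level: int) -> int:
    """Drop one level but never below the lowest level of the scale."""
    return max(level - 1, 1)


def apply_treatment(risk: Risk, treatment: str) -> Risk:
    """Residual risk after one of the treatment options listed in the paper.

    Modelling assumptions (added here, not from the paper):
      refusing / stopping  -> probability 0: the activity is not taken up or the
                              possibility of occurrence is removed;
      avoidance            -> probability drops one level (occurrence less probable);
      reduction / transfer -> every consequence aspect drops one level (consequences
                              minimised, or part of them carried by a partner);
      insurance            -> CRI unchanged, losses compensated.
    """
    if treatment in ("refusing", "stopping"):
        return replace(risk, probability=0)
    if treatment == "avoidance":
        return replace(risk, probability=_lower(risk.probability) if risk.probability else 0)
    if treatment in ("reduction", "transfer"):
        return replace(risk, consequences={a: _lower(l) for a, l in risk.consequences.items()})
    if treatment == "insurance":
        return replace(risk, compensated=True)
    raise ValueError(f"unknown treatment {treatment!r}")


def residual_register(risks: List[Risk], plan: Dict[str, str]) -> Dict[str, Tuple[int, int]]:
    """Map risk name -> (CRI before treatment, CRI after the treatment chosen in `plan`)."""
    result = {}
    for risk in risks:
        treated = apply_treatment(risk, plan[risk.name]) if risk.name in plan else risk
        result[risk.name] = (risk.cri(), treated.cri())
    return result


# Constructed sample register (names, levels and plan are made up for the example).
SAMPLE_RISKS = [
    Risk("Unpatched public web server", 4, {"reputation": 5, "regulations": 4, "costs": 4}),
    Risk("Backups never restore-tested", 3, {"costs": 4, "reputation": 3, "regulations": 3}),
    Risk("Key supplier outage", 2, {"costs": 3, "employees": 2}),
    Risk("Office flood (high rainfall)", 1, {"costs": 5, "health and safety": 4}),
]
SAMPLE_PLAN = {
    "Unpatched public web server": "reduction",
    "Backups never restore-tested": "avoidance",
    "Key supplier outage": "stopping",
    "Office flood (high rainfall)": "insurance",
}

if __name__ == "__main__":
    for name, score in rank_risks(SAMPLE_RISKS):
        print(f"CRI {score:2d}  {name}")
    for name, (before, after) in residual_register(SAMPLE_RISKS, SAMPLE_PLAN).items():
        print(f"{name}: {before} -> {after} ({SAMPLE_PLAN[name]})")
```

Running the script ranks the constructed register (20, 12, 6, 5) and then shows the residual index per treatment; the insured flood keeps its CRI of 5, which is exactly the point the paper makes about insurance, while the stopped supplier risk drops to 0 and the reduced and avoided risks fall by one level of consequence or probability respectively. Whatever aggregation and adjustment rules an organization chooses, making them explicit in code like this is what lets it explain, as the paper asks, why a given amount of resources was assigned to a treatment.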

Some of the abovementioned methods were adopted from other areas of management, statistics or finance. Failure Mode and Effects Analysis (FMEA) and quality control cards are examples of methods adopted from quality management.

Contemporary information technology offers a range of applications supporting employees responsible for risk management, e.g.: early warning systems (mainly financial), project risk management software, data management tools for operational risk management. The most advanced ones offer a risk management information system which gathers and analyzes data from the entire company and its environment.

Identification, assessment and treatment of risks engages managers and skilled workers, as well as financial resources. Therefore, on the one hand it limits losses due to the occurrence of risks and helps utilize chances, but on the other hand it limits the growth and development potential of the company. It is important to balance those two effects. To limit costs, risk management is often implemented in companies as a process repeated from time to time, e.g. when a new project is launched or to assess a new situation on the market. However, using risk management to obtain continuous improvement of the management system will require running the process on a regular basis. This can lead to a situation where the costs outweigh the revenues. Therefore it is crucial to design the process well.

The risk management process is usually aimed at achieving specified objectives, e.g. a product or a project. In the case of continuous improvement, where everything can be improved, this process has to be more versatile. It should be able to deal with risks related to products, markets, processes, organizational structure, skills, etc. Those issues should be taken into account in the implementation of risk management into quality management systems.

4. RISK MANAGEMENT IN ISO STANDARDS

The issue of risk in management systems appeared in the ISO standards in 1996, with the publication of ISO 13335-1. It was developed further by ISO 13335-3 in 1998. Those standards were developed in the context of information security. Their approach was adopted by the standard for information security management systems (ISO 27001:2005). Risk management in those standards comprised the following steps (ISO/IEC TR 13335-3, 1998, p. 17):
- assets identification,
- assessment of assets value,
- identification of threats,
- identification of vulnerabilities,
- identification of existing protections,
- risk level estimation,
- evaluation of the options for treatment of risk,
- selecting controls for the treatment.

That procedure was overly complicated and too inflexible to be used on a regular basis. Identification of assets and their value, as well as of threats and vulnerabilities, did not add much value to the whole process of risk management.

In 2009 an alternative emerged: ISO 31000 Risk management – principles and guidelines. That standard presented a new, less bureaucratic approach, closer to project risk management and operational risk management methodologies. The model of risk management in ISO 31000 is presented in Figure 2.

According to the principles introduced by ISO 31000 (left part of Figure 2), risk management should be an integral part of all organizational processes. It should be a systematic approach to address risks that are related to the organization or its environment. It should include all important aspects of company operation (people, capabilities, culture, etc.). Properly implemented, risk management should facilitate continual improvement of the organization.

The risk management framework, which is constructed according to the PDCA cycle, includes (center part of Figure 2):
1. understanding the organization and its context, integration into processes, establishing communication and reporting mechanisms,
2. implementing the framework for managing risk, including the risk management process,
3. monitoring and review of the framework,
4. continual improvement of the framework.

The process (right part of Figure 2) is the most visible tool of the risk management methodology presented in ISO 31000. It comprises three key elements: establishing the context, risk assessment (identification, analysis, evaluation) and treatment. Monitoring and communication are complementary elements. The standard suggests implementing the process in such a way that it would be possible to call it from any other process, similarly to corrective or preventive actions. It means that the process should be kept simple, flexible, decentralized and quick to use. Otherwise it will add much work for managers and will create unnecessary bureaucracy.

Figure 2 - Risk management model in ISO 31000:2009 [2]

An organization which implements a quality management system according to ISO 9001 is not required to implement risk management consistent with ISO 31000; however, it is the most rational solution, as all management system standards will refer to the ISO 31000 methodology in future.

ISO 9001 requires the organization to consider the specificity of the organization and its context, as well as the needs and expectations of interested parties, when planning the quality management system. It should determine risks and opportunities and address them to:
- assure achievement of desired results,
- prevent undesired effects,
- achieve continual improvement.

Moreover, the organization should plan the actions necessary to address these risks and opportunities, integrate those actions into its QMS processes and evaluate their effectiveness. All actions should be proportionate to the potential impact on the conformity of products and services [6].

Risk management in ISO 9001 is better integrated with the quality management system than the former preventive actions. It exists on all levels of the organization. However, the standard does not supply any methodology, which can be confusing for companies implementing it. Only after reading ISO 31000 does it become clear how risk management should look to be compatible with the QMS.

The apparent shortcoming of the ISO 9001 requirements is the lack of economics of quality. The problem was already raised after the 2000 version. Ignoring the economic side of company management leads to a distortion of the quality management system idea. In practice high quality cannot be reached without economic calculation. Meanwhile, the ISO 9001 requirements concerning monitoring of the QMS (including risk management) refer to effectiveness instead of efficiency.

5. IMPACT OF CHANGES ON QUALITY MANAGEMENT SYSTEMS IN ORGANIZATIONS

In this part of the paper only changes related to the implementation of risk management are discussed. It should be noted that there are other changes in the ISO 9001:2015 standard which are not of interest to this article. Among the changes related to risk management required by the new standard are:
- withdrawal of the preventive actions procedure,
- determining the context of the organization,
- determining the needs and expectations of interested parties,
- implementation of the risk management process.

The preventive actions procedure is no longer required and should be replaced by a risk management procedure. Organizations that have joined corrective and preventive actions into one procedure should remove the part concerning preventive actions. Due to the merger of nonconformity and corrective actions in section 10.2, a merger of the procedures on these issues should be considered.

The external context of the organization includes all factors related to the environment that can influence objectives, strategy and risk appetite. It may include parameters related to culture, society, politics, legislation, regulations, finance, technology, economy, competition, natural environment [2]. The internal context includes, e.g.: governance, organizational structure, roles, accountabilities, policies, objectives, strategy, organization capability, information system, relations with stakeholders, organizational culture, implemented standards, relationships with partners [2]. Top management should identify all factors that are important, measure them and assess them in the context of the organization's sustainability, growth and development.

Additionally, top management should identify interested parties that can have an impact on the organization's ability to consistently provide products and services that meet customer and other requirements. The requirements of those parties should be determined. The word "consistently" refers to business continuity. Therefore it is required to assure business continuity solutions that prevent customers from receiving products that do not comply with the requirements. The effectiveness of those solutions should be adapted to the type of organization, products and customer requirements. Risk management should help assure business continuity thanks to, among others, extended planning.

The risk management process should consider risks as well as opportunities, which stem from the internal and external context of the organization and the requirements of interested parties. The aim is to assure achievement of intended results, prevent or reduce undesired effects and achieve continual improvement. The key part of the process is risk assessment, which includes identification, analysis and evaluation. All risks and opportunities should be assessed to determine their impact on the organization and its products. According to the specificity of the factors, the organization should apply the treatment. It can include, e.g.: refusing to carry out the activity, taking the opportunity, removing the risk source, sharing the risk. Each action should be proportionate to the potential impact on the conformity of products and services. The organization should be able to explain why a certain amount of resources was assigned to risk management actions.

The organization should evaluate the effectiveness of the planned actions. The evaluation should compare objectives with results. The standard does not require an evaluation of the economics of those actions unless it is clearly stated in the objectives.

The risk management process in medium and large companies should be decentralized, as the standard requires integration on the level of quality management system processes. A centralized process can significantly increase bureaucracy and managers' workload. Decentralization, however, requires more training. Only establishing the context and monitoring activities should be centralized and managed by the quality manager (top management representative). In small companies the risk management process can be centralized and limited to top management.

The new requirements entail both benefits and costs for organizations. Top management receives a tool for prevention and continual improvement that can do its job. It can be much more effective than preventive actions when properly implemented. The requirement to evaluate the effectiveness of risk management actions will deliver information about improvement and economic effects. This can encourage top management to extend the risk management process and invest in improvements. Finally, it can lead to a better quality management system. The costs are related to the required changes and the design and implementation of the new process. At least all the managers should be trained in the risk management process, which is related to further costs. A big change is required in the approach to continual improvement, which was pretended in many companies. The benefits of the change can be diminished if certification bodies treat the new requirements too lightly during audits. Overall, it is probable that the benefits of proper implementation will significantly exceed the costs.

6. CONCLUSION

The new requirements of the ISO 9001 standard are important changes; however, they will not revolutionize the system. The old preventive actions did not work well because the methodology related to them was never developed enough. Risk management has its own developed methodology which is ready to use. Moreover, it is well known in larger enterprises, which facilitates implementation. The methodology was already used in the ISO 27001 standards and proved to be effective.

ISO 9001 still does not refer to the economics of quality. The idea of quality should be treated as a way of obtaining better economic results, not in isolation. ISO 9004 mentions quality costs and efficiency issues, but it is not required to get the certificate. The same problem exists with risk management, which is not related to economic effects. This can diminish the benefits of implementing the new requirements.

The changes which companies have to implement due to the revision have limited scope. They include mainly training, changes in documentation and processes.

REFERENCES:

[1] ISO 9001:2008 Quality management systems – requirements, ISO, Geneva 2008.
[2] ISO 31000:2009 Risk management – principles and guidelines, ISO, Geneva 2009.
[3] Department of the Navy (2009). Time Critical Risk Management. Washington.
[4] Cooper D., Grey S., Raymond G., & Walker P. (2005). Project Risk Management Guidelines.
Chichester: Wiley & Sons.
[5] Enterprise risk management: tools and techniques for effective implementation. Institute of Man-
agement Accountants, Montvale 2007.
[6] ISO/DIS 9001:2015 Quality management systems – requirements, ISO, Geneva 2014.
[7] ISO/IEC 27001:2005 Information technology – Security techniques – Information security management systems – Requirements, ISO, Geneva 2005.
[8] ISO/IEC 27001:2013 Information technology – Security techniques – Information security man-
agement systems – Requirements, ISO, Geneva 2013.

Acknowledgment: The publication was financed from the resources allocated to the Management Faculty
of Cracow University of Economics, under the grant for the maintenance of the research potential.
