ISO 9001:2015

Clause 6.1 Actions to address risks and opportunities

This is a significant requirement, new in the 2015 release of ISO 9001, which requires organisations to identify those risks and opportunities that have the potential to impact (negatively or positively) on the operation and performance of the management system.

We will therefore spend a little more time with this article.

The requirement:

When planning for the management system, the organisation is required to consider article 4.1 (internal and external context in which the organisation operates) and article 4.2 (the requirements of interested parties) and establish the risks and opportunities that need to be addressed in order to:

  1. Assure that the management system can achieve its intended results,
  2. Enhance desirable effects,
  3. Prevent, or reduce, undesired effects,
  4. Improve.

In addition, the organisation must plan appropriate actions to address these risks and opportunities and to integrate and implement the actions into the management system processes (see article 4.4) and evaluate the effectiveness of these actions.

Actions taken to address risks and opportunities must also be proportionate to the potential impact on the conformity of products and services.

Comment:

Section 6.0 of ISO 9001:2015 is primarily concerned with the “Plan” part of the Plan, Do, Check, Act cycle.

The concept of risk has always been implied in the 9001 standard (i.e. the now deleted reference to “Preventive Action”). The 2015 update, however, makes it much more explicit and builds it into the whole management system. From the Introduction, where the concept of risk-based thinking is first explained, to Clauses 4, 5, (6), 9 and 10, risks and opportunities are required to be considered and acted upon. (Risk-based thinking is also implied in clauses 7 & 8, as risk can be considered implicit whenever “suitable” or “appropriate” is referred to.)

The intent is that by addressing risk throughout the business processes, the output quality is more consistent and customers are more likely to receive the required products or services. The emphasis on organisations assessing their own unique risks and opportunities has also enabled a reduction in prescriptive requirements in the standard. (Critics may term this as being more “woolly!”)

Methodology: Plan, Do, Check, Act

Although there are many tools and methodologies available, ISO 9001:2015 does not require a formal risk management process and there is no specific requirement on how to document the results of determinations of risks and opportunities. It is therefore up to each organisation to determine the extent of documentation needed to provide objective evidence of the application of appropriate risk-based thinking. (The important thing, of course, is to do whatever is right for your business.)

To this end, the Plan, Do, Check, Act approach (as defined in section 0.3.2 of the standard) can be used to great effect:

First, determine the risks and opportunities, for example by considering:

  • The relevant requirements of relevant interested parties (stakeholders).

(EG: Customers, regulators, shareholders, board members, staff, competitors, and subcontractors / suppliers.)

  • Analysis of external and internal issues.

(EG: Legal, technological, competitive, market-related and cultural, social and economic environments, whether international, national, regional or local. Values, culture, knowledge and performance of the organisation.)

  • The scope of the management system.
  • The organisation's processes and their interrelationship.

Possible inputs to this process could include:

  • Legislative changes,
  • Product and process design innovations,
  • New contract or project launches,
  • Strategic planning,
  • Management review,
  • Customer feedback,
  • Market research and trends,
  • Competitor analysis,
  • Benchmarking,
  • SWOT analysis,
  • Operational performance / Key Performance Indicators,
  • Staff surveys,
  • Human resource plans,
  • Supplier development activities,
  • Management system audit results,
  • Corrective actions analysis,
  • Brain-storming activities.

Next, analyse and prioritise risks.

IE: What is the probability and severity? (What is acceptable or unacceptable and hence requiring mitigation?)

Methods might include:

  • Research,
  • Analysis of data,
  • Formal risk assessment / prioritisation tools such as brainstorming, FMEA, risk registers, Pareto analysis, Pugh matrix,
  • Meetings output.

Plan, Do, Check, Act

Next, plan actions to address the risks / opportunities (Plan) and implement them (Do).

EG:

For Opportunities:

  • New practices
  • Adopting / developing new technology
  • Design of new products or services
  • Opening new markets
  • Identifying new customers
  • Building relationships with strategic suppliers.

For Risk:

  • Actions to avoid the risk
  • Deciding to take an identified acceptable risk in order to pursue an opportunity
  • Eliminating the risk at source
  • Changing the probability or consequences, sharing the risk
  • Retaining risk by informed decision.

(Remember, planned actions must be proportionate.)

Possible tools and techniques:

  • Improvement projects
  • Action plans
  • Design Reviews
  • Capital Investment plans
  • The revision of old, or the setting of new, objectives
  • Training
  • Procedures / work instructions review

(Check) the effect of the planned action, i.e. by monitoring and measuring the actions taken through the gathering, analysing and evaluating of data, to determine their effectiveness. E.g. via:

  • Key Performance Indicators
  • Business metrics
  • Internal audits
  • Monitoring of corrective actions and action plans and subsequent reporting into management reviews.

(Act) Embed the new state / revisit the PDCA cycle

If (from the Check phase) the actions have been effective, the new state should be embedded (i.e. revised practices, processes, etc.); if not, repeat a new PDCA cycle.

(See also article 6.3 Planning of changes.)

Note:

For complex systems, an alternative, highly structured process may be required (such as Six Sigma).

ISO 31000 Risk management - Principles and guidelines may also be a useful reference for organisations that require a more formal approach to risk. It can be used by any business regardless of its size, activity or sector, but its use is not a mandatory requirement of ISO 9001:2015.

(See also article 9.1.3 Analysis and Evaluation)

Audit Check:

These guidelines and lists are by no means exhaustive and every organisation will have its unique risks and opportunities. However, businesses need to be prepared to demonstrate to auditors that a systematic, planned methodology is in place that allows them to determine the risks and opportunities relevant to the planning and implementation of the management system.

As risk-based thinking is now embedded throughout the standard, auditors are being advised to assess compliance when conducting audits across the entire breadth of the management system, including when interviewing top management (risk can of course impact on the business strategy) and ensuring that the effectiveness of planned actions (Act) has been followed up, as this is the most common point of failure in the Plan, Do, Check, Act process.

A word on Covid-19

In 2020, the Coronavirus pandemic severely tested business continuity plans worldwide. Organisations had to react rapidly and make significant changes to procedures and processes in order to protect workforces and maintain quality and continuity of supply of goods or services. The risks associated with pandemics are therefore now recognised as a very real threat which businesses will be expected to have considered (risk assessed) and to have put in place plans to mitigate the potential impact.

This article is the property of David Barker Consulting © and is free for you to use. If you wish to reproduce elsewhere, please be so kind as to ask permission first and credit me as your source. If you need any further assistance, feel free to use my contacts page to get in touch and let me know how I can help!

David Barker CQP MCQI
