This is a significant requirement, new in the 2015 release of ISO 9001, which requires organisations to identify those risks and opportunities that have the potential to impact (negatively or positively) on the operation and performance of the management system.
We will therefore spend a little more time with this article.
When planning for the management system, the organisation is required to consider article 4.1 (internal and external context in which the organisation operates) and article 4.2 (the requirements of interested parties) and establish the risks and opportunities that need to be addressed in order to:
In addition, the organisation must plan appropriate actions to address these risks and opportunities and to integrate and implement the actions into the management system processes (see article 4.4) and evaluate the effectiveness of these actions.
Actions taken to address risks and opportunities must also be proportionate to the potential impact on the conformity of products and services.
Section 6.0 of ISO 9001:2015 is primarily concerned with the “Plan” part of the Plan, Do, Check, Act cycle.
The concept of risk has always been implied in the 9001 standard, i.e. the now-deleted reference to “Preventive Action”. The 2015 update, however, makes it much more explicit and builds it into the whole management system. From the Introduction, where the concept of risk-based thinking is first explained, to Clauses 4, 5, (6), 9 and 10, risks and opportunities are required to be considered and acted upon. (Risk-based thinking is also implied in clauses 7 and 8, as risk can be considered implicit whenever “suitable” or “appropriate” is referred to.)
The intent is that by addressing risk throughout the business processes, the output quality is more consistent and customers are more likely to receive the required products or services. The emphasis on organisations assessing their own unique risks and opportunities has also enabled a reduction in prescriptive requirements in the standard. (Critics may term this as being more “woolly”!)
Methodology: Plan, Do, Check, Act
Although there are many tools and methodologies available, ISO 9001:2015 does not require a formal risk management process and there is no specific requirement on how to document the results of determinations of risks and opportunities. It is therefore up to each organisation to determine the extent of documentation needed to provide objective evidence of the application of appropriate risk-based thinking. (The important thing, of course, is to do whatever is right for your business.)
To this end, the Plan, Do, Check, Act approach (as defined in section 0.3.2 of the standard) can be used to great effect:
First, determine the risks and opportunities, for example by:
(e.g. customers, regulators, shareholders, board members, staff, competitors, and subcontractors / suppliers.)
(e.g. legal, technological, competitive, market-related and cultural, social and economic environments, whether international, national, regional or local; values, culture, knowledge and performance of the organisation.)
Possible inputs to this process could include:
Next, analyse and prioritise risks.
i.e. what is the probability and severity? (What is acceptable or unacceptable and hence requires mitigation?)
Methods might include:
Plan, Do, Check, Act
Next, plan actions to address the risks / opportunities (Plan) and implement them (Do).
(Remember, planned actions must be proportionate.)
Possible tools and techniques:
Next, check the effect of the planned action (Check), i.e.:
(Act) Embed the new state / revisit the PDCA cycle
If (from the Check phase) the actions have been effective, the new state should be embedded (i.e. revised practices, processes, etc.); if not, repeat a new PDCA cycle.
(See also article 6.3 Planning of changes.)
For complex systems, an alternative, highly structured process may be required (e.g. Six Sigma).
ISO 31000 Risk management – Principles and guidelines may also be a useful reference for organisations that require a more formal approach to risk. It can be used by any business regardless of its size, activity or sector, but its use is not a mandatory requirement of ISO 9001:2015.
(See also article 9.1.3 Analysis and Evaluation)
These guidelines and lists are by no means exhaustive and every organisation will have its unique risks and opportunities. However, businesses need to be prepared to demonstrate to auditors that a systematic, planned methodology is in place that allows them to determine the risks and opportunities relevant to the planning and implementation of the management system.
As risk-based thinking is now embedded throughout the standard, auditors are being advised to assess compliance across the entire breadth of the management system when conducting audits, including when interviewing top management (risk can of course impact on the business strategy), and to ensure that the effectiveness of planned actions (Act) has been followed up, as this is the most common point of failure in the Plan, Do, Check, Act process.
A word on Covid-19
In 2020, the Coronavirus pandemic severely tested business continuity plans worldwide. Organisations had to react rapidly and make significant changes to procedures and processes in order to protect workforces and maintain quality and continuity of supply of goods or services. The risks associated with pandemics are therefore now recognised as a very real threat which businesses will be expected to have considered (risk assessed) and to have put in place plans to mitigate the potential impact.
This article is the property of David Barker Consulting © and is free for you to use. If you wish to reproduce elsewhere, please be so kind as to ask permission first and credit me as your source. If you need any further assistance, feel free to use my contacts page to get in touch and let me know how I can help!
David Barker CQP MCQI