Successfully Incorporating Risk in ISO 9001:2015


Post on 26-Jun-2020


www.etq.com

ISO 9001:2015 Brings a Change in Mindset

The latest ISO revisions present a shift in mindset towards quality as an underlying concept throughout all organizational operations. Leaders are urged to make quality a priority across all aspects of business, not just those directly involved with quality management decisions. With that shift also comes an emphasis on risk-based thinking as the foundation for all quality decisions. A risk-focused quality management system (QMS) streamlines compliance by creating an entire system around a central focus. Centralizing your system helps you maintain compliance while keeping up with the fast-paced changes and new business challenges.

Operational Risk Management: What and How?

To properly manage risk, you need to understand what risk is and how it applies to your organization. Risk is the likelihood that a hazard will lead to a negative consequence or adverse event. Once you have defined risk and understand it, you can apply the general steps of the Risk Management process to your organization:

1. Identify all relevant risks: Use internal audits, surveys and other documents to catalog your organization’s hazards and determine which ones present a risk.

2. Quantify the risks: Use variables such as severity and frequency to quantify the risks and prioritize which ones should be dealt with first.

3. Treat the risk: Depending on the severity and frequency of the risk, it can be handled in a variety of ways:

• Acceptance: If the event has a low enough risk level that implementing controls would take more time and effort than recovery measures, it can often be ignored.

• Reduction: When risks are slightly above the acceptable threshold, they should be mitigated, even though this may not be the highest priority action.

• Compensation: When risks are moderately severe or frequent, you can design an “insurance policy,” putting extra effort into changing processes to prevent the event.

• Avoidance: When a risk is very severe or very likely to happen, it must be a priority to implement preventive controls.

4. Implement a control: Put actions in place—like safety precautions, employee training or a procedural change—to reduce risk.

5. Manage change: Introduce the risk controls and monitor the new processes while making improvements where necessary.

Risk Management in ISO 9001:2015

The new standard affects how organizations structure their quality systems and the supporting leadership. Section 5 prescribes leadership roles, stating that leaders should focus on creating a culture of risk-driven quality decisions throughout all operations. That way, risk-driven quality is a priority for all team members. Section 6 focuses on planning a QMS based on the various risks and opportunities that your organization presents. From there, you should take action, using objective tools backed by real-world data to document all activities and make risk-driven decisions.


Common Tools for Leveraging Risk Management

Depending on the specific needs of your organization, you can utilize one or more Risk Management tools for systematic, objective and repeatable risk assessment and analysis.

1. Decision Tree: This is a map that connects possible decision points in a logical order of occurrence to see all the possible outcomes of a given event and the subsequent decisions. It’s a simple tool that shows the effect that a single decision point can have on a series of events. You can pinpoint exactly which decision has the biggest impact on risk and use that to make decisions.

2. Risk Matrix: This is a commonly used, visual representation of risk. The risk matrix quantifies risk level using tested assumptions about an event, most commonly severity and frequency. Those levels are put on a numerical scale and the given event is plotted in the matrix accordingly. Different intervals on the matrix are labeled with different colors based on personalized algorithms to determine if a risk is acceptable, needs mitigation or needs to be avoided.

3. Failure Modes and Effects Analysis (FMEA): This is designed to identify possible failures during the design phase of a product, so you are aware of potential issues before the product is even produced. The different components of the design are broken down and assessed for risk at that level.

4. Bowtie Matrix: This tool is used for events that have a low occurrence probability, but are potentially catastrophic. It highlights the proactive and preventive measures that you can use to mitigate the risk and prevent the event. The undesired event is plotted in the middle with preventive measures on the left side and recovery controls to minimize damage on the right side. In one single view you see the ways to prevent the unwanted event as well as ways to respond to it if it were to happen.

5. Risk Register: This tool helps you plan your risk management efforts and manage them over time. The first component of a risk register is a library of hazards, which is a reference of all the known hazards in your organization. The second component is a collection of risk data for all of your processes that can be used for trend reporting, so you can check the effectiveness of your risk management procedures.

Risk assessment and management are key factors in transitioning to the ISO 9001:2015 standard. To best meet this standard, you should leverage risk management tools that maximize the impact of risk data while minimizing the time and effort to collect and analyze the data.
