A company is successful when, on the one hand, it systematically recognizes, analyzes, and seizes opportunities and, on the other hand, identifies the associated risks and acts accordingly. The risk-based approach in ISO 9001 is primarily about identifying the effects of business uncertainties and determining the risks as a basis for planning. The subject of “risk” is not entirely new in a quality management system: in earlier versions of ISO 9001, it was embedded in the requirements for preventive actions. With ISO 9001:2015, that clause was dropped and replaced by the consideration of risks and opportunities.

WHAT IS A RISK-BASED APPROACH?

The starting point for careful consideration of opportunities and risks is the sharpened focus of DIN EN ISO 9001:2015 on achieving “intended results”. This applies both to the quality management system (QMS) and to the processes required for it.

The standard defines risk as the “effect of uncertainties” on an expected outcome.

DIN EN ISO 9001:2015 – Quality management systems.

The intended results, in turn, follow from the scope of the management system, whose aim is to provide products and services that must meet the following:

  1. Customer requirements
  2. Legal and/or official requirements
  3. Company specifications

HOW DO YOU REGULATE RISKS AND OPPORTUNITIES?

The risk-based approach runs like a common thread through ISO 9001. Chapter 6.1 (Planning) of the well-known ISO standard sets general requirements for dealing with risks and opportunities. However, the standard only stipulates that corresponding measures must be planned, integrated into the quality management system, implemented, and evaluated for their effectiveness. How this requirement is to be implemented is not specified.

Neither is a comprehensive risk management system, e.g. one based on the standard ISO 31000, called for, nor is there any mention of a formal risk management process. ISO 9001 likewise contains no requirements regarding specific methods to be used for risk identification or risk assessment.

Otherwise, the following applies:

  1. Avoid risks,
  2. Eliminate sources of risk,
  3. Influence the probability of occurrence,
  4. Influence the possible consequences, or
  5. Take risks deliberately on the basis of a well-founded decision, e.g. to take advantage of an opportunity.

RISK-BASED APPROACH – WHAT DOES THE STANDARD REQUIRE?

Identification (determination) of risks and opportunities in order to

  1. Ensure the achievement of the results intended,
  2. Reinforce the desired effects – these are the opportunities,
  3. Prevent or lessen undesired risk effects, and
  4. Achieve improvements.

Evaluation of the identified, specific risks and opportunities. No mandatory methods are named here, but common, established tools are certainly recommended, for example:

  1. (Process) FMEA
  2. SWOT analyses
  3. ABC analyses
  4. Risk matrix

Derive measures from the identified risks and opportunities. These can

  1. Relate to the elimination or avoidance of the risk or the source of the risk,
  2. Be aimed at reducing the risk through a change in the probability of occurrence or the effects or consequences, or
  3. Include the acceptance of the risk, e.g. to take advantage of an opportunity.

Evaluation of the effectiveness of the measures, e.g. on the basis of

  1. The non-occurrence of an identified risk,
  2. The lowering of the probability of occurrence or
  3. The reduction of the effects, e.g. through insurance or contractual safeguards in customer contracts.

DOCUMENTED INFORMATION AS EVIDENCE

The question of the form and extent in which documented information is required as evidence can be answered as follows: the relevant chapters of the standard contain no specific, precise requirements!

Instead, Annex A.4 of the QM standard ISO 9001 states: “… the organization is responsible for applying risk-based thinking and for initiating measures to deal with a risk, including answering the question of whether or not documented information as evidence of the determination of risks is to be retained by it.”

To put it more simply: the organization determines this for itself, not the standard! Nor is it determined by the certification body or its auditors.

INTERESTED PARTIES AND THEIR RELEVANT REQUIREMENTS

One aspect that should not be overlooked is the consideration of the essential requirements of the interested parties relevant to the quality management system (QMS) (Section 4.2).

“Relevance” should be interpreted as follows:

The effect on the organization's ability to consistently provide products and services that conform to customer expectations and to legal and regulatory requirements. This means that these requirements must also be taken into account in the context of the risk-based approach (Section 6.1.1 Planning).

DIFFERENTIATION BETWEEN OPPORTUNITIES AND RISKS IN TERMS OF ISO 9001

In addition to the consideration of risks, the requirement of the standard also addresses the opportunities that can arise from risks. However, many companies are faced with the question of what specific opportunities can be. An opportunity is not the same as the achievement of intended results; that is a fundamental requirement for the management system and its processes.

In the QM standard, an opportunity is understood as a “chance” that can arise when a company takes a manageable risk. Chapter 0.3.3 of ISO 9001 gives useful guidance on this; it lists the following examples of opportunities:

  1. Customer acquisition,
  2. Development of new products and services,
  3. Reduction of rejects and waste,
  4. Improvement of productivity.

CONCLUSION ON THE RISK-BASED APPROACH IN ISO 9001

Risks are the “effects of uncertainty”. This means that risks can also result in opportunities. Opportunities can, for example, lead to the acquisition of new customers and the opening up of new markets, but this also means that opportunities can in turn lead to uncertainties and the associated risks.

All in all, we recommend addressing possible opportunities with the same intensity with which risks are determined and assessed and measures derived from them. Opportunities, too, are to be determined and evaluated, and measures taken.