ISO 9001:2015 – Risk based thinking
November 09, 2015
One of the clauses in the new ISO 9001:2015 standard refers to Risk Based Thinking. Risk based thinking is now present in so many standards (examples include ISO 14971, OHSAS 18001, ISO 14001 and ISO 31000) that for most organizations it is a mind-set that many are comfortable communicating and operating with on a daily basis. By aligning with these standards, the ISO 9001 standard itself is being continually improved in order to minimise the work involved where the requirements of various standards are integrated.
For enterprises, bringing ISO 9001:2015 explicitly in line with other standards and including risk based thinking is sensible, as it aligns risk methodologies, mind-sets and mitigating actions across various standards and processes.
For ISO 9001:2015, the risk mind-set does not always come naturally to us. There are frequent occasions where the management and staff of an organisation are aware of potential risks but do not believe that these risks will ever occur; they fail to consider these risks as real and actual threats, and are often surprised when the risks become a reality. Whether risks are naturally occurring events or man-made, risk based thinking allows the organization to identify these risks, consider the severity of the outcome, and quantify which risks need to be acted upon and what mitigating actions are necessary for the enterprise to undertake.
Today, within the framework of ISO 9001:2015 this can be achieved through the development of an effective risk register. The risk register should be treated as a living document that works for your enterprise every day. At its simplest level, the register can outline
a) The risks the enterprise has identified as having an impact on its performance/continuation
b) The severity of the outcome
c) The likelihood of the outcome
d) The opportunity for the enterprise to detect the occurrence of an outcome.
Starting with top level management, the deeper Risk Based Thinking develops within the levels of an enterprise, the greater the opportunity the organization has of continually using risk based thinking to identify actual risks and put in place effective mitigating actions. This does require the collaboration and involvement of all staff, or as many of its staff as is practical. The enterprise does not have to have all staff fully conversant in the risk methodologies, but the tools are currently available, through modern day cloud communications or direct face to face interactions, to allow all staff to contribute what they consider to be the risks to the organization. It is important that all risks, real or perceived, are considered and included on the register. Once on the register, a risk can be assessed.
There will often be a residual risk, where each enterprise defines a point below which it decides specifically not to pursue an individual risk, as doing so is not considered practical on its own. One of the opportunities of risk based thinking in ISO 9001:2015 is that it facilitates the examination of these lower risk events. As the register of risks grows, there is often a family or cluster of singular risks that are similar or have an interrelationship. These can be brought together as a group and examined to identify whether a common mitigating action may have a risk reducing effect on two or more risks.
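As an added illustration (not from the original post) of the register fields a) to d) above and of the clustering just described, the following Python keeps a small constructed register, ranks entries against a residual-risk threshold, and finds mitigating actions shared by two or more risks. The 1-5 rating scale and the severity x likelihood x detectability score are assumptions in the FMEA style; the post itself prescribes no scoring formula.

```python
from dataclasses import dataclass, field
from collections import defaultdict


@dataclass
class Risk:
    """One register entry: fields a) to d) from the post, on an assumed 1-5 scale."""
    name: str                 # a) the identified risk
    severity: int             # b) how bad the outcome is (5 = worst)
    likelihood: int           # c) how probable the outcome is (5 = most likely)
    detectability: int        # d) how hard the occurrence is to detect (5 = hardest)
    mitigations: list = field(default_factory=list)  # actions/fixes already in place

    def score(self) -> int:
        # Assumed FMEA-style risk priority number; not a formula from the post.
        for v in (self.severity, self.likelihood, self.detectability):
            if not 1 <= v <= 5:
                raise ValueError("ratings must be on the 1-5 scale")
        return self.severity * self.likelihood * self.detectability


def rank(register, threshold):
    """Split the register into risks to act on (highest first) and the residual tail."""
    act = sorted((r for r in register if r.score() >= threshold), key=lambda r: -r.score())
    residual = [r for r in register if r.score() < threshold]
    return act, residual


def shared_mitigations(register):
    """Cluster risks by a common mitigating action; report the total score each action covers."""
    groups = defaultdict(list)
    for r in register:
        for m in r.mitigations:
            groups[m].append(r)
    return {m: (sum(r.score() for r in rs), [r.name for r in rs])
            for m, rs in groups.items() if len(rs) > 1}


# Constructed sample register for the example; not taken from the post.
REGISTER = [
    Risk("backup restore untested", 5, 3, 4, ["quarterly restore drill"]),
    Risk("single admin holds all credentials", 4, 2, 3, ["documented handover", "MFA on admin accounts"]),
    Risk("supplier outage", 3, 3, 2, ["second supplier"]),
    Risk("stale contact list for incident call-out", 2, 3, 4, ["quarterly restore drill", "documented handover"]),
    Risk("printer runs out of toner", 1, 5, 1, []),
]

if __name__ == "__main__":
    act, residual = rank(REGISTER, threshold=20)
    print("act on:", [(r.name, r.score()) for r in act])
    print("residual:", [r.name for r in residual])
    print("shared mitigations:", shared_mitigations(REGISTER))
```

Note that the low-scoring "stale contact list" entry still surfaces through the shared-mitigation view, which is the point the post makes about lower risk events being worth examining as a cluster.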
Where there are risks and the enterprise has put in place actions or fixes to prevent or minimise the occurrence of these specific risks, every enterprise should be careful to consider how strong these fixes are and what they depend on, for example human behaviour, infrastructure and utilities.
In all major post-event investigations where there has been a substantial loss of business or life, there has been a series of risk mitigating actions or fail-safes of which one or more failed, or were directly or indirectly circumvented, ignored or not fully understood by users.
By starting to use risk based thinking effectively, ISO 9001:2015 allows your enterprise to take effective steps to meet the challenges that lie ahead.