Risk-based thinking is a sore point among many Quality professionals. Even so, identifying risk, analysing the consequences, probability and level of risk (i.e. risk analysis) and risk evaluation using formal techniques are becoming increasingly important tasks in the global business world.
I am sceptical about the subject of demonstrating risk-based thinking to a certification auditor when they assess your quality management system. Of course, it's possible that you won't be subject to an intensive grilling if the Standard does not require you to produce the outputs from your risk assessment processes or evidence of a formal risk management system. Although if risk-based thinking is required by ISO 9001:2015 to plan and control the quality management system (QMS) and component processes and activities, it is unlikely to be ignored in the certification audit process.
Which begs the question:
Assessing “Risk-based thinking" is likely to form a sizeable section of the ISO 9000 Guidance documents that, along with the ISO 9001:2015 Standard, are yet to be published. And since waiting until September may not be an option for those of you looking to transition from the 2008 Standard as rapidly as possible in 2015-2016, I thought that it would be a 'fun' idea to look at how you might go about this interesting 'thinking' task so as to produce (a) evidence that you could show to an assessor [HEALTH WARNING: nobody yet knows exactly what they will be asking for - and they don't know themselves either, unless they are the ones writing the guidelines!], and (b) a useful way of identifying, evaluating and treating the kind of risks that apply to the processes used in Quality Management.
In my post ISO 9001:2015 – The likely impact (Part II), February 4, 2015, I suggested the following basic checklist of tasks...
Analyse and prioritize the risks and opportunities in your organisation:
Then plan actions to address the risks. Ask yourself:
Then ...
However, this list presupposes that you have identified risks and opportunities.
So if you haven't yet, how do you approach risk identification in your context?
Read on...
Short answer: it can do, depending [entirely?] on your organization's context.
The ISO 9001 DIS says that ISO 31000 provides guidelines on formal risk management which can be appropriate in certain organizational contexts.
This fact will be well understood by those working for large, indeed global entities that have long since adopted risk management methodologies and have risk managers on their team who are familiar with ISO 31000.
But what is ISO 31000 attempting to achieve, and is it relevant to the majority of organizations that are trying to gain or transition to ISO 9001?
ISO 31000 describes an "overall approach to risk management, not just risk analysis or risk assessment. It deals with the links between risk management process and both strategic direction and day to day actions and treatments1." Which on the face of it sounds an ideal recipe for risk-based thinking. Pick up the Standard and read it, and this thought is quickly dispelled, since ISO 31000 takes a generic approach that has to be developed - in considerable detail - to be useful in a given context.
Great for the Strategic aims of the senior management, but not of any great value to the 'poor bloody infantry' of quality managers out there.
Perhaps the first (and most frustrating) conclusion that you will come to, having spent £120 ($180 USD) on your personal copy is that you next need to buy ISO.IEC 31010:2009 – Risk management – Risk assessment techniques. A slightly steeper £226 from BSI, or $337 USD, on 24/03/15.
So your boss says, "OK, buy the one that you actually need, but don't come back to me asking for any more. We've got by without 'risk-based thinking' in the past [insert number of years or decades]; surely we will do so this time?" And you thank her or him for authorizing the purchase.
The pdf arrives on your machine. You open it. There are 92 pages, 6 of which in Annex A are a comparison of risk assessment techniques (some useful tables here) before you arrive at Annex B, consisting of 61 pages describing the 31 risk assessment techniques; all for the kind of people who enjoyed Mathematics (statistics especially) at school... but who may not be that interested in helping you to design effective quality processes.
Yes, there's a worthy (absorbing even?) preamble about risk assessment concepts and processes. There also a Clause describing how techniques for risk assessment may be selected, which starts with the valid advice:
Risk assessment may be undertaken in varying degrees of depth and detail and using one or many methods ranging from simple to complex. The form of assessment and its output should be consistent with the risk criteria developed as part of establishing the context. [Clause 6.2]
There is no point in making life more complicated than it needs to be; thus:
In general terms, suitable techniques should exhibit the following characteristics:
Great!
By now, you're probably fired up with the possibility of finding a suitable risk assessment technique that fits the context of your organization and its quality management system? You can't wait to get started on the job.
(Come on ... humour me!)
You turn to...
Annex A
(informative)
Comparison of risk assessment techniques
And quickly realize that there are more risk assessment techniques than you thought existed, and even a cursory reading suggests that some are complex. Notable the ones that are strongly applicable to each step of the full risk assessment process; specifically:
Below is the list of the 31 tools. Depending on the industry you are working in, you will almost certainly recognise at least some of them, even if you haven't actually used any of the techniques to assess risk.
Table A.1 – Tools used for risk assessment
Not everybody of course will have the resources and capabilities within the organization to attempt some of these - e.g., Fault tree analysis, Cause / consequence analysis, Monte-Carlo analysis, Bayesian analysis.
Quality managers working for smaller enterprises (SMEs) may only dream of conducting analysis at the level required by some techniques in the list. The sheer complexity of some types of risk assessment will render the tool useless in most organizations employing between 1 and 250 people. However, that doesn't mean to say that ISO 31010 isn't a valuable reference should you ever be required to think about risk in these terms.
Bear with me, though, because in the next few posts, I am going to show you a method to assess risk by turning Complexity into Simplicity!
1 Project risk management guidelines: managing risk with ISO 31000 and IEC 62198, Dale F Cooper, et al, Wiley, 2014.
There are twelve posts in this series. To read Part II, please click here.
This post was written by Michael Shuff