There are twelve posts in this series. To read Part VI, please click here.
Steps 1-3 in the method
If you have been reading this blog recently, you will know we have been considering the problem of how organizations could apply Risk-based thinking (RBT) to Quality Processes. In the previous post (part VI), we started to introduce our own proposed Risk Management method that may help.
In this post we shall deal with the first three Steps in the methodology, namely: (1) The Context of the Organization, (2) Risk Identification processes, and (3) Qualitative risk assessment.
The 'context' of the organization is essentially its business environment.
That is to say, context is a term that is used to describe a combination of internal and external factors and conditions that can have an effect on an organization's (3.01) approach to its products (3.47), services (3.48) and investments and interested parties (3.02).1
An organization needs to demonstrate its ability to consistently provide products and services that meet customer and applicable statutory and regulatory requirements and aims to enhance customer satisfaction.2 Therefore, it is necessary to determine both the external and internal context before designing and implementing quality processes that take account of the risks and opportunities that apply in a particular context.
The risk-based approach of ISO 9001:2015 requires the organization to understand its context (see clause 4.1) and determine the risks and opportunities that need to be addressed (see clause 6.1). When applying risk-based thinking to the planning and consideration of quality processes, we should take into account the organization's understanding of the...
The Standard also requires that "...the organization shall maintain documented information to the extent necessary to support the operation of processes and retain documented information to the extent necessary to have confidence that the processes are being carried out as planned".4
The scope and responsibilities of persons responsible for risk management and the risk assessment methods employed will need to be documented.
Risk is defined as "the effect of uncertainty on objectives"5, so it follows that it is necessary to articulate the objectives of the organization and the processes that it uses. In other words, you must define and document what is 'at risk', and how you intend to address risk in your quality management system; specifically, who is to be made responsible for identifying, analyzing (if you choose to analyze risk), evaluating and treating the risk to your QMS and its associated processes.
It is valuable to be as specific as possible in articulating the organization's business objectives as this will assist with the risk identification process (defined in Step 2).6
The context of an organization can include internal factors such as organizational culture, and external factors such as the socio-economic conditions under which it operates; consequently all the requirements of ISO 9001:2015 are generic but the ways in which they are applied can differ from one organization to another.7
Risk-based thinking as it is defined in ISO 9001:2015 requires you to consider risk qualitatively (and, depending on the context that has been identified, quantitatively) when defining the rigour and degree of formality needed to plan and control the quality management system, as well as its component processes and activities8.
Taking the above definitions into account, I would suggest that it would be appropriate for an ISO 9001-compliant organization - and especially one adopting a more formal risk management approach based on ISO 31000 - to document the context in what I am terming a Statement of Context.
To establish the context, you need to:
Establish the external and internal organisational context in which the risk assessment is taking place (see ISO 9001:2015 Clause 4.1);
Specify the main objectives and outcomes that are uncertain and, therefore, represent a risk;
Develop criteria against which the consequences and likelihoods of identified risks can be measured; and
Define the key elements for structuring the risk assessment process.
Key process documents, scope definitions, pre-existing analyses and other relevant documented information such as organisational policies, processes and structures.
The organization's Statement of Context would include internal factors such as organizational culture, and external factors such as the socio-economic conditions under which it operates [ISO 9001:2015, Introduction 0.1].
Establishing the context will provide information that is essential to risk identification, analysis, and evaluation activities if they are to be efficient and effective. Components of the context could be summarised as follows:
In this risk management methodology:
The risk criteria should reflect the objectives and context for the risk assessment. Consideration should be given to stakeholder views and risk perceptions, the legal and regulatory framework that applies in the organization's context, and the time and resources that are available.
These criteria should be continually reviewed.
Categories for which risks in a quality management system and associated processes will be evaluated need to be defined and documented, taking account of all associated activities from which risks could arise that would adversely affect the organization or any of its stakeholders. These could include:
However, this list will depend on context and the risks being evaluated.
When defining risk criteria, you should consider:
For the risk criteria to be adequate to support the decisions made at the risk treatment stage, they should:
Statement of organization context - including its size and complexity, a general outline of the external and internal risks and opportunities that it needs to address, and how that knowledge is to be made accessible.
Having established the organization's context, we need to identify the specific risks and opportunities that need to be addressed (see clause 6.1) through the quality management system and its associated processes. Risk identification is the process to determine what might happen that could result in undesirable outcomes (see 0.5) that have a negative impact on the organization's ability to "...consistently provide products and services that meet customer and applicable statutory and regulatory requirements or the organization's aim to enhance customer satisfaction"10.
The risk identification process should be as comprehensive and systematic as possible in order to ensure that risks affecting quality are not ignored.
Information used may include:
These techniques include:
[See my previous blog post about ISO/IEC 31010 for more information: ISO 31000 Risk management techniques: Attributes of a selection of risk assessment tools.]
See item 2 above.
Steps 3 - 5 will analyse and evaluate these risks and prioritise treatment.
1. Risks and opportunities register (R&O register) - recording identified risks, controls, and ratings.
2. Risk description worksheet - (for recording risk at process level) listing risk description, process, existing controls, key assumptions, sources of information, document attachments.

The International Standard, ISO/IEC 31010, describes the techniques for risk identification that could be used in Quality Management Systems.
Along with examining any check-lists that identify the causes of risk that have led to preventive actions, and the experience of other quality managers in similar contexts, you should also consider conducting structured interviews with individuals, focus and discussion groups, scenario analysis, and surveys and questionnaires to help identify risks.
The recommended method is Brainstorming - see previous blog post.
Brainstorming is significantly more effective than superficially attractive mechanisms such as checklists. The process draws on the creative capacity of the participants, reducing the danger of overlooking new and emerging issues12.
The quality manager/lead writes the initial risk list on a whiteboard without comments from the other participants, who then make their contributions. The team reviews the list, classifying and grouping the similar risks where appropriate and adding new ones as ideas are generated. The aim is usually to generate a list of 10 risks associated with each quality process being assessed, although this number will vary depending on the organizational context and complexity of processes.
A structured workshop is the most effective format and adequate time should be allocated by key participants for all the risks to be considered.
Experience and knowledge will always form a valuable part of the process; however, historical information should not be allowed to block a creative assessment of the future, in which situations that have never arisen before may occur and the balance between familiar risks may shift dramatically13.
Qualitative analysis is based on ordinal and ranking scales for describing the consequences and likelihoods of risk. This method helps managers to understand risks and prioritise them for treatment, taking account of activities, processes and plans that act as controls. It is a useful approach in situations where there is insufficient reliable statistical data available, or where time and cost constraints prevent managers from undertaking a more resource-intensive semi-quantitative or quantitative analysis of risk.
In comparison:
Quantitative analysis uses numerical (ratio) scales for consequences and likelihoods, rather than descriptive or nominal scales, and requires more advanced skills.
ISO 9001:2015 requires that we consider risk qualitatively (and, depending on the organization's context, quantitatively) when defining the rigour and degree of formality needed to plan and control the quality management system, as well as its component processes and activities. Qualitative risk analysis is the systematic use of available information - including documented information from the risk identification process in Step 2 - to develop an understanding of the risks to quality objectives14.
This includes:
The quality management team is often the best source of information for assessing risks to quality in terms of their causes and consequences.
However, where the organizational context is high-risk and/or complex, additional information will most likely be required from other teams. When assessing high-priority risks and evaluating the most effective ways to mitigate them, quality managers/leads may include sources such as:
Information used in qualitative risk analysis and evaluation includes:
Note: This simple list is intended to be identical to the list for risk identification in Step 2, although you can probably add further types of information based on your organization's experience of risks to outputs.
Steps required for a Qualitative Risk Assessment include:
A prioritised list of risks that takes account of uncertainty for:
For each risk, determine a rating for:
1. Risks and opportunities register (R&O register) - recording identified risks, controls, and ratings.
2. Risk description worksheet - (for recording risk at process level) listing risk description, process, existing controls, key assumptions, sources of information, document attachments.

In the first 3 Steps of this risk management process for quality systems, we have addressed three fundamental requirements of ISO 9001:2015; namely:
As ISO 9001:2015 states, the process for considering and controlling past, existing and additional knowledge needs to take account of the organization's context, including its size and complexity, the risks and opportunities it needs to address, and the need for accessibility of knowledge17. I propose documented information in the form of (1) Statement of Context, and (2) Risks and Opportunities Register (R&O register) used to record identified risks, controls, and ratings.
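As an added illustration of the Step 3 outputs (this is example code written for this page, not the method's own tooling and not taken from ISO 9001 or ISO 31000), the following Python sketch of an R&O register records each risk against 5-point ordinal likelihood and consequence scales, carries likelihood as a low/high range so that the assessor's uncertainty survives into the prioritised list, and derives a rating band from a 5x5 matrix. The scales, band thresholds, process names and the four sample risks are all constructed assumptions; an organization would substitute the criteria it defined in Step 1.

```python
"""Toy risks-and-opportunities (R&O) register with qualitative rating.

All scales, bands and sample risks below are assumptions made for this
example; they are not prescribed by ISO 9001 or ISO 31000.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Assumed 5-point ordinal scales: order is meaningful, distances are not.
LIKELIHOOD = {1: "rare", 2: "unlikely", 3: "possible", 4: "likely", 5: "almost certain"}
CONSEQUENCE = {1: "insignificant", 2: "minor", 3: "moderate", 4: "major", 5: "severe"}

# Assumed rating bands on the 5x5 matrix, keyed by the minimum L x C score.
BANDS = [(20, "extreme"), (12, "high"), (6, "medium"), (1, "low")]
BAND_RANK = {name: rank for rank, (_, name) in enumerate(BANDS)}  # 0 = worst


def score(likelihood: int, consequence: int) -> int:
    """Matrix position for an (L, C) pair; off-scale values are rejected."""
    if likelihood not in LIKELIHOOD or consequence not in CONSEQUENCE:
        raise ValueError(f"off-scale rating: L={likelihood}, C={consequence}")
    return likelihood * consequence


def band(likelihood: int, consequence: int) -> str:
    """Rating band for an (L, C) pair, e.g. band(3, 4) -> 'high'."""
    s = score(likelihood, consequence)
    for floor, name in BANDS:
        if s >= floor:
            return name
    raise AssertionError("unreachable: score is always >= 1")


@dataclass
class Risk:
    risk_id: str
    process: str
    description: str
    existing_controls: str
    # (low, high) likelihood range: the assessor's uncertainty is recorded
    # instead of being collapsed into a single point estimate.
    likelihood: Tuple[int, int]
    consequence: int
    assumptions: List[str] = field(default_factory=list)

    def __post_init__(self) -> None:
        low, high = self.likelihood
        if low > high:
            raise ValueError(f"{self.risk_id}: likelihood range {self.likelihood} is inverted")
        score(low, self.consequence)   # validates both ends of the range
        score(high, self.consequence)

    def worst_score(self) -> int:
        return score(self.likelihood[1], self.consequence)

    def worst_case(self) -> str:
        return band(self.likelihood[1], self.consequence)

    def best_case(self) -> str:
        return band(self.likelihood[0], self.consequence)

    def is_uncertain(self) -> bool:
        """True when the likelihood range straddles a band boundary."""
        return self.best_case() != self.worst_case()


class RORegister:
    def __init__(self) -> None:
        self._risks: Dict[str, Risk] = {}

    def add(self, risk: Risk) -> None:
        if risk.risk_id in self._risks:
            raise ValueError(f"duplicate risk id {risk.risk_id}")
        self._risks[risk.risk_id] = risk

    def prioritised(self) -> List[Risk]:
        # Worst-case band first, then worst-case score, then consequence, so an
        # optimistic likelihood guess cannot bury a risk that may be serious.
        return sorted(self._risks.values(),
                      key=lambda r: (BAND_RANK[r.worst_case()], -r.worst_score(), -r.consequence))

    def needing_treatment(self, min_band: str = "high") -> List[Risk]:
        """Risks whose worst case is at or above min_band, in priority order."""
        return [r for r in self.prioritised() if BAND_RANK[r.worst_case()] <= BAND_RANK[min_band]]

    def by_process(self) -> Dict[str, List[str]]:
        out: Dict[str, List[str]] = {}
        for r in self.prioritised():
            out.setdefault(r.process, []).append(r.risk_id)
        return out


def sample_register() -> RORegister:
    """Four constructed risks, deliberately added out of priority order."""
    reg = RORegister()
    reg.add(Risk("R-03", "Production", "Obsolete work instruction in use at a station",
                 "Controlled-copy stamp on printed instructions", (4, 5), 2))
    reg.add(Risk("R-01", "Calibration", "Measuring equipment used past its calibration due date",
                 "Annual calibration schedule kept in a spreadsheet", (3, 4), 4,
                 ["Spreadsheet is reviewed monthly"]))
    reg.add(Risk("R-04", "Customer service", "Customer complaint received but not logged",
                 "Complaints form on intranet", (1, 2), 3))
    reg.add(Risk("R-02", "Purchasing", "Supplier ships nonconforming raw material",
                 "Incoming inspection by sample", (2, 3), 5,
                 ["Sample size follows the supplier's last audit grade"]))
    return reg


if __name__ == "__main__":
    for r in sample_register().prioritised():
        flag = " (uncertain)" if r.is_uncertain() else ""
        print(f"{r.risk_id} {r.worst_case():8} {r.process:17} {r.description}{flag}")
```

The register deliberately prioritises on the worst end of the likelihood range; if your Step 1 criteria say otherwise (for example, treat on expected rather than worst case), change the sort key in `prioritised()` rather than the scales, so the recorded ratings stay comparable across processes.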
There are twelve posts in this series. To read Part VIII, please click here.
Notes:
1 Moving from ISO/IEC 27001:2005 to ISO/IEC 27001:2013: The new international standard for information security management systems, Transition Guide, BSI Group. 3.24, p.17.
2 Ibid. A.3, p.45.
3 Ibid. 4.1. p.25.
4 Ibid. 4.4 Quality management system and its processes, p.26
5 ISO 31000, 2 Terms and definitions, 2.1 risk, p.1
6 Project management guidelines: managing risk with ISO 31000 and IEC 62198, Dale F Cooper, et al, John Wiley & Sons Inc, March 2014.
7 ISO/DIS 9001:2014, Clause 0.1 Introduction, p.6.
8 Ibid. Clause 0.5, p.9.
9 Ibid. Clause 0.1 Introduction, p.6.
10 Ibid. A.3 Context of the organization, p.43.
11 Adapted from assessing risks to quality from Project management guidelines: managing risk with ISO 31000 and IEC 62198, Dale F Cooper, et al, John Wiley & Sons Inc, March 2014
12 Ibid.
13 Ibid.
14 Ibid. Chapter 8: Qualitative Risk Analysis and Risk Evaluation.
15 Adapted from assessing risks to quality from Project management guidelines: managing risk with ISO 31000 and IEC 62198, Dale F Cooper, et al, John Wiley & Sons Inc, March 2014
16 ISO/DIS 9001:2014, Clause 5.1.1 Leadership and commitment for the quality management system, pp.26-27.
17 ISO/DIS 9001:2014, A.7 Organisational knowledge, p.46.