ISO 9001:2015 requires organisations to incorporate risk-based thinking into their quality approaches. It establishes a systematic approach to risk and ensures that risks are identified, considered and controlled throughout the design and use of the quality management system.
Risk consideration is integral. Risk-based thinking makes prevention proactive rather than reactive. Here’s how your organisation should address risks and opportunities to be ISO 9001 compliant.
Steps for addressing risks and opportunities: ISO guidance
When building your organisation’s management system and processes, you need a systematic approach to considering risk and incorporating risk-based thinking at every stage.
Identify your risks
Firstly, you need to identify risks. You must ask what can go wrong. When doing so, you should consider the context. For example, consider the risks to your organisation if you lose a key supplier.
The risk is not the same if another supplier can quickly and easily replace the service or product that supplier provides. The risk is considerable if the supplier is the only supplier of a key component.
Assess risks
To understand risks, you need to assess them. You need to determine the likelihood that they will occur. You must consider what’s acceptable and what’s not. What advantages or disadvantages are there to one process over another?
What is your organisation’s objective in the above situation? You need to ensure your organisation can continue production at all times. Stopping production is unacceptable.
Analysing risk is complex. Risk must be assessed using quantitative and qualitative analyses. You determine the risk factor based on how it will affect the project through various metrics. You will base your decision on a risk assessment of the likelihood of losing the supplier and how to mitigate that risk.
In some cases, risk can bring opportunity. You must assess where risk ends and opportunity begins in the above example. How can your organisation reduce one while capitalising on the other? Does the risk of losing a key supplier create an opportunity? Could your organisation realise the chance to become a supplier of this key component?
Planning risk responses
Once each risk is identified based on its severity and likelihood, you must develop a plan for addressing the risks and opportunities. These planning actions must be laid out and documented.
Risk response strategies prevent the risks that can be eliminated and minimise those that are impossible to avoid. They reduce an organisation’s risk profile.
The four techniques for managing risk are:
- avoid
- accept and share
- mitigate
- transfer.
Avoid
This aims to eliminate the risk by developing an alternative strategy or process more likely to succeed. It’s usually linked to a higher cost.
Accept
This technique involves accepting the risk and collaborating with others to share responsibility for risky activities. Partnering with another company can be particularly advantageous when the new partner has experience your organisation does not.
Mitigate
Mitigating the risk is a technique that usually involves an investment to reduce the risk of a project.
Transfer
Risk transfer shifts risk from the project to another party. A classic example is paying someone else to accept the risk by purchasing insurance.
Continuing the example above, it’s easy to see how these techniques could address the risk of losing a key supplier. Your organisation may avoid the risk altogether by changing the production process to eliminate the need for the supplier.
You may accept the risk of losing the key supplier and take the opportunity to partner with another company that has experience in this area.
Your company could mitigate the risk by investing in and producing the product, thus eliminating the need for the supplier.
Monitoring effectiveness
A dedicated team must monitor all techniques used to respond to a risk for effectiveness—or failure—and create communication channels so that important information isn’t lost.
In our example, if a new production process is implemented to avoid losing a key supplier, its effectiveness must be monitored. Has the requirement for that supplier been eliminated? Has the risk been removed?
Updating risks and improving responses
Of course, risks change and evolve. This process is cyclical, and risk management should be continuous.
If, for example, your company decided to bring production in-house to eliminate the risk of losing a key supplier, you need to analyse any risk arising from that new process. For example, what if you lost a key employee in that process? Would production stop?
How to simplify ISO 9001 risk management
isoTracker’s risk management software dramatically simplifies risk management. The module makes it easy and affordable to ensure compliance with ISO 9001 requirements for managing risks and opportunities. Using the module, you can:
- record risks in a way that’s fast, accurate and central
- use automated notifications and workflows to assign and track risk mitigation tasks
- benefit from up-to-date risk analysis and reporting.
The module can be standalone or integrated with isoTracker’s other quality management software.