Risk-based thinking is a central concept in the current ISO management system standards. Earlier editions of ISO 9001 contained a “preventive action” requirement aimed at eliminating potential causes of non-conformity before they occurred. In the 2015 revision that requirement was replaced by “risk-based thinking,” which treats both negative risks and positive opportunities in a more systematic way.
The 2015 editions of ISO 9001 and ISO 14001 require organisations to apply risk-based thinking when planning, operating and evaluating their processes. It has become a key part of maintaining certification: an organisation needs to be able to show an auditor that risk is considered in its systems, processes, strategies and objectives, not only in a separate risk exercise.
Let’s take a closer look at what the risk-based thinking approach is and how it helps organisations improve their quality and processes.
What is Risk-Based Thinking?
ISO 9001:2015 describes risk-based thinking as the application of information, knowledge and action to identify uncertainties and the opportunities they carry. It is a proactive approach that requires organisations to consider risk when establishing the processes, controls and improvements of a QMS, rather than reacting once a non-conformity has appeared.
ISO 9000:2015, the vocabulary standard, defines risk as the “effect of uncertainty,” where an effect is a deviation from what is expected, and that deviation can be positive or negative. The risk-based approach is therefore not limited to identifying and mitigating threats; it also looks at the upside of uncertainty and identifies opportunities that can support growth.
As a result, applying risk-based thinking across the organisation lets you avoid foreseeable problems and take advantage of opportunities.
Is Risk-Based Thinking the Same as Risk Management?
At its core, risk-based thinking is a way of making decisions, and it is broader than risk management.
Risk management is the formal discipline of identifying, evaluating, treating and monitoring risks within the organisation. It typically involves tracking risks, monitoring the progress of corrective actions, and communicating risk status to stakeholders.
Risk-based thinking, on the other hand, is a holistic mindset that must be built into the quality management system and into everyday decision-making. ISO 9001:2015 does not require a formal risk assessment, a documented risk management process, or a risk register (Annex A.4 of the standard says so explicitly). The requirement is that decisions incorporate risk; the standard does not specify how this is to be done, which leaves the choice of method to the organisation.
Risk-Based Thinking in ISO 9001
In the 2015 versions of the standards, the clauses that address risks and opportunities are as follows:
- Context of the Organisation: when establishing its context, the organisation must identify the internal and external issues, and the interested parties, that give rise to risks and opportunities affecting its quality objectives.
- Leadership: top management must promote risk-based thinking across the organisation and ensure that the risks and opportunities affecting the conformity of products and services are determined and addressed.
- Planning: the organisation must not only identify risks and opportunities but also plan actions to address them, integrate those actions into its QMS processes, and decide how the effectiveness of the actions will be evaluated.
- Operations: the actions planned must be implemented and controlled in day-to-day operation.
- Performance evaluation: the organisation must monitor, measure and analyse the identified risks and opportunities and the effectiveness of the actions taken on them.
- Improvement: where the risk picture changes, or an action proves ineffective, the organisation must adjust its actions and improve the QMS.
The 2015 standards are structured around the PDCA (Plan-Do-Check-Act) cycle: context, leadership, planning and support form the Plan phase, operations the Do phase, performance evaluation the Check phase, and improvement the Act phase. Risk-based thinking therefore runs through the whole cycle rather than sitting in one clause.
Here, we discuss these requirements for addressing risk under ISO 9001:2015 in more detail.
1. Identification
How an organisation determines its risks and opportunities depends on its context: its objectives, size, the nature of its products and services, its culture, and the requirements of interested parties. Consider these factors and use structured models such as SWOT analysis, PESTEL analysis, or process mapping to identify the risks and opportunities, and document what you find so that later steps have something concrete to work with.
2. Analysis
Under ISO 9001, risk is, simply put, a positive or negative deviation from the expected result. Analysing a risk means asking what could happen, what effect it would have on the quality objectives, and how likely it is to occur or recur.
In this step the standard expects the organisation to examine each identified risk against those factors to understand its potential impact. ISO 9001:2015 does not require a full, formal risk assessment, but it does require that the risks and opportunities be monitored, measured, analysed and evaluated.
3. Evaluation
Once the risks and opportunities have been analysed and communicated, they need to be evaluated so that the organisation can decide how to prioritise and address each one. This means weighing the potential impact and consequences of the risk against the cost of addressing it.
On that basis, the organisation can prioritise and plan appropriate actions: avoid the risk, eliminate its source, change its likelihood or consequences, share it, accept it by informed decision, or take the risk in order to pursue an opportunity.
4. Treatment
Finally, risk-based thinking requires the organisation to implement the planned actions, that is, to put controls in place that mitigate the risk or realise the opportunity. It also involves measuring whether those actions were effective, by analysing performance data or through internal and external audits, and feeding the result back into the next planning cycle. This is what turns risk treatment into better decisions, fewer losses, and a basis for growth and profitability.
Technical Tools to Mitigate Risk
When applying risk-based thinking to your quality management processes, it is critical to make it an integral part of those processes rather than treating it as a separate activity.
This means the risk tools should live inside your quality management system so that risks can be identified and responded to efficiently. ISO 9001:2015 does not mandate specific tools or methods, and a spreadsheet can satisfy the standard; in practice, however, manual processes become time-consuming and hard to keep consistent as the number of risks and actions grows, which is why many organisations turn to QMS software or dedicated risk and opportunity management software.
These digital tools, geared to facilitate risk-based thinking, should include the following key capabilities:
- Risk Register: a risk register records and describes individual risks in one central place so they can be monitored. Although the ISO standards do not require a risk register, using one consistently lets you prioritise risks, record their potential impact and likelihood, and assign responsibility for the actions that address them.
- Risk tools: risk assessment aids such as a risk matrix (likelihood against impact) or a decision tree should be available in any quality management system software, and should be usable from the audit, deviation and regulatory compliance workflows rather than only in a standalone module.
- Effectiveness checks: a final verification step on processes such as corrective actions, confirming that the action actually reduced the risk, helps satisfy the improvement and performance evaluation requirements.
- Risk data assessment: risk and opportunity management software can track the key data for each identified risk through a centralised dashboard, showing its severity, potential impacts, and the likelihood of recurrence.
- Root cause analysis: root cause analysis is a systematic method for finding the underlying cause of a non-conformity that has already occurred, so that the corrective action removes the cause rather than the symptom. Its findings should be fed back into the risk register, since a cause found once is usually a risk elsewhere.
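To make the four-step cycle above (identification, analysis, evaluation, treatment) and the risk register, risk matrix and effectiveness check from this list concrete, here is an added worked example. It is not from the page, from ISO, or from any QMS product; the 5x5 likelihood and impact scales, the score bands, and the sample register rows are assumptions chosen for illustration, since ISO 9001:2015 prescribes no particular scale or method.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumed 5x5 scales for the illustration; ISO 9001 does not prescribe any scale.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}


@dataclass
class Risk:
    """One row of the register: what was identified, who owns it, how it is treated."""
    risk_id: str
    description: str
    likelihood: str                  # key of LIKELIHOOD, set in the analysis step
    impact: str                      # key of IMPACT, set in the analysis step
    owner: str
    kind: str = "threat"             # "threat" or "opportunity"; both are tracked
    treatment: str = ""              # avoid / eliminate source / change likelihood / accept / pursue
    residual_likelihood: Optional[str] = None   # re-assessed after treatment
    residual_impact: Optional[str] = None

    @property
    def score(self) -> int:
        """Inherent score: the cell of the risk matrix before treatment."""
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]

    @property
    def residual_score(self) -> Optional[int]:
        """Score after treatment, or None if the risk has not been re-assessed yet."""
        if self.residual_likelihood is None or self.residual_impact is None:
            return None
        return LIKELIHOOD[self.residual_likelihood] * IMPACT[self.residual_impact]


def band(score: int) -> str:
    """Evaluation step: map a matrix score to the priority band (assumed thresholds)."""
    if score >= 15:
        return "high"
    if score >= 8:
        return "medium"
    return "low"


def prioritise(register: List[Risk]) -> List[Risk]:
    """Highest inherent score first; Python's sort is stable, so ties keep register order."""
    return sorted(register, key=lambda r: r.score, reverse=True)


def effectiveness_check(risk: Risk) -> bool:
    """Performance-evaluation step: did the treatment actually move the score?

    A threat passes when the residual score is lower than the inherent one; an
    opportunity passes when it is higher (the action made the upside more likely
    or larger). A risk that has not been re-assessed cannot claim effectiveness.
    """
    residual = risk.residual_score
    if residual is None:
        return False
    if risk.kind == "opportunity":
        return residual > risk.score
    return residual < risk.score


def report(register: List[Risk]) -> List[Tuple[str, int, str, Optional[int], bool]]:
    """Dashboard view: (id, inherent score, band, residual score, treatment effective?)."""
    return [
        (r.risk_id, r.score, band(r.score), r.residual_score, effectiveness_check(r))
        for r in prioritise(register)
    ]


# Constructed sample register; these rows are invented for the example.
SAMPLE_REGISTER = [
    Risk("R-01", "Single supplier for a critical component", "possible", "major", "Procurement",
         treatment="Qualify a second supplier",
         residual_likelihood="unlikely", residual_impact="major"),
    Risk("R-02", "Calibration records kept on paper", "likely", "moderate", "Quality",
         treatment="Move to an electronic calibration log",
         residual_likelihood="rare", residual_impact="moderate"),
    Risk("R-03", "Untrained operators on the new line", "likely", "severe", "Production",
         treatment="Training plan (not yet re-assessed)"),
    Risk("O-01", "Customer interest in an extended warranty service", "possible", "moderate", "Sales",
         kind="opportunity", treatment="Pilot the service offer",
         residual_likelihood="likely", residual_impact="moderate"),
]

if __name__ == "__main__":
    for row in report(SAMPLE_REGISTER):
        print(row)
```

The inherent score orders the register (R-03 at 20 is the only "high" item), while the residual score is what the effectiveness check looks at: R-03 fails the check not because the training plan is bad but because nobody has re-assessed it, which is exactly the gap an auditor would ask about under the performance evaluation clause.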
Adopting risk-based thinking is now a necessity rather than an option for organisations that want to grow profitably under ISO 9001. By fostering a culture in which risk is considered in every decision, you can maintain the quality of your processes and products, improve operational efficiency, and keep your certification in good standing.