Never Miss an Opportunity

Using ISO 9001’s risk requirements for innovation

by Peter Merrill

After ISO 9001:2015 was published, I suggested that organizations could use the standard to cultivate innovation.1 I think the standard takes a defensive mindset in how it uses the terms "risk" and "opportunity."

Many organizations have approached ISO 9001:2015 implementation by mindlessly mitigating risk. Instead, they should go on the attack and think about opportunity first. A risk assessment should be used as a tool to prioritize opportunities that can benefit their business.

Over the last year, I worked with several organizations that used the draft international version of ISO 9001 (ISO/DIS 9001), which did not change radically after the standard was published in September 2015.

I am going to share with you our practical experiences from working through clause 4.1. "Context of the Organization" and use the knowledge from that work to address clause 6.1 "Risk and Opportunity," or as I prefer to call it, "Opportunity and Risk." I will focus on just four of these organizations, which were selected because of their diverse nature. They are:

  • A small manufacturer in the steel industry.
  • A technology firm supplying the automotive industry.
  • A design and engineering firm in the chemical industry.
  • A financial services organization that was linked to a law firm.

Each had quite distinct "issues" to quote the standard, and after I had conducted the gap analysis against the new standard, our first hands–on task was an external risk assessment conducted by the leadership team. My job was to provoke, stimulate and facilitate them into thinking about all the issues the business had been addressing over the past couple of years. We grouped the issues into four categories: economic, market, legal and resources. You could add others—such as technical—depending on your business sector.

The economic category included issues such as currency exchange, oil price and other commodities. In the market category, there were offshore competition, domestic competition and new-market opportunities. The legal category generally focused on new legislation and regulation. And for resources, the category included issues such as suppliers and the labor market.

The organizations segmented their issues differently. For example, advances in technology was clearly a critical issue for many and could sit in either market or resources categories. Or it could be a sector on its own, depending on the organization’s perspective. Interestingly, shareholder influence came up several times as a major external risk. Issues in the labor market and the acquisition of skills also were frequently mentioned.

Tools of the trade

A risk matrix was developed to list each organization’s key issues (see Figure 1). We discussed which issue had highest or lowest impact using a scale of one to five. Using a one to 10 scale would take longer, and a scoring model that uses one to three—meaning high, medium or low—would not give you a wide spread. It’s important to remember that this list will be different in your organization.

Figure 1

Next, organizations’ leadership teams worked through the probability column, listing issues that were most or least likely to occur. Notice that the third column is addressed differently from a traditional failure, mode and effects analysis. Detectability was deliberately scored with high and low scores of five and one, respectively. This was to be in a consistent thinking mode. Multiplying the impact and probability scores, and dividing the result by the detectability score will give you a risk priority number for that category.

This provides a list of external risk factors and the organization must show how these will be addressed. The organizations with well-developed strategic planning processes fed this information into their strengths, weaknesses, opportunities and threats (SWOT) analysis to ensure consistency. ISO 9001:2015 was deliberately designed to better integrate into an organization’s business activities. A SWOT analysis points you right at your opportunities for innovation.

The first step in addressing these opportunities will be conventional, but you don’t stop there. You can build risk mitigation into your business strategy by taking actions such as:

  1. Buying futures to mitigate risks with currency exchange rates.
  2. Partnering with universities to explore new technology.
  3. Using trade-school internships to help with the labor market.

Using these three examples, you can step into the world of innovation by adopting radical new solutions to these issues. And these solutions will lead to business model innovation or process innovation. Scan your environment, especially in other business sectors, and see how other organizations have addressed these issues. This benchmarking practice is your first step down the innovation roadway. But also be sure to get away from the "not invented here" syndrome.

Buying futures is not the only answer to an issue with currency exchange rates. You may choose to engage a currency specialist. Partnering with universities is useful, but you may choose to partner with one of your suppliers to develop new technology. Trade-school internships attract new people for the shop floor, but maybe you can develop an in-house skills-development curriculum.

None of these options are innovative, but they are the first step into exploring choices. Exploration is a vital activity for the innovator, and you use the knowledge you harvest to fuel the ideation process. That is where you explore your mind and not just the market. I have no idea what solutions you will find deep in your subconscious, but this ideation is a must-do. It’s how you find your own innovative and unique solution and get away from the first idea that springs to mind. If you want to find the future of your business, it’s worth more than 20 minutes of brainstorming once a year.

Simultaneously conduct your external and internal risk assessments. You will find many internal risks are directly linked to your external risk issues, and the same tool is used to find internal risks. External and internal issues, however, are different.

As a preliminary exercise, I like to have an organization complete a high-level process map using the swim lane method to show the responsibility of each process step (see Figure 2). I usually have leadership map the design and operations areas separately and maybe split operations into two or three maps.

Figure 2

There are about 20 steps on each map. Organizations pick three to five steps on each map, focusing on ones that have given them the highest number of process issues. Look carefully at the link between sales and design, and the link between design and operations. They are often high-risk points. After the processes have been mapped, you’ll use the same risk matrix as before, but this time, you can mitigate risks by applying new technology, developing competencies or creating checklists. You also might create a more detailed process map for a risk to find how it can be improved. Notice that I have not said to write a procedure: That’s a 1990s style of thinking.

Take time to go beyond conventional solutions, and apply innovative thinking to external risk. Explore, benchmark, ideate and look for radical new process solutions.

Market issues

I’ve described the first steps toward innovative behaviors and ultimately a culture of innovation. Let’s go back to the external risk assessment and drill into the market category for issues. If you don’t have something that’s a high risk in this area, your organization must be a monopoly or you didn’t challenge yourselves during the assessment.

Review your offerings that are at risk and new business opportunities that are available. Develop new market offerings with your innovation skills to replace your mature offerings and address any emerging markets.

Look at your SWOT analysis and narrow your focus to two or three new business opportunities. Follow the new product-development process, create concept solutions, repeat the risk assessment, develop working solutions, repeat the risk assessment again and prototype.

Even when you are in the marketplace, you will gain new knowledge about your offerings. After finishing this process, repeat the risk assessment using the new knowledge you gained.

If you are using ISO 9001:2015 as your quality management system (QMS) framework, understand that the standard requires you to revisit your risk assessment at the management review. This should be on your agenda as a way to review the checks and balances of the system. But your QMS also should have an annual, fundamental recalculation to ensure it aligns with your strategic-planning process.


  1. Peter Merrill, "Innovation Imperative: The Business of Innovation," Quality Progress, January 2015, pp. 44-45.

Peter Merrill is president of Quest Management Inc., an innovation consultancy based in Burlington, Ontario. Merrill is the author of several ASQ Quality Press books, including Innovation Never Stops (2015), Do It Right the Second Time, second edition (2009) and Innovation Generation (2008). He is a member of ASQ, previous chair of the ASQ Innovation Division and current chair of the ASQ Innovation Think Tank.

Average Rating


Out of 0 Ratings
Rate this article

Add Comments

View comments
Comments FAQ

Featured advertisers