How to demonstrate risk-based thinking for auditors
By John J. Guzik
Most organizations implement risk-based thinking without realizing it. When a decision is made that affects a business, there’s a formal or informal assessment of risk versus opportunity. The emphasis on risk-based thinking in ISO 9001:2015’s requirements supports the notion that a proactive decision-making mentality is crucial for the continual improvement of a quality management system (QMS) and an entire organization.
There has been much written and said about this "new" ISO 9001 requirement on risk. Many have pointed to risk management programs, insisting the standard now formally requires them. Tools such as a failure mode and effects analysis (FMEA), a production part approval process (PPAP) and a plethora of new whiz-bang software programs have been introduced as tools that can do the task.
The difficulty with using these tools is that most of them were designed for risk management programs that address requirements of a product or service. Using these tools may help with product integrity, but they could leave you hanging in the breeze when it comes to demonstrating risk-based thinking per ISO 9001’s requirements.
Embracing rigid structures such as FMEA and PPAP and moving into the realm of addressing risks and opportunities from the ISO 9001 perspective can create new risks for smaller organizations, which could include:
- Potentially excessive costs of tool investments, which may provide no value to the organization, result in slowed operational performance, cause poor financial performance and risk shutting down the business.
- Poorly structured programs, which could weaken the QMS or the end products or services going to customers, and could result in nonconformance reports, advisory notices, recalls or safety liabilities.
If you were around for the release of ISO 9001:2000, you may remember the introduction of what was at that time a new topic called continual improvement. This caused many people to go off and create continual improvement programs as new tools in their QMSs.
Eventually, people saw how continual improvement could be demonstrated through areas listed in subclause 8.5.1: quality policy, quality objectives, audit results, analysis of data, corrective action, preventive action and management review.[1]
Auditors looked to these areas of a QMS for evidence of continual improvement. Perhaps it would be better to take the same approach with risk-based thinking.
Only after you have read and understood subclause 0.3.3, "Risk-based thinking," and annex A.4, "Risk-based thinking in ISO 9001:2015," can you truly implement subclause 6.1, "Actions to address risks and opportunities."[2]
In familiarizing yourself with these areas of the standard, it becomes clear that risk-based thinking, similar to continual improvement in 2000, can be seen in the standard’s existing toolset and doesn’t require a new tool.
Evidence of risk-based thinking
Consider these seven applications of risk-based thinking:
- You could see evidence of risk-based thinking in the records of management reviews, such as decisions and actions being taken with regard to opportunities for improvement, changes needed in a QMS and resource needs. If these decisions and actions demonstrate they were based on an evaluation of risk of uncertainty, risk-based thinking was implemented.[3]
- If an organization plans its internal audit program while considering "the importance of processes concerned, changes affecting the organization, and the results of previous audits," it could demonstrate risk-based thinking was used while planning for the audit program.[4]
- If you’re planning to change a QMS, your organization is required to consider the potential consequences of the proposed changes, as well as the integrity of the QMS.[5] If there was an evaluation of the severity of potential consequences in making these changes, the organization implemented risk-based thinking.
- In controlling changes for production and service provisions, an organization could demonstrate changes were effectively controlled through an evaluation of potential impacts on other processes.[6] In some cases, a simple evaluation could be sufficient. For other situations, a more formal evaluation—such as installation qualification, operational qualification and performance qualification—might be more appropriate. If potential impacts were considered, risk-based thinking was used.
- In determining whether an organization has "the ability to meet the requirements for products and services to be offered to customers," it could be using risk-based thinking to decide whether to pursue a particular business opportunity.[7] In most organizations, a managerial decision to pursue business opportunities is based on potential consequences related to how additional resources will be dedicated. This demonstrates risk-based thinking.
- To determine whether to start designing and developing a new product or service, most organizations base the decision on an evaluation of variables, such as the potential for a nonmarketable product or service, or an inability to produce or design it at a sellable price. This evaluation is evidence of implementing risk-based thinking.
- Later in the design and development process, after considering changes to the design characteristics, an organization is required to control the changes to "ensure that there is no adverse impact on conformity to requirements."[8] In doing this, the organization has demonstrated risk-based thinking.
Many people ask, "So, how can I show an auditor we have implemented risk-based thinking in these applications?" Subclause 6.1 of ISO 9001:2015 does not require an organization to retain documented information on actions taken to address risks and opportunities, but in most of the previous examples, retention of documented information is required. These records could be used to demonstrate risk-based thinking. Whatever path is selected in addressing this requirement, an organization is wise to recognize the risks associated with its decision.
References
1. International Organization for Standardization (ISO), ANSI/ISO/ASQ Q9001:2000—Quality management systems—Requirements, 2000.
2. ISO, ISO 9001:2015—Quality management systems—Requirements.
3. ISO, ISO 9001:2015—Quality management systems—Requirements, subclause 9.3.3—Management review outputs.
4. ISO, ISO 9001:2015—Quality management systems—Requirements, subclause 9.2.2—The organization shall.
5. ISO, ISO 9001:2015—Quality management systems—Requirements, subclause 6.3—Planning of changes.
6. ISO, ISO 9001:2015—Quality management systems—Requirements, subclause 8.5.6—Control of changes.
7. ISO, ISO 9001:2015—Quality management systems—Requirements, subclause 8.2.3—Review of the requirements for products and services.
8. ISO, ISO 9001:2015—Quality management systems—Requirements, subclause 8.3—Design and development of products and services.
John J. Guzik is principal of Impact Management in Hanover, PA. He is a participating member of the U.S. Technical Advisory Group to ISO Technical Committee 176 and ASQ ASC Z1-Q subcommittee on quality management.