Published: 9 Aug 2016

Tapas Bandyopadhyay and Chittaranjan Das offer practical advice on implementing ISO 9001:2015 in line with risk-based management.

The very purpose of any quality management system is to ensure a consistent, acceptable level of quality for a product or rendered service to the customer. The ISO 9000 standard has been developed and is being used by industries to meet customer requirements. In its subsequent revisions, a new slant and refinement have taken place.

The concept of “risk” in the context of ISO 9001:2015 relates to the uncertainty or undesired outcome in achieving these objectives.

Risk-based thinking enables an organisation to determine the factors that could cause its processes and its quality management system to deviate from the planned results, to put in place preventive controls to minimise negative effects and to make maximum use of opportunities as they arise.

Importance of risk

The risk-based approach for establishing, defining and implementing the QMS in an organisation has some distinct advantages.

These can be listed as:

  • The risks of the business and its related processes and activities are known beforehand to the organisation
  • The identified risk leads to taking proactive action to mitigate the problem and improve the situation
  • It is a great tool to capture the uncertainties of business operation in the changing marketplace
  • It takes care to assure consistency of quality of goods and services by appropriate actions every time
  • It paves the way for better customer confidence and satisfaction
  • It opens up the opportunity for improvement in product/service quality in a competitive market scenario
  • It prioritises the business decision and resource allocation
  • It helps to determine external and internal issues that affect the ability to achieve the intended results of the QMS.

Addressing risk requirements

In the new version of ISO 9001:2015 the risk concepts have been woven throughout the entire document, and feature especially in the following clauses:

Clauses 0.1 and 0.3.3: address the idea that risk-based thinking enables an organisation to determine the factors that could cause its processes and its quality management system to deviate from the planned results.

Clause 4.4: the organisation is required to determine the risks which can affect its ability to meet these objectives.

Clause 5.1: top management shall demonstrate leadership and commitment with respect to the quality management system, by promoting the use of the process approach and risk-based thinking.

Clause 6.1: the organisation shall plan: a) actions to address these risks and opportunities.

Clause 9.1.3: the organisation shall analyse and evaluate the effectiveness of actions taken to address risks and opportunities.

Clause 10.2: when nonconformity occurs, update the risks and opportunities determined during planning, if necessary.

Risk management process

Risk is a serious business issue and hence needs a formal process to deal with it. This does not necessarily mean comprehensive documentation.

The starting point of the process is to establish the context, and an organisation has to understand and comprehend internal, as well as external, parameters to be taken into account to assess risk.

Risk assessments have to be reviewed and carried out periodically and/or as and when a contingency situation arises.

The selection of the right risk assessment technique is very important. Again, this depends upon the type of product and/or services being offered by the organisation.

ISO 31010 details various techniques to be employed for risk assessment. An organisation offering photocopying services may employ a simple technique of brainstorming to understand the context of the organisation, the related issues and the consequences in order to assess risk, while an organisation that operates a nuclear power plant has to employ complex, robust, reliable and quantitative techniques like FMEA (failure mode effect analysis) to assess risk.

The aim of the process approach is to enhance an organisation’s effectiveness and efficiency in achieving its set objectives. This means enhancing customer satisfaction by meeting customer requirements.

In the process approach, there is: input, value addition (process resources and control), and an output.

Risk lies in getting the correct input at the right time, the correct design of a product, the proper selection of processes and their control, infrastructure and environment, and competent manpower to operate any machines and deal with monitoring.

These risk factors play an important role in getting the desired results.

We need to identify the processes and activities and anticipate any potential problem which may crop up during the actual practice in the organisational environment.

Risk plan

After a comprehensive process of risk assessment, a risk assessment plan needs to be drawn up for the potential risks that can affect the QMS and its intended results. Depending on the risk type, severity and business impact, a prioritisation of risk resolution needs to be prepared.

In the process, the cause of the risk needs to be studied. The risk value can be reduced by reducing either the likelihood of occurrence or the impact.

Options to address risks can include avoiding risk, taking risk in order to pursue an opportunity, eliminating the risk source, changing the likelihood or consequences, sharing the risk, or retaining risk by informed decision.

It is impossible to mitigate all risks, as it is neither feasible nor cost-effective. One can only reduce risk so that it can be tolerated and business can be done. Acceptable risk is a risk that is understood, controlled and tolerated.

Tapas Bandyopadhyay works at the department of electronics and information technology at the Government of India: tapasb@stqc.gov.in

Chittaranjan Das also works at the department of electronics and information technology at the Government of India: cdas@stqc.gov.in