​ISO 9001, auditing and risk management

Quality and risk management would seem to be natural bedfellows.

Yet, how often do quality managers and risk managers work together in a meaningful way?

There is no doubt the reason for this is the two are distinct disciplines.

Quality management focuses on ensuring organisations meet its customer, statutory and regulatory standards, particularly those in international standards like ISO 9001: 2015 for example, while risk management focuses on identifying, quantifying and addressing the effects of uncertainty.

But both approaches must deal with degrees of ambiguity.

The language of risk is not always familiar to quality professionals, but most of what they do, and are responsible for, is either risk identification or risk mitigation.

For organisations adept enough to fully integrate risk management concepts into a quality management system, the benefits should be clear.

Finding common ground between quality and risk management will, almost inevitably, help quality overall. Risk management is not seen as an instrument for strategy execution and achieving operational excellence but this is strange.

Having control over processes, as any quality manager will tell you, can lead to less process deviations, errors, incidents and loss of production.

It can lead to more focused business decisions: which activities to focus on, better efficiency, higher quality and better service.

This could well be defined as ‘operational efficiency’ or ‘operational excellence’.

The ISO 9001:2015 perspective

ISO 9001:2015 talks in terms of risk and opportunities.

Here, an organisation must evidence that they have determined, considered and, where necessary, taken proportionate action to address any risks and opportunities that may impact, either positively or negatively, their quality management system’s ability to deliver its intended results or that could impact customer satisfaction.

An organisation is required to take a risk-based approach to determine the type and extent of controls appropriate to each external provider and all external provision of products and services.

And the possible benefits of a QMS based on ISO 9001:2015 include the organisation being required to address risks associated with its context, objectives and strategic direction.

Three core concepts underpin ISO 9001:2015: a process approach, PDCA and risk-based thinking, which are designed to facilitate the alignment or integration of the QMS into the business management system.

The organisation must then move on to determine the risks and opportunities that need to be addressed for its given context. And because context changes through time, risk determination and evaluation is an ongoing activity, not a one off.

This is in order to provide assurance that the quality management system can achieve its planned results.

In addition, it needs to increase positive effects, to avoid or minimise negative effects, and to achieve improvement.

Although determining and addressing risks, and opportunities, is now a requirement, undertaking formal risk management is not.

The quality perspective

For quality professionals, the organisation needs to determine required process inputs and expected outputs, assign responsibilities and authorities for processes and identify risks and opportunities for processes, and plan to address these.

ISO 9001:2008 required the organisation to determine the process methods and criteria for effective operation and control.

The methods now explicitly include monitoring, measurements and related performance indicators.

While no specific risk management approach or methodology is prescribed, the organisation may want to consider using ISO 31000:2011 Risk management.

It is important to note that risk as a concept was present in ISO 9001:1994 which is when preventive action (PA) was first introduced – the idea that you should think about where things could go wrong in advance of them going wrong.

PA was not well understood however. As it was the last clause in the 2008 standard, many thought PA was the last thing you did, when actually it was the first thing you should have done.

Risk in 2015 is preventive action on steroids – it runs right through the entire standard and impacts just about every clause from 4-10.

Moreover, organisations that don’t understand their risks and opportunities do not survive.

Andrew Holt is technical content executive at CQI and IRCA.