Risk-based thinking in ISO 9001
Ian Stahler, CQP MCQI, Independent Quality Specialist, explains why a revision for ISO 9001’s risk-based thinking requirements is needed for businesses in current times.
The ISO 9001 standard’s section ‘6.1 Actions to address risks and opportunities’ (and others) is in need of a revision to help companies with less formal third-party accreditations to prepare for real risks or unexpected events that can happen, such as power outages, flooding or pandemics. Following the ISO/IEC Directives’ Annex L – renamed from Annex SL in 2019 – management system standards were updated to harmonise their structure across the main, commonly assessed standards, using ISO 9001 as a base. Examples of standards that were updated in this way include ISO 14001 and ISO 45001.
Since 2015, other system standards have moved on from the ISO 9001 base and added significantly to the structure and emphasised key areas to suit their particular industry or management specialisms. These include environmental issues (ISO 14001), aerospace (AS9100), automotive (IATF 16949) and health and safety (ISO 45001).
An example of where these system standards have moved on in risk-based thinking is continuity or emergency planning. Each of the above industry-specific standards added some detail to its approach to risk and made this section (6.1) more prescriptive about what should be prepared for and how it should be dealt with. Taking this approach further, specific industry bodies have provided requirements on what to do and how to do it. An example of this is the Automotive Industry Action Group’s Business Continuity Planning for the Automotive Supply Chain, which provides additional guidance over and above the base standard’s content in various sections.
The additional requirements include, but are not limited to:
- ISO 14001:2015 – Requires the organisation to determine potential emergency situations, including those that can have an environmental impact.
- ISO 45001:2018 – Requires the organisation to take account of past relevant incidents, internal or external to the organisation, including emergencies, and their causes.
- IATF 16949:2017 – Requires the organisation to periodically test the contingency plans for effectiveness including simulations, as appropriate.
Consideration should be given to emergency preparedness such as fire drills and to other business risks, including IT and security issues. In the author’s opinion, it’s not enough in the real world to just “back up the IT system and have fire drills”, because he has experienced phone lines being out of action for over a day, due to a major fire that took place at the Manchester City Centre Exchange, and a power outage which lasted over two days because of local transformer works that were being conducted by United Utilities. Given these examples, a more prescriptive approach in ISO 9001 that specifies real-world possibilities would be more appropriate and effective for businesses.
An update to ISO 9001 could also include guidance on how this could be implemented in a company’s management system. For example, one approach that could be adopted is a desk review of various scenarios by members of an organisation’s management team. Following an actual emergency, this could be complemented by a review, within the management review requirements, of the organisation’s performance and how well the business dealt with the event.
Since ISO 9001 was published, the coronavirus pandemic has forced the world into dealing with a global emergency.
How industries generally have dealt with the crisis should provide an insight into where ISO 9001 needs to change in future updates to ensure the quality profession is better prepared and more agile in its response to emergencies.
There is a user survey currently underway for ISO 9001, so why not have your say? Visit Survey Monkey and for further content on Covid-19, go to: quality.org/content/coronavirus