Risks and Opportunities
- What does ISO 9001:2015 say about risks and opportunities?
- How can companies define risks and opportunities?
- How can companies address risks and opportunities?
- What are some common auditing questions about risks and opportunities?
One of the key changes in ISO 9001:2015 is to establish a systematic approach to considering risk. This differs from the ISO 9001:2008 approach of treating “prevention” as a separate component of a quality management system. Risk exists in all aspects of a quality management system, across all systems and processes. ISO 9001:2015 requires risk-based thinking throughout the design and use of the quality management system to ensure these risks are identified, considered and controlled.
Risks also may bring opportunities. ISO 9001:2015 requires companies to identify and select opportunities for improvement. Examples of opportunities for improvement include professional development, improving products and services, correcting or preventing nonconformities or other actions to improve the overall effectiveness of a quality management system.
What Does ISO 9001:2015 Say About Risks and Opportunities?
Risk influences every aspect of a company’s organization, so learning how to manage risk appropriately will ultimately improve an organization’s ability to make smart decisions and achieve business objectives. Managing risks for employees, assets, and all operations should be an important responsibility for an organization. On the other hand, opportunities are considered the positive effect of risk, and ISO 9001:2015 emphasizes reducing risk and expanding opportunities.
ISO 9001:2015 requires organizations to address risks and opportunities within the Quality Management System, but gives them the freedom to choose their own methodology to do so.
References to risks and opportunities can be found throughout the standard:
- Clause 4.4.1 asks organizations to determine the process by which they will identify risks and opportunities.
- Clause 5.1.2 asks top management to address risks and opportunities impacting product and service conformity.
- Clause 6.1 requires organizations to plan specific actions to address risks and opportunities (proportionate to the potential impact on conformity), integrate the plans into their QMS, and evaluate how effective they are.
- Clause 8.1 requires organizations to control those identified risks.
- Clause 9.1.3 also mentions analyzing the information that determines the effectiveness of risk and opportunity actions.
- Clause 9.3.2 requires management review to evaluate the effectiveness of these actions.
- Finally, Clause 10.2 states that the risk and opportunities plan should be updated following a nonconformity.
Effective risk management inevitably:
- Increases overall business efficiency,
- Increases the ability to achieve organizational goals,
- Improves output consistency,
- Improves customer satisfaction,
- Creates a proactive culture of prevention and continual improvement,
- Offers flexibility to respond to unexpected issues,
- Improves organizational resilience,
- Improves compliance, and
- Offers a competitive advantage.
The overall aim of ISO 9001:2015’s risk-based thinking requirements is to develop a proactive rather than reactive approach to risk, one that fosters continual improvement rather than merely emphasizing the prevention or reduction of nonconformities and other negative impacts.
How Do You Address Risks and Opportunities?
Planning and implementing your QMS demands consideration of different kinds of risk and different levels of risk. The most efficient way to do this is to look at what you already do within your organization to see if you address some of these requirements with your current activities.
You’ll need to ensure your organization is planning for risks, understanding the business opportunities associated with risk, and documenting your actions to do so. The Plan-Do-Check-Act (PDCA) cycle is one approach some organizations use to manage their transition to risk-based thinking.
How Do You Determine Risks and Opportunities?
Before you can address them, you need to identify what the risks and opportunities are.
Risks and opportunities must be determined based on the internal and external context of the organization and the requirements of any interested parties. The internal and external contexts of the organization can be influenced by a variety of factors, including:
- Legal
- Financial
- Regulatory
- Social
- Cultural
- Hierarchy
- Resource capabilities
- Organizational structures
Risks and opportunities that might arise from the requirements of interested parties are:
- Customer requirements for low or zero-defect delivery
- Employees’ need for job satisfaction
- Employees’ need for work-life balance
- Employees’ salary needs
Any of the above may result in risks or opportunities. Some strategies for identifying risks and opportunities include:
- A SWOT analysis
- Developing risk tolerance criteria
- FMEA
- Formal business risk assessment
- The process approach to identify all sources of risk with any inputs, activities, outputs, receivers of outputs, or performance indicators to control and monitor processes
- Observations
- Interviews
As organizations begin to think about where the risks and opportunities come from, they can begin planning how to address them.
Ways to Address Risk
There are a variety of ways to identify and approach risk. Consider the following approaches some organizations take:
- Avoiding risk
- Taking a risk in order to pursue an opportunity
- Eliminating the source of the risk
- Changing the likelihood of a risk occurring
- Changing the consequences of a risk
- Sharing the risk
- Deciding consciously to take on a risk
All of the options organizations choose to identify and address risks and opportunities should result in actions that increase the opportunities and mitigate the risks. It’s also good practice to document your risk and opportunities procedure and outline your organization’s risk and opportunity management framework and all relevant activities.
Examples of risk documentation include:
- A process output review
- Risk matrix
- Risk addressed in an aspect register form
- Corrective/preventative action log
Organizations may decide to use ISO 31000 (Risk Management: Principles and guidelines) for guidance on managing risks and opportunities. It may serve as a useful resource to organizations choosing to implement a formal approach to risk management.
It’s also important to remember that organizations have the option of doing nothing about a risk. As long as the organization has identified and evaluated the risk or opportunity and is making an informed decision to do nothing, it may still be in compliance with ISO 9001:2015. Organizations may also choose to take on different or new risks in order to pursue different opportunities.
What Are Some Common Auditing Questions About Risks and Opportunities?
Should You Document Your Risks and Opportunities Procedure?
It’s good practice to document your risks and opportunities procedure. Outlining your risk framework makes it clear to all stakeholders and auditors. Your risk management framework should define your risk management process, including your methodology, risk tolerance, and any methods for training or reporting.
How Often Do I Need to Track Risks and Opportunities?
Any risks and opportunities your organization identifies must be monitored and assessed regularly. Organizations are given freedom under this standard to determine how frequently these activities are necessary. The purpose of regular monitoring of risks and opportunities is to ensure that, after the activities to address risk have been implemented, the remaining level of risk is acceptable and that any adjustments made are effective. Monitoring and tracking of risks and opportunities might be done on a fixed frequency or initiated by a specific event, such as a change in staffing, equipment, or processes.