In the ever-evolving landscape of quality management, health and safety, and environmental responsibility, one concept has taken center stage in the latest iterations of ISO standards: Risk-Based Thinking. It’s not just a mere addition to the requirements; it’s a fundamental shift in how organizations approach risk. As we delve into this article, we’ll explore the significance of risk-based thinking in ISO standards, understanding what it means and how it affects every facet of your business operations.
Discover how this shift embeds risk assessment seamlessly into every phase of business, mandates top-level commitment to acknowledging risks, and propels organizations towards proactive excellence in a constantly changing landscape.

What is the meaning of Risk-based thinking in the ISO standards?

One of the key changes in the new versions of ISO 9001, 14001, and 45001 is the establishment of a systematic approach to considering and mitigating risks. Risk-based thinking has always been a part of quality, health & safety, and environmental management systems. In previous editions of the standards, risks were considered in a separate clause; the new structure of the ISO standards makes them inherent to planning, operation, analysis, and evaluation activities. There are risks in all processes and functions of the organisation that, if not addressed properly and proactively, can cause failures in different aspects of the business. Applying risk-based thinking in business processes increases the likelihood of achieving the intended outcomes of the QMS and establishes a proactive culture of continual improvement.

Risks are the effect of uncertainty, which can influence the organisation in a positive or negative way. Risk-based thinking ensures that these effects are considered throughout the business operations and activities. Thus, risks need to be considered from the beginning and throughout the system. Risk-based thinking is an integral part of ISO 9001:2015 and is addressed in several clauses of the standard.

Risk-Based Thinking
  • Clause 4.4.f requires organisations to address the risks and opportunities when planning the QMS processes
  • Clause 5.1.1 requires top management to promote risk-based thinking
  • Clause 5.1.2 requires top management to ensure the risks and opportunities that can affect the quality of the products and services have been determined and addressed
  • Clause 6.1 requires organisations to determine risks and opportunities when planning for the QMS and take adequate actions to address these risks and opportunities, integrate actions into business processes and evaluate their effectiveness
  • Clause 7 requires organisations to provide adequate resources to determine and address risks and opportunities
  • Clause 8 requires organisations to manage risks and opportunities through implementation and control of the processes
  • Clause 9.1.3.f requires organisations to evaluate the effectiveness of actions taken to address risks and opportunities
  • Clause 9.3.2.e requires the management team to review the effectiveness of the actions taken to address risks and opportunities
  • Clause 10.2.1.e requires organisations to continually improve their risk management processes by updating risks and opportunities when a nonconformity occurs, if necessary.

How to establish an effective risk assessment procedure?

Risk assessment is a process of evaluating the risks arising from business processes, taking into account the adequacy of any existing controls, and deciding whether the level of risk is acceptable. An acceptable risk is a risk that has been reduced to a level that the organisation is willing to assume with respect to its legal obligations, policies, and objectives.

To ensure that their risk assessment procedure is effective and proactive, organisations should adopt a risk assessment methodology that matches the scope and nature of their business. Generally, a risk assessment methodology consists of the following steps:


Step 1: Determine the risks

Risk identification is a systematic process to identify and document sources of risk. In this step, organisations should determine what the potential risks are, when they can occur, and how they can affect their business processes. Risk identification is crucial because a neglected risk can have a significant impact on the organisation. Thus, risk identification is an ongoing process and should be carried out regularly. Inputs to risk identification can come from:
  • Personal experience
  • Group processes
  • Interviews
  • Checklists
  • Document review

Step 2: Determine the exposure

Once the risks are identified, organisations should determine the severity of each risk. A common technique to determine the risk consequences is to use rating scales, allocating a specific level of severity to each risk. The consequences of a risk can be rated as insignificant, minor, moderate, major, or catastrophic. It is highly important that the descriptive scales are clearly defined so that different individuals interpret them consistently.

Step 3: Determine the likelihood

The next step is to determine the probability of the occurrence of the risks. If historic information is available about the frequency of a risk, it can be used to help determine the probability of the risk eventuating. An example of a likelihood scale is shown below:
LIKELIHOOD
Definition                                              Probability
Almost certain. Expected in most circumstances.         91-100%
Likely. Will probably occur in most circumstances.      61-90%
Possible. Might occur at some time.                     41-60%
Unlikely. Could occur at some time.                     10-40%
Rare. May occur only in exceptional circumstances.      0-10%

Step 4: Determine the risk priority

Priority is the combination of exposure and likelihood. Prioritizing risks is a way to help determine which risks are the most serious ones and need to be controlled first. An example of a common risk priority matrix is illustrated below:

Step 5: Determine the control

Once organisations have established the risk priorities, they can decide on ways to control them. Risk control methods are often grouped into the following categories:
  • Avoidance: change the plan to eliminate the threat. Refuse to accept the risk.
  • Reduction: reduce the likelihood or consequences of the risk.
  • Retention: accept the risk and exposure with no further action to manage – often for low risks.
  • Transfer: shift responsibility and consequences to another party, though the risk still exists.
A risk control plan should define what actions are required; who is responsible; what the target completion date is; what resources are required; and how often the process is to be reviewed.
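One way to apply steps 2 to 4 to a small risk register, as an added example that is not part of the original article: the register entries, the severity-times-likelihood product and the priority bands are assumptions, since the article's own priority matrix is not reproduced above.

```python
"""Score and rank a risk register with the article's severity and likelihood
scales (steps 2 to 4). Added example; the register, the severity x likelihood
product and its priority bands are assumptions, not the article's matrix."""
from dataclasses import dataclass

# Step 2: descriptive severity scale from the article, mapped to 1..5.
SEVERITY = {"insignificant": 1, "minor": 2, "moderate": 3, "major": 4,
            "catastrophic": 5}
# Step 3: the article's likelihood table, keyed by each range's upper bound.
# The article puts 10% in both "rare" and "unlikely"; a boundary value is
# assigned to the lower band here (assumption).
LIKELIHOOD_BANDS = [(10, "rare"), (40, "unlikely"), (60, "possible"),
                    (90, "likely"), (100, "almost certain")]
LIKELIHOOD = {name: i + 1 for i, (_, name) in enumerate(LIKELIHOOD_BANDS)}
# Step 4: assumed 5x5 matrix, score = severity * likelihood (1..25), bucketed.
PRIORITY_BANDS = [(4, "low"), (9, "medium"), (15, "high"), (25, "extreme")]


@dataclass(frozen=True)
class Risk:
    name: str
    severity: str     # key of SEVERITY
    probability: int  # estimated chance of occurrence, in percent


def likelihood_from_probability(percent: int) -> str:
    """Map a percentage to the article's likelihood label."""
    if not 0 <= percent <= 100:
        raise ValueError(f"probability out of range: {percent}")
    return next(name for upper, name in LIKELIHOOD_BANDS if percent <= upper)


def score(risk: Risk) -> int:
    """Severity rating times likelihood rating."""
    level = LIKELIHOOD[likelihood_from_probability(risk.probability)]
    return SEVERITY[risk.severity] * level


def priority(points: int) -> str:
    """Bucket a 1..25 score into the assumed priority bands."""
    return next(name for upper, name in PRIORITY_BANDS if points <= upper)


def rank(register: list[Risk]) -> list[tuple[str, int, str]]:
    """Highest-scoring risks first: those are the ones to control first."""
    scored = [(r.name, score(r), priority(score(r))) for r in register]
    return sorted(scored, key=lambda row: row[1], reverse=True)


# Constructed register entries, not taken from the article.
REGISTER = [Risk("untested backup restore procedure", "major", 75),
            Risk("supplier delivery delay", "moderate", 50),
            Risk("fire in the main office", "catastrophic", 5),
            Risk("data entry errors in order forms", "minor", 95)]
```

Running `rank(REGISTER)` puts the major/likely item first and the catastrophic/rare item last, which is exactly the kind of ordering a priority matrix is meant to make explicit before controls are chosen in step 5.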

In a world where uncertainty is a constant companion, risk-based thinking is a guiding light for organizations seeking to navigate the complex terrain of ISO standards. It’s not just a checkbox to mark but a philosophy to embrace. From the planning stage to the continual improvement process, risks and opportunities are integrated into every aspect of your quality, health and safety, and environmental management systems. By understanding, assessing, and effectively managing risks, you not only ensure compliance but also pave the way for proactive excellence. So, embrace risk-based thinking, and watch your organization thrive in the face of challenges, emerging stronger and more resilient than ever.

Conclusion

In this exploration of risk-based thinking within ISO standards, we’ve uncovered a fundamental shift in how organizations approach risk management. From ISO 9001 to 14001 and 45001, the integration of risk-based thinking is not just an addition; it’s a core principle shaping the very fabric of quality, health and safety, and environmental responsibility.

We’ve dissected its meaning, seeing how it transcends mere consideration and becomes inherent in planning, operation, analysis, and evaluation activities. Each clause within the standards emphasizes the need to address risks and opportunities, paving the way for a proactive culture of continual improvement.

Moreover, we’ve delved into the effective establishment of a risk assessment procedure, understanding the importance of risk identification, determining exposure and likelihood, setting risk priorities, and devising control measures.

So, what does this all mean in conclusion? Risk-based thinking isn’t a checkbox; it’s a philosophy that permeates an organization’s entire landscape. From initial planning to ongoing enhancement, it’s the guiding light ensuring integration of risks and opportunities in every facet of your operations. By embracing this mindset, organizations don’t just achieve compliance; they lay the groundwork for proactive excellence. Embrace risk-based thinking, and witness your organization not just survive but thrive, emerging stronger and more resilient in the face of uncertainties.