Risk management in ISO 9001:2015 and other management system standards

ISO 9001:2015 establishes a systematic approach to risk, whereas the previous versions treated it as a single component of a QMS. ISO 14001 and ISO 45001 have added an enterprise risk element to the existing environmental and safety risk assessments. A risk-based approach embeds an assurance and prevention strategy into the whole system. By considering risk at all levels, organisations can increase the likelihood of achieving objectives, standardising output and meeting stakeholder expectations.

Risk-based thinking builds a strong knowledge base so that the company has a realistic picture of the factors which need to be managed to achieve success. It establishes a proactive culture of improvement. Successful organisations intuitively take a risk-based approach. Our experience with risk-based thinking is that many public and semi-state sector organisations have implemented the required processes and structures, and may provide the models for others to follow or study.

References to “risks and opportunities” are present in the following clauses of ISO 9001:

4.1 Context of the organisation

4.4 Quality management system and its processes

5.1.2 Customer focus

6.1.1 and 6.1.2 Actions to address risks and opportunities

8.1 Operational planning and control

8.5.5 Post-delivery activities

9.3.1 Management review general

Use a risk-driven approach in your organisational processes

  1. Identify the requirements and objectives, and the associated risks and opportunities, in your organisation – these depend on its context.
  2. Analyse and prioritise the risks and opportunities in your organisation.
  3. Plan actions to address the risks and opportunities.
  4. Implement the plan: take action.
  5. Check the effectiveness of the actions: does it work?
  6. Learn from experience: continual improvement.

We can identify risks at all levels of the organisation, and in the same way that we cascade objectives down through the organisational structure, risks should be communicated upward.

Analysis of risk starts with the organisation determining its risk appetite and risk tolerance so all members of the organisation can understand the risk philosophy.

  • Risk appetite is the amount of risk, on a broad level, that an entity is willing to accept. It is the measure of the risk/reward trade-off within the business.
  • Risk tolerance is the amount of variation relative to its objectives that an entity is willing to accept.

After the organisation decides risk appetite, it should use tools to determine the risk levels and manage the identified risks. Key tools include the organisation’s operational control processes. These are especially important for ensuring the provision of goods and services that meet the customer’s requirements. Compliance includes financial controls at the entity and activity levels.

We can use the risk analysis matrix to identify the level of risk to the business.

For each identified risk, estimate the consequences and the likelihood of occurrence of the risk, and input these into a risk analysis matrix. This may look familiar to those who have been involved in health and safety or environmental risk assessment.
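The following is an added illustration of the likelihood-by-consequence matrix and the analyse/prioritise/check steps described above; it is not code from the article or from any ISO standard. The 5-point scales, the scoring bands, the tolerance threshold of 8 and the sample risk register are all assumptions chosen for the example.

```python
"""Semi-quantitative risk register built on a likelihood x consequence matrix.

Assumptions (not from ISO 9001 or the article): 5-point ordinal scales for
likelihood and consequence, risk level bands on their product, and a risk
tolerance expressed as a maximum acceptable score.
"""
from collections import Counter
from dataclasses import dataclass, replace
from typing import Dict, List

# Assumed ordinal scales, 1 = lowest, 5 = highest.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
CONSEQUENCE = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}

# Assumed tolerance: any risk scoring above this must be treated (step 3/4).
TOLERANCE_SCORE = 8


def risk_level(score: int) -> str:
    """Map a matrix score (1..25) to an assumed risk level band."""
    if score >= 15:
        return "high"
    if score >= 8:
        return "medium"
    if score >= 4:
        return "low"
    return "negligible"


@dataclass(frozen=True)
class Risk:
    ref: str
    description: str
    likelihood: str   # key of LIKELIHOOD
    consequence: str  # key of CONSEQUENCE
    owner: str


def score(risk: Risk) -> int:
    """Matrix score = likelihood rating x consequence rating; rejects unknown ratings."""
    try:
        return LIKELIHOOD[risk.likelihood] * CONSEQUENCE[risk.consequence]
    except KeyError as exc:
        raise ValueError(f"{risk.ref}: unknown rating {exc}") from None


def classify(risk: Risk) -> str:
    return risk_level(score(risk))


def prioritise(register: List[Risk]) -> List[Risk]:
    """Step 2: highest score first; ties broken by reference for a stable ordering."""
    return sorted(register, key=lambda r: (-score(r), r.ref))


def needs_treatment(register: List[Risk], tolerance: int = TOLERANCE_SCORE) -> List[str]:
    """References of risks beyond tolerance, in priority order (input to step 3)."""
    return [r.ref for r in prioritise(register) if score(r) > tolerance]


def treatment_effective(risk: Risk, residual_likelihood: str, residual_consequence: str,
                        tolerance: int = TOLERANCE_SCORE) -> bool:
    """Step 5: re-score the residual risk after action; effective if within tolerance."""
    residual = replace(risk, likelihood=residual_likelihood, consequence=residual_consequence)
    return score(residual) <= tolerance


def level_summary(register: List[Risk]) -> Dict[str, int]:
    """Count of risks per level, the kind of roll-up communicated upward for management review."""
    return dict(Counter(classify(r) for r in register))


def matrix_grid() -> List[List[str]]:
    """The matrix itself: rows are likelihood (highest first), columns consequence (lowest first)."""
    return [[risk_level(l * c) for c in sorted(CONSEQUENCE.values())]
            for l in sorted(LIKELIHOOD.values(), reverse=True)]


# Constructed sample register; descriptions are illustrative only.
SAMPLE_REGISTER = [
    Risk("R1", "Single supplier for a critical component", "likely", "major", "Purchasing"),
    Risk("R2", "Staff not yet trained on the revised process", "possible", "moderate", "Operations"),
    Risk("R3", "Office printer outage", "almost certain", "negligible", "Facilities"),
    Risk("R4", "Data centre power failure", "rare", "severe", "IT"),
    Risk("R5", "Delayed response to customer complaints", "unlikely", "minor", "Customer service"),
]

if __name__ == "__main__":
    for r in prioritise(SAMPLE_REGISTER):
        print(f"{r.ref} score={score(r):2d} level={classify(r):<10} {r.description}")
    print("beyond tolerance:", needs_treatment(SAMPLE_REGISTER))
    print("summary for management review:", level_summary(SAMPLE_REGISTER))
```

R4 shows why the matrix is worth running rather than eyeballing: a severe consequence at a rare likelihood lands in the same band as a trivial but near-certain event, so the tolerance threshold, not the consequence alone, decides what gets treated.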

In summary, risk-based thinking is something you do already. It just needs to be applied in a consistent manner, on a continual basis, and with the correct information to ensure it is meaningful. If it is implemented effectively, it will provide greater knowledge and preparedness, increase the probability of success and reduce that of failure.