ISO 9001: 2015 requires organizations to incorporate risk-based thinking into their quality approaches. It establishes a systematic approach to risk and ensures that risks are identified, considered and controlled throughout the design and use of the quality management system.
The consideration of risk is integral. Risk-based thinking makes prevention proactive rather than reactive. Here’s how your organization should address risks and opportunities to be ISO 9001 compliant.
Steps for addressing risks and opportunities: ISO guidance
When you’re building your organization’s management system and processes, you need a systematic approach to considering risk and incorporating risk-based thinking at every stage.
Identify your risks
Firstly, you need to identify risks. You must ask what can go wrong. When doing so, you should consider context. For example, consider the risks to your organization if you lose a key supplier.
The risk is not the same if the service or product the supplier provides is quickly and easily replaced by another supplier. If the supplier is the only supplier of a key component, then the risk is considerable.
Assess risks
To understand risks, you need to assess them. Basically, you need to determine the likelihood that they will occur. You must consider what’s acceptable and what’s not. What advantages or disadvantages are there to one process over another?
In the above situation, what is your organization’s objective? Quite simply, you need to be able to ensure your organization can continue production at all times. It’s unacceptable to stop production.
Analyzing the risk is difficult. Risk must be assessed based on quantitative and qualitative analyzes. You determine the risk factor based on how it will potentially affect the project through a variety of metrics. You will base your decision on a risk assessment of the likelihood of losing the supplier and how you can mitigate that risk.
In some cases, risk can bring opportunity. In the above example, you need to assess where risk ends and opportunity begins. How can your organization reduce one while capitalizing on the other? Does the risk of losing a key supplier create an opportunity? Could your organization realize the opportunity to become a supplier of this key component?
Planning risk responses
Once each risk is identified based on the severity and likelihood of it occurring, you must develop a plan for addressing the risks and opportunities. These planning actions must be clearly laid out and documented.
Risk response strategies prevent the risks that can be eliminated and minimize those that are impossible to avoid. They reduce the risk profile of your organization.
The four techniques for managing risk are:
- avoid
- accept and share
- mitigate
- transfer.
Avoid
This aims to eliminate the risk by developing an alternative strategy or process that’s more likely to succeed. It’s usually linked to a higher cost.
Accept
This technique involves accepting the risk and collaborating with others to share responsibility for risky activities. Partnering with another company can be particularly advantageous when the new partner has experience your organization does not.
Mitigate
Mitigating the risk is a technique that usually involves an investment to reduce the risk of a project.
Transfer
Risk transfer shifts risk from the project to another party. A classic example is paying someone else to accept the risk through purchasing insurance
Continuing the example above, it’s easy to see how these techniques could be used to address the risk of losing a key supplier. Your organization may be able to avoid the risk altogether by changing the production process to eliminate the need for the supplier.
You may accept the risk of losing the key supplier and take the opportunity to partner with another company that has experience in this area.
Your company could mitigate the risk by investing and producing the product, thus removing the risk by removing the need for the supplier.
Monitoring effectiveness
All techniques used to respond to a risk must be monitored for effectiveness – or failure – by a dedicated team. Communication channels should be created so that important information isn’t lost.
In our example, if a new production process is implemented to avoid the risk of losing a key supplier, its effectiveness must be monitored. Has the requirement for that supplier been eliminated? Has the risk been removed?
Updating risks and improving responses
Of course, risks change and evolve. The process is cyclical and risk management should be a continuous process.
If, for example, your company decided to bring production inhouse to eliminate the risk of losing a key supplier, you then need to analyze any risk that arises from that new process. For example, what if you lost a key employee in charge of that process? Would production stop?
How to simplify ISO 9001 risk management
isoTracker’s risk management software dramatically simplifies risk management. The module makes it easy and affordable to ensure compliance with ISO 9001 requirements for managing risks and opportunities. Using the module, you can:
- record risks in a way that’s fast, accurate and central
- use automated notifications and workflows to assign and track risk mitigation tasks
- benefit from up-to-date risk analysis and reporting.
The module can standalone or integrate with isoTracker’s other quality management software.
isoTracker
It’s easy to address risks and opportunities with isoTracker’s risk management software. isoTracker offers modular, subscription-based quality management software that’s secure, cloud-based and affordable. It includes a document control module, as well as complaints management, audit management, and training modules, with built-in CAPA capabilities.
Digital quality management is one, straightforward way for small to medium manufacturing businesses to start realizing value from Industry 4.0 – and with isoTracker’s QMS, it’s easy and cost-effective to implement.
Sign up for a free 60-day trial of isoTracker’s quality management software or contact us to discuss your needs.
