A company is successful if, on the one hand, it systematically identifies, analyzes and acts on opportunities and, on the other hand, identifies the associated risks and responds to them accordingly. The risk-based approach in ISO 9001 is primarily concerned with identifying the effects of business uncertainties and determining the resulting risks as a basis for planning. The topic of "risk" in a quality management system is not entirely new: in earlier versions of ISO 9001, it was embedded in the requirements on preventive measures. That chapter was dropped with ISO 9001:2015 and replaced by the consideration of risks and opportunities.
- What is a risk-based approach?
- How do you manage risks and opportunities?
- Risk-based approach - What does the standard require?
- Documented information as evidence
- Interested parties and their relevant requirements
- Distinction between opportunities and risks as defined by ISO 9001
- Further tips
- Conclusion on the risk-based approach in ISO 9001
- ISO 9001 - Audited with added value
What is a risk-based approach?
The starting point for looking carefully at opportunities and risks is the sharpened focus of ISO 9001:2015 on achieving "intended results". This applies to both the quality management system (QMS) and the processes required for this.
The standard defines risk as the "effect of uncertainty" on an expected result.
ISO 9001:2015 - Quality management systems - Requirements
Intended results, on the other hand, follow from the scope of the management system, whose objective is to provide products and services that meet the following requirements:
- Customer requirements
- Legal and/or regulatory requirements
- The organization's own specifications
How do you manage risks and opportunities?
The risk-based approach runs like a thread through ISO 9001. Chapter 6.1 (Planning) of the well-known ISO standard sets out general requirements for dealing with risks and opportunities. However, the standard merely specifies that appropriate measures must be planned, integrated into the quality management system, implemented and evaluated for their effectiveness. How this requirement is to be implemented is not specified.
Neither is there any mention of a comprehensive risk management system, e.g. based on the ISO 31000 standard, nor of a formal risk management process. Nor are there any requirements in ISO 9001 regarding specific methods to be used for risk identification or risk assessment.
Beyond that, the options for addressing risks are to:
- Avoid risks,
- Eliminate sources of risk,
- Influence the probability of occurrence,
- Influence the possible consequences, or
- Take risks deliberately on the basis of a well-founded decision, e.g. in order to seize an opportunity.
Risk-based approach - What does the standard require?
- Identification (determination) of risks and opportunities in order to:
  - Ensure the achievement of intended results
  - Enhance desired effects (these are the opportunities)
  - Prevent or reduce undesired effects (these are the risks)
  - Achieve improvements
- Evaluation of the identified risks and opportunities. No mandatory methods are prescribed here; common, established tools are nevertheless recommended, e.g.:
  - (Process) FMEA
  - SWOT analysis
  - ABC analysis
  - Risk matrix
- Derivation of measures from the identified risks and opportunities. These can:
  - Aim at removing or avoiding the risk or the source of the risk
  - Focus on reducing the risk by changing its probability of occurrence or its effects or consequences
  - Include acceptance of the risk, e.g. in order to seize an opportunity
- Evaluation of the effectiveness of the measures, e.g. based on:
  - Non-occurrence of an identified risk
  - A lower probability of occurrence
  - A reduced impact, e.g. through insurance or contractual safeguards in customer contracts
Documented information as evidence
The question of the form in which, or the extent to which, documented information is required as evidence can be answered as follows: there is no concrete, precise requirement for this in the relevant chapters of the standard!
Instead, Annex A4 of the ISO 9001 QM standard, which is also worth reading, states that "... the organization is responsible for applying risk-based thinking and for initiating actions to address a risk, including answering the question of whether or not documented information is to be retained by it as evidence of the determination of risks."
In simpler terms, this is something an organization determines individually for itself - not the standard! And: this is also not determined by the certification body or its auditors.
Interested parties and their relevant requirements
One aspect that should not be overlooked is the consideration of the essential requirements of the interested parties relevant to the quality management system (QMS) (chapter 4.2).
In this context, "relevance" is to be understood as the impact on the organization's ability to consistently provide compliant products and services, i.e. products and services that meet customer expectations as well as legal and regulatory requirements. These requirements must therefore also be taken into account in the context of the risk-based approach (section 6.1.1 Planning).
Distinction between opportunities and risks as defined by ISO 9001
In addition to risks, the standard also requires consideration of the opportunities that can arise from risks. However, many companies are faced with the question of what a concrete opportunity can be. What is not meant by an opportunity is the achievement of intended results: that is a fundamental requirement of the management system and its processes.
In the QM standard, an opportunity is understood as a "possibility or opportunity" that can arise when a company takes a controllable risk. Good references are given in chapter 0.3.3 of ISO 9001, where the following examples of opportunities are listed:
- Customer acquisition
- Development of new products and services
- Reduction of scrap or waste
- Improvement of productivity
Further guidance on what can be understood by an opportunity can be found in the notes to chapter 6.1.2:
- Adoption of new practices and use of new techniques
- Market introduction of new products
- Development of new markets
- Acquiring new customers and building partnerships
- Use of new techniques, etc.
Chapter 0.3.3 of ISO 9001 provides good and complementary explanations on how to deal with the risk-based approach. Among other things, it states that risk-based thinking is essential for an effective quality management system (QMS) and should be used to achieve improved results and avoid negative effects.
In addition, the ISO 31000 guide provides a comprehensive, systematic approach to managing risk that goes well beyond the requirements of a QMS.
Two documents published by the responsible ISO committee are also highly recommended, as they explain in a short and concise way what the risk-based approach is really about: a set of slides ("ISO 9001 and Risk Based Thinking") and the document "Risk Based Thinking in ISO 9001:2015".
Conclusion on the risk-based approach in ISO 9001
Risks are "effects of uncertainty". Consequently, risks can also give rise to opportunities. Opportunities can lead, for example, to the acquisition of new customers and the development of new markets, but this also means that opportunities can in turn give rise to uncertainties and associated risks.
All in all, we recommend addressing potential opportunities with the same intensity with which risks are determined, assessed and measures derived from them. Opportunities, too, must be determined and evaluated, and measures for seizing them must be derived.
ISO 9001 - Audited with added value
In everything we do, we set the highest standards for quality and competence in every project. As a result, our actions become the benchmark for our industry, but also our own guiding principle, which we renew every day.
Our core competencies lie in the performance of certification audits and assessments. This makes us one of the leading providers worldwide with the claim to set new benchmarks in reliability, quality, and customer orientation at all times.