A company is successful when it systematically identifies, analyzes and acts on opportunities on the one hand, and identifies the associated risks and takes appropriate action on the other. The risk-based approach of ISO 9001 is primarily concerned with identifying the effects of business uncertainty and determining risks as the basis for planning. The topic of "risk" is not entirely new to quality management systems: earlier versions of ISO 9001 covered it under the requirements for preventive action. That chapter was dropped in ISO 9001:2015 and replaced by the consideration of risks and opportunities.


What is a risk-based approach?

The starting point for looking carefully at opportunities and risks is the sharpened focus of ISO 9001:2015 on achieving "intended results". This applies to both the quality management system (QMS) and the processes required for this.

The standard defines risk as the "effect of uncertainty" on an expected result.

ISO 9001:2015 - Quality management systems - Requirements

Intended results, in turn, follow from the scope of the management system, whose objective is to provide products and services that meet the following:

  • Customer requirements
  • Legal and/or regulatory requirements
  • The organization's own specifications


How do you manage risks and opportunities?

The risk-based approach runs like a thread through ISO 9001. Clause 6.1 (Actions to address risks and opportunities, in chapter 6 Planning) of the well-known ISO standard sets out the general requirements for dealing with risks and opportunities. However, the standard merely specifies that appropriate measures must be planned, integrated into the quality management system, implemented and evaluated for their effectiveness. How this requirement is to be implemented is not specified.

Neither is there any mention of a comprehensive risk management system, e.g. based on the ISO 31000 standard, nor of a formal risk management process. Nor are there any requirements in ISO 9001 regarding specific methods to be used for risk identification or risk assessment.

Beyond that, the standard names the following options for addressing a risk:

  • Avoid the risk,
  • Eliminate the source of the risk,
  • Influence the probability of occurrence,
  • Influence the possible consequences, or
  • Take the risk deliberately on the basis of a well-founded decision, e.g. in order to seize an opportunity.

Risk-based approach - What does the standard require?

  • Identification (determination) of risks and opportunities to:
    - Assure achievement of intended results
    - Enhance desired impacts - these are the opportunities
    - Prevent or reduce undesired impacts (risks)
    - Achieve improvements
  • Evaluation of the identified risks and opportunities. No mandatory methods are specified here. Common, established tools are nevertheless recommendable, e.g.:
    - (process) FMEA
    - SWOT analyses
    - ABC analyses
    - Risk matrix
  • Derive measures from the identified risks and opportunities. These can:
    - Refer to the removal or avoidance of the risk or the source of the risk
    - Be focused on reducing the risk by a change of the probability of occurrence or the effects or consequences
    - Include an acceptance of the risk, e.g., in order to seize an opportunity.
  • Evaluation of the effectiveness of the measures, e.g. based on:
    - Non-occurrence of an identified risk
    - The lowering of a probability of occurrence
    - The reduction of the impact, e.g. through insurance or contractual safeguards in customer contracts.


Documented information as proof

The question of the form and extent in which documented information is required as evidence can be answered as follows: the relevant chapters of the standard contain no concrete, precise requirement for this!

Instead, Annex A.4 of the ISO 9001 QM standard, which is also worth reading, states that "... the organization is responsible for its application of risk-based thinking and the actions it takes to address risk, including whether or not to retain documented information as evidence of its determination of risks."

In simpler terms: this is something the organization determines for itself - not the standard! And it is not determined by the certification body or its auditors either.

Interested parties and their relevant requirements

One aspect that should not be overlooked is the consideration of the relevant requirements of the interested parties that are relevant to the quality management system (QMS) (clause 4.2).

In this context, "relevant" means: having an impact on the organization's ability to consistently provide conforming products and services, i.e. products and services that meet customer expectations as well as legal and regulatory requirements. These requirements must therefore also be taken into account in the risk-based approach (clause 6.1.1 Planning).

Distinction between opportunities and risks in the sense of ISO 9001

In addition to risks, the standard's requirement also addresses opportunities, which can arise from risks. Many companies, however, ask what concrete opportunities might be. What is not meant by an opportunity is the achievement of intended results: that is a fundamental requirement of the management system and its processes.

In the QM standard, an opportunity is understood as a "possibility" that can arise when a company takes a controllable risk. Good references are given in chapter 0.3.3 of ISO 9001, where the following examples of opportunities are listed:

  • Customer acquisition
  • Development of new products and services
  • Reduction of scrap or waste
  • Improvement of productivity

Further guidance on what can be understood by an opportunity can be found in the notes to clause 6.1.2:

  • Adoption of new practices and use of new technology
  • Launching new products
  • Opening new markets
  • Addressing new customers and building partnerships

Further tips

Chapter 0.3.3 of ISO 9001 provides good and complementary explanations on how to deal with the risk-based approach. Among other things, it states that risk-based thinking is essential for an effective quality management system (QMS) and should be used to achieve improved results and avoid negative effects.

In addition, the ISO 31000 guide provides a comprehensive, systematic approach to managing risk that goes well beyond the requirements of a QMS.

Two documents published by the responsible ISO committee are also highly recommendable; they explain briefly and concisely what the risk-based approach is really about. These are firstly a set of slides ("ISO 9001 and Risk Based Thinking") and secondly the document "Risk Based Thinking in ISO 9001:2015".


Conclusion on the risk-based approach in ISO 9001

Risks are "effects of uncertainty". Uncertainty can therefore also give rise to opportunities. Opportunities can lead, for example, to the acquisition of new customers and the development of new markets, but opportunities can in turn give rise to uncertainties and the risks associated with them.

All in all, we recommend treating potential opportunities with the same intensity with which risks are determined, assessed and addressed by measures. Opportunities, too, must be determined and evaluated, and measures for seizing them must be derived.


ISO 9001 - Audited with added value

In everything we do, we set the highest standards for quality and competence in every project. As a result, our actions become the benchmark for our industry, but also our own guiding principle, which we renew every day.

Our core competencies lie in the performance of certification audits and assessments. This makes us one of the leading providers worldwide with the claim to set new benchmarks in reliability, quality, and customer orientation at all times.

Author
Frank Graichen

Standards expert with a wide range of activities: passionate keynote speaker, popular lecturer, moderator, author of publications on standards and management systems, and long-standing DQS auditor for ISO 9001.
