Concept of Risk in ISO 9001:2015

The standard has major change in principle by adding the risk based approach. It is therefore important to understand where, to what extend will this have an impact, and what can be changes in the implementation, and audits.

The risk is defined as Effect of Uncertainty over expected result. Let us use this definition on where ever the requirement is added.

The risk related requirements are added in clause: 4.4, 5.1.2, 6.1, 8.5.5, 9.3.

Also the, reference can be linked with clauses like- 6.3, 8.1, 8.3.3, 8.4.2, 10.2.

Before that, it is interesting to see the linkage of context, risk, review and strategic direction.

This means, the organization shall   know issues, have a set direction, and monitor the performance. The review shall give details of actions taken.

Let us see a small example.

The issues for small sector organization can be typically:

1. Dependence on small client base.
2. Retaining  of  employee
3. Cash flow

The strategic direction on each of these issues can have set of risk/ opportunities.

The direction in general can be:

1. Maintain quality, delivery schedule
2. Ask for better payment terms
3. Develop new customer.
    

The associated risk, opportunities are

Risks:  Loss of current customer, Loss of employee

Opportunity: Spare capacity for new customers, less paid employees

The management need to have plan on risks, opportunities to meet uncertainties of result and review the direction.

Review ideally should state actions on:

1. Result on set objectives on Quality, delivery performance customer satisfaction.
2. Result on new customer development.

The action points actually have clear co-relation to risks mentioned above:

1. Procurement of new instruments for inspection, new machines,

2. Recruitment of employees, training.

 The extent of documentation is left to organization for documenting context, strategic direction, risks, and opportunities. There is no reference to documented information for the clauses except for review.

 

On the operational part / product related part, the areas where the risk becomes starting point for review. Following statement refers to the action, or result of risk analysis.

Planning of the process is risk based as per concept shown figure 2 of the standard.

This is referred in planning for the changes, and statement refers to potential consequences. (6.3. a)

At operational planning again the reference is used to consider controls based on risk.  (8.1)

For Design of the product, consideration is given to potential consequences. (8.3.3.e)

Potential impact of service provider’s services on the final product also refers to risk.

When taking corrective action, the considerations are on consequences, and evaluation is based on potential to occur again. (10.2 A, b)

Thus at operational level, during various stages right from planning, design procurement stage the risk and impact is to be analysed.

Simple example can be:

After deciding the processes for realization & after reviewing the result, the organization can consider:

1. Inspection sampling plan, method, stages for the product.
2. FMEA for the product under design
3. Pre check before procurements.
    

 

For auditors: some simple questions can lead the trail.

1. What if the results are not achieved?
2. When was the process reviewed for risk/ opportunity and what is the outcome.
3. What are the proposed improvements based on risk/ opportunities.
    
   Hence, to conclude
   The consideration of risk based thinking means, evaluate the result, identify uncertainties, and take actions for improvement.
   The risk based thinking actually is not a document which does not add any value, but gives insight for sustainable development towards strategic direction.