“Risk-Based Thinking” Within the New ISO Standards

By ETQ on January 10, 2017

Risk has always had an implicit role in ISO standards, but newer versions are giving risk a more prominent place in quality and environmental management standards. Updated standards like ISO 9001:2015 and 14001:2015 require companies to apply risk-based thinking to a variety of processes across planning, operations and performance evaluation.

But what exactly does ISO mean by risk-based thinking? A deeper look reveals that while it’s not the same as risk management, automated risk management tools can help you incorporate risk-based thinking into your processes.

Risk-Based Thinking Defined

In the context of ISO 9001:2015, risk-based thinking replaces what was called preventive action in the previous standard version. Where ISO once gave preventive action a separate clause, it now incorporates risk throughout. Risk-based thinking requires companies to evaluate risk when establishing processes, controls and improvements in a Quality Management System.

It’s important to note that risk isn’t limited to negative possibilities. Companies can also use risk-based thinking to pinpoint opportunities, which represent the positive side of risk.

Areas where risk appears in the new standard requirements include:

  • Organizational context: When establishing the context of the organization, ISO requires companies to identify risks that could impact quality objectives. They also need to evaluate the risk of producing nonconforming products, which can vary depending on the type of good manufactured.
  • Leadership: Your company’s management must commit to addressing risks and opportunities that could affect product quality.
  • Planning: This section of the standard requires you to not just identify risks and opportunities, but also create plans for how to address them.
  • Operation: ISO requires you to implement and control the actions identified during planning steps.
  • Performance evaluation: Here’s where you track and analyze the risks and opportunities identified.
  • Improvement: Organizations must make improvements based on any changes in risk.

The new high-level structure for ISO standards is based on the Plan-Do-Check-Act (PDCA) cycle for process improvement, corresponding with proven risk management approaches.

Risk-Based Thinking vs. Risk Management

So if risk-based thinking aligns so well with risk management, why not just call it that? Ask some experts and you might hear that risk-based thinking is just a watered-down version of risk management.

For example, ISO 9001:2015 doesn’t require any sort of formal risk assessment, nor does it require you to maintain a Risk Register. ISO’s risk-based thinking requirements center on incorporating risk into decision-making, without formalizing exactly how to do it.

Presumably, ISO left the method open because it wants to give companies across varying industries more flexibility in how they satisfy the standard requirements. Others will say it was just too big a leap to make risk management approaches a formal requirement for certification.

Either way, companies need a way to make risk part of their QMS, and there are several tech tools that can help them get there.

Using Technology to Mitigate Risk

One of the most important parts of applying risk-based thinking to your quality management process is to actually make it part of your process rather than a siloed activity.

From a tech perspective, this means having risk tools built into your QMS rather than using a separate point solution or time-consuming manual processes. Key capabilities of risk-enabled Quality Management Software include:

  • Integrated Risk Register: You need a centralized place to record and monitor individual hazards and risk items. While not formally part of ISO standards, consistently using a Risk Register will help you satisfy several requirements.
  • Flexible risk tools: You should be able to activate risk assessment tools such as a risk matrix or decision tree within any QMS application, from audits to deviations to regulatory compliance tracking.
  • Risk-based effectiveness checks: Adding a final risk-based verification step for processes like corrective action helps satisfy performance evaluation and improvement requirements.

Finally, one of the most important ways you can use technology to reduce risk is through automation. Creating automated risk management processes ensures nothing falls through the cracks, giving you a documented history to turn to if things go wrong.