Risk-Based Thinking

Risk-Based Thinking (RBT) is used in many ISO standards, but it is also a familiar part of everyday life. We use it to weigh actions against outcomes: whether and when to cross the road; who is and is not allowed to use knives in the kitchen at home; whether and how to respond to an unexpected email or phone call.

ISO 9000:2015 defines risk as the “effect of uncertainty”, where an effect is a deviation from what was expected, positive or negative. In other words: what could happen, good or bad, if things do not go as planned.

Step 1: Risk Identification

For ISO 13485 or AS9100 certification you need evidence of a formal, documented risk management process (commonly a PFMEA or FMEA) that identifies and evaluates the risks associated with each process, records the controls established, and shows how each risk has been mitigated or eliminated. ISO 31000 is a good reference document for developing a risk management program.

For ISO 9001 and ISO 14001 certification, you need evidence that “risks and opportunities that can affect conformity of products and services and the ability to enhance customer satisfaction are determined and addressed” (ISO 9001:2015, 5.1.2 b), and that you plan and implement appropriate actions to address them (6.1). Evidence of risk-based thinking should be found in strategic planning, tied to the context of the organization (4.1) and the needs and expectations of interested parties (4.2); at the company level as part of Management Review (9.3); and at the process level in the controls built into each process.

The assessment and monitoring tools below may help.

Step 2: Assessing Risks & Opportunities


The goal of the risk assessment is to compare process risks to current process controls in order to determine if the level of control is sufficient, or if additional controls and contingency plans may be required.

Quantitative - A quantitative assessment asks the team to put a number on each named risk, as in a simplified Failure Modes and Effects Analysis (FMEA): typically the severity of the impact, the likelihood of occurrence and, in FMEA, the chance of detecting the failure before it matters, each rated on a fixed scale. The scores are then multiplied (the FMEA Risk Priority Number) or added to give a single risk level. Management sets the criteria for what action each level requires, and that drives priority within the overall risk management strategy.


Qualitative - A qualitative assessment is made without numerical scoring. It rests on the learned observation and “gut feel” of the process owners, who are generally experienced employees. It still requires criteria for prioritizing actions to address each risk, but it is less cumbersome, especially where products or services carry very low risk. Even a high/medium/low rating needs a written definition of what each level means, or two process owners will rate the same risk differently.

Step 3: Determining Actions to Control Risk

Top Management must set priorities and decide the actions to address the identified risks. The options for addressing risk (as listed in ISO 9001:2015, 6.1.2, Note 1) include:

  • Avoiding risk

  • Taking risk in order to pursue an opportunity

  • Eliminating the risk source

  • Changing the likelihood or consequences

  • Sharing the risk

  • Retaining risk by informed decision

In practice this can be as simple as presenting a list of proposed process-improvement actions at Management Review; approved actions are then carried out, with a metric assigned to each so that the risk can be monitored for effectiveness.

Step 4: Monitor risks and the effectiveness of their controls

Process controls, their results and any trends are collected under monitoring, measurement, analysis and evaluation (9.1) and reported to management. The minutes of Management Review (9.3) then provide the evidence that effectiveness was reviewed and that any required follow-up actions were assigned. Finally, Management Review should identify trends in risks or opportunities, leading to updates of the risk listing and controls for new items.
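As an added example (not part of the original page or of any ISO document), the four steps above expressed as a small Python risk register: FMEA-style scoring from Step 2, management-defined action bands and the treatment options from Step 3, and the residual-risk and trend checks a Management Review would want under Step 4. All ratings, thresholds, process names and metric readings are constructed for illustration and are not taken from any standard.

```python
"""Simplified FMEA-style risk register (added example; all data constructed)."""
from dataclasses import dataclass, field
from typing import Optional

# Management-defined action criteria. These thresholds are assumed for the
# example; a real program sets its own at Management Review.
ACTION_BANDS = (
    (100, "act_now"),         # action plan required before the next review
    (40, "plan_action"),      # propose an action, track at Management Review
    (0, "accept_monitor"),    # retain by informed decision, keep monitoring
)


def score(value: int, name: str) -> int:
    """FMEA-style ratings run 1 (best) to 10 (worst); reject anything else."""
    if isinstance(value, bool) or not isinstance(value, int) or not 1 <= value <= 10:
        raise ValueError(f"{name} must be an integer 1..10, got {value!r}")
    return value


def rpn(severity: int, occurrence: int, detection: int) -> int:
    """Risk Priority Number: the multiplied form of the Step 2 score."""
    return (score(severity, "severity") * score(occurrence, "occurrence")
            * score(detection, "detection"))


def action_band(value: int) -> str:
    """Map a score to the first action band whose threshold it meets."""
    for threshold, label in ACTION_BANDS:
        if value >= threshold:
            return label
    raise ValueError(f"no band for score {value}")


@dataclass
class Risk:
    process: str
    failure_mode: str
    severity: int
    occurrence: int
    detection: int
    treatment: str = "retain"                  # one of the Step 3 options
    controls: list = field(default_factory=list)
    residual: Optional[tuple] = None           # (S, O, D) expected after controls
    metric_history: list = field(default_factory=list)  # Step 4 readings, oldest first

    def initial_rpn(self) -> int:
        return rpn(self.severity, self.occurrence, self.detection)

    def residual_rpn(self) -> int:
        """Score after controls; with no residual estimate nothing has changed."""
        return self.initial_rpn() if self.residual is None else rpn(*self.residual)


def prioritise(register):
    """Worst initial score first, so Management Review sees the top risks first."""
    return sorted(register, key=lambda r: r.initial_rpn(), reverse=True)


def control_effective(risk: Risk) -> bool:
    """A control counts as effective only if it moves the risk into a lower
    action band, not merely lowers the number within the same band."""
    bands = [label for _, label in ACTION_BANDS]
    before = bands.index(action_band(risk.initial_rpn()))
    after = bands.index(action_band(risk.residual_rpn()))
    return after > before


def trend_alert(readings, window: int = 3) -> bool:
    """Step 4 trend rule: flag when the last `window` readings rise every time."""
    if len(readings) < window:
        return False
    tail = readings[-window:]
    return all(later > earlier for earlier, later in zip(tail, tail[1:]))


# Constructed sample register (hypothetical processes, ratings and readings).
REGISTER = [
    Risk("Incoming inspection", "Nonconforming material accepted", 8, 5, 6,
         treatment="reduce", controls=["Supplier CoC required", "Sampling plan per lot"],
         residual=(8, 2, 3), metric_history=[4, 3, 3, 2, 1]),
    Risk("Order entry", "Wrong part number transcribed", 6, 4, 2,
         treatment="reduce", controls=["Part number validated against catalogue"],
         residual=(6, 2, 2), metric_history=[1, 2, 3, 4]),
    Risk("Shipping", "Label misprint", 3, 2, 4, treatment="retain"),
]


def management_review(register):
    """One summary row per risk, in priority order, for the review minutes."""
    return [{
        "process": r.process,
        "initial": r.initial_rpn(),
        "band": action_band(r.initial_rpn()),
        "residual": r.residual_rpn(),
        "effective": control_effective(r),
        "trend_alert": trend_alert(r.metric_history),
    } for r in prioritise(register)]


if __name__ == "__main__":
    for row in management_review(REGISTER):
        print(row)
```

In the sample register the incoming-inspection risk drops from 240 (act now) to a residual 48 (plan action), so its control is judged effective; the order-entry control is also effective, but its monitoring metric has risen three readings in a row, which is exactly the kind of trend the Management Review minutes should pick up for follow-up.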
