Where does Risk fit into ISO 9001:2015? 5 Takeaways from our Webinar
The dynamic of risk management in compliance is shifting, with more attention on using risk management in day-to-day operations. However, the question I am asked most often is: “I know I need to do risk, but I don’t know where to start, and I don’t know how to put it into practice.” It is the practicality in daily operations that people struggle with.
We recently held a webinar on getting started with risk management in ISO 9001, and this post outlines the key takeaways. We will cover the context of “why risk” and how we look at risk management within operations, where risk fits into the new ISO 9001:2015 standard, and some common tools you can use to make risk management a practical option for your business.
1. Risks and Hazards are Two Different Things
The terms hazard and risk are often used interchangeably, but they are distinct concepts and should not be treated as the same thing.
Whether you are looking at quality, safety or any other business context, a hazard is a condition or situation that creates the opportunity for a problem to occur. Hazards are the things we encounter every day that raise the potential for something “bad” to happen. In business, hazards are everywhere and come in many types, but by themselves they only create the chance for something to go wrong: a hazard is a potential for harm, not a realized event.
So what is risk? Risk is the likelihood that a hazard actually leads to a negative consequence, combined with how bad that consequence would be. Put simply, risk is the severity of the consequence weighed against the probability of exposure to the hazard. Risks are therefore not hazards. A hazard with no realistic probability of exposure poses no risk, even though the hazard itself still exists.
The takeaway is that risk does not stand on its own and is not automatic; it is an assessment built from the hazards you have and the likelihood of each one manifesting itself.
The key point is that once you know your hazards and can estimate the likelihood and severity of each, you have the foundation of risk management in place. The rest is deciding what to do about what you found.
2. Risk in ISO is Simply-Stated
The risk requirements in ISO 9001:2015 are simply stated: the standard asks you to determine and address risks and opportunities (clause 6.1), but it does not direct you to build an enterprise risk management program or to re-engineer all of your processes around a Governance, Risk and Compliance (GRC) initiative. Risk is part of the overall broadening of the standard, one that puts you in a risk mindset rather than the traditional terminology. The goal is to promote risk-based thinking, which is fairly broad and open to interpretation. So, as we go through the next areas, keep in mind that this is an outline of a common, generally accepted method for risk-based thinking, not a mandated process. Every company should evaluate its own processes against the standard.
3. Where Do I Start My Risk Journey?
One of the most common questions I am asked is, “how do I start identifying my risks?” First, you need to examine your operations, seek out the potential hazards within those operations and categorize them.
How do you do this? By asking.
Survey and audit your operations as you normally would, but this time draw out the potential hazards from every area of the business. Think about the problems that could occur and how likely they are to occur. You will probably end up with a long list of hazards and a wide spread of probabilities. The key is to collect and analyze the hazards and then categorize them into a taxonomy of risk: broader categories of hazard types that let you make sense of the whole list. Then define general scales for the severity of a hazard’s consequence and for its frequency (likelihood of occurring). You can add more granularity later, but a taxonomy plus simple severity and frequency scales is the easiest and most logical way to identify and organize your overall risk levels.
Once you have that you can start evaluating the risk.
The next step is to calculate your risk. There are several ways to assess risk, but the bottom line is that you combine the components (severity and likelihood) to quantify it. When doing this, keep in mind that risk evaluation and risk assessment are not automatic. The math is only a model; it does not solve the problem by itself, especially in operations. Too often we hear of people implementing risk assessment tools that calculate a score and then leaving it to the tool to determine the risk. In reality the tool is there to guide your decisions and calculations, but the final decision on how to handle a risk should come from people. Most teams therefore test their risk tools with real-world data: the risk team gathers, reviews the calculated results and confirms that they reflect what would actually be done in the real world. Some tweaking of the scales or thresholds may be necessary, and the treatment of risk should remain a combination of people, process and tools.
The next step is to determine what you’re going to do if there is a risk. This is where a cross-functional team comes in handy to review the different risk outcomes, and then determine how you’re going to handle different risk levels.
Risk treatment typically falls into these broad categories:
- Acceptance—leave it if it’s worth the risk
- Reduction—take steps to mitigate the risk
- Compensation—take steps to insure yourself against the risk
- Transfer—outsource the risk to a partner/supplier
- Avoidance—stop the process altogether
Each company treats risk differently, and it is up to your risk team to decide how to interpret the risk levels. Once you have decided, though, you need to act on it.
This is where your Quality Management processes come into the picture. You can kick off Corrective Actions based on a risk level or a chosen risk treatment (note that ISO 9001:2015 dropped the separate “preventive action” requirement; the preventive intent is now expressed through risk-based thinking itself). You can also launch actions directly from risk levels, such as management of change or action plans that address the underlying hazard. Finally, put reporting in place to analyze risks over time, so you can see where your top risks are and how the organization as a whole is doing at mitigating risk.
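The steps above (taxonomy, severity and likelihood scales, a calculated score, treatment bands and a human review of the result) can be sketched as a small risk register. The following is an added example written for this post, not code from the webinar or from any ISO document; the 1 to 5 scales, the treatment thresholds, the category names and the sample hazards are all constructed and would be replaced by your own risk team’s definitions:

```python
"""Minimal risk register: taxonomy, severity x likelihood scoring,
treatment bands, and a calibration check against the risk team's judgement."""
from dataclasses import dataclass
from typing import Optional

# Constructed 1..5 scales. Real scales are defined by your own risk team.
SEVERITY = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "critical": 5}
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}

# Hypothetical treatment bands over the 1..25 score range. The band names use
# the post's treatment categories; the thresholds are an assumption that the
# team tunes after reviewing real cases (see calibration_mismatches).
TREATMENT_BANDS = (
    (1, 4, "accept"),
    (5, 9, "reduce"),
    (10, 15, "transfer"),
    (16, 25, "avoid"),
)


@dataclass(frozen=True)
class Hazard:
    hazard_id: str
    category: str            # taxonomy bucket, e.g. "supplier", "equipment", "people"
    description: str
    severity: str            # key into SEVERITY
    likelihood: str          # key into LIKELIHOOD
    team_treatment: Optional[str] = None  # what the cross-functional team would actually do


def risk_score(h: Hazard) -> int:
    """Risk = severity of the consequence x likelihood of exposure (1..25)."""
    return SEVERITY[h.severity] * LIKELIHOOD[h.likelihood]


def treatment_for(score: int) -> str:
    """Map a score onto the treatment band the team defined for it."""
    for low, high, treatment in TREATMENT_BANDS:
        if low <= score <= high:
            return treatment
    raise ValueError(f"score {score} is outside the 1..25 matrix")


def ranked(register):
    """Highest risk first, so reporting shows the top risks at a glance."""
    return sorted(register, key=risk_score, reverse=True)


def top_risk_by_category(register):
    """Taxonomy view: the worst score found in each category."""
    worst = {}
    for h in register:
        worst[h.category] = max(worst.get(h.category, 0), risk_score(h))
    return worst


def calibration_mismatches(register):
    """Hazards where the calculated treatment disagrees with the team's call.

    A non-empty list means the scales or bands need tweaking, or the team's
    rationale needs recording. Either way, people make the final decision."""
    return [
        (h.hazard_id, treatment_for(risk_score(h)), h.team_treatment)
        for h in register
        if h.team_treatment is not None
        and h.team_treatment != treatment_for(risk_score(h))
    ]


# Constructed sample register (illustrative only, not from the webinar).
REGISTER = [
    Hazard("H-01", "supplier", "Sole-source supplier misses delivery date",
           "major", "possible", team_treatment="transfer"),
    Hazard("H-02", "equipment", "Gauge drifts out of calibration between checks",
           "moderate", "unlikely", team_treatment="reduce"),
    Hazard("H-03", "people", "New operator runs process without sign-off",
           "critical", "unlikely", team_treatment="reduce"),
    Hazard("H-04", "facility", "Cosmetic scratch on a non-functional surface",
           "negligible", "likely", team_treatment="accept"),
]

if __name__ == "__main__":
    for h in ranked(REGISTER):
        s = risk_score(h)
        print(f"{h.hazard_id} {h.category:10} score={s:2} -> {treatment_for(s)}")
    print("top risk per category:", top_risk_by_category(REGISTER))
    print("needs team review:", calibration_mismatches(REGISTER))
```

Running it ranks H-01 (score 12) first and flags H-03: the matrix says “transfer” for a critical but unlikely hazard, while the team would rather reduce it with training and sign-off. That disagreement is exactly the review step described above; the team either adjusts the bands or records why it overrode the calculation, and the record becomes part of the documented process.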
4. Use Risk Management for Opportunities, not just Risks
The ISO standard mentions opportunities as well as risks. This process does not only look for threats to your compliance; it also uncovers potential but not yet realized hazards, things that might not be risks today but could become risks in the future. For example, you may have a hazard with a low probability, and therefore an inherently low risk. Does that mean you ignore it? Hopefully not. You treat it as an opportunity to mitigate the potential risk early and to continuously improve. Risk tools such as Failure Mode and Effects Analysis (FMEA) and Bowtie analysis deal specifically with these preventive aspects of risk. So always take each hazard and decide whether it is a risk to treat now or an opportunity for improvement to address preventively.
5. Documentation is Key
How do you document your risk management process and prove it in an audit? You now have a risk management process, possibly one woven into your existing processes. The generally accepted practice is to document what you do and then document when you do it. The whole risk management process should be documented and controlled, with work instructions and defined roles. This matters especially when you introduce new elements into an existing process. For each step, the activities you carry out should be recorded, traceable, and tied to your overall Quality Program. So when you identify hazards, categorize them and build out the risk for each, the results of the audits, surveys and analysis should be recorded.
You should also document the method by which you built the risk measurement itself. When you build the evaluation and treatment of risk, control the tool you use and record each time it is applied. This is all about traceability. Whether you do this manually, digitally, or through a technology solution, the traceability of both the process and the practice of that process is key. The same applies when you take action on a risk.
This is all part of one process, and it is stated fairly simply in the standard. Any one of these steps counts as “risk-based thinking” and applies to your Quality Systems compliance.
There is a lot going on these days. The marketplace has a new level of complexity, and it will not get any easier. That complexity creates the need for a new way of looking at compliance, and risk is the universal concept being pushed forward as that new way. ISO 9001:2015 is picking up on this: we need to enroll everyone in quality, and we need risk to make it digestible across all operations.
Risk in ISO 9001:2015 is a good way to approach risk management at a high level. We went through the path to success on risk planning, and it really is a matter of taking these concepts and applying them to your unique business. There are tools that can help, but remember that a tool is just there to help you. The risk journey starts with your people and teams, who know the business, know the hazards and can help determine how to make risk work for your organization.
To quote one of my favorite books, “don’t panic.” You’re not alone in the risk management journey, and by breaking it down into a more logical path, you can ensure risk can be implemented into your processes easily and effectively.
Learn more by watching the full webinar below.