Quality Creates...Perspective

Where does Risk fit into ISO 9001:2015? 5 Takeaways from our Webinar

by Tim Lozier on Fri, Oct 09, 2015

The dynamic of risk management in compliance today is shifting, with more attention being paid to applying risk management in day-to-day operations. However, the biggest question I am asked is, "I know I need to do risk, but I don't know where to start, and I don't know how to put it into practice." It is the practicality in daily operations that people struggle with.

We recently held a webinar on getting started with risk management in ISO 9001 and this post will outline the key takeaways from this webinar. We will consider the context of “why risk” and how we look at risk management within operations, where risk fits into the new ISO 9001:2015 standard, some common tools you can leverage to make risk management a practical option for your business and more.

1. Risks and Hazards are Two Different Things

The terms hazard and risk are often used interchangeably; however, they are two distinct terms and do not mean the same thing.

Whether you are looking at quality, safety or any other business context, a hazard is a condition or situation that creates the opportunity for a problem to occur. Hazards are the conditions we encounter each day that raise the potential for something "bad" happening. In business, hazards are everywhere and come in many types, but they only create the chance for something to go wrong: a hazard is a potential, not a certainty.

So…what is risk then? Risk is the likelihood that the hazard will lead to that negative consequence. Risk is the hazard multiplied by the probability of exposure to that hazard. So risks are not hazards—for this reason you can have a hazard that poses no risk, if there is no probability of exposure to that hazard.

The takeaway here is that risk is not just something that stands on its own and is automatic; it is a calculation of hazards and the likelihood of that hazard manifesting itself.

The key is that once you know your hazards and can estimate the probability of exposure to each of them, you have the inputs that risk management is built on.

2. Risk in ISO is Simply-Stated

Currently, the treatment of risk in ISO 9001:2015 is simply stated. It is not a directive to build an enterprise risk management program, or to rework your entire process landscape to accommodate a Governance, Risk and Compliance (GRC) initiative. It is part of the overall "broadening" of the standard, one that puts you in a mindset of risk rather than traditional terminology. The goal is to promote risk-based thinking, which is fairly broad and open to interpretation, so as we go through the next areas, keep in mind that this is an outline of a common, generally accepted method for risk-based thinking. Every company should evaluate its own processes against the standard.

3. Where Do I Start My Risk Journey?

One of the most common things I am asked is, “how do I start identifying my risks?” First, you need to examine your operations, seek out potential hazards within those operations and categorize them.

How do you do this? By asking.

You can survey and audit your operations as you normally would, but this time look for potential hazards in every area of the business. Think about the problems that could occur and how likely they are to occur. You will probably end up with a long list of hazards and a wide spread of probabilities. The key is to collect and analyze the hazards and then categorize them. This is called a taxonomy of risk: hazard types grouped into broader categories so that you can make sense of the whole. Then you can define general scales for the severity of hazards and for their frequency (likelihood of occurrence). Scales allow some variability, but they are the easiest and most logical way to identify and organize overall risk levels.

Once you have that you can start evaluating the risk.

The next step is to calculate your risk. There are several ways to assess risk, but the bottom line is that you combine the components (severity and likelihood) to quantify it. When doing this, keep in mind that risk evaluation and risk assessment are not automatic. Math is tricky; it does not always solve the problem, especially in operations. Too often we hear of people implementing risk assessment tools that calculate risk and then leaving it to the tool to determine the risk. The reality is that the tool is there to guide your decisions and calculations, but the ultimate decisions on how to handle risk should come from people. For that reason, most organizations test their risk tools against real-world data: the risk team gathers, reviews the calculated risk for known hazards, and confirms that the results reflect what would actually be done on the shop floor. Some tweaking of the math may be necessary, but the treatment of risk should be a combination of people, process and tools.

The next step is to determine what you’re going to do if there is a risk. This is where a cross-functional team comes in handy to review the different risk outcomes, and then determine how you’re going to handle different risk levels.

Risk treatment typically falls into these broad categories:

  • Acceptance—leave it if it’s worth the risk
  • Reduction—take steps to mitigate the risk
  • Compensation—take steps to insure yourself against the risk
  • Transfer—outsource the risk to a partner/supplier
  • Avoidance—stop the process altogether

Each company has a different way of treating risk, and it’s up to your risk team to determine which ways to interpret risk levels…but once you do, you need to take action on it.

This is where you need to incorporate your Quality Management processes into the dynamic. This is where you can kick off Corrective or Preventive Actions based on a risk level or risk treatment. You can also launch actions from risk levels, such as a management of change or an action plan to address the issues. Finally, you want reporting in place to analyze risks over time, so you can see where your top risks are and how well the organization as a whole is doing at mitigating risk.
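The steps above (categorize hazards into a taxonomy, rate severity and likelihood on agreed scales, calculate a risk score, map it to a treatment, and let the risk team override the math with a documented reason) can be captured in a small risk register. The following is an added illustration written for this post; it is not code from the webinar, from EtQ or from the ISO standard. The five-point scales, the treatment bands, and the sample hazards are all assumed for the example, and a real risk team would set its own.

```python
"""Risk register example: categorize hazards, score severity x likelihood,
map the score to a suggested treatment, and report top risks by category.
Added illustration; scales, bands and sample hazards are assumed."""
from collections import defaultdict
from dataclasses import dataclass

# Assumed ordinal scales. Likelihood 0 encodes "no exposure", so a hazard
# nobody is exposed to scores 0: a hazard that poses no risk.
SEVERITY = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "critical": 5}
LIKELIHOOD = {"none": 0, "rare": 1, "unlikely": 2, "possible": 3,
              "likely": 4, "certain": 5}

# Assumed bands over the 0..25 product: (upper bound, level, suggested treatment).
TREATMENT_BANDS = (
    (4, "low", "accept"),
    (9, "medium", "reduce"),
    (16, "high", "reduce or transfer"),
    (25, "extreme", "avoid"),
)


def band_for(score: int) -> tuple:
    """Return (level, suggested treatment) for a score on the 0..25 scale."""
    for upper, level, treatment in TREATMENT_BANDS:
        if score <= upper:
            return level, treatment
    raise ValueError(f"score {score} is outside the 0..25 scale")


@dataclass
class Hazard:
    name: str
    category: str            # taxonomy bucket, e.g. people / supplier / equipment
    severity: str
    likelihood: str
    team_decision: str = ""  # optional override by the cross-functional team
    rationale: str = ""      # required whenever the team overrides the math

    @property
    def score(self) -> int:
        return SEVERITY[self.severity] * LIKELIHOOD[self.likelihood]

    @property
    def level(self) -> str:
        return band_for(self.score)[0]

    @property
    def treatment(self) -> str:
        """The tool suggests; the people decide. An override wins if recorded."""
        return self.team_decision or band_for(self.score)[1]


def validate(hazard: Hazard) -> None:
    """Reject ratings off the agreed scales and undocumented overrides."""
    if hazard.severity not in SEVERITY or hazard.likelihood not in LIKELIHOOD:
        raise ValueError(f"{hazard.name}: rating is not on the agreed scale")
    if hazard.team_decision and not hazard.rationale:
        raise ValueError(f"{hazard.name}: an override needs a documented rationale")


def top_risks_by_category(register: list) -> dict:
    """Group the register by taxonomy category, highest score first in each."""
    by_category = defaultdict(list)
    for hazard in register:
        validate(hazard)
        by_category[hazard.category].append(hazard)
    return {cat: sorted(items, key=lambda h: h.score, reverse=True)
            for cat, items in by_category.items()}


# Constructed sample register (hypothetical hazards, not from the post).
REGISTER = [
    Hazard("Untrained operator on new line", "people", "major", "possible"),
    Hazard("Supplier ships out-of-spec resin", "supplier", "moderate", "likely"),
    Hazard("Gauge calibration lapses", "equipment", "minor", "unlikely",
           team_decision="reduce",
           rationale="Customer contract requires calibration records"),
    Hazard("Legacy press no longer in use", "equipment", "critical", "none"),
    Hazard("Single-source component", "supplier", "critical", "rare"),
]

if __name__ == "__main__":
    for category, hazards in top_risks_by_category(REGISTER).items():
        print(category)
        for h in hazards:
            print(f"  {h.score:2d} {h.level:8s} {h.treatment:20s} {h.name}")
```

Two things in this register are the practical points of the section. The legacy press is a critical hazard that scores 0 because nobody is exposed to it, so it is recorded but not treated; and the calibration hazard scores "low" yet carries a documented team override to "reduce", which is exactly the case where the math alone would have given the wrong answer.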

4. Use Risk Management for Opportunities, not just Risks

The ISO standard mentions opportunities as well. This process does not only look for threats to your compliance; it also helps to uncover potential but not yet realized hazards, things that are not risks today but could become risks in the future. For example, a hazard with a low probability has an inherently low risk. Does that mean you ignore it? Hopefully not. You take it as an opportunity to mitigate the potential risk and to seek ways to continuously improve. Risk tools such as Failure Mode and Effects Analysis (FMEA) and Bowtie analysis address this preventive side of risk more directly. So you should always take each hazard and identify whether it becomes a risk, or whether it is an opportunity for improvement, in a more preventive way.

5. Documentation is Key

How can you document your risk management process and prove it in an audit? Here you have a risk management process, one that may be incorporated into your existing processes. The generally accepted practice is to document what you are doing and then document when you do it. The whole risk management process should be documented, controlled, and built with work instructions and roles. This should be standard practice, especially when you introduce new elements into an existing process. Each step should produce activities that are documented, have traceability, and can be tied to your overall Quality Program. So when you identify the hazards, categorize them and build out the risk for them, this should be recorded in the results of the audits, surveys and analysis.

You should also document the process by which you built this risk measurement. When you build the evaluation and treatment of the risk, you need to control the tool you use, and you need to document each time it is used in a record. This is all about traceability. Whether you do this manually, digitally, or through a technology solution, the traceability of the process and of its practice is key. The same holds true when taking action.

This is all part of a process, and it’s one that is fairly simply-stated in the standard. Any one of these steps can be considered “risk-based thinking” and applies to your Quality Systems compliance.

There’s a lot going on these days—we have a new level of complexity in the marketplace, and it won’t get any easier. So this complexity breeds a need for a new way of looking at compliance, and risk is that universal concept that is being pushed to be that new way. Even ISO 9001:2015 is picking up on this new way of thinking—we need to enroll everyone in quality, but we need risk in order to make it more digestible to all operations.

Risk in ISO 9001:2015 is a good way to look at risk management at a high level. We went through the path to success on risk planning, and it is really just a matter of taking these concepts and applying them to your unique business. There are tools that can help, but remember, a tool is only there to help you. The risk journey starts with your people and teams, who know the business, know the hazards, and can help determine how to make risk work for your organization.

To quote one of my favorite books, “don’t panic.” You’re not alone in the risk management journey, and by breaking it down into a more logical path, you can ensure risk can be implemented into your processes easily and effectively.

Learn more by watching the full webinar below.

On Demand Webinar: The Risk Management Primer: Getting Started with Risk in ISO 9001:2015  

In this webinar, we will explore a practical approach to Risk Management planning, the tools available for identifying and managing risks, and how standards such as ISO 9001:2015 are incorporating risk into its requirements.



Tim Lozier
Written by Tim Lozier
Tim is the Manager for Marketing and Strategy at EtQ, Inc.