The ISO9001 quality management standard is one of the most established management system standards around, and it’s incredibly popular with over one million organizations certified to it. In its last update in 2015, ISO9001 became more focussed around the management of risk and its more positive twin, opportunity. But what do these concepts have to do with quality and how does an organization wanting to become certified address them effectively? In this blog we look at risk and opportunity in ISO9001 and clarify what you need to do to meet the requirements correctly.
For the purposes of our discussion, the interesting clause in the ISO9001 standard is 6. Planning and specifically its sub-clause 6.1 Actions to address risks and opportunities. In the context of the ISO9001 document, this part is relatively brief (in contrast to the seemingly never-ending clause 8. Operation) and gives a clear and concise description of what is required.
First, we’re asked to think about the external and internal issues we identified in the earlier Clause 4.1. These could be a wide variety of items from the prevailing economic environment through to a lack of investment in machinery on the shop floor. Secondly, we are also asked to bring in the requirements of the interested parties we identified in Clause 4.2. These could be employees, customers, shareholders, regulators or similar people or organizations who are, or could be, affected by our QMS.
With these two lists in hand, ISO9001 now wants us to consider the risks and opportunities that could arise from them in order to increase the chances of things going smoothly with respect to the QMS. We then need to work out what to do about them and check that our actions have worked.
Lastly, there’s a reminder that we need to be sensible and not go crazy with the actions when the impact of the risk wasn’t that big.
Before deciding where to start, let’s talk about what we need to end up with. When you’re at your ISO9001 certification audit sitting opposite the auditor and she asks you how you have addressed the requirements of these clauses, what are you going to show her? From experience, she is likely to want to see the following items:
I’m going to assume you have items 1 and 2 from your earlier work on Clause 4 Context of the organization, so let’s focus on items 3 and 4.
A risk is something bad that hasn’t happened yet (just to clarify – it could have happened before, but not in the current period of time under consideration). The first step is to identify what the risks are. One way to do this (there are many possible ways) is to look at each of the items on the list of issues and the list of interested parties and their requirements and think “what could go wrong that would affect this item?”. Let’s try an example. One of the internal issues we mentioned before was a lack of investment in machinery on the shop floor. What could happen that would make this a problem?
Perhaps a key piece of machinery could break down and stop production of product completely. Or perhaps the machine could go out of line and produce products that are out of specification. Both of these items could be risks that go onto our risk assessment. Once they are on there, we then consider how likely these risks are to happen, and what the impact would be if they did. We could use a scale of one to five to represent likelihood and impact. Multiplying these figures together gives us a score which is then classified via a matrix as low, medium or high risk (this is just one of many ways of assessing risks).
So taking the risk of a key item of machinery breaking down completely, we might say the likelihood of that happening (perhaps based on past maintenance records) is 4 out of 5 (pretty likely) and if it did happen then the impact would be a 4 out of 5 (very bad – production of a key product or component would cease). Multiplying 4 by 4 gives a risk score of 16 which our classification scheme might define as a high risk.
We therefore have a high risk which we are likely to want to do something about. Options could include buying or leasing a new machine, having the existing machine refurbished or buying spare parts in advance. Remember that the action we take has to be justified by the potential impact on what we’re trying to achieve, so it could be that buying a new machine is far too expensive compared to what we’d lose in production if the risk happened.
Once we have identified all of the risks we feel are relevant, assessed them and decided on what to do about them, we then have a risk assessment and an action plan – that’s item 3 on our list for the auditor.
Just as a risk is something bad that hasn’t happened yet, so an opportunity is something good that hasn’t happened yet. The process of identifying opportunities has a lot in common with that of risks; again we start with the lists of issues and interested parties’ requirements and we think “what else could happen that might have a positive impact on our organization and our QMS?”.
Continuing with our machinery example, it could be that a development fund becomes available that fully or partially funds the replacement of this type of machinery. If that happened then perhaps a new machine would be able to produce twice as much product as the old one. So we go through a similar process to score the likelihood of this happening and the impact if it were to happen. We might then identify an action to take that would make it more likely to happen (such as actively looking for development funds) and perhaps one that would increase the positive impact (such as investigating pricing and supply of new machines).
We then have the fourth item on our list for the auditor – the opportunity assessment and action plan.
All of the above can be achieved using a spreadsheet and this is a common way to do it. Online tools can also be used, particularly for a more complex risk assessment. As we alluded to earlier there are many, many ways to conduct risk assessment and no one way is the right way.
Risk and opportunity assessment is an important part of the ISO9001 standard and one which is absolutely necessary for certification. But it doesn’t have to be complicated; the benefit is in the action lists that are produced which will have a positive effect both in reducing risk and making opportunity more likely.
And that has to be a good thing.
For more information on the ISO9001 implementation process, download our free guide for 10 steps to ISO9001 certification.