
Tuesday, May 26, 2015

Risk-based thinking - You've been doing it already!
Risk-based thinking – You’re already doing it.
The spring months of 2015 have seen many blog articles and LinkedIn forums touch on the topic of risk-based thinking. Consulting services and registrars alike are offering their advice and guidance on “how to do RBT”: how to train for it, how to implement it, how to audit it, how to prepare for when the registrar’s auditors arrive.

What made me think carefully about RBT was a statement in one of the TC176 documents, endorsing risk-based thinking. “It has always been in ISO 9001.” At first, my reaction was Orwellian – another statement from the Ministry of Truth. I began to ponder the contrasting comments and perspectives in LinkedIn forums, and I started reading what was being offered by registrars in their “guidance documents”.

In a sense, risk-based thinking has always been in ISO 9001. What is it you wish to address as you implement an ISO 9001 QMS? You want to reduce costs, reduce exposure to unseen problems, produce your product consistently, improve your financial position, and ensure the customer receives what it ordered. In short, you want to reduce your exposure to risk. I’m not going to touch the simmering debate between positive and negative risk.

How you are doing it already in ISO 9001:2008
Formal risk management does not seem to have ever been a requirement in ISO 9001. Yet most clauses demand and depend upon some kind of risk assessment or risk analysis to reduce the exposure to, and fallout from, mistakes. Some of the most overlooked risk-based processes are the six mandatory documented procedures:

  • Control of documents,
  • Control of records,
  • Internal audits,
  • Corrective action,
  • Preventive action, and
  • Control of Nonconforming Material.

Hiding in plain sight, these six processes form a basic frame for risk-based thinking. You might ask, “How can this be so? The standard never told us that!” Well, I had agreed with this story-line, too, all along: we do what the standard tells us to do. But my framework of thinking had to be jolted before I would consider an alternative viewpoint.

Consider the lowly internal audit, clause 8.2.2. What is its purpose? To assess compliance with the QMS, with the standard, with customer requirements, and with statutory and regulatory requirements.

Why “assess”? One reason is to reduce the risk of having the CB auditor find and issue nonconformances.

It’s that simple. “To reduce the risk…” Isn’t this risk-based thinking? It doesn’t get easier than that.

Let’s look at Control of Documents, clause 4.2.3. The 2008 ISO 9001 standard is clear on requirements to define the controls needed:

a) to approve documents for adequacy prior to issue,
b) to review and update as necessary and re-approve documents,
c) to ensure that changes and the current revision status of documents are identified,
d) to ensure that relevant versions of applicable documents are available at points of use,
e) to ensure that documents remain legible and readily identifiable,
f) to ensure that documents of external origin determined by the organization to be necessary for the planning and operation of the quality management system are identified and their distribution controlled, and
g) to prevent the unintended use of obsolete documents, and to apply suitable identification to them if they are retained for any purpose.

Break it down into the risks:

a) Reduce the risk of releasing an inadequate, vague, or inappropriate document,
b) Reduce the risk of unapproved, obsolete, or mistake-laden documents being released,
c) Reduce the risk of using the wrong version of the document,
d) Reduce the risk of not providing current and relevant documents where they are required or needed,
e) Reduce the risk of damaged or unreadable documents being released and used,
f) Reduce the risk of documents from outside the organization (purchased, stolen, downloaded, plagiarized) being used without appropriate permissions,
g) Reduce the risk of the wrong/obsolete document being used in production.

This is risk-based thinking. It doesn’t get easier than this!

A final example: Customer Requirements, clauses 7.2.1 and 7.2.2. The organization must comply with several product-related customer requirements listed under these two clauses.

Why? Briefly, to reduce the risk of producing the wrong product, to reduce the risk of violating applicable laws and regulations, and to reduce the risk of not being able to produce the product for the customer.

Is this not risk-based thinking?

In closing
The soon-to-be-released 2015 version of ISO 9001 incorporates the new phrase “risk-based thinking”, which is assumed to be a new requirement, and the standard (still slated for release this September) incorporates the need to think about risk. Suddenly, training classes are being promoted by registrars and consulting firms alike to address the need for risk management and risk-based thinking. But wait... you’ve been doing it already.

Some summary points to consider about risk-based thinking:

  • Risk-based thinking is introduced as a concept, not a requirement.
  • Annex A declares that there is no requirement for formal risk management or a documented risk management process.
  • The phrase “risk-based thinking” appears under clauses 0.5 and 0.6, which are normally not auditable.
  • Annex A, clauses A.4 and A.8 discuss the “risk-based approach” but not risk-based thinking.
  • Objective evidence for “risk-based thinking” could take the form of the output from the already-implemented processes and procedures under ISO 9001:2008.
  • If you are already certificated to the 2008 standard, you can begin to consider evolving the context of how you view and perceive your existing processes, toward one of risk-based thinking. If your culture already embraces this, very well! If there is resistance, better to address and mitigate that resistance now, before you are forced to "upgrade" to the 2015 standard.
  • CB auditors must rely on objective evidence and not personal opinion as they attempt to audit the client (you!) for compliance to “risk-based thinking” under the 2015 standard.
  • Think carefully before signing up for training classes for implementing or for compliance to risk-based thinking or risk management related to the 2015 standard. You may be more experienced than the person offering the training!