Featured Product
This Week in Quality Digest Live
Risk Management Features
Master Gage and Tool Co.
Why it matters for accurate measurements
Jón Bergsteinsson
Understanding the standard is essential
Megan Wallin-Kerth
Or, how mistakes factor into a kaizen mindset
Shaneé Dawkins
Learn how to spot and avoid common phishing tactics
Gleb Tsipursky
Tension between desire for flexibility and perceived need to be visible for career advancement

More Features

Risk Management News
Providing practical interpretation of the EU AI Act
A tool to help detect sinister email
Developing tools to measure and improve trustworthiness
Streamlines annual regulatory review for life sciences
Adds increased focus on governance
Educational offerings available in Santa Clara in December 2023
Greater accuracy in under 3 seconds of inspection time

More News

Nicole Radziwill

Risk Management

Taming Uncertainty in Your QMS With Risk-Based Thinking and ISO 9001:2015

Why you should start employing a risk-based mindset

Published: Wednesday, August 29, 2018 - 11:01

ISO 31000 defines risk as “the effect of uncertainty on outcomes.” Identifying risks and determining ways to respond to them help you learn about your processes, your organization, and the environment you’re operating within. It also raises your awareness of how any of these things might change in the future. Perhaps most important, this helps you quickly respond to—and recover from—negative events like natural disasters, supply chain disruptions, and cyberattacks.

Risk management can also help your organization uncover new opportunities, if risks are considered within the context of strengths, capabilities, and threats.

But let’s face it: Risk management can be difficult and time-intensive, and it doesn’t easily reveal returns on investment. Especially when people are busy, and budgets are tight, taking a risk-based approach can feel like a distraction. “Compliance complacency” is not uncommon, and sometimes only the minimal amount of effort goes toward meeting governance or documentation requirements. In 2016, Carmela Cucuzzella, of Concordia University in Canada, mentioned that some product designers even express contempt for risk management, claiming that it can strip them of their creative freedom.

Although it may be tempting to avoid risk management entirely, ignoring risks can lead to cost overruns, time delays, waste and rework, and other unpleasant surprises. This is why risk management has played a pivotal role in strategic management since the 1970s, and why enterprise risk management (ERM) and the ISO 31000 guidelines for risk management have emerged. This is also why the topic has received increased attention in the latest revision to ISO 9001.

ISO 9001:2015, which becomes the authoritative version of the standard on Sept. 14, 2018, incorporated several major changes. (For insights into how to make the transition, read Graham Freeman’s “Transitioning to ISO 9001:2015: What You Need to Know.” The revised standard now conforms to Annex SL, the high-level structure that many ISO standards share, making it easier for organizations to avoid duplication of effort when multiple standards are used. Documentation requirements have been relaxed as well, so organizations will have more freedom to capture and share institutional knowledge. Finally, risk-based thinking is now strongly emphasized, and depends upon the organizational context (clause 4.1) and the needs and expectations of “interested parties” or stakeholders (clause 4.2).

What is risk-based thinking?

Raimond Laqua defines risk-based thinking as a “mindset to proactively improve the certainty of achieving outcomes utilizing methods that consider threats and opportunities.” In a recent webinar called “Demystifying Risk,”he explained that risks can be both positive and negative, and can hide within our processes, can lurk outside the processes, or can emerge as a result of changing environmental conditions. To make things even more challenging, “risks hide in our cognitive biases,” he explains, noting that the psychology of risk plays just as important a role as the engineering aspects.

One consequence of this shift toward risk-based thinking in ISO 9001:2015 is that “preventive action” has been dropped from clauses 4 through 10, marking a strong departure from earlier versions of the standard. Does this mean that you don’t need to take preventive actions anymore, or that you can throw away your corrective action/preventive action (CAPA) software? Of course not.

The philosophy underlying the change is that a robust quality management system itself prevents nonconformances: Every time you revisit the information in your risk register, or make adjustments to continually improve the quality management system, you’re engaging in preventive action. Although clause 8.5.3 from ISO 9001:2008 indirectly mentioned risk, it was not a driver for identifying and executing preventive actions. Also, auditors reported that corrective actions were plentiful in most organizations, while preventive actions were much less common and felt more “forced”—i.e., undertaken just to check off a box on the auditing checklist. Find out more from John West and Charles Cianfrani in the article, “Where Is Preventive Action?” from the March 2016 issue of Quality Progress.

What should you do to start employing a risk-based mindset? First, recognize that not all risks need to be identified or managed. Start with the most critical processes, and don’t feel pressured to envision every manifestation of uncertainty you might encounter. Next, examine risks in the context of your strengths and capabilities, which can be used to transform threats into opportunities.

But this is just the beginning. There are many different ways to jumpstart risk-based thinking in your organization, including some from the domain of agile methods. Risk-based thinking can benefit small businesses and large enterprises, and the techniques are applicable whether you use ISO 9001:2015, the Baldrige Criteria for Performance Excellence, the EFQM Excellence Model, or another approach to quality management. Where do you begin?

Find out the answer to this question and more—including what the world’s biggest recent supply chain cyberattack teaches us about risk-based thinking—during the Sept. 6, 2018, webinar, “Risk-Based Thinking: New Requirements for ISO 9001:2015 and Integrated Management Systems.” Register here.

Additional reading
Cucuzzella, Carmela. “Creativity, sustainable design and risk management.” Journal of Cleaner Production, Dec. 2015.
Freeman, Graham. “Transitioning to ISO 9001:2015: What You Need to Know.” Intelex Insight Report, 2018.
West, John, and Cianfrani, Charles. “Where Is Preventive Action?” Quality Progress, March, 2016.
Laqua, Raimond. NEW QUALITY STRATEGIES: “Turn your ‘Risk Management’ Into ‘Risk-Based Thinking!’ ” Aug., 2018.


About The Author

Nicole Radziwill’s picture

Nicole Radziwill

Nicole Radziwill is senior VP and chief data scientist at Ultranauts, and an internationally recognized expert in digital transformation and next generation quality. Formerly VP of the Global Quality and Supply Chain Practice at Intelex Technologies in Toronto, and a tenured associate professor of Data Science and Production Systems, she is an elected academician with the International Academy of Quality (IAQ), a Fellow of the American Society for Quality (ASQ), and a past chair of the ASQ Software Division. She has a Ph.D. in Quality Systems and is the author of data science and statistics textbooks used in more than 30 universities, as well as “Connected, Intelligent, Automated: The Definitive Guide to Digital Transformation and Quality 4.0,” from Quality Press (2020).