ISO 9001 and Risk

What does ISO 9001 say regarding risk management? Well, ISO 9001:2008, clause 0.4, repeats this statement unchanged from the ISO 9001:2000 standard (underlines are my emphasis):

“This International Standard does not include requirements specific to other management systems, such as those particular to environmental management, occupational health and safety management, financial management, or risk management.”

It seems to clearly state there are no requirements in ISO 9001 for risk management. However, the revised statement below from ISO 9001:2008, clause 0.1, says “risk” will influence how you set up your quality management system:

“The design and implementation of an organization’s quality management system is influenced by its organizational environment, change in that environment, and the risks associated with that environment, ...”

Although ISO 9001:2008 doesn’t include any requirements for risk management, does it include any that are risk-related? Consider clause 5.6.2, Input (Management Review), which states:

“The input to management review shall include information on (f) changes that could affect the quality management system.” 

To determine how a change might affect the quality management system, you should assess the likelihood of the change happening, when it might happen, and its impact if it did happen. This sounds like considering the risk associated with a change to understand its effect.

And, what about clause 8.5.3, Preventive Action, when you consider potential problems and try to keep them from happening? Wouldn’t that involve identifying, assessing, and mitigating the risk associated with a potential problem?

Risk Guidance

Although ISO 9001:2008 doesn’t include a specific requirement for risk management, several places in the standard would cause us to consider risks. And, the guidance standard, ISO 9004:2000, states that an organization “should” consider risk management.

For example, ISO 9004:2000, clause 5.1.2, “Issues to be Considered”, states that management should consider identifying and managing risks. And, clause 5.4.2, “Quality Planning”, says that inputs for effective and efficient planning include risk assessment and mitigation data.

Clause 5.6.3, “Management Review Output”, says additional outputs may include loss prevention and mitigation plans for identified risks. Clause 6.3, “Infrastructure”, states that infrastructure planning should consider the identification and mitigation of associated risks.

Clause 7.1.3.1, “Managing Processes – General”, says an operating plan should be defined to manage the processes, including identification, assessment, and mitigation of risk.

Clause 7.1.3.3, “Product and Process Validation and Changes”, says that risk assessment should be undertaken to assess the potential for, and the effect of, possible failures or faults in processes. And, that the results of the assessment should be used to define and implement preventive actions to mitigate the identified risks.

Clause 7.3.1, “Design and Development”, says management has the responsibility to ensure steps are taken to identify and mitigate potential risk to the users of the product and the processes of the organization. Risk assessment should be undertaken to assess the potential for, and effect of, possible failures or faults in products or processes. The results of the assessment should be used to define and implement preventive actions to mitigate the identified risks.

Clause 7.4.1, “Purchasing Process”, says management should identify and mitigate any risk associated with the purchased product. Clause 7.5.2, “Product Identification” (yes, 7.5.2 in ISO 9004; not 7.5.3 as in ISO 9001) says the need for identification and traceability may arise from the mitigation of identified risks. Clause 8.5.3, “Loss Prevention” refers to the data generated from the use of risk analysis tools, such as, fault mode and effects analysis.

But what is risk management?

Risk Management

Risk is a product of the uncertainty of future events and is a part of any process. It is a fact for any organization. We typically try to stay away from situations that involve high risk. However, when we cannot avoid risk, we look for ways to reduce it (or its impact). Yet, even with careful planning and preparation, risks cannot be completely eliminated because they cannot be completely identified in advance. However, strange as it may seem, risk is essential to progress.

The opportunity to succeed also carries the opportunity to fail. So, we have to learn to balance the possible negative consequences of risk with the potential benefits of its associated opportunity. Risk may be defined as the possibility to suffer damage or loss. The possibility is characterized by three factors:

1. The probability, or likelihood, that loss or damage will occur.
2. The expected time of occurrence.
3. The magnitude of the negative impact that can result from its occurrence.

The seriousness of a risk can be determined by multiplying the probability of the event actually occurring by the potential negative impact to cost, schedule, or performance:

Risk Severity = Probability of Occurrence x Potential Negative Impact

Risks where the probability of occurrence is high and the potential impact is very low, or vice versa, are not considered as serious as the risks where both the probability of occurrence and the potential impact are medium to high. Managers should recognize and accept the fact that risk is inherent in any activity.
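To make the ranking described above concrete, here is a small risk register scored with the article's formula. This is an added example, not code from the article or from any ISO standard: it assumes that probability and impact are each rated on a 1 (very low) to 5 (very high) scale, and the severity bands and the register entries are constructed for illustration. It shows why a high-probability/low-impact risk and a low-probability/high-impact risk both rank below a risk where the two factors are medium to high.

```python
# Added example (not from the article): a small risk register scored with
#   Risk Severity = Probability of Occurrence x Potential Negative Impact
# Assumptions: probability and impact are rated 1 (very low) .. 5 (very high);
# the severity bands and the register entries below are constructed.
from dataclasses import dataclass

SCALE_MIN, SCALE_MAX = 1, 5


@dataclass(frozen=True)
class Risk:
    name: str
    probability: int  # 1 = very low likelihood, 5 = very high
    impact: int       # 1 = very low negative impact, 5 = very high


def severity(risk: Risk) -> int:
    """Risk Severity = Probability of Occurrence x Potential Negative Impact."""
    for value in (risk.probability, risk.impact):
        if not SCALE_MIN <= value <= SCALE_MAX:
            raise ValueError(
                f"{risk.name}: rating {value} outside {SCALE_MIN}..{SCALE_MAX}"
            )
    return risk.probability * risk.impact


def band(score: int) -> str:
    """Assumed severity bands for a 1..5 x 1..5 product (maximum 25)."""
    if score >= 15:
        return "high"
    if score >= 8:
        return "medium"
    return "low"


def rank(register: list[Risk]) -> list[tuple[str, int, str]]:
    """Return (name, severity, band) for each risk, most serious first."""
    scored = [(r.name, severity(r), band(severity(r))) for r in register]
    # sorted() is stable, so equally scored risks keep their register order
    return sorted(scored, key=lambda entry: entry[1], reverse=True)


# Constructed register entries for a hypothetical supplier change
# (the kind of change clauses 5.6.2 and 7.4.1 ask management to consider).
REGISTER = [
    Risk("Frequent minor shipping delays", probability=5, impact=1),
    Risk("Supplier goes out of business", probability=1, impact=5),
    Risk("Incoming parts fail inspection", probability=3, impact=4),
    Risk("Wrong drawing revision sent to supplier", probability=4, impact=4),
]

if __name__ == "__main__":
    for name, score, level in rank(REGISTER):
        print(f"{score:2d}  {level:6s}  {name}")
```

The two "lopsided" risks (probability 5 with impact 1, and probability 1 with impact 5) both score 5 and land in the low band, while the 3x4 and 4x4 entries score 12 and 16. The range check in `severity` catches a rating outside the agreed scale, which is the usual way an inflated or mistyped rating quietly distorts a register.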

There are two ways of dealing with this risk. One, risk management, is proactive and carefully analyzes future project events and past projects to identify potential risks. Once risks are identified, they are dealt with by taking measures to reduce their probability or to reduce their impact. The alternative to risk management is crisis management. It is a reactive and resource-intensive process, with available options constrained or restricted by events.

Because risk will be found in all areas, and will often be interrelated, risk management should address all processes of the system. Learning to balance the possible negative consequences of risk with its potential benefits is the key to successful risk management.