One of the main changes in ISO 9001:2015 is more explicit leadership requirements to manage risk. However, these changes are causing a lot of confusion. So, what exactly does your leadership team need to do to meet the new requirements of ISO 9001?
We asked Richard Green, Founder of Kingsford Consultancy Services, to explain leadership, risk and ISO 9001:2015.
In the video below, Richard explains:
- What are quality risks?
- Top Management's Role
- Risk-Based Thinking Explained
- Tips for getting the attention of Top Management
- Approaches to Risk Management
Transcript from the talk
How can you get top management to manage risk to meet ISO 9001:2015 Requirements?
If your organisation is still trading, it is probable that your top management already has a good appreciation of the risks the business faces. Your organisation probably has already put in place arrangements to both manage existing risks and to horizon scan for any new ones.
In respect of your QMS, the risks you are concerned with are those which have the potential to impact:
- Your organisation’s ability to consistently provide customers with conforming products and services
- Your organisation’s ability to meet applicable statutory and regulatory requirements
- Your organisation’s ability to enhance customer satisfaction
Firstly, ISO 9001:2015 states top management are responsible for ensuring the effectiveness of their organisation’s quality management system and for ensuring its intended results are achieved.
They therefore need to be mindful of internal and external threats that could prevent them from delivering the intended results. However, risk can be positive as well as negative in the ISO world. Top management need to be mindful of opportunities which will facilitate the realisation of the intended results.
Secondly, top management are explicitly required to promote risk-based thinking in respect of their organisation’s QMS. This does not mean they have to do all of the risk-based thinking themselves, but they do need to evidence that they support a risk-based thinking approach.
One of the key changes Annex SL has brought to existing MS standards is a systematic approach to the management of risk (P-D-C-A). We refer to this as ‘risk-based thinking’. A useful overview of risk-based thinking is provided in 9001:2015’s introduction for those new to the subject or you can find an article here.
Risk-based thinking was implicit in ISO 9001:2008 (preventive action) – ISO 9001:2015 now makes the requirement explicit.
Why do we need risk-based thinking?
Within our organisations different processes carry different levels of risks in terms of their potential impact on our organisation’s quality objectives and outcomes. We need to focus our efforts on our critical processes – how might they fail or how might they be improved?
Also, the consequences of experiencing a process, product, service or system nonconformity are not the same for all types of organisation. You’d therefore expect greater management of risk in a nuclear power station than a dog grooming business. So too would your auditor.
Where in ISO 9001:2015 is Risk-Based Thinking?
Clause 4 Context - Determine the processes required for operation of the quality management system and the risks and opportunities associated with these processes.
Clause 5 Leadership – Top management must ensure that the risks and opportunities that can affect conformity of products and services and the ability to enhance customer satisfaction are determined and addressed.
Clause 6 Planning – to give assurance that the quality management system can achieve its intended result(s), prevent or reduce undesired effects and achieve continual improvement.
Clause 8 Operation - The organisation is required to implement processes to address risk and opportunities.
Clause 9 Performance Evaluation - The organisation is required to monitor, measure, analyse and evaluate risk and opportunities.
Clause 10 Improvement - The organisation is required to continually improve processes whilst responding to changes in risks and opportunities.
The requirements around risk are extensive. How can we ensure top management embrace these?
If top management are not engaged with respect to quality management system risk, what can you do?
- Highlight the cost of quality failure - (Deepwater Horizon $43bn). As well as financial costs there is reputational damage or even jail.
- Remember positive risk (opportunities) too – these include cost reduction, elimination of waste, faster to market and new innovations. Top management are always interested in bottom line improvement.
- Remind them this is not optional.
ISO 9001:2015 doesn’t tell top management how to manage risk. It leaves that up to the organisation. Usually, it is the one(s) that works best for you. When selecting a risk assessment methodology ensure:
- It enables the requirements of 9001:2015 to be met
- It is straightforward to use
- It is not cost prohibitive to use
- It gives consistent and repeatable results
- It is universally applied across functions managing the same risks
- There is documentation, training and support available in order to ensure it is properly applied
Here are some risk management techniques:
- ISO 31010 Risk Management – lists some Risk Assessment Techniques
- Failure mode and effect analysis
- Cause and effect analysis
- Delphi technique – structured, interactive forecasting
- Hazard analysis and critical control points
- Scenario analysis
- Root cause analysis
- Risk Indices
- Cost benefit analysis