HOW TO: ADDRESS RISK-BASED THINKING IN A QUALITY MANAGEMENT SYSTEM [email protected] | www.riskza.com | 0861 RISK ZA

Post on 21-May-2022


© Risk ZA Group (PTY) Ltd.

CONTENTS

OVERVIEW OF THE ISO 9001:2015 REVISION

MANAGING RISK IN A QUALITY MANAGEMENT SYSTEM

CONSIDERING AN ENTERPRISE-WIDE APPROACH TO RISK MANAGEMENT

RISK-BASED THINKING IN THE QUALITY MANAGEMENT STANDARD

SUMMARY OF THE BENEFITS OF RISK-BASED THINKING

THE IMPORTANCE OF INSTITUTIONAL KNOWLEDGE

WORK WITH RISK ZA


OVERVIEW OF THE ISO 9001:2015 REVISION

The ISO 9001:2015 Quality Management Systems standard provides confidence in an organisation’s ability to consistently provide customers with conforming goods or services and to enhance customer satisfaction.

The revised Quality Management Systems (QMS) standard was published in September 2015, and the committee responsible for the ISO 9001 revision introduced several changes, which are:

Providing a Quality Management standard with a foundation for integration with other Management Systems.

Introducing Risk-based Thinking.

Aligning the QMS policy and objectives with the strategy of an organisation.

Providing greater flexibility for documentation.

The common format developed by ISO to facilitate integration is known as Annex SL or the High Level Structure. It provides a standardised core text and structure common to all revised ISO Management Systems as follows:

CLAUSE 1 Scope

CLAUSE 2 Normative references

CLAUSE 3 Terms and definitions

CLAUSE 4 Context of the organisation

CLAUSE 5 Leadership

CLAUSE 6 Planning

CLAUSE 7 Support

CLAUSE 8 Operation

CLAUSE 9 Performance evaluation

CLAUSE 10 Improvement


MANAGING RISK IN A QUALITY MANAGEMENT SYSTEM

Risk in the ISO 9001:2015 Quality Management standard relates to the uncertainty of achieving the objectives of the QMS, which are to provide products and services that conform to customers’ requirements. Understanding risks and finding ways to mitigate them helps organisations to drive changes and improvements.

Risk-based thinking is incorporated into the whole management system, in order to:

Ensure that risks are considered from the beginning and throughout the process approach.

Make proactive action part of strategic planning.

Identify opportunities for improvement.

There isn’t a requirement in ISO 9001:2015 to use formal risk management and an organisation can choose the methods that best suit its needs. ISO/TS 9002:2016 states that organisations can consider using the outputs of techniques such as:

SWOT: Strengths-Weaknesses-Opportunities-Threats

PESTLE: Political-Economic-Social-Technological-Legal-Environmental

FMEA: Failure Mode and Effects Analysis

FMECA: Failure Mode, Effects, and Criticality Analysis

HACCP: Hazard Analysis and Critical Control Points

Simpler approaches include methods such as brainstorming, Structured What IF Technique (SWIFT), and risk matrix (consequences and probability).

The application of risk-based thinking can also help an organisation to develop a proactive and preventive culture focused on doing things better and improving how work is done in general.


CONSIDERING AN ENTERPRISE-WIDE APPROACH TO RISK MANAGEMENT

Risk-based thinking is common to all revised ISO Management Systems standards, written using the High-Level Structure. For some organisations facing high levels of risk, it may however be worth considering taking an enterprise-wide approach to Risk Management and applying the ISO 31000:2018 Risk Management standard.

ISO 9001:2015 does not require a formal risk assessment. ISO 31000:2018 improves risk identification and risk treatment by providing best practice Risk Management principles, a framework and a process for managing risk at an enterprise-wide level.

Want to find out more about the ISO 31000:2018 Risk Management standard? Download our FREE Guide ISO 31000:2018 – HOW DO I GET STARTED.

RISK-BASED THINKING IN THE ISO 9001:2015 STANDARD

Risk-based thinking is included in the following clauses of ISO 9001:2015:

Clause 4: risks which can affect an organisation’s ability to meet objectives must be determined.

Clause 5: top management needs to ensure that risks and opportunities that can affect the conformity of a product or service are determined and addressed.

Clause 6: the organisation must identify risks and opportunities and plan how to address them.

Clause 8: the organisation is required to plan, implement and control its processes to address the actions identified in Clause 6.

Clause 9: risks and opportunities must be monitored, measured, analysed and evaluated.

Clause 10: continual improvement is achieved by responding to changes in risk.


THE BENEFITS OF RISK MANAGEMENT IN A QUALITY MANAGEMENT SYSTEM

The benefits from successful risk management include compliance, assurance that customers will receive the expected products or services and improved decision-making ability.

Summary of the Benefits of Risk-based Thinking:

Establishes a proactive culture of improvement.

Assures consistency of quality of goods or services.

Improves customer confidence and satisfaction.

Builds a strong knowledge base.

Proactively improves operational efficiency and governance.

Builds stakeholder confidence in the use of risk techniques.

Enables organisations to apply Management System controls to analyse risk and minimise losses.

Improves Management System performance and resilience.

Enables organisations to respond to change effectively and protect their business as they grow.

THE IMPORTANCE OF ORGANISATIONAL KNOWLEDGE

Organisational knowledge needs to be captured, analysed, managed and improved on so that an organisation can continually improve and achieve excellence. Businesses need tools to drive continual improvement and purpose-built software is invaluable. Purpose-built software provides your team with a complete view of documentation that is shared among auditors, managers and executives in real-time so more effective collaboration can occur on issues that pose risks to the business.

Find out more about ISO Document and Control Procedures and our tailored Software Solutions. Download our FREE guide Automated Document Control: A Key Component of ISO Management Systems.


WORK WITH RISK ZA

Risk ZA provides a unique combination of complementary services. We help our clients to understand how they are performing and identify areas for improvement through the following services.

TRAINING SERVICES

We train our clients to understand ISO standards and how to implement them through:

Awareness training (in English, Afrikaans and isiZulu)

Introductory and intermediate courses

Advanced exposure to developing and implementing management arrangements to foster a culture of continual improvement

Practical application of strategic elements of local and international best-practices

Internal and supplier auditing

SAATCA registered Lead auditor training

CONSULTING INTERVENTIONS

Gap Analysis and Project Planning

Steering Committees

Policy Development

Process Mapping and Evaluation

Corrective Action Systems

System Development and Implementation

Documentation Creation, Review and Control


AUDITING SERVICES

Auditing is an integral function of continual improvement and we promote the use of risk-based auditing. Our performance and conformance audits are conducted with influence from ISO 19011 and ISO 17021 for our clients or on their behalf and we provide the following services:

First-party internal audits

Second-party supplier audits

Third-party preparation audits (pre-certification)

ONLINE LEARNING

Risk ZA is the regional channel and technical partner for Erudio Global, an Online ISO Training and Coaching provider. This service is aimed at people who are pressed for time as well as professionals working in remote locations who are unable to attend our public training courses.

Our online learning service focuses on ISO 9001:2015 Quality Management and ISO 14001:2015 Environmental Management.

Sign Up and discover more about our Online Learning Service here.

SOFTWARE SOLUTIONS

Purpose-built software offers your team more effective collaboration on issues that pose risks to the business and a complete view of documentation that needs to be shared among auditors, managers and executives in real-time.

Click here for information about our purpose-built Software Solutions designed to effectively manage your Document and Control Procedures.

Contact us on +27 (0) 31 569 5900, or email [email protected] and find out how to manage key risks in your enterprise more effectively.

OUR RISK MANAGEMENT EXPERTS ARE READY TO ASSIST YOU!