ISO/DIS 9001:2015 – Risk-Based Thinking

ISO/DIS 9001:2015
Risk-Based Thinking

Whittington & Associates, LLC

6175 Hickory Flat Highway, Suite 110-303, Canton, GA 30115
www.WhittingtonAssociates.com
770-517-7944

Version 1.0: 01/10/15 © 2015 Whittington & Associates, LLC Slide 1

What is Risk?

Risk is the “effect of uncertainty on an expected result”

Effect is a deviation from the expected – positive or negative.
Uncertainty is the lack of information related to understanding
or knowledge of an event, its consequence, or likelihood.

• Risk often refers to potential “events” and “consequences”

• Risk is often expressed as the “consequences” of an event
and the associated likelihood or “probability”

Version 1.0: 01/10/15 © 2015 Whittington & Associates, LLC Slide 2

Requirements – V1.0 © 2015 Whittington & Associates, LLC Page 1

ISO/DIS 9001:2015 – Risk-Based Thinking

What is Risk-Based Thinking?

• The concept of risk has been implicit in ISO 9001:2008

(however, “risk” is not mentioned in clauses 4 to 8)
• The ISO 9001:2015 revision makes it more explicit
(“risk” is mentioned 14 times within clauses 4 to 10)
• Risk-based thinking ensures that risk is considered
from beginning and throughout the process approach
• Risk-based thinking makes preventive action part of
your strategic planning and direction
• Risk is often thought of in the negative sense, however,
risk-based thinking can also help identify opportunities
Version 1.0: 01/10/15 © 2015 Whittington & Associates, LLC Slide 3

ISO/DIS 9001:2015

Risk-Based Approach (6.1, A.4)

• Determine and address risks and opportunities
• Use planning events to identify and analyze risks
• Don’t want to say “we should’ve seen that coming”
• Replaces the Preventive Action requirements

Version 1.0: 01/10/15 © 2015 Whittington & Associates, LLC Slide 4

Requirements – V1.0 © 2015 Whittington & Associates, LLC Page 2

ISO/DIS 9001:2015 – Risk-Based Thinking

Risk-Based Approach

Risk now considered throughout the standard:

4.1.f - Determine risks; take actions to address.
5.1.2.b - Ensure risks determined and addressed.
6.1.1 - Plan to determine risks that need to be
addressed to achieve intended results.
6.1.2 - Plan actions to address risks; integrate into
processes; evaluate effectiveness of actions.
8.5.5.a - Consider risks in post-delivery activities.
9.3.1.e - Review effectiveness of actions on risks.

Version 1.0: 01/10/15 © 2015 Whittington & Associates, LLC Slide 5

Consequences and Constraints

Risk relates to “consequences” and “constraints”:

6.3.a - Consequences of planned system changes
7.1.1.a - Constraints on existing internal resources
8.1 - Consequences of unintended process changes
8.3.3.e - Consequences of product or service failure
10.2.1.a.2 - Consequences of nonconformities

Version 1.0: 01/10/15 © 2015 Whittington & Associates, LLC Slide 6

Requirements – V1.0 © 2015 Whittington & Associates, LLC Page 3

ISO/DIS 9001:2015 – Risk-Based Thinking

Risk Assessment

Consider scenarios that may impact your business:

• product failures • currency changes

• late deliveries • raw material shortages
• service issues • oil price increases
• supply chain disruption • work stoppage
• technology shifts • economic downturn
• competitive pressures • increased regulations

Version 5: 8/05/05 © 2000-2005 Whittington & Associates, LLC Slide 7

Risk Assessment Worksheet

Risk
Identify and Rate Risks Rating Risk Rating Risk Risk Assessment
Index Action Action
for Business Events Probability Consequence Low - Med - High
PxC=I Type Reference
(strategic, operational, financial, compliance) (1 to 5) (1 to 5) (1-8) (9-16) (17-25)
(1 to 25)

1.

2.

3.

4.

5.

6.

7.

8.

9.

10.

Version 1.0: 01/10/15 © 2015 Whittington & Associates, LLC Slide 8

Requirements – V1.0 © 2015 Whittington & Associates, LLC Page 4

ISO/DIS 9001:2015 – Risk-Based Thinking

Rating of Risk Probability

Rating Probability Criteria (Likelihood of Risk Occurrence)

1 Rare Unlikely to occur, but possible

2 Unlikely Unlikely, but can be reasonably expected to occur

3 Possible Will occur several times

4 Likely Will occur frequently

5 Almost Certain Continually experienced

Version 1.0: 01/10/15 © 2015 Whittington & Associates, LLC Slide 9

Rating of Risk Consequences

Rating Consequence Criteria (Impact of Risk to Business)

Negligible business impact. Local media attention quickly remedied. Nothing reportable to
1 Incidental
regulator. No injuries to employees or third parties. Isolated staff dissatisfaction. Loss up to $x.

Slight business impact. Local damage to reputation. Reportable incident to regulator with no
2 Minor follow-up. No or minor injuries to employees or third parties. Some morale problems and turnover
increase. Financial loss of $x to $x.

Limited business impact. Short-term negative media coverage. Report of breach to regulator
3 Moderate with immediate correction. Out-patient medical treatment for employees or third parties.
Widespread staff morale problems and high turnover. Financial loss of $x to $x.

Serious business impact. Negative media coverage. Significant loss of market share. Report to
4 Major regulator requiring major corrective action. Limited in-patient care for employees or third parties.
High turnover of experienced staff. Financial loss of $x to $x.

Disastrous business impact. Long-term negative media coverage. Dramatic loss of market
5 Extreme share. Significant litigation, prosecution, or fines. Significant injuries or fatalities to employees or
third parties. Multiple leaders leave. Potential closure of business. Financial loss of $x or more.

Version 1.0: 01/10/15 © 2015 Whittington & Associates, LLC Slide 10

Requirements – V1.0 © 2015 Whittington & Associates, LLC Page 5

ISO/DIS 9001:2015 – Risk-Based Thinking

Risk Index Table

P x C = Index Consequence Range

Low: 1 - 8
Medium: 9-16
High: 17-25 1 2 3 4 5

1 1 2 3 4 5
Probability Range

2 2 4 6 8 10

3 3 6 9 12 15

4 4 8 12 16 20

5 5 10 15 20 25

Version 1.0: 01/10/15 © 2015 Whittington & Associates, LLC Slide 11

Mitigation Actions

Type Option Description

1 Avoid Risk Withdraw from the activity

2 Eliminate Risk Eliminate the risk source

3 Change Risk Change probability or consequence

4 Share Risk Outsource risk or insure against it

5 Retain Risk Accept risk by informed management decision

Version 1.0: 01/10/15 © 2015 Whittington & Associates, LLC Slide 12

Requirements – V1.0 © 2015 Whittington & Associates, LLC Page 6

ISO/DIS 9001:2015 – Risk-Based Thinking

Mitigation Action Worksheet

Reference Risk Action Person Due Actual

Description of Action
Number Level Type Assigned mm/dd/yy mm/dd/yy

Version 1.0: 01/10/15 © 2015 Whittington & Associates, LLC Slide 13

Optimal Risk-Taking

Insufficient Optimal Excessive

Risk-Taking Risk-Taking Risk-Taking

Expected
Value

Risk Level

Version 1.0: 01/10/15 © 2015 Whittington & Associates, LLC Slide 14

Requirements – V1.0 © 2015 Whittington & Associates, LLC Page 7

ISO/DIS 9001:2015 – Risk-Based Thinking

Risk Assessment Process

1. Identify relevant business objectives.

2. Identify events that could affect achievement of objectives.
3. Determine risk tolerance.
4. Assess inherent likelihood and impact of risks.
5. Evaluate the portfolio of risks and determine risk responses.
6. Assess residual likelihood and impact of risks.

Inherent risk is the current level of risk assuming existing

responses operate according to design.
Residual risk is the estimated risk after responses under
consideration are put into place.

Version 1.0: 01/10/15 © 2015 Whittington & Associates, LLC Slide 15

Why Adopt Risk-Based Thinking?

• Successful companies usually take a risk-based

approach because it brings benefits:
– improves customer satisfaction
– assures consistency of products and services
– establishes culture of prevention and improvement
• ISO/DIS 9001:2015 does not require a formal risk
assessment, but requires documented information
• ISO 31000, Risk Management, provides guidance
and may be a useful reference, but is not required
Version 1.0: 01/10/15 © 2015 Whittington & Associates, LLC Slide 16

Requirements – V1.0 © 2015 Whittington & Associates, LLC Page 8

ISO/DIS 9001:2015 – Risk-Based Thinking

What Should I Do?

• Analyze and prioritize your risks and opportunities

– what is acceptable?
– what is unacceptable?
– which opportunities should be acted on?
• Plan actions to address the risks and opportunities
– how can I avoid, eliminate, or mitigate the risk?
– how can I realize opportunities?
• Implement the plan – take action
• Check the effectiveness of the actions – did it work?
• Learn from experience – continual improvement

Version 1.0: 01/10/15 © 2015 Whittington & Associates, LLC Slide 17

Questions

If you have questions about ISO/DIS 9001:2015,

please contact me at 770-517-7944, or send an
email to Larry@WhittingtonAssociates.com.

Version 1.0: 01/10/15 © 2015 Whittington & Associates, LLC Slide 18

Requirements – V1.0 © 2015 Whittington & Associates, LLC Page 9