Available online at www.sciencedirect.

com
Available online at www.sciencedirect.com
ScienceDirect
ScienceDirect
Available online at www.sciencedirect.com
Transportation Research Procedia 00 (2022) 000–000
Transportation Research Procedia 00 (2022) 000–000
ScienceDirect www.elsevier.com/locate/procedia
www.elsevier.com/locate/procedia
Transportation Research Procedia 63 (2022) 1–12

X International Scientific Siberian Transport Forum

X International Scientific Siberian Transport Forum
Application of risk-based approach methods of various levels of
Application of risk-based approach methods of various levels of
complexity in the quality management system of a transport
complexity in the quality management system of a transport
company
company
Oksana Zhemchugovaa,a, *, Violetta Levshinaaa, Lev Levshinaa
Oksana Zhemchugova *, Violetta Levshina , Lev Levshin
a
Reshetnev Siberian State University of Science and Technology, 660049, Prospect Mira, 82, Krasnoyarsk, Russia
a
Reshetnev Siberian State University of Science and Technology, 660049, Prospect Mira, 82, Krasnoyarsk, Russia

Abstract
Abstract
The relevance of the study is associated with the determination of the set of application of the risk-based approach methods of
The relevance
various the study is which
levels of complexity, associated
will with the determination
be evidence of the setduring
of the organization of application
the auditofofthe
therisk-based approach methods
quality management system of
various
the levels company.
transport of complexity, which willforbethe
An algorithm evidence of the organization
development of methods during the audit
of various levelsofofthecomplexity
quality management system of
of the risk-oriented
the transport
approach company.
in the processesAnofalgorithm
the qualityformanagement
the development
systemofof methods of company
a transport various levels of complexity
has been determined.ofComparison
the risk-oriented
of the
approach
stages in the
of risk processes ofand
management thehandling
quality management system
of risks is carried of Risk-based
out. a transport approach
company techniques
has been determined. Comparison
from the simplest to theofmost
the
stages of level
complex risk management and handling
have been developed of risks
and tested (ISOis31000:
carried2018).
out. Risk-based approach techniques from the simplest to the most
complex
© level
2022 The have been
Authors. developed
Published and tested (ISO
by ELSEVIER B.V.31000: 2018).
© 2022 The Authors. Published by ELSEVIER B.V.
© 2022
This is The
an Authors.
open accessPublished
article by ELSEVIER
under the CC B.V.
BY-NC-ND license (https://creativecommons.org/licenses/by-nc-nd/4.0)
(https://creativecommons.org/licenses/by-nc-nd/4.0)
This is an open access article under the CC BY-NC-ND license
This is an
Peer-review open access
under article under
responsibility of the CC BY-NC-ND
scientific license
committee
Peer-review under responsibility of the scientific committee of of (https://creativecommons.org/licenses/by-nc-nd/4.0)
thethe X International
X International Scientific
Scientific Siberian
Siberian Transport
Transport ForumForum
Peer-review
Keywords: ISOunder responsibility
9001:2015; risk-basedofapproach;
the scientific
qualitycommittee
managementofsystem;
the X International Scientific Siberian
quality risk; organizational processes;Transport Forum
ISO 31000: 2018,
techniques ISOapplying
Keywords: for 9001:2015; risk-based
a risk-based approach; quality management system; quality risk; organizational processes; ISO 31000: 2018,
approach.
techniques for applying a risk-based approach.

1. Introduction
1. Introduction
It is known that the emergence of a new requirement for planning actions to address risks and opportunities in the
ISOIt 9001:2015
is known that
hasthe emergence
prompted manyof aorganizations
new requirement for the
to find planning actions
right risk to address methodologies
management risks and opportunities
for them.in But
the
ISO 9001:2015 has prompted many organizations to find the right risk management methodologies
despite the large number of scientific works devoted to the implementation of a risk-based approach in quality for them. But
despite
managementthe large number
systems (QMS)of of
scientific works the
organizations, devoted to the
obtained implementation
results of a risk-based
require understanding approach in quality
and systematization. In our
management systems (QMS) of organizations, the obtained results require understanding and systematization.
early work (Zhemchugova and Levshina, 2020), risks were considered in relation to QMS - “risks in the field In our
of
early work (Zhemchugova and Levshina, 2020), risks were considered in relation to QMS - “risks in
quality”, which were defined as “the effect of uncertainty on the achievement of quality objectives aimed at ensuringthe field of
quality”, which were defined as “the effect of uncertainty on the achievement of quality
the sustainable development of an organization by balancing the requirements of its stakeholders”. objectives aimed at ensuring
the sustainable development of an organization by balancing the requirements of its stakeholders”.

* Corresponding author. Tel.: +7-902-923-22-45; fax: +7-902-923-22-45.

* E-mail
Corresponding zhemchugova.oksa@mail.ru
address:author. Tel.: +7-902-923-22-45; fax: +7-902-923-22-45.
E-mail address: zhemchugova.oksa@mail.ru
2352-1465 © 2022 The Authors. Published by ELSEVIER B.V.
This is an open
2352-1465 access
© 2022 Thearticle under
Authors. the CC BY-NC-ND
Published by ELSEVIER B.V.(https://creativecommons.org/licenses/by-nc-nd/4.0)
license
Peer-review under
This is an open responsibility
access of the scientific
article under CC BY-NC-NDcommittee
license (https://creativecommons.org/licenses/by-nc-nd/4.0
of the X International Scientific Siberian Transport Forum )
Peer-review under responsibility of the scientific committee of the X International Scientific Siberian Transport Forum
2352-1465 © 2022 The Authors. Published by ELSEVIER B.V.
This is an open access article under the CC BY-NC-ND license (https://creativecommons.org/licenses/by-nc-nd/4.0)
Peer-review under responsibility of the scientific committee of the X International Scientific Siberian Transport Forum
10.1016/j.trpro.2022.05.001
2 Oksana Zhemchugova et al. / Transportation Research Procedia 63 (2022) 1–12
2 Oksana Zhemchugova et al / Transportation Research Procedia 00 (2022) 000–000

In studies (Dzedik and Ezrakhovich, 2015; Itkin, 2016; Mire-Sluis, et al., 2018; Balme, 2015; Barafort, et al.,
2018; Smith, et al., 2015; ISO 31000, 2018; Crocker and Snow, 2018; Golubinsky, et al., 2016; Zhemchugova, et al.,
2017; Zhemchugova and Levshina, 2018; Orlova, 2018; Panasyuk, 2015; Molach, et al., 2015; Tapman, 2002), the
implementation of the idea of a risk-based approach in an organization can be implemented by various methods –
from simple ways of dealing with risks to standardized methods of risk management (according to ISO 31000: 2018
and IEC 31010- 2019). We have found (Zhemchugova and Levshina, 2020) that the risk-oriented approach in the
QMS can be applied in organizations, regardless of their size and industry, but the level of complexity of the
methods used is determined by the maturity of the organization's QMS and the factors of its external environment.
Based on this, we have developed a model for the evolution of the application of the risk-based approach in the
QMS, depending on the magnitude of these characteristics of the organization.
The latest versions of ISO 9001 and ISO 31000 standards reflect the integration of process and risk-based
approaches. So, the ISO 9001:2015 standard states that the process approach to the organization's QMS must be
incorporated with the management of risks that can affect the outputs of the processes and the overall outputs of the
QMS. And in the ISO 31000:2018 standard - “risk management should be integrated into the structure, activities and
processes of the organization” (ISO 31000, 2018). Consequently, the methods for applying the risk-based approach
can be from the simplest to the most complex, but they should all be based on the processes of the organization.
In our research in the organization's QMS, we considered the processes of the product life cycle (business
processes) that provide processes and management processes. The work (Tapman, 2002) identifies groups of risk
sources as forms of uncertainty of socio-economic results, one of which is based on management theory, where risk
is considered as “a characteristic of any type of purposeful human activity carried out under conditions of resource
constraints and the possibility of choosing a way to achieve the set goals in the conditions of information
uncertainty”. Therefore, we can apply a risk-oriented approach to management processes only from the standpoint of
making management decisions to achieve quality goals based on risk analysis, when a manager identifies
opportunities and associated risks, and assesses which path he will choose (Dzedik and Ezrakhovich, 2015). But the
same approach is also used for the business processes of products and supporting processes in the QMS. Another
group of risk sources, according to (Tapman, 2002), is the process of creating products, carried out in conditions of
resource constraints. That is, entrepreneurial risks are realized in business processes and supporting processes of the
QMS, for which inputs and outputs, quality goals are determined, and performance is assessed. It follows that risk,
as the influence of uncertainty on the achievement of quality objectives, can be characterized by a deviation from the
result. However, in the same processes, the risk can be determined in relation to potential events and their
consequences or to their combination (ISO 9001, 2015) and, therefore, the organization can carry out a qualitative
and / or quantitative assessment of risks in the QMS and make appropriate management decisions. For qualitative
and quantitative assessment, all methods described in the IEC 31010 standard can be applied.
Based on the foregoing, we formulated a hypothesis reflecting the relationship between the application of the
process and risk-oriented approaches: “A risk-oriented approach can be applied to all processes of the organization's
QMS from the standpoint of making a management decision based on an assessment of risks and opportunities;
however, in business and support processes, quality risks can also be defined in relation to potential events and their
consequences, or a combination of them”. In our work (Zhemchugova and Levshina, 2020), various methods of
applying the risk-based approach were divided into three groups by levels of complexity (Fig. 1), which we
conventionally designated as A, B, C.

Fig. 1. Methods for applying a risk-based approach.

 Oksana Zhemchugova et al. / Transportation Research Procedia 63 (2022) 1–12 3
Oksana Zhemchugova / Transportation Research Procedia 00 (2019) 000–000 3

We have developed a methodology that allows us to determine what level of complexity of the risk-based
approach can be chosen for an organization, taking into account its characteristics (Zhemchugova and Levshina,
2020). In this work, we solve the following tasks: a) determine an algorithm for the development of methods of
various levels of complexity for the application of a risk-oriented approach in the organization's QMS processes; b)
develop and test methods of various levels of complexity for applying the risk-based approach in the organization's
QMS.

2. Materials and methods

It is known that the method (from Greek metodos) is a way, a set of correct actions that must be taken in order to
solve a certain problem or achieve a certain goal. Unlike a method, a technique is, as a rule, a certain ready-made
recipe, algorithm, procedure for carrying out any targeted actions. The technique differs from the method by the
concretization of ways and tasks.
We have developed a research algorithm for the development of methods of various levels of complexity of
applying the risk-based approach in the QMS of organizations, which is based on the classification of QMS
processes and methods of applying the risk-oriented approach (in relation to potential events and consequences and
when making management decisions based on an assessment of risks and opportunities) (Fig. 2).

Fig. 2. Algorithm for the development of techniques of various levels of complexity (A, B, C) for the application of a risk-based approach.

The figure shows that for business processes and supporting processes, various techniques of applying the risk-
oriented approach (A, B, C) can be applied, differing in the level of complexity.
For the practical application of this approach, it is necessary to determine the set of actions (stages), from which
techniques A, B, C will consist; and establish evidence that can be used in auditing the organization's QMS,
including to assess the effectiveness of actions taken to address risks and opportunities.
The solution to the problem of determining the stages of each method can have many solutions, but for
conducting research in organizations of various industries, we decided to use approximately the same stages and
determine in practice how their content will be transformed depending on the complexity of methods A, B, C.
Names of the stages and their content have been defined the same as in the ISO 31000:2018 standard. In our opinion,
these stages are suitable for techniques of high and medium levels of complexity (C and B). However, the content
and procedures of these stages will differ.
Technique C, which is recommended for large mature organizations, should be more consistent with the
requirements of risk management. Conversely, technique B, which can be applied in medium-sized and less mature
4 Oksana Zhemchugova et al. / Transportation Research Procedia 63 (2022) 1–12
4 Oksana Zhemchugova et al / Transportation Research Procedia 00 (2022) 000–000

organizations, should be somewhat simplified. For the simplest technique A intended for small businesses and the
service sector, in our opinion, the stages of dealing with risks proposed by Ezrahovich and Dzedik (2015) are better
suited. The authors use the phrase “risk management” to emphasize that ISO 31000 is a useful document, but not
mandatory, in line with ISO 9001:2015, which does not require formal risk management practices.
A comparison of the stages of risk handling and risk management is presented in Fig. 3.
Comparison of the stages of risk management and risk handling shows that they are close in meaning, but the
term “risk handling” emphasizes the optional formalization of the application of the risk-based approach, which
should be taken into account when developing technique A.
It should be noted that in the above figure, we did not include the first stage of risk management, in which the
organization is recommended to determine the scope of its risk management activities, the external and internal
environment, as well as the risk criteria. Instead, we recommend that organizations use our proven technique
(Zhemchugova and Levshina, 2020): analyze their external and internal environment and, based on this, choose the
level of complexity of applying the risk-based approach (techniques A, B, C).
The basis for establishing audit evidence and the volume of documented information is the determination of the
stages that make up the techniques of various levels of complexity of the risk-based approach.
1. Identification of possible risks in
1. Quality risk identification
the field of quality
2. Identification of priority risks in Risk management stages 2. Quality risk analysis
the field of quality 3. Quality risk assessment
Risk handling stages

3. Determination of methods for 4. Choice of options for

dealing with quality risks influencing quality risk
5. Preparation and
4. Applying risk handling techniques implementation of quality
risk management plans
5. Determination of the effectiveness
of the applied methods 6. Monitoring and review
6. Re-identification of potential
quality risks 7. Documenting and
reporting

Fig. 3. Comparison of the stages of risk management (ISO 31000:2018) and risk handling.

It is known that “audit evidence is records, statements of fact, or other information that are related to audit criteria
and can be verified. Audit evidence can be qualitative or quantitative” (ISO 9001, 2015). The work (Panasyuk, 2015)
emphasizes that “the organization is responsible for actions in relation to risk, including the appropriateness of
recording and retaining documented information as evidence in determining the risks of the organization”.
Therefore, when developing techniques A, B, C using the example of organizations in various industries, we
identified audit evidence, including documented information.

3. Results

It was decided, first of all, to consider the development of technique C - the most difficult level of application of
the risk-based approach, which is generally recommended for large high-tech organizations (Zhemchugova and
Levshina, 2020). Therefore, we used two enterprises - for the production of building materials and mechanical
engineering, in which the QMS operates and is constantly being improved in accordance with the requirements of
ISO 9001.
In order to identify and assess risks in the field of quality, working groups of responsible persons were created at
the surveyed enterprises. The sources of information about the risks in the field of quality at the enterprise for the
production of building materials were inconsistencies previously identified at the output of the “Limestone
extraction” process, which always affect the failure to achieve the goal or the established level of requirements due
to the realized risks. The results of the identification of risks in the field of quality are presented in Table 1 (columns
2-3).
 Oksana Zhemchugova et al. / Transportation Research Procedia 63 (2022) 1–12 5
Oksana Zhemchugova / Transportation Research Procedia 00 (2019) 000–000 5

Table 1. Identification, analysis and assessment of risks at an enterprise for the production of building materials (fragment).

Risk magnitude
Assessment of
the severity of

consequences
consequence
Quality risk

of the event
(frequency)
Probability

Risk level
Process

Event

Event
name

name

the
Stopping the bulldozer Stopping the bulldozer 1 The block for drilling has 1 1
(for various reasons) not been prepared, the
deadlines for the

Significant Acceptable
production of a mass
explosion and production
Limestone mining

Lack of testing data for
blocks planned for
development for
aluminum content
Lack of testing data for
blocks planned for
development for
aluminum content
are postponed
1 Failure to meet the 8 8
deadlines for the
production of building
material

The stage of risk assessment ends with the compilation of a Register of risks in the field of quality and a matrix of
their assessment for a year, indicating the number of risks located by zones of significance level. At the end of the
calendar year, the results of the application of the risk-based approach were analyzed at the enterprise for the
production of building materials, namely, the implementation of measures to reduce the level of risk in the field of
quality was assessed, monitoring, measurements and analysis were carried out in order to determine the correct
measures taken. Subsequently, decisions were made on the possibility of transferring the risk from significant to the
category of acceptable risk. In case of positive results, the quality risk matrix for the next year is revised.
To organize activities at enterprises, the Regulation “Application of a risk-oriented approach in the production of
products” was put into effect. The implementation of the risk management procedure was documented in the
corresponding passport (Table 2).
The quality risk analysis was carried out on the basis of the risk assessment matrix (Figure 4). The results are
presented in Table 1 (columns 4-6). Risk assessment in the area of quality consists in calculating its value (formula
1); the results are presented in Table 1 (column 7).

RISK=(probability) х (severity of the consequences) (1)

In the same place (column 8), the result of assessing the level of risk is presented, based on the matrix (Figure 4),
where

Fig. 4. Risk assessment matrix with an uneven scale of consequences.

6 Oksana Zhemchugova et al. / Transportation Research Procedia 63 (2022) 1–12
6 Oksana Zhemchugova et al / Transportation Research Procedia 00 (2022) 000–000

Table 2. Quality risk passport (example).

QUALITY RISK PASSPORT
Subdivision name Grinding workshop
Process type Basic
Process name Building material production (grinding)
Risk level (significant / critical) Critical
Responsible Head of the workshop Pavlov A.I.
General risk information
Risk name Unstable mill water supply
Event Release of nonconforming products
Causes/sources of risk Lack of competence of the employee (operator)
Consequences of risk 1. Inconsistency of the quality characteristics of the building
material
2. Failure to meet the delivery time of finished products
3. Re-labeling of products
Quality risk management action plan
No. Measures to reduce / optimize the level of risk Responsible
(resources)
1 Installation of an automated water injection Mechanic / Head of the grinding shop
system
2 Improving the competence of the operator Personnel retraining center
Realization of quality risk
No. Date Event name Cause Corrective actions / Correction
- - - - -
- - - - -
Residual risk assessment in the field of quality
During the period 2020-2021, the risk was not realized.
At the end of 2021, the “Automated water supply to mill No. 5” was purchased and installed. The risk is
reduced to an acceptable level.

We have determined (Zhemchugova and Levshina, 2020) that technique B - the average level of complexity of
applying the risk-based approach, is mainly recommended for medium-sized organizations related to the chemical
industry, the production of rare non-ferrous metals, higher and secondary vocational education, wholesale and retail
trade and etc.
It was found that technique B, like technique C, can consist of steps similar to the recommendations of ISO
31000:2018. Its development and testing were carried out at two enterprises - for the production of rare non-ferrous
metals and the organization of higher professional education. Both organizations have QMS certified for compliance
with ISO 9001:2015.
At an enterprise for the production of rare non-ferrous metals, the use of a risk-oriented approach is presented
using the example of the process “Manufacturing products at site No. 3” (Fig. 5), where for the operation “Cutting
an ingot into blanks of a plate”, quality risks were identified by the method of brainstorming carried out by a group
of managers: “The ingot fell and broke”, “Inappropriate workpieces and plates”, “The machine broke down”. The
reasons for the occurrence of these undesirable events are also shown there.
The assessment of quality risks was carried out by an expert group on the basis of a scale (Table 3).
 Oksana Zhemchugova et al. / Transportation Research Procedia 63 (2022) 1–12 7
Oksana Zhemchugova / Transportation Research Procedia 00 (2019) 000–000 7

Fig. 5. Process “Manufacturing products at site No. 3" and risks in the field of quality of the operation "Cutting an ingot into blanks of a plate”.

Table 3. Scales for assessing the probabilities and the expected frequency of occurrence of quality risk (undesirable event).
Probability rank Characteristic Expected frequency
Low Isolated cases of the occurrence of risk events. Risk factors are stable, but negative Once every 3 years
changes in the organization's environment are possible.
Medium Events occur from time to time. There is evidence of the occurrence of such risk events Once every 2 years
over the past few years. Risk factors are unstable.
High Frequent occurrence of risk events. There is information about the repeated occurrence of Once every six months or
similar events in the past year. Risk factors are highly variable. more

Measures to eliminate the causes of risk events in the process “The ingot fell and shattered” (Table 4).

Table 4. Measures to eliminate the causes of risk events.

Cause
The recipe for the preparation of picein has
not been followed (glue for gluing the
substrate)
The temperature of gluing the ingot to the
substrate is not maintained
The time for gluing the ingot to the
substrate was not kept
Insufficient operator qualifications
Using the wrong brand of glue to glue the
Measures
Place visual information on the wall (near the scales) on the picein recipe
Develop an automated system for maintaining the temperature and gluing time
Place visual information on the modes of technological gluing of the ingot and substrate
Conduct training and technical minimums at least once every two years, with the passing of
an exam and confirmation of the qualification category, competence.
Check the brand of glue by testing before issuing it to production

end of the ingot to the ingot holder

The development and testing of technique B in the organization of higher professional education was carried out
using the example of two significant processes of the university's QMS – “Design and development of the basic
educational program” and “Admission of applicants”. Risk events, quality risks and consequences of risk events
were identified. Since the consequences associated with the implementation of a risk event in a university can hardly
be called catastrophic, it was decided to differentiate the frequency (probability) of an event and an assessment of the
severity of its consequences on a three-point scale. Data were obtained on the assessment of the magnitude of quality
risks for the two investigated processes (Table 5).
8 Oksana Zhemchugova et al. / Transportation Research Procedia 63 (2022) 1–12
8 Oksana Zhemchugova et al / Transportation Research Procedia 00 (2022) 000–000

Table 5. Assessment of the magnitude of quality risks for the university processes (fragment).
Magnitude of the
Quality risk Probability Consequences
quality risk
1. Assigning a faculty member to be responsible for a large
3 2 6
number of curriculum programs
2. Lack of teacher competence 1 2 2
3. Inconsistency of the curriculum with the requirements 1 2 2
13. Lack of a well-designed curriculum 3 3 9
17. Lack of objective and accessible information about the
1 3 3
admission of applicants
20. Non-compliance with the rules of admission 1 3 3
21. Recruitment of applicants with a low level of knowledge 2 3 6
25. Lack of normative documents for writing work programs
of academic disciplines 3 3 9

To assess the quality risks, a two-factor matrix was used (Fig. 6), from which it can be seen that the group of
significant risks included: (for the process “Design and development of the basic educational program”) – “The risk
of assigning a teacher to be responsible for a large number of work programs of academic disciplines”, “The risk of
lack of normative documents for writing work programs of academic disciplines” and others; (for the process
“Admission of applicants”) – “Risk of non-fulfillment of the check digits of the set”; “The risk of recruiting
applicants with a low level of knowledge”, etc. For such risks, an Action Plan has been developed to eliminate or
reduce risks, which is revised once a year.
We have determined (Zhemchugova and Levshina, 2020) that the simplest method of applying the risk-oriented
approach in the QMS - method A - can be used in small businesses, primarily in the service sector. In these
organizations, as a rule, there is no QMS in accordance with the requirements of the ISO 9001 standard. But they are
characterized by a highly competitive environment and, accordingly, a high focus on consumers in order to remain in
the market.
High frequency MR SR SR
3 166
1 13
Probability of occurrence

Medium frequency IR MR SR
8 18
2
6 22
4
23
12 21
19

Low frequency IR IR MR
1
0 Insignificant Moderate Significant
1 2 3
Consequences of the occurrence of a risk event

Fig. 6. Two-factor matrix of quality risk assessment in the university; IR – insignificant risk, MR – moderate risk, SR- significant risk.

The development of technique A (dealing with risks) (Dzedik and Ezrakhovich, 2015) is shown using the
example of a small business that provides all types of services in the field of advertising. A network of business
processes was defined, including service life cycle processes. Using the method of interviews with the head and
employees of the enterprise, the methods of a risk-oriented approach were applied using the example of the
processes “Planning the installation of advertising and information materials (AIM)” and “Installation of AIM”.
For the “Planning the installation of AIM” process, the stage of identifying possible risks in the field of quality is
carried out at a planning meeting, during which the manager announces the number of planned assemblies per team,
as well as their readiness to perform this amount of work, subject to the availability of the required equipment and
personnel. The managers and technicians participating in the discussion who are planning the installation of the AIM
conduct an analysis of previously encountered inconsistencies. That is, in this way, possible quality risks are
 Oksana Zhemchugova et al. / Transportation Research Procedia 63 (2022) 1–12 9
Oksana Zhemchugova / Transportation Research Procedia 00 (2019) 000–000 9

identified, and the most priority ones are determined. The results are included in the official protocol, which
indicates the decisions taken, including the implementation of measures to reduce the likelihood of the occurrence of
causes of nonconformities, as well as those responsible and the timing. With the aim of the effectiveness of the
methods used for dealing with quality risks in the organization, it was decided to make managers responsible for the
implementation of these methods and include it in their KPIs.
Also, during the planning meeting, which brings together managers, technical specialists for planning and control,
heads of installation teams (outsourcing), they discuss the previous installation of AIM and list the realized risks in
the field of quality. As a result of their ranking, the two most significant risks were identified: 1) “Untimely
installation of AIM” associated with bad weather conditions; with breakdowns of technological equipment or with a
human factor; as well as with the late provision of the banner due to poor planning of the installation of the AIM; 2)
“Low-quality installation of AIM”, which may arise due to weather conditions, low qualifications of personnel; as
well as low-quality AIM (for example, inappropriate density). The latter may be the responsibility of the customer, if
he prints himself, or the supplier of the organization under study, who prints the AIM. Responsibility for dealing
with quality risks is also enshrined in the KPIs of the respective employees.
Table 6 presents the steps of techniques C, B, A and the audit evidence. The correspondence of the stages of risk
management and risk handling is shown in Fig. 3.

Table 6. Risk management / risk handling steps and audit evidence for techniques of varying complexity (А.В,С).
Audit evidence
Stages

Technique С Technique В Technique А

The results of the brainstorming Results of brainstorming a group of managers During the planning meetings, an
session on the identification of risks of an organization to identify quality risks for analysis of customer
1 Quality risk identification

in the life cycle processes and
providing (Table 1, columns 2-3).
Minutes of meetings of the working
group on identification of quality
risks; Analysis of legal
requirements, customer
requirements, data on the
infrastructure of the organization.
Minutes of meetings of the working
group to determine the likelihood,
3. Quality risk assessment 2. Quality risk analysis
critical and / or key processes. Using case
analysis of realized risks in the field of quality.
Analysis of customer requirements.
For the enterprise, the identification of quality
risks and the causes of undesirable events is
requirements is carried out, a
retrospective analysis of
previously arising non-
conformities or frequently
occurring risks in the field of
quality. The method of
brainstorming is used. The results
of the planning meeting are
included in the official protocol.
Identification of priority risks in
the field of quality is carried out

consequences and assessment of
their severity (Table 1, columns 4-
6). Matrix for assessing quality
risks to assess the likelihood and
severity of consequences (Fig. 4).
presented; a three-level scale for assessing the at the planning meeting, which
probabilities and the expected frequency of risk are included in its protocol.
occurrence in the quality area is selected (Table
3). For a university - an assessment of quality
risks (Table 5) and a matrix for their
assessment (three-level scale).

Determination of the magnitude of
quality risk (formula 1) (Table. 1,
column 7). The result of assessing
the level of risk (table. 1, column
8). Register of quality (critical and
significant). Minutes of the
meetings of the working group on
its approval.
For the enterprise (Fig. 5), the reasons for Identification of priority quality risks
the occurrence of undesirable events are is carried out at the planning meeting,
shown. Quality risks were assessed on a which are included in its protocol.
three-level scale (Table 4); the most
significant quality risk was selected. For
the university, all risks are located in the
matrix for assessing quality risks (three-
level scale) (Fig. 6) and the most
significant ones are selected.
10 Oksana Zhemchugova et al. / Transportation Research Procedia 63 (2022) 1–12
10 Oksana Zhemchugova et al / Transportation Research Procedia 00 (2022) 000–000

Matrix for assessing quality risks The enterprise has identified the main At the planning meeting, methods of
for a year. Minutes of meetings of methods of influencing the risk, mainly dealing with risks are selected: refusal
4. Choice of options for influencing

the working group on the
development and approval of
measures to reduce / optimize the
level of risk in the field of quality,
as well as the appointment of those
responsible for the implementation
of these measures. Quality Risk
Passport, section “Action Plan for
quality risk
aimed at reducing the likelihood of its
occurrence and, less often, at replacing the
source of risk, for example, technological
equipment. This is presented in the form
of tables. At the university, a working
group of specialists for the processes
under study stated that the main option for
influencing quality risk is the introduction
of an order and/or transfer of the
process to outsourcing; reducing the
likelihood of a quality risk by
increasing the responsibility of
personnel and their motivation; and
also, on the basis of a preliminary
assessment of the customer's
representative, ways of reducing the

Quality Risk Management” (Table
2).
Passport of risk in the field of
quality, section “Realization of risk
in the field of quality” (Table 2).
implementation of
6. Monitoring and review 5. Preparation and
of documented information in order to
reduce the likelihood of significant quality
risks.
At the enterprise, the tables show
measures to eliminate the causes of quality
risks, as well as the proposed requirements
consequences of his inadequate
decisions are determined.
Introduced into the KPI of managers
responsible for the implementation of
methods for dealing with the

Quality Risk Passport, Section
“Residual quality risk assessment”.
Matrix for assessing quality risks
for a year, indicating the number of
risks arranged by zones of
significance level. Regulation
“Application of a risk-oriented
approach in the production of
goods”.
for the process. At the university, an action
plan to eliminate or reduce quality risks is
coordinated with interested officials and
approved by the rector of the university.
There is no monitoring and revision
information for a rare non-ferrous metal
plant. For the university, the revision of
the Action Plan is carried out once a year.
corresponding risks. The effectiveness
of the applied methods of dealing with
risks is recorded when accounting in
the CRM system for the number of
hours spent on product revision.
Re-determination (identification) of
possible risks, as a rule, is not carried
out, since over the course of several
years, the risks for the online and
offline department processes have
been repeatedly identified.

4. Discussions

Analyzing the stages of techniques C, B, A (Table 5), we can say that the first stage “Identification of quality
risk” has approximately the same meaning for all three techniques – brainstorming to identify quality risks, which is
drawn up by the minutes of the meeting. The second stage “Quality risk analysis” for techniques C and B is to
determine the likelihood, consequences and severity of quality risks. The most difficult option is to select a quality
risk assessment matrix. Our experience shows that it is better to use a five-level scale for technique C.
Thus, empirically, a matrix of ranks with a uniform five-point scale was chosen for an enterprise in the machine-
building industry, and a matrix of risks with an uneven scale of consequences for an enterprise producing building
materials (Fig. 4). For technique B, we can choose a quality risk assessment matrix with a three-point scale (Fig. 6).
In addition, we can use a three-level scale for assessing the probabilities and the expected frequency of quality risk
occurrence (Table 3).
For technique A, the second stage is combined with the third – “Assessment of quality risk”. Here, by the method
of making a managerial decision, managers choose which quality risks will be significant. For techniques B and C,
the most critical and significant quality risks are selected, their Registers are created.
The fourth stage “Choice of options for influencing the quality risk” is the most formed for technique C: a matrix
for assessing quality risks for 20__ is made. For critical and significant quality risks, Passports are created, where the
person responsible for this risk is indicated. There is also a Quality Risk Management Action Plan. For technique B,
tables with a similar Action Plan are being developed. Technique A – at the planning meeting, methods of dealing
with quality risks are selected.
The fifth stage “Preparing and implementing impact plans” occurs when the organization implements action plans
for quality risk management. In technique C, this can be observed in the Quality Risk Passport, section “Quality risk
implementation”, where you can record the realized quality risks, the reasons for their occurrence and indicate
corrective actions/correction. If during the year this part of the risk passport was not filled out, then the selected
 Oksana Zhemchugova et al. / Transportation Research Procedia 63 (2022) 1–12 11
Oksana Zhemchugova / Transportation Research Procedia 00 (2019) 000–000 11

measures for quality risk management are correct. Techniques B and A indicate who is responsible for this item, but,
unfortunately, it does not indicate how the assessment of the realized quality risks is carried out.
The sixth stage “Monitoring and revision” in technique C is carried out at the end of the year, and the risks are
reviewed in the matrix of quality risk assessment for 20__: some of them are transferred to acceptable, while others
remain in the area of quality risk management. All this is noted in the Quality Risk Passport, section “Assessment of
residual quality risk”. In some organizations, quality risks are reviewed in technique B. In technique A in the studied
organization, this redefinition was not carried out.
Thus, the development and testing of methods of various levels of complexity of applying the risk-based
approach in the organization's QMS showed that technique C most fully represents the entire cycle of risk
management set forth in the ISO 31000:2018 standard, as well as the PDCA management cycle (Zhemchugova and
Levshina, 2020).
Despite the complexity of the implementation of the stages of technique C, it has the advantage of various
formalization of all the actions included in it and their results. Therefore, if an organization applies technique C, then
the problem of misunderstanding between employees and auditors is reduced, a demonstration material is formed,
including local regulations, a base of results and evidence of the implementation of a risk-based approach.
It was determined that technique B, like technique C, consists of steps similar to the recommendations of the ISO
31000:2018 standard and can be used for medium-sized organizations. The main differences of this technique are the
use of three-point matrices or scales for assessing risks in the field of quality (in technique C – five-point matrices);
an action plan was developed to eliminate or reduce risks; risk passports were not used. But, in the studied
organizations, we see that the use of the PDCA cycle at the stages of “control” and “improvement” is not fully
utilized.
The development of technique A (method of dealing with risks), the simplest method for applying a risk-based
approach, was carried out using the example of a small business. We see that there is some evidence for the audit in
this organization, but basically all the information can be told to the auditor in an interview. Here, as well as in
technique B, we do not see the full use of all stages of the PDCA cycle.
The significance of our research lies in its practical use in organizations of various industries facing the choice of
the optimal methodology for applying the risk-based approach in the QMS. The disadvantages of the study include
the influence of subjectivity inherent in the expert methods used in the work, which is reflected in the list of audit
evidence for various methods of applying the risk-based approach (A, B, C).

5. Conclusions

In our earlier work (Zhemchugova and Levshina, 2020), we considered quality risks and developed a model for
the evolution of the application of a risk-based approach in the QMS, depending on the maturity of the organization's
QMS and factors of its external environment. In this paper, we show that all methods of applying the risk-based
approach should be based on the processes of the organization. Using the work of Tapman (2002) on identifying the
main groups of risk sources as a form of uncertainty in the socio-economic result, we proposed a hypothesis: “A
risk-oriented approach can be applied to all processes of the organization's QMS from the standpoint of making
management decisions based on an assessment of risks and opportunities; however, in product life cycle and
supporting processes, quality risks can also be defined in relation to potential events and their consequences, or a
combination of the two”. To do this, we have identified an algorithm for the development of techniques (A, B and C)
of various levels of complexity of applying the risk-based approach in the organization's QMS processes, based on
the classification of the QMS processes and methods of applying the risk-based approach (in relation to potential
events and consequences and when taking management decisions based on an assessment of risks and opportunities).
Using the example of selected organizations (in total, there were more than 50 of them in the study) for the
application of techniques A, B and C of various levels of complexity of the risk-based approach, the actions included
in these methods, as well as the audit evidence, were determined. The closest to the requirements of the ISO
31000:2018 standard is technique C implemented in high-tech enterprises. The entire PDCA cycle is also
implemented there; its difference is more complex (five-level) risk assessment matrices. Techniques B, to a lesser
extent, differs in the implementation of all stages of risk management and the management cycle. It has been applied
in medium-sized enterprises where (three-level) matrices/scales were used to assess risks. The simplest technique A
12 Oksana Zhemchugova et al. / Transportation Research Procedia 63 (2022) 1–12
12 Oksana Zhemchugova et al / Transportation Research Procedia 00 (2022) 000–000

was used in small organizations, for example, in the provision of advertising services, where, to a large extent,
actions to deal with risks are shown. The actions of this technique are known to all managers and employees of the
organization, so they can talk about it in an interview with the auditor. But the latter stages of the PDCA
management cycle are usually unfulfilled.
All of the above confirms our hypothesis about the application to the processes of a risk-oriented approach in the
organization's QMS, focused on management decisions, as well as on the identification of potential events and their
consequences.

References

Balme, D., 2015. ISO 9001:2015: A Key Lever to Take Up the Challenges of Deregulated Markets, Change of Consumption Habits and Make the
Best Use of Technological Breakthroughs. Asigurarea Calităţii–Quality Assurance XXI(83), 23-25.
Barafort, B., Mesquida, A.-L., Mas, A., 2018. ISO 31000‐based integrated risk management process assessment model for IT organizations.
https://onlinelibrary.wiley.com/doi/full/10.1002/smr.1984.
Crocker, K.J., Snow, A., 2018. The Theory of Risk Classification. Handbook of Insurance, pp. 245-276. DOI: 10.1007/978-94-010-0642-2_8.
Dzedik, V.A., Ezrakhovich, A., 2015. Creation and audit of quality management systems in accordance with the international standard ISO
9001:2015. Volgograd PrinTerra-Design, p. 300.
Humanitarian technologies. Analytical portal. Access mode: https://gtmarket.ru/concepts/6871.
Hutchins, G., 2014. Risk management – The future of quality management (translated by V. Rakhmanov). Unified standard. Access mode:
https://1cert.ru/stati/upravlenie-riskami-budushcheemenedzhmenta-kachestva.
ISO 31000, 2018. Risk management. Guidelines. Academy of Risks. Access mode: https://www.risk-academy.ru/.
ISO 9001, 2015. Quality management systems. Requirements. M.: FSUE Standartinform, p. 23.
Itkin, B., 2016. Risk and risk-oriented thinking, is it possible to use the second to manage the first. Standards and quality 10(952), 68-73.
Mire-Sluis, A., Ramnarine, E., Siemiatkoski, J., Weese, D., Swann, P., O’Keeffe, R., Kutza, J., Edwards, J., McLeod, L.D., 2018. Practical
Applications of Quality Risk Management.
https://www.researchgate.net/publication/242544503_Practical_Applications_of_Quality_Risk_Management
Orlova, O.A., 2018. Improvement of the organization's quality management systems based on the development of risk-oriented models: diss. For
the degree of Dr. Sci. (Economy). Saint Petersburg, p. 373.
Panasyuk, V.N., 2015. Integrated risk management in MERI and Mikron JSC. Methods of quality management 4, 10-15.
Renn, O., Concepts of Risk: A Classification. https://mafiadoc.com/queue/concepts-of-risk-a-classification_5af80b8a7f8b9a53378b4667.html.
DOI:10.18419/opus-7248.
Smith, C., Kourouklis, A., Cano, M., 2015. University of the West of Scotland, Paisley, Scotland, UK. ISO 9001:2015 Introduction of Explicit
Risk-Based Thinking - Benefit or Limitation? Asigurarea Calitatii Quality Assurance XXIV(94), 29-40.
Tapman, L.N., 2002. Risks in the Economy. Ed. prof. V.A. Shvandar. M.: UNITY-DANA, p. 380.
Zhemchugova, O.V., Levshina, V.V., 2020. The risk-based approach in organization quality management systems. Revista Galega de Economía
29(3), 6538. https://revistas.usc.gal/index.php/rge/article/view/6538. https://doi.org/10.15304/rge.29.3.6538.
Zhemchugova, O.V., Levshina, V.V., Levshin, L.M., 2017. The choice of a method for applying risk-oriented thinking in an organization.
Economy and Entrepreneurship 11, 1063-1066.
Zhemchugova, O.V., Levshina, V.V., 2018. Testing methodological approaches to the choice of a method for applying risk-oriented thinking in
the quality management system of an organization. Economy and Entrepreneurship 11, 871-875.