Risk Based Thinking and Quality Manual in ISO 9001:2015

Step 1: Deploying risk-based thinking

As the new ISO 9001:2015 Quality management systems – Requirements standard requires you to deploy ‘risk-based thinking’, that means the first and foremost step to comply with the standard will be to produce a list of risks associated with your business. It is important to engage a broad selection of employees throughout the business to contribute to this, as this will enable your business to have a better chance of identifying all applicable risks.

The simple approach will be to do a brainstorming session(s) for each aspect of the business – for example for:

• Process level (eg, hiring, induction, client feedback or auditing etc.)
• Functional/category level (eg, service related, staff or client satisfaction related and cost related, etc.)
• Divisional/departmental level (eg, marketing, human resources, operations, research and development, call centre and software development, etc.)
• Board/directorial level  (ie, executive/strategy level, etc.)

You could also consider dividing your business risks, based on internal and external risk factors:

• Internal – people (competence, retention), directors (fulfilling business needs) and for business itself (workplace conditions, environment, infrastructure and efficiency) etc.
• External – certification audits, customer audits, customers contracts, end-users’ requirements, suppliers’ agreements, health and safety, society/local community, regulators, subcontractor and partners etc.

Developing a list of risks at process and functional level, and then collating it centrally by quality/risk/assurance/compliance/governance department, would be useful.

It is also important that organisations ensure that all relevant processes are reviewed for inherent risk, and risk management techniques are applied where risk is identified, and that a process approach is used.

Step 2: Remembering the Pareto Principle

Most of us know about the Pareto Principle: the principle states that, for many events, roughly 80% of the effects come from 20% of the causes.

Once you have defined and developed a list of risks for each department/function/division, as a result of a brainstorming session, then you can focus mainly on those which can be classified as more imminent risks, as per the Pareto Principle.

Why? If you are identifying the risks for each department, then the final list at the company executive’s table could have hundreds of risks, yet only 30% to 40% of those risks will require significant contingency planning and a prevention mechanism put in place.

Looking for an example? Common modern risks are mainly due to a loss of network, data or server connections, and one would be expect these risks to be reported from each department. So it is helpful to group similar risks in one category (I used a ‘Venn Diagram’ approach for finalising my risk list). The overall solution to cater such risk will therefore be holistic and universal for your entire business.

Applying the 80-20 rule on your listed risks before reporting these to the executive team would be a good idea.

Step 3: Does the risk list make sense?

In this step, you need to ensure that each risk has its corresponding potential impact(s) listed against it. The next thing is to allocate a risk likelihood for each risk. Why? To ensure that the risks identified have a prevention plan ready based on their potential for occurrence. Doing the above will transform your ‘risk list’ into a simple ‘risk register’.

Please note that each risk requires a specialist impact analysis and preventive plan(s), so consulting a subject matter expert would be advisable.

It would be beneficial if the company could adopt, or adapt, the principles of ISO 31000 – Risk management, or other industry relevant risk mitigation techniques/standards/requirements, to mitigate risks to an acceptable level wherever identified, and to take the necessary actions to address these risks.

Note that there are numerous free resources available online on how to develop a risk register (with additional tabs of risk type, owner, risk prevention plan and deadline, etc) along with available tools, but I would rather share a tested approach.

Step 4: Have the register reviewed by an experienced interested party

Your Risk Register is now ready. You can now have it reviewed by an experienced or principal interested party to discuss risks which are significant for your business. It is recommended that the listed risks should be reviewed with the team, which includes the Managing Director/CEO/Board. Why? To ensure that the risks you considered are also imminent and important in the executive team’s point of view.

Step 5: Risk register – a (new) quality manual

Once the company executives have endorsed the risk register, then following these few simple tips will help you to replace your old ‘quality manual’ with a simpler risk register.

1. Mention corresponding company procedures, against each risk, which can be used to prevent each risk and to minimise its impact.
2. Refer relevant ISO 9001:2015 clauses against each risk, to ensure that business remains integrated and conformed to the certification requirements.

Once these points have been added in your risk register then pass it on to the relevant authority for endorsement and publish it within your Quality Management System.

You can now use this register as an alternative to your quality manual in your certification/client/regulatory audits. This manual contains a list of significant risks along with the key processes, polices and references of ISO 9001:2015.

Attribute to original publisher/ publishing organization: Khubaib Asadullah, CQP MCQI, Quality Manager at Hawkins & Associates Limited, https://www.quality.org/knowledge/five-steps-transforming-your-risk-register-quality-manual