ISO 9001: How to apply Risk-based Thinking to Quality Processes


Title: ISO 9001: How to apply Risk-based Thinking to Quality Processes
Version: 1
Author: Michael Shuff
Issue Date: 05 Aug 2015
Page 1

Summary

The new version of the ISO 9001:2015 standard is scheduled for final publication on September 23rd. One of the new requirements is to show evidence of risk-based thinking (RBT) in the quality management system. How do you do that? How are auditors likely to respond to the new challenges that ISO 9001:2015 brings? How do you produce documented evidence of risk-based thinking?

Although ISO 9001:2015 does not call for formal methods of risk management, it is likely that anyone trying to understand RBT may turn to ISO and its list of risk assessment techniques in particular. However, this is not as easy as it sounds. There are many techniques to choose from, and many may not be applicable to the sectors that ISO 9001 serves.

This white paper has two major sections. The first part provides a primer on many of the ISO risk assessment techniques and considers their applicability to quality management. The second part provides a six-step methodology that you can follow to deliver evidence of a risk-based approach to quality. It is a practical methodology that is specific about inputs and outputs, and what you need to do in between. Several example templates are provided that could form the basis for your documented information.

Contents

1 Risk-based thinking as a requirement of ISO
  1.1 A starting point for risk-based thinking applied to quality processes
2 ISO Risk Management Techniques
  2.1 Look-up Methods
    Checklists
    Preliminary hazard analysis
  2.2 Supporting Methods
    Structured interview and brainstorming
    2.2.2 What can we learn from ISO risk assessment processes?
    Are structured interviews and brainstorming 9001 requirements?
    Other Supporting Methods
    Delphi technique
    SWIFT (Structured what-if)
    Human reliability analysis (HRA)
  Scenario Analysis
    Root cause analysis (RCA)
    Scenario analysis
    Toxicological / Environmental / Ecological risk assessment
    Business impact analysis (BIA)
    Fault tree analysis
    Event tree analysis
    Cause and consequence analysis
    Cause-and-effect analysis
  Function Analysis
    FMEA and FMECA
    Reliability-centred maintenance (RCM)
    2.5.3 Sneak analysis (SA) and sneak circuit analysis (SCI)
    HACCP
  Controls Assessment
    LOPA (Layers of Protection Analysis)
    Bow-tie analysis
  Statistical Methods
    Markov analysis
    Monte-Carlo analysis
    Bayesian analysis
A Risk Management Methodology for Quality Management
  Risk-based thinking is the new 'preventive actions' for QMS
  Planning and considering risks in quality system processes
  What actions are required to plan for risks and opportunities?
  The Six Steps
  Step 1: Establish the Context
    Scope and responsibilities for specific risk management activities
    How should we document the "context of the organization"?
    What information should the Statement of Context contain?
    Risk criteria for Quality Management Systems
  Step 2: Risk identification
    Techniques for risk identification
  Step 3: Qualitative risk analysis & risk evaluation
    What is a 'Qualitative analysis' of risk?
    Does ISO 9001:2015 require a qualitative risk assessment?
    Sources of information for qualitative analysis
    Summary
  Step 4: Semi-Quantitative risk analysis and risk evaluation
    3.6.1 Methods for calculating risk factors
    What is the value of the Semi-Quantitative approach in Step 4, following the Qualitative Assessment conducted in Step 3?
  Step 5: Risk treatment
    Example of Risk Treatment in a Quality Management System
  Step 6: Monitoring & review
Summary and Conclusions
  Risk Assessment Methodology for applying RBT to QMS
  Conclusion

1 Risk-based thinking as a requirement of ISO 9001

Risk-based thinking is a sore point among many Quality professionals. Even so, identifying risk, analysing the consequences, probability and level of risk (i.e. risk analysis) and evaluating risk using formal techniques are becoming increasingly important tasks in the global business world. ISO 9001:2015 incorporates what the draft version of the International Standard has termed "Risk-based Thinking" in its requirements for the establishment, implementation, maintenance and continual improvement of the quality management system. If you are already familiar with the DIS or have read the many discussions on the subject that have appeared on LinkedIn groups and elsewhere, you will already be aware that formal risk management is not mandated. However, organizations can, in the words of the TC 176 Committee's draft standard (May 2014), "...choose to develop a more extensive risk-based approach than is required by this International Standard, and ISO provides guidelines on formal risk management which can be appropriate in certain organizational contexts".

We are sceptical on the subject of demonstrating risk-based thinking to a certification auditor when they assess your quality management system. Of course, it is possible that you will not be subject to an intensive grilling if the Standard does not require you to produce the outputs from your risk assessment processes or evidence of a formal risk management system. However, if risk-based thinking is required by ISO 9001:2015 to plan and control the quality management system (QMS) and its component processes and activities, it is unlikely to be ignored in the certification audit process. This begs the question: how do you show risk-based thinking during a certification audit? 'Risk-based thinking' assessment is likely to form a sizeable section of the ISO 9000 guidance documents when they are published along with the ISO 9001:2015 Standard.

Waiting until September may not be an option for those of you looking to transition from the 2008 Standard as rapidly as possible, so we thought that it would be a good idea to look at how you might go about this interesting task. The aim is to produce (a) evidence that you could show to an assessor [HEALTH WARNING: nobody yet knows exactly what they will be asking for], and (b) a useful way of identifying, evaluating and treating the kind of risks that apply to the processes used in Quality Management.

1.1 A starting point for risk-based thinking applied to quality processes

In our blog post "ISO 9001:2015 The likely impact (Part II)", we suggested the following basic checklist of tasks:
- Analyse and prioritize the risks and opportunities in your organisation: What is acceptable? What is unacceptable?
- Then plan actions to address the risks. Ask yourself: How can I avoid or eliminate the risk? How can I mitigate the risk?
- Then... implement the plan: take action.
- Check the effectiveness of the actions: does it work?
- Learn from experience: continual improvement.

However, this list presupposes that you have identified risks and opportunities. So if you have not done so yet, how do you approach risk identification in your context? Read on...

Will ISO 31000:2009 help in taking a 'risk-based approach' to the quality management system, component processes and activities? Short answer: it can do, depending on your organization's context. The ISO 9001 DIS says that ISO provides guidelines on formal risk management, which can be appropriate in certain organizational contexts. Those working for large, indeed global, entities understand this. They have long since adopted risk management methodologies and have risk managers on their team who are familiar with ISO. But what is ISO attempting to achieve, and is it relevant to the majority of organizations that are trying to gain or transition to ISO 9001?

ISO describes an "overall approach to risk management, not just risk analysis or risk assessment. It deals with the links between risk management process and both strategic direction and day to day actions and treatments." [1] On the face of it, this sounds an ideal recipe for risk-based thinking. However, pick up the Standard and read it and this thought is quickly dispelled, because ISO 31000 takes a generic approach that has to be developed - in considerable detail - to be useful in a given context. Great for the strategic aims of senior management, but not of any great value to the 'poor bloody infantry' of quality managers out there.

Perhaps the first (and frustrating) conclusion you will come to, having spent at least 120 ($180) on your personal copy, is that you also need to buy ISO/IEC 31010:2009 Risk management - Risk assessment techniques. Therefore, your boss says, "OK, buy the one you actually need, but don't come back to me asking for more. We've got by without 'risk-based thinking' in the past [insert number of years or decades]; surely we can do so this time?" You thank her or him for authorizing the purchase. The PDF arrives on your computer. You open it. There are 92 pages, 6 of which in Annex A are a comparison of risk assessment techniques (some useful tables here) before you arrive at Annex B, consisting of 61 pages describing the 31 risk assessment techniques. These seem suited to the kind of people who enjoyed Mathematics (and Statistics especially) at school, but who may not be that interested in helping you to design effective quality processes.

Yes, there is a worthy (absorbing even?) preamble about risk assessment concepts and processes. There is also a clause describing how to select techniques for risk assessment, which starts with the valid advice:

"Risk assessment may be undertaken in varying degrees of depth and detail and using one or many methods ranging from simple to complex. The form of assessment and its output should be consistent with the risk criteria developed as part of establishing the context." [Clause 6.2]

There is no point in making life more complicated than it needs to be; thus:

"In general, suitable techniques should exhibit the following characteristics:
- it should be justifiable and appropriate to the situation or organization under consideration;
- it should provide results in a form which enhances understanding of the nature of the risk and how it can be treated;
- it should be capable of use in a manner that is traceable, repeatable and verifiable." [Ibid]

Great! By now, you are probably fired up with the possibility of finding a suitable risk assessment technique that fits the context of your organization and its quality management system. You cannot wait to get started on the job. You turn to... Annex A (informative) Comparison of risk assessment techniques.

[1] Project risk management guidelines: managing risk with ISO and IEC 62198, Dale F Cooper, et al, Wiley, 2014

You quickly realize there are more risk assessment techniques than you thought existed, and even a cursory reading suggests that some are complex - notably the ones that are strongly applicable to each step of the full risk assessment process, specifically:
- risk identification;
- risk analysis: consequence analysis;
- risk analysis: qualitative, semi-quantitative or quantitative probability estimation;
- risk analysis: assessing the effectiveness of any existing controls;
- risk analysis: estimating the level of risk;
- risk evaluation.

Below is the list of the 31 tools. Depending on the industry you are working in, you will almost certainly recognise at least some of them, even if you have not actually used any of the techniques to assess risk.

Tools used for risk assessment
1. Brainstorming
2. Structured or semi-structured interviews
3. Delphi
4. Check-lists
5. Primary hazard analysis
6. Hazard and operability studies (HAZOP)
7. Hazard Analysis and Critical Control Points (HACCP)
8. Environmental risk assessment
9. Structured «What if?» (SWIFT)
10. Scenario analysis
11. Business impact analysis
12. Root cause analysis
13. Failure mode effect analysis
14. Fault tree analysis
15. Event tree analysis
16. Cause and consequence analysis
17. Cause-and-effect analysis
18. Layer protection analysis (LOPA)
19. Decision tree
20. Human reliability analysis
21. Bow tie analysis
22. Reliability centred maintenance
23. Sneak circuit analysis
24. Markov analysis
25. Monte Carlo simulation
26. Bayesian statistics and Bayes Nets
27. FN curves
28. Risk indices
29. Consequence/probability matrix
30. Cost/benefit analysis
31. Multi-criteria decision analysis (MCDA)
Table 1: Tools used for risk assessment

Not everybody will have the resources and capabilities within the organization to attempt some of these - e.g., Fault tree analysis, Cause / consequence analysis, Monte-Carlo analysis, Bayesian analysis. Quality managers working for smaller enterprises (SMEs) may only dream of conducting analysis at the level required by some techniques in the list. The sheer complexity of some types of risk assessment will render the tool useless in most organizations employing between 1 and 250 people. However, that does not mean to say that ISO isn't a valuable reference should you ever be required to think about risk in these terms. In the following sections, we will focus on some of these techniques.

2 ISO Risk Management Techniques

Although risks and opportunities have to be determined and addressed, there is no requirement in ISO 9001:2015 for formal risk management or a documented risk management process. Even so, the concept of preventive action is expressed in the 2015 wording through the risk-based approach to formulating quality management system requirements. It follows that we will most probably want to show our reasoning in this respect. In other words, how did our thinking about risk lead to these actions? In our view, this does not have to be an onerous task, even at the high-risk end of the context spectrum. However, to completely ignore the risks and opportunities aspect of planning your QMS [see 6.1], regardless of the degree of risk involved, would surely be to risk a major non-conformity?

ISO 9001 risk-based thinking could (and we are not saying that it should) be demonstrated by showing the outputs from one or more of the risk assessment tools in ISO in your "documented information". To give you a flavour of what these tools are intended to achieve and how they work, we intend to describe a selection of the 31 listed in ISO. At the same time, and over the next two posts, we will attempt to link these tools to QMS processes in a meaningful way; however, we do not anticipate our work in this respect being in any way definitive as a reliable reference. There is no common consensus on how best to employ risk assessment techniques in quality management - at least none that we are aware of yet! [That said, we are studying with interest the ICH guideline Q9 on quality risk management, which provides principles and examples of tools for quality risk management applied to different aspects of pharmaceutical quality. If you have experience of this guideline, I'd welcome your input!]

Note: the text is based on the contents of Table A.2 Attributes of a selection of risk assessment tools [Source: IEC/FDIS 31010:2009].
2.1 Look-up Methods

Checklists

This is a simple form of risk identification and a technique that provides a list of uncertainties that need to be considered. Users can refer to a previously developed checklist, code or standard.

Checklists and reviews of historical data are, naturally enough, a sensible step if you are serious about identifying the risks and opportunities in accordance with the requirements of ISO 9001:2015 Clause 6.1, and intend to plan and implement the appropriate actions to address them. You could enhance the quality of the output by following a systematic process to identify risks by means of a structured set of prompts or questions for the experts - see structured interview below. Personally, we would start by making a checklist of the known issues in the environment that can (a) affect conformity of products and services [risk] and (b) have the ability to enhance customer satisfaction [opportunity]. No ISO 9001 assessor is likely to fault you for making this much effort, whether or not you have addressed these risks and opportunities in the design of your quality management system and its associated processes. However, it is also worth remembering that checklists are most useful when applied to check that everything has been covered after a more imaginative technique that identifies new problems has been applied.

Preliminary hazard analysis

This is a simple inductive method of analysis whose objective is to identify the hazards and hazardous situations and events that can cause harm for a given activity, facility or system. Note: the term 'hazard' is always used in the context of physical harm. At first sight, not a very promising tool, but it does have advantages; namely: it is able to be used when there is limited information, and it also allows risks to be considered very early in the system lifecycle. In some organizational contexts, preliminary hazard analysis could be appropriate as a risk assessment tool for quality when its use helps prevent critical non-conformities which could, for example, result in hazardous or unsafe conditions for individuals using, maintaining or depending on the product.
2.2 Supporting Methods

Structured interview and brainstorming

This is a means of collecting a broad set of ideas and evaluations, and ranking them by a team. Brainstorming may be stimulated by prompts or by one-on-one and one-on-many interview techniques. So what should we plan to collect in terms of "ideas and evaluation"? Let us remind ourselves first of what ISO 9001:2015 says we should do.

When planning for the quality management system, ISO 9001:2015 requires organizations to consider the issues referred to in 4.1 [Understanding the organization and its context] and the requirements referred to in 4.2 [Understanding the needs and expectations of interested parties], and determine the risks and opportunities that need to be addressed, in order to:
a) give assurance that the quality management system can achieve its intended result(s);
b) prevent, or reduce, undesired effects;
c) achieve continual improvement.

We should integrate and implement the actions into the organization's quality management system processes (see clause 4.4) and evaluate their effectiveness. Brainstorming as a technique could be particularly useful when, for example, identifying risks of new technology where there is no data, or where novel solutions to problems are needed. To quote ISO: "...it encourages imagination which helps identify new risks and novel solutions". However, it is not applicable to the risk analysis tasks of assessing consequence, probability or level of risk.
It therefore has its limitations. Along with the 'Look-Up Methods' of Checklists and Primary hazard analysis, and most of the other 'Supporting Methods' (structured interviews, the Delphi technique and SWIFT (Structured "what if")), it does not provide any quantitative output - although this is not a requirement of ISO. [Note: in the section 'Supporting Methods', Human reliability analysis (HRA), which deals with the impact of humans on system performance and can be used to evaluate human error influences on the system, is able to provide quantitative output and is 'strongly applicable' to risk analysis and 'applicable' to risk evaluation - see Table A.1 in ISO.]

However, before we get bogged down in too much detail with regard to the other Supporting Methods, Scenario Analysis, Function Analysis, Controls Assessment and Statistical Methods, we should ask what we are trying to achieve here, and how any of these assessment tools will help. Let us take a step back. If we were considering risks in relation to a quality management system and its associated processes, we would be asking the following questions:
1. What are the risks associated with the organization's context and objectives - and why does each risk occur? [identifying the risk and the reason for its occurrence]
2. What would be the likely negative consequences of process, product, service or system nonconformities? [consequences if the risk occurs]
3. How likely is it that the organization will deliver nonconforming products and services in relation to the risks we have identified? [probability of the risk occurring]

There are other possible questions worth considering at this stage - for example, 'How effective are our existing controls?' - in order to identify factors that reduce the consequences or probability of the risk; however, in terms of what we actually need to know, these will make a good start.

2.2.2 What can we learn from ISO risk assessment processes?

ISO states that risk assessment attempts to answer the following fundamental questions:
- what can happen and why (by risk identification)?
- what are the consequences?
- what is the probability of their future occurrence?
- are there any factors that mitigate the consequence of the risk or that reduce the probability of the risk?

Providing that you adhere to this basic structure, you are following the framework that is set out in the International Standard ISO 31000:2009. Rather than spending several days reading the Standard and having long meetings with colleagues to see how it might be applicable, why not look for methods that would help you to meet the requirements of ISO 9001? For me, a good start would be:
- Documenting the results of any 'consideration of risks and opportunities' exercise as evidence of your management team's "risk-based thinking". Even if it is clear from the design of your processes that you have taken account of Clause 6.1 and determined the risks and opportunities that need to be addressed, having a record of your risk assessment processes might prove useful, if only as a reminder to keep matters under review!
- Then, evaluating the risk assessment tools (numbering 31 in total) in ISO to see if they are applicable to your organizational context. It's probably not the time to use them in anger yet (see below), but at least you will know they exist, and that some tools could help to identify risks and opportunities and be useful in carrying out risk analysis (if you consider consequences, probability and level of risk) and risk evaluation.

Are structured interviews and brainstorming 9001 requirements?

No, absolutely not. However, if you don't currently use risk assessment tools to identify the typical uncertainties that need to be considered, and there is no previously developed list of hazards, risks or control failures available, either resulting from a previous risk assessment or from past failures, where do you begin? This is likely to be an especially vexing question for organizations that are new to ISO 9001 quality management and have to develop appropriate documented information for their quality processes. However, a cautionary note: before you despair and start writing out check-lists based on your own observations in an effort to tick the box, remember that your colleagues in other departments and business units may already be using some of the formal techniques of risk assessment and the risk management process (in a 'silocentric' way, of course), without you even knowing about this.

To quote from the Introduction to ISO 31000:2009: "The current management practices and processes of many organizations include components of risk management, and many organizations have already adopted a formal risk management process for particular types of risk or circumstances". [2] It follows therefore that it is worth interviewing them (in a structured or unstructured way) or bringing them together for a brainstorming session - if only to find out what qualitative and quantitative risk assessments have been made that could help you to address the requirements of ISO 9001!

Whether or not anyone is carrying out risk assessments, with or without the use of the tools in ISO 31010, ISO 9001:2015 expects the organization to understand its context (see clause 4.1) and determine the risks and opportunities that need to be addressed (see clause 6.1). For example: ISO assumes that one of the key purposes of a quality management system is to act as a preventive tool, taking account of identified risks. Consequently, ISO 9001:2015 does not have a separate clause or sub-clause titled 'Preventive action'. Rather, the wording states unequivocally: "The concept of preventive action is expressed through a risk-based approach to formulating quality management system requirements". [3]

Although there are undoubtedly a number of quality professionals who feel uncomfortable talking about risk in relation to preventive actions, assessing risk is something that managers in most (all?) organizations do already in one form or another. They may not always use the term risk to describe their activities - which could include, for example, conducting a sensitivity analysis of a financial projection, scenario planning for a project appraisal, assessing the contingency allowance in a cost estimate, negotiating contract conditions, or developing contingency plans - but even so, thinking about risks and opportunities is central to their work. [4]

IF it can reasonably be argued that managing risk is an integral part of good management (and we think that it can) and that risk-based thinking is fundamental to achieving good business and project outcomes and the effective procurement of goods and services, THEN should identifying, analysing and evaluating risk not be processes familiar to all quality managers? Not everyone agrees with this statement, of course, but understanding the context (see clause 4.1) and determining the risks and opportunities that need to be addressed (clause 6.1) are requirements of ISO 9001:2015. Therefore, before you reject the idea of using risk assessment tools because they are too complicated and "not part of your job", it is worth pondering this quote from the Introduction to ISO 31000:2009: "The generic approach described in this International Standard provides the principles and guidelines for managing any form of risk in a systematic, transparent and credible manner and within any scope and context". [5]

Other Supporting Methods

We have already looked at the following Look-Up and Supporting Methods that are relevant to risk identification:
- Check-lists
- Brainstorming
- Structured or semi-structured interviews

Brainstorming and structured/semi-structured interviews are techniques that are often used for improving the accuracy and completeness of risk identification; the Delphi methodology is another.

Delphi technique

A structured collaborative communication technique, originally developed as a systematic, interactive forecasting method which relies on a panel of experts. By combining expert opinions, the aim is to support source and influence identification, probability and consequence estimation, and risk evaluation. The experts answer questionnaires in two or more rounds. After each round, a facilitator provides an anonymous summary of the experts' forecasts from the previous round, as well as the reasons they provided for their judgments. In this way, experts are encouraged to revise their earlier answers in light of the replies of other members of their panel. Delphi can be used to estimate the probability of adverse and positive outcomes. In the words of ISO 31010: "Expert opinion can be used in a systematic and structured process to estimate probability. Expert judgements should draw upon all relevant available information including historical, system-specific, organizational-specific, experimental, design, etc. There are a number of formal methods for eliciting expert judgement which provide an aid to the formulation of appropriate questions. The methods available include the Delphi approach, paired comparisons, category rating and absolute probability judgements." [6]

[2] ISO 31000: Principles and Guidelines on Implementation
[3] Draft BS EN ISO 9001 Quality Management Systems - Requirements, Date: 14 May 2014, A.4 Risk-based approach
[4] Project risk management guidelines: managing risk with ISO and IEC 62198, Dale F Cooper, et al, Wiley
[5] ISO 31000: Principles and Guidelines on Implementation, Introduction, p.v
[6] ISO/IEC 31010:2009 Risk management - Risk assessment techniques, p.15.

Despite the mention of probability above, in Table A.1 Applicability of tools used for risk assessment the Delphi method is marked 'NA' [NA = Not Applicable] for Risk Analysis to assess Consequence, Probability and Level of risk - although personally we would agree with the commentary on page 29 [Clause B.3.2 Use], which states: "The Delphi technique can be applied at any stage of the risk management process or at any phase of a system life cycle, wherever a consensus of views of experts is needed." [7] A true consensus approach that avoids the bias of dominant members of the team can be the wake-up call that management needs to assess risk.

SWIFT (Structured what-if)

SWIFT is a system for prompting a team to identify risks, normally used within a facilitated workshop and linked to a risk analysis and evaluation technique. The first thing to understand about SWIFT is that it was originally developed as a simpler alternative to HAZOP (Hazard and Operability Studies), a qualitative risk identification technique. HAZOP aims to stimulate the imagination of participants to identify potential hazards and operability problems; structure and completeness are given by using guideword prompts. The HAZOP technique was developed to analyse chemical process systems and mining operation processes, but has since been extended to other types of systems and also to complex operations such as nuclear power plant operation, and to the use of software to record the deviation and consequence. [8] HAZOP is intended for high-risk organizational contexts where appropriate levels of resourcing are available to support its use. SWIFT, on the other hand, has been purposely designed as a sort of 'HAZOP-Lite' needing fewer resources. ISO regards the 'Resources and capability' requirement as "Medium", so this may be a viable risk identification technique for use by most small to medium, as well as larger, quality-conscious organizations?

The system, procedure, plant item and/or change has to be carefully defined before the study can commence. Both the external and internal contexts are established through interviews and through the study of documents, plans and drawings by the facilitator. The facilitator asks the participants to raise and discuss:
- known risks and hazards;
- previous experience and incidents;
- known and existing controls and safeguards;
- regulatory requirements and constraints. [9]

[7] Ibid., page 29.
[8] British Standard BS IEC 61882:2002 Hazard and operability studies (HAZOP studies) - Application Guide, published by BSI Group.
[9] ISO/IEC 31010:2009, B.9.3 Inputs, p.39.

Discussion is facilitated by creating a question using a what-if phrase and a prompt word or subject. The what-if phrases to be used are: what if; what would happen if; could someone or something; has anyone or anything ever. The intent is to stimulate the study team into exploring potential scenarios, their causes, consequences and impacts. [10] The risks identified are summarized and the team considers the controls already in place - assuming that there are any - before confirming the description of the risk, its causes, consequences and expected controls. This information is then recorded.

What we particularly like about the SWIFT approach is the inherent discipline which forces the team members to consider the effectiveness of the controls. Assessing risk is one thing, but treating it is another entirely. They have to agree a statement of risk control effectiveness which, if it proves to be less than satisfactory, triggers the task of further considering risk treatment tasks and potential controls. The application of this team-based model does not have to be complex. ISO simply rates the Complexity of the technique as "Any". [11]

Human reliability analysis (HRA)

Human reliability assessment (HRA) deals with the impact of humans on system performance, and can be used to evaluate human error influences on the system. At the risk of stating the obvious, human reliability is very important due to the contributions of humans to the resilience of systems and to the possible adverse consequences of human errors or oversights, especially when the human is a crucial part of today's large socio-technical systems. Contrary to the impression that you might receive by reading the relevant section in ISO - specifically B.20 Human reliability assessment (HRA) - a variety of methods exist for human reliability analysis. These break down into two basic classes of assessment method: probabilistic risk assessment (PRA), and those based on a cognitive theory of control. In 2009, the Health and Safety Laboratory compiled a report [12] for the Health and Safety Executive (HSE) outlining HRA methods for review.

[10] Ibid.
[11] Ibid., Table A.2 - Attributes of a selection of risk assessment tools.
[12] Review of human reliability assessment methods, prepared by the Health and Safety Laboratory for the Health and Safety Executive 2009, PR679 Research Report, Julie Bell & Justin Holroyd, Health and Safety Laboratory; First published

They identified 35 tools that constituted true HRA techniques and that could be used effectively in the context of health and safety management. Obviously, it is well beyond the scope of this article to define the merits and demerits of all these methods. However, the HRA tools in the table below illustrate that there are a large number of risk assessment techniques in the Health & Safety arena that could be applied elsewhere. It is also worth reflecting that Risk Management is usually associated with financial risk; however, risk assessment techniques have other well-established uses, including helping to maintain safe working environments. Without being specific at this time, we think that it is possible that some of these tools could be adapted (if they haven't been already?) to identify, analyse and evaluate risks and opportunities in the design of quality processes. After all, corrective and preventive actions usually involve human beings!

Acronym   Expanded name
ASEP      Accident Sequence Evaluation Programme
AIPA      Accident Initiation and Progression Analysis
APJ       Absolute Probability Judgement
ATHEANA   A Technique for Human Error Analysis
CAHR      Connectionism Assessment of Human Reliability
CARA      Controller Action Reliability Assessment
CES       Cognitive Environmental Simulation
CESA      Commission Errors Search and Assessment
CM        Confusion Matrix
CODA      Conclusions from occurrences by descriptions of actions
COGENT    COGnitive EveNt Tree
COSIMO    Cognitive Simulation Model
CREAM     Cognitive Reliability and Error Analysis Method
DNE       Direct Numerical Estimation
DREAMS    Dynamic Reliability Technique for Error Assessment in Man-machine Systems
FACE      Framework for Analysing Commission Errors
HCR       Human Cognitive Reliability
HEART     Human Error Assessment and Reduction Technique
HORAAM    Human and Organisational Reliability Analysis in Accident Management
HRMS      Human Reliability Management System
INTENT    Not an acronym
JHEDI     Justified Human Error Data Information
MAPPS     Maintenance Personnel Performance Simulation
MERMOS    Methode d'evaluation de la Realisation des Missions Operateur pour la Surete (Assessment method for the performance of safety operation.)

Table 2: List of HRA tools

As ISO 31010 points out in the section on the 'Limitations' of HRA, many activities of humans do not have a simple pass/fail mode. HRA has difficulty dealing with partial failures or failure in quality or poor decision-making. [13]

Scenario Analysis

Root cause analysis (RCA)

Root Cause Analysis (RCA) uses a specific set of steps, with associated tools, to help find the primary cause of the problem, so that you can:

- determine what happened;
- determine why it happened;
- figure out what to do to reduce the likelihood that it will happen again.

RCA assumes that systems and events are interrelated. An action in one area triggers an action in another, and another, and so on. By tracing back these actions, you can discover where the problem started and how it grew into the symptom you are now facing. [14]

Scenario analysis

Scenario analysis is a process of analyzing possible future events by considering alternative outcomes (sometimes called "alternative worlds"). [15] The technique can be used to identify risks by considering sets of scenarios that reflect (for example) best case, worst case and expected case, in order to analyse potential consequences and their probabilities for each scenario, as a form of sensitivity analysis when analysing risk. The possible future scenarios or 'alternative worlds' are identified "...through imagination or extrapolation from the present and different risks considered assuming [that] each of these scenarios might occur. This can be done formally or informally, qualitatively or quantitatively." [16]

[13] ISO/IEC 31010:2009, B.20.6 Strengths and limitations, p.
[14] Root Cause Analysis, Tracing a Problem to its Root Origins, Mind Tools website:
[15] Scenario Analysis, Wikipedia:
[16] ISO/IEC 31010:2009, Table A.2 - Attributes of a selection of risk assessment tools.

2.4.3 Toxicological / Environmental / Ecological risk assessment

An ecological risk assessment tells what happens to a bird, fish, plant or other non-human organism when it is exposed to a stressor, such as a pesticide. [17] Aspects of the methodology, such as pathway analysis, which explores the different routes by which a target might be exposed to a source of risk, can be adapted and used across a very wide range of different risk areas outside human health and the environment, and are useful in identifying treatments to reduce risk. [18]

The strength of this analysis is that it provides a very detailed understanding of the nature of the problem and the factors that increase risk. However, it needs good data that is often not available or has a high level of uncertainty associated with it. It is also resource intensive, and so is unlikely to find many uses in quality management systems. Pathway analysis, though, is generally a useful tool for all areas of risk and permits the identification of how and where it may be possible to improve controls or introduce new ones.

If you are interested in following the steps of this type of environmental risk assessment process, we recommend that you read 'Basic Information about Risk Assessment Guidelines Development', published by the United States Environmental Protection Agency. See the web page link below:

Business impact analysis (BIA)

A Business Impact Analysis identifies an organization's exposure to internal and external threats and synthesizes hard and soft assets to provide effective prevention and recovery for the organization, while maintaining competitive advantage and value system integrity. [19] The analysis provided by a conscientiously-conducted BIA could be of value when determining "...the external and internal issues that are relevant to the organization's purpose... and that affect its ability to achieve the intended result(s) of its quality management system", as well as helping to determine who the "interested parties" are, and the requirements of these interested parties that are relevant to the quality management system (see ISO 9001:2015 Clause 4, Context of the organization).

If your organization already has a business continuity management (BCM) system based on the ISO standard, and since a BIA is a mandatory document, seeking out your Business Continuity Manager to obtain the BIA report could be a sound move at this point. You will then have a valuable item of documented information to show risk-based thinking, because you will have assessed (by means of the BIA) how key disruption risks could affect an organization's operations and identified/quantified the capabilities that would be required to manage them. If not, well... you could consider conducting a BIA, although we would strongly recommend calling in a qualified business continuity consultant.

Fault tree analysis

Fault tree analysis (FTA) is a technique used in safety engineering and reliability engineering, mostly in the aerospace, nuclear power, chemical and process, pharmaceutical, petrochemical and other high-hazard industries. It can be used to understand how systems can fail, to identify the best ways to reduce risk, or to determine or 'get a feel for' event rates of a safety accident or a particular system level (functional) failure. It sounds more complicated than it actually is; however, it is a resource-hungry method.

If you are a Quality Manager in one of the above industries you will probably already be familiar with fault tree diagrams produced from this type of analysis, and you may well use the fault trees developed by the organization to reduce or eliminate potential causes of non-conformities. They start with the undesired event (top event) and determine all the ways in which it could occur, shown graphically in a logical tree diagram. Fault tree analysis is a time-consuming and costly exercise, although it can be invaluable in determining the probability of (undesirable) outcomes. FTA can be used to:

- understand the logic leading to the top event / undesired state;
- show compliance with the (input) system safety / reliability requirements;
- prioritize the contributors leading to the top event, creating the Critical Equipment/Parts/Events lists for different importance measures;
- monitor and control the safety performance of the complex system (e.g., is a particular aircraft safe to fly when fuel valve x malfunctions? For how long is it allowed to fly with the valve malfunction?);
- minimize and optimize resources;
- assist in designing a system: the FTA can be used as a design tool that helps to create (output / lower level) requirements;
- function as a diagnostic tool to identify and correct causes of the top event; it can help with the creation of diagnostic manuals / processes. [20]

Event tree analysis

Event tree analysis (ETA) is a forward, bottom-up, logical modelling technique for both success and failure that explores responses through a single initiating event and lays a path for assessing probabilities of the outcomes and overall system analysis. Using inductive reasoning, ETA translates probabilities of different initiating events into possible outcomes. It is arguably less resource intensive than fault tree analysis (see Table A.2 in ISO 31010). ETA can be applied to a wide range of systems including nuclear power plants, spacecraft, and chemical plants. [21] Once again, if you are managing the quality system of a small enterprise in a relatively 'low risk' context, this technique is unlikely to be for you.

Cause and consequence analysis

ISO 31010 describes the Cause and consequence analysis method as: "A combination of fault and event tree analysis that allows inclusion of time delays. Both causes and consequences of an initiating event are considered." It starts from a critical event and analyses consequences by means of a combination of YES/NO logic gates that represent conditions that may occur, or failures of systems designed to mitigate the consequences of the initiating event. The causes of the conditions or failures are analysed by means of fault trees (see ISO 31010, Clause B.15). Cause-consequence analysis does provide a comprehensive view of the entire system. However, it is more complex than fault tree and event tree analysis, both to construct and in the manner in which dependencies are dealt with during quantification, and so requires more time and resources. [22]

Cause-and-effect analysis

An effect can have a number of contributory factors that can be grouped in Ishikawa diagrams. Contributory factors are often identified through a brainstorming process (see Part II of this article for more information). Kaoru Ishikawa popularized these diagrams in the 1960s, when he pioneered quality management processes in the Kawasaki shipyards. The basic concept was first used in the 1920s, and is considered one of the seven basic tools of quality control. Ishikawa diagrams are known as fishbone diagrams because their shape is like the side view of a fish skeleton.

The basic steps in performing a cause-and-effect analysis are as follows:

1. establish the effect to be analysed and place it in a box. The effect may be positive (an objective) or negative (a problem) depending on the circumstances;
2. determine the main categories of causes, represented by boxes in the Fishbone diagram. Typically, for a system problem, the categories might be people, equipment, environment, processes, etc. However, these are chosen to fit the particular context;
3. fill in the possible causes for each major category with branches and sub-branches to describe the relationship between them;
4. keep asking "why?" or "what caused that?" to connect the causes;
5. review all branches to verify consistency and completeness and ensure that the causes apply to the main effect;
6. identify the most likely causes based on the opinion of the team and available evidence.

The results are displayed as either an Ishikawa diagram or a tree diagram.

2.5 Function Analysis

FMEA and FMECA

This section covers FMEA (Failure modes and effects analysis) and FMECA (Failure modes and effects and criticality analysis). FMEA/FMECA is an inductive reasoning (forward logic) single point of failure analysis and is a core task in reliability engineering, safety engineering and quality engineering. Quality engineering is especially concerned with the "Process" (Manufacturing and Assembly) type of FMEA. [23]

FMEA/FMECA identifies:

- all potential failure modes of the various parts of a system (a failure mode is what is observed to fail or to perform incorrectly);
- the effects these failures may have on the system;
- the mechanisms of failure;
- how to avoid the failures, and/or mitigate the effects of the failures on the system.

FMEA/FMECA is a systematic analysis technique that can be used to identify the ways in which components, systems or processes can fail to fulfil their design intent, highlighting:

- design alternatives with high dependability;
- failure modes of systems and processes, and their effects on operational success, that have been considered;
- human error modes and effects;
- a basis for planning testing and maintenance of physical systems;
- improvements in the design of procedures and processes.

FMEA/FMECA also provides qualitative or quantitative information for other types of analysis, such as fault tree analysis, and is used in quality assurance applications. For example, it can produce a semi-quantitative measure of criticality known as the risk priority number (RPN), obtained by multiplying numbers from rating scales (usually between 1 and 10) for (a) consequence of failure, (b) likelihood of failure, and (c) ability to detect the problem. Note that a failure is given a higher priority if it is difficult to detect.

Reliability-centred maintenance (RCM)

RCM is a technique used to achieve the required safety, availability and economy of operation (safe minimum levels of maintenance), so that assets continue to do what their users require in their operating context. RCM allows you to identify applicable and effective preventive maintenance requirements for equipment "...in accordance with the safety, operational and economic consequences of identifiable failures, and the degradation mechanism responsible for those failures". [24] RCM uses a failure mode, effect and criticality analysis (FMECA) type of risk assessment that requires a specific approach to analysis in this context. From a quality management standpoint, it's worth being aware that RCM identifies required functions and performance standards, and the failures of equipment and components that can interrupt those functions. For more information, see IEC, Dependability management Part 3-11: Application guide Reliability.

Sneak analysis (SA) and sneak circuit analysis (SCA)

Sneak analysis is aimed at uncovering design flaws that allow 'sneak conditions' to develop, i.e. those that may cause unwanted actions or may inhibit a desired function, and are not caused by component failure. Sneak analysis can locate problems in both hardware and software using any technology. The sneak analysis tools can integrate several analyses, such as fault trees, failure mode and effects analysis (FMEA), reliability estimates, etc., into a single analysis, saving time and project expenses. [25] The technique helps in identifying design errors and works best when applied in conjunction with HAZOP. It is very good for dealing with systems which have multiple states, such as batch and semi-batch plant.

Sneak Circuit Analysis (SCA) is used in safety-critical systems to identify sneak (or hidden) paths in electronic and electro-mechanical systems that may cause unwanted action or inhibit desired functions. The analysis is based on identification of designed-in inadvertent modes of operation and is not based on failed equipment or software. SCA is most applicable to circuits that can cause irreversible events. These include:

a. systems that control or perform active tasks or functions;
b. systems that control electrical power and its distribution;
c. embedded code which controls and times system functions. [26]

The SA process differs depending on whether it is applied to electrical circuits, process plants, mechanical equipment or software technology, and the method used is dependent on establishing correct network trees.

HACCP

HACCP is a systematic preventive approach to food safety from biological, chemical, and physical hazards in production processes that can cause the finished product to be unsafe, and designs measurements to reduce these risks to a safe level. [27] HACCP has been recognized internationally as a logical tool for adapting traditional inspection methods to a modern, science-based, food safety system. [28] HACCP is focused only on the health safety issues of a product, ensuring that risks are minimized by controls throughout the process rather than through inspection of the end product. The seven HACCP principles are the basis of most food quality and safety assurance systems, and in the United States HACCP compliance is regulated by 21 CFR parts 120 and 123. The HACCP principles are also included in the international standard ISO FSMS. This standard is a complete food safety and quality management system incorporating the elements of prerequisite programmes (GMP & SSOP), HACCP and the quality management system, which together form an organization's Total Quality Management system.

Table A.1, Applicability of tools used for risk assessment [see page 22 of ISO 31010], lists the HACCP technique as "Not Applicable" for analysis of probability or levels of risk. [29] However, the principle of identifying the factors [risks] that can influence product quality, and defining process points where critical parameters can be monitored and hazards controlled, can be generalized for use in other technical systems. [30]

Controls Assessment

LOPA (Layers of Protection Analysis)

LOPA is a technique for analysing whether there are sufficient measures to control or mitigate the risk of an undesired outcome. The basic steps are: a cause-consequence pair is selected, and the layers of protection that prevent the cause leading to the undesired consequence are identified. An order of magnitude calculation is then carried out to determine whether the protection is adequate to reduce risk to a tolerable level. [31]

LOPA is a less resource-intensive process than a fault tree analysis or a quantitative form of risk assessment, but is more rigorous than qualitative subjective judgements alone. It focuses efforts on the most critical layers of protection, identifying operations, systems and processes for which there are insufficient safeguards and where failure will have serious consequences. However, this technique looks at one cause-consequence pair and one scenario at a time and, therefore, does not apply to complex scenarios where there are many cause-consequence pairs or where a variety of consequences affects different stakeholders. For more information, see:

- IEC (all parts), Functional safety of electrical/electronic/programmable electronic safety-related systems;
- IEC 61511, Functional safety - Safety instrumented systems for the process industry sector.

Bow-tie analysis

Bow-tie analysis is a simple diagrammatic way to display the pathways of a risk, showing a range of possible causes and consequences. It is used in situations when a complex fault tree analysis is not justified, or to ensure that there is a barrier or control for each of the possible failure pathways. To understand how this works we recommend viewing a short video entitled "The Bow Tie Method in 5 Minutes" by CGE Risk Management Solutions, [32] which explains the basics of the method for risk assessment of hazards.

2.7 Statistical Methods

ISO 31010 lists the following statistical methods for risk assessment:

- Markov analysis
- Monte-Carlo analysis
- Bayesian analysis

[17] Ecological Risk Assessment: Technical Overview, Ecological Risk Assessment Process, U.S. Environmental Protection Agency website:
[18] ISO/IEC 31010:2009, B.8.2 Use, p.
[19] Elliot, D.; Swartz, E.; Herbane, B. (1999) Just waiting for the next big bang: business continuity planning in the UK finance sector. Journal of Applied Management Studies, Vol. 8, No., pp. Here: p. 48.
[20] Fault tree analysis, Wikipedia:
[21] Event Tree Analysis, Wikipedia:
[22] ISO/IEC 31010:2009, B.17.4 Process, p.57.
[23] Failure mode and effects analysis, Wikipedia:
[24] ISO/IEC 31010:2009, B.22.1 Overview, p.
[25] Ibid., B.23.2 Use, p.68.
[26] Sneak circuit analysis, Wikipedia:
[27] Hazard analysis and critical control points, Wikipedia:
[28] Ibid.
[29] ISO/IEC 31010:2009, Table A.1 Applicability of tools used for risk assessment, p.
[30] Ibid., B.7.2 Use, p.35.
[31] Ibid., B.18 Layers of protection analysis (LOPA), p.
[32] The Bow Tie Method in 5 Minutes, CGE Risk Management Solutions, YouTube:

2.7.1 Markov analysis

Markov analysis is a method named after a Russian mathematician, best known for his work on stochastic processes, where a collection of random variables represents the evolution of some system of random values over time. Markov analysis, or State-space analysis, is commonly used in the analysis of repairable complex systems that can exist in multiple states, including degraded states, [33] and where the use of a reliability block analysis would be inadequate to properly analyse the system. The nature of the Markov analysis techniques lends itself to the use of software; there are several packages to choose from on the market.

The Markov analysis process is a quantitative technique and can be discrete (using probabilities of change between the states) or continuous (using rates of change across the states). To quote ISO 31010: "The Markov analysis technique is centred around the concept of states, e.g. available and failed, and the transition between these two states over time based on a constant probability of change. A stochastic transitional probability matrix is used to describe the transition between each of the states to allow the calculation of the various outputs." [34]

The inputs essential to a Markov analysis are as follows:

- a list of the various states that the system, sub-system or component can be in (e.g. fully operational, partially operational (i.e. a degraded state), failed state, etc.);
- a clear understanding of the possible transitions that need to be modelled. For example, failure of a car tyre needs to consider the state of the spare wheel and hence the frequency of inspection;
- the rate of change from one state to another, typically represented by either a probability of change between states for discrete events, or failure rate (λ) and/or repair rate (μ) for continuous events. [35]

The output from a Markov analysis is the various probabilities of being in the various states, and therefore an estimate of the failure probabilities and/or availability, one of the essential components of a system.

[33] ISO/IEC 31010:2009, Table A.2 - Attributes of a selection of risk assessment tools.
[34] Ibid., B.24.4 Process, p.
[35] Ibid., B.24.3 Input, p.70.
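As an added illustration of the states, transitions and outputs just described (example code written for this edit, not from the white paper or from ISO 31010), the following Python builds the stochastic transition matrix from a failure rate λ and repair rate μ, iterates it to the long-run state probabilities, and so recovers the availability. For the two-state "available / failed" case the result converges to the closed form μ/(λ+μ); a second, three-state model adds a degraded state. All rates are constructed illustrative values, not data from any real system.

```python
"""Markov (state-space) availability model, as an added example.

Not code from the white paper or ISO 31010. All transition rates below
are constructed illustrative values (per hour), not measured data.
"""
from typing import List

Matrix = List[List[float]]
Vector = List[float]


def transition_matrix(rates: Matrix, dt: float) -> Matrix:
    """Turn continuous transition rates into a discrete-step stochastic matrix.

    rates[i][j] is the rate of moving from state i to state j (the diagonal
    is ignored). For a step of length dt, P[i][j] = rates[i][j] * dt for
    i != j and P[i][i] = 1 - (sum of the row): the usual first-order
    approximation, valid only while each row's total leaving probability
    stays below 1. Its stationary distribution is the same as that of the
    continuous-time model, whatever dt is used.
    """
    n = len(rates)
    p = [[0.0] * n for _ in range(n)]
    for i in range(n):
        leaving = 0.0
        for j in range(n):
            if i != j:
                p[i][j] = rates[i][j] * dt
                leaving += p[i][j]
        if leaving > 1.0:
            raise ValueError(f"time step {dt} too large for state {i}")
        p[i][i] = 1.0 - leaving
    return p


def step(dist: Vector, p: Matrix) -> Vector:
    """One transition: the next distribution depends only on the current one
    (the Markov property), new_j = sum_i dist_i * P[i][j]."""
    n = len(p)
    return [sum(dist[i] * p[i][j] for i in range(n)) for j in range(n)]


def state_probabilities(rates: Matrix, initial: Vector, dt: float,
                        steps: int) -> Vector:
    """Transient result: state probabilities after `steps` steps of size dt."""
    p = transition_matrix(rates, dt)
    dist = list(initial)
    for _ in range(steps):
        dist = step(dist, p)
    return dist


def steady_state(rates: Matrix, dt: float = 0.1, tol: float = 1e-12,
                 max_steps: int = 1_000_000) -> Vector:
    """Long-run state probabilities: iterate from 'all in state 0' until the
    distribution stops changing."""
    p = transition_matrix(rates, dt)
    dist = [1.0] + [0.0] * (len(p) - 1)
    for _ in range(max_steps):
        nxt = step(dist, p)
        if max(abs(a - b) for a, b in zip(nxt, dist)) < tol:
            return nxt
        dist = nxt
    raise RuntimeError("Markov chain did not converge")


# Constructed model 1: the two states ISO 31010 quotes, available (0) and failed (1).
LAMBDA = 0.01  # failure rate, per hour (constructed)
MU = 0.5       # repair rate, per hour (constructed)
TWO_STATE_RATES: Matrix = [[0.0, LAMBDA],
                           [MU, 0.0]]

# Constructed model 2: operational (0), degraded (1), failed (2). A degraded
# item still delivers its function but fails more readily than a healthy one.
THREE_STATE_RATES: Matrix = [
    [0.0, 0.02, 0.002],  # operational -> degraded, operational -> failed
    [0.2, 0.0, 0.05],    # degraded -> repaired to operational, degraded -> failed
    [0.1, 0.0, 0.0],     # failed -> operational after repair
]


def two_state_availability() -> float:
    """Long-run probability of being available; equals MU / (LAMBDA + MU)."""
    return steady_state(TWO_STATE_RATES)[0]


def closed_form_two_state_availability() -> float:
    """Textbook result for the two-state model, used as a cross-check."""
    return MU / (LAMBDA + MU)


def three_state_availability() -> float:
    """Availability counts every state that still delivers the function."""
    pi = steady_state(THREE_STATE_RATES)
    return pi[0] + pi[1]


if __name__ == "__main__":
    print("two-state availability  :", round(two_state_availability(), 6))
    print("closed form             :", round(closed_form_two_state_availability(), 6))
    print("three-state availability:", round(three_state_availability(), 6))
    print("P(failed) after 1 h from new:",
          round(state_probabilities(TWO_STATE_RATES, [1.0, 0.0], 0.1, 10)[1], 6))
```

The transient function shows the other output the text mentions: the probability of being in the failed state at a given time, which starts at zero for a new item and rises towards the long-run value.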

Strengths and limitations of a Markov analysis

Markov diagrams for large systems are often too large and complicated to be of value in most business contexts, and inherently difficult to construct. Markov models are more suited to analysing smaller systems with strong dependencies requiring accurate evaluation. Other techniques, such as Fault Tree analysis (see Part IV of this blog post series), may be used to evaluate large systems using simpler probabilistic calculation techniques. States depend on current state probabilities and the constant transition rates between states; see the state transition diagram in Figure 1 below.

Figure 1: Example of a state transition diagram

Apart from this obvious drawback (complexity), a true Markovian process would only consider constant transition rates, which may not be the case in real-world systems. Events are statistically independent, since future states are treated as independent of all past states except for the state immediately prior. In this way the Markov model does not need to know the history of how the state probabilities have evolved in time in order to calculate future state probabilities. However, computer programs are being marketed that allow time-varying transition rates to be defined. Markov analysis requires knowledge of matrix operations, and the results are, unsurprisingly, hard to communicate to non-technical personnel. If you would like to perform Markov analysis, you are advised to consult IEC 61165, Application of Markov techniques.

Monte-Carlo analysis

Monte Carlo analysis consists of a broad class of computational algorithms that rely on repeated random sampling to obtain numerical results. This method can address complex situations that would be very difficult to understand and solve by an analytical method. Whenever there is significant uncertainty in a system and you need to make an estimate, forecast or decision, a Monte Carlo simulation could be the answer.

How does Monte Carlo analysis model the effects of uncertainty?

Systems are sometimes too complex for the effects of uncertainty on them to be modelled using analytical techniques. However, they can be evaluated by considering the inputs as random variables and running a number N of calculations (so-called simulations) by sampling the input, in order to obtain N possible outcomes of the wanted result. Monte-Carlo analysis can be developed using spreadsheets, but software tools are readily available to assist with more complex requirements, many of which are now relatively inexpensive.

Monte Carlo simulations require you to build a quantitative model of your business activity, plan or process. This is often done by using Microsoft Excel with a simulation tool plug-in, a relatively inexpensive set of tools. To deal with uncertainties using Monte Carlo analysis in your model, you'll replace certain fixed numbers (for example in spreadsheet cells) with functions that draw random samples from probability distributions. And to analyze the results of a simulation run, you'll use statistics such as the mean, standard deviation, and percentiles, as well as charts and graphs. [36]

For risk assessment using the Monte Carlo simulation, triangular distributions or beta distributions are commonly used. Note that ISO 31010 Table A.1, Applicability of tools used for risk assessment, states that this tool is strongly applicable for the Evaluation stage of risk assessment but not applicable (NA) for risk identification or risk analysis.

Bayesian analysis

Referring again to Table A.1 from ISO 31010, Bayesian analysis is used in the risk analysis and risk evaluation stages of risk assessment. [37] In a nutshell, it is a statistical procedure which utilizes prior distribution data to assess the probability of the result. These are often called conditional probabilities. [38] There are many places that explain the mathematics behind Bayes' theorem, including Wikipedia, the Stanford Encyclopedia of Philosophy, and the wonderful blog LessWrong. The definition that explains it best for me comes from the last of these; it is: "The probability of a hypothesis C given some evidence E equals our initial estimate of the probability times the probability of the evidence given the hypothesis C divided by the sum of the probabilities of the data in all possible hypotheses."

Bayesian inference is used in a wide range of fields, from medical diagnosis to checking your inbox for likely spam e-mails. However, is it any good for risk assessment? Although it can appear to be objective, this is typically not the case. A Bayesian probability is really a person's degree of belief in a certain event rather than one based upon physical evidence. Because the Bayesian analysis approach is based upon the subjective interpretation of probability, it provides a ready basis for decision thinking and the development of Bayesian nets (or Belief Nets, belief networks or Bayesian networks). [39] The availability of software computing tools and what ISO 31010 terms "intuitive appeal" has led to the widespread adoption of Bayesian nets. However, they can be valuable wherever there is the requirement for finding out about unknown variables by using structural relationships and data. The inputs are similar to the Monte Carlo analysis above; namely:

- define system variables;
- define causal links between variables;
- specify conditional and prior probabilities;
- add evidence to net;
- perform belief updating;
- extract posterior beliefs. [40]

Bayesian analysis can provide an easily understood model, and the data can be readily modified to consider correlations and sensitivity of parameters. This technique could be successfully applied to Quality Management Systems. However, there will be minimum sample size requirements for control charts that measure non-conformities (errors), based on the average non-conformity rate in the quality processes being measured. Lower error rates would therefore require larger sample sizes to make valid inferences, because of the properties of the binomial distribution. Even so, we would be very interested to hear from Quality Managers who have applied Bayesian analysis in this way to predict likely error rates in processes!

[36] Monte Carlo Simulation, web page on Frontline Solvers website
[37] ISO/IEC 31010:2009, Table A.1 Applicability of tools used for risk assessment, p.
[38] ISO/IEC 31010:2009, p.26
[39] ISO/IEC 31010:2009, B.26.1 Overview, p.
[40] Ibid., B.26.3 Input, p.77.

32 3 A Risk Management Methodology for Quality Management Those are some of the techniques covered in ISO In this section, we will apply them to a risk management methodology suitable for quality standards such as ISO 9001: Risk based thinking is the new 'preventive actions' for QMS To briefly recap the position to date: ISO 9001 Risk-based thinking could (and we am not saying that it should) be demonstrated by one or more of the risk assessment tools in ISO 31010:2010. However, that still leaves you with the dilemma of selecting the most appropriate tools to help you to identify, analyse and evaluate risk in your organizational context and with the resources at your disposal. In ISO 9001:2015 there is no requirement for risk management. However, organizations can choose to develop a more extensive risk-based approach, and the Standard refers to ISO 31000, which provides guidelines that can be appropriate in "certain organizational contexts". It remains to seen whether assessors for the various Certification Bodies will expect you to produce documented evidence of risk-based thinking. How will ISO Assessors attempt to assess RBT in Quality Systems? The short answer is we do not know at present. However, as we have postulated, there are three possibilities: Option 1: They will ignore the risk-based thinking requirements of Clause 6 in the same way that some claim preventive actions were ignored in the past. The counter to this is that Clause 6 in the DIS requires "Processes for planning and consideration of risks and opportunities". Option 2: They will regard the failure to show evidence of risk-based thinking in an organization s quality processes as a non-conformity (perhaps even a major non-conformity) and will judge the quality system to be ineffective because it has failed to reduce or eliminate the risks to process outputs. 
Option 3: Auditors will highlight in their report any good practices seen in the application of risk-based thinking to the planning and consideration of quality processes, showing how this has helped to achieve continual improvement of the system and provide the assurance of conformity to customer and applicable statutory and regulatory requirements.

You may decide differently, but in our view Option 3 is more likely in the majority of cases. Ergo, it cannot hurt your case to show documented evidence of RBT, regardless of whether documented information is a requirement or not. However, it will be your assessor that decides this, not us!

Regarding Option 3 above, it is also worth reflecting upon the number of uses of the words "continual improvement" in the clauses of the new Standard.

Aside from the definition that appears in Normative References, the term "continual improvement" is used in Clause 5: Leadership, Clause 6: Planning, Clause 7: Support, Clause 9: Performance Evaluation, and - unsurprisingly - in Clause 10: Continual Improvement, which states that: "...the organization shall consider the outputs of analysis and evaluation, and the outputs from management review, to confirm if there are areas of underperformance or opportunities that shall be addressed as part of continual improvement." 41

There is doubt about which of the three options above best describes the likely future response of external auditors/assessors, but you can help put your organization in a position where Option 3 is the more likely outcome, because your quality processes reflect the fact that you have taken account of the risks and opportunities in your context.

Planning and considering risks in quality system processes

Notwithstanding the concerns about what ISO 9001 assessors may or may not be looking for with regard to applying risk-based thinking (RBT), there are good reasons to put in place "Processes for planning and consideration of risks and opportunities".

There is already a significant precedent in the ISO family of management system standards that explains the need for the risk-based approach. BSI's Product Guide, ISO/IEC Information Security Management, sets out the case for RBT in the context of improving information security:

"ISO/IEC takes a risk-based approach to the planning and implementation of your ISMS, resulting in an appropriate and affordable level of organizational security. In this way, it ensures that the right people, processes, procedures and technologies are in place to secure your organization's information assets." 42

We suggest that we could readily substitute "ISO 9001:2015" for "ISO/IEC 27001"; "QMS" for "ISMS"; "quality" for "organizational security"; and "achieve the intended results of the quality management system" for "secure your organization's information assets" to arrive at the following:

"ISO 9001:2015 takes a risk-based approach to the planning and implementation of your QMS, resulting in an appropriate and affordable level of quality. In this way, it ensures that the right people, processes, procedures and technologies are in place to achieve the intended results of the quality management system."

It is also worth bearing in mind that one of the key influences on the development of ISO 27001:2013 was the decision by the ISO to align ISO/IEC with the principles and guidance given in ISO (risk management). This was deemed to be, in the words of BSI, "good news for integrated management systems as now an organization may apply the same risk assessment methodology across several disciplines". 43

Earlier posts in this series have examined the different risk assessment techniques aligned to ISO and described fully in ISO 31010.

What actions are required to plan for risks and opportunities?

Clause 6 of ISO 9001:2015 is likely to be explicit about the need for planned actions to address risks and opportunities in quality systems:

The organization shall plan:
1. actions to address these risks and opportunities;
2. how to:
   a. integrate and implement the actions into its quality management system processes (see 4.4);
   b. evaluate the effectiveness of these actions.
Actions taken to address risks and opportunities shall be proportionate to the potential impact on the conformity of products and services. 44

Although not all the processes of the quality management system will represent the same level of risk in terms of the organization's ability to meet its objectives - and the consequences of process, product, service or system nonconformities are not the same for all organizations - there will be risks that you will need to address through the quality processes. So how do you go about identifying, considering and planning for risks to quality, and how could risk analysis help you to achieve your objectives?

The simple answer is that before you can plan processes that address risk, you need to analyze the relative importance of risks in your system. In a world where risk factors determine the organization's success or failure, we need a detailed understanding of each of the specific risks posed to successful outcomes at the various stages of quality processes. With this knowledge, we can determine appropriate priorities for actions.

41 ISO/DIS 9001:2014, 10.3 Continual improvement, p.
42 ISO/IEC Information Security Management Securing your information assets Product Guide, October 2012 (modified May 2013)
This full understanding should result in fewer unpleasant surprises arising, and will enable managers to determine where the greatest effort should be focused in treating identified risks and for quality assurance purposes.

The alternative to decision-making based on risk analysis is a combination of experience and intuition. Experience, no matter how extensive, can be out of date and therefore fail to anticipate the potential risks in a system. Intuition is the ability to acquire knowledge without inference or the use of reason, and is of questionable value to organizations when planning and considering processes in order to consistently produce desired outcomes. By developing a better understanding of risk, risk analysis techniques help organizations facilitate structured action planning and resource allocation.

The following section of this blog post contains the first part of a Proposal for a formal methodology for making risk-based decisions when planning and considering quality processes. We have based some of the ideas on work by Dale F. Cooper et al in the book 'Project management guidelines: managing risk with ISO and IEC 62198' (John Wiley and Sons); however, we have simplified the approach therein as applied to international, large-scale project management. Furthermore, we have re-engineered these ideas into a method of risk assessment and continual process improvement for ISO 9001 quality management systems, based on the process improvement model from ITIL, which itself uses methods from quality management.

The CSI process in ITIL aims to continually improve the effectiveness and efficiency of IT processes and services, in line with the concept of continual improvement adopted in ISO . It defines the specific initiatives aimed at improving services and processes, based on the results of service reviews and process evaluations. The improvement cycle takes into account the business perspective of service quality, although CSI aims to improve process effectiveness, efficiency and cost effectiveness. In ITIL 2011, the CSI Register was introduced as a central document or database where all improvement opportunities and initiatives are recorded.

43 Moving from ISO/IEC 27001:2005 to ISO/IEC 27001:2013: The new international standard for information security management systems, Transition Guide, BSI Group.
44 Ibid., p.28, lines 1054 to
We propose to extend this idea to create a controlled documented information system (CDIS) for QMS which would contain a Risks and Opportunities Register (R&O Register), used to record and manage risks to, and improvement opportunities in, quality management processes throughout their lifecycle. A key feature of our design for the R&O Register would be outputs from a simple risk assessment process, following a six-step risk assessment and continual process improvement model. The six steps are:

1. Establish the context
2. Identify possible risks to quality outputs
3. Carry out a qualitative risk analysis and risk evaluation
4. Extend this analysis to a semi-quantitative analysis used to assign a numerical risk factor (RF value) to each of the risks in order to determine the highest priority risks, before
5. Determining a risk treatment plan, and
6. Monitoring and reviewing the quality system processes to determine the effectiveness of the quality controls and identify as early as possible any new risks and opportunities.

These ideas are for DISCUSSION ONLY and are not recommendations for actions needed to comply with the wording of ISO 9001:2015 in its published form (September 2015). However, we offer them as a way to combine quality management systems and risk management processes in order to achieve continual process improvement in a way that takes full account of the risks and opportunities in any given context.

3.2 The Six Steps

The method we are suggesting breaks down into six simple Steps. They are:

1. Establish the context

This step references 4.1 Understanding the organization and its context, and 4.2 Understanding the needs and expectations of interested parties. It determines the issues and requirements that can impact on the planning of the quality management system, including: (a) the main objectives and outcomes that are uncertain / subject to risk; and (b) the needs and expectations of the organization's customers and other relevant interested parties; the products and services it provides; the complexity of the processes it employs and their interactions; the competence of persons within or working on behalf of the organization; and its size and organizational structure.

2. Risk identification

This step involves selecting a suitable process for risk identification (see below) and, for each quality process, identifying and numbering the risks. The activity is designed to be carried out in a group situation where each risk is described in terms of what could happen and what that could lead to, the causes of the risk - both external and internal to the organization - and the existing controls that could prevent, transfer or mitigate risks. This process records the risks in a Risk and Opportunities Register (R&O Register) that would form an integral part of the Quality Management System.

3. Qualitative risk analysis & risk evaluation

The systematic use of available information regarding probability, consequence and exposure will lead to a better understanding of the risk and the controls that are needed. For each risk we would then: assess the effectiveness of the existing controls using a suitable effectiveness scale; determine the consequences (impact) for each risk; the likelihood of these consequences occurring; and the potential exposure were the controls that we have in place to fail.
For example, the consequence of a failure to control the quality of production outputs through an adequate inspection process could be the customer rejecting the goods or services supplied as unfit for purpose, causing the organization to suffer a financial loss that can be measured in penalties under the terms and conditions of the contract, as well as reputational damage.

4. Semi-Quantitative risk assessment for systems and processes

Qualitative analysis is used to determine the probability and impact of risks; however, by its nature and definition, it lacks quantitative precision. In comparison, a semi-quantitative measure of risk is an estimate derived using a scoring approach. Risk indices are used to rate a series of risks using similar criteria so that they can be more easily compared. Scores are applied to each component of risk, to assess both the consequence (impact) and the likelihood of the risk occurring, and to derive an average consequence score and average likelihood score for the risks associated with each process analysed. These risk scores are then used to determine the comparative 'risk factors' (RFs) associated with different processes, to aid decision-making by plotting the RFs on a graph overlaid with iso-contours.

5. Risk treatment

This step brainstorms options for treating the risk that fit the following categories: avoiding or seeking the risk; changing the likelihood; changing the consequences; sharing the risk; and explicitly accepting the risk without further treatment. The benefits and costs, advantages and disadvantages of each treatment option are taken into account, and where the benefits determined exceed the known/likely costs of action, treatment options are selected for implementation. The brainstorming process is repeated after implementation to determine whether the level of risk after risk treatment has been completed is tolerable; if this is not the case, then further risk treatment actions are sought and considered.

6. Monitoring & review

A monitoring process is developed for each risk by the risk owners and for each relevant control by the control owners. Decisions are made about the time intervals at which the risks and controls will be reviewed. At the same time, a monitoring process will be put in place for each risk treatment plan under the direction of the relevant risk owners. Progress will be monitored in respect of the objectives of the risk treatment plan, and the resulting successes and failures recorded. Periodically, the team will assess whether new risks are affecting or could affect quality processes and systems, as part of the cycle of continuous quality process improvement (see Figure 1 below).

Figure 1: A six step Risk Assessment Methodology

We will now consider each step in more detail.

3.3 Step 1: Establish the Context

The 'context' of the organization is essentially its business environment.

That is to say, context is a term that is used to describe a combination of internal and external factors and conditions that can have an effect on an organization's (3.01) approach to its products (3.47), services (3.48), investments, and interested parties (3.02). 45

An organization needs to demonstrate its ability to provide products and services that consistently meet customer and applicable statutory and regulatory requirements, and aims to enhance customer satisfaction. 46 Therefore, it is necessary to determine both the external and internal context before designing and implementing quality processes that take account of the risks and opportunities that apply in a particular context.

The risk-based approach of ISO 9000:2015 requires the organization to understand its context (see clause 4.1) and determine the risks and opportunities that need to be addressed (see clause 6.1). When applying risk-based thinking to the planning and consideration of quality processes, we should take into account the organization's understanding of the:

- external context, which can be facilitated by considering issues arising from legal, technological, competitive, market, cultural, social, and economic environments, whether international, national, regional or local;
- internal context, which can be facilitated by considering issues related to the values, culture, knowledge and performance of the organization. 47

The Standard also requires that "...the organization shall maintain documented information to the extent necessary to support the operation of processes and retain documented information to the extent necessary to have confidence that the processes are being carried out as planned". 48

Scope and responsibilities for specific risk management activities

The scope and responsibilities of persons responsible for risk management and the risk assessment methods employed will need to be documented.
Risk is defined as "the effect of uncertainty on objectives", 49 so it follows that it is necessary to articulate the objectives of the organization and the processes that it uses. In other words, you must define and document what is 'at risk', and how you intend to address risk in your quality management system; specifically, who is to be made responsible for identifying, analyzing (if you choose to analyze risk), evaluating and treating the risks to your QMS and its associated processes.

45 Moving from ISO/IEC 27001:2005 to ISO/IEC 27001:2013: The new international standard for information security management systems, Transition Guide, BSI Group. 3.24, p.
46 Ibid. A.3, p.
47 Ibid. p.
48 Ibid. 4.4 Quality management system and its processes, p.
49 ISO 31000, 2 Terms and definitions, 2.1 risk, p.1

It is valuable to be as specific as possible in articulating the organization's business objectives, as this will assist with the risk identification process (defined in Step 2). 50

How should we document the "context of the organization"?

The context of an organization can include internal factors such as organizational culture, and external factors such as the socio-economic conditions under which it operates; consequently, all the requirements of ISO 9001:2015 are generic, but the ways in which they are applied can differ from one organization to another. 51

Risk-based thinking as it is defined in ISO 9001:2015 requires you to consider risk qualitatively (and, depending on the context that has been identified, quantitatively) when defining the rigour and degree of formality needed to plan and control the quality management system, as well as its component processes and activities. 52

Taking the above definitions into account, we would suggest that it would be appropriate for an ISO 9001-compliant organization - and especially one adopting a more formal risk management approach based on ISO - to document the context in what we are terming a Statement of Context.

To establish the context, you need to:

- establish the external and internal organisational context in which the risk assessment is taking place (see ISO 9001:2015 Clause 4.1);
- specify the main objectives and outcomes that are uncertain and, therefore, represent a risk;
- develop criteria against which the consequences and likelihoods of identified risks can be measured; and
- define the key elements for structuring the risk assessment process.

Process inputs

Key process documents, scope definitions, pre-existing analyses and other relevant documented information such as organisational policies, processes and structures.

Method

1. Review organisational and process documentation.
2. Review the external and internal contexts.
3. Develop criteria for evaluating consequences and likelihoods.

50 Project management guidelines: managing risk with ISO and IEC 62198, Dale F Cooper, et al, John Wiley & Sons Inc, March
51 ISO/DIS 9001:2004, Clause 0.1 Introduction, p.
52 Ibid. Clause 0.5, p.9.

4. Prepare briefing material for the risk assessment process.

What information should the Statement of Context contain?

The organization's Statement of Context would include internal factors such as organizational culture, and external factors such as the socio-economic conditions under which it operates [ISO 9001:2015, Introduction 0.1]. Establishing the context will provide information that is essential to risk identification, analysis and evaluation activities if they are to be efficient and effective. Components of the context could be summarised as follows:

1. organisational objectives;
2. process objectives;
3. the internal environment;
4. the external environment;
5. the context of the risk management process;
6. risk criteria.

Risk criteria for Quality Management Systems

The risk criteria should reflect the objectives and context for the risk assessment. Consideration should be given to stakeholder views and risk perceptions, the legal and regulatory framework that applies in the organization's context, and the time and resources that are available. These criteria should be continually reviewed.

Categories for which risks in a quality management system and associated processes will be evaluated need to be defined and documented, taking account of all associated activities from which risks could arise that would adversely affect the organization or any of its stakeholders. These could include: human health and safety; environmental protection; legal and regulatory compliance; cost; production schedule / deadlines; reputation; performance. However, this list will depend on the context and the risks being evaluated.

When defining risk criteria, you should consider:

- the nature and type of causes;
- the consequences that can occur;
- how consequences will be measured;
- how likelihood will be defined (for example qualitatively, or as a quantitative probability);
- the timeframe;
- how the level of risk is to be determined;
- what is an acceptable (or tolerable) level of risk.

For the risk criteria to be adequate to support the decisions made at the risk treatment stage, they should:

- assist in decision-making leading to actions that reduce risk to levels that are as low as reasonably practicable;
- be capable of being communicated, understood and applied within the organization and to an external organization (ISO 9001:2013, 3.01) where it performs part of an organization's function (Ibid. 3.25) or process (Ibid. 3.12);
- be unambiguous in their formulation;
- not evidence any bias towards particular risk treatment options in the way in which risk is expressed.

Documented information: Statement of organization context - including its size and complexity, a general outline of the external and internal risks and opportunities that it needs to address, and how that knowledge is to be made accessible.

3.4 Step 2: Risk identification

Having established the organization's context, we need to identify the specific risks and opportunities that need to be addressed (see clause 6.1) through the quality management system and its associated processes. Risk identification is the process to determine what might happen that could result in undesirable outcomes (see 0.5) that have a negative impact on the organization's ability to "...consistently provide products and services that meet customer and applicable statutory and regulatory requirements or the organization's aim to enhance customer satisfaction". 54

The risk identification process should be as comprehensive and systematic as possible in order to ensure that risks affecting quality are not ignored.

53 Ibid. Clause 0.1 Introduction, p.6.
Process inputs

Information used may include:

- historical data;
- theoretical analysis;
- empirical data and analysis;
- informed opinion of the project team and other experts;
- the concerns of stakeholders. 55

Method

1. Use one or more of the Look-up and/or Supporting Methods described in ISO/IEC designed for risk identification. These techniques include: structured interviews; brainstorming; examination of similar quality processes; Delphi technique; SWIFT technique. [See our previous blog post about ISO/IEC for more information: ISO Risk management techniques - Attributes of a selection of risk assessment tools.]
2. Produce a comprehensive list of possible risks to successful outcomes.

Process outputs

See item 2 above. Steps 3-5 will analyse and evaluate these risks and prioritise treatment.

Documented information:

1. Risks and opportunities register (R&O register) - recording identified risks, controls, and ratings.
2. Risk description worksheet (for recording risk at process level) - listing risk description, process, existing controls, key assumptions, sources of information, document attachments.

Techniques for risk identification

The International Standard ISO/IEC describes the techniques for risk identification that could be used in Quality Management Systems. Along with examining any check-lists that identify the causes of risk that have led to preventive actions, and the experience of other quality managers in similar contexts, you should also consider conducting structured interviews with individuals, focus and discussion groups, scenario analysis, and surveys and questionnaires to help identify risks.

54 Ibid. A.3 Context of the organization, p.43.
55 Adapted from assessing risks to quality from Project management guidelines: managing risk with ISO and IEC 62198, Dale F Cooper, et al, John Wiley & Sons Inc, March 2014

The recommended method is Brainstorming - see previous blog post. Brainstorming is significantly more effective than superficially attractive mechanisms such as checklists. The process draws on the creative capacity of the participants, reducing the danger of overlooking new and emerging issues. 56

The quality manager/lead writes the initial risk list on a whiteboard without comments from the other participants, who then make their contributions. The team reviews the list, classifying and grouping similar risks where appropriate and adding new ones as ideas are generated. The aim is usually to generate a list of 10 risks associated with each quality process being assessed, although this number will vary depending on the organizational context and the complexity of processes. A structured workshop is the most effective format, and adequate time should be allocated by key participants for all the risks to be considered.

Experience and knowledge will always form a valuable part of the process; however, historical information should not be allowed to block a creative assessment of the future, where situations that have never arisen before may dramatically shift the balance between familiar risks. 57

3.5 Step 3: Qualitative risk analysis & risk evaluation

What is a 'Qualitative analysis' of risk?

Qualitative analysis is based on ordinal and ranking scales for describing the consequences and likelihoods of risk. This method helps managers to understand risks and prioritise them for treatment, taking account of the activities, processes and plans that act as controls. It is a useful approach in situations where there is insufficient reliable statistical data available, or where time and cost constraints prevent managers from undertaking a more resource-intensive semi-quantitative or quantitative analysis of risk.
In comparison, quantitative analysis uses numerical (ratio) scales for consequences and likelihoods, rather than descriptive or nominal scales, and requires more advanced skills.

Does ISO 9001:2015 require a qualitative risk assessment?

ISO 9001:2015 requires that we consider risk qualitatively (and, depending on the organization's context, quantitatively) when defining the rigour and degree of formality needed to plan and control the quality management system, as well as its component processes and activities. Qualitative risk analysis is the systematic use of available information - including documented information from the risk identification process in Step 2 - to develop an understanding of the risks to quality objectives. 58 This includes: assessing the effectiveness of existing controls; determining the consequences that characterise each risk; the likelihood of those consequences arising; and the potential exposure were the controls to fail.

Sources of information for qualitative analysis

The quality management team is often the best source of information for assessing risks to quality in terms of their causes and consequences. However, where the organizational context is high-risk and/or complex, additional information will most likely be required from other teams. When assessing high-priority risks and evaluating the most effective ways to mitigate them, quality managers/leads may include sources such as:

- historical records;
- process records, either specific to the kind of process being assessed, or where comparisons and inferences can be drawn regarding risk scenarios;
- industry best practice;
- user experience (from quality records and other sources, e.g. customer service records, social media discussions, consumer satisfaction surveys);
- published literature and research reports that contain theory and/or examples relating to failure modes or equipment reliability;
- product brochures and technical manuals;
- audit reports.

Process inputs

Information used in qualitative risk analysis and evaluation includes:

- historical data;
- theoretical analysis;
- empirical data and analysis;
- informed opinion of the project team and other experts;
- the concerns of stakeholders. 59

56 Ibid.
57 Ibid.
58 Ibid. Chapter 8: Qualitative Risk Analysis and Risk Evaluation.
59 Adapted from assessing risks to quality from Project management guidelines: managing risk with ISO and IEC 62198, Dale F Cooper, et al, John Wiley & Sons Inc, March 2014

Note: This simple list is intended to be identical to the list for risk identification in Step 1, although you can probably add further types of information based on your organization's experience of risks to outputs.

Method

Steps required for a Qualitative Risk Assessment include:

1. List process controls that are already in place and act to modify each risk, and assess their effectiveness.
2. Determine the kind and level of consequences that characterise each risk.
3. Assess the likelihood of the consequences occurring, given the controls in place.
4. Combine levels of consequences and likelihoods to determine the level of risk.
5. Evaluate the potential exposure for each risk identified to desired quality outcomes.
6. Agree the management priorities for: risk treatment; control assurance; and ensuring top management oversight. 60
7. In conjunction with Step 5 (Risk Treatment): use risk criteria to determine (a) the risk treatment options available and (b) whether any residual risk level in your quality processes will be tolerable.

Process outputs

A prioritised list of risks that takes account of uncertainty for:

- quality process objectives;
- organizational objectives.

For each risk, determine a rating for: control effectiveness; consequence; likelihood; level of risk; and potential exposure.

Documented information:

- Risks and opportunities register (R&O register) - recording identified risks, controls, and ratings.

60 ISO/DIS 9001:2014, Clause Leadership and commitment for the quality management system, pp.

- Risk description worksheet (for recording risk at process level) - listing risk description, process, existing controls, key assumptions, sources of information, document attachments.

Summary: In the first three Steps of this risk management process for quality systems, we have addressed three fundamental requirements of ISO 9001:2015, namely:

1. Understanding the context of the organization, its quality management system and processes (Clause 4).
2. Processes for planning and consideration of risks and opportunities (Clause 6).
3. Processes for support, including resources, people and information (Clause 7).

As ISO 9001:2015 states, the process for considering and controlling past, existing and additional knowledge needs to take account of the organization's context, including its size and complexity, the risks and opportunities it needs to address, and the need for accessibility of knowledge. 61 We propose documented information in the form of (1) a Statement of Context, and (2) a Risks and Opportunities Register (R&O register) used to record identified risks, controls, and ratings.

3.6 Step 4: Semi-Quantitative risk analysis and risk evaluation

Semi-quantitative risk assessments support decision-making by identifying potentially high-risk processes, without identifying risks explicitly. Agreed priorities are used to determine those processes where the highest level of planning and consideration of risk should be focussed.

Process inputs

Documented information used in the assessment process may include process documents, such as:

- quality plans, procedures and work instructions;
- scope definitions;
- cost and schedule assumptions pertaining to processes and outputs;
- engineering process designs and studies;
- economic analyses;
- empirical data and analysis;
- informed opinions of experts;
- concerns and expectations of stakeholders and customers; and
- relevant documented information about the QMS and its processes.

Method

1. Develop an appropriate structure for examining quality system processes.

61 ISO/DIS 9001:2014, A.7 Organisational knowledge, p.46.

2. Use a semi-quantitative risk assessment tool (see example to follow) to assess the consequences and likelihood of risks arising in each process.
3. Convert the consequence and likelihood of risks arising in each process to an initial priority level.
4. Determine Risk Factors (RF) for each of the risks analysed (see below).
5. Plot the P (Probability) and C (Consequence) values to show the risk factors affecting quality processes and their desired outputs.
6. Use the risk factors, the ranking and the risk profile to decide which of the identified risks may be deemed acceptable or unacceptable, and to enable resource priorities to be determined.

Process outputs

- A list of risks to outputs prioritised by risk factor, i.e. level of 'riskiness'.
- Consequence and likelihood ratings and agreed priorities for each risk.
- Risk contour diagrams (see example below) to plot risk factors and iso-contours, i.e. points of equal RF value, to give an indication of priorities.

Methods for calculating risk factors

Risk factors may be calculated as the product of the likelihood (probability) and consequence scores:

RF = P x C

There is a very good reason for being very cautious with this method: risks with high consequence scores and low probabilities are allocated low risk factors. The product formula may result in the risk being downgraded in terms of priorities. This is an important concern in quality management when considering possible critical non-conformities (i.e. any nonconformity which may result in hazardous or unsafe conditions for individuals using, maintaining or depending upon the product, or prevent performance of a vital agency mission) and major non-conformities (any nonconformity other than critical, which may result in failure or materially reduce the usability of the product for the intended purpose).

However unlikely the undesired outcome, the purpose of the quality system will be undermined and the organization's reputation badly damaged in the event of this type of non-conformity ever arising. By using scores from 0 (low) to 1 (high), it is possible to assign a high risk factor whenever either the consequence or the likelihood is high, by using the following method described in work by Dale F Cooper. [62]

RF = Likelihood (P) + Consequence (C) - Product of scores (P x C)

Where:

[62] Project management guidelines: managing risk with ISO and IEC 62198; Dale F Cooper, et al, John Wiley & Sons Inc, March 2014.

P = likelihood measure on a scale of 0 to 1 = average of likelihood factors
C = consequence measure on a scale of 0 to 1 = average of consequence factors
RF = risk factor = P + C - (P x C)

Figure 2: Risk factors and iso-contours for a quality process

Iso-contours are curves on a graph connecting points at which a function of two variables has a constant value. A common example is map contours, which join points of equal height. The function in this example is the Risk Factor (RF), the two variables are likelihood (P) and consequence (C), and the constant values are e.g. RF = 0.20, RF = 0.4, RF = 0.6, RF = 0.8, RF =

What is the value of the Semi-Quantitative approach in Step 4, following the Qualitative Assessment conducted in Step 3?

To quote Holger Schutz et al, in 'Comparative risk assessments: concepts, problems and applications' [63], in the qualitative approach to risk assessment, "An event is verbally described in relation to other events. Absolute reference points and specifications for the bandwidths are lacking (in which field is the term "high" to be classified?) so that no comparison of various processes / specifications is possible."

In other words, the value of a qualitative risk assessment is limited, since precise data is needed to make more accurate comparisons between the risks being analysed. The breadth of the classifications needs to be chosen so that "...the findings of imprecise data still lie

[63] Comparative risk assessments: concepts, problems and applications; Holger Schutz, Peter M. Wiedemann, Wilfried Hennings, Johannes Mertens, Martin Clauberg; John Wiley & Sons, July 2006; ISBN:

within the bandwidth of the classes". A semi-quantitative classification of the type in the diagram above can assess the order of magnitude of the importance of individual risk scenarios, either at the quality process or wider organisational level. Because qualitative terms in this approach have been given numerical values, the verification of results is made possible by the comprehension of single steps of awareness [64], enabling high priority risks to be prioritised.

This semi-quantitative approach to assessing risks in a Quality System has the advantage of allowing comparison of the various risks of non-conformities (minor, major and critical) on one or more risk attributes by one or more evaluators, resulting in a consensus view of what the 'real' risks are, as measured by risk factors plotted on one graph. In organisational environments where a degree of uncertainty makes it difficult to predict which risks to quality outcomes are the highest priority, this type of analysis, supported by a consensus risk identification process, provides meaningful outputs to guide planning and consideration of risks.

To read more about the semi-quantitative risk analysis method, see: Project management guidelines: managing risk with ISO and IEC 62198; Dale F Cooper, John Wiley & Sons Inc, March 2014.

Documented information

- Assessment sheets, recording likelihood indicators (rated high-low) and consequence indicators (rated high-low), plus the relevant discussions, assumptions and responses, and a risk score for each line entry made.
- Diagrammatic representations of risk, e.g. a risk factor and iso-contour graph used to plot data from a semi-quantitative risk analysis.

3.7 Step 5: Risk treatment

The risk identification and assessment process must translate into actions. ISO 9001:2015 states that one of the key purposes of a quality management system is to act as a preventive tool. There is no longer a separate clause or sub-clause titled 'Preventive action', since the concept of preventive action is expressed through a risk-based approach to formulating quality management system requirements. [65] Although there is no requirement for formal risk management or a documented risk management process, risks and opportunities have to be determined and addressed. If the QMS is to act as a preventive tool, risks have to be identified and evaluated (by some method, whether through analysis or "intuitively"), priorities assigned and risk treatment actioned.

[64] Ibid. p.192, Appendix
[65] ISO/DIS 9001:2014, A.4 Risk based approach, p.45.
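Before the treatment steps, here is the Step 4 scoring carried through in code: an added example, not code from the white paper or from Cognidox, that computes RF by both the product formula and Cooper's P + C - (P x C), bands each risk by the iso-contour it reaches, and ranks a constructed register like the one in the Step 5 example that follows. The risk names, factor scores, contour values and the 0.5 tolerability threshold are assumptions made for the illustration.

```python
"""Semi-quantitative risk factor scoring and prioritisation (Steps 4 and 5).

Added example; not code from the white paper or from Cognidox. It implements
the two risk factor formulas the paper discusses:

    product: RF = P x C
    Cooper:  RF = P + C - (P x C)

where P and C are each the average of likelihood / consequence factors scored
on a 0 (low) to 1 (high) scale. The risk names, factor scores, contour values
and tolerability threshold below are constructed for illustration.
"""
from dataclasses import dataclass
from statistics import mean
from typing import Callable, List, Tuple


@dataclass(frozen=True)
class Risk:
    """One line of the R&O register, with its raw 0..1 factor scores."""
    ref: str
    description: str
    likelihood_factors: Tuple[float, ...]
    consequence_factors: Tuple[float, ...]

    def __post_init__(self) -> None:
        # Reject scores outside the 0..1 scale the formulas assume.
        for score in self.likelihood_factors + self.consequence_factors:
            if not 0.0 <= score <= 1.0:
                raise ValueError(f"{self.ref}: factor score {score} outside 0..1")

    @property
    def p(self) -> float:
        """Likelihood measure: average of the likelihood factors."""
        return mean(self.likelihood_factors)

    @property
    def c(self) -> float:
        """Consequence measure: average of the consequence factors."""
        return mean(self.consequence_factors)


def rf_product(p: float, c: float) -> float:
    """RF = P x C: downgrades high-consequence, low-likelihood risks."""
    return p * c


def rf_cooper(p: float, c: float) -> float:
    """RF = P + C - (P x C): high whenever either P or C is high."""
    return p + c - p * c


# Iso-contour values of the kind drawn in the paper's Figure 2 (constructed set).
ISO_CONTOURS = (0.2, 0.4, 0.6, 0.8)


def contour_band(rf: float) -> float:
    """Highest iso-contour the risk reaches; 0.0 if it lies below RF = 0.2."""
    band = 0.0
    for contour in ISO_CONTOURS:
        if rf + 1e-9 >= contour:  # tolerance absorbs float rounding at the contour
            band = contour
    return band


def prioritise(risks: List[Risk], formula: Callable[[float, float], float] = rf_cooper):
    """Rank risks by RF, highest first. Returns (ref, P, C, RF, band) rows, rounded."""
    rows = []
    for risk in risks:
        rf = formula(risk.p, risk.c)
        rows.append((risk.ref, round(risk.p, 2), round(risk.c, 2), round(rf, 2), contour_band(rf)))
    return sorted(rows, key=lambda row: row[3], reverse=True)


def needs_treatment(rows, tolerable_rf: float = 0.5) -> List[str]:
    """Refs whose RF exceeds the agreed risk criterion (constructed threshold)."""
    return [ref for ref, _p, _c, rf, _band in rows if rf > tolerable_rf]


# Constructed register: the production backlog scenario of the paper's Step 5
# example, plus a low-likelihood critical non-conformity (R4) to show why the
# paper warns against the product formula.
REGISTER = [
    Risk("R1", "Speed and feed rates too slow", (0.7, 0.5), (0.4, 0.6)),
    Risk("R2", "Machine breakdowns", (0.5, 0.5), (0.3, 0.1)),
    Risk("R3", "High absence and tardiness rate", (0.3, 0.2), (0.2, 0.2)),
    Risk("R4", "Critical non-conformity: unsafe unit shipped", (0.1, 0.1), (0.9, 0.9)),
]

if __name__ == "__main__":
    for name, formula in (("product", rf_product), ("Cooper", rf_cooper)):
        rows = prioritise(REGISTER, formula)
        print(f"--- RF by {name} formula ---")
        for ref, p, c, rf, band in rows:
            print(f"{ref}: P={p:.2f} C={c:.2f} RF={rf:.2f} band>={band:.1f}")
        print("treat:", needs_treatment(rows))
```

Under the product formula R4 ranks third with RF 0.09 and nothing crosses the threshold; under Cooper's formula the same risk tops the list at 0.91, which is the downgrade the paper cautions about.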

Risk treatment involves the following steps:

1. Identifying feasible risk treatment actions;
2. Selecting those risk treatment actions that create value;
3. Developing risk treatment plans. [66]

Brainstorming is a supporting method for examining treatment options. The options can be summed up as follows:

- Avoiding or seeking the risk
- Changing the likelihood
- Changing the consequences
- Sharing the risk
- Explicitly accepting the risk without further treatment. [67]

Process inputs

The primary inputs are lists of:
- Risks and their priorities from the risk analysis and evaluation step.
- Resources, including budget, which can be applied to treating risks.

Method

1. Identify options for addressing high-priority risks;
2. Determine the potential benefits and costs of the options;
3. Select the best options to treat the high-priority risks;
4. Develop and implement detailed risk action plans;
5. Make appropriate provisions in budgets for actions. [68]

Process outputs

Risk action plan summaries for each proposed risk treatment action.

Example of Risk Treatment in a Quality Management System

Starting with a list of high-priority risks, we:

[66] Project management guidelines: managing risk with ISO and IEC 62198; Dale F Cooper, et al, John Wiley & Sons Inc, March 2014, p.
[67] Ibid., p.
[68] Ibid., Chapter 10 Risk Treatment.

Identify options for addressing the risks. Let's say that the anticipated problem is a backlog in production indicated by the following RF values:

1. Speed and feed rates too slow: RF = 0.8
2. Machine breakdowns: RF = 0.6
3. High absence and tardiness rate: RF = 0.4

Which risks should take priority? And what options are available to the organization to treat one or more of the risks using available resources?

The highest level risk is number 1. Speed and feed rates are likely to be too slow at present to meet the delivery schedule of a customer order. The quality management team, working with the operations team, has identified, analyzed and evaluated this risk as having a Risk Factor of 0.8 (on a scale of 0-1). Through brainstorming, they have identified and analysed a problem with the production operatives' familiarity with new materials. There is a secondary factor in terms of unfamiliarity with new machines (RF = 0.6). Absence and tardiness are also potentially an issue, as the operatives are reluctant to operate the new machines without proper training. However, the third anticipated risk, 'high absence and tardiness rate', has been assessed as a lower risk at RF = 0.4 than risks 1 or 2, so it is decided to prioritise treatment of 1 and 2.

The rationale: Although lack of familiarity with new materials is thought a higher risk than machine breakdowns or high absence/tardiness rates, risks 1 & 2 taken together represent an unacceptably high risk within the context. Machine breakdowns due to poor maintenance by the supplier and/or operator error are known to have been a problem recently in a competing production facility, and are likely to reduce output rates at a critical time. Risk 3 is thought to be a lower priority but merits consideration later on.

So what are the best options? Strengthening the Operations team with an operator who is familiar with both the new materials and the machine is one possibility to consider. Other options are:

- Instigating a training programme to familiarise operatives with the new materials and improve their output performance using the new machines.
- Increasing production hours through overtime to compensate for low output until the operatives are more familiar with the new materials, etc.
- Outsourcing the manufacturing of the component made with the new material (either on a temporary or permanent basis) to avoid the risk.

Obviously, there could be other options available, but let's stick with these for now. The next action is to determine the potential benefits and costs of the options, and then select the best options to treat the risks.

The team next look at the possibility of hiring a skilled operative with experience of working with the materials in question and the machines. Although it is an attractive idea, they cannot be sure that

they can hire the right person given the tight timescales they are working to; and although urgent enquiries could be made through Human Resources with specialist recruitment agencies, the expectation is that the only two viable options in the short term are increasing production hours and outsourcing on a temporary basis. This is because a training programme will take longer to organise and will require a specialist trainer who has experience of the material and the machines. The trainer will not be available until over half way through the production of the customer's order.

Therefore, the only options are to increase production hours, accepting the high proportion of scrap that will be generated while operatives learn to work the material, or to outsource to a manufacturer that has been using the material for two years and has successfully overcome their machine reliability problems. The decision is made to avoid the risk by outsourcing in this instance; however, actions to design and implement a training course are agreed, so that the anticipated production problem will not recur in the future.

This risk treatment plan has removed the risk. It may of course have introduced a new potential risk: that the chosen outsourcing company proves to be unreliable and fails to deliver on time and/or within budget. This identified risk will then be duly analysed, evaluated and, if it is thought necessary, treated as part of a continual review of the risks. See Step 6: Monitoring and Review below.

Process outputs

Risk action plan summaries for each proposed risk treatment action.

Documented information

1. Risk treatment options worksheet
2. Risk treatment plan summary

3.8 Step 6: Monitoring & review

The main aims of monitoring and review can be summed up as developing a monitoring process for each:
- risk (risk owners);
- control (control owners);
- treatment plan (risk owners).

It will be necessary to decide how risks and controls will be periodically reviewed, including how often and when these will take place, who will conduct the reviews, and what is the most appropriate approach to adopt. At this final stage, an organization would set up the following processes:

- a reporting process for risk and control monitoring and review;
- a reporting process for progress with risk treatment plans;
- a process to derive lessons from successes and failures within the quality processes and for communicating this information to the organization. [69]

This conforms to the requirements of ISO 9001:2015 in terms of establishing, implementing, maintaining and continually improving a quality management system, including the processes needed and their interactions. [70] The Standard will expect you to plan and consider the risks and opportunities in accordance with the requirements of 6.1 (Steps 1-4 above), and plan and implement the appropriate actions to address them (Step 5 above). This includes the methods for monitoring, measuring (as appropriate) and evaluation of processes and, if needed, the changes to processes to ensure that they achieve their intended results (Step 6). [71]

ISO 9001:2015 also mandates that the organization shall maintain documented information to the extent necessary to support the operation of processes, and retain documented information to the extent necessary to have confidence that the processes are being carried out as planned.

With the help of a Risk Management Method similar to the one described above, and using QMS documented information templates controlled in the Cognidox Document Management System, you will be in a strong position to show an assessor that you are taking appropriate actions to address risks and opportunities, in line with the requirements of ISO 9001:2015!

[69] Ibid., adapted from the Monitoring and Review section summarised on pp.
[70] ISO/DIS 9001:2014, 4.4 Quality management system and its processes, p.
[71] Ibid., p.26.

4 Summary and Conclusions

In this paper, we looked at the topic of risk-based thinking (RBT) in the context of ISO 9001:2015. This is something of a sore point among Quality professionals. Some believe that RBT is an ill-considered introduction in the latest revision of the standard. Others are more positively inclined towards it. Either way, the Standard revision (at least in draft form) is not at all clear on what needs to be done. One approach could be to look to the ISO family of standards for guidance. If you do, then ISO/IEC 31010:2009 Risk management - Risk assessment techniques would be a key input.

The need for Risk-Based Thinking (RBT)

We began by saying that identifying risk, analysing the consequences, probability and level of risk (i.e. risk analysis), and evaluating risk using formal techniques, are becoming increasingly important in the global business world. Formal risk management is not mandated by ISO 9001:2015 (at least not in the draft published in 2014). However, organizations can, in the words of the TC 176 Committee's draft standard (May 2014), "choose to develop a more extensive risk-based approach than is required by this International Standard, and ISO provides guidelines on formal risk management which can be appropriate in certain organizational contexts".

So what will actually be required by ISO 9001 assessors as evidence of risk-based thinking? At this point in time (June 2015), we do not really know. You could read the DIS to suggest that the outputs from your processes to consider risk will need to be shown as evidence of RBT. Whether or not this is the case when the ISO 9001:2015 Standard is published in September, risk-based thinking is likely to be required to plan and control the quality management system (QMS) and its component processes and activities, and is unlikely to be ignored in certification audits.

Why think about risks in the context of Quality Processes?

Apart from the obvious answer that most ISO 9001:2008-registered organizations would like to continue to comply with the Standard, there are several good reasons for analyzing and prioritizing the risks and opportunities, and planning the actions necessary to address the risks. To achieve that often complex task, ISO 31000:2009 can help in taking a risk-based approach to the quality management system, component processes and activities, although the ISO 9001:2015 standard will not (or is unlikely to) mandate the use of formal risk management processes.

Unfortunately, ISO has not been specifically designed to explain how you should apply "risk based thinking" to quality systems. Instead, it takes a generic approach that has to be developed, often in considerable detail, to be useful in a given context. In practice, risk management using ISO is not likely to be intuitive. Risk assessment in ISO may be undertaken in varying degrees of depth and detail, and using one or many methods ranging from simple to complex. When applying these ideas to quality systems, it would surely be appropriate to select a form of risk assessment method with an output

that is consistent with the risk criteria developed as part of establishing the context [Clause 6.2]? Assuming that you do not have a method in place already: which one should you choose from the bewildering array?

A risk assessment process needs to include the following task activities:
- risk identification;
- risk analysis: consequence analysis;
- risk analysis: qualitative, semi-quantitative or quantitative probability estimation;
- risk analysis: assessing the effectiveness of any existing controls;
- risk analysis: estimation of the level of risk;
- risk evaluation.

The tools necessary to achieve these steps are listed in ISO 31010:2009, especially Table A.1 Tools used for risk assessment. However, it has to be said that the list is daunting to many quality professionals who are unfamiliar with risk management processes. The sheer complexity of some types of risk assessment will render the tool useless in most organizations employing between 1 and 250 people. However, that does not mean to say that ISO is not a valuable reference should you ever be required to think about risk in these terms.

We have described a selection of the 31 techniques listed in ISO. We have attempted to link these tools to QMS processes in a meaningful way; however, our approach is not intended as a reference, since a great deal will depend on the organization's context and there are a considerable number of possibilities (potentially many thousands for different types and/or sizes of organization). There is also no common consensus as yet regarding which ISO risk assessment techniques are the most appropriate to apply to ISO 9001:2015 quality processes, although this is certain to be covered in future books and journal articles on how to comply with the standard.

4.1 Risk Assessment Methodology for applying RBT to QMS

Accepting that nobody can be 100% sure of how RBT will be assessed in any given QMS, we have proposed in this series of posts a method for applying RBT in the form of a basic risk management model. This is guided by the work of established risk management gurus, including Dale F Cooper, but also takes account of continual process improvement models, such as those used in ITIL. This breaks down into six simple Steps. To close, we look at the 6-step process we are recommending and provide links to templates for documenting the outputs that we hope you will find useful. Click on the document icon to download the PDF, or visit the Free Templates page in our Documents Library.

The six steps are:

1. Establish the context

This step determines the issues and requirements that can impact on the planning of the quality management system, including: (a) the main objectives and outcomes that are uncertain / subject to risk; and (b) the needs and expectations of the organization's customers and other relevant interested parties; the products and services it provides; the complexity of processes it employs and

their interactions; the competence of persons within or working on behalf of the organization; and its size and organizational structure. An example statement of context template is available here.

2. Risk identification

This step involves selecting a suitable process for risk identification and, for each quality process, identifying and numbering the risks. This process records the risks in a Risks and Opportunities Register (R&O Register) that would form an integral part of the Quality Management System. We offer two supporting templates: a Risk Description Brainstorming Sheet and a Risks & Opportunities Register.

Risk Description Brainstorming Sheet:
Risks & Opportunities Register:

3. Qualitative risk analysis & risk evaluation

This step considers (for each risk) the effectiveness of the existing controls using a suitable effectiveness scale; the consequences (impact) for each risk; the likelihood of these consequences occurring; and the potential exposure were the controls in place to fail.

4. Semi-Quantitative risk assessment for systems and processes

A semi-quantitative measure of risk is an estimate derived using a scoring approach. Risk indices are used to rate a series of risks using similar criteria so that they can be more easily compared. The template below is an example Semi-Quantitative Risk Assessment Calculator (SQ-RAC) worksheet, adapted from Dale F Cooper.

5. Risk treatment

This step considers options for either avoiding or seeking the risk; changing the likelihood; changing the consequences; sharing the risk; or explicitly accepting the risk without further treatment. We offer two supporting templates: a Risk Treatment Plan Template and a Risk Treatment Options Worksheet.

Risk Treatment Plan Template:
Risk Treatment Options Worksheet:

6. Monitoring & review

Periodically, the team will re-assess risks and decide whether new risks are affecting or could affect quality processes and systems, as part of the cycle of continuous quality process improvement.

4.2 Conclusion

The key point in this white paper is that risk-based thinking (RBT) is here to stay in ISO 9001:2015 and other ISO standards. We believe that it is in your interests to maximise the likelihood of what we term Option 3: that your ISO auditor will positively note evidence that you have applied RBT. To do this, you might look to ISO and its list of risk assessment techniques. This is not as easy as it sounds. We have therefore put together a best practices guideline in the form of a proposed six-step methodology.

Company Information

Registered Office:
Cognidox Limited
St John's Innovation Centre
Cowley Road
Cambridge CB4 0WS
UK

Registered in England and Wales No.
salesinfo@cognidox.com
Telephone +44 (0)

Smart Document Management

CogniDox helps teams in Engineering, Marketing, Sales, Operations and other departments to capture, share and publish product and design documentation. This easy-to-use tool helps break down the barriers to finding information, share solutions and enjoy a faster, more productive development workflow inside your company. In addition, CogniDox helps you manage and publish documents and other content to licensed customers. It reduces technical support load and accelerates your customers' time to market.