Risk is something every businessperson experiences and understands but rarely spends time thinking about it. There are risks in all our activities but have you thought about what risks you have and how you manage them?
In this blog, we will:
1. Define what risk and risk-based thinking (RBT) is
2. When/how ISO 9001 requires us to use risk-based thinking
3. Give you some FQ tips on how you could apply it in your organization
Overall, we will demonstrate to you that risk-based thinking is a crucial continuous improvement tool, like corrective actions, that we should use more often.
What is Risk?
Risk is something we all encounter, in our lives and our jobs.
For example, when you are:
1. A toddler, it is risky to take your first steps because you might fall.
2. In elementary school, trying the monkey bars might be risky.
3. In a business, the biggest risk we have is to lose a customer or make them unhappy.
It is easy to find examples of risk but not easy to as easy to define it.
When you search in Google for the definition of risk you will find definitions that imply there might be a negative outcome looming. But what if I told you that there could be positive outcomes when we encounter risk.
Is it too hard to believe?
-
-
- a situation involving exposure to danger.
- the possibility that something unpleasant or unwelcome will happen.
- a person or thing regarded as a threat or likely source of danger.
- a possibility of harm or damage against which something is insured.
- a person or thing regarded as likely to turn out well or badly, as specified, in a particular context or respect.
- the possibility of financial loss.
-
Source: Google
Let’s go back to the every-day risk we had mentioned before and let me prove to you that sometimes there are positive outcomes.
1. If the toddler did not take their first steps they would have never learned to walk.
2. When you try the monkey bars and you succeed, your arms will become stronger.
3. In business sometimes managing risk makes a customer happy.
Sometimes moving past the risk and managing it, helps you succeed.
As the American motivational speaker, Denis Waitley said: “Life is inherently risky. There is only one big risk you should avoid at all costs, and that is the risk of doing nothing.” Doing things despite any inherent risk will allow you to succeed and not managing risk is dangerous.
What is Risk-Based Thinking? (RBT)
Now that we know risk is everywhere and that we should not avoid it, we need to understand the ISO created this term, risk-based thinking. According to the standard in the general introduction, it states that “risk-based thinking enables an organization to determine the factors that could cause its processes and its quality management to deviate from its planned results, to put in place preventive controls to minimize negative effects and to make maximum use of opportunities as they arise.” Then it goes further in stating that risk-based thinking is “essential for achieving an effective quality management system”. Further, ISO 9001 states in 0.3.3 that “an organization needs to plan and implement actions to address risks and opportunities.”
Risk-based thinking is the act of thinking through a lens, the lens of risk.
ISO goes further in stating that risk-based thinking should not only focus on activities/ processes that could have negative outcomes but also on opportunities to improve or benefit. This will allow organizations to do the preventive control that will be extremely beneficial to a business.
Most of the time in business, issues arise and we fix them. This is a reaction state. However, ISO believes that if you are using Risk-based thinking every step of the way, then you will be able to improve things before they go awry. This is the preventive state.
So, let’s summarize and try to understand risk-based thinking (RBT):
- RBT is not only an attitude towards risk but the act of thinking about risk.
- It needs to be well planned + implemented.
- If done properly, it will allow us to prevent potential issues.
- Highlights any opportunities an organization could take.
- Is essential to make a QMS effective.
Why does ISO favor Risk-Based Thinking?
Risk-based thinking according to ISO 9001 is essential. Many of our customers ask the question: why is it such a big deal?
FQ believes that if you do not apply methodical risk-based thinking to your organization, then you will be in a reactive state. Improvement could still happen in reactive cases like it does through corrective actions. But these corrective actions are done once the company has been impacted. It could be compared to fighting a fire. You react to the fire, put the fire out, make improvements to prevent a fire from happening again, but things are already burnt.
The question is: when can you improve without affecting your organization? Well, we believe that ISO created risk-based thinking to ensure we were improving before any issues could happen. It provides analytical insight into the business. This will prevent any issues. It could be compared to all fire preventive measures you can take such as: making sure smoke detectors are working, maintaining all cords tidy, not overloading electrical outlets, etc.
In prior versions of ISO 9001 preventive actions were a requirement. Many businesses struggled with this requirement because they did not know how to effectively demonstrate they did it. Risk-based thinking replaced the preventive action requirement. It is a more comprehensive approach to prevention. RBT will help every process/activity not just tackle issues but provide opportunities for improvement.
Benefits of RBT are:
- Customer confidence and satisfaction will be boosted because they know you are always seeking improvement even though nothing is wrong.
- When we apply RBT in each process we will have more effective processes.
- RBT will build a proactive culture of prevention and improvement.
- Will prevent impacting your business’ resources by addressing issues before they happen.
- RBT allows us to view the effectiveness of our processes.
So now that we know why ISO favors this concept, and that it is beneficial for our QMS, we need to learn to implement it through our organization.
What ISO clauses require us to apply Risk-Based Thinking?
Risk-based thinking is required in many clauses throughout the standard. They want you to address risk in every phase of your management system. This makes sense because of all the benefits we can reap from. Below is a list of all clauses in ISO 9001 that imply or call out RBT. If you have the standard, you can cross-reference and ensure that you have implemented something to meet the requirements.
4.1 | 4.2 | 4.3 | 4.4.1 | 5.1.1 | 5.1.2 | 6.1 | 8.3.6 | 8.4 | 8.4.2 | 8.5.5 | 8.5.6 | 9.1.3 | 9.3.2 | 9.3.3 | 10.2.1
How to simply implement Risk-Based Thinking & ensure it is effective?
(FQ recommendations)
We have had customers who have bought document templates and had a procedure and form for each of the requirements mentioned in the cheat sheet. IT WAS STRESSFUL for the business. It took them more than a year to make these documents and could not get them to work well.
FQ TIP: DO NOT BUY TEMPLATES!!! We have seen it several times they do not work because one way of doing things does not fit all of us. WE ALL DO THINGS DIFFERENTLY. REMEMBER WE ARE HERE IF YOU NEED THE HELP.
We won’t give you all the secrets of our sauce because we’d rather have you choose us as your consultants. However, these are 2 ways we suggest you to address risk in your system:
1. Run a Strength-Weakness-Opportunity-Threat SWOT analysis.
– Sounds easy enough, but devote time learning about SWOT analysis and then decide how you will use it in your system.
– You will find some issues that do not imply risk to your business, so leave those out of the items you will address.
– Make sure most if not all your leadership team is involved in this analysis.
2. Ask these two questions for every process in your system:
– What could go wrong? (Risk)
-What can be done better? (Opportunities)
There are other tools you could use depending on how you want to address risk:
-
-
-
- Risk matrix
- Risk levels
- Risk logs/ database
- Annual Risk forms, etcetera.
-
-
Whatever tool you choose, you need to ensure it works for your business. Like we have said before- simple actions are more effective when you are setting a new QMS. And remember that ISO 9001:2015 does not require procedures to show actions to address risk. Your goal is to identify risks & opportunities, that your plans are executed, that your leadership team is committed to promoting risk and measuring the effectiveness of the actions taken.
If you need help, we are here to help… email us @ info@factorquality.com
Continuous Improvement (CI) as a result of Risk-Based Thinking
When you use risk-based thinking throughout all your organization you will notice continuous improvement becomes smoother and natural to all. It involves your leadership team in managing risk at the strategic and process levels. When you start having each leader address specific risks that the business needs to take action on, it will role-model employee engagement and will ensure your business addresses risk proactively.
Essentially if you are doing risk-based thinking and using corrective actions, your system should be extremely effective in driving continuous improvement.
If you have not fallen asleep yet, we hope you understand risk-based thinking, how important RBT is to your system and leave with some tips on how / what to do to get RBT implemented effectively in your system.
As you know we value sharing our knowledge so that we help businesses stop viewing quality as this abstract or complex beast. Quality can be relatable and easy to understand.
If you still have questions or would like us to help you set or improve your QMS in an easy/ simple manner contact us below. Remember, questions / quotes are free.
