ISO 9001:2015 Update Series:

Integrated-Standards.com has many tools to help you integrate ISO Standards in their existing
format, which will be simplified with Annex SL.

This is the next part of our continuing series on the ISO 9001-2015 revision.
Our previous installments dealt with the general revision process and the new
Annex SL underlying template being used for this revision and for other
quality standards.

Making Risk Part of the Quality

Management Process
Preventing and correcting unwanted actions and outcomes have long been a
part of ISO 9001, but it has been limited to specific elements of the quality
management process. ISO 9001:2015 is about to change that.
As an organization, ISO has already addressed the notion of a more global
risk management approach to businesses in its ISO 31000 standard, which
provides an organizational-level risk management approach. ISO 31000 deals
with crucial risk management concepts like:

Avoiding activities associated with a given risk

When to or not to accept risk when taking advantage of a key
opportunity
Acceptable ways to remove a risk source entirely

Another example of ISOs move into risk management is ISO 9004, which
addresses many aspects of risk management such as including the needs and
expectation of interested parties and risk's impact on strategy and innovation.
Is ISO Risk Management Emphasis Really New?
But what about risk management at the individual standards level? Here too,
ISO has essentially built whole standards around the concept of planning for
and responding to risk. Key examples are ISO 14001 which in effect is a
blueprint for dealing with environmental problems before, during and after
their inception. The same goes for AS9100 which requires identification,
assessment and communication of risks throughout product realization,
identification, implementation and management of actions to mitigate risks
that exceed the defined risk.

A Giant Risk That ISO 9001 2015 Could Have

Mitigated
The Northeast region of Japan has been the major supplier of key auto
components, not only for Japanese car companies, but other automakers
worldwide. After the 2011 earthquake/tsunami hit the area, Toyota, Nissan
and many other producers were forced to halt production with resulting sales
declines of almost 20% for some. Dependence upon a small, but vital set of
suppliers would be a major risk that the new ISO 9001 2015 emphasis on risk
mitigation would have required addressing.
And yet ISO 9001, perhaps the most broadly used management process in
history, seems to have remained focused on quality management. And for
many involved in the quality process from quality managers to consultants to
auditors, keeping it that way preserves a unique and important focus within
most organizations on keeping quality as high as possible.

ISO 9001:2015: Revolutionary or

Evolutionary?
The draft text of the ISO 9001:2015 revision expands the more limited view of trying
to find the "root cause" of a problem, then fix it and keep it from happening
again. Instead, it elevates the idea of risk management into higher priority. It
examines system-wide risks that can be concerns of a broader base that the
organization may serve. This can include not only customers, but other
"stakeholders" as well including employees, vendors, communities in which
the company operates, unions, regulators and beyond. It also asks the
company to balance the likelihood versus the impact of these potential
events.* (So for instance the impact of a meteor strike is enormous, but the
likelihood very small.)
But is the notion of charging a quality management system with the
responsibility of anticipating and responding to organizational such a major
reach? Perhaps not if you view ISO 9001 previous involvement with risk
management in specific areas of the standard, since clauses dealing with
subjects ranging from human resources to purchasing seem to address it.
(See the table below for some "indirect" examples of risk management
included in the current ISO 9001:2008 revision.)
ISO 9001:2008
clauses
5.6. Management
review

6.2 Human
Resources

Comments
Review should include an assessment of improvement
opportunities and needs for changes in the quality
management organization. One of the conditions of
this review is to analyze changes that could affect the
quality management system
By meeting the requirements to ensure the necessary
competence, you can manage the risks associated
with human resources.

The provision and maintenance of infrastructure (i.e.

buildings, equipment, information environment)
6.3 Infrastructure needed to achieve conformity to product
requirements, would manage the risks associated with
the control of infrastructure
The requirement to review contract prior to its
7.2.2 Review of
signing, including determining the organization's
requirements
ability to fulfill certain requirements, significantly
related to the
reduces the risk of default on contractual obligations
product
in the future
7.3.7 Control of
design and
It is necessary to evaluate the effect of the changes
development
on constituent parts and product already delivered.
changes
Definition of criteria for evaluating vendors and their
systematic evaluation reduces risks of the
7.4 Purchasing
vulnerability of organizations associated with the
activity of suppliers and partners
Provision of controlled conditions for production (i.e.,
7.5. Production
availability of necessary information, instructions,
and service
equipment, measurement and testing, etc.)
provision
significantly reduces the risk of release of
nonconforming products.
Monitoring information relating to customer
perception as to whether the organization has met
their requirements is an important element for the
8.2.1 Customer
identification of risks associated customer
satisfaction
dissatisfaction, and hence the risk to the reputation /
image of the organization and, consequently,
declining market share
8.2.2 Internal
audit

Internal audits help to identify operational risks

8.5.3 Preventive
action

The organization shall determine actions to eliminate

causes of potential non- conformances in order to
prevent their occurrence, i.e. to conduct risk
assessment.

The new ISO 9001-2015 revision focuses on risk management at the

organizational level. While this may seem a departure from a strict quality
management focus, there is ample focus within the existing standard on
controlling risk to justify an expanded focus. Above are just some of the
clauses that in effect mandate risk management, albeit for specific activities.
The new revision in its current draft form appears to expand these more
tactical risk management elements into a more programmatic view.

How ISO 9001:2015 Will Ask You To

Manage Your Risk
Interestingly, the current working draft of ISO 9001:2015 no longer even
mentions the specific term preventive action (although this may of course

change as the standard develops into a final form). This may be the first clue
on how the revision aims to take risk management to a higher level by
assuming that a management system (and in this case a quality management
system or QMS) is designed as a whole to prevent unwanted outcomes - and
that this function of isolating potential risks is really also implicitly preventing
them. In the draft, clause 4.1 requires your company to identify risks and
ways to address them so that the QMS can deliver upon its objectives.
Clause 6.1 does require a traditional prevention or reduction of unwanted
outcomes, but more in a more global sense and at a higher priority level. The
clause also asks the organization to consider opportunities, since many risks
contain both "opportunities" and "threats." Essentially ISO 9001:2015 will
likely ask organizations to do the common sense (but not commonly
executed) task of asking and answering key questions such as:

How will the organization identify potential threats?

What are they ways to prevent, or reduce, undesired effects?
How will the organization ensure that it can achieve its intended
outcomes?
Who will be responsible for ensuring that this process works correctly?
When and how will the risk management actions be triggered?
What are the priorities and cost impacts of each threat?
Where could these threats come from, and who are all of the potential
players that could help identify and deal with these risks?
How can such a system for dealing with these risks be evaluated,
tested and kept up to date to ensure it will work when needed?

What The 9000 Store Is Doing

We're here To Help You Address Potential ISO 9001:2015 Risk
Management Requirements
Since we are in the business of helping companies more quickly and more
cost effectively gain and maintain ISO 9001 certification, we are planning
major revisions of our document templates, training, software and
registration relationships to accommodate the risk planning features in the
new ISO 9001(2015) revision. We are also planning more education and
updates on specific areas of the standard. If you have not done so already,
we encourage you to sign up for our newsletter series to stay abreast of these
important changes.
In effect, 9001:2015 risk management asks the organization to establish an
end-to-end process for risk management and then to execute that process
consistently, carefully and widely. And while the process for creating and
applying risk management may never be overly specific because of the need
to apply in so many different situations, ISO has already provided a fairly rich
reference set in this area including:

ANSI/ASSE Z690.1-2011 Vocabulary for Risk Management (U.S.

Adoption of ISO Guide 73:2009),
ANSI/ASSE Z690.2-2011 Risk Management Principles and Guidelines
(U.S. Adoption of IEC/ISO 31000:2009)

ANSI/ASSE Z690.3-2011 Risk Assessment Techniques (U.S. Adoption

of IEC/ISO 31010:2009

How Risk Management in ISO

9001:2015 May Change Quality
Management
In a sense, quality management has always been about ensuring the output
of a group meets a consistent, acceptable level. But this new emphasis on
higher level risk impact may put quality management representatives
(including organizational quality personnel, consultants and auditors) in the
position of managing higher level business risks.
And where other planning is present (as perhaps in the case of larger
organizations), that role may also include reconciling or integrating those
other management systems around the risks identified through the new ISO
9001:2015 risk management process. (This may be even beyond current
responsibilities for integrating multiple standards into areas of strategic business
planning.) At whatever level the quality representatives operate, the
increased emphasis upon higher level risk management may necessitate a
broader perspective, increased organizational knowledge, and expanded skill
sets. This may be in opposition to others who see the role of quality
management shrinking and being "subsumed" by other departments or
functions such as engineering, human resources or financial management.
For example, the growing dependence upon global suppliers and outsourcing
of management functions, may shift the responsibility for assessment and
accountability in these functions to the quality representative, since the risks
associated with these functions could be one of the keys to creating and
managing risk under ISO 9001:2015.

Questions That Remain About

Implementing ISO 9001:2015 Risk
Management
The objectives of injecting more risk management into ISO 9001 may be
aimed at addressing a variety of management needs such as:

Moving to more of a data-driven decision process that increases

objectivity
Being able to more accurately prioritize risks and allocate resources to
mitigating them more successfully
Being truly preventative with respect to those risks that have the
potential for greatest harm
Capturing, retaining and transferring organizational knowledge
regarding risk mitigation as employees and managers change
Broadening the knowledge base regarding risk and creating
communication and trust among those who are involved

However, because of the major shift that this approach entails, and because
the revision is still very much a work in process, there are major questions
and concerns regarding ISO 9001:2015 risk management as proposed
including:

Will the inclusion of risk management make ISO 9001 (2015) more
confusing and less likely to be applied and audited correctly either by
the certification body or the registered organization?
How will ISO 9001:2015 risk concepts be harmonized and prioritized
with those expressed in other standards such as ISO 31000 since they
are to some extent unique?
Correctly implementing organization-wide risk management will likely
require more internal authority and access than many quality
representatives currently hold; will the new standard including
anything to help quality representatives gain this access and resources
Risk management may be a more abstract concept than other
elements of ISO 9001; will internal auditors, lead auditors and
registrars be able to audit these concepts?
Other more mature risk management systems include processes for
Governance, Risk and Compliance (GRC) and Enterprise Risk
Management (ERM) which are considered essential but are not yet
included in ISO 9001:2015's risk management approach.

*Some "risk-based thinking" models also consider the potential frequency

with which the threat can occur.