to apply Risk-based Thinking to Quality Processes [Part I]
Why taking a risk-based approach is a requirement of ISO 9001
Risk-based thinking is a sore point among many Quality professionals. Even so,
identifying risk, analyzing the consequences, probability and level of risk (i.e. risk
analysis) and risk evaluation using formal techniques are becoming increasingly
important tasks in the global business world.
ISO 9001:2015 incorporates what the draft version of the International Standard has
termed Risk-based Thinking in its requirements for the establishment,
implementation, maintenance and continual improvement of the quality management
system. If you are already familiar with the DIS or have read the many discussions on
the subject that have appeared on LinkedIn groups and elsewhere, you will already be
aware that formal risk management is not mandated. However, organizations can, in
the words of the TC 176 Committee's draft standard (May 2014), choose to "develop
a more extensive risk-based approach than is required by this International Standard,
and ISO 31000 provides guidelines on formal risk management which can be
appropriate in certain organizational contexts".
I am sceptical about the subject of demonstrating risk-based thinking to a certification
auditor when they assess your quality management system. Of course, it's possible that
you won't be subject to an intensive grilling if the Standard does not require you to
produce the outputs from your risk assessment processes or evidence of a formal risk
management system. Yet if risk-based thinking is required by ISO 9001:2015 to
plan and control the quality management system (QMS) and its component processes and
activities, it is unlikely to be ignored in the certification audit process.
Which begs the question:
themselves either, unless they are the ones writing the guidelines!], and (b) a useful way
of identifying, evaluating and treating the kind of risks that apply to the processes used
in Quality Management.
What is acceptable?
What is unacceptable?
Then
However, this list presupposes that you have identified risks and opportunities.
So if you haven't yet, how do you approach risk identification in your context?
Read on...
The ISO 9001 DIS says that ISO 31000 provides guidelines on formal risk management
which can be appropriate in certain organizational contexts.
This fact will be well understood by those working for large, indeed global entities that
have long since adopted risk management methodologies and have risk managers on
their team who are familiar with ISO 31000.
But what is ISO 31000 attempting to achieve, and is it relevant to the majority of
organizations that are trying to gain or transition to ISO 9001?
ISO 31000 describes an overall approach to risk management, not just risk analysis or
risk assessment. It deals with the links between the risk management process and both
strategic direction and day-to-day actions and treatments [1]. On the face of it, this
sounds an ideal recipe for risk-based thinking. Pick up the Standard and read it, and this
thought is quickly dispelled, since ISO 31000 takes a generic approach that has to be
developed in considerable detail to be useful in a given context.
Great for the Strategic aims of the senior management, but not of any great value to the
poor bloody infantry of quality managers out there.
Perhaps the first (and most frustrating) conclusion that you will come to, having spent
£120 ($180 USD) on your personal copy, is that you next need to buy ISO/IEC 31010:2009
Risk management - Risk assessment techniques: a slightly steeper £226 from BSI, or
$337 USD, on 24/03/15.
So your boss says, "OK, buy the one that you actually need, but don't come back to me
asking for any more. We've got by without risk-based thinking in the past [insert
number of years or decades]; surely we will do so this time?" And you thank her or him
for authorizing the purchase.
The pdf arrives on your machine. You open it. There are 92 pages, 6 of which in Annex A
are a comparison of risk assessment techniques (some useful tables here) before you
arrive at Annex B, consisting of 61 pages describing the 31 risk assessment techniques;
all for the kind of people who enjoyed Mathematics (statistics especially) at school but
who may not be that interested in helping you to design effective quality processes.
Yes, there's a worthy (absorbing even?) preamble about risk assessment concepts and
processes. There is also a clause describing how techniques for risk assessment may be
selected, which starts with the valid advice:
Risk assessment may be undertaken in varying degrees of depth and detail and using
one or many methods ranging from simple to complex. The form of assessment and its
output should be consistent with the risk criteria developed as part of establishing the
context. [Clause 6.2]
There is no point in making life more complicated than it needs to be; thus:
In general terms, suitable techniques should exhibit the following characteristics:
Great!
By now, you're probably fired up with the possibility of finding a suitable risk
assessment technique that fits the context of your organization and its quality
management system. You can't wait to get started on the job.
(Come on, humour me!)
You turn to Annex A (informative): Comparison of risk assessment techniques
And quickly realize that there are more risk assessment techniques than you thought
existed; even a cursory reading suggests that some are complex. Notably the ones
that are strongly applicable to each step of the full risk assessment process; specifically:
risk identification;
risk evaluation.
Below is the list of the 31 tools. Depending on the industry you are working in, you will
almost certainly recognise at least some of them, even if you haven't actually used any
of the techniques to assess risk.
Table A.1 Tools used for risk assessment
1. Brainstorming
2.
3. Delphi
4. Check-lists
5.
6.
7.
8.
9.
10. Scenario analysis
11.
12.
13.
14.
15.
16.
17. Cause-and-effect analysis
18.
19. Decision tree
20.
21.
22.
23.
24. Markov analysis
25.
26.
27. FN curves
28. Risk indices
29. Consequence/probability matrix
30. Cost/benefit analysis
31.
employing between 1 and 250 people. However, that doesn't mean to say that ISO
31010 isn't a valuable reference should you ever be required to think about risk in these
terms.
Bear with me, though, because in the next few posts, I am going to show you a method
to assess risk by turning Complexity into Simplicity!
[1] Project risk management guidelines: managing risk with ISO 31000 and IEC 62198, Dale F Cooper,
LOOK UP METHODS
Check-lists
A simple form of risk identification. A technique which provides a listing of typical
uncertainties which need to be considered. Users refer to a previously developed list,
codes or standards.
Check-lists and reviews of historical data are, naturally enough, a sensible step if you are
serious about identifying the risks and opportunities in accordance with the
requirements of ISO 9001:2015 Clause 6.1, and intend to plan and implement the
appropriate actions to address them. You could, however, enhance the quality of the
output by following a systematic process to identify risks by means of a structured set of
prompts or questions for the experts: see Structured interview below.
Personally, I would start by making a check-list of the known issues in the environment
that can (a) affect conformity of products and services [risk] and (b) have the ability to
enhance customer satisfaction [opportunity].
No ISO 9001 assessor is likely to fault you for making this much effort; whether or not
you have addressed these risks and opportunities in the design of your quality
management system and its associated processes.
However, it is also worth remembering that check-lists are most useful when applied to
check that everything has been covered after a more imaginative technique that
identifies new problems has been applied.
SUPPORTING METHODS
Structured interview and brainstorming
A means of collecting a broad set of ideas and evaluation, ranking them by a team.
Brainstorming may be stimulated by prompts or by one-on-one and one-on-many
interview techniques.
So what should we plan to collect in terms of ideas and evaluation?
Let's remind ourselves first of what ISO 9001:2015 says we should do.
When planning for the quality management system, ISO 9001:2015 requires
organizations to consider the issues referred to in 4.1 [Understanding the organization
and its context] and the requirements referred to in 4.2 [Understanding the needs and
expectations of interested parties] and determine the risks and opportunities that need
to be addressed, in order to:
a) give assurance that the quality management system can achieve its intended
result(s);
b) prevent, or reduce, undesired effects;
c) achieve continual improvement.
We should integrate and implement the actions into the organization's quality
management system processes (see clause 4.4) and evaluate their effectiveness.
What are the risks associated with the organization's context and
objectives and why does each risk occur? [identifying the risk and the reason
for its occurrence].
2.
3.
developed list available of hazards, risks or control failures, either resulting from a
previous risk assessment or past failures, where do you begin? This is likely to be an
especially vexing question for organizations that are new to ISO 9001 quality
management and have to develop appropriate documented information for their
quality processes.
However, a cautionary note:
Before you despair and start writing out check-lists based on your own observations in
an effort to tick the box, remember that your colleagues in other departments and
business units may already be using some of the formal techniques of risk assessment
and risk management process (in a silo-centric way of course), without you even
knowing about this.
To quote from the Introduction to ISO 31000:2009:
"The current management practices and processes of many organizations include
components of risk management, and many organizations have already adopted
a formal risk management process for particular types of risk or circumstances" [1].
It follows therefore that it is worth interviewing them (in a structured or unstructured
way) or bringing them together for a brainstorming session if only to find out what
qualitative and quantitative risk assessments have been made that could help you to
address the requirements of ISO 9001!
Whether or not anyone is carrying out risk assessments, though, with or without the use
of the tools in ISO 31010, ISO 9001:2015 expects the organization to understand its
context (see clause 4.1) and determine the risks and opportunities that need to be
addressed (see clause 6.1).
For example, ISO assumes that one of the key purposes of a quality management
system is to act as a preventive tool, taking account of identified risks. Consequently, ISO
9001:2015 does not have a separate clause or sub-clause titled Preventive action.
Rather, the wording states unequivocally:
"The concept of preventive action is expressed through a risk-based approach to
formulating quality management system requirements." [2]
Although there are undoubtedly a number of quality professionals who feel
uncomfortable talking about risk in relation to preventive actions, assessing risk is
something that managers in most (all?) organizations do already in one form or another.
They may not always use the term risk to describe their activities, which could include
for example conducting a sensitivity analysis of a financial projection, or scenario
planning for a project appraisal, assessing the contingency allowance in a cost estimate,
Next time: more risk assessment tools described in ISO 31010. How useful could
they be to quality professionals in different contexts?
For a start, due to the introduction of Annex SL, the requirements for
documents and records (documented information) are now contained within each
of the clauses numbered 4 through 10 in the new structure. See further down.
At the same time, familiar document references will be erased from the standard.
As mentioned, one of the most notable deletions is Quality Manual. This might
be a shocker for those whose QM careers date all the way back to the
introduction of ISO 9001 in 1987. Yet this is only one among a number of changes
that set ISO 9001:2015 apart as a major revision of the QMS Standard.
Documented information now means both documents and records.
A.6 Documented information explains that, [due to the introduction of the Annex SL
common management system framework] "a common clause on Documented
Information has been adopted without significant change or addition". This
means that the terms documented procedure and record have been replaced in
ISO 9001 with documented information.
I counted the text documented information appearing a total of 34 times in the
committee draft of ISO 9001 between Clauses 4 to 10.
From that figure alone, you can appreciate that ISO 9001:2015 will require the
creation/maintenance of a sizeable number of documents!
format (e.g. language, software version, graphics) and media (e.g. paper,
electronic);
How do you know that the documented information has been approved?
What are the steps in your process for reviewing, updating and re-approving
documented information? Does it include a regular review of changes, and who
is responsible for the different parts of this process?
Who has access to the documented information and is the current version
available where it is needed, for example by teams operating in the field?
How will you archive and segregate obsolete documented information that
you want to retain?
Once again here, this is not an exhaustive list, but it does highlight the
complexity of the task of managing the documented information.
You can find a further discussion of this topic on an earlier CogniDox blog; see:
Document Control, ISO 9001 and CogniDox DMS
Mark Hammar's post on the excellent ISO 9001 Blog (dated May 20, 2014) has
some helpful tips and advice on ISO 9001 document control:
Some Tips to make Document Control more useful for your QMS
Given the sheer number of new documents that are likely to be required, a
document management system (DMS) hosted on your server or in the cloud is
worth considering before you transition.
In our earlier post (see above) on the subject of using a DMS versus other
approaches, we showed how CogniDox maps to the list in Mark Hammar's post to
give you much greater control over your documented information.
Mark's useful tips will help to make your controls better suited to your
organisation's needs. He lists them under the following seven categories:
1.
2.
3.
4.
5.
6.
7.
For those looking for straightforward answers to the simple questions regarding
the 2015 version and transition process, I recommend BSI's FAQ on ISO
9001:2015 in the ISO Revisions series; see the reference below:
ISO 9001:2015 Revision, Frequently Asked Questions Approaching change, BSI
Group, July 2014 [PDF]
For a more detailed discussion about the importance of risk in quality
management and why this idea is not new, BSI's white paper is useful:
ISO 9001 Whitepaper, The importance of risk in quality management
Approaching change, BSI Group, December 2014 [PDF]
The BSI White Paper ISO 9001: Understanding the changes from ISO Revisions is
also useful in explaining the likely impact of ISO 9001:2015:
ISO 9001 Whitepaper, Understanding the changes, Approaching change, BSI
Group, July 2014[PDF]
I also recommend an earlier white paper by Evgeny Avanesov, D.B.A., Prof. at
TEST-St.-Petersburg, and (as stated on the document in 2009) a Member of
Russian delegation in ISO/TC 176, ISO/TC 207, see the link:
Risk Management in ISO 9000 Series Standards [PDF]
Although this document was published in 2009, it is interesting to revisit because
it came out when the common concepts and ideas for future activities of ISO/TC
176 on the revision of ISO 9001 were being formulated.
The author provides "Examples of the requirements of ISO 9001:2008, indirectly
associated with the risk management". The table on page 6 of 11 is worth
reading whether you believe that risk-based thinking is a new idea, or
something that you do already (see the Conclusion of BSI's 2014 white paper
and ISO's white paper titled ISO 9001 and Risk).
For ISO's own (easily digested) explanation of Risk-based Thinking, view their
slideshare presentation at:
http://www.slideshare.net/timdwill/iso9001-risk-basedthinking
Note slide 4 of 12, "What is risk-based thinking?", which features a version of the
statement found in the DIS, Clause 0.5, Risk-based thinking; i.e. "the concept
of risk has always been implicit in ISO 9001; this revision makes it more explicit
and builds it into the whole management system".
The ISO white paper on the same subject of ISO 9001 and Risk can be
downloaded from Public information on the ISO TC/176/SC2 Home Page:
http://isotc.iso.org/livelink/livelink/open/tc176SC2public
Note the frequently quoted line: Risk-based thinking has always been in ISO
9001 - this revision builds it into the whole management system. [Source: ISO
Document N1222, July 2014, page 2], which appears, in a longer and more
detailed form, in the committee draft of the standard.
2.
3.
4.
5.
Commentary:
For SME organisations employing <50 people, among the first things that I would
definitely recommend checking are the default configurations of routers, including
converged wireless routers with access points (AP) and often an Ethernet switch, which
offer little security in their default setting.
Wireless routers are very common in micro-businesses and home office set-ups in
particular; hence I would have named these devices by saying:
Computers and network devices (including wireless routers/wireless access
points) should be securely configured
It is good practice to begin hardening your configuration by ensuring that your router is
secure, as this is one of the best initial lines of defence. Consult the user's guide, which
will direct you to a predefined URL or IP address where you can do the following:
I would also have stressed that many wired networks base their security on physical
access control, trusting all the users on the local network, but if wireless access points
are connected to the network, anybody within range of the AP (which typically extends
farther than the intended area) can attach to the network. Your security stance will be
compromised if it is easy to attack your network using unencrypted wireless access
points.
Control in management means setting standards, measuring actual performance
and taking corrective action. Control is a continuous process.
I would have added to the Cyber Essentials Requirements that you should remove
unnecessary software and disable nonessential services, and modify unnecessary
default features to eliminate opportunities for attack, on a continuous basis. Your
system technology is constantly evolving and new software/software upgrades can
introduce security vulnerabilities see below. Only through system hardening measures
can you hope to maintain an optimum level of protection when connected to the
internet; and even then unmitigated vulnerabilities will be exploited by the hackers.
From the initial installation onwards, review the features that came enabled by default
on your computer and disable or customise those you don't need or plan on using. As
with nonessential services, be sure to research these features before disabling or
modifying them. Recent operating systems are configured more securely by default and
are preferred. However, all systems should be continuously hardened. Besides the
operating system, some user-installed applications provide network services to
communicate with other devices. In many cases these services are required for the
intended operation of the device, and are therefore permitted. However, some
applications install gratuitous network services that are either not required or are
configured to provide network access when only local access is required. Hence, it will
not be enough to apply this requirement once a year or every 6 months and still be
confident that you have these issues under control. Cyber security is not a steady state.
Next up: access control. In computer security, general access control
includes authorisation, authentication, access approval, and audit.
Cyber Essentials Control 3, User access controls, adopts elements of this definition in
the Requirements, including a regular review of special access privileges. It stops short
though of calling the process an audit.
2.
3. Details about special access privileges (e.g. the individual and purpose)
should be documented, kept in a secure location and reviewed on a regular basis
(e.g. quarterly).
4.
5.
6.
7.
You put yourself in the position of an attacker. What is your primary task once you have
infiltrated (i.e. got into) a network? It's not really a brain-teaser question: just ask
yourself what you would do in the real world to gain access to valuable data assets.
Your job the moment you are in the system is to initiate escalation of privileges, which is
how an attacker attempts to gain more access from the established foothold that they
have created. After an escalation of privileges has occurred, there is little left in the
systems defences to stop an intruder from whatever intent that attacker has. Attackers
employ many different mechanisms to achieve an escalation of privileges (too many for
this post!), but primarily they involve compromising existing accounts, especially those
with administrator equivalent privileges.
In most cases the bad guys need hours to compromise (>75% of the cases) where the
good guys rarely get their job done in less than months (incredibly, only about 25% of
the breaches are detected in days or less). [Source: The 2014 Verizon DBIR Report:
Time-to-Compromise vs. Time-to-Discovery]
After an attacker has compromised a network to the point where a critical account with
high privileges is compromised, the entire network can never be considered as
completely trustworthy again unless it is flattened and completely recreated. Therefore
the level of security for all manner of accounts is a very important aspect of any network
security initiative.
In the words of Microsoft Developer Network: The matter of managing the security
for all account types in a network is very important to managing risk for a midsize
business network. Internal and external threats must be taken into account, and the
solution to these threats must balance the need for security with the functionality a
midsize business demands from their network resources. As a small business grows,
the number of all types of accounts increases, and so too do the number of exploitable
vulnerabilities. However, this is often forgotten in the priorities set by management in
the commercial pressure to expand.
Personally, I consider the control themes in this Requirement to be one of the most
useful aspects of Cyber Essentials. Administrative accounts should only be used to
perform legitimate administrative activities, and should not be granted access to email
or the internet. SMEs and quite a few large organisations need to understand the cyber
risks associated with administrative, service, application-related, and default accounts.
At this point it is worth remembering that the National Security Agency (NSA) is the font
of information security wisdom for the US defence and intelligence communities. Yet,
despite this obvious reason for strong cyber security, the NSA's network security was apparently so
weak that a single administrator was able to hijack the credentials of a number of NSA
employees with high-level security clearances and use them to download data from the
agency's internal networks, so the problem really exists.
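Control 3 as discussed above has two checks that are easy to automate once the register of special access privileges exists: that every entry is documented and reviewed on schedule (quarterly in the Requirements), and that administrative accounts are not being used for email or web browsing. Here is an added example (not from the post or from Cyber Essentials); the register, the proxy log lines and the 90-day review window are constructed assumptions.

```python
"""Periodic review of special access privileges (Cyber Essentials Control 3).
Added example; the register, the proxy log and the review window are constructed
or assumed, not taken from the post."""
from datetime import date, timedelta

REVIEW_INTERVAL = timedelta(days=90)  # "quarterly" taken as 90 days (assumed policy)

# Constructed register of accounts holding special (admin-equivalent) privileges.
PRIVILEGE_REGISTER = [
    {"account": "adm-jsmith", "owner": "J. Smith", "purpose": "server patching",
     "last_review": "2015-01-10"},
    {"account": "adm-backup", "owner": "IT Ops", "purpose": "",
     "last_review": "2015-03-01"},
    {"account": "svc-sql", "owner": "DBA team", "purpose": "SQL service account",
     "last_review": "2014-09-15"},
]

# Constructed web-proxy log: "<timestamp> <user> <destination> <status>" per line.
PROXY_LOG = """\
2015-03-24T09:12:01 jsmith www.example.com 200
2015-03-24T09:15:44 adm-jsmith webmail.example.com 200
2015-03-24T10:02:10 svc-sql update.example.org 200
2015-03-24T10:30:00 bjones intranet.example.local 200
"""


def overdue_reviews(register, today_iso):
    """Accounts whose last documented review is older than REVIEW_INTERVAL."""
    today = date.fromisoformat(today_iso)
    return [e["account"] for e in register
            if today - date.fromisoformat(e["last_review"]) > REVIEW_INTERVAL]


def undocumented_privileges(register):
    """Accounts whose register entry lacks an owner or a stated purpose."""
    return [e["account"] for e in register
            if not e.get("owner", "").strip() or not e.get("purpose", "").strip()]


def admin_web_activity(log_text, register):
    """Proxy records where a privileged account browsed the web or used webmail,
    which the Requirements say administrative accounts should not be doing."""
    admins = {e["account"] for e in register}
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        timestamp, user, destination = fields[0], fields[1], fields[2]
        if user in admins:
            hits.append((timestamp, user, destination))
    return hits


def control3_report(register, log_text, today_iso):
    """Bundle the three checks so they run as one scheduled review."""
    return {
        "overdue_review": overdue_reviews(register, today_iso),
        "undocumented": undocumented_privileges(register),
        "admin_web_use": admin_web_activity(log_text, register),
    }


if __name__ == "__main__":
    # Review date chosen to match the 24/03/15 date quoted earlier in the post.
    for check, result in control3_report(PRIVILEGE_REGISTER, PROXY_LOG, "2015-03-24").items():
        print(f"{check}: {result}")
```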
1.
2.
3.
4.
5.
computer. While the email may appear to come from someone you know, it really came
from a compromised computer.
Relying purely on your malware protection software is not a good idea. You should take
steps to raise staff awareness of the external threats, and what steps they can take as
individuals to avoid malware infection.
Personally, I would like to have seen a reference to training employees in cyber security
awareness and incident reporting rather than total reliance on software tools: both are
important in reducing the risk of data breach.
Likewise, there should be a health warning about advanced persistent threats to dispel
the notion that Cyber Essentials controls are effective against 100% of the malware
attacks perpetrated by determined hackers.
However, what Control 4 attempts to do is probably a realistic goal for essential
security given the limited aims of Cyber Essentials certification.
And so, finally, we arrive at the fifth and final Cyber Essentials Control:
5. Patch management
Objectives: Software running on computers and network devices should be kept
up-to-date and have the latest security patches installed.
Any computer and network device that runs software can contain weaknesses or
flaws, typically referred to as technical vulnerabilities. Vulnerabilities are common
in many types of popular software, are frequently being discovered (e.g. daily),
and once known can quickly be deliberately misused (exploited) by malicious
individuals or groups to attack an organisations computers and networks.
Vendors of software will typically try to provide fixes for identified vulnerabilities
as soon as possible, in the form of software updates known as patches, and
release them to their customers (sometimes using a formal release schedule such
as weekly). To help avoid becoming a victim of cyber attacks that exploit software
vulnerabilities, an organisation needs to manage patches and the update of
software effectively.
Basic technical cyber protection for patch management
Software should be kept up-to-date. As a minimum:
1.
software vendor or supplier of the software) to ensure security patches for known
vulnerabilities are made available.
2.
3.
4.