
ISO 9001:2015 Clause 6.1 Actions to address risks and opportunities, explained


Bite Size explanations and interpretations of the updated Business Management System standard
“There is an old adage that the way to climb a mountain is one step at a time.
In this series of articles I aim therefore to help organisations, on a clause by clause basis, to understand what can seem on first sight to be a bewildering range of requirements in the revised management system standard. I will do this in (as much as possible) plain English!
The intent is not to prescribe a road map to certification, as every business is different, but rather to help organisations understand the meaning and interpretation of the requirements in order to carry out a meaningful gap analysis against their current processes and procedures.
So, whether you are updating your existing management systems from the 2008 release, or implementing for the first time, I hope you find them useful on your road to certification.”
Dave Barker MCQI CQP
6 Planning
6.1 Actions to address risks and opportunities
This is a new and significant requirement which requires organisations to identify those risks and opportunities that have the potential to impact (negatively or positively) on the operation and performance of the management system. We will therefore spend a little more time in this article than on some of the carry-over requirements to the 2015 revision of the standard.

The requirement:

When planning for the management system, the organisation is required to consider article 4.1 (internal and external context in which the organisation operates) and article 4.2 (the requirements of interested parties) and establish the risks and opportunities that need to be addressed in order to:
1) Assure that the management system can achieve its intended results,
2) Enhance desirable effects,
3) Prevent, or reduce, undesired effects,
4) Improve.

In addition, the organisation must plan appropriate actions to address these risks and opportunities and also integrate and implement the actions into the management system processes (see article 4.4) and evaluate the effectiveness of these actions.
Actions taken to address risks and opportunities must also be proportionate to the potential impact on the conformity of products and services.
Comment:
Section 6.0 of ISO 9001:2015 is primarily concerned with the “Plan” part of the Plan, Do, Check, Act cycle.
The concept of risk has always been implied in the 9001:2008 standard, i.e. the now-deleted reference to “Preventive Action.” The 2015 update, however, makes it much more explicit and builds it into the whole management system. From the Introduction, where the concept of risk-based thinking is first explained, to Clauses 4, 5, (6), 9 and 10, risks and opportunities are required to be considered and acted upon. (Risk-based thinking is also implied in clauses 7 & 8, as risk can be considered implicit whenever “suitable” or “appropriate” is referred to.)

The intent is that by addressing risk throughout the business processes, the output quality is more consistent and customers are more likely to receive the required products or services. The emphasis on organisations assessing their own unique risks and opportunities has also enabled a reduction in prescriptive requirements in the standard. (Critics would term this as being more “woolly.”)

Methodology: Plan, Do, Check, Act

Although there are many tools and methodologies available, ISO 9001:2015 does not require formal risk management and there is no specific requirement on how to document the results of determinations of risks and opportunities. It is therefore up to each organisation to determine the extent of documentation needed to provide objective evidence of the application of appropriate risk-based thinking. (The important thing, of course, is to do whatever is right for your business.)
To this end, the Plan, Do, Check, Act approach can be used to great effect:

First, determine the risks and opportunities, for example by:

Analysis of external and internal issues.
(e.g. Legal, technological, competitive, market-related and cultural, social and economic environments, whether international, national, regional or local. Values, culture, knowledge and performance of the organisation.)

The relevant requirements of relevant interested parties (stakeholders).
(e.g. Customers, regulators, shareholders, board members, staff, competitors and subcontractors / suppliers.)

The scope of the management system.

The organisation's processes and their interrelationship.

Possible inputs to this process could include:

Legislative changes,
Product and process design innovations,
New contract or project launches,
Strategic planning,
Management review,
Customer feedback,
Market research and trends,
Competitor analysis,
Benchmarking,
SWOT analysis,
Operational performance / Key Performance Indicators,
Staff surveys,
Human resource plans,
Supplier development activities,
Management system audit results,
Corrective actions analysis,
Brain-storming activities.

Next, analyse and prioritise risks.

i.e. What is the probability and severity? (What is acceptable or unacceptable and hence requiring mitigation?)
Methods might include:
Research,
Analysis of data,
Formal risk assessment / prioritisation tools such as brainstorming, FMEA, risk registers, Pareto analysis, Pugh matrix,
Meetings output.

Plan, Do, Check, Act

Next, plan actions to address the risks / opportunities (Plan) and implement them (Do).
e.g.:
For Opportunities:
New practices, adopting / developing new technology, design of new products or services, opening new markets, identifying new customers, building relationships with strategic suppliers.

For Risk:
Actions to avoid the risk, deciding to take an identified acceptable risk in order to pursue an opportunity, eliminating the risk at source, changing the probability or consequences, sharing the risk, or retaining the risk by informed decision.
(Remember, planned actions must be proportionate.)

Possible tools and techniques:

Improvement projects,
Action plans,
Design reviews,
Capital investment plans,
The revision of old, or the setting of new, objectives,
Training,
Procedures / work instructions review.

(Check) the effect of the planned action, i.e.:

Monitoring and measuring of actions taken through the gathering, analysing and evaluating of data, to determine their effectiveness.

e.g. Key Performance Indicators, business metrics, internal audits, monitoring of corrective actions and action plans, and subsequent reporting into management reviews.

(Act) Embed the new state / revisit the PDCA cycle

If (from the Check phase) the actions have been effective, the new state should be embedded (i.e. revised practices, processes etc.); if not, repeat a new PDCA cycle.
(See also article 6.3 Planning of changes.)

Note:
For complex systems, an alternative, highly structured process may be required (e.g. Six Sigma).

ISO 31000 Risk management – Principles and guidelines may also be a useful reference for organisations that require a more formal approach to risk. It can be used by any business regardless of its size, activity or sector, but its use is not a mandatory requirement of ISO 9001:2015.
(See also article 9.1.3 Analysis and Evaluation.)

Audit Check:
These guidelines and lists are by no means exhaustive and every organisation will have its own unique risks and opportunities. However, businesses need to be prepared to demonstrate to auditors that a systematic, planned methodology is in place that allows them to determine the risks and opportunities relevant to the planning and implementation of the management system.
As risk-based thinking is now embedded throughout the standard, auditors are being advised to assess compliance when conducting audits across the entire breadth of the management system, including when interviewing top management (risk can of course impact on the business strategy), and to ensure that the effectiveness of planned actions (Act) has been followed up, as this is the most common point of failure in the Plan, Do, Check, Act process.

Dave Barker is a Chartered Independent Quality Practitioner, who through his company Relevant Business Solutions delivers flexible quality management support to organisations across the Midlands.
