Risk Based Thinking Model for ISO 9001

Risk based thinking is a must if you want to have better business planning. It improves the teams’ ability to deal with problems in a time-effective and less costly manner. This is why, adding risk and opportunity assessment in QMS like ISO 9001 can prove to be very advantageous.

The risk based thinking starts with considering the potential problems that may occur due to the context, process and product/service and decide what to do about them. The biggest benefit of risk based thinking is that it helps you figure out the best decision, either it is risk avoidance, risk mitigation and risk acceptance (in case if the cost to remove the risk is greater than the cost to fix the problem).

Risk based thinking can be helpful in QMS planning, product/service planning, requirements review for product/service, design, purchasing, product control, measurement, analysis and improvement, internal audit, disposition of a non-conforming product as well as devising preventive or corrective action.

Now, let’s see how to do the risk based thinking (a.k.a risk assessment) for ISO 9001.

Step 1: Identifying the Risk: The first step in risk based thinking is to identify the risks. Brainstorming is the best way to identify risks; you may ask yourself and the team following type of questions:

• Where are the risks in your processes? 
• What risks arise when making changes to the processes? 
• What resources are required to address the risks? 
• What are the risk areas in the design where requirements may not be met? 
• What risks are present when a design change is made? 
• What are the risks on adding a new supplier? 
• What are the risks that the first time supplier will not be able to deliver properly? 
• Do you have control over the riskiest parts of the production/creation process of product or service? 
• If the post-delivery activities, i.e. service/maintenance are planned; do they address the risk (identify instantly if something might go wrong)? 
• Are riskier processes scheduled to be audited more frequently? 
• Do you focus improvement on the riskiest parts of the process? 
• Have you considered the risks associated with the disposition of a non-conforming product?

Well, the list of questions may go longer depending upon your product/service, but the key proper risk identification is “focus on improvement”.

Step 2: Explore the Risk & Associated Areas:

The next step in analyzing each situation that you have identified earlier, i.e. figuring out the root cause, relating effected areas, noting down the intensity of the risk and knowing what needs to be done when a particular problem occurs.

You can devise a preventive or corrective maintenance plan right after knowing the problem, its root cause and the areas that it is affecting.

Following type of questions can help you assess the risks:

• Are there risks that stop you from meeting the requirements for the product or service? 
• Is there a new design responsible for limiting your abilities or knowledge? 
• Is there new technology that can help in meeting the requirements efficiently? 
• Are you measuring and analyzing the riskiest parts of the processor just choosing the ones easiest to measure?

Step 3: Assess Risk The above step requires you to document the risks in an order so the information should be readily available whenever it’s needed. Ideally, there should be a clear representation of identified risks/potential problems involved in processes, impacts involved in risks, relation to internal and external issues, i.e. context of organization that affects the process/products/services etc.
Know the risk history, assess the available options to deal with each risk and take control measure to reduce risks.