ISO 9001:2015 Risk-based Thinking

1. ISO 9001:2015
Quality Management System

2. OBJECTIVES
• By the end of this session, you will be able to:
– Understand risk management
– Understand risk based thinking

3. IDENTIFYING AND
ADDRESSING RISK
• Organisations are required to:
– Identify the risks
– Address such risks
• Options to address risks:
– Risk avoidance
– Risk mitigation
– Risk acceptance

4. RISK
“Risk is often thought of only in the
negative sense. Risk-based thinking can
also help to identify opportunities, which
should be considered to be the positive side
of risk.”

5. What is Risk?
Effect of
uncertainty
on
objectives.
5

6. 3. What is risk-based thinking?
• Risk-based thinking is a
process of addressing both
risk and opportunities as a
basic for increasing the
effectiveness of the quality
management system,
achieving improved results and
preventing negative effects on
the achievement of an
organization’s strategic and
operational objectives. 6

7. .
• Risk-based thinking is
something we all do
automatically in
everyday life.
• Example: If I wish to
cross a road I look for
traffic before I begin. I
will not step in front of
a moving car.
What is risk-based thinking?

8. What is risk-based thinking?
• In ISO 9001:2015 risk is
considered from the
beginning and throughout
the standard, making
preventive action part of
strategic planning as well
as operation and review.
7

9. Risk-based thinking is already part
of
the process approach.
• Example: To cross
the road I may go
directly or I may
use a nearby
footbridge. Which
process I choose
will be determined
by considering the
risks.

10. • Risk is commonly
understood to have
only negative
consequences;
however the effects
of risk can be either
negative or positive.
mbustamanIA
B
10

11. • Opportunity is not always directly
related to risk but it is always
related to the objectives. By
considering a situation it may be
possible to identify opportunities
to improve.
11

12. •Risk is the possibility of events or
activities impeding the
achievement of an organization’s
strategic and operational objectives.
It is the volatility of potential
outcomes. Risk can be defined by
two parameters
• Severity (This is the Seriousness
of the harm)
•Probability (This is the
Probability that the harm will

13. Why use risk-based thinking?
• builds a strong knowledge base
•establishes a proactive culture
of improvement
•assures consistency of quality
of goods or services
•improves customer confidence
and satisfaction
13

14. How do we do it?
• 1. Use a risk-driven approach
in your organizational
processes.
• Identify what YOUR risks
and opportunities are – it
depends on context
If I cross a busy road with many fast-moving
cars the risks are not the same as if the road
is small with very few moving cars. It is also
necessary to consider such things as
weather, visibility, personal mobility and
specific personal objectives.
14

15. 2. Analyse and prioritize your risks
and opportunities
• What is acceptable,
• what is unacceptable?
• What advantages or disadvantages are there
to one process over another?
• Example
• Objective: I need to safely cross a road
to reach a meeting at a given time.
• It is UNACCEPTABLE to be injured.
• It is UNACCEPTABLE to be late.
15

16. • 3. Plan actions to address
the risks
• How can I avoid or
eliminate the risk? How
can I mitigate risks?
• Example: I could eliminate risk of injury by
using the footbridge but I have already
decided that the risk involved in crossing the
road is acceptable.
16

17. 4. Implement the plan – take the
action
• Example
I move to the side of the road, check
there are no barriers to crossing and
that there is a safe place in the centre of
the moving traffic.
I check there are no cars coming.
I cross half of the road and stop in the
central safe place.
I assess the situation again and then
cross the second part of the road.
17

18. 5. Check the effectiveness
of the actions - does it
work?
18

19. 6. Learn from experience -
continual improvement..
19

20. • To limit the risk I revise and improve my
process by using the footbridge at these
times.
• I continue to analyse the effectiveness of
the processes and revise them when
the context changes.
• I also continue to consider
innovative opportunities:
• - can I move the meeting place so that the
road does not have to be crossed?
• - can I change the time of the meeting so
that I cross the road when it is quiet?
• - can we meet electronically?
20

21. Conclusion
• risk-based thinking is not new
• risk-based thinking is something you do
already
• risk-based thinking is continuous
• risk-based thinking ensures greater
knowledge and preparedness
• risk-based thinking increases the
probability of reaching objectives
• risk-based thinking reduces the
probability of poor results
• risk-based thinking makes prevention a
habit 21

22. 22
ISO 9001 REQUIREMENT
Clause No Requirement
4.4.1 (f)
Quality management system and its processes shall Address the risks and opportunities as determined in
accordance with the requirements of 6.1.
5.1.1 (d) Leadership shall Promote the use of the process approach and risk-based thinking
5.1.2
Customer Focus -Ensure the risks and opportunities that can affect conformity of products and services and
the ability to enhance customer satisfaction are determined and addressed
6.1.1
While planning determine the risks and opportunities that need to be addressed to:
a) give assurance that the quality management system can achieve its intended result(s);
b) enhance desirableeffects;
c) prevent, or reduce, undesired effects;
d) achieve improvement.
6.1.2
The organization shall plan:
a) actions to address these risks and opportunities;
b) how to:
1)integrate and implement the actions into its quality management system processes (see 4.4);
2) evaluate the effectiveness of these actions.
9.1.3 Analysis and evaluate the effectiveness of actions taken to address risks and opportunities;
9.3.2 Discuss the effectiveness of actions taken to address risks and opportunities in MRM.
10.2.1 e) update risks and opportunities determined during planning, whenever NC arises

23. RISK ASSESSMENT
• Risk assessment is the overall process of
risk:
– Identification
– Analysis
– Evaluation

24. RISK IDENTIFICATION
• The organisation should identify:
– Sources of risk
– Areas of impacts
– Events (including changes in circumstances)
– Their causes
– Their potential consequences

25. RISK ANALYSIS
• Involves developing an understanding of the risk
• Provides an input:
– To risk evaluation and to decisions on whether risks need to be
treated, and on the most appropriate risk treatment strategies and
methods
– Into making decisions where choices must be made and the options
involve different types and levels of risk
• Involves consideration of:
– The causes and sources of risk
– Their positive and negative consequences
– The likelihood that those consequences can occur

26. Risk evaluation
• Purpose:
– To assist in making decisions, based on the
outcomes of risk analysis, about which risks
need treatment and the priority for treatment
implementation
• Involves:
– Comparing the level of risk found during the
analysis process with risk criteria established
when the context was considered
– Based on this comparison, the need for
treatment can be considered

27. Risk treatment
• Involves:
– Selecting one or more options for modifying risks
– Implementing those options
– Once implemented, provide treatments or modify controls
• Involves a cyclical process of:
– Assessing a risk treatment
– Deciding whether residual risk levels are tolerable
– If not tolerable, generating a new risk treatment
– Assessing the effectiveness of that treatment

28. How to Identify Risk &
Opportunities?
SWOT Analysis
PESTLE Analysis
Brainstorming
Surveys
Interviews
Historical data on Failures
Organization's Records
Professional Expertise
On-Site Investigations
Ramasubramanian.s Management system consultant/Trainer/Auditor+919952229598

29. SWOT ANALYSIS
Ramasubramanian.s Management system consultant/Trainer/Auditor+919952229598
How to Use a SWOT Analysis
Internal
What occurs within the company serves as a great source of
information for the strengths and weaknesses categories of
the SWOT analysis. Examples of internal factors include
financial and human resources, tangible and intangible
(brand name) assets, and operational efficiencies.
Potential questions to list internal factors are:
•(Strength) What are we doing well?
•(Strength) What is our strongest asset?
•(Weakness) What are our detractors?
•(Weakness) What are our lowest-performing
product lines?

30. SWOT ANALYSIS
Ramasubramanian.s Management system consultant/Trainer/Auditor+919952229598
External
What happens outside of the company is equally
as important to the success of a company as
internal factors. External influences, such as
monetary policies, market changes, and access to
suppliers, are categories to pull from to create a list
of opportunities and weaknesses.
Potential questions to list external factors are:
•(Opportunity) What trends are evident in the
marketplace?
•(Opportunity) What demographics are we not
targeting?
•(Threat) How many competitors exist, and what is their
market share?

31. SWOT ANALYSIS
Ramasubramanian.s Management system consultant/Trainer/Auditor+919952229598

32. SWOT ANALYSIS

33. PESTLE ANALYSIS

34. 34
here are certain questions that one needs to ask while conducting this
analysis, which gives them an idea of what things to keep in mind. They
are:
•What is the political situation of the country and how can it affect the
industry?
•What are the prevalent economic factors?
•How much importance does culture have in the market and what are its
determinants?
•What technological innovations are likely to pop up and affect the market
structure?
•Are there any current legislations that regulate the industry or can there be
any change in the legislations for the industry?
•What are the environmental concerns for the industry?

35. Where to Start?
4.1 &4.2 Needs &Expectation of Interested
parties
List down all interested parties(Internal,
external, Legal & regulatory bodies)
Find all need and expectations of all interested
parties
Assess Risk and opportunities in meeting them.

36. Where to Start?
5.1.2 Customer Focus
Find all requirement for the products&
services(customer, Legal & your own)
List down all the processes for Meeting the
requirements
Assess Risk and opportunities in converting the inputs
in to outputs

37. What is Next?
6.1Action to address Risk &Opportunity
Incorporate Mitigation action in to your
process/procedure wherever required.
Consider Risk mitigation as objectives wherever
required.
Monitor the Risk on regularbasis.

38. What is Next?
9.1.3 Analysis and evaluation
Monitor the Risk on regularbasis.
Analyze the effectiveness of the mitigation plan
put in place.

39. What is Next?
9.3.2 Management Review
Discuss the effectiveness of the mitigation plan
putin place.

40. What is Next?
10.2 Non conformity &Correctiveaction
Whenever Non conformity arises, check whether
the particular NC addressed in Risk Register?
If yes, investigate what went wrong with the
mitigation plan ?
If not include it with mitigation plan.

41. What is Next?
6.3 &8.5.6 Changes in Risk &Opportunity
Asses Risk & Opportunities Whenever changes
happening in
Need & expectation of interested parties (4.0)
Leadership, policy, roles & responsibilities (5.0)
Objectives (6.0)
Resources(7.0)
Process /Operations(8.0)
& Update Risk mitigation plan.

42. What is Next?
Ensure your Risk Management plan is a
dynamicone.
So you can achieve Continual Improvement….

43. END OF PRESETATION
• QUESTIONS