Thursday, March 2, 2017

How to Fulfill the Requirements of Risk Based Thinking in ISO9001:2015

    A concept or methodology introduced in ISO9001:2015 for the first time is risk based thinking. To employ this methodology in an organization, one can refer to another international standard, ISO31000:2009 Risk management – Principles and guidelines, and follow the requirements specified there, but following ISO31000 is not mandatory in order to fulfill the risk based thinking requirements of ISO9001:2015.
    To meet the minimum requirements of risk based thinking as specified in Clauses 6.2.1 and 6.2.2 of ISO9001:2015, an organization should at least do the following things:

  • Step 1: Identify the risks and opportunities in its quality management system
  • Step 2: Take the necessary actions to address these risks and opportunities
  • Step 3: Evaluate the effectiveness of the above actions taken

Now let's look into these steps one by one.

Step 1: Identify the risks and opportunities in its quality management system
    When ISO9001:2015 talks about the risk based thinking, it's not just about managing the risks which have negative results, but also the opportunities which can be taken advantage of. The organization should identify both the risks and opportunities in its quality management system.
As required in 6.1.1 of ISO9001:2015, when identifying the risks and opportunities, the organization needs to consider at least two aspects:

  • Internal and external issues of the organization (4.1 of ISO9001:2015)
  • Needs and expectations of the interested parties (4.2 of ISO9001:2015)

    The internal issues of the organization include but are not limited to the company's culture, employees' abilities, the company's financial status (which determines how many resources can be provided), etc. The external issues include but are not limited to the overall economic situation, market trends, the technology level of the industry, etc.
    Needs and expectations of the interested parties include but are not limited to legal requirements from the government, requirements from customers, needs of employees, expectations from suppliers, etc. For each department in the organization, the needs and expectations of interested parties also include the needs and expectations of other departments. It should be noted here that Clause 4.2 of ISO9001:2015 is about the needs and expectations coming from the interested parties, not those directed at them.
    By analyzing the above issues, the organization should assess the associated risks and opportunities, and determine whether actions are needed to

  • eliminate, mitigate, prevent or take the risks
  • take advantage of the opportunities

Step 2: Take the necessary actions to address these risks and opportunities
    If it is determined that actions are needed to address the risks or opportunities identified above, actions should be proposed and implemented. As always, when actions are proposed, the owner and the due date of each action must be clearly defined.

Step 3: Evaluate the effectiveness of the above actions taken
    The effectiveness of the actions taken must be evaluated to ensure that the corresponding risks and opportunities are properly addressed. So for each identified risk or opportunity, an objective should be set for the actions taken, and the result of the actions should be reviewed against that objective. Such a review must be included in the management review meetings, as required in 9.3.2 of ISO9001:2015.

Owner of Risk Identification
    So far, we have discussed the steps which should be followed to fulfill the requirements of 6.2.1 and 6.2.2 of ISO9001:2015. An important question here is who should be responsible for it. It should be the top management of the company, who of course must be supported by the owners of the quality processes. Each process owner first identifies the risks and opportunities associated with his/her process and proposes the actions to address them, and then submits them to the top management for review and consolidation. As the owner of each process can only understand the internal and external issues and the needs and expectations of the interested parties from the perspective of the process he/she owns, it is necessary for the top management team to review what is submitted by the process owners, provide their opinion and summarize it from the perspective of the whole quality management system.

Template for Risk Identification
    So much has been said about what should be done; now let's see one example to get some idea of how it can actually be done. As a good start, the organization can use the template as shown below to identify the risks/opportunities and propose the corresponding actions to address them. In the column "Context of the Organization", the internal and external issues of the organization are identified one by one, and in the column "Needs and expectations of interested parties", each need, expectation or requirement of the interested parties is also identified one by one. The associated risks and opportunities are then analyzed and recorded in the columns "Risks" and "Opportunities" respectively. The actions to address these risks and opportunities are proposed in the next column. The due date and owner of each action are specified in the next two columns. And in the final column, the objectives are defined, against which the effectiveness of the actions taken will be reviewed.
