Risk-based thinking 101

The way you apply ISO 9001:2015’s requirement for “risk-based thinking” is a departure from previous iterations of the standard, which has led to some confusion. Primarily, risk-based thinking has replaced risk management as the requirement you must meet to satisfy quality standards and to ace ISO certification audits.

The source of the confusion is that risk-based thinking is treated as an abstract concept when it need not be. A risk is tangible, albeit qualitative, so you can narrow its definition for colleagues who are not familiar with risk-based thinking. Here’s a quick primer on how to define risk and apply that definition throughout your organization.

What does risk mean?

As a quality professional, you are no stranger to the consequences of poor risk management, but the new version of ISO 9001 veers away from strategic risk management as a tool. Instead, standards like ISO 9001:2015 and IATF 16949 encourage you to think more broadly about risk and its effect on quality.

The relationship between cause, risk and effect

If you need to explain to coworkers what risk means in a manufacturing context, you can begin by explaining the relationship between cause, risk and effect.

Cause simply refers to existing manufacturing processes that precede a specific risk, which is the probability of an uncertain event occurring. An effect is the outcome of this event if you do not intervene.

The keyword here is uncertainty. Specifically, risk means uncertainty that matters, which can reveal threats to, as well as opportunities for, process improvement. Uncertainty can have a positive spin or a negative spin at the same time. Your job is to know the difference and explain both sides to your colleagues.

It is common for manufacturing workers to think about risk only as a negative outcome. In that framing, manufacturers can avoid a risk, transfer it to another process (e.g., to suppliers) or accept it. There is no such thing as zero risk; when the term is used, it refers to opportunities for improvement, not to the absence of any threat.

If you are familiar with the history of ISO 9001, you will notice that the term “preventative action” has been substituted with risk-based thinking. As you define risk thoroughly, opportunities to exploit new insights emerge. Sharing these ideas can enhance manufacturing processes and put a positive spin on risk. The takeaway is that you can indeed adjust preventative actions to leverage newly identified opportunities.

How to narrow the definition of risk

Having said that, what is the best way to identify risk? Think of risk identification along two dimensions: uncertainty, and its effect on strategic objectives. In all likelihood, your organization’s upper management will want clear explanations of how you plan to pinpoint risk.

The beauty of risk-based thinking is that you can adapt similar data to different stakeholders to bring everyone into the fold. You can narrow the definition of risk in any context by:

  • Defining objectives
  • Identifying uncertainties that matter most
  • Including both threats and opportunities
  • Prioritizing risks
  • Identifying options for change

Different job roles will require you to translate these concepts into actions your colleagues can apply every day.

For instance, the plant managers on the shop floor know that operational risk can be drastically different from how upper management thinks about risk. Safety and risk on the shop floor are inseparable priorities, but the financial impact of those risks means much more to upper management. You can use risk-based thinking to bridge this gap and find ways to improve teamwork.

EQMS and common risk identification processes

The potential to identify risks quickly is a major benefit of enterprise quality management software. Essentially, EQMS creates a platform for all workers to see quality from a single source of truth.

Some common risk identification processes include:

  • Brainstorming
  • Workshops
  • Prompt checklists
  • Assumption analysis
  • Interviews
  • Questionnaires

What EQMS can do is help you pull all of these methods together into one system of accountability, rather than an ad hoc process that complicates, rather than simplifies, risk identification.