Risk Management
Although I've called this section 'risk management' we need to be clear right away: formal "Risk Management" is not a requirement of the Standard. What is required is something called 'risk based thinking'. For simplicity, I will refer to risk management, but please remember, we are not talking formal risk management, but 'thinking about risk' or 'taking risk into account when planning, operating and reviewing your quality management system'.
Now, having a suitable method or methods to manage risk in any business or other organisation makes good sense. And it isn't as complicated as some people try to make it.
The view that the Standard takes is that 9001 was always about risk - after all, having a robust quality management system is one way of reducing risk. The difference is that now there is a specific requirement to consider risk, and that a new and somewhat vague term was introduced: 'risk based thinking'.
Now there are a couple of things in this version of the Standard that I think could have been done better. This is one of them: coming up with a new definition of risk as 'the effect of uncertainty' (ISO 9000:2015 3.7.9) rather than using the one that is already in the Risk Management Standard, ISO 31000.
And leading on from that new definition, the Standard also wraps risks and opportunities in together, on the basis that risks aren't always negative and that opportunities can involve risk. Incidentally, this led to lots of spluttering and spirited debates across the world, especially from professional risk managers.
Let's leave that aside, and look at what the Standard actually says about risk based thinking, in the Introduction and an Appendix.
- An explanation of 'risk based thinking' appears in 0.3.3 and a longer one in Appendix A4. Do read the Appendix and note the very clear statement that 'there is no requirement for formal methods for risk management or a documented risk management process' (A4). I have already found that some external auditors appear to have missed this!
- That an organisation should 'address risks and opportunities associated with its context and objectives' in 0.1 (c)
- That it should use a process approach 'with an overall focus on risk-based thinking ...aimed at taking advantage of opportunities and preventing undesirable results' in 0.3.1
Neither the Introduction nor the Appendix is part of the actual requirements of the Standard (the specific things you get audited on), but they do give important context and background to help you read and understand the requirements.
The next step is to look at what the requirements are, to see what you actually have to do.
That is mostly set out in clause 6.1, and it covers what sensible organisations have always done. Note that they may not have done it formally, and they probably didn't think of it as, or call it, 'risk based thinking'. This is what you are required to do:
- In 4.4.1f, there is a general requirement to address risks and opportunities
- In 5.1.1d, top management is required to promote risk based thinking as well as the process approach
- In 5.1.2 top management must ensure that risks and opportunities are addressed, so that services/products conform to requirements and customer satisfaction is not negatively affected
- In 6.1, the Standard sets out the actions that must be taken. As part of your planning, the relevant risks you need to address are to be identified. (6.1.1)
- And in 6.1.2, you are required to plan what you will do to address your risks, how you will do this, and how you will evaluate whether what you did was effective. In doing all this, you consider how important the risks/opportunities are and what impact they might have on your services or products
- Under Performance Evaluation, 9.1.3e revisits the subject, requiring you to do the evaluation you planned for earlier.
- Lastly, in 9.3.2e, you are required to ensure that this is an input for review by management.
Let's run through an example, to illustrate what all this might mean in practice. Consider a small architectural practice, with 2 owners and a small staff. The owners - practising, registered architects - do their planning for risks on two main levels.
First, there is the project-based level, where they analyse each project they bid for, to help them consider their pricing and whether there is anything that suggests they need to build a greater buffer (contingency) into their fee structure. For example, a design job for a builder they haven't worked with before, and don't know anything about, versus a job for a local government. They would identify financial risk/nonpayment as a much more likely risk with the builder than with the government job, but with the latter there is a much greater likelihood of an extended engagement period, given that local governments often want to build in consultation periods with local people. And they 'promote' this kind of thinking with their own staff, through example and project discussions.
The other level they plan at is the company level: risks to the company itself. Here, they have identified professional liability as an obvious risk, but also losing key staff. Finding and attracting suitably qualified young architects is difficult.
They have integrated this kind of thinking into their practice: a risk assessment is part of the brief and thinking for every project. At the company level, they do an annual risk assessment, and revisit it during the year if things change.
There are various ways they address these risks. They balance their project portfolio, to ensure a mix of work from builders and developers with government jobs. They require an initial deposit up front from all clients, break the work into stages, and manage finances to ensure that payments are received on agreed milestones. They put a lot of attention on staff development and coaching, to help make the practice an exciting place to work for young architects, and give them a chance to stretch their skills and learn. They have regular staff events, actively seek feedback from their staff, and take it into account in their practice.
Their evaluation to date gives them confidence that this approach has worked for them, as they have had no major financial losses, they have been able to manage the flow of work, and they do not have high staff turnover.