One of the primary changes introduced by the new ISO 9001 standard is the concept of risk-based thinking as a cornerstone of quality planning. Along with this notion that it is important to think about risk, there are also requirements to identify and address risks and opportunities within the Quality Management System.
What do the ISO 9001:2015 requirements actually specify?
The requirements for addressing risks and opportunities are spread throughout the ISO 9001:2015 standard, starting at the beginning in section 4.4.1, where the organization is required to determine the processes needed to address the risks and opportunities it has identified. This is reinforced in section 5.1.2, where top management needs to ensure that risks and opportunities that affect product and service conformity are determined and addressed.
The real meat of the requirements for risks and opportunities is in section 6.1 on actions to address risks and opportunities. This section discusses the need to plan the actions needed to address the risks and opportunities, integrate these actions into the QMS, and evaluate the actions for effectiveness. These actions need to be in proportion to the potential impact on product and service conformity, and there are many ways to address risk, from avoiding it to accepting it.
The last mentions of risks and opportunities are in section 9.1.3, which covers analyzing the information necessary to determine whether actions were effective, and section 9.3.2, which specifies that management review will look at the effectiveness of the actions taken to address risks and opportunities. There is also mention that risks and opportunities should be updated when a non-conformity occurs (section 10.2).
How can you address these requirements?
It is important to note that there are no requirements for a formal process to monitor and control risks and opportunities within the Quality Management System. Just like risk-based thinking, there is not a requirement for full risk management, only the identification of the risks and opportunities and decisions on what action to take. This does not even need to be maintained as documented information within the QMS.
As with any new requirements for ISO 9001:2015, it is a good practice to look at what you already do within your organization to see if you address these requirements with your current business practices. For instance, many companies have business planning processes that look at the risks to the business and the opportunities that could be present, such as the use of a SWOT analysis (strengths, weaknesses, opportunities, and threats).
The use of a SWOT analysis in business planning will also include making plans to address the risks and opportunities identified, which is also required by the ISO 9001:2015 standard requirements. For instance, if you identify a risk that a key component in your product or service will become obsolete, you can make the plans necessary to find a replacement before your customers are impacted by your product becoming unavailable.
If you already do this as part of your business capture strategy, then you are already meeting the requirements of the ISO 9001:2015 standard; if not, then this is certainly an industry best practice that you could adopt. Remember, the format of this identification is not mandated, so you can look at these risks and opportunities in any fashion you wish.
Why look at risks and opportunities?
As has been said before, the ISO 9001 standard is intended to be a set of requirements that represent the good practices that form the basis of a Quality Management System, and companies that want to survive will be assessing and addressing risks and opportunities to their businesses as a standard course of action. For a business to thrive, you need to identify in some manner what risks you have and how they can affect you.
However, as always, it is important that you find the best way for your organization to do this activity to address your risks and opportunities. This can be as simple as brainstorming for your SWOT analysis and then deciding if you need to do anything about the risks that are identified. This process is there to benefit your business, so do not take extremely expensive steps to implement this system if it is not required for you.