How to Address Risk in ISO 9001

Addressing risk in ISO 9001 was dialled up a notch by major changes introduced in the updated ISO 9001:2015 Standard. Until then, the concept of risk-based thinking had been implicit, suggested but not directly expressed in the previous versions, under the clause of “preventative actions”. 

But the updated Standard increased the focus by explicitly defining how to address risk in ISO 9001, under the clause: “Actions to address risk and opportunity”. 

It defines risk as “the effect of uncertainty”, which can be both a negative and positive deviation from the expected. For example, addressing a risk could present the business with a new opportunity. 

What’s for sure is that the old ‘fail to prepare and prepare to fail’ adage remains steadfast. Because truthfully, the better your business manages risks, the better prepared you are to face uncertainties. And as a result, effective management of risk leads to –

• Superior performance
• Ongoing improvement
• Supercharged customer satisfaction

So, where do you start to address risk in ISO 9001? The three steps to success are –

• Determining risks and opportunities
• Addressing risks and opportunities
• Monitoring and reviewing risks and opportunities

Let’s run through each of them.

Determining risk and opportunities

In order to address risk in ISO 9001, you need to understand what the challenges or opportunities are, and also the root causes. Compiling this information involves determining your risks and opportunities around the “Context of the Organisation”.

This means considering internal and external risk, for example:-

• Internal Context – Your risk and opportunity factors might be driven by hierarchy, resource capabilities or organisational procedures.

• External Context - Your risk and opportunity factors might be influenced and impacted by the circumstances in which the business operates, such as political, economic, social, technological, legal or environmental factors. 

All risks and opportunities which may arise due to the context or the requirements of interested parties should be determined and understood.

How to address risk in ISO 9001?

Firstly, it’s important to make the distinction that ISO 9001:2015 doesn’t require a formal risk management system. But it does require that you determine –

• Any risks and opportunities you’re faced with
• How these will be addressed

Just like when you’re conducting a health & safety risk assessment, it’s helpful to analyse risk against –

• Severity of the risk occurring
• Probability of the risk occurring

There are options available to address risk in ISO 9001, which include:

• Avoiding the risk at source
• Taking action to reduce the severity of the risk
• Taking action to reduce the probability of the risk
• Transferring or sharing the risk with a third party

But, do bear in mind that there will always be inherent business risks, adverse or positive. It’s part of being in business. To this end, having a risk tolerance criterion defines the acceptable limit of the risk, which might be –

• Retained under informed decision making
• Taken in order to pursue an opportunity

Monitor and review the risks and opportunities

So, you’ve determined –

• Where and how risks might emerge
• How to deal with any emerging risks

The final piece of the jigsaw is monitoring and tracking risks and opportunities on a regular basis. By continuously re-visiting them, you’re better placed to gauge whether or not your risk potential is under control after you’ve implemented any control measures.

This should be performed on a fixed frequency or following a significant change in the business. And here is why… Your understanding of the risks to the business, and how to mitigate them, becomes an evolving process. As a result, the business is also presented with previously untapped opportunities to drive change and continual improvement.