ISO 9001:2015 - Principles of Risk

18 December 2020
This pre-recorded webinar is designed to dig deeper into the principles of risk within ISO 9001.

Please feel free to download the slides here.

The presenter Martin Graham – Quality Management Auditor with NQA did a great job of highlighting some of the key queries around risk within the standard. In particular he drilled down into:

  • What risk is

  • The principles of risk based thinking

  • Risk based thinking as part of the process approach

  • Why use, and the benefits of, risk based thinking

  • Risk clauses within ISO and the PDCA model 

During the webinar there was an opportunity for questions; we will ensure that these are turned into content to cover off any consistent topics.

Take a look at our virtual ISO 9001 training courses here.

To ensure we support you throughout your certification journey, you are also able to download a copy of the ISO 9001 Implementation Guide



Principles of Management System Risk

00:06 - Good afternoon everybody, hopefully everyone can hear me okay. It's a little bit strange just speaking out into the ether, but I’m sure you'll be able to hear me done it a few times now so.
00:16 - Thank you for joining me this afternoon on this webinar on Principles of Management System Risk. I'm going to run for about kind of half hour 40 minutes or so thereabouts, and oh thank you everyone I can hear see some messages on my screen telling me you can hear me, so that's good. So, the system's working, that's great.
00:34 - Okay, so we're just going to talk for oh I’m going to talk for a half hour 40 minutes or so, just to need the principles and management system risk. Just run through some ideas with you about things that I’ve seen through my experience through auditing over the years, and hopefully that will kind of resonate and give you some pointers for you to move forward with, okay? 

Our Purpose

00:55 - Before we kick off officially if you like a little bit of background on NQA, for those of you that don't know there's a little illustration there on the screen. Just about kind of who we are, where we operate, and the kind of numbers that we're involved with. So, feel free to kind of absorb that for a moment or two.
01:11 - You will get a copy of these slides and indeed this recording is available as well if need be. So, please feel free to make notes but obviously it's not a memory test at the end of it. Just some information there about NQA and who we are, where we operate, and the things that we do.


01:29 - Just a little bit of housekeeping, I think hopefully we've answered this by, I can see the messages coming through, they're telling me so hopefully you can hear me which is good. You should see a little dialogue box on your screen there that allows you to ask questions.
01:43 - Now you can ask those as you're going along. Now I won't answer those as we're going along because obviously that will just eat into the time, but I’ll kind of save them for the end and then I can respond to those kind of privately as a group if need be. So if there is anything please feel free to ask away I won't respond as we go along like I say, but we'll cluster them at the end.
02:01 - Okay now you will get a copy of this presentation for your own reference as well. So hopefully you should be able to if there's if there's anything you want to reference during that point then you can come back to that, okay?

Certification and Training Services

02:19 - Again just a little, a couple handfuls of things about kind of what we do at NQA. Lots of things going on there obviously certifications were involved with quality, obviously aerospace, automotive, environmental, energy, health and safety, information resilience, food safety, and risk management, and medical device as well. So quite a comprehensive offer in there
02:39 - when it comes to NQA. Now, obviously supporting that is our training services as well, for those of you that aren't aware we offer training services to support these areas as well so.

NQA: Clients We Certify

02:50 - Have a cruise around the website it will give you a wealth of information and you can, you can absorb that your leisure okay. Just on your screen there just a handful of clients that we certified obviously some names certainly will recognize and maybe you remember the taste of for the Costa and that kind of thing Vodafone I use them myself, so nice to know you can safe hands when it comes to these kinds of things. So yeah, obviously yeah just a little hand little illustration some of the clients that we certify and the kind of status that we are.

Webinar Agenda

03:21 - Okay so a quick bit about me, it's not all about me in case you're wondering, what I look like there I am, still got the beard, keeping it for Christmas. My name is Martin Graham. I am the training manager at NQA and also a field based auditor. Which means well previous to March, I used to go out in the field and deliver audits. So, I undertake audits but now I’ve been doing that remotely, but I also head up the training unit with my colleagues at NQA.
03:47 - Okay been in the industry for around 20 years or so for my sins covering quality, environmental, health and safety, energy management, and so on across a number of sectors. But yeah, that's all.
03:58 - I know how to do, so I want to carry on doing it. So one of the things we're going to be, just on the left hand side there, some of the things we're going to be talking about this afternoon. Just kind of really obviously, risk is a big subject matter we could spend probably an awful lot more time this on it, but just going to run through some of kind of the initial principles.
04:16 - Some things to consider, things to maybe kind of get, you know, think about when you're looking at your management systems or undertaking audits and so on and so forth. Just based upon you know the industry feedback we've got my experience and that of my colleagues as well.
04:29 - We're going to run through what risk is in the context of ISO, principles of risk-based thinking, risk-based thinking as part of the process approach, why using the benefits of risk-based thinking, and finally kind of a look at the risk clauses within ISO, and the PDCA model okay. So, it's going to run for a kind of a few slides on that so.
04:49 - I’ll talk around them as we go along. Like I say, if there are any questions fire them away into the little box there or just listen away and I’ll answer them at the end for you okay.

What is Risk?

05:03 - Okay so, off the bat then what is risk? Obviously I think we're kind of all aware of it, we understand it in you know in principle, but obviously in the context of ISO 9001, risk is defined as the effect of uncertainty. So something fundamentally that's going to, you know, that is uncertain about your management system or your operations that by definition is the, is the risk associated with within the ISO standards. Okay, so like it says there within the context
05:30 - of ISO management systems. This relates to the risks associated with achieving intended results, enhancing desirable effects, preventing undesirable effects, and achieving improvements. So, when you're looking at risk in the context of ISO, bear those things in mind and they are kind of embedded
05:46 - within the standard there. They're words from the standard so you've got to look at kind of the uncertainties associated with achieving these things. That's on the screen there, so think about the intended results of the management system, it's your policy, it’s customer satisfaction,
05:59 - it's your objectives, it's compliance, and so on. So, all those kind of things that can factor in and can, you know, essentially allow for uncertainty within your day-to-day operations.
06:11 - Now it's always been implicit and implied for those who you've been around ISO, it's really not the time you I’m sure you remember this idea of preventative action that sat at the back of the previous ISO standards. So, it's always kind of been there, it's not a new concept it's just really kind of become a little much more kind of obvious if you like.
06:29 - You know within the standards okay. So preventative action was always there, and but obviously then now they're pulled to the front of the standards in the kind of the planning section, the risks and opportunities clauses which we'll come on to in a little while.
06:42 - Okay so, where is their risk and uncertainty? Any number of places obviously is most things in life, but typically within kind of management systems and day-to-day operations, you've got obviously the ultimate variable which is people. You've got the process uncertainties, the product itself, and infrastructure okay.
07:00 - There's a handful of ideas there to consider where kind of these uncertainties may appear within your management system and operations.
07:08 - Okay so identify and address the uncertainty and by definition you can address the risk okay.
07:15 - Just really looking at those, kind of look, at look where the doubts are in the system you know is it the people, the process, the product, the infrastructure. Where in these things are there uncertainties, where are the gaps, and how can we look to address those.
07:27 - And that's what the standards are asking for okay. Now risk can apply and indeed it does apply to pretty much any management system, it's certainly within those that are following the Annex SL structure but don't confuse necessarily with occupational health and safety risks or aspects and impacts. Now they can obviously, you know, they 
07:46 - sit very closely alongside each other but when the standard talks about risks and opportunities it's really kind of talking about those things in that second paragraph there, about the risks associated with achieving the intended results of the management system okay. So there's, that's what it's kind of really getting to
08:03 - within environmental, health and safety standards. There's particular clauses associated with risks, health and safety risks, and aspects and impacts so there's dedicated clauses to that whereas the risks and opportunities clause is a standalone thing that asks you to think about
08:17 - the uncertainties associated with your management system okay. So in plain English having said all of that, what is in doubt that could affect, what we do so, you know, what are the doubts, and whereabouts are they, what do we do, to kind of, to address them okay.
08:34 - So, types of risks there, then things to consider, then when it comes to thinking about risk-based thinking naturally financial, obviously you know, there's a there's any number of financial elements there.
08:48 - Although the standards aren't necessarily financial standards obviously we're all in business to earn a living and make money so there's financial risks there. Certainly to consider there are compliance obligations, you know, compliance related risks, so you know not being aware of a or not be so compliance obligations. Not being aware of compliance obligations necessarily or
09:10 - being up to date with them or and so on and so forth. So there's those kinds of things and also risks associated with product compliance. So if you've got a, you know, kind of a product related requirement or service related requirement, that's a compliance obligation.
09:24 - Need to be sure that you're aware of that there's a potential uncertainty there, human obviously, absolutely yes you've got variables like we say the ultimate variable which is human obviously. And that goes down to people's behaviours and kind of, you know, maybe complacency to some degree if there is such a thing.
09:42 - Obviously, you know, kind of, you know, and language and so on and got risks associated with their people's understanding and general kind of competence and awareness of the system. There can be potential uncertainty there.
09:53 - Okay naturally as we've already said, you know, mentioned there, they don't they do go hand-in-hand, environmental, health and safety risks absolutely but it's kind of fundamental here, it's you don't need to make a distinction necessarily between, you know, health and safety hazards and risks and so on. But obviously you do need to think about kind of the intended outcomes of
10:12 - the management system, that’s what you're trying to in the context of ISO, what it’s after okay. You've got perception risks obviously nowadays you know probably a customer perception, public perception.
10:22 - There can be uncertainties associated to that things to consider naturally operational, you know, that can be down to anything from documentation through to making sure that the right information is available through to making the logistical arrangements in place and so on.

10:38 - And then finally they're looking at infrastructure, so is the right, you know, is the right equipment in place, is the right training place for that, do people know, kind of, what they should and shouldn't be doing. In a particular instance and kind of really just looking at the areas that you can.
10:50 - There's some these aren't obviously exhaustive, there's some of the things that you can take into consideration, we look at the types of risk associated with uncertainty and kind of management systems okay. Within obviously within your context of your own organization.
11:08 - Okay. So, the effects of uncertainty on uncertainty that affects there you go there's a there's a play on words for you. So risk within ISO is defined as the former. Okay so that's that, if you like the dictionary definition, but certainly the latter can determine the risk.
11:26 - So, like we're saying it's really just looking at the uncertainties associated with, you know, with what you're doing as an organization. Okay so and that uncertainty can create an effect but obviously, you know, the effect is the effect of that uncertainty itself okay.
11:41 - Whatever, whichever is chosen though whatever way you slice it, risk is involved and the output is the same, i.e. you have to kind of make, review, assess the risk, and take action.
11:55 - You know as you do necessary to address it and mitigate it, okay, to kind of carry on so you can start achieving your intended results. Okay action taken to address a risk typically addresses an uncertainty. Okay so if you're that that's kind of you know taking this whole thing just like kind of pushing it a little bit further okay. If you're if you're audited or quite a risk you'll address an uncertainty it's, it's kind of one of the same thing okay.
12:19 - The terminology is not critical here it's really just that kind of understanding that, that principle and it's something when I’m auditing is, you know, talk to people and say look okay take away the ISO, you know, language if you like and put into something plain English. And say look okay what concerns, you know, what's uncertain, what are the doubts within, you know, what you're doing, and what are you trying to achieve and then and look at look at how take it that way.
12:46 - Okay so contextual risks okay in plain English relevant uncertainties one of the things that I always kind of you know when I’m auditing now, the standards very much of that kind of context.
12:55 - I know you like to use the word relevance when it comes to, when it comes to ISO, basically kind of everything that you do, every risk that you identify, keep it in context, keep it relevant, you know, make it kind of a value and on worth to your organization or your management system.
13:10 - There will be some kind of generic things that will come into play but obviously, you know, all of this is really about, kind of, you know improving your management system and achieving those intended results, so keep things in context keep it relevant.

Risk Based Thinking

13:26 - So, just a little bit then on risk-based thinking. Okay so some of the things this space is like it says there should be systematic within the management system not a separate component, it can be easy to fall into this trap and make it kind of like an isolated, you know a box in the corner, so to speak but fundamentally it's it should be kind of
13:46 - embedded within everything that you do. With the kind of every process and function and part of your operation your business has got risk associated with it so.
13:54 - You know don't have it as a standalone thing if you're going to put it in the context of health safety risks and that process you know every everything's got a risk associated with it. But obviously you know in the same way quality or systematic risk as applies to every process.
14:13 - Risk can exist in any part of the system process or functions and should be considered at each stage so don't think about it, you know, just think of it as a holistic thing. Think about, kind of, whatever the risk and uncertainty may be however small or whatever stage it's, it can exist okay.

14:27 - But obviously the trick here is to assess that and look at kind of the effects and you don't want to kind of, you know, overrate the custody in terms of actions you want to make sure the actions that you take can be effective and worthwhile okay. Now not all processes naturally carrier will be exposed to the same level of risks, you know, that there may
14:45 - be kind of activities within your organization that just simply don't you know, warrant or carry the same level of risk and uncertainty now, and so when you're looking at them this is when you kind of need to address and kind of evaluate and have a system in place for kind of, you know, scoring. And you know looking at kind of the potential effects that these risks can have.
15:06 - Okay identifying addressing risks should be proactive rather than reactive process okay. It's, it's not as most of these things it sits within the planning section of ISO.
15:17 - So, section six there which we'll come on to in a short while so it really sits in that front end planning section of your management system. So there'll obviously be lessons learned that you as time goes by that you can then feed back into your planning process, so once you've been through kind of your check-in and process. But obviously off the bat there should be a
15:37 - risk-based thinking, should be a proactive thing rather than just a reactive, like it says there response thinking is integral to everyday life and business operations but fundamentally recognize and apply. And this is important the chances are and almost guarantee this that you're already
15:54 - addressing the clause that the risk-based clause it's, it can be one of the things just looking at what you're already doing and seeing, kind of, and interpreting that and saying look, okay, yeah, we are doing that you know we're doing we're applying risk-based thinking but it's then just recognizing that and putting it into and building that back into your system.
16:16 - Okay now risk is not only negative certainly not you know what one of the kind of biggest risks or one of a risk in any business is kind of its competition or expansion you know kind of we'll have doubts there but those uncertainties.
16:32 - So, they can produce positive effects and opportunities okay so obviously you know with competition yes it's a risk and uncertainty it's a risk but obviously that can make kind of more capacity for more efficient and you can pursue an opportunity that way.
16:46 - Okay risk-based thinking can allow you to consider the current situation and the possibilities for and impacts of change, so that's a big thing to consider obviously change as we've all been through this year it carries with it by definition a degree of uncertainty so it's kind of that's one of the things that kind of you're looking for within your management system, is how can
17:07 - it react to change, how can it change to react, how can it react to change, to people, to processes, to product requirements, to customers needs, to legislation. Whatever it may be and so obviously within that within that under those changes it carries uncertainties it carries risks.
17:23 - So your management system needs to kind of just be able to kind of absorb those process them and then allow you to react to them okay now some risks will be acceptable because that's just the way of life. But you but it's obviously what you need to do as part of your planning process and your when you're looking at your management system is look at the
17:44 - advantages and disadvantages of taking action, you know, you don't want to take action to kind of, you know, that will just over address the whole thing and become a cumbersome and make it awkward for you as an organization to function that's not what it's about the standard doesn't say that you have to address every single risk.
17:57 - It just says that you need to determine them apply this process and to just make sure that you can achieve what you're trying to achieve with the management system.
18:09 - Remember so yeah, it's ultimately the risks of and associated with the achieving of the objectives of the management system conforming to your products and services and achieving intended outcomes that are to be considered that's really the crux of the whole thing.

18:20 - Okay what are you trying to achieve with the management system and what can trip you up along the way and remember obviously your context absolutely keep things relevant.
18:33 - It's not this think risk-based thinking isn't new and very likely for nearly all of us I would imagine that certainly an organization that I come across is something that you already do okay that just needs to be recognized and it's a continual process.
18:50 - Now risk is all relative like we said there obviously within individual processes and procedures it's the size and shape of those procedures it's you know the consequences they can vary by organization product and service.
19:02 - So absolutely this is where it comes important to keeping things in context okay so you don't want to kind of over analyze or overthink it you know if you've come to a conclusion on it you're happy obviously like.
19:12 - It's a continual process so you don't leave it parked but obviously you know you do kind of you make sure that you keep things relevant and up to date and up to in context.
19:24 - Keep it simple absolutely you know it's a good way of being certainly when it comes to management systems, it's very easy to kind of overthink the whole thing but basically look what you're trying to do here is like I say, look at what's uncertain, what are the risks,
19:37 - and then understand review and assess and act and fundamentally this is where that kind of plan do check act that PDCA process comes in which is embedded within your advantage of the ISO standard.
19:49 - That's which will come onto the PDCA in a little while okay involvement of people. Okay so whilst top management are required to be involved with and promote risk-based thinking those directly involved with the process may be best placed in identifying the uncertainties involved. So, another thing we mentioned there earlier on about the
20:08 - kind of you know making it kind of exists essentially within any part of the operation and your management system get the people involved, you know, if you're talking to people and who are actually performing a task on the function ask them you know what do you think is good here, what
20:21 - could be better, where do you think our, you know our thoughts, and not faults. But uncertainties or doubts may be is there anything we could be doing better you know kind of if you're not doing it if you're not as efficient it was effective you could then it could be uncertainties there.
20:35 - So get people involved you know as many people as you can don't want to over let's say over engineer it but get people involved and they can kind of help you come up with ideas and you know help you with your management system there get that participation is important.
20:52 - Okay consider the issues that can affect your organization's values performance perception and knowledge and how can these issues affect your objective.
20:59 - So again, just another point there to kind of push home that idea you know that it's what value what the issues that can affect who you are and what you do obviously to consider you know what actions are practical to take now in some instances you might want to avoid the activity altogether that you might eliminate substitute. Whatever it may
21:20 - be manage the likelihood manage the consequence even you may even decide to accept the risk or even pursue it if it leads to an opportunity like we said earlier it's not necessarily always a bad thing. So that's the thing because consider kind of what actions are practical to take you don't want to kind of you know within the resources that you've got okay.
21:43 - So just carrying that idea further a little bit further forward so yes you do need to take action obviously you know determine action that needs to be taken but obviously keep things in context and proportion that you don't want to kind of you know just work for yourselves okay.
21:58 - Like we said earlier preventive action not necessarily gone if you prefer it you can use that term absolutely if people don't like the term risk or it doesn't necessarily sit well with them for whatever reason you can say okay we're trying to prevent things from going wrong.
22:10 - We're trying to be proactive in preventing issues within our within our system and approach success this space thinking uh basically in principle here it enables you as an organization to determine the factors that can cause its process and its management system to deviate from the planned results to put in place preventive actions to minimize negative effects
22:31 - and to make the maximum use of opportunities. I think that's kind of you know that's the important thing to remember there that kind of that planned results okay.
22:38 - Just keep it simple, what are we trying to achieve here with our management system what are the planned results and those planned results like we say they can be your objectives they can be customer driven service level agreements, they can be KPIs compliance obligations, you know, any number of things, we know the planned results is what you're trying to achieve.
22:58 - Okay now there's no correct methodology necessarily you know there's ways of approaching this whole thing which will come a handful of ideas will come onto a little while but you know it's whatever remember it's whatever works for you as an organization it's not there to impress an auditor. Although it does sometimes you know it's whatever works for you for the size
23:16 - and shape of who you are and what you're doing okay the standard is not prescriptive in that regard it just asks that you adopt this way of thinking look for uncertainties and address them within your system planning process yes okay. But ultimately you know you may not be able to eliminate the uncertainties because they it just may just be there you know the hazard if you like.
23:35 - One of a better phrase majors may always exist but you can certainly manage the effects and kind of how people approach it and how your process and system manages the whole thing okay.
23:49 - So just coming on to last few ideas on risk-based thinking then so what are the failure points of the process? So think about kind of you know for example, if you look at the process itself when you're thinking to yourself well okay where are the failure points? Is it an input, is it an output, is it the person that they not understand, is it our equipment itself, is the is there not enough instruction, at that point you know it's just really kind of look at the potential failure points there.
24:14 - And that will kind of help you start to understand where you can go with the whole thing risk perception broader resource input may hide may highlight unnoticed risks like we said there.
24:26 - Get people involved get people's perception you know we've all got different ideas and thoughts about things and the you know kind of the you know the level of risk essentially, but obviously, you know, so get that kind of balanced view on it okay. So one step at a time let's say
24:43 - you don't need to write everything off the bat it's basically a case of yes one step at a time you know get people involved take a step at a time you don't necessarily do everything in one go you can you can rate and evaluate the risks for further down the line once you gather them.
24:58 - What they are and it will be a live thing it's a continual thing you know if you're going to compile a risk register it'd be a live document keep it up to date you know it's not an absolute thing this it can it's allowed to change and indeed it probably should okay joined up thinking.
25:12 - Absolutely yeah keep things in context keep it relevant to you as an organization look for your processes look at who you are what you're doing your customers and everything and keep things in context okay. Document them if necessary if you find that it helps. Absolutely now, obviously some of the standards that they require slightly different things I won’t confuse
25:33 - the issue now but 9001 doesn't require that you document your risks and opportunities it does require as part of your management review process that you obviously review the effectiveness of the actions that you take to address them but within kind of environmental standards and health and safety standards. There's a subtle difference that's worth being aware of in
25:52 - as much that both of those standards require slightly different levels of documentation when it comes to risks and opportunities so just peruse that clause okay.
26:05 - So, addressing the risks may identify opportunities if you know for example a risk around your supply chain may ultimately lending you then end up with use you know sourcing a better alternative. It's not unheard of you know it's if you're thinking okay well
26:18 - our supply chain is limited or we've got our eggs in the basket whatever it may be you can you might start to pursue and expand your supply chain and you know it may lead to, you know, an overall improvement okay. So, use it as a process for identifying opportunities as well
26:36 - but there was uncertainty in everything as I think we've discovered recently identifying this and evaluating the effect and determining action is the fundamental concept of risk-based thinking.
26:45 - Okay so basically keeping it taking a step backwards just looking at the potential gaps the potential holes and say okay how can we fill these and who needs to be involved and fill in them okay.
26:59 - So just to kind of illustrate having said all of that just to illustrate some of the possible effects of uncertainties okay just ah these aren't exhaustive but just to give you kind of some of the ideas that you can maybe start to think of as you roll that through your system okay so.
27:13 - Customer requirements not met you know it's a fundamental goal and intent of a management system but if you're not meeting that you know that's the effect there's a risk there okay.
27:21 - You're not going to be a customer's requirements in any sense of the word okay, there could be insufficient product knowledge you may not be able to kind of you know just keep up to date with kind of you know relevant legislations or compliance or specifications and technology wrong product delivered or late delivery okay. Yes there's an effect of an uncertainty it's a risk there.
27:43 - Incorrect material is used sourced or used contamination damage certainly you know within a product or as part of an environmental management system potential uncertainty and risk there within resources like we said earlier we've got people being a variable okay.
28:02 - So, there could be this potential risk associated with people's competence their training their awareness their availability even you know kind of one of the big things nowadays is about kind of succession and knowledge planning and that kind of thing you know if you've got people out of an equation for whatever reason, does that leave a big gap in uncertainty within
28:19 - your management system and your operations you know if you look if you've got knowledge in people's heads and they disappear for whatever reason you know it's it can leave a gap there accidents certainly like I said their resource succession failure absolutely.
28:36 - Like the succession plan is becoming a big thing nowadays business continuity and so on supply chain issues yep supply chains are a big part of most people's businesses and doubts and uncertainties within them can be numerous as I’m sure you'll all be aware,
28:53 - financial instability and overspend absolutely uncertainties and risks associated with that poor communication language barriers, you know, kind of with the language barriers there can be us from a health and safety perspective there could be potential uncertainty a risk there if you know there's not correct or sufficient communication.
29:11 - Like I say in any sense of the world not just health and safety for poor communication can ultimately lead to an inefficient or an effective management system and just not good for anyone.
29:22 - Compliance breaches obviously nobody wants those compliance obviously not good for anyone from legal perspective processing efficiency absolutely you know and it can be one of the things that can ultimately come out of all this you know if there's risk and uncertainty.

29:39 - Infrastructure issues you know kind of you know are we are we maintaining that how we've got correct maintenance programs in place in terms you know safety quality and so on.
29:48 - Is it suitable fit for purpose you know if it's creating an inefficiency it creates an uncertainty within the system because then leads to risks and problems further down the line uncontrolled change we mentioned earlier about the importance of change within a management system and the potential effects it can have in terms of risks so yes.
30:08 - Making sure that change is managed and or captured effectively that can be a good way of managing risk within your management system reputation damage absolutely.
30:20 - That's kind of like I say it's not an exhaustive list you know I say you don't make a note from these you will get copies of the slides at the end, but yeah just some of the things that you might want to factor in take into consideration as part of your management system you know risk-based thinking okay.

The Possible Benefits

30:38 - So possible benefits then having done all of that why on earth are we doing it apart from, you know, just meeting the standard possible benefits improve the likelihood of achieving your objectives. Like I say it's though that those planned results they're all
30:51 - part of your management system okay and objectives certainly are of part of that can lead to consistency of output now output obviously can be anything obviously that can be a production output but it can be consistency in terms of you know the person you know a training you know the overall kind of effectiveness of the management system.
31:10 - Okay and later benefits you know can lead to confidence in the system and its deliverables, so you know, kind of if you're kind of managing the uncertainties and the risks yeah absolutely.
31:20 - You know that that can lead to confidence in the system and what you're trying to achieve product and service and indeed you know internal as well the way the management the way your company an organization is perceived internally can help to establish a proactive culture of improvement.
31:36 - Okay like we said earlier it's a continual process this and it's not negative not in any sense of the word you know it's people are hear risk they think of you know negative, but it certainly shouldn't be that it should be used as a as a positive okay of how we're going to manage and improve and reduce the uncertainties with who we are and what we do and certainly assist with audit statutory and regulatory compliance absolutely yes if you're managing uncertainties.
32:02 - Why not you know if you're looking at the efficiency and effectiveness of your process, yeah absolutely it can assist with you know the compliance of your management system certainly operational efficiency and governance okay. So like we said just kind of taking that a step
32:18 - further you know kind of looking at the how you work and organization what are the steps if you've got lots of steps and links in the chain so to speak within your process and your service provision and so on. Looking at those and how they all fit together you know kind of how they
32:32 - all join together you know is the communication there are there is a handover of information is all the inputs and outputs gelling together you know if there's gaps or if there's staggered and inefficiencies and that then it can lead to uncertainties and risks within your system and effectiveness of change management already mentioned there a few times it's you know.
32:50 - Kind of you know just this idea if you've got change within the system is it capturing it is it being managed effectively and then associated risks and uncertainties.
33:05 - So there's more even believe it or not there's more potential benefits the longer you think the more you come up with so you can look at it to kind of enhance your knowledge base. Okay so you mentioned earlier on about kind of organizational knowledge it's a clause within the standards.
33:17 - Now you require to maintain that and, you know, and retain it and it's obviously knowledge as well with it sits in people's heads as well as you know general who our organization is and what they do so you can enhance your knowledge base as part of risk-based thing you can potentially improve stakeholder perception. Absolutely it's a big thing nowadays well it's always been it
33:39 - can enhance system and operational resilience like I say if you if you're if you're mitigating risks and uncertainties yeah absolutely. It stands to reason that you know resilience could potentially be improved and obviously uh improve management system effectiveness that all these things combined can lead to the effectiveness of your management system what it's trying to achieve that's really think about what you're trying to achieve here this that.
34:04 - Keep there's no need to overthink it any more than that it's what you're trying to achieve preventing negative effects absolutely.
34:13 - I need to improve reliability of products and services those things there it's kind of really just you know these aren't again not exhaustive but some of the reasons for taking this on board and kind of carrying this whole idea forward.

Risk Clauses & PDCA

34:31 - So, just a quick run through then of the risk clauses and PDCA for those of you that got certified management systems or certainly work to an ISO standard you'll recognize this kind of structure that the PDCA says called stands for plan do check act okay. Now within the standards the ISO standards that follow a structure called Annex SL which is the common ISO structure.
34:53 - We're going to walk through some of clauses four through ten of those because that's where those that you've got the management system will recognize. Okay so section four then of the ISO standards it talks about the determination of the management system processes exposed to risk so fundamentally there what it's saying is okay. You your management system is going to exist
35:12 - and it needs to exist and to kind of determine and cover the areas of the processes that are potentially exposed to risk there all sits in that kind of getting the whole system set up okay.
35:26 - Leads on to clause 5 which requires that top management must engage okay so there's a requirement within the standards now that there's a promotion an application of risk-based thinking directly by top management okay although they may not necessarily get involved in the nitty-gritty.
35:40 - They're required to support and promote the whole thing internally within your management system.
35:47 - So, clause 6 then that's where the actual nuts and bolts of risks and opportunities sit so it's okay. So that kind of is what we're kind of essentially talking about here but fundamentally that's where you require it requires that you identify risks and take action as appropriate.
36:01 - Okay leading through to clause seven requires that you provide the resources to address those risks and obviously just your management system but certainly, it's all embedded within that so provide necessary resources now that's people infrastructure and so on.
36:19 - It goes deeper into clause eight which is managing operational processes in line with clause six so, clause six is where you've done your planning you've set your objectives you looked at your risks and opportunities and then you've actually got to kind of make these things happen within the operational side of things and make sure that and make sure that that they put out.
36:35 - People know what they're doing leads into clause nine fundamentally this is kind of where the checking phase it's in okay. So you've done all your planning identified your risks looked at the actions you want to take taken them now you went in to say okay are we actually doing this and has it been an effective process oh you know the actions the right ones do we need to revisit them do we need to re-evaluate our risks and so on. Okay that leads ultimately
37:01 - you know kind of into section 10 which is you know addressing undesired effects and fundamentally elite improvement so this is kind of really what it's all about that PDCA these clauses four through ten they cover that plan do check act cycle so you're setting out the setting that you're planning through your planning clauses like I say and then checking them, and then acted upon them as need be okay you can see this kind of circle that goes round and round.
37:31 - Okay there's there so you've got the plan do check act there so planning leadership commitment absolutely identify assess and plan actions to address the risks the only ones are doing implement and communicate the mitigation plan.
37:44 - Monitor the implementation phase and then implementing changes to your risk and system and that then leads back into the planning again so it goes around in a happy circle okay.
37:54 - See a little illustration there on your screen about the PDCA now there's an illustration of PDCA within all of the ISO standards so it's certainly worth having a look at the beginning of those that gives an illustration of where the clause is set within the PDCA process.
38:10 - So, risk-based thinking then so you've kind of done all the hard work if you like you know you set the system up you've identified your risks and you know you're kind of you've got top management involved and you're doing the thing and so on and so forth some of the things you can a man in terms of a management program then okay. So very simple kind of steps to take when it comes
38:27 - to risk-based thinking so you identify straight off the bat then you analyze. Okay so, you assess kind of you know the level of the risk and you know kind of or whatever means you're going to do that be it numerical or you know whatever format you're going to choose whatever methodology.
38:45 - You then treat it okay with actions to address the risks you monitor them certainly so obviously you make sure that you know that the actually the action is being effective and is the risk being controlled to the degree that you want it to and then the ultimate at least to a control. So basically kind of
39:03 - a five-step kind of process there pretty kind of you know pretty straightforward but obviously but all necessary and relevant steps when it comes to risk-based thinking and managing a risk okay and it all goes around in a circle there so once you've finished up controlling it you may then go back and reassess your risk the level and adjust the actions as need be okay.
39:28 - So possible methodologies then number of ways you can attack this again this is an exhaustive list just a couple of things to think about you may have heard some of these acronyms as you go along but obviously you've got this idea of a SWOT you know which is,
39:41 - strengths weaknesses opportunities threats you know you can look at that whether you can google any of these and then they'll come up and it will kind of give you the ideas on ways of attacking the whole thing you can PESTLE that's on my head now a little memory test that kind of it factors in things like, political environmental social technological legal economic.
40:02 - It's the idea is that it kind of gets you thinking about kind of the different factors and steps within an organization that could be affected by risk you've got FMEA failure mode effect analysis you've got dedicated standards ISO 31000 that is all about kind of risk-based thinking and takes the whole thing to a very at the next level okay. You can use cause and effect brainstorming absolutely.
40:24 - Mentioned making people involved in the process certainly interview and root cause analysis you know there's loads of ways you could do this you don't have to do any of these you know you can do all of them if you like you know but it's or you can just you know sit around the table and talk about the whole thing you know what we think it can affect us and all that as an organization.
40:45 - So, I think to factor in when it comes to risk and leadership then like I say leadership is this whole all the standards now they require risk risk-based thinking to be promoted by top management okay so and that is by definition leaders within an organization okay.
41:02 - So a couple of things to consider here so you can't control people through policies procedures and policing necessarily you can only do it through a strong risk management culture and absolute integrity in all leaders so the idea is kind of you know leading from the front promoting the whole thing getting people involved and supporting it and engaging absolutely.
41:21 - Ask the right questions certainly of leaders it's leaders, managers whatever your top management and so on you know kind of challenging underlying assumptions and engaging with the workers.
41:30 - Obviously not necessarily expecting to do it every day on a micro management level absolutely.
41:35 - Not but obviously just seem to be supporting the whole process and what you're trying to achieve. Okay consult with a mix of people absolutely like I’ve already said you know getting involved the more people you get involved without making it too busy obviously you want to keep it doing a controlled manner but to get their thoughts and an input on whole process.
41:54 - Encourage critical ideas and testing of assumptions you know keep the whole thing, you know, kind of keep the whole thing go be critical you know of your organization and what you're doing and say like challenge, change the process, challenge what's going on and you
42:07 - know is there uncertainty there and how can we address it okay some in summary just a bit of a paragraph there so policies and procedures for predicting evaluating and managing risk are important but if leaders don't ask the right questions if they don't seek out a diversity of opinions and perspectives and if they don't engage and promote the principles risk-based thinking.
42:27 - These rules won't make any difference and when that happens the blame for the damaging consequence is very soluble leadership so obviously you know it kind of sits there it's really saying like okay it's embedded within the standard it should be embedded risk-based thinking should be applied and adopted by top management leadership within an organization.
42:48 - We mentioned a little bit earlier on about kind of changing risk okay. So again really important obviously when it comes to change you know to some degree it can be considered maybe one of the biggest uncertainties within an organization, change you know because it can it can evolve change around people, change your product to process a law.
43:05 - Whatever it may be and the idea is that obviously your management system needs to be set up and geared to react to that okay. So when you have your risk management system in place you should keep this under constant review as things change you should update your risk system and one of the key areas that should be done within the plan of changes clause now there is actually.
43:24 - There's plenty for those who have read the standard there is a clause around associated with change and it kind of covers certainly in quality environmental health and safety.
43:33 - So the idea is that your management system is set up so that it can react to and you know kind of deal with the uncertainties and risks associated with change within your management system.
43:43 - Now they can obviously come from like we said from many angles okay. It can be like I say people processes the product pandemics whatever it may be obviously how your management system reacts to that and then kind of you manage the associated risks okay.
44:00 - So it says there something as simple as changing the organization structure could have a huge impact on the management system and the risk should be identified and considered so it could be you know you wish to remove a position within the structure and combine two roles into one.
44:15 - So what were all of the roles each person was performing not just documented tasks but the undocumented also so can one person do all of the tasks is there a risk of some tasks not being performed so it's kind of like you know on the surface of it you know a simple change you know it can, it can be that but obviously then you know you've got to look at the potential
44:35 - impacts and the bigger picture if you like okay changing a particular process it can have a heavy effect on the inputs and the outputs and remember what we said earlier that kind of how the whole thing gels together how your management system how your process and organization all gels together there's all links in a chain and they're all kind of potential failure points that you need to be looking at associated with them what you're trying to achieve with your management system.
45:00 - Okay so, supply chain risk management then absolutely mentioned suppliers a few times now okay. Number of things that can come into play here obviously the risks surrounding supplies can include the risk of counterfeit parts, escape prevention parts, obsolescence raw material, testing, and so on and so forth. So the standard doesn't ask that you perform a risk assessment on each supplier or even on you know your management system your processes.
45:26 - But obviously from a supplier perspective it's really kind of just looking at kind of your supply chain that can be from the types of products or processes they're supplying or it can be down to the sheer number you know how is it just one person you're relying upon is it.
45:39 - Is it just the eggs in baskets the old analogy or is it you know kind of you know the process that have you got a strong enough control over what they're providing to your organization as a process okay. So really, it's about looking at the mitigations that you could put in place when it comes to your supply chain be it you know within the realms of reality if you like okay.
45:59 - So looking at you know kind of what qualifications what people are actually if you've got suppliers and contractors coming into your premises to do a do a task for you or even as an outsourced process.
46:09 - As a contractor you know who are they what are the steps what are the what are the hoops you're making them jump through to have so you can have confidence in what they're delivering and this is all down to kind of that same principle the uncertainty is okay what you're trying to achieve with the management system and supply chain that can be certainly a big part of that.
46:29 - So, some examples then I suppose associated with supply chain supplies going out of business have their alternatives be considered just some ones to consider here people not understanding roles responsibilities. So kind of how robust is you know it's a management system are people aware of what they should be doing you know do they understand where they fit in the management system and the role that they play.
46:53 - So it is how robust is your induction and training process okay. Do people actually know what they shouldn't be doing if they don't then you know there's risk there there's uncertainties there, if they don't understand their role their responsibilities their you know their importance if you like within the system, yeah kind of is it, is it even leads to uncertainties,
47:14 - inadequate infrastructure okay. So it yeah absolutely consider maintenance instruction and efficiency you know if it's not maintained properly and people don't know how they how to use it. Yeah absolutely it's logical that there's uncertainty and risk associated with that.
47:32 - Okay poor communication is there a lack of it or is it ineffective like we said there if you're not communicating effectively yeah it can lead to uncertainties because people won't know what they should be doing and you know be it documented communication or verbal or whatever it may be there can be certainly uncertainties associated with that documentation is it available is it up to date is it for use you know that it's any, kind of,
47:55 - any levels of documentation that can you know create uncertainty if it's not correct for purpose legible controlled again all potential risks within your management system.
48:06 - Okay and external influences how can they impact you and how can that be managed we've already mentioned supply chain there but obviously you've got you know members of the public and so on so forth visitors they could all arguably create kind of uncertainties within your management system there's variables there that you need to make sure you've got controlled okay.
48:31 - The last kind of 45 - 49 minutes or so really kind of looking at what you're looking at there it's kind of what is uncertain around what you're trying to achieve and what it can affect and how and how you can manage it so just really look at your management system look at the intent remember those words kind of the intended outcomes what you're trying to achieve with the
48:49 - management system. That it will be things like your objectives obviously customer satisfaction there's obviously a number of things like compliance obligations and stakeholder perceptions and supply chains and so on all of these that can have little gaps and uncertainties that you're,
49:02 - you know, you can fall down essentially and prevent you achieving what you're trying to achieve and that's really what the standard is getting for getting that is saying okay.
49:11 - Look at what you can control and indeed control it and when you're taking those actions have they been effective do you need to take anything further or can it kind of you know does it fall under than a system of just control and monitoring.
49:22 - But yeah so I think yeah keep it simple as you possibly can keep it in context don't overthink it but just look at what you do look at how your processes sit together and one thing leads to the next and look at the gaps and that you can potentially go down in that regard okay.

New Advanced Training Courses

49:41 - So just that's pretty much it for me talking hopefully I do hope that was of some interest it's certainly an area that I spent a lot of time talking through when it comes to audits and have reasonable discussions with it's like I say something we could spend a lot of time talking about but I’m not sure that would be good for anyone's help on a Friday afternoon but certainly kind of just something I do want to just run past you.
50:04 - Again you will get copies of this but something that we are developing at NQA is these kind of advanced training courses on your screen there are some of the some of the areas that can be covering within that now they're going to be short kind of if you like bite size from one to a better phrase two or three are kind of modules where we'll kind of focus on a particular area go into a bit more detail and just enhance on some of the topics that you can see on screen there.
50:27 - Okay so again you will get copies of this so it's not memory tests no exams but obviously though so but feel free to take a mental note of those and prove them at your leisure they're all on our website you can see that the website address there okay.

Questions and Answers - End

50:43 - So, officially then that's it for me obviously now I’m going to stay online there may be some questions I’ve kind of kept half an eye open there's been some questions coming through as we were going along, I want to do my level best to answer those each and every one of them.
50:57 - But like I say if feel free to want to stay here I’ll keep answering I know as we go along you will get copies of the slides if there's any questions you can go back to back to NQA back to back to the office there and but failing that I hope everyone has a safe and happy and peaceful Christmas and I wish you all the very best for the new year and best of luck in your risk-based thinking thanks everyone thanks for listening really appreciate it take care.