Risk Based Thinking; Let’s Keep It Simple
It is fair to say that if your business runs out of money that is a severe risk, but not all risks are so disastrous. The purpose of risk based thinking is to identify and manage the risks within your company in proportion to their impact. A familiar method you may recognise is this model;
How do I assess or decide a risk?
There are many simple tools to start you off (SWOT, PESTLE and similar), and because you probably already do this subconsciously every day, it can feel a difficult area to evidence to an auditor. An important point about the ISO standards is that they exist to help you improve your business and bring value; it is therefore vital that you make the standard work for your business rather than make your business fit the standard.
At first it sounds an arduous task, however if you actively refer to and use these tools you may find improvements that you would not get by simply talking about and acknowledging these factors.
If you hold management reviews every 12 months and only discuss these factors at that point, you are technically not breaching the Standard as such, but you will not get any real time value from it either. If you put time into a SWOT and then only discuss the findings 12 months later, you may find that threats have increased and opportunities have expired, and you will not have met 6.1.2 of ISO 9001:2015, because you have not planned how the actions are integrated and implemented into the system and you have not evaluated their effectiveness. Let us not forget that risk based thinking also includes;
- Shared risk
- Elimination of risk
- Taking risk to pursue an opportunity
What will my auditor want to see?
The main thing we check for is conformity to the standard, NOT non-conformity. This means that we look for what you are doing well, and we identify any non-conformances so that you have an opportunity to rectify and improve. Let’s look at ISO 9001:2015 as an example;
4.4 Quality management system and its processes
4.4.1 The organization shall establish, implement, maintain and continually improve a quality management system, including the processes needed and their interactions, in accordance with the requirements of this International Standard.
The organization shall determine the processes needed for the quality management system and their application throughout the organization, and shall:
f) Address the risks and opportunities as determined in accordance with the requirements of 6.1;
g) Evaluate these processes and implement any changes needed to ensure that these processes achieve their intended results;
*Top Tip – 6.1 is the planning section of the standard; 6.1 is Actions to address risks and opportunities. What this tells us is that within your quality management system you must address risks and opportunities (Fig 1 – Plan). We also see that you must evaluate the processes of your quality management system, and this includes risk. You must therefore be able to discuss your risks and opportunities with your auditor and explain what you are doing with this information.
4.4.2 To the extent necessary, the organization shall:
a) Maintain documented information to support the operation of its processes;
b) Retain documented information to have confidence that the processes are being carried out as planned.
*Top Tip – Maintain and retain documented information. We are not asking you to create reams of paperwork; we are asking to see how you have addressed, actioned and evaluated your risks, e.g. management review minutes, a risk register, team meeting notes, statistical data. These are all examples of documented information to show your auditor; however, we will also ask for your own understanding of them.