
Launch Your Next Mission - Part 2: Risk Based Thinking

17 April 2019
There are two key concepts within ISO 9001 and, subsequently, the AS91xx standards: the process approach and Risk Based Thinking. The process approach has been in the standard for years, but Risk Based Thinking, although previously implied, is new and is not necessarily being applied correctly by organizations.

Interestingly (well, to me anyway), 'Risk Based Thinking' is not defined in ISO 9000:2015 (the vocabulary standard), but it does appear in the introduction of the standard itself.

Risk-based Thinking

ISO 9001/AS91xx states:
0.3.3 Risk-based thinking
Risk-based thinking (see Clause A.4) is essential for achieving an effective quality management system. The concept of risk-based thinking has been implicit in previous editions of this International Standard including, for example, carrying out preventive action to eliminate potential nonconformities, analyzing any nonconformities that do occur, and taking action to prevent recurrence that is appropriate for the effects of the nonconformity.
To conform to the requirements of this International Standard, an organization needs to plan and implement actions to address risks and opportunities. Addressing both risks and opportunities establishes a basis for increasing the effectiveness of the quality management system, achieving improved results, and preventing negative effects.
Opportunities can arise as a result of a situation favorable to achieving an intended result, for example, a set of circumstances that allow the organization to attract customers, develop new products and services, reduce waste, or improve productivity. Actions to address opportunities can also include consideration of associated risks. Risk is the effect of uncertainty and any such uncertainty can have positive or negative effects. A positive deviation arising from a risk can provide an opportunity, but not all positive effects of risk result in opportunities.

So what is risk?

Risk is defined as an undesirable situation or circumstance that has both a likelihood of occurring and a potentially negative consequence.
Risk is at the forefront of the new ISO 9001/AS91xx standards as well as other Annex SL based standards such as ISO 14001 and ISO 45001. Organizations need to determine a risk management system and set about mitigating these risks in a systematic way. This may sound like a lot of work and effort, but it is not as bad as you think. Implementing an effective risk management system can add many benefits to your business, including reduced costs, reduced lead times, improved quality and increased customer satisfaction. One of the main benefits, which is not necessarily obvious, is improved reliability of the products and services, because you have correctly implemented risk management controls.
Risk Management is an iterative process to identify, assess, reduce, accept and control risks in a systematic, proactive, comprehensive and cost-effective manner, taking into account the business, cost, technical, quality and schedule (programmatic) constraints. Generally speaking, it is a process of reviewing your business and systems in such a manner that it highlights the possible risks and sets out a plan for mitigating those risks to prevent product and service non-conformances.

Benefits of risk management

Process benefits:

  • Increase the likelihood of achieving objectives

  • Encourage proactive management

  • Be aware of the need to identify and treat risk throughout the organization

  • Improve the identification of threats

  • Comply with relevant legal and regulatory requirements and international norms

  • Improve financial reporting and governance

  • Improve stakeholder confidence and trust

  • Establish a reliable basis for decision making and planning

  • Improve organizational controls

  • Effectively allocate and use resources for risk treatment / handling

  • Improve operational effectiveness and efficiency

  • Cost of risk management is typically less than the cost of issue management

  • Enhance health and safety performance, as well as environmental protection

  • Minimise losses and improve loss prevention and incident management

  • Improve organizational learning and resilience.

Product, service and mission benefits:

  • Reduce likelihood of delivering nonconforming product/services to customers

  • Reduce the likelihood of delivering late product / services to customers

  • Increase likelihood of business success (meeting schedules, budgets etc.)

  • Reduce probability & consequences of mission failure

  • Reduce the probability of injury or death due to product /service failure.

Risk management programme

Now that we have a better understanding of what is required from the standard we can then start to implement some controls around the risk management system.
A risk management programme will help an organization to:

  • Identify risks

  • Reduce occurrences and impacts of risks

  • Understand significance/severity of risks

  • Promote organizational behaviour focused on risk management

  • Increase effectiveness of product and service delivery to customer

  • Create a process for who, what, when, where, how and how much

  • Maintain information on historic issues

  • Capitalise on historical issues to prevent future issues

  • Bring out hidden risk knowledge, so it can be managed.

Risk management programme cycle

There are 4 key steps to an effective risk management plan:

  • Step 1 - Risk identification

  • Step 2 - Risk assessment

  • Step 3 - Risk action management

  • Step 4 - Risk reporting and monitoring

PDCA cycle

When you think about risk you can consider the PDCA cycle (Plan, Do, Check, Act), and this can have an impact on your risk ratings. If you think about your overall process steps and where the risk points are, the cost to the business is greater the further along the steps you are. If you identify a failure in the checking stage (inspection and testing) then the cost will be high, as you have already purchased parts and built your product. If you identify a failure at the contract stage then you have possibly spent very little money so far and can easily rectify the problem before moving on to the next step.
You should also consider the criticality of the items as part of your risk ratings: are the products or services going to impact safety, for example? What is the impact of the item on the product throughout its life?

Step 1 - Risk identification

Risk identification should never be done by one person; it should always be done by a team of people who represent a cross section of interests. Risk is always a perception, and depending on your background, experience, knowledge or even personal attributes you will perceive risk differently to other people within the group. It is not a case of who is right and who is wrong; it is about identifying all possible risks.
Someone who works in purchasing will see a risk differently from someone who is in production, as they could be impacted in different ways. The person in purchasing will likely look more towards the cost impacts or lead times, whereas the person in production could look more towards on-time delivery and usability.
It is important to involve as many personnel as possible and document everything. How you do the initial documentation is up to you: some people prefer to use a whiteboard, some people like to document on paper or an Excel sheet, some people may just record in minutes. The aim is to document as many risks as possible at this stage and not to give risk ratings, as you tend to go off on a side track. You can do the ratings later, once you have identified all of the possible risks.
Examples of types of risk: 

  • Financial

  • Strategic

  • Compliance/effectiveness

  • Operational / planning including physical & environmental

  • Human factors

  • Political (import export controls)

  • Environment health and safety

  • Ethical, legal, image

 Examples of specific risks around purchasing:

Specific Clauses within the standard for risk identification are shown below.

Clause 6.1

Although risk based thinking runs throughout the standard, which talks about reducing and managing risks in a number of areas, there are a couple of critical clauses in the standard which emphasise the requirements even more. The first is clause 6.1 - Actions to Address Risks and Opportunities.
This clause of the standard asks you to consider risks and opportunities, with specific focus on the context of the organization and its interested parties, when planning how your quality system will be determined and managed. What you should be doing early on in your system development is to think about what risks there are within the business and implement a system around those risks (6.1.2b). This process should be completed shortly after you have identified your context and the interested parties relating to the business.
Most organizations are identifying their context, identifying their interested parties and their needs, and then also producing a risk assessment. However, what they are failing to do is join up the dots between the three elements.
If you have identified a risk during your context stage then you should be putting it into your risks and opportunities plan. If you identify a risk around one of your interested parties' needs then this should also go on your risks and opportunities plan. Don't do these three activities separately, as you will likely end up with a non-conformance because you have not read the first line of the clause requirement.
I like to think about this section of the standard as a funnel. You identify the factors around your context, you identify the factors around your interested parties' needs, you put all of those into the top of a funnel, and out the bottom pop the risks and opportunities.

Risks and opportunities funnel

So what do you do with those risks and opportunities once they have been identified? You need to mitigate those risks and explore those opportunities and this should be done based on the potential impact on the conformity of the products and services. In essence they are asking you to take action against your highest risk areas first as these could have the greatest impact on your product or service.
It’s worthwhile reading the two notes in this section:
NOTE 1: Options to address risks can include avoiding risk, taking risk in order to pursue an opportunity, eliminating the risk source, changing the likelihood or consequences, sharing the risk, or retaining risk by informed decision.
NOTE 2: Opportunities can lead to the adoption of new practices, launching new products, opening new markets, addressing new customers, building partnerships, using new technology and other desirable and viable possibilities to address the organization's or its customers' needs.
What these two notes are telling you is to mitigate those risks and, in doing so, you could create new opportunities. If you take the factor of a limited customer base in the risk funnel, as part of the risk management process you could then explore the opportunity of sourcing new customers. Risks and opportunities are not necessarily separate activities; they are often linked to each other. Organizations should also consider implementing KPIs around the risks and opportunities to ascertain whether the actions have been effective or not.
ISO 9001 more or less leaves the requirement there and leaves it up to the organization how they are going to present and manage the risks and opportunities, but with the AS91xx series of standards you are required to take things further. In all honesty, the additional AS91xx requirements would be worth ISO 9001 organizations reading and understanding too, as they could help them to implement an effective risk management process.

8.1.1 Operational risk management

AS91xx states:
“The organization shall plan, implement, and control a process for managing operational risks to the achievement of applicable requirements, which includes as appropriate to the organization and the products and services:

a. assignment of responsibilities for operational risk management;
b. definition of risk assessment criteria (e.g., likelihood, consequences, risk acceptance);
c. identification, assessment, and communication of risks throughout operations;
d. identification, implementation, and management of actions to mitigate risks that exceed the defined risk acceptance criteria;
e. acceptance of risks remaining after implementation of mitigating actions.
NOTE 1: While clause 6.1 addresses the risks and opportunities when planning for the quality management system of the organization, the scope of this clause (8.1.1) is limited to the risks associated to the operational processes needed for the provision of products and services (clause 8).
NOTE 2: Within the aviation, space, and defense industry, risk is generally expressed in terms of the likelihood of occurrence and the severity of the consequences.”
This requirement of the standard is basically putting some structure around the risk management process relating to the operations of the organization, and asking for specific focus on the cradle-to-grave product process rather than the overall management system. Some common tools for this type of control are FMEAs, Risk Registers, PPAPs etc.
There is no need to implement the more detailed risk control process stated above to address clause 6.1, but it could be of benefit: why have two risk systems in place?

8.4 Control of externally provided processes, products, and services

AS91xx states:
“The organization shall identify and manage the risks associated with the external provision of processes, products, and services, as well as the selection and use of external providers.”
This one line has probably one of the greatest impacts on the management system and is often overlooked or paid lip service to.
The standard is almost asking for a specific risk assessment against the purchasing process. The reason for the greater emphasis is that most aircraft parts are purchased and pass down the supply chain through many levels, and the risk surrounding this increases the further down the chain you go.
The risks surrounding suppliers can include the risk of counterfeit parts, escape prevention, parts obsolescence (and then we include the risk of black market products), raw material testing, product safety, change notifications, part qualifications, sub-tier suppliers. The list goes on.
I will be going into the supply chain management in more detail in a later article as it is more in depth than this single line suggests. The standard is not necessarily asking you to perform a risk assessment on each supplier but more look from a category or type perspective and what problems can arise. If you look at special process suppliers for example, fundamentally the biggest risk is that they do not perform the special process as per the requirements. So what mitigations can you put in place for this?

Step 2 - Risk assessment

Once all risks have been identified, the organization then needs to perform a risk assessment which involves some form of risk ranking/classification.
There are many different methods for risk ranking, none of which is a specific requirement, as long as you consider likelihood and consequence, which all risk ranking tools do.
Generally all risk factors will have a rating of 1-5 or similar; you can use red, amber, green (RAG rating) or simply wording to differentiate. As long as your method is clear and consistent you can use whatever method you prefer.

Risk likelihood assessment table



Proven of completely mitigated by an approved plan



Demonstrated or well mitigated by approved plan



Partially demonstrated or mitigated by approved plan



Analytically demonstrated possible mitigate plan



Speculative with no mitigation plan

Risk consequence assessment table

The consequence descriptions would possibly change depending on whether you are looking at the consequence for cost, schedule or product conformance, so adjust them as necessary. The descriptions below relate to product and service conformance rather than cost and schedule.


Moderate or no Impact


Moderate Impact. Same approach retained


Moderate Impact but alternatives available


Major impact but alternatives available


Major impact and no alternatives available

Risk matrix

A risk matrix is a common tool which is used within health and safety management systems but can be applied anywhere.

Step 3 - Risk action plan

After an organization has identified its risk ratings/classifications for each of the identified risks, it needs to take actions to mitigate the risks.
A common issue we see is that actions are put in place for every single risk identified; this is not always needed. The organization should establish what actions are required for each identified risk rating. You should aim to reduce the identified risks as much as possible, but with focus on the most critical/highest risks first.
For example, critical risks could require mitigations and a weekly review of those mitigations to try to reduce the likelihood or consequence. High risks may also require mitigations, but with a monthly review to try to reduce the likelihood or consequence. Medium risks could just require a monthly review but no reduction of the likelihood or consequence, and low risks can be left.
The risk mitigations/actions should be identified on the same document/format you have used for your risk identification and assessment. However, these may just be short mitigations/actions, and more detail could be held elsewhere, such as within review minutes or even six sigma programmes etc. Some organizations will split the risk assessment process down into separate functions within the organization, and those functions will determine the methods for controlling the actions. As long as mitigations have been identified then you will be controlling the process sufficiently (notice I didn't say effectively, as this is different).
These actions are what auditors should see implemented throughout the management system; if you have identified some mitigations then we want to see how you have controlled these. This could be introducing KPIs to monitor a process, or specific objectives around gaining new business. If they are project-based risks then they could be around reviewing alternative materials. Whatever you have deemed to be mitigations, ensure that you are doing something about them.

Step 4 - Risk reporting and monitoring

Risk management effectiveness

Organizations do not often measure risk management effectiveness; they do not tend to have a system in place for measuring the effectiveness of their process. They could be under the impression that the process is working as it should, but unless they have some form of measurement it is hard to determine this.
Just as you would measure the effectiveness of your key processes, you should consider applying performance metrics around the risk management process. Identifying the measures can depend on the organization's risk management maturity, and could start off with measuring the number of open critical risks without action plans, or the frequency of reviews.
As the maturity of the system develops you can then start looking at the maturity rating of each identified risk and setting some performance measures around those levels (see the Risk Maturity Model section).
Some other possible KPIs include:

  • Risk mitigation performance-to-plan

  • Percent of moderate and high risks with mitigation plans

  • Time from risk identification to risk handling

  • Percent of risks identified by lowest affected team

  • Percent of mitigation plan tasks included in project/team/organization schedules

  • Ratio of cost savings attributed to risk management over the cost of conducting risk management

  • Percent of project or organization targets met.
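To make Step 2 (likelihood x consequence ranking), Step 3 (actions tiered by rating) and the effectiveness KPIs above concrete, here is an added worked example of a small risk register. It is illustrative code written for this article, not a tool from the standard or from any auditing body. The five likelihood and consequence descriptions are taken from the two assessment tables above; the 1-5 numbering, the score bands (critical/high/medium/low), the weekly and monthly review cadences from the Step 3 illustration, and the sample risks are all constructed assumptions for the example.

```python
"""Risk register: likelihood x consequence scoring, tiered actions and KPIs."""
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Five-point scales. Descriptions follow the article's two assessment tables;
# numbering them 1 (lowest) to 5 (highest) is this example's assumption.
LIKELIHOOD = {
    1: "Proven or completely mitigated by an approved plan",
    2: "Demonstrated or well mitigated by approved plan",
    3: "Partially demonstrated or mitigated by approved plan",
    4: "Analytically demonstrated, possible mitigation plan",
    5: "Speculative with no mitigation plan",
}
CONSEQUENCE = {
    1: "Moderate or no impact",
    2: "Moderate impact, same approach retained",
    3: "Moderate impact but alternatives available",
    4: "Major impact but alternatives available",
    5: "Major impact and no alternatives available",
}

# Bands over the product likelihood * consequence (1..25). The standard leaves
# the boundaries to the organization; these values are constructed.
BANDS = (("critical", 20), ("high", 12), ("medium", 6), ("low", 1))

# Per-band expectations, following the article's Step 3 illustration:
# critical -> mitigate + weekly review, high -> mitigate + monthly review,
# medium -> monthly review only, low -> no action required.
POLICY = {
    "critical": {"mitigation_required": True, "review_every_days": 7},
    "high": {"mitigation_required": True, "review_every_days": 30},
    "medium": {"mitigation_required": False, "review_every_days": 30},
    "low": {"mitigation_required": False, "review_every_days": None},
}


@dataclass
class Risk:
    ref: str
    description: str
    likelihood: int
    consequence: int
    identified: date
    mitigation: Optional[str] = None   # short action text, None if not yet planned
    handled: Optional[date] = None     # date the mitigation was put in place

    def __post_init__(self) -> None:
        if self.likelihood not in LIKELIHOOD or self.consequence not in CONSEQUENCE:
            raise ValueError(f"{self.ref}: likelihood and consequence must be 1-5")

    @property
    def score(self) -> int:
        return self.likelihood * self.consequence

    @property
    def band(self) -> str:
        for name, floor in BANDS:
            if self.score >= floor:
                return name
        return "low"


def review_actions(risk: Risk) -> list:
    """What the register should record for this risk, given its band."""
    policy = POLICY[risk.band]
    actions = []
    if policy["mitigation_required"] and not risk.mitigation:
        actions.append("mitigation plan required")
    if policy["review_every_days"]:
        actions.append(f"review every {policy['review_every_days']} days")
    return actions


def kpis(register: list) -> dict:
    """Three effectiveness measures named in the article, over a register."""
    mod_high = [r for r in register if r.band in ("medium", "high", "critical")]
    with_plan = [r for r in mod_high if r.mitigation]
    handled = [r for r in register if r.handled]
    return {
        "open_critical_without_plan": sum(
            1 for r in register if r.band == "critical" and not r.mitigation),
        "pct_moderate_high_with_plan": (
            round(100 * len(with_plan) / len(mod_high), 1) if mod_high else 100.0),
        "mean_days_identification_to_handling": (
            round(sum((r.handled - r.identified).days for r in handled) / len(handled), 1)
            if handled else None),
    }


# Constructed sample register (purchasing-related risks from the article's list).
SAMPLE_REGISTER = [
    Risk("R1", "Special process supplier does not perform process to requirements",
         4, 5, date(2019, 4, 1),
         "Use approved special process suppliers; verify certificates on receipt",
         date(2019, 4, 10)),
    Risk("R2", "Counterfeit electronic part enters stock via broker", 3, 5, date(2019, 4, 1)),
    Risk("R3", "Limited customer base", 3, 3, date(2019, 4, 2),
         "Opportunity: pursue two new customer sectors; KPI on enquiries"),
    Risk("R4", "Late raw material test certificates", 2, 2, date(2019, 4, 3)),
    Risk("R5", "Key supplier change notification missed", 2, 4, date(2019, 4, 3)),
]

if __name__ == "__main__":
    for r in SAMPLE_REGISTER:
        print(f"{r.ref} score={r.score:2d} band={r.band:8s} actions={review_actions(r)}")
    print(kpis(SAMPLE_REGISTER))
```

Running the block lists each sample risk with its score, band and outstanding actions, then the KPI dictionary: R2 (high, no plan) is flagged for a mitigation plan, and the percentage of medium-and-above risks with plans comes out at 50%, the kind of figure the article suggests tracking as the programme matures.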

Lessons learned

Continual learning should always be an output of your risk management process; as projects are performed there is always something to learn. What could you have done better, what didn't go as well as expected, and what recommendations could you put forward for future projects?
It's a good idea to keep a lessons learned database that can be used for future projects, with some mechanism for recording the risks, their classifications (incorrect tools, missing equipment, incomplete methods etc.), the programme/project, who the customer was, and so on.
As the database develops and the maturity of your risk management programme increases, you will be able to launch new projects quickly and with reduced overall risk, because you have carefully considered all previous project issues and addressed them as time goes on.

Planning of changes

When you have your risk management system in place you should keep it under constant review; as things change you should update your risk system, and one of the key places this should happen is clause 6.3 - Planning of Changes.
This is another one of those "lip service" clauses which are overlooked. When you plan changes to the management system (and I am not talking about raising the issue of a procedure) you should review the impact of that change. I would even consider performing a specific risk assessment around the change to ascertain the impact on the management system.
Something as simple as changing the organization structure could have huge impacts on the management system, and the risks should be identified and considered. Let's say you wish to remove a position within the structure and combine two roles into one. What were all of the tasks each person was performing, not just the documented tasks but the undocumented ones too? Can one person do all of the tasks? Is there a risk of some tasks not being performed? There are many things to consider when making changes, and these could impact your risk process.

Risk maturity model

Most organizations can identify their risks and actions but tend to leave the system standing still unless something has changed with the business or the risk ratings. An effective risk management system, however, takes this one stage further and looks at a maturity model.
The maturity model will ensure that the system is fully optimised, and it is simple to follow: you score each of the attributes and work towards improving those scores and moving on to the next maturity level.

Download a copy of the Risk Maturity Model Table here.