
Risk Based Thinking

The document outlines a training course on risk management aligned with ISO 9001:2015, focusing on risk-based thinking and its importance in quality management systems. Participants will learn to identify risks and opportunities, utilize risk analysis tools, and understand the requirements of ISO 9001:2015 related to risk management. The document also discusses techniques for managing risks, such as avoidance, mitigation, transfer, and acceptance, along with the use of a risk register for tracking and addressing risks.

Uploaded by

ekpedemeutip
Copyright
© All Rights Reserved

RISK BASED THINKING
THE ISO 9001:2015 PERSPECTIVE

EKPEDEM
E
Course Objectives

• The objective of the training is to provide participants with an introduction to risk management awareness aligned with ISO 9001:2015 Quality management system requirements.
• It provides participants with an overview of the purpose and requirements of a risk management system certified to ISO 9001.
• It helps participants to carry out risk assessment and plan actions to address risks and opportunities within the organization.
Learning Outcome

On successful completion of this training, participants will:

• Have an understanding of the ISO 9001:2015 concept of risk management,
• Be able to identify risks and opportunities within the Quality management system processes, and be able to reduce their effect in the system,
• Understand and be able to use various risk analysis tools.
QUALITY NUGGET

T – Thoughtful
H – Helpful
I – Inspires
N – Necessary
K – Knowledge
Introduction to Risk Management
In Quality Management System Requirements
What is Risk
• Risk is an uncertain event or condition that, if it occurs, has a positive or negative effect on a project’s objectives – PMBOK.
ISO 9000:2015, Fundamentals and vocabulary, has this to say about risk:
• “The effect of uncertainty on the ability of an organization to meet its objectives.”
What is Risk-Based Thinking? (the new ‘preventive actions’ for QMS)

• Risk-based thinking is the idea that all the possible effects of an action are kept in mind when deciding which actions will be best for the organization.
• Risk-based thinking ensures risk is considered from the beginning and throughout activities.
• Risk-based thinking makes preventive action part of strategic and operational planning.
Why Risk-Based Thinking?

WHY TAKE THIS RISK?


Why Risk-Based Thinking?

• Establish a proactive culture of improvement - While risk is often given a negative connotation, identifying risk within a business model and being able to constantly consider outcomes of risk can also help in finding opportunities for growth and development. If a company is able to see roadblocks that may become evident in the future, a better plan of action can be taken to help prevent negative outcomes altogether.
Why Risk-Based Thinking?

• Assures consistency of quality of goods and services - It should come as no surprise that being proactive in business ensures consistency when it comes to the quality of a company’s goods and services. But proactivity also helps cultivate an attitude of constant improvement across the standard.
Where is Risk Addressed in ISO 9001:2015

Introduction - the concept of risk-based thinking is explained in the following clauses of the ISO 9001:2015 QMS standard:
• Clause 4 – the organization is required to determine its QMS processes and to address its risks and opportunities;
• Clause 5 – top management is required to:
  • Promote awareness of risk-based thinking
  • Determine and address risks and opportunities that can affect product/service conformity.
Where is Risk Addressed in ISO 9001:2015 (Continued)
• Clause 6 – the organization is required to identify risks and opportunities
related to QMS performance and take appropriate actions to address them;
• Clause 7 – the organization is required to determine and provide necessary
resources (risk is implicit whenever “suitable” or “appropriate” is
mentioned)
• Clause 8 – the organization is required to manage its operational processes
(risk is implicit whenever “suitable” or “appropriate” is mentioned)
• Clause 9 – the organization is required to monitor, measure, analyse and
evaluate effectiveness of actions taken to address the risks and opportunities
• Clause 10 – the organization is required to correct, prevent or reduce
undesired effects and improve the QMS and update risks and opportunities.
Identifying Risks and Opportunities
• Risk identification is the critical first step of the
risk management process.
• The proper identification of risks calls for a
detailed knowledge of the company, of the market
in which it operates, of the legal, social, political
and cultural environment in which it is set.
• Risk may come from within the project or from
external sources.
Sources for Identifying Risks
• Sources of risk are all of those company environments, whether internal or
external, that can generate threats of losses or obstacles for achieving the
company’s objectives.
• SWOT ANALYSIS
• Pressure by competitors
• The employees
• The customers
• The new technologies
• Changes in the environment
• Laws and Regulations
• Globalization
• The operations
• The suppliers
Classification of Risks

Risks can be classified into:

• Strategic risks
• Operational risks
• Reporting risks
• Compliance risks
Manage the Risks
Manage the Risk

Risk can be managed using the following techniques:

• Avoid
• Mitigate/Reduce
• Transfer
• Accept
Manage the Risk
Risk Avoidance
• Risk avoidance is the elimination of hazards, activities and
exposures that can negatively affect an organization's objective.
• While the complete elimination of all risk is rarely possible, a risk
avoidance strategy is designed to deflect as many threats as
possible in order to avoid the costly and disruptive consequences
of a damaging event.
• A risk avoidance methodology attempts to minimize vulnerabilities which can pose a threat.
• When a risk has a potentially large impact on your project, it should be avoided.
Examples of Risk Avoidance

• A company limiting the amount of customer data stored on its computers in case of a cyberattack.
• A manufacturing business not using certain hazardous materials or chemicals due to the dangers of handling and storing them.
Mitigate Risk

• Mitigating against a risk is probably the most commonly used risk management technique.
• It’s also the easiest to understand and the easiest to implement.
• What mitigation means is that you limit the impact of a risk, so that if it does occur, the problem it creates is smaller and easier to fix.
Example of Mitigating Risk

• For example, if you are launching a new washing machine and the Sales team then have to demonstrate it to customers, there is a risk that the Sales team don’t understand the product and can’t give good demonstrations. As a result, they will make fewer sales and there will be less revenue for the company.
• A mitigation strategy for this situation would be to provide good training to the sales team.
Transferring Risk

• Risk transfer is a risk management and control strategy that involves the contractual shifting of a pure risk from one party to another.
• Transference is a risk management strategy that isn’t used very often and tends to be more common in projects where there are several parties.
• Essentially, you transfer the impact and management of the risk to someone else.
Example of Risk Transfer

• If you have a third party contracted to write your software code, you could transfer the risk that there will be errors in the code over to them. They will then be responsible for managing this risk.
Risk Acceptance

• Accepting risk occurs when a business acknowledges that the potential loss from a risk is not great enough to warrant spending money to avoid it.
• Also known as "risk retention," it is an aspect of risk management commonly found in the business or investment fields.
• This also involves risks that are relatively small.
Pareto Analysis
• Pareto Analysis is a statistical technique in decision-making used for
the selection of a limited number of tasks that produce significant
overall effect.
• It uses the Pareto Principle (also known as the 80/20 rule), the idea that by doing 20% of the work you can generate 80% of the benefit of doing the entire job.
• Pareto analysis is used to guide corrective action and to help the
project team take steps to fix the problems that are causing the
greatest number of defects first.
• The 80/20 rule can be applied to almost anything we do:
  • 80% of customer complaints arise from 20% of your products and services.
Risk Register
• A Risk Register, also referred to as a Risk Log, is a master document
which is created during the early stages of a project.
• It is a tool that plays an important part in your Risk Management
Plan, helping you to track issues and address problems as they arise.
• Having a Risk Register in place simply provides a better means of
responding to problems as they arise.
• A risk needn't be a threat to your project; it is simply an issue that can arise during the project. If effectively managed, it shouldn't prevent your project from attaining its goals and objectives.
Risk Register (Continued)

• The Risk Register is a document that contains information about identified project risks, analysis of risk severity and evaluations of the possible solutions to be applied.
• Presenting this in a spreadsheet is often the easiest way to manage things, so that key information can be found and applied quickly and easily.
• The Risk Register is the risk management technique adopted in the Organization’s Quality Management System.
Elements of a Risk Register
• Risk ID - a unique identifier for the risk
• Date raised - the date the risk was identified
• Risk description - best written as 'There is a risk that xxxxx, because of xxxx; if this occurs it will xxxx'
• Likelihood - How likely it is that the risk will occur. Can be 1-5 or High / Medium / Low
• Impact - What the impact will be if the risk occurs.
• Severity - Likelihood x Impact
• Owner - The person who will be responsible for managing the risk.
• Mitigating action - Actions that can be taken to reduce the
likelihood of the risk occurring. May also be acceptance of the risk or
transference of the risk.
Risk Register Matrix
Example of Risk Register
THE END