Since conversion from older versions is due by 9/15/2018, we are looking at some of the new concepts and their application.
Risk-Based Thinking is woven through every section of the new standards. While risk-based thinking is common in executive management strategic planning, for production this is a shift from “we always” to “what if” thinking, which requires a different level of employee engagement. Risk-based thinking is a vital element in our increasingly dynamic business landscape of innovation and tech advancements. To be competitive, we must identify risks before they occur and mitigate or eliminate them. ISO describes it this way: “Risk-based thinking enables an organization to determine the factors that could cause its processes and its quality management system to deviate from the planned results, to put in place preventive controls to minimize negative effects and to make maximum use of opportunities as they arise.”
So how are Risk and Opportunities related? Risk is the effect of uncertainty. Uncertainty can have positive or negative effects. A deviation from expected results can be the result of operational changes, political decisions, lack of information, supply-chain breakdowns, etc. A positive deviation is an opportunity. Risk could include process failures, low customer satisfaction, etc. Opportunities could include identifying new potential customers, new product needs, revising a process, or new technology to improve efficiency. Identifying these possible deviations and their potential impact allows you to determine actions needed to avoid or reduce the impact or likelihood.
Identifying Risks and Opportunities (clause 6.1). When you plan or update processes, identify any associated risks or opportunities, and plan actions to address them. Choose the method that suits your company. It is important to note that although the standard refers to ISO 31000 as a source of risk management information, there is no requirement for the company to follow its structured steps of formal risk management. IEC 31010 also gives a list of risk assessment tools. There are many possible analysis tools, from simple brainstorming, SWIFT (Structured What If Technique), SWOT (Strengths, Weaknesses, Opportunities, Threats), or PESTLE (Political, Economic, Social, Technological, Legal & Environmental) to a variety of consequence/probability matrices such as FMEA (Failure Mode & Effects Analysis), FMECA (Failure Mode, Effects & Criticality Analysis), or HACCP (Hazard Analysis and Critical Control Points). These can be used in strategy meetings, management reviews, internal audits, setting objectives, planning design stages, production planning, etc.
Actions to address Risks & Opportunities (clause 6.2). Identified risks must be acted upon. Actions should be based on the potential impact on products, services, customer satisfaction, or the environment (for EMS), and should be incorporated into your processes. Actions will depend on the type of risk but would include: Avoid the risk, Eliminate the risk, Take the risk, Share the risk, or Accept the risk. These could look like documenting a complex process; changing process steps; partnering with customers or suppliers; setting process performance criteria; or pursuing an opportunity, such as investing in new equipment, launching a product line, or finding a new market or new customer.
Whatever your risk identification and analysis method, review frequency, selected actions, and how you choose to document them, the purpose of Risk-Based Thinking is to develop a proactive and preventive culture where the whole team is focused on doing things better. Next: Planning and Objectives.