Mastering Risk Management in the framework of ISO 9001:2015

Introduction

In a dynamic organizational context, companies aiming for excellence and success need to orient their operations within the framework of Risk Management according to ISO 9001.

ISO 9001:2015 introduces the risk-based approach as a fundamental element in establishing a sound and effective quality management system. This proactive approach enables organizations to identify, assess, and appropriately address potential risks that may affect their performance and the achievement of their objectives.

This article will introduce you to the principles of quality risk management within the framework of ISO 9001:2015, providing you with the tools and knowledge you need to identify, assess, and appropriately address potential risks that may affect your organization.

Risks and opportunities: keys to effective planning

As organizations structure activities in an organized, sequential, and methodical way, establishing defined working methods, they increase their contribution to the prevention of waste and inefficiencies. They also contribute to building trust among their customers by developing quality products and services. In this way, it transforms the reactive organizational approach into a preventive one.

Risk is expressed in terms of the combination of the consequences of an event and the probability of its occurrence. There is no doubt that, when planning a management system, it is necessary to consider those aspects that can affect or influence the normal development and fulfillment of the proposed objectives, which is why it is recommended to manage risks and opportunities, considering in this way both negative and positive aspects or factors.

Planning a management system is a process that requires the establishment and definition of objectives, activities, resources, roles, responsibilities, and procedures, for which the activities aimed at achieving what is desirable must be managed, as well as addressing risks (avoiding risks, eliminating sources of risk, reducing the consequences of risks and assuming risks that cannot be avoided).

Benefits of risk management according to ISO 9001:2015

Each organization manages risks according to its own characteristics, risks inherent to its nature and operations, as well as according to the sector in which it operates.

Generally speaking, managing risks within the framework of ISO 9001:2015 will contribute to a greater or lesser extent, according to the impact that these risks represent on aspects such as:

• Satisfaction of customer requirements.
• Identification of reliable suppliers
• Definition of times required to meet delivery deadlines.
  Analysis of the production system.
• Reduction of financial and operational losses.
• Implementation of a proactive culture of prevention.
• Compliance with rules, regulations, and industry standards.
  Improved reputation in the sector.
• Openness to innovation and new working methods.
• Implementation of more effective risk mitigation action plans.
• Quality assurance in products and services delivered to the client.

How to manage risks with ISO 9001?

In the face of vulnerability, it is advisable to take assurance actions. Actions that contribute to the management of both strategic and operational risks and opportunities that arise as a consequence of the interaction of the organization with its context, whether internal or external, must be implemented.

The risk-based approach of ISO 9001:2015 is based on a cyclical process comprising several stages. This process is characterized by its continuous and cyclical nature due to the variation that risks can experience, they can appear, disappear, evolve, and change over time. Doria, López, Bonilla and Parra (2019) describe and interpret these stages according to ISO 9001:2015 as:

Defining the context

In this stage, the relationship between the organization and its context is determined, i.e., the conditions, factors, and phenomena that surround or circumscribe the organization.

In the internal context we can mention its culture, organizational climate, structure configuration, financial resources, technology, processes, internal guidelines, among others; while in the external context we find the market, competitors, regulations and norms, political environment, social factors, environmental factors, suppliers, and stakeholders.

A strategic analysis such as SWOT contributes to the completion of this stage.

Identification of risks

The next step is to identify all potential risks that may affect the organization. The output of this step is a list of risks that could have an impact. This can be done using historical records, background information, expert judgement, and other tools.

In order to describe the risk in detail, the following are questions that can be answered to assist in this process:

• What events or situations may occur that pose a threat to the organization and its purposes?
• What events or situations may occur that represent an opportunity for the organization and its purposes?

Risk analysis

Once the risks have been identified, they should be analyzed in terms of their probability of occurrence and the potential impact they could have on the organization, i.e., understanding the risks, their causes, and the severity of the consequences.

For this purpose, various tools can be used, such as the risk matrix. The risk matrix helps to visualize and categorize the identified risks.

At this stage of analysis, each identified risk is assigned a probability of occurrence value (frequency, e.g., rarely, unlikely, possible, probable, likely, almost certain). The impact value is also established, corresponding to the effect of the consequences of the risk (e.g., negligible, minor, moderate, major, critical).

Risk level= Probability of occurrence x Impact level

Questions that can be answered at this stage:

• What are the root causes of these events or situations?
• Who generates these causes?
• What is the origin of the risk?
• What would be the negative consequences of the risk if it were to materialize?

Risk assessment

When assessing there shall be a comparison between acceptable and unacceptable values of the organization’s risk levels calculated in the analysis phase. The organization will establish its score range for each category on the scale (e.g. not acceptable, critical, moderate, acceptable).

Then, as a result of the assessment, the risks will be prioritized and identified according to the degree of urgency or severity.

If you want to know more about the risk matrix, you can consult the following articles:

• Development of the risk and opportunity matrix in ISO 9001
• How to make a risk matrix?

Addressing risks and opportunities

Based on the assessment carried out, actions to address the identified risks must be established, leading to risk treatment.

These actions may include preventive measures, contingency plans, or even a decision to assume the risk if the potential benefits justify it.

Some questions that can be answered at this stage:

• Should we avoid, transfer, mitigate, or accept this risk?
• What measures are currently in place to mitigate the risk?

In addition, the essential purpose of risk treatment plans is to capture the implementation of the selected risk strategies, ensuring their alignment with the organization’s management processes.

Regular monitoring and review of risks and the action plans implemented to address them is essential. This ensures that the measures taken continue to be effective and allows adjustments to be made where necessary.

What is the risk-based approach in ISO 9001:2015?

The risk-based approach in ISO 9001:2015 is not a set of prescriptive requirements, but a flexible framework that allows organizations to tailor the quality management system to their particular needs and context.

This approach is based on the following principles:

• Integration: Risk management according to ISO 9001:2015 should be integrated into all levels and processes of the organization.
• Information: Decision-making should be based on sound and up-to-date risk information.
• Proactive: The organization shall take preventive measures to address risks before they materialize.
• Continuous improvement: The risk management system should be regularly reviewed and updated.

Conclusions

Risk management according to ISO 9001:2015 is a fundamental pillar for any organization seeking to implement an effective, robust, adaptable, and sustainable quality management system. ISO 9001:2015 provides a robust framework for integrating risk management into organizational processes.

This approach enables improved decision-making, and the generation of efficient action plans based on the treatment of risks and opportunities.

If you are a professional who wants to be at the forefront and stand out in the business world, specialize in quality management systems. Check out Inspenet Academy’s training offers.

References

1. Pirani Academy (2024). Guide to implement a risk management system, according to ISO 31000. https://www.piranirisk.com/es/academia/especiales/guia-del-sistema-de-gestion-de-riesgos-iso-31000
2. Doria-Parra, A., López-Benavidez, L., Bonilla-Ferrer, M. & Parra-Cera, G. (2019). Methodology for the implementation of risk management in a quality management system. Signos. Research in
3. Management Systems, 12(1), 123-135. DOI: https://doi.org/10.15332/24631140.5424
   ISOTOOLS. ISO Standards for Enterprise Risk Management. https://www.isotools.us/2022/02/17/normas-iso-para-la-gestion-de-riesgos-corporativos/