Five-step laboratory risk management according to ISO 17025:2017

With the introduction of the 2017 revision of ISO/IEC 17025, which seeks greater alignment with ISO 9001, laboratories now need to apply risk-based thinking to their activities. Previous versions of the standard addressed this through preventive action, but the introduction of risk-based thinking requires the laboratory to take a formal and strategic look at the specific risks and opportunities it faces.

Because it is a new requirement and the standard does not prescribe how it should be done, many laboratories may be unsure about the steps to be taken to identify, assess and treat risks and opportunities. This article is intended to provide assistance to laboratories regarding ISO 17025 risk management.

Learn more about what’s new in the 2017 revision in the article ISO/IEC 17025:2005 vs. ISO/IEC 17025:2017 revision: What has changed?

The laboratory risk management process

Risk can be defined as the uncertainty in the laboratory's ability to meet its objectives, such as customer satisfaction. That uncertainty can be negative (a risk) or positive (an opportunity). The five steps of the laboratory risk management process are described below.

Step 1: Identify risks and opportunities

The ISO/IEC 17025 risk management process should be considered a team effort, comprising management, quality personnel and technical staff. In this step, all the potential problems and opportunities that can arise from laboratory activities must be listed. The following methods are useful at this stage and can be used individually or in combination:

Brainstorming. It gathers opinions on all sources of risk, internal and external. Employees of various ranks should take part, as this gives the most complete and realistic picture of the risks. All ideas are welcome and none are discarded at this stage of the process.

Process approach. It considers both internal and external influences. Sources of risk are found by reviewing the inputs and outputs of each process or activity, including management, methods, manpower, materials, machinery and the environment.

Future scenarios/scenario analysis. It involves creating various scenarios (positive scenarios/best cases and negative scenarios/worst cases), which form the basis for deciding how to act. Forecasts should be based on data the laboratory has already collected, such as audit reports or customer feedback and complaints. As an example, an opportunity to expand testing may be identified from customer feedback requesting additional tests.

SWOT Analysis (Strengths, Weaknesses, Opportunities, Threats). It looks at external factors such as market forces and position, as well as internal factors such as unique services offered by the laboratory.

Step 2: Evaluate the risk

Depending on the complexity of your operations, you may want to conduct a qualitative or a quantitative assessment of your risks and opportunities. For a qualitative assessment, the team assigns a value of low, medium or high to each risk identified. The level of risk depends on factors such as the likelihood that the event will occur and the severity of its consequences (for example, financial loss or damage to the laboratory's reputation).

For a quantitative assessment, determine how critical each risk or opportunity is by assigning a value to the probability/likelihood of occurrence and a value to the severity of the occurrence (i.e. the measure of negative or positive impact). A 3×3 or 5×5 risk matrix can assist in calculating and determining the level of risk; the laboratory would use separate matrices for risks and for opportunities. Laboratories may assign scores between 1 and 3 to each factor, which, when multiplied, give risk values between 1 and 9. For a laboratory with more complex operations, scores between 1 and 5 may be assigned to each factor, giving risk values between 1 and 25. The resulting risk (or opportunity) value is then read from the matrix as low, medium or high.

Step 3: Rank the risks and opportunities

At this stage, all parties should agree on a ranking of the risks and opportunities, so as to determine which is to be addressed first, then second, and so on. Rankings may be based not only on the calculated or assigned risk value but also on the availability of resources and the cost of addressing the risk.

Step 4: Determine actions to be taken

The team will have to recommend and decide on the actions to be taken to address the risks and opportunities identified. Actions can range from measures that reduce or eliminate a risk to doing nothing, because the chance of the risk occurring is so low. Not every risk analysis needs to result in risk-reduction actions. The team may choose to tackle the easier issues first in order to cross them off the list, but issues that may pose a critical risk to the laboratory should not be placed on the back burner.

It is advisable to assign one or more persons responsible for each action, together with a timeframe for its completion.

Step 5: Implement, monitor and follow up

Selected actions must then be implemented within the laboratory. Laboratory management will be responsible for ensuring that resources are provided, that the proposed actions are taken, and that they are having the desired effect.

Learn more about ISO 17025 implementation in the blog Checklist of ISO 17025 implementation steps.

Figure: ISO 17025 risk management in five steps

The standard does not require the risk management process to be documented. However, to ensure consistent operation, it is recommended that the laboratory documents the process and retains records as evidence that it was carried out. The procedure can be a simple flow chart, while the actual risk assessment can be recorded on a form that lists each risk or opportunity, its potential consequences, the level of risk or risk value, and the actions to be taken. The team should sign and date the form. ISO 31000:2018 is a useful resource that provides guidance on the management of risk.

For more about ISO 17025 mandatory documents read the article List of mandatory documents required by ISO 17025:2017.

Don’t forget to review for continuous improvement

It is important to note that risk management is an iterative process, and that the list of risks and opportunities must be reviewed periodically as conditions and resources change within the laboratory, or within the industry or country in which it operates. Above all, the analysis of risks and opportunities promotes continuous improvement and will benefit the laboratory in terms of quality and even profit.

To see where the risk management fits into an overall ISO 17025 implementation, download this free Diagram of ISO 17025 Implementation Process.

Shivanna Mahabir-Lee
Shivanna Mahabir-Lee is a chemist and environmental toxicologist with over 20 years of experience. She has worked on projects throughout the Caribbean for international clients such as the Inter-American Development Bank, Caribbean Regional Organization for Standards and Quality, Caribbean Development Bank, and the European Union, to name a few. She specializes in the development, implementation, and auditing of Laboratory Quality Management Systems according to the requirements of ISO/IEC 17025. Additionally, she develops and audits management systems according to ISO 15189 (Medical Laboratories), ISO 14001 (Environment), and ISO 9001 (Quality).