The Role of Risk Assessment in the QMS

Have you wondered what risk assessment has to do with the Quality Management System? You are not alone. There has been much talk about what risk assessment is required, when it should be done, and how to do it. In this article I will talk a bit about what is required and when. There are many different ways to do risk assessment, and apart from specific customer requirements the choice is up to the company how this would be done. Even the current draft of ISO 9001:2015 (the next expected version of ISO9001) clearly states, “Although risks have to be identified and acted upon there is no requirement for formal risk management.” So even with this update there are not expected to be specific requirements on how to do risk assessment.

What risk assessment is required in the QMS?

As alluded to above, there is not currently a requirement for risk assessment in the ISO9001:2008 standard; however, for those who already deal with AS9100 for aerospace companies (which is the ISO9001:2008 standard with some additional clauses), risk assessment is already included in the QMS requirements. From a review of the draft of ISO9001:2015 it can be expected that even if changes are made, the inclusion of risk assessment is certain, which will bring this standard in line with other risk-based management system requirements such as ISO14001 for Environmental Management Systems. In preparation for these changes, and more importantly, to help your business have better planning, adding risk assessment as part of your QMS can be very advantageous.

Where can risk assessment fit in?

The following processes are identified as good places to look at risk and decide what to do about it. Assessing and dealing with the risks identified in these processes can improve your ability to deal with problems in a time-effective and less costly manner. The idea is to think about what potential problems could occur and decide what to do about them, with acceptable decisions including risk avoidance, risk mitigation and risk acceptance (e.g. if the cost to remove the risk is greater than the cost to fix the problem when it happens, accepting the risk might be a good decision). Below are some ideas on where in the processes a risk assessment might be helpful.

Quality Management System Planning. Where are the risks in your processes? What risks arise when making changes to the processes? What resources are required to address the risks?

Planning of Product/Service Realization. When planning for delivering the product or service, have we identified where in the process there is risk of problems occurring? Do we know what needs to be done when the problem occurs, or can there be a preventive maintenance plan in place to avoid the problem?

Review of Requirements for Product/Service. Are there risks that we will not be able to meet the requirements for the product or service? Is there a new design that stretches the limits of our abilities or knowledge? Is there new technology that we will be using for the first time to meet requirements?

Design. What are the risk areas in the design where requirements may not be met? What risks are present when a design change is made? How do we make sure that we can deal with a product or service non-conformance when it occurs?

Purchasing. What risks exist when adding a new supplier, and how will we address them? When placing an order with a supplier for material or services that we have not received from the supplier before, what are the risks that they will not be able to deliver properly?

Control of Product and Service Provision. Do we control the riskiest parts of the process for creating the product or service? If we have identified post-delivery activities (such as service maintenance), have these been designed to address the areas where risk assessment tells us something might go wrong?

Measurement, Analysis and Improvement. Do we make sure we measure and analyze the riskiest parts of the process, rather than just choosing what is easiest to measure? Do we focus improvement on the riskiest parts of the process?

Internal Audit. Are riskier processes scheduled to be audited more frequently? When auditing a process, are the risks of the process taken into account to make sure they are verified? If non-compliances are found, do they indicate risks that were missed on the risk assessment?

Non-Conforming Product. When deciding on the disposition of a non-conforming product, are the risks associated with the decision taken into account? This is often the case when choosing to accept a product as is, but do we assess the risk of rework or repair of the product?

Corrective Action/Preventive Action. By definition, Preventive Action is a method of risk reduction because we have identified a risk and decided to address it; however, do we look at the risks introduced with implementing a planned corrective or preventive action to make sure new and possibly worse risks are not introduced? When reviewing the root cause of a problem, does it indicate an area that was missed on the risk assessment for the process, and is this risk applicable to any other processes?

Why should you add risk assessment now?

When something goes wrong, the worst part of the problem is that it wasn’t anticipated, and due to this no one knows what to do about it yet. By adding risk assessment into your processes, especially at the planning stage, you can either take steps to ensure that anticipated problems don’t occur, or have steps in place to deal with them when they do. The saying goes that an ounce of prevention is worth a pound of cure, and equally, an hour identifying potential risks can be worth several days scurrying around trying to deal with an unexpected problem. The savings in time and cost can be great.

Click here to read an  Overview of Changes in ISO 9001:2015 from the 2013 Committee Draft Update.

Advisera Mark Hammar
Mark Hammar
Mark Hammar is a Certified Manager of Quality / Organizational Excellence through the American Society for Quality and has been a Quality Professional since 1994. Mark has experience in auditing, improving processes, and writing procedures for Quality, Environmental, and Occupational Health & Safety Management Systems, and is certified as a Lead Auditor for ISO 9001, AS9100, and ISO 14001.