Methodology for ISO 9001 Risk Analysis

Risk analysis is one of the biggest expected additions to the ISO 9001 standard, and has been included in all of the drafts of ISO 9001:2015 that have been circulated. Risk analysis is the important step of identifying the potential problems that could arise in your organization, otherwise known as risks, and deciding how to deal with these risks. Although risk assessment and analysis are not currently required by the ISO 9001 standard, as I explained in a previous blog post on The Role of Risk Assessment in the QMS, they are already used by many companies, especially in the product design process.

One commonly used method of risk identification and analysis is the Failure Modes and Effects Analysis (FMEA), sometimes extended to a Failure Modes, Effects and Criticality Analysis (FMECA), which is done during the design of a product or process. The idea of this assessment is to identify all potential problems that could arise in the product or process, determine the overall criticality of each risk, and decide what to do about it. This sounds simple enough, but it can present challenges.

How does Failure Modes and Effects Analysis work?

While I will not be able to give an in-depth explanation of the FMEA (there are entire courses explaining how to use it), there are four basic steps in the FMEA process:

  1. Identify your Risks – This is often done as a brainstorming session with knowledgeable people from different areas of the company. In this step, you list all the potential problems that can arise in the product or from using the process. For instance, the process for using a hammer has the risks that the handle can break, a sliver of metal can break off the hammer head, the head can fly off the handle, etc.
  2. Determine how critical each risk is – This is done by assessing the risk against a set of factors and scoring each factor (often on a scale from 1 to 10, but other methods are used). The factors are often something like probability of occurrence, severity of occurrence, and chance of detection (where a high detection score means the problem is hard to detect). So, the three risks above might have probability, severity, and detection numbers of: broken handle (probability 2: hardwood used; severity 9: hammer unusable; detection 8: can have small undetected cracks), metal sliver (probability 2: hardened steel used; severity 7: if safety glasses are worn, and the hammer is still usable; detection 6: can be hard to detect), and finally, head flying off the handle (probability 4: can happen if the wood shrinks; severity 9: dangerous and hammer unusable; detection 1: easily detected).
  3. Rank the risks – The risks are ranked to see which are acceptable and which are unacceptable. With the numbering system above, the three numbers are multiplied to get a risk value, while in other systems a table can be used to compare the results. So, for our example, the risk numbers are: broken handle – 144, metal sliver – 84, head flying off – 36. So, even though the head flying off is the most dangerous, it is easily detected, so it ends up with the lowest number.
  4. Determine actions – Finally, once you understand the risks better, you can determine what you will do. This can be anything from taking actions to reduce or eliminate the risks (such as a maintenance program for your hammer to check for wear that can cause these problems) to doing nothing because the chance of the risk happening is so low, and it will be easily fixed if it happens. Remember, not all risk analysis needs to result in risk-reduction actions.

What are the benefits and criticisms of FMEA?

The benefits of FMEA are simple: it is easy to use once understood, gives results whose acceptability is easy to determine, and thus provides a framework for assigning resources to risk reduction that is easily supported. When all parties can agree that one particular ranking of risks is the best, it is easy to determine which is most critical to address first, then second, and so on. The FMEA process is also widely used, so if you are in an industry that uses the FMEA process, there will be no need to explain what you have done.

On the other hand, there are some criticisms of the FMEA process. The biggest criticism is that it assumes each of the three factors is equally important; if they are not, then multiplying three scores on the same numerical scale rests on a flawed assumption. For instance, if a risk has a low probability, high severity, and a low detection score (easily detected), it can have a very low overall number (1 × 10 × 1 = 10) even though the severity of this risk could warrant action on its own, while a risk with very low severity that has a medium probability and a high detection score would rank higher (10 × 1 × 10 = 100) even if the risk would not cause a real problem with the product.
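To make the four FMEA steps concrete, here is a small worked example in Python. It is added here and is not code from the original post or from Advisera; it builds the hammer risk register from the steps above, computes and ranks the risk priority numbers (RPN = probability × severity × detection), and then applies an additional severity override when deciding on action. That override is an assumption on my part, a common way of answering the criticism just described that a high-severity risk can be hidden by an easy detection score; the threshold values 100 and 9 are illustrative assumptions, as are the two constructed cases taken from the criticism paragraph.

```python
from dataclasses import dataclass

SCALE_MIN, SCALE_MAX = 1, 10  # the 1-to-10 scale used in the post


@dataclass(frozen=True)
class FailureMode:
    """One identified risk (step 1) with its three factor scores (step 2)."""
    name: str
    probability: int  # likelihood of occurrence: 1 = rare, 10 = near-certain
    severity: int     # consequence if it occurs: 1 = negligible, 10 = catastrophic
    detection: int    # difficulty of detection: 1 = easily detected, 10 = hard to detect

    def __post_init__(self) -> None:
        # Reject scores outside the scale so a typo cannot silently distort the ranking.
        for field, value in (("probability", self.probability),
                             ("severity", self.severity),
                             ("detection", self.detection)):
            if not SCALE_MIN <= value <= SCALE_MAX:
                raise ValueError(f"{self.name}: {field}={value} is outside {SCALE_MIN}..{SCALE_MAX}")

    def rpn(self) -> int:
        """Risk priority number: the three factors multiplied together (step 3)."""
        return self.probability * self.severity * self.detection


def rank_by_rpn(modes):
    """Step 3: order the failure modes from highest to lowest RPN."""
    return sorted(modes, key=lambda m: m.rpn(), reverse=True)


def action_reasons(mode, rpn_threshold=100, severity_override=9):
    """Step 4 helper: list why a failure mode warrants action (empty list = accept).

    The RPN threshold is the plain FMEA rule. The severity override is an
    assumed practice (not from the post) that addresses the equal-weighting
    criticism: a high-severity risk is flagged even when an easy detection
    score drives its RPN down. Both threshold values are illustrative.
    """
    reasons = []
    if mode.rpn() >= rpn_threshold:
        reasons.append(f"RPN {mode.rpn()} >= {rpn_threshold}")
    if mode.severity >= severity_override:
        reasons.append(f"severity {mode.severity} >= {severity_override}")
    return reasons


# The hammer example from the post: (probability, severity, detection).
HAMMER_RISKS = [
    FailureMode("broken handle", 2, 9, 8),
    FailureMode("metal sliver", 2, 7, 6),
    FailureMode("head flying off", 4, 9, 1),
]

# Two constructed cases matching the numbers in the criticism of equal weighting.
CRITICISM_CASES = [
    FailureMode("rare but severe, easily detected", 1, 10, 1),
    FailureMode("harmless but frequent, hard to detect", 10, 1, 10),
]


def build_register(modes, **thresholds):
    """Return (name, rpn, reasons) rows in ranked order, ready for a risk register."""
    return [(m.name, m.rpn(), action_reasons(m, **thresholds)) for m in rank_by_rpn(modes)]


if __name__ == "__main__":
    for name, rpn, reasons in build_register(HAMMER_RISKS + CRITICISM_CASES):
        verdict = "; ".join(reasons) if reasons else "accept (no action)"
        print(f"{name:40} RPN {rpn:4}  {verdict}")
```

Run as-is, the register reproduces the post's ranking (broken handle 144, metal sliver 84, head flying off 36). With only the RPN rule, the head flying off would be accepted; the severity override flags it anyway, while the harmless-but-frequent case is flagged by RPN alone, which is exactly the distortion the criticism describes. The point of keeping the reasons as a list rather than a single yes/no is that the register records which rule triggered, so reviewers can see when a ranking is driven by a detection score rather than by real consequence.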

Remember – Risk analysis is not risk management

As I said, FMEA is only one way of performing risk analysis, and the ISO 9001 standard in no way mandates that you use it. Any method that you find useful and efficient will be acceptable. It is also important to note that the draft versions of ISO 9001:2015 only require you to analyze the risks in your QMS, not to actively manage them afterwards. There are many methods, and many software tools, that can help you with the task of managing risks, but you need to ask yourself whether this is important for your business. The choice is up to you; ISO 9001 is there to provide the basic framework for a good Quality Management System, not to add extra expense to your processes beyond what you need.

For more information on changes brought about by ISO 9001:2015, check this free ISO 9001:2015 vs. ISO 9001:2008 matrix.

Mark Hammar
Mark Hammar is a Certified Manager of Quality / Organizational Excellence through the American Society for Quality and has been a Quality Professional since 1994. Mark has experience in auditing, improving processes, and writing procedures for Quality, Environmental, and Occupational Health & Safety Management Systems, and is certified as a Lead Auditor for ISO 9001, AS9100, and ISO 14001.