How to identify risk significance in ISO 9001:2015

With the new version of the ISO 9001:2015 standard requirements for creating a quality management system (QMS), the new concept of risk-based thinking has brought with it some confusion about how to implement these new requirements. While some companies were already using a SWOT analysis (strengths, weaknesses, opportunities, threats) on their business to help them identify risks, this process does not determine how to address these risks once they are known. So, how do you assess the significance of a risk once you know what it is?

For more on how risk based thinking is applied in the ISO 9001:2015 standard see this article: Does ISO 9001 require a procedure for addressing risks and opportunities.


How significant is the QMS risk?

As discussed in the linked article above, the ISO 9001:2015 standard requirements ask you to identify risks, plan your response, integrate it into the QMS and evaluate its effectiveness. To ensure the effectiveness you want from your risk response, there is one step you will want to do as part of planning your response: identify how significant your risk is. In other words, how important is the risk?

For those who understand the failure modes and effects analysis (FMEA) process, you will be familiar with the fact that there are several things to consider when determining what a risk is: its severity, its probability of occurrence and the chance of detection. The chance of detection is affected by the controls you put in place, which has not yet been done at this point in the discussion. The severity and probability of occurrence, however, are the two things we need to consider when assessing the significance of the risks.

It is important to consider how bad the possible problem could be (severity), combined with how likely it is that the problem will happen (probability). If a risk can cause a problem that you think will have drastic consequences, and the chance of the risk happening is very likely, then this is a significant risk that you will want to do something about. Conversely, if you have a risk that will cause a minor inconvenience, and is not likely to happen, then maybe this is a risk that you will choose to do nothing to prevent and just react should the unlikely occurrence happen.


Criteria to assess the severity and probability of risk

What do you do next? You need to expand your thinking about each risk. If a risk can cause a problem that will create difficulty for you, and has a 50-50 chance of happening, then you will need to assess what you will do about it, in other words: what controls you will put in place. Remember that you can also choose to do nothing if the significance of the risk does not warrant action. Knowing how significant the risk is, or how it will affect you, is the first thing you need to do before deciding how you are going to react.

So, what criteria do you use to assess the severity and probability? What assessment criteria you choose is not as important as keeping your criteria consistent. You can choose to assess each element with a low-medium-high range, a 1 to 5-point scale, or any other ranking that works best for you. What is important is that a consistent ranking criterion can help you to make consistent decisions about what is actually important and what is not. This way, you will only control what is important for you to control.

For more explanation on how the FMEA process works to try to compare different risks, see this article: Methodology for ISO 9001 risk analysis.

Use risk significance to make risk management work for you

While the FMEA process tries to compare different risks by assigning numbers to the severity, probability and detection using a 10-point scale, this is not necessary in the ISO 9001:2015 QMS. It is sufficient for you to determine how important a risk is and then determine what controls are necessary for you to address the risk to a point where the risk threat is at an acceptable level for your business. So, use your risk significance assessment to avoid going overboard with your risk controls.
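The assessment described in the sections above (rank severity and probability on one consistent scale, combine them into a significance score, and decide whether a risk warrants controls or can simply be accepted) can be written down as a small risk register. The following is an added example, not code from Advisera or from Mark Hammar; the low/medium/high scale, the numeric values behind it, the acceptance threshold and the sample risks are all constructed assumptions chosen to illustrate the method, and detection is deliberately left out because controls have not been chosen yet.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Assumed ranking scale. The article only asks that the criteria be consistent,
# so any scale (1-5, 1-10, ...) would do as long as every risk uses the same one.
LEVELS: Dict[str, int] = {"low": 1, "medium": 3, "high": 5}

# Assumed acceptance threshold: a score at or above this warrants controls.
CONTROL_THRESHOLD = 9


@dataclass(frozen=True)
class Risk:
    name: str
    severity: str     # "low", "medium" or "high": how bad the problem could be
    probability: str  # "low", "medium" or "high": how likely it is to happen


def rank(level: str) -> int:
    """Map a ranking word to its number; refuse anything off the agreed scale
    so that every risk is scored with the same criteria."""
    try:
        return LEVELS[level]
    except KeyError:
        raise ValueError(f"unknown ranking {level!r}; use one of {sorted(LEVELS)}") from None


def significance(risk: Risk) -> int:
    """Severity combined with probability, the two factors assessed before
    any controls exist. Detection is not part of the score at this stage."""
    return rank(risk.severity) * rank(risk.probability)


def plan_response(risks: List[Risk], threshold: int = CONTROL_THRESHOLD) -> List[Tuple[str, int, str]]:
    """Return (name, score, decision) for each risk, most significant first.
    'control' means the risk warrants action; 'accept' means do nothing
    now and react only if the problem actually occurs."""
    ranked = sorted(risks, key=significance, reverse=True)
    return [
        (r.name, significance(r), "control" if significance(r) >= threshold else "accept")
        for r in ranked
    ]


def risks_to_control(risks: List[Risk], threshold: int = CONTROL_THRESHOLD) -> List[str]:
    """Names of the risks that need controls, in priority order."""
    return [name for name, _, decision in plan_response(risks, threshold) if decision == "control"]


# Constructed sample register for a small manufacturing QMS.
SAMPLE_RISKS: List[Risk] = [
    Risk("Supplier delivers out-of-specification parts", "high", "medium"),
    Risk("Gauge calibration lapses", "medium", "medium"),
    Risk("Shop-floor printer runs out of toner", "low", "low"),
    Risk("Key inspector leaves the company", "high", "low"),
]

if __name__ == "__main__":
    for name, score, decision in plan_response(SAMPLE_RISKS):
        print(f"{score:>2}  {decision:<8}{name}")
```

Changing the scale (say, 1 to 5 for both factors) only changes the numbers, not the method; what keeps the decisions consistent is that every risk is scored against the same criteria and compared with the same threshold, which is the point the article makes about choosing a ranking and sticking to it.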

For a graphical representation of an easy risk management process for ISO 9001:2015 see this free download: Diagram of 4 steps in ISO 9001 risk management.

Author: Mark Hammar
Mark Hammar is a Certified Manager of Quality / Organizational Excellence through the American Society for Quality and has been a Quality Professional since 1994. Mark has experience in auditing, improving processes, and writing procedures for Quality, Environmental, and Occupational Health & Safety Management Systems, and is certified as a Lead Auditor for ISO 9001, AS9100, and ISO 14001.