
How to identify risk controls in ISO 9001:2015

Identifying and implementing controls is a critical step in risk-based thinking for the ISO 9001:2015 quality management system (QMS). In a previous article, How to identify risk significance in ISO 9001:2015, we looked at the need to assess how significant a risk is before determining controls. For each risk you have identified, you need to assess how severe the problem would be if the risk occurred, how likely it is to occur, and how likely you are to detect the problem before it reaches the customer. Assigning a number to each of these three properties and multiplying them together gives the risk priority number (RPN) used in Failure Modes and Effects Analysis (FMEA). Scoring every risk the same way lets you rank the risks you have identified for your QMS consistently, rather than relying on individual judgment each time.

To make risk-based thinking work for your organization, you will want to make your risk controls match your risk significance.

Six risk strategies for a standard control structure

After determining which risks are significant, what do you do? You will want to determine what controls to put in place for each risk, but how do you choose them? The key is to use the risk significance to decide what level of control is needed. This is best understood as a standard control structure built on the six options for addressing risk listed in Note 1 to Clause 6.1.2 of ISO 9001:2015. Below are the six risk strategies, explained in the context of the QMS risk assessment:

  1. Retaining risk by informed decision: For insignificant risks, sometimes the best strategy is simply to accept the risk and proceed. If a problem has a very low chance of happening, or is not severe if it does occur, then choosing to react to the problem only if it happens can be the best decision. The same applies when a possible avoidance measure would cost more in time or money than the problem it prevents. The important word is "informed": the decision to accept the risk should be recorded, along with the reasoning, so it can be revisited if the scores change.
  2. Avoiding risk: For significant risks you may choose to take action so that the risk cannot arise at all, rather than merely lowering its likelihood. This could be an improvement in a process, replacing old equipment with better equipment, or changing a design to remove a component that is causing the risk. The key is that once the avoidance actions are completed, the risk no longer exists and can be closed in your risk assessment.
  3. Eliminating the risk source: One specific way of avoiding a risk is to eliminate its source. This may involve changing a part used in an assembly, or removing a process step that is risky and replacing it with one that does not carry the risk.
  4. Sharing the risk: Sometimes you can transfer part of a risk elsewhere, such as having a process done by an expert supplier rather than doing it yourself. Another way of sharing risk is through insurance that would provide the additional resources needed to deal with a problem if it happens. Note that sharing does not remove your responsibility for the conformity of the product or service; the supplier or insurer shares the consequences, not the accountability.
  5. Changing the likelihood or consequences: Administrative controls, training, and additional inspections are examples of risk mitigation. In FMEA terms, controls such as training or poka-yoke fixtures lower the occurrence score, while added inspections lower the detection score by increasing the chance that you catch the problem before it reaches the customer; either change reduces the RPN without removing the risk itself. Mitigation often also includes plans to deal with the consequences once a problem has occurred, such as reworking product or adjusting procedures to return a process to a conforming state. The risk still exists, but you have actions and plans in place to reduce its likelihood or its consequences.
  6. Taking risk in order to pursue an opportunity: We have talked about risks in terms of negative consequences, but what if taking a risk can be an opportunity for your organization? In these situations, you assess the risk in terms of what you need to do to capitalize on the opportunity and take action to make it happen. When this is your plan, you are deliberately accepting the risk in order to benefit from long-term gains to your organization, and the controls you put in place are there to keep the downside within the limits you decided on.

How do you implement controls once they are identified?

One critical element of risk control is to ensure that any actions you take are incorporated into your QMS processes: the procedure, work instruction, or process documentation is updated, not just the risk register. Improved processes, or even new equipment, are not effective if the people using them are not fully trained in how to use these improvements.

Mitigation plans need to be known and understood by the employees who will be expected to use them, so that your risk mitigation actions are carried out promptly rather than you trying to train everyone after the problem has already happened. Your controls need to become part of your everyday processes, rather than an extra activity that is out of sight and out of mind. A simple check is to ask whether an internal audit of the process would find the control in use; if it would not, the control has not really been implemented.

Use risk significance to make risk control work for you

Remember, do not go overboard putting controls in place for risks that are not important. The combination that makes risk-based thinking work is deciding what controls are needed based on the significance of each risk, tackling significant risks with adequate controls, and properly incorporating those controls into your QMS processes. Done this way, risk-based thinking improves the processes within your QMS so that they respond better to your needs in times of trouble. After all, this is the reason for risk-based thinking in the QMS.

For a graphical representation of an easy risk management process for ISO 9001:2015 see this free download: Diagram of 4 steps in ISO 9001 risk management.

Mark Hammar
Mark Hammar is a Certified Manager of Quality / Organizational Excellence through the American Society for Quality and has been a Quality Professional since 1994. Mark has experience in auditing, improving processes, and writing procedures for Quality, Environmental, and Occupational Health & Safety Management Systems, and is certified as a Lead Auditor for ISO 9001, AS9100, and ISO 14001.