5 key elements of risk management in AS9100 Rev D
With the latest release of ISO 9001:2015, upon which AS9100 Rev D is based, the concept of risk-based thinking has been introduced into the Quality Management System (QMS) of companies around the world. However, managing risk has always been part of the aerospace industry, and these requirements were not enough. That is why there are additional requirements in AS9100 Rev D to ensure that the risks due to the operations of the organization are managed.
Risk management and risk-based thinking: What is the difference?
The new concept of risk-based thinking is intended to get organizations to think about what risks they face at certain points in time: during strategic planning, during planning for product and service conformity, during management review, and when taking corrective action. This idea wants you, as an organization, to identify the risk, decide if you will take action, and then take action. But, it does not ask you to track the risk as the project progresses to determine whether actions have indeed addressed the risk, or need to be updated.
Risk management, on the other hand, is a process for identifying the risks, deciding on actions to mitigate those risks, tracking those actions, and then accepting any risk left over after actions are complete (or taking further actions). This process involves not just thinking about risk at certain stages in the provision of products and services, but also having a process to track these risks until they are addressed or are past the time of potential occurrence.
What is required for operational risk management, and what isn’t?
To start with what is not required – there is a note specifying that while clause 6.1 (actions to address risks and opportunities) addresses the risks and opportunities for the QMS, this clause (8.1.1, Operational risk management) is only limited to risks that are associated with operational processes that your organization needs to provide for your products and services. So, while you may identify a QMS risk that your current big product might soon have a rival product with which to compete, this is not a risk that needs to be tracked according to the risk management requirements, as it is not an operational risk.
So, there are five requirements that an organization needs to ensure are included when they plan, implement, and control their operational risk management process. These requirements are to:
- Assign responsibilities – Who needs to do your risk management? If there is a team (a good idea), then which departments need to be included? If actions are likely to be assigned to a certain department or function, it is best to have them involved in the whole management process.
- Define risk assessment criteria – What will be your criteria for risk assessment? How will you decide what risk to accept and what you will mitigate? A note in this clause states that within the aviation, space, and defense industry, risk is generally expressed in terms of the likelihood of the occurrence and the severity of the consequences.
- Identify, assess, and communicate risks – If you identify that there is a risk of product failure due to carrying out a certain test, this had better be communicated to those who design and perform that test. If you don’t adequately communicate, then identifying the risk is futile.
- Identify, implement, and manage mitigation actions – There are many ways to address risk, and one of those methods for highly risky items is to take action to mitigate the risk – or, in other words, try to prevent the risk from happening. If a risk exceeds your risk acceptance criteria, then make plans to address the risk and track those actions.
- Accept risk that remains when mitigation is complete – Sometimes, no matter what actions you take, there will still be some risk left; or, mitigation actions can be too costly or prohibitive. In these cases, accepting this risk is what needs to be done at this point. Note the remaining risk and move on.
Has anything really changed from AS9100 Rev C?
In fact, the main body of the requirements has remained greatly unchanged since the past revision. The risk management process requirements were already included in AS9100 Rev C as risk management, and the five requirements have remained basically as they were. The only real change is the clarification that these requirements only applied to operational risk, hence the name change in the clause. The other change from Rev C is the addition of the two notes to clarify how these requirements are separate from risk-based thinking and to make it clear that risk in aerospace is a combination of likelihood and severity. If you are already compliant with AS9100 Rev C, then your current risk management process should most likely remain unchanged.
How can you make risk management work for you?
In the aerospace industry, we are fortunate that we do not need to struggle with including risk assessment in our Quality Management System, because it has always been there. We understand how risk management works, and why it is important to manage and control risk when lives are at stake. So, how can this help with the changeover to AS9100 Rev D?
Because you already have a process in place for risk assessment and management, why not use this same process and procedure for understanding and managing any new risks that you may identify when you comply with the new requirements on assessing risks and opportunities? While other industries are struggling to understand this, we can be one step ahead and ensure that the actions we determine are necessary for all of the risks in the organization, not just those for operational risk, are identified and tracked to completion. If you have a good thing going, why not use it for more?
Use this free downloadable AS9100 Rev D Implementation Diagram to manage implementation of AS9100 Rev D.