Risk-based thinking refers to a set of activities and methods that a business uses to manage and control the risk factors that could prevent it from achieving its objectives.
Previously referred to as preventive action, the newer versions of the ISO standards, in particular ISO 9001:2015 and ISO 14001:2015, both require businesses to apply risk-based thinking across planning, operations and performance evaluation.
But how does risk-based thinking link with ISO? How is it different from previous models of thinking and risk-reducing actions?
What is risk-based thinking?
In ISO 9001:2015, risk-based thinking replaces preventive action. Where preventive action was once a separate clause, risk-based thinking is now incorporated throughout the standard.
In other words, you need to evaluate risk when establishing processes, controls and improvements in quality management systems.
But it is recognised that risks are not always negative. You can use this risk-based thinking strategy to pinpoint opportunities, the flipside of risk. Just as negative events can swamp your business, so too can unparalleled and unplanned success. Finding that a product suddenly takes off can leave you struggling to meet demand whilst maintaining quality.
Risk-based thinking appears in the newer versions of the ISO standards across key areas such as:
- Organisational context – risk-based thinking requires a business to identify risks that may impact its quality objectives. What would be the risk of producing non-conforming products, for example?
- Leadership – business management must commit to addressing both the risks and the opportunities relating to quality.
- Planning – once risks and opportunities have been identified, it makes sense that there is a plan to minimise the risks and exploit the opportunities.
Performance evaluation, improvement and operation are also areas to which risk-based thinking needs to be applied.
So, it’s risk management then?
Risk management is not a new concept in business – understanding what your risks are and how to minimise and deal with them is nothing new – and it would be easy to assume that risk-based thinking is a watered-down version of the same thing.
Under ISO 9001:2015 there is no requirement for a formal risk assessment, nor is there a need to maintain a risk register.
Rather than it being a tangible process, it is a mode of thinking or attitude that runs through every decision-making process, without necessarily formalising it.
It allows a company to maintain both its flexibility and adaptability in an increasingly competitive marketplace.
Risks can change from day to day or they can be a long time coming, but thinking in this way, this constant state of vigilance if you like, improves how responsive and adaptive a company can be, an important factor when standards need to be maintained.
Building in risk-mitigating technology
Many companies are choosing to use technology to bring a more recognisable risk-thinking approach to business and quality.
A centralised risk register, although not a requirement, has proved an excellent tool, as have flexible risk tools such as decision trees alongside risk-based effectiveness checks.
Automation also reduces risk, ensuring nothing falls through the cracks. Is your business ready to take the risk-based thinking test?
How can we help you?
If you’re in need of assistance with any aspect of ISO or GDPR compliance, here at Synergos we’d be delighted to help. Whether you have questions about the path to compliance or are looking for advice and support to maintain compliance, call 01484 817 444 or Email firstname.lastname@example.org and we’ll be happy to talk it over with you.