Understanding ISO Risk-Based Thinking


September 22, 2020

When the most recent version of ISO 9001 came out in 2015, the standard’s authors introduced a significant change that even today remains a source of confusion for some quality professionals.

That change was an increased emphasis on risk-based thinking, a somewhat fuzzy term that has sparked numerous discussions about what it means—and the practical implications for manufacturers.

With that in mind, this post looks at the basics of ISO risk-based thinking, plus a strategy companies can use to comply with the standard while reducing production defects.

Risk-Based Thinking is the New Preventive Action

One conspicuous change that accompanied the new requirements was the elimination of the preventive action clause in ISO 9001:2015. It’s not a coincidence.

In the new version, risk-based thinking has replaced preventive action, providing a starting point for how to understand the term.

ISO has stated in separate guidance documents that the goal of the change was to get organizations to stop treating prevention as a standalone quality management system (QMS) component. Instead, the expectation is that companies incorporate prevention into the entire quality process. To that end, risk is woven throughout multiple clauses of the standard, including planning, operation, analysis and evaluation.

Risk-Based Thinking and the Process Approach

It’s important to note that ISO risk-based thinking requirements don’t mandate that companies implement a formal risk management process. This is in keeping with ISO’s intentional flexibility in terms of how companies implement standard requirements.

ISO guidance notes, however, that risk-based thinking is central to the Plan-Do-Check-Act approach, requiring organizations to:

  • Identify and understand risks
  • Determine which risks are acceptable and which are unacceptable
  • Plan actions to avoid, eliminate and/or mitigate risks
  • Execute on those plans and check effectiveness
  • Continuously improve from lessons learned

How to Use Layered Process Audits to Comply with Risk Requirements

Making risk part of your decision-making process sounds easy, but formalizing and documenting your approach can be less straightforward. Layered process audits (LPAs) help close that gap, giving manufacturers an important tool for reducing defects, certification findings and complaints.

LPAs are a type of high-frequency audit that involves verifying process inputs to minimize variation from standards. In an LPA program, auditors at every level or layer of management participate in daily checks, getting more eyes on known risks to prevent production defects.

LPAs help companies comply with ISO risk-based thinking requirements by:

  • Engaging the team in identifying risks: Cross-functional teams that include engineering, operations and quality should contribute to writing LPA questions, which examine high-risk process inputs such as equipment settings and functionality of error-proofing devices.
  • Planning actions to reduce risks: Checking process inputs helps prevent production defects at their source, which is far more effective than just inspecting finished products. Each LPA question also includes a reaction plan to mitigate any nonconformances identified during the audits.
  • Helping execute plans and determining effectiveness: LPAs provide a formal structure for making sure work instructions and other documentation are actually followed. Reporting on audit findings helps reduce risk by identifying where problems are occurring or recurring and revealing trends in nonconformances in different areas of the plant.
  • Enabling continuous improvement: Adding new LPA questions based on corrective actions or complaints ensures any fixes you implement stay in place. Via face-to-face conversations between management and front-line operators, LPAs also help leaders identify process improvements and documentation that needs shoring up.

Using a digital LPA platform like EASE can help manufacturers demonstrate effective handling of quality risks, streamlining certification while improving customer satisfaction. This type of platform provides key advantages over paper-based LPAs with automated scheduling, mobile audits and immediate access to findings.

According to ISO, risk-based thinking is about making prevention part of what you do every day rather than a one-off activity for satisfying a management system requirement. LPAs align with this goal with daily checks of known risks, proactive identification of emerging risks and a process to prevent recurrence of quality problems.