The COVID-19 Coronavirus
As the COVID-19 pandemic sweeps the world, we’re faced with risks and opportunities that we never considered. Millions are forced to self-isolate; businesses are closing, employee layoffs are occurring, and basic items such as toilet paper and hand sanitizer are in short supply. We are faced with challenges on a scale that is unparalleled since World War II, as we make our best attempt to “flatten the curve”.
It is estimated that we are still several weeks away from being back to “normal”, if not months, or potentially even longer. It could even be that a new “normal” takes shape, one where this becomes a recurring concern, until such time that a vaccine is introduced and made available to the public.
Risks and Opportunities
As of this writing, we are facing health risks, including death, to our persons, our families and our neighbors, and economic risks associated with the economy, the falling stock market, the security of our jobs, and the integrity of our supply chains. We are also faced with the risk that both our livelihoods and lifestyles may be negatively affected by prolonged shutdowns and the necessity of remaining in our homes.
As we work our way through this pandemic, which we will, there will also be opportunities that follow, one of the first likely being a reduction in our dependence on imported manufactured goods and materials. We may potentially see a new era of domestic growth and expansion, with many industries revitalized as “Made in America” takes on a new meaning. We may also see new opportunities related to improvements in medicine, health care and social programs, as the coronavirus is now testing our current capabilities and capacity to their limits.
Impacts to Business
For most organizations, the consideration of a global pandemic was just not “on-the-radar”, and if it was, it was considered alongside other extraordinary events such as meteor strikes, volcanic eruptions, and alien arrivals. While such events would surely have a significant impact to the organization, their probability of occurrence was, until this point, considered low.
Now that we’ve reached this point, the impact of this pandemic has affected nearly every industrial sector. While I’m not sure that any business could develop and execute a contingency plan that is comprehensive enough to deal with all of the profound effects and impacts of this virus, hopefully it will emphasize the importance of considering potential risks and opportunities that may affect our businesses, prior to their occurrence.
For those companies that treated the consideration of risks and opportunities as an academic exercise, required only for achieving and maintaining ISO 9001:2015 certification, the need to address such concerns through our planning activities should be clearer than ever.
ISO 9001:2015 Risk Examples
As part of each client engagement, we go through a process of brainstorming what risks and opportunities should be considered as part of their Quality Management System (QMS). This activity begins with determining the organization's context, which includes defining the QMS and its processes. With these processes defined, and corresponding inputs / outputs identified, we can then begin to associate "what could go wrong" with each.
A few QMS risk examples are shown below, for an imaginary company created solely for this illustration, that I'll just call "XYZ Corporation". As it happens, "XYZ" has a fairly straightforward ISO 9001:2015 Quality Management System, developed around the manufacturing of everyday widgets...
Sales Risk Examples:
· Customer Requirements Unclear
Purchasing Risk Examples:
· Wrong Product Delivered
· Substandard or Defective Materials
Production Risk Examples:
· Wrong material used
· Manufactured to obsolete drawing
Inspection Risk Examples:
· Reject good product
· Accept bad product
· Miss inspection point
· Unable to perform inspection
Delivery Risk Examples:
· Lost in shipment
· Damaged in shipment
· Delivered to incorrect location
Identifying QMS risk doesn't have to be particularly difficult, and many different companies share similar risks, although each one will likely have different views on the corresponding impact. Just take your time, give it a little thought, and start out by making a simple list. Also note that some occurrences are simply beyond our control, and there is no reasonable effort that would mitigate their impact on our QMS (e.g., meteor strikes, global war, plague and the zombie apocalypse).
Hope the risk examples above were helpful. Since ISO 9001 requires us to consider both risks and opportunities related to our QMS, we'll follow up with some additional examples shortly, as part of another post.
This photo is from just outside our Fulshear, TX office during Hurricane Harvey 2017.
When determining business risk, make sure to consider the environment as an external factor. In extreme circumstances such as this, there is no way to provide your products and services to your customers.
Two of the most frequent inquiries we receive relating to the ISO 9001:2015 Standard are seeking help in understanding and determining "Context" and "Risk Based Thinking".
As for context, the easiest explanation is to consider it as an opportunity to present “about our company”: who we are, what we do, how we do it, and who we do it for. For example, many companies may make chairs, but all chairs are not created equal (e.g., a chair may be for an office, a kitchen table, a bar, a plane, a patio, a pool, etc.). If your business were a painting on canvas, your context would be the background.
The best approach we’ve had so far is to replace the “old” ISO 9001:2008 manual with a “new” ISO 9001:2015 manual that addresses all of the above. Rather than just restating and paraphrasing the ISO 9001 standard, the QMS becomes the company’s explanation of its interested parties, products and processes, and how it manages quality. Once documented, it should be communicated internally, so everyone can understand and speak the same language.
As for risk based thinking, the only requirement of ISO 9001:2015 is that the organization can demonstrate that it is applying this concept. TC-176, the ISO technical committee responsible for this standard, intentionally didn’t prescribe any requirements, for fear of alienating the various users of the standard. Along with several other new requirements, this hesitation created more problems than it solved. Now the certification auditors are taking it upon themselves to mandate their own personal opinions…
The best approach we’ve had with this area is the use of a risk registry (list), detailing, for each QMS process, which risks we consider to be important. Once identified, the entries in this registry are scored and ranked highest-to-lowest (based on whatever company-defined method is used), with the highest values being those which are considered to require immediate control. The rest can just be monitored for change. If you’re familiar with the term, think FMEA (Failure Mode and Effects Analysis).
Clauses That Make Reference to Risk Based Thinking
Risk-based thinking is something we all do automatically and often subconsciously to get the best result. The concept of risk has always been implicit in ISO 9001 – the 2015 edition makes it more explicit and builds it into the whole management system. Risk-based thinking ensures risk is considered from the beginning and throughout.
While Clause 6, Planning, is an obvious reference to risks and opportunities, the concept of risk-based thinking is present throughout the Standard. Where is risk addressed in ISO 9001:2015?
Introduction – the concept of risk-based thinking is explained.
Clause 4 – the organization is required to determine its QMS processes and to address its risks and opportunities.
Clause 5 – top management is required to:
· Promote awareness of risk-based thinking
· Determine and address risks and opportunities that can affect product/service conformity.
Clause 6 – the organization is required to identify risks and opportunities related to QMS performance and take appropriate actions to address them.
Clause 7 – the organization is required to determine and provide necessary resources (risk is implicit whenever “suitable” or “appropriate” is mentioned).
Clause 8 – the organization is required to manage its operational processes (risk is implicit whenever “suitable” or “appropriate” is mentioned).
Clause 9 – the organization is required to monitor, measure, analyze and evaluate effectiveness of actions taken to address the risks and opportunities.
Clause 10 – the organization is required to correct, prevent or reduce undesired effects and improve the QMS and update risks and opportunities.
Our ISO 9001 Blog
Information, thoughts and periodic updates from MAS Solutions' QMS Consulting Group.