ISO 9001:2015 Risk Examples
As part of each client engagement, we go through a process of brainstorming what risks and opportunities should be considered as part of their Quality Management System (QMS). This activity begins with determining the organization's context, which includes defining the QMS and its processes. With these processes defined, and corresponding inputs / outputs identified, we can then begin to associate "what could go wrong" with each.
A few QMS risk examples are shown below, for an imaginary company created solely for this illustration, that I'll just call "XYZ Corporation". As it happens, "XYZ" has a fairly straightforward ISO 9001:2015 Quality Management System, developed around the manufacturing of everyday widgets...
Sales Risk Examples:
· Customer requirements unclear
Purchasing Risk Examples:
· Wrong product delivered
· Substandard or defective materials
Production Risk Examples:
· Wrong material used
· Manufactured to obsolete drawing
Inspection Risk Examples:
· Reject good product
· Accept bad product
· Miss inspection point
· Unable to perform inspection
Delivery Risk Examples:
· Lost in shipment
· Damaged in shipment
· Delivered to incorrect location
Identifying QMS risk doesn't have to be particularly difficult, and many different companies share similar risks, although each one will likely have different views on the corresponding impact. Just take your time, give a little thought, and start out by making a simple list. Also note that some occurrences are merely beyond our control, and there is no reasonable effort that would mitigate an impact on our QMS (e.g., meteor strikes, global war, plague and the zombie apocalypse).
Hope the risk examples above were helpful. Since ISO 9001 requires us to consider both risks and opportunities related to our QMS, we'll follow up with some additional examples shortly, as part of another post.
This photo is from just outside our Fulshear, TX office during Hurricane Harvey 2017.
When determining business risk, make sure to consider the environment as an external factor. In extreme circumstances such as this, there is no way to provide your products and services to your customers.
Two of the most frequent inquiries we receive relating to the ISO 9001:2015 Standard are seeking help in understanding and determining "Context" and "Risk Based Thinking".
As for context, the easiest explanation is to consider it as an opportunity to present “about our company”: who we are, what we do, how we do it, and who we do it for. For example, many companies may make chairs, but all chairs are not created equal (e.g., a chair may be for an office, a kitchen table, a bar, a plane, a patio, a pool, etc.). If your business were a painting on canvas, your context would be the background.
The best approach we’ve had so far is to replace the “old” ISO 9001:2008 manual with a “new” ISO 9001:2015 manual that addresses all of the above. Rather than just restating and paraphrasing the ISO 9001 standard, the QMS becomes the company’s explanation of its interested parties, products and processes, and how it manages quality. Once documented, it should be communicated internally, so everyone can understand and speak the same language.
As for risk based thinking, the only requirement of ISO 9001:2015 is that the organization can demonstrate that it is applying this concept. TC-176, the ISO technical committee responsible for this standard, intentionally didn’t prescribe any requirements, for fear of alienating the various users of the standard. Along with several other new requirements, this hesitation created more problems than it solved. Now the certification auditors are taking it upon themselves to mandate their own personal opinions…
The best approach we’ve had with this area is the use of a risk registry (list), detailing, for each QMS process, which risks we consider to be important. Once identified, this registry is scored highest-to-lowest (based on whatever company-defined method is used), with the highest values being those which are considered to require immediate control. The rest can just be monitored for change. If you’re familiar with the term, think FMEA (Failure Mode and Effects Analysis).
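As an added illustration (not from the original post, and not MAS Solutions' own method), here is a minimal FMEA-style scoring of the XYZ Corporation risk register from the examples above. The severity/occurrence/detection ratings and the control threshold are constructed assumptions, since the post leaves the scoring method company-defined.

```python
# Added example: FMEA-style scoring of a QMS risk register, per process.
# Ratings (1-10) and the action threshold are constructed for illustration.
from dataclasses import dataclass

@dataclass
class Risk:
    process: str
    description: str
    severity: int     # impact if it happens, 1 (negligible) .. 10 (critical)
    occurrence: int   # likelihood, 1 (rare) .. 10 (almost certain)
    detection: int    # 1 (always caught) .. 10 (would escape unnoticed)

    @property
    def rpn(self) -> int:
        """Risk Priority Number: the classic FMEA product of the three ratings."""
        return self.severity * self.occurrence * self.detection

# Constructed register for the imaginary XYZ Corporation (risks from the post).
REGISTER = [
    Risk("Sales",      "Customer requirements unclear",      7, 6, 5),
    Risk("Purchasing", "Wrong product delivered",            5, 3, 2),
    Risk("Purchasing", "Substandard or defective materials", 8, 4, 6),
    Risk("Production", "Wrong material used",                9, 2, 4),
    Risk("Production", "Manufactured to obsolete drawing",   8, 3, 7),
    Risk("Inspection", "Accept bad product",                 9, 3, 8),
    Risk("Inspection", "Reject good product",                3, 4, 2),
    Risk("Delivery",   "Damaged in shipment",                6, 4, 2),
]

def rank(register):
    """Order the register highest-to-lowest by RPN."""
    return sorted(register, key=lambda r: r.rpn, reverse=True)

def triage(register, threshold):
    """Split into risks needing immediate control and those only monitored."""
    ranked = rank(register)
    control = [r for r in ranked if r.rpn >= threshold]
    monitor = [r for r in ranked if r.rpn < threshold]
    return control, monitor

def worst_by_process(register):
    """Highest-RPN risk per QMS process, for a process-level summary."""
    out = {}
    for r in register:
        if r.process not in out or r.rpn > out[r.process].rpn:
            out[r.process] = r
    return out
```

With the constructed ratings, triage(REGISTER, 150) places the four highest-RPN items (accept bad product, unclear customer requirements, defective materials, obsolete drawing) in the control list and leaves the rest to be monitored.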
Clauses That Make Reference to Risk Based Thinking
Risk-based thinking is something we all do automatically and often subconsciously to get the best result. The concept of risk has always been implicit in ISO 9001 – the 2015 edition makes it more explicit and builds it into the whole management system. Risk-based thinking ensures risk is considered from the beginning and throughout.
While Clause 6, Planning, is an obvious reference to risks and opportunities, the concept of risk-based thinking is present throughout the Standard. Where is risk addressed in ISO 9001:2015?
Introduction – the concept of risk-based thinking is explained.
Clause 4 – the organization is required to determine its QMS processes and to address its risks and opportunities.
Clause 5 – top management is required to:
· Promote awareness of risk-based thinking.
· Determine and address risks and opportunities that can affect product/service conformity.
Clause 6 – the organization is required to identify risks and opportunities related to QMS performance and take appropriate actions to address them.
Clause 7 – the organization is required to determine and provide necessary resources (risk is implicit whenever “suitable” or “appropriate” is mentioned).
Clause 8 – the organization is required to manage its operational processes (risk is implicit whenever “suitable” or “appropriate” is mentioned).
Clause 9 – the organization is required to monitor, measure, analyze and evaluate effectiveness of actions taken to address the risks and opportunities.
Clause 10 – the organization is required to correct, prevent or reduce undesired effects and improve the QMS and update risks and opportunities.
Our ISO 9001 Blog
Information, thoughts and periodic updates from MAS Solutions' QMS Consulting Group.