How to implement risk management in a quality management system?

In this part of the paper only the changes related to the implementation of risk management are discussed. It should be noted that there are other changes in the ISO 9001:2015 standard which are not of interest to this article. Among the changes related to risk management required by the new standard are:

  • withdrawal of preventive actions procedure,
  • determining the context of the organization,
  • determining needs and expectations of interested parties,
  • implementation of risk management process.

The preventive actions procedure is no longer required and should be replaced by a risk management procedure. Organizations that have a joint corrective and preventive actions procedure should remove the part concerning preventive actions. Because nonconformity and corrective actions have been merged in section 10.2, merging the procedures on these issues should also be considered.

The external context of the organization includes all factors in the environment that can influence its objectives, strategy and risk appetite. It may include parameters related to culture, society, politics, legislation, regulations, finance, technology, economy, competition and the natural environment [ISO 31000 2009, p. 10]. The internal context includes, for example, governance, organizational structure, roles, accountabilities, policies, objectives, strategy, organizational capability, information systems, relations with stakeholders, organizational culture, implemented standards and relationships with partners [ISO 31000 2009, p. 10]. Top management should identify all factors that are important, measure them and assess them in the context of the organization's sustainability, growth and development.

Additionally, top management should identify the interested parties that can have an impact on the organization's ability to consistently provide products and services that meet customer and other requirements, and determine the requirements of those parties. The word "consistently" refers to business continuity. It is therefore required to put in place business continuity solutions that prevent customers from receiving products that don't comply with the requirements. The effectiveness of those solutions should be adapted to the type of organization, its products and customer requirements. Risk management should help assure business continuity thanks to, among other things, extended planning.

The risk management process should consider risks as well as opportunities, which stem from the internal and external context of the organization and the requirements of interested parties. The aim is to assure achievement of the intended results, prevent or reduce undesired effects and achieve continual improvement. The key part of the process is risk assessment, which includes identification, analysis and evaluation. All risks and opportunities should be assessed to determine their impact on the organization and its products. Depending on the specific factors, the organization should apply a treatment. It can include, for example, refusing to carry out the activity, taking an opportunity, removing the risk source or sharing the risk. Each action should be proportionate to the potential impact on the conformity of products and services. The organization should be able to explain why a certain amount of resources was assigned to risk management actions.

The organization should evaluate the effectiveness of the planned actions. The evaluation should compare objectives with results. The standard doesn't require evaluation of the economics of those actions unless it is clearly stated in the objectives.

The risk management process in medium and large companies should be decentralized, as the standard requires integration at the level of the quality management system processes. A centralized process can significantly increase bureaucracy and managers' workload. Decentralization, however, requires more training. Only establishing the context and monitoring activities should be centralized and managed by the quality manager (top management representative). In small companies the risk management process can be centralized and limited to top management.

The new requirements entail both benefits and costs for organizations. Top management receives a tool for prevention and continual improvement that can actually do its job; when properly implemented, it can be much more effective than preventive actions. The requirement to evaluate the effectiveness of risk management actions will deliver information about improvements and their economic effects. This can encourage top management to extend the risk management process and invest in improvements, and finally lead to a better quality management system. The costs are related to the required changes and to designing and implementing the new process. At least all managers should be trained in the risk management process, which entails further costs. A big change is required in the approach to continual improvement, which in many companies was merely feigned. The benefits of the change can be diminished if certification bodies treat the new requirements too lightly during audits. Overall, it is probable that the benefits of proper implementation will significantly exceed the costs.

Recommended external sources:

Photo: Sean Davis, CC