Actions to address risks and opportunities is a new and key planning requirement for a successful QMS. One of the purposes of the QMS is to act as a preventive action tool; however, there is no longer a clause that specifically relates to preventive action. The main focus in the revised standard is ‘risk-based thinking’.
As previously explained in lessons 4.1 (Understanding the context of the organisation) and 4.2 (Understanding the needs and expectations of interested parties), considering risks and opportunities is a fundamental exercise. By this stage, you should have identified and considered the interested parties, the internal and external issues, your organisation’s requirements and obligations, and the potential impact these will have on the QMS.
Next, you must decide whether your organisation needs to take action on those risks and opportunities.
Why? Because your organisation needs to minimise the potential negative impacts on the QMS, take advantage of the potential positive results, and demonstrate its intention for continual improvement. By doing so, you have a better chance of achieving your planned result(s).
Even though it is important to spend time focusing on risks to protect the business, focusing on potential opportunities demonstrates your organisation’s intent for continual improvement and its determination to make the QMS succeed.
During this planning stage, you must consider the risks and opportunities emerging from the internal and external context of the organisation and the requirements of interested parties. You must focus on ensuring the QMS can achieve its intended results, enhancing desirable effects, achieving improvement and, finally, preventing or reducing undesired effects.
You need to identify the potential consequences of changes. This will include determining who is involved, when changes are to take place and what resources would need to be allocated.
Prioritising risks and opportunities by their level of importance will decrease the workload required and the time spent on this exercise. Remember, you do not have to include every single risk and opportunity the business faces, just the ones that could have a significant impact on the QMS’s intended results.
The term ‘risk’ does tend to have a negative connotation. Risk is a combination of the consequences of an event and the associated likelihood. However, risk should not be assumed to be negative only. The term ‘risk’ can reflect both positive AND negative effects of uncertainty (see ISO 9000:2015 clause 3.7.9 for the terminology).
The next part of the planning stage is two-fold. You need to plan what actions you will take to address the risks and opportunities, and how to do this by integrating them into the QMS and evaluating their effectiveness.
Planning actions to address risks and opportunities
When planning actions to address risks, Note 1 of ISO 9001 Clause 6.1 states ways in which to do this:
“Options to address risk can include avoiding risks, taking risks in order to pursue an opportunity, eliminating a risk source, changing the likelihood or consequences, sharing the risk or retaining risk by informed decision.” (Note 1, ISO 9001:2015 Clause 6.1)
When planning the possible outcomes of opportunities, Note 2 of ISO 9001 Clause 6.1 highlights:
“Opportunities can lead to the adoption of new practices, launching new products, opening new markets, addressing new customers, building partnerships, using new technology and other desirable and viable possibilities to address the organisation’s or its customers’ needs.” (Note 2, ISO 9001:2015 Clause 6.1)
You need to ensure that the actions taken are proportionate to the risk or opportunity identified. For example, if there is a serious issue with customer service records, the actions taken (time, resources, attention) must be a high priority for the organisation.
Although this clause specifies that you must plan actions to address risk, there is no explicit requirement for a formal risk management method or a documented risk management procedure. The decision on what to document, and to what level, will depend on the context of the organisation. However, if you would like to conduct a more extensive risk assessment exercise for your own due diligence and practise a specific methodology, ISO 31000 is a fantastic standard that provides very simple guidance on how to do so.
How to implement and integrate the actions into the QMS
You need to plan how to implement the actions, and ensure they are integrated into the organisation’s daily activities and processes. How to evaluate the effectiveness of those actions is not described in the Standard, so this is down to your own discretion.
How to evaluate the effectiveness of the actions
Effectiveness could be evaluated based on process flows (inputs vs. expected outputs), analysis of data (e.g. customer complaints), systems reporting, customer feedback, etc. However, you must ensure that the evaluation of the actions’ effectiveness is carried out frequently (possibly during management review meetings).
When assigning roles, responsibilities and authorities, the evaluation of effectiveness must be delegated so that the actions can be monitored, managed and communicated across the organisation as necessary.