
ISO 9001:2015 - How to apply Risk-based Thinking to Quality Processes

Title: VI-404842-TM
Version: 1
Author: Michael Shuff
Issue Date: 05 Aug 2015

Page 1

ISO 9001:2015 - How to apply Risk-based Thinking to Quality Processes

Summary

The new version of the ISO 9001:2015 standard is scheduled for final publication on September 23rd 2015. One of the new requirements is to show evidence of risk-based thinking (RBT) in the quality management system. How do you do that? How are auditors likely to respond to the new challenges that ISO 9001:2015 brings? How do you produce documented evidence of risk-based thinking?

Although ISO 9001:2015 does not call for formal methods of risk management, it is likely that anyone trying to understand RBT will turn to ISO 31000, and to its list of risk assessment techniques in particular. However, this is not as easy as it sounds. There are many techniques to choose from, and many may not be applicable to the sectors that ISO 9001 serves.

This white paper has two major sections. The first part provides a primer on many of the ISO 31000 risk assessment techniques and considers their applicability to quality management. The second part provides a six-step methodology that you can follow to deliver evidence of a risk-based approach to quality. It is a practical methodology that is specific about inputs and outputs, and about what you need to do in between. Several example templates are provided that could form the basis for your documented information.


Contents

1 Risk-based thinking as a requirement of ISO 9001 ..... 6
  1.1 A starting point for risk-based thinking applied to quality processes ..... 7
2 ISO 31000 Risk Management Techniques ..... 11
  2.1 Look-up Methods ..... 11
    2.1.1 Checklists ..... 11
    2.1.2 Preliminary hazard analysis ..... 12
  2.2 Supporting Methods ..... 12
    2.2.1 Structured interview and brainstorming ..... 12
    2.2.2 What can we learn from ISO 31000 risk assessment processes? ..... 14
    2.2.3 Are structured interviews and brainstorming 9001 requirements? ..... 14
  2.3 Other Supporting Methods ..... 16
    2.3.1 Delphi technique ..... 16
    2.3.2 SWIFT (Structured what-if) ..... 17
    2.3.3 Human reliability analysis (HRA) ..... 18
  2.4 Scenario Analysis ..... 20
    2.4.1 Root cause analysis (RCA) ..... 20
    2.4.2 Scenario analysis ..... 20
    2.4.3 Toxicological / Environmental / Ecological risk assessment ..... 21
    2.4.4 Business impact analysis (BIA) ..... 21
    2.4.5 Fault tree analysis ..... 22
    2.4.6 Event tree analysis ..... 22
    2.4.7 Cause and consequence analysis ..... 23
    2.4.8 Cause-and-effect analysis ..... 23
  2.5 Function Analysis ..... 24
    2.5.1 FMEA and FMECA ..... 24
    2.5.2 Reliability-centred maintenance (RCM) ..... 25
    2.5.3 Sneak analysis (SA) and sneak circuit analysis (SCA) ..... 25
    2.5.4 HACCP ..... 26
  2.6 Controls Assessment ..... 26
    2.6.1 LOPA (Layers of Protection Analysis) ..... 26
    2.6.2 Bow-tie analysis ..... 27
  2.7 Statistical Methods ..... 27
    2.7.1 Markov analysis ..... 28
    2.7.2 Monte-Carlo analysis ..... 29
    2.7.3 Bayesian analysis ..... 30
3 A Risk Management Methodology for Quality Management ..... 32
  3.1 Risk-based thinking is the new 'preventive actions' for QMS ..... 32
    3.1.1 Planning and considering risks in quality system processes ..... 33
    3.1.2 What actions are required to plan for risks and opportunities? ..... 34
  3.2 The Six Steps ..... 35
  3.3 Step 1: Establish the Context ..... 37
    3.3.1 Scope and responsibilities for specific risk management activities ..... 38
    3.3.2 How should we document the "context of the organization"? ..... 39
    3.3.3 What information should the Statement of Context contain? ..... 40
    3.3.4 Risk criteria for Quality Management Systems ..... 40
  3.4 Step 2: Risk identification ..... 41
    3.4.1 Techniques for risk identification ..... 42
  3.5 Step 3: Qualitative risk analysis & risk evaluation ..... 43
    3.5.1 What is a 'Qualitative analysis' of risk? ..... 43
    3.5.2 Does ISO 9001:2015 require a qualitative risk assessment? ..... 43
    3.5.3 Sources of information for qualitative analysis ..... 44
    3.5.4 Summary ..... 46
  3.6 Step 4: Semi-Quantitative risk analysis and risk evaluation ..... 46
    3.6.1 Methods for calculating risk factors ..... 47
    3.6.2 What is the value of the Semi-Quantitative approach in Step 4, following the Qualitative Assessment conducted in Step 3? ..... 48
  3.7 Step 5: Risk treatment ..... 49
    3.7.1 Example of Risk Treatment in a Quality Management System ..... 50
  3.8 Step 6: Monitoring & review ..... 52
4 Summary and Conclusions ..... 54
  4.1 Risk Assessment Methodology for applying RBT to QMS ..... 55
  4.2 Conclusion ..... 57


1 Risk-based thinking as a requirement of ISO 9001


Risk-based thinking is a sore point among many quality professionals. Even so, identifying risk, analysing the consequences, probability and level of risk (i.e. risk analysis) and evaluating risk using formal techniques are becoming increasingly important tasks in the global business world.

ISO 9001:2015 incorporates what the draft version of the International Standard has termed "Risk-based Thinking" in its requirements for the establishment, implementation, maintenance and continual improvement of the quality management system. If you are already familiar with the DIS or have read the many discussions on the subject that have appeared in LinkedIn groups and elsewhere, you will already be aware that formal risk management is not mandated. However, organizations can, in the words of the TC 176 Committee's draft standard (May 2014), "...choose to develop a more extensive risk-based approach than is required by this International Standard, and ISO 31000 provides guidelines on formal risk management which can be appropriate in certain organizational contexts".

We are sceptical about the subject of demonstrating risk-based thinking to a certification auditor when they assess your quality management system. Of course, it is possible that you will not be subjected to an intensive grilling if the Standard does not require you to produce the outputs from your risk assessment processes or evidence of a formal risk management system. However, if ISO 9001:2015 requires risk-based thinking in order to plan and control the quality management system (QMS) and its component processes and activities, it is unlikely to be ignored in the certification audit process.

This raises the question:

How do you show risk-based thinking during a certification audit?

"Risk-based thinking" assessment is likely to form a sizeable section of the ISO 9000 guidance documents when they are published along with the ISO 9001:2015 Standard. Waiting until September may not be an option for those of you looking to transition from the 2008 Standard as rapidly as possible, so we thought that it would be a good idea to look at how you might go about this interesting task. The aim is to produce (a) evidence that you could show to an assessor [HEALTH WARNING: nobody yet knows exactly what they will be asking for], and (b) a useful way of identifying, evaluating and treating the kind of risks that apply to the processes used in quality management.


1.1 A starting point for risk-based thinking applied to quality processes


In our blog post ISO 9001:2015 The likely impact (Part II), we suggested the following basic checklist of tasks:

Analyse and prioritize the risks and opportunities in your organisation:

- What is acceptable?
- What is unacceptable?

Then plan actions to address the risks. Ask yourself:

- How can I avoid or eliminate the risk?
- How can I mitigate the risk?

Then...

- Implement the plan - take action
- Check the effectiveness of the actions - does it work?
- Learn from experience - continual improvement

However, this list presupposes that you have identified risks and opportunities. So if you have not done so yet, how do you approach risk identification in your context?

Read on...
Will ISO 31000:2009 help in taking a 'risk-based approach' to the quality management system, its component processes and activities?

Short answer: it can do, depending on your organization's context.

The ISO 9001 DIS says that ISO 31000 provides guidelines on formal risk management, which can be appropriate in certain organizational contexts.

Those working for large, indeed global, entities understand this. They have long since adopted risk management methodologies and have risk managers on their team who are familiar with ISO 31000. But what is ISO 31000 attempting to achieve, and is it relevant to the majority of organizations that are trying to gain or transition to ISO 9001?

ISO 31000 describes an "overall approach to risk management, not just risk analysis or risk assessment. It deals with the links between risk management process and both strategic direction and day to day actions and treatments."[1] On the face of it, this sounds an ideal recipe for risk-based thinking. However, pick up the Standard and read it and this thought is quickly dispelled, because ISO 31000 takes a generic approach that has to be developed - in considerable detail - to be useful in a given context.

[1] Project risk management guidelines: managing risk with ISO 31000 and IEC 62198, Dale F Cooper, et al, Wiley, 2014
Great for the strategic aims of senior management, but not of any great value to the 'poor bloody infantry' of quality managers out there.

Perhaps the first (and frustrating) conclusion you will come to, having spent at least £120 ($180) on your personal copy, is that you also need to buy ISO/IEC 31010:2009 Risk management - Risk assessment techniques.
Therefore, your boss says, "OK, buy the one you actually need, but don't come back to me asking for
more. We've got by without 'risk-based thinking' in the past [insert number of years or decades];
surely we can do so this time?" You thank her or him for authorizing the purchase.
The PDF arrives on your computer. You open it. There are 92 pages, 6 of which, in Annex A, are a comparison of risk assessment techniques (some useful tables here) before you arrive at Annex B, consisting of 61 pages describing the 31 risk assessment techniques. These seem suited to the kind of people who enjoyed mathematics (and statistics especially) at school, but who may not be that interested in helping you to design effective quality processes.

Yes, there is a worthy (absorbing even?) preamble about risk assessment concepts and processes. There is also a clause describing how to select techniques for risk assessment, which starts with the valid advice:

"Risk assessment may be undertaken in varying degrees of depth and detail and using one or many methods ranging from simple to complex. The form of assessment and its output should be consistent with the risk criteria developed as part of establishing the context." [Clause 6.2]
There is no point in making life more complicated than it needs to be; thus:

"In general, suitable techniques should exhibit the following characteristics:

- it should be justifiable and appropriate to the situation or organization under consideration;
- it should provide results in a form which enhances understanding of the nature of the risk and how it can be treated;
- it should be capable of use in a manner that is traceable, repeatable and verifiable." [Ibid]

Great!
By now, you are probably fired up with the possibility of finding a suitable risk assessment technique
that fits the context of your organization and its quality management system. You cannot wait to get
started on the job.
You turn to...

Annex A (informative) - Comparison of risk assessment techniques

You quickly realize there are more risk assessment techniques than you thought existed, and even a cursory reading suggests that some are complex - notably the ones that are strongly applicable to each step of the full risk assessment process; specifically:

- risk identification;
- risk analysis - consequence analysis;
- risk analysis - qualitative, semi-quantitative or quantitative probability estimation;
- risk analysis - assessing the effectiveness of any existing controls;
- risk analysis - estimating the level of risk;
- risk evaluation.

Below is the list of the 31 tools. Depending on the industry you are working in, you will almost
certainly recognise at least some of them, even if you have not actually used any of the techniques
to assess risk.
Tools used for risk assessment

1. Brainstorming
2. Structured or semi-structured interviews
3. Delphi
4. Check-lists
5. Preliminary hazard analysis
6. Hazard and operability studies (HAZOP)
7. Hazard Analysis and Critical Control Points (HACCP)
8. Environmental risk assessment
9. Structured 'what if' technique (SWIFT)
10. Scenario analysis
11. Business impact analysis
12. Root cause analysis
13. Failure mode and effects analysis (FMEA)
14. Fault tree analysis
15. Event tree analysis
16. Cause and consequence analysis
17. Cause-and-effect analysis
18. Layers of protection analysis (LOPA)
19. Decision tree
20. Human reliability analysis
21. Bow tie analysis
22. Reliability centred maintenance
23. Sneak circuit analysis
24. Markov analysis
25. Monte Carlo simulation
26. Bayesian statistics and Bayes Nets
27. FN curves
28. Risk indices
29. Consequence/probability matrix
30. Cost/benefit analysis
31. Multi-criteria decision analysis (MCDA)

Table 1: Tools used for risk assessment


Not everybody will have the resources and capabilities within the organization to attempt some of
these - e.g., Fault tree analysis, Cause / consequence analysis, Monte-Carlo analysis, Bayesian
analysis.
Quality managers working for smaller enterprises (SMEs) may only dream of conducting analysis at
the level required by some techniques in the list. The sheer complexity of some types of risk
assessment will render the tool useless in most organizations employing between 1 and 250 people.
However, that does not mean to say that ISO 31010 isn't a valuable reference should you ever be
required to think about risk in these terms.
In the following sections, we will focus on some of these techniques.


2 ISO 31000 Risk Management Techniques


Although risks and opportunities have to be determined and addressed, there is no requirement in ISO 9001:2015 for formal risk management or a documented risk management process. Even so, the concept of preventive action is expressed in the 2015 wording through the risk-based approach to formulating quality management system requirements. It follows that we will most probably want to show our reasoning in this respect; in other words, how our thinking about risk led to these actions.

In our view, this does not have to be an onerous task even at the high-risk end of the context spectrum. However, to completely ignore the risks and opportunities aspect of planning your QMS [see 6.1], regardless of the degree of risk involved, would surely be to risk a major non-conformity.

ISO 9001 risk-based thinking could (and we are not saying that it should) be demonstrated by showing the outputs from one or more of the risk assessment tools in ISO 31010 in your "documented information".

To give you a flavour of what these tools are intended to achieve and how they work, we describe a selection of the 31 listed in ISO 31010. At the same time, in the sections that follow, we attempt to link these tools to QMS processes in a meaningful way; however, we do not anticipate our work in this respect to be in any way definitive or a reliable reference. There is no common consensus on how best to employ risk assessment techniques in quality management - at least none that we are aware of yet!

[That said, we are studying with interest the ICH guideline Q9 on quality risk management, which provides principles and examples of tools for quality risk management applied to different aspects of pharmaceutical quality. If you have experience of this guideline, I'd welcome your input!]

Note: the text is based on the contents of Table A.2 - Attributes of a selection of risk assessment tools [Source: IEC/FDIS 31010:2009].

2.1 Look-up Methods


2.1.1 Checklists
This is a simple form of risk identification and a technique that provides a list of uncertainties that
need to be considered. Users can refer to a previously developed checklist, code or standard.


Checklists and reviews of historical data are, naturally enough, a sensible step if you are serious about identifying the risks and opportunities in accordance with the requirements of ISO 9001:2015 Clause 6.1, and intend to plan and implement the appropriate actions to address them. You could, however, enhance the quality of the output by following a systematic process to identify risks by means of a structured set of prompts or questions for the experts - see structured interview below.

Personally, we would start by making a checklist of the known issues in the environment that can (a) affect conformity of products and services [risk] and (b) enhance customer satisfaction [opportunity].

No ISO 9001 assessor is likely to fault you for making this much effort, whether or not you have yet addressed these risks and opportunities in the design of your quality management system and its associated processes.

However, it is also worth remembering that checklists are most useful when applied, after a more imaginative technique that identifies new problems has been used, to check that everything has been covered.

2.1.2 Preliminary hazard analysis


This is a simple inductive method of analysis whose objective is to identify the hazards, hazardous situations and events that can cause harm for a given activity, facility or system.

Note: the term 'hazard' is always used in the context of physical harm.

At first sight, not a very promising tool, but it does have advantages; namely, it can be used when information is limited, and it allows risks to be considered very early in the system lifecycle. In some organizational contexts, preliminary hazard analysis could be appropriate as a risk assessment tool for quality when its use helps prevent critical non-conformities - those which could, for example, result in hazardous or unsafe conditions for individuals using, maintaining or depending on the product.

2.2 Supporting Methods


2.2.1 Structured interview and brainstorming
This is a means of collecting a broad set of ideas, evaluating them and ranking them as a team. Brainstorming may be stimulated by prompts or by one-on-one and one-on-many interview techniques.
So what should we plan to collect in terms of "ideas and evaluation"?
Let us remind ourselves first of what ISO 9001:2015 says we should do.


When planning for the quality management system, ISO 9001:2015 requires organizations to consider the issues referred to in 4.1 [Understanding the organization and its context] and the requirements referred to in 4.2 [Understanding the needs and expectations of interested parties] and determine the risks and opportunities that need to be addressed, in order to:

a) give assurance that the quality management system can achieve its intended result(s);
b) prevent, or reduce, undesired effects;
c) achieve continual improvement.

We should integrate and implement the actions into the organization's quality management system processes (see clause 4.4) and evaluate their effectiveness.

Brainstorming as a technique could be particularly useful when, for example, identifying the risks of new technology where there is no data, or where novel solutions to problems are needed. To quote ISO 31010, "...it encourages imagination which helps identify new risks and novel solutions". However, it is not applicable to the risk analysis tasks of estimating consequence, probability or level of risk. It therefore has its limitations. Along with the 'Look-up Methods' (checklists and preliminary hazard analysis) and most of the other 'Supporting Methods' (structured interviews, the Delphi technique and SWIFT), it does not provide any quantitative output - although this is not a requirement of ISO 9001.

[Note: in the 'Supporting Methods' group, Human reliability analysis (HRA), which deals with the impact of humans on system performance and can be used to evaluate human error influences on the system, is able to provide quantitative output and is 'strongly applicable' to risk analysis and 'applicable' to risk evaluation - see Table A.1 in ISO 31010.]
However, before we get bogged down in too much detail with regard to the other Supporting
Methods, Scenario Analysis, Function Analysis, Controls Assessment and Statistical Methods, we
should ask what are we trying to achieve here, and how will any of these assessment tools help?
Let us take a step back.
If we were considering risks in relation to a quality management system and its associated
processes, we would be asking the following questions:
1. What are the risks associated with the organization's context and objectives - and why
does each risk occur? [identifying the risk and the reason for its occurrence].
2. What would be the likely negative consequences of process, product, service or system
nonconformities? [consequences if the risk occurs].
3. How likely is it that the organization will deliver nonconforming products and services in
relation to the risks we have identified? [probability of the risk occurring].
There are other possible questions worth considering at this stage - for example, 'How effective are
our existing controls?' - in order to identify factors that reduce the consequences or probability of
the risk; however, in terms of what we actually need to know, these will make a good start.


2.2.2 What can we learn from ISO 31000 risk assessment processes?
ISO 31000 states that risk assessment attempts to answer the following fundamental questions:

- what can happen and why (by risk identification)?
- what are the consequences?
- what is the probability of their future occurrence?
- are there any factors that mitigate the consequence of the risk or that reduce the probability of the risk?

Providing that you adhere to this basic structure, you are following the framework that is set out in the International Standard ISO 31000:2009.

Rather than spending several days reading the Standard and having long meetings with colleagues to see how it might be applicable, why not look for methods that would help you to meet the requirements of ISO 9001?

For me, a good start would be:

Documenting the results of any 'consideration of risks and opportunities' exercise as evidence of your management team's "risk-based thinking". Even if it is clear from the design of your processes that you have taken account of Clause 6.1 and determined the risks and opportunities that need to be addressed, having a record of your risk assessment process might prove useful, if only as a reminder to keep matters under review!

Then, evaluate the risk assessment tools (numbering 31 in total) in ISO 31010 to see if they are applicable to your organizational context. It's probably not the time to use them in anger yet (see below), but at least you will know they exist, and that some tools could help to identify risks and opportunities and be useful in carrying out risk analysis (if you consider consequences, probability and level of risk) and risk evaluation.
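As an added illustration (not from this white paper, nor from ISO 31000 or ISO 31010), the Python below records each risk against the four ISO 31000 questions above - what can happen and why, the consequence, the probability, and the existing controls that reduce either - and scores it with a consequence/probability matrix (tool 29 in Table 1) before checking it against acceptance criteria of the "what is acceptable / what is unacceptable" kind. The 1..5 scales, the modelling of each control as a whole-step reduction of one factor, the acceptance thresholds and the sample register entries are all assumptions made for this example, not values taken from any standard.

```python
"""Minimal risk register built around the four ISO 31000 questions.

Scoring uses a 5x5 consequence/probability matrix.  The scales, the
control model and the acceptance thresholds are assumptions made for
this example, not figures from ISO 31000, ISO 31010 or ISO 9001.
"""
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class Control:
    """An existing control; each point of effect lowers one factor by one step (assumed model)."""
    name: str
    reduces: str        # "probability" or "consequence"
    effect: int = 1     # assumed whole-step reduction on the 1..5 scale


@dataclass
class Risk:
    event: str          # what can happen?
    cause: str          # ... and why?
    consequence: int    # 1 (negligible) .. 5 (severe), assumed scale
    probability: int    # 1 (rare) .. 5 (almost certain), assumed scale
    controls: List[Control] = field(default_factory=list)

    def residual(self) -> Tuple[int, int]:
        """Consequence and probability after the listed controls, floored at 1."""
        c, p = self.consequence, self.probability
        for ctl in self.controls:
            if ctl.reduces == "probability":
                p -= ctl.effect
            elif ctl.reduces == "consequence":
                c -= ctl.effect
            else:
                raise ValueError(f"unknown factor {ctl.reduces!r}")
        return max(1, c), max(1, p)

    def level(self) -> int:
        """Level of risk as residual consequence x residual probability (1..25)."""
        c, p = self.residual()
        return c * p


def evaluate(risk: Risk, accept_below: int = 6, unacceptable_from: int = 15) -> str:
    """Risk evaluation against assumed criteria: what is acceptable, what is not."""
    lvl = risk.level()
    if lvl < accept_below:
        return "acceptable"
    if lvl >= unacceptable_from:
        return "unacceptable"
    return "tolerable - treat if cost-effective"


def prioritise(register: List[Risk]) -> List[Risk]:
    """Highest level of risk first, which is the order treatment should be planned in."""
    return sorted(register, key=lambda r: r.level(), reverse=True)


# Constructed sample entries for a made-up quality process (not real data).
SAMPLE_REGISTER = [
    Risk("Supplier ships out-of-spec raw material", "no incoming inspection", 4, 4,
         controls=[Control("Incoming inspection against spec", "probability")]),
    Risk("Calibration of test equipment lapses", "schedule kept on paper", 3, 3,
         controls=[Control("Calibration reminders in CMMS", "probability"),
                   Control("Duplicate measurement on second instrument", "consequence")]),
    Risk("Customer complaint not routed to CAPA", "shared mailbox with no owner", 2, 5),
]

if __name__ == "__main__":
    for r in prioritise(SAMPLE_REGISTER):
        c, p = r.residual()
        print(f"{r.level():2d} ({c}x{p}) {evaluate(r):38s} {r.event}")
```

Running the file prints the register ordered by level of risk, with the residual consequence and probability beside each entry; a table of this shape, kept under review, is the kind of record that could sit behind the "documented information" discussed above.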

2.2.3 Are structured interviews and brainstorming 9001 requirements?


No, absolutely not. But if you don't currently use risk assessment tools to identify the typical uncertainties that need to be considered, and there is no previously developed list of hazards, risks or control failures available, either from a previous risk assessment or from past failures, where do you begin? This is likely to be an especially vexing question for organizations that are new to ISO 9001 quality management and have to develop appropriate documented information for their quality processes.

However, a cautionary note:

Before you despair and start writing out checklists based on your own observations in an effort to tick the box, remember that your colleagues in other departments and business units may already be using some of the formal techniques of risk assessment and the risk management process (in a 'silo-centric' way, of course) without you even knowing about it.

To quote from the Introduction to ISO 31000:2009:

"The current management practices and processes of many organizations include components of risk management, and many organizations have already adopted a formal risk management process for particular types of risk or circumstances".[2]

It follows therefore that it is worth interviewing them (in a structured or unstructured way) or bringing them together for a brainstorming session - if only to find out what qualitative and quantitative risk assessments have been made that could help you to address the requirements of ISO 9001!
Whether or not anyone is carrying out risk assessments, though, with or without the use of the tools
in ISO 31010, ISO 9001:2015 expects the organization to understand its context (see clause 4.1) and
determine the risks and opportunities that need to be addressed (see clause 6.1).
For example:
ISO assumes that one of the key purposes of a quality management system is to act as a
preventive tool, taking account of identified risks. Consequently, ISO 9001:2015 does not have a
separate clause or sub-clause titled 'Preventive action'. Rather, the wording states unequivocally:
"The concept of preventive action is expressed through a risk-based approach to formulating quality
management system requirements". [3]
Although there are undoubtedly a number of quality professionals who feel uncomfortable talking
about risk in relation to preventive actions, assessing risk is something that managers in most (all?)
organizations do already in one form or another. They may not always use the term risk to describe
their activities (which could include, for example, conducting a sensitivity analysis of a financial
projection, scenario planning for a project appraisal, assessing the contingency allowance in a cost
estimate, negotiating contract conditions, or developing contingency plans); but even so, thinking
about risks and opportunities is central to their work. [4]
IF it can reasonably be argued that managing risk is an integral part of good management (and we
think that it can) and that risk-based thinking is fundamental to achieving good business and project
outcomes and the effective procurement of goods and services, THEN identifying, analysing and
evaluating risk should be processes familiar to all quality managers.
Not everyone agrees with this statement, of course, but understanding the context (see clause 4.1)
and determining the risks and opportunities that need to be addressed (clause 6.1) are requirements
of ISO 9001:2015. Therefore, before you reject the idea of using risk assessment tools because they
are too complicated and "not part of your job", it is worth pondering this quote from the
Introduction to ISO 31000:2009:
"The generic approach described in this International Standard provides the principles and
guidelines for managing any form of risk in a systematic, transparent and credible manner and
within any scope and context". [5]

[2] ISO 31000:2009 - Principles and Guidelines on Implementation.
[3] Draft BS EN ISO 9001 Quality Management Systems - Requirements, Date: 14 May 2014, A.4 Risk-based approach.
[4] Project risk management guidelines: managing risk with ISO 31000 and IEC 62198, Dale F Cooper, et al, Wiley, 2014.

2.3 Other Supporting Methods


We have already looked at the following Look-Up and Supporting Methods that are relevant to
risk identification:

- Check-lists
- Brainstorming
- Structured or semi-structured interviews

Brainstorming and structured/semi-structured interviews are techniques that are often used for
improving the accuracy and completeness in risk identification; the Delphi methodology is another.

2.3.1 Delphi technique


A structured, collaborative communication technique, originally developed as a systematic,
interactive forecasting method which relies on a panel of experts. By combining expert opinions, the
aim is to support source and influence identification, probability and consequence estimation
and risk evaluation. The experts answer questionnaires in two or more rounds. After each round, a
facilitator provides an anonymous summary of the experts' forecasts from the previous round as
well as the reasons they provided for their judgments. In this way, experts are encouraged to revise
their earlier answers in light of the replies of other members of their panel.
Delphi can be used to estimate the probability of adverse and positive outcomes. In the words of ISO
31010:
"Expert opinion can be used in a systematic and structured process to estimate probability. Expert
judgements should draw upon all relevant available information including historical, system-specific,
organizational-specific, experimental, design, etc. There are a number of formal methods for eliciting
expert judgement which provide an aid to the formulation of appropriate questions. The methods
available include the Delphi approach, paired comparisons, category rating and absolute probability
judgements." [6]

[5] ISO 31000:2009 - Principles and Guidelines on Implementation, Introduction, p.v.
[6] ISO/IEC 31010:2009 Risk management - Risk assessment techniques, p.15.

Despite the mention of probability above, in Table A.1 (Applicability of tools used for risk assessment)
the Delphi method is marked 'NA' [NA = Not Applicable] for Risk Analysis to assess Consequence,
Probability and Level of risk, although personally we would agree with the commentary on page 29
[Clause B.3.2 Use] which states:
"The Delphi technique can be applied at any stage of the risk management process or at any phase
of a system life cycle, wherever a consensus of views of experts is needed." [7]
A true consensus approach that avoids the bias of dominant members of the team can be the wake-up
call that management needs to assess risk.

2.3.2 SWIFT (Structured what-if)


SWIFT is a system for prompting a team to identify risks, normally used within a facilitated workshop
and linked to a risk analysis and evaluation technique.
The first thing to understand about SWIFT is that it was originally developed as a simpler alternative
to HAZOP (Hazard and Operability Studies), a qualitative risk identification technique. HAZOP aims to
stimulate the imagination of participants to identify potential hazards and operability problems;
structure and completeness are given by using guideword prompts. The HAZOP technique was
developed to analyse chemical process systems and mining operation processes but has since been
extended to other types of systems and to complex operations such as nuclear power plant
operation, and to the use of software to record the deviations and consequences. [8] HAZOP is intended for
high-risk organizational contexts where appropriate levels of resourcing are available to support its
use. SWIFT, on the other hand, has been purposely designed as a sort of 'HAZOP-Lite' needing fewer
resources. ISO 31010 rates the 'Resources and capability' requirement as "Medium", so this may
be a viable risk identification technique for use by most small to medium as well as larger quality-
conscious organizations.
The system, procedure, plant item and/or change has to be carefully defined before the study can
commence. Both the external and internal contexts are established through interviews and through
the study of documents, plans and drawings by the facilitator.
The facilitator asks the participants to raise and discuss:

- known risks and hazards;
- previous experience and incidents;
- known and existing controls and safeguards;
- regulatory requirements and constraints. [9]

[7] Ibid., page 29.
[8] British Standard BS IEC 61882:2002 Hazard and operability studies (HAZOP studies) - Application guide, published by BSI Group.
[9] ISO/IEC 31010:2009, B.9.3 Inputs, p.39.

Discussion is facilitated by creating a question using a what-if phrase and a prompt word or subject.
The what-if phrases to be used are 'what if', 'what would happen if', 'could someone or
something' and 'has anyone or anything ever'. The intent is to stimulate the study team into
exploring potential scenarios, their causes and consequences and impacts. [10]
The risks identified are summarized and the team considers the controls already in place (assuming
that there are any) before confirming the description of the risk, its causes, consequences and
expected controls.
This information is then recorded.
What we particularly like about the SWIFT approach is the inherent discipline which forces
the team members to consider the effectiveness of the controls. Assessing risk is one thing, but
treating it is another entirely. They have to agree on a statement of risk control effectiveness which, if
it proves to be less than satisfactory, triggers the task of further considering risk treatment tasks and
potential controls.
The application of this team-based model does not have to be complex. ISO 31010 simply rates the
Complexity of the technique as "Any". [11]

2.3.3 Human reliability analysis (HRA)


Human reliability assessment (HRA) deals with the impact of humans on system performance, and
can be used to evaluate human error influences on the system.
At the risk of stating the obvious, human reliability is very important due to the contributions of
humans to the resilience of systems and to the possible adverse consequences of human errors or
oversights, especially when the human is a crucial part of today's large socio-technical systems.
Contrary to the impression that you might receive by reading the relevant section in ISO 31010
(specifically B.20 Human reliability assessment (HRA)), a variety of methods exist for human reliability
analysis. These break down into two basic classes of assessment method:

- probabilistic risk assessment (PRA), and
- those based on a cognitive theory of control.

In 2009, the Health and Safety Laboratory compiled a report [12] for the Health and Safety Executive
(HSE) outlining HRA methods for review.

[10] Ibid.
[11] Ibid., Table A.2 - Attributes of a selection of risk assessment tools.
[12] Review of human reliability assessment methods, prepared by the Health and Safety Laboratory for the Health and Safety Executive, 2009, PR679 Research Report, Julie Bell & Justin Holroyd, Health and Safety Laboratory; first published 2009.

They identified 35 tools that constituted true HRA techniques and that could be used effectively in
the context of health and safety management.
Obviously, it is well beyond the scope of this article to define the merits and demerits of all these
methods. However, the HRA tools in the table below illustrate that there are a large number of risk
assessment techniques in the Health & Safety arena that could be applied elsewhere. It is also worth
reflecting that Risk Management is usually associated with financial risk; however, risk
assessment techniques have other well-established uses, including helping to maintain safe working
environments.
Without being specific at this time, we think that it is possible that some of these tools could be
adapted (if they haven't been already?) to identify, analyse and evaluate risks and opportunities in the
design of quality processes. After all, corrective and preventive actions usually involve human
beings!
Acronym    Expanded name
ASEP       Accident Sequence Evaluation Programme
AIPA       Accident Initiation and Progression Analysis
APJ        Absolute Probability Judgement
ATHEANA    A Technique for Human Error Analysis
CAHR       Connectionism Assessment of Human Reliability
CARA       Controller Action Reliability Assessment
CES        Cognitive Environmental Simulation
CESA       Commission Errors Search and Assessment
CM         Confusion Matrix
CODA       Conclusions from occurrences by descriptions of actions
COGENT     COGnitive EveNt Tree
COSIMO     Cognitive Simulation Model
CREAM      Cognitive Reliability and Error Analysis Method
DNE        Direct Numerical Estimation
DREAMS     Dynamic Reliability Technique for Error Assessment in Man-machine Systems
FACE       Framework for Analysing Commission Errors
HCR        Human Cognitive Reliability
HEART      Human Error Assessment and Reduction Technique
HORAAM     Human and Organisational Reliability Analysis in Accident Management
HRMS       Human Reliability Management System
INTENT     Not an acronym
JHEDI      Justified Human Error Data Information
MAPPS      Maintenance Personnel Performance Simulation
MERMOS     Méthode d'Evaluation de la Réalisation des Missions Opérateur pour la Sûreté (Assessment method for the performance of safety operation)
Table 2: List of HRA tools

As ISO 31010 points out in the section on the 'Limitations' of HRA, many activities of humans do not
have a simple pass/fail mode. HRA has difficulty dealing with partial failures or failure in quality or
poor decision-making. [13]

2.4 Scenario Analysis


2.4.1 Root cause analysis (RCA)
Root Cause Analysis (RCA) uses a specific set of steps, with associated tools, to help find the primary
cause of the problem, so that you can:

- Determine what happened.
- Determine why it happened.
- Figure out what to do to reduce the likelihood that it will happen again.

RCA assumes that systems and events are interrelated. An action in one area triggers an action in
another, and another, and so on. By tracing back these actions, you can discover where the problem
started and how it grew into the symptom you are now facing. [14]

2.4.2 Scenario analysis


Scenario analysis is a process of analyzing possible future events by considering alternative
outcomes (sometimes called "alternative worlds"). [15]
The technique can be used to identify risks by considering sets of scenarios that reflect (for example)
best case, worst case and expected case, in order to analyse potential consequences and their
probabilities for each scenario, as a form of sensitivity analysis when analysing risk.
The possible future scenarios or 'alternative worlds' are identified:
"...through imagination or extrapolation from the present and different risks considered
assuming [that] each of these scenarios might occur. This can be done formally or informally,
qualitatively or quantitatively." [16]

[13] ISO/IEC 31010:2009, B.20.6 Strengths and limitations, p.63.
[14] Root Cause Analysis, Tracing a Problem to its Root Origins, Mind Tools website: http://www.mindtools.com/pages/article/newTMC_80.htm
[15] Scenario Analysis, Wikipedia: http://en.wikipedia.org/wiki/Scenario_analysis.
[16] ISO/IEC 31010:2009, Table A.2 - Attributes of a selection of risk assessment tools.

2.4.3 Toxicological / Environmental / Ecological risk assessment


An ecological risk assessment tells what happens to a bird, fish, plant or other non-human organism
when it is exposed to a stressor, such as a pesticide. [17]
Aspects of the methodology, such as pathway analysis, which explores the different routes by which a
target might be exposed to a source of risk, can be adapted and used across a very wide range of
different risk areas outside human health and the environment, and are useful in identifying
treatments to reduce risk. [18]
The strength of this analysis is that it provides a very detailed understanding of the nature of the
problem and the factors that increase risk. However, it needs good data that is often not available or
has a high level of uncertainty associated with it. It is also resource intensive and so is unlikely
to find many uses in quality management systems.
Pathway analysis, though, is a useful tool generally for all areas of risk and permits the
identification of how and where it may be possible to improve controls or introduce new ones.
If you are interested in following the steps of this type of environmental risk assessment process, we
recommend that you read 'Basic Information about Risk Assessment Guidelines Development',
published by the United States Environmental Protection Agency. See the web page link below:
http://www2.epa.gov/osa/basic-information-about-risk-assessment-guidelines-development

2.4.4 Business impact analysis (BIA)


A Business Impact Analysis identifies an organization's exposure to internal and external threats and
synthesizes hard and soft assets to provide effective prevention and recovery for the organization,
while maintaining competitive advantage and value system integrity. [19]
The analysis provided by a conscientiously conducted BIA could be of value when determining "...the
external and internal issues that are relevant to the organization's purpose ... and that affect its
ability to achieve the intended result(s) of its quality management system", as well as helping to
determine who "the interested parties" are, and the requirements of these interested parties that
are relevant to the quality management system - see ISO 9001:2015 Clause 4 Context of the
organization.
If your organization already has a business continuity management (BCM) system based on the ISO
22301 standard, then, since a BIA is a mandatory document under that standard, seeking out your
Business Continuity Manager to obtain the BIA report could be a sound move at this point. You will
then have a valuable item of documented information to show risk-based thinking, because you will
have assessed (by means of the BIA) how key disruption risks could affect the organization's operations
and identified/quantified the capabilities that would be required to manage them.
If not, well ... you could consider conducting a BIA; although we would strongly recommend calling in
a qualified business continuity consultant.

[17] Ecological Risk Assessment: Technical Overview, Ecological Risk Assessment Process, U.S. Environmental Protection Agency website: http://www.epa.gov/oppefed1/ecorisk_ders/index.htm#WITERAP
[18] ISO/IEC 31010:2009, B.8.2 Use, p.37.
[19] Elliot, D.; Swartz, E.; Herbane, B. (1999) Just waiting for the next big bang: business continuity planning in the UK finance sector. Journal of Applied Management Studies, Vol. 8, No, pp. 43-60. Here: p. 48.

2.4.5 Fault tree analysis


A technique used in safety engineering and reliability engineering, mostly in the aerospace, nuclear
power, chemical and process, pharmaceutical, petrochemical and other high-hazard industries. Fault
tree analysis (FTA) can be used to understand how systems can fail, to identify the best ways to
reduce risk, or to determine (or 'get a feel for') the event rates of a safety accident or a particular
system-level (functional) failure. It sounds more complicated than it actually is; however, it is a
resource-hungry method.
If you are a Quality Manager in one of the above industries you will probably already be familiar with
the fault tree diagrams produced by this type of analysis, and you may well use the fault trees
developed by the organization to reduce or eliminate potential causes of non-conformities. They
start with the undesired event (top event) and determine all the ways in which it could occur, shown
graphically in a logical tree diagram.
Fault tree analysis is a time-consuming and costly exercise, although it can be invaluable in
determining the probability of (undesirable) outcomes.
FTA can be used to:

- understand the logic leading to the top event / undesired state;
- show compliance with the (input) system safety / reliability requirements;
- prioritize the contributors leading to the top event, creating the Critical
  Equipment/Parts/Events lists for different importance measures;
- monitor and control the safety performance of the complex system (e.g., is a particular
  aircraft safe to fly when fuel valve x malfunctions? For how long is it allowed to fly with the
  valve malfunction?);
- minimize and optimize resources;
- assist in designing a system. The FTA can be used as a design tool that helps to create
  (output / lower level) requirements;
- function as a diagnostic tool to identify and correct causes of the top event. It can help with
  the creation of diagnostic manuals / processes. [20]
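As an added illustration that is not code from the white paper, the following Python evaluates a small fault tree for a constructed quality-process top event (a defective unit reaching the customer) and ranks the basic events by how much the top-event probability would fall if each were eliminated. It assumes independent basic events, which the simple AND/OR gate arithmetic requires; all event names and probabilities are constructed.

```python
"""Fault tree evaluation for a constructed quality-process example.

Added example, not from the white paper. Basic-event probabilities are
assumed to be independent, which is what the simple AND/OR gate formulas
below require; the event names and values are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Union


@dataclass
class BasicEvent:
    name: str
    probability: float  # probability the event occurs in the period of interest


@dataclass
class Gate:
    name: str
    kind: str                      # "AND" or "OR"
    inputs: List["Node"] = field(default_factory=list)


Node = Union[BasicEvent, Gate]


def evaluate(node: Node) -> float:
    """Probability of the event represented by `node` (recursive, bottom-up).

    AND gate: every input must occur, so the probability is the product.
    OR gate: at least one input occurs, so it is 1 - P(no input occurs).
    """
    if isinstance(node, BasicEvent):
        if not 0.0 <= node.probability <= 1.0:
            raise ValueError(f"{node.name}: probability must lie in [0, 1]")
        return node.probability
    if not node.inputs:
        raise ValueError(f"gate {node.name} has no inputs")
    child_probs = [evaluate(child) for child in node.inputs]
    if node.kind == "AND":
        result = 1.0
        for p in child_probs:
            result *= p
        return result
    if node.kind == "OR":
        none_occur = 1.0
        for p in child_probs:
            none_occur *= 1.0 - p
        return 1.0 - none_occur
    raise ValueError(f"gate {node.name}: unknown gate kind {node.kind!r}")


def basic_events(node: Node) -> List[BasicEvent]:
    """All basic events below `node`, in tree order."""
    if isinstance(node, BasicEvent):
        return [node]
    found: List[BasicEvent] = []
    for child in node.inputs:
        found.extend(basic_events(child))
    return found


def rank_contributors(top: Gate) -> List[Dict[str, object]]:
    """Importance ranking: the top-event probability that would remain if a given
    basic event could be eliminated (set to 0). The biggest contributor is the
    event whose removal leaves the smallest residual probability."""
    baseline = evaluate(top)
    ranking = []
    for event in basic_events(top):
        saved = event.probability
        event.probability = 0.0          # eliminate this cause only
        residual = evaluate(top)
        event.probability = saved        # restore the tree
        ranking.append({"event": event.name, "residual": residual,
                        "reduction": baseline - residual})
    return sorted(ranking, key=lambda r: r["residual"])


def build_example_tree() -> Gate:
    """Constructed tree: a defective unit reaches the customer only if a defect
    is produced (any one of three causes) AND final inspection misses it."""
    defect_produced = Gate("defect produced", "OR", [
        BasicEvent("operator error", 0.02),
        BasicEvent("tool wear out of tolerance", 0.01),
        BasicEvent("wrong material issued", 0.005),
    ])
    return Gate("defective unit reaches customer", "AND", [
        defect_produced,
        BasicEvent("final inspection misses defect", 0.10),
    ])


if __name__ == "__main__":
    tree = build_example_tree()
    print(f"P(top event) = {evaluate(tree):.6f}")
    for row in rank_contributors(tree):
        print(f"{row['event']:32s} residual {row['residual']:.6f}")
```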

2.4.6 Event tree analysis


A forward, bottom-up, logical modelling technique for both success and failure that explores
responses through a single initiating event and lays a path for assessing probabilities of the
outcomes and overall system analysis. Using inductive reasoning, ETA translates probabilities of
different initiating events into possible outcomes. It is arguably less resource intensive than fault
tree analysis (see Table A.2 in ISO 31010).
ETA can be applied to a wide range of systems including nuclear power plants, spacecraft and
chemical plants. [21]
Once again, if you are managing the quality system of a small enterprise in a relatively 'low risk'
context, this technique is unlikely to be for you.

[20] Fault tree analysis, Wikipedia: http://en.wikipedia.org/wiki/Fault_tree_analysis

2.4.7 Cause and consequence analysis


ISO 31010 describes the Cause and consequence analysis method as:
"A combination of fault and event tree analysis that allows inclusion of time delays. Both causes and
consequences of an initiating event are considered."
It starts from a critical event and analyses consequences by means of a combination of YES/NO logic
gates that represent conditions that may occur or failures of systems designed to mitigate the
consequences of the initiating event. The causes of the conditions or failures are analysed by means
of fault trees (see ISO 31010, Clause B.15).
Cause-consequence analysis does provide a comprehensive view of the entire system. However, it is
more complex than fault tree and event tree analysis, both to construct and in the manner in which
dependencies are dealt with during quantification, and so requires more time and resources.

2.4.8 Cause-and-effect analysis


An effect can have a number of contributory factors that can be grouped in Ishikawa diagrams.
Contributory factors are often identified through a brainstorming process (see Part II of this article
for more information).
Kaoru Ishikawa popularized these diagrams in the 1960s, when he pioneered quality management
processes in the Kawasaki shipyards. The basic concept was first used in the 1920s, and is considered
one of the seven basic tools of quality control. Ishikawa diagrams are known as fishbone diagrams
because their shape is like the side view of a fish skeleton.
The basic steps in performing a cause-and-effect analysis are as follows: [22]
1. establish the effect to be analysed and place it in a box. The effect may be positive (an
   objective) or negative (a problem) depending on the circumstances;
2. determine the main categories of causes, represented by boxes in the Fishbone diagram.
   Typically, for a system problem, the categories might be people, equipment,
   environment, processes, etc. However, these are chosen to fit the particular context;
3. fill in the possible causes for each major category with branches and sub-branches to
   describe the relationship between them;
4. keep asking 'why?' or 'what caused that?' to connect the causes;
5. review all branches to verify consistency and completeness and ensure that the causes
   apply to the main effect;
6. identify the most likely causes based on the opinion of the team and available evidence.
The results are displayed as either an Ishikawa diagram or a tree diagram.

[21] Event Tree Analysis, Wikipedia: http://en.wikipedia.org/wiki/Event_tree_analysis.
[22] ISO/IEC 31010:2009, B.17.4 Process, p.57.

2.5 Function Analysis


2.5.1 FMEA and FMECA
This section covers FMEA (Failure modes and effects analysis) and FMECA (Failure modes and effects
and criticality analysis).
FMEA/FMECA is an inductive reasoning (forward logic) single-point-of-failure analysis and is a core
task in reliability engineering, safety engineering and quality engineering. Quality engineering is
especially concerned with the "Process" (Manufacturing and Assembly) type of FMEA. [23]
FMEA/FMECA identifies:

- all potential failure modes of the various parts of a system (a failure mode is what is
  observed to fail or to perform incorrectly);
- the effects these failures may have on the system;
- the mechanisms of failure;
- how to avoid the failures, and/or mitigate the effects of the failures on the system.

FMEA/FMECA is a systematic analysis technique that can be used to identify the ways in which
components, systems or processes can fail to fulfil their design intent, highlighting:

- design alternatives with high dependability;
- that failure modes of systems and processes, and their effects on operational success, have
  been considered;
- human error modes and effects;
- a basis for planning testing and maintenance of physical systems;
- improvements in the design of procedures and processes.

FMEA/FMECA also provides qualitative or quantitative information for other types of analysis, such
as fault tree analysis, and is used in quality assurance applications. For example, it can produce a
semi-quantitative measure of criticality known as the risk priority number (RPN), obtained by
multiplying numbers from rating scales (usually between 1 and 10) for (a) consequence of failure, (b)
likelihood of failure and (c) ability to detect the problem. Note that a failure is given a higher priority
if it is difficult to detect.

[23] Failure mode and effects analysis, Wikipedia: http://en.wikipedia.org/wiki/Failure_mode_and_effects_analysis
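The RPN calculation above as an added worked example, not code from the white paper: a constructed process-FMEA worksheet for a hypothetical assembly line, ranked by RPN, with an assumed action threshold of 100. It shows how a failure that is harder to detect outranks one with the same severity and occurrence.

```python
"""Process FMEA worksheet ranked by risk priority number (RPN).

Added example, not from the white paper. The four failure modes below are
constructed for a hypothetical electronics assembly line; the 1..10 rating
scales and the RPN = severity x occurrence x detection rule follow the
common FMEA convention described in the text.
"""
from dataclasses import dataclass
from typing import List, Tuple

RATING = range(1, 11)   # every factor is rated on a 1..10 scale


@dataclass(frozen=True)
class FailureMode:
    process_step: str
    failure_mode: str
    severity: int     # consequence of failure: 1 = negligible .. 10 = hazardous
    occurrence: int   # likelihood of failure: 1 = remote .. 10 = almost certain
    detection: int    # ability to detect: 1 = certain to be caught .. 10 = cannot detect

    def __post_init__(self) -> None:
        for factor in ("severity", "occurrence", "detection"):
            if getattr(self, factor) not in RATING:
                raise ValueError(f"{self.failure_mode}: {factor} must be 1..10")

    @property
    def rpn(self) -> int:
        """Semi-quantitative criticality: higher means act sooner.
        A hard-to-detect failure (high detection rating) raises the RPN."""
        return self.severity * self.occurrence * self.detection


def prioritise(modes: List[FailureMode]) -> List[FailureMode]:
    """Order for action: descending RPN; ties broken by severity, then by how
    hard the failure is to detect, so the customer-facing risk comes first."""
    return sorted(modes, key=lambda m: (m.rpn, m.severity, m.detection), reverse=True)


def action_required(modes: List[FailureMode], threshold: int = 100) -> List[str]:
    """Failure modes whose RPN meets or exceeds the organisation's action threshold
    (100 is a constructed value; the threshold is a local policy decision)."""
    return [m.failure_mode for m in prioritise(modes) if m.rpn >= threshold]


def worksheet(modes: List[FailureMode]) -> List[Tuple[str, str, int, int, int, int]]:
    """Rows for the documented FMEA record, in priority order."""
    return [(m.process_step, m.failure_mode, m.severity, m.occurrence, m.detection, m.rpn)
            for m in prioritise(modes)]


# Constructed worksheet. The first two rows share severity and occurrence;
# only detectability differs, which is what separates them in the ranking.
EXAMPLE_MODES = [
    FailureMode("Solder paste printing", "Insufficient paste", 7, 4, 3),
    FailureMode("Reflow", "Cold solder joint", 7, 4, 8),
    FailureMode("Label printing", "Wrong lot number", 9, 2, 2),
    FailureMode("Final test", "Test fixture drift", 6, 5, 6),
]


if __name__ == "__main__":
    for row in worksheet(EXAMPLE_MODES):
        print(row)
    print("action required:", action_required(EXAMPLE_MODES))
```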

2.5.2 Reliability-centred maintenance (RCM)


A technique that is used to achieve the required safety, availability and economy of operation (safe
minimum levels of maintenance), so that assets continue to do what their users require in their
operating context.
RCM allows you to identify applicable and effective preventive maintenance requirements for
equipment "...in accordance with the safety, operational and economic consequences of identifiable
failures, and the degradation mechanism responsible for those failures". [24]
RCM uses a failure mode, effect and criticality analysis (FMECA) type of risk assessment that requires
a specific approach to analysis in this context. From a quality management standpoint, it's worth
being aware that RCM identifies required functions and performance standards, and the failures of
equipment and components that can interrupt those functions.
For more information, see IEC 60300-3-11, Dependability management - Part 3-11: Application
guide - Reliability

2.5.3 Sneak analysis (SA) and sneak circuit analysis (SCA)


Sneak analysis is aimed at uncovering design flaws that allow 'sneak conditions', i.e. those that
may cause unwanted actions or may inhibit a desired function, and that are not caused by component
failure.
Sneak analysis can locate problems in both hardware and software using any technology. The sneak
analysis tools can integrate several analyses such as fault trees, failure mode and effects analysis
(FMEA), reliability estimates, etc. into a single analysis, saving time and project expense. [25] The
technique helps in identifying design errors and works best when applied in conjunction with
HAZOP. It is very good for dealing with systems which have multiple states, such as batch and semi-batch plant.
Sneak Circuit Analysis (SCA) is used in safety-critical systems to identify sneak (or hidden) paths in
electronic and electro-mechanical systems that may cause unwanted action or inhibit desired
functions. The analysis is based on identification of designed-in inadvertent modes of operation and
is not based on failed equipment or software. SCA is most applicable to circuits that can cause
irreversible events. These include:
a. Systems that control or perform active tasks or functions
b. Systems that control electrical power and its distribution
c. Embedded code which controls and times system functions. [26]

The SA process differs depending on whether it is applied to electrical circuits, process plants,
mechanical equipment or software technology, and the method used is dependent on establishing
correct network trees.

[24] ISO/IEC 31010:2009, B.22.1 Overview, p.66.
[25] Ibid., B.23.2 Use, p.68.

2.5.4 HACCP
HACCP is a systematic preventive approach to food safety from biological, chemical, and physical
hazards in production processes that can cause the finished product to be unsafe, and designs
measurements to reduce these risks to a safe level. [27] HACCP has been recognized internationally as
a logical tool for adapting traditional inspection methods to a modern, science-based, food safety
system. [28]
HACCP is focused only on the health safety issues of a product, ensuring that risks are minimized by
controls throughout the process rather than through inspection of the end product. The seven
HACCP principles are the basis of most food quality and safety assurance systems, and in the United
States HACCP compliance is regulated by 21 CFR parts 120 and 123. The HACCP principles are also
included in the international standard ISO 22000 FSMS 2005. This standard is a complete food safety
and quality management system incorporating the elements of prerequisite programmes (GMP &
SSOP), HACCP and the quality management system, which together form an organization's Total
Quality Management system.
Table A.1 Applicability of tools used for risk assessment [see page 22 of ISO 31010] lists the HACCP
technique as "Not Applicable" for analysis of probability or levels of risk. [29] However, the principle of
identifying the factors [risks] that can influence product quality, and defining process points where
critical parameters can be monitored and hazards controlled, can be generalized for use in other
technical systems. [30]

2.6 Controls Assessment


2.6.1 LOPA (Layers of Protection Analysis)
A technique for analysing whether there are sufficient measures to control or mitigate the risk of an
undesired outcome.
The basic steps are:

- A cause-consequence pair is selected, and the layers of protection that prevent the cause
  leading to the undesired consequence are identified.
- An order-of-magnitude calculation is then carried out to determine whether the protection is
  adequate to reduce risk to a tolerable level. [31]

LOPA is a less resource-intensive process than a fault tree analysis or a quantitative form of risk
assessment, but is more rigorous than qualitative subjective judgements alone. It focuses efforts on
the most critical layers of protection, identifying operations, systems and processes for which there
are insufficient safeguards and where failure will have serious consequences. However, this
technique looks at one cause-consequence pair and one scenario at a time and, therefore, does not
apply to complex scenarios where there are many cause-consequence pairs or where a variety of
consequences affects different stakeholders.
For more information, see:
IEC 61508 (all parts), Functional safety of electrical/electronic/programmable electronic safety-related systems
IEC 61511, Functional safety - Safety instrumented systems for the process industry sector.

[26] Sneak circuit analysis, Wikipedia: http://en.wikipedia.org/wiki/Sneak_circuit_analysis
[27] Hazard analysis and critical control points, Wikipedia: http://en.wikipedia.org/wiki/Hazard_analysis_and_critical_control_points
[28] Ibid.
[29] ISO/IEC 31010:2009, Table A.1 Applicability of tools used for risk assessment, p.22.
[30] Ibid., B.7.2 Use, p.35.
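The order-of-magnitude calculation from the two LOPA steps above, as an added example that is not from the white paper or the IEC standards: a constructed cause-consequence pair for a quality process, with an assumed initiating frequency, assumed layer PFD values and an assumed tolerable frequency, checked for adequacy and for how many decades of risk reduction are still missing.

```python
"""LOPA order-of-magnitude check for one cause-consequence pair.

Added example, not from the white paper or IEC 61511. The scenario, the
initiating-event frequency, the protection-layer PFD values and the
tolerable frequency are all constructed for illustration.
"""
import math
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass(frozen=True)
class ProtectionLayer:
    name: str
    pfd: float   # probability of failure on demand, 0 < pfd <= 1


@dataclass
class Scenario:
    cause: str
    consequence: str
    initiating_frequency: float       # initiating events per year
    tolerable_frequency: float        # target frequency of the consequence per year
    layers: List[ProtectionLayer] = field(default_factory=list)


def mitigated_frequency(s: Scenario) -> float:
    """Frequency of the consequence once every independent protection layer has
    had its chance to stop the cause: f_initiating * product of the layer PFDs."""
    if s.initiating_frequency <= 0 or s.tolerable_frequency <= 0:
        raise ValueError("frequencies must be positive")
    f = s.initiating_frequency
    for layer in s.layers:
        if not 0.0 < layer.pfd <= 1.0:
            raise ValueError(f"{layer.name}: PFD must lie in (0, 1]")
        f *= layer.pfd
    return f


def assess(s: Scenario) -> Dict[str, object]:
    """Compare the mitigated frequency with the tolerable target in orders of magnitude.

    `gap` is the extra risk-reduction factor still needed (1.0 when adequate);
    `orders_short` rounds that up to whole decades, which is the resolution a
    LOPA claims. A tiny tolerance absorbs floating-point noise so that a
    scenario that exactly meets its target is not reported as inadequate."""
    f = mitigated_frequency(s)
    gap = f / s.tolerable_frequency
    adequate = gap <= 1.0 + 1e-9
    orders_short = 0 if adequate else math.ceil(math.log10(gap) - 1e-9)
    return {"mitigated_frequency": f, "gap": gap,
            "adequate": adequate, "orders_short": orders_short}


def with_layer(s: Scenario, layer: ProtectionLayer) -> Scenario:
    """Copy of the scenario with one more layer, for 'what if we add...' checks."""
    return Scenario(s.cause, s.consequence, s.initiating_frequency,
                    s.tolerable_frequency, s.layers + [layer])


# Constructed scenario for a quality process rather than a process plant.
EXAMPLE = Scenario(
    cause="operator selects the wrong recipe",
    consequence="out-of-specification batch released to the customer",
    initiating_frequency=1.0,          # assumed: about once a year
    tolerable_frequency=1e-3,          # assumed target: once in a thousand years
    layers=[
        ProtectionLayer("recipe approval step in the MES", 0.1),
        ProtectionLayer("in-process QC check", 0.1),
    ],
)


if __name__ == "__main__":
    print(assess(EXAMPLE))
    improved = with_layer(EXAMPLE, ProtectionLayer("final release test", 0.1))
    print(assess(improved))
```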

2.6.2 Bow-tie analysis


Bow-tie analysis is a simple diagrammatic way to display the pathways of a risk, showing a range of
possible causes and consequences. It is used in situations when a complex fault tree analysis is not
justified, or to ensure that there is a barrier or control for each of the possible failure pathways.
To understand how this works we recommend viewing a short video entitled "The Bow Tie Method
in 5 Minutes" by CGE Risk Management Solutions, [32] which explains the basics of the method for risk
assessment of hazards.

2.7 Statistical Methods


ISO 31010 lists the following statistical methods for risk assessment:

- Markov analysis
- Monte-Carlo analysis
- Bayesian analysis

[31] Ibid., B.18 Layers of protection analysis (LOPA), p.59.
[32] The Bow Tie Method in 5 Minutes, CGE Risk Management Solutions, YouTube: https://www.youtube.com/watch?v=P7Z6L7fjsi0

2.7.1 Markov analysis


A method named after a Russian mathematician, best known for his work on stochastic processes,
where a collection of random variables represents the evolution of some system of random values
over time.
Markov analysis, or State-space analysis, is commonly used in the analysis of repairable complex
systems that can exist in multiple states, including degraded states33, and where the use of a
reliability block analysis would be inadequate to properly analyse the system.
The nature of the Markov analysis techniques lends itself to the use of software. There are several to
choose from on the market.
The Markov analysis process is a quantitative technique and can be discrete (using probabilities of
change between the states) or continuous (using rates of change across the states).
To quote ISO 31010:
"The Markov analysis technique is centred around the concept of states, e.g. available
and failed, and the transition between these two states over time based on a constant
probability of change. A stochastic transitional probability matrix is used to describe the
transition between each of the states to allow the calculation of the various outputs."34
The inputs essential to a Markov analysis are as follows:

- list of various states that the system, sub-system or component can be in (e.g. fully
operational, partially operational (i.e. a degraded state), failed state, etc.);
- a clear understanding of the possible transitions that are necessary to be modelled. For
example, failure of a car tyre needs to consider the state of the spare wheel and hence
the frequency of inspection;
- rate of change from one state to another, typically represented by either a probability of
change between states for discrete events, or failure rate () and/or repair rate () for
continuous events.35

The output from a Markov analysis is the probability of being in each of the states, and therefore an
estimate of the failure probability and/or availability, one of the essential components of a system.
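The inputs and outputs just listed, worked as an added Python example (this is not code from the white paper or from ISO 31010): a discrete-time model of one production step with the three states named above. The states, the per-shift transition probabilities and the helper names are constructed for illustration.

```python
"""Discrete-time Markov (state-space) analysis of a repairable process step.

Added example; the states and per-shift transition probabilities below are
constructed for illustration, not taken from ISO 31010 or the white paper.
"""
from typing import List, Sequence

# Constructed example: a production step that is fully operational, degraded
# (still producing but at risk) or failed.  TRANSITIONS[i][j] is the
# probability of moving from state i to state j in one shift, so each row is
# a probability distribution (a stochastic transition probability matrix).
STATES = ["operational", "degraded", "failed"]
TRANSITIONS = [
    # to: operational  degraded  failed
    [0.90, 0.08, 0.02],  # from operational
    [0.30, 0.60, 0.10],  # from degraded: repaired, stays degraded, or fails
    [0.50, 0.00, 0.50],  # from failed: repair restores full operation
]


def validate_matrix(matrix: Sequence[Sequence[float]]) -> None:
    """Reject a matrix that is not square and row-stochastic."""
    n = len(matrix)
    for i, row in enumerate(matrix):
        if len(row) != n:
            raise ValueError(f"row {i}: expected {n} entries, got {len(row)}")
        if min(row) < 0.0 or abs(sum(row) - 1.0) > 1e-9:
            raise ValueError(f"row {i} is not a probability distribution")


def step(probs: Sequence[float], matrix: Sequence[Sequence[float]]) -> List[float]:
    """Advance the state distribution by one transition: p' = p * P.

    The next distribution depends only on the current one (the Markov
    property); no history of earlier states is needed.
    """
    n = len(matrix)
    return [sum(probs[i] * matrix[i][j] for i in range(n)) for j in range(n)]


def state_probabilities(matrix, start, steps):
    """Distribution over states after `steps` transitions from `start`."""
    validate_matrix(matrix)
    if abs(sum(start) - 1.0) > 1e-9:
        raise ValueError("start distribution must sum to 1")
    probs = list(start)
    for _ in range(steps):
        probs = step(probs, matrix)
    return probs


def steady_state(matrix, tol=1e-12, max_iter=100_000):
    """Long-run distribution, found by iterating until it stops changing."""
    validate_matrix(matrix)
    probs = [1.0] + [0.0] * (len(matrix) - 1)
    for _ in range(max_iter):
        nxt = step(probs, matrix)
        if max(abs(a - b) for a, b in zip(nxt, probs)) < tol:
            return nxt
        probs = nxt
    raise RuntimeError("steady state did not converge")


def availability(probs, states=STATES):
    """Availability: probability of being in any producing (non-failed) state."""
    return sum(p for p, s in zip(probs, states) if s != "failed")


if __name__ == "__main__":
    long_run = steady_state(TRANSITIONS)
    for name, p in zip(STATES, long_run):
        print(f"{name:12s} {p:.4f}")
    print(f"availability {availability(long_run):.4f}")
```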

33 ISO/IEC 31010:2009, Table A.2 - Attributes of a selection of risk assessment tools.
34 Ibid. B.24.4 Process, p.70.
35 Ibid. B.24.3 Input, p.70.

2.7.1.1 Strengths and limitations of a Markov analysis


Markov diagrams for large systems are often too large and complicated to be of value in most
business contexts and inherently difficult to construct. Markov models are more suited to analysing
smaller systems with strong dependencies requiring accurate evaluation. Other techniques, such as
Fault Tree analysis (see Part IV of this blog post series), may be used to evaluate large systems using
simpler probabilistic calculation techniques.
States depend on current state probabilities and the constant transition rates between states - see
the state transition diagram in Figure 1 below:

Figure 1: Example of a state transition diagram


Apart from this obvious drawback (complexity), a true Markovian process would only consider
constant transition rates, which may not be the case in real-world systems. Events are statistically
independent since future states are treated as independent of all past states, except for the state
immediately prior. In this way the Markov model does not need to know about the history of how
the state probabilities have evolved in time in order to calculate future state probabilities. However,
computer programs are being marketed that allow time-varying transition rates to be defined.
Markov analysis requires knowledge of matrix operations and the results are - unsurprisingly! - hard
to communicate with non-technical personnel.
If you would like to perform Markov analysis, you are advised to consult IEC 61165, Application of
Markov techniques.

2.7.2 Monte-Carlo analysis


Monte Carlo analysis consists of a broad class of computational algorithms that rely on repeated
random sampling to obtain numerical results. This method can address complex situations that
would be very difficult to understand and solve by an analytical method. Whenever there is
significant uncertainty in a system and you need to make an estimate, forecast or decision, a Monte
Carlo simulation could be the answer.

2.7.2.1 How does Monte Carlo analysis model the effects of uncertainty?
Systems are sometimes too complex for the effects of uncertainty on them to be modelled using
analytical techniques. However, they can be evaluated by considering the inputs as random variables
and running a number N of calculations (so-called simulations) by sampling the input in order to
obtain N possible outcomes of the wanted result.
Monte-Carlo analysis can be developed using spreadsheets, but software tools are readily available
to assist with more complex requirements, many of which are now relatively inexpensive.
Monte Carlo simulations require you to build a quantitative model of your business activity, plan or
process. This is often done by using Microsoft Excel with a simulation tool plug-in - a relatively
inexpensive set of tools.
To deal with uncertainties using Monte Carlo analysis in your model, you'll replace certain fixed
numbers -- for example in spreadsheet cells -- with functions that draw random samples from
probability distributions. And to analyze the results of a simulation run, you'll use statistics such as
the mean, standard deviation, and percentiles, as well as charts and graphs.36
For risk assessment using the Monte Carlo simulation, triangular distributions or beta distributions
are commonly used.
Note that ISO 31010 Table A.1 Applicability of tools used for risk assessment states that this tool is
strongly applicable for the Evaluation stage of risk assessment but not applicable (NA) for risk
identification or risk analysis.
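The procedure described above (replace fixed numbers with draws from triangular distributions, run N simulations, read the result through mean, standard deviation and percentiles), as an added Python example rather than the white paper's own material; the lead-time model, its three stages, the distribution parameters and the deadline are all constructed for illustration.

```python
"""Monte Carlo simulation of a quantitative process model with uncertain inputs.

Added example; the lead-time model and its triangular distributions are
constructed for illustration and are not from the white paper.
"""
import math
import random
import statistics
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Triangular:
    """Triangular distribution: minimum, most likely and maximum value."""
    low: float
    mode: float
    high: float

    def __post_init__(self) -> None:
        if not self.low <= self.mode <= self.high:
            raise ValueError(f"need low <= mode <= high, got {self}")

    def sample(self, rng: random.Random) -> float:
        # random.triangular takes (low, high, mode) in that order
        return rng.triangular(self.low, self.high, self.mode)


# Constructed model: order lead time in days is the sum of three stages.
# In a spreadsheet each fixed cell value would be replaced by one of these
# distributions; here the "cells" are the dictionary entries.
STAGES: Dict[str, Triangular] = {
    "procurement": Triangular(low=3.0, mode=5.0, high=10.0),
    "production": Triangular(low=4.0, mode=6.0, high=12.0),
    "inspection": Triangular(low=1.0, mode=1.0, high=3.0),
}
CUSTOMER_DEADLINE_DAYS = 20.0


def simulate(stages: Dict[str, Triangular], n: int, seed: int = 1) -> List[float]:
    """Run n simulations, each drawing every stage once and summing the draws."""
    if n < 2:
        raise ValueError("need at least two runs to compute a standard deviation")
    rng = random.Random(seed)  # seeded so a run can be reproduced for review
    return [sum(stage.sample(rng) for stage in stages.values()) for _ in range(n)]


def percentile(values: List[float], p: float) -> float:
    """Nearest-rank percentile (p in 0..100) of the simulated outcomes."""
    ordered = sorted(values)
    rank = math.ceil(p / 100.0 * len(ordered))
    return ordered[min(max(rank, 1), len(ordered)) - 1]


def summarise(outcomes: List[float], threshold: float) -> Dict[str, float]:
    """Statistics used to read a simulation run, plus P(outcome > threshold)."""
    return {
        "mean": statistics.fmean(outcomes),
        "stdev": statistics.stdev(outcomes),
        "p50": percentile(outcomes, 50),
        "p90": percentile(outcomes, 90),
        "p95": percentile(outcomes, 95),
        "p_exceed": sum(1 for o in outcomes if o > threshold) / len(outcomes),
    }


if __name__ == "__main__":
    runs = simulate(STAGES, n=10_000)
    for key, value in summarise(runs, CUSTOMER_DEADLINE_DAYS).items():
        print(f"{key:9s} {value:8.3f}")
```

A stage with low == mode == high behaves as the original fixed number, which is a quick way to check that the model reproduces the deterministic spreadsheet result before uncertainty is added.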

2.7.3 Bayesian analysis


Referring again to Table A.1 from ISO 31010, Bayesian analysis is used in the risk analysis and risk
evaluation stages in risk assessment.37
In a nutshell, it is a statistical procedure which utilizes prior distribution data to assess the
probability of the result. These are often called conditional probabilities.38
There are many places that explain the mathematics behind Bayes' theorem, including Wikipedia, the
Stanford Encyclopedia of Philosophy, and the wonderful blog LessWrong. The definition that explains it
best for me comes from the last of these - it is:
"The probability of a hypothesis C given some evidence E equals our initial estimate of the
probability times the probability of the evidence given the hypothesis C divided by the sum
of the probabilities of the data in all possible hypotheses."

36 Monte Carlo Simulation, web page on Frontline Solvers website
37 ISO/IEC 31010:2009, Table A.1 Applicability of tools used for risk assessment, p.22.
38 ISO/IEC 31010:2009, p.26
Bayesian inference is used in a wide range of fields from medical diagnosis to checking your inbox for
likely spam emails. However, is it any good for risk assessment?
Although it can appear to be objective, this is typically not the case. A Bayesian probability is really a
person's degree of belief in a certain event rather than one based upon physical evidence.
Because the Bayesian analysis approach is based upon the subjective interpretation of probability, it
provides a ready basis for decision thinking and the development of Bayesian nets (or Belief Nets,
belief networks or Bayesian networks).39 The availability of software computing tools and what ISO
31010 terms "intuitive appeal" has led to the widespread adoption of Bayesian nets. However, they
can be valuable wherever there is the requirement for finding out about unknown variables by using
structural relationships and data.
The inputs are similar to the Monte Carlo analysis above; namely:

- define system variables;
- define causal links between variables;
- specify conditional and prior probabilities;
- add evidence to net;
- perform belief updating;
- extract posterior beliefs.40

Bayesian analysis can provide an easily understood model, and the data can be readily modified to
consider correlations and sensitivity of parameters.
This technique could be successfully applied to Quality Management Systems. However, there will
be minimum sample size requirements for control charts that measure non-conformities (errors),
based on the average non-conformity rate in the quality processes being measured.
Lower error rates would therefore require larger sample sizes to make valid inferences because of
the properties of the binomial distribution.
Even so, we would be very interested to hear from Quality Managers who have applied Bayesian
analysis in this way to predict likely error rates in processes!
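The quoted definition applied to the case suggested above (predicting a process error rate from inspection results), as an added Python example that is not part of the white paper: a set of candidate non-conformity rates is the "all possible hypotheses", a batch of n inspected items with k non-conforming is the evidence, and the binomial distribution supplies the probability of that evidence under each hypothesis. The candidate rates, the uniform prior and the inspection counts are constructed.

```python
"""Bayesian updating of a process non-conformity rate over a set of hypotheses.

Added example, not from the white paper.  It applies the quoted definition
directly: posterior(h) = prior(h) * P(evidence | h) / sum over all h.
The candidate error rates, prior and inspection counts are constructed.
"""
import math
from typing import Dict


def binomial_likelihood(rate: float, inspected: int, nonconforming: int) -> float:
    """P(evidence | hypothesis): k non-conforming items among n inspected."""
    if not 0 <= nonconforming <= inspected:
        raise ValueError("nonconforming must be between 0 and inspected")
    n, k = inspected, nonconforming
    return math.comb(n, k) * rate ** k * (1.0 - rate) ** (n - k)


def update(prior: Dict[float, float], inspected: int, nonconforming: int) -> Dict[float, float]:
    """Bayes' theorem over a discrete set of hypotheses about the error rate."""
    if abs(sum(prior.values()) - 1.0) > 1e-9:
        raise ValueError("prior must sum to 1")
    unnormalised = {
        rate: p * binomial_likelihood(rate, inspected, nonconforming)
        for rate, p in prior.items()
    }
    evidence = sum(unnormalised.values())  # sum of P(data) over all hypotheses
    if evidence == 0.0:
        raise ValueError("evidence is impossible under every hypothesis")
    return {rate: w / evidence for rate, w in unnormalised.items()}


def expected_rate(belief: Dict[float, float]) -> float:
    """Mean of the non-conformity rate under the current belief."""
    return sum(rate * p for rate, p in belief.items())


def probability_above(belief: Dict[float, float], tolerance: float) -> float:
    """Belief that the true rate exceeds a tolerable level."""
    return sum(p for rate, p in belief.items() if rate > tolerance)


# Constructed example: candidate error rates 0.5%..10% with a uniform prior.
HYPOTHESES = [0.005, 0.01, 0.02, 0.03, 0.05, 0.07, 0.10]
UNIFORM_PRIOR = {h: 1.0 / len(HYPOTHESES) for h in HYPOTHESES}

if __name__ == "__main__":
    belief = UNIFORM_PRIOR
    # Evidence arrives batch by batch; each posterior becomes the next prior.
    for n, k in [(100, 2), (200, 1), (500, 6)]:
        belief = update(belief, n, k)
        print(f"after n={n} k={k}: mean={expected_rate(belief):.4f} "
              f"P(rate>2%)={probability_above(belief, 0.02):.3f}")
```

Because the likelihood comes from the binomial distribution, hypotheses with low rates are only separated by large inspection counts, which is the sample-size point made above.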

39 ISO/IEC 31010:2009, B.26.1 Overview, p.26.
40 Ibid. B.26.3 Input, p.77.

3 A Risk Management Methodology for Quality Management


Those are some of the techniques covered in ISO 31000. In this section, we will apply them to a risk
management methodology suitable for quality standards such as ISO 9001:2015.

3.1 Risk based thinking is the new 'preventive actions' for QMS
To briefly recap the position to date:
ISO 9001 Risk-based thinking could (and we are not saying that it should) be demonstrated by one or
more of the risk assessment tools in ISO 31010:2010. However, that still leaves you with the
dilemma of selecting the most appropriate tools to help you to identify, analyse and evaluate risk in
your organizational context and with the resources at your disposal.
In ISO 9001:2015 there is no requirement for risk management. However, organizations can choose
to develop a more extensive risk-based approach, and the Standard refers to ISO 31000, which
provides guidelines that can be appropriate in "certain organizational contexts".
It remains to be seen whether assessors for the various Certification Bodies will expect you to produce
documented evidence of risk-based thinking.
How will ISO Assessors attempt to assess RBT in Quality Systems?
The short answer is we do not know at present. However, as we have postulated, there are three
possibilities:
Option 1: They will ignore the risk-based thinking requirements of Clause 6 in the same way that
some claim preventive actions were ignored in the past. The counter to this is that Clause 6 in the
DIS requires "Processes for planning and consideration of risks and opportunities".
Option 2: They will regard the failure to show evidence of risk-based thinking in an organization's
quality processes as a non-conformity (perhaps even a major non-conformity) and will judge the
quality system to be ineffective because it has failed to reduce or eliminate the risks to process
outputs.
Option 3: Auditors will highlight in their report any good practices seen in the application of
risk-based thinking to the planning and consideration of quality processes; showing how this has
helped to achieve continual improvement of the system and provide the assurance of conformity to
customer and applicable statutory and regulatory requirements.
You may decide differently, but in our view, Option 3 is more likely in the majority of cases. Ergo, it
cannot hurt your case to show documented evidence of RBT, regardless of whether documented
information is a requirement or not.
However, it will be your assessor that decides this, not us!
Regarding Option 3 above, it is also worth reflecting upon the number of uses of the words "continual
improvement" in the clauses of the new Standard.

Aside from the definition that appears in Normative References, the term "continual improvement"
is used in Clause 5: Leadership, Clause 6: Planning, Clause 7: Support, Clause 9: Performance
Evaluation, and - unsurprisingly - in Clause 10: Continual Improvement; which states that:
"...the organization shall consider the outputs of analysis and evaluation, and the outputs
from management review, to confirm if there are areas of underperformance or
opportunities that shall be addressed as part of continual improvement."41
There is doubt about which of the three options above best describes the likely future response of
external auditors/assessors, but you can help put your organization in a position where Option 3 is
the more likely outcome, because your quality processes reflect the fact that you have taken
account of the risk and opportunities in your context.

3.1.1 Planning and considering risks in quality system processes


Notwithstanding the concerns about what ISO 9001 assessors may or may not be looking for with
regard to applying risk-based thinking (RBT), there are good reasons to put in place...
"Processes for planning and consideration of risks and opportunities"
There is already a significant precedent in the ISO family of management system standards that
explains the need for the risk-based approach.
BSI's Product Guide, ISO/IEC 27001 Information Security Management, sets out the case for RBT in
the context of improving information security:
"ISO/IEC 27001 takes a risk-based approach to the planning and implementation of your
ISMS, resulting in an appropriate and affordable level of organizational security. In this way,
it ensures that the right people, processes, procedures and technologies are in place to
secure your organization's information assets."42
We suggest that we could readily substitute "ISO 9001:2015" for "ISO/IEC 27001"; "QMS" for "ISMS";
"quality" for "organizational security"; and "achieve the intended results of the quality management
system" for "secure your organization's information assets" to arrive at the following:
"ISO 9001:2015 takes a risk-based approach to the planning and implementation of your
QMS, resulting in an appropriate and affordable level of quality. In this way, it ensures that
the right people, processes, procedures and technologies are in place to achieve the
intended results of the quality management system."
It is also worth bearing in mind that one of the key influences on the development of ISO
27001:2013 was the decision by the ISO to align ISO/IEC 27001 with the principles and guidance
given in ISO 31000 (risk management). This was deemed to be, in the words of BSI, "good news for
integrated management systems as now an organization may apply the same risk assessment
methodology across several disciplines".43
Earlier posts in this series have examined the different risk assessment techniques aligned to ISO
31000 and described fully in ISO 31010:2009.

41 ISO/DIS 9001:2014, 10.3 Continual improvement, p.63.
42 ISO/IEC 27001 Information Security Management - Securing your information assets - Product Guide, October 2012 (modified May 2013)

3.1.2 What actions are required to plan for risks and opportunities?
Clause 6 of ISO 9001:2015 is likely to be explicit about the need for planned actions to address risks
and opportunities in quality systems:
6.1.2 The organization shall plan:
1. actions to address these risks and opportunities;
2. how to:
a. integrate and implement the actions into its quality management system
processes (see 4.4);
b. evaluate the effectiveness of these actions.
Actions taken to address risks and opportunities shall be proportionate to the potential impact on
the conformity of products and services.44
Although not all the processes of the quality management system will represent the same level of
risk in terms of the organization's ability to meet its objectives - and the consequences of process,
product, service or system nonconformities are not the same for all organizations - there will be risks
that you will need to address through the quality processes.
So how do you go about identifying, considering and planning for risks to quality - and how could risk
analysis help you to achieve your objectives?
The simple answer is that before you can plan processes that address risk, you need to analyze the
relative importance of risks in your system. In a world where risk factors determine the
organization's success or failure, we need a detailed understanding of each of the specific risks
posed to successful outcomes at the various stages of quality processes. With this knowledge, we
can determine appropriate priorities for actions.
This full understanding should result in fewer unpleasant surprises arising and will enable managers
to determine where the greatest effort should be focused in treating identified risks and for quality
assurance purposes.
The alternative to decision-making based on risk analysis is a combination of experience and
intuition. Experience, no matter how extensive, can be out of date and therefore fail to anticipate
the potential risks in a system. Intuition is the ability to acquire knowledge without inference or the
use of reason and is of questionable value to organizations when planning and considering processes
in order to consistently produce desired outcomes.

43 Moving from ISO/IEC 27001:2005 to ISO/IEC 27001:2013: The new international standard for information security management
systems, Transition Guide, BSI Group.
44 Ibid., p.28, lines 1054 to 1060.
By developing a better understanding of risk, risk analysis techniques help organizations facilitate
structured action planning and resource allocation.
The following section of this blog post contains the first part of a Proposal for a formal methodology
for making risk-based decisions when planning and considering quality processes. We have based
some of the ideas on work by Dale F. Cooper et al in the book 'Project management guidelines:
managing risk with ISO 31000 and IEC 62198' (John Wiley and Sons); however, we have simplified
the approach therein as applied to international, large-scale project management. Furthermore, we
have re-engineered these ideas into a method of risk assessment and continual process
improvement for ISO 9001 quality management systems, based on the process improvement model
from ITIL, which itself uses methods from quality management.
The CSI process in ITIL aims to continually improve the effectiveness and efficiency of IT processes
and services, in line with the concept of continual improvement adopted in ISO 20000. It defines the
specific initiatives aimed at improving services and processes, based on the results of service reviews
and process evaluations. The improvement cycle takes into account the business perspective of
service quality, although CSI aims to improve process effectiveness, efficiency and cost effectiveness.
In ITIL 2011, the CSI Register was introduced as a central document or database where all
improvement opportunities and initiatives are recorded. We propose to extend this idea to create a
controlled documented information system (CDIS) for QMS which would contain a Risks and
Opportunities Register (R&O Register), used to record and manage risks to, and improvement
opportunities in, quality management processes throughout their lifecycle.
A key feature of our design for the R&O Register would be outputs from a simple risk assessment
process, following a six-step risk assessment and continual process improvement model, which are:

1. Establish the context
2. Identify possible risks to quality outputs
3. Carry out a qualitative risk analysis and risk evaluation
4. Extend this analysis to a semi-quantitative analysis used to assign a numerical risk factor
(RF value) to each of the risks in order to determine the highest priority risks, before
5. Determining a risk treatment plan, and
6. Monitoring and reviewing the quality system processes to determine the effectiveness
of the quality controls and identify as early as possible any new risks and opportunities.
These ideas are for DISCUSSION ONLY and are not recommendations for actions needed to comply
with the wording of ISO 9001:2015 in its published form (September 2015). However, we offer them
as a way to combine quality management systems and risk management processes in order to
achieve continual process improvement in a way that takes full account of the risks and
opportunities in any given context.

3.2 The Six Steps


The method we are suggesting breaks down into six simple Steps. They are:

1. Establish the context


This step references 4.1 Understanding the organization and its context, and 4.2 Understanding the
needs and expectations of interested parties. It determines the issues and requirements that can
impact on the planning of the quality management system; including: (a) the main objectives and
outcomes that are uncertain / subject to risk; and (b) the needs and expectations of the
organization's customers and other relevant interested parties; the products and services it
provides; the complexity of processes it employs and their interactions; the competence of persons
within or working on behalf of the organization; and its size and organizational structure.
2. Risk identification
This step involves selecting a suitable process for risk identification (see below) and for each quality
process, identifying and numbering the risks. The activity is designed to be carried out in a group
situation where each risk is described in terms of what could happen and what that could lead to,
the causes of the risk - both external and internal to the organization - and the existing controls that
could prevent, transfer or mitigate risks. This process records the risks in a Risk and Opportunities
Register (R&O Register) that would form an integral part of the Quality Management System.
3. Qualitative risk analysis & risk evaluation
The systematic use of available information regarding probability, consequence and exposure will
lead to a better understanding of the risk and the controls that are needed. For each risk we would
then: assess the effectiveness of the existing controls using a suitable effectiveness scale; determine
the consequences (impact) for each risk; the likelihood of these consequences occurring; and the
potential exposure were the controls that we have in place to fail. For example, the consequence of
a failure to control the quality of production outputs through an adequate inspection process could
result in the customer rejecting the goods or services supplied as unfit for purpose; causing the
organization to suffer a financial loss that can be measured in penalties under the terms and conditions
of contract, and reputation damage.
4. Semi-Quantitative risk assessment for systems and processes
Qualitative analysis is used to determine the probability and impact of risks; however, by its nature
and definition, it lacks quantitative precision. In comparison, a semi-quantitative measure of risk is an
estimate derived using a scoring approach. Risk indices are used to rate a series of risks using similar
criteria so that they can be more easily compared. Scores are applied to each component of risk, to
assess both the consequence (impact) and likelihood of the risk occurring and to derive an average
consequence score and average likelihood score for the risks associated with each process analysed.
These risk scores are then used to determine the comparative 'risk factors' (RFs) associated with
different processes to aid decision-making by plotting the RFs on a graph overlaid with iso-contours.
5. Risk-treatment
This step brainstorms options for treating the risk that fit the following categories: avoiding or
seeking the risk; changing the likelihood; changing the consequences; sharing the risk; and explicitly
accepting the risk without further treatment. The benefits and costs, advantages and disadvantages
of each treatment option are taken into account and where the benefits determined exceed the
known/likely costs of action, treatment options are selected for implementation. The brainstorming
process is repeated after implementation to determine whether the level of risk after risk treatment
has been completed is tolerable; and if this is not the case, then further risk treatment actions are
sought and considered.
6. Monitoring & review
A monitor process is developed for each risk by the risk owners and each relevant control (control
owners). Decisions are made about the time intervals at which the risks and controls will be
reviewed. At the same time, a monitoring process will be put in place for each risk treatment plan
under the direction of the relevant risk owners. Progress will be monitored in respect to the
objectives of the risk treatment plan, and the resulting successes and failures recorded. Periodically,
the team will assess whether new risks are affecting or could affect quality processes and systems as
part of the cycle of continuous quality process improvement (see Figure 1 below).

Figure 1: A six step Risk Assessment Methodology
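Step 4 above, worked as an added Python example that is not part of the white paper: each R&O register entry is scored for consequence and likelihood, the scores are averaged per process, the risk factor RF is the product of the two averages, and a threshold on RF corresponds to one iso-contour on the consequence/likelihood plot. The 1-5 scales, the register entries and the contour thresholds are constructed for illustration.

```python
"""Semi-quantitative risk factors (RF) for quality processes.

Added example, not from the white paper.  The 1-5 consequence and likelihood
scales, the register entries and the iso-contour thresholds are constructed.
"""
from dataclasses import dataclass
from statistics import fmean
from typing import Dict, List

SCALE_MIN, SCALE_MAX = 1, 5  # constructed scoring scale for both components


@dataclass(frozen=True)
class Risk:
    """One R&O register entry, scored against the two components of risk."""
    risk_id: str
    process: str
    description: str
    consequence: int  # impact score, 1 (negligible) .. 5 (severe)
    likelihood: int   # likelihood score, 1 (rare) .. 5 (almost certain)

    def __post_init__(self) -> None:
        for name in ("consequence", "likelihood"):
            score = getattr(self, name)
            if not SCALE_MIN <= score <= SCALE_MAX:
                raise ValueError(f"{self.risk_id}: {name}={score} outside scale")


@dataclass(frozen=True)
class ProcessRisk:
    process: str
    avg_consequence: float
    avg_likelihood: float
    risk_factor: float  # RF = average consequence x average likelihood
    band: str


# Constructed iso-contours: RF = C x L is constant along each contour, so a
# threshold on RF draws one curve across the consequence/likelihood plot.
BANDS = [(15.0, "high"), (5.0, "medium"), (0.0, "low")]


def band_for(rf: float) -> str:
    """Priority band of a risk factor: the first contour it lies on or above."""
    for threshold, name in BANDS:
        if rf >= threshold:
            return name
    return BANDS[-1][1]


def risk_factors(register: List[Risk]) -> List[ProcessRisk]:
    """Average the scores per process and rank processes by RF, highest first."""
    by_process: Dict[str, List[Risk]] = {}
    for risk in register:
        by_process.setdefault(risk.process, []).append(risk)
    results = []
    for process, risks in by_process.items():
        avg_c = fmean([r.consequence for r in risks])
        avg_l = fmean([r.likelihood for r in risks])
        rf = avg_c * avg_l
        results.append(ProcessRisk(process, avg_c, avg_l, rf, band_for(rf)))
    return sorted(results, key=lambda pr: pr.risk_factor, reverse=True)


# Constructed register entries for three quality processes.
REGISTER = [
    Risk("R1", "inspection", "sampling plan misses a defective batch", 4, 3),
    Risk("R2", "inspection", "gauge not calibrated", 2, 5),
    Risk("R3", "procurement", "supplier ships wrong material grade", 3, 2),
    Risk("R4", "procurement", "certificate of conformity missing", 1, 2),
    Risk("R5", "procurement", "single-source supplier delay", 2, 2),
    Risk("R6", "shipping", "goods damaged in transit", 5, 1),
]

if __name__ == "__main__":
    for pr in risk_factors(REGISTER):
        print(f"{pr.process:12s} C={pr.avg_consequence:.2f} "
              f"L={pr.avg_likelihood:.2f} RF={pr.risk_factor:5.2f} {pr.band}")
```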


We will now consider each step in more detail.

3.3 Step 1: Establish the Context


The 'context' of the organization is essentially its business environment.

That is to say, context is a term that is used to describe a combination of internal and external
factors and conditions that can have an effect on an organization's (3.01) approach to its products
(3.47), services (3.48), investments, and interested parties (3.02).45
An organization needs to demonstrate its ability to provide products and services that consistently
meet customer and applicable statutory and regulatory requirements and aims to enhance customer
satisfaction.46 Therefore, it is necessary to determine both the external and internal context before
designing and implementing quality processes that take account of the risks and opportunities that
apply in a particular context.
The risk-based approach of ISO 9000:2015 requires the organization to understand its context (see
clause 4.1) and determine the risks and opportunities that need to be addressed (see clause 6.1).
When applying risk-based thinking to the planning and consideration of quality processes, we should
take into account the organization's understanding of the...

- external context; which can be facilitated by considering issues arising from legal,
technological, competitive, market, cultural, social, and economic environments, whether
international, national, regional or local.
- internal context; which can be facilitated by considering issues related to values, culture,
knowledge and performance of the organization.47

The Standard also requires that "...the organization shall maintain documented information to the
extent necessary to support the operation of processes and retain documented information to the
extent necessary to have confidence that the processes are being carried out as planned".48

3.3.1 Scope and responsibilities for specific risk management activities


The scope and responsibilities of persons responsible for risk management and the risk assessment
methods employed will need to be documented.
Risk is defined as "the effect of uncertainty on objectives",49 so it follows that it is necessary to
articulate the objectives of the organization and the processes that it uses. In other words, you must
define and document what is 'at risk', and how you intend to address risk in your quality
management system; specifically, who is to be made responsible for identifying, analyzing (if you
choose to analyze risk), evaluating and treating the risk to your QMS and its associated processes.

45 Moving from ISO/IEC 27001:2005 to ISO/IEC 27001:2013: The new international standard for information security management systems,
Transition Guide, BSI Group. 3.24, p.17.
46 Ibid. A.3, p.45.
47 Ibid. 4.1. p.25.
48 Ibid. 4.4 Quality management system and its processes, p.26
49 ISO 31000, 2 Terms and definitions, 2.1 risk, p.1

It is valuable to be as specific as possible in articulating the organization's business objectives as this
will assist with the risk identification process (defined in Step 2).50

3.3.2 How should we document the "context of the organization"?


The context of an organization can include internal factors such as organizational culture, and
external factors such as the socio-economic conditions under which it operates; consequently all the
requirements of ISO 9001:2015 are generic but the ways in which they are applied can differ from
one organization to another.51
Risk-based thinking as it is defined in ISO 9001:2015 requires you to consider risk qualitatively (and,
depending on the context that has been identified, quantitatively) when defining the rigour and
degree of formality needed to plan and control the quality management system, as well as its
component processes and activities.52
Taking the above definitions into account, we would suggest that it would be appropriate for an ISO
9001-compliant organization - and especially one adopting a more formal risk management
approach based on ISO 31000 - to document the context in what we are terming a Statement of
Context.
To establish the context, you need to:

- Establish the external and internal organisational context in which the risk assessment is
taking place (see ISO 9001:2015 Clause 4.1);
- Specify the main objectives and outcomes that are uncertain and, therefore, represent a
risk;
- Develop criteria against which the consequences and likelihoods of identified risks can be
measured; and
- Define the key elements for structuring the risk assessment process.

Process inputs
Key process documents, scope definitions, pre-existing analyses and other relevant documented
information such as organisational policies, processes and structures.
Method
1. Review organisational and process documentation.
2. Review the external and internal contexts.
3. Develop criteria for evaluating consequences and likelihoods.
4. Prepare briefing material for the risk assessment process.

50 Project management guidelines: managing risk with ISO 31000 and IEC 62198, Dale F Cooper, et al, John Wiley & Sons Inc, March 2014.
51 ISO/DIS 9001:2004, Clause 0.1 Introduction, p.6.
52 Ibid. Clause 0.5, p.9.

3.3.3 What information should the Statement of Context contain?


The organization's Statement of Context would include internal factors such as organizational
culture, and external factors such as the socio-economic conditions under which it operates [ISO
9001:2015, Introduction 0.1].
Establishing the context will provide information that is essential to risk identification, analysis, and
evaluation activities if they are to be efficient and effective. Components of the context could be
summarised as follows:

1. organisational objectives;
2. process objectives;
3. the internal environment;
4. the external environment;
5. the context of the risk management process;
6. risk criteria.53

3.3.4 Risk criteria for Quality Management Systems


The risk criteria should reflect the objectives and context for the risk assessment. Consideration
should be given to stakeholder views and risk perceptions, the legal and regulatory framework that
applies in the organization's context, and the time and resources that are available.
These criteria should be continually reviewed.
Categories for which risks in a quality management system and associated processes will be
evaluated need to be defined and documented, taking account of all associated activities from which
risks could arise that would adversely affect the organization or any of its stakeholders. These could
include:

- human health and safety;
- environmental protection;
- legal and regulatory compliance;
- cost;
- production schedule / deadlines;
- reputation;
- performance.

However, this list will depend on context and the risks being evaluated.
When defining risk criteria, you should consider:

- the nature and type of causes;
- the consequences that can occur;
- how consequences will be measured;
- how likelihood will be defined (for example qualitatively or as a quantitative probability);
- the timeframe;
- how the level of risk is to be determined;
- what is an acceptable (or tolerable) level of risk.

53 Ibid. Clause 0.1 Introduction, p.6.

For the risk criteria to be adequate to support the decisions made at the risk treatment stage, they
should:

- assist in decision-making leading to actions that reduce risk to levels that are as low as
reasonably practicable;
- be capable of being communicated, understood and applied within the organization and to
an external organization (ISO 9001:2013, 3.01) where it performs part of an organization's
function (Ibid. 3.25) or process (Ibid. 3.12);
- be unambiguous in their formulation;
- not evidence any bias towards particular risk treatment options in the way in which risk is
expressed.

Documented information:
Statement of organization context - including its size and complexity, a general outline of the
external and internal risks and opportunities that it needs to address, and how that knowledge is to
be made accessible.

3.4 Step 2: Risk identification


Having established the organization's context, we need to identify the specific risks and
opportunities that need to be addressed (see clause 6.1) through the quality management system
and its associated processes. Risk identification is the process to determine what might happen that
could result in undesirable outcomes (see 0.5) that have a negative impact on the organization's
ability to "...consistently provide products and services that meet customer and applicable statutory
and regulatory requirements or the organization's aim to enhance customer satisfaction".54
The risk identification process should be as comprehensive and systematic as possible in order to
ensure that risks affecting quality are not ignored.
Process inputs
Information used may include:

- historical data;
- theoretical analysis;
- empirical data and analysis;
- informed opinion of the project team and other experts;
- the concerns of stakeholders.55

54 Ibid. A.3 Context of the organization, p.43.

Method
1. Use one or more of the Look-up and/or Supporting Methods described in ISO/IEC 31010
designed for Risk identification. These techniques include:

- Structured interviews
- Brainstorming
- Examination of similar quality processes
- Delphi technique
- SWIFT technique

[See our previous blog post about ISO/IEC 31010 for more information: ISO 31000 Risk management
techniques - Attributes of a selection of risk assessment tools.]
2. Produce a comprehensive list of possible risks to successful outcomes.
Process outputs
See item 2 above.
Steps 3 - 5 will analyse and evaluate these risks and prioritise treatment.
Documented information:
1. Risks and opportunities register (R&O register) - recording identified risks, controls, and
ratings.
2. Risk description worksheet - (for recording risk at process level) listing risk description,
process, existing controls, key assumptions, sources of information, document attachments.

3.4.1 Techniques for risk identification


The International Standard, ISO/IEC 31010 describes the techniques for risk identification that could
be used in Quality Management Systems.
Along with examining any check-lists that identify the causes of risk that have led to preventive
actions, and the experience of other quality managers in similar contexts, you should also consider
conducting structured interviews with individuals, focus and discussion groups, scenario analysis,
and surveys and questionnaires to help identify risks.

55 Adapted from assessing risks to quality from Project management guidelines: managing risk with ISO 31000 and IEC 62198, Dale F
Cooper, et al, John Wiley & Sons Inc, March 2014.

The recommended method is Brainstorming - see previous blog post.

Brainstorming is significantly more effective than superficially attractive mechanisms such as
checklists. The process draws on the creative capacity of the participants, reducing the danger of
overlooking new and emerging issues.56
The quality manager/lead writes the initial risk list on a whiteboard without comments from the
other participants, who then make their contributions. The team reviews the list, classifying and
grouping similar risks where appropriate and adding new ones as ideas are generated. The aim is
usually to generate a list of 10 risks associated with each quality process being assessed, although
this number will vary depending on the organizational context and complexity of processes.
A structured workshop is the most effective format, and adequate time should be allocated by key
participants for all the risks to be considered.
Experience and knowledge will always form a valuable part of the process; however, historical
information should not be allowed to block a creative assessment of the future, in which situations
that have never arisen before may occur and the balance between familiar risks may shift dramatically.57

3.5 Step 3: Qualitative risk analysis & risk evaluation

3.5.1 What is a 'Qualitative analysis' of risk?
Qualitative analysis is based on ordinal and ranking scales for describing the consequences and
likelihoods of risk. This method helps managers to understand risks and prioritise them for
treatment, taking account of activities, processes and plans that act as controls. It is a useful
approach in situations where there is insufficient reliable statistical data available, or where time
and cost constraints prevent managers from undertaking a more resource-intensive semi-quantitative
or quantitative analysis of risk.
In comparison:
Quantitative analysis uses numerical (ratio) scales for consequences and likelihoods, rather than
descriptive or nominal scales, and requires more advanced skills.

56 Ibid.
57 Ibid.

3.5.2 Does ISO 9001:2015 require a qualitative risk assessment?

ISO 9001:2015 requires that we consider risk qualitatively (and, depending on the organization's
context, quantitatively) when defining the rigour and degree of formality needed to plan and control
the quality management system, as well as its component processes and activities. Qualitative risk
analysis is the systematic use of available information - including documented information from the
risk identification process in Step 2 - to develop an understanding of the risks to quality objectives.58
This includes:

- assessing the effectiveness of existing controls;
- determining the consequences that characterise each risk;
- the likelihood of those consequences arising; and
- the potential exposure were the controls to fail.

3.5.3 Sources of information for qualitative analysis


The quality management team is often the best source of information for assessing risks to quality in
terms of their causes and consequences.
However, where the organizational context is high-risk and/or complex, additional information will
most likely be required from other teams. When assessing high-priority risks and evaluating the
most effective ways to mitigate them, quality managers/leads may include sources such as:

- historical records;
- process records, either specific to the kind of process being assessed, or where comparisons
and inferences can be drawn regarding risk scenarios;
- industry best practice;
- user experience (from quality records and other sources - e.g. customer service records,
social media discussions, consumer satisfaction surveys);
- published literature and research reports that contain theory and/or examples relating to
failure modes or equipment reliability;
- product brochures and technical manuals;
- audit reports.

Process inputs
Information used in qualitative risk analysis and evaluation includes:

- historical data;
- theoretical analysis;
- empirical data and analysis;
- informed opinion of the project team and other experts;
- the concerns of stakeholders.59

58 Ibid. Chapter 8: Qualitative Risk Analysis and Risk Evaluation.
59 Adapted from assessing risks to quality from Project management guidelines: managing risk with ISO 31000 and IEC 62198, Dale F
Cooper, et al, John Wiley & Sons Inc, March 2014.

Note: This simple list is intended to be identical to the list for risk identification in Step 1, although
you can probably add further types of information based on your organization's experience of risks
to outputs.
Method
Steps required for a Qualitative Risk Assessment include:
1. List process controls that are already in place and act to modify each risk and assess their
effectiveness.
2. Determine the kind and level of consequences that characterise each risk.
3. Assess the likelihood of the consequences occurring, given the controls in place.
4. Combine levels of consequences and likelihoods to determine the level of risk.
5. Evaluate the potential exposure for each risk identified to desired quality outcomes.
6. Agree the management priorities for:
   - risk treatment;
   - control assurance; and
   - top management oversight.60

7. In conjunction with Step 5 (Risk Treatment): use risk criteria to determine a) the risk
treatment options available and b) whether any residual risk level in your quality processes
will be tolerable.
Process outputs
A prioritised list of risks that takes account of uncertainty for:

- quality process objectives
- organizational objectives

For each risk, determine a rating for:

- control effectiveness;
- consequence;
- likelihood;
- level of risk; and
- potential exposure.

Documented information:
Risks and opportunities register (R&O register) - recording identified risks, controls, and ratings.
Risk description worksheet - (for recording risk at process level) listing risk description, process,
existing controls, key assumptions, sources of information, document attachments.

60 ISO/DIS 9001:2014, Clause 5.1.1 Leadership and commitment for the quality management system, pp.26-27.

3.5.4 Summary:
In the first three Steps of this risk management process for quality systems, we have addressed
three fundamental requirements of ISO 9001:2015; namely:
1. Understanding the context of the organization, its quality management system and
processes (Clause 4).
2. Processes for planning and consideration of risks and opportunities (Clause 6).
3. Processes for support, including resources, people and information (Clause 7).
As ISO 9001:2015 states, the process for considering and controlling past, existing and additional
knowledge needs to take account of the organization's context, including its size and complexity, the
risks and opportunities it needs to address, and the need for accessibility of knowledge.61 We
propose documented information in the form of (1) Statement of Context, and (2) Risks and
Opportunities Register (R&O register) used to record identified risks, controls, and ratings.

3.6 Step 4: Semi-Quantitative risk analysis and risk evaluation


Semi-Quantitative risk assessments support decision-making by identifying potentially high-risk
processes, without identifying risks explicitly.
Agreed priorities are used to determine those processes where the highest level of planning and
consideration of risk should be focussed.
Process inputs
Documented information used in the assessment process may include process documents, such as:

- quality plans, procedures and work instructions;
- scope definitions;
- cost and schedule assumptions pertaining to processes and outputs;
- engineering process designs and studies;
- economic analyses;
- empirical data and analysis;
- informed opinions of experts;
- concerns and expectations of stakeholders and customers; and
- relevant documented information about the QMS and its processes.

Method
1. Develop an appropriate structure for examining quality system processes;
2. Use a semi-quantitative risk assessment tool (see example to follow) to assess the
consequences and likelihood of risks arising in each process.
3. Convert the consequence and likelihood of risks arising in each process to an initial priority
level.
4. Determine Risk Factors (RF) for each of the risks analysed - see below.
5. P (Probability) and C (Consequence) values are plotted to show the risk factors affecting
quality processes and their desired outputs.
6. The risk factors, the ranking and the risk profile are then used to decide which of the
identified risks may be deemed acceptable or unacceptable, and to enable resource
priorities to be determined.
Process outputs
A list of risks to outputs prioritised by risk factor; i.e. level of 'riskiness'.
Consequence and likelihood ratings and agreed priorities for each risk.
Risk contour diagrams (see example below) to plot risk factors and iso-contours; i.e., points of equal
RF value, to give an indication of priorities.

61 ISO/DIS 9001:2014, A.7 Organisational knowledge, p.46.

3.6.1 Methods for calculating risk factors


Risk factors may be calculated as the product of the likelihood (probability) and consequence scores:
RF = P x C
There is a very good reason for being very cautious with this method. It is that risks with high
consequence scores and low probabilities are allocated low risk factors. The product formula may
result in the risk being downgraded in terms of priorities. This is an important concern in quality
management when considering possible critical non-conformities (i.e. any nonconformity which may
result in hazardous or unsafe conditions for individuals using, maintaining or depending upon the
product or prevent performance of a vital agency mission) and major non-conformities (any
nonconformity other than critical, which may result in failure or materially reduce the usability of
the product for the intended purpose). However unlikely the undesired outcome, the purpose of the
quality system will be undermined and the organization's reputation badly damaged in the event of
this type of non-conformity ever arising.
By using scores from 0 (low) to 1 (high), it is possible to obtain a risk factor that is high if the
consequence is high or if the likelihood is high, by using the following method described in work by
Dale F Cooper.62
RF = Likelihood (P) + Consequence (C) - Product of scores (P x C)
Where:

P  = likelihood measure on a scale 0 to 1
   = average of likelihood factors
C  = consequence measure, on a scale of 0 to 1
   = average of consequence factors
RF = risk factor
   = P + C - (P x C)

62 Project management guidelines: managing risk with ISO 31000 and IEC 62198; Dale F Cooper, et al, John Wiley & Sons Inc, March 2014.

Figure 2: Risk factors and iso-contours for a quality process


Iso-contours are curves on a graph connecting points at which a function of two variables takes a
constant value. A common example is map contours, which join points of equal height. The function
in this example is the Risk Factor (RF), the two variables are L (likelihood) and C (consequence), and the
constant values are e.g. RF = 0.2, RF = 0.4, RF = 0.6, RF = 0.8, RF = 0.9.
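The two risk factor formulas above, worked through in Python as an added example that is not from the white paper or from Cooper's templates: it averages indicator ratings into P and C, ranks the same constructed risks under RF = P x C and under RF = P + C - (P x C) to show the downgrading the text warns about, and computes points on an RF iso-contour. The risk names and scores are constructed, and P here is the likelihood axis labelled L on the figure.

```python
"""Semi-quantitative risk factors (Step 4, Section 3.6.1) worked through in code.

Added example: the functions, risk names and indicator scores below are constructed
for illustration and are not the white paper's or Cooper's own templates.
"""
from dataclasses import dataclass
from typing import Callable, Sequence


def mean_score(scores: Sequence[float]) -> float:
    """Average of several 0-to-1 indicator ratings (the 'average of factors' in the text)."""
    if not scores:
        raise ValueError("at least one indicator score is required")
    for s in scores:
        if not 0.0 <= s <= 1.0:
            raise ValueError(f"score {s} is outside the 0 to 1 scale")
    return sum(scores) / len(scores)


def rf_product(p: float, c: float) -> float:
    """RF = P x C. A high-consequence, low-likelihood risk gets a low factor."""
    return p * c


def rf_additive(p: float, c: float) -> float:
    """RF = P + C - (P x C), the formula the text attributes to Cooper.

    Algebraically 1 - (1 - P)(1 - C): RF stays within 0..1 and is high whenever
    either P or C is high, which is why the text prefers it for critical
    non-conformities.
    """
    return p + c - p * c


@dataclass(frozen=True)
class Risk:
    name: str
    likelihood_factors: Sequence[float]   # ratings of the likelihood indicators
    consequence_factors: Sequence[float]  # ratings of the consequence indicators

    @property
    def p(self) -> float:
        return mean_score(self.likelihood_factors)

    @property
    def c(self) -> float:
        return mean_score(self.consequence_factors)


def prioritise(risks: Sequence[Risk],
               formula: Callable[[float, float], float] = rf_additive) -> list[tuple[str, float]]:
    """Rank risks by RF, highest first, using the given formula."""
    scored = [(r.name, formula(r.p, r.c)) for r in risks]
    return sorted(scored, key=lambda row: row[1], reverse=True)


def masked_by_product(risks: Sequence[Risk], tolerable_rf: float) -> list[str]:
    """Names of risks the product formula calls tolerable while the additive one does not.

    This is the downgrading effect the text warns about: compare both rankings
    before treating a product-formula score as grounds to deprioritise a risk.
    """
    return [r.name for r in risks
            if rf_product(r.p, r.c) <= tolerable_rf < rf_additive(r.p, r.c)]


def iso_contour(rf_level: float, p_values: Sequence[float]) -> list[tuple[float, float]]:
    """Points (P, C) on the curve RF = rf_level for the additive formula.

    Solving P + C - PC = RF for C gives C = (RF - P) / (1 - P). Points whose C would
    fall outside 0..1 (or where P = 1) are dropped so the contour stays on the chart.
    """
    points = []
    for p in p_values:
        if p >= 1.0:
            continue
        c = (rf_level - p) / (1.0 - p)
        if 0.0 <= c <= 1.0:
            points.append((p, c))
    return points


# Constructed risks to a production process; two indicator ratings per dimension.
SAMPLE_RISKS = [
    Risk("Speed and feed rates too slow", [0.7, 0.9], [0.6, 0.8]),
    Risk("Machine breakdowns", [0.4, 0.6], [0.5, 0.5]),
    Risk("Critical non-conformity shipped", [0.1, 0.1], [0.9, 0.9]),
]

if __name__ == "__main__":
    for name, rf in prioritise(SAMPLE_RISKS, rf_product):
        print(f"product  {rf:.2f}  {name}")
    for name, rf in prioritise(SAMPLE_RISKS):
        print(f"additive {rf:.2f}  {name}")
    print("masked by product formula at RF <= 0.2:", masked_by_product(SAMPLE_RISKS, 0.2))
    for p, c in iso_contour(0.8, [i / 10 for i in range(11)]):
        print(f"RF = 0.8 contour: P={p:.1f} C={c:.2f}")
```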

3.6.2 What is the value of the Semi-Quantitative approach in Step 4, following the Qualitative
Assessment conducted in Step 3?
To quote Holger Schutz et al. in 'Comparative risk assessments: concepts, problems and
applications',63 in the qualitative approach to risk assessment, "An event is verbally described in
relation to other events. Absolute reference points and specifications for the bandwidths are lacking
(in which field is the term "high" to be classified?) so that no comparison of various processes /
specifications is possible." In other words, the value of a qualitative risk assessment is limited, since
precise data is needed to make more accurate comparisons between the risks being analysed. The
breadth of the classifications needs to be chosen so that "...the findings of imprecise data still lie
within the bandwidth of the classes". A semi-quantitative classification of the type in the diagram
above can assess the order of magnitude of the importance of individual risk scenarios, either at the
quality process or wider organisational level. Because qualitative terms in this approach have been
given numerical values, the verification of results is made possible by the comprehension of single
steps of awareness,64 enabling high priority risks to be prioritised.

63 Comparative risk assessments: concepts, problems and applications; Holger Schutz, Peter M. Wiedemann, Wilfried Hennings, Johannes
Mertens, Martin Clauberg; John Wiley & Sons, July 2006; ISBN: 978-3-527-31667-0.
This semi-quantitative approach to assessing risks in a Quality System has the advantage of allowing
comparison of the various risks of non-conformities (minor, major and critical) on one or more risk
attributes by one or more evaluators, resulting in a consensus view of what are the 'real' risks as
measured by risk factors which are plotted on one graph.
In organisational environments where a degree of uncertainty makes it difficult to predict which
risks to quality outcomes are the highest priority, this type of analysis supported by a consensus risk
identification process, provides meaningful outputs to guide planning and consideration of risks.
To read more about the semi-quantitative risk analysis method, see:
Project management guidelines: managing risk with ISO 31000 and IEC 62198; Dale F Cooper, John
Wiley & Sons Inc, March 2014.
Documented information
Assessment sheets, recording likelihood indicators (rated high-low), consequence indicators (rated
high-low); plus the relevant discussions, assumptions and responses; and a risk score for each line
entry made.
Diagrammatic representations of risk - e.g., a risk factor and iso-contour graph used to plot data
from a semi-quantitative risk analysis.

3.7 Step 5: Risk treatment


The risk identification and assessment process must translate into actions.
ISO 9001:2015 states that one of the key purposes of a quality management system is to act as a
preventive tool. There is no longer a separate clause or sub-clause titled 'Preventive action', since
the concept of preventive action is expressed through a risk-based approach to formulating quality
management system requirements.65
Although there is no requirement for formal risk management or a documented risk management
process, risks and opportunities have to be determined and addressed. If the QMS is to act as a
preventive tool, risks have to be identified and evaluated (by some method, whether through
analysis or "intuitively"), priorities assigned and risk treatment actioned.

64 Ibid. p.192, Appendix 4.
65 ISO/DIS 9001:2014, A.4 Risk based approach, p.45.

Risk treatment involves the following steps:

1. Identifying feasible risk treatment actions;
2. Selecting those risk treatment actions that create value;
3. Developing risk treatment plans.66

Brainstorming is a supporting method for examining treatment options.
The options can be summed up as follows:

- Avoiding or seeking the risk
- Changing the likelihood
- Changing the consequences
- Sharing the risk
- Explicitly accepting the risk without further treatment.67

Process inputs
The primary inputs are lists of:

- Risks and their priorities from the risk analysis and evaluation step.
- Resources, including budget, which can be applied to treating risks.

Method
1. Identify options for addressing high-priority risks;
2. Determine the potential benefits and costs of the options;
3. Select the best options to treat the high-priority risks;
4. Develop and implement detailed risk action plans;
5. Make appropriate provisions in budgets for actions.68

Process outputs
Risk action plan summaries for each proposed risk treatment action.

66 Project management guidelines: managing risk with ISO 31000 and IEC 62198; Dale F Cooper, et al, John Wiley & Sons Inc, March 2014,
p.363.
67 Ibid., p.363.
68 Ibid. Chapter 10 Risk Treatment.

3.7.1 Example of Risk Treatment in a Quality Management System

Starting with a list of high-priority risks, we identify options for addressing the risks. Let's say that
the anticipated problem is a backlog in production indicated by the following RF values:
1. Speed and feed rates too slow: RF = 0.8
2. Machine breakdowns: RF = 0.6
3. High absence and tardiness rate: RF = 0.4
Which risks should take priority? And what options are available to the organization to treat one or
more of the risks using available resources? The highest level risk is number 1. Speed and feed rates
are likely to be too slow at present to meet the delivery schedule of a customer order. The quality
management team working with the operations team has identified, analyzed and evaluated this risk
as having a Risk Factor of 0.8 (on a scale of 0-1). Through brainstorming, they have identified and
analysed a problem with the production operatives' familiarity with new materials. There is a
secondary factor in terms of unfamiliarity with new machines (RF = 0.6). Absence and tardiness are
also potentially an issue as the operatives are reluctant to operate the new machines without proper
training. However, the third anticipated risk: 'high absence and tardiness rate' has been assessed as
a lower risk at RF = 0.4 than the risk factors for risks 1 or 2, so it is decided to prioritise treatment of
1 and 2.
The rationale:
Although lack of familiarity with new materials is thought a higher risk than machine breakdowns or
high absence/tardiness rates, risks 1 & 2 taken together represent an unacceptably high risk within
the context. Machine breakdowns due to poor maintenance by the supplier and/or operator error
are known to have been a problem recently in a competing production facility, and are likely to
reduce output rates at a critical time.
Risk 3 is thought to be a lower priority but merits consideration later on.
So what are the best options?
Strengthening the Operations team with an operator who is familiar with both the new materials
and the machine is one possibility to consider.
Other options are:

- Instigating a training programme to familiarise operatives with the new materials and
improve their output performance using the new machines.
- Increasing production hours through over-time to compensate for low output until the
operatives are more familiar with the new materials, etc.
- Outsourcing the manufacturing of the component made with the new material (either on a
temporary or permanent basis) to avoid the risk.

Obviously, there could be other options available, but let's stick with these for now. The next action
is to determine the potential benefits and costs of the options; and then select the best options to
treat the risks.
The team next look at the possibility of hiring a skilled operative with experience of working with the
materials in question and the machines. Although it is an attractive idea, they cannot be sure that
they can hire the right person given the tight timescales they are working to; and although urgent
enquiries could be made through Human Resources with specialist recruitment agencies, the
expectation is that the only two viable options in the short-term are increasing production hours and
outsourcing on a temporary basis. This is because a training programme will take longer to organise
and will require a specialist trainer who has experience of the material and the machines. The trainer
will not be available until over half way through the production of the customer's order. Therefore,
the only options are to increase production hours, accepting a high proportion of scrap that will be
generated while operatives learn to work the material, or outsource to a manufacturer that has
been using the material for two years and has successfully overcome their machine reliability
problems.
The decision is made to avoid the risk by outsourcing in this instance; however, actions to design and
implement a training course are agreed, so that the anticipated production problem will not re-occur
in the future.
This risk treatment plan has removed the risk. It may of course have introduced a new potential risk:
i.e. that the chosen outsourcing company proves to be unreliable and fails to deliver on time and/or
within budget.
This identified risk will then be duly analysed, evaluated and, if it is thought necessary, treated as
part of a continual review of the risks.
See Step 6: Monitoring and Review below.
Process outputs
Risk action plan summaries for each proposed risk treatment action.
Documented information
1. Risk treatment options worksheet
2. Risk treatment plan summary

3.8 Step 6: Monitoring & review


The main aims of monitoring and review can be summed up as:
Developing a monitoring process for each...

- risk (risk owners);
- control (control owners);
- treatment plan (risk owners).

It will be necessary to decide how risks and controls will be periodically reviewed, including how
often and when these will take place; who will conduct the reviews, and what is the most
appropriate approach to adopt.
At this final stage, an organization would set up the following processes:

- reporting process for risk and control monitoring and review;
- reporting process for progress with risk treatment plans;
- process to derive lessons from successes and failures within the quality processes and for
communicating this information to the organization.69

This conforms to the requirements of ISO 9001:2015 in terms of establishing, implementing,
maintaining and continually improving a quality management system, including the processes
needed and their interactions.70
The Standard will expect you to plan and consider the risks and opportunities in accordance with the
requirements of 6.1 (Steps 1-4 above), and plan and implement the appropriate actions to address
them (Step 5 above). This includes the methods for monitoring, measuring, as appropriate, and
evaluating processes and, if needed, changing processes to ensure that they achieve their
intended results (Step 6).71
ISO 9001:2015 also mandates that the organization shall maintain documented information to the
extent necessary to support the operation of processes and retain documented information to the
extent necessary to have confidence that the processes are being carried out as planned.
With the help of a Risk Management Method similar to the one described above and using QMS
documented information templates controlled in the Cognidox Document Management System, you
will be in a strong position to show an assessor that you are taking appropriate actions to address
risks and opportunities, in line with the requirements of ISO 9001:2015!

69 Ibid., adapted from Monitoring and Review section summarised on pp.363-364.
70 ISO/DIS 9001:2014, 4.4 Quality management system and its processes, p.26.
71 Ibid., p.26.

4 Summary and Conclusions


In this paper, we looked at the topic of risk-based thinking (RBT) in the context of ISO 9001:2015.
This is something of a sore point among Quality professionals. Some believe that RBT is an
ill-considered introduction in the latest revision of the standard. Others are more positively inclined
towards it. Either way, the Standard revision (at least in draft form) is not at all clear on what needs
to be done.
One approach could be to look to the ISO 31000 family of standards for guidance. If you do, then
ISO/IEC 31010:2009 Risk management - Risk assessment techniques would be a key input.
The need for Risk-Based Thinking (RBT)
We began by saying that identifying risk, analysing the consequences, probability and level of risk
(i.e. risk analysis), and evaluating risk using formal techniques, are becoming increasingly important
in the global business world.
Formal risk management is not mandated by ISO 9001:2015 (at least not in the draft published in
2014). However, organizations can, in the words of the TC 176 Committee's draft standard (May
2014), "choose to develop a more extensive risk-based approach than is required by this
International Standard, and ISO 31000 provides guidelines on formal risk management which can be
appropriate in certain organizational contexts".
So what will actually be required by ISO 9001 assessors as evidence of risk-based thinking? At this
point in time (June 2015), we do not really know. You could read the DIS to suggest that the outputs
from your processes to consider risk will need to be shown as evidence of RBT. Whether or not this is
the case when the ISO 9001:2015 Standard is published in September, risk-based thinking is likely to be
required to plan and control the quality management system (QMS) and its component processes and
activities, and is unlikely to be ignored in certification audits.
Why think about risks in the context of Quality Processes?
Apart from the obvious answer that most ISO 9001:2008-registered organizations would like to
continue to comply with the Standard, there are several good reasons for analyzing and prioritizing
the risks and opportunities, and planning the actions necessary to address the risks.
To achieve that often complex task, ISO 31000:2009 can help in taking a risk-based approach to the
quality management system, component processes and activities - although the ISO 9001:2015
standard will not (or is unlikely to) mandate the use of formal risk management processes.
Unfortunately, ISO 31000 has not been specifically designed to explain how you should apply "risk
based thinking" to quality systems. Instead, it takes a generic approach that has to be developed
often in considerable detail to be useful in a given context. In practice, risk management using ISO
31000 is not likely to be intuitive.
Risk assessment in ISO 31000 may be undertaken in varying degrees of depth and detail and using
one or many methods ranging from simple to complex. When applying these ideas to quality
systems, it would surely be appropriate to select a form of risk assessment method with an output
that is consistent with the risk criteria developed as part of establishing the context [Clause 6.2].
Assuming that you do not have a method in place already: which one should you choose from the
bewildering array?
A risk assessment process needs to include the following task activities:

- risk identification;
- risk analysis - consequence analysis;
- risk analysis - qualitative, semi-quantitative or quantitative probability estimation;
- risk analysis - assessing the effectiveness of any existing controls;
- risk analysis - estimation of the level of risk;
- risk evaluation.

The tools necessary to achieve these steps are listed in ISO 31010:2009; especially Table A.1 Tools
used for risk assessment. However, it has to be said that the list is daunting to many quality
professionals who are unfamiliar with risk management processes.
The sheer complexity of some types of risk assessment will render the tool useless in most
organizations employing between 1 and 250 people. However, that does not mean to say that ISO
31010 is not a valuable reference should you ever be required to think about risk in these terms.
We have described a selection of the 31 techniques listed in ISO 31010. We have attempted to link
these tools to QMS processes in a meaningful way; however, our approach is not intended as a
reference, since a great deal will depend on the organization's context and there are a considerable
number of possibilities (potentially many thousands for different types and/or sizes of organization).
There is also no common consensus as yet regarding which ISO 31010 risk assessment techniques
are the most appropriate to apply to ISO 9001:2015 quality processes; although this is certain to be
covered in future books and journal articles on how to comply with the standard.

4.1 Risk Assessment Methodology for applying RBT to QMS


Accepting that nobody can be 100% sure of how RBT will be assessed in any given QMS, we have
proposed in this series of posts a method for applying RBT in the form of a basic risk management
model. This is guided by the work of established risk management gurus, including Dale F Cooper,
but also takes account of continual process improvement models, such as those used in ITIL. It
breaks down into six simple Steps.
To close, we look at the 6-step process we are recommending and provide links to templates for
documenting the outputs that we hope you will find useful. Click on the document icon to download
the PDF, or visit the Free Templates page in our Documents Library.
The six steps are:
1. Establish the context
This step determines the issues and requirements that can impact on the planning of the quality
management system, including: (a) the main objectives and outcomes that are uncertain / subject to
risk; and (b) the needs and expectations of the organization's customers and other relevant
interested parties; the products and services it provides; the complexity of processes it employs and
their interactions; the competence of persons within or working on behalf of the organization; and
its size and organizational structure.
An example statement of context template is available here.

2. Risk identification
This step involves selecting a suitable process for risk identification and for each quality process,
identifying and numbering the risks. This process records the risks in a Risk and Opportunities
Register (R&O Register) that would form an integral part of the Quality Management System.
We offer two supporting templates: a Risk Description Brainstorming Sheet and a Risks &
Opportunities Register.
Risk Description Brainstorming Sheet:

Risks & Opportunities Register:

3. Qualitative risk analysis & risk evaluation


This step considers (for each risk) the effectiveness of the existing controls using a suitable
effectiveness scale; the consequences (impact) for each risk; the likelihood of these consequences
occurring; and the potential exposure were the controls in place to fail.
4. Semi-Quantitative risk assessment for systems and processes
A semi-quantitative measure of risk is an estimate derived using a scoring approach. Risk indices are
used to rate a series of risks using similar criteria so that they can be more easily compared.
The template below is an example Semi-Quantitative Risk Assessment Calculator (SQ-RAC)
worksheet, adapted from Dale F Cooper.5

5. Risk treatment
This step considers options for either avoiding or seeking the risk; changing the likelihood; changing
the consequences; sharing the risk; or explicitly accepting the risk without further treatment.
We offer two supporting templates: a Risk Treatment Plan Template and a Risk Treatment Options
Worksheet.
Risk Treatment Plan Template:

Risk Treatment Options Worksheet:

6. Monitoring & review


Periodically, the team will re-assess risks and decide whether new risks are affecting or could affect
quality processes and systems as part of the cycle of continuous quality process improvement.
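As an added worked example (not part of the white paper or its templates), the register, scoring, treatment and ranking steps above expressed in Python; the 1-5 scales, the control-effectiveness credits and the treatment band thresholds are assumptions for illustration, and the three register entries are constructed.

```python
from dataclasses import dataclass

# Constructed 1-5 ordinal scales for this example (an assumption, not the
# white paper's SQ-RAC scoring); a real QMS calibrates these to its own objectives.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
CONSEQUENCE = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}
# Fraction of the inherent risk the existing controls are judged to remove (step 3).
CONTROL_EFFECTIVENESS = {"none": 0.0, "weak": 0.25, "adequate": 0.5, "strong": 0.75}


@dataclass
class Risk:
    """One row of the Risks & Opportunities Register (step 2)."""
    ref: str          # register number, e.g. "R-01"
    process: str      # quality process the risk belongs to
    description: str
    likelihood: str
    consequence: str
    control_effectiveness: str

    def exposure_if_controls_fail(self) -> int:
        """Step 3: inherent index (likelihood x consequence) with no credit for controls."""
        return LIKELIHOOD[self.likelihood] * CONSEQUENCE[self.consequence]

    def residual_index(self) -> float:
        """Step 4: semi-quantitative index after crediting the existing controls."""
        credit = CONTROL_EFFECTIVENESS[self.control_effectiveness]
        return round(self.exposure_if_controls_fail() * (1 - credit), 2)


def treatment_option(residual: float) -> str:
    """Step 5: map the residual index to a treatment option; the bands (10, 5) are an assumption."""
    if residual >= 10:
        return "treat: avoid, or change likelihood / consequence"
    if residual >= 5:
        return "share the risk, or reduce it and re-assess"
    return "accept without further treatment; monitor"


def rank_register(register: list[Risk]) -> list[tuple[str, float, str]]:
    """Rank the register on one common index so the risks can be compared,
    returning (ref, residual index, treatment option), highest residual first."""
    scored = [(r.ref, r.residual_index(), treatment_option(r.residual_index())) for r in register]
    return sorted(scored, key=lambda row: row[1], reverse=True)


# Constructed sample register covering three quality processes.
SAMPLE_REGISTER = [
    Risk("R-01", "Purchasing", "Supplier ships non-conforming parts", "likely", "major", "weak"),
    Risk("R-02", "Calibration", "Measuring equipment calibration lapses", "possible", "moderate", "strong"),
    Risk("R-03", "Design review", "Design change released without review", "unlikely", "severe", "adequate"),
]
```

Re-running `rank_register` after each periodic review (step 6) with updated likelihood, consequence or control ratings gives the refreshed ordering for the next improvement cycle.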

4.2 Conclusion
The key point in this white paper is that risk-based thinking (RBT) is here to stay in ISO 9001:2015
and other ISO standards.
We believe that it is in your interests to maximise the likelihood of what we term Option 3: that
your ISO auditor will positively note evidence that you have applied RBT.
To do this, you might look to ISO 31000 and its list of risk assessment techniques. This is not as easy
as it sounds.
We have therefore put together a best practices guideline in the form of a proposed six-step
methodology.


Company Information
Registered Office:

Cognidox Limited
St Johns Innovation Centre
Cowley Road
Cambridge CB4 0WS
UK

Registered in England and Wales No. 06506232


Email

salesinfo@cognidox.com

Telephone

+44 (0) 1223 911080

Smart Document Management


CogniDox helps teams in Engineering, Marketing, Sales, Operations and other departments to
capture, share and publish product and design documentation.

This easy-to-use tool helps break down the barriers to find information, share
solutions and enjoy a faster, more productive development workflow inside
your company. In addition, CogniDox helps you manage and publish
documents and other content to licensed customers. It reduces technical
support load and accelerates your customers' time to market.

https://www.cognidox.com/
