The world’s most popular quality management system ISO 9001 now requires organizations to place “risk-based thinking” at the center of their quality management system.
Organizations must now apply risk-based thinking when identifying and addressing their quality risks, designing their quality management system and allocating resources, managing their operational processes, monitoring, analyzing and evaluating their risk control performance and preventing or reducing the impact of nonconformance.
The revised standard states that organizations can either adopt a qualitative or quantitative risk-based thinking approach to these activities, depending on their context. Here I outline the key differences between the two options, and why your organization should choose the quantitative approach.
Qualitative risk-based thinking relies on people’s opinions rather than hard empirical evidence to assess process and supplier nonconformance risks. Its simplicity makes it an appealing ISO 9001:2015 option, but it has one serious weakness – you can’t effectively control your non-conformance risks using qualitative methods. And if you can’t effectively control your nonconformance risks – you can’t improve them; as highlighted out by H. James Harrington.
Organizations that choose to go down the qualitative route are very likely to end up with inconsistent risk assessments, suboptimal process and supplier monitoring, ineffective risk control, and little if any long-term improvement.
This can result in inappropriate risk controls, unnecessarily high monitoring costs, product and service rejections, rework costs, project delays, performance penalties, reputational damage and reduced earnings.
This is why, if used at all, qualitative “risk-based thinking” should be restricted to initial risk assessment activities only.
Quantitative “risk-based thinking” avoids many of the pitfalls associated with the qualitative approach by accurately measuring an organization’s process and supplier risks.
The typical risk matrices associated with each approach, illustrated below, highlight the key differences between the two approaches.
In the above example, the quantitative risk assessment matrices’ vertical axis represents the dollar ($) impact a product or service nonconformance is likely to have on an organization’s goals and objectives. The horizontal axis, its frequency or rate-of-nonconformance; which acts as a precursor of future nonconformance likelihood or probability. In contrast the qualitative approach uses subjective descriptions.
The key to turning a quantitative risk assessment matrix into a highly effective and efficient ISO 9001 risk monitoring, control and improvement tool, is being able to accurately measure the consequence and rate of nonconformance at process and supplier levels.
The new risk-based thinking requirements outlined in ISO 9001:2015 can be seen as an extra burden by some organizations. For this reason, the qualitative route may appear appealing; despite its serious pitfalls.
Progressive organizations, however, will see the quantitative risk-based thinking approach as an opportunity to significantly improve the efficiency and effectiveness of their quality management system; thereby helping secure their future business success.
Source: Peter Miller