ISO 9001:2015 specifically addresses risk. Is your organization ready?

The global economy has provided organizations with many opportunities that didn’t exist even 10 years ago, but it also presents organizations with many risks due to changes, including the internet and extensive outsourcing to countries such as China and Mexico.

To handle these changes, organizations must employ risk-based thinking, an approach that includes tools for identifying, managing and mitigating risks. One method consists of defining the organization’s objectives, specifying the risk categories, identifying risks to the objectives and developing methods for managing the risks.
Risk in ISO/DIS 9001:2015

There are many elements of risk-based thinking in the draft international standard (DIS) of ISO 9001:2015 (ISO/DIS 9001:2015) that may affect organizations as they work toward compliance to the revised standard.¹ The following excerpts and summaries describe references to risk in ISO/DIS 9001:2015.²

Definition. ISO/DIS 9001:2015 defines risk as the "effect of uncertainty on an expected result." The DIS does not include requirements for preventive action.

Process approach. An important element discussed in clause 4.4 of the DIS is the process approach, which requires an organization to "determine the processes needed for the quality management system (QMS)" and its application of those processes throughout the organization. This includes identifying:
• Inputs, outputs and resources.
• Sequence and interaction.
• Effective operation.
• Responsibilities and opportunities for improvement.
• Risks and the opportunities and actions needed to address them.

Customer focus. Clause 5.1.2 says top management must "demonstrate leadership and commitment with respect to customer focus by ensuring … the risks and opportunities that can affect products, services and the ability to enhance customer satisfaction are determined and addressed."

Actions to address risks and opportunities. Clauses 6.1.1 and 6.1.2 say organizations must "determine the risks and opportunities" that must be addressed to ensure the QMS can:
• "Achieve its intended results.
• Prevent or reduce undesired effects.
• Achieve continual improvement."

Actions taken to address risks and opportunities must be proportionate to the potential effects on conformity of goods and services, and customer satisfaction. Furthermore, the organization should implement changes in a "planned and systematic manner," identifying risks and opportunities, and reviewing the potential consequences of changes. Options for addressing risk can include avoidance, eliminating the source, sharing the risk, and deciding whether to take the risk.

Post-delivery activities. According to clause 8.5.5, when applicable, an organization must determine and meet requirements for post-delivery activities associated with the nature and intended lifetime of the goods and services, accounting for:
• Risks associated with the goods and services.
• Use and lifetime.
• Customer feedback.
• Statutory and regulatory requirements.

Management review. Clause 9.3 says an organization must consider the effectiveness of the actions taken to address risks and opportunities (also see clause 6.1). This includes:
• Determining what needs to be monitored and measured so the organization can demonstrate conformity of goods and services to requirements.
• Evaluating the performance of processes (also see clause 4.4).
• Ensuring conformity and effectiveness of the QMS.
• Evaluating customer satisfaction.

Internal audit. Clause 9.2 says an organization must "plan, establish, implement and maintain an audit program," and establish the "frequency, methods, responsibilities, planning requirements and reporting." The audit program must consider the quality objectives, importance of the processes concerned, related risks and results of previous audits.

Risk-based approach. Section A4 of Annex A describes a risk-based management approach consisting of:
• Requiring the organization to understand its context consisting of internal and external issues.
• Understanding that one of the key purposes of a management system is to act as a preventive tool.
• Determining its risks and opportunities.
• Addressing the risks and opportunities identified.

Applying risk-based thinking
The four main types of risks that affect organizations could be characterized as:
1. Organizational risk, which occurs at the entity and activity levels.
2. Strategic risk, which happens when an organization’s strategy or business plan is inadequate.
3. Compliance risk, which involves failure to comply with legal and regulatory requirements.
4. Operational risk, which includes seven subcategories related to an organization’s procedures and actions.

1. Organizational risk
Entity-level risks can be external or internal. External factors include technology, competition and legislation. Internal factors involve security, information systems, lost shipping and receiving, personnel competence and changes in responsibilities.

Activity-level risks affect individual units or functions, and include things such as information or materials not entered into the system, lost receiving reports or shipping records, poor security control, inadequate skilled labor and employee carelessness. If activity-level risks occur across the organization, they will ultimately affect entity-level risks.

2. Strategic risk
A strategic risk is a loss that might result from pursuing an unsuccessful business plan or strategy. This might be due to making poor business decisions, substandard execution of decisions, inadequate resource allocation or failure to respond to changes in the business environment.

3. Compliance risk
Compliance risk is due to legal and regulatory requirements. Environmental, health and safety requirements cause concern because of the risk of fines, shutdowns or criminal prosecution. Conformance to quality and environmental standards and specifications is also included in this category.
Environmental risks include liquid spills, gaseous emissions and incorrect disposal of solid waste, and would include events such as:
• The purchasing department’s shift from a domestic to a foreign supplier.
• Not replacing a key environmental manager.
• Not developing a data safety sheet for new material.

4. Operational risk
Operational risk can be thought of as having seven subcategories:

1. Management systems risk. Management systems may be ineffective due to inefficiencies in strategies, practices and tools, data processing, call centers, contract administration, and design and development. A highly outsourced supply chain, for example, can be a major risk.

Other management system risks include incorrect revenue recognition, violation of homeland security rules, and noncompliance with environmental requirements and the Sarbanes-Oxley Act (SOX).³ These may result in fines, shutdowns or criminal prosecution. To reduce these types of risks, an organization’s top management and its board of directors must understand the management system and work to improve its effectiveness. If the following activities are ineffective, a management system can be harmed:
• HR practices.
• Management tools.
• Data processing.
• Call centers.
• Marketing.
• Contract administration.
• Customer communication.
• Design and development.

Top management and the board of directors must understand their management system and improve its effectiveness.

2. Customer satisfaction risk. Customer satisfaction risk is affected by customer communication, problems with delivery, product, design and repair, and poor response to customer feedback. To reduce this risk, data should be input into a process of analysis along with product quality data, product and process monitoring data, and inputs on supplier quality.

3. Supply chain risk. Procurement managers must be concerned with outsourced products and services, sole suppliers, timely delivery, inventory management and documentation. Communication is a key to effective supply chains. Metrics used to manage supply chain risk include delivery times, inventory levels and cost.

4. Revenue recognition risks affect profits. Managing this type of risk consists of tracing products from sales, through production, to delivery and payments receivable. Revenue recognition is affected by accounts payable, accounts receivable, revenues recorded before delivery, quotation to cash errors, spreadsheet errors and incomplete pricing information.

The quality manager has a major role in controlling the effectiveness of the revenue recognition process. There is overlap between quality and financial management systems, including product realization, costs, sales, invoices, payments, inventory management and delivery. Data from shipping are a direct input into accounts receivables and revenue recognition. In many organizations, revenue recognition problems have a major effect on earnings and may result in a falling stock price.

There is also a risk of material misstatements due to fraudulent revenue recognition. An auditor should test the controls established to detect fraud in the revenue recognition processes.

5. Information security risks include viruses, unsecured files, inaccurate financial records and reporting, poor change control, information retrieval errors, overuse of spreadsheets, use of contractors and consultants, the introduction of new technology, industrial espionage and fraud.

ISO/IEC 27001:2005—Information technology—Security techniques—Information security management systems—Requirements⁴ contains requirements for establishing, implementing, operating, monitoring, reviewing, maintaining and improving information security management.

6. Logistics risks. A major concern for organizations today is the risk caused by the threat to national security. The search for concealed weapons of mass destruction slows the shipping process. One consideration is how containers will be screened, identified and traced from the country of origin to the purchasing organization. The following factors affect logistics risk:
• Transportation of raw materials and completed products.
• Damage during shipping.
• Delays resulting in missing on-time delivery requirements.
• Delays causing understocking of materials.
• Homeland security information requirements.

New tools must be developed for screening and tracing without supply line disruption. After the product is produced, you must overcome these logistics-related challenges to ship it to the customer.

7. Natural disaster risk. In the past few years, the world has experienced a number of natural disasters. Businesses continuity (BC) requires safekeeping of information in protected storage and planning for disaster recovery.

IT plays an important role in the BC process. IT procedures should be specifically defined to assure that BC will operate in a timely and effective manner. The organization’s members of IT should be part of the BC development team.

IT must provide safekeeping and protective storage of information and must manage, secure and provide safety against all disasters. The method is to regularly copy information and store it in a backup system at a secure, off-site location. Data at this location should be tested for accuracy regularly.
ISO/IEC 27001 provides controls for BC management. The following are components of a BC plan (BCP):
• Business risk and impact analysis.
• Initial response activities for a disaster event.
• Procedures for managing emergencies and business recovery processes.
• Plans for training at multiple levels.
• Procedures for keeping the BCP up-to-date.
BCPs should be exercised periodically. Some questions an organization should ask about its BCP are:
• Does a written plan exist to ensure continuation of information processes?
• Is the plan updated and tested annually? When do significant modifications to computer hardware, software or application systems occur?
• Is the back-up media tested regularly?
• Are application programs, application data and operating system software backed up periodically?
• Are copies of the plan and the back-up information retained off-site?

Risk analysis methods
Risk analysis starts with the organization determining its risk appetite and risk tolerance so all members of the organization can understand the risk philosophy. After these are decided, there are tools to determine the risk levels and manage the identified risks. One key tool is the organization’s controls. These are especially important for compliance to SOX. Compliance includes financial controls at the entity and activity levels.

Risk appetite and risk tolerance
Risk appetite is the amount of risk on a broad level an entity is willing to accept. It is the measure of the risk reward trade-off within the business. In terms of SOX compliance, risk appetite reflects the tone at the top. It is a major consideration in shaping the control environment, as outlined by the Committee of Sponsoring Organizations of the Treadway Commission.⁵ Risk assessments beyond the boundaries of the risk appetite should result in preventive actions being implemented.

Risk appetite acts as a driver for allocation of capital to identified risks. Improving the understanding of risk appetite leads to a more efficient allocation of capital across the organization.⁶ It should be a function of the capacity to bear risk. Constraints on risk appetite include the capital needed to maintain the organization’s credit rating and meet regulatory capital requirements.

On the other hand, risk tolerance relates to the entity’s specific objectives. It is the amount of variation relative to the objectives an entity is willing to accept. Risk tolerance varies within an organization.
While risk appetite is a broad, entity-wide concept, risk tolerance has a narrower focus. An organization may have different risk tolerances for its various operating units. When the individual risk tolerances are combined, however, they should fall within the overall risk appetite set by top management and the board.

Using controls
One important tool for managing risk is the organization’s set of controls. Controls are especially important for compliance to SOX. Auditors test the controls as a key part of the compliance process. The financial and quality controls are at two levels, entity and activity, while the quality controls also appear as "shall" statements in ISO 9001 and ISO 14001. Shall statements are often accompanied by requirements to submit data. Some process performances requirements also include records of results, which can be used to identify impending risks.

Examples of entity-level controls include:
• HR policies.
• Code of conduct.
• Communication strategy.
• Accounting policies.
• Management’s risk assessment process, organizational structure and contract review. Contract review requirements are related to quality requirements in ISO/DIS 9001:2015, Clause 8.2.3—Review of requirements related to goods and services.

Activity-level controls include reconciliation of the general ledger to a subsidiary ledger, automated data validation and edit checks, limited access to confidential information, numbered transactions prior to entry, and review and approval of paper-based information prior to input.

Quality controls at the activity level include control of production (clause 8.6.1), documented information—correction of nonconforming products and services (clause 8.8) and identification of significant environmental aspects (ISO 14001:2004, clause 4.3.1).

Risk and preventive action
Effective risk assessment activities include:
• Defining the organization’s measurable objectives.
• Assuring the compatibility of the objectives.
• Identifying risks to achieving objectives.
• Judging which risks are critical. A risk analysis matrix can be used to determine criticality of the risk.
• Using risk management tools to mitigate risks, such as the objectives, risk, controls and alignment (ORCA) process, the ISO 9001 improvement process, failure mode and effects analysis (FMEA) and risk control matrix.

Risk analysis matrix
A key tool is the risk analysis matrix. For each identified risk, the consequences and likelihood of occurrence of the risk are estimated. These are then input into a risk analysis matrix.

After the level of concern is determined for each risk, actions can be implemented for the extreme and high risks.⁷ ISO/DIS 9001:2015 requires a procedure that implements the following:
• Take action to control and correct the nonconformity.
• Evaluate the need for action to eliminate causes.
• Implement corrective actions.
• Review effectiveness of actions.
• Make changes to the QMS, if necessary.

ORCA
Risk expert Greg Hutchins suggests considering using ORCA as an organizational risk assessment method.
"It is well accepted and adopted. It incorporates elements of other types of assessments including process, internal control and system audits." he wrote. "Also, it fits into today’s corporate governance focus on risk management and operational effectiveness."⁸

ORCA requires organizations to:
• Articulate organizational objectives.
• Identify and assess risks across the entire spectrum.
• Build in balanced controls to manage organizational risks.
• Ensure alignment of objectives, risks and controls across the entire enterprise.

After the risk assessment is conducted, senior and operational management can develop strategies to manage risks and execute business decisions. Risk management strategies include avoidance, mitigation, acceptance, diversification and control.

ISO 9001 improvement process
Clause 10.2 of ISO/DIS 9001:2015 says an organization should improve its QMS by responding to:
• Results of analysis of data.
• Changes in the context of the organization.
• Changes in identified risk (clause 6.1).
• New opportunities.

FMEA
FMEA is a method for risk prioritization and taking preventive action aimed at risk reduction. FMEA is used to examine potential failures in products or processes and helps select remedial actions that reduce risks.
FMEA starts with a description of the parts of a system. Next, the consequences of each part failure are determined.

A risk analysis matrix is used to evaluate the severity and likelihood of occurrence of each failure. The ability of controls to detect failures also is determined.

Actions that could eliminate or reduce the occurrence of failures or improve the ability to detect the risks are identified. Finally, the FMEA helps institute changes to processes and products, which are incorporated to avoid potential failures.

Carl S. Carlson of ReliaSoft Corp. describes an 11-step process for developing an effective FMEA process.9 He starts with the development of strategic and resource plans and describes generic programs included in design management reviews, quality audits, supplier FMEAs, and methods of execution and follow-up of recommended actions. His final steps are to include software support, links to other processes and testing, and follow-up of field failures.

Risk control matrix
A risk control matrix is a tool to manage the risk of a specific process. Controls are set up to determine the status of the individual risks to the process. A risk control matrix gives management a picture of the most recent results of the control assessment.

Adopt a risk-based approach

ISO/DIS 9001:2015 is strongly risk oriented. Risk-based thinking within an organization must start by defining its measurable objectives. Risks are obstacles that impede progress toward achieving these objectives.
Organizations must determine their risk appetite and risk tolerance so they will have a consistent risk philosophy. They then determine risk levels by combining the likelihood of an event and its consequences in a risk analysis matrix.

In a SOX-compliant process, controls should be selected using a top-down, risk-based approach and tested to identify deficiencies and possible material misstatements. Based on the revision to date, the new versions of ISO 9001 and ISO 14001 seem poised to provide valuable tools to organizations working to improve their risk management strategies.
________________________________________

References and notes
1. ISO 9001:2008 did not include the word "risk." ISO/DIS 9001:2015 specifically addresses risk-related processes.
2. International Organization for Standardization, ISO 9001:2015 Draft International Standard—Quality management systems—Requirements.
3. SOX is a U.S. federal law that identifies standards for U.S. public company boards, management and public accounting firms, requiring top management to certify the accuracy of financial information. The law made penalties for fraudulent financial activity more severe and increased oversight of boards of directors and the independence of the outside auditors who review the accuracy of corporate financial statements. For more information, visit Wikipedia, "Sarbanes-Oxley Act,"http://en.wikipedia.org/wiki/Sarbanes_Oxley_Act.
4. International Organization for Standardization and the International Electrotechnical Commission, ISO/IEC 27001: 2005, Information technology—security techniques—Information Security Management Systems—Requirements.
5. Committee of Sponsoring Organizations of the Treadway Commission (COSO), Enterprise Risk Management—Integrated Framework; Executive Summary Framework, 2004. COSO is a joint initiative of five private-sector organizations designed to provide thought leadership through the development of frameworks and guidance on enterprise risk management, internal control and fraud deterrence. For more information, visit www.coso.org.
6. Lloyd’s, "Why Is Risk Appetite Important?" www.lloyds.com.
7. International Organization for Standardization, ISO 9001:2015 Draft International Standard—Clause 10.1—Nonconformity and corrective action.
8. Greg Hutchins, "Value-Added Auditing," Quality Plus Engineering, 2003, p. 62.
9. Carl S. Carlson, "FMEA Success Factors: An Effective FMEA Process,"Reliability Edge, Vol. 6, No. 1, 2005.
Protiviti Inc., "How to Standardize Documentation for Internal Controls," www.protiviti.com

Article Reference: Quality Digest