What is Risk-Based Thinking?
September 14, 2018
Risk-Based Thinking in the Aviation, Space and Defense Context
The idea of risk has always been evident in AS9100 by requiring organizations to plan and manage their business to avoid potential non-conformity, analyze the non-conformity that occurs, and take action to prevent recurrence of that non-conformity.
With the revision of ISO 9001:2015, the concept of Preventive Action is embedded in risk-based thinking. Risk-based thinking must now be part of the organization’s culture, it’s not just a management responsibility (other than to educate the organization) but everyone’s responsibility to look for risks and opportunities to improve or prevent failure.
Furthermore, risk-based thinking supports and improves the planning process and understanding and application of the process approach. In the most recent AS9100D revision, you will find that risks and opportunities are moved to the very beginning of planning, helping an organization develop a proactive and preventative culture. During the planning stage, organizations shall determine their objectives, risks, and opportunities, all of which will become key inputs for each process and drivers for the operation, control, and measurement of those processes.
Use of the term risk-based thinking was added to the AS9100 standard with the intent to make it clear that while awareness of risk is crucial, formal risk-management methodologies and risk assessment are not suitable ways of managing risk for all organizations; the way that organizations manage risk is dependent on their business context. An organization should be prepared to provide evidence of implementation related to the following:
- Inputs (documented information) used for risk and opportunity determination
- How risks and opportunities are determined (e.g. meeting minutes, SWOT, strategic planning, etc.)
- How determined risk and opportunities are addressed (e.g. action plans, on-job training, etc.)
- Internal audits and performance evaluation activities take into account the effective application of risk-based thinking
In the standard, risk is identified in many areas, but in general it follows ISO 9001:2015, which is outlined as follows:
- Clause 4 (Context) the organization is required to determine the risks which may affect this. The organization is also required to determine its QMS processes and to address its risks and opportunities.
- Clause 5 (Leadership) top management are required to commit to ensuring Clause 4 is followed. Top management is required to; Promote awareness of risk-based thinking; Determine and address risks and opportunities that can affect product/service conformity.
- Clause 6 (Planning) the organization is required to identify risks and opportunities related to QMS performance and take appropriate actions to address them.
- Clause 7 (Support) the organization is required to determine and provide necessary resources (risk is implicit whenever “suitable” or “appropriate” is mentioned).
- Clause 8 (Operation) the organization is required to manage its operational processes (risk is implicit whenever “suitable” or “appropriate” is mentioned). The organization is required to implement processes to address risks and opportunities.
- Clause 9 (Performance evaluation) the organization is required to monitor, measure, analyse and evaluate the risks and opportunities.
- Clause 10 (Improvement) the organization is required to correct, prevent or reduce undesired effects and improve the QMS and update risks and opportunities.
It is important to remember that risk is the possibility of events or activities impeding the achievement of an organization’s strategic and operational objectives. It is the volatility of potential outcomes. Risk can be defined by two factors, which are:
- Severity: Magnitude of the risk event, and can be measured on any scale of choosing (e.g. 1 to 10).
- Probability: The likelihood that the risk event will occur, and can also be measured on any scale, usually the same as severity (e.g. 4 out of 10).
Multiplied together it allows an organization to Pareto the level of risks and identify high versus low potential risk events and take mitigation actions as appropriate.