To Risk or Not to Risk: That is the Question – Part 1

Since June 3rd 2013, when the first Committee Draft (CD) of ISO 9001 was released for formal review, there has been much ado about nothing when it comes to what has come to be known as Risk-Based Thinking. This single topic has been central to the objections to the 2015 revision and debated ad nauseam – with Supporters claiming Risk has always been a part of ISO quality management systems and Opponents arguing TC-176 (authors of the Standard) just made it up. Once and for all, we will settle the argument!

In the Introduction to this Committee Draft, section (d), it states, “Annex SL, Appendix 2 High Level Structure and core text does not include a clause giving specific requirements for ‘preventive action.’ This is because one of the key purposes of a formal management system is to act as a preventive tool.” It goes on to say, “Consequently, the High Level Structure and Identical text require an assessment of the organization’s external and internal issues that are relevant to its purpose and that affect its ability to achieve the intended outcome(s) and to determine the risks and opportunities that need to be addressed to: assure the quality management system can achieve its intended outcome(s); prevent, or reduce, undesired effects; achieve continual improvement.” And so, the concept of Risk-Based Thinking was born. Or was it? The answer is Yes… and No. The introduction also states, “Although risks have to be identified and acted upon there is no requirement for formal risk management.”

It may be the first use of the term Risk-Based Thinking, but TC-176 had been ‘thinking’ about risk for a long time. To find out how long, we’ll have to go back to the very beginning – all the way back to MIL-Q-9858*. Remember that one? In section 1.3 (Scope) it states regarding Quality Program Requirements, “This program shall provide for the prevention and ready detection of discrepancies…” This demonstrates the reality that: a) Preventive Action is a fundamental part of a quality management system and, b) because the nature of preventive action is proactive rather than reactive, it requires that issues and concerns be identified and acted upon. That, my friends, sounds like risk management.

*Note: Interestingly enough, MIL-Q-9858 also introduces the concept of Cost of Poor Quality in section 3.6, which unfortunately never made it into the ISO version (ISO 9001:1987).

Enter the new kid on the block, ISO 9001:1987. In section 4.14 Corrective Action it states, “The organization shall have a procedure for each of the following purposes: …c) Preventing problems consistent with the risk they may present.” There it is, folks, and they even connected the dots for us. The concept of preventive action linked with risk has always been there. But wait, there’s more!

Embedded in ISO 9004:1987 (US equivalent ANSI/ASQC Q94), section Q94.0.4.1, is “Risk, cost, and benefit considerations have great importance for both company and customer” and section Q94.0.4.5, “A well-structured quality system is a valuable management resource in the optimization and control of quality in relation to risk, cost, and benefit considerations.” It continues with section Q94.4.4.4, “The quality system should function in such a manner as to provide proper confidence that… c) emphasis is placed on problem prevention rather than dependence on detection after occurrence.”

With this discovery, we see from the Standard we all read, ISO 9001, and the one we never looked at, ISO 9004, that TC-176 has presented the concepts of prevention and risk as ‘joined at the hip.’ How did so many miss this? Es macht nichts – we’ll bring it full circle and beyond in Part 2.

