LRQA ISO Revisions Risk Series

The power of Risk-Based Thinking

in ISO 9001:2015 and ISO 14001:2015

Every organisation faces uncertainty; how this is addressed can often

inuence and even determine success. The new international Management
System Standards for both ISO 9001:2015 (Quality) and ISO 14001:2015
(Environmental) are based in part on a principle of Risk-Based Thinking (RBT)
which provides a structured, measurable approach to the issues that are most
likely to impact organisations.

Risk is dened in both standards as
the effect of uncertainty. Although
risk is more commonly characterised
as negative, the standards also address the
positive side of uncertainty; opportunity.
Through a proper understanding of the
organisational context and key stakeholder
needs, organisations can identify and
manage the most important risks and
opportunities through the Plan-Do-Check-
Act (PDCA) structured Management
System, with planned changes being
integrated into processes.
Whilst the chances are some risks and Combining RBT and PDCA when designing
opportunities may never be realised, your Management System will make it not
determining those that are business-critical only compliant to the new ISO standards,
should not be taken lightly. but also a powerful tool to meet
performance objectives across product
Focusing on the most important risks and or service, process, Management Systems,
opportunities is accomplished through business and strategic levels.
informed opinions and the professional
judgement of experts, using available
data and information to make informed
forecasts. This should be done at every
level of the company, with relevant
internal and external factors being taken
into consideration.

Improving performance,
reducing risk
Why the increased
emphasis on risk?
What has changed?
Earlier versions of Management System
standards focused on preventive actions.
These emphasised the root causes of
potentially negative situations and how
the organisation could react and change in
the event they materialise. This clause no
longer exists in the new 2015 standards.
Historically, in many cases, the clause
was not usefully applied, and became
reactionary based on the analyses of
trends of traditional Quality or
Environmental data.
The new standards utilise a more
systematic PDCA forward-looking approach
in identifying, prioritising and managing
risks and opportunities.
Annex SL - the common text and high level
structure for all and revised ISO standards,
takes a broader view with the emphasis on
organisational context. By properly aligning
the Management System with core business
strategies and practices, RBT can get an
organisation out in front of issues that
have potentially detrimental consequences
either internally or externally, thus reducing
or even avoiding potential repercussions.
Further, and equally important, RBT can
also put organisations in a better position
to take full advantage of opportunities
that arise. This is essential in ensuring
managed sustainable business success over
the long term.
In the simplest of terms, possible responses
to risk are often described as the four Ts:
Treat, Transfer, Tolerate or Terminate.
Treating risk is addressing it directly,
working to minimise uncertainty and/or
negative effects
Transferring risk involves moving the
issue to another area or responsibility or
even an outsourced organisation, such
as outsourcing cyber-security to another
organisation with greater expertise and
capability
Tolerating risk is detecting the issues
that arise and staying the course, but
when tolerating risks any conscientious
organisation should have considered
their ability to quickly detect the risk,
should it occur and respond quickly
and effectively to limit consequential
damages
Finally, terminating the risk involves
stopping the activity or combination of
activities that created the risk in the rst
place.
Using these four possible responses,
Treat, Transfer, Tolerate and Terminate
as a framework, organisations are able
to deliver against their strategies and
objectives. They are also able to meet
the needs and expectations of internal
and external stakeholders whilst also
combatting other external threats in an
informed and systematic way.
As an organisation identies ways in
which it wants to change or expand its
business or invest in new technologies,
opportunities will be identied where
improvements can be introduced into the
way they address risk.
For example; should an organisation
decide to build a new ofce or factory, or
if they decide to invest in new machinery
or revamp their production lines, they
have the opportunity to introduce new
technologies, new ways of working, or
introduce new materials which will allow
them to improve both their quality and
environmental performance and
reduce organisational risks.
It is important that the principles of
risk reduction should be applied at the
development stage of any such project,
before being applied through the life
cycle of any organisational initiatives.
This ensures that improvements can be
identied and successfully implemented.
How are risks and
opportunities addressed in
the new standards?
The differences in the application
of RBT between ISO 9001:2015 and
ISO 14001:2015 are minor, as the common
requirements are driven by the structure
and content of Annex SL. In many cases,
the environmental requirements in ISO
14001 are more specically outlined.
This is not always the case, however, as
heavily regulated quality industries, such as
aerospace, nuclear and food safety should
also spell out risks from a regulatory and/or
legal standpoint.
To be compliant with regulations/
legal requirements, organisations need
to demonstrate due diligence in their
approach to risk management. However,
to conform to customer requirements,
organisations need not address every
possible risk or opportunity that may arise.
Instead, it is important to prioritise the
most important risks and opportunities
based on the outputs from their analysis
of organisational context. The critical
factors are the likelihood of the risk or
opportunity being realised, and the degree
of the effects. This needs to reect the real
world, and the risks and opportunities may
change as new regulations, technologies
and markets arise. PESTLE or SWOT
analyses are common tools often used to
do exactly that, (i.e. analysis of political,
economic, social, technological, legal,
environmental, ethical AND strengths,
weaknesses, opportunities and threats
respectively).
To gain certication, an organisation
should demonstrate RBT at all levels, from
top business objectives and strategies,
through systems, processes and products
from an internal and/or external
perspective. This is done by determining
the priorities, using available information
and data and expertise to make informed
projections, and showing how they can be
addressed in an on-going process through
a PDCA iterative cycle approach, i.e.
through the MS.
Who is responsible for
Risk-Based Thinking?
The new standards emphasise the
importance of Leadership and the role
of top management. With ultimate
accountability for management systems
results, performance and/or outcomes
assigned to the highest levels of top
management in an organisation, the
accountability for RBT must also
reside there.
With the scope of the management
systems linked to the key strategies
and business objectives/key processes,
top management is indeed best suited
to see the big picture and balance all
organisational challenges and stakeholder
needs and requirements with associated
opportunities and risks.
While ultimate accountability is with
top management, they can delegate
responsibility to dene the specics. As RBT
is incorporated across all levels, every
member of the organisation has a platform
to nd the most important risks and
opportunities in their area and feed them
into the Management System, with top
management remaining accountable
for the resulting impact of these
delegated efforts.
How does risk
management drive
cultural engagement and
best practice?
A key to engagement is allowing
individuals to feel their contributions are
making a difference. By driving RBT across
the entire organisation and empowering
authorised persons at all dened levels in
the Management System, every employee
is empowered to link how they manage
the essential risks and opportunities in their
area of responsibility whilst endeavouring
to link their efforts to the overall strategic
direction and objectives of the business.
Communicating an organisations direction
and priorities through RBT provides clarity
of purpose, more informed and balanced
decision-making, and a way to successfully
navigate and address emerging challenges
and needs.
An old saying, what gets measured gets
managed, is also true here. RBT highlights
the crucial topics and issues and helps an
organisation understand how well they
are adapting to the forces of change, both
internal and external, that determines and
inuences the future.
A best practice is to consistently measure,
evaluate, and where necessary, improve
the actions taken in response to targeted
and constantly evolving risks and
opportunities.
How will better
managing risk benet my
organisation?
Taking a systematic PDCA measured
approach to managing risk through a
Management System is an avenue to
continuous improvement and preventive
measures. This helps to heighten the level
of assured success in the short, medium
and longer term going forward. By
identifying key risks, the negative effects
can often be avoided or minimised, and
the ability to recognise and act on key
opportunities is the competitive advantage
businesses will benet immensely from.
An organisation that properly applies RBT
will denitely be better prepared to cope
effectively with uncertainty, capitalise
on and maximise opportunities and the
inevitable factors that can affect both.
Get started
Every organisation is different, and one
size does not t all when it comes to
RBT. Proper assessment, documentation,
planning and evaluation (i.e. PDCA applied
in full to each risk/opportunity) is crucial
for both compliance to the new standards
and assured, sustainable future success.
Working with an impartial partner such as
LRQA that understands strategic planning,
organisational context, key business
processes, organisation structures, and
Management System design can facilitate
the improved management of risk and
opportunities, thereby driving more
reliable and sustainable organisational
performance.
LRQA is one of the worlds leading
providers of professional assurance
services spanning certication, verication,
validation services, methodologies and
professional training across a broad
spectrum of standards and schemes, with
recognition from over 50 accreditation
bodies.
LRQA helps you manage your systems and
risks to improve and protect the current
and future performance of
your organisation.
5 reasons

why you should

book training
Our trainers use their
assessment experience
to understand your
Our courses are
delivered at multiple
locations allowing you
We pride ourselves
on your success and
achievements, protecting
Providers of
In-House training
courses, tailored
Competitively priced
training that ensures you
can easily apply your new
challenges, ensuring to nd a time and place and improving your to your business skills and knowledge
with LRQA relevant course material convenient to you business performance and objectives to your workplace

ISO Management System
Standards Risk - Based
Thinking Workshop
This half day Risk-Based Thinking
ISO Management Systems Standards
workshop is for those wanting to gain
further insight and understanding on the
new requirements relating to Risk-Based
Thinking within the revised ISO standards.
This workshop will help you understand
what these changes will mean for you
and your organisation by explaining how
you can guide your organisation through
an effective and successful transition to
the revised standards.
You can choose whether to attend our
Risk-Based Thinking workshop as a public
course or as an in-house event. Our
public courses allow delegates to interact
and network with other delegates and
appreciate how other organisations have
interpreted and plan to implement the
new requirements.
As an in-house event, our experts come to
you and the content of the workshop can
be tailored to your organisations own
management system and run at a date
and time to suit you.
Workshop - Process
Management
This half day workshop will provide
further insight on the new requirements
relating to process management and how
to achieve the intended management
system outcomes in relation to process
management.
Workshop - Context of
the Organisation
This half day workshop will explain the
requirements concerning Context of
the organisation as dened in the new
standards based on Annex SL and how
you can address and demonstrate these
requirements.
Workshop - Leadership
This in-house course will provide an
overview of the new and changed
requirements for leaders in relation to
the revised ISO management systems
standards and how you can incorporate
them into your existing leadership
processes.

LRQA Transition Advisory Line: Transition Training Line:

Lloyds Register Quality
Assurance Limited 0800 014 9152 0800 328 6543
1 Trinity Park, transition@lrqa.com lrqatraining@lrqa.com
Bickenhill Lane, Birmingham,
West Midlands, B37 7ES,
United Kingdom lrqa.co.uk/iso-revisions

LRQA, 1 Trinity Park, Bickenhill Lane, Birmingham, B37 7ES, United Kingdom
Care is taken to ensure that all information provided is accurate and up to date. However, LRQA accepts no
responsibility for inaccuracies in, or changes to, information. Lloyds Register and variants of it are trading names
of Lloyds Register Group Limited, its subsidiaries and afliates.
Lloyds Register Quality Assurance Limited 2016. A member of the Lloyds Register group. Pub Aug 2016