Risk Based Thinking
Last week I read an article, posted on the professional social network LinkedIn, on the subject of the transition to the new/renewed QMS standard ISO 9001:2015. The standard emphasizes and centers on Risk Based Thinking.
The article was written by Mohammad Elshahat from Egypt, an IRCA Certified QMS ISO 9001:2015 Lead Auditor and a Statistical Quality Control and Lean Manufacturing specialist. I have previously read some of his articles and found them not bad at all, speaking straight to the point. This time I have decided to bring his words to you because of their importance and truth.
Below I reprint the article with his permission (with minor language editing). The illustrations were added by me.
Risk Based Thinking: 6 Universal Questions to Formulate Your RBT Model for ISO 9001:2015
Mohammad Elshahat
Do this and you will get lousy results. The last time a friend of mine held a meeting with his coworkers to identify risks, he got unexpected and unpleasant results. The meeting ended in more confusion, and he couldn’t achieve its intended outcomes.
It was his first meeting with the department heads in his organization after the transition training to QMS ISO 9001:2015. He asked everyone to brainstorm the risks they might encounter in their work.
Dozens of negative responses, consequences and bad events started to flow, while no one mentioned a single upside risk or opportunity! He tried to show them that the term “risk” includes both upside risks (opportunities) and downside risks (threats). Some were convinced, others rejected the idea, and the rest were confused.
Can you figure out why this happened?
He hadn’t prepared them for the easiest but most important stage in the risk management process: “The Definition Stage”, also called “Establishing the Context”.
Despite the training your people attended on the new QMS ISO 9001:2015, their minds are still wired with the layman’s definition of risk. Ask anyone whether they would like a risk to happen to them, and you will get a “No” every time.
It is important to be clear about the definition of “risk”, to avoid confusion among teams trying to manage their risks.
I can’t emphasize this enough: one of your challenges as a quality professional is to install and instill the technical definition of risk in your people’s minds before moving on, so as not to encounter the same results my friend did.
In this article I’m going to show you how to create a Risk Based Thinking Model for your ISO 9001:2015 implementation. In addition, I’m going to provide you with 25 techniques and tools to properly identify and analyze upside and downside risks. To do so, I’m going to share four things with you today:
- how Risk Based Thinking and Risk Based Auditing go together;
- how to shift your people’s minds to adopt the technical definition of risk;
- six universal questions to formulate your Risk Based Thinking Model;
- the Risk Based Thinker’s Toolkit.
Risk Based Thinking and Risk Based Auditing
One of the benefits of risk based audits, in use since 2011, is that they unlock hidden risks the organization could not identify by itself and monitor the current risk treatments.
However, the auditor may fail to identify a significant risk, or may identify a risk that is not important, because the auditor’s evaluation depends mainly on samples and therefore carries a sampling risk.
The new ISO 9001:2015 incorporates Risk Based Thinking into the quality management system from the very beginning, at the planning stage, so that all risks and opportunities associated with the organization’s context and objectives are identified, analyzed, treated and monitored ahead of time.
The internal or external auditor is no longer solely responsible for this; the organization’s leadership and every process owner are responsible, too.
This is how Risk Based Auditing and Risk Based Thinking go hand in hand, and I’ve devoted the rest of the article to showing how to do this without being overwhelmed by risk management jargon.
Rewire the New Paradigm
The story I introduced earlier can easily happen in your own halls, so you have to introduce the term “risk” to your people in a manner that doesn’t confuse them.
But how can you do that?
How do you take your people from where they are right now (the layman’s definition of “risk”) to a new mental model, a different paradigm, and a different way of thinking about risk?
You can do that by letting them recognize that threats and opportunities are equally important to their business success. To make that crystal clear in their minds, introduce them to the two failings below.
There are two equal failings which should be avoided:
- A threat occurred and could have been mitigated or avoided.
- An opportunity missed and could have been seized or exploited.
“Fear of harm ought to be proportional not merely to the gravity of harm, but also to the probability of the event.” – Antoine Arnauld (1612-1694)
“The excitement that a gambler feels when making a bet is equal to the amount he might win times the probability of winning it.” – Blaise Pascal (1623-1662)
Read the two quotes again and ponder them; I have brought them here intentionally. What are their implications?
The theologian and philosopher Arnauld and his friend Pascal, one of the founders of probability theory, framed downside risk and upside risk in these two quotes more than three centuries ago. Both quotes weigh an outcome by its magnitude times its probability: Arnauld applies this to harm (threats), Pascal to gain (opportunities). They reveal that the idea of treating threats and opportunities equally is not new, since it was already addressed by two of the earliest thinkers in the field of risk management.
If you still have doubts, or are not yet convinced, I explained this in my previous article with a survey I conducted. You can pause and go read it from here.
Now you’re ready to approach the risk definition, so let’s dive into the details …
The Socratic Method and the Six Universal Questions
A quality leader should realize the incredible power of questions, and how they can shape people’s thoughts and let them learn virtually anything. In fact, the entire Socratic Method is based on the teacher doing nothing but asking questions, directing the students’ focus and getting them to come up with their own answers.
“He who asks questions cannot avoid the answers”. – Old Cameroon Proverb
If you’re a business owner or a senior executive and cannot afford the large budget of a full risk management process (taking time for risk workshops, creating risk registers and reports, and then updating them all consistently), and you’d like to be leaner than that, especially since ISO 9001:2015 requires no formal risk management framework or even documents for it, then you can use the questioning approach to manage risks smoothly and effectively.
There are six universal questions which any risk based thinker (e.g., a risk manager, quality specialist, or executive) can ask of themselves or their teams. These questions are universal because they follow the typical risk management process (see Table 1).
Table 1: The six questions and their reference clauses in ISO 9001:2015

| # | The six questions | Reference clauses in ISO 9001:2015 |
|---|---|---|
| 1 | What are we aiming to accomplish? | 6.1.1, 4.1, 4.2, 6.2, 0.1 (c) |
| 2 | What could happen that might affect our objectives/goals/expected outcomes? And how would they be affected? | 6.1.1, 5.1.2 (b) |
| 3 | What are the most important effects? | 6.1.2 |
| 4 | What are we going to do about them? And how do we make sure this will be effective? | 6.1.1 (a) (b), 4.4.1 (f), 5.1.2 (b) |
| 5 | Which of the actions we took worked, which didn’t, and why? | 9.1.3 (e) |
| 6 | What will be changed, and what have we learned? | 10.2.1 (e), 6.3, 7.1.6 |
Using these simple questions as a framework for managing risks in SMEs allows you to avoid risk management jargon. Your people can easily understand what you are asking them, and they are not going to feel overwhelmed. In addition, these questions can be used in a business of any size, regardless of its industry.
Here’s an important practical tip I’d like to share with you. Don’t treat all your processes as if they were the same. Some processes are more critical than others, some activities have greater impact than others, and some tasks have more probable consequences than others. So, for the critical ones, you can go deeper with more investigation at every stage of risk management and ask questions like: How? When? Where? and Why?
You’re the one who decides whether to dive or just swim! To help you with this decision, there are three main elements to consider if you want to go beyond these questions (for example, by adopting ISO 31000 as guidance), unless this framework already satisfies your needs. The three elements are:
- the size of your organization and its context;
- the complexity of your processes;
- the competencies of the people who are doing the job.
Large corporations will need a detailed risk management process to cover all their major internal and external risks. They might hire full-time risk managers, use specialized risk management software, and create detailed risk reports.
SMEs, on the other hand, can run a meeting to work out the answers to these questions, then repeat it at specific intervals to review the actions taken and share the lessons learned. Such reviews could include, but are not limited to, day-to-day routine checks, self-assessments (internal audits), management reviews, and vendor assessments. All of these are also called performance audits or Risk Based Audits.
In doing so you are not violating the typical risk management process; you are following it with less formality.
Call to Action!
In this article and my previous one, I have tried to make the term “risk” clear to you, and then I showed you how to develop a Risk Based Thinking Model so you can address the risks and opportunities in your organization.
I also didn’t forget to supply you with techniques and tools to support your risk management program. Here’s the Risk Based Thinker’s Toolkit, which you can download for FREE from here. It provides you with:
- 8 risk identification techniques;
- 5 opportunity analysis techniques and methods;
- 3 threat analysis techniques and methods;
- 9 techniques for both threats and opportunities.
Now, I would like you to do two things, and let me know: first, did you find this article helpful for you? Second, what is the ONE thing that you are still struggling with in your transition?
If you’re in transition to the new QMS ISO 9001:2015, read this article too:
3 Things You Have to Know About ISO 9001:2015 Risk’s Definition Before Moving On, and don’t leave without downloading your FREE Copy of the required Documented Information by ISO 9001:2015.
P.S.: This article and the six questions are inspired by the work of Dr. David Hillson, known as The Risk Doctor, who has made valuable contributions to the risk management field. He published a paper entitled “Managing risk at your SME” (2015) which includes the six questions; I have made only small tweaks and cross-referenced them to ISO 9001:2015 clauses. It is interesting to note that the six questions follow the typical risk management process introduced by ISO 31000.