ISO 9001:2015 addresses the concept of risk in the form of definitions, guidance, and requirements.
Previous versions of the standard only included a preventive action clause aimed at preventing non-conformities. In a sense, that clause can be seen as the first tentative approach to mitigating a potential risk, even though there was no requirement at the time to determine the probability of occurrence, assess the consequences based on the expected impact, or decide whether to avoid the risk or manage it in some way. But how are such decisions made? By rule of thumb, or by a risk analysis grounded in solid methodological foundations?
If we looked at ISO 9001 through the lens of risk, we would see that all of its requirements can be read as risk treatments, so it cannot be said that risk management is a new concept in ISO 9001, even though the latest version of the standard states it far more explicitly.
However, reading specifically what the old version of the document required, we see that the decision to carry out those activities (estimating the probability of occurrence, assessing the consequences, choosing a response) in the presence of a potential risk was not based on a risk analysis at all, but simply on the fact that the requirements had to be met to obtain certification.
In the 2015 version, however, there are not only requirements to identify and address risks as a basis for planning (clause 6.1), but also an explicit requirement to evaluate the effectiveness of the actions taken to address them, which implies some form of measurement. Although the standard requires neither a formal risk management method nor a documented risk management process, it is hard to imagine an organization demonstrating to an auditor that risks were identified and addressed, and that the effectiveness of the actions taken was evaluated, without using some sound method.
But let's see what is commonly understood by "risk." If we look the term up in an ordinary dictionary, we find it explained in simple terms as the possibility that something bad will happen, for example "exposure to the possibility of loss, injury, or other adverse or undesirable circumstances." Ordinary dictionaries do not use the term for the possibility of something good happening. The definition of risk in ISO 9001:2015, however, draws directly from the vocabulary of risk management (ISO 31000), defining risk as the effect of uncertainty on objectives, where that effect may be either positive or negative.
But what exactly is uncertainty?
In very simple terms, uncertainty is anything about which there is doubt, but not everything we are uncertain about matters to us. Risk can be defined as the uncertainty that matters: uncertainties that pose neither risks nor opportunities relative to the achievement of our objectives are simply irrelevant uncertainties. What concerns us are only the uncertainties that could cause losses or gains.
Once we have defined what risk is, we still need to understand which kinds of uncertainty we should look for. The standard leaves this to our own judgement. But if we can't imagine what might go wrong or what could happen in the future, where do we begin? First of all, remember that the risks and uncertainties referred to here are strategic, not tactical: we are not concerned with isolated incidents such as the use of an outdated document or the delivery of an incorrect order to a customer, but with those risks and opportunities that could affect our ability to consistently satisfy our customers.
When we talk about risks, most of the time we mean events, i.e. whether something will happen or not, but there are other kinds of uncertainty we are exposed to that could influence our success. To help us, scholars in the field have identified four types of uncertainty. Let's look at them together:
- Stochastic uncertainty: This is uncertainty related to events, meaning whether an event will happen or not. For example, stochastic uncertainty arises when we don’t know whether the supply of a critical resource will cease or whether a sudden cyber attack will cause a significant disruption to operations.
- Random (aleatory) uncertainty: This is uncertainty due to variability. The outcome is drawn from a range of possible values, and even when we know that range we don't know which value we will get this time, for example how much something will cost or how much material will be needed.
- Epistemic uncertainty: This is uncertainty related to knowledge. For example, whether the knowledge we have is complete or not. It can concern, for instance, knowing what the customer wants or what we will learn from a survey.
- Ontological uncertainty: This is uncertainty related to the unknown, meaning anything that influences outcomes, both within and outside our frame of reference, that we haven't even considered. Reflecting on all four of these kinds of uncertainty is a practical way to surface more risks and opportunities.
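The first two kinds of uncertainty call for different treatments, and the requirement to evaluate the effectiveness of actions taken implies measuring something. The following is an added worked example, not code from the page or from ISO: it models an event-type risk (the cyber attack above) as a combination of stochastic uncertainty (does the attack happen this year, a Bernoulli trial with probability `p_event`) and random uncertainty (how large the loss is if it does, a lognormal draw), then measures the effectiveness of two hypothetical treatments as the relative reduction in expected annual loss. All probabilities and loss figures are assumed, constructed inputs, not data.

```python
"""Expected-loss model separating event (stochastic) and magnitude (random) uncertainty.

Added example; every parameter below is a constructed assumption, not a figure
from the standard or from any real incident data.
"""
import math
import random
from statistics import mean


def expected_loss_closed_form(p_event, loss_median, loss_sigma):
    """Analytic expected annual loss for a Bernoulli event with lognormal loss.

    p_event     -- stochastic uncertainty: probability the event occurs in a year
    loss_median -- random uncertainty: median loss given the event occurs
    loss_sigma  -- spread of the loss distribution (std dev of log-loss)

    E[loss] = P(event) * E[loss | event], and the mean of a lognormal with
    median m and sigma s is m * exp(s^2 / 2).
    """
    return p_event * loss_median * math.exp(loss_sigma ** 2 / 2)


def simulate_expected_loss(p_event, loss_median, loss_sigma, years=20000, seed=1):
    """Monte Carlo estimate of the same quantity.

    Each simulated year first resolves the stochastic uncertainty (does the
    event occur?) and only then the random uncertainty (how bad is it?).
    """
    rng = random.Random(seed)
    mu = math.log(loss_median)
    annual = []
    for _ in range(years):
        if rng.random() < p_event:                     # stochastic: event or not
            annual.append(rng.lognormvariate(mu, loss_sigma))  # random: magnitude
        else:
            annual.append(0.0)
    return mean(annual)


def treatment_effectiveness(before, after):
    """Relative reduction in expected loss achieved by a treatment (0 = none, 1 = eliminated)."""
    return 1.0 - after / before


# Constructed scenario: a disruptive attack is assumed to occur in 10% of years,
# with a median loss of 200,000 and a fairly wide spread (sigma = 0.8).
BASELINE = dict(p_event=0.10, loss_median=200_000, loss_sigma=0.8)

# Hypothetical treatment A: a control that lowers the likelihood (e.g. patching),
# leaving the loss distribution unchanged.
TREAT_LIKELIHOOD = dict(BASELINE, p_event=0.02)

# Hypothetical treatment B: a control that lowers the impact (e.g. tested backups),
# leaving the likelihood unchanged.
TREAT_IMPACT = dict(BASELINE, loss_median=50_000)


def compare_treatments():
    """Return the effectiveness of each treatment, estimated by simulation."""
    base = simulate_expected_loss(**BASELINE)
    return {
        "baseline_expected_loss": base,
        "reduce_likelihood": treatment_effectiveness(base, simulate_expected_loss(**TREAT_LIKELIHOOD)),
        "reduce_impact": treatment_effectiveness(base, simulate_expected_loss(**TREAT_IMPACT)),
    }


if __name__ == "__main__":
    for name, value in compare_treatments().items():
        print(f"{name}: {value:,.3f}")
```

Under these assumptions the likelihood-reducing treatment is the more effective one (expected loss drops by about 80% versus about 75%), but the point of the exercise is the shape of the measurement, not the numbers: once the two kinds of uncertainty are modeled separately, "evaluate the effectiveness of the action" becomes a before-and-after comparison rather than a rule of thumb.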
There are various types of risk, and not all of them can be managed within the quality management system, but any of them should be considered whenever the potential losses could affect the performance of the QMS.