When we take actions to manage risks and opportunities, we are not reacting to circumstances that have already occurred, but rather trying to manage situations that could arise, ensuring we are adequately prepared to derive favorable outcomes.
Preferring certainty over uncertainty is the foundation of proactive organizations, as opposed to those that merely react to problems. When planning a quality system, it is essential to focus on three key factors:
- Understanding the context in which the organization operates: this first point consists of two activities:
  - Identifying key areas of interest related to requirements
  - Determining the scope of the quality system
- Planning in anticipation of a quality system: this second phase involves nine different actions:
  - Identifying potential changes
  - Identifying risks
  - Identifying opportunities
  - Analyzing changes
  - Analyzing risks
  - Analyzing opportunities
  - Assessing changes
  - Assessing risks
  - Assessing opportunities
- Planning the quality system: this third phase concludes with three additional activities:
  - Managing changes
  - Managing risks
  - Managing opportunities
Clause 6.1.1 of ISO 9001:2015 discusses the need to manage risks and opportunities, which is entirely logical if we consider that a truly effective system enables an organization to successfully create and maintain a certain number of customers over time. To achieve this, it is necessary to anticipate potential changes in both the internal and external environment and determine which will have positive or negative effects.
It is also necessary to assess the impact of these potential changes on stakeholder requirements and identify any new requirements that may fall outside the current scope of the quality system.
To manage this requirement, it is essential to analyze issues related to the organization’s internal and external context and identify risks and opportunities. The process typically follows these steps:
- Context analysis (PESTLE, SWOT analysis) and identification of key factors;
- Filtering these factors through the organization's strategic pillars and objectives to identify those of particular importance;
- Further filtering based on the expected outcomes of the quality management system, pinpointing the most critical factors for the quality system;
- Analyzing potential changes, risks, and opportunities and formulating a management approach;
- Setting quality objectives and measurements;
- Outlining quality programs.
There are some key questions we can ask to identify and manage risks and opportunities that could facilitate or complicate quality system management:
- “What are we trying to achieve?” “What is our objective?”
- “What could impact what we are trying to achieve?”
- “Which of these factors are truly important?” - This is the risk assessment phase
- “What can we do about it?” - This is the risk or opportunity treatment phase
- “Have we implemented the decided actions?” - This is the implementation phase
- “Did they work?” - This is the risk or opportunity monitoring phase
- “What has changed?” - This is the review phase of the entire process
Clause 6.1.2a of the standard then requires us to plan actions to manage risks and opportunities. This means determining what to do once risks and opportunities have been identified. For example, it involves planning how to integrate the necessary actions into the quality system by defining objectives, operational controls, or other specific system elements such as resource allocation and identifying necessary competencies. The goal of planning is to anticipate future scenarios and possible consequences to minimize undesired effects.
In the following clause of ISO 9001:2015, 6.1.2b, it is required to integrate the previously identified actions into the quality system. Identifying risks and opportunities, analyzing their potential consequences, and defining actions to address them is not enough unless we also decide when and where to act and who will be responsible for implementing them through a specific process. Finally, still in clause 6.1.2b, it is required to determine how to evaluate the effectiveness of the actions taken and to carry out this evaluation over time.